CiscoSecure ACS 2.4 for Windows NT User Guide
Step-by-Step Configuration for CiscoSecure ACS

Table of Contents

Step-by-Step Configuration for CiscoSecure ACS
Navigation Bar
User Setup
Group Setup
Network Configuration
System Configuration
Interface Configuration
Administration Control
External User Databases
Unknown User Policy
Database Group Mappings
External User Database Configuration
Reports and Activity
Online Documentation

Step-by-Step Configuration for CiscoSecure ACS


This chapter describes the basic operation of each of the configuration areas of CiscoSecure ACS 2.4 for Windows NT Server (CiscoSecure ACS). It also provides additional information about each function or attribute.


Note      Your browser must support Java and JavaScript, and both must be enabled in the browser. For more information, see the "System Requirements" section on page 1-3.


Before completing any of the tasks in this chapter, you must have:

  • CiscoSecure ACS installed and running
  • Good working knowledge of your network browser
  • One or more network access servers (NASes) configured and running
  • (optional) If you are using a third-party or token card database, you should have the server up and running

Note      To reinstate the correct Online Help (right) window for any section, click Back to Help. To view additional information for a particular window, click Section Information at the bottom of the applicable Online Help window.


Navigation Bar

The navigation bar is a column of buttons at the far left of the CiscoSecure ACS display. Each button represents a particular area or function that you can configure. Depending on your access control requirements, you might not need to configure all of the areas. This chapter has a section for each area of configuration or operation, with step-by-step details of the general operation. The sections that follow correspond to the navigation bar buttons.

The order to follow for configuration depends on your preferences and needs.

User Setup

Select User Setup to perform the following tasks:

  • View a list of all users in the CiscoSecure database
  • Find a user
  • Add a user
  • Assign the user to a group, including Voice over IP (VoIP) and Network Device Groups (NDGs)
  • Edit a user's account information
  • Change the user's authentication type
  • Configure callback information for the user
  • Set the user's Network Access Restrictions
  • Configure other Advanced Settings
  • Set the maximum number of concurrent dialin sessions (Max Sessions) for a user
  • Disable or re-enable a user's account
  • Delete a user

List All Users

To view a list of all user accounts, follow these steps:


Step 1   In the navigation bar, click User Setup. The Select window opens.

Step 2   Click List All Users. A list of all existing user accounts, enabled and disabled, displays in the right window.

Step 3   (Optional) To view or edit the information for an individual user, click the username in the right window.

Find a User

To find a user account, follow these steps:


Step 1   In the navigation bar, click User Setup. The Select window opens.

Step 2   Enter the name in the User field and click Find. You can use wildcard characters (*) in this field. The status (enabled or disabled) and group to which the user belongs display in the right window.

Step 3   (Optional) To view or edit the information for an individual user, click the username in the right window.

Add/Edit User Accounts

To add a user:


Step 1   In the navigation bar, click User Setup. The Select window opens.

Step 2   Enter a name in the User field.


Note The username can contain up to 32 characters. Names cannot contain the following special characters:
#?"*><
Leading and trailing spaces are not allowed.


Step 3   Click Add/Edit. The Edit window opens. The username being added or edited appears at the top of the window.

Supplementary User Information

Enter the following information for the user as applicable:

  • Account Disabled—Click the Account Disabled check box to deny access for this user.

Note You must click Submit to have this action take effect.


  • Supplementary User Information—(Optional) Enter the following information:
    • Real Name—If the username is not the user's real name, enter the real name here.
    • Description—Enter a detailed description of the user.

Note This item can contain up to five user-configurable fields. See the "Interface Configuration" section for information on how to display and configure these fields.


Password Authentication

Edit or enter the following information for the user:

  • Password Authentication—Select the authentication type from the drop-down menu:
    • CiscoSecure Database—Authenticates a user from the local CiscoSecure ACS database.
    • ODBC Database—Authenticates a user from an Open DataBase Connectivity-compliant database server.
    • DS Database Authentication—Authenticates a user using Directory Services. This authentication type will appear in the user interface only if this external user database has been configured in External User Databases: Database Configuration.
    • MCIS LDAP—Authenticates a user from a Microsoft Commercial Internet System Lightweight Directory Access Protocol (MCIS LDAP) database server.
    • CRYPTOCard Token Card—Authenticates a user from a CRYPTOCard token card server. CiscoSecure ACS acts as a client to the token card server. This authentication type will appear in the user interface only if this external user database has been configured in External User Databases: Database Configuration.
    • SafeWord Token Card—Authenticates a user from a SafeWord token card server.
    • AXENT Token Card—Authenticates a user from an AXENT token card server. This authentication type will appear in the user interface only if this external user database has been configured in External User Databases: Database Configuration.
    • SDI SecurID Token Card—Authenticates a user from an SDI SecurID token card server. This authentication type will appear in the user interface only if this external user database has been configured in External User Databases: Database Configuration.
    • NDS Database Authentication—Authenticates a user using Novell Directory Services. This authentication type will appear in the user interface only if this external user database has been configured in External User Databases: Database Configuration.
    • Windows NT—Authenticates a user with an existing account in the Windows NT User Database located on the same machine as the CiscoSecure server. There is also an entry in the CiscoSecure ACS database used for other CiscoSecure ACS services. This authentication type will appear in the user interface only if this external user database has been configured in External User Databases: Database Configuration.
  • CiscoSecure PAP (also used for CHAP/MS-CHAP/ARAP if the Separate CHAP/MS-CHAP/ARAP check box is not checked)—Authenticates using a PAP password stored in the CiscoSecure database.

You can configure the NAS to offer PAP first and fall back to CHAP/MS-CHAP/ARAP if the dialup client refuses PAP, so that clients that support only PAP can still authenticate. On a Cisco IOS NAS, enter the following command on the dial-in interface:

ppp authentication pap chap

The NAS tries the methods in the order listed. Because PAP carries the password across the link in the clear, list CHAP first (ppp authentication chap pap) if your clients support it and you want PAP used only as a fallback.
  • Password and Confirm Password—Enter and confirm the PAP password to be used.
  • Separate CHAP/MS-CHAP/ARAP—Click this check box to allow the user to authenticate using a CHAP, MS-CHAP, or ARAP password that is different from the PAP password in the CiscoSecure User Database. Because a PAP password can be sent in the clear by the dialup client, keeping a separate CHAP/MS-CHAP/ARAP password limits the exposure if the PAP password is captured.
  • Password and Confirm Password—Enter and confirm the CHAP/MS-CHAP/ARAP password to be used.

Note The Password and Confirm Password fields are required when the user is authenticated against the CiscoSecure database; they are not used when a third-party (external) user database performs the authentication. Additionally, if a user is assigned to a VoIP (null password) group and a password is also included in the user profile, the password is not used until the user is re-mapped to a non-VoIP group.


  • Group to which the user is assigned—From the drop-down menu, select the group to which to assign the user. The user inherits the attributes and operations assigned to the group. By default, users are assigned to the Default Group. Users who authenticate via the Unknown User method who are not found in an existing group are also assigned to the Default Group.
  • Callback—Callback is a command string that is passed back to the access server. You can use a callback string to initiate a modem to call the user back on a specific number for added security or reversal of line charges. Options are:
    • Use group setting—Click if you want this user to use the setting for the group.
    • No callback allowed—Click to disable callback for this user.
    • Callback using this number—Click and enter the complete number, including area code if necessary, on which to always call back this user.
    • Dialup client specifies callback number—Click to allow the Windows 95/98 or Windows NT dialup client to specify the callback number.
    • Use Microsoft NT callback settings—Click to use the settings specified for Windows NT callback.

To simply call a user back on the same line the call came in on, click Group Setup, then Edit Settings to enable callback for a selected group.


Note The dialup user must have configured software that supports callback.


  • Client IP Address Assignment—Click one of the following fields:
    • Use group settings—Click to use the IP address group assignment.
    • No IP address assignment—Select this option to override the group setting if you do not want an IP address returned to the client.
    • Assigned by dialup client—Click to use the IP address dialup client assignment. The IP address assignment in User Setup overrides the IP address assignment in Group Setup.
    • Assign static IP address—If a specific IP address should be used for this user, click this option and enter the IP address in the text box. The IP address assignment in User Setup overrides the IP address assignment in Group Setup.

Note If the IP address is being assigned from a pool of IP addresses or by the dialup client, leave this field blank.


    • Assigned by network access server pool—If this user is to have the IP address assigned from an IP address pool configured on the NAS, click this option and enter the NAS IP pool name in the text box. The IP address assignment in User Setup overrides the IP address assignment in Group Setup.
    • Assigned from AAA pool—If this user is to have the IP address assigned from an IP address pool configured on the AAA server, click this option. Select the AAA server IP pool name in the Available Pools list and click the right arrow button to move the name into the Selected Pools list. If there is more than one pool in the Selected Pools list, the user is assigned an address from the first pool in the list that has one available. To move a pool's position in the list, click the pool name and click Up or Down until the pool is in the position you want. The IP address assignment in User Setup overrides the IP address assignment in Group Setup.

Network Access Restrictions (User)

If this field does not display, click Interface Configuration: Advanced Options: User-Level Network Access Restrictions.

Network Access Restrictions let you permit or deny a user access to a specified network access server (NAS) or specified ports on the NAS. If you are using NAS access, the NAS (Telnet/Login/Exec) Access Control window displays. Select either Permitted Calling/Point of Access Locations or Denied Calling/Point of Access Locations.

  • Access Server—Select All NASes or the name of the NAS to allow or deny the user's access.
  • Port—Enter the name of the port to which to permit or deny access. You can use the wildcard asterisk (*) to permit or deny access to all ports on the selected NAS.
  • Address—Enter the IP address from which to filter permit or deny access.

If you are using dialup, the Dialup (PPP/ARAP) Access Control window displays.

Select either Permitted Calling/Point of Access Locations or Denied Calling/Point of Access Locations.

  • Type—Select one of the following:
    • CLID—Select CLID for an ISDN connection on which the user has a calling line identification number.
    • DNIS—Select to filter access on the number into which the user will be dialing.
    • CLID/DNIS—Select if the user will be using CLID and dialing in.
    • NAS/PORT—Select to filter on the IP address and port of the NAS through which the user connects. Use this type when the Cisco IOS release on the NAS does not supply CLID or DNIS.
  • Value—Enter the value that applies to the type you selected. For example, for CLID, enter the CLID number; for DNIS, enter the telephone number. You can use the wildcard asterisk (*). For example, to restrict or allow access whenever the user is dialing in from a certain area code, enter the area code followed by the asterisk (555*).

Remote Access

You can set a filter to limit the user to specific remote address information. Enter the string that must be matched before access is permitted. You can use the wildcard asterisk (*) character for large ranges. You can also use multiple strings separated by commas. Entering a remote address in User Setup overrides the remote address assignment in Group Setup.

Max Sessions (User)

If this field does not display, click Interface Configuration: Advanced Options: Max Sessions.

Sets the maximum number of simultaneous connections for this user. For CiscoSecure ACS purposes, a session is any type of user connection supported by RADIUS or TACACS+; for example, PPP, NAS prompt, Telnet, ARAP, or IPX/SLIP. All counts are based on user and group names only. CiscoSecure ACS does not support any differentiation by type of session—all sessions are counted as the same. To illustrate, a user with a Max Session count of 1 who is dialed in to a NAS with a PPP session will be refused a connection if that user then tries to telnet to a location whose access is controlled by the same ACS.


Note      Each CiscoSecure ACS server holds its own individual Max Sessions counts. There is no mechanism for CiscoSecure ACS to share Max Sessions counts across multiple servers. Therefore, if two CiscoSecure ACSes are set up as a mirror pair with the workload distributed between them, they will have completely independent views of the Max Sessions totals.


There are three options for user Max Sessions:

  • Unlimited—Allows this user an unlimited number of simultaneous sessions. This effectively disables Max Sessions for this user.
  • n—The actual maximum number of sessions to allow this user.
  • Use Group Setting—Use the Max Sessions value for the group.

The default setting is Use Group Setting.


Note      User Max Sessions settings override the group Max Sessions settings. For example, if the group Sales has a Max Sessions value of only 10, but a user in the group Sales, John, has a User Max Sessions value of Unlimited, John is still allowed an unlimited number of sessions.


Account Disable

Define the circumstances under which this user's account will become disabled.


Note      This is not to be confused with account expiration due to Password Aging. Password Aging is defined for groups only, not for individual users.


  • Never—Click to keep the user's account always enabled. This is the default.
  • Disable account if:—Click to disable the account under the circumstances you specify in the following fields:
    • Date exceeds—From the drop-down menus, select the month, date, and year on which to disable the account. The default is 30 days after the user is added.
    • Failed attempts exceed—Click the check box and enter the number of consecutive unsuccessful login attempts to allow before disabling the account. The default is 5.
    • Failed attempts since last successful login—This counter shows the number of unsuccessful login attempts since the last time this user logged in successfully.
    • Reset current failed attempts count on submit—If an account is disabled because the failed attempts count has been exceeded, check this check box and click Submit to reset the failed attempts counter to 0 and reinstate the account.

If you are using the Windows NT user database, this expiration information is in addition to the information in the Windows NT user account. Changes here do not alter settings configured in Windows NT.
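The following is an added example, not code from the CiscoSecure ACS product or this guide: a small Python model of the Account Disable rules above (Never, Date exceeds, Failed attempts exceed, and the reset check box), with the defaults the text gives (30 days, 5 attempts). Two points the text leaves open are taken as assumptions and marked in the code: "Date exceeds" is read as disabling the account once the current date is later than the configured date, and "exceed" is read as allowing N consecutive failures and disabling on the (N+1)th.

```python
# Added example, not Cisco's code: a model of the Account Disable rules
# ("Never", "Date exceeds", "Failed attempts exceed", reset on submit).
from datetime import date, timedelta


class AccountDisable:
    def __init__(self, created: date, disable_on=None, max_failed=None,
                 account_disabled=False):
        # disable_on: None means "Never"; the UI default when enabled is 30 days after creation.
        # max_failed: None means the failed-attempts rule is off; the UI default is 5.
        self.disable_on = disable_on
        self.max_failed = max_failed
        self.account_disabled = account_disabled   # the separate Account Disabled check box
        self.failed_since_success = 0              # "Failed attempts since last successful login"
        self.locked_out = False                    # disabled by the failed-attempts rule

    @classmethod
    def with_defaults(cls, created: date):
        return cls(created, disable_on=created + timedelta(days=30), max_failed=5)

    def is_disabled(self, today: date) -> bool:
        # Assumption: "Date exceeds" disables once today is later than the configured date.
        date_exceeded = self.disable_on is not None and today > self.disable_on
        return self.account_disabled or self.locked_out or date_exceeded

    def attempt(self, password_ok: bool, today: date) -> bool:
        """Process one login attempt; return True if it is accepted."""
        if self.is_disabled(today):
            return False
        if password_ok:
            self.failed_since_success = 0   # the counter tracks consecutive failures only
            return True
        self.failed_since_success += 1
        # Assumption: "exceed" means N failures are allowed and the (N+1)th disables.
        if self.max_failed is not None and self.failed_since_success > self.max_failed:
            self.locked_out = True
        return False

    def reset_failed_attempts(self) -> None:
        """'Reset current failed attempts count on submit': counter to 0, lockout lifted.
        Leaves the Account Disabled check box and the date rule untouched."""
        self.failed_since_success = 0
        self.locked_out = False


def demo() -> dict:
    """Walk through the lockout, the reset, and the date rule on a constructed account."""
    created = date(2000, 1, 1)
    acct = AccountDisable.with_defaults(created)
    day = date(2000, 1, 10)
    r = {}
    for _ in range(5):
        acct.attempt(False, day)
    r["still_enabled_after_5"] = not acct.is_disabled(day)
    acct.attempt(False, day)
    r["locked_after_6th"] = acct.is_disabled(day)
    r["good_password_rejected_while_locked"] = not acct.attempt(True, day)
    acct.reset_failed_attempts()
    r["good_password_after_reset"] = acct.attempt(True, day)
    r["counter_cleared"] = acct.failed_since_success == 0
    # Date rule: 30 days after 2000-01-01 is 2000-01-31; the next day the account is disabled.
    r["enabled_on_expiry_date"] = acct.attempt(True, date(2000, 1, 31))
    r["disabled_after_expiry"] = not acct.attempt(True, date(2000, 2, 1))
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Note that a correct password while the account is locked out is rejected and does not clear the counter; only the administrator's reset (or, for the date rule, a new date) re-enables the account.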

When you have finished configuring the user information, click Submit.

Advanced TACACS+ Settings (User)

The following information applies when you have a TACACS+ NAS configured. If this field does not display, click Interface Configuration: TACACS+ (Cisco): Advanced TACACS+ Features.

Enable Options

Use this option to configure user-level TACACS+ enable parameters.

TACACS+ Enable Control (User)

Use TACACS+ Enable control with Exec session to control administrator access. It is primarily used for router management control. Select the Max Privilege level you want this user to have.

Options are:

  • No Enable Privilege—Click this button to disallow enable privileges for this user.
  • Max Privilege for Any Access Server—Click this button and select the maximum privilege level for this user from the drop-down box. This level applies on any access server on which this user is authorized.
  • Define Max Privilege on a per-Network Device Group Basis—Click this button to define maximum privilege levels for this user in the Network Device Group (NDG). To use this option, click Interface Configuration: Advanced Settings: Network Device Groups. Select the Max Privilege level you want this user to have.

See your NAS documentation for information on privilege levels.

TACACS+ Enable Password

Set the options for TACACS+ Enable password:

  • Use CiscoSecure PAP password—Click to use the information configured in the Password Authentication section above.
  • Use external database password—Select the database whose password is to be used.
  • Use separate password—Enter and confirm a control password for this user. This password is used in addition to the regular authentication.

TACACS+ Outbound Password (User)

TACACS+ Outbound Password enables a NAS to authenticate itself to another NAS/client via outbound authentication. The outbound authentication can be PAP, CHAP, MS-CHAP, or ARAP, and results in the CiscoSecure ACS password being given out. By default, the user's ASCII/PAP or CHAP/MS-CHAP/ARAP password is used. To prevent compromising inbound passwords, you can configure a separate SENDAUTH password. Use this feature only if you are familiar with TACACS+ SendAuth/OutBound password.

RADIUS Attributes

If you have configured CiscoSecure ACS to use per-user RADIUS attributes, click the attributes you want to assign for this user and enter any parameters. See your RADIUS documentation and "RADIUS Attribute-Value Pairs," for an explanation of attributes and their available parameters.

Deleting User Accounts

To delete a user account from the CiscoSecure database:


Step 1   Click User Setup. The Select and Help windows of the user interface open.

Step 2   In the User field, enter the complete username to be deleted.

Step 3   Click Add/Edit.

Step 4   At the bottom of the User Setup window, click Delete.


If you are authenticating using the Unknown User policy, you must also delete the user account from the external user database. This prevents the username from being automatically re-added to the CiscoSecure user database the next time the user attempts to log in.

Group Setup

Click Group Setup and click one of the following options to perform the applicable task:

  • Group—Displays the configurable groups. Select a group name, then select the action to perform on that group.
  • Users in Group—Displays all the users listed in the group you selected from the Group list box.
  • Edit Settings—Displays all the settings that you can change for the selected group.
  • Rename Group—Allows you to rename a selected group.

Note      If group mapping has not been configured, usernames that are not configured in the CiscoSecure user database are assigned to Default Group by CiscoSecure ACS the first time they log in. The privileges and restrictions for the Default Group are applied to first-time users. If you have upgraded from a previous version of CiscoSecure ACS and kept your database information, users will map as configured in the previous version.


Users in Group

To list all users in a specified group:


Step 1   Click Group Setup. The Select and Help windows open.

Step 2   From the drop-down menu, select the group to list.

Step 3   Click Users in Group. The User List and the Edit windows open. You can view, modify, or delete a user by clicking on the user's name in the list.

Group Settings

To assign or edit a group's authorization and authentication settings, follow these steps:


Note      Depending on the features that are enabled in the Interface Configuration: Advanced Settings window, Quick Link buttons appear at the top of the Group Setup window. Click the applicable button to go directly to the applicable location.



Step 1   Click Group Setup. The Select window opens.

Step 2   In the drop-down list, select the applicable group.

Step 3   Click Edit Settings. The Edit window opens.

Step 4   Complete the Group Setup section.

Before you configure Group Setup it is important to understand how this window functions. Group Setup is dynamically built depending on the configuration of your NAS and the security protocols being used. The Group Setup window contains the following basic sections:

1. Information that applies to both TACACS+ and all instances of RADIUS

2. External User Database information

3. TACACS+

4. RADIUS (IETF)

5. RADIUS (Cisco Vendor-Specific Attribute)

6. RADIUS (Ascend)

The General Information is always displayed. Third-party and token card information is displayed if the corresponding external user databases are configured. The combination of TACACS+ and RADIUS sections displayed depends on how your access server is configured. If one NAS is configured within CiscoSecure and is running TACACS+, only the following subsections are displayed:

  • General information that applies to both TACACS+ and all instances of RADIUS
  • Token Card Information
  • Callback
  • TACACS+

If a second NAS is using RADIUS (IETF), the following subsections are displayed:

  • General information that applies to both TACACS+ and all instances of RADIUS
  • Token Card Information
  • Callback
  • TACACS+
  • RADIUS (IETF)

Note      When RADIUS (Cisco), or RADIUS (Ascend) is selected for a NAS, RADIUS (IETF) attributes are available because they are the base set of attributes used to configure the first 74 attributes for all RADIUS vendors.


The content of these subsections is dynamic. Only the attributes selected from the Interface Configuration: TACACS+ (Cisco) or RADIUS (IETF) section are displayed. This allows you to select and display only those attributes you want. You can change what is displayed in each of the subsections by selecting a security protocol from the protocol configuration options in the NAS Configuration window.

Voice-over-IP (VoIP) Support

If this feature does not display, click Interface Configuration: Advanced Options and enable and configure VoIP.

Click this check box to enable support for the null password function of VoIP. This allows users to authenticate (a session or telephone call) on the user ID (telephone number) alone. When you check this box, all users in this group become VoIP users, their user IDs are treated like telephone numbers, and they do not need to enter a password to authenticate.


Enabling VoIP disables password authentication and most of the advanced settings, including password aging and protocol attributes.

Default Time-of-Day Access Settings (Group)

If this feature does not display, click Interface Configuration: Advanced Options: Default Time-of-Day/Day-of-Week Specification.

You can define the times during which users are allowed or not allowed to access the NAS. Follow these steps:


Step 1   Click Set as Default Access Times.

Step 2   Click either Allow Access or Do Not Allow Access.

Step 3   Click the blocks of time to allow or deny access.

To set all times click Set All; to clear the time blocks, click Clear All.

If this option is not enabled, access is not limited based on time or day.

Callback

Callback is a command string that is passed back to the access server. You can use callback strings to initiate a modem to call the user back on a specific number for added security or reversal of line charges. Options are as follows:

  • No Callback Allowed—Click to disable callback for this user.
  • Dialup client specifies callback number—Click to allow the dialup client to specify the callback number. The dialup client must support RFC 1570, PPP LCP Extensions.
  • Use Microsoft NT Callback settings (where possible)—Click to use the Microsoft Windows NT callback settings.

Network Access Restrictions (Group)

Network Access Restrictions provide an automated method of making access control decisions on the following:

  • Calling Station ID (CLID)—These are identification attributes associated with the calling station. To support flexible access control, CiscoSecure ACS supports the use of station/node identifiers from a variety of network types.
  • Called Station ID/Dialed Number Identification Service (DNIS)—These are identification attributes of the device through or for which access was attempted. As with CLID, for maximum flexibility, CiscoSecure ACS supports the use of more than one type of device identifier. Because an access device might have many ports or numbers associated to or through which access may be attempted, DNIS can identify these specifically giving even greater granularity of control if required.

To permit or deny a group access to a specified server or specified ports on the server based on a definable filter, follow these steps:


Step 1   Click the NAS (Telnet/Login/Exec) Access Control check box.

Step 2   From the drop-down box, select either Permitted Calling/Point of Access Locations or Denied Calling/Point of Access Locations.

Step 3   Select or enter the information in the following fields:

  • Access Server—Select All NASes or the name of the NAS to which to permit or deny access.
  • Port—Enter the port to which to permit or deny access. You can use the wildcard asterisk (*) to permit or deny access to all ports on the selected NAS.
  • Address—Enter the IP address to filter on when performing access restrictions. You can enter multiple entries separated by a comma or use the wildcard asterisk (*).

Step 4   Click Enter.

To permit or deny a group access for a specified dialup location, follow these steps:


Step 1   Click the Dial-Up (PPP/ARAP) Access Control Table Defines check box.

Step 2   From the drop-down box, select either Permitted Calling/Point of Access Locations or Denied Calling/Point of Access Locations.

Step 3   Select or enter the applicable information in the following fields:

  • Type—Select one of the following options:
    • CLID—Select to filter on the Calling Line Identification number.
    • DNIS—Select to filter on the number into which the group will be dialing.
    • CLID/DNIS—Select to filter on both the CLID and DNIS numbers.
    • NAS/PORT—If you are using a Cisco IOS release that does not support CLID and DNIS, select this option to filter on NAS access by entering the IP address and port number.
  • Value—Enter the value that applies to the type you selected. For example, for CLID, enter the CLID number; for DNIS, enter the telephone number. You can use the wildcard asterisk (*). For example, to restrict or allow access whenever the group is dialing in from a certain area code, enter the area code followed by the asterisk (555*).
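The following is an added example, not code from the CiscoSecure ACS product or this guide, and it serves both the "Network Access Restrictions (User)" section above and the group-level section just described. It is a Python model of how Permitted and Denied Calling/Point of Access Locations tables can be evaluated against an incoming request: CLID, DNIS, CLID/DNIS and NAS/PORT types, the asterisk as the only wildcard (for example 555*), and comma-separated multiple values. The guide documents the inputs; the evaluation order, the "ip/port" and "clid/dnis" encodings of the combined types, and the rule that every applicable table must allow the request are this example's own assumptions.

```python
# Added example, not Cisco's code: a model for evaluating Network Access
# Restriction tables (user level and group level) against an access request.
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessRequest:
    """Constructed sample of what a NAS reports with an access request."""
    user: str
    clid: str = ""       # Calling-Station-Id: the number the user is calling from
    dnis: str = ""       # Called-Station-Id: the number the user dialed into
    nas_ip: str = ""     # address of the NAS the request arrived through
    nas_port: str = ""   # port (line) on that NAS


def wildcard_match(pattern: str, value: str) -> bool:
    """Match with '*' as the only wildcard, as the guide documents (e.g. '555*')."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


@dataclass
class NarTable:
    """One Calling/Point of Access Locations table: Permitted or Denied."""
    permitted: bool                       # True: only listed locations are allowed
    rules: list = field(default_factory=list)

    def add(self, rule_type: str, value: str) -> None:
        # A Value field may hold several comma-separated strings; each becomes a rule.
        for v in value.split(","):
            self.rules.append((rule_type.upper(), v.strip()))

    @staticmethod
    def _hit(rule_type: str, pattern: str, req: AccessRequest) -> bool:
        if rule_type == "CLID":
            return wildcard_match(pattern, req.clid)
        if rule_type == "DNIS":
            return wildcard_match(pattern, req.dnis)
        if rule_type == "CLID/DNIS":
            # Assumed encoding for this example: "<clid pattern>/<dnis pattern>".
            clid_pat, _, dnis_pat = pattern.partition("/")
            return wildcard_match(clid_pat, req.clid) and wildcard_match(dnis_pat, req.dnis)
        if rule_type == "NAS/PORT":
            # Assumed encoding for this example: "<nas ip>/<port>"; port may be '*'.
            ip_pat, _, port_pat = pattern.partition("/")
            return wildcard_match(ip_pat, req.nas_ip) and wildcard_match(port_pat, req.nas_port)
        raise ValueError(f"unknown NAR type: {rule_type}")

    def allows(self, req: AccessRequest) -> bool:
        matched = any(self._hit(t, p, req) for t, p in self.rules)
        # Permitted table: access only if some rule matches.
        # Denied table: access unless some rule matches.
        return matched if self.permitted else not matched


def access_decision(tables, req: AccessRequest) -> bool:
    """Assumption of this example: every applicable table (user and group) must allow."""
    return all(t.allows(req) for t in tables)


def demo() -> dict:
    # Group Sales: permit only callers from area code 555 (CLID 555*).
    sales_group = NarTable(permitted=True)
    sales_group.add("CLID", "555*")
    # User alice: additionally denied on two specific dialed numbers (DNIS).
    alice_user = NarTable(permitted=False)
    alice_user.add("DNIS", "8005550100, 8005550101")
    tables = [sales_group, alice_user]

    # NAS (Telnet/Login/Exec) access: permit only through NAS 10.0.0.1, any port.
    telnet_table = NarTable(permitted=True)
    telnet_table.add("NAS/PORT", "10.0.0.1/*")

    return {
        "in_area_ok_dnis": access_decision(tables, AccessRequest("alice", clid="5551234", dnis="8005550199")),
        "in_area_denied_dnis": access_decision(tables, AccessRequest("alice", clid="5551234", dnis="8005550101")),
        "out_of_area": access_decision(tables, AccessRequest("alice", clid="2125551234", dnis="8005550199")),
        # A call that arrives without CLID cannot match a Permitted CLID table.
        "no_clid_reported": access_decision(tables, AccessRequest("alice", dnis="8005550199")),
        "telnet_via_listed_nas": telnet_table.allows(AccessRequest("alice", nas_ip="10.0.0.1", nas_port="tty3")),
        "telnet_via_other_nas": telnet_table.allows(AccessRequest("alice", nas_ip="10.0.0.2", nas_port="tty3")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'permit' if ok else 'deny'}")
```

The "no_clid_reported" case is the one to keep in mind when writing a Permitted table: a NAS or carrier that does not deliver the calling number leaves the CLID empty, and an empty value never matches a pattern such as 555*, so those calls are refused rather than let through.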

Max Sessions (Group)

Set the maximum number of sessions available to groups and users.

  • Sessions available to group—Sets the maximum number of total simultaneous connections for the entire group. A session is any type of connection supported by RADIUS or TACACS+; for example, PPP, NAS prompt, telnet, ARAP, IPX/SLIP. The options are:
    • Unlimited—Click to allow this group an unlimited number of simultaneous sessions. This effectively disables Max Sessions for the group.
    • n—Enter the maximum number of simultaneous sessions to allow this group.
  • Sessions available to users of this group—Sets the maximum number of simultaneous connections for each user in this group. The options are:
    • Unlimited—Click to allow each user in this group an unlimited number of simultaneous sessions. This effectively disables per-user Max Sessions for the group.
    • n—Enter the maximum number of simultaneous sessions to allow each user in this group.

As an example, Sessions available to group is set to 10 and sessions available to users of this group is set to 2. If each user is using the maximum 2 simultaneous sessions, no more than 5 users can log in.

You can also set per-user Max Sessions to be applied to users within the group. This limits the number of simultaneous connections a user can establish.


Note      User settings override group settings. The default setting for group Max Sessions is Unlimited (disabled) for both the group and the user within the group.
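The following is an added example, not code from the CiscoSecure ACS product or this guide, and it serves both the "Max Sessions (User)" section above and the group-level section just described. It is a Python model of the counting rules: a group total, a per-user value for the group, and a user-level setting (Use Group Setting, a number, or Unlimited) that overrides the group's per-user value. It reproduces the text's own figures (group total 10, 2 per user, so at most 5 users) and the PPP-then-Telnet refusal for a user with a limit of 1. One assumption is marked in the code: the group total is taken to still cap the group's users in aggregate even when a user carries an override.

```python
# Added example, not Cisco's code: a model of the Max Sessions rules for
# users and groups. Every session type (PPP, Telnet, ARAP...) counts the same.
from collections import Counter

UNLIMITED = None          # "Unlimited" in the user interface
USE_GROUP = "use-group"   # "Use Group Setting" (the user-level default)


class MaxSessions:
    def __init__(self):
        self.group_total = {}      # group -> int or UNLIMITED ("Sessions available to group")
        self.group_per_user = {}   # group -> int or UNLIMITED ("Sessions available to users of this group")
        self.user_setting = {}     # user -> int, UNLIMITED or USE_GROUP
        self.user_group = {}       # user -> group
        self.active_user = Counter()
        self.active_group = Counter()

    def add_group(self, name, total=UNLIMITED, per_user=UNLIMITED):
        self.group_total[name] = total
        self.group_per_user[name] = per_user

    def add_user(self, name, group, max_sessions=USE_GROUP):
        self.user_group[name] = group
        self.user_setting[name] = max_sessions

    def user_limit(self, user):
        """A user-level Max Sessions value overrides the group's per-user value."""
        setting = self.user_setting[user]
        if setting == USE_GROUP:
            return self.group_per_user[self.user_group[user]]
        return setting

    def start(self, user) -> bool:
        """Admit one new session for the user, or refuse it."""
        group = self.user_group[user]
        limit = self.user_limit(user)
        if limit is not UNLIMITED and self.active_user[user] >= limit:
            return False
        # Assumption: the group total still caps the group's users in aggregate.
        total = self.group_total[group]
        if total is not UNLIMITED and self.active_group[group] >= total:
            return False
        self.active_user[user] += 1
        self.active_group[group] += 1
        return True

    def stop(self, user) -> None:
        if self.active_user[user] > 0:
            self.active_user[user] -= 1
            self.active_group[self.user_group[user]] -= 1


def demo() -> dict:
    acs = MaxSessions()
    acs.add_group("Sales", total=10, per_user=2)      # the figures used in the text
    names = ["u1", "u2", "u3", "u4", "u5", "u6"]
    for n in names:
        acs.add_user(n, "Sales")
    acs.add_user("bob", "Sales", max_sessions=1)      # user-level override: 1 session
    results = {}
    # Five users each open two sessions: 10 in total, all admitted.
    results["ten_admitted"] = all(acs.start(n) for n in names[:5] for _ in range(2))
    # A sixth user is refused: the group total is exhausted.
    results["sixth_user_refused"] = not acs.start("u6")
    acs.stop("u1")
    acs.stop("u1")
    # bob: a PPP session is admitted, then a Telnet controlled by the same ACS is refused.
    results["bob_ppp"] = acs.start("bob")
    results["bob_telnet_refused"] = not acs.start("bob")
    # A second ACS holds its own counts; nothing is shared between servers.
    acs2 = MaxSessions()
    acs2.add_group("Sales", total=10, per_user=2)
    acs2.add_user("bob", "Sales", max_sessions=1)
    results["bob_admitted_on_other_acs"] = acs2.start("bob")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The last case illustrates the note above: with two CiscoSecure ACS servers sharing the load, a user with Max Sessions 1 can hold one session on each, so per-server limits do not give a network-wide cap.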


Token Card Settings

This option allows the token to be cached. This means users can use a second B channel without having to enter a second one-time password (OTP).

If this section does not display, configure a token card server. Click External User Databases: Database Configuration and add the applicable token card server.

This option is for use with token caching only for ISDN terminal adapters. You should fully understand token caching and ISDN concepts and principles before implementing this option. Token caching allows you to connect to multiple B channels without having to provide a token for each channel connection. Token card settings are applied to all users in the selected group.

The options for token caching are:

  • Session—Select Session to cache the token for the entire session. This will allow the second B channel to dynamically go in and out of service.
  • Duration—Select Duration, enter a time period, and click the unit of time measurement, either seconds, minutes, or hours. The token is cached for this time period from the time of first authentication. If this time period expires, the user cannot start a second B channel.
  • Session and Duration—Select Session, then select Duration and enter a high value (such as 1 hour). Enter a value high enough to allow the token to be cached for the entire session. If the session runs longer than the duration value, a new token is required to open a second B channel.

Enable Options

If this section does not display, configure the interface to display advanced TACACS+ settings. Click Interface Configuration: TACACS+ (Cisco). At the bottom of the page in the Advanced Configuration Options section, check the Advanced TACACS+ features option and click Submit.

Use this option to configure group-level TACACS+ enable parameters. If you are using Network Device Groups (NDGs), this option lets you easily configure the NDG for Enable-level mapping rather than having to do it for each individual user in the group. From the drop-down menus, select the NDG to which this group should belong and the privilege level to assign.

  • No Enable Privilege—(default) Click this button to disallow enable privileges for users in this group.
  • Max Privilege for Any Access Server—Click this button and select, from the drop-down box, the maximum privilege level for users in this group on any access server on which they are authorized.
  • Define max Privilege on a per-network device group basis—Click this button to define maximum privilege levels for users in this group per Network Device Group. To use this option, click Interface Configuration: Advanced Settings: Network Device Groups. Select the Max Privilege level you want this group to have. See your NAS documentation for information on privilege levels.
  • Password and Confirm Password—Enter and confirm an enable password for users in this group. This password is used in addition to the regular authentication.

Password Aging Rules

If this section does not display, click Interface Configuration: Advanced Options: Group-Level Password Aging.

The password aging feature of CiscoSecure ACS allows administrators to force users to change their passwords under one or more of the following conditions:

  • After a specified number of days
  • After a specified number of logins
  • The first time a new user logs in

Note      CiscoSecure ACS password aging is not affiliated with Windows NT password aging.


To use this feature over dialup connections, the NAS must be running the TACACS+ or RADIUS protocol. Password aging over an interactive (telnet) connection is supported only with TACACS+.


Note      To use the Password Aging feature, you must set up your NAS to perform Authentication and Accounting using the same protocol—either TACACS+ or RADIUS.


The following conditions must also be met:

  • The CiscoSecure Authentication Agent (CAA) software must be installed in Windows 95/98 or Windows NT on the PC from which the user will dial. The CAA software is available at http://www.cisco.com.
  • Users must be using the Windows 95/98, Windows NT 3.51, or Windows NT 4.0 dialup networking client or another PPP dialup client.
  • The connections must use PPP or Telnet.
  • The NAS must be using the TACACS+ or RADIUS protocol.
  • The NAS must be using Cisco IOS Release 11.2.7 or later and be configured to send a "watchdog" accounting packet (aaa accounting new-info update) with the IP address of the calling station.

Note Password Aging over Telnet connections using the RADIUS protocol is not supported.


If a RADIUS user tries to make a telnet connection to the NAS during or after the warning or grace period, the change password option does not display, and the user's account is expired.

Password aging parameters are configured on a group basis.

Users who fail authentication because they have not changed their password and have exceeded their grace period are logged in the Failed Attempts logs. The accounts are expired and appear in the Accounts Disabled list.

  • Apply age-by-date rules—Click this option and enter the number of days for one or more of the following options:
    • Active period—Click this option and enter the number of days users will be allowed to log in before being prompted to change their passwords. For example, if you enter 20, users can use their passwords for 20 days without being prompted to change them. The default Active period is 20 days.
    • Warning period—Enter the number of days users will be notified to change their passwords. The user's existing password can be used, but a warning message is presented indicating that the password must be changed and displaying the number of days left before the password expires. For example, if you enter 5 in this box and 20 in the Active period box, users will be notified to change their passwords on the 25th and 26th days.
    • Grace period—Enter the number of days to allow for the users' grace period. The grace period allows users to log in once to change their password. The existing password will be used for one last time after the number of days specified in the active and warning period fields has been exceeded; then a dialog box opens warning the user that the account will be disabled if the password is not changed, and allowing the user to change it. Continuing with the examples above, if you allow a 5-day grace period, users who did not log in during the active and grace periods would be permitted to change their password up to and including the 30th day. However, even though the grace period is set for 5 days, a user is allowed only one attempt to change the password when the password is in the grace period state. The CiscoSecure ACS will display the "last chance" warning only once. If the user does not change the password, this login is still permitted, but the password will expire, and the next authentication will be denied. An entry will be logged in the Failed-Attempts Log, and the user will need to contact support to have the account reinstated.

Note All passwords expire at midnight, not the time at which they were set.


  • Apply age-by-uses rules—Clicking these check boxes configures CiscoSecure ACS to determine password aging by number of logins.
    • Issue warning after x login—Click this check box and enter the number of the login upon which CiscoSecure ACS will start prompting users to change their passwords. For example, if you enter 10, users will be allowed to log in 10 times without a change-password prompt. On the 11th login, they will be prompted to change their passwords. To allow users to log in an unlimited number of times without changing their passwords, enter -1.
    • Require change after x login—Click this check box and enter the number of the login upon which to notify users that they must change their passwords. Continuing with the previous example, if this number is 12, users receive prompts requesting them to change their passwords on their 11th and 12th logins. On the 13th login, they will receive a prompt telling them that they must change their passwords. If users do not change their passwords now, their accounts will expire and they will be unable to log in. This number must be greater than the Issue warning after x login number. To allow users to log in an unlimited number of times without changing their passwords, enter -1.
  • Apply password change rule—Click this check box to force new users to change their passwords the first time they log in.
  • Generate greetings for successful logins—Click this check box to allow a "Greetings" message to be displayed whenever users log on successfully. The message contains up-to-date password information specific to this user's account.

Conditions apply for all checked options. In other words, users can be forced to change their passwords every 20 days and every 10 logins, and to receive warnings and grace periods accordingly.

If no parameters are checked, passwords never expire.
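The rules above combine in a way that is easier to see in code. The following is an added example, not code from the guide or from CiscoSecure ACS: it models age-by-date (active, warning and grace periods counted in calendar days so that boundaries fall at midnight, with the warning period assumed to start the day after the active period ends, as the 30th-day example implies), age-by-uses (warn-after and require-change-after login counts, -1 meaning unlimited), the single "last chance" grace login, and the rule that all checked conditions apply. The class, field and state names are this example's own.

```python
# Added example (not from the CiscoSecure ACS guide): a model of the group-level
# password aging rules. Age-by-date uses calendar days so every boundary falls
# at midnight; age-by-uses counts logins; -1 means unlimited; the most severe
# checked rule wins; a grace-state login is permitted once, then the password
# expires. Names of fields, functions and states are this example's own.
from dataclasses import dataclass
from datetime import date, timedelta

OK, WARNING, GRACE, EXPIRED = "ok", "warning", "grace", "expired"
SEVERITY = {OK: 0, WARNING: 1, GRACE: 2, EXPIRED: 3}
UNLIMITED = -1  # the guide's "log in an unlimited number of times" value


def as_date(d) -> date:
    """Accept a date or an ISO string such as "1999-07-01"."""
    return d if isinstance(d, date) else date.fromisoformat(d)


@dataclass
class AgingRules:
    by_date: bool = False
    active_days: int = 20            # the guide's default Active period
    warning_days: int = 0
    grace_days: int = 0
    by_uses: bool = False
    warn_after_logins: int = UNLIMITED
    require_after_logins: int = UNLIMITED


@dataclass
class UserRecord:
    password_set: object             # date or ISO string
    logins: int = 0                  # logins completed since the password was set
    password_expired: bool = False   # grace login spent without a change
    disabled: bool = False           # would appear in the Accounts Disabled list


def age_by_date(rules: AgingRules, rec: UserRecord, today) -> str:
    # Calendar-day arithmetic puts every boundary at midnight: an age of 20
    # means today is the password's 21st day, i.e. the first warning day.
    age = (as_date(today) - as_date(rec.password_set)).days
    if age < rules.active_days:
        return OK
    if age < rules.active_days + rules.warning_days:
        return WARNING
    if age < rules.active_days + rules.warning_days + rules.grace_days:
        return GRACE
    return EXPIRED


def age_by_uses(rules: AgingRules, rec: UserRecord) -> str:
    # rec.logins counts completed logins; this classifies the next one.
    nxt = rec.logins + 1
    req, warn = rules.require_after_logins, rules.warn_after_logins
    if req != UNLIMITED and nxt > req + 1:
        return EXPIRED
    if req != UNLIMITED and nxt == req + 1:
        return GRACE                 # the "you must change it now" login
    if warn != UNLIMITED and nxt > warn:
        return WARNING
    return OK


def evaluate(rules: AgingRules, rec: UserRecord, today) -> str:
    """State of the login about to happen; conditions apply for all checked rules."""
    if rec.disabled or rec.password_expired:
        return EXPIRED
    states = [OK]
    if rules.by_date:
        states.append(age_by_date(rules, rec, today))
    if rules.by_uses:
        states.append(age_by_uses(rules, rec))
    return max(states, key=SEVERITY.__getitem__)


def login(rules: AgingRules, rec: UserRecord, today, changes_password=False):
    """Apply one login attempt; returns (permitted, state shown to the user)."""
    state = evaluate(rules, rec, today)
    if state == EXPIRED:
        rec.disabled = True          # logged to Failed Attempts, account disabled
        return False, state
    if changes_password:
        rec.password_set, rec.logins = as_date(today), 0
        return True, state
    rec.logins += 1
    if state == GRACE:
        # The single "last chance": this login is permitted, but the password
        # now expires and the next authentication will be denied.
        rec.password_expired = True
    return True, state


def date_timeline(rules: AgingRules, password_set, days: list) -> dict:
    """State on each calendar day number, the day the password was set being day 1."""
    start = as_date(password_set)
    return {d: evaluate(rules, UserRecord(start), start + timedelta(days=d - 1))
            for d in days}


if __name__ == "__main__":
    # The guide's example: 20 active, 5 warning, 5 grace days (set date constructed).
    rules = AgingRules(by_date=True, active_days=20, warning_days=5, grace_days=5)
    print(date_timeline(rules, "1999-07-01", [20, 21, 25, 26, 30, 31]))
```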

IP Assignment

Configure the way to assign IP addresses to the users in this group.

  • No IP address assignment—No IP address is assigned to this group.
  • Assigned by dialup client—Click this option to use the IP address that is configured on the dialup client's network settings for TCP/IP.
  • Assigned from network access server pool—If this user is to have the IP address assigned by an IP Address pool assigned on the NAS, click this option and enter the NAS IP pool name in the text box.
  • Assigned from AAA server pool—If this user is to have the IP address assigned by an IP address pool assigned on the AAA Server, click this option. Select the AAA server IP pool name in the Available Pools list and click the right arrow button to move the name into the Selected Pools list. If there is more than one pool in the Selected Pools list, the users in this group are assigned to the first available pool in the order listed. To move a pool's position in the list, click the pool name and click Up or Down until the pool is in the position you want.

TACACS+ Settings (Group)

If a NAS has been configured to use TACACS+ as the security control protocol, TACACS+ service/protocol/attribute configuration is displayed. Enable and configure the parameters to be applied for the authorization of each user who belongs to the group. The default service-protocol settings displayed for TACACS+ are:

  • PPP-IP
  • Shell (Exec)

To display or hide additional services or protocols, click Interface Configuration: TACACS+ (Cisco).

Select the services and protocols to be authorized for the Group by checking the box next to the protocol-service. Below each service-protocol, select the attributes to further define the authorization for that protocol-service. In the case of access control lists (ACLs) and IP address pools, the name of the ACL or pool as defined on the NAS should be entered. (An ACL is a list of Cisco IOS commands used to restrict access to or from other devices and users on the network.) Leave blank if the default (as defined on the NAS) should be used. More information about attributes can be found in "TACACS+ Attribute-Value Pairs," or your NAS documentation.


Note      You can define and download an ACL. Click Interface Configuration: TACACS+ (Cisco) and click Display a Window for each service selected in which you can enter customized TACACS+ options. A box opens under each service-protocol in which you can define an ACL.


When configuring Shell (Exec), you can define the Cisco IOS commands and arguments to be permitted or denied. Click the box to enable the command, enter the name of the command, define its arguments using standard permit or deny syntax, and define whether Unlisted Arguments are to be permitted or denied. You can enter any number of commands.

To add fields, submit the changes for the first commands and re-enter Group Setup. The submitted commands appear and additional fields become available.

  • IOS Commands—Check the Command check box and enter a list of Cisco IOS commands. If you click Deny, users will be able to issue only those commands listed. If you click Permit, users will be able to issue all commands not specifically listed. This is an advanced feature and should only be used by administrators who understand the security implications.
  • Command—Check this check box and enter the attributes to be stored at each of the TACACS+ service/protocol configuration sections. This allows special strings such as a downloadable access control list to be downloaded to the NAS. This is a powerful, advanced feature and should be completed by someone skilled with Cisco IOS commands, because correct syntax is the administrator's responsibility.
    • Arguments—Enter any arguments for the Cisco IOS commands listed previously.
    • Unlisted Arguments—To allow users to issue only those arguments listed, click Deny. To allow users to issue all arguments not specifically listed, click Permit.

Note      This is an advanced feature and should only be used by administrators who understand the security implications.


  • Default (Undefined) Services—Click this box to allow all services to be permitted unless specifically listed and disabled.

Note      This is an advanced feature and should only be used by administrators who understand the security implications.


RADIUS (IETF)

These parameters are displayed only when the NAS has been configured to use RADIUS (IETF). See "RADIUS Attribute-Value Pairs," and your NAS documentation for a list and explanation of RADIUS attributes. RADIUS attributes are sent as a profile for each user from CiscoSecure ACS to the requesting NAS. To display or hide any of these attributes, see the "TACACS+ or RADIUS Protocol Configuration Options" section.

Select the attributes to be authorized for the Group by checking the box next to the attribute, then define the authorization for the attribute in the field next to it. More information about attributes can be found in the appendix of this document or your NAS documentation.

RADIUS (Cisco)

The RADIUS (IETF) and RADIUS (Cisco) parameters are displayed only if a NAS has been configured to use RADIUS (Cisco). RADIUS (Cisco) represents the Cisco Vendor Specific Attribute (VSA), IETF attribute number 26. Therefore, when configuring RADIUS (Cisco), both IETF and Cisco VSA apply. The default attribute setting displayed for RADIUS (Cisco) is Cisco VSA, which is packed as a RADIUS VSA (attribute number 26, using Cisco's Vendor ID of 9).


Note      To hide or display additional IETF attributes, see the "TACACS+ or RADIUS Protocol Configuration Options" section.



Step 1   For the IETF attributes, select the attributes to be authorized for the Group by checking the box next to the attribute. Be sure to further define the authorization for the attribute in the field next to it. More information about attributes can be found in "RADIUS Attribute-Value Pairs," or your NAS documentation.

Step 2   For the Cisco VSA, enter the commands (such as TACACS+ commands) to be packed as a RADIUS VSA.


Note      The RADIUS (IETF) attributes are shared among the different RADIUS vendors. You must configure the first 74 RADIUS attributes using the RADIUS (IETF) dictionary.
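To make the packing concrete, here is an added example (not code from the guide or from CiscoSecure ACS) that encodes a Cisco AV pair as the IETF Vendor-Specific attribute (type 26) with Cisco's Vendor ID 9, and walks a RADIUS attribute list back out, rejecting malformed lengths. The VSA layout is the RFC 2865 format; the vendor-type value 1 for cisco-avpair and the sample AV pairs are this example's assumptions rather than values taken from the guide.

```python
# Added example (not from the guide): packing a Cisco AV pair as the IETF
# Vendor-Specific attribute (type 26) with Cisco's Vendor-Id 9, and parsing
# VSAs out of a RADIUS attribute list. Vendor-type 1 (cisco-avpair) and the
# sample AV pair strings are assumptions of this example.
import struct

VENDOR_SPECIFIC = 26   # IETF attribute number reserved for VSAs
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1       # Cisco vendor-type carrying "protocol:attr=value" strings


def pack_cisco_avpair(avpair: str) -> bytes:
    """One complete attribute: type 26 | length | vendor-id | vtype | vlen | value."""
    value = avpair.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    total = 6 + len(sub)          # type + length + 4-byte vendor-id + sub-attribute
    if total > 255:               # the attribute length field is a single octet
        raise ValueError("AV pair too long for a single RADIUS attribute")
    return struct.pack("!BBI", VENDOR_SPECIFIC, total, CISCO_VENDOR_ID) + sub


def unpack_vsas(attrs: bytes) -> list:
    """Walk a RADIUS attribute list; return (vendor_id, vendor_type, value) per VSA.
    Non-VSA attributes are skipped; bad lengths raise instead of being guessed."""
    found, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("attribute length %d out of range" % alen)
        if atype == VENDOR_SPECIFIC:
            if alen < 8:
                raise ValueError("VSA too short to hold a vendor-id and sub-attribute")
            vendor = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            j, end = i + 6, i + alen
            while j < end:
                if j + 2 > end:
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = attrs[j], attrs[j + 1]
                if vlen < 2 or j + vlen > end:
                    raise ValueError("vendor length %d out of range" % vlen)
                found.append((vendor, vtype, attrs[j + 2:j + vlen]))
                j += vlen
        i += alen
    return found


def cisco_avpairs(attrs: bytes) -> list:
    """Just the cisco-avpair strings from an attribute list, in order."""
    return [v.decode("ascii") for vid, vt, v in unpack_vsas(attrs)
            if vid == CISCO_VENDOR_ID and vt == CISCO_AVPAIR]


if __name__ == "__main__":
    # Constructed attribute list: a User-Name (type 1) followed by one Cisco VSA.
    attrs = bytes([1, 5]) + b"bob" + pack_cisco_avpair("shell:priv-lvl=15")
    print(attrs.hex(), cisco_avpairs(attrs))
```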


RADIUS (Ascend)

The RADIUS (IETF) and RADIUS (Ascend) parameters are displayed only if a NAS has been configured to use RADIUS (Ascend). RADIUS (Ascend) represents the Ascend proprietary attributes. Therefore, when configuring RADIUS (Ascend), both IETF and Ascend apply (proprietary attributes override IETF when conflicting).

The default attribute setting displayed for RADIUS is Ascend-Remote-Addr.

To display additional, or hide any/all of these IETF attributes, see the "TACACS+ or RADIUS Protocol Configuration Options" section.


Step 1   For the IETF attributes, select which attributes should be authorized for the Group by checking the box next to the attribute. Be sure to further define the authorization for that attribute in the field next to it. More information about attributes can be found in the appendix of this document or your NAS documentation.

Step 2   For the Ascend attributes, select which attributes should be authorized for the Group by checking the box next to the attribute. Be sure to further define the authorization for that attribute in the field next to it. More information about attributes can be found in "RADIUS Attribute-Value Pairs," or your NAS documentation.


Note The RADIUS (IETF) attributes are shared among the different RADIUS vendors. You must configure the first 74 RADIUS attributes using the RADIUS (IETF) dictionary.


Step 3   Click Submit + Restart. The group attributes are applied and services are restarted. The Edit window opens. (Click Submit if you want to save your changes and apply them later by restarting the services.)


Note Restarting the service clears the Logged-in User Report and temporarily interrupts all of the CiscoSecure ACS services. This will affect the Max Sessions counter.


Step 4   Verify that your changes were applied by selecting the group and clicking Edit Settings. View the settings.

Renaming a Group

To rename a group, follow these steps:


Step 1   Click Group Setup. The Select window opens.

Step 2   Select a group from the drop-down list.

Step 3   Click Rename Group.

Step 4   Enter the new name in the Group field. Group names cannot contain angle brackets (< or >).

Step 5   Click Submit. The Select window opens with the new group name selected.


Note      The group remains in the same position in the list box. The number value of the group is still associated with this group name. Some utilities, such as the database import utility, use the numeric value associated with the group.


Network Configuration

The NASes and AAA Servers you use with CiscoSecure ACS must be configured and active on the network. If you are not using Network Device Groups (NDGs), when you click Network Configuration in the button bar, you will see at least two tables: Network Access Servers and AAA Servers. To configure a NAS or AAA server, just click the applicable name.

If you are using NDGs, you will see only the Network Device Groups table. To configure a NAS or AAA server, click the name of the NDG to which the device is assigned. If the device is not assigned to an NDG, it will automatically belong to the Not Assigned group.

In either case, if you have enabled Distributed Systems Settings, you will also see the Proxy Distribution Table.

Network Device Groups

Network Device Grouping (NDG) is an advanced feature that allows you to view and administer a collection of network devices as a single logical group. To simplify administration, each group can be assigned a convenient name that can be used to refer to all devices within that group. This creates two levels of network devices within CiscoSecure ACS—single discrete devices such as an individual router or NAS, and an NDG; that is, a collection of routers or AAA servers. For more information on NDGs, see "Network Device Groups" in "Overview of CiscoSecure ACS 2.4 for Windows NT Server."

You can assign groups of users to NDGs. See the "Group Settings" section for more information.

To add an NDG, follow these steps:


Step 1   Click Add Entry.

Step 2   Enter the name of the new NDG. The maximum name length is 19 characters. Quotation marks (") and commas (,) are not allowed. Spaces are allowed.

Step 3   Click Submit.

To assign an unassigned NAS or AAA server to a group, click Not Assigned.

To reassign a NAS or AAA server to a new group, click the name of its current group.

Adding and Configuring a NAS

To add a NAS, follow these steps:


Step 1   Click Network Configuration.

Step 2   If you are using NDGs, click the name of the NDG to which the NAS is assigned.

Step 3   Click Add New Access Server.

Step 4   If you are adding a NAS, in the Network Access Server Hostname box, enter the name assigned to this access server. You can also enter the information for a Cisco Systems PIX firewall in this field.


Note This field does not appear if you are configuring an existing NAS.


Step 5   In the Network Access Server IP address box, enter the IP address assigned to this access server. You can also enter the information for a Cisco Systems PIX firewall in this field.

Step 6   In the Key box, enter the shared secret that the TACACS+ or RADIUS NAS and CiscoSecure ACS use to encrypt the data. For correct operation, the identical key (case-sensitive) must be configured on the NAS and CiscoSecure ACS.

Step 7   If you are using NDGs, from the Network Device Group drop-down menu, select the name of the NDG to which this NAS should belong, or select Not Assigned to have this NAS be independent of NDGs.


Note To enable NDGs, click Interface Configuration: Advanced Options: Network Device Groups.


Step 8   From the Authenticate Using drop-down list, select the network security protocol. Select one of the following options:

  • TACACS+ (Cisco)—You would usually select the TACACS+ option when using Cisco Systems access servers, routers, and firewalls.
  • RADIUS (IETF)—These are the standard IETF RADIUS attributes. You would usually select this option if you are using devices using RADIUS from more than one manufacturer.
  • RADIUS (Cisco)—This is IETF attribute number 26, the Vendor Specific Attribute (VSA). This option allows you to pack commands sent to a Cisco NAS. The commands are defined in the Group Setup window. Select this option for RADIUS environments in which key TACACS+ functions are required to support Cisco equipment.
  • RADIUS (Ascend)—Click this option to see the listing of the Ascend RADIUS attributes.

Step 9   If you are using the TACACS+ security protocol, select Single Connect TACACS+ NAS to allow a stop record to be sent to the TACACS+ accounting log for each user connected through the NAS.


Note If your connection is unreliable, do not use this feature.


Step 10   Select the Log Update/Watchdog Packets from this Access Server option to allow accounting packets sent by the NAS to be logged in the Reports & Activity: TACACS+ Accounting or RADIUS Accounting reports.

Step 11   Select the Log RADIUS tunnelling Packets from this Access Server option to allow RADIUS tunnelling accounting packets to be logged in the Reports & Activity: RADIUS Accounting reports.

Step 12   Click Submit or Submit + Restart.


Note Restarting the service clears the Logged-in User Report and temporarily interrupts all of the CiscoSecure ACS services. This will affect the Max Sessions counter.


For more information on Network Configuration, see "Distributed Systems."

Adding and Configuring a AAA Server

To configure a AAA server, follow these steps:


Step 1   From either the Network Configuration window or the Network Device Groups Table, click Add Entry to add a new AAA server or click the name of the AAA Server to edit an existing server.

Step 2   If this is a new AAA Server, in the AAA Server Name box, enter a name for the remote AAA server.


Note This item does not display for an existing AAA Server.


Step 3   In the AAA Server IP Address box, enter the IP address assigned to the remote AAA server.

Step 4   In the Key box, enter the shared secret that the remote AAA server and the CiscoSecure ACS use to encrypt the data. For correct operation, the identical key (case-sensitive) must be configured on both the remote AAA server and CiscoSecure ACS.

Step 5   From the Network Device Group drop-down box, select the NDG to which this AAA Server belongs.


Note To enable NDGs, click Interface Configuration: Advanced Options: Network Device Groups.


Step 6   Select the Log Update/Watchdog Packets when proxied to/from this AAA Server option to allow accounting packets sent or received by the AAA server to be logged in the Reports & Activity reports.

Step 7   In the AAA Server Type drop-down menu, select the protocol the remote AAA server is configured to use:

  • RADIUS—Select this option if the remote AAA server is configured using the RADIUS protocol.
  • TACACS+—Select this option if the remote AAA server is configured using the TACACS+ protocol.
  • CiscoSecure ACS for Windows NT—Select this item if the remote AAA server is another CiscoSecure ACS for Windows NT.

Step 8   The Traffic Type field defines the direction in which traffic to and from the remote AAA server is allowed to flow from this local CiscoSecure ACS. From the Traffic Type drop-down menu, select one of the following options:

  • Inbound—The selected AAA server accepts requests that have been forwarded to it and does not forward the request to another AAA server. Select this option if you do not want to allow any authentication requests to be forwarded.
  • Outbound—The selected AAA server sends out authentication requests but does not receive them. If a distribution table entry is configured to proxy authentication requests to a AAA server that is configured for Outbound, the authentication request is not sent.
  • Inbound/Outbound—The specified AAA server both forwards and accepts authentication requests. This allows the selected server to handle authentication requests in any manner defined in the distribution tables.

Distribution Tables

If you have Distributed Systems Settings enabled, when you click Network Configuration, you will see the Distribution Table used for proxy.

Proxy is a powerful feature that allows you to use CiscoSecure ACS for authentication in a network that uses more than one AAA server. It is useful for users who dial in to a NAS other than the one they normally use; for example, business travelers and telecommuters. In order to use proxy, you must first click Interface Configuration: Advanced Options and enable Distributed System Settings. If you are using the same AAA protocol on all ends of the connection, all attributes are recognized and interpreted properly.


Note      In a network that uses more than one type of RADIUS protocol, CiscoSecure ACS accepts only IETF attributes. All other attributes, such as proprietary attributes, are not interpreted. If the AAA protocol for RADIUS is configured uniformly with the same attributes, all attributes are recognized.


The Distribution Table shows the Character Strings on which to proxy, the AAA Servers to proxy to, whether to strip the character string, and where to send the accounting information (Local/Remote, Remote, or Local).

The Distribution Table originally includes only the Default table, which includes this Windows NT server. After you add entries, this table includes a list of the proxies that you have configured. To add an entry, click Add Entry. To change a configuration, click the applicable character string. To sort the entries, click Sort Entries.

Adding a New Distribution Table Entry

To create a new Distribution Table entry, follow these steps:


Step 1   Click Network Configuration.

Step 2   Click the Add Entry button that is below the Distribution Table.

Step 3   In the Character String box, enter the string of characters, including the delimiter, on which to forward when users dial in to be authenticated; for example, .uk.


Note Angle brackets (< and >) cannot be used.


Step 4   From the Position drop-down menu, select Prefix if the character string you entered appears at the beginning of the username or Suffix if the character string appears at the end of the username.

Step 5   From the Strip drop-down menu, select Yes if the character string you entered is to be stripped off the username, or No if it is to be left intact.

Step 6   In the AAA Servers column, select the AAA server you want to use for proxy. Click > to move it to the Forward To column. To remove the server from the distribution table, click < to move it back to the AAA Servers column. You can then select additional AAA servers to use for backup proxy in the event the prior servers fail. In the Forward To column, click the name of the applicable server and click Up or Down to move it into the position you want. If the AAA server you want to use is not listed, click Network Configuration: AAA Servers: Add Entry and enter the applicable information.

Step 7   From the Send Accounting Information drop-down menu, select one of the following areas to report accounting information to:

  • Local—Keep accounting packets on the local CiscoSecure ACS
  • Remote—Send accounting packets to the remote CiscoSecure ACS
  • Local/Remote—Send accounting packets to both the local and remote CiscoSecure ACSes

This information is especially important if you are using the Max Sessions feature to control the number of connections a user is allowed. Max Sessions depends on accounting start and stop records, and where the accounting information is sent will determine where the Max Sessions counter is tracked. The Failed Attempts and Logged in Users logs are also affected by where the accounting records are sent.

Setting the Match Order

This window allows you to set the order in which CiscoSecure ACS handles the entries in the distribution table when users dial in. To be able to sort the tables, you must have already configured at least two distribution tables in addition to the default table. Click the name of the character string to move, then click Up or Down to move it to the position you want. When you have finished, click Submit or Submit + Restart.
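The following is an added example, not code from the guide or from CiscoSecure ACS, showing how the entries described above resolve a dial-in username: entries are tried in the configured match order, the first whose character string matches at its Position wins, the string is stripped when Strip is Yes, and the ordered Forward To list (later servers are backups) and the Send Accounting choice come back with the result. The server names are constructed, and the Default entry is modelled as an empty character string that matches everything and keeps authentication on the local server.

```python
# Added example (not from the guide): resolving a dial-in username against a
# proxy Distribution Table in match order. Server names are constructed; the
# Default entry is modelled as an empty string that matches every username.
from dataclasses import dataclass, field

LOCAL = "local CiscoSecure ACS"   # stand-in for this Windows NT server


@dataclass
class DistributionEntry:
    char_string: str               # including the delimiter, e.g. ".uk"
    position: str = "suffix"       # "prefix" or "suffix"
    strip: bool = True             # Strip: Yes removes the string before forwarding
    forward_to: list = field(default_factory=list)  # ordered; empty = local
    accounting: str = "local"      # "local", "remote" or "local/remote"

    def __post_init__(self):
        if self.position not in ("prefix", "suffix"):
            raise ValueError("position must be 'prefix' or 'suffix'")

    def matches(self, username: str) -> bool:
        if self.char_string == "":             # the Default entry
            return True
        if self.position == "prefix":
            return username.startswith(self.char_string)
        return username.endswith(self.char_string)

    def stripped(self, username: str) -> str:
        if not self.strip or self.char_string == "":
            return username
        n = len(self.char_string)
        return username[n:] if self.position == "prefix" else username[:-n]


def resolve(table: list, username: str) -> dict:
    """First matching entry in match order, and what ACS would do with the request."""
    for entry in table:
        if entry.matches(username):
            return {"entry": entry.char_string,
                    "username": entry.stripped(username),
                    "forward_to": entry.forward_to or [LOCAL],
                    "accounting": entry.accounting}
    raise LookupError("no entry matched; keep the Default entry last in the table")


def choose_server(forward_to: list, reachable) -> str:
    """Backup proxy: the first server in Forward To order that is reachable."""
    for server in forward_to:
        if reachable(server):
            return server
    raise ConnectionError("all proxy targets for this entry failed")


if __name__ == "__main__":
    # Constructed table. ".co.uk" must sit above ".uk", otherwise ".uk" matches
    # first and the forwarded name keeps a dangling ".co" (see Setting the Match Order).
    table = [
        DistributionEntry(".co.uk", "suffix", True, ["acs-uk-1", "acs-uk-2"], "remote"),
        DistributionEntry(".uk", "suffix", True, ["acs-uk-1"], "local/remote"),
        DistributionEntry("de/", "prefix", False, ["acs-de"], "local"),
        DistributionEntry(""),                  # Default: authenticate locally
    ]
    for name in ("alice.co.uk", "bob.uk", "de/hans", "dave"):
        print(name, "->", resolve(table, name))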

System Configuration

To edit your current CiscoSecure configuration, click System Configuration. The Select window opens. Select one of the following options.


Note      If the feature you want is not displayed, click Interface Configuration: Advanced Options and enable the applicable feature. You might also need to enable Distributed System Settings.


  • Service Control—Open the window in which you can stop or restart the CiscoSecure ACS services.
  • Logging—Select the various CiscoSecure ACS reports and customize the type of information that is captured and presented.
  • Date Format Control—Select whether to use "Month/Day/Year" or "Day/Month/Year" format.
  • Password Validation—Configure parameters for user passwords.
  • CiscoSecure Database Replication—Configure Database Replication among CiscoSecure ACS servers.
  • RDBMS Synchronization—Configure RDBMS synchronization.

Note To use this option you must have already enabled and configured the ODBC-compliant relational database.


  • ACS Backup—Back up or configure parameters for backing up your ACS system.
  • ACS Restore—Restore or configure parameters for restoring your ACS configuration from an ACS Backup file.
  • ACS Service Management—Configure the CiscoSecure ACS monitoring service, CSMon, and e-mail notification of CSMon events.
  • IP Pools Address Recovery—Enable automatic recovery of IP Pools whose addresses have not been used for a specified amount of time.
  • IP Pools Server—Configure IP Pools. The IP Pools feature allows you to assign the same IP address to multiple users, as long as the users are on different segments of the network. This allows you to reuse IP addresses and reduce the number of IP addresses on your network. When you enable the IP Pools feature, CiscoSecure ACS dynamically issues IP addresses from the IP pools you have defined by number or name. You can configure up to 999 IP pools, for a total of approximately 255,000 users.

Note To use the IP Pools feature, you must set up your NAS to perform Authentication and Accounting using the same protocol—either TACACS+ or RADIUS.


Service Control

To restart or stop services, click Service Control.

Restarting or Stopping Services

Click the applicable button to restart or stop services. This stops, or stops and restarts, all CiscoSecure services except CSAdmin. CSAdmin controls the browser interface and must continue to run. This achieves the same result as starting and stopping all of the services (excluding CSAdmin) from within the Windows NT Control Panel. CSAdmin is the web server for the interface, and it is not restarted. It is left on to prevent remote administrators from losing access. If the service needs to be restarted, CSAdmin can be started or stopped from the Services icon in the Windows NT Control Panel. However, it is best to allow CiscoSecure ACS to handle the services because there are dependencies in the order in which the services are started.

Services Log File Configuration

The options in this section control the parameters for the Service log file and directory.

  • Level of detail—Click one of the following options to determine the level of detail that appears in the log file:
    • None—No log file is generated
    • Low—Only start and stop actions are logged
    • Full—All services actions are logged
  • Generate new file—If you selected Low or Full for Level of detail, click one of the following options to configure when the new log file is generated.

Note To make sure your system is set to your local time, click Start: Settings: Control Panel: Regional Settings.


    • Every Day—Click this option to have CiscoSecure ACS generate a new log file at 12:01 am local time every day.
    • Every Week—Click this option to have CiscoSecure ACS generate a new log file at 12:01 am local time every Sunday.
    • Every Month—Click this option to have CiscoSecure ACS generate a new log file at 12:01 am on the first day of every month.
    • When Size is Greater than X KB—Click this button and enter the number of kilobytes after which to have CiscoSecure ACS generate the new log file. The default is 2048 KB.
  • Manage Directory—To configure parameters for the directory for the Services log files, click Manage Directory and one of the following options:
    • Keep only the last X files—Click this option and enter the maximum number of Services log files to keep in the log directory. The default is 7 files.
    • Delete files older than X days—Click this option and enter the maximum number of days to keep the Services log files in the log directory. The default is 7 days.

Logging

CiscoSecure ACS generates CSV and ODBC log files for the administrative and accounting events for the protocols and options you have enabled. See "Logging," for more information and instructions for configuring the Logging options.

Date Format Control

Select whether to use a "Month/Day/Year" or "Day/Month/Year" format on the CiscoSecure ACS HTML interface. Note that this does not affect the accounting logs.


Note      In order for the changes to be seen in the HTML interface reports, you must restart the connection to the Administration server. Click Administration Control, then click the logoff (X) button in the upper right corner of the window.


In order for the changes to be used in the Administrator server logs, you must manually restart the Administrator server using the Windows NT Control Panel. See your Microsoft documentation for instructions.


Note      If you have reports that were generated before you change the format, be sure to move or rename them to avoid conflicts. For example, if you are using the month/day/year format, a report generated on July 12, 1999, will be named 1999-07-12.csv. If you change to the day/month/year format, on December 7, 1999, a file will be created that is also named 1999-07-12.csv and the existing file will be overwritten.
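The collision described in the note is easy to miss because only filenames whose last two fields are both 12 or less are affected. The script below, an added example that is not part of CiscoSecure ACS or this guide, reads a directory listing of report names, determines which of them would be reused for a different day after the format switch, and produces a rename plan for just those files. The only fact taken from the page is the naming pattern (a month/day/year report for July 12, 1999 is 1999-07-12.csv, and December 7, 1999 produces the same name under day/month/year); the function names, the "iso-" prefix used for renamed files and the sample file list are constructed.

```python
"""Identify report files whose YYYY-xx-yy.csv name is readable as two
different dates under the month/day/year and day/month/year conventions, so
they can be renamed before the Date Format Control setting is changed.
Added example, not part of CiscoSecure ACS or this guide: the naming fact
(a month/day/year report for July 12, 1999 is 1999-07-12.csv, and the same
name recurs on December 7, 1999 after switching) comes from the page; the
function names, the 'iso-' rename prefix and the sample file list are
constructed."""
import re
from datetime import date
from typing import Dict, Iterable, Optional

MDY, DMY = "mdy", "dmy"
REPORT_NAME = re.compile(r"^(\d{4})-(\d{2})-(\d{2})\.csv$")


def parse_report_name(name: str, fmt: str) -> Optional[date]:
    """Date denoted by an ACS report filename under fmt, or None if not a valid date."""
    m = REPORT_NAME.match(name)
    if not m:
        return None
    year, first, second = (int(g) for g in m.groups())
    month, day = (first, second) if fmt == MDY else (second, first)
    try:
        return date(year, month, day)
    except ValueError:          # e.g. month 25 under the other convention
        return None


def collides_after_switch(name: str, old_fmt: str, new_fmt: str) -> bool:
    """True if a later report written under new_fmt could reuse this filename
    for a different day (both fields are <= 12 and the two readings differ)."""
    old, new = parse_report_name(name, old_fmt), parse_report_name(name, new_fmt)
    return old is not None and new is not None and old != new


def rename_plan(names: Iterable[str], old_fmt: str, new_fmt: str) -> Dict[str, str]:
    """Map each colliding filename to an unambiguous ISO-dated name that the ACS
    naming pattern can never produce, preserving the date it meant under old_fmt."""
    plan: Dict[str, str] = {}
    for name in names:
        if collides_after_switch(name, old_fmt, new_fmt):
            meant = parse_report_name(name, old_fmt)
            plan[name] = f"iso-{meant.isoformat()}.csv"
    return plan


if __name__ == "__main__":
    # Constructed directory listing from a server that ran with month/day/year.
    listing = ["1999-07-12.csv", "1999-07-25.csv", "1999-07-07.csv", "Readme.txt"]
    for src, dst in rename_plan(listing, MDY, DMY).items():
        print(f"rename {src} -> {dst}")    # only 1999-07-12.csv is at risk
```

Run the plan as a dry run first; a name such as 1999-07-07.csv reads as the same day under both conventions and is therefore left alone, and 1999-07-25.csv is not a valid date under day/month/year and cannot be overwritten.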


Password Validation

The Password Validation option lets you configure parameters for user passwords.


Note Password validation applies only to user passwords stored in the CiscoSecure user database. It is not applied to Enable passwords, to administrator passwords, or to passwords held in external user databases.


Select one or more of the following options for user passwords:

  • Password length between X and Y characters—Enter the minimum and maximum number of characters that you want to require for the user's password, or leave the numbers set to the default of 4 and 32 characters.
  • Password may not contain the username—Check this option to require that the user's password does not contain the username anywhere within it.
  • Password is different from the previous value—Check this option to require the user's new password to be different from the previous password.
  • Password must be alphanumeric—Check this option to require the user's password to contain both letters and numbers.
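The four options above are simple to state but easy to implement loosely (for example, a case-sensitive username check lets "Alice2000" through for user "alice"). The following is an added example, not code from CiscoSecure ACS or this guide, that applies the same four rules with the ACS defaults of 4 and 32 characters and reports every rule a candidate password violates. The policy class, function names and sample accounts are constructed for illustration.

```python
"""Password checks modelled on the four CiscoSecure ACS Password Validation
options. This is an added example, not code from the product or this guide:
the rule set (length 4 to 32, no username, different from previous,
letters and digits) is taken from the page; the names and sample data are
constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 4            # ACS default lower bound
    max_length: int = 32           # ACS default upper bound
    forbid_username: bool = True   # "Password may not contain the username"
    forbid_previous: bool = True   # "Password is different from the previous value"
    require_alphanumeric: bool = True  # "Password must be alphanumeric"


DEFAULT_POLICY = PasswordPolicy()


def validate_password(new: str, username: str, previous: Optional[str],
                      policy: PasswordPolicy = DEFAULT_POLICY) -> List[str]:
    """Return the list of violated rules; an empty list means the password passes."""
    problems: List[str] = []
    n = len(new)
    if not policy.min_length <= n <= policy.max_length:
        problems.append(f"length {n} is not between {policy.min_length} "
                        f"and {policy.max_length}")
    # Compare case-insensitively: "Alice2000" still embeds the username "alice".
    if policy.forbid_username and username and username.lower() in new.lower():
        problems.append("password contains the username")
    if policy.forbid_previous and previous is not None and new == previous:
        problems.append("password is the same as the previous one")
    if policy.require_alphanumeric and not (
            any(c.isalpha() for c in new) and any(c.isdigit() for c in new)):
        problems.append("password must contain both letters and digits")
    return problems


if __name__ == "__main__":
    # Constructed samples: username, previous password, candidate new password.
    samples = [
        ("alice", "old1pass", "Xy7qLm2p"),     # passes
        ("alice", "old1pass", "Alice2000"),    # contains username
        ("bob", None, "abc"),                  # too short, no digit
        ("bob", "same1234", "same1234"),       # unchanged
    ]
    for user, prev, cand in samples:
        print(f"{user!r} -> {cand!r}: {validate_password(cand, user, prev) or 'OK'}")
```

Returning all violations rather than stopping at the first lets the administrator tell the user everything that is wrong in one round trip, which is the behaviour worth reproducing if these rules are enforced outside ACS (for example in a provisioning script).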

CiscoSecure Database Replication

Database replication lets you enable and schedule the method and times that the CiscoSecure ACS database is replicated by sending or receiving information from another CiscoSecure ACS database.

  • Replication Components—Select the components of the database that are to be replicated and whether this CiscoSecure ACS server is to receive or send the information. For increased security you might want to have one server always be the sender and the other servers always be the receivers. This also allows you to ensure that all your servers are configured identically.
    • User and Group Database—Replicate the information for groups and users.
    • AAA & Network Access Server Tables—Replicate the information for AAA servers and NASes.
    • Distribution Table—Replicate the stripping and proxy information.
    • Interface Configuration—Replicate the Interface Configuration: Advanced Options settings.
    • Interface Security Settings—Replicate the security information for the server interface.
    • Password validation settings—Replicate the password validation settings.
    • NAS settings—Replicate the NAS settings, such as name, IP address, key, protocol, NDG membership, and so on.
  • Replication Scheduling—Configure when CiscoSecure ACS replication will take place.
    • Manually—Do not replicate automatically.
    • Automatically Triggered Cascade—Replicate to a replication partner when information from a master is received.
    • Every X minutes—Enter the number of minutes after which replication is performed again. The default is 60.

Note If this time is set too low, replication might be incomplete; if it is set too high, replication might interfere with users' ability to authenticate if usernames are added frequently.


    • At specific times—At user-definable times during the week. Allows the administrator to define a schedule when replication will take place. The minimum resolution is one hour, and replication takes place on the hour selected. Click Replicate to allow replication during those times or click No Replication to prevent replication during those times, then click the times during which you want replication to take place. Times when Replication is to take place are highlighted in green.
  • Replication Partners—Select the AAA server(s) to replicate to or from. Allows you to configure CiscoSecure ACS to be aware of other CiscoSecure ACSes. Click the name of the servers in the AAA Servers column and click -> to move the selected hosts to the Replication column. Click Up or Down to move the selected AAA server to the desired position in the column. Repeat these steps until all the desired servers are in the desired position in the Replication column.
  • Accept Replication From—To allow this CiscoSecure ACS to accept replication data from other CiscoSecure ACSes, click Accept replication from, then from the drop-down box click either Any Known CiscoSecure ACS For Windows NT Server or the name of the server from which to accept replication.
  • Replicate Now—Click to replicate immediately.

For more information on Database Replication, see "Database Information Management" and "Distributed Systems."

RDBMS Synchronization

You can propagate changes from user and group setup information and Network configuration, including AAA servers, NASes, and NDGs, to other databases using RDBMS Synchronization.

  • RDBMS Setup—Select the source of the data and the type of change.
    • Data Source—From the drop-down box, click the source of the data to be synchronized.
    • Username—Enter the username for the changed information.
    • Password—Enter the password for the user whose information has changed.
  • Synchronization Scheduling—Set the time-of-day and day-of-week during which synchronization is allowed to take place.
    • Manually—Do not synchronize automatically.
    • Every X minutes—The frequency between synchronizations. The default is 60 minutes. If this time is set too low, synchronization might be incomplete; if it is set too high, synchronization might interfere with users' ability to authenticate.
    • At specific times—At user-definable times during the week. This option allows the administrator to define when RDBMS Synchronization will take place. The minimum resolution is one hour, and synchronization takes place on the hour selected. Click the time of day and day of week and click Synchronize to allow synchronization during those times or click No Synchronization to prevent synchronization during those times.
  • Synchronization Partners—In the AAA Servers column, select the name of the AAA server(s) to synchronize to or from, then click -> to move the selected hosts to the Synchronize column. Click Up or Down to move the AAA server to the desired position in the column. Repeat until all the desired servers are in the desired position in the Synchronize column.
  • Synchronize Now—Click Synchronize Now to synchronize immediately.

For more information on RDBMS Synchronization, see "Database Information Management," and "Distributed Systems."

ACS Backup

ACS Backup lets you back up selected components of your ACS system to the local hard drive. Components that are backed up can include your user and group databases and/or your CiscoSecure ACS System Configuration information.

ACS Backup Scheduling

To schedule the times at which the ACS system data is backed up, follow these steps:


Step 1   Click System Configuration: ACS Backup.

Step 2   In the ACS Backup Scheduling section, select one of the following schedules:

  • Manual—Do not back up automatically.
  • Every X minutes—Enter the number of minutes between backups. The default is 60.

Note Because CiscoSecure ACS is momentarily shut down during backup, if the backup interval is set too low, users might be unable to authenticate.


  • At specific times—At user-definable times during the week. This option allows the administrator to define when backup will take place. The minimum is one hour, and backup takes place on the hour selected. Click Perform Backup or Do Not Perform Backup and click the times at which you want backup performed or prevented. Selected times will be highlighted in green.

Backup Location

Enter the name of the directory in which to place the backup files. This directory must already exist; CiscoSecure ACS will not create it for you.

Manage Directory

To configure parameters for the directory for the backup files, click Manage Directory and one of the following options:

  • Keep only the last X files—Keep the most recent X files, where X is the number you enter. The default is 7.
  • Delete files older than X days—Delete all files older than X days old, where X is the number you enter. The default is 7.

Backup Now

Click Backup Now to backup the ACS system information immediately.

ACS System Restore

ACS System Restore lets you restore your ACS system data from a backup file that was created during the ACS Backup process.

Select Backup to Restore From

In the Directory box, select or enter the name of the directory that contains the .dmp backup file you want to use. Click OK. Then select the name of the backup file whose information you want to restore. This file must already exist. The most recent file is listed at the top. If this system has never been backed up, <no matching files> displays.

Select Components to Restore

You can select either or both of the following options for restoring the system information:

  • User and Group Database—Restore only the information in the User and Group Database.
  • CiscoSecure ACS System Configuration—Restore your CiscoSecure ACS information, such as AAA server information, schedules, and so on.

ACS Active Service Management Setup

The ACS Active Service Management (CSMon) feature lets you monitor all CiscoSecure ACS services.

System Monitoring

In the System Monitoring section, click the applicable check box and select from the following options:

  • Test login process every X minutes—Click this check box and enter the frequency in minutes at which the login process is tested.
  • on failure—From the drop-down box, select the action to take when the login process fails the test:
    • Restart All—Restart all CiscoSecure ACS services
    • Restart RADIUS/TACACS+—Restart only the RADIUS and/or TACACS+ services
    • Reboot—Reboot the machine on which CiscoSecure ACS is running
    • Take No Action—Leave CiscoSecure ACS operating as-is.
  • Generate event when an attempt is made to log in to a disabled account—Send email and log when a user attempts to log in to a disabled account.

Event Logging

In the Event Logging section, click the applicable check box and select from the following options:

  • Log all events to the NT Event log—Check this check box to have CiscoSecure ACS log all events to the Windows NT Event Log. To view the Windows NT Event Log, click Start: Administrative Tools: Event Viewer. For more detailed information about an event, click the applicable event, then click View: Details.
  • Email notification of event—Check this check box to have CiscoSecure ACS send an email when the events you selected in the System Monitoring section occur.
    • To—Enter the email address of the recipient.
    • SMTP Mail server—Enter the name of the mail server from which mail is to be sent.

Note Do not use underscores in the email addresses you enter in this field.


IP Pools Address Recovery

The IP address recovery feature lets you reclaim IP addresses that have not been used for a specified period of time. For CiscoSecure ACS to reclaim addresses correctly, accounting must be configured on the NAS, because ACS learns that an address is idle from the accounting records it receives.

To enable IP Pool address recovery, in the Address Allocation Lifespan section, click the Release address if allocated for longer than x hours check box and enter the number of hours of inactivity after which the address should be released. This must be a positive number.


Note      When the unused IP addresses are recovered, all IP addresses are recovered.


IP Pools Server

The IP Pools feature allows you to assign the same IP address to multiple users, as long as the users are on different segments of the network. This means you can re-use IP addresses and reduce the number of IP addresses on your network. When you enable the IP Pools feature, CiscoSecure ACS dynamically issues IP addresses from the IP pools you have defined by number or name. You can configure up to 999 IP pools, for a total of approximately 255,000 users.

If you are using IP pooling and proxy, all accounting packets are proxied so that the CiscoSecure ACS that is assigning the IP addresses can confirm whether an IP address is already in use.

To use IP pools, the NAS must have network authorization (aaa authorization network) and accounting (aaa accounting) enabled.


Note      To use the IP Pools feature, you must set up your NAS to perform Authentication and Accounting using the same protocol—either TACACS+ or RADIUS.


CiscoSecure ACS provides automated detection of overlapping pools. To enable the use of overlapping pools, click Allow Overlapping Pool Address Ranges.


Note      To use overlapping pools, you must be using RADIUS with virtual private networking (VPN), and you cannot be using Dynamic Host Configuration Protocol (DHCP).


Configuring IP pooling is a three-step process:


Step 1   Create the IP Pool on the AAA server.

Step 2   Assign a name or number to the IP pool.

Step 3   Assign a group or user to the IP pool.

For information on assigning a group or user to an IP pool, see the "Group Setup" or "User Setup" sections.

Select one of the following options:

  • Add Entry—Click to add an IP pool.
  • Allow Overlapping Pool Address Ranges—Click to disable CiscoSecure ACS checking of overlapping IP pools. Toggles between this option and the Force Unique Pool Address Range option.

Note This option should be used only by very experienced administrators.


  • Force Unique Pool Address Range—Click to enable CiscoSecure ACS checking for overlapping of IP pools. Toggles between this option and the Allow Overlapping Pool Address Ranges option.
  • Refresh—Click to refresh the window. This allows you to see when an IP pool has come into use or is no longer in use.

Adding a New IP Pool

When you add a new pool, you will need to enter information for the following options:

  • New Pool—Enter the information for the IP pool you are adding.
  • Name—Enter the name or number you want to assign to the IP pool. Names can consist of any combination of numbers, letters, or symbols.

Note Cisco recommends that you do not use spaces in IP pool names.


  • Start Address—Enter the first IP address for the range of the IP pool.
  • End Address—Enter the ending IP address of the IP Pool. The first three octets of the Start and End addresses must be the same. For example, if the start address is 192.168.1.1, the end address must be between 192.168.1.2 and 192.168.1.255. All addresses must be on the same Class C network.
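The same-Class-C rule above, together with the overlap check that ACS performs unless Allow Overlapping Pool Address Ranges is selected, can be reproduced outside the interface, which is useful when pools are generated from a spreadsheet before being typed in. The following is an added example and not ACS code: the two rules come from the page, while the pool names and addresses are constructed, and the warnings about spaces in names and about the .0 and .255 addresses are practitioner notes rather than anything ACS enforces.

```python
"""Checks for a CiscoSecure ACS IP pool definition: start and end on the same
Class C network, end above start, and overlap against the pools already
defined (which ACS refuses unless Allow Overlapping Pool Address Ranges is
set). Added example, not ACS code; the rules are from the page, the pool
names and addresses are constructed, and the warnings about .0/.255 and
spaces in names are the editor's practitioner notes, not ACS behaviour."""
import ipaddress
from typing import List, NamedTuple, Tuple


class Pool(NamedTuple):
    name: str
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address

    def size(self) -> int:
        return int(self.end) - int(self.start) + 1


def parse_pool(name: str, start: str, end: str) -> Pool:
    """Build a Pool, enforcing the same-first-three-octets and ordering rules."""
    s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if s.packed[:3] != e.packed[:3]:
        raise ValueError(f"{name}: start and end must share their first three octets")
    if e <= s:
        raise ValueError(f"{name}: end address must be higher than start address")
    return Pool(name, s, e)


def pool_warnings(pool: Pool) -> List[str]:
    """Practitioner warnings the ACS interface does not enforce."""
    notes = []
    if " " in pool.name:
        notes.append("name contains a space (Cisco recommends against this)")
    if pool.start.packed[3] == 0 or pool.end.packed[3] == 255:
        notes.append("range includes .0 or .255, the network/broadcast address "
                     "of a real Class C subnet")
    return notes


def overlapping(pools: List[Pool]) -> List[Tuple[str, str]]:
    """Pairs of pool names whose address ranges share at least one address."""
    hits = []
    for i, a in enumerate(pools):
        for b in pools[i + 1:]:
            if a.start <= b.end and b.start <= a.end:   # closed-interval overlap
                hits.append((a.name, b.name))
    return hits


if __name__ == "__main__":
    # Constructed pool definitions: pool2 overlaps pool1 on 192.168.1.50-.100.
    pools = [
        parse_pool("pool1", "192.168.1.1", "192.168.1.100"),
        parse_pool("pool2", "192.168.1.50", "192.168.1.200"),
        parse_pool("vpn users", "10.0.5.1", "10.0.5.255"),
    ]
    print("overlaps:", overlapping(pools))
    for p in pools:
        for w in pool_warnings(p):
            print(f"{p.name}: {w}")
    try:
        parse_pool("bad", "192.168.1.1", "192.168.2.5")
    except ValueError as err:
        print("rejected:", err)
```

Overlapping pools are only safe in the RADIUS-with-VPN case the earlier note describes; for any other deployment a non-empty result from the overlap check means two users can be handed the same address.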

Editing an Existing IP Pool

When you edit an existing pool, the following options are available:

  • Name—Edit the name or number of the IP pool, then click Submit.
  • Start Address—Edit the first IP address of the IP pool range, then click Submit.
  • End Address—Edit the ending IP address of the IP pool range, then click Submit. The first three octets of the start and end addresses must be the same. For example, if the start address is 192.168.1.1, the end address must be between 192.168.1.2 and 192.168.1.255. All addresses must be on the same Class C network.
  • In Use—This field indicates the number of IP addresses within this IP pool that are in use.
  • Available—This field indicates the total number of IP addresses that are available within this IP pool.
  • Refresh—The Refresh button recovers IP addresses within this IP pool when there are "dangling" connections; that is, the user has disconnected but no accounting stop packet was received. Click Reports and Activity: Failed Attempts. If there are a large number of Failed to Allocate IP Address For User messages, click Refresh to reclaim all allocated addresses in this IP Pool.

Note This can result in users being assigned addresses that are already in use.


  • Delete—To delete an IP pool, click Delete.

Note If you delete an IP pool that has users assigned to it, those users will not be able to authenticate until you edit the user profile and assign them to a different group.


Interface Configuration

The Interface Configuration window lets you display or hide fields in the other parts of the HTML user interface. The information for hidden fields will still be stored in CiscoSecure ACS, but you will not be able to see them unless you check the item here. This allows you to hide unused fields and view a clearer interface. You can configure the following items from the Interface Configuration window:

  • User Data Configuration
  • TACACS+ or RADIUS Protocol Configuration Options
  • Advanced Options

User Data Configuration

You can define up to five fields to contain information that you want to view for each user. The fields you define in this section will appear in the Supplementary User Information section at the top of the User Setup window. To define the fields, click Display and enter a Field Name in each applicable box. For example, you can set up fields for each user to display the user's email address, department, telephone number, and so on.

TACACS+ or RADIUS Protocol Configuration Options

These fields display only if you have configured a NAS with the applicable protocol. This lets you select the AV pairs you want to appear as a configurable option in the Group Setup window. Click the applicable option and click Submit. See the section "Group Setup" for more information on these fields.

Protocol Configuration Options for TACACS+

Check the box for either User and/or Group for each TACACS+ service that you want to appear as a configurable option in the User Setup and/or Group Setup window, accordingly. For correct operation, each protocol/service must be supported by the NAS. When you have finished selecting options, click Submit.

It is unlikely that you will use every service and protocol available for TACACS+. Displaying each would make setting up a user or group very cumbersome. To simplify setup, this section allows you to customize the services and protocols that are displayed.

This list has two sections:

  • TACACS+ Services—This section includes the most commonly used services and protocols for TACACS+.
  • New Services—Enter the new services or protocols to add. Select those that should be displayed for configuration under User Setup and/or Group Setup.

Advanced Configuration Options for TACACS+

The Advanced Configuration Options section lets you add more detailed information for even more tailored configurations. Click the applicable check box to enable the option to be displayed in the applicable setup window.

  • Advanced TACACS+ Features—This option displays or hides the Advanced TACACS+ Options section in the User Setup window. These options include Privilege Level Authentication and Outbound Password Configuration for SENDPASS and SENDAUTH clients, such as routers.
  • Display a Time-of-Day access grid for every TACACS+ service where you can override the default Time-of-Day settings—If this option is checked, a grid appears in the User Setup window that lets you override the TACACS+ scheduling attributes in the Group Setup window.
  • Display a window for each service selected in which you can enter customized TACACS+ attributes—If this option is checked, an area appears in the User Setup and Group Setup windows that lets you enter custom TACACS+ attributes.
  • Display enable Default (Undefined) Service Configuration—If this check box is checked, an area appears in the User Setup and Group Setup windows that allows you to permit unknown TACACS+ services, such as CDP.

Note This option should be used by advanced system administrators only.


Protocol Configuration Options for RADIUS (IETF)

This window displays a list of all of the attributes available for IETF RADIUS. Check the box for User and/or Group for each IETF RADIUS service that you want to appear as a configurable option in the User Setup and/or Group Setup window, accordingly. Each attribute selected must be supported by the NAS.

The RADIUS IETF attributes are available for any NAS configuration when using RADIUS. If you want to use IETF attribute #26, Vendor Specific Attribute (VSA) for Cisco, select RADIUS (Cisco) for the NAS. Attributes for RADIUS (IETF) and the Cisco VSA will appear in User Setup or Group Setup.

The Tags to Display Per Attribute option allows you to specify how many values to display for tagged attributes in the User Setup and Group Setup windows. Examples of tagged attributes are Tunnel-Type and Tunnel-Password.


Note      The RADIUS (IETF) attributes are shared with the RADIUS (Cisco) and RADIUS (Ascend) dictionaries. Configure the standard attributes under RADIUS (IETF) first; the vendor-specific pages add only that vendor's own attributes on top of them.


When you have finished selecting attributes, click Submit at the bottom of the page.

Protocol Configuration for RADIUS (Cisco)

This section allows you to enable the RADIUS Vendor Specific Attribute number 26. Selecting this attribute displays an entry field under User Setup and/or Group Setup in which any TACACS+ commands can be entered to fully leverage TACACS+ in a RADIUS environment.

Check the User and/or Group box next to attribute number 26, the VSA for Cisco. This attribute will then appear in the User Setup and/or Group Setup window, accordingly, as a configurable option with a field in which you can enter TACACS+ commands.

The RADIUS IETF attributes are available for any NAS configuration when using RADIUS. RADIUS IETF AV pairs are shared among all RADIUS vendors. Configure supported standard RADIUS attributes using the RADIUS IETF dictionary. Each selected attribute must be supported by the NAS. When you have finished selecting attributes, click Submit at the bottom of the page.

Protocol Configuration for RADIUS (Ascend)

This window displays a list of all of the attributes available for Ascend RADIUS. Check the box for User and/or Group for each Ascend RADIUS service that you want to appear as a configurable option in the User Setup and/or Group Setup window, accordingly. Each attribute selected must be supported by the access server. When you have finished selecting attributes, click Submit at the bottom of the page.

Advanced Options

Click the check boxes of the items you want to have displayed in the applicable area of the HTML interface; clear the check boxes of the items you want to hide.

  • Per-User TACACS+/RADIUS Attributes—Displays or hides the Advanced Options section in the User Setup window.
  • User-Level Network Access Restrictions—Displays or hides the NAS and Dialup filter sections in the User Setup window. If the Group Setup page specifies these filters, these sections will still display.
  • Default Time-of-Day/Day-of-Week Specification—Displays or hides the time-of-day/day-of-week grid on the Group Setup page.
  • Group Level Network Access Restrictions—Displays or hides the NAS and dialup filter sections of the Group Setup window.
  • Group-Level Password Aging—Displays or hides the Password Aging section in the Group Setup window.
  • Max Sessions—Displays or hides the Max Sessions section of the User Setup and Group Setup windows.
  • Distributed-System Settings—Displays or hides the AAA server and proxy table in the Network Interface window. If the tables are not empty and have information other than the defaults in them, they will always display.
  • Remote Logging—Displays or hides the Logging field in the System Configuration window. If remote logging is configured, this window will always display.
  • CiscoSecure ACS Database Replication—Displays or hides the Database Replication field in the System Configuration window.
  • RDBMS Synchronization—Displays or hides the RDBMS Synchronization window in the System Configuration window. If RDBMS Synchronization is configured, this window will always display.
  • IP Pools—This section displays or hides the IP Pools section in the System Configuration window.
  • Network Device Groups—This option turns Network Device Groups (NDGs) on or off. When NDGs are enabled, the Network Configuration section and parts of the User Setup windows change to allow you to manage groups of network devices (NASes or AAA servers). This feature is useful if you have a large number of devices to administer.
  • Voice over IP (VoIP) Group Settings—This option displays or hides the VoIP section in the Group Setup window.
  • ODBC Logging—This option displays or hides the ODBC log configuration options in the Interface Configuration: Logging window.

Administration Control

You can administer CiscoSecure ACS from any workstation in the network as long as the workstation is running a compatible browser. See the "System Requirements" section for a list of compatible browsers. The address to enter in the remote administrator's browser is http://<Windows NT server IP address>:2002. Port 2002 is used only for the initial connection; after a remote administrator logs in, the session is moved to a dynamically assigned port. A firewall rule that permits only TCP port 2002 to the server will therefore let the login page load but break the session immediately afterwards.

Remote administrators can use a firewall-protected dial-in connection, but this is not recommended or supported. Leaving a port open for remote administration could compromise network security.


Note      You must enable the Java functions on your browser.


Adding or Editing Remote Administrator Information

To enable remote administration from a workstation or remote client:


Step 1   Click Administration Control from the navigation bar.

Step 2   Click Add new administrator. Enter the following information:

(a) Administrator Name—User identification the administrator uses to log in to CiscoSecure ACS

(b) Password—Password the administrator uses to log in

(c) Confirm Password—Confirmation of the administrator password


Note This password is for a remote administrator to access the CiscoSecure interface. There is no correlation between the administrator name/password and the username/password for dialup authentication. Accounts created for dialup authentication and those created for HTML interface administration are placed in separate databases.


Step 3   In the Administrator Privileges section, check any or all of the privileges you want to allow for this administrator:

  • User & Group Setup—Click one or both of the following check boxes:
    • Add/Edit users in these groups
    • Setup of these groups

To allow the administrator to edit data for or set up all users and groups, click >>. This moves all groups from the Available Groups column into the Permitted Groups column.

To set the administrator privileges by group, in the Available Groups column, click the name of the group whose data you want this administrator to be able to change, then click -> to move the name into the Permitted Groups column. Repeat for each group whose information you want to allow this administrator to change. To remove a group from the administrator's control, click the name in the Permitted Groups column and click <-.


Note By default a remote administrator has no privileges.


  • Other administrator privileges you can select include the following:
    • Network Configuration—Network Device Groups, NASes, and AAA Servers
    • System Configuration—Backup, restore, replication, synchronization, and other CiscoSecure ACS system options
    • Interface Configuration—User interface configuration
    • Administration Control—Administrator configuration
    • External User Databases—CiscoSecure ACS user database, Windows NT user database, and third-party databases

Step 4   You can also select the Reports & Activity items that this administrator can access.

Step 5   Click Submit to save these changes.


Note No changes are made at any time until the administrator clicks Submit. This prevents two administrators from accidentally changing information at the same time.


Access Policy

The following items can be configured for the Access Policy:

  • IP Address Filtering—Click one of the following options:
    • Allow all IP addresses to connect—(default) No filtering on any IP address is performed when an administrator is accessing CiscoSecure ACS remotely.
    • Allow only listed IP addresses to connect—Click to allow remote administration from only those workstations whose IP addresses fall within the range specified in the IP Addresses Ranges section. Workstations whose IP addresses are not within the specified range will not be able to access CiscoSecure ACS remotely.
    • Reject connections from listed IP addresses—Click to filter out remote administration from the IP addresses specified in the IP Address Ranges section. Remote administration from workstations whose IP addresses do not fall within the specified range will be permitted.
    • IP Address Ranges—Enter the IP address range in Class C format from which to permit or deny access.

Audit Policy Setup

Specify the parameters for the Administrator Audit reports. To view an Administrator Audit report, click Reports and Activity: Administrator Audit, then click the applicable filename.

  • File Management—Click one of the following options to configure when the new audit log file is generated:

Note The rotation times below are taken from the server's clock and time zone. To check that the system is set to your local time, click Start: Settings: Control Panel: Date/Time.


    • Every Day—Click this button to have CiscoSecure ACS generate a new audit log file at 12:01 am local time every day.
    • Every Week—Click this button to have CiscoSecure ACS generate a new audit log file at 12:01 am local time every Sunday.
    • Every Month—Click this button to have CiscoSecure ACS generate a new audit log file at 12:01 am on the first day of every month.
    • When Size is Greater than x KB—Click this button and enter the number of kilobytes after which to have CiscoSecure ACS generate the new audit log file. The default is 2048 KB.
  • Directory Management—To configure parameters for the directory for the log files, click Manage Directory and one of the following options:
    • Keep only the last x files—Click this button and enter the maximum number of audit log files to keep in the log directory. The default is 7 files.
    • Delete files older than x days—Click this button and enter the maximum number of days to keep the audit log files in the log directory. The default is 7 days.

Session Policy

An administrative login can be terminated by setting the idle timeout. This parameter applies to the browser session only. It does not apply to the dial-in session. The browser connection with CiscoSecure is terminated if there is no activity for the specified period of time.

  • Session idle timeout—Time in minutes that the browser must remain idle before the connection to CiscoSecure is terminated. This terminates the browser connection only.
  • Allow Automatic Local Login—Allows administrators to log in to their local CiscoSecure ACS without entering their password.

When this check box is checked, a browser that connects to the CSAdmin server from the local machine goes directly to the CiscoSecure ACS welcome screen without the administrator having to enter a valid administrator name and password. Anyone who can run a browser on the server console then has full administrative access, so leave this cleared unless console access to the server is itself restricted.

If this check box is cleared and the form is submitted, the browser is sent a page that requires the user to log in using a valid administration name and password. The user cannot progress to the welcome screen until a valid administrator name and password pair is supplied.


Note If there are no administrator accounts defined on the CSAdmin server, the browser always goes to the welcome page, no matter what the state of the Allow Automatic Local Login check box. This prevents a situation in which the local browser is locked out of the CSAdmin server because there are no administrator accounts.


The preferred way to end a remote browser session or a local browser session where login is required (the Allow Automatic Local Login check box is clear) is to click Logout at the top right corner of any of the title bars, or to go back to the welcome screen by clicking the CiscoSecure logo and then clicking Logout. This releases the administration session in the server and closes any back door left open on the session's port. When you have logged out this way, you can close the browser or leave it running, as required.

  • Respond to Invalid IP Address Connections—Allows CiscoSecure ACS to send information to invalid IP addresses.
  • Track failed login attempts—Check this check box and enter a number in the failed attempt count box to allow CiscoSecure ACS to keep a record of failed login attempts. This option is checked by default, and the default failed attempt count is 1.
  • Lock out Administrator after x successive failed attempts—Check this check box and enter the number of unsuccessful login attempts after which an administrator will be locked out. The default is 0; that is, administrators are allowed an unlimited number of failed login attempts.

Deleting an Administrator

To delete an administrator:


Step 1   Click Administration Control. The Select window opens.

Step 2   Click an existing administrator name in the list. The Edit window opens.

Step 3   Click Delete. A delete confirmation window opens.

Step 4   Click OK to delete the selected administrator.

External User Databases

Click External User Databases to configure the following features:

  • Unknown User Policy—Defines the action for CiscoSecure ACS to take if it does not find a username matching that of the incoming authentication request in its own database. There are two options: fail the authentication and reject the request (that is, fail all unknown users) or continue to search the list of external user databases configured.
  • Database Group Mappings—Provides the controls to allow CiscoSecure ACS to map an applicable authentication/authorization group profile to each external user database.
  • External User Database Configuration—Installs support for communication with an external user database.

For more information on External User Databases, see "User Databases."

Unknown User Policy

In CiscoSecure ACS, an unknown user is defined as one for whom no account has been created within the CiscoSecure ACS database.

To specify how CiscoSecure ACS should handle users who are not in the CiscoSecure ACS database, follow these steps:


Step 1   In the navigation bar, click External User Databases.

Step 2   Click Unknown User Policy.

Step 3   In the Configure Unknown User Policy window, click one of the following:

  • Fail the attempt—Do not authenticate any unknown users.
  • Check the following external user databases—Authenticate users using the database you select:
    • CRYPTOCard Token Card—Authenticates a user from a CRYPTOCard one-time password (OTP) token card server. CiscoSecure ACS acts as a client to the token card server. The CRYPTOCard server must be installed on the same machine as CiscoSecure ACS.
    • AXENT Token Card—Authenticates a user from an AXENT token card server.
    • SDI SecurID Token Card—Authenticates a user from an SDI SecurID token card server.
    • NDS Database Authentication—Authenticates a user using Novell Directory Services (NDS).
    • Directory Services—Authenticates a user using generic implementations of Directory Services (DS), such as Netscape.
    • MCIS LDAP XX—Authenticates a user using the Microsoft Commercial Internet System (MCIS) Lightweight Directory Access Protocol (LDAP) authenticator. The XX represents an abbreviation of the server name.
    • ODBC—Authenticates a user using the Microsoft Open DataBase Connectivity authenticator.
    • Windows NT—Authenticates a user from the Windows NT user database.
    • SafeWord Token Card—Authenticates a user from a SafeWord token card server.

Step 4   Click Submit.

Setting the Database Search Order

To configure the order of the databases, follow these steps:


Step 1   Click External User Databases: Unknown User Policy.

Step 2   Click Check the following external user databases.

Step 3   If the databases you want to be checked are not in the Selected Databases column, click the name of the database in the External Databases column, then click the right arrow (>). To move a database out of the list, click the name of the database and the left arrow (<).

Step 4   To move the position of a database within the list, click the name of the database, then click Up or Down until it is in the position you want.

For more information on Unknown User Policy, see "Sophisticated Handling of Unknown Users."

Network Access Authorization

While Unknown User Policy allows authentication requests to be forwarded to external user databases, all responsibility for the authorization parameters provided to the NAS remains with CiscoSecure ACS. Basically, the external user database simply authenticates the user, and CiscoSecure ACS then provides the additional authorization information that is sent to the NAS in the RADIUS or TACACS+ response packet. See the "Database Group Mappings" section for more information.

Database Group Mappings

The Database Group Mappings window allows you to enable CiscoSecure ACS to map an applicable authentication/authorization group profile to each external user database. Because the only data items common to both the CiscoSecure ACS database and the third-party database are username and password, external user databases can be used only for authentication.

CiscoSecure ACS supports group-access profiles for external user database mapping so that you can specify a different access profile for each individual external user database. Because it is a native Windows NT application, CiscoSecure ACS provides even greater configurability of group access profile mapping when using Windows NT as an external user database. CiscoSecure ACS can extract a substantial amount of data on each user from the API calls, including the user's Windows NT Domain and, within that domain, the groups to which the user belongs. CiscoSecure ACS allows you to map group access profiles to Windows NT domains or to groups within domains.

For more information on external user databases, see "Sophisticated Handling of Unknown Users."
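The following is an added example, not CiscoSecure ACS code: it models the flow described in the Unknown User Policy, Network Access Authorization and Database Group Mappings sections (lookup in the ACS database first, then the Selected Databases in order, then the mapped CiscoSecure group). The external databases, users, passwords and group names are constructed sample data; a single mapped group per database, as for the token card servers, is assumed.

```python
"""Added example, not CiscoSecure ACS code: a model of the Unknown User Policy,
the database search order and the Database Group Mappings described above.
The external databases, users and group names are constructed sample data."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

NO_ACCESS = "<No Access>"   # default mapping in the Database Group Mappings windows
Result = Tuple[bool, Optional[str], str]   # (accepted, CiscoSecure group, reason)


@dataclass
class ExternalDatabase:
    name: str
    # Stand-in for the external server (token card server, Windows NT, LDAP ...):
    # returns True when it accepts the username/password pair.
    authenticate: Callable[[str, str], bool]
    # Database Group Mapping: the CiscoSecure ACS group whose authorization
    # profile is sent to the NAS for every user this database authenticates.
    mapped_group: str = NO_ACCESS


@dataclass
class UnknownUserPolicy:
    fail_the_attempt: bool = True   # the "Fail the attempt" choice
    # "Check the following external user databases": the Selected Databases, in order
    selected_databases: List[ExternalDatabase] = field(default_factory=list)


@dataclass
class AcsServer:
    local_users: Dict[str, Tuple[str, str]]   # username -> (password, CiscoSecure group)
    policy: UnknownUserPolicy

    def authorize(self, username: str, password: str) -> Result:
        """Authentication may be delegated to an external database; the group
        (the authorization profile) always comes from CiscoSecure ACS."""
        local = self.local_users.get(username)
        if local is not None:   # a known user never triggers the unknown user policy
            stored_pw, group = local
            if stored_pw == password:
                return True, group, "authenticated by the CiscoSecure ACS database"
            return False, None, "known user, wrong password"
        if self.policy.fail_the_attempt:
            return False, None, "unknown user: Fail the attempt"
        # Try the selected databases in the configured order.  In this model the first
        # database that accepts the credentials decides the mapping, so the order
        # matters when a user exists in more than one database.
        for db in self.policy.selected_databases:
            if db.authenticate(username, password):
                if db.mapped_group == NO_ACCESS:
                    return False, None, f"authenticated by {db.name} but mapped to {NO_ACCESS}"
                return True, db.mapped_group, f"authenticated by {db.name}"
        return False, None, "unknown user: no external database accepted the credentials"


def table_authenticator(table: Dict[str, str]) -> Callable[[str, str], bool]:
    """Constructed stand-in for an external server backed by a username/password table."""
    return lambda user, pw: table.get(user) == pw


# Constructed sample environment: one local ACS user and three external databases.
LOCAL_USERS = {"carol": ("local-pass", "Group 0")}
WINDOWS_NT = ExternalDatabase("Windows NT",
                              table_authenticator({"alice": "s3cret", "bob": "hunter"}), "Group 1")
DIRECTORY_SERVICE = ExternalDatabase("Directory Service",
                                     table_authenticator({"alice": "s3cret"}), "Group 2")
CRYPTOCARD = ExternalDatabase("CRYPTOCard Token Card",
                              table_authenticator({"eve": "48213907"}))   # left at <No Access>


def demo(order: List[ExternalDatabase], fail_the_attempt: bool = False) -> Dict[str, Result]:
    """Run a fixed set of logins against an ACS configured with the given search order."""
    acs = AcsServer(LOCAL_USERS, UnknownUserPolicy(fail_the_attempt, order))
    attempts = {"carol": "local-pass", "alice": "s3cret", "bob": "hunter",
                "eve": "48213907", "dave": "anything"}
    return {user: acs.authorize(user, pw) for user, pw in attempts.items()}


if __name__ == "__main__":
    for user, (accepted, group, reason) in demo([WINDOWS_NT, DIRECTORY_SERVICE, CRYPTOCARD]).items():
        print(f"{user:6} accepted={accepted!s:5} group={group} ({reason})")
```

Swapping Windows NT and Directory Service in the search order changes the group that alice receives, which is the effect the Setting the Database Search Order procedure controls.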

To specify a token card database mapping for a group, follow these steps:


Step 1   In the navigation bar, click External User Databases.

Step 2   Click Database Group Mappings.

Step 3   Click the name of the external user database to be used:

  • CRYPTOCard Token Card—Authenticates a user from a CRYPTOCard token card server. CiscoSecure ACS acts as a client to the token card server.
  • SafeWord Token Card—Authenticates a user from a SafeWord token card server.
  • AXENT Token Card—Authenticates a user from an AXENT token card server.
  • SDI SecurID Token Card—Authenticates a user from an SDI SecurID token card server.
  • MCIS LDAP—Authenticates a user using the Microsoft Commercial Internet System (MCIS) Lightweight Directory Access Protocol (LDAP) authenticator.
  • Directory Service—Authenticates a user using a generic implementation of Directory Services, such as Netscape.
  • ODBC Database Authentication—Authenticates a user using the Microsoft Open DataBase Connectivity authenticator.
  • NDS Authentication—Authenticates a user using Novell Directory Services.
  • Windows NT—Authenticates a user using the Microsoft Windows user database.

Step 4   Click the number of the group to be authenticated using this source. For example, Group 0 (x users) where x is the number of users assigned to the group. See the section "Group Setup" for more information.

Step 5   Click Submit.

Directory Services Database Group Mappings

To map a group to authenticate via the Directory Services user database, follow these steps:


Step 1   In the navigation bar, click External User Databases.

Step 2   Click Database Group Mappings.

Step 3   Click Directory Service.

Step 4   Click Add Mapping. The Create New Group Mapping for DS Users window opens. The DS Groups list derives the listed names from the DS directory; however, it does not list Windows NT groups.

Step 5   In the Define DS group set list, click the name of the applicable DS group, then click Add to selected.


Note To remove a DS group from the mapping, in the Selected list, click the name of the applicable DS group, then click Remove from selected.


Step 6   In the CiscoSecure group drop-down menu, click the name of the group to which you want to map this DS group.

Step 7   Click Submit.

MCIS LDAP Database Group Mappings

To map a group to authenticate via the MCIS LDAP user database, follow these steps:


Step 1   In the navigation bar, click External User Databases.

Step 2   Click Database Group Mappings.

Step 3   Click MCIS LDAP.

Step 4   Click Add Mapping. The Create New Group Mapping for MCIS Users window opens. The MCIS Groups list derives the listed names from the LDAP directory; however, it does not list Windows NT groups.

Step 5   In the Define MCIS group set list, click the name of the applicable LDAP group, then click Add to selected.


Note To remove an MCIS group from the mapping, in the Selected list, click the name of the applicable LDAP group, then click Remove from selected.


Step 6   In the CiscoSecure group drop-down menu, click the name of the group to which you want to map this MCIS group.

Step 7   Click Submit.

NDS Database Group Mappings

To map a group to authenticate via the Novell Directory Services (NDS) user database, follow these steps:


Step 1   In the navigation bar, click External User Databases.

Step 2   Click Database Group Mappings.

Step 3   Click NDS Authentication.

Step 4   Click Add Mapping. The Create New Group Mapping for NDS Users window opens. The NDS Groups list derives the listed names from the LDAP directory; however, it does not list Windows NT groups.

Step 5   In the Define NDS group set list, click the name of the applicable NDS group, then click Add to selected.


Note To remove an NDS group from the mapping, in the Selected list, click the name of the applicable NDS group, then click Remove from selected.


Step 6   In the CiscoSecure group drop-down menu, click the name of the group to which you want to map this NDS group.

Step 7   Click Submit.

Windows NT Database Group Mappings

To map a group to the Windows NT database, follow these steps:


Step 1   In the navigation bar, click External User Databases.

Step 2   Click Database Group Mappings.

Step 3   Click Windows NT to authenticate a user from an existing entry in the Windows NT user database located on the same machine as the CiscoSecure server. There is also an entry in the CiscoSecure ACS database used for other CiscoSecure ACS services. A window with a list of domain configurations opens.

Step 4   Click New Configuration to add a domain or click the name of the domain to configure.

Step 5   If you are adding a domain configuration, do one of the following:

  • In the Detected domains scroll box, click the name of the domain to configure.
  • In the Domain: Field dialog box, enter a known Windows NT domain name.

You can use this field to enter a domain you know is trusted, even though one has not been returned on the display. When you reboot a Windows NT server, there are a few minutes of delay during which the browser "warms up." Asking for all trusts at this time might not return the entire list correctly.

Additionally, if a trusted host is down, its name will not display, so you will not be able to add group mappings for it. The Domain field allows you to manually enter the name of an unlisted trusted domain. See your Microsoft documentation for more information on Trust Relationships.

Step 6   Click Submit. The service restarts and the Domain Configurations window opens. The name of the new configuration is listed.

Step 7   To edit an existing configuration, click its name in the Domain Configurations window. The Mappings for Domain: domainname window opens where domainname is the name of the configuration you are editing.

Step 8   Click Add Mapping. The Create New Mapping for Domain domainname window opens.

Step 9   In the CiscoSecure group scroll box, click the name of the group to which you want to map this configuration; for example, Group 0. See the section "Group Setup" for information on renaming a group.

Step 10   Click Submit.

Step 11   The Mappings for Domain: domainname window opens again, this time listing the mapping you just created.

Assigning a No Access Group

To assign a Windows NT user to the No Access group, follow these steps:


Step 1   Click External User Databases: Database Group Mappings: database

where database is the name of the external database you are using

Step 2   Click the name of the existing group or click Add mapping.

Step 3   In the drop-down box, click <No Access>.

Step 4   Click Submit.

Setting the Group Mappings Order

To set or change the order of the group mappings for a Windows NT, ODBC, LDAP, or MCIS LDAP group, follow these steps:


Step 1   Click External User Databases: Database Group Mappings: database

where database is the name of the external database to sort.

Step 2   Click the name of the group.

Step 3   Click Add Mapping.

Step 4   Make sure all the groups you want to list are in the Selected column. If not, click the name of the group to move, then click the right arrow (>).

Step 5   Click the name of the group to move, then click Up or Down until it is in the position you want.

Step 6   Click Submit.

Editing Windows NT Domain Mappings

To edit the mapping for a domain, follow these steps:


Step 1   In the navigation bar, click External User Databases.

Step 2   Click Database Group Mappings.

Step 3   Click Windows NT. The Domain Configurations window opens.

Step 4   To edit a domain, click the name of the domain you want to edit. The Mappings for Domain domainname window opens. This window displays a list of the NT groups you have configured for this domain and the CiscoSecure group to which it is mapped.

(a). To edit the mapping, click the name of the Windows NT group to be edited. The Edit mapping for Domain domainname window opens.

(b). In the CiscoSecure group scroll box, click the name of the group to which this NT group should be mapped, then click Submit.

Step 5   To add a new mapping, click Add mapping. The Create New Mapping for Domain: domainname window opens. In the CiscoSecure group: scroll box, select the CiscoSecure group to which this Windows NT domain should be mapped; for example, Group 1. If you do not want to assign this mapping to a group, you can leave this scroll box set to the default, <No Access>.

Step 6   In the Define Windows NT group set, Windows NT Groups scroll box, click the name of the NT group you want to assign to this mapping.

Step 7   Click the -> (right arrow) button to move your selection into the Selected column.

Step 8   When you have finished selecting all the groups you want, click Submit. The Mappings for Domain domainname window opens again with the new group mapping listed.

Remapping an Existing Mapped Group

You can change the mapping for an existing Windows NT group. To remap an existing Windows NT group, follow these steps:


Step 1   Click External User Databases: Database Group Mappings: Windows NT.

Step 2   Click the name of the group.

Step 3   Click the name of the mapping you want to change.

Step 4   From the drop-down box, click the name of the new group to map to.

Step 5   Click Submit.

Deleting a Group Mapping Configuration

To delete a group mapping, follow these steps:


Step 1   Click External User Databases: Database Group Mappings: database.

where database is the name of the applicable external user database

Step 2   Click the name of the group.

Step 3   Click the name of the mapping you want to delete.

Step 4   Click Delete.

Step 5   Click Submit.

Deleting a Domain Mapping Configuration

To delete an existing mapping configuration, follow these steps:


Step 1   In the navigation bar, click External User Databases.

Step 2   Click Database Mappings.

Step 3   Click Windows NT. The Domain Configurations window opens.

Step 4   Click the name of the configuration to delete. The Mappings for Domain: domainname window opens (where domainname is the name of the configuration to delete).

Step 5   Click Delete Configuration.

Step 6   Click Submit.

External User Database Configuration

To install CiscoSecure ACS support for any of the remote authentication sources, follow these steps:


Step 1   Click External User Databases.

Step 2   Click Database Configuration. The External User Databases window opens.

Step 3   Click one of the following types of authentication to be used:

  • ODBC Database Authentication—Authenticates a user using the Microsoft Open DataBase Connectivity authenticator.
  • MCIS LDAP—Authenticates a user using the Microsoft Commercial Internet System (MCIS) Lightweight Directory Access Protocol (LDAP) authenticator.
  • Directory Service—Authenticates a user using a generic version of Directory Services, such as Netscape.
  • CRYPTOCard Token Card—Authenticates a user from a CRYPTOCard token card server. CiscoSecure ACS acts as a client to the token card server.
  • SafeWord Token Card—Authenticates a user from a SafeWord token card server.
  • AXENT Token Card—Authenticates a user from an AXENT token card server.
  • SDI SecurID Token Card—Authenticates a user from an SDI SecurID token card server.
  • NDS Authentication—Authenticates a user using Novell Directory Services.
  • Windows NT—Authenticates a user from an existing entry in the Windows NT user database located on the same machine as the CiscoSecure server.

For CiscoSecure ACS to interact with an external user database, two components are required: a source-specific CiscoSecure ACS DLL and the third-party authentication source API with which it communicates. However, for Windows NT, Directory Services, MCIS LDAP, ODBC, and NDS authentication, the program interface for the external authentication is local to the CiscoSecure ACS system and is provided by the local operating system. In these cases, no further components are required. To communicate with each of the OTP servers, you must have software components provided by the OTP vendors installed, in addition to the CiscoSecure ACS components. You must also specify in User Setup that a token card server is to be used.


Note If you select one of the token card servers but token card support is disabled, you must restart the CSAdmin service to reload the token card DLL.


Step 4   The Database Configuration window opens. To delete a configuration, click Delete. To set up a configuration, click Configure.

ODBC Configuration

ODBC is a standardized API that was first developed by Microsoft and is now used by most major database vendors. ODBC now follows the specifications of the SQL Access Group. The benefit of ODBC in a web-based environment is easy access to data storage programs such as Microsoft Access and SQL Server. You must have already installed your ODBC database server and populated the database. See your Microsoft documentation for more information. To configure CiscoSecure ACS for ODBC authentication, follow these steps:


Step 1   Click External User Databases: Database Configuration.

Step 2   Click ODBC Database Authentication.

Step 3   Click Configure.

Step 4   Enter the following information:

  • System DSN—Enter the Data Source Name (DSN).
  • DSN Username—Edit the DSN Username to match the security setting of your ODBC database.
  • DSN Password—Edit the DSN Password for your ODBC database.
  • DSN Connection Retries—Enter the number of times CiscoSecure should try to connect to the ODBC database before timing out. The default is 3. If you have connection problems when Windows NT starts, increase this value.
  • ODBC Worker Threads—Increase the ODBC worker thread count only if the ODBC driver you are using is certified thread safe. For example, the Microsoft Access ODBC driver is not thread safe and can cause CiscoSecure ACS to become unstable if multiple threads are used. Where possible, CiscoSecure ACS queries the driver to find out if it is thread safe. The thread count to use depends on how long the DSN takes to execute the procedure and the rate at which authentications are required. The maximum thread count is 10. The default is 1.
  • Support PAP authentication—If you want users to be able to log in to the ODBC database using PAP authentication, check this option.
  • PAP SQL Procedure—Enter the name of the PAP SQL procedure routine on the ODBC server.
  • Support CHAP/MS-CHAP/ARAP Authentication —If you want users to be able to log in to the ODBC database using CHAP, MS-CHAP, or ARAP authentication, check this option.
  • CHAP SQL Procedure—Enter the name of the CHAP SQL procedure routine on the ODBC server. For more information and an example routine, see the Online Documentation and your ODBC documentation.

Step 5   Click Submit.

SQL Servers and Case-Sensitive Passwords

If you want your passwords to be case-sensitive, reconfigure your SQL Server to accommodate this feature. If your users are authenticating using PPP via PAP or Telnet login, the password might not be case-sensitive, depending on how the case-sensitivity option is set on the SQL server. For example, Oracle SQL servers default to case sensitivity, whereas Microsoft SQL servers default to case-insensitivity. However, in the case of CHAP/ARAP, the password is case-sensitive if the CHAP stored procedure is configured.

For example, with Telnet or PAP authentication, the passwords cisco or CISCO or CiSc0 will all work if the SQL server is configured for case-insensitivity.

For CHAP/ARAP, the passwords cisco or CISCO or CiSc0 are not the same, regardless of whether or not the SQL server is configured for case-sensitive passwords.
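The following is an added example, not CiscoSecure ACS code or a routine from the CD-ROM: it models the PAP procedure (comparison inside the SQL server) and the clear-text extraction procedure used for CHAP (comparison of MD5 digests in ACS) against an in-memory users table, to show why PAP case-sensitivity follows the SQL server's setting while CHAP is case-sensitive whatever the server does. The users table, the password, the CHAP identifier and the challenge are constructed.

```python
"""Added example, not CiscoSecure ACS code: models the CSNTAuthUserPap and
CSNTExtractUserClearTextPw flows against an in-memory copy of the users table,
to show why PAP case-sensitivity follows the SQL server's setting while CHAP is
always case-sensitive.  The users table, passwords and challenge are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ODBC_ERROR = (3, 0, "odbc", "ODBC Authen Error")   # the ELSE branch of both procedures

# Constructed users table with the columns the sample procedures read.
USERS = {"joe": {"csntpassword": "cisco", "csntgroup": 1, "csntacctinfo": "joe-acct"}}


def csnt_auth_user_pap(users: Dict[str, dict], username: str, password: str,
                       case_insensitive_server: bool) -> Tuple[int, int, str, str]:
    """Model of CSNTAuthUserPap: the password comparison runs inside the SQL server,
    so the server's case-sensitivity setting decides whether 'cisco' matches 'CISCO'."""
    row = users.get(username)
    if row is None:
        return ODBC_ERROR
    stored = row["csntpassword"]
    if case_insensitive_server:
        matched = stored.lower() == password.lower()   # Microsoft SQL Server default
    else:
        matched = stored == password                    # Oracle default
    if matched:
        return (0, row["csntgroup"], row["csntacctinfo"], "No Error")
    return ODBC_ERROR


def csnt_extract_user_clear_text_pw(users: Dict[str, dict],
                                    username: str) -> Tuple[int, int, str, str, Optional[str]]:
    """Model of CSNTExtractUserClearTextPw: no comparison in SQL at all; the stored
    clear-text password is handed back so that ACS can verify the CHAP response."""
    row = users.get(username)
    if row is None:
        return ODBC_ERROR + (None,)
    return (0, row["csntgroup"], row["csntacctinfo"], "No Error", row["csntpassword"])


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def authenticate_chap(users: Dict[str, dict], username: str, ident: int,
                      challenge: bytes, response: bytes) -> Tuple[int, int, str, str]:
    """ACS-side CHAP check: extract the stored password, recompute the expected response
    and compare digests.  Because the bytes of the password feed the hash, any change
    of case produces a different digest regardless of the SQL server's setting."""
    code, group, acct, _msg, stored = csnt_extract_user_clear_text_pw(users, username)
    if code != 0:
        return ODBC_ERROR
    if hmac.compare_digest(chap_response(ident, stored, challenge), response):
        return (0, group, acct, "No Error")
    return ODBC_ERROR


def demo() -> Dict[str, int]:
    """Result code (0 = success, 3 = error) for each attempt; keys are
    pap-ci-<typed>, pap-cs-<typed> and chap-<typed>."""
    challenge = os.urandom(16)   # the NAS normally generates this; constructed here
    ident = 7
    results = {}
    for typed in ("cisco", "CISCO", "CiScO"):
        results[f"pap-ci-{typed}"] = csnt_auth_user_pap(USERS, "joe", typed, True)[0]
        results[f"pap-cs-{typed}"] = csnt_auth_user_pap(USERS, "joe", typed, False)[0]
        peer_response = chap_response(ident, typed, challenge)   # what a peer holding `typed` sends
        results[f"chap-{typed}"] = authenticate_chap(USERS, "joe", ident, challenge, peer_response)[0]
    return results


if __name__ == "__main__":
    for attempt, code in demo().items():
        print(f"{attempt:14} -> {'No Error' if code == 0 else 'ODBC Authen Error'}")
```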

SQL Procedure Sample Routines

The following example SQL Procedure routines are included on the CiscoSecure ACS CD-ROM.

PAP Authentication

The following example routine is for use with PAP authentication:

-- Drop any existing copy of the procedure (sysstat & 0xf = 4 selects stored procedures).
if exists (select * from sysobjects where id = object_id('dbo.CSNTAuthUserPap') and sysstat & 0xf = 4)
    drop procedure dbo.CSNTAuthUserPap
GO
-- PAP: the SQL server compares the password itself, so its case-sensitivity setting applies.
CREATE PROCEDURE CSNTAuthUserPap
    @username varchar(64), @pass varchar(255)
AS
SET NOCOUNT ON
IF EXISTS( SELECT username
           FROM users
           WHERE username = @username
           AND csntpassword = @pass )
    -- Result columns: result code (0 = success), group, account info, message.
    SELECT 0, csntgroup, csntacctinfo, 'No Error'
    FROM users
    WHERE username = @username
ELSE
    SELECT 3, 0, 'odbc', 'ODBC Authen Error'
GO
-- The DSN user configured in CiscoSecure ACS only needs EXECUTE on the procedure.
GRANT EXECUTE ON dbo.CSNTAuthUserPap TO ciscosecure
GO

Extract Clear Text Password

-- Drop any existing copy of the procedure.
if exists (select * from sysobjects where id = object_id('dbo.CSNTExtractUserClearTextPw') and sysstat & 0xf = 4)
    drop procedure dbo.CSNTExtractUserClearTextPw
GO
-- CHAP/MS-CHAP/ARAP: the clear-text password is returned as a fifth column so that
-- CiscoSecure ACS can compute and compare the response itself.
CREATE PROCEDURE CSNTExtractUserClearTextPw
    @username varchar(64)
AS
SET NOCOUNT ON
IF EXISTS( SELECT username
           FROM users
           WHERE username = @username )
    SELECT 0, csntgroup, csntacctinfo, 'No Error', csntpassword
    FROM users
    WHERE username = @username
ELSE
    SELECT 3, 0, 'odbc', 'ODBC Authen Error'
GO
GRANT EXECUTE ON dbo.CSNTExtractUserClearTextPw TO ciscosecure
GO

MCIS LDAP Configuration

MCIS is Microsoft's product suite of commercial-grade server components designed for ISPs and commercial web sites. MCIS is a member of the Microsoft BackOffice family of servers and runs on Microsoft Windows NT Server and Microsoft Internet Information Server (IIS).

To configure CiscoSecure ACS to use the MCIS LDAP User Database, follow these steps:


Step 1   Click External User Databases: Database Configuration.

Step 2   Click MCIS LDAP.

Step 3   Click Configure.


Note The user authenticates against only one MCIS database.


Step 4   In the Hostname box, enter the IP address or DNS name of the machine that is running the LDAP software.

Step 5   In the Port box, enter the TCP/IP port number on which the LDAP server is listening. The default is 389, as stated in the LDAP specification. If you leave this box blank, CiscoSecure ACS uses port 389. If you do not know the port number, you can find this information by viewing LDAP Properties on the LDAP machine.

Step 6   In the Security box, select the type of security to use. The user name and password credentials are passed over the network to the MCIS LDAP directory. Normally the username and password are sent in clear text. To enhance security, there are two check boxes in the MCIS Database Configuration window that allow you to configure the level of security of the connection to the LDAP directory.

The two check boxes have four possible combinations. (See Table 9-1.)

Table 9-1   MCIS LDAP Password Security

Secure Authentication   SSL encryption   Action
checked                 checked          Simple bind over SSL (secure authentication over a secure channel).
checked                 unchecked        As above, except that if the ldap_open call to the SSL port fails, it calls SSPI with the username and password.
unchecked               checked          Simple bind over SSL. Encryption only.
unchecked               unchecked        Simple bind to the LDAP server in clear text over the wire. Credentials are transmitted in clear text at the initial bind, and user object contents travel the network in clear text.

If you check either of these boxes, be sure to specify the SSL port number that the MCIS LDAP Directory is configured to use for SSL. The CiscoSecure ACS CSAuth service makes one TCP/IP connection to the MCIS LDAP directory and maintains that single connection.


If you are using MCIS 2.0 with the Active Directory Service Interfaces (ADSI) 2.0 client libraries and you check the Secure Authentication check box, Windows first tries to authenticate using Kerberos, then using NT LAN Manager (NTLM). If it does not find either of these types, it sends the password in clear text, compromising authentication security. This issue is corrected in the Microsoft ADSI 2.5 client.

Step 7   In the Admin DN box, enter the following information from your MCIS LDAP server:

o=root,ou=members,cn=userobject

For example:

o=xyzcompany,ou=members,cn=administrator

Note You can enter this information in reversed order (with the userobject at the beginning); however, the ou=members statement must be in the middle. The directory's root name (o=xyzcompany in the above example) is configured during installation of the LDAP directory. See your MCIS documentation for more information.


When CiscoSecure ACS binds, it authenticates itself to the directory to get administrator-level privileges. The Administrator account SUPERBROKER is created during installation. You can also create an account with just the privilege level you want to allow. At a minimum, the administrator account must allow reading passwords and reading account status. Currently CiscoSecure ACS only reads the directory; it does not write to it.

Step 8   In the Password box, enter the administrator account (SUPERBROKER) password. Password case-sensitivity is determined by the SQL server.

Step 9   In the Confirm Password box, re-enter the same password to verify its format.

Directory Services Database Configuration

The Directory Services (DS) is a generic type of Lightweight Directory Access Protocol (LDAP) used by several vendors. The information in this section applies to Netscape's implementation of DS. See your vendor documentation for more specific information. To configure CiscoSecure ACS to use the DS User Database, follow these steps:


Step 1   Click External User Databases: Database Configuration.

Step 2   Click Directory Services.

Step 3   Click Configure.


Note The user authenticates against only one DS database.


Step 4   In the Hostname box, enter the name or IP address of the machine that is running the DS software.

Step 5   In the Port box, enter the TCP/IP port number on which the DS server is listening. The default is 389, as stated in the DS specification. If you leave this box blank, CiscoSecure ACS uses port 389. If you do not know the port number, you can find this information by viewing those properties on the DS machine.

Step 6   The username and password credentials are normally passed over the network to the DS directory in clear text. To enhance security, in the Security box, check the Use secure authentication check box.

Step 7   In the Admin DN box, enter the following information from your DS server:

uid=userid,ou=organizationalunit,[ou=nextorganizationalunit,]o=organization

where userid is the username

organizationalunit is the last level of the tree

nextorganizationalunit is the next level up the tree.

For example:

uid=joesmith,ou=members,ou=administrators,o=cisco

See your DS documentation for more information.

Step 8   In the Password box, enter the administrator password. Password case-sensitivity is determined by the server.

Step 9   In the Confirm Password box, re-enter the same password to verify its format.

Step 10   In the User Object Type box, enter the uid (user ID). This is configured on your Directory Server. See your DS documentation for more information.

Step 11   In the User Object Class box, enter the class of user object (for example, person). See your DS documentation for more information.

Step 12   In the User Directory Subtree box, enter:

o=subtree

where subtree is the tree in which all of your users are located. This is configured when you set up your Directory Server. See your DS documentation for more information.

CRYPTOCard Token Card Database Configuration

If you are using CRYPTOCard authentication, follow these steps:


Step 1   Click External User Databases: Database Configuration.

Step 2   Click CRYPTOCard.

Step 3   Click Configure.

Step 4   Enter the following information:

  • Server Name—The name or IP address of the CRYPTOCard Server. This defaults to 127.0.0.1 and cannot be changed.
  • CRYPTOCard Path—The path and directory in which all the configuration files for the CRYPTOCard server are located.

Step 5   Click Submit.

SafeWord Token Card Database Configuration

If you are using SafeWord authentication, follow these steps:


Step 1   Click External User Databases: Database Configuration.

Step 2   Click CRYPTOCard.

Step 3   Click Configure.

Step 4   Enter the following information:

  • Server Name—Mnemonic for the user, preferably the name of the remote server.
  • Server Address—The IP address of the remote SafeWord token card server.

Step 5   Click Submit.

AXENT Token Card Database Configuration

If you are using AXENT authentication, follow these steps:


Step 1   Click External User Databases: Database Configuration.

Step 2   Click AXENT.

Step 3   Click Configure.

Step 4   Enter the following information:

  • Server Name—Name of the Defender security server
  • Server Address—IP address of the Defender security server
  • Server Port—Port number of the Defender security server
  • Communication Timeout—Number of seconds to wait before sending notification to the user that the connection has timed out
  • Agent ID—Identification of an agent that has been approved by the server
  • Agent Key—Agent's SNK key in hexadecimal numbers (00 to FF)

Step 5   Click Submit.

SDI SecurID Token Card Database Configuration

If you are using SDI authentication, follow these steps:


Step 1   Before you start:

  • Log in to the Windows NT server with administrative privileges.
  • Make sure you have the ACE Client for Windows NT software.

Step 2   Run the Setup program of the ACE Client software (following the setup instructions). Do not restart your Windows NT server when installation is complete.

Step 3   Locate the ACE Server data directory, for example /sdi/ace/data.

Step 4   Get the file named sdconf.rec and place it in your Windows NT directory: %SystemRoot%\system32

for example:

\winnt\system32

Step 5   Make sure the ACE server host machine name is in the Windows NT local hosts file:

\winnt\system32\drivers\etc\hosts

Step 6   Restart your Windows NT server.

Step 7   Verify connectivity by running the Test Authentication function of your ACE client application. You can run this from the Control Panel.

NDS Database Authentication Configuration

If you selected NDS Server Support, follow these steps:


Step 1   See your Novell NetWare administrator to get the names and other information on the Tree, Container, and Context.

Step 2   Click NDS Server Support.

Step 3   Enter the Tree name.

Step 4   Enter the full Context List, with the components of each context separated by dots (.). You can enter more than one context; if you do, separate them with a comma. For example, if your Organization is Corporation, your Organizational Unit is Chicago, and you want to enter two Context names, Marketing and Engineering, you would enter:

Engineering.Chicago.Corporation, Marketing.Chicago.Corporation

You do not need to add users in the Context List.

Step 5   Click Submit. Changes take effect immediately; you do not need to restart CiscoSecure ACS.


If you click Delete, your NDS database will be deleted.

You can allow your users to enter their own context as part of the logon process, and you can allow CiscoSecure ACS to let NDS search its own tree recursively. Follow these steps:


Step 1   The tree must already have its contexts set up. For example:

[Root] whose treename= ABC
  OU=ABC-Company
    OU=sales
      CN=sales1user
      CN=sales2user
    OU=marketing
      OU=marketing-research
        CN=market1
      OU=marketing-product
        CN=market2

Step 2   In CiscoSecure ACS, enter in the context field:

ABC-Company

Step 3   When sales1user authenticates, the logon name would be:

Username:sales1user.sales

For market1 to authenticate, the logon name would be:

Username:market1.marketing-research.marketing
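The following is an added example, not code from the CiscoSecure ACS guide: it models how a context-relative logon name is combined with the configured Context List (Step 4 above and the ABC tree example) to form a fully qualified NDS name, and what changes when recursive tree search is allowed. The tree contents and the two Chicago.Corporation users are constructed for illustration.

```python
"""Resolve an NDS logon name against the CiscoSecure ACS Context List.

Added example, not part of the guide. It models the behaviour the guide
describes: the user types a context-relative name, CiscoSecure ACS appends
each configured context in turn, and the fully qualified name is looked up
in the NDS tree. Tree contents are constructed from the guide's examples.
"""

# Constructed tree: every leaf object's fully qualified name, written
# leaf-first with dots, as in the guide's Context List syntax. The first
# four come from the [Root] ABC example; the last two are added to
# illustrate a Context List with two contexts.
NDS_TREE = {
    "sales1user.sales.ABC-Company",
    "sales2user.sales.ABC-Company",
    "market1.marketing-research.marketing.ABC-Company",
    "market2.marketing-product.marketing.ABC-Company",
    "jdoe.Engineering.Chicago.Corporation",   # constructed
    "asmith.Marketing.Chicago.Corporation",   # constructed
}


def parse_context_list(field):
    """Split the Context List field: comma-separated dotted contexts."""
    return [c.strip() for c in field.split(",") if c.strip()]


def resolve_logon(logon_name, context_field, tree=NDS_TREE, recursive=False):
    """Return the fully qualified name for logon_name, or None if not found.

    Without recursive search the user must type everything below the
    configured context ("market1.marketing-research.marketing" when the
    context is "ABC-Company"). With it, a shorter name (down to the bare
    CN) is accepted if exactly one object under the context matches.
    """
    for context in parse_context_list(context_field):
        candidate = f"{logon_name}.{context}"
        if candidate in tree:
            return candidate
        if recursive:
            matches = [fqn for fqn in tree
                       if fqn.startswith(logon_name + ".")
                       and fqn.endswith("." + context)]
            if len(matches) == 1:
                return matches[0]
            # zero matches: try the next context; several: ambiguous, refuse
    return None
```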

Windows NT Database Configuration

If you did not already do so during installation, you can enable CiscoSecure ACS to grant dial-in permission to users. Follow these steps:


Step 1   Click External User Databases: Database Configuration.

Step 2   Click Windows NT.

Step 3   Click Configure.

Step 4   Check the Grant dialin permission to user check box.

Step 5   Click Submit.


Note      Your Windows NT server must also be configured to grant dial-in permission to the user. See your Microsoft documentation for more information.


Reports and Activity

Click Reports & Activity in the navigation bar to view reports. The Reports window opens. Select one of the following types of reports to view:

  • TACACS+ Accounting—Lists when sessions stop and start; records NAS messages with username; provides caller line identification information; records the duration of each session.
  • TACACS+ Administration—Lists configuration commands entered on a TACACS+ (Cisco) NAS.
  • RADIUS Accounting—Lists when sessions stop and start; records NAS messages with username; provides caller line identification information; records the duration of each session. You can configure CiscoSecure ACS to include accounting for VoIP in the RADIUS accounting report, in a separate VoIP accounting report, or in both places. Configure these reports in System Configuration.
  • Failed Attempts—Lists authentication and authorization failures with an indication of the cause.
  • Logged-in Users—Lists all users currently receiving services for a single NAS or all NASes with access to CiscoSecure ACS.

Note      To use the Logged-in Users list feature, you must set up your NAS to perform authentication and accounting using the same protocol—either TACACS+ or RADIUS.


  • Disabled Accounts—Lists all user accounts that are currently disabled and the reason they were disabled.
  • ACS Backup and Restore—Lists ACS backup and restore activity.
  • RDBMS Synchronization—Lists RDBMS Synchronization activity.
  • Database Replication—Lists database replication activity.
  • Administration Audit—Lists actions taken by each system administrator.
  • ACS Service Monitoring—Lists when ACS services start and stop.
  • VoIP Accounting—Lists when Voice over IP (VoIP) sessions stop and start; records NAS messages with username; provides caller line identification information; records the duration of each session. You can configure CiscoSecure ACS to include accounting for VoIP in this separate VoIP accounting report, in the RADIUS accounting report, or in both places. Configure these reports in System Configuration.

When you select Logged-in Users or Disabled Accounts, a list of these users or accounts appears in the window on the right of the display. For all other types of reports, a list of applicable reports opens in the window on the right of the display. The reports are named and listed by the date on which they were created; for example, if you are using month/day/year format, a file created on October 5, 1999 would be named 1999-10-05.csv. If you are using the day/month/year format, a file created on that date would be named 1999-05-10.csv.

You can import the .csv files into most database and spreadsheet applications.

These reports are created daily and include information for a 24-hour period starting at midnight. To create a weekly report, merge the files together in the database or spreadsheet application. The files are located in the following directories:

  • TACACS+ Accounting Reports—Program Files\CiscoSecure ACS v2.4\Logs\TACACS+Accounting
  • TACACS+ Admin Accounting Reports—Program Files\CiscoSecure ACS v2.4\Logs\TACACS+Administration
  • RADIUS Accounting Reports—Program Files\CiscoSecure ACS v2.4\Logs\RADIUSAccounting
  • Failed Attempts Reports—Program Files\CiscoSecure ACS v2.4\Logs\Failed Attempts
  • ACS Backup & Restore—Program Files\CiscoSecure ACS v2.4\Logs\Backup and Restore
  • RDBMS Synchronization—Program Files\CiscoSecure ACS v2.4\Logs\DbSync
  • Database Replication—Program Files\CiscoSecure ACS v2.4\Logs\DBReplicate
  • Administration Audit—Program Files\CiscoSecure ACS v2.4\Logs\AdminAudit
  • ACS Service Monitoring—Program Files\CiscoSecure ACS v2.4\Logs\ServiceMonitoring
  • VoIP Accounting—Program Files\CiscoSecure ACS v2.4\Logs\VoIP Accounting
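As an added example (not part of the guide), the following script performs the weekly merge described above in code rather than in a spreadsheet: it collects the seven daily YYYY-MM-DD.csv files from a Logs subdirectory and writes one CSV with a single header row. It assumes the month/day/year naming shown above, that each daily file begins with one header row, and that a day with no file is skipped; the sample rows and column names are constructed.

```python
"""Merge daily CiscoSecure ACS report files into one weekly CSV.

Added example, not part of the guide. The guide names daily report files
YYYY-MM-DD.csv and says a weekly report is a merge of them. Assumed: each
file starts with one header row (kept once in the output); a missing day's
file is skipped rather than treated as an error.
"""
import csv
import datetime as dt
import os

# Constructed column names; real headers depend on System Configuration.
SAMPLE_HEADER = ["Date", "Time", "User-Name", "Acct-Flags", "elapsed_time"]


def weekly_report_files(log_dir, week_ending):
    """Paths of the seven daily files ending on week_ending (a date)."""
    days = [week_ending - dt.timedelta(days=n) for n in range(6, -1, -1)]
    return [os.path.join(log_dir, d.strftime("%Y-%m-%d") + ".csv") for d in days]


def merge_daily_reports(log_dir, week_ending, out_path):
    """Write one header plus every data row; return (files_merged, rows)."""
    header, files_merged, rows = None, 0, 0
    with open(out_path, "w", newline="") as out:
        writer = csv.writer(out)
        for path in weekly_report_files(log_dir, week_ending):
            if not os.path.exists(path):
                continue  # nothing logged that day, or the file was moved
            with open(path, newline="") as f:
                reader = csv.reader(f)
                file_header = next(reader, None)
                if file_header is None:
                    continue  # empty file: no header, no rows
                if header is None:
                    header = file_header
                    writer.writerow(header)
                for row in reader:
                    writer.writerow(row)
                    rows += 1
            files_merged += 1
    return files_merged, rows


def write_sample_logs(log_dir, week_ending):
    """Constructed input: files for six of the seven days, two rows each."""
    paths = weekly_report_files(log_dir, week_ending)
    for path in paths[:-1]:  # the last day's file does not exist yet
        day = os.path.basename(path)[:-4]
        with open(path, "w", newline="") as f:
            w = csv.writer(f)
            w.writerow(SAMPLE_HEADER)
            w.writerow([day, "08:00:01", "sales1user", "start", ""])
            w.writerow([day, "08:45:12", "sales1user", "stop", "2711"])
    return len(paths) - 1
```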

Note      If you have upgraded from a previous version or reinstalled this version of CiscoSecure ACS, be sure to move all accounting files to another location; otherwise, the files will be removed.


Online Documentation

The online documentation provides more detailed information about the configuration, operation, and concepts of CiscoSecure.


Step 1   Click Online Documentation.

The Table of Contents opens in the left window.

Step 2   Click the applicable topic. The online documentation window opens.

Step 3   To print the online documentation, click in the right window, then click Print in your browser's navigation bar.


Note      Click Section Information in any "Quick Help..." window to view the online user guide.