CiscoSecure ACS 2.4 for Windows NT User Guide
Interface Design

After CiscoSecure ACS 2.4 for Windows NT Server (CiscoSecure ACS) has been installed, you configure and manage it through the HTML user interface. The hypertext markup language (HTML) interface allows you to easily modify the authentication and authorization configuration of any user or group in CiscoSecure ACS from any connection on your LAN or WAN.

The CiscoSecure ACS interface is designed to be viewed using a web browser. See the "System Requirements" section for a list of supported browsers.

The design uses primarily HTML, along with some Java functions to enhance ease of use. This design keeps the interface responsive and straightforward, and it means that the browser must support Java.

The web-based interface not only makes viewing and editing user and group information possible, it also allows you to restart services, add remote administrators, change network access server (NAS) information, back up the system, view reports from anywhere on the network, and more. The reports track connection activity, show which users are currently logged in, list the failed authentication and authorization attempts, and show administrators' recent tasks.

You can configure and perform almost all functions for CiscoSecure ACS through the user interface, including:

  • Viewing and editing group profiles

  • Viewing and editing user profiles

  • Viewing and configuring NAS and server information, including network device groups (NDGs)

  • Stopping and starting the CiscoSecure ACS services

  • Backing up the system information

  • Restoring the system information from backup

  • Configuring the user interface

  • Adding and configuring local and remote administrators

  • Configuring distributed system settings

  • Configuring how unknown users are to be handled

  • Troubleshooting

  • Replicating the database information

  • Synchronizing the server information

  • Viewing reports and activity

  • Viewing the Online Documentation

The HTML interface displays an online help window with information specific to the section displayed. If more extensive information is needed, click Section Information at the bottom of the online help window to see the related point in the Online Documentation.

You can configure the HTML interface to display or hide the options of your choice. See the "Interface Configuration" section for instructions.

Accessing the CiscoSecure ACS Web-Based Interface

To access the CiscoSecure ACS web-based interface, enter one of the following uniform resource locators (URLs) on the address line of a browser:

From the browser at the server on which CiscoSecure ACS is installed:

From a browser on a remote workstation:

Note To connect to the CiscoSecure ACS HTML interface from a LAN or dial-up connection, you must enter a username and password in the CiscoSecure Administration Control window. To access the interface remotely (from a machine other than the local Windows NT Server) you must configure an administrator's username and password in the Administration Control window of the HTML interface.

Display Layout

The display has three vertical sections:

Note Most windows have a Submit button at the bottom. Click Submit to confirm your changes. If you do not click Submit, changes are not saved.

Interface Design

The overriding design of the interface is centered on ease of use. The intricate concepts of network security are presented from a user's perspective. This section describes implicit and explicit relationships among the different components that comprise network security.

User-to-Group Relationship

A user can belong to only one group at a time. As long as there are no conflicting attributes, users inherit group settings.

Note If a user profile has an attribute configured that is also configured in the group setting, the user setting will override the group setting.

If a user has a unique configuration requirement, you can make that user a part of a group and set the unique requirements in the User Setup window, or you can assign that user to his or her own separate group.

Per-User or Per-Group Attributes

You can configure most parameters at both the group and user levels. Parameters configurable only at the user level include static IP address, password, and expiration. Password aging and time-of-day/day-of-week restrictions are configurable only at the group level.

Display of TACACS+ and RADIUS Attributes

To maintain ease of use, the default configuration options support the most common applications. Not every TACACS+ and RADIUS attribute is listed. You can select additional attributes to display in the Group or User Setup window. If you want to use an attribute that is not listed, or if you do not use some of the default options, you can display or hide them in the Interface Configuration window. For more information, see the "Interface Configuration" section.

Selecting Protocols

CiscoSecure ACS can simultaneously communicate with different access devices that use any of the following protocol selections:

  • TACACS+

  • RADIUS (IETF)

  • RADIUS (Cisco)

  • RADIUS (Ascend)

When you add or configure a NAS, a menu with these choices opens. CiscoSecure ACS can communicate with a NAS with any of these choices. TACACS+ and RADIUS (IETF) are protocols with attributes defined by the IETF. RADIUS (Cisco) is RADIUS (IETF) support plus IETF Attribute 26, the vendor specific attribute (VSA) for Cisco. It is under the VSA that any TACACS+ command can be sent to an access device through RADIUS. RADIUS (Ascend) is the RADIUS (IETF) support plus the Ascend proprietary attributes.

Note Some of the proprietary attributes conflict with the IETF attributes. Proprietary attributes override IETF attributes.
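The vendor-specific attribute described above, worked through as an added example that is not part of this guide: it builds and parses an IETF Attribute 26 carrying one Cisco attribute-value pair in the RFC 2865 layout. Cisco's vendor ID (9) and the cisco-avpair vendor-type (1) come from public RADIUS dictionaries, not from this page, and the ACL string is a constructed sample.

```python
import struct

RADIUS_VSA_TYPE = 26   # IETF Attribute 26, Vendor-Specific (RFC 2865 section 5.26)
CISCO_VENDOR_ID = 9    # Cisco's IANA enterprise number; not stated on this page
CISCO_AVPAIR = 1       # vendor-type of "cisco-avpair"; not stated on this page


def encode_cisco_vsa(avpair: str) -> bytes:
    """Wrap one cisco-avpair string in an Attribute 26.
    Layout: Type | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | value"""
    value = avpair.encode("ascii")
    sub_attr = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    length = 2 + 4 + len(sub_attr)
    if length > 255:  # both Length fields are one byte wide
        raise ValueError("avpair too long for one attribute; split it across several")
    return struct.pack("!BBI", RADIUS_VSA_TYPE, length, CISCO_VENDOR_ID) + sub_attr


def decode_cisco_vsa(attr: bytes) -> list:
    """Parse one Attribute 26 back into its cisco-avpair strings, checking every
    sub-attribute against the outer Length so a malformed attribute raises
    instead of being read past its end."""
    if len(attr) < 7 or attr[0] != RADIUS_VSA_TYPE:
        raise ValueError("not a Vendor-Specific attribute")
    length = attr[1]
    if length != len(attr):
        raise ValueError("Length field does not match the data present")
    (vendor_id,) = struct.unpack("!I", attr[2:6])
    if vendor_id != CISCO_VENDOR_ID:
        raise ValueError(f"unexpected vendor id {vendor_id}")
    pairs, pos = [], 6
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated vendor sub-attribute header")
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 2 or pos + vlen > length:
            raise ValueError("vendor sub-attribute overruns the attribute")
        if vtype == CISCO_AVPAIR:
            pairs.append(attr[pos + 2:pos + vlen].decode("ascii"))
        pos += vlen
    return pairs


# Constructed sample: a downloadable ACL entry of the kind the guide describes.
SAMPLE_AVPAIR = "ip:inacl#1=permit ip any any"

if __name__ == "__main__":
    packed = encode_cisco_vsa(SAMPLE_AVPAIR)
    print(packed.hex())
    print(decode_cisco_vsa(packed))  # ['ip:inacl#1=permit ip any any']
```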

Display of TACACS+ Time-of-Day Access per Service

You can control the use of each TACACS+ service by the time of day and day of week. For example, you can restrict Exec (Telnet) access to business hours but permit PPP-IP access at any time.

The default setting is to control time-of-day access for all services as part of authentication. However, you can override the default and display a time-of-day access grid for every service. This keeps User and Group Setup easy to manage, while making this feature available for the most sophisticated environments. This feature applies only to TACACS+ because it can separate the authentication and authorization processes. RADIUS time-of-day access applies to all services. If both TACACS+ and RADIUS are used simultaneously, the default time-of-day access applies to both. This provides a common method to control access regardless of the access control protocol.
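The precedence rules from the User-to-Group Relationship and Per-User or Per-Group Attributes sections, together with the per-service time-of-day grid described above, modelled as an added example that is not part of this guide: a user setting overrides its group's, attributes set at the wrong level are rejected, and a service without its own grid falls back to the default grid. The attribute names, the grid encoding as (weekday, hour) slots and the sample group and user are all constructed for the example.

```python
from datetime import datetime

# Where the guide says each attribute may be configured.
USER_ONLY = {"static_ip", "password", "expiration"}
GROUP_ONLY = {"password_aging", "time_of_day"}

def effective_profile(group: dict, user: dict) -> dict:
    """Merge a user into its single group; a user setting overrides the group's.

    Raises if an attribute sits at a level the guide does not allow, and records
    which group settings the user overrode so they can be reviewed.
    """
    misplaced = (set(group) & USER_ONLY) | (set(user) & GROUP_ONLY)
    if misplaced:
        raise ValueError(f"attributes set at the wrong level: {sorted(misplaced)}")
    merged = dict(group)
    merged.update(user)
    merged["overridden"] = sorted(k for k in user if k in group and group[k] != user[k])
    return merged

def access_allowed(profile: dict, service: str, when: datetime) -> bool:
    """Apply the group's time-of-day grid: a map from TACACS+ service name (or
    "default") to permitted (weekday, hour) slots, weekday 0 being Monday.
    A service with no grid of its own falls back to the default grid."""
    grid = profile.get("time_of_day", {})
    slots = grid.get(service, grid.get("default"))
    return True if slots is None else (when.weekday(), when.hour) in slots

def hours(days, start, end):
    """Set of (weekday, hour) slots for the given weekdays and hour range."""
    return {(d, h) for d in days for h in range(start, end)}

# Constructed sample: Exec limited to business hours, every other service any time.
GROUP = {
    "idle_timeout": 600,
    "time_of_day": {"default": hours(range(7), 0, 24), "exec": hours(range(5), 8, 18)},
}
USER = {"static_ip": "192.0.2.10", "idle_timeout": 300}  # documentation address range

def sample_checks():
    """Overrides found, then Exec and PPP-IP on a Saturday and Exec on a Monday."""
    profile = effective_profile(GROUP, USER)
    saturday, monday = datetime(2024, 1, 6, 10), datetime(2024, 1, 8, 10)
    return (profile["overridden"], access_allowed(profile, "exec", saturday),
            access_allowed(profile, "ppp_ip", saturday), access_allowed(profile, "exec", monday))

if __name__ == "__main__":
    print(sample_checks())  # (['idle_timeout'], False, True, True)
```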

Display of Custom Commands per Service

CiscoSecure ACS can also display a custom command field for each service. This text field lets you make specialized configurations to be downloaded for a particular service for users in a particular group; for example, you can define an access control list (ACL) at the CiscoSecure ACS. The IP addresses to which a user is limited are downloaded to the access device at the time of authentication and authorization. After the user ends the session to the access device, the ACL is suspended until a user of the same group accesses the device again.

This feature is not limited to ACLs; you can use it to send many TACACS+ commands to the access device for the service, provided that the device supports the command, and that the command's syntax is correct. This feature is disabled by default, but you can enable it the same way you enable attributes and time-of-day access.

Interface Configuration

This is the section in which you configure the CiscoSecure ACS user interface. Note that if you enable a protocol, you must have a NAS configured with that protocol for the protocol information to display.

User Data Configuration

This section allows you to add or edit up to five user-defined fields that will display in the User Setup window for each user. For example, you could add the user's company name, department, billing information, and so on. You can also include these fields in the Accounting logs.

Protocol Options

These sections allow you to display or hide TACACS+ or RADIUS administrative and accounting options. You can simplify the window by turning off the features that you do not use.

Note The interface will still display any options that you have turned off here if those options are enabled or have non-default values. This stops active settings from being hidden from view. If you later disable the setting, it will then be hidden.

Advanced Options

This feature lets you determine which advanced features will appear on the CiscoSecure ACS interface. You can simplify the entry windows by turning off the features that you do not use. Many of these options do not display if they are not enabled.

Note The interface will still display any options that you have turned off here if those options are enabled or have non-default values. This stops active settings from being hidden from view. If you later disable the setting, it will then be hidden.

The advanced option features include: