[Slide table, truncated at the page break: downloadable Cisco PIX ACLs (enter an ACL once and download it to any number of Cisco PIX firewalls that authenticate users using the Cisco IOS/PIX RADIUS protocol); network access restrictions (list of calling/point-of-access locations used to permit or deny user access based on IP address, CLI, or DNIS); command authorization sets (set of administrative commands to permit or deny during an administrative session)]
Shared Profile Components
Shared profile components are configured once and then applied to many users or user groups,
making it unnecessary to repeatedly enter long lists of devices or commands when defining
network access parameters. Without this ability, flexible and comprehensive authorization could
be accomplished only by explicitly configuring the authorization of each user group for each
possible command on each possible device. The Cisco Secure ACS Shared Profile Components
task enables administrators to develop and name these reusable, shared sets of authorization
components that may be applied to one or more users or groups of users during their
configuration.
The configurable shared profile components include:
Downloadable Cisco PIX ACLs: Create ACLs to be downloaded to any number of Cisco PIX devices when users attempt to authenticate through the firewall.
Network access restrictions: User access can be permitted or denied based on IP address, calling-line ID, dialed number identification service (DNIS), or port for a set of AAA clients.
Command authorization sets: This is a list of administrative commands to be permitted or denied during an administrative session on a device.
To create or edit existing shared profile components, select the Shared Profile Components task
from the Cisco Secure ACS navigation menu, followed by the appropriate Shared Profile
Component. Note that the shared profile components listed are controlled by selections enabled
in the Advanced Options of the Interface Configuration task.
Cisco Secure ACS v3.0 2002 Cisco Systems, Inc 101
101 ACS v3.0 2002, Cisco Systems, Inc. All rights reserved.
Downloadable Cisco PIX ACLs
Shared Profile Components
[Figure: a user at home or in the office sends a Cisco PIX RADIUS authentication request through the Cisco PIX Firewall to Cisco Secure ACS; the Cisco PIX receives an access accept packet containing the named ACL for that user, ACS:CiscoSecure-Defined-ACL=<acl set name>]
Downloadable Cisco PIX ACLs
Cisco Secure ACS v3.0 allows for the creation of Cisco PIX ACLs of any size to be grouped
together for download to a Cisco PIX Firewall (with Version 6.2 or later) when associated with a
user/group profile of a user attempting to authenticate through a Cisco PIX using the RADIUS
Cisco IOS/PIX protocol. Downloadable Cisco PIX ACLs enable you to enter an ACL when in Cisco
Secure ACS, and then load that ACL to any number of Cisco PIX Firewalls. This is far more
efficient than directly entering the ACL into each Cisco PIX Firewall via its command-line
interface. Below is an outline of how the Cisco PIX Firewall obtains the ACLs from the Cisco
Secure ACS.
When a user accesses the network through a Cisco PIX Firewall, the Cisco PIX Firewall issues a
RADIUS authentication request packet to the AAA server for the requisite user session. If
successfully authenticated, Cisco Secure ACS returns a RADIUS access accept packet containing
the named ACL set for that user. The ACL is packaged within the Cisco VSA AV-Pair: Cisco
Secure ACS:CiscoSecure-Defined-ACL=<acl set name>.
Downloadable Cisco PIX ACLs - continued
The Cisco PIX Firewall checks the returned profile and examines the returned ACL set name. If the
Cisco PIX Firewall already has a valid cache entry for the named ACL set, the communication is
complete and the Cisco PIX Firewall applies the ACL it has cached to the user session. If the ACL
set has not previously been downloaded, the Cisco PIX Firewall issues a new RADIUS
authentication request using the ACL set name as the username in the RADIUS request along
with a null password attribute.
Upon receipt of a RADIUS authentication request packet containing a username attribute
containing the name of an ACL set, the Cisco Secure ACS accepts the authentication and
responds with an access accept packet containing the individual ACLs comprising the named
set. Initially the Cisco PIX Firewall will support only a single type of ACL (ip:inacl), although the
Cisco Secure ACS design will not preclude the use of other types/directions at a later date. The
ACLs will be packaged in the standard fashion using Cisco AV-Pair VSAs:
Av-pair = ip:inacl#1 = <acl 1>
Av-pair = ip:inacl#2 = <acl 2>
For more efficient Cisco PIX processing, Cisco Secure ACS employs a versioning timestamp for
ensuring that the Cisco PIX Firewall has cached the latest ACL version. If a Cisco PIX Firewall
responds that it does not have the current version of the named ACL in its cache (that is, the ACL
is new or has changed), Cisco Secure ACS automatically uploads the ACL update to the Cisco
PIX Firewall cache.
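The two-step exchange and version check described above, as an added Python model (not code from the page or from Cisco): packets are plain dicts rather than real RADIUS, and the user name, password, ACL lines and the integer version that stands in for the ACS versioning timestamp are constructed assumptions.

```python
ACL_VSA = "ACS:CiscoSecure-Defined-ACL"   # VSA attribute named on the page
INACL_PREFIX = "ip:inacl#"                # the one ACL type the PIX initially supports


class AcsServer:
    """Cisco Secure ACS side: user records plus versioned, named ACL sets."""

    def __init__(self):
        self.users = {}      # username -> (password, acl set name)
        self.acl_sets = {}   # acl set name -> {"version": int, "entries": [...]}

    def add_user(self, username, password, acl_set_name):
        self.users[username] = (password, acl_set_name)

    def define_acl_set(self, name, entries):
        # Each (re)definition bumps the version; the integer stands in for the
        # ACS versioning timestamp (modeling assumption).
        version = self.acl_sets[name]["version"] + 1 if name in self.acl_sets else 1
        self.acl_sets[name] = {"version": version, "entries": list(entries)}

    def handle_access_request(self, username, password):
        """Answer one RADIUS Access-Request (modeled as a dict)."""
        if password is None:
            # Second exchange: the PIX sends the ACL set name as the username
            # with a null password attribute to ask for the ACL body.
            acl = self.acl_sets.get(username)
            if acl is None:
                return {"code": "Access-Reject", "avpairs": []}
            avpairs = [f"{INACL_PREFIX}{n}={line}"
                       for n, line in enumerate(acl["entries"], start=1)]
            return {"code": "Access-Accept", "acl_version": acl["version"],
                    "avpairs": avpairs}
        # First exchange: ordinary user authentication; the accept names the
        # ACL set in the Cisco VSA AV-pair and (assumption) carries its version.
        record = self.users.get(username)
        if record is None or record[0] != password:
            return {"code": "Access-Reject", "avpairs": []}
        name = record[1]
        return {"code": "Access-Accept",
                "acl_version": self.acl_sets.get(name, {}).get("version"),
                "avpairs": [f"{ACL_VSA}={name}"]}


def parse_inacl(avpairs):
    """Order ip:inacl#N AV-pairs by N and return the ACL lines."""
    numbered = {}
    for av in avpairs:
        attr, _, value = av.partition("=")
        if attr.startswith(INACL_PREFIX):
            numbered[int(attr[len(INACL_PREFIX):])] = value
    return [numbered[n] for n in sorted(numbered)]


class PixFirewall:
    """Cisco PIX side: caches downloaded ACL sets by name and version."""

    def __init__(self, acs):
        self.acs = acs
        self.cache = {}   # acl set name -> {"version": int, "entries": [...]}

    def authenticate_session(self, username, password):
        """Return (accepted, ACL lines applied to the session, RADIUS requests sent)."""
        requests = 1
        reply = self.acs.handle_access_request(username, password)
        if reply["code"] != "Access-Accept":
            return False, None, requests
        name = None
        for av in reply["avpairs"]:
            attr, _, value = av.partition("=")
            if attr == ACL_VSA:
                name = value
        if name is None:
            return True, [], requests            # accepted, no downloadable ACL
        cached = self.cache.get(name)
        if cached is None or cached["version"] != reply["acl_version"]:
            # Cache miss or stale version: second request for the ACL body.
            requests += 1
            body = self.acs.handle_access_request(name, None)
            if body["code"] != "Access-Accept":
                return False, None, requests     # fail closed (assumption)
            self.cache[name] = {"version": body["acl_version"],
                                "entries": parse_inacl(body["avpairs"])}
        return True, list(self.cache[name]["entries"]), requests


def demo():
    """Constructed walkthrough: cache miss, cache hit, stale cache after an ACL edit."""
    acs = AcsServer()
    acs.define_acl_set("sales-acl", ["permit tcp any host 192.0.2.10 eq 80", "deny ip any any"])
    acs.add_user("alice", "s3cret", "sales-acl")
    pix = PixFirewall(acs)
    first = pix.authenticate_session("alice", "s3cret")    # miss: two requests
    second = pix.authenticate_session("alice", "s3cret")   # hit: one request
    acs.define_acl_set("sales-acl", ["permit tcp any host 192.0.2.10 eq 443", "deny ip any any"])
    third = pix.authenticate_session("alice", "s3cret")    # stale: two requests
    bad = pix.authenticate_session("alice", "wrong")       # rejected
    return first, second, third, bad
```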
Downloadable Cisco PIX ACLs
Configure Authorization - Shared Profile Components
[Screenshot: list of configured downloadable PIX ACL sets; click an entry to edit or delete it]
Use standard Cisco PIX
ACLs, simply enable their use and pick the appropriate set of
downloadable ACLs to use for this user group. If a Cisco PIX Firewall is making an
authentication request for a user, the set of ACLs associated with the user group of the user
being authenticated will be downloaded to the Cisco PIX Firewall.
In the case of NARs, you can select as many sets of NARs as you want and decide on the
Boolean logic to use; it must match all selected NARs to result in an access permit (AND), or it
must match at least one selected NAR to result in an access permit (OR).
Finally, the command authorization sets provide the most flexibility, because you can use
different command sets for different sets of devices, or one command set for all devices.
These become active when selecting Submit + Restart for the associated group they were
configured in.
Note: User group settings also allow for the setting of NARs and command authorization sets independent of the shared profile components. Of course, if you wish to use these same settings for another user group, you will need to reenter them for that other group.
Create Cisco Secure ACS Administrators for Groups
Configure Authorization
[Screenshot: select the groups and edit features this administrator will be responsible for; more privileges are shown on the next page]
Create Cisco Secure ACS Administrators for Groups
Earlier in this chapter, we discussed how to create a Cisco Secure ACS administrator who had privileges to perform any Cisco Secure ACS function or task. Let's revisit the addition of a Cisco Secure ACS administrator, but this time discuss limiting the administrator's privileges. Like before, to create a new administrator, click the Administration Control task from the navigation menu to display the list of administrators currently defined. From this table select Add Administrator to create a new administrator or click the name of an existing administrator to edit the administrator's profile. Enter a name and password to use for authentication. Remember that all remote access to Cisco Secure ACS must be authenticated, and the administrator session policy determines if local access must also be authenticated.
Previously when creating the superuser account, the Grant All button was selected in the Administrator Privileges section, granting all administrative privileges. This time, administrators can be created with limited privileges. The first section of Administrator Privileges allows the administrator to have Add/Edit/Setup rights for only a select number of groups, localizing authority and accountability.
The next page shows the other privileges that can be granted per administrator.
Create Cisco Secure ACS Administrators for Groups (continued)
Configure Authorization
[Screenshot: set which functions within Cisco Secure ACS this administrator is authorized to configure; Submit adds the administrator and their privileges]
Create Cisco Secure ACS Administrators for Groups - continued
For any given Cisco Secure ACS administrator, the items displayed in the Cisco Secure ACS interface may be limited by what the administrator has been given privileges to configure. Thus, not only will the options selected in the Interface Configuration task limit what is displayed for all administrators, but the display may be further limited based on granted privileges on a per Cisco Secure ACS administrator basis. As shown in the figure above, privileges to all functional areas of Cisco Secure ACS can be granted, some with a finer level of granularity than others.
When the administrator's privileges are configured, select Submit for the settings to take effect.
The configuration process of Cisco Secure ACS is almost complete. The chapter has so far
looked at general configurations (including accounting - logging), adding AAA clients, and
configuring authorizations. The final piece is the configuration of the actual users who need to
be authenticated and authorized prior to receiving access to the network.
[Cisco Secure ACS Roadmap figure listing the chapter sections: Planning, Getting Started, General Configuration, Configure Cisco Secure ACS Network, Configure Authorization, Configure Cisco Secure ACS Users, View Cisco Secure ACS Reports]
Configure Cisco Secure ACS Users
Configure Cisco Secure ACS Users
[Slide outline: ACS Database and Authorization; User Profiles; Handling Unknown Users]
Configure Users
Cisco Secure ACS provides the flexibility to authenticate users against either the internal Cisco
Secure ACS database or one of several possible external databases. No matter which database is
used to authenticate a user, authorization is always performed using information configured in
the Cisco Secure ACS database. Therefore, all users must have either an explicit account within
the Cisco Secure ACS user database or a mechanism to associate them with an authorization
policy (user group). This section looks at the different methods to create users in the Cisco
Secure ACS database, and the methods to associate authorization policies with unknown users
(users without Cisco Secure ACS user records).
Cisco Secure ACS Database and Authorization
Configure Users
[Figure, "How Users Can Be Added": user Billy (authenticated by NT) and user Rick (authenticated by ODBC) enter the Cisco Secure ACS database through the Cisco Secure ACS interface, the unknown user policy, database replication, RDBMS synchronization, or CSUtil.exe (database import utility); local user Sally is authenticated by the Cisco Secure ACS database itself. Database group mappings (NT: Group 1, ODBC: Group 2) attach group authorizations, and user-specific authorizations may be added per user. Authorization is always handled by the Cisco Secure ACS database, regardless of where the user is authenticated.]
Cisco Secure ACS Database and Authorization
The Cisco Secure ACS database is crucial for the authorization process. Regardless of whether a
user is authenticated by the internal user database or by an external user database, Cisco Secure
ACS authorizes network services for users based upon group membership and specific user
settings configured in the Cisco Secure ACS database. Thus, all users authenticated by Cisco
Secure ACS, even those whose authentication is performed with an external user database, must
have a means to be associated with a user group in the Cisco Secure ACS database.
There are five ways to add user profiles to the Cisco Secure ACS database:
Cisco Secure ACS interface: The Cisco Secure ACS administrator enters the user profile, including the database (internal or external) to use for authentication, the user group the user will be a member of, and any user-specific authorizations.
Unknown user policy and database group mapping: A user who is attempting to be authenticated but is not found in the Cisco Secure ACS user database can be sent to external databases for authentication. The Cisco Secure ACS administrator creates the unknown user policy, detailing the order of external databases to search. The Cisco Secure ACS administrator can also map unknown users in the various databases to a user group. If an unknown user is authenticated by one of the external databases, a new user profile is created based on the external database authenticating the user and the user group membership dictated by the database group mapping policy.
Database replication: Cisco Secure ACS allows for the replication of the database with other Cisco Secure ACS systems. This feature allows one Cisco Secure ACS system to mirror its database with another Cisco Secure ACS system for backup.
RDBMS synchronization: Cisco Secure ACS allows for the synchronization of the database with other ODBC databases.
CSUtil.exe: This is a command line utility to import users via a file. See Appendix E of the Cisco Secure ACS User Guide for more information on command-line utilities.
The remainder of this section discusses how to configure users via the Cisco Secure ACS
interface, create an unknown user policy, and map unknown users to a user group.
User Profiles
Configure Users
[Screenshot of the user profile sections: Basic User Information; Supplementary User Information; Where to Authenticate; Group Assignment; Callback; IP Address Assignment; Max Sessions for User; User Usage Quotas; Advanced User Settings; Shared NARs; Per-User NARs; Downloadable Cisco PIX ACLs; Shared Command Authorization Sets; Per-User Command Authorization; Security Protocol Settings; Account Management Settings; Account Disable; Current User Usage. The configurable user settings are determined by enabled options in the Interface Configuration task and the configuration of the Cisco Secure ACS system.]
User Profiles
A user profile is an entry in the Cisco Secure ACS database that contains the method to authenticate the user and a set of authorizations for the user to further define access rights. Like the settings available for configuration in the user group setup, the settings available for configuration in a user's profile vary, depending on enabled options in the Interface Configuration task and configured Cisco Secure ACS system components (that is, external databases and security protocols used).
Many of the available settings in the user's profile are identical to the settings in the user group setup except they are applied only to this user and not a group of users. The settings in the user's profile can be arranged into three categories:
Basic user information: These settings include who the user is, what database to authenticate against or passwords used for authentication, which user group this user is assigned to, how to supply an IP address, maximum session settings for the user, usage quotas for the user, and some callback controls. Many of these settings have an option to use the settings configured for the group instead. Remember, if the same type of setting is configured in both the user profile and the user group, the settings in the user profile take precedence.
Advanced user settings: These authorization settings are similar to the ones in the group settings for NARs, downloadable Cisco PIX ACLs, command authorizations, and security protocols. Again, if the same type of setting is configured in both the user profile and the user group, the settings in the user profile take precedence.
Account management settings: These settings allow you to disable the account or set up a policy (date or number of failed attempts) as to when to disable the account. Also, if usage quotas by user are enabled, the user profile contains a table displaying the current usage.
This section discusses some of the above settings. Generally, all the settings and their
configuration are self-explanatory. For more information on any of the settings, consult either
the Cisco Secure ACS User Guide or the content-sensitive help provided in the right display area
of the Cisco Secure ACS desktop.
Adding Users via the Cisco Secure ACS Interface
Configure Users - User Profiles
[Screenshot: User Setup dialog; enter a new user ID, an existing user ID, or a user ID with wildcards for find; listed users can be edited or deleted]
Adding Users via the Cisco Secure ACS Interface
The configuration of users is the functional configuration area within Cisco Secure ACS that will
probably be the most visited. As previously stated, all users, regardless of their authentication
method, must have an entry in the Cisco Secure ACS user database to associate them with a user
group. Using the Cisco Secure ACS interface, the Cisco Secure ACS administrator can add users
no matter what their authentication method is. This provides the ultimate control in setting
authorizations for each user (associate with a user group or per-user authorizations). Later in
this section, we discuss how all users in external databases can easily be added to the Cisco
Secure ACS database as members of the same user group.
To create a new user, click the User Setup task from the navigation menu, enter a user ID for the new user in the User field of the User Setup dialog box, and click Add/Edit. A user's profile can be edited at any time by entering the user's name in this same field and also clicking the Add/Edit button. Because there will probably be a large number of users, this screen also allows you to find users (use wildcards) or list users by the first letter/digit of their account name. Results of the list or find operations are displayed in the right display area of the Cisco Secure ACS desktop. Click on the desired user from this list to begin editing the user profile.
Basic User Settings
Configure User - User Profiles
[Screenshot: select the database to use for authentication; enter password information for the ACS database (a password authentication method is required); assign the user to a group; additional fields are enabled from the Interface Configuration task. The figure does not display all possible fields to configure.]
Basic User Settings
The figure above shows just a few of the possible basic user settings. The top of the User Profile
screen indicates the user ID being created (ID followed by the words (New User)) or edited. The
User Data Configuration option in the Interface Configuration task allows you to include up to five
additional fields of information to associate with the user. Values for these fields can be entered
in the Supplementary User Info configuration box.
The most important configuration for the user is the authentication database and user group
association. The Cisco Secure ACS Administrator can associate this user with any configured
database. Only the configured databases will be available for selection from the pull-down list. If
you select the internal Cisco Secure ACS database, you have two options for specifying a
password:
Use a single password: used for PAP, CHAP, MS-CHAP, and ARAP
Use separate passwords: one for PAP and the second for CHAP/MS-CHAP/ARAP
Note: When a token card server is used for authentication, a separate CHAP/MS-CHAP password
can be supplied for a token card user to permit CHAP/MS-CHAP authentication. This is especially
useful when token caching is enabled.
To make this user a member of a user group, simply select the desired group from the pull-down
list. Note: Cisco Secure ACS administrators that were given only privileges to configure a subset
of all the groups will only see the groups that they can administer.
At this point you can click Submit and the user can now be authenticated and authorized (via
associated user group settings) for network access via Cisco Secure ACS. The user profile also
allows for the configuration of additional user-specific authorizations. These authorizations will
take precedence over the authorizations defined in the user group associated with the selected
user.
Account Management Settings
Configure User - User Profiles
[Screenshot of an existing user's profile: View Usage for User, Administratively Disable Account, and Disable Account Policy sections]
Account Management Settings
Cisco Secure ACS provides the capability to perform simple account management tasks. Any user account can be disabled at any time to prevent any further access by simply clicking the Account Disabled check box at the top of the user's profile. Accounts can also be disabled based on a date or a number of failed login attempts. These values can be configured in the Account Disable settings configuration box.
Finally, if the Usage Quotas option was enabled in the Advanced Options of the Interface
Configuration task, the current usage values for a user can be viewed in a table located in the
Usage Quotas settings configuration box. These values can be reset by checking the On submit
reset all usage counters check box and clicking Submit.
Handling Unknown Users
Configure Users
[Figure: user Rick (password hereiam) attempts to authenticate, and no user profile for Rick is found in the Cisco Secure ACS database. The Unknown User Policy (Authentication: NT, ODBC) looks in NT first and ODBC second; ODBC returns OK. The Database Group Mapping (NT: New York Admins, ODBC: Consultants) assigns Rick to the Consultants group and its access policies, and a new Cisco Secure ACS DB entry (User: Rick, Authentication: ODBC, No User Access Policies, Group: Consultants) is created for faster processing the next time.]
Handling Unknown Users
Entering all users represented in an external database into the Cisco Secure ACS database can
be a very time-consuming process. Cisco Secure ACS has a mechanism to automate the addition
of these users. A figure similar to the one above was seen earlier in this chapter and is repeated
here to explain the automatic user profile addition to the Cisco Secure ACS database for users
authenticated by external databases with no user profile in the Cisco Secure ACS database.
Because initially there is no entry in the Cisco Secure ACS database for these external database users, they are considered unknown to Cisco Secure ACS, simply meaning they have no user profile. To first authenticate these unknown users (no user profile means Cisco Secure ACS doesn't know which external database the user is in), the Cisco Secure ACS administrator creates the Unknown Users Policy. This policy simply lists the external databases in the order they should be searched for any unknown users. The Cisco Secure ACS Administrator also creates a Database to Group Mapping policy, which states which User Group to associate with Unknown Users from a given external database.
When an unknown user attempts to authenticate with Cisco Secure ACS, Cisco Secure ACS
searches its database for the users profile. When no user profile is found matching this user ID,
Cisco Secure ACS then sends the login information to the external databases for authentication
in the order listed in the Unknown User Policy. When an external database authenticates this
login, the OK is sent back to Cisco Secure ACS. Cisco Secure ACS looks up the database it
received this OK from in the Database Group Mapping table to determine which user group to
associate with this unknown user.
Cisco Secure ACS now has all the basic information needed to create a user profile for this
previously unknown user. The new profile is added to Cisco Secure ACS, where it can now be
viewed using the User Setup edit feature and used for authentication when the previously
unknown users attempt to log in again.
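The unknown-user lookup described above, as an added Python model (not code from the page or from Cisco): the external databases are stand-in dicts, and the user names, passwords and group names are constructed from the figure; only the ordered search, the database-to-group mapping and the automatic profile creation follow the text.

```python
INTERNAL = "CiscoSecure"   # label for the internal Cisco Secure ACS database (constructed)


class ExternalDatabase:
    """Stand-in for an external user database such as Windows NT or ODBC."""

    def __init__(self, name, credentials):
        self.name = name
        self._credentials = dict(credentials)   # constructed sample accounts

    def authenticate(self, username, password):
        return self._credentials.get(username) == password


class AcsUserDatabase:
    """Cisco Secure ACS user database with the two unknown-user settings."""

    def __init__(self, external_databases, search_order, group_mappings):
        self.external = {db.name: db for db in external_databases}
        # Unknown User Policy: None means "fail the attempt"; otherwise the
        # ordered list of external database names to search.
        self.search_order = None if search_order is None else list(search_order)
        self.group_mappings = dict(group_mappings)   # database name -> user group
        self.profiles = {}   # username -> {"auth_db": ..., "group": ...}

    def add_local_user(self, username, password, group):
        self.profiles[username] = {"auth_db": INTERNAL, "group": group,
                                   "password": password}

    @staticmethod
    def _reply(result, group, created, tried):
        return {"result": result, "group": group,
                "profile_created": created, "databases_tried": tried}

    def login(self, username, password):
        tried = []
        profile = self.profiles.get(username)
        if profile is not None:
            # Known user: authenticate only where the profile says. A wrong
            # password here does not trigger the unknown-user search.
            tried.append(profile["auth_db"])
            if profile["auth_db"] == INTERNAL:
                ok = profile["password"] == password
            else:
                ok = self.external[profile["auth_db"]].authenticate(username, password)
            return self._reply("accept" if ok else "reject",
                               profile["group"] if ok else None, False, tried)
        if self.search_order is None:
            return self._reply("reject", None, False, tried)   # policy: fail unknown users
        for db_name in self.search_order:
            tried.append(db_name)
            if self.external[db_name].authenticate(username, password):
                # The first external database that says OK selects the group
                # mapping, and a profile is created so the next login skips the search.
                group = self.group_mappings.get(db_name)
                self.profiles[username] = {"auth_db": db_name, "group": group}
                return self._reply("accept", group, True, tried)
        return self._reply("reject", None, False, tried)


def demo():
    """Constructed walkthrough using the names from the figure."""
    nt = ExternalDatabase("NT", {"billy": "letmein"})
    odbc = ExternalDatabase("ODBC", {"rick": "hereiam"})
    acs = AcsUserDatabase([nt, odbc], ["NT", "ODBC"],
                          {"NT": "New York Admins", "ODBC": "Consultants"})
    acs.add_local_user("sally", "imlocal", "Group 1")
    runs = [acs.login("rick", "hereiam"),    # unknown: NT fails, ODBC accepts, profile created
            acs.login("rick", "hereiam"),    # now known: only ODBC is asked
            acs.login("sally", "wrong"),     # known local user, bad password: no search
            acs.login("ghost", "nobody")]    # unknown everywhere: rejected
    fail_unknown = AcsUserDatabase([nt, odbc], None, {})
    runs.append(fail_unknown.login("billy", "letmein"))   # policy "fail the attempt"
    return runs
```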
Let's look at how to set up this time-saving feature.
Unknown User Profile
Configure Users - Handling Unknown Users
[Screenshot: choose the order in which the defined external user databases are searched for the unknown user; Submit puts the Unknown User Policy immediately into use]
Unknown User Profile
Because unknown users are users authenticated in external databases without Cisco Secure ACS user profiles, it makes sense to configure the Unknown User Profile using the navigation menu item External User Databases. Two Unknown User Policies can be configured. The first says that if the user is unknown to Cisco Secure ACS, fail the attempt. The second provides a search order of external user databases to ask to authenticate the unknown user. To configure this list, simply select the external databases to search from the provided list (currently configured external user databases) and click the -> button to add them to the search list. The search list can be reordered by selecting an external database in the search list and clicking the Up or Down button to place it in the proper order. When the search order is set, click the Submit button to make the Unknown User Policy become immediately effective.
Database Group Mappings
Configure Users - Handling Unknown Users
[Screenshot: select the group to be associated with any unknown user from a particular external database; Submit puts the unknown user group mappings immediately into use]
Database Group Mappings
The database group mappings are also configured from the External User Databases task. When
selecting the Database Group Mappings option, you are presented with a list of all configured
external databases. Select the external database from the list and associate it with the user
group. From the pull-down list of user groups, select the user group to associate with this
database. Click Submit to make the Database Group Mappings become immediately effective.
Note: Windows databases allow you to associate a user group with a domain of users.
At this point Cisco Secure ACS is all configured and ready for use. Of course, there will be times
when various configurations will need to be revisited to fine-tune the Cisco Secure ACS
deployment or to add additional features, groups, or users. To finish this chapter, let's look at
how to view the various reports provided by Cisco Secure ACS.
[Cisco Secure ACS Roadmap figure listing the chapter sections: Planning, Getting Started, General Configuration, Configure Cisco Secure ACS Network, Configure Authorization, Configure Cisco Secure ACS Users, View Cisco Secure ACS Reports]
View Cisco Secure ACS Reports
View Cisco Secure ACS Reports
[Slide outline: Reports and Activities; Sample Reports]
View Cisco Secure ACS Reports
The Cisco Secure ACS Administrator can review the various log file reports generated by Cisco
Secure ACS to determine system/user/administrator activity and accounting information sent by
AAA clients. The configuration of the log files was discussed in the General Configuration
section of this chapter.
Reports and Activities
View Cisco Secure ACS Reports
[Screenshot: report list; the reports listed depend on the security protocols in use and the configured logging, with the current log at the top]
Reports and Activities
When Cisco Secure ACS is configured according to the deployment plan, day-to-day use is
typically limited to the review of activity and accounting logs and the occasional change or
addition to the existing Cisco Secure ACS configuration. The logs should be periodically
reviewed to determine proper system behavior and to detect any possible misconfigurations.
To view any of the enabled reports generated by Cisco Secure ACS, select the Reports and
Activity task from the navigation menu. A list of all available report categories is displayed.
Select the desired report type, and the right display area of the Cisco Secure ACS desktop
displays the actual report or reports of this type available for viewing. The top report listed is the
current log being used by Cisco Secure ACS. The remaining logs are listed in chronological
order from most recent to oldest stored. To view any report, simply click on it.
Sample Reports
(Slide note: Reports are displayed in the right display area of the Cisco Secure ACS desktop.)
The figure above displays samples of three different reports. Note that there may be many more
fields to display for these reports if so configured (see General Configuration section of this
chapter for details on configuring logs). The data in the reports can be sorted by the data in a
column by clicking the column header. The reports are displayed in the right display area of the
Cisco Secure ACS desktop.
Review of Cisco Secure ACS Key Points
Centralized Authentication, Authorization, and Accounting (AAA) Services
Can Utilize Either Local or External Databases for Authentication
Flexible Configuration of Access Authorizations
Easy-to-Use HTML Interface
Protocol Flexibility (RADIUS/TACACS+, many password protocols)
Configurable Administrator Configuration Privileges
Highly Scalable
Cisco Secure ACS is a powerful access control server that allows for the centralization of AAA
services. Cisco Secure ACS can provide AAA services via either the RADIUS or TACACS+
security protocols and offers support for a large number of password authentication protocols.
Cisco Secure ACS is easy to use, utilizing an HTML interface that is configurable to display only
the items of Cisco Secure ACS being deployed, and it can be accessed remotely. Administrator
configuration privileges can be limited to provide a more secure environment. Log files track
every action and activity of Cisco Secure ACS for reporting, troubleshooting, and accountability
purposes. Cisco Secure ACS can scale to fit almost any size of network, with support for redundant
servers and external user databases. Finally, Cisco Secure ACS provides flexible, time-saving
authorization configuration mechanisms that allow fine-granularity access policies to be
applied to single users or groups of users.
Congratulations!
We hope that this chapter has helped you to understand what Cisco Secure ACS can do for you.
Continue with Chapter 3 to experience a sample deployment of Cisco Secure ACS.
Chapter 3
Deployment Scenario
Cisco Secure Access Control Server v3.0
Chapter 3 Topics
The Customer's Network
Planning the Cisco Secure ACS Deployment
Cisco Secure ACS Deployment Scenario
Getting Started
General Configuration
Configure Cisco Secure ACS Network
Configure Authorization
Configure Users
Using Cisco Secure ACS
Chapter 3 Objectives
Chapter 2 provided information on the features and capabilities of Cisco Secure ACS for
centralizing command and control for all user authentication, authorization, and accounting
(AAA) from a Web-based, graphical interface. Please review Chapter 2 if you haven't done so
already. This chapter reviews several of these key features of Cisco Secure ACS by illustrating a
simple Cisco Secure ACS deployment scenario. The scenario will help you understand how to
provide AAA services using Cisco Secure ACS and how to administer the Cisco Secure ACS
application.
By going through this sample deployment, you will see specific examples of how to configure
and administer the Cisco Secure ACS application. The scenario does not illustrate how to
configure the end user's workstation or the commands to enable on the AAA client.
Now, let's describe the customer's network to be used in this scenario.
The Customer's Network: Creative Engineering Corporation
[Figure: Creative Engineering network diagram with the labels Cisco VPN 3000, PSTN, Cisco AS5300 Access Server, Mobile Worker (Dial-Up), Public Internet, Remote Office, Home Office (DSL, VPN), Cisco Aironet, Switch, ACS-1 Primary, ACS-2 Backup, Corporate Network.]
Creative Engineering - Deploying Cisco Secure ACS
Today, many corporations are making network management and security enhancements by
centralizing user access control. In doing so, corporations can minimize administrative costs,
optimize security, manage the access of networked resources, and lower operational costs.
Tom Smith of Creative Engineering has made that transition for his company by recently
deploying several Cisco Secure Access Control Servers (ACSs) to control network and device
access for local administrator, dial-up, wireless, and virtual private network (VPN) users. In the
deployment of Cisco Secure ACS, Tom has made the following considerations:
Creative Engineering has a large number of remote users (dialup, VPN, and wireless). Dial-up users access
the network through a network access server (NAS), the Cisco AS5300. The wireless users access the
network using a wireless access point (AP), such as the Cisco Aironet
Series.
With Cisco Secure ACS v3.0, the network administrators can quickly manage wireless user accounts and
globally administer and distribute wireless encryption keys using Remote Access Dial-In User Service
(RADIUS). This improves their ability to scale and deploy secure wireless services, and saves time by
centralizing that control, access management, accounting, and wireless key distribution within the Cisco
Secure ACS framework.
Note: In Cisco Secure ACS v3.0, all RADIUS attributes are shared by all RADIUS devices for a given group
or user. One of these attributes is session timeout. Session timeouts are generally long periods of time on
the "normal" network access device. VPN concentrators, dial-in servers, and so on can share a common
timeout period without serious impact. However, with the dynamic Wired Equivalent Privacy (WEP) rekeying
feature of the Cisco Aironet Series, this poses a different problem. A shorter period of 10 to 30 minutes is
recommended for security reasons. Therefore, if the same Cisco Secure ACS system is used to manage the
wired and wireless community, an access point will use the same session timeout value as a Cisco VPN
3000 Concentrator, resulting in VPN users being logged off at the same rate as wireless users. This is
known as the "attribute 27" problem. In an upcoming release, Cisco Secure ACS will separate the session
timeout attribute for RADIUS.
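As an added illustration of the note above (this code is not part of the original document and is not Cisco Secure ACS code), the following Python encodes and decodes the RADIUS Session-Timeout attribute (attribute type 27, a 32-bit integer, as defined in RFC 2865) and models a group profile whose single value is sent to every RADIUS AAA client in the group, which is the "attribute 27" situation described. The per-device-type override it also shows is a hypothetical sketch of what separating the attribute by device type would look like; the group profile, device-type names and timeout values are constructed for the example.

```python
import struct

SESSION_TIMEOUT = 27  # RADIUS attribute type for Session-Timeout (RFC 2865)


def encode_attribute(attr_type: int, value: int) -> bytes:
    """Encode a 32-bit integer RADIUS attribute as Type (1), Length (1), Value (4)."""
    return struct.pack("!BBI", attr_type, 6, value)


def decode_attributes(data: bytes) -> dict:
    """Walk a RADIUS attribute list and return {type: value}; 4-byte payloads decode as integers."""
    attrs = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        payload = data[i + 2:i + length]
        attrs[attr_type] = struct.unpack("!I", payload)[0] if len(payload) == 4 else payload
        i += length
    return attrs


# Constructed group profile: one Session-Timeout shared by every RADIUS AAA client in the group.
# 1800 s is the short value the access points need for WEP rekeying.
GROUP_PROFILE = {SESSION_TIMEOUT: 1800}


def build_reply_attrs(group_profile: dict, nas_type: str, per_nas_override: dict = None) -> bytes:
    """Return the attribute bytes that group-level configuration would put in an Access-Accept.

    With per_nas_override=None this models the v3.0 behaviour the note describes: the same value
    goes to every device type. per_nas_override is a hypothetical {nas_type: {attr: value}} map
    showing what separating the attribute per device type would look like.
    """
    attrs = dict(group_profile)
    if per_nas_override and nas_type in per_nas_override:
        attrs.update(per_nas_override[nas_type])
    return b"".join(encode_attribute(t, v) for t, v in sorted(attrs.items()))


def session_timeout_for(nas_type: str, per_nas_override: dict = None) -> int:
    """Decode the reply a device of the given type would receive and return its Session-Timeout."""
    reply = build_reply_attrs(GROUP_PROFILE, nas_type, per_nas_override)
    return decode_attributes(reply)[SESSION_TIMEOUT]


if __name__ == "__main__":
    # Shared profile: the VPN concentrator is cut off as often as the access point.
    for nas in ("aironet", "vpn3000"):
        print(nas, "Session-Timeout =", session_timeout_for(nas))
    # Hypothetical per-device-type separation: VPN keeps a long timeout, wireless stays short.
    override = {"vpn3000": {SESSION_TIMEOUT: 28800}}
    for nas in ("aironet", "vpn3000"):
        print(nas, "Session-Timeout (separated) =", session_timeout_for(nas, override))
```

The wire encoding is what the access point and the concentrator actually see: both receive an identical six-byte attribute, so the choice of 1800 s for rekeying is forced on every RADIUS client of the group until the attribute can be set per device type.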
Finally, Tom has considered deploying multiple Cisco Secure ACS platforms to ensure that network
access will not be compromised if access to the primary Cisco Secure ACS is lost.
The Customer's Network: Creative Engineering Corporation
This scenario highlights how Tom has planned for deploying Cisco Secure ACS and its actual
configuration. For more information on deploying Cisco Secure ACS in various network
environments, refer to the reference section in Chapter 5 for a list of available white papers.
Planning the Cisco Secure ACS Deployment
The Customer's Network

Cisco Secure ACS System Maintenance Policy
- Two identical systems (primary/backup)
- Authentication via Cisco Secure ACS database or external Windows NT
- Daily backups and replication
- All logs and backup files kept for 7 days

Cisco Secure ACS Administration Policy
- One super user
- Access from anywhere (must be authenticated)
- CSV logging

User type     | Network access policy                                                                                    | Device admin policy
Network admin | Unrestricted; authentication: Windows NT                                                                 | Unrestricted
Help desk     | No external access                                                                                       | Show commands only (all devices)
General users | Unrestricted; authentication: Windows NT                                                                 | No access
Consultants   | Dial-in access only; restrict time; usage quotas; account disable (date); authentication: Cisco Secure ACS | Show commands only (all devices except access devices)
The First Step - Planning the Cisco Secure ACS Deployment
As with most projects, if the planning is carefully considered, the implementation is
straightforward. This is true with deploying AAA services using Cisco Secure ACS. Tom has
determined how to maintain the Cisco Secure ACS platform, has determined who can manage the
access policies, and has organized the network users into categories based on their network
access policy and device administration policy. This chapter illustrates how to deploy this plan
using Cisco Secure ACS.
Getting Started
Accessing the Cisco Secure ACS Application
Creating the Cisco Secure ACS Super User
Defining the Administration Policy
Accessing the Cisco Secure ACS Application
(Slide note: Starting on port 2002, Cisco Secure ACS selects a unique port for the administrative session.)
Getting Started - Accessing the Cisco Secure ACS Application
To initially administer the Cisco Secure ACS application, you must use a supported Web browser
with Java and JavaScript enabled and be physically at the Cisco Secure ACS platform.
(Thereafter, you can configure the Cisco Secure ACS application to allow remote access by
defining the Administration Control Access Policy, as discussed in Chapter 2.)
Follow the steps below to access the Cisco Secure ACS application.
Step 1: From the Cisco Secure ACS platform, launch a supported Web browser. Ensure that Java
and JavaScript are enabled.
Step 2: In the URL field, enter the IP address of the Cisco Secure ACS platform followed by the
TCP port number, 2002. For example:
http://127.0.0.1:2002
If the system has not yet been configured, the Cisco Secure ACS desktop loads
immediately. Once the Cisco Secure ACS administrator and the administrator's access
policy are defined, the user may be required to log in.
Create Cisco Secure ACS Admin Super User
(Slide note: The super user has admin privileges for all Cisco Secure ACS functions.)
Getting Started - Creating the Cisco Secure ACS Admin Users
The first thing that should be configured is the administrator user, or super user, for the Cisco
Secure ACS application. The super user has privileges for all Cisco Secure ACS functions. This
account information must be protected: it provides the keys to all Cisco Secure ACS managed
resources.
Follow the steps below to configure the Cisco Secure ACS admin or super user.
Step 1: From the Cisco Secure ACS desktop, select the navigation button, Administration Control.
Initially, Cisco Secure ACS will indicate that no administrator accounts have been
configured.
Step 2: Click the Add Administrator button.
Step 3: Provide a name and password for the admin or super user.
Step 4: An administrator can be limited to administering selected user groups.
Because Tom will be the only administrator for now, he will be granted all privileges for all
user groups. Click the Grant All button.
Step 5: Save the changes by clicking the Submit button.
Defining the Admin Policies
(Slide notes: Use the default Access Policy: allow any IP address to connect; allow any TCP port to be allocated for HTTP. Session Policy: authenticate all Cisco Secure ACS administrator access; lock out after 10 minutes. Audit Policy: limit the number of files.)
Getting Started - Defining the Administration Policy
The administration policy defines how the Cisco Secure ACS application will be accessed and
maintained. As previously stated, initially, the Cisco Secure ACS application can be accessed
only from the local console. When an administrator account has been established and the
administration policy is in place, the Cisco Secure ACS application can be accessed remotely
based on the established policy.
Based on the Cisco Secure ACS system maintenance and administrator access policies defined
in the planning steps, Tom can now configure the super user to have access to the Cisco Secure
ACS application from anywhere, require that a user log in and enter a password when at the
Cisco Secure ACS platform console, and delete audit logs older than one week. Users will also
be automatically logged out if the session is idle for more than 10 minutes. To configure these
policies, follow the steps below.
Step 1: From the Cisco Secure ACS desktop, select the navigation button, Administration
Control.
Step 2: Click the Access Policy button to configure Cisco Secure ACS to accept access from a client
using any IP address and to allow Cisco Secure ACS to use any TCP port in the range
1024 to 65535. This is the default configuration.
Step 3: To save any changes, click the Submit button. This returns you to the Administration
Control window.
Step 4: Click the Session Policy button to configure Cisco Secure ACS to force the user to enter a
username and password when physically at the Cisco Secure ACS platform and to
automatically log out the user if the session is idle for more than 10 minutes.
Step 5: To save any changes, click the Submit button. This returns you to the Administration
Control window.
Step 6: Click the Audit Policy button to configure Cisco Secure ACS to delete log files older than
one week.
Step 7: To save any changes, click the Submit button. This returns you to the Administration
Control window.
General Configuration
Configure External Windows NT User Databases
Configure Interface
Schedule Backups
Configure Logs
General Configuration
In this part of the Cisco Secure ACS deployment scenario, Tom will configure some general
things that help define the Cisco Secure ACS system and its use. Tom will first add the external
Windows NT database used to authenticate the users to Cisco Secure ACS, and will then set the
options in the Interface Configuration task to simplify the screens used to configure the rest of
the Cisco Secure ACS application.
As part of this general configuration, Tom decides to schedule the backups and configure the
logs. These two tasks can be performed any time after the Interface Configuration task is
completed.
Configuring External Windows Database
[Figure: Cisco Secure ACS and the Windows NT database; Cisco Secure ACS-specific configuration for the external Windows NT database.]
General Configuration - Configuring External User Database
Creative Engineering already has a large user database stored in the Windows primary domain
controller. Tom can take advantage of the work already invested in building the database by
configuring the Cisco Secure ACS system to authenticate usernames and passwords against
those already in the Windows user database.
To inform Cisco Secure ACS of the existence of an external Windows user database to be used
for authentication purposes, follow these steps:
Step 1: In the navigation menu, click the External User Databases button.
Step 2: Click Database Configuration from the options presented. Cisco Secure ACS displays a list of all
possible external user database types.
Step 3: Click Windows NT/2000.
Step 4: To create a new configuration:
a. Click Create New Configuration.
b. Provide a name for the new configuration in the box provided, or accept the default.
c. Click Submit to save the change.
Result: Cisco Secure ACS lists the new configuration on the External User Database Configuration
page.
Step 5: Click Configure.
The Windows NT/2000 User Database Configuration page appears. This page has three
configuration boxes.
Step 6: Enable password changes using Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) Version 1.
Step 7: Click Submit to save the changes.
Interface Configuration
(Slide notes: Include two additional fields for user supplemental information. Selections are based on the planned Cisco Secure ACS features to utilize.)
General Configuration - Interface Configuration
Cisco Secure ACS provides a wide variety of configuration possibilities. Because Tom has
already created a detailed deployment plan, he knows which features he actually needs to
configure to achieve his stated objectives. Tom will use the Interface Configuration task to
enable the display of only the options he wishes to configure. As Tom's network grows, the
Cisco Secure ACS configuration can include some of the features hidden from the displays by
revisiting this section and enabling them.
Step 1: Select the Interface Configuration task from the navigation menu.
Step 2: For easy reference, Tom wishes to store the user's phone number and department name for each
user. Select User Data Configuration.
Step 3: Enable fields 3 and 4 and change the field names to Department and Phone #.
Step 4: Click Submit. These fields will now be displayed on the User Setup screen.
Step 5: Click Advanced Options.
Step 6: Enable/disable according to plan.
- Disable all user-level authorizations. All authorizations will be based on group policies.
- Enable group-level policies except for downloadable Cisco PIX access control lists (ACLs).
- Enable usage quotas (used for the consultant group).
- Enable distributed systems and Cisco Secure ACS database replication to make
sure the primary and backup Cisco Secure ACS systems are identical.
- Enable network device groups (NDGs) because they will help make the network access
restrictions (NARs) and command set authorization policies easier to configure.
- Disable the remaining categories because they are not necessary for configuration according to
the deployment plan.
Step 7: Click Submit to save the changes.
Schedule Backups
(Slide notes: Daily backups, M-F, twice on Friday. Limit the number of files.)
General Configuration - Schedule Backups
If a catastrophe occurs, Tom wants to make sure he can quickly get back to a working Cisco
Secure ACS configuration. Though Tom will perform a manual backup after each major change
he makes to the system, he also wants to capture the quick small changes he may make in the
course of a day without performing a backup for each change. To do this, he schedules a backup
to occur every workday, and twice on Friday, just to be sure. According to Tom's Cisco Secure
ACS deployment plan, he also manages the number of backup files kept in order to better
manage disk utilization.
Step 1: From the Cisco Secure ACS navigation menu, select the System Configuration task.
Step 2: From the presented options, select Cisco Secure ACS Backup.
Step 3: Select the radio button, At specific times.
Step 4: Click on the appropriate square on the graph for the time to perform the backup.
Step 5: To delete backup files older than one week, select Manage Directories and keep the default
of Delete files older than 7 days.
Step 6: Click Submit to save the changes.
Configure Logs
(Slide notes: Limit the number of files. Enable the log. Select the attributes to include in the log. Perform for all CSV logs; VoIP is not needed according to plan.)
General Configuration - Configure Logs
Tom wants to capture as much information as possible about AAA service activity and Cisco Secure
ACS usage, so he will enable all accounting logs. According to the Cisco Secure ACS deployment
plan, all logs will be stored in a comma-separated value (CSV) format. The Open Database
Connectivity (ODBC) logs are not displayed because that option was not enabled in the
Interface Configuration task. Within each accounting log, Tom includes all attributes that will
help him troubleshoot his deployment. As needed, Tom can enable additional attributes or disable
selected attributes for logging.
Step 1: From the Cisco Secure ACS navigation menu, select System Configuration.
Step 2: From the presented options, select Logging. The Accounting Log files available are
displayed.
Step 3: Select the log file to configure.
Step 4: If not already checked, select the Log to <log type> report check box.
Step 5: Select the attributes to include in the log from the left column and click the --> button.
Step 6: Select Manage Directories and keep the defaults of Generate a New File Every Day and
Delete files older than 7 days.
Step 7: Click Submit to save the changes.
Repeat for all log files, except the voice over IP (VoIP) accounting.
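The Reports and Activities section earlier in this chapter says the logs should be reviewed periodically to confirm proper behaviour and detect misconfigurations, and the steps just described choose the attributes written to each CSV accounting log. As an added example that is not part of the original document and not Cisco Secure ACS code, the Python below reads a constructed RADIUS accounting log in CSV form and does the kind of review an administrator would otherwise do by eye in the report view: it counts records per AAA client, lists configured AAA clients that never appear in the log (a client that is silent is worth checking: wrong shared secret, accounting not enabled on the device, or an access point running software that does not send accounting records), finds sessions with a Start but no Stop, and sorts by a column as the report view does. The column names, the log lines and the AAA client list are constructed for the example.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of a CSV RADIUS accounting log. The columns are named after the RADIUS
# attributes such a log carries, but every row here is made up for the example.
SAMPLE_LOG = """\
Date,Time,User-Name,Group-Name,Calling-Station-Id,Acct-Status-Type,Acct-Session-Id,Acct-Session-Time,NAS-IP-Address
03/14/2002,08:01:12,jdoe,GeneralUsers,5551234,Start,0000001A,0,192.0.2.10
03/14/2002,08:05:40,asmith,Consultants,5559876,Start,0000001B,0,192.0.2.10
03/14/2002,08:31:12,jdoe,GeneralUsers,5551234,Interim-Update,0000001A,1800,192.0.2.10
03/14/2002,09:10:02,asmith,Consultants,5559876,Stop,0000001B,3862,192.0.2.10
03/14/2002,09:15:55,wlee,NetworkAdmin,00-0C-29-AA-BB-CC,Start,0000002C,0,192.0.2.20
"""

# Constructed list of AAA clients as they would be defined in Network Configuration (name -> IP).
AAA_CLIENTS = {"AS5300": "192.0.2.10", "Aironet350": "192.0.2.20", "PIX": "192.0.2.30"}


def parse_log(text: str) -> list:
    """Parse the CSV log into a list of row dictionaries keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def records_per_client(rows: list) -> dict:
    """Count accounting records per NAS address and Acct-Status-Type."""
    counts = defaultdict(Counter)
    for r in rows:
        counts[r["NAS-IP-Address"]][r["Acct-Status-Type"]] += 1
    return counts


def silent_clients(rows: list, clients: dict) -> list:
    """Names of configured AAA clients that never appear in the log, sorted."""
    seen = {r["NAS-IP-Address"] for r in rows}
    return sorted(name for name, ip in clients.items() if ip not in seen)


def open_sessions(rows: list) -> dict:
    """Session IDs with a Start but no Stop record, mapped to the user name."""
    started, stopped = {}, set()
    for r in rows:
        if r["Acct-Status-Type"] == "Start":
            started[r["Acct-Session-Id"]] = r["User-Name"]
        elif r["Acct-Status-Type"] == "Stop":
            stopped.add(r["Acct-Session-Id"])
    return {sid: user for sid, user in started.items() if sid not in stopped}


def sort_by_column(rows: list, column: str, reverse: bool = False) -> list:
    """Sort rows by one column, numerically when the column holds plain integers."""
    def key(r):
        v = r[column]
        return (0, int(v)) if v.isdigit() else (1, v)
    return sorted(rows, key=key, reverse=reverse)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for nas, c in records_per_client(rows).items():
        print(nas, dict(c))
    print("silent clients:", silent_clients(rows, AAA_CLIENTS))
    print("open sessions:", open_sessions(rows))
    for r in sort_by_column(rows, "Acct-Session-Time", reverse=True):
        print(r["Time"], r["User-Name"], r["Acct-Session-Time"])
```

With the sample data the PIX never reports, jdoe and wlee still have open sessions, and asmith's completed session sorts to the top by session time; the same checks run unchanged over a real exported CSV file as long as the selected attributes include the columns the functions read.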
Configure Cisco Secure ACS Network
Create Network Device Groups
Add AAA Clients
Add Backup Cisco Secure ACS Server
Schedule Database Replication
Configure Cisco Secure ACS Network
In this part of the deployment scenario, we illustrate how to perform the following tasks:
Categorize the networked devices based on their purpose or how or why the end users access the
devices. The networked devices will be organized using the NDGs feature in Cisco Secure ACS.
When the network device groups are in place, we will add the devices (AAA clients).
The backup Cisco Secure ACS server will be defined along with the components to be replicated
and the schedule for replication.
Create Network Device Groups
[Figure: three NDGs. Network Access Devices (use for network access only): RADIUS (Cisco IOS Software/Cisco PIX Firewall) and RADIUS (Aironet) - LEAP. Network Access Devices (use for admin access only): TACACS+. Core Network Devices (use for admin access only): TACACS+.]
Configure Network - Create Network Device Groups
Tom is ready to add the AAA clients to the Cisco Secure ACS application. Remember that the
AAA clients are the networked devices that have TACACS+ or RADIUS enabled. It was
determined that Tom would utilize NDGs to assist in the configuration of group-based command
authorization sets and network access restrictions. Based on the Cisco Secure ACS deployment
plan, Tom realizes that much of his access policy is based on network access and device
administrative access (shell access). Further, the consultants need administrative access only to
the core network devices, and not the network access devices. Hence, Tom decides to create
three NDGs.
1. AccessDevicesGroup for network access via the network access server devices
2. AccessDeviceAdminGroup for administrative access to the network access server devices
3. NetworkDevicesAdminGroup for administrative access to the core network devices
The following steps are used to create these three NDGs.
Step 1: From the Cisco Secure ACS navigation menu, select the Network Configuration task.
Step 2: From the Network Device Groups (NDG) list box, select Add Entry.
Step 3: Type in the name of the NDG to be created (AccessDevices, AccessDeviceAdmin, or
NetworkDevicesAdmin).
Step 4: Click Submit.
Repeat Steps 2-4 to add the other two groups.
When finished, four NDGs should be listed, as illustrated above. The (Not Assigned) NDG is
where the local Cisco Secure ACS server is initially assigned.
Add AAA Clients (AccessDevices NDG)
(Slide notes: Add all AAA clients. Just submit for now and restart Cisco Secure ACS after all configuration is done.)
Configure Network - Add AAA Clients (AccessDevices NDG)
The AAA clients to be added to the AccessDevices NDG are the various devices that users
connect through to access the corporate network, such as the Cisco AS5300 Access Server, the
Cisco PIX Firewall, and the Cisco Aironet devices. Each of these AAA clients will request AAA
services from the Cisco Secure ACS via the RADIUS security protocol.
In Toms network, there are three devices used for remote network access, the Cisco Aironet
Access Point, a Cisco AS5300, and a PIX firewall. To add these devices to the Cisco Secure ACS
network configuration, use the following steps:
Step 1: From the Cisco Secure ACS navigation menu, select the Network Configuration task.
Step 2: From the Network Device Groups list box, select the AccessDevices NDG.
Step 3: From the AccessDevices AAA clients list box, select Add Entry.
Step 4: Enter a name for this AAA client (for example, AS5300).
Step 5: Enter the IP address for this AAA client.
Step 6: Enter the shared secret key. (This is configured on the network device and must match
here for communication between the client and Cisco Secure ACS to occur.)
Step 7: Select RADIUS (Cisco IOS/PIX) from the pull-down list to set the authentication security
protocol for the Cisco PIX Firewall and Cisco AS5300 devices. Use RADIUS (Cisco Aironet
device) for the Cisco Aironet AP 340 or 350; this utilizes the Cisco Lightweight Extensible
Authentication Protocol (LEAP) authentication method and Extensible Authentication Protocol-transparent
LAN services (EAP-TLS) as a backup method.
Step 8: Click the Log/Update/Watchdog Packets from the AAA Client check box to enter this
additional accounting information into the RADIUS accounting log. (Note that Cisco Aironet access
points using software releases earlier than v11.10 do not send accounting records.)
Step 9: Click Submit to save changes. A message is displayed informing Tom that The current
configuration has been changed. Restart Cisco Secure ACS in "System Configuration:Service
Control" to adopt the new settings. Tom will restart the Cisco Secure ACS after all changes have
been made.
Repeat Steps 3 to 9 to add all other access devices to the AccessDevices NDG.
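Step 6 above says the shared secret entered for the AAA client must match the one configured on the device or no communication occurs. As an added example that is not from the original document and is not Cisco Secure ACS code, the Python below shows at the RADIUS protocol level (RFC 2865) why a mismatch shows up as silence rather than as a rejection: the server signs every reply with a Response Authenticator, MD5 over the packet header, the Request Authenticator from the matching request, the reply attributes and the shared secret, and the NAS recomputes it with its own copy of the secret and discards the reply when the values differ. The secrets, packet identifier and attribute value are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def session_timeout_attr(seconds: int) -> bytes:
    """Session-Timeout (attribute 27) as Type, Length, 32-bit value."""
    return struct.pack("!BBI", 27, 6, seconds)


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Build a RADIUS response packet.

    Per RFC 2865 the Response Authenticator is
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + SharedSecret).
    """
    length = HEADER_LEN + len(attrs)
    header = struct.pack("!BBH", code, ident, length)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS does on receipt: recompute the authenticator with its own copy of the secret.

    A mismatch means the two secrets differ or the packet was altered in transit; the NAS drops
    the packet, so from the user's side the request simply times out.
    """
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    resp_auth, attrs = packet[4:HEADER_LEN], packet[HEADER_LEN:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def reply_accepted(server_secret: bytes, nas_secret: bytes, request_auth: bytes = None) -> bool:
    """Model one exchange: ACS signs an Access-Accept with its secret, the NAS checks it with its own."""
    request_auth = request_auth or os.urandom(16)  # the NAS chose this in its Access-Request
    packet = build_response(ACCESS_ACCEPT, 0x2A, request_auth, session_timeout_attr(1800), server_secret)
    return verify_response(packet, request_auth, nas_secret)


if __name__ == "__main__":
    print("secrets match:   ", reply_accepted(b"constructed-secret", b"constructed-secret"))
    print("secrets differ:  ", reply_accepted(b"constructed-secret", b"constructed-secre7"))
```

When the accepted reply is silently dropped, the ACS log still shows the user passing authentication while the device reports a timeout; seeing that pattern in the Passed Authentications report for a client that never completes a session is the practical sign that the two copies of the secret disagree.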
Add AAA Clients (AccessDeviceAdmin NDG)
(Slide notes: Add all AAA clients. Note: same devices as in the AccessDevices NDG but with different names and a different security protocol. Just submit for now and restart Cisco Secure ACS after all configuration is done.)
Configure Network - Add AAA Clients (AccessDeviceAdmin NDG)
The previous step created a group of devices that users connect to when accessing the
corporate network. Cisco Secure ACS would use the RADIUS protocol when authenticating
these users. Now Tom wants to group these devices together again to allow Cisco Secure ACS
to authenticate administrators using TACACS+ when someone wants to access the devices for
administration purposes (that is, Shell access, Telnet).
Using the AccessDeviceAdmin NDG, Tom will add the same AAA clients. However, in this case,
Tom must enter a different hostname and configure this NDG to use the TACACS+ security
protocol instead of RADIUS.
Step 1: From the Cisco Secure ACS navigation menu, select the Network Configuration task.
Step 2: From the Network Device Groups list box, select the AccessDeviceAdmin NDG.
Step 3: From the AccessDeviceAdmin AAA clients list box, select Add Entry.
Step 4: Enter a name for this AAA client that is different from the one used in the AccessDevices NDG (for
example, AS5300Admin).
Step 5: Enter the IP address for this AAA client (same as before).
Step 6: Enter the shared secret key. (This is configured on the client and must match here for communication
between the client and Cisco Secure ACS to occur.)
Step 7: Select TACACS+ (Cisco IOS) from the pull-down list to use as the authentication security protocol.
Step 8: Click Submit to save changes. A message is displayed informing Tom that The current configuration
has been changed. Restart Cisco Secure ACS in "System Configuration:Service Control" to adopt
the new settings. Tom will restart the Cisco Secure ACS after all additions have been made. This
will speed up the configuration process.
Repeat steps 3 to 8 to add all other access devices to the AccessDeviceAdmin NDG.
Add AAA Clients (NetworkDevicesAdmin NDG)
Configure Cisco Secure ACS Network
Just submit for now and restart Cisco Secure ACS after all configuration is done.
The AAA client in this NDG includes all devices on three subnets.
Configure Network - Add AAA Clients (NetworkDevicesAdmin NDG)
The third NDG will group all remaining network devices together. This group will be used to
authenticate administrators attempting to access Cisco IOS
Firewall
Cisco VPN 3000, 5000 Concentrators
Cisco IOS Routers
Cisco 2509, 2511, 3620, 3640
Cisco Aironet
Software) or RADIUS (Cisco Aironet Software/Cisco PIX Software
Just say no!
Cisco Secure ACS v3.0 Installation Questions continued
Question: How are users authenticated?
Your options are to use the Cisco Secure ACS database only, a Windows 2000/NT Security
Access Manager (SAM) user database only, or a Windows 2000 Active Directory user database
in addition to the Cisco Secure ACS user database. If selecting both the Cisco Secure ACS
database and an external Windows database authentication method, the administrator has the
option to use the Windows Dial-in Permission features. Cisco Secure ACS can apply the user's
Windows dial-in permissions to determine whether to grant the user access to the network.
If the user installing the software elects to use only the Cisco Secure ACS database, the user
can still configure authentication support for all external databases at a later date; however,
electing this option during the installation step saves several setup procedures in configuring the
Windows database.
Authentication using the Cisco Secure ACS database is preferred for performance reasons.
Question: Would you like to have the Cisco IOS Software for the previously entered AAA client
automatically configured now?
If the installer specified a TACACS+ (Cisco IOS Software) or RADIUS (Cisco IOS Software/PIX
Firewall) as the AAA protocol for the first AAA client, the installation script asks the user if the
script should automatically configure the AAA functionality on the Cisco IOS network device. It is
recommended that for Cisco Secure ACS v3.0, the user clear the Yes, I want to configure Cisco
IOS software now check box. This feature assumes that the Cisco IOS Router is running Cisco
IOS 11.2 or later, but does not work well for devices running Cisco IOS 12.x.
Postinstallation Tasks or Options
Cisco Secure ACS Application installed on a member server
Verify domain membership
Verify ownership of Cisco Secure ACS services
Service pack requirements
Windows NT Service Pack 6a
Windows 2000 Service Pack 1 or 2
External authentication database support
Configure within Cisco Secure ACS HTML interface
Cisco Secure ACS Postinstallation Tasks or Options
Depending upon your options or your environment, additional tasks may need to be performed following the
successful installation of Cisco Secure ACS.
If you install Cisco Secure ACS on a Windows member server and want to authenticate users with a Windows
Security Account Manager user database or an Active Directory user database, the installer must perform the
following Windows configuration steps to ensure that Windows permits authentication to occur from the member
server.
1. Verifying domain membership: One common configuration error that prevents Windows authentication is the
erroneous assignment of the member server to a workgroup with the same name as the Windows domain
that is used to authenticate users. Although this may seem obvious, it is recommended that the installer verify
that the Cisco Secure ACS server is a member of the correct domain.
2. Services running from the administrative account of the domain controller: If Cisco Secure ACS is installed
on a member server, the server must pass Windows authentication requests to a domain controller. For
these requests to succeed, the member server must run the Cisco Secure ACS services using the
administrative account of the domain controller.
If Cisco Secure ACS is reinstalled, this step must be repeated after each installation.
(Refer to the Cisco Secure ACS installation guide for the exact steps for verifying the domain membership and the
ownership of the Cisco Secure ACS services.)
If the Cisco Secure ACS server is using Windows NT, some features of Cisco Secure ACS depend upon Service
Pack 6a. The installation program checks for Service Pack 6a. If it determines that Service Pack 6a has not been
applied to the operating system, a warning message is displayed; continue the installation and then install the
required service pack before starting user authentication.
After Cisco Secure ACS has been installed, authentication services can be configured for all supported external
user database types in addition to Windows 2000/NT user databases. To configure the external user databases,
simply launch the Cisco Secure ACS HTML interface and select the External User Databases task.
Troubleshooting Tips
Troubleshooting Guidelines
Online Documentation
Excellent guidelines available in online documentation
Information organized by problem or condition
For each problem, suggested recovery actions provided
Online Documentation
As a first attempt to address potential problems, the network administrator should review the
troubleshooting information found in the Online Documentation. Cisco has provided the user
with suggested recovery actions for common problems related to bringing up the Web browser or
HTML interface, users not being able to log in to the network or Cisco Secure ACS server,
authentication failures, installation errors, device configuration problems, and more.
Troubleshooting Guidelines
User and System Logging
Type of Logs
Accounting Logs (HTML)
Dynamic Administration Reports (HTML)
Cisco Secure ACS System Logs (HTML)
Service Logs (/<ACS Service>/Logs subdirectory)
User and System Logging
Cisco Secure ACS generates numerous logs that provide auditing information and can aid in
troubleshooting authentication and service problems. The logs are divided into four groups:
accounting logs, administration reports, system logs, and service logs. Briefly, these logs
provide the following.
Accounting logs contain information about the use of remote access services by users, such as:
user session start and stop times, username, caller-line identification, session duration, failed
attempts, successful authentication requests, and more.
Dynamic administration reports show the status of user accounts at that given moment.
System logs show the history of backups and restores, database synchronization activity, Cisco
Secure ACS administrator use activity, and list Cisco Secure ACS services start and stop times.
Service logs are considered diagnostic logs and are used for troubleshooting or debugging
purposes only. These logs are not intended for general use by Cisco Secure ACS administrators;
instead, they are mainly sources of information for Cisco support personnel. Service logs contain a
record of all Cisco Secure ACS service actions and activities. Cisco Secure ACS generates these
logs whenever you log in to Windows NT/2000 and the services are started, whether or not the
administrative interface is started, and whether or not you are using the service. The services
monitored are CSAdmin, CSAuth, CSDBSync, CSLog, CSMon, CSRadius, and CSTacacs.
The service logs are files located in the \<service name>\logs subdirectory of the Cisco Secure
ACS programs directory. The most recent debug log is named SERVICE.log, where SERVICE is
the name of the applicable service. Older debug logs are named with the year, month, and date
they were created.
The accounting, dynamic administration reports, and system logs can be viewed using the Cisco
Secure ACS HTML Web interface, as illustrated above.
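The accounting logs described above record failed attempts per user and per AAA client, and the Service Management section notes that attempts to log in to a disabled account are worth alerting on. The following script is an added example, not part of the Cisco Secure ACS documentation or product: it reads a CSV export of a failed-attempts log and flags repeated failures against one user from one NAS, plus any attempt against a disabled account. The column names and the sample rows are constructed for illustration; the real ACS CSV header layout is assumed, not quoted from the product.

```python
"""
Added example (not Cisco Secure ACS code): summarize a Failed Attempts
accounting log export to surface repeated failures and attempts against
disabled accounts.  The CSV column layout and all sample rows below are
constructed for illustration; the real ACS export header may differ.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export (assumed column layout, not the product's exact format).
SAMPLE_LOG = """\
Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Authen-Failure-Code,NAS-IP-Address
01/15/2002,08:01:10,Authen failed,tom,Admins,5551212,CS password invalid,10.1.1.1
01/15/2002,08:01:25,Authen failed,tom,Admins,5551212,CS password invalid,10.1.1.1
01/15/2002,08:01:40,Authen failed,tom,Admins,5551212,CS password invalid,10.1.1.1
01/15/2002,08:02:05,Authen failed,tom,Admins,5551212,CS password invalid,10.1.1.1
01/15/2002,08:10:00,Authen failed,guest,Default Group,,CS user disabled,10.1.1.2
01/15/2002,09:30:00,Authen failed,alice,Admins,5559999,CS user unknown,10.1.1.1
"""

FAILURE_THRESHOLD = 3   # failures from one user at one NAS within the window
WINDOW_SECONDS = 300    # five-minute sliding window (an arbitrary tuning choice)


def parse_failed_attempts(text):
    """Parse CSV text into a list of row dicts, adding a 'when' datetime per row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        stamp = row["Date"] + " " + row["Time"]
        row["when"] = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S")
        rows.append(row)
    return rows


def disabled_account_attempts(rows):
    """Return (user, nas) pairs whose failure code reports a disabled account."""
    return [
        (r["User-Name"], r["NAS-IP-Address"])
        for r in rows
        if "disabled" in r["Authen-Failure-Code"].lower()
    ]


def repeated_failures(rows, threshold=FAILURE_THRESHOLD, window=WINDOW_SECONDS):
    """Return {(user, nas): peak_count} for pairs that reach the threshold
    within any sliding window of 'window' seconds."""
    by_key = defaultdict(list)
    for r in rows:
        by_key[(r["User-Name"], r["NAS-IP-Address"])].append(r["when"])

    hits = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        peak = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within 'window' seconds.
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[key] = peak
    return hits


if __name__ == "__main__":
    parsed = parse_failed_attempts(SAMPLE_LOG)
    print("disabled-account attempts:", disabled_account_attempts(parsed))
    print("repeated failures:", repeated_failures(parsed))
```

The sliding window keeps the check independent of how many rows the export holds, so a long-running export with one burst still produces one finding rather than a per-row alert. When adapting this to a real export, replace the column names with those in the actual CSV header.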
Troubleshooting Guidelines
Cisco Secure ACS Service Management
Cisco Secure ACS Service Management
The Cisco Secure ACS Active Service Management (CSMon) feature enables you to monitor all
Cisco Secure ACS services. Two areas can be configured using the Cisco Secure ACS Service
Management link in the System Configuration task: system monitoring and event logging.
The system monitoring process can be configured to test the login process every x minutes. If the
login process fails the test, the system can be configured to restart the Cisco Secure ACS services,
restart RADIUS/TACACS+, restart only the RADIUS or TACACS+ protocol, reboot the system on
which Cisco Secure ACS is running, or take no action. The system monitoring process can also
be configured to send an e-mail to the administrator and log the event when a user attempts to log
in to a disabled account.
Event logging: The administrator can configure Cisco Secure ACS to log all events to the
Windows NT/2000 Event Log. To view the Windows NT/2000 event log, simply click
Start>Administrative Tools>Event Viewer from the Windows desktop. For more detailed
information about an event, click the applicable event, and then click View>Details. When a Cisco
Secure ACS event that you selected in the System Monitoring section occurs, the administrator
can be notified via e-mail. Simply configure the administrator's e-mail address and the Simple
Mail Transfer Protocol (SMTP) address of the sending mail server.
Thank You!
We hope that you have enjoyed using the Cisco Secure ACS application and have found its
features to be an important part of your network security toolkit.
Cisco Systems
Chapter 5: References
Access Control Server v3.0 Reference Materials
Many Cisco reference documents have been created to help users understand the Cisco Secure Access
Control Server (ACS) application. However, finding them can often be a challenge. This reference chapter
has been created to assist you in your pursuit of additional product information. Below are links to
documents and web pages that provide further details on the Cisco Secure ACS application.
ACS v3.0 Product Information
  - Online Documentation (CCO URL)
  - Release Notes (PDF)
  - Data Sheet (PDF)
  - Frequently Asked Questions (PDF)
  - Product Bulletin (Upgrade Information) (PDF)
White Papers
  - ACS and Catalyst Switching Deployment Guide (PDF)
  - Guidelines for Placing ACS in the Network (PDF)
  - External ODBC Authentication (PDF)
  - Configuring LDAP (PDF)
Miscellaneous References
  - Comparison of TACACS+ and RADIUS (PDF)
  - The RADIUS Specification (URL)
  - The RADIUS Accounting Standard (URL)
  - The RADIUS Attributes for Tunnel Protocol Support (URL)
  - Cisco Aironet AP Software Configuration Guide (PDF) (URL)
  - Configuring ACS v2.6 and Aironet for LEAP and MAC Authentication (PDF) (URL)
  - Cisco Addresses WEP Vulnerabilities (PDF)
  - Cisco Aironet Response to An Initial Security Analysis of the IEEE 802.1x standard (PDF)