ملخص المحتوى في الصفحة رقم 1
Cisco Secure ACS 3.0 for Windows
2000/NT Servers User Guide
November 2001
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7813751=
Text Part Number: 78-13751-01
ملخص المحتوى في الصفحة رقم 2
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE I
ملخص المحتوى في الصفحة رقم 3
CONTENTS Preface xxvii Document Objectives xxvii Who Should Read This Guide xxvii How This Guide is Organized xxviii Conventions Used in This Guide xxx Related Documentation xxxi Obtaining Documentation xxxii World Wide Web xxxii Documentation CD-ROM xxxii Ordering Documentation xxxii Documentation Feedback xxxiii Obtaining Technical Assistance xxxiii Cisco.com xxxiii Technical Assistance Center xxxiv Cisco TAC Web Site xxxiv Cisco TAC Escalation Center xxxv CHAPTER 1 Overview of Cisco Secure AC
ملخص المحتوى في الصفحة رقم 4
Contents AAA Server Functions and Concepts 1-4 Cisco Secure ACS and the AAA Client 1-5 AAA Protocols—TACACS+ and RADIUS 1-5 TACACS+ 1-6 RADIUS 1-6 Authentication 1-7 Authentication Considerations 1-8 Authentication and User Databases 1-8 Passwords 1-10 Other Authentication-Related Features 1-14 Authorization 1-15 Max Sessions 1-16 Dynamic Usage Quotas 1-16 Other Authorization-Related Features 1-17 Accounting 1-17 Other Accounting-Related Features 1-18 Administration 1-18 HTTP Port Allocation for
ملخص المحتوى في الصفحة رقم 5
Contents Remote Administrative Sessions through a NAT Gateway 1-25 Accessing the HTML Interface 1-26 Logging Off the HTML Interface 1-26 Online Help and Online Documentation 1-27 Using Online Help 1-27 Using the Online Documentation 1-28 CHAPTER 2 Deploying Cisco Secure ACS 2-1 Basic Deployment Requirements for Cisco Secure ACS 2-2 System Requirements 2-2 Hardware Requirements 2-2 Operating System Requirements 2-3 Third-Party Software Requirements 2-3 Network Requirements 2-4 Basic Deployment F
ملخص المحتوى في الصفحة رقم 6
Contents Network Speed and Reliability 2-18 Suggested Deployment Sequence 2-18 CHAPTER 3 Setting Up the Cisco Secure ACS HTML Interface 3-1 Interface Design Concepts 3-2 User-to-Group Relationship 3-2 Per-User or Per-Group Features 3-2 User Data Configuration Options 3-3 Defining New User Data Fields 3-3 Advanced Options 3-4 Setting Advanced Options for the Cisco Secure ACS User Interface 3-6 Protocol Configuration Options for TACACS+ 3-7 Setting Options for TACACS+ 3-9 Protocol Configuration Op
ملخص المحتوى في الصفحة رقم 7
Contents Default Distributed System Settings 4-3 Proxy in Distributed Systems 4-4 Fallback on Failed Connection 4-5 Character String 4-6 Stripping 4-6 Proxy in an Enterprise 4-6 Remote Use of Accounting Packets 4-7 Other Features Enabled by System Distribution 4-8 AAA Client Configuration 4-8 Adding and Configuring a AAA Client 4-9 Editing an Existing AAA Client 4-12 Deleting a AAA Client 4-14 AAA Server Configuration 4-15 Adding and Configuring a AAA Server 4-16 Editing a AAA Server Configurati
ملخص المحتوى في الصفحة رقم 8
Contents Editing a Proxy Distribution Table Entry 4-28 Deleting a Proxy Distribution Table Entry 4-29 CHAPTER 5 Setting Up and Managing Shared Profile Components 5-1 Downloadable PIX ACLs 5-2 About Downloadable PIX ACLs 5-2 Downloadable PIX ACL Configuration 5-3 Adding a Downloadable PIX ACL 5-3 Editing a Downloadable PIX ACL 5-4 Deleting a Downloadable PIX ACL 5-5 Network Access Restrictions 5-6 About Network Access Restrictions 5-6 Shared Network Access Restrictions Configuration 5-7 Adding
ملخص المحتوى في الصفحة رقم 9
Contents Group TACACS+ Settings 6-2 Common User Group Settings 6-3 Enabling VoIP Support for a User Group 6-4 Setting Default Time of Day Access for a User Group 6-5 Setting Callback Options for a User Group 6-6 Setting Network Access Restrictions for a User Group 6-7 Setting Max Sessions for a User Group 6-11 Setting Usage Quotas for a User Group 6-13 Configuration-specific User Group Settings 6-15 Setting Token Card Settings for a User Group 6-17 Setting Enable Privilege Options for a User Gro
ملخص المحتوى في الصفحة رقم 10
Contents Configuring Microsoft RADIUS Settings for a User Group 6-41 Configuring Nortel RADIUS Settings for a User Group 6-42 Configuring Juniper RADIUS Settings for a User Group 6-44 Configuring Cisco BBSM RADIUS Settings for a User Group 6-45 Configuring Custom RADIUS VSA Settings for a User Group 6-46 Group Setting Management 6-48 Listing Users in a User Group 6-48 Resetting Usage Quota Counters for a User Group 6-49 Renaming a User Group 6-49 Saving Changes to User Group Settings 6-50 CHAPTE
ملخص المحتوى في الصفحة رقم 11
Contents Advanced User Authentication Settings 7-23 TACACS+ Settings (User) 7-24 Configuring TACACS+ Settings for a User 7-24 Configuring a Shell Command Authorization Set for a User 7-26 Configuring a PIX Command Authorization Set for a User 7-29 Configuring the Unknown Service Setting for a User 7-31 Advanced TACACS+ Settings (User) 7-31 Setting Enable Privilege Options for a User 7-32 Setting TACACS+ Enable Password Options for a User 7-34 Setting TACACS+ Outbound Password for a User 7-35 RAD
ملخص المحتوى في الصفحة رقم 12
Contents Deleting a User Account 7-54 Resetting User Session Quota Counters 7-55 Resetting a User Account after Login Failure 7-55 Saving User Settings 7-56 CHAPTER 8 Establishing Cisco Secure ACS System Configuration 8-1 Service Control 8-2 Determining the Status of Cisco Secure ACS Services 8-2 Stopping, Starting, or Restarting Services 8-2 Logging 8-3 Date Format Control 8-3 Setting the Date Format 8-4 Password Validation 8-4 Setting Password Validation Options 8-5 CiscoSecure Database Replic
ملخص المحتوى في الصفحة رقم 13
Contents Configuring a Secondary Cisco Secure ACS Server 8-17 Replicating Immediately 8-18 Scheduling Replication 8-20 Disabling CiscoSecure Database Replication 8-23 Database Replication Event Error Alert Notification 8-23 RDBMS Synchronization 8-24 About RDBMS Synchronization 8-24 RDBMS Synchronization Components 8-25 About CSDBSync 8-25 About the accountActions Table 8-26 Cisco Secure ACS Database Recovery Using the accountActions Table 8-28 Reports and Event (Error) Handling 8-29 Preparing t
ملخص المحتوى في الصفحة رقم 14
Contents Components Backed Up 8-41 Reports of Cisco Secure ACS Backups 8-42 Performing a Manual Cisco Secure ACS Backup 8-42 Scheduling Cisco Secure ACS Backups 8-43 Disabling Scheduled Cisco Secure ACS Backups 8-44 Cisco Secure ACS System Restore 8-45 About Cisco Secure ACS System Restore 8-45 Backup File Names and Locations 8-45 Components Restored 8-47 Reports of Cisco Secure ACS Restorations 8-47 Restoring Cisco Secure ACS from a Backup File 8-47 Cisco Secure ACS Active Service Management 8-
ملخص المحتوى في الصفحة رقم 15
Contents VoIP Accounting Configuration 8-60 Configuring VoIP Accounting 8-61 Cisco Secure ACS Certificate Setup 8-61 Background on Certification 8-62 EAP-TLS Setup Overview 8-63 Requirements for Certificate Enrollment 8-63 Generating a Request for a Certificate 8-64 Installing Cisco Secure ACS Certification with Manual Enrollment 8-66 Installing Cisco Secure ACS Certification with Automatic Enrollment 8-68 Performing Cisco Secure ACS Certification Update or Replacement 8-69 Certification Authori
ملخص المحتوى في الصفحة رقم 16
Contents Passed Authentications Log 9-10 Dynamic Cisco Secure ACS Administration Reports 9-10 Logged-In Users Report 9-11 Disabled Accounts Report 9-14 Cisco Secure ACS System Logs 9-15 ACS Backup and Restore Log 9-15 RDBMS Synchronization Log 9-16 Database Replication Log 9-16 Administration Audit Log 9-17 ACS Service Monitoring Log 9-18 Working with CSV Logs 9-19 CSV Log File Names 9-19 Enabling or Disabling a CSV Log 9-19 Viewing a CSV Report 9-20 Configuring a CSV Log 9-22 Working with ODBC
ملخص المحتوى في الصفحة رقم 17
Contents Service Logs 9-34 Services Logged 9-34 Configuring Service Logs 9-35 CHAPTER 10 Setting Up and Managing Administrators and Policy 10-1 Administrator Accounts 10-1 Administrator Privileges 10-2 Adding an Administrator Account 10-6 Editing an Administrator Account 10-7 Deleting an Administrator Account 10-9 Access Policy 10-10 Access Policy Options 10-10 Setting Up Access Policy 10-12 Session Policy 10-13 Session Policy Options 10-13 Setting Up Session Policy 10-14 Audit Policy 10-16 CH
ملخص المحتوى في الصفحة رقم 18
Contents Windows Dial-up Networking Clients 11-9 About the Windows NT/2000 Dial-up Networking Client 11-9 About the Windows 95/98/Millennium Edition Dial-up Networking Client 11-10 Windows NT/2000 Authentication 11-10 User-Changeable Passwords with Windows NT/2000 User Databases 11-12 Preparing Users for Authenticating with Windows NT/2000 11-12 Configuring a Windows NT/2000 External User Database 11-13 Generic LDAP 11-14 Cisco Secure ACS Authentication Process with a Generic LDAP User Databas
ملخص المحتوى في الصفحة رقم 19
Contents Implementation of Stored Procedures for ODBC Authentication 11-33 Type Definitions 11-34 Microsoft SQL Server and Case-Sensitive Passwords 11-34 Sample Routine for Generating a PAP Authentication SQL Procedure 11-35 Sample Routine for Generating an SQL CHAP Authentication Procedure 11-36 PAP Authentication Procedure Input 11-36 PAP Procedure Output 11-37 CHAP/MS-CHAP/ARAP Authentication Procedure Input 11-38 CHAP/MS-CHAP/ARAP Procedure Output 11-38 Result Codes 11-39 Configuring a Syst
ملخص المحتوى في الصفحة رقم 20
Contents Configuring an AXENT Token Server External User Database AXENT 11-55 Configuring an RSA SecurID Token Server External User Database 11-56 Deleting an External User Database Configuration 11-58 CHAPTER 12 Administering External User Databases 12-1 Unknown User Processing 12-1 Known, Unknown, and Cached Users 12-2 General Authentication Request Handling and Rejection Mode 12-3 Authentication Request Handling and Rejection Mode with the Windows NT/2000 User Database 12-4 Windows Authenti