Content summary for page 1
User Guide for Cisco Secure ACS for
Windows Server
Version 3.3
May 2004
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7816592=
Text Part Number: 78-16592-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE
CONTENTS
Preface xxix
Audience xxix
Organization xxix
Conventions xxxi
Product Documentation xxxii
Related Documentation xxxiii
Obtaining Documentation xxxv
Cisco.com xxxvi
Ordering Documentation xxxvi
Documentation Feedback xxxvi
Obtaining Technical Assistance xxxvii
Cisco Technical Support Website xxxvii
Submitting a Service Request xxxvii
Definitions of Service Request Severity xxxviii
Obtaining Additional Publications and Information xxxix
CHAPTER 1 Overview 1-1
The Cisco Secure ACS Paradi
AAA Protocols—TACACS+ and RADIUS 1-6
TACACS+ 1-7
RADIUS 1-7
Authentication 1-8
Authentication Considerations 1-9
Authentication and User Databases 1-10
Authentication Protocol-Database Compatibility 1-10
Passwords 1-11
Other Authentication-Related Features 1-16
Authorization 1-17
Max Sessions 1-18
Dynamic Usage Quotas 1-18
Shared Profile Components 1-19
Support for Cisco Device-Management Applications 1-19
Other Authorization-Related Features 1-21
Accounting 1-22
Other Accounting-Rela
Administrative Sessions through a NAT Gateway 1-31
Accessing the HTML Interface 1-32
Logging Off the HTML Interface 1-33
Online Help and Online Documentation 1-33
Using Online Help 1-34
Using the Online Documentation 1-34
CHAPTER 2 Deployment Considerations 2-1
Basic Deployment Requirements for Cisco Secure ACS 2-2
System Requirements 2-2
Hardware Requirements 2-2
Operating System Requirements 2-2
Third-Party Software Requirements 2-3
Network and Port Requirements 2-4
Basic Deployment
CHAPTER 3 Interface Configuration 3-1
Interface Design Concepts 3-2
User-to-Group Relationship 3-2
Per-User or Per-Group Features 3-2
User Data Configuration Options 3-3
Defining New User Data Fields 3-3
Advanced Options 3-4
Setting Advanced Options for the Cisco Secure ACS User Interface 3-6
Protocol Configuration Options for TACACS+ 3-7
Setting Options for TACACS+ 3-9
Protocol Configuration Options for RADIUS 3-11
Setting Protocol Configuration Options for IETF RADIUS Attributes 3-1
AAA Client Configuration 4-11
AAA Client Configuration Options 4-11
Adding a AAA Client 4-16
Editing a AAA Client 4-19
Deleting a AAA Client 4-21
AAA Server Configuration 4-21
AAA Server Configuration Options 4-22
Adding a AAA Server 4-24
Editing a AAA Server 4-26
Deleting a AAA Server 4-28
Network Device Group Configuration 4-28
Adding a Network Device Group 4-29
Assigning an Unassigned AAA Client or AAA Server to an NDG 4-30
Reassigning a AAA Client or AAA Server to an NDG 4-31
Rena
Deleting a Network Access Filter 5-7
Downloadable IP ACLs 5-7
About Downloadable IP ACLs 5-8
Adding a Downloadable IP ACL 5-10
Editing a Downloadable IP ACL 5-13
Deleting a Downloadable IP ACL 5-14
Network Access Restrictions 5-14
About Network Access Restrictions 5-15
About IP-based NAR Filters 5-17
About Non-IP-based NAR Filters 5-18
Adding a Shared Network Access Restriction 5-19
Editing a Shared Network Access Restriction 5-23
Deleting a Shared Network Access Restriction 5-24
Comm
Basic User Group Settings 6-3
Group Disablement 6-4
Enabling VoIP Support for a User Group 6-4
Setting Default Time-of-Day Access for a User Group 6-5
Setting Callback Options for a User Group 6-7
Setting Network Access Restrictions for a User Group 6-8
Setting Max Sessions for a User Group 6-12
Setting Usage Quotas for a User Group 6-14
Configuration-specific User Group Settings 6-16
Setting Token Card Settings for a User Group 6-18
Setting Enable Privilege Options for a User Group 6
Configuring BBSM RADIUS Settings for a User Group 6-51
Configuring Custom RADIUS VSA Settings for a User Group 6-53
Group Setting Management 6-54
Listing Users in a User Group 6-54
Resetting Usage Quota Counters for a User Group 6-55
Renaming a User Group 6-55
Saving Changes to User Group Settings 6-56
CHAPTER 7 User Management 7-1
About User Setup Features and Functions 7-1
About User Databases 7-2
Basic User Setup Options 7-3
Adding a Basic User Account 7-4
Setting Supplementary Use
Configuring Device-Management Command Authorization for a User 7-30
Configuring the Unknown Service Setting for a User 7-32
Advanced TACACS+ Settings (User) 7-33
Setting Enable Privilege Options for a User 7-33
Setting TACACS+ Enable Password Options for a User 7-35
Setting TACACS+ Outbound Password for a User 7-37
RADIUS Attributes 7-37
Setting IETF RADIUS Parameters for a User 7-38
Setting Cisco IOS/PIX RADIUS Parameters for a User 7-39
Setting Cisco Aironet RADIUS Parameters for a
CHAPTER 8 System Configuration: Basic 8-1
Service Control 8-1
Determining the Status of Cisco Secure ACS Services 8-2
Stopping, Starting, or Restarting Services 8-2
Logging 8-3
Date Format Control 8-3
Setting the Date Format 8-4
Local Password Management 8-5
Configuring Local Password Management 8-7
Cisco Secure ACS Backup 8-9
About Cisco Secure ACS Backup 8-9
Backup File Locations 8-10
Directory Management 8-10
Components Backed Up 8-10
Reports of Cisco Secure ACS Backups 8-11
Backup
Event Logging 8-20
Setting Up Event Logging 8-20
VoIP Accounting Configuration 8-21
Configuring VoIP Accounting 8-21
CHAPTER 9 System Configuration: Advanced 9-1
CiscoSecure Database Replication 9-1
About CiscoSecure Database Replication 9-2
Replication Process 9-4
Replication Frequency 9-7
Important Implementation Considerations 9-7
Database Replication Versus Database Backup 9-10
Database Replication Logging 9-10
Replication Options 9-11
Replication Components Options 9-11
Outbound
RDBMS Synchronization Components 9-29
About CSDBSync 9-29
About the accountActions Table 9-31
Cisco Secure ACS Database Recovery Using the accountActions Table 9-32
Reports and Event (Error) Handling 9-33
Preparing to Use RDBMS Synchronization 9-33
Considerations for Using CSV-Based Synchronization 9-35
Preparing for CSV-Based Synchronization 9-36
Configuring a System Data Source Name for RDBMS Synchronization 9-37
RDBMS Synchronization Options 9-38
RDBMS Setup Options 9-38
Synchroniz
EAP-TLS Authentication 10-2
About the EAP-TLS Protocol 10-3
EAP-TLS and Cisco Secure ACS 10-4
EAP-TLS Limitations 10-6
Enabling EAP-TLS Authentication 10-7
PEAP Authentication 10-8
About the PEAP Protocol 10-8
PEAP and Cisco Secure ACS 10-9
PEAP and the Unknown User Policy 10-11
Enabling PEAP Authentication 10-12
EAP-FAST Authentication 10-13
About EAP-FAST 10-13
About Master Keys 10-15
About PACs 10-17
Master Key and PAC TTLs 10-21
Replication and EAP-FAST 10-22
Enabling EAP-FAST 10-
Generating a Certificate Signing Request 10-45
Using Self-Signed Certificates 10-47
About Self-Signed Certificates 10-47
Self-Signed Certificate Configuration Options 10-48
Generating a Self-Signed Certificate 10-49
Updating or Replacing a Cisco Secure ACS Certificate 10-50
CHAPTER 11 Logs and Reports 11-1
Logging Formats 11-2
Special Logging Attributes 11-2
NAC Attributes in Logs 11-4
Update Packets in Accounting Logs 11-5
About Cisco Secure ACS Logs and Reports 11-6
Accounting Logs
Configuring an ODBC Log 11-23
Remote Logging 11-26
About Remote Logging 11-26
Implementing Centralized Remote Logging 11-27
Remote Logging Options 11-28
Enabling and Configuring Remote Logging 11-29
Disabling Remote Logging 11-31
Service Logs 11-31
Services Logged 11-32
Configuring Service Logs 11-33
CHAPTER 12 Administrators and Administrative Policy 12-1
Administrator Accounts 12-1
About Administrator Accounts 12-2
Administrator Privileges 12-3
Adding an Administrator Account 12-6
E
CHAPTER 13 User Databases 13-1
CiscoSecure User Database 13-2
About the CiscoSecure User Database 13-2
User Import and Creation 13-3
About External User Databases 13-4
Authenticating with External User Databases 13-5
External User Database Authentication Process 13-6
Windows User Database 13-7
What’s Supported with Windows User Databases 13-8
Authentication with Windows User Databases 13-9
Trust Relationships 13-9
Windows Dial-up Networking Clients 13-10
Windows Dial-up Networking Cli
Generic LDAP 13-32
Cisco Secure ACS Authentication Process with a Generic LDAP User Database 13-33
Multiple LDAP Instances 13-33
LDAP Organizational Units and Groups 13-34
Domain Filtering 13-34
LDAP Failover 13-36
Successful Previous Authentication with the Primary LDAP Server 13-36
Unsuccessful Previous Authentication with the Primary LDAP Server 13-37
LDAP Configuration Options 13-37
Configuring a Generic LDAP External User Database 13-43
Novell NDS Database 13-49
About Novell ND
PAP Procedure Output 13-65
CHAP/MS-CHAP/ARAP Authentication Procedure Input 13-66
CHAP/MS-CHAP/ARAP Procedure Output 13-66
EAP-TLS Authentication Procedure Input 13-67
EAP-TLS Procedure Output 13-68
Result Codes 13-69
Configuring a System Data Source Name for an ODBC External User Database 13-70
Configuring an ODBC External User Database 13-71
LEAP Proxy RADIUS Server Database 13-75
Configuring a LEAP Proxy RADIUS Server External User Database 13-76
Token Server User Databases 13-78