
Cisco Press: ACS User Guide v4.0


DOCUMENT INFORMATION

Structure

  • Contents

  • Preface

    • Audience

    • Organization

    • Conventions

    • Product Documentation

    • Related Documentation

    • Obtaining Documentation

      • Cisco.com

      • Product Documentation DVD

      • Ordering Documentation

    • Documentation Feedback

    • Cisco Product Security Overview

      • Reporting Security Problems in Cisco Products

    • Obtaining Technical Assistance

      • Cisco Technical Support & Documentation Website

      • Submitting a Service Request

      • Definitions of Service Request Severity

    • Obtaining Additional Publications and Information

  • Overview

    • Introduction to ACS

    • ACS Features, Functions and Concepts

      • ACS as the AAA Server

      • AAA Protocols—TACACS+ and RADIUS

        • TACACS+

        • RADIUS

      • Additional Features in ACS Version 4.0

      • Authentication

        • Authentication Considerations

        • Authentication and User Databases

        • Authentication Protocol-Database Compatibility

        • Passwords

        • Other Authentication-Related Features

      • Authorization

        • Max Sessions

        • Dynamic Usage Quotas

        • Shared Profile Components

        • Support for Cisco Device-Management Applications

        • Other Authorization-Related Features

      • Accounting

        • Other Accounting-Related Features

    • Managing and Administrating ACS

      • Web Interface Security

      • HTTP Port Allocation for Administrative Sessions

      • Web Interface Layout

      • Uniform Resource Locator for the Web Interface

      • Online Help and Online Documentation

        • Using Online Help

        • Using the Online User Guide

    • ACS Specifications

      • System Performance Specifications

      • ACS Windows Services

  • Deployment Considerations

    • Basic Deployment Factors for ACS

      • Network Topology

        • Dial-Up Topology

        • Wireless Network

        • Remote Access using VPN

      • Remote Access Policy

      • Security Policy

      • Administrative Access Policy

        • Separation of Administrative and General Users

      • Database

        • Number of Users

        • Type of Database

      • Network Latency and Reliability

    • Suggested Deployment Sequence

  • Using the Web Interface

    • Administrative Sessions

      • Administrative Sessions and HTTP Proxy

      • Administrative Sessions Through Firewalls

      • Administrative Sessions Through a NAT Gateway

      • Accessing the Web Interface

      • Logging Off the Web Interface

    • Interface Design Concepts

      • Introduction of Network Access Profiles

      • User-to-Group Relationship

      • Per-User or Per-Group Features

    • User Data Configuration Options

      • Configuring New User Data Fields

    • Advanced Options

      • Setting Advanced Options for the ACS User Interface

    • Protocol Configuration Options for TACACS+

      • Setting Options for TACACS+

    • Protocol Configuration Options for RADIUS

      • Setting Protocol Configuration Options for IETF RADIUS Attributes

      • Setting Protocol Configuration Options for Non-IETF RADIUS Attributes

  • Network Configuration

    • About Network Configuration

    • About Distributed Systems

      • AAA Servers in Distributed Systems

      • Default Distributed System Settings

    • Proxy in Distributed Systems

      • Fallback on Failed Connection

        • Character String

        • Stripping

      • Proxy in an Enterprise

      • Remote Use of Accounting Packets

      • Other Features Enabled by System Distribution

    • Network Device Searches

      • Network Device Search Criteria

      • Searching for Network Devices

    • AAA Client Configuration

      • AAA Client Configuration Options

      • Adding AAA Clients

      • Editing AAA Clients

      • Configuring a Default AAA Client

      • Deleting AAA Clients

    • AAA Server Configuration

      • AAA Server Configuration Options

      • Adding AAA Servers

      • Editing AAA Servers

      • Deleting AAA Servers

    • Network Device Group Configuration

      • Adding a Network Device Group

      • Assigning an Unassigned AAA Client or AAA Server to an NDG

      • Reassigning AAA Clients or AAA Servers to an NDG

      • Renaming a Network Device Group

      • Deleting a Network Device Group

    • Proxy Distribution Table Configuration

      • About the Proxy Distribution Table

      • Adding a New Proxy Distribution Table Entry

      • Sorting the Character String Match Order of Distribution Entries

      • Editing a Proxy Distribution Table Entry

      • Deleting a Proxy Distribution Table Entry

  • Shared Profile Components

    • About Shared Profile Components

      • 802.1X Example Setup

    • Network Access Filters

      • About Network Access Filters

      • Adding a Network Access Filter

      • Editing a Network Access Filter

      • Deleting a Network Access Filter

    • RADIUS Authorization Components

      • About RADIUS Authorization Components

        • Understanding RACs and Groups

        • Migrating Away from Groups to RACs

        • Vendors

        • Attribute Types

      • Before You Begin Using RADIUS Authorization Components

        • Enabling Use of RAC

      • Adding RADIUS Authorization Components

      • Cloning a RADIUS Authorization Component

      • Editing a RADIUS Authorization Component

      • Deleting a RADIUS Authorization Component

    • Downloadable IP ACLs

      • About Downloadable IP ACLs

      • Adding a Downloadable IP ACL

      • Editing a Downloadable IP ACL

      • Deleting a Downloadable IP ACL

    • Network Access Restrictions

      • About Network Access Restrictions

        • About IP-based NAR Filters

        • About Non-IP-based NAR Filters

      • Adding a Shared NAR

      • Editing a Shared NAR

      • Deleting a Shared NAR

    • Command Authorization Sets

      • About Command Authorization Sets

        • Command Authorization Sets Description

        • Command Authorization Sets Assignment

        • Case Sensitivity and Command Authorization

        • Arguments and Command Authorization

        • About Pattern Matching

      • Adding a Command Authorization Set

      • Editing a Command Authorization Set

      • Deleting a Command Authorization Set

  • User Group Management

    • About User Group Setup Features and Functions

      • Default Group

      • Group TACACS+ Settings

      • Group RADIUS Settings

    • Basic User Group Settings

      • Group Disablement

      • Enabling VoIP Support for a User Group

      • Setting Default Time-of-Day Access for a User Group

      • Setting Callback Options for a User Group

      • Setting Network Access Restrictions for a User Group

      • Setting Max Sessions for a User Group

      • Setting Usage Quotas for a User Group

    • Configuration-Specific User Group Settings

      • Setting Enable Privilege Options for a User Group

      • Setting Token Card Settings for a User Group

      • Enabling Password Aging for the ACS Internal Database

        • Varieties of Password Aging Supported by ACS

        • Password Aging Feature Settings

      • Enabling Password Aging for Users in Windows Databases

      • Setting IP Address Assignment Method for a User Group

      • Assigning a Downloadable IP ACL to a Group

      • Configuring TACACS+ Settings for a User Group

      • Configuring a Shell Command Authorization Set for a User Group

      • Configuring a PIX Command Authorization Set for a User Group

      • Configuring Device Management Command Authorization for a User Group

      • Configuring IETF RADIUS Settings for a User Group

      • Configuring Cisco IOS/PIX 6.0 RADIUS Settings for a User Group

        • Advanced Configuration Options

      • Configuring Cisco Airespace RADIUS Settings for a User Group

      • Configuring Cisco Aironet RADIUS Settings for a User Group

      • Configuring Ascend RADIUS Settings for a User Group

      • Configuring VPN 3000/ASA/PIX v7.x+ RADIUS Settings for a User Group

      • Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group

      • Configuring Microsoft RADIUS Settings for a User Group

      • Configuring Nortel RADIUS Settings for a User Group

      • Configuring Juniper RADIUS Settings for a User Group

      • Configuring BBSM RADIUS Settings for a User Group

      • Configuring Custom RADIUS VSA Settings for a User Group

    • Group Setting Management

      • Listing Users in a User Group

      • Resetting Usage Quota Counters for a User Group

      • Renaming a User Group

      • Saving Changes to User Group Settings

  • User Management

    • About User Setup Features and Functions

    • About User Databases

    • Basic User Setup Options

      • Adding a Basic User Account

      • Setting Supplementary User Information

      • Setting a Separate CHAP/MS-CHAP/ARAP Password

      • Assigning a User to a Group

      • Setting the User Callback Option

      • Assigning a User to a Client IP Address

      • Setting Network Access Restrictions for a User

      • Setting Max Sessions Options for a User

      • Options for Setting User Usage Quotas

      • Setting Options for User Account Disablement

      • Assigning a Downloadable IP ACL to a User

    • Advanced User Authentication Settings

      • TACACS+ Settings (User)

        • Configuring TACACS+ Settings for a User

        • Configuring a Shell Command Authorization Set for a User

        • Configuring a PIX Command Authorization Set for a User

        • Configuring Device-Management Command Authorization for a User

        • Configuring the Unknown Service Setting for a User

      • Advanced TACACS+ Settings for a User

        • Setting Enable Privilege Options for a User

        • Setting TACACS+ Enable Password Options for a User

        • Setting TACACS+ Outbound Password for a User

      • RADIUS Attributes

        • Setting IETF RADIUS Parameters for a User

        • Setting Cisco IOS/PIX 6.0 RADIUS Parameters for a User

        • Setting Cisco Airespace RADIUS Parameters for a User

        • Setting Cisco Aironet RADIUS Parameters for a User

        • Setting Ascend RADIUS Parameters for a User

        • Setting Cisco VPN 3000/ASA/PIX 7.x+ RADIUS Parameters for a User

        • Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User

        • Setting Microsoft RADIUS Parameters for a User

        • Setting Nortel RADIUS Parameters for a User

        • Setting Juniper RADIUS Parameters for a User

        • Setting BBSM RADIUS Parameters for a User

        • Setting Custom RADIUS Attributes for a User

    • User Management

      • Listing All Users

      • Finding a User

      • Disabling a User Account

      • Deleting a User Account

      • Resetting User Session Quota Counters

      • Resetting a User Account after Login Failure

      • Removing Dynamic Users

      • Saving User Settings

  • System Configuration: Basic

    • Service Control

      • Determining the Status of ACS Services

      • Stopping, Starting, or Restarting Services

      • Setting Service Log File Parameters

    • Logging

    • Date Format Control

      • Setting the Date Format

    • Local Password Management

      • Configuring Local Password Management

    • ACS Backup

      • About ACS Backup

      • Backup File Locations

      • Directory Management

      • Components Backed Up

      • Reports of ACS Backups

      • Backup Options

      • Performing a Manual ACS Backup

      • Scheduling ACS Backups

      • Disabling Scheduled ACS Backups

    • ACS System Restore

      • About ACS System Restore

      • Backup Filenames and Locations

      • Components Restored

      • Reports of ACS Restorations

      • Restoring ACS from a Backup File

    • ACS Active Service Management

      • System Monitoring

        • System Monitoring Options

        • Setting Up System Monitoring

      • Event Logging

        • Setting Up Event Logging

    • VoIP Accounting Configuration

      • Configuring VoIP Accounting

  • System Configuration: Advanced

    • ACS Internal Database Replication

      • About ACS Internal Database Replication

        • Replication Process

        • Replication Frequency

      • Important Implementation Considerations

      • Database Replication Versus Database Backup

      • Database Replication Logging

      • Replication Options

        • Replication Components Options

        • Outbound Replication Options

        • Inbound Replication Options

      • Implementing Primary and Secondary Replication Setups on ACSs

      • Configuring a Secondary ACS

      • Replicating Immediately

      • Scheduling Replication

      • Disabling ACS Database Replication

      • Configuring Automatic Change Password Replication

      • Database Replication Event Errors

    • RDBMS Synchronization

      • About RDBMS Synchronization

        • Users

        • User Groups

        • Network Configuration

        • Custom RADIUS Vendors and VSAs

      • RDBMS Synchronization Components

        • About CSDBSync

        • About the accountActions Table

      • ACS Database Recovery Using the accountActions Table

      • Reports and Event (Error) Handling

      • Preparing to Use RDBMS Synchronization

      • Configuring a System Data Source Name for RDBMS Synchronization

      • RDBMS Synchronization Options

        • RDBMS Setup Options

        • Synchronization Scheduling Options

        • Synchronization Partners Options

      • Performing RDBMS Synchronization Immediately

      • Scheduling RDBMS Synchronization

      • Disabling Scheduled RDBMS Synchronizations

    • IP Pools Server

      • About IP Pools Server

      • Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges

      • Refreshing the AAA Server IP Pools Table

      • Adding a New IP Pool

      • Editing an IP Pool Definition

      • Resetting an IP Pool

      • Deleting an IP Pool

    • IP Pools Address Recovery

      • Enabling IP Pool Address Recovery

  • System Configuration: Authentication and Certificates

    • About Certification and EAP Protocols

      • Digital Certificates

      • EAP-TLS Authentication

        • About the EAP-TLS Protocol

        • EAP-TLS and ACS

        • EAP-TLS Limitations

        • Enabling EAP-TLS Authentication

      • PEAP Authentication

        • About the PEAP Protocol

        • PEAP and ACS

        • PEAP and the Unknown User Policy

        • Enabling PEAP Authentication

      • EAP-FAST Authentication

        • About EAP-FAST

        • About Master Keys

        • About PACs

        • Provisioning Modes

        • Types of PACs

        • Master Key and PAC TTLs

        • Replication and EAP-FAST

        • Enabling EAP-FAST

        • Stateless Session Server Resume

    • Global Authentication Setup

      • Configuring Authentication Options

    • ACS Certificate Setup

      • Installing an ACS Server Certificate

      • Adding a Certificate Authority Certificate

      • Editing the Certificate Trust List

      • Managing Certificate Revocation Lists

        • About Certificate Revocation Lists

        • Certificate Revocation List Configuration Options

        • Editing a Certificate Revocation List Issuer

      • Generating a Certificate Signing Request

      • Using Self-Signed Certificates

        • About Self-Signed Certificates

        • Self-Signed Certificate Configuration Options

        • Generating a Self-Signed Certificate

      • Updating or Replacing an ACS Certificate

  • Logs and Reports

    • Logging Formats

    • Special Logging Attributes

    • Posture-Validation Attributes in Logs

    • Reporting HCAP Errors

    • Update Packets in Accounting Logs

    • About ACS Logs and Reports

      • Accounting Logs

      • Dynamic Administration Reports

        • Viewing the Logged-in Users Report

        • Deleting Logged-in Users

        • Viewing the Disabled Accounts Report

      • ACS System Logs

        • Configuring the Administration Audit Log

    • Working with CSV Logs

      • CSV Log File Names

      • CSV Log File Locations

      • Enabling or Disabling a CSV Log

      • Viewing a CSV Report

      • Log Filtering

        • Regular Expression Basic Syntax Reference

      • Configuring a CSV Log

    • Working with ODBC Logs

      • Preparing for ODBC Logging

      • Configuring a System Data Source Name for ODBC Logging

      • Configuring an ODBC Log

    • Remote Logging

      • About Remote Logging

      • Implementing Centralized Remote Logging

      • Remote Logging Options

      • Enabling and Configuring Remote Logging

      • Disabling Remote Logging

    • Service Logs

      • Services Logged

      • Configuring Service Logs

      • Helping Customer Support Gather Data

  • Administrators and Administrative Policy

    • Administrator Accounts

      • About Administrator Accounts

      • Administrator Privileges

      • Adding an Administrator Account

      • Editing an Administrator Account

      • Unlocking a Locked Out Administrator Account

      • Deleting an Administrator Account

    • Access Policy

      • Access Policy Options

      • Setting Up Access Policy

    • Session Policy

      • Session Policy Options

      • Setting Up Session Policy

    • Audit Policy

  • User Databases

    • ACS Internal Database

      • About the ACS Internal Database

      • User Import and Creation

    • About External User Databases

      • Authenticating with External User Databases

      • External User Database Authentication Process

    • Windows User Database

      • Windows User Database Support

      • Authentication with Windows User Databases

      • Trust Relationships

      • Windows Dial-Up Networking Clients

        • Windows Dial-Up Networking Clients with a Domain Field

        • Windows Dial-Up Networking Clients without a Domain Field

      • Usernames and Windows Authentication

        • Username Formats and Windows Authentication

        • Nondomain-Qualified Usernames

        • Domain-Qualified Usernames

        • UPN Usernames

      • EAP and Windows Authentication

        • EAP-TLS Domain Stripping

        • Machine Authentication

        • Machine Access Restrictions

        • Microsoft Windows and Machine Authentication

        • Enabling Machine Authentication

      • User-Changeable Passwords with Windows User Databases

      • Preparing Users for Authenticating with Windows

      • Windows User Database Configuration Options

      • Configuring a Windows External User Database

    • Generic LDAP

      • ACS Authentication Process with a Generic LDAP User Database

      • Multiple LDAP Instances

      • LDAP Organizational Units and Groups

      • Domain Filtering

      • LDAP Failover

        • Successful Previous Authentication with the Primary LDAP Server

        • Unsuccessful Previous Authentication with the Primary LDAP Server

      • LDAP Admin Logon Connection Management

      • Distinguished Name Caching

      • LDAP Configuration Options

      • Configuring a Generic LDAP External User Database

    • ODBC Database

      • What is Supported with ODBC User Databases

      • ACS Authentication Process with an ODBC External User Database

      • Preparing to Authenticate Users with an ODBC-Compliant Relational Database

      • Implementation of Stored Procedures for ODBC Authentication

        • Type Definitions

      • Microsoft SQL Server and Case-Sensitive Passwords

      • Sample Routine for Generating a PAP Authentication SQL Procedure

      • Sample Routine for Generating an SQL CHAP Authentication Procedure

      • Sample Routine for Generating an EAP-TLS Authentication Procedure

      • PAP Authentication Procedure Input

      • PAP Procedure Output

      • CHAP/MS-CHAP/ARAP Authentication Procedure Input

      • CHAP/MS-CHAP/ARAP Procedure Output

      • EAP-TLS Authentication Procedure Input

      • EAP-TLS Procedure Output

      • Result Codes

      • Configuring a System Data Source Name for an ODBC External User Database

      • Configuring an ODBC External User Database

    • LEAP Proxy RADIUS Server Database

      • Configuring a LEAP Proxy RADIUS Server External User Database

    • Token Server User Databases

      • About Token Servers and ACS

        • Token Servers and ISDN

      • RADIUS-Enabled Token Servers

        • About RADIUS-Enabled Token Servers

        • Token Server RADIUS Authentication Request and Response Contents

        • Configuring a RADIUS Token Server External User Database

      • RSA SecurID Token Servers

        • Configuring an RSA SecurID Token Server External User Database

    • Deleting an External User Database Configuration

  • Posture Validation

    • What is Posture Validation?

    • Network Access Control Overview

      • Benefits of NAC

      • NAC Architecture Overview

      • Posture Tokens

    • Posture Validation in ACS

      • Configuring NAC in ACS

      • Posture Validation Process

      • Policy Overview

        • About Posture Credentials and Attributes

        • Extended Attributes

      • Internal Policies

        • About Internal Policies

        • About Rules, Rule Elements, and Attributes

        • Internal Policy Configuration Options

      • External Policies

        • About External Policies

        • External Policy Configuration Options

      • NAH Policies

        • About External Audit Servers

        • External Audit Server Configuration Options

    • Configuring Policies

      • Setting Up Posture Validation Policies

        • Creating an Internal Policy

        • Editing a Policy

        • Cloning a Policy or Policy Rule

        • Renaming a Policy

        • Deleting a Policy or Rule

        • Deleting a Condition Component or Condition Set

      • Setting Up an External Policy Server

        • Editing an External Posture Validation Server

        • Deleting an External Posture Validation Server

      • Setting Up an External Audit Posture Validation Server

        • Editing an External Posture Validation Audit Server

        • Deleting an External Posture Validation Server

    • How Posture Validation Fits into Profile-Based Policies

  • Network Access Profiles

    • Overview of NAPs

    • Profile-based Policies

    • Configuring Profile-Based Policies

    • Setting Up a Profile

      • Defining User Access Requests

      • NAFs

      • Protocol Types

      • Advanced Filtering

        • About Rules, Rule Elements, and Attributes

        • Configuring Advanced Filtering

    • NAP Administrative Tasks

      • Adding a Profile

      • Ordering Profiles

      • Editing a Profile

      • Cloning a Profile

      • Deleting a Profile

      • Processing Unmatched User Requests

      • NAP Administration Pages

    • Using Profile Templates

      • Shared-profile Components

      • Prerequisites for Using Profile Templates

        • Selecting a Profile Template

      • NAC L3 IP

        • Downloadable ACLs

      • NAC L2 IP

        • ACS and AV Pairs

        • Default ACLs

      • NAC Layer 2 802.1x

      • Microsoft IEEE 802.1x

      • Wireless (NAC L2 802.1x)

      • Authentication Bypass

      • NAC Agentless Host

    • Configuring Policies for Profiles

      • Configuring Authentication Policies

        • Populate from Global

        • Authentication Protocols

        • MAC-Authentication Bypass

        • EAP Configuration

        • EAP-FAST

        • Posture Validation Settings

        • Credential Validation Databases

        • Setting Authentication Policies

        • Configuring MAC Authentication Bypass

      • Configuring Posture-Validation Policies

        • URL Redirect Policy

        • Import Vendor Attribute-Value Pairs (AVPs)

        • Setting a Posture-Validation Policy

        • Deleting a Posture Validation Rule

        • Audit Server Functionality

        • System Posture Token Configuration

        • Mapping an Audit Server to a Profile

        • Posture Validation for Agentless Hosts

        • Configuring Fail Open

        • Runtime Behavior

      • Configuring Authorization Policies

      • Authorization Rules

        • Configuring an Authorization Rule

        • Configuring a Default Authorization Rule

        • Ordering the Authorization Rules

        • Deleting an Authorization Rule

        • Shared RACs

        • RAC and Groups

        • Merging Attributes

        • Troubleshooting Profiles

        • Migrating from Groups to RACs

    • Policy Replication and Backup

  • Unknown User Policy

    • Known, Unknown, and Discovered Users

    • Authentication and Unknown Users

      • About Unknown User Authentication

      • General Authentication of Unknown Users

      • Windows Authentication of Unknown Users

        • Domain-Qualified Unknown Windows Users

        • Windows Authentication with Domain Qualification

        • Multiple User Account Creation

      • Performance of Unknown User Authentication

        • Added Authentication Latency

        • Authentication Timeout Value on AAA clients

    • Authorization of Unknown Users

    • Unknown User Policy Options

    • Database Search Order

    • Configuring the Unknown User Policy

    • Disabling Unknown User Authentication

  • User Group Mapping and Specification

    • About User Group Mapping and Specification

    • Group Mapping by External User Database

      • Creating an ACS Group Mapping for a Token Server, ODBC Database, or LEAP Proxy RADIUS Server Data...

    • Group Mapping by Group Set Membership

      • Group Mapping Order

      • No Access Group for Group Set Mappings

      • Default Group Mapping for Windows

      • Windows Group Mapping Limitations

      • Creating an ACS Group Mapping for Windows or Generic LDAP Groups

      • Editing a Windows or Generic LDAP Group Set Mapping

      • Deleting a Windows or Generic LDAP Group Set Mapping

      • Deleting a Windows Domain Group Mapping Configuration

      • Changing Group Set Mapping Order

    • RADIUS-Based Group Specification

  • Troubleshooting

    • Administration Issues

    • Browser Issues

    • Cisco NAC Issues

    • Database Issues

    • Dial-in Connection Issues

    • Proxy Issues

    • Installation and Upgrade Issues

    • MaxSessions Issues

    • Report Issues

    • Third-Party Server Issues

    • User Authentication Issues

    • TACACS+ and RADIUS Attribute Issues

  • TACACS+ Attribute-Value Pairs

    • Cisco IOS AV Pair Dictionary

      • TACACS+ AV Pairs

      • TACACS+ Accounting AV Pairs

  • RADIUS Attributes

    • Before Using RADIUS Attributes

    • CiscoIOS Dictionary of RADIUS IETF

    • CiscoIOS/PIX 6.0 Dictionary of RADIUS VSAs

    • About the cisco-av-pair RADIUS Attribute

    • CiscoVPN 3000 Concentrator/ASA/PIX 7.x+ Dictionary of RADIUS VSAs

    • Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs

    • Cisco Building Broadband Service Manager Dictionary of RADIUS VSA

    • Cisco Airespace Dictionary of RADIUS VSA

    • IETF Dictionary of RADIUS IETF (AV Pairs)

    • Microsoft MPPE Dictionary of RADIUS VSAs

    • Ascend Dictionary of RADIUS AV Pairs

    • Nortel Dictionary of RADIUS VSAs

    • Juniper Dictionary of RADIUS VSAs

  • CSUtil Database Utility

    • Location of CSUtil.exe and Related Files

    • CSUtil Command Syntax

    • Backing Up ACS with CSUtil.exe

    • Restoring ACS with CSUtil.exe

    • Creating an ACS Internal Database

    • Creating an ACS Internal Database Dump File

    • Loading the ACS Internal Database from a Dump File

    • Compacting the ACS Internal Database

    • User and AAA Client Import Option

      • Importing User and AAA Client Information

      • User and AAA Client Import File Format

        • About User and AAA Client Import File Format

        • ONLINE or OFFLINE Statement

        • ADD Statements

        • UPDATE Statements

        • DELETE Statements

        • ADD_NAS Statements

        • DEL_NAS Statements

        • Import File Example

    • Exporting User List to a Text File

    • Exporting Group Information to a Text File

    • Decoding Error Numbers

    • User-Defined RADIUS Vendors and VSA Sets

      • About User-Defined RADIUS Vendors and VSA Sets

      • Adding a Custom RADIUS Vendor and VSA Set

      • Deleting a Custom RADIUS Vendor and VSA Set

      • Listing Custom RADIUS Vendors

      • Exporting Custom RADIUS Vendor and VSA Sets

      • RADIUS Vendor/VSA Import File

        • About the RADIUS Vendor/VSA Import File

        • Vendor and VSA Set Definition

        • Attribute Definition

        • Enumeration Definition

        • Example RADIUS Vendor/VSA Import File

    • PAC File Generation

      • PAC File Options and Examples

      • Generating PAC Files

    • Posture-Validation Attributes

      • Posture-Validation Attribute Definition File

      • Exporting Posture-Validation Attribute Definitions

      • Importing Posture-Validation Attribute Definitions

        • Importing External Audit Posture-Validation Servers

      • Deleting a Posture-Validation Attribute Definition

        • Deleting an Extended Posture-Validation Attribute Definition

      • Default Posture-Validation Attribute Definition File

  • VPDN Processing

    • VPDN Process

  • RDBMS Synchronization Import Definitions

    • accountActions Specification

      • accountActions Format

      • accountActions Mandatory Fields

      • accountActions Processing Order

    • Supported Versions for ODBC Datasources

    • Action Codes

      • Action Codes for Setting and Deleting Values

      • Action Codes for Creating and Modifying User Accounts

      • Action Codes for Initializing and Modifying Access Filters

      • Action Codes for Modifying TACACS+ and RADIUS Group and User Settings

      • Action Codes for Modifying Network Configuration

    • ACS Attributes and Action Codes

      • User-Specific Attributes

      • User-Defined Attributes

      • Group-Specific Attributes

    • An Example of accountActions

  • Internal Architecture

    • Windows Services

    • Windows and SQL Registries

      • Windows Registry

      • SQL Registry

    • CSAdmin

    • CSAuth

    • CSDBSync

    • CSLog

    • CSMon

      • Monitoring

      • Recording

      • Notification

      • Response

    • CSTacacs and CSRadius

  • Index

Content

User Guide for Cisco Secure ACS for Windows Version 4.0

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 526-4100

Customer Order Number: DOC-7816992=
Text Part Number: 78-16992-02

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0601R)

User Guide for Cisco Secure Access Control Server for Windows
© 2002-2006 Cisco Systems, Inc. All rights reserved.

CONTENTS

  • Preface (p. xxv)
    • Audience (p. xxv)
    • Organization (p. xxv)
    • Conventions (p. xxvi)
    • Product Documentation (p. xxvii)
    • Related Documentation (p. xxviii)
    • Obtaining Documentation (p. xxviii)
      • Cisco.com (p. xxviii)
      • Product Documentation DVD (p. xxix)
      • Ordering Documentation (p. xxix)
    • Documentation Feedback (p. xxix)
    • Cisco Product Security Overview (p. xxix)
      • Reporting Security Problems in Cisco Products (p. xxx)
    • Obtaining Technical Assistance (p. xxx)
      • Cisco Technical Support & Documentation Website (p. xxxi)
      • Submitting a Service Request (p. xxxi)
      • Definitions of Service Request Severity (p. xxxi)
    • Obtaining Additional Publications and Information (p. xxxii)
  • Chapter 1: Overview (p. 1-1)
    • Introduction to ACS (p. 1-1)
    • ACS Features, Functions and Concepts (p. 1-2)
      • ACS as the AAA Server (p. 1-3)
      • AAA Protocols—TACACS+ and RADIUS (p. 1-3)
        • TACACS+ (p. 1-3)
        • RADIUS (p. 1-3)
      • Additional Features in ACS Version 4.0 (p. 1-4)
      • Authentication (p. 1-6)
        • Authentication Considerations (p. 1-6)
        • Authentication and User Databases (p. 1-7)
        • Authentication Protocol-Database Compatibility (p. 1-7)
        • Passwords (p. 1-8)
        • Other Authentication-Related Features (p. 1-11)
      • Authorization (p. 1-12)
        • Max Sessions (p. 1-12)
        • Dynamic Usage Quotas (p. 1-13)
        • Shared Profile Components (p. 1-13)
        • Support for Cisco Device-Management Applications (p. 1-13)
        • Other Authorization-Related Features (p. 1-14)
      • Accounting (p. 1-14)
        • Other Accounting-Related Features (p. 1-15)
    • Managing and Administrating ACS (p. 1-15)
      • Web Interface Security (p. 1-15)
      • HTTP Port Allocation for Administrative Sessions (p. 1-16)
      • Web Interface Layout (p. 1-16)
      • Uniform Resource Locator for the Web Interface (p. 1-18)
      • Online Help and Online Documentation (p. 1-18)
        • Using Online Help (p. 1-18)
        • Using the Online User Guide (p. 1-19)
    • ACS Specifications (p. 1-19)
      • System Performance Specifications (p. 1-19)
      • ACS Windows Services (p. 1-20)
  • Chapter 2: Deployment Considerations (p. 2-1)
    • Basic Deployment Factors for ACS (p. 2-1)
      • Network Topology (p. 2-2)
        • Dial-Up Topology (p. 2-2)
        • Wireless Network (p. 2-4)
        • Remote Access using VPN (p. 2-6)
      • Remote Access Policy (p. 2-7)
      • Security Policy (p. 2-8)
      • Administrative Access Policy (p. 2-8)
        • Separation of Administrative and General Users (p. 2-9)
      • Database (p. 2-10)
        • Number of Users (p. 2-10)
        • Type of Database (p. 2-10)
      • Network Latency and Reliability (p. 2-10)
    • Suggested Deployment Sequence (p. 2-11)
  • Chapter 3: Using the Web Interface (p. 3-1)
    • Administrative Sessions (p. 3-1)
      • Administrative Sessions and HTTP Proxy (p. 3-2)
      • Administrative Sessions Through Firewalls (p. 3-2)
      • Administrative Sessions Through a NAT Gateway (p. 3-2)
      • Accessing the Web Interface (p. 3-3)
      • Logging Off the Web Interface (p. 3-3)
    • Interface Design Concepts (p. 3-4)
      • Introduction of Network Access Profiles
      • User-to-Group Relationship (p. 3-4)
      • Per-User or Per-Group Features (p. 3-4)
    • User Data Configuration Options (p. 3-4)
      • Configuring New User Data Fields
3-4 3-5 Advanced Options 3-5 Setting Advanced Options for the ACS User Interface Protocol Configuration Options for TACACS+ Setting Options for TACACS+ 3-9 3-7 3-7 Protocol Configuration Options for RADIUS 3-9 Setting Protocol Configuration Options for IETF RADIUS Attributes 3-12 Setting Protocol Configuration Options for Non-IETF RADIUS Attributes 3-13 CHAPTER Network Configuration 4-1 About Network Configuration 4-1 About Distributed Systems 4-2 AAA Servers in Distributed Systems Default Distributed System Settings 4-2 4-3 Proxy in Distributed Systems 4-3 Fallback on Failed Connection 4-4 Character String 4-4 Stripping 4-4 Proxy in an Enterprise 4-5 Remote Use of Accounting Packets 4-5 Other Features Enabled by System Distribution 4-5 Network Device Searches 4-6 Network Device Search Criteria 4-6 Searching for Network Devices 4-6 User Guide for Cisco Secure Access Control Server for Windows 78-16992-02 v Contents AAA Client Configuration 4-7 AAA Client Configuration Options 4-8 Adding AAA Clients 4-11 Editing AAA Clients 4-13 Configuring a Default AAA Client 4-14 Deleting AAA Clients 4-14 AAA Server Configuration 4-15 AAA Server Configuration Options Adding AAA Servers 4-16 Editing AAA Servers 4-18 Deleting AAA Servers 4-19 4-15 Network Device Group Configuration 4-19 Adding a Network Device Group 4-20 Assigning an Unassigned AAA Client or AAA Server to an NDG Reassigning AAA Clients or AAA Servers to an NDG 4-21 Renaming a Network Device Group 4-22 Deleting a Network Device Group 4-22 Proxy Distribution Table Configuration 4-23 About the Proxy Distribution Table 4-23 Adding a New Proxy Distribution Table Entry 4-24 Sorting the Character String Match Order of Distribution Entries Editing a Proxy Distribution Table Entry 4-25 Deleting a Proxy Distribution Table Entry 4-26 CHAPTER Shared Profile Components 4-21 4-25 5-1 About Shared Profile Components 802.1X Example Setup 5-2 5-1 Network Access Filters 5-2 About Network Access Filters 5-3 Adding a Network Access 
Filter 5-3 Editing a Network Access Filter 5-5 Deleting a Network Access Filter 5-6 RADIUS Authorization Components 5-6 About RADIUS Authorization Components 5-7 Understanding RACs and Groups 5-7 Migrating Away from Groups to RACs 5-7 Vendors 5-7 Attribute Types 5-8 User Guide for Cisco Secure Access Control Server for Windows vi 78-16992-02 Contents Before You Begin Using RADIUS Authorization Components Enabling Use of RAC 5-9 Adding RADIUS Authorization Components 5-9 Cloning a RADIUS Authorization Component 5-10 Editing a RADIUS Authorization Component 5-10 Deleting a RADIUS Authorization Component 5-11 5-8 Downloadable IP ACLs 5-13 About Downloadable IP ACLs 5-13 Adding a Downloadable IP ACL 5-15 Editing a Downloadable IP ACL 5-16 Deleting a Downloadable IP ACL 5-17 Network Access Restrictions 5-17 About Network Access Restrictions 5-18 About IP-based NAR Filters 5-19 About Non-IP-based NAR Filters 5-19 Adding a Shared NAR 5-20 Editing a Shared NAR 5-22 Deleting a Shared NAR 5-23 Command Authorization Sets 5-24 About Command Authorization Sets 5-24 Command Authorization Sets Description 5-24 Command Authorization Sets Assignment 5-26 Case Sensitivity and Command Authorization 5-26 Arguments and Command Authorization 5-27 About Pattern Matching 5-27 Adding a Command Authorization Set 5-28 Editing a Command Authorization Set 5-29 Deleting a Command Authorization Set 5-30 CHAPTER User Group Management 6-1 About User Group Setup Features and Functions Default Group 6-2 Group TACACS+ Settings 6-2 Group RADIUS Settings 6-3 6-2 Basic User Group Settings 6-3 Group Disablement 6-3 Enabling VoIP Support for a User Group 6-4 Setting Default Time-of-Day Access for a User Group Setting Callback Options for a User Group 6-5 6-5 User Guide for Cisco Secure Access Control Server for Windows 78-16992-02 vii Contents Setting Network Access Restrictions for a User Group Setting Max Sessions for a User Group 6-9 Setting Usage Quotas for a User Group 6-10 6-6 Configuration-Specific 
User Group Settings 6-12 Setting Enable Privilege Options for a User Group 6-13 Setting Token Card Settings for a User Group 6-14 Enabling Password Aging for the ACS Internal Database 6-15 Varieties of Password Aging Supported by ACS 6-15 Password Aging Feature Settings 6-16 Enabling Password Aging for Users in Windows Databases 6-19 Setting IP Address Assignment Method for a User Group 6-21 Assigning a Downloadable IP ACL to a Group 6-22 Configuring TACACS+ Settings for a User Group 6-22 Configuring a Shell Command Authorization Set for a User Group 6-24 Configuring a PIX Command Authorization Set for a User Group 6-25 Configuring Device Management Command Authorization for a User Group 6-26 Configuring IETF RADIUS Settings for a User Group 6-27 Configuring Cisco IOS/PIX 6.0 RADIUS Settings for a User Group 6-28 Advanced Configuration Options 6-29 Configuring Cisco Airespace RADIUS Settings for a User Group 6-29 Configuring Cisco Aironet RADIUS Settings for a User Group 6-30 Configuring Ascend RADIUS Settings for a User Group 6-32 Configuring VPN 3000/ASA/PIX v7.x+ RADIUS Settings for a User Group 6-33 Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group 6-34 Configuring Microsoft RADIUS Settings for a User Group 6-35 Configuring Nortel RADIUS Settings for a User Group 6-36 Configuring Juniper RADIUS Settings for a User Group 6-37 Configuring BBSM RADIUS Settings for a User Group 6-38 Configuring Custom RADIUS VSA Settings for a User Group 6-39 Group Setting Management 6-39 Listing Users in a User Group 6-40 Resetting Usage Quota Counters for a User Group Renaming a User Group 6-40 Saving Changes to User Group Settings 6-41 CHAPTER User Management 6-40 7-1 About User Setup Features and Functions About User Databases 7-1 7-2 User Guide for Cisco Secure Access Control Server for Windows viii 78-16992-02 Contents Basic User Setup Options 7-2 Adding a Basic User Account 7-3 Setting Supplementary User Information 7-4 Setting a Separate 
CHAP/MS-CHAP/ARAP Password Assigning a User to a Group 7-5 Setting the User Callback Option 7-6 Assigning a User to a Client IP Address 7-7 Setting Network Access Restrictions for a User 7-8 Setting Max Sessions Options for a User 7-11 Options for Setting User Usage Quotas 7-12 Setting Options for User Account Disablement 7-13 Assigning a Downloadable IP ACL to a User 7-14 7-5 Advanced User Authentication Settings 7-15 TACACS+ Settings (User) 7-16 Configuring TACACS+ Settings for a User 7-16 Configuring a Shell Command Authorization Set for a User 7-17 Configuring a PIX Command Authorization Set for a User 7-19 Configuring Device-Management Command Authorization for a User 7-20 Configuring the Unknown Service Setting for a User 7-21 Advanced TACACS+ Settings for a User 7-22 Setting Enable Privilege Options for a User 7-22 Setting TACACS+ Enable Password Options for a User 7-23 Setting TACACS+ Outbound Password for a User 7-24 RADIUS Attributes 7-24 Setting IETF RADIUS Parameters for a User 7-25 Setting Cisco IOS/PIX 6.0 RADIUS Parameters for a User 7-26 Setting Cisco Airespace RADIUS Parameters for a User 7-27 Setting Cisco Aironet RADIUS Parameters for a User 7-28 Setting Ascend RADIUS Parameters for a User 7-29 Setting Cisco VPN 3000/ASA/PIX 7.x+ RADIUS Parameters for a User 7-30 Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User 7-31 Setting Microsoft RADIUS Parameters for a User 7-32 Setting Nortel RADIUS Parameters for a User 7-33 Setting Juniper RADIUS Parameters for a User 7-34 Setting BBSM RADIUS Parameters for a User 7-35 Setting Custom RADIUS Attributes for a User 7-35 User Management 7-36 Listing All Users 7-37 Finding a User 7-37 Disabling a User Account 7-38 User Guide for Cisco Secure Access Control Server for Windows 78-16992-02 ix Contents Deleting a User Account 7-38 Resetting User Session Quota Counters 7-39 Resetting a User Account after Login Failure 7-39 Removing Dynamic Users 7-40 Saving User Settings 7-41 CHAPTER System 
Configuration: Basic 8-1 Service Control 8-1 Determining the Status of ACS Services 8-2 Stopping, Starting, or Restarting Services 8-2 Setting Service Log File Parameters 8-3 Logging 8-3 Date Format Control 8-3 Setting the Date Format 8-4 Local Password Management 8-4 Configuring Local Password Management 8-6 ACS Backup 8-7 About ACS Backup 8-7 Backup File Locations 8-8 Directory Management 8-8 Components Backed Up 8-8 Reports of ACS Backups 8-8 Backup Options 8-9 Performing a Manual ACS Backup 8-9 Scheduling ACS Backups 8-9 Disabling Scheduled ACS Backups 8-10 ACS System Restore 8-11 About ACS System Restore 8-11 Backup Filenames and Locations 8-11 Components Restored 8-12 Reports of ACS Restorations 8-12 Restoring ACS from a Backup File 8-12 ACS Active Service Management 8-13 System Monitoring 8-13 System Monitoring Options 8-13 Setting Up System Monitoring 8-14 Event Logging 8-15 Setting Up Event Logging 8-15 User Guide for Cisco Secure Access Control Server for Windows x 78-16992-02 Index formats L 11-1 Logged-In Users reports LAN manager 1-9 ODBC logs latency in networks 2-10 enabling in interface LDAP overview Admin Logon Connection Management Distinguished Name LEAP 13-26 13-26 3-7 11-1 working with overview 1-9 11-16 11-4 Passed Authentication logs LEAP proxy RADIUS user databases configuring external databases group mappings overview RADIUS logs 13-47 centralized 17-8 disabling 6-40 11-22 logging hosts local policies options see internal policies log files 8-3 11-21 11-19 service logs A-12 services configuring service logs deleting logged-in users 11-7 list of logs generated 11-6 system logs 11-7 logging TACACS+ logs 11-4 troubleshooting A-12 user data attributes accounting logs VoIP logs 11-4 Administration Audit log configuring 11-9 11-23 11-2 11-4 watchdog packets 11-6 11-3 login process test frequency 11-15 11-24 11-8 See also Reports and Activity administration reports 3-6 11-19 overview Logged-In Users report description 11-21 enabling in interface 
7-37 storage directory 11-20 configuring list all users in User Setup 9-2 remote logging 13-46 in Group Setup 11-4 11-4 RDBMS synchronization 17-1 RADIUS-based group specifications viewing 11-6 8-13 logins CSV (comma-separated values) files custom RADIUS dictionaries 11-1 9-2 debug logs greeting upon 6-18 password aging dependency 6-17 logs detail levels frequency 11-24 See logging 11-24 See Reports and Activity Disabled Accounts reports domain names 11-6 11-2 external user databases Failed Attempts logs 11-2 11-4 User Guide for Cisco Secure Access Control Server for Windows IN-10 78-16992-02 Index M N MAC-Authentication Bypass NAC 15-29 Machine Access Restrictions (MAR) 1-6 machine authentication enabling about deleting 1-13 mappings databases to AAA groups D-28 about 9-2 logging 10-10 about 3-6 1-12 in Group Setup in User Setup overview 6-9 7-11 14-5 14-18 external 14-11 internal 14-9 results 14-18 remediation server 1-12 troubleshooting url-redirect attribute A-11 C-6 rules 1-12 memory utilization about G-4 monitoring 14-10, 15-6 default configuring 15-6 self-signed certificates definition 1-9 14-3 descriptions of 10-19 14-3 returned by internal policies 1-9 protocol supported 14-5 tokens 8-13 configuring 14-11 operators 8-14 G-4 overview overview 14-4 policies 1-12 enabling in interface MS-CHAP 14-7 overview 10-10 max sessions 14-4 credentials 17-1 implementing definition CSMon D-28 configuring ACS for support for 17-3 master key user 14-8 exporting database groups to AAA groups group D-28 data types 13-14 management application support master AAA servers 14-14 14-7 adding 13-11 with Microsoft Windows states agentless host see also NAH attributes 13-16 overview 1-2 NAC Agentless Host 1-8 multiple IP addresses for AAA clients 4-8 NAC L2 IP 15-17 NAC L3 IP 15-15 14-9 15-25 NAFs See network access filters NAH policies 14-14 User Guide for Cisco Secure Access Control Server for Windows 78-16992-02 IN-11 Index NAR See network access restrictions 4-21 Network Access 
Filters (NAF) 1-6, 15-4 2-10 deployment 5-2 Network Access Profiles 1-5, 15-1, 15-10, 15-28 wireless 2-2 2-4 noncompliant devices 15-9 configuring advanced filtering 15-7 1-2 non-EAP authentication protocol 15-9 setting up 2-10 network topologies 5-6 cloning latency reliability 5-3 overview 4-6 networks 5-5 deleting 4-22 searches for Network Access Filter (NAF) editing reassigning AAA servers to network devices See AAA clients adding 4-21 renaming NAS editing reassigning AAA clients to 1-7 Novell NDS user databases 15-3 network access quotas mapping database groups to AAA groups 1-13 17-3 network access restrictions deleting editing 5-23 O 5-22 enabling in interface group-level ODBC features 3-6 user-level accountActions table 3-5 in Group Setup authentication 6-6 CHAP interface configuration in User Setup 3-6 6-6, 7-8 non-IP-based filters overview 5-19 5-18 13-37 EAP-TLS 13-37 overview 13-34 PAP 13-37 preparation process network access servers 13-36 process with external user database See AAA clients result codes Network Admission Control 13-38 CHAP authentication sample procedure network configuration 4-1 configuring network device groups 13-39 13-44 data source names 4-20 13-35 13-43 case-sensitive passwords see NAC adding 9-21 11-17, 13-34 DSN (data source name) configuration 13-43 assigning AAA clients to 4-21 EAP-TLS authentication sample procedure assigning AAA servers to 4-21 features supported configuring deleting 4-19 group mappings 4-22 enabling in interface 13-39 13-35 17-1 group specifications 3-6 CHAP 13-41 User Guide for Cisco Secure Access Control Server for Windows IN-12 78-16992-02 Index EAP-TLS PAP CSV (comma-separated values) file directory 13-42 enabling CSV (comma-separated values) logging 13-40 vs group mappings viewing 17-2 PAP authentication sample procedures password case sensitivity password aging EAP-FAST 13-37 PAP authentication type definitions user databases 13-40 13-38 ODBC logs 3-6 in Windows databases 6-19 PEAP See logging online 
documentation rules 1-6 13-17 1-11 13-17 6-15 password configurations 1-18 basic 1-18 location in HTML interface using interface configuration overview 1-10 passwords 1-17 See also password aging 1-18 online user guide case sensitive 1-19 Open Database Connectivity (ODBC) ordering rules, in policies overview of Cisco Secure ACS 13-38 CHAP/MS-CHAP/ARAP 1-7 caching 1-10 1-10 inbound passwords 1-1 1-10 outbound passwords separate passwords P single password token caching PAC automatic provisioning refresh 10-14 1-10 1-10 1-10 13-2 expiration 6-17 D-9 local management 11-25 1-10 1-10 encryption import utility 10-15 package.cab file PAP token cards 10-13 10-11 manual provisioning 7-5 configurations 14-10 outbound password configuration definition 6-16 13-17 MS-CHAP 13-34 One-time Passwords (OTPs) 6-17 Cisco IOS release requirement for 13-42 9-16 1-11 age-by-uses rules 13-41 EAP-TLS authentication implementing 11-12 automatic change password configuration 13-38 CHAP authentication 11-11 password 13-38 stored procedures online help 11-11 8-4 password change log management 1-9 in User Setup 7-4 post-login greeting 6-18 1-8 vs ARAP 1-9 protocols supported vs CHAP 1-9 remote change user-changeable Passed Authentications log configuring CSV (comma-separated values) 11-14 8-5 8-5 1-11 validation options in System Configuration 8-4 User Guide for Cisco Secure Access Control Server for Windows 78-16992-02 IN-13 Index pattern matching in command authorization PEAP rule order 5-27 setting up an external audit server 1-9 See also certification configuring enabling setting up external servers Populate from Global 10-19 options in HTTP port ranges in URLs 10-5 password aging 12-9 1-18 See HTTP port allocation with Unknown User Policy performance monitoring ports 10-7 See also HTTP port allocation G-4 performance specifications See also port 2002 1-19 per-group attributes RADIUS See also groups enabling in interface enabling in interface 1-3 TACACS+ 1-3 Posture Validation 3-4 for 
Agentless Hosts per-user attributes 15-41 posture validation 3-4 TACACS+/RADIUS in Interface Configuration 3-5 PIX ACLs attributes 14-7 configuring ACS for See downloadable IP ACLs credentials PIX command authorization sets See command authorization sets CTL 14-5 enabling 14-5 implementing See certification Point-to-Point Protocol (PPP) 1-20 policies 14-4 14-7 failed attempts log PKI (public key infastructure) 14-5 14-4 internal policy configuration options options policy overview 14-17 14-21 process flow deleting 14-23 and profile-based policies external 14-11 profiles, adding user groups internal 14-12 14-9 local NAH 14-14 overview 14-7 renaming 14-22 14-6 14-27 14-5 rule assigning posture tokens rules, about see internal policies 14-5 14-7 copying configuration options 14-10 14-17 passed authentications log 14-21 configuring 15-28 port allocation 6-19 10-6 cloning 14-24 port 2002 10-6 10-20 overview 14-25 15-28 Network Access Profiles 10-7 identity protection phases 14-10 14-6 14-10 server certificate requirement 14-4 Posture Validation Policies configuring 15-35 PPP password aging 6-16 User Guide for Cisco Secure Access Control Server for Windows IN-14 78-16992-02 Index privileges Q See administrators processor utilization profile quotas G-4 See network access quotas 15-1 Profile-based Policies See usage quotas 15-2 profile components See shared profile components profiles 15-47 profile templates RAC and Groups 15-13 protocols supported R RADIUS 1-8 protocol support 15-47 1-3 See also RADIUS VSAs (vendor specific attributes) EAP authentication accounting 1-8 non-EAP authentication 1-15 attributes See also RADIUS VSAs (vendor specific attributes) 1-7 protocol types in User Setup Network Access Profiles 15-5 proxy 7-24 AV (attribute value) pairs See also RADIUS VSAs (vendor specific attributes) See also Proxy Distribution Table Cisco IOS character strings IETF C-3 C-11 defining 4-4 overview stripping 4-4 Cisco Aironet 4-23 compliant token servers configuring in 
enterprise settings overview in Group Setup sending accounting packets troubleshooting A-11 Proxy Distribution Table See also proxy 4-23 4-3, 4-24 in User Setup editing entries interface configuration overview match order sorting 4-23 4-25 3-9 6-19 1-3 specifications 1-3 token servers 13-49 A-15 tunneling packets 4-25 3-12 7-25 troubleshooting 4-26 1-7 6-27 interface configuration ports 4-24 deleting entries overview 4-5 password aging adding entries default entry 4-9 IETF 4-5 4-3 configuring C-1 vs TACACS+ 4-12 1-3 RADIUS Accounting log configuring CSV (comma-separated values) ODBC 11-14 11-17 User Guide for Cisco Secure Access Control Server for Windows 78-16992-02 IN-15 Index configuring CSV (comma-separated values) CSV (comma-separated values) file directory 11-12 11-11 enabling ODBC in Group Setup in User Setup 11-11 RADIUS user databases configuring 7-34 in User Setup 17-8 RADIUS VSAs (vendor specific attributes) Ascend 7-32 in Group Setup overview 7-29 C-21 in User Setup adding 7-28 in User Setup C-10 Cisco IOS/PIX in Group Setup 3-13 C-4 configuring disabling C-6 9-23, 9-24 9-28 3-6 9-18 F-1 log CSV (comma-separated values) file directory viewing 6-34 C-10 network configuration overview partners 9-19 6-39 7-35 11-11 11-12 manual initialization 7-31 custom in User Setup 9-21 9-26 import definitions 7-30 supported attributes in Group Setup 9-19, D-18 group-related configuration 6-33 Cisco VPN 5000 in User Setup replicating enabling in interface supported attributes in Group Setup D-20 data source name configuration 7-26 Cisco VPN 3000 in User Setup D-21 accountActions table as transaction queue 6-28 supported attributes in Group Setup D-19 RDBMS synchronization interface configuration in User Setup F-12 D-18 deleting listing 7-35 supported attributes 9-19, D-18 import files 6-38 C-28 C-1 action codes for 6-30 Cisco BBSM (Building Broadband Service Manager) in Group Setup 7-33 user-defined about Cisco Aironet in Group Setup 6-36 supported attributes 6-32 
supported attributes C-19 Nortel in User Setup in User Setup 6-35 supported attributes 17-1 RADIUS-based group specifications in Group Setup C-28 Microsoft in Group Setup 13-50 group mappings 6-37 supported attributes 11-17 enabling CSV (comma-separated values) about Juniper 9-25 9-19 9-17 9-25 preparing to use 9-22 report and error handling 9-22 User Guide for Cisco Secure Access Control Server for Windows IN-16 78-16992-02 Index scheduling options group mappings 9-25 user-related configuration Registry immediate 9-18 Regular Expressions Syntax 11-14 rejection mode Windows user databases related documentation 9-5 in System Configuration 9-14 IP pools 16-4 logging xxviii reliability of network 2-10 remote access policies 2-7 notifications options Remove Dynamic Users 9-12 removing 9-2 9-16 9-7 overview 7-40 3-6 9-7 master AAA servers See logging 9-10 9-2, 9-29 manual initiation remote logging 9-2 partners external audit servers configuring 14-27 external servers 14-25 policies or rules 14-23 options process removing dynamic users 9-15 9-9 9-3 scheduling 7-40 renaming 9-14 scheduling options selecting data 14-22 replication auto change password settings 9-2 9-16 backups recommended (Caution) cascading 9-4, 9-9 certificates 9-2 client configuration 9-6 Reports and Activity 12-4 11-15 in interface 9-11 overview 9-7 general 9-14 11-4 9-7 9-2 16-3 Windows user databases Required Credential Types restarting services 10-15 16-4 15-38 G-5 8-2 restore 9-4 9-5 1-17 resource consumption 9-15, 9-16 external user databases 11-8 request handling 9-8 custom RADIUS dictionaries encryption 9-6 CSV (comma-separated values) logs corrupted backups (Caution) EAP-FAST vs backup configuring 9-11 overwriting (Note) disabling user-defined RADIUS vendors configuration privileges overwriting (Caution) configuring 9-2 See also logging components selecting 9-7 9-9 9-8 unsupported ACS Service Management page frequency important considerations interface configuration 16-3 policies 9-12 
implementing primary and secondary setups G-2 general 9-2 9-2 components restored configuring 8-12 User Guide for Cisco Secure Access Control Server for Windows 78-16992-02 IN-17 Index overview filenames logs 8-12 configuring 8-11 in System Configuration on a different server overview reports list of logs generated 8-11 management 8-11 starting 8-11 performing 8-13 8-2 session policies 8-12 with CSUtil.exe configuring D-4 RFC2138 1-3 options RFC2139 1-3 overview RSA SecurID Token Server 12-11 12-11 Network Access Profiles 15-3 shared profile components 13-53 group mappings 12-11 setting up 1-7 RSA user databases See also command authorization sets 17-1 rules about 11-23 8-2 stopping 8-12 configuring 11-24 See also downloadable IP ACLs See also network access filters 14-10 internal policy See also network access restrictions 14-10 overview 5-1 Shared Profile Components (SPC) S search order of external user databases security policies 16-8 Shared RAC 15-46 shared secret G-6 shell command authorization sets 2-8 See also command authorization sets security protocols CSRadius G-6 in Group Setup CSTacacs G-6 in User Setup interface options RADIUS 1-13 6-24 7-17 Simple Network Management Protocol (SNMP) 3-9 single password configurations 1-3, C-1 1-10 SMTP (simple mail-transfer protocol) TACACS+ custom commands overview G-5 specifications 3-8 RADIUS 1-3 time-of-day access Selected Credentials 1-12 3-8 15-38 server certificate installation 1-3 RFC2139 1-3 system performance 10-25 service control in System Configuration RFC2138 11-24 TACACS+ 1-3 SSL (secure socket layer) Service Monitoring logs See Cisco Secure ACS Service Monitoring logs starting services static IP addresses services determining status of 1-19 8-2 stopping services 12-9 8-2 7-7 8-2 User Guide for Cisco Secure Access Control Server for Windows IN-18 78-16992-02 Index performance specifications stored procedures services CHAP authentication configuring 13-45 See services input values 13-41 system performance 
output values specifications 13-41 result codes configuring 13-46 input values 13-42 output values T TACACS+ 13-42 implementing 13-37 in Group Setup 13-45 input values 13-40 in User Setup accounting 13-43 sample procedures general 13-38 13-38 B-1 3-8 enable privilege options interface configuration supplementary user information interface options 7-4 7-4 ports supported password protocols synchronization 3-9 1-8 1-13 system settings in Group Setup specifications 6-2, 6-3, 6-22 7-15, 7-16 1-3 time-of-day access configuration troubleshooting 9-1 authentication basic vs RADIUS 10-1 privileges 3-8 A-15 1-3 TACACS+ Accounting log 8-1 certificates 7-24 1-10 in User Setup See RDBMS synchronization advanced 3-7 1-3 SENDAUTH Cisco Device-Management Applications 7-23 7-22 outbound passwords for users support health B-3 enable password options for users 13-38 setting 7-22 custom commands type definitions in User Setup 6-2, 6-3 AV (attribute value) pairs 13-40 result codes 1-15 advanced TACACS+ settings configuring output values 1-3 accounting PAP authentication string 1-19 13-43 EAP-TLS authentication integer 1-19 configuring 10-1 CSV (comma-separated values) 12-3 ODBC G-4 messages in interface monitoring See monitoring 11-14 11-17 CSV (comma-separated values) file directory 1-17 enabling CSV (comma-separated values) enabling for ODBC viewing 11-11 11-11 11-17 11-12 User Guide for Cisco Secure Access Control Server for Windows 78-16992-02 IN-19 Index TACACS+ Administration log database issues debug logs configuring CSV(comma-separated values) ODBC A-8 installation issues 11-17 CSV (comma-separated values) file directory 11-11 enabling enabling CSV (comma-separated values) 11-11 report issues A-15 A-12 TACACS+ issues 11-12 Telnet A-11 A-11 RADIUS issues 11-17 A-11 max sessions issues proxy issues ODBC viewing 11-23 dial-in issues 11-14 A-6 A-15 third-party server issues See also command authorization sets upgrade issues password aging user issues 6-16 test login frequency 
internally thread used 8-13 time-of-day/day-of-week specification A-14 trusted root certificate authority enabling in interface 13-7 3-6 timeout values on AAA clients 16-6 TLS (transport level security) See certification U UNIX passwords 1-10, 13-49 D-12 unknown service user setting 1-20 Unknown User Policy 1-10 See also unknown users settings in Group Setup 6-14 configuring token servers 13-49 13-49 13-49 RADIUS token servers 16-9 See also Unknown User Policy 13-50 13-53 authentication 16-3 authentication performance supported servers token caching turning off 1-7 authentication processing 13-49 unmatched user requests See network topologies AAA servers Cisco IOS issues 16-6 15-10 See watchdog packets A-1 browser issues 16-6 update packets 15-47 upgrade troubleshooting administration issues 16-6 network access authorization topologies troubleshooting 13-2, 16-7 unknown users RADIUS-enabled RSA 16-8 in external user databases ISDN terminal adapters 7-21 13-18 password configuration overview 14-13 See certification trust relationships See also date format control token cards A-11 trust lists G-5 token caching A-14 A-2 A-3 A-3 A-11 usage quotas in Group Setup 6-10 in Interface Configuration 3-6 User Guide for Cisco Secure Access Control Server for Windows IN-20 78-16992-02 Index in User Setup overview disabling accounts 7-12 finding 1-13 resetting listing all users 7-39 user-changeable passwords overview 13-2 in multiple databases 6-40 for single users number of 1-11 16-4 7-37 number allowed with Windows user databases 2-10 1-20 RDBMS synchronization 13-17 user databases relationship to groups See databases removing dynamic User Data Configuration resetting accounts 3-4 user groups saving settings See groups 7-40 7-39 user-level discovered downloadable ACLs interface known 3-5 network access restrictions A-14 enabling in interface 16-2 16-2 unknown See also network access restrictions 16-2 VPDN dialup E-1 User Setup 3-5 User Password Changes log location account 
management tasks 11-11 users basic options configuring adding deleting user accounts basic steps assigning client IP addresses to assigning to a group 7-38 7-41 Users in Group button 13-2 callback options 7-1 saving settings 7-3 6-40 7-7 7-5 V 7-6 7-1 validation of passwords configuring device management command authorization sets for 7-20 configuring PIX command authorization sets for configuring shell command authorization sets for customized data fields 3-4 data configuration 7-36 7-2 See also User Setup 7-19 7-17 8-4 vendors adding audit 14-25 vendor-specific attributes See RADIUS VSAs (vendor specific attributes) vendor-specific attributes (VSAs) 1-4 viewing logs and reports See User Data Configuration deleting 7-4 types 1-19 configuring 3-4 7-41 troubleshooting methods 9-18 supplementary information user guide online 7-37 import methods for groups 7-3 See logging 11-7 deleting accounts 7-38 Virtual Private Dial-Up Networks (VPDNs) 1-12 User Guide for Cisco Secure Access Control Server for Windows 78-16992-02 IN-21 Index Voice-over-IP web interface See VoIP (Voice-over-IP) See also Interface Configuration VoIP (Voice-over-IP) layout accounting configuration security 3-7, 8-15 Accounting log Windows Callback 11-11 enabling in interface in Group Setup authentication order 3-6 services 16-5 8-2 dial-up networking configuring CSV (comma-separated values) 13-7 dial-up networking clients 11-14 domain field 11-17 CSV (comma-separated values) file directory 11-11 enabling 13-7 password field 13-7 username field 13-7 Domain List effect 11-17 VPDN 16-5 domains advantages domain names 2-6 authentication process domain authorization home gateways IP addresses tunnel IDs Event logs E-1 Registry E-2 G-2 CSAdmin E-2 1-20 CSDBSync E-1 CSLog See RADIUS VSAs (vendor specific attributes) W CSMon 1-20 CSRadius 1-20 CSTacacs 1-20 1-20 Windows user database G-4, G-5 passwords warnings significance of 1-20 1-20 overview warning events 1-20 1-20 CSAuth E-2 13-9, 16-4 G-5 Windows 
Services E-2 VSAs 1-7 1-8 Windows user databases xxvii See also databases watchdog packets configuring on AAA clients 4-12 Active Directory configuring on AAA servers 4-17 configuring logging 13-18 Cisco Secure ACS-related services 6-4 VoIP (Voice-over-IP) Accounting log users 13-18 Windows operating systems 3-6 group settings in Interface Configuration ODBC 1-18 Windows Database Callback 11-12 ODBC 1-15 uniform resource locator enabling csv log viewing 1-16 11-3 13-18 13-21 Domain list inadvertent user lockouts domain mapping 13-21 17-6 domains trusted 13-7 grant dial-in permission to users 13-6, 13-18 group mappings editing 17-6 limitations 17-3 no access groups remapping 17-4 17-6 mapping database groups to AAA groups overview 17-3 13-5 password aging 6-19 rejection mode 16-4 request handling trust relationships 16-4 13-7 user-changeable passwords user manager 13-17 13-18 wireless network topologies 2-4

Posted: 27/10/2019, 21:34
