Index
Numerics
3COMUSR
settings 2-14
A
AAA
See also AAA clients
See also AAA servers
pools for IP address assignment 6-7
AAA clients 1-1
adding and configuring 3-12
configuration management 8-18
configuring 3-8
deleting 3-14
editing 3-13
IP pools 6-7
multiple IP addresses for 3-8
number of 1-22
searching for 3-6
table 3-1
timeout values 15-6
AAA protocols
TACACS+ and RADIUS 1-3
AAA-related logs 10-1
AAA servers 1-3
adding 3-17
configuring 3-15
deleting 3-18
editing 3-17
enabling in interface (table) 2-15
functions and concepts 1-3
in distributed systems 3-2
master 8-2
overview 3-15
primary 8-2
replicating 8-2
searching for 3-6
secondary 8-2
accessing Cisco Secure ACS
how to 2-3
URL 1-21
with SSL enabled 1-21
Account Actions
RDBMS Setup 8-33
accountActions codes
ADD_USER E-5
CREATE_DACL E-28
CREATE_USER_DACL E-28
deleting 8-26
READ_DACL 8-25
READ_NAS 8-23
UPDATE_DACL 8-26
UPDATE_NAS 8-23
accountActions File 8-29
accountActions table 8-27, 8-28
account disablement
Account Disabled check box 6-3
manual 6-38
resetting 6-40
setting options for 6-13
accounting
See also logging
administrative 1-15
overview 1-15
RADIUS 1-15
TACACS+ 1-15
VoIP 1-15
accounting logs
updating packets 10-37
Account Never Expires option 11-3
ACLs
See downloadable IP ACLs
default 14-12
ACS
additional features 1-5
features, functions and concepts 1-3
internal database 1-3
introduction to 1-1
managing and administrating 1-16
specifications 1-22
Windows Services 1-23
ACS internal database
See also databases
overview 12-1
password encryption 12-2
replication 2-15
action codes
for creating and modifying user accounts E-5
for initializing and modifying access filters E-10
for modifying network configuration E-18
for modifying TACACS+ and RADIUS settings E-13
for setting and deleting values E-4
in accountActions E-3
Active Service Management
See Cisco Secure ACS Active Service Management
ADD_USER E-5
adding
external audit servers 13-25
external servers 13-22, 13-23
ADF
importing for vendors 13-13
Administration Audit logs 10-5
administrative accounting 1-15
administrative sessions
and HTTP proxy 2-2
network environment limitations of 2-1
through firewalls 2-2
through NAT (network address translation) 2-2
Administrator Entitlements reports 10-12
administrators
See also Administration Audit log
See also Administration Control
See also administrative access policies
deleting 11-7
locked out 11-3
locking out 11-18
unlocking 11-3
Agentless Host for L2 and L3 template 14-20
AES 128 algorithm 12-2
age-by-date rules for groups 5-18
Agentless Host for L2 (802.1x Fallback) 14-17
Agentless Host for L2 Template 14-17
Agentless Request Processing 14-24
Aironet
AAA client configuration 3-10
RADIUS parameters for group 5-30
RADIUS parameters for user 6-27
anonymous TLS renegotiation 9-16
appliance
configuration 7-22
Appliance Administration Audit logs 10-5
Appliance Status report 10-11
viewing 10-35
ARAP 1-9
in User Setup 6-4
attribute definition file
See also ADF 13-13
attributes 13-5
adding 8-47
adding external audit device types C-40
definition file 8-44
definition file sample 8-51
deleting 8-48
dumping 8-50
enabling in interface 2-5
exporting 8-50
extended entity 8-49
extended property 8-50
group-specific (table) E-26
logging 10-3
management 8-44
NAC (posture validation) 8-44
per-group 2-5
per-user 2-5
posture validation (NAC) 8-44
user-specific (table) E-25
attribute-value pairs
See AV (attribute value) pairs
audit device types
external, adding attributes C-40
audit logs 10-5
audit server
functionality 14-30
setting up 13-25
audit servers
setting up 13-25
Authenticate MAC With 14-47
authentication 1-7
configuration 9-21
configuring policies 14-27
considerations 1-7
denying unknown users 15-9
options 9-21
overview 1-7
protocol-database compatibility 1-8
request handling 15-3
user databases 1-7
via external user databases 12-4
Windows 12-7
authorization 1-12
configuring policies 14-34
ordering rules 14-37
rules 14-34
sets
See command authorization sets
AV (attribute value) pairs
See also RADIUS VSAs (vendor specific attributes)
RADIUS
Cisco IOS B-3
IETF B-11
TACACS+
accounting A-3
general A-1
Available Credentials 14-48
AV pairs 14-11
B
Backup and Restore logs 10-5
backups
components backed up 7-9
directory management 7-9
disabling scheduled 7-14
filename 7-9
filenames 7-15
locations 7-9
manual 7-11
options 7-10
overview 7-8
reports 7-10
scheduled vs. manual 7-8
scheduling 7-12
vs. replication 8-6
with CSUtil.exe C-3
browsers
See also web interface 1-19
C
cab file 7-25
cached users
See discovered users
CA configuration 9-28
callback options
in Group Setup 5-5
in User Setup 6-6
cascading replication 8-4, 8-9
cautions
significance of I-XXIX
certificate database for LDAP servers 12-47
DB path 12-30
trusted root CA 12-30
certificate trust list
See CTL
certification
See also EAP-TLS
See also PEAP
adding certificate authority certificates 9-26
background 9-1
backups 7-9
Certificate Revocation Lists 9-29
certificate signing request generation 9-32
deleting the certificate from the Certificate Trust List 9-29
editing the certificate trust list 9-28
replacing certificate 9-36
self-signed certificates
configuring 9-35
NAC 13-13
overview 9-33
server certificate installation 9-22
updating certificate 9-36
Change Password page 11-4
CHAP 1-9
in User Setup 6-4
Cisco
Identity-Based Networking Services (IBNS) 1-2
Cisco Discovery Protocol 2-12
Cisco IOS
RADIUS
AV (attribute value) pairs B-2
group attributes 5-28
user attributes 6-26
TACACS+ AV (attribute value) pairs A-1
Cisco Secure ACS Active Service Management
event logging configuration 7-20
overview 7-18
system monitoring
configuring 7-19
custom actions 7-19
Cisco Secure ACS administration overview 1-16
Cisco Secure ACS backups
See backups
Cisco Secure ACS system restore
See restore
CiscoSecure Authentication Agent 5-16
Cisco Secure DBSync 8-20
Cisco Security Agent 1-17
See also CSAgent
integration 1-17
logging 1-17
policies 1-18
restrictions 1-18
viewing logs 7-27
CLID-based filters 4-20
cloning
Network Access Profiles 14-6
policies or rules 13-20
codes
See action codes
collect log files
diagnostic log information 7-25
collect previous days logs
archive system logs 7-25
collect user database
ACS internal database collection in support file 7-25
command authorization sets
See also shell command authorization sets
adding 4-29
configuring 4-25, 4-29
deleting 4-31
editing 4-30
overview 4-25
pattern matching 4-28
PIX command authorization sets 4-25
command-line database utility
See CSUtil.exe
condition sets, defining 13-17
configuration provider
remote agent logs on 10-28
configuring
internal policies 13-17
configuring advanced filtering
Network Access Profiles 14-2
conventions I-XXVIII
copying
policies or rules 13-20
CREATE_DACL E-28
CREATE_USER_DACL E-28
creating
external servers 13-22, 13-23
credentials 13-5
Credential Validation Databases 14-27, 14-46
critical loggers 10-23
Critical Loggers Configuration Page 10-38
CRLs 9-29
CSAdmin
Windows Services 1-23
CSAdmin service 7-2
CSAgent F-8
behavior 1-18
disabling 7-22
enabling 7-22
logging 1-17
overview 1-17
policies 1-18
CSAgent service 1-17, 7-2
CSAuth
Windows Services 1-23
CSDBSync 8-27
Windows Services 1-23
CSLog
Windows Services 1-23
CSMon
See also Cisco Secure ACS Active Service Management
configuration F-10
log F-11
Windows Services 1-23
CSNTacctInfo 12-41, 12-42, 12-43
CSNTAuthUserPap 12-39
CSNTerrorString 12-41, 12-42, 12-43
CSNTExtractUserClearTextPw 12-40
CSNTFindUser 12-40
CSNTgroups 12-41, 12-42, 12-43
CSNTpasswords 12-40, 12-42
CSNTresults 12-41, 12-42, 12-43
CSNTusernames 12-40, 12-41, 12-42
CSRadius F-12
Windows Services 1-23
CSTacacs F-12
Windows Services 1-23
CSUtil.exe
add and delete posture validation attributes C-29
adding external audit device type attributes C-40
backing up with C-3
cleaning up database with C-8
decoding error numbers with C-17
dumping database file with C-6
exporting data with C-15
exporting group information with C-16
import text file (example) C-15
initializing database with C-5
loading database file with C-7
overview C-1
restoring with C-4
updating database with C-9
CSV (comma-separated values) logs
configuring 10-24
downloading 10-33
enabling and disabling 10-24
filename formats 10-31
locations 10-6
logging to 10-6
size and retention 10-7
viewing 10-31
CSV file
local 8-18
RDBMS Synchronization 8-18
CSV log File Configuration Page 10-40
CTL
external policy servers
CTL editing 9-28
custom attributes
in group-level TACACS+ settings 5-22
in user-level TACACS+ settings 6-15
customer support
collecting data for 10-29
providing package.cab file 10-29
D
database group mappings
configuring
for token servers 16-2
for Windows domains 16-6
no access groups 16-4
order 16-8
deleting
group set mappings 16-7
Windows domain configurations 16-7
Database Replication logs 10-5
databases
See also external user databases
ACS internal database 12-1
authentication search process 15-3
cleaning up C-8
deleting 12-57
external
See also external user databases
See also Unknown User Policy
initializing C-5
remote agent selection 12-17
replication
See replication
search order 15-7
search process 15-7
selecting user databases 12-1
synchronization
See RDBMS synchronization
token cards
See token servers
types
See generic LDAP user databases
See LEAP proxy RADIUS user databases
See ODBC features
See RADIUS user databases
unknown users 15-1
user databases 6-2
user import methods 12-2
Windows user databases 12-5
data source names
for ODBC logging 10-9
for RDBMS synchronization 8-33
using with ODBC databases 12-35, 12-44, 12-45
data types, NAC attribute 13-6
date and time setting 7-23
date format control 7-3
debug logs, detail levels 10-29
default ACLs 14-12
default group
in Group Setup 5-2
mapping for Windows 16-4
default time-of-day/day-of-week specification 2-14
default time-of-day access settings for groups 5-5
DELETE_DACL 8-26
deleting 14-6
external audit servers 13-27
external servers 13-23, 13-25
logged-in users 10-34
Network Access Profiles 14-6
policies or rules 13-21
device command sets
See command authorization sets
device management applications support 1-14
DHCP with IP pools 8-40
diagnostic logs 7-27, 10-12
dial-in permission to users in Windows 12-17
dial-up networking clients 12-6, 12-7
digital certificates
See certification
Disabled Accounts report 10-11
viewing 10-35
Disabling NETBIOS F-12
discovered users 15-2
Distinguished Name Caching 12-26
distributed systems
See also proxy
AAA servers in 3-2
overview 3-2
settings
configuring 3-28
default entry 3-3
enabling in interface 2-15
distribution table
See Proxy Distribution Table
DNIS-based filters 4-20
documentation
conventions I-XXVIII
objectives I-XXVII
online 1-21
related I-XXXI, 1-24
Domain List
configuring 12-22
inadvertent user lockouts 12-9, 12-21
overview 12-9
unknown user authentication 15-5
domain name and hostname configuration 7-24
domain names
Windows operating systems 12-8, 12-9
downloadable ACLs 14-9
downloadable IP ACLs
adding 4-15
assigning to groups 5-22
assigning to users 6-14
deleting 4-17
editing 4-16
enabling in interface
group-level 2-15
user-level 2-14
overview 4-13
draft-ietf-radius-tunnel-auth 1-4
dump files
loading a database from C-7
loading a database to C-6
dynamic administration logs 10-11
viewing 10-34
dynamic usage quotas 1-13
dynamic users
removing 6-41
E
EAP (Extensible Authentication Protocol)
Configuration 14-25
overview 1-10
supported protocols 1-10
with Windows authentication 12-10
EAP authentication
protocol 1-8
EAP FAST
for anonymous TLS renegotiation 9-16
EAP-FAST 1-10
enabling 9-19
identity protection 9-11
logging 9-10
master keys
definition 9-11
states 9-11
master server 9-18
overview 9-9
PAC
automatic provisioning 9-14
definition 9-12
manual provisioning 9-15
refresh 9-17
states 9-14
PAC Files Generation 9-37
password aging 5-20
phases 9-10
replication 9-17
EAP-FAST PKI Authorization Bypass 9-16
EAPoUDP failure 14-24
EAPoUDP support 14-24
EAP-TLS 1-10
See also certification
authentication configuration 9-21
comparison methods 9-3
enabling 9-4
limitations 9-4
options 9-42
overview 9-2
with RADIUS Key Wrap 14-25
EAP-TLS authentication
outer identity 9-44
editing
external audit servers 13-27
external posture validation servers 13-23, 13-24
internal policies 13-19
Network Access Profiles 14-5
enable password options for TACACS+ 6-23
enable privilege options for groups 5-13
entitlement reports 10-11
entity field 13-6
error number decoding with CSUtil.exe C-17
Event log
configuring 7-20
exception events F-11
event logging 7-20
exception events F-11
exemption list
external audit 13-10
exports
of user lists C-15
Extensible Authentication Protocol
See EAP (Extensible Authentication Protocol)
Extensible Authentication Protocol (EAP) 1-2
external audit policy
what triggers an 13-10
external audit server
setting up 13-25
external audit servers
about 13-9
adding 13-25
deleting 13-27
editing 13-27
external policies 13-8
exemption list support 13-10
external servers
creating 13-22, 13-23
deleting 13-23, 13-25
editing 13-23, 13-24
external token servers
See token servers
external user databases
See also databases
authentication via 12-4
configuring 12-3
deleting configuration 12-57
latency factors 15-6
search order 15-6, 15-8
supported 1-7
Unknown User Policy 15-1
F
Failed Attempts logs 10-2
failed log-on attempts F-11
failure events
customer-defined actions F-11
predefined actions F-11
fallbacks on failed connection 3-4
finding users 6-37
FTP server 7-8
G
gateways D-2
generating 9-39
Generic LDAP 1-7
generic LDAP user databases
authentication 12-23
certificate database downloading 12-47
configuring
database 12-31
options 12-27
directed authentications 12-24
domain filtering 12-24
failover 12-25
multiple instances 12-24
organizational units and groups 12-24
Global Authentication Setup 9-21
global authentication setup
enabling posture validation 13-14
grant dial-in permission to users 12-6, 12-17
greeting after login 5-18
group-level interface enabling
downloadable IP ACLs 2-15
network access restrictions 2-15
network access restriction sets 2-15
password aging 2-15
group-level network access restrictions
See network access restrictions
groups
See also network device groups
assigning users to 6-5
configuring RADIUS settings for
See RADIUS
Default Group 5-2, 16-4
enabling VoIP (Voice-over-IP) support for 5-4
exporting group information C-16
listing all users in 5-40
mapping order 16-8
mappings 16-1
no access groups 16-4
overriding settings 2-4
relationship to users 2-4
renaming 5-41
resetting usage quota counters for 5-40
settings for
callback options 5-5
configuration-specific 5-12
configuring common 5-3
device management command authorization sets 5-26
enable privilege 5-13
IP address assignment method 5-21
management tasks 5-40
max sessions 5-9
network access restrictions 5-6
password aging rules 5-15
PIX command authorization sets 5-25
shell command authorization sets 5-23
TACACS+ 5-2, 5-3, 5-22
time-of-day access 5-5
token cards 5-14
usage quotas 5-10
setting up and managing 5-1
specifications by ODBC authentications 12-41, 12-42, 12-43
H
handle counts F-10
hard disk space F-10
HCAP errors 10-4
host and domain names configuration 7-24
Host Credentials Authorization Protocol (HCAP) 9-6
host system state F-10
HTML interface
logging off 2-4
HTTP port allocation
for administrative sessions 1-19
I
IEEE 802.1x 1-2
IETF 802.1x 1-10
IETF RADIUS attributes 1-4
importing passwords C-9
imports with CSUtil.exe C-9
inbound
authentication 1-10
password configuration 1-11
installation
related documentation I-XXXI, 1-24
Interface Configuration
See also HTML interface
advanced options 2-6
configuring 2-1
customized user data fields 2-5
Internal ACS Database 14-47
internal architecture F-1
internal policies
editing 13-19
steps to set up 13-17
invalid PAC 9-45
IP ACLs
See downloadable IP ACLs
IP addresses
in User Setup 6-7
multiple, for AAA client 3-8
requirement for CSTacacs and CSRadius F-12
setting assignment method for user groups 5-21
IP pools
address recovery 8-44
deleting 8-43
DHCP 8-40
editing IP pool definitions 8-42
enabling in interface 2-15
overlapping 8-40, 8-41
refreshing 8-41
resetting 8-42
servers
adding IP pools 8-41
overview 8-39
replicating IP pools 8-39
user IP addresses 6-7
K
Key Wrap
configuring for AAA client 3-9
configuring for NDG 3-24
key wrap
enabling 14-26
Key Wrap, RADIUS 14-25
L
LAN manager 1-10
LDAP
Admin Logon Connection Management 12-26
Distinguished Name 12-26
group attributes 14-24
LDAP Server 14-47
LEAP 1-10
LEAP proxy RADIUS user databases
configuring external databases 12-49
group mappings 16-1
overview 12-48
RADIUS-based group specifications 16-8
list all users
in Group Setup 5-40
in User Setup 6-37
local policies
See internal policies
log files
storage directory 7-3
Logged-In Users report 10-11
deleting logged-in users 10-34
viewing 10-34
logging 10-1
attributes 10-3
configuring
logs 1
configuring CSV (comma-separated values) 10-24
configuring ODBC 10-25
configuring remote logging server 10-26
configuring service logs 10-29
configuring syslog 10-24
critical loggers 10-23
CSAgent 1-17
CSV (comma-separated values) 10-6
custom RADIUS dictionaries 8-2
debug logs, detail levels 10-29
diagnostic logs 7-27
enabling and disabling ODBC 10-25
enabling CSV (comma-separated values) 10-24
enabling syslog 10-24
formats and targets 10-5
ODBC 10-9
RDBMS synchronization 8-2
remote, configuring ACS to send data to 10-27
remote, configuring and enabling 10-26
remote, for ACS for Windows 10-10
remote, hosts for 10-10
remote agents, configuring logs on configuration provider 10-28
remote agents, configuring to 10-27
remote agents, sending data to 10-28
remote agents, for ACS SE 10-10
See also logs
See also reports
service logs 10-12
service logs for customer support 10-29
syslog 10-7
watchdog packets 10-37
Logging Configuration Page 10-37
Login Process Fail page 11-3
login process test frequency 7-18
logins
greeting upon 5-18
password aging dependency 5-17
logs 10-1
AAA-related 10-1
Administration Audit 10-5
Appliance Administration Audit 10-5
audit 10-5
Backup and Restore 10-5
Database Replication 10-5
dynamic administration 10-11
Failed Attempts 10-2
logged-in users 10-11
Passed Authentications 10-2
RADIUS accounting 10-2
RDBMS Synchronization 10-5
See also logging
See also reports
service 10-12
Service Monitoring 10-5
TACACS+ accounting 10-2
TACACS+ administration 10-2
User Password Changes 10-5
viewing and downloading 10-30
VOIP accounting 10-2
M
MAC address
standard formats 14-24
machine authentication
enabling 12-15
overview 12-10
with Microsoft Windows 12-13
management application support 1-14
mappings
databases to AAA groups 16-1
master AAA servers 8-2
master key
definition 9-11
states 9-11
max sessions 1-13
enabling in interface 2-15
group 1-13
in Group Setup 5-9
in User Setup 6-11
overview 1-13
user 1-13
member server 12-6, 12-8
memory utilization F-10
Microsoft Health Registration Authority 9-5
Microsoft Network Policy Server (NPS) 9-6
Microsoft Text Driver 8-20
monitoring
configuring 7-19
CSMon F-10
overview 7-18
services 7-26
MS-CHAP 1-9
configuring 9-21
overview 1-9
protocol supported 1-8
multiple IP addresses for AAA clients 3-8
N
NAC 1-2
agentless hosts 13-9
attributes
about 13-5
data types 13-6
deleting C-29
exporting C-29
configuring ACS for support for 13-13
credentials
about 13-5
implementing 13-4
logging 13-14
overview
policies
about 13-16
external 13-8
internal 13-7
results 13-16
remediation server
url-redirect attribute B-6
rules
about 13-8
default 13-32
self-signed certificates 13-13
tokens
definition 13-3
descriptions of 13-3
returned by internal policies 13-7
NAC Agentless Host 14-18
NAC L2 IP 14-11
NAC L3 IP 14-9
NAFs
See network access filters
NAR
See network access restrictions
NAS
See AAA clients
Network Access Filter (NAF)
editing 4-5
Network Access Filters (NAF) 14-2
adding 4-3
deleting 4-6
overview 4-2
Network Access Profiles 14-1, 14-6, 14-23
cloning 14-6
configuring advanced filtering 14-2
editing 14-5
network access quotas 1-13
network access restrictions
deleting 4-24
editing 4-23
enabling in interface
group-level 2-15
user-level 2-14
in Group Setup 5-6
interface configuration 2-15
in User Setup 5-6, 6-8
non-IP-based filters 4-20
overview 4-18
network access servers
See AAA clients
Network Admission Control
See NAC
network configuration 3-1
network device groups
adding 3-24
assigning AAA clients to 3-25
assigning AAA servers to 3-25
configuring 3-23
deleting 3-27
editing 3-26
enabling in interface 2-15
reassigning AAA clients to 3-26
reassigning AAA servers to 3-26
network devices
searches for 3-6
network time protocol
See NTP server
noncompliant devices 1-2
non-EAP authentication
protocol 1-8
NTP server 7-23
O
ODBC features
authentication
CHAP 12-38
EAP-TLS 12-38
overview 12-35
PAP 12-38
preparation process 12-37
process with external user database 12-36
result codes 12-43
case-sensitive passwords 12-39
CHAP authentication sample procedure 12-40
configuring 12-44
data source names 12-35
DSN (data source name) configuration 12-44
EAP-TLS authentication sample procedure 12-40
features supported 12-36
group mappings 16-1
group specifications
CHAP 12-42
EAP-TLS 12-43
PAP 12-41
vs. group mappings 16-2
PAP authentication sample procedures 12-39
password case sensitivity 12-39
stored procedures
CHAP authentication 12-41
EAP-TLS authentication 12-42
implementing 12-38
PAP authentication 12-40
type definitions 12-38
user databases 12-35
ODBC log Configuration Page 10-42
ODBC logging 10-9
configuring 10-25
data source names 10-9
enabling and disabling 10-25
preparing for 10-9
One-time Passwords (OTPs) 1-7
online documentation 1-21
online help 1-21
location in HTML interface 1-20
using 1-21
online user guide 1-22
ordering rules, in policies 13-8
outbound password configuration 1-11
outer identity
EAP-TLS authentication 9-44
overview of Cisco Secure ACS 1-1
P
PAC
automatic provisioning 9-14
definition 9-12
manual provisioning 9-15
refresh 9-17
PAC File Generation
options 9-37
PAC files 9-39
generating 9-39
PAC Free EAP-FAST 9-16
package.cab file, for customer support 10-29
PAP 1-9
in User Setup 6-4
vs. ARAP 1-9
vs. CHAP 1-9
Passed Authentications logs 10-2
password
automatic change password configuration 8-16
password aging 1-11
age-by-uses rules 5-17
Cisco IOS release requirement for 5-16
EAP-FAST 12-16
interface configuration 2-15
in Windows databases 5-19
MS-CHAP 12-16
overview 1-11
PEAP 12-16
rules 5-15
password configurations
basic 1-10
passwords
See also password aging
case sensitive 12-39
CHAP/MS-CHAP/ARAP 6-5
configurations
caching 1-11
inbound passwords 1-11
outbound passwords 1-11
separate passwords 1-10
single password 1-10
token caching 1-11
token cards 1-11
encryption 12-2
expiration 5-17
import utility C-9
local management 7-4
post-login greeting 5-18
protocols supported 1-8
remote change 7-4
user-changeable 1-12
validation options in System Configuration 7-4
patch
overview 7-28
process 7-29
pattern matching in command authorization 4-28
PEAP 1-10
See also certification
configuring 9-21
enabling 9-8
identity protection 9-7
overview 9-6
password aging 5-19
phases 9-6
with Unknown User Policy 9-8
performance monitoring F-10
performance specifications 1-22
per-group attributes
See also groups
enabling in interface 2-5
per-user attributes
enabling in interface 2-5
TACACS+/RADIUS in Interface Configuration 2-14
ping command 1-18
PIX ACLs
See downloadable IP ACLs
PIX command authorization sets
See command authorization sets
PKI (public key infrastructure)
See certification
Point-to-Point Protocol (PPP) 1-23
policies
agentless hosts 13-9
cloning 13-20
configuring 13-15
copying 13-20
deleting 13-21
external 13-8
internal 13-7
local
See internal policies
overview 13-5
renaming 13-20
rule order 13-8
setting up an external audit server 13-25
setting up external servers 13-22, 13-23
Populate from Global 14-13, 14-23, 14-46
Network Access Profiles 14-23
port 2002
in HTTP port ranges 11-19
in URLs 1-21
ports
See also HTTP port allocation
See also port 2002
RADIUS 1-3, 1-4
TACACS+ 1-3
Posture Validation
for Agentless Hosts 14-33
posture validation
attributes 13-5
adding C-29
configuring ACS for 13-13
credentials 13-5
CTL 13-13
enabling 13-14
failed attempts log 13-14
implementing 13-4
options 13-16
passed authentications log 13-14
policy overview 13-5
and profile-based policies 13-3
profiles, adding user groups 13-14
rule
assigning posture tokens 13-14
rules, about 13-8
server certificate requirement 13-13
Posture Validation Policies
configuring 14-29
PPP password aging 5-16
processor utilization F-10
profile 14-1
Profile-based Policies 14-3
profile components
See shared profile components
profiles 14-38
profile templates 14-7
prerequisites 14-7
protocols supported 1-8
protocol support
EAP authentication 1-8
non-EAP authentication 1-8
protocol types
Network Access Profiles 14-2
proxy
See also Proxy Distribution Table
character strings
defining 3-5
stripping 3-5
configuring 3-28
in enterprise settings 3-4
overview 3-3
sending accounting packets 3-5
Proxy Distribution Table
See also proxy
adding entries 3-28
configuring 3-28
default entry 3-3, 3-28
deleting entries 3-30
editing entries 3-30
match order sorting 3-29
overview 3-28
Q
quotas
See network access quotas
See usage quotas
R
RAC and Groups 4-7
RADIUS 1-4
See also RADIUS VSAs (vendor specific attributes)
accounting 1-15
attributes
See also RADIUS VSAs (vendor specific attributes)
in User Setup 6-24
AV (attribute value) pairs
See also RADIUS VSAs (vendor specific attributes)
Cisco IOS B-3
IETF B-11
overview B-1
Cisco Aironet 3-10
IETF
in Group Setup 5-27
interface configuration 2-9
in User Setup 6-25
interface configuration overview 2-7
Key Wrap 14-25
Key Wrap, configuring for AAA client 3-9
Key Wrap, configuring for NDG 3-24
key wrap, enabling 14-26
password aging 5-19
ports 1-3, 1-4
specifications 1-4
token servers 12-51
vs. TACACS+ 1-3
RADIUS user databases
configuring 12-52
group mappings 16-1
RADIUS-based group specifications 16-8
RADIUS VSAs (vendor specific attributes)
3COM/USR
in Group Setup 5-37
in User Setup 6-34
supported attributes B-28
Ascend
in Group Setup 5-31
in User Setup 6-29
supported attributes B-21
Cisco Aironet
in Group Setup 5-30
in User Setup 6-27
Cisco BBSM (Building Broadband Service Manager)
in Group Setup 5-38
in User Setup 6-35
supported attributes B-10
Cisco IOS/PIX
in Group Setup 5-28
interface configuration 2-9
in User Setup 6-26
supported attributes B-4
Cisco VPN 3000
in Group Setup 5-32
in User Setup 6-30
supported attributes B-6
Cisco VPN 5000
in Group Setup 5-33
in User Setup 6-30
supported attributes B-10
custom
about 8-27
in Group Setup 5-39
in User Setup 6-36
Juniper
in Group Setup 5-37
in User Setup 6-33
supported attributes B-28
Microsoft
in Group Setup 5-34
in User Setup 6-31
supported attributes B-19
Nortel
in Group Setup 5-36
in User Setup 6-33
supported attributes B-28
overview B-1
user-defined
about 8-27, C-17
action codes for E-13
adding C-18
deleting C-20
import files C-22
listing C-21
replicating 8-27, C-18
RDBMS Synchronization 8-17
RDBMS synchronization E-1
accountActions file
overview 8-29
configuring 8-36
data source name configuration 8-32, 8-33
disabling 8-37
enabling in interface 2-15
FTP configuration 8-34
group-related configuration 8-21
import definitions E-1
manual initialization 8-35
network configuration 8-22
overview 8-18
partners 8-34
preparing to use 8-30
report and error handling 8-30
scheduling options 8-34
user-related configuration 8-20
RDBMS Synchronization logs 10-5
READ_DACL 8-25
READ_NAS 8-23
Registry F-2
regular expressions syntax 10-32
rejection mode
general 15-3
Windows user databases 15-4
related documentation I-XXXI, 1-24
remote agent
selecting for authentication 12-17
remote agents
adding 3-21
configuration options 3-19
configuring 3-19
configuring logging to 10-27
configuring logs on configuration provider 10-28
deleting 3-23
editing 3-22
overview 3-19
Remote Agents table 3-2
selecting for authentication 12-17
sending data to 10-28
Remote Agents Reports Configuration Page 10-39
remote logging
configuring ACS to send data to 10-27
configuring and enabling 10-26
for ACS for Windows 10-10
hosts 10-10
remote agents, for ACS SE 10-10
See also logging
server, configuring 10-26
using remote agents 10-27
Remote Logging Setup Page 10-39
Remove Dynamic Users 6-41
removing
external audit servers 13-27
external servers 13-23, 13-25
policies or rules 13-21
removing dynamic users 6-41
renaming
policies 13-20
replication
ACS Service Management page 8-2
auto change password settings 8-16
backups recommended (Caution) 8-7
cascading 8-4, 8-9
certificates 8-2
client configuration 8-11
components
overwriting (Caution) 8-11
overwriting (Note) 8-7
selecting 8-7
configuring 8-14
corrupted backups (Caution) 8-7
custom RADIUS dictionaries 8-2
disabling 8-16
EAP-FAST 9-17
encryption 8-4
external user databases 8-2
frequency 8-5
group mappings 8-2
immediate 8-13
implementing primary and secondary setups 8-10
important considerations 8-5
in System Configuration 8-14
interface configuration 2-15
IP pools 8-2, 8-39
logging 8-7
manual initiation 8-13
master AAA servers 8-2
notifications 8-17
options 8-7
overview 8-2
partners
configuring 8-15
options 8-9
process 8-3
scheduling 8-14
scheduling options 8-9
selecting data 8-7
unsupported 8-2
user-defined RADIUS vendors 8-6
vs. backup 8-6
reports 10-1
downloading CSV 10-33
entitlement 10-11
entitlement, viewing and downloading 10-36
See also logging reports
See also logs
viewing and downloading 10-30
viewing appliance status 10-35
viewing CSV 10-31
viewing disabled accounts 10-35
viewing dynamic administration 10-34
viewing logged-in users 10-34
Reports and Activity
in interface 1-20
Reports Page Reference 10-44
request handling
general 15-3
Windows user databases 15-4
Required Credential Types 14-48
resource consumption F-10
restarting services 7-2
restore
components restored
configuring 7-16
overview 7-16
filenames 7-15
in System Configuration 7-14
on a different server 7-14
overview 7-14
performing 7-16
reports 7-16
with CSUtil.exe C-4
restores
finding files 7-15
RFC2138 1-4
RFC2139 1-4
RSA user databases
configuring 12-54
group mappings 16-1
rule 13-8
rules
about 13-8
S
search order of external user databases 15-8
security protocols
CSRadius F-12
CSTacacs F-12
RADIUS 1-3, B-1
TACACS+
custom commands 2-12
overview 1-3
time-of-day access 2-12
Selected Credentials 14-48
server certificate installation 9-22
service control in System Configuration 10-29
Service Control Page Reference 10-43
service logs 10-12
configuring 10-29
for customer support 10-29
Service Monitoring logs 10-5
services
determining status of 7-2
logs generated 10-12
management 7-18
monitoring 7-26
starting 7-2
stopping 7-2
shared profile components
See also command authorization sets
See also downloadable IP ACLs
See also network access filters
See also network access restrictions
overview 4-1
Shared Profile Components (SPC) 1-14
Shared RAC 14-35
shared secret F-12
shell command authorization sets
See also command authorization sets
in Group Setup 5-23
in User Setup 6-17
Simple Network Management Protocol (SNMP) 1-13
single password configurations 1-10
SMTP (simple mail-transfer protocol) F-11
SNMP, support on appliance 7-23
specifications
RADIUS
RFC2138 1-4
RFC2139 1-4
system performance 1-22
TACACS+ 1-4
SSL (secure sockets layer) 12-30
starting services 7-2
Statements of Health (SoHs) 9-5
static IP addresses 6-7
stopping services 7-2
stored procedures
CHAP authentication
configuring 12-46
input values 12-41
output values 12-42
result codes 12-43
EAP-TLS authentication
configuring 12-46
input values 12-42
output values 12-43
implementing 12-38
PAP authentication
configuring 12-46
input values 12-40
output values 12-41
result codes 12-43
sample procedures 12-39
type definitions
integer 12-38
string 12-38
supplementary user information
in User Setup 6-4
setting 6-4
support
Cisco Device-Management Applications 1-14
supported password protocols 1-8
Support Page 7-25
synchronization
See RDBMS synchronization
Syslog Log Configuration Page 10-41
syslog logging
configuring 10-24
enabling and disabling 10-24
message format 10-7
message length limitations 10-8
syslog logs
logging to 10-7
system
configuration
advanced 8-1
authentication 9-1
basic 7-1
certificates 9-1
health F-10
messages in interface 1-20
monitoring
See monitoring
performance specifications 1-22
services
See services
system monitoring
technical support file 7-25
system performance
specifications 1-22
T
TACACS+ 1-3, 1-4
accounting 1-15
accounting logs 10-2
administration logs 10-2
advanced TACACS+ settings
in Group Setup 5-2, 5-3
in User Setup 6-21
AV (attribute value) pairs
accounting A-3
general A-1
custom commands 2-12
enable password options for users 6-23
enable privilege options 6-22
interface configuration 2-6
outbound passwords for users 6-24
ports 1-3
SENDAUTH 1-11
settings
in Group Setup 5-2, 5-3, 5-22
in User Setup 6-15
specifications 1-4
time-of-day access 2-12
vs. RADIUS 1-3
Telnet
See also command authorization sets
password aging 5-16
test login frequency internally 7-18
thread used F-11
time and date setting 7-23
time format control 7-3
time-of-day/day-of-week specification
See also date format control
enabling in interface 2-14
timeout values on AAA clients 15-6
TLS (transport layer security)
See certification
token caching 1-11, 12-51
token cards 1-23
password configuration 1-11
settings in Group Setup 5-14
token servers
ISDN terminal adapters 12-51
overview 12-50
RADIUS-enabled 12-51
RADIUS token servers 12-51
supported servers 1-7
token caching 12-51
troubleshooting 14-38
debug logs 10-12
trust lists
See certification
trust relationships 12-6
U
UNIX passwords C-12
unknown service user setting 6-21
Unknown User Policy 12-18
See also unknown users
configuring 15-8
in external user databases 12-2, 15-7
turning off 15-9
unknown users
See also Unknown User Policy
authentication 15-3
authentication performance 15-6
authentication processing 15-6
network access authorization 15-6
unmatched user requests 14-3
UPDATE_DACL 8-26
UPDATE_NAS 8-23
updating packets in accounting logs 10-37
upgrade
applying 7-33
CSAgent 1-18
distribution server requirements 7-29
overview 7-28
process 7-29
restrictions 1-18
transferring 7-30
usage quotas
in Group Setup 5-10
in Interface Configuration 2-15
in User Setup 6-12
overview 1-13
resetting
for groups 5-40
for single users 6-39
user-changeable passwords
overview 1-12
with Windows user databases 12-16
user databases
See databases
User Data Configuration 2-5
User Entitlements report 10-12
user groups
See groups
user guide
online 1-22
user-level
downloadable ACLs interface 2-14
network access restrictions
See also network access restrictions
enabling in interface 2-14
User Password Changes logs 10-5
users
See also User Setup
adding
basic steps 6-3
assigning client IP addresses to 6-7
assigning to a group 6-5
callback options 6-6
configuring 6-1
configuring device management command authorization sets for 6-20
configuring PIX command authorization sets for 6-19
configuring shell command authorization sets for 6-17
customized data fields 2-5
deleting 10-34
deleting accounts 6-39
disabling accounts 6-3
finding 6-37
import methods 12-2
in multiple databases 15-4
listing all users 6-37
number of 1-22
RDBMS synchronization 8-20
relationship to groups 2-4
removing dynamic 6-41
resetting accounts 6-40
saving settings 6-41
supplementary information 6-4
types
discovered 15-2
known 15-2
unknown 15-2
VPDN dialup D-1
User Setup
account management tasks 6-37
basic options 6-2
configuring 6-1
deleting user accounts 6-39
saving settings 6-41
Users in Group button 5-40
V
validation of passwords 7-4
vendors
adding audit 13-25
vendor-specific attributes
See RADIUS VSAs (vendor specific attributes)
in RDBMS synchronization 4-8, 8-27
vendor-specific attributes (VSAs) 1-4
Viewing Dynamic Administration Reports 10-34
Virtual Private Dial-Up Networks (VPDNs) 1-13
Voice-over-IP
See VoIP (Voice-over-IP)
VoIP (Voice-over-IP)
accounting 1-15
accounting configuration 2-16, 7-21
enabling in interface 2-15
group settings in Interface Configuration 2-15
in Group Setup 5-4
VPDN
authentication process D-1
domain authorization D-2
home gateways D-2
IP addresses D-2
tunnel IDs D-2
users D-1
VSAs
See RADIUS VSAs (vendor specific attributes)
W
warning events F-10, F-11
warnings
significance of I-XXIX
watchdog packets
logging 10-37
web interface
See also Interface Configuration
layout 1-19
security 1-16
uniform resource locator 1-21
Windows Authentication Configuration 12-21
Windows Callback 12-18
Windows Database Callback 12-18
Windows operating systems
authentication order 15-5
Cisco Secure ACS-related services
services 7-2
dial-up networking 12-6
dial-up networking clients
domain field 12-7
password field 12-7
username field 12-7
Domain List effect 15-5
domains
domain names 12-8, 12-9, 15-4
Event logs F-11
Registry F-2
Windows Services 1-23
CSAdmin 1-23
CSAuth 1-23
CSDBSync 1-23
CSLog 1-23
CSMon 1-23
CSRadius 1-23
CSTacacs 1-23
overview 1-23
Windows user database 1-7
passwords 1-8
Windows user databases
See also databases
Active Directory 12-17
configuring 12-22
Domain list
inadvertent user lockouts 12-21
domain mapping 16-6
domains
trusted 12-6
grant dial-in permission to users 12-6, 12-17
group mappings
editing 16-6
no access groups 16-4
remapping 16-6
overview 12-5
password aging 5-19
rejection mode 15-4
request handling 15-4
trust relationships 12-6
user-changeable passwords 12-16
user manager 12-17