User Guide for Cisco Secure ACS Appliance 3.2
Index


A

AAA

See also AAA clients

See also AAA servers

definition 1-1

pools for IP address assignment 7-10

AAA clients

AAA Clients table 4-2

adding and configuring 4-17

configuration 4-11

definition 1-5

deleting 4-21

editing 4-20

interaction with AAA servers 1-5

IP pools 7-10

multiple IP addresses for 4-12

searching for 4-9

supported Cisco AAA clients 1-2

timeout values 14-8

AAA servers

AAA Servers table 4-2

adding 4-25

configuring 4-22

deleting 4-28

editing 4-27

enabling in interface (table) 3-5

functions and concepts 1-4

in distributed systems 4-3

master 9-3

overview 4-22

primary 9-3

replicating 9-3

searching for 4-9

secondary 9-3

troubleshooting A-1

access devices 1-5

accessing Cisco Secure ACS

how to 1-29

URL 1-27

with SSL enabled 1-27

access policies

See administrative access policies

accountActions File 9-28

account disablement

Account Disabled check box 7-4

manual 7-55

resetting 7-57

setting options for 7-19

accounting

See also logging

logs 11-5

overview 1-20

ACLs

See downloadable IP ACLs

action codes

for initializing and modifying access filters E-15

for modifying network configuration E-27

for modifying TACACS+ and RADIUS settings E-19

for setting and deleting values E-5

in accountActions E-5

ActivCard user databases

configuring 13-61

group mappings 15-2

RADIUS-based group specifications 15-13

Administration Audit log

viewing 11-14

administration logs 11-7

administrative access policies

See also administrators

configuring 12-14

limits 12-11

options 12-12

overview 2-13

administrative sessions

and HTTP proxy 1-28

network environment limitations of 1-27

session policies 12-16

through firewalls 1-28

through NAT (network address translation) 1-29

administrators

See also Administration Audit log

See also Administration Control

See also administrative access policies

adding 12-6

deleting 12-11

editing 12-8

locked out 12-10

locking out 12-17

overview 12-2

privileges 12-3

separation from general users 2-15

troubleshooting A-2

unlocking 12-10

advanced options in interface 3-6

age-by-date rules for groups 6-24

Aironet

AAA client configuration 4-14

RADIUS parameters for group 6-39

RADIUS parameters for user 7-39

appliance

configuration 8-22

hardware specifications 1-2

Appliance Status report

description 11-8

viewing 11-11

ARAP

compatible databases 1-9

in User Setup 7-4

protocol supported 1-10

architectural components of Cisco Secure ACS F-1

ASCII/PAP

compatible databases 1-9

protocol supported 1-10

attributes

enabling in interface 3-2

group-specific (table) E-37

logging of user data 11-2

per-group 3-2

per-user 3-2

user-specific (table) E-36

attribute-value pairs

See AV (attribute value) pairs

authentication

configuration 10-25

denying external user databases 14-11

options 10-32

overview 1-8

request handling 14-4

via external user databases 13-5

Windows 13-10

authorization 1-16

authorization sets

See command authorization sets

AV (attribute value) pairs

See also RADIUS VSAs (vendor specific attributes)

RADIUS

Cisco IOS C-2

IETF C-12

TACACS+

accounting B-4

general B-1

Axent user databases

See PassGo user databases

B

backups

components backed up 8-9

disabling scheduled 8-13

filenames 8-14

options 8-9

overview 8-8

performing manually 8-10

reports 8-9

scheduled vs. manual 8-8

scheduling 8-11

vs. replication 9-10

browsers

See also HTML interface

troubleshooting A-4

C

cab file 8-24

callback options

in Group Setup 6-6

in User Setup 7-8

cascading replication 9-6, 9-12

certificate database for LDAP servers 13-47

certification

See also EAP-TLS

See also PEAP

adding certificate authority certificates 10-36

background 10-1

backups 8-9

certificate enrollment 10-33

certificate signing request generation 10-39

editing the certificate trust list 10-38

installing certificate 10-33

replacing certificate 10-40

updating certificate 10-40

CHAP

compatible databases 1-9

in User Setup 7-4

protocol supported 1-10

Cisco IOS

RADIUS

AV (attribute value) pairs C-2

group attributes 6-38

user attributes 7-38

TACACS+ AV (attribute value) pairs B-1

troubleshooting A-5

Cisco Secure ACS Active Service Management

overview 8-17

Cisco Secure ACS Active Service Monitoring log

viewing 11-14

Cisco Secure ACS administration overview 1-21

Cisco Secure ACS Backup and Restore log

viewing 11-14

Cisco Secure ACS backups

See backups

Cisco Secure ACS service management

event logging configuration 8-20

system monitoring

configuring 8-19

options 8-18

Cisco Secure ACS Service Monitoring log

CSV (comma-separated values) file directory 11-26

Cisco Secure ACS system restore

See restore

CiscoSecure Authentication Agent 1-15, 6-20

CiscoSecure database replication

See replication

CiscoSecure user database

See also databases

overview 13-2

codes

See action codes

command authorization sets

See also shell command authorization sets

adding 5-19

configuring 5-15, 5-19

deleting 5-23

editing 5-22

overview 5-15

pattern matching 5-19

PIX command authorization sets 5-15

conventions xxv

CRYPTOCard user databases

configuring 13-61

group mappings 15-2

RADIUS-based group specifications 15-13

CSAdmin F-2

CSAuth F-3

CSDBSync 9-28, F-3

CSLog F-4

CSMon

See also Cisco Secure ACS Active Service Management

configuration F-4

failure events

customer-defined actions F-7

predefined actions F-7

functions F-4

log F-6

overview F-4

CSRadius F-7

CSTacacs F-7

CSV (comma-separated values) files

downloading 11-14

viewing 11-14

custom attributes

in group-level TACACS+ settings 6-29

in user-level TACACS+ settings 7-22

D

database group mappings

configuring

for token servers 15-3

for Windows domains 15-8

no access groups 15-6

order 15-11

deleting

group set mappings 15-10

Windows domain configurations 15-11

in external user databases 15-1

overview 15-1

Database Replication log

description 11-12

viewing 11-14

databases

authentication protocol compatibility of 1-9

CiscoSecure user database 13-2

deleting 13-64

deployment considerations 2-16

external

See also external user databases

See also unknown user policies

group mappings

See database group mappings

performance 14-8

remote agent selection 13-23

replication

See replication

search order 14-10

search process 14-9, 14-10

selecting user databases 13-1

synchronization

See RDBMS synchronization

token cards

See token servers

troubleshooting A-6, A-16

types

See ActivCard user databases

See CRYPTOCard user databases

See generic LDAP user databases

See LEAP proxy RADIUS user databases

See Novell NDS user databases

See PassGo user databases

See RADIUS user databases

See SafeWord user databases

unknown users 14-2

user

import methods 13-2

Windows user databases 13-6

date and time setting 8-22

date format control 8-3

debug logs

detail levels 11-27

frequency 11-27

troubleshooting A-12

default group in Group Setup 6-2

default group mapping for Windows 15-6

default time-of-day/day-of-week specification 3-4

default time-of-day access settings for groups 6-5

deleting logged-in users 11-10

deployment

overview 2-1

sequence 2-17

device command sets

See command authorization sets

device groups

See network device groups

device management applications support 1-18

DHCP with IP pools 9-39

diagnostic logs 8-27

dial-in permission to users in Windows 13-23

dial-in troubleshooting A-8

dial-up networking clients 13-10

dial-up topologies 2-4

digital certificates

See certification

Disabled Accounts report

description 11-8

viewing 11-11

discovered users 14-2

distributed systems

See also proxy

AAA servers in 4-3

overview 4-3

settings

configuring 4-42

default entry 4-4

enabling in interface 3-5

distribution table

See Proxy Distribution Table

documentation

conventions xxv

objectives xxiii

online 1-31

organization xxiv

related xxvii

domain lists

configuring 13-29

inadvertent user lockouts 13-12, 13-26

overview 13-11

domain name and hostname configuration 8-23

domain names

Windows operating systems 13-10

downloadable IP ACLs

adding 5-4

assigning to groups 6-28

assigning to users 7-20

deleting 5-6

editing 5-5

enabling in interface

group-level 3-5

user-level 3-4

overview 5-2

draft-ietf-radius-tunnel-auth 1-6

E

EAP (Extensible Authentication Protocol)

overview 1-12

with Windows authentication 13-12

EAP-FAST

compatible databases 1-9

enabling 10-23

identity protection 10-13

logging 10-12

master keys

definition 10-13

states 10-14

master server 10-22

options 10-26

overview 10-12

PAC

automatic provisioning 10-17

definition 10-15

manual provisioning 10-18

refresh 10-19

states 10-17

phases 10-12

replication 10-20

EAP-TLS

See also certification

authentication configuration 10-25

comparison methods 10-4

compatible databases 1-9

domain stripping 13-13

enabling 10-5

limitations 10-5

options 10-29

overview 10-2

session resume 10-4

enable password options for TACACS+ 7-34

enable privilege options for groups 6-18

event logging 8-20

exception events F-6

Extensible Authentication Protocol

See EAP (Extensible Authentication Protocol)

external token servers

See token servers

external user databases

See also databases

authentication via 13-5

configuring 13-3

deleting configuration 13-64

latency factors 14-8

search order 14-8, 14-10

supported 1-9

turning off authentication from 14-11

unknown user policy 14-1

F

Failed Attempts log

configuring CSV 11-15

enabling

log 11-13

viewing 11-14

failed log-on attempts F-6

failure events

customer-defined actions F-7

predefined actions F-7

fallbacks on failed connection 4-6

finding users 7-54

firewalls

administering AAA servers through 1-22

troubleshooting A-16

FTP setup options 9-31

G

gateways D-3

generic LDAP user databases

authentication 13-30

certificate database downloading 13-47

configuring

database 13-42

options 13-36

directed authentications 13-32

domain filtering 13-32

failover 13-34

mapping database groups to AAA groups 15-4

multiple instances 13-31

organizational units and groups 13-32

Global Authentication Setup 10-32

grant dial-in permission to users 13-9, 13-23

greeting after login 6-23

group-level interface enabling

downloadable IP ACLs 3-5

network access restrictions 3-5

password aging 3-5

group-level network access restrictions

See network access restrictions

groups

See also network device groups

assigning users to 7-7

configuring RADIUS settings for

See RADIUS

Default Group 6-2, 15-6

enabling VoIP (Voice-over-IP) support for 6-4

listing all users in 6-53

mapping order 15-11

mappings 15-1

multiple mappings 15-5

no access groups 15-5

overriding settings 3-2

relationship to users 3-2

renaming 6-54

resetting usage quota counters for 6-53

settings for

callback options 6-6

configuration-specific 6-15

configuring common 6-3

device management command authorization sets 6-35

enable privilege 6-18

IP address assignment method 6-27

management tasks 6-52

max sessions 6-11

network access restrictions 6-7

password aging rules 6-20

PIX command authorization sets 6-33

shell command authorization sets 6-31

TACACS+ 6-2, 6-29

time-of-day access 6-5

token cards 6-17

usage quotas 6-13

setting up and managing 6-1

sort order within group mappings 15-5

GUI

See HTML interface

H

handle counts F-5

hard disk space F-5

Help 1-26

host and domain names configuration 8-23

host system state F-5

HTML interface

See also Interface Configuration

encrypting 12-13

logging off 1-30

overview 1-24

security 1-24

SSL 1-24

web server F-2

HTTP port allocation

configuring 12-14

overview 1-22

HTTPS 12-13

I

IETF 802.1x 1-12

inbound authentication 1-13

inbound password configuration 1-14

installation

related documentation xxvii

system requirements 2-2

troubleshooting A-13

Interface Configuration

See also HTML interface

advanced options 3-4

configuring 3-1

customized user data fields 3-3

security protocol options 3-9

IP addresses

in User Setup 7-9

multiple IP addresses for AAA client 4-12

requirement for CSTacacs and CSRadius F-7

setting assignment method for user groups 6-27

IP pools

address recovery 9-44

deleting 9-43

DHCP 9-39

editing IP pool definitions 9-41

enabling in interface 3-5

IP pools address recovery 3-5

overlapping 9-39, 9-40

refreshing 9-40

resetting 9-42

servers

adding IP pools 9-40

overview 9-38

replicating IP pools 9-38

user IP addresses 7-10

L

LAN manager 1-12

latency in networks 2-17

LDAP databases

See generic LDAP user databases

LEAP proxy RADIUS user databases

configuring external databases 13-56

group mappings 15-2

overview 13-55

RADIUS-based group specifications 15-13

list all users

in Group Setup 6-53

in User Setup 7-54

Logged-In Users report

deleting logged-in users 11-10

description 11-8

viewing 11-9

logging

See also Reports and Activity

accounting logs 11-5

configuring 11-16, 11-17

configuring remote agent logs 11-24, 11-25

debug log detail levels 11-27

diagnostic logs 8-27

domain names 11-2

dynamic administration reports 11-7

event logging 8-20

external user databases 11-2

format 11-1

overview 11-4

remote agent logging

configuration 11-22

options 11-22

remote logging

centralized 11-18

configuring 11-20

disabling 11-22

enabling 11-20

enabling in interface 3-5

local configuration 11-19

options 11-19

overview 11-17

replication 9-11

services

configuring service logs 11-27

list of logs generated 11-26

system logs 11-12

troubleshooting A-14

user data attributes 11-2

watchdog packets 11-3

logins

greeting upon 6-23

password aging dependency 6-22

login testing frequency 8-18

M

machine authentication

overview 13-13

with Microsoft Windows 13-16

management application support 1-18

mappings

database groups to AAA groups 15-4

database to AAA groups 15-2

master AAA servers 9-3

master key

definition 10-13

states 10-14

max sessions

enabling in interface 3-5

in Group Setup 6-11

in User Setup 7-15

overview 1-17

troubleshooting A-14

memory utilization F-5

monitoring

configuring 8-19

CSMon F-5

overview 8-18

services 8-26

MS-CHAP

compatible databases 1-9

configuring 10-25

overview 1-12

protocol supported 1-10

multiple group mappings 15-5

multiple IP addresses for AAA clients 4-12

N

NAR

See network access restrictions

NAS

See AAA clients

NDG

See network device groups

network access filters

See network access restrictions

network access quotas 1-18

network access restrictions

adding 5-9

configuring 5-9

deleting 5-14

editing 5-12

enabling in interface

group-level 3-4

user-level 3-4

in Group Setup 6-7

Interface Configuration 3-5

in User Setup 6-7, 7-10

overview 5-7

network access servers

See AAA clients

Network Configuration 4-1

network device groups

adding 4-37

assigning AAA clients to 4-38

assigning AAA servers to 4-38

configuring 4-36

deleting 4-40

enabling in interface 3-6

overview 1-22, 4-2

reassigning AAA clients to 4-39

reassigning AAA servers to 4-39

renaming 4-39

network devices

See AAA clients

searches for 4-9

network requirements 2-2

networks

latency 2-17

reliability 2-17

network time protocol

See NTP server

network topologies

deployment 2-4

wireless 2-7

notifications F-6

Novell NDS user databases

authentication 13-49

configuring 13-53

mapping database groups to AAA groups 15-4

options 13-51

user contexts 13-50

NTP server 8-22

O

Online Documentation 1-31

online Help

location in HTML interface 1-26

using 1-31

outbound password configuration 1-14

overview of Cisco Secure ACS 1-1

P

PAC

automatic provisioning 10-17

definition 10-15

manual provisioning 10-18

refresh 10-19

PAP

compatible databases 1-9

in User Setup 7-4

vs. ARAP 1-11

vs. CHAP 1-11

Passed Authentications log

configuring CSV (comma-separated values) 11-15

enabling CSV (comma-separated values) logging 11-13

viewing 11-14

PassGo user databases

configuring external databases 13-61

group mappings 15-2

RADIUS-based group specifications 15-13

password aging

age-by-uses rules 6-22

Cisco IOS release requirement for 6-20

EAP-FAST 13-22

interface configuration 3-5

in Windows databases 6-25

MS-CHAP 13-22

overview 1-15

PEAP 13-22

rules 6-20

passwords

See also password aging

CHAP/MS-CHAP/ARAP 7-6

configurations

caching 1-14

inbound passwords 1-14

outbound passwords 1-14

separate passwords 1-13

single password 1-13

token caching 1-14

token cards 1-13

expiration 6-22

local management 8-5

post-login greeting 6-23

protocols and user database compatibility 1-9

protocols supported 1-10

remote change of 8-5

user-changeable 1-15

validation options in System Configuration 8-5

pattern matching in command authorization 5-19

PEAP

See also certification

compatible databases 1-9

configuring 10-25

enabling 10-10

identity protection 10-8

options 10-25

overview 10-7

password aging 6-26

phases 10-7

with Unknown User Policy 10-9

performance monitoring F-5

performance specifications 1-2

per-group attributes

See also groups

enabling in interface 3-2

per-user attributes

enabling in interface 3-2

TACACS+/RADIUS in Interface Configuration 3-4

PIX ACLs

See downloadable IP ACLs

PIX command authorization sets

See command authorization sets

PIX Firewall troubleshooting A-16

PKI (public key infrastructure)

See certification

port 2002

in HTTP port ranges 12-13, F-2

in URLs 1-27

port allocation

See HTTP port allocation

ports

See also HTTP port allocation

See also port 2002

RADIUS 1-6

requirements 2-2

TACACS+ 1-6

PPP password aging 6-20

processor utilization F-5

profile components

See shared profile components

proxy

See also Proxy Distribution Table

character strings

defining 4-6

stripping 4-6

configuring 4-41

in enterprise settings 4-7

overview 4-4

sending accounting packets 4-7

troubleshooting A-13

Proxy Distribution Table

See also proxy

adding entries 4-43

configuring 4-42

default entry 4-4, 4-42

deleting entries 4-46

editing entries 4-45

match order sorting 4-44

overview 4-3, 4-42

Q

quotas

See network access quotas

See usage quotas

R

RADIUS

See also RADIUS VSAs (vendor specific attributes)

attributes

See also RADIUS VSAs (vendor specific attributes)

in User Setup 7-36

AV (attribute value) pairs

See also RADIUS VSAs (vendor specific attributes)

Cisco IOS C-2

IETF C-12

overview C-1

Cisco Aironet 4-14

IETF

in Group Setup 6-37

interface configuration 3-16

in User Setup 7-37

interface configuration overview 3-11

password aging 6-25

ports 1-6

specifications 1-6

troubleshooting A-18

tunneling packets 4-19

vs. TACACS+ 1-6

RADIUS Accounting log

configuring CSV (comma-separated values) 11-14, 11-15

enabling CSV (comma-separated values) 11-13

RADIUS user databases

configuring 13-61

group mappings 15-2

RADIUS-based group specifications 15-13

RADIUS VSAs (vendor specific attributes)

Ascend

in Group Setup 6-41

in User Setup 7-41

supported attributes C-30

Cisco Aironet

in Group Setup 6-39

in User Setup 7-39

Cisco BBSM (Building Broadband Service Manager)

in Group Setup 6-50

in User Setup 7-51

supported attributes C-12

Cisco IOS/PIX

in Group Setup 6-38

interface configuration 3-17

in User Setup 7-38

supported attributes C-5

Cisco VPN 3000

in Group Setup 6-42

in User Setup 7-43

supported attributes C-7

Cisco VPN 5000

in Group Setup 6-44

in User Setup 7-45

supported attributes C-11

custom

about 9-27

in Group Setup 6-51

in User Setup 7-52

Juniper

in Group Setup 6-49

in User Setup 7-50

supported attributes C-43

Microsoft

in Group Setup 6-45

in User Setup 7-46

supported attributes C-27

Nortel

in Group Setup 6-47

in User Setup 7-48

supported attributes C-42

overview C-1

user-defined

about 9-27

action codes for E-19

replicating 9-27

RDBMS synchronization

accountActions file

as a transaction queue 9-28

overview 9-28

configuring 9-34

CSDBSync 9-28

disabling 9-37

enabling in interface 3-5

FTP configuration 9-31

FTP setup options 9-31

group-related configuration 9-26

import definitions E-1

log

description 11-12

viewing 11-14

network configuration 9-26

overview 9-24

partners 9-32

preparations for 9-29

scheduling options 9-32

starting manually 9-32

user-related configuration 9-25

rejection mode

general 14-4

Windows user databases 14-5

related documentation xxvii

reliability of network 2-17

remote access policies 2-12

remote agent logging

configuration 11-22

options 11-22

remote agents

adding 4-32

configuring 4-29

deleting 4-35

editing 4-34

options 4-30

overview 4-29

Remote Agents table 4-2

selecting for authentication 13-23

remote logging

centralized 11-18

configuring remote agent logs 11-23

disabling 11-22

local configuration 11-19

options 11-19

overview 11-17

replication

backups recommended (Caution) 9-10

cascading 9-6, 9-12

certificates 9-3

client configuration 9-16

components

overwriting (Caution) 9-16

overwriting (Note) 9-11

selecting 9-11

configuring 9-20

corrupted backups (Caution) 9-10

disabling 9-23

EAP-FAST 10-20

frequency 9-7

immediate 9-18

implementing primary and secondary setups 9-15

important considerations 9-8

in System Configuration 9-20

interface configuration 3-5

IP pools 9-3, 9-38

logging 9-11

manual initiation 9-18

master AAA servers 9-3

notifications 9-23

options 9-11

overview 9-2

partners

configuring 9-22

options 9-12

process 9-4

scheduling 9-20

scheduling options 9-12

selecting data 9-11

user-defined RADIUS vendors 9-9

vs. backup 9-10

Reports and Activity

See also logging

configuring 11-16, 11-17

CSV logs 11-12

in interface 1-26

overview 11-4

request handling

general 14-4

Windows user databases 14-5

requirements

network 2-2

system installation 2-2

resource consumption F-5

restarting services 8-2

restore

components restored

configuring 8-15

overview 8-15

filenames 8-14

in System Configuration 8-13

overview 8-14

performing 8-15

reports 8-15

RFC2138 1-6

RFC2139 1-6

RSA user database group mappings 15-2

S

SafeWord user databases

configuring 13-61

group mappings 15-2

RADIUS-based group specifications 15-13

search order of external user databases 14-10

security policies 2-13

security protocols

Cisco AAA client devices 1-2

CSRadius F-7

CSTacacs F-7

interface options 3-9

RADIUS 1-6, C-1

TACACS+

custom commands 3-9

overview 1-6

time-of-day access 3-8

service control in System Configuration 11-27

Service Monitoring log

See Cisco Secure ACS Service Monitoring log

services

determining status of 8-2

logs

configuring 11-27

list of logs generated 11-26

management 8-17

monitoring 8-26

overview 1-4, F-1

starting 8-2

stopping 8-2

session policies

configuring 12-17

options 12-16

overview 12-16

shared profile components

See also command authorization sets

See also network access restrictions

downloadable IP ACLs 5-2

overview 5-1

shared secret F-7

shell command authorization sets

See also command authorization sets

in Group Setup 6-31

in User Setup 7-25

single password configurations 1-13

SMTP (simple mail-transfer protocol) F-6

specifications

RADIUS

RFC2138 1-6

RFC2139 1-6

system performance 1-2, 1-3

TACACS+ 1-6

SSL (secure socket layer) 12-13

starting services 8-2

static IP addresses 7-9

stopping services 8-2

supplementary user information

in User Setup 7-5

setting 7-5

support page 8-24

synchronization

See RDBMS synchronization

system

configuration

advanced 9-1

authentication 10-1

basic 8-1

certificates 10-1

health F-5

messages in interface 1-26

services

See services

system installation requirements 2-2

system monitoring

See monitoring

technical support file 8-24

T

TACACS+

advanced TACACS+ settings

in Group Setup 6-2

in User Setup 7-32

AV (attribute value) pairs

accounting B-4

general B-1

custom commands 3-9

enable password options for users 7-34

enable privilege options 7-32

interface configuration 3-7

interface options 3-9

outbound passwords for users 7-36

ports 1-6

SENDAUTH 1-14

settings

in Group Setup 6-2, 6-29

in User Setup 7-21, 7-22

specifications 1-6

time-of-day access 3-8

troubleshooting A-18

vs. RADIUS 1-6

TACACS+ Accounting log

configuring CSV (comma-separated values) 11-15

enabling CSV (comma-separated values) 11-13

viewing 11-14

TACACS+ Administration log

configuring CSV (comma-separated values) 11-15

enabling CSV (comma-separated values) 11-13

viewing 11-14

Telnet

See also command authorization sets

password aging 6-20

test login frequency 8-18

thread used F-6

time and date setting 8-22

time-of-day/day-of-week specification enablement 3-4

timeout values on AAA clients 14-8

TLS (transport level security)

See certification

token caching 1-14, 13-59

token cards

password configuration 1-13

settings in Group Setup 6-17

token servers

ISDN terminal adapters 13-59

overview 13-58

supported servers 1-9

token caching 13-59

topologies

See network topologies

troubleshooting

AAA servers A-1

administration issues A-2

browser issues A-4

Cisco IOS issues A-5

database issues A-6

debug logs 11-25, A-12

dial-in issues A-8

installation issues A-13

max sessions issues A-14

PIX Firewall issues A-16

proxy issues A-13

RADIUS issues A-18

report issues A-14

TACACS+ issues A-18

third-party server issues A-16

upgrade issues A-13

user issues A-17

trust lists

See certification

trust relationships 13-9

U

unknown service user setting 7-31

unknown user policies

See also unknown users

configuring 14-10

in external user databases 14-10

overview 14-9

unknown users

See also unknown user policies

authentication processing 14-8

handling methods 14-2

network access authorization 14-9

update packets

See watchdog packets

upgrade

applying 8-35

distribution server requirements 8-29

overview 8-28

process 8-30

transferring 8-32

troubleshooting A-13

usage quotas

in Group Setup 6-13

in Interface Configuration 3-5

in User Setup 7-17

overview 1-18

resetting

for groups 6-53

for single users 7-57

user-changeable passwords

overview 1-15

with Windows user databases 13-22

User Data Configuration 3-3

user groups

See groups

user-level

See also per-user attributes

downloadable ACLs interface 3-4

network access restrictions

See also network access restrictions

enabling in interface 3-4

users

See also User Setup

adding

basic steps 7-3

methods 13-2

assigning client IP addresses to 7-9

assigning to a group 7-7

callback options 7-8

configuring 7-2

configuring device management command authorization sets for 7-29

configuring PIX command authorization sets for 7-28

configuring shell command authorization sets for 7-25

customized data fields 3-3

data configuration

See User Data Configuration

deleting 11-10

deleting accounts 7-56

disabling accounts 7-4

finding 7-54

import methods 13-2

in multiple databases 14-6

in multiple domains 14-6

listing all users 7-54

number allowed 2-16

RDBMS synchronization 9-25

relationship to groups 3-2

resetting accounts 7-57

saving settings 7-59

supplementary information 7-5

troubleshooting A-17

types

discovered 14-3

known 14-2

unknown 14-2

VPDN dialup D-2

User Setup

account management tasks 7-53

basic options 7-2

configuring 7-2

deleting user accounts 7-56

saving settings 7-59

Users in Group button 6-53

V

validation of passwords 8-5

Vasco user databases

group mappings 15-2

RADIUS-based group specifications 15-13

vendor-specific attributes

See RADIUS VSAs (vendor specific attributes)

viewing logs and reports

See logging

VoIP (Voice-over-IP)

accounting configuration 8-21

accounting configuration in Interface Configuration 3-6

Accounting log

configuring 11-15

enabling CSV log 11-13

viewing 11-14

enabling in interface 3-6

group settings in Interface Configuration 3-6

in Group Setup 6-4

VPDN

advantages 2-10

authentication process D-1

domain authorization D-2

home gateways D-3

IP addresses D-3

tunnel IDs D-3

users D-2

VSAs

See RADIUS VSAs (vendor specific attributes)

W

warning events F-5, F-7

watchdog packets

configuring on AAA clients 4-19

configuring on AAA servers 4-26

logging 11-3

web servers F-2

Windows operating systems

authentication order 14-6

dial-up networking 13-10

dial-up networking clients

domain field 13-10

password field 13-10

username field 13-10

Domain List effect 14-6

domains

domain names 13-10, 14-5

trusted 13-10

rejection mode 14-5

request handling 14-5

user databases

configuring 13-29

Windows user databases

Active Directory 13-23

Domain list

inadvertent user lockouts 13-26

domain mapping 15-8

domains

trusted 13-9

grant dial-in permission to users 13-9, 13-23

group mappings

editing 15-8

no access groups 15-6

remapping 15-8

mapping database groups to AAA groups 15-4

overview 13-6

password aging 6-25

passwords 1-10

trust relationships 13-9

user-changeable passwords 13-22

user manager 13-23

wireless network topologies 2-7

Z