Cisco 2509 - Router - EN

To Next Page

To Previous Page

E-5

User Guide for Cisco Secure ACS for Windows Server

78-14696-01, Version 3.1

Appendix E Cisco Secure ACS and Virtual Private Dial-up Networks

VPDN Process

Figure E-7 NAS Authenticates Tunnel with ACS

After authenticating, the tunnel is established. Now the actual user

(mary@corporation.us) must be authenticated. See Figure E-8.

Figure E-8 VPDN Tunnel is Established

The HG now authenticates the user as if the user dialed directly in to the HG.

The HG might now challenge the user for a password. The Cisco Secure ACS

at RSP can be configured to strip off the @ and domain before it passes the

authentication to the HG. (The user is passed as mary@corporation.us.) The

HG uses its ACS to authenticate the user. See Figure E-9.

S6651

Username = home_gate

Password = CHAP_stuff

Corporation

VPDN user

User = mary@corporation.us

ACS

RSP

ACS

CHAP response

S6652

Corporation

VPDN user

User = mary@corporation.us

ACS

RSP

ACS

Main Page

Default Chapter4
- Table of Contents4
- Related Documentation29
- Obtaining Documentation30
- Ordering Documentation30
- World Wide Web30
- Documentation Feedback31
- Obtaining Technical Assistance31
- Technical Assistance Center32
- AAA Protocols-TACACS+ and RADIUS40
  - Tacacs40
  - Radius40
- Authentication41
- Authorization49
- Accounting54
  - Other Accounting-Related Features54
- Administration55
- Cisco Secure ACS HTML Interface57
Chapter 2 Deploying Cisco Secure ACS67
- Basic Deployment Requirements for Cisco Secure ACS68
  - System Requirements68
  - Network Requirements70
- Basic Deployment Factors for Cisco Secure ACS71
- Suggested Deployment Sequence84
Chapter 3 Setting up the Cisco Secure ACS HTML Interface87
- Interface Design Concepts88
  - User-To-Group Relationship88
  - Per-User or Per-Group Features88
- User Data Configuration Options89
  - Defining New User Data Fields89
- Advanced Options90
  - Setting Advanced Options for the Cisco Secure ACS User Interface92
- Protocol Configuration Options for TACACS93
  - Setting Options for TACACS95
- Protocol Configuration Options for RADIUS96
CHAPTER 4 Setting up and Managing Network Configuration106
- About Network Configuration106
- About Distributed Systems107
  - AAA Servers in Distributed Systems107
  - Default Distributed System Settings108
- Proxy in Distributed Systems108
- Network Device Searches112
  - Network Device Search Criteria113
  - Searching for Network Devices114
- AAA Client Configuration115
- AAA Server Configuration124
- Network Device Group Configuration131
- Proxy Distribution Table Configuration136
  - About the Proxy Distribution Table136
Chapter 5 Setting up and Managing Shared Profile Components141
- About Shared Profile Components141
- Downloadable PIX Acls142
  - About Downloadable PIX Acls142
  - Downloadable PIX ACL Configuration144
- Network Access Restrictions146
  - About Network Access Restrictions146
  - Shared Network Access Restrictions Configuration148
- Command Authorization Sets153
Chapter 6 Setting up and Managing User Groups161
- User Group Setup Features and Functions162
  - Default Group162
  - Group TACACS+ Settings162
- Common User Group Settings163
- Configuration-Specific User Group Settings175
- Group Setting Management211
Chapter 7 Setting up and Managing User Accounts215
- User Setup Features and Functions216
- About User Databases216
- Basic User Setup Options218
- Advanced User Authentication Settings236
- User Management267
CHAPTER 8 Establishing Cisco Secure276
- Service Control276
  - Determining the Status of Cisco Secure ACS Services276
  - Stopping, Starting, or Restarting Services276
- Logging277
- Date Format Control277
  - Setting the Date Format278
- Local Password Management279
  - Configuring Local Password Management281
- Ciscosecure Database Replication283
APPENDIX E Ciscosecure ACS and Virtual Private Dial-Up Networks303
RDBMS Synchronization303
- About RDBMS Synchronization304
  - Users305
  - User Groups306
  - Network Configuration306
  - Custom RADIUS Vendors and Vsas307
- RDBMS Synchronization Components307
  - About Csdbsync307
  - About the Accountactions Table308
- Cisco Secure ACS Database Recovery Using the Accountactions Table310
- Reports and Event (Error) Handling311
- Preparing to Use RDBMS Synchronization311
- Considerations for Using CSV-Based Synchronization312
  - Preparing for CSV-Based Synchronization313
- Configuring a System Data Source Name for RDBMS Synchronization314
- RDBMS Synchronization Options315
  - RDBMS Setup Options315
  - Synchronization Scheduling Options316
  - Synchronization Partners Options316
- Performing RDBMS Synchronization Immediately317
- Scheduling RDBMS Synchronization318
- Disabling Scheduled RDBMS Synchronizations320
- Cisco Secure ACS Backup321
  - About Cisco Secure ACS Backup321
  - Backup File Locations322
  - Directory Management322
  - Components Backed up322
  - Reports of Cisco Secure ACS Backups323
  - Backup Options323
  - Performing a Manual Cisco Secure ACS Backup324
  - Scheduling Cisco Secure ACS Backups324
  - Disabling Scheduled Cisco Secure ACS Backups325
- Cisco Secure ACS System Restore326
  - About Cisco Secure ACS System Restore326
  - Backup File Names and Locations327
  - Components Restored328
  - Reports of Cisco Secure ACS Restorations328
  - Restoring Cisco Secure ACS from a Backup File328
- Cisco Secure ACS Active Service Management329
  - System Monitoring330
    - System Monitoring Options330
    - Setting up System Monitoring331
  - Event Logging332
    - Setting up Event Logging332
- IP Pools Server333
  - About IP Pools Server334
  - Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges335
  - Refreshing the AAA Server IP Pools Table336
  - Adding a New IP Pool337
  - Editing an IP Pool Definition338
  - Resetting an IP Pool339
  - Deleting an IP Pool340
- IP Pools Address Recovery341
  - Enabling IP Pool Address Recovery341
- Voip Accounting Configuration342
  - Configuring Voip Accounting342
- Cisco Secure ACS Certificate Setup343
  - Background on Protocols and Certification343
  - Installing a Cisco Secure ACS Server Certificate348
  - Adding a Certificate Authority Certificate350
  - Editing the Certificate Trust List351
  - Generating a Certificate Signing Request352
  - Updating or Replacing a Cisco Secure ACS Certificate354
- Global Authentication Setup355
  - Configuring Authentication Options355
- Logging Formats359
- Special Logging Attributes360
Chapter 9 Working with Logging and Report361
- Update Packets in Accounting Logs362
- About Cisco Secure ACS Logs and Reports362
- Working with CSV Logs371
- Working with ODBC Logs377
- Remote Logging381
- Service Logs386
  - Services Logged387
  - Configuring Service Logs388
CHAPTER 10 Setting up and Managing Administrators and Policy391
- Administrator Accounts391
- Access Policy401
  - Access Policy Options402
  - Setting up Access Policy404
- Session Policy406
  - Session Policy Options406
  - Setting up Session Policy407
- Audit Policy408
- Ciscosecure User Database410
  - About the Ciscosecure User Database410
Chapter 11 Working with User Database411
- User Import and Creation411
- About External User Databases412
- Generic LDAP424
- Novell NDS Database441
- ODBC Database447
- Database458
  - Configuring an ODBC External User Database459
- LEAP Proxy RADIUS Server Database462
  - Configuring a LEAP Proxy RADIUS Server External User Database463
- Token Server User Databases465
- Deleting an External User Database Configuration474
CHAPTER 12 Administering External User Databases477
- Unknown User Processing477
APPENDIX A Troubleshooting Information for Cisco Secure ACS502
- Administration Issues502
- A P P E N D I X a Troubleshooting Information for Cisco Secure ACS503
- Browser Issues503
- Cisco IOS Issues503
- Database Issues505
- Dial-In Connection Issues506
- Debug Issues510
- Installation and Upgrade Issues511
- Proxy Issues511
- Maxsessions Issues512
- Report Issues512
- PIX Firewall Issues513
- Third-Party Server Issues513
- User Authentication Issues514
- TACACS+ and RADIUS Attribute Issues516
- Cisco Ios Av Pair Dictionary517
Appendix B TACAC+ Attribute-Value Pair518
APPENDIX B TACACS+ Attribute-Value Pairs518
- Cisco IOS AV Pair Dictionary518
  - TACACS+ AV Pairs518
  - TACACS+ Accounting AV Pairs520
Appendix C RADIU Attribute524
APPENDIX C RADIUS Attributesc-1525
- Cisco IOS Dictionary of RADIUS AV Pairs525
- Cisco IOS/PIX Dictionary of RADIUS Vsas528
- Cisco VPN 3000 Concentrator Dictionary of RADIUS Vsas530
- Cisco VPN 5000 Concentrator Dictionary of RADIUS Vsas533
- Cisco Building Broadband Service Manager Dictionary of RADIUS VSA534
- IETF Dictionary of RADIUS AV Pairs535
- Microsoft Mppe Dictionary of Radius Vsas549
- Microsoft MPPE Dictionary of RADIUS Vsas550
- Ascend Dictionary of Radius Av Pairs552
- Ascend Dictionary of RADIUS AV Pairs553
- Nortel Dictionary of RADIUS Vsas564
- Juniper Dictionary of Radius Vsas565
  - Juniper Dictionary of RADIUS Vsas566
  - A P P E N D I X D Cisco Secure ACS Command-Line Database Utility568
APPENDIX D Ciscosecure ACS Command-Line Database Utilityd-1568
- Csutil.exe Syntax568
- Location of Csutil.exe and Related Files568
- Csutil.exe Options569
- Backing up Cisco Secure ACS with Csutil.exe570
- Restoring Cisco Secure ACS with Csutil.exe571
- Creating a Ciscosecure User Database573
- Creating a Cisco Secure ACS Database Dump File574
- Loading the Cisco Secure ACS Database from a Dump File575
- Compacting the Ciscosecure User Database577
- User and AAA Client Import Option579
  - Importing User and AAA Client Information579
  - User and AAA Client Import File Format581
- Exporting User List to a Text File589
- Exporting Group Information to a Text File590
- Exporting Registry Information to a Text File591
- Decoding Error Numbers592
- Recalculating CRC Values593
- User-Defined RADIUS Vendors and VSA Sets593
- Vpdn Process607
  - A P P E N D I X E Cisco Secure ACS and Virtual Private Dial-Up Networks608
  - VPDN Process608
- Accountactions Specification613
APPENDIX F RDBMS Synchronization Import Definitions613
- A P P E N D I X F RDBMS Synchronization Import Definitions614
- Accountactions Format614
  - Accountactions Specification614
  - Accountactions Mandatory Fields615
- Accountactions Mandatory Fields616
- Accountactions Processing Order616
- Action Codes617
- Cisco Secure ACS Attributes and Action Codes646
- An Example of Accountactions650
APPENDIX G Ciscosecure ACS Internal Architectureg-1653
- Windows 2000 Services653
- Csadmin654
- Windows 2000 Registry654
- A P P E N D I X G Cisco Secure ACS Internal Architecture655
- Csauth655
- Csdbsync656
- Cslog656
- Csmon656
- Cstacacs and Csradius660

Cisco 2509 - Router - EN - Page 611

Table of Contents

Related product manuals