Cisco 3.3 User Manual

An overview of Cisco Secure ACS and its features, network diagrams, and system requirements.

Details on hardware, operating system, and network requirements for Cisco Secure ACS.

Explains AAA server functions, concepts, protocols like TACACS+ and RADIUS, authentication, authorization, accounting, administration, and posture validation.

Discusses the Cisco Secure ACS HTML interface, its layout, URLs, and administrative sessions.

Details the minimum hardware, operating system, third-party software, and network/port requirements for deploying Cisco Secure ACS.

Discusses key factors like network topology, remote access policy, security, administrative access, database, and network latency.

Provides a recommended sequence of tasks for deploying Cisco Secure ACS, covering administrators, interface, system, network, and user databases.

Explains basic precepts of system operation and effective interface configuration, including user-to-group relationships and per-user/per-group features.

Details how to add or edit fields for recording user information and defining new user data fields.

Allows configuration of which advanced features Cisco Secure ACS displays, simplifying the interface by hiding unused features.

Details the configuration of the Cisco Secure ACS HTML interface for TACACS+ settings, enabling display or hiding of options.

Explains how to customize displayed attributes for RADIUS and provides details on IETF, Cisco IOS/PIX, and other vendor-specific settings.

Describes the appearance of the Network Configuration page and the tables that may appear, such as AAA Clients, AAA Servers, and Network Device Groups.

Explains how Cisco Secure ACS can be used in a distributed system with multiple ACSes communicating with each other.

Details the proxy feature, enabling Cisco Secure ACS for authentication in networks with multiple AAA servers and character string matching.

Explains how to configure the order in which Cisco Secure ACS checks remote AAA servers when a connection fails.

Describes how to search for any network device configured in the Network Configuration section.

Provides procedures for configuring AAA clients, including options for hostname, IP address, key, network device group, and authentication method.

Details procedures for configuring AAA servers, including name, IP address, key, network device group, log options, and server type.

Explains the advanced feature of grouping network devices as a single logical unit for easier administration.

Describes the Proxy Distribution Table and procedures for working with it, including adding, sorting, editing, and deleting entries.

Explains the Shared Profile Components section for developing reusable authorization components like NAFs, ACLs, NARs, and command sets.

Describes Network Access Filters (NAFs) and provides instructions for creating and managing them.

Describes downloadable ACLs and provides instructions for configuring and managing them, allowing creation of ACL definitions for many users or groups.

Describes network access restrictions (NARs) and provides instructions for configuring and managing shared NARs.

Describes command authorization sets and pattern matching, providing detailed instructions for configuring and managing them.

Explains the Group Setup section as a centralized location for user group configuration and administration.

Presents basic activities for configuring a new user group, including group disablement, VoIP support, time-of-day access, callback options, and restrictions.

Details configuration procedures applicable to specific network security setups, such as token card settings, privilege options, and password aging.

Describes how to use the Group Setup section to perform various managerial tasks like listing users, resetting quotas, renaming, and saving settings.

Describes the User Setup section as a centralized location for user account configuration and administration.

Details the various databases used for user authentication, including CiscoSecure and external databases like Windows, LDAP, Novell NDS, ODBC, and Token Servers.

Presents basic activities for configuring a new user, including specifying name, external database/password, and submitting information.

Covers user-level TACACS+ and RADIUS enable parameters, including privilege options, enable password options, and outbound passwords.

Describes how to use the User Setup section to perform user account managerial tasks like listing, finding, disabling, and deleting users.

Provides basic status information about services and enables stopping, starting, or restarting them.

Explains how to configure Cisco Secure ACS to generate logs for administrative and accounting events.

Allows selection between two date formats (month/day/year or day/month/year) for logs, reports, and the administrative interface.

Configures settings for managing passwords stored in the CiscoSecure user database, including validation and remote change options.

Provides information about the Cisco Secure ACS Backup feature, including manual and scheduled backups, options, and file locations.

Details the Cisco Secure ACS System Restore feature, including procedures for restoring from backup files.

Describes ACS Active Service Management, a service monitoring tool with features for system monitoring and event logging.

Covers CiscoSecure Database Replication, including process, frequency, implementation, configuration of secondary ACS, replication options, and event errors.

Provides information on implementing RDBMS Synchronization, including components, considerations, CSV-based sync, data source name, and options.

Explains the IP Pools feature, including creating, maintaining, allowing overlapping pools, refreshing tables, and recovering addresses.

Details the IP Pools Address Recovery feature, enabling recovery of assigned IP addresses not used for a specified period.

Addresses authentication and certification features, discussing digital certificates, EAP-TLS, PEAP, and machine authentication.

Provides a means to enable or disable authentication protocols and configure options for PEAP, EAP-TLS, and EAP-FAST.

Covers installing server certificates, adding CA certificates, editing the trust list, managing CRLs, and generating CSRs.

Describes the two formats for logging data: CSV files and ODBC-compliant database tables.

Explains special logging attributes like User Attributes, ExtDB Info, Access Device, Network Device Group, Filter Information, Device Command Set, and Remote Logging Result.

Discusses posture validation attributes used by NAC that can be logged, including Application-Posture-Token and System-Posture-Token.

Explains how to configure Cisco Secure ACS to record update packets (watchdog packets) in accounting logs.

Divides logs into four types: Accounting logs, Dynamic Admin reports, System logs, and Service logs.

Provides instructions on configuring CSV logs, including file names, locations, enabling/disabling, viewing reports, and log content.

Details how to prepare for ODBC logging, configure system data source names, and configure individual ODBC logs.

Discusses remote logging capabilities, including implementing centralized logging, options, and enabling/disabling remote logging.

Explains service logs as diagnostic tools for troubleshooting and debugging, containing records of all service actions and activities.

Provides details about Cisco Secure ACS administrators, including accounts, privileges, adding, editing, unlocking, and deleting accounts.

Affects access to the Cisco Secure ACS HTML interface, allowing limits by IP address, TCP port range, and SSL enablement.

Controls administrative sessions, including idle timeout, automatic local login, response to invalid IP, and administrator lockout.

Controls the generation of the Administrative Audit log.

Describes the internal Cisco Secure ACS database, supporting various authentication methods and crucial for the authorization process.

Explains how to configure Cisco Secure ACS to forward authentication to external databases, leveraging existing user data.

Details support for Windows external user databases, including user authentication, machine authentication, group mapping, and password aging.

Covers support for generic LDAP authentication, including instances, organizational units, groups, domain filtering, and failover.

Explains support for Novell NetWare Directory Services (NDS) servers for user authentication and group mapping.

Details support for ODBC-compliant relational databases, including authentication, group specification, and stored procedures.

Describes support for LEAP Proxy RADIUS server authentication, including group specification and mapping.

Explains support for token servers for one-time password (OTP) authentication, including RADIUS-enabled and RSA SecurID servers.

Explains NAC, its components, posture validation process, posture tokens, and non-responsive NAC-client computers.

Defines the components of the NAC AAA paradigm: NAC-client computer, AAA client, Cisco Secure ACS, NAC server, and Remediation server.

Describes how Cisco Secure ACS determines computer posture using credentials, steps involved, and how it derives application posture tokens.

Explains posture tokens representing computer state, including system and application posture tokens, and predefined non-configurable tokens.

Details how NAC-compliant AAA clients handle computers that do not respond to posture validation sessions.

Provides steps for implementing NAC support in Cisco Secure ACS, including server certificates, external policies, and logs.

Covers NAC databases, including their purpose, components, configuration options, and policy selection.

Explains how Cisco Secure ACS applies policies to validation requests based on selected NAC database policies.

Defines user types for authentication/posture validation: Known Users, Unknown Users, and Discovered Users.

Provides information about using the Unknown User Policy with authentication and NAC.

Explains the Unknown User Policy as a form of authentication forwarding to external databases.

Describes how Cisco Secure ACS attempts to authenticate unknown users by checking internal and external databases.

Details how Cisco Secure ACS handles authentication for users with identical usernames across trusted Windows domains.

Explains how the Unknown User Policy automates user association with NAC databases for posture validation requests.

Discusses how Cisco Secure ACS is responsible for all authorizations sent to AAA clients and end-user clients.

Specifies what Cisco Secure ACS does for posture validation and unknown user authentication.

Explains how to configure the order Cisco Secure ACS checks selected databases for posture validation and unknown authentication.

Provides steps to configure the Unknown User Policy for processing unknown users and external databases.

Provides information about group mapping and specification for assigning users to Cisco Secure ACS groups.

Explains how to map an external database to a Cisco Secure ACS group for automatic authorization inheritance.

Describes creating group mappings based on combinations of external user database groups.

Provides means to connect a system posture token (SPT) to a user group for NAC authorization.

Supports assignment of users to Cisco Secure ACS groups based on RADIUS authentication responses, overriding group mapping.

Lists common conditions related to remote administrator access to the HTML interface and their recovery actions.

Details common browser issues that affect the Cisco Secure ACS HTML interface, such as Java messages and proxy configurations.

Addresses issues related to Cisco IOS commands, RADIUS attributes not supported, and enable mode errors.

Covers problems with RDBMS Synchronization, Database Replication, and external user databases not being available.

Addresses issues preventing dial-in users from connecting to AAA clients, including configuration and database problems.

Explains recovery actions for failure messages when running debug aaa authentication on AAA clients.

Covers recovery actions when proxying requests to another server fails, including shared secret and character string matching.

Addresses issues that may occur during Cisco Secure ACS installation or upgrade, such as invalid or corrupted files.

Covers problems with MaxSessions over VPN or unreliable user MaxSessions values and provides recovery actions.

Addresses issues with reports being blank, missing unknown user information, or duplicate entries for user sessions.

Covers issues with implementing RSA token servers and authentication requests not hitting external databases.

Addresses problems with user authentication, including failure messages, incorrect configurations, and timeout issues.

Covers issues where TACACS+ and RADIUS attributes do not appear on the Group Setup page.

Lists supported Cisco IOS RADIUS AV pairs and provides information on requirements and considerations.

Lists TACACS+ AV pairs supported by Cisco Secure ACS and refers to Cisco IOS documentation for descriptions.

Lists TACACS+ accounting AV pairs supported by Cisco Secure ACS, referring to Cisco IOS documentation for descriptions.

Lists Cisco IOS RADIUS AV pairs supported by Cisco Secure ACS, confirming AAA client compatibility.

Lists supported Cisco IOS/PIX vendor-specific attributes (VSAs) for Cisco Secure ACS.

Explains the cisco-av-pair attribute format for Cisco IOS/PIX RADIUS implementation, supporting inclusion of many AV pairs.

Lists supported Cisco VPN 3000 RADIUS VSAs and provides control for Microsoft MPPE settings.

Lists supported Cisco VPN 5000 RADIUS VSAs and provides control for Microsoft MPPE settings.

Lists supported Cisco BBSM RADIUS VSAs.

Lists supported RADIUS (IETF) attributes and details their formats.

Supports Microsoft RADIUS VSAs used for Microsoft Point-to-Point Encryption (MPPE).

Lists Ascend RADIUS AV pairs, providing translations for parsing requests and generating responses.

Lists Juniper RADIUS VSAs supported by Cisco Secure ACS.

Lists Nortel RADIUS VSAs supported by Cisco Secure ACS.

Details the default installation directory for CSUtil.exe and related files.

Provides the command-line syntax for the CSUtil.exe utility.

Details various actions CSUtil.exe can perform, listed alphabetically.

Explains how to display command-line syntax for CSUtil.exe.

Describes using the -b option to create a system backup of all Cisco Secure ACS internal data.

Details using the -r option to restore Cisco Secure ACS internal data from a backup file.

Explains how to use the -n option to create a CiscoSecure user database.

Describes using the -d option to dump all Cisco Secure ACS internal data into a text file.

Details using the -l option to overwrite Cisco Secure ACS internal data from a dump text file.

Explains how to periodically compact the CiscoSecure user database to reduce its size.

Details the -i option to update Cisco Secure ACS with data from a colon-delimited text file for users and AAA clients.

Details the accountActions specification for RDBMS Synchronization, outlining requirements and action codes.

Provides action codes for initializing, modifying, creating, and deleting users, groups, and network configurations.

Describes the modular service modules of Cisco Secure ACS, including CSAdmin, CSAuth, CSDBSync, CSLog, CSMon, CSTacacs, and CSRadius.

Indicates the location of Cisco Secure ACS information in the Windows Registry and advises against modification.

Explains CSAdmin as the service providing the web server for the Cisco Secure ACS HTML interface.

Describes CSAuth as the authentication and authorization service, managing user access and defining privileges.

Explains CSDBSync as the service for synchronizing the Cisco Secure ACS database with third-party RDBMS systems.

Details CSLog as the service for capturing and placing logging information into CSV files.

Describes CSMon as a service for minimizing downtime by monitoring system parameters and application performance.

Explains how CSMon monitors overall system status and key system parameters like disk space and processor utilization.

Describes how CSMon records exception events in logs for diagnosing problems.

Details how CSMon can be configured to notify system administrators of exception events, responses, and outcomes.

Explains how CSMon detects exception events and responds by logging, sending notifications, or taking actions.

Describes how CSTacacs and CSRadius services communicate between CSAuth and access devices for authentication and authorization.