Author(s): Cisco Systems
Series: Cisco career certifications; Cisco certified network associate
Publisher: Cisco Press
Year: 1999
Language: English
Pages: 642
City: Indianapolis, IN
Contents......Page 3
Organization......Page 25
Conventions......Page 26
Product Documentation......Page 27
Cisco.com......Page 28
Cisco Product Security Overview......Page 29
Obtaining Technical Assistance......Page 30
Definitions of Service Request Severity......Page 31
Obtaining Additional Publications and Information......Page 32
Introduction to ACS......Page 35
ACS Features, Functions and Concepts......Page 36
RADIUS......Page 37
Additional Features in ACS Version 4.0......Page 38
Authentication Considerations......Page 40
Authentication Protocol-Database Compatibility......Page 41
Passwords......Page 42
Other Authentication-Related Features......Page 45
Max Sessions......Page 46
Support for Cisco Device-Management Applications......Page 47
Accounting......Page 48
Web Interface Security......Page 49
Web Interface Layout......Page 50
Using Online Help......Page 52
System Performance Specifications......Page 53
ACS Windows Services......Page 54
Basic Deployment Factors for ACS......Page 55
Dial-Up Topology......Page 56
Wireless Network......Page 58
Remote Access using VPN......Page 60
Remote Access Policy......Page 61
Administrative Access Policy......Page 62
Separation of Administrative and General Users......Page 63
Network Latency and Reliability......Page 64
Suggested Deployment Sequence......Page 65
Administrative Sessions......Page 67
Administrative Sessions Through a NAT Gateway......Page 68
Logging Off the Web Interface......Page 69
User Data Configuration Options......Page 70
Advanced Options......Page 71
Protocol Configuration Options for TACACS+......Page 73
Protocol Configuration Options for RADIUS......Page 75
Setting Protocol Configuration Options for IETF RADIUS Attributes......Page 78
Setting Protocol Configuration Options for Non-IETF RADIUS Attributes......Page 79
About Network Configuration......Page 81
AAA Servers in Distributed Systems......Page 82
Proxy in Distributed Systems......Page 83
Stripping......Page 84
Other Features Enabled by System Distribution......Page 85
Searching for Network Devices......Page 86
AAA Client Configuration......Page 87
AAA Client Configuration Options......Page 88
Adding AAA Clients......Page 91
Editing AAA Clients......Page 93
Deleting AAA Clients......Page 94
AAA Server Configuration Options......Page 95
Adding AAA Servers......Page 96
Editing AAA Servers......Page 98
Network Device Group Configuration......Page 99
Adding a Network Device Group......Page 100
Reassigning AAA Clients or AAA Servers to an NDG......Page 101
Deleting a Network Device Group......Page 102
About the Proxy Distribution Table......Page 103
Adding a New Proxy Distribution Table Entry......Page 104
Editing a Proxy Distribution Table Entry......Page 105
Deleting a Proxy Distribution Table Entry......Page 106
About Shared Profile Components......Page 107
Network Access Filters......Page 108
Adding a Network Access Filter......Page 109
Editing a Network Access Filter......Page 111
RADIUS Authorization Components......Page 112
Vendors......Page 113
Before You Begin Using RADIUS Authorization Components......Page 114
Adding RADIUS Authorization Components......Page 115
Editing a RADIUS Authorization Component......Page 116
Deleting a RADIUS Authorization Component......Page 117
About Downloadable IP ACLs......Page 119
Adding a Downloadable IP ACL......Page 121
Editing a Downloadable IP ACL......Page 122
Network Access Restrictions......Page 123
About Network Access Restrictions......Page 124
About Non-IP-based NAR Filters......Page 125
Adding a Shared NAR......Page 126
Editing a Shared NAR......Page 128
Deleting a Shared NAR......Page 129
Command Authorization Sets Description......Page 130
Case Sensitivity and Command Authorization......Page 132
About Pattern Matching......Page 133
Adding a Command Authorization Set......Page 134
Editing a Command Authorization Set......Page 135
Deleting a Command Authorization Set......Page 136
User Group Management......Page 137
Group TACACS+ Settings......Page 138
Group Disablement......Page 139
Enabling VoIP Support for a User Group......Page 140
Setting Callback Options for a User Group......Page 141
Setting Network Access Restrictions for a User Group......Page 142
Setting Max Sessions for a User Group......Page 145
Setting Usage Quotas for a User Group......Page 146
Configuration-Specific User Group Settings......Page 148
Setting Enable Privilege Options for a User Group......Page 149
Setting Token Card Settings for a User Group......Page 150
Varieties of Password Aging Supported by ACS......Page 151
Password Aging Feature Settings......Page 152
Enabling Password Aging for Users in Windows Databases......Page 155
Setting IP Address Assignment Method for a User Group......Page 157
Configuring TACACS+ Settings for a User Group......Page 158
Configuring a Shell Command Authorization Set for a User Group......Page 160
Configuring a PIX Command Authorization Set for a User Group......Page 161
Configuring Device Management Command Authorization for a User Group......Page 162
Configuring IETF RADIUS Settings for a User Group......Page 163
Configuring Cisco IOS/PIX 6.0 RADIUS Settings for a User Group......Page 164
Configuring Cisco Airespace RADIUS Settings for a User Group......Page 165
Configuring Cisco Aironet RADIUS Settings for a User Group......Page 166
Configuring Ascend RADIUS Settings for a User Group......Page 168
Configuring VPN 3000/ASA/PIX v7.x+ RADIUS Settings for a User Group......Page 169
Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group......Page 170
Configuring Microsoft RADIUS Settings for a User Group......Page 171
Configuring Nortel RADIUS Settings for a User Group......Page 172
Configuring Juniper RADIUS Settings for a User Group......Page 173
Configuring BBSM RADIUS Settings for a User Group......Page 174
Group Setting Management......Page 175
Renaming a User Group......Page 176
Saving Changes to User Group Settings......Page 177
About User Setup Features and Functions......Page 179
Basic User Setup Options......Page 180
Adding a Basic User Account......Page 181
Setting Supplementary User Information......Page 182
Assigning a User to a Group......Page 183
Setting the User Callback Option......Page 184
Assigning a User to a Client IP Address......Page 185
Setting Network Access Restrictions for a User......Page 186
Setting Max Sessions Options for a User......Page 189
Options for Setting User Usage Quotas......Page 190
Setting Options for User Account Disablement......Page 191
Assigning a Downloadable IP ACL to a User......Page 192
Advanced User Authentication Settings......Page 193
Configuring TACACS+ Settings for a User......Page 194
Configuring a Shell Command Authorization Set for a User......Page 195
Configuring a PIX Command Authorization Set for a User......Page 197
Configuring Device-Management Command Authorization for a User......Page 198
Configuring the Unknown Service Setting for a User......Page 199
Setting Enable Privilege Options for a User......Page 200
Setting TACACS+ Enable Password Options for a User......Page 201
RADIUS Attributes......Page 202
Setting IETF RADIUS Parameters for a User......Page 203
Setting Cisco IOS/PIX 6.0 RADIUS Parameters for a User......Page 204
Setting Cisco Airespace RADIUS Parameters for a User......Page 205
Setting Cisco Aironet RADIUS Parameters for a User......Page 206
Setting Ascend RADIUS Parameters for a User......Page 207
Setting Cisco VPN 3000/ASA/PIX 7.x+ RADIUS Parameters for a User......Page 208
Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User......Page 209
Setting Microsoft RADIUS Parameters for a User......Page 210
Setting Nortel RADIUS Parameters for a User......Page 211
Setting Juniper RADIUS Parameters for a User......Page 212
Setting Custom RADIUS Attributes for a User......Page 213
User Management......Page 214
Finding a User......Page 215
Deleting a User Account......Page 216
Resetting a User Account after Login Failure......Page 217
Removing Dynamic Users......Page 218
Saving User Settings......Page 219
Service Control......Page 221
Stopping, Starting, or Restarting Services......Page 222
Date Format Control......Page 223
Local Password Management......Page 224
Configuring Local Password Management......Page 226
About ACS Backup......Page 227
Reports of ACS Backups......Page 228
Scheduling ACS Backups......Page 229
Disabling Scheduled ACS Backups......Page 230
Backup Filenames and Locations......Page 231
Restoring ACS from a Backup File......Page 232
System Monitoring Options......Page 233
Setting Up System Monitoring......Page 234
VoIP Accounting Configuration......Page 235
Configuring VoIP Accounting......Page 236
ACS Internal Database Replication......Page 237
About ACS Internal Database Replication......Page 238
Replication Process......Page 239
Important Implementation Considerations......Page 241
Database Replication Versus Database Backup......Page 242
Replication Components Options......Page 243
Outbound Replication Options......Page 245
Implementing Primary and Secondary Replication Setups on ACSs......Page 246
Configuring a Secondary ACS......Page 247
Replicating Immediately......Page 248
Scheduling Replication......Page 250
Disabling ACS Database Replication......Page 251
Database Replication Event Errors......Page 252
About RDBMS Synchronization......Page 253
User Groups......Page 254
RDBMS Synchronization Components......Page 255
About the accountActions Table......Page 256
ACS Database Recovery Using the accountActions Table......Page 257
Preparing to Use RDBMS Synchronization......Page 258
Configuring a System Data Source Name for RDBMS Synchronization......Page 259
RDBMS Setup Options......Page 260
Performing RDBMS Synchronization Immediately......Page 261
Scheduling RDBMS Synchronization......Page 262
About IP Pools Server......Page 264
Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges......Page 265
Adding a New IP Pool......Page 266
Editing an IP Pool Definition......Page 267
Deleting an IP Pool......Page 268
Enabling IP Pool Address Recovery......Page 269
Digital Certificates......Page 271
About the EAP-TLS Protocol......Page 272
EAP-TLS and ACS......Page 273
Enabling EAP-TLS Authentication......Page 274
About the PEAP Protocol......Page 275
PEAP and ACS......Page 276
Enabling PEAP Authentication......Page 277
About EAP-FAST......Page 278
About Master Keys......Page 280
About PACs......Page 281
Types of PACs......Page 282
Replication and EAP-FAST......Page 285
Enabling EAP-FAST......Page 287
Stateless Session Server Resume......Page 288
Configuring Authentication Options......Page 289
Installing an ACS Server Certificate......Page 295
Editing the Certificate Trust List......Page 297
Managing Certificate Revocation Lists......Page 298
Certificate Revocation List Configuration Options......Page 299
Generating a Certificate Signing Request......Page 301
Using Self-Signed Certificates......Page 302
Self-Signed Certificate Configuration Options......Page 303
Generating a Self-Signed Certificate......Page 304
Updating or Replacing an ACS Certificate......Page 305
Logging Formats......Page 307
Special Logging Attributes......Page 308
Update Packets in Accounting Logs......Page 309
Accounting Logs......Page 310
Dynamic Administration Reports......Page 312
Deleting Logged-in Users......Page 313
ACS System Logs......Page 314
Configuring the Administration Audit Log......Page 315
CSV Log File Locations......Page 316
Enabling or Disabling a CSV Log......Page 317
Viewing a CSV Report......Page 318
Log Filtering......Page 319
Configuring a CSV Log......Page 320
Preparing for ODBC Logging......Page 322
Configuring an ODBC Log......Page 323
About Remote Logging......Page 325
Implementing Centralized Remote Logging......Page 326
Enabling and Configuring Remote Logging......Page 327
Disabling Remote Logging......Page 328
Services Logged......Page 329
Configuring Service Logs......Page 330
Helping Customer Support Gather Data......Page 331
About Administrator Accounts......Page 333
Administrator Privileges......Page 334
Adding an Administrator Account......Page 336
Editing an Administrator Account......Page 337
Deleting an Administrator Account......Page 339
Access Policy Options......Page 340
Setting Up Access Policy......Page 341
Setting Up Session Policy......Page 343
Audit Policy......Page 344
ACS Internal Database......Page 345
User Import and Creation......Page 346
About External User Databases......Page 347
External User Database Authentication Process......Page 348
Windows User Database......Page 349
Authentication with Windows User Databases......Page 350
Windows Dial-Up Networking Clients without a Domain Field......Page 351
Username Formats and Windows Authentication......Page 352
Domain-Qualified Usernames......Page 353
EAP-TLS Domain Stripping......Page 354
Machine Authentication......Page 355
Machine Access Restrictions......Page 357
Microsoft Windows and Machine Authentication......Page 358
Enabling Machine Authentication......Page 360
User-Changeable Passwords with Windows User Databases......Page 361
Windows User Database Configuration Options......Page 362
Configuring a Windows External User Database......Page 365
Generic LDAP......Page 366
LDAP Organizational Units and Groups......Page 367
Domain Filtering......Page 368
Unsuccessful Previous Authentication with the Primary LDAP Server......Page 369
LDAP Configuration Options......Page 370
Configuring a Generic LDAP External User Database......Page 374
ODBC Database......Page 378
ACS Authentication Process with an ODBC External User Database......Page 379
Preparing to Authenticate Users with an ODBC-Compliant Relational Database......Page 380
Implementation of Stored Procedures for ODBC Authentication......Page 381
Sample Routine for Generating a PAP Authentication SQL Procedure......Page 382
Sample Routine for Generating an EAP-TLS Authentication Procedure......Page 383
PAP Procedure Output......Page 384
CHAP/MS-CHAP/ARAP Procedure Output......Page 385
EAP-TLS Procedure Output......Page 386
Configuring a System Data Source Name for an ODBC External User Database......Page 387
Configuring an ODBC External User Database......Page 388
LEAP Proxy RADIUS Server Database......Page 390
Configuring a LEAP Proxy RADIUS Server External User Database......Page 391
Token Server User Databases......Page 392
RADIUS-Enabled Token Servers......Page 393
Configuring a RADIUS Token Server External User Database......Page 394
Configuring an RSA SecurID Token Server External User Database......Page 397
Deleting an External User Database Configuration......Page 398
Network Access Control Overview......Page 399
NAC Architecture Overview......Page 400
Posture Tokens......Page 401
Configuring NAC in ACS......Page 402
Posture Validation Process......Page 404
About Posture Credentials and Attributes......Page 405
Extended Attributes......Page 406
About Internal Policies......Page 407
Internal Policy Configuration Options......Page 408
About External Policies......Page 409
External Policy Configuration Options......Page 410
About External Audit Servers......Page 412
External Audit Server Configuration Options......Page 414
Configuring Policies......Page 415
Creating an Internal Policy......Page 416
Editing a Policy......Page 418
Cloning a Policy or Policy Rule......Page 419
Renaming a Policy......Page 420
Deleting a Condition Component or Condition Set......Page 421
Setting Up an External Policy Server......Page 422
Setting Up an External Audit Posture Validation Server......Page 423
Editing an External Posture Validation Audit Server......Page 424
How Posture Validation Fits into Profile-Based Policies......Page 425
Overview of NAPs......Page 427
Profile-based Policies......Page 428
Setting Up a Profile......Page 429
NAFs......Page 430
Advanced Filtering......Page 431
About Rules, Rule Elements, and Attributes......Page 432
Adding a Profile......Page 433
Cloning a Profile......Page 435
Processing Unmatched User Requests......Page 436
NAP Administration Pages......Page 437
Shared-profile Components......Page 439
Selecting a Profile Template......Page 440
Downloadable ACLs......Page 441
NAC L2 IP......Page 443
ACS and AV Pairs......Page 445
NAC Layer 2 802.1x......Page 446
Microsoft IEEE 802.1x......Page 449
Authentication Bypass......Page 450
NAC Agentless Host......Page 451
Configuring Authentication Policies......Page 453
Authentication Protocols......Page 454
EAP Configuration......Page 455
Setting Authentication Policies......Page 456
Configuring MAC Authentication Bypass......Page 457
Configuring Posture-Validation Policies......Page 461
Import Vendor Attribute-Value Pairs (AVPs)......Page 462
Setting a Posture-Validation Policy......Page 463
Mapping an Audit Server to a Profile......Page 466
Configuring Fail Open......Page 467
Authorization Rules......Page 469
Configuring an Authorization Rule......Page 470
Configuring a Default Authorization Rule......Page 471
Shared RACs......Page 472
Migrating from Groups to RACs......Page 473
Policy Replication and Backup......Page 474
Unknown User Policy......Page 475
Known, Unknown, and Discovered Users......Page 476
General Authentication of Unknown Users......Page 477
Domain-Qualified Unknown Windows Users......Page 478
Multiple User Account Creation......Page 479
Authorization of Unknown Users......Page 480
Database Search Order......Page 481
Configuring the Unknown User Policy......Page 482
Disabling Unknown User Authentication......Page 483
Group Mapping by External User Database......Page 485
Creating an ACS Group Mapping for a Token Server, ODBC Database, or LEAP Proxy RADIUS Server Data.........Page 486
Group Mapping Order......Page 487
Creating an ACS Group Mapping for Windows or Generic LDAP Groups......Page 488
Editing a Windows or Generic LDAP Group Set Mapping......Page 490
Deleting a Windows Domain Group Mapping Configuration......Page 491
RADIUS-Based Group Specification......Page 492
Troubleshooting......Page 495
Administration Issues......Page 496
Cisco NAC Issues......Page 497
Database Issues......Page 500
Dial-in Connection Issues......Page 502
MaxSessions Issues......Page 505
Report Issues......Page 506
User Authentication Issues......Page 508
TACACS+ and RADIUS Attribute Issues......Page 509
TACACS+ AV Pairs......Page 511
TACACS+ Accounting AV Pairs......Page 513
Before Using RADIUS Attributes......Page 515
Cisco IOS Dictionary of RADIUS IETF......Page 516
Cisco IOS/PIX 6.0 Dictionary of RADIUS VSAs......Page 518
About the cisco-av-pair RADIUS Attribute......Page 519
Cisco VPN 3000 Concentrator/ASA/PIX 7.x+ Dictionary of RADIUS VSAs......Page 520
Cisco Airespace Dictionary of RADIUS VSA......Page 524
IETF Dictionary of RADIUS IETF (AV Pairs)......Page 525
Microsoft MPPE Dictionary of RADIUS VSAs......Page 533
Ascend Dictionary of RADIUS AV Pairs......Page 535
Juniper Dictionary of RADIUS VSAs......Page 542
CSUtil Database Utility......Page 543
CSUtil Command Syntax......Page 544
Backing Up ACS with CSUtil.exe......Page 545
Restoring ACS with CSUtil.exe......Page 546
Creating an ACS Internal Database......Page 547
Creating an ACS Internal Database Dump File......Page 548
Loading the ACS Internal Database from a Dump File......Page 549
Compacting the ACS Internal Database......Page 550
Importing User and AAA Client Information......Page 551
User and AAA Client Import File Format......Page 552
ONLINE or OFFLINE Statement......Page 553
ADD Statements......Page 554
DELETE Statements......Page 555
ADD_NAS Statements......Page 556
Exporting User List to a Text File......Page 557
Exporting Group Information to a Text File......Page 558
Decoding Error Numbers......Page 559
Adding a Custom RADIUS Vendor and VSA Set......Page 560
Deleting a Custom RADIUS Vendor and VSA Set......Page 561
Listing Custom RADIUS Vendors......Page 562
RADIUS Vendor/VSA Import File......Page 563
Vendor and VSA Set Definition......Page 564
Attribute Definition......Page 565
Example RADIUS Vendor/VSA Import File......Page 566
PAC File Options and Examples......Page 567
Generating PAC Files......Page 569
Posture-Validation Attribute Definition File......Page 570
Importing Posture-Validation Attribute Definitions......Page 573
Deleting a Posture-Validation Attribute Definition......Page 575
Deleting an Extended Posture-Validation Attribute Definition......Page 576
Default Posture-Validation Attribute Definition File......Page 577
VPDN Process......Page 583
accountActions Format......Page 587
accountActions Mandatory Fields......Page 588
Action Codes......Page 589
Action Codes for Creating and Modifying User Accounts......Page 590
Action Codes for Initializing and Modifying Access Filters......Page 595
Action Codes for Modifying TACACS+ and RADIUS Group and User Settings......Page 598
Action Codes for Modifying Network Configuration......Page 603
User-Specific Attributes......Page 608
Group-Specific Attributes......Page 610
An Example of accountActions......Page 611
Windows Services......Page 613
SQL Registry......Page 614
CSDBSync......Page 615
Monitoring......Page 616
Response......Page 617
CSTacacs and CSRadius......Page 618
Index......Page 619