Configuring CiscoSecure GRS


This chapter provides information on configuring CiscoSecure Global Roaming Server (GRS) using the graphical user interface (GUI) as well as on enabling and using the CiscoSecure GRS features.


Note For information on configuring some Virtual Private Dial-Up Network (VPDN) features, see "Configuring the NAS for Use with CiscoSecure GRS."

Note The term domain in this document is interchangeable with the term realm.

Configuring CiscoSecure GRS

You can configure CiscoSecure GRS by the following methods:

Starting the GUI

The default directory for the GUI startup script, grs_gui, is /opt/CSCOgrs/bin. If you did not select the default directory during installation, modify your entries accordingly.

To start the CiscoSecure GRS GUI, start CiscoSecure GRS as described in the "Starting CiscoSecure GRS" section, then enter the following command:

./grs_gui

Initial Configuration of CiscoSecure GRS

If this is not the first time you are starting the CiscoSecure GRS GUI and you have not changed data stores (from flatfile to Oracle or vice versa), skip to the "Additional Configuration for CiscoSecure GRS Using the GUI" section.

Express Setup Wizard

If this is the first time you are starting the CiscoSecure GRS GUI or if you have changed data stores, the Express Setup Wizard guides you through the steps necessary for basic CiscoSecure GRS configuration. The CiscoSecure GRS Express Setup Welcome window opens. (See Figure 3-1.)


Figure 3-1: CiscoSecure GRS Express Setup Welcome Window

Local Domain Setup Window

The Local Domain Setup window opens automatically. (See Figure 3-2.)


Figure 3-2: Local Domain Setup Window

Enter the information for your system. (See the "Preparing to Install CiscoSecure GRS" section.)

Default NAS Setup Window

After you have entered the required information in the Local Domain Setup window, the Default NAS Setup window opens automatically. (See Figure 3-3.)


Figure 3-3: Default NAS Setup Window

Enter some or all of the following information for the network access server (NAS), depending on which AAA protocols you are using on the NAS:

Enter the shared secret (password). Make sure the shared secret exactly matches the shared secret that is configured on the NAS.
Enter the shared secret. Make sure the shared secret exactly matches the shared secret that is configured on the NAS.
When you have finished entering information, click Finish.

The message shown in Figure 3-4 appears.


Figure 3-4: Express Setup Complete Window

At this point, your CiscoSecure GRS local domain is configured and remote domains are configured to use the defaults. You must now configure any remote domains and additional NASes. You might also need to configure Properties. Click Dismiss. The CiscoSecure GRS GUI opens to the GRS Configuration window. (See Figure 3-5.)

Additional Configuration for CiscoSecure GRS Using the GUI

This section provides additional instructions for configuring CiscoSecure GRS using the GUI. For information on configuring CiscoSecure GRS using the CLI, see the "Minimum Configuration for CiscoSecure GRS Using the CLI" section.

GRS Configuration Window

The GRS Configuration window features a navigation tree on the left and a workspace with tabs on the right. (See Figure 3-5.)


Figure 3-5: CiscoSecure GRS Configuration Window

The icons and tabs change according to what is selected in the navigation tree.

The GRS Configuration Summary tab opens in the workspace and displays a summary of the data in the data store:

If no ACS is configured, the following message is displayed:
No ACS information for this domain

GUI Toolbar

The row of buttons at the top of the window is called a toolbar. (See Figure 3-6.)


Figure 3-6: CiscoSecure GRS GUI Toolbar

Use the toolbar to perform the following tasks:


Note Five of the toolbar buttons are duplicated at the bottom of the window: Insert, Delete, Reset All, Reset Tab, and Commit. These buttons function the same as the buttons in the toolbar. You can also perform some of these same tasks using the drop-down menus. All methods have identical effects.

Save Summary to File Option

All of the drop-down menu selections are the same as the buttons in the toolbar, with one addition. From the File menu, you can click Save Summary to File to save a summary of the information on the active tab to an ASCII file.

Domains

This section contains information on adding and configuring domains using the GUI.


Note You must click Commit in the toolbar at the top of the window or Commit Local Domain at the bottom to save changes. You must also enter ACS information or you will be unable to commit changes.

Adding a Domain

To add a domain, follow these steps:

Step 1 From the GRS Configuration window, click Insert. You are asked whether to add a domain or NAS. (See Figure 3-7.)


Figure 3-7: Insert New Item Dialog Box

Step 2 Click Domain. The New Domain window opens.

Step 3 Click the General tab and enter the name of the new domain.

Step 4 Click the ACS tab and enter the following information:

Step 5 Click Commit.


Note You might need to configure additional properties.

Deleting a Domain

To delete a domain, follow these steps:

Step 1 In the navigation tree, select the name of the domain to delete.

Step 2 Click Delete. You are prompted to confirm the deletion.

Step 3 Click Yes to confirm or No to cancel the deletion.

Configuring or Reconfiguring a Domain

In the navigation tree, click the name of the domain to configure. The following tabs display in the workspace:

Domain Summary Tab

To view a summary of the domain information, click the Domain Summary tab. The Domain Summary tab opens in the workspace. (See Figure 3-8.)


Figure 3-8: Domain Summary Tab

Domain General Tab

To view or change the domain general information, click the Domain General tab. The Domain General tab opens in the workspace. (See Figure 3-9.)


Figure 3-9: Domain General Tab

You can view or change the information for the domain. See the "GRS Configuration Window" section for an explanation of each field.

Domain Type

This control restricts or allows the domain to accept only VPDN, non-VPDN, or both types of authentication requests.

Inserting a Domain AV Pair into an Accounting Packet

To insert the domain name into the information listed in accounting packets, check the Insert domain AV pair into local domain accounting packets check box. This adds the domain name to the end of accounting packets going to the local domain in the format domain=domainname. This item is not available if your local domain is RADIUS. The other effect is removal of the domain name from the username in the accounting packet. For example, mary@isp1.com becomes mary, and domain=isp1.com is added to the end of the packet. See the "Accounting for the ISP" section for more information.

When you have finished making changes, click Commit.

Restricting IP Addresses and Pools

To restrict IP addresses and IP address pools from the ACS, follow these steps:

Step 1 In the GRS Configuration window, select the domain of the ACS.

Step 2 Check the Restrict IP Address and Pools from ACS check box. A darker shade of gray in the box indicates that this feature is enabled. When this feature is enabled, the NAS or ACS always controls the IP address pools and addresses. CiscoSecure GRS limits the allowed IP addresses and pools returned by the ACS to those configured for the domain. See the "Domain IP Address Range Tab" section and the "Domain IP Pools Tab" section for more information.

Step 3 When you have finished making changes, click Commit.

Domain ACS Tab

To view or change the Domain ACS information, click the Domain ACS tab. The Domain ACS tab opens in the workspace. (See Figure 3-10.)


Figure 3-10: Domain ACS Tab

Enter the host name and shared secret for each ACS you want to add. You can enter as many ACSes as you want. If CiscoSecure GRS fails to connect to the first ACS on the list, it will try to connect to the next ACS, and so on down the list. The amount of time CiscoSecure GRS waits before moving to the next ACS on the list depends on the values for the Number of retries and Seconds between retries parameters set on the Domain General tab. See the "Domain General Tab" section for more information.

Use the Type drop-down list to select the type of access control. The options are described below.

  • A+A+A: Authentication, authorization, and accounting

  • A+A+X: Authentication and authorization only

  • X+X+A: Accounting only

Additionally, the NAS timeout must be set to an interval smaller than the Seconds between retries setting so that the NAS does not time out before CiscoSecure GRS can retry. To change the order of the ACSes on the list, you must delete and reenter the applicable ACS.

To add an ACS, enter the information in the Host Name (name or IP address) and Secret (shared secret) dialog boxes, then click Add.

To update information for an existing ACS, select the ACS whose information you want to change, enter the new information, then click Update.

When you have finished making changes, click Commit.

Domain IP Address Range Tab

To view or change the IP Address Range information, click the Domain IP Address Range tab. The IP Address Range tab opens in the workspace. (See Figure 3-11.)


Figure 3-11: Domain IP Address Range Tab

To add a domain IP address range, enter the information in the Start IP Address and Stop IP Address dialog boxes, then click Add.

To update information for an existing domain IP address range, select the address range whose information you want to change, enter the new information, and click Update.

To delete an existing range, click the range, then click Delete.

You can enter multiple address ranges. CiscoSecure GRS will check all of the ranges to determine if the address returned by the ACS for the dial-in user is valid for the domain. When you have finished making changes, click Commit.
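
The range check described above, modeled as an added example (this is not CiscoSecure GRS code). The class and function names, the sample ranges, and the decision to refuse a reply whose address is out of range are assumptions; the page only states that the address is checked against every configured range.

```python
# Added example: models the per-domain range check; not CiscoSecure GRS code.
from ipaddress import IPv4Address


class DomainRanges:
    """Inclusive Start/Stop IPv4 ranges configured for one domain."""

    def __init__(self, name):
        self.name = name
        self.ranges = []  # (start, stop) pairs, both ends inclusive

    def add(self, start, stop):
        lo, hi = IPv4Address(start), IPv4Address(stop)
        if lo > hi:
            raise ValueError(f"{self.name}: start {lo} is above stop {hi}")
        self.ranges.append((lo, hi))

    def allows(self, address):
        """True if address lies inside any configured range."""
        try:
            ip = IPv4Address(address)
        except ValueError:
            return False  # malformed value from the remote ACS
        return any(lo <= ip <= hi for lo, hi in self.ranges)


def check_acs_address(domain, restrict, address):
    """Return (accepted, reason) for the address an ACS returned.

    Assumption: an out-of-range address causes the reply to be refused;
    the page only says the address is checked for validity.
    """
    if not restrict:
        return True, "restriction disabled for domain"
    if address is None:
        return True, "ACS returned no address"
    if domain.allows(address):
        return True, "address inside a configured range"
    return False, f"{address} is outside every range for {domain.name}"


def build_sample_domain():
    """Constructed sample data: two ranges for a remote domain."""
    d = DomainRanges("isp1.com")
    d.add("10.1.0.1", "10.1.0.254")
    d.add("192.168.5.10", "192.168.5.20")
    return d


if __name__ == "__main__":
    dom = build_sample_domain()
    for addr in ("10.1.0.254", "192.168.5.21", "10.1.0.300", None):
        print(addr, check_acs_address(dom, True, addr))
```
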

Domain IP Pools Tab

To view or change the IP Pools information, click the Domain IP Pools tab. The Domain IP Pools tab opens in the workspace. (See Figure 3-12.)


Figure 3-12: Domain IP Pools Tab

This tab serves as a translation table and as a range-checking table if the range-checking box is highlighted on the General tab.


Note If you are doing translation, you must enter the information on this tab, even if you have not highlighted the range-checking box.

To add a domain IP address pool, enter the following information:

For example, if a TACACS+ ACS returns an IP Pool Name of ippool1, the IP address pool name that is returned to the TACACS+ NAS is ippool2. The RADIUS IP address pool name is returned to the NAS as 1. This allows you to perform the following actions:


Note The RADIUS Mapped Name must be a number from 1 through 9. All 3 fields must be filled in, even if you do not plan to do any translation.

When you have finished entering information, click Add.

To update information for an existing domain IP address pool, select the pool name whose information you want to change, enter the new information, then click Update.

To delete an existing domain IP address pool, select the name of the pool, then click Delete.

When you have finished making changes, click Commit.

Domain Stripping Tab

To view or change the domain stripping information, click the Domain Stripping tab. The Domain Stripping tab opens in the workspace. (See Figure 3-13.)


Figure 3-13: Domain Stripping Tab

Enabling Stripping

To enable stripping, follow these steps:

Step 1 Check one or more of the following boxes to select the packet types for which you want to enable stripping:

Step 2 In the Domain Strip String text box, enter the matching domain information to strip. You can use any alphanumeric character, but special characters such as pound (#), dollar ($), percent (%), and ampersand (&) cannot be used.

Step 3 Click Commit.

Partial Domain Matching

Partial domain matching enables you to allow CiscoSecure GRS to accept partial domains to strip. For example, if the entire domain is mary@eng.dept.cisco, you can configure CiscoSecure GRS to strip dept.cisco so the user is passed as mary@eng. You can use this feature, for example, to pass packets off to another company's users and still use your own ACS.

Follow these steps to enable partial domain matching:

Step 1 Enable stripping as described in the "Enabling Stripping" section.

Step 2 Check Allow Partial Domain Matches.

Step 3 Enter the name of the subdomain for which to enable partial domain stripping. You can use any special character, such as percent (%), asterisk (*), pound (#), and so on, to indicate a prefix, suffix, or subdomain delimiter.

If you try to use the same character to indicate more than one type of delimiter, CiscoSecure GRS will return an error message.

Step 4 When you have finished making changes, click Commit.

Alternatively, you can set this feature in the grs.ini file.
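
The username rewriting described in "Partial Domain Matching" and in "Inserting a Domain AV Pair into an Accounting Packet", modeled as an added example (not CiscoSecure GRS code). The function names, the "@" and "." delimiters, the case-insensitive comparison, and matching only at a subdomain boundary are assumptions; the sample AV pairs are constructed.

```python
# Added example: models username handling at a roaming proxy; not GRS code.
FORBIDDEN = set("#$%&")  # characters the page says a strip string cannot use


def validate_strip_string(strip):
    """Reject an empty strip string or one using a forbidden character."""
    bad = sorted(FORBIDDEN & set(strip))
    if not strip or bad:
        raise ValueError(f"invalid strip string {strip!r}: {bad or 'empty'}")
    return strip


def strip_domain(username, strip, allow_partial=False,
                 suffix_delim="@", sub_delim="."):
    """Return the username to pass on after stripping.

    Assumptions: "@" separates user from domain, "." separates subdomains,
    and domain comparison ignores case.
    """
    validate_strip_string(strip)
    user, sep, domain = username.rpartition(suffix_delim)
    if not sep or not user:
        return username  # no domain part, nothing to strip
    if domain.lower() == strip.lower():
        return user  # the whole domain matches the strip string
    tail = sub_delim + strip
    if allow_partial and domain.lower().endswith(tail.lower()):
        # Match only at a subdomain boundary, so "xdept.cisco" is untouched.
        kept = domain[: -len(tail)]
        return user + suffix_delim + kept if kept else user
    return username


def accounting_rewrite(username, av_pairs, suffix_delim="@"):
    """Model of the "Insert domain AV pair" option for accounting packets.

    The domain is removed from the username and appended to the end of
    the packet as domain=<domainname>.
    """
    user, sep, domain = username.rpartition(suffix_delim)
    if not sep or not user or not domain:
        return username, list(av_pairs)
    return user, list(av_pairs) + [f"domain={domain}"]


if __name__ == "__main__":
    print(strip_domain("mary@eng.dept.cisco", "dept.cisco", allow_partial=True))
    # Constructed AV pairs for a sample accounting packet.
    print(accounting_rewrite("mary@isp1.com", ["service=ppp", "protocol=ip"]))
```
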

DNIS Tab

To view or change the dialed number identification service (DNIS) information, click the DNIS tab. The DNIS tab opens in the workspace. (See Figure 3-14.)


Figure 3-14: DNIS Tab

This tab associates telephone numbers with the selected domain.

To add a telephone number, enter a number in the DNIS Number field and click Add. Repeat this for each telephone number that will be associated with this domain. When you are finished, click Commit.


Note Depending on the NAS, the number used might or might not include area codes.

If a user dials in and the DNIS authentication fails, or the DNIS number is not configured into CiscoSecure GRS, a domain-based proxy will be attempted.

Attribute Insert/Modify Tab

To view or change the attributes that are filtered or modified, click the Attr Insert/Modify tab. The Attr Insert/Modify tab opens in the workspace. (See Figure 3-15.)


Figure 3-15: Attr Insert/Modify Tab

Filtering Attributes


Note When performing a RADIUS-to-RADIUS proxy, authentication Attribute 26, an attribute specific to your organization, can be filtered. However, do not filter this attribute for VPDN domains because VPDN-related information is stored in it.

To filter an attribute, follow these steps:

Step 1 Select an attribute to filter from the Attribute list box.

Step 2 Select Filter from the Action list box.

Step 3 Click Add. This attribute will be filtered.

Step 4 Repeat this procedure for each attribute to filter. When you are finished, click Commit.

Modifying Attributes

To filter an attribute and replace it with a different value, follow these steps:

Step 1 Select an attribute to filter from the Attribute list box.

Step 2 Select Insert/Modify from the Action list box.

Step 3 Enter a value in the Destination Value field.

Step 4 Click Add. This attribute's value will be replaced with the Destination Value setting.

Step 5 Repeat this procedure for each attribute to modify. When you are finished, click Commit.


Note Some RADIUS attributes use numbers to represent the actual value. For example, Attribute 6 (Service-Type) has the following values: 1 = Login, 2 = Framed, 3 = Callback-Login, and so on. Make sure you place the correct number in the Destination Value field.
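
The Filter and Insert/Modify actions and the two notes above, modeled as an added example (not CiscoSecure GRS code). The function names and rule tuples are assumptions, as is inserting an attribute that is absent from the packet; Service-Type values beyond the three on the page are taken from RFC 2865, and the sample attributes are constructed.

```python
# Added example: a model of per-domain Filter and Insert/Modify rules.
SERVICE_TYPE = 6
VENDOR_SPECIFIC = 26
# Service-Type numbers; the page lists 1-3, the rest are from RFC 2865.
SERVICE_TYPE_VALUES = {
    1: "Login", 2: "Framed", 3: "Callback-Login", 4: "Callback-Framed",
    5: "Outbound", 6: "Administrative", 7: "NAS-Prompt",
    8: "Authenticate-Only", 9: "Callback-NAS-Prompt", 10: "Call-Check",
    11: "Callback-Administrative",
}
ACTIONS = ("Filter", "Insert/Modify")


def lint_rules(rules, domain_is_vpdn):
    """Return a list of problems in (attribute, action, value) rules."""
    problems = []
    for attr, action, value in rules:
        if action not in ACTIONS:
            problems.append(f"attribute {attr}: unknown action {action!r}")
        elif action == "Filter" and attr == VENDOR_SPECIFIC and domain_is_vpdn:
            problems.append("attribute 26 holds VPDN information; "
                            "do not filter it for a VPDN domain")
        elif action == "Insert/Modify" and attr == SERVICE_TYPE:
            text = str(value)
            if not text.isdecimal() or int(text) not in SERVICE_TYPE_VALUES:
                problems.append(f"attribute 6: {value!r} is not a "
                                "Service-Type number")
    return problems


def apply_rules(attrs, rules):
    """Apply rules to a list of (number, value) pairs in packet order."""
    filtered = {a for a, act, _ in rules if act == "Filter"}
    replace = {a: v for a, act, v in rules if act == "Insert/Modify"}
    out, seen = [], set()
    for num, val in attrs:
        if num in filtered:
            continue  # attribute is dropped from the packet
        if num in replace:
            out.append((num, replace[num]))  # value is overwritten
            seen.add(num)
        else:
            out.append((num, val))
    # Assumption: an Insert/Modify attribute missing from the packet is added.
    out.extend((n, v) for n, v in replace.items() if n not in seen)
    return out


if __name__ == "__main__":
    # Constructed reply: Service-Type 6, a vendor-specific value, an address.
    reply = [(6, "6"), (26, "constructed-vsa"), (8, "10.1.0.5")]
    rules = [(6, "Insert/Modify", "2"), (26, "Filter", None)]
    print(lint_rules(rules, domain_is_vpdn=True))
    print(apply_rules(reply, rules))
```
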

Network Access Servers

This section contains information on adding and configuring NASes using the GUI.

Viewing a Summary of Configured NASes

To see a list of the NASes configured for use with your CiscoSecure GRS, in the navigation tree, click NAS. The NAS Summary tab opens in the workspace. (See Figure 3-16.)


Figure 3-16: NAS Summary Tab

The NAS Summary tab displays the following information:

Adding a NAS

To add a NAS, follow these steps:

Step 1 From the GRS Configuration window, click Insert. The Insert New Item dialog box opens. (See Figure 3-17.)


Figure 3-17: Insert New Item Dialog Box

Note If NAS is highlighted in the navigation tree when you click Insert, you will not get the dialog box above. You will be taken directly to the New NAS window.

Step 2 Click NAS. The New NAS window opens in the workspace. (See Figure 3-18.)


Figure 3-18: New NAS Window

Step 3 Enter the name of the new NAS.

Step 4 Enter the shared secret (password) to be used.

Step 5 From the AAA Protocol Type drop-down box, select one of the following AAA protocol types:

Step 6 (Optional) To make the selected NAS the default NAS for the TACACS+ or RADIUS protocol, check the Set As Default check box. A darker shade of gray indicates that this option is enabled.

Step 7 In the Timeout text box, enter the number of seconds to wait for a reply from the NAS. If this time is reached, the authentication is canceled.

Step 8 Click Commit.

Step 9 Click Yes to confirm changes or No to cancel changes.

Deleting a NAS

To delete a NAS, follow these steps:

Step 1 In the navigation tree, select the name of the NAS to delete.

Step 2 Click Delete. You are prompted to confirm the deletion.

Step 3 Click Yes to confirm or No to cancel the deletion.

Configuring or Reconfiguring a NAS

In the navigation tree, click the name of the NAS to configure.

NAS Summary Tab

The NAS Summary tab opens in the workspace. (See Figure 3-19.)


Figure 3-19: NAS Summary Tab

The following information displays:

NAS General Tab

To view or change the general information for the selected NAS, click the General tab. The NAS General tab opens in the workspace. (See Figure 3-20.)


Figure 3-20: NAS General Tab

Information you can change on this tab includes the following:

To change the name of the NAS, highlight the existing name and enter the new name.
To change the shared secret, highlight the existing password and enter the new password.
To change the AAA protocol type, select the new type from the drop-down menu:

  • Cisco TACACS+

  • Cisco RADIUS

  • IETF standard RADIUS

  • Ascend RADIUS

When you have finished making changes, click Commit.

Translation Summary Tab

To see a list of AV pairs that will be translated between the listed AAA protocols, in the navigation tree, click Translation. The Translation Summary tab opens in the workspace. (See Figure 3-21.)


Figure 3-21: Translation Summary Tab

Note This tab is used only to display a summary of the translation table; you cannot make changes to the translation table in the GUI.

To see a list of the AV pairs that are translated for each listed translation (for example, IETF standard RADIUS-to-Cisco TACACS+), in the navigation tree, click the type of translation you want to view. The Summary tab for the selected translation opens in the workspace. (See Figure 3-22.)


Figure 3-22: Translation Summary Tab

Properties Window

To configure CiscoSecure GRS properties, click Properties in the navigation tree. The Properties Summary tab opens in the workspace. (See Figure 3-23.)


Figure 3-23: The Properties Summary Tab

Note Any changes you make using the Properties Summary tab are reflected in the grs.ini file. After you change Properties, you must restart CiscoSecure GRS for the new values to take effect.

Properties Summary Tab

The Properties Summary tab lets you view the following information. See the applicable section for each tab for more information.

Properties General Tab

To configure general attributes, click the Properties General tab. The Properties General tab opens in the workspace. (See Figure 3-24.)


Figure 3-24: Properties General Tab

Use the Properties General tab to configure the following parameters:

When you have finished making changes, click Commit Properties.

WWW Monitor

To configure the port number that the web browser should use to view statistics and the machine on which to use the browser, follow these steps:

Step 1 Click the Properties WWW Monitor tab. The Properties WWW Monitor tab opens in the workspace. (See Figure 3-25.)


Figure 3-25: Properties WWW Monitor Tab

Step 2 To enable or disable the ability to view statistics using a web browser, click the Enable Web Browser Access check box. A darker gray color in this box indicates that browser access is enabled.

Step 3 To change the port on which to run the web browser, check the Accept Web Browser Requests on Port check box and enter the new port number.

Step 4 To add a workstation to the list of those allowed to monitor CiscoSecure GRS using a web browser, enter the name or IP address in the Client Host Name text box and click Add. The name or IP address appears in the Client Access List box.

Step 5 To delete a workstation from the list of those allowed to monitor CiscoSecure GRS using a web browser, in the Client Access List box, click the name or IP address of the workstation to delete and click Delete.

Step 6 When you have finished making changes, click Commit Properties.

See the "Viewing CiscoSecure GRS Status and Current Users" section for more information.

Data Store

To change data stores from flatfile to Oracle and vice versa, click the Properties Data Store tab. The Properties Data Store tab opens in the workspace. (See Figure 3-26.)


Figure 3-26: Properties Data Store Tab

You can change the following information:


Note See "Changing CiscoSecure GRS Data Stores" for important information on the requirements for changing data stores.

When you have finished making changes, click Commit.

Stripping

To configure stripping of domains, follow these steps:

Step 1 Click the Properties Stripping tab. The Properties Stripping tab opens in the workspace. (See Figure 3-27.)


Figure 3-27: Properties Stripping Tab

Step 2 Enter the matching domain information to strip. You can use any alphanumeric character, but it is best to use special characters such as pound (#), dollar ($), percent (%), and ampersand (&) so that they do not conflict with user and domain names.

Step 3 When you have finished making changes, click Commit.

GUI

The CiscoSecure GRS online help is in HyperText Markup Language (HTML) format, so CiscoSecure GRS must have a web browser configured to view the online help file. Follow these steps:

Step 1 Click the Properties GUI tab. The Properties GUI tab opens in the workspace. (See Figure 3-28.)


Figure 3-28: Properties GUI Tab

Step 2 To change the browser you use to view the CiscoSecure GRS online help, highlight the current information and enter the exact command to start the browser you want to use. The default is netscape. See your browser documentation for more information.

Step 3 To change the print command, highlight the current information and enter the exact command for your printer. The default is lp (line printer). See your printer documentation for more information.

Step 4 When you have finished making changes, click Commit Properties.

Saving a Configuration Summary

To save a summary of your CiscoSecure GRS configuration, follow these steps:

Step 1 From the File menu, select Save Summary. The Save Summary window opens. (See Figure 3-29.)


Figure 3-29: Save Summary Window

Step 2 Change to the path or folder you want, and enter a name for the file, then click OK to create a new file or Update to overwrite an existing file.

Exiting the GUI

To exit the GUI, follow these steps:

Step 1 Click Exit. You are prompted to confirm that you want to exit.

Step 2 Click Yes.

Restarting CiscoSecure GRS

There is a Restart button on the toolbar. To manually restart CiscoSecure GRS, click Restart in the toolbar.

Viewing CiscoSecure GRS Status and Current Users

To view domain session information for CiscoSecure GRS, you must use a web browser such as Netscape Navigator or Microsoft Internet Explorer. During installation, you should have specified a machine on which to run the web browser. See "Installing and Starting CiscoSecure GRS." If you did not select a browser during installation, see the "WWW Monitor" section for the instructions to configure this option.

Step 1 Run CiscoSecure GRS.

Step 2 Open your web browser. See your browser documentation for more information.

Step 3 Open the URL for the CiscoSecure GRS monitor. This URL is the name of the server on which CiscoSecure GRS is running, followed by a colon (:) and the number of the port you configured for monitoring CiscoSecure GRS via the web. For example, if CiscoSecure GRS is running on a server named server1 and is configured to run the web browser on port 1025, the URL would be:

    http://server1:1025

To find the port number:

Alternatively, you can view or set the port number in the grs.ini file.

The CiscoSecure Global Roaming Server Status window opens. (See Figure 3-30.)


Figure 3-30: CiscoSecure Global Roaming Server Status Window

The CiscoSecure Global Roaming Server Status window shows the following information:

Step 4 To refresh the information, click Reload in Netscape Navigator or Refresh in Internet Explorer. See your web browser documentation for more information.

Step 5 To exit the monitor, exit your web browser. See your web browser documentation for more information.


Posted: Wed Feb 24 12:12:22 PST 1999
Copyright © 1989-1999 Cisco Systems Inc.