This chapter covers the following topics:
When you installed the CiscoSecure ACS, you either specified a single NAS as a TACACS+-enabled ACS client or you allowed any NAS with a matching secret TACACS+ key to act as an ACS client. The CiscoSecure ACS AAA NAS web page enables you to add, configure, and delete profiles of TACACS+-enabled NASes as ACS clients.

Step 2 When the AAA NAS page appears, specify the name of the NAS client that you want to add or configure.
The NAS configuration page appears.

Step 3 Fill in or edit the appropriate fields:
Note If you use their IP addresses to specify your NASes, use either all regular expressions (for example, 10.10.1) or all fully defined IP addresses (for example, 10.10.1.48). Do not define one of your NASes with a regular expression and other NASes with fully defined subsets of that expression.
Step 4 Click Save and then click Re-Initialize at the top right of the page to effect the changes.
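A check for the mixing rule in the Note above, added here as an example (it is not code from the original page or from CiscoSecure ACS). It assumes that the ACS applies a non-dotted-quad NAS entry as an unanchored regular expression, which the Note implies but does not state; the sample client list is constructed.

```python
import re
from typing import List, Tuple

# Constructed NAS client list for the example: one regular-expression style
# entry (as in the Note above) mixed with fully defined IP addresses.
SAMPLE_NAS_CLIENTS = ["10.10.1", "10.10.1.48", "192.168.5.7", "10.10.2"]

DOTTED_QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def is_full_ip(spec: str) -> bool:
    """True when spec is a fully defined IPv4 address such as 10.10.1.48."""
    if not DOTTED_QUAD.match(spec):
        return False
    return all(0 <= int(octet) <= 255 for octet in spec.split("."))


def find_overlaps(specs: List[str]) -> List[Tuple[str, str]]:
    """Return (pattern, address) pairs where a regular-expression entry
    would also match a fully defined entry in the same list.

    Assumption (not stated on the page): the ACS applies the entry as an
    unanchored regular expression, so the '.' in 10.10.1 matches any
    character and 10.10.1 matches 10.10.1.48 as well as 10.10.10.5.
    """
    patterns = [s for s in specs if not is_full_ip(s)]
    addresses = [s for s in specs if is_full_ip(s)]
    overlaps = []
    for pattern in patterns:
        regex = re.compile(pattern)
        for address in addresses:
            if regex.search(address):
                overlaps.append((pattern, address))
    return overlaps


def is_consistent(specs: List[str]) -> bool:
    """True when the list follows the Note: every entry a regular expression
    or every entry a fully defined address, never a mix."""
    full = [is_full_ip(s) for s in specs]
    return all(full) or not any(full)


if __name__ == "__main__":
    for pattern, address in find_overlaps(SAMPLE_NAS_CLIENTS):
        print(f"regex {pattern!r} also matches fully defined NAS {address!r}")
    print("consistent:", is_consistent(SAMPLE_NAS_CLIENTS))
```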
To delete an existing profile of a TACACS+-enabled NAS client, do as follows:
Step 2 In the TACACS+ NAS Configurations list box, select the profile name of the NAS that you want to disable as a CiscoSecure ACS client and click Delete.
Step 3 Click Re-Initialize at the top right of the page to effect the change.
The CiscoSecure Administrator advanced configuration program provides a special tabbed NASes page for adding NASes as RADIUS-enabled clients to the CiscoSecure ACS.
To display, add, copy, delete, edit, or unlock the NASes configured as RADIUS-enabled clients, follow these steps:
Step 2 (Optional) To update the list of NASes, click the NASes button at the top of the list of available NASes. The Administrator window will reload from the database and get the current list of available NASes. This is useful when more than one person is making changes to NAS profiles.
Step 3 Click the IP address in the left column to display NAS profile information. (See Figure 6-3.)

The following information displays:
To add a NAS to the list of CiscoSecure ACS clients:
Step 2 Enter the IP address of the new NAS in the NAS IP Address field.
Step 3 If necessary, log in to the NAS and input the appropriate NAS configuration commands as described in the "Changing Profile Information for a RADIUS-Enabled NAS" section.
TimeSaver To create a NAS profile with characteristics similar to one already created, just click the IP address of the similar NAS, then click Copy. You can then modify individual characteristics of the new NAS by clicking Edit.
To change the information for a RADIUS-enabled NAS client, follow these steps:
Step 2 Click Edit.
Step 3 Click the field you want to change. The following information can be changed:
Step 4 Type or select the new information.
Step 5 When you have finished, click one of the following:
To delete a NAS as a RADIUS-enabled client:
Step 2 Click Delete. The name of the NAS will be removed from the list.
The CiscoSecure ACS AAA General web page enables you to specify authentication methods, time zone, and logging mode options for the CiscoSecure ACS server.

Step 2 Check off the authentication methods that you want the ACS to support. The choices are:
Note For any Max Sessions Enabled selection to take effect, the CiscoSecure ACS must be stopped and restarted, not simply "Re-Initialized." See step 10 of this procedure.
Max Sessions Enabled selections are:
Step 6 In the Max. Failed Authentications field, specify the maximum number of failed authentication attempts allowed per user. This field specifies the number of failed logins allowed each user before CiscoSecure disables that user's account. This feature minimizes the possibility of successful third-party "random password generator" attacks on CiscoSecure user accounts.
Note To enable user accounts that are disabled by this feature, see the "Clearing the Failed Logins Counter" section.
Step 8 If necessary, select additional logging options in the Logging Options pane. This specifies the types of system messages that the CiscoSecure ACS will record to a system log file that you specify through the UNIX syslog utility.
Note To implement RADIUS logging options, first open the Java-based CiscoSecure Administrator advanced configuration program, click the Servers tab, select the current server, click Edit, enable the Debugging option and click Done. Then return to the AAA General page and enable the appropriate logging options described below.
Note For details on setting up the UNIX system log file, see "UNIX Syslog Configuration" in the chapter "Troubleshooting Information" in the CiscoSecure ACS 2.3 for UNIX Reference Guide.
Caution Cisco recommends that you leave these logging options unchanged. If necessary, these options can be selected for troubleshooting purposes in communication with Cisco Technical Support.
The logging options you can enable are as follows:
Step 9 Click Re-Initialize at the top of the page to implement the changes you have made in the AAA>General page.
Step 10 In addition, if you have made changes to the Max Sessions Enabled selection, you must also stop and restart the CiscoSecure ACS for that selection change to take effect.
a. Log in as root to the SPARCStation where you installed CiscoSecure ACS. To stop the ACS, enter:
b. To restart the CiscoSecure ACS, enter:
Caution If accounting information is still being written when the /etc/rc0.d/K80CiscoSecure script is invoked to stop the ACS, the DBServer module of the ACS will not shut down until it finishes writing all accounting information to the RDBMS. This process might take as long as 10 minutes. Do not attempt to shut down the DBServer by other means during this process. Loss of accounting data might result.
The Servers tab in the Java-based CiscoSecure Administrator advanced configuration program enables you to carry out simple RADIUS-specific configuration of all CiscoSecure ACSes installed on the network and using the same CiscoSecure database. To configure another ACS on the network, you create a profile for that ACS and edit its parameters.
To display, add, copy, delete, edit, or unlock the available CiscoSecure ACS RADIUS settings profiles:
Step 2 (Optional) To update the list of access control servers, click Servers at the top of the list of available servers. The Administrator window will reload the current list of available access control server profiles from the database. This is useful when more than one person can make changes to the ACS profiles.
Step 3 Click a server's IP address in the left window. The CiscoSecure ACS displays information about the server. (See Figure 6-5.)

Note You can move between fields by clicking the field with the mouse or pressing the Tab key.
The following fields and information display:
Note The Perform Profile Caching field applies to both RADIUS and TACACS+ server profiles.
To add an access control server profile to the list:
Step 2 Enter the IP address for the access server in the Server Name field.
Step 3 If necessary, change the configuration as described in the "Changing RADIUS Profile Information for an ACS" section.
TimeSaver To create a server profile with characteristics similar to those of an existing server profile, click the IP address of the existing server profile, then click Copy. You can then modify individual characteristics, if necessary, by clicking Edit.
To change RADIUS profile information for an ACS server:
Step 2 Click the field for the information you want to change for your server.
Step 3 Type or select the new information. Some of the information cannot be changed. The information you can change depends on your system and desired operation of the ACS. For an explanation of the fields on this screen, see the "Managing RADIUS Settings on the ACS" section.
Note The directories mentioned in the following list should already exist.
Step 4 When you have finished, click one of the following:
To delete an access control server profile:
Step 2 Click Delete. The IP address of the server profile will be removed from the list.
The following RADIUS dictionaries are installed when you select the RADIUS protocol during installation:
Note These dictionaries cannot be changed or deleted; however, you can create copies and change the copies.
Note You do not need to configure dictionary support for the TACACS+ protocol.
To display the RADIUS dictionaries:
Step 2 (Optional) To update the list of dictionaries, click Dictionaries at the top of the list of available dictionaries. The Administrator window will reload from the database and get the current list of available dictionaries. This is useful when more than one person can make changes to the dictionary profiles.
Step 3 Click the name of the dictionary for which you want to display information.
The dictionary attributes display.

For each attribute, a summary line is displayed containing the following information:
| Attribute | Type | Format |
|---|---|---|
| string | Displayable ASCII | Length cannot exceed 253 characters |
| ipaddr | 4 octets | Octets must be in network byte order |
| integer | 32-bit value | Big endian order (high byte first) |
| date | 32-bit value | Big endian order; seconds since 00:00:00 GMT, January 1, 1970 |
| abinary | ASCII character set | Length cannot exceed 254 characters |
| enum | 32-bit value | Subset of integers |
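An encoder for the attribute types in the table above, added here as an example (not code from the original page or from CiscoSecure ACS). It goes one step beyond the table by wrapping each value in the standard RADIUS type/length/value attribute layout of RFC 2865, which is why a string is capped at 253 characters; the attribute ID and sample values are constructed.

```python
import struct
from datetime import datetime
from ipaddress import IPv4Address

# A whole RADIUS attribute (1-byte type + 1-byte length + value) is at most
# 255 octets, which is where the 253-character limit for strings comes from.
MAX_ATTRIBUTE_LEN = 255


def encode_value(fmt: str, value) -> bytes:
    """Encode one value according to the dictionary type rules in the
    table above. Raises ValueError on a length or range violation."""
    if fmt == "string":
        data = value.encode("ascii")          # displayable ASCII only
        if len(data) > 253:
            raise ValueError("string value longer than 253 characters")
        return data
    if fmt == "abinary":
        data = value.encode("ascii")
        if len(data) > 254:
            raise ValueError("abinary value longer than 254 characters")
        return data
    if fmt == "ipaddr":
        return IPv4Address(value).packed      # 4 octets, network byte order
    if fmt in ("integer", "enum"):
        if not 0 <= value < 2 ** 32:
            raise ValueError("integer value does not fit in 32 bits")
        return struct.pack("!I", value)       # big endian, high byte first
    if fmt == "date":
        if isinstance(value, datetime):
            value = int(value.timestamp())    # seconds since 1970-01-01 00:00:00 GMT
        if not 0 <= value < 2 ** 32:
            raise ValueError("date value does not fit in 32 bits")
        return struct.pack("!I", value)
    raise ValueError(f"unknown dictionary type {fmt!r}")


def encode_attribute(attr_id: int, fmt: str, value) -> bytes:
    """Wrap an encoded value in the standard RADIUS type/length/value
    layout (RFC 2865), which the table above does not show."""
    payload = encode_value(fmt, value)
    length = 2 + len(payload)
    if not 0 <= attr_id <= 255 or length > MAX_ATTRIBUTE_LEN:
        raise ValueError("attribute id or length out of range")
    return struct.pack("!BB", attr_id, length) + payload


if __name__ == "__main__":
    # Attribute 4 is NAS-IP-Address in the IETF dictionary (RFC 2865).
    print(encode_attribute(4, "ipaddr", "10.10.1.48").hex())
```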
Step 4 To view the detailed information for a specific attribute, click that attribute's magnifying glass icon.
When you click the attribute's magnifying glass, its detailed information appears in an attribute editor frame at the bottom of the page. The detailed information includes:
To add a dictionary to the list:
Step 2 Enter the name of the dictionary to add.
Step 3 If necessary, change the configuration as described in the "Changing RADIUS Dictionary Information" section.
TimeSaver To create a dictionary with characteristics similar to one already created, just click the name of the similar dictionary, then click Copy. You can then modify individual characteristics of the new dictionary by clicking Edit.
Step 2 Click New. A dialog with the prompt "Create a Dictionary Mnemonic using ID XX, or enter another, unused ID" opens.
Step 3 Enter the appropriate identification and click OK. The new attribute will be created with the ID you entered.
Caution Use caution when editing dictionaries. Changes to a dictionary will affect all users who are using that dictionary. Only experienced RADIUS system administrators should attempt to edit dictionaries.
Take the following steps to change the information for a dictionary:
Note The Cisco11.1, Cisco11.2, Cisco11.3, Ascend, Ascend5, and IETF dictionaries cannot be changed.
Step 2 Click Edit. The magnifying glass view icons become pencil edit icons. (See Figure 6-7.)
Step 3 If you want to change the vendor ID for the entire dictionary, click vendor= in the lower right corner, enter a new ID number in the Enter Vendor ID dialog box, and click OK.
Step 4 If you want to change the detailed information for a specific attribute, click that attribute's pencil icon.
You can then edit that attribute's detailed information fields in the attribute edit frame at the bottom of the page:
a. Click the pencil icon to edit the values or the paper icon to add a new value.
b. Click the checkmark icon to apply changes, the broken pencil icon to cancel changes, or the X icon to delete a value.
For details on the fields, see the "Managing RADIUS Dictionaries" section.
Note Clicking the checkmark icon applies changes to memory only. Changes are not applied to the database until you click Done or Save.
Step 5 When you have finished, click one of the following:
For more information on the Dictionaries window, see the chapter "RADIUS Attribute-Value Pairs and Dictionary Management" in the CiscoSecure ACS 2.3 for UNIX Reference Guide.
To delete a dictionary:
Step 2 Click Delete. The name of the dictionary will be removed from the list.

The CiscoSecure Properties window opens. To view the system summary, click the Summary Statistics tab. (See Figure 6-9.)

To view expired passwords, click the Expired Passwords tab. (See Figure 6-10.)

If the number of consecutive failed logins for a given user exceeds the number set in the Max. Failed Authentications field of the CiscoSecure ACS AAA General web page, that user's account is temporarily disabled.
To reenable a user account disabled by too many consecutive failed authentications:
Step 2 Reset the failed logins count by locating and selecting the server-current-failed logins icon in the Profile pane. Then, do one of the following:
The ACS increments the counter by one for each failed login attempt. If the current count for a user is below the global number and the user logs in successfully, the counter is reset to zero.
Step 3 Reenable the user profile by locating and selecting the profile status icon on the Profile pane. Then do one of the following:
Step 4 Click Submit to confirm the user profile's enabled status.
If you maintain an Internet service accessed by various customers maintaining separate virtual private dial-up networks (VPDNs), the CiscoSecure ACS Domain web page enables you to authenticate VPDN users logging in to access local domains and route VPDN users logging in to access remote domains.
You can configure the CiscoSecure ACS to recognize and authenticate users logging in with specific local domain name strings. You can also configure CiscoSecure ACS to recognize and route users logging in with specific remote domain name strings to the home gateway NAS of those domains.
Note This section provides information only on setting up the CiscoSecure ACS to support login to existing VPDNs. For background information on setting up VPDNs, see the Cisco IOS Release 11.3 Dial Solutions Configuration Guide, Cisco document number 78-4732-01.
To configure the ACS to handle user login strings with domain names:

Step 2 In the Domain Name field, enter the name of the remote domain that CiscoSecure users might want to access.
For example, in the login string "sam@zephyr.com," "zephyr.com" is the domain name.
Step 3 In the Delimiter field, select the delimiter character.
This is the character that separates the username from the domain name. For example, for the login string, "sam@zephyr.com," "@" is the delimiter.
Step 4 In the Domain Name Position field, specify the domain name position in relation to the delimiter. Select Before or After.
Step 5 In the Domain Type field, specify whether the domain is local or remote.
Step 6 Click Add Domain.
The domain name string you specified is displayed either in the Local Domains or Remote Domains list box.
Step 7 Click Re-Initialize at the top of the page to effect the changes.
You can enter a local domain name in the CiscoSecure Administrator GUI in the Domain Name\User Name format.
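A model of the Domain Name, Delimiter, Domain Name Position and Domain Type fields described in the procedure above, added here as an example (not code from the original page or from CiscoSecure ACS). The rule table is constructed: zephyr.com is the page's own example, the other domain names are hypothetical, and the handling of a login string that matches no configured domain is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DomainRule:
    """One row of the Domain web page: name, delimiter, position, type."""
    name: str         # Domain Name field
    delimiter: str    # Delimiter field
    position: str     # Domain Name Position: "before" or "after" the delimiter
    kind: str         # Domain Type: "local" or "remote"


# Constructed rule table: zephyr.com is the page's own example; the other
# two domain names are hypothetical.
SAMPLE_RULES = [
    DomainRule("zephyr.com", "@", "after", "remote"),
    DomainRule("isp.example", "@", "after", "local"),
    DomainRule("CORP", "\\", "before", "local"),   # Domain Name\User Name form
]


def split_login(login: str, rule: DomainRule) -> Optional[Tuple[str, str]]:
    """Return (username, domain) when login carries this rule's domain on
    the configured side of the delimiter, otherwise None."""
    if rule.delimiter not in login:
        return None
    left, _, right = login.partition(rule.delimiter)
    user, domain = (left, right) if rule.position == "after" else (right, left)
    # Assumption: domain names compare case-insensitively, as in DNS.
    if domain.lower() != rule.name.lower():
        return None
    return user, domain


def dispatch_login(login: str, rules: List[DomainRule]) -> dict:
    """Decide what the ACS does with a login string: authenticate locally,
    route to the remote domain's home gateway, or report no matching rule."""
    for rule in rules:
        parsed = split_login(login, rule)
        if parsed is None:
            continue
        user, domain = parsed
        action = "authenticate" if rule.kind == "local" else "route-to-home-gateway"
        return {"action": action, "user": user, "domain": domain}
    # Assumption: the page does not say what the ACS does with a login string
    # that matches no configured domain, so it is reported unchanged here.
    return {"action": "no-matching-domain", "user": login, "domain": None}
```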
To delete access to a local or remote domain:
Step 2 In the Local Domains or Remote Domains list box, select the domain name string you want to disable, then click either Delete Local or Delete Remote, whichever is applicable.
The selected domain name string disappears from the list box.
Step 3 Click Re-Initialize at the top of the page to effect the changes.
To exit the Administrator program, click Logoff.
Note When you log out of the Java-based CiscoSecure Administrator advanced configuration program, the program might require several minutes to shut down.
Posted: Sun Apr 2 16:13:07 PDT 2000
Copyright 1989 - 2000 © Cisco Systems Inc.