This chapter covers the following topics:
Note: All changes made using the Administrator program are reflected in the database, and all changes made to the database are visible in the Administrator program after you have refreshed it.
Note: Many of the operations described in this chapter can also be carried out through the CiscoSecure command-line interface. For a description of the command-line interface, see the CiscoSecure ACS 2.3 for UNIX Reference Guide.
This section describes the basic steps to log in to the CiscoSecure Administrator GUI and how to change the superuser password.
To manage the CiscoSecure ACS using the Administrator program, you need a web browser that supports Java and JavaScript. The Administrator program operates on any hardware platform that supports the web browsers listed in the readme.txt file and release notes.
To access and log in to the CiscoSecure Administrator:
Step 2 Enter one of the following URLs for the CiscoSecure Administrator web site:
Note: URLs and server names are case sensitive; they must be typed with uppercase and lowercase letters exactly as shown.
The CiscoSecure ACS Logon page displays.

Step 3 Enter your username and password and click Submit.
After you log in, the CiscoSecure ACS main page appears, displaying the main menu options along the top.
Note: CiscoSecure ACS for UNIX allows Data Encryption Standard (DES)-encrypted passwords and SecurID ACE/Server authentication at the same time. To use both methods of authentication, do not specify the -D option when starting CiscoSecure ACS for UNIX.
The CiscoSecure ACS Main menu page appears only if the user provides a name and password that have an administrator privilege level. If the user provides a name and password that have only user-level privileges, a different screen appears. Refer to the "User-Level Functions (Changing a Password)" section.

Several options appear at the top of the page:

| Button | Description |
|---|---|
| Main | Return to the Main menu. |
| Member | Display the user and group related suboptions: Add, Edit, Delete, Browse, and View. |
| Add | Add users to the existing database. |
| Edit | Edit privileges, passwords, access, and other parameters for a specified user. |
| Delete | Delete users from the existing database. |
| Browse | Provide a means to browse a group or user hierarchy. |
| View | Enable the administrator to view the profile of a specified user. |
| AAA | Display server and NAS-related suboptions: General, NAS, Domain, Re-Initialize. |
| General | Configure the current CiscoSecure ACS with TACACS+-related options. |
| NAS | Add and configure TACACS+-enabled NASes as CiscoSecure ACS clients. |
| Domain | Configure the CiscoSecure ACS to authenticate or route users logging in with local or remote domain name strings. |
| Re-Initialize | Initialize the new CiscoSecure ACS General, NAS, or Domain settings without terminating and restarting server operations. |
| Help | Access instructions for a specified aspect of CiscoSecure ACS. |
| Advanced | Takes the user to the CiscoSecure Administrator Java-based advanced configuration program. For details on using this program, see "Starting the Advanced Configuration Program" in "Advanced Group and User Management." |
| Log Off | Log off CiscoSecure. |

NAS = network access server.
Note: The CiscoSecure ACS web menu bar appears in every HTML page throughout the CiscoSecure ACS web interface, so there is no need to return to the Main menu in order to access a new function.
The default administrator of the CiscoSecure ACS is "superuser," and the default password is "changeme." As a security measure, Cisco recommends that you change the password for superuser as quickly as possible after installing the CiscoSecure ACS.
Step 2 In the Edit a User page, enter superuser in the User Name to Edit field.
Step 3 Click Edit.
Step 4 Enter your new password string in the Password field.
Valid characters for passwords are:
Step 5 Verify your entry by entering the new password again in the Confirm field and clicking Save.
CiscoSecure displays a confirmation of the password change.
The operations described in this section are carried out through the CiscoSecure ACS web pages. They are the quickest and most frequently executed of CiscoSecure operations. These operations include:
To add a user to the CiscoSecure ACS database, use the Add a User web page. The Add a User web page enables you to quickly set up a user profile with basic password information.
Note: To set up more complex authentication, authorization, and accounting requirements for large numbers of similar users, Cisco recommends first using the Java-based CiscoSecure Administrator advanced configuration program to configure these requirements for a group profile. After the group profile is defined, you can use the Add a User web page to quickly add simple user profiles to the group profile. The advanced requirements you configured for the group will apply to each member user. See "Creating a Group Profile" in "Advanced Group and User Management" for details.
To add a user profile:

Step 2 Enter the Group of which this user will be a member.
If you need to search the database for the correct group, click Browse... to the right of the field. The Browse screen will appear. For more on using the Browse function, refer to the "Browsing Groups and Users" section later in this chapter.
Step 3 Enter the name of the new user in the User Name field.
Step 4 Enter an optional password for this user in the Password field. Valid characters for passwords are:
An asterisk will appear in place of each letter.
Step 5 Retype the password in the Confirm field.
The Password and Confirm entries must agree. If the entry in the Password field does not agree with the entry in the Confirm field, you will be prompted to retype.
Step 6 Click any of the three check boxes to indicate the type of authentication methods to use with the specified password:
Note: You can use Clear Text or CHAP passwords with RADIUS profiles. This allows you to use external databases with RADIUS.
Step 7 Specify the level of ACS administration this user can exercise using the Web Privilege button. Click one of the following:
Note: If you select any web privilege option other than None, you must also specify a password in the Password field. To satisfy the web privilege password requirement, a single blank space is minimally acceptable.
Step 8 Click More to access more authentication options for this user. The Add a User page changes. (See Figure 4-4.)

The additional fields in the Add a User page include several new authentication methods:
Note: If you select the Enigma authentication method and save the user profile, you will be given access to the SafeWord configuration pages after you add this profile. The next time you edit the profile, an Edit Enigma Token button appears. Click this button to configure the current user as a SafeWord user also. Refer to "Configuring Users for Secure Computing Token Card Use" in "Token Server Support."
Each of these encryption types requires custom configurations. For more information on S/Key, CRYPTOCard, Enigma, and SDI, see "Token Server Support."
Note: The functionality of any password type except ARAP, CHAP, PAP, and Outbound PAP is affected by its position in the user profile. If multiple unexpired password statements appear in a user profile, the AAA server will use the first appropriate password type that appears in the profile.
Step 9 Select one or more of the check boxes if one or more of the additional password types is required.
Step 10 When you have finished, click one of the following:
Use the Edit a User web page to modify the configuration of an existing user profile:

Step 2 In the User Name to Edit field, enter the name of the user whose password and privilege you want to edit.
If you don't know the name of the user you want to edit, click Browse at the top of the menu to access the edit menu. See the "Browsing Groups and Users" section for details.
Step 3 When the name you need appears in the User Name to Edit field, click Edit.
The full Edit a User page appears.

Step 4 Specify the Group this user will be a member of, if required. If the specified user is a member of another group, this reassigns the user.
Note: A user can only be a member of one group.
If you need to search the database for the correct group, click Browse... to the right of the field. The Browse screen will appear. For more information about using the Browse function, refer to the "Browsing Groups and Users" section.
Step 5 Enter an optional password for this user in the Password field. Valid characters for passwords are:
An asterisk will appear for each letter you type.
Step 6 Retype the password in the Confirm field.
The Password and Confirm entries must agree. If the entry in the Password field does not agree with the entry in the Confirm field, you will be prompted to retype.
Step 7 Specify the level of ACS administration this user can exercise using the Web Privilege button. Click one of the following:
Note: If you select any web privilege option other than None, you must also specify a password in the Password field. To satisfy the web privilege password requirement, a single blank space is minimally acceptable.
Step 8 If you want this user's password to be specified in a UNIX password-formatted file rather than on this web page, enter the path to that file in the Password File field.
Step 9 If required, select one or more of these check box options:
Step 10 If required, select/deselect one or more of these check box options:
Note: If you select the Enigma authentication method and save the user profile, you will be given access to the SafeWord configuration pages after you add this profile. The next time you edit the profile, an Edit Enigma Token button appears. Click this button to configure the current user as a SafeWord user also. See "Configuring Users for Secure Computing Token Card Use" in "Token Server Support."

Note: Each of these encryption types requires custom configuration. For more information about S/Key, CRYPTOCard, Enigma, and SDI, refer to "Token Server Support."
Step 11 When you have finished, click one of the following:
If you select Save, a confirmation of the edit appears.
Step 12 Continue to edit users as required or click Main to return to the Main menu.
Use the Delete a User button to delete a user from the CiscoSecure database:

Step 2 In the User Name field, enter the name of the user whose profile you want to delete.
If you don't know the name of the user you want to delete, click Browse at the top of the menu and delete the user through that option. For more on the Browse option, refer to the "Browsing Groups and Users" section.
Step 3 When the name you need appears in the User Name field, click Delete.
Step 4 Continue to delete users as required.
Step 5 When you are finished, click the Main button to return to the Main menu.
The Browse option can be used to review the CiscoSecure ACS database for both users and groups. Through this option, you can:
To access a user or group directly, use the View option. See the "Viewing Groups and Users" section for more information.
To browse the CiscoSecure database:

This screen consists of two sections:
In addition to names, each section contains several icons. The names to the right of these icons serve as links to other menu options within the program.
| Icon | Means |
|---|---|
| (group icon) | A group. Click this symbol to access the Profile and member information for the specified group. |
| (user icon) | A user. Click this symbol to access the Profile information for the specified user. |
| (Add User icon) | Add a user to the specified group. This is another way to access the Add a User screen. |
| (RADIUS dictionary icon) | This represents one of the RADIUS dictionaries stored in the database. These include IETF, Cisco, and Ascend. The HTML-based GUI is not designed to edit these dictionaries. |
| (NAS icon) | This represents a NAS. All values to the right of this indicate the NAS configuration. The HTML-based GUI is not designed to edit this information. |
| (AAA server icon) | This represents an AAA server (one type of which is a CiscoSecure ACS). All values to the right of this indicate the AAA configuration. The HTML-based GUI is not designed to edit this information. |
| (Pencil icon) | Edit the specified user. This is another way to access the Edit a User screen. |
| (Delete User icon) | Delete the specified user. This is another way to access the Delete a User screen. |
Step 2 To view the profile for a specific group or user, click the group/username. Alternatively, click on the icon to the left of the name. The group or user profile for the selected item appears.
For more on deciphering the meaning of the terms and statistics appearing in the profiles, refer to the "Viewing Groups and Users" section.
Step 3 Click the icons indicated above to add users to a specific group, edit a specific user profile, or delete a user from the database:
a. To add a user to a specified group, click the Add User icon. The Add a User screen appears. Refer to the "Creating a Quick User Profile" section. 
b. To edit a specific user, click the Pencil icon to the right of that user's name. The Edit a User screen appears with the user's information displayed. Refer to the "Editing a User Profile" section for details.
c. To delete a specific user, click the Delete User icon to the right of the user's name. The Delete a User screen appears. Refer to the "Deleting a User Profile" section for details.
Step 4 Review data and perform operations as required. To return to the Main menu, click Main.
Use the View option to see the profile for a selected user or group. Depending on the complexity of the values assigned to a particular user or group, the profile can contain many different attributes, each of which is defined in this section.
To view a selected profile:

Step 2 Select one of the following:
Step 3 Enter the user or group name in the Name field.
If you can't remember the name, click Browse to look through the entire database.
Step 4 Click Submit Query. A page appears displaying profile information for the specified group or user.

This provides a profile of the selected user or group. While the example profile above is relatively simple, the profile can contain a great deal of information on the attributes and values assigned to the selected user or group.
To learn more about an attribute, click on the attribute word. Each attribute word is linked to its definition.
Step 5 When you are finished inspecting the profile, select View to see another profile, or click another button to access another function.
The profile seen on the View screen can contain information on any number of attributes assigned to a selected user or group. Attributes are derived from several internetworking protocols, including TACACS+ and RADIUS.
Attributes are normally arranged in rows, with greater levels of detail arranged in columns from left to right within each row. For example, the Password attribute usually follows the rows identifying the profile_id, profile_cycle, and group name. In the password row, the columns from left to right define the attribute name, the password type, the password value, and the beginning and ending dates between which this password is effective.
| Attribute | Definition | Value |
|---|---|---|
| profile_id | ID number assigned to the profile by the database. This number is generated internally and cannot be edited by the user. | - |
| profile_cycle | This number starts at 1 and is incremented by one each time the profile is modified. This number is generated internally and cannot be edited by the user. | - |
| group | If this is a user profile, the group to which the user is currently assigned. Groups can also be members of other groups. | - |
| Password | Type of password, followed by the actual password in quotation marks, followed by the beginning and ending dates during which this password is effective. | CHAP, PAP, clear, and so on |
| Privilege | Whether this profile is web-enabled and what the privilege level is. There are three privilege levels. Only valid when Privilege = Web. | None---No privileges |
In many cases, the profile won't be more complicated than the profile shown in Figure 4-10. There are occasions, however, when profiles can be far more complex, particularly when a large number of authentication and response attributes have been assigned for a particular user or group. In such cases, the profile might look more like the example in Figure 4-11.

As Figure 4-11 shows, a great deal of diverse information can be contained in a profile. This includes:
CiscoSecure users have two ways of connecting to the CiscoSecure ACS for the purpose of changing their personal passwords.
CiscoSecure users to whom you assign web privilege (privilege level 1) have the ability to access the CiscoSecure CSUser web page for the purpose of changing their individual password.
Note: See the "Creating a Quick User Profile" section or the "Editing a User Profile" section for details on assigning a CiscoSecure user web privilege.
CiscoSecure users with web privilege can access this web page as follows:
Step 2 Enter one of the following URLs for the CiscoSecure Administrator web site:
Note: URLs and server names are case sensitive; they must be typed with uppercase and lowercase letters exactly as shown.
The CiscoSecure ACS user logon page displays.
User-Level Screen
Step 3 Click Change Password.
A new screen appears.
Step 4 Specify the type of password that you want to change, for example CHAP or PAP.
Enter a new password in the Password field. Valid characters for passwords are:
Step 5 Verify this new password by entering the same password in the Verify field.
Step 6 Click Submit. The new password is stored in the database.
Step 7 Click Finish to exit this screen.
Users can change their own login passwords during a VTY or Telnet session if the NAS through which they are accessing the network is using the TACACS+ protocol.
Step 2 Enter your username at the NAS prompt.
Step 3 Press Return at the prompt requesting you to enter a password.
Step 4 Enter yes at the prompt asking if you want to change your password.
Step 5 Enter your existing password at the prompt.
Step 6 Enter your new password at the prompt.
Step 7 Enter your new password a second time to verify that it is correct.
Note: This procedure cannot be used to change an encrypted password, such as a CHAP password. Additionally, one-time passwords (OTPs), such as token server passwords, cannot be changed.
If a future password is specified for a user, the user will not be able to log on with the future password until the date specified as the "from" date. After the date specified as the "until" date, the password is invalid, and the user will no longer be able to log on with it.
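The two rules stated above (a password is unusable before its "from" date and after its "until" date, and among unexpired statements the first matching type in profile order is the one the AAA server uses) can be modelled to check a profile's password ordering before it is saved. This is an added example, not CiscoSecure's own code; the profile layout, function names and sample dates are assumptions:

```python
"""Model of how the CiscoSecure AAA server picks a password statement.

Added illustration, not CiscoSecure code: the profile layout and the
helper names are assumptions. The rules modelled are the ones the guide
states: a statement is unusable before its "from" date and after its
"until" date, and among unexpired statements the first matching type in
profile order wins (the guide exempts ARAP, CHAP, PAP and Outbound PAP
from the position rule; this model applies it uniformly).
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class PasswordStatement:
    ptype: str                         # e.g. "clear", "chap", "pap"
    value: str                         # the password itself
    valid_from: Optional[str] = None   # ISO "from" date, inclusive
    valid_until: Optional[str] = None  # ISO "until" date, inclusive


def is_active(stmt: PasswordStatement, on: str) -> bool:
    """True if the statement can be used on the given ISO date."""
    today = date.fromisoformat(on)
    if stmt.valid_from and today < date.fromisoformat(stmt.valid_from):
        return False   # future password: not yet usable
    if stmt.valid_until and today > date.fromisoformat(stmt.valid_until):
        return False   # expired password
    return True


def select_password(profile: List[PasswordStatement], ptype: str,
                    on: str) -> Optional[str]:
    """Return the password value the server would use on that date, or
    None when no statement of that type is currently usable."""
    for stmt in profile:               # profile order decides ties
        if stmt.ptype == ptype and is_active(stmt, on):
            return stmt.value
    return None


def shadowed_statements(profile: List[PasswordStatement], on: str) -> List[str]:
    """Values of active statements that an earlier active statement of the
    same type hides, so they can never be used on that date."""
    seen = set()
    hidden = []
    for stmt in profile:
        if not is_active(stmt, on):
            continue
        if stmt.ptype in seen:
            hidden.append(stmt.value)
        else:
            seen.add(stmt.ptype)
    return hidden


# Constructed sample profile: a clear-text password that expires at the
# end of March 2000, a replacement that only becomes valid mid-April,
# and a CHAP secret with no date limits.
SAMPLE_PROFILE = [
    PasswordStatement("clear", "old-secret", valid_until="2000-03-31"),
    PasswordStatement("clear", "new-secret", valid_from="2000-04-15"),
    PasswordStatement("chap", "chap-secret"),
]

if __name__ == "__main__":
    for day in ("2000-03-31", "2000-04-01", "2000-04-15"):
        print(day, "clear ->", select_password(SAMPLE_PROFILE, "clear", day))
    # A stale entry with no "until" date placed before the intended one:
    stale_first = [PasswordStatement("clear", "stale"),
                   PasswordStatement("clear", "intended")]
    print("shadowed:", shadowed_statements(stale_first, "2000-04-01"))
```

The gap between the two clear-text dates in the sample (1 April to 14 April) is a period in which the user cannot log on with a clear-text password at all, which is the kind of mistake the check is meant to surface.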
To exit the Administrator program, click Logoff.
Note: For security reasons, the use of the Refresh button in Internet Explorer and the Shift + Reload feature in Netscape are not supported in the Advanced Administrator interface.

Note: If you are using Netscape and you want to log out of the Java-based CiscoSecure Administrator advanced configuration program, the program might require several minutes to shut down.
Normally, the CiscoSecure ACS software starts automatically when you shut down and restart the SPARCstation where it is installed. There are times, however, when you might want to start CiscoSecure ACS manually or shut it down without shutting down the entire SPARCstation.
Step 2 Invoke the script files to either start or stop the CiscoSecure ACS from the SPARCStation's UNIX command line.
Caution: If accounting information is still being written when the /etc/rc0.d/K80CiscoSecure script is invoked to stop the ACS, the DBServer module of the ACS will not shut down until it finishes writing all accounting information to the RDBMS. This process might take as long as 10 minutes. Do not attempt to shut down the DBServer by other means during this process. Loss of accounting data might result.
The CiscoSecure ACS startup process has been enhanced to autorestart the CiscoSecure ACS if its AAA or DBServer components abnormally abort. To provide this functionality, a new process, "CiscoAuto," is started during CiscoSecure startup. If the AAA or DBServer component aborts, CiscoAuto detects this event and performs a CiscoSecure restart. During this process, the following events occur:
1. The CiscoSecure ACS is shut down.
2. Any core files in the CSU or DBServer directories are moved to $BASEDIR/corefiles and compressed.
3. The CiscoSecure ACS is restarted.
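Step 2 of the restart sequence, moving core files from the CSU and DBServer directories into $BASEDIR/corefiles and compressing them, is reproduced below as an added example. It is not the CiscoAuto process itself; the directory layout, the archived file naming and the demo layout are assumptions. It keeps cores from the two components apart so that one does not overwrite the other:

```python
"""Core-file archiving step of a CiscoSecure-style auto-restart.

Added illustration, not the CiscoAuto process itself: directory names,
the naming of archived files and the demo layout are assumptions.
"""
import gzip
import os
import shutil
import tempfile
import time
from typing import Dict, List


def archive_corefiles(component_dirs: Dict[str, str], basedir: str) -> List[str]:
    """Move and gzip every file named 'core' or 'core.<pid>' found in the
    given component directories into <basedir>/corefiles.
    Returns the archive paths created, in component order."""
    dest = os.path.join(basedir, "corefiles")
    os.makedirs(dest, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archived = []
    for component, directory in component_dirs.items():
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if name != "core" and not name.startswith("core."):
                continue
            src = os.path.join(directory, name)
            # Prefix with the component and a timestamp so cores from CSU
            # and DBServer (both usually just 'core') do not collide.
            target = os.path.join(dest, f"{component}-{stamp}-{name}.gz")
            with open(src, "rb") as fin, gzip.open(target, "wb") as fout:
                shutil.copyfileobj(fin, fout)
            os.remove(src)          # the original is moved, not copied
            archived.append(target)
    return archived


def demo() -> List[str]:
    """Build a constructed layout with a core file in each component
    directory, archive them, and return the base names produced."""
    base = tempfile.mkdtemp(prefix="csacs-")
    dirs = {"CSU": os.path.join(base, "CSU"),
            "DBServer": os.path.join(base, "DBServer")}
    for d in dirs.values():
        os.makedirs(d)
        with open(os.path.join(d, "core"), "wb") as f:
            f.write(b"constructed core contents")
    result = [os.path.basename(p) for p in archive_corefiles(dirs, base)]
    leftovers = [d for d in dirs.values()
                 if os.path.exists(os.path.join(d, "core"))]
    shutil.rmtree(base)
    assert not leftovers, "originals must be removed after archiving"
    return result


if __name__ == "__main__":
    print(demo())
```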
The AutoRestart feature can be customized or disabled by specifying several command-line switches with the S80CiscoSecure startup command. The switches are as follows:
Posted: Sun Apr 2 16:12:45 PDT 2000
Copyright 1989 - 2000 © Cisco Systems Inc.