This chapter covers the following topics:
This section describes the basic steps to log in to the CiscoSecure Administrator GUI interface and how to change the superuser password.
To manage the CiscoSecure ACS using the web-based interface, you need a web browser that supports Java and JavaScript. The web-based interface operates on any hardware platform that supports the web browsers listed in the readme.txt file and release notes.
To access and log in to the CiscoSecure Administrator:
Step 1 From any workstation with a web connection to the ACS, open your web browser.
Step 2 Enter one of the following URLs for the CiscoSecure Administrator web site:
http://your_server/cs
https://your_server/cs
The CiscoSecure ACS Logon page displays.

Step 3 Enter your user name and password and click Submit.
After you log in, the CiscoSecure ACS main page appears, displaying the main menu options along the top.
The CiscoSecure ACS Main menu page appears only if the user provides a name and password that have an administrator privilege level. If the name and password have only user-level privileges, a different screen appears. For more on this, refer to the section "User-Level Functions (Changing a Password)" later in this chapter.

Several options appear at the top of the page:
| Button | Description |
|---|---|
| Main | Return to the Main menu. |
| Member | Display the user and group related sub-options: Add, Edit, Delete, Browse, and View. |
| Member: Add | Add users to the existing database. |
| Member: Edit | Edit privileges, passwords, access, and other parameters for a specified user. |
| Member: Delete | Delete users from the existing database. |
| Member: Browse | Provide a means to browse a group or user hierarchy. |
| Member: View | Enable the administrator to view the profile of a specified user. |
| AAA | Display server and NAS related sub-options: General, NAS, Domain, Re-initialize. |
| AAA: General | Configure the current CiscoSecure ACS with TACACS+-related options. |
| AAA: NAS | Add and configure TACACS+-enabled NASes as CiscoSecure ACS clients. |
| AAA: Domain | Configure the CiscoSecure ACS to authenticate or route users logging in with local or remote domain name strings. |
| AAA: Re-initialize | Initialize the new CiscoSecure ACS General, NAS, or Domain settings without terminating and restarting server operations. |
| Help | Access instructions for a specified aspect of CiscoSecure ACS. |
| Advanced | Takes the user to the CiscoSecure Administrator Java-based advanced configuration program. For details on using this program, see "Starting the Advanced Configuration Program" in the chapter, "Advanced Group and User Management." |
| Log Off | Log off CiscoSecure. |
The default administrator of the CiscoSecure ACS is "superuser," and the default password is "changeme." As a security measure, Cisco recommends that you change the password for superuser as quickly as possible after installing the CiscoSecure ACS.
Step 1 In the CiscoSecure ACS web menu bar, click Member and then click Edit.
Step 2 In the Edit a User page, enter superuser in the User Name to Edit field.
Step 3 Click Edit.
Step 4 Enter your new password string in the Password field.
Valid characters for passwords are:
Step 5 Verify your entry by entering the new password again in the Confirm field and clicking Save.
CiscoSecure displays a confirmation of the password change.
The operations described in this section are carried out through the CiscoSecure ACS web pages. They are the quickest and most frequently executed of CiscoSecure operations. These operations include:
To add a user to the CiscoSecure ACS database, use the Add a User web page. The Add a User web page enables you to quickly set up a user profile with basic password information.
Add a user profile as follows:
Step 1 In the CiscoSecure ACS web menu bar, click Member and Add. The Add a User page appears.

Step 2 Enter the Group of which this user will be a member.
If you need to search the database for the correct group, click Browse... to the right of the field. The Browse screen appears. For more on using the Browse function, refer to the section "Browsing Groups and Users" later in this chapter.
Step 3 Enter the name of the new user in the User Name field.
Step 4 Enter a password for this user in the Password field. An asterisk will appear in place of each letter.
Step 5 Retype the password in the Confirm field.
The Password and Confirm entries must agree. If the entry in the Password field does not agree with the entry in the Confirm field, you will be prompted to retype.
Step 6 Click any of the three check boxes to indicate the type of authentication methods to use with the specified password:
Step 7 Specify the level of ACS administration this user can exercise using the Web Privilege radio button. Click one of the following:
Step 8 Click More to access more Authentication options for this user. The Add a User page changes. See Figure 3-4.

The additional fields in the Add a User page include several new authentication methods:
Each of these types requires a custom configuration. For more information on S/Key, CRYPTOCard, Enigma, and SDI, see the chapter, "Token Server Support."
Step 9 Select one or more of the check boxes if one or more of the additional password types is required.
Step 10 When you have finished, click one of the following:
Use the Edit a User web page to modify the configuration of an existing user profile:
Step 1 In the CiscoSecure ACS web menu bar, click Member and Edit. The initial Edit a User page appears.

Step 2 In the User Name to Edit field, enter the name of the user whose password and privilege you want to edit.
If you don't know the name of the user you want to edit, click Browse at the top of the menu to access the edit menu. See the section "Browsing Groups and Users" later in this chapter for details.
Step 3 When the name you need appears in the User Name to Edit field, click Edit.
The full Edit a User page appears.

Step 4 Specify the Group this user will be a member of, if required. If the specified user is a member of another group, this reassigns the user.
If you need to search the database for the correct group, click Browse... to the right of the field. The Browse screen will appear. For more on using the Browse function, refer to the section "Browsing Groups and Users" later in this chapter.
Step 5 Enter a password for this user in the Password field. An asterisk will appear for each letter you type.
Step 6 Retype the password in the Confirm field.
The Password and Confirm entries must agree. If the entry in the Password field does not agree with the entry in the Confirm field, you will be prompted to retype.
Step 7 If you want this user's password to be specified in a UNIX password-format file rather than on this web page, enter the path to that file in the Password File field.
Step 8 If required, select one or more of these check box options:
Step 9 If required, select/deselect one or more of these check box options:
Step 10 When you have finished, click one of the following:
If you select Save, a confirmation of the edit appears.
Step 11 Continue to edit users as required or click Main to return to the Main menu.
Use the Delete a User button to delete a user from the CiscoSecure database:
Step 1 In the CiscoSecure ACS web menu bar, click Member and click Delete. The Delete a User page appears.

Step 2 Enter the name of the current user whose profile you want to delete in the User Name field.
If you don't know the name of the user you want to delete, click Browse at the top of the menu and delete the user through that option. For more on the Browse option, refer to the section "Browsing Groups and Users" later in this chapter.
Step 3 When the name you need appears in the User Name field, click Delete.
Step 4 Continue to delete users as required.
Step 5 When you are finished, click the Main button to return to the Main menu.
The Browse option can be used to review the CiscoSecure ACS database for both users and groups. Through this option, you can:
To access a user or group directly, use the View option. See the next section "Viewing Groups and Users" for more information.
To browse the CiscoSecure database:
Step 1 In the CiscoSecure ACS web menu bar, click Member and Browse. The Browse page appears.

This screen consists of two sections:
In addition to names, each section contains several icons. The names to the right of these icons serve as links to other menu options within the program.
| Icon | Means |
|---|---|
| (group icon) | A group. Click this symbol to access the Profile and member information for the specified group. |
| (user icon) | A user. Click this symbol to access the Profile information for the specified user. |
| (Add User icon) | Add a user to the specified group. This is another way to access the Add a User screen. |
| (RADIUS dictionary icon) | This represents one of the RADIUS dictionaries stored in the database. These include IETF, Cisco, and Ascend. The HTML-based GUI is not designed to edit these dictionaries. |
| (NAS icon) | This represents a NAS. All values to the right of this indicate the NAS configuration. The HTML-based GUI is not designed to edit this information. |
| (AAA server icon) | This represents a AAA server (one type of which is a CiscoSecure ACS). All values to the right of this indicate the AAA configuration. The HTML-based GUI is not designed to edit this information. |
| (Pencil icon) | Edit the specified user. This is another way to access the Edit a User screen. |
| (Delete User icon) | Delete the specified user. This is another way to access the Delete a User screen. |
Step 2 To view the profile for a specific group or user, click the group/user name. Alternatively, click on the icon to the left of the name. The group or user profile for the selected item appears.
For more on deciphering the meaning of the terms and statistics appearing in the profiles, refer to the next section "Viewing Groups and Users."
Step 3 Click the icons indicated above to add users to a specific group, edit a specific user profile, or delete a user from the database.
(a) To add a user to a specified group, click the Add User icon. The Add a User screen appears. Refer to the section "Creating a Quick User Profile" earlier in this chapter for details.
(b) To edit a specific user, click the Pencil icon to the right of that user's name. The Edit a User screen appears with the user's information displayed. Refer to the section "Quick Editing a User Profile" earlier in this chapter for details.
(c) To delete a specific user, click the Delete User icon to the right of the user's name. The Delete a User screen appears. Refer to the section "Deleting a User Profile" earlier in this chapter for details.
Step 4 Review data and perform operations as required. To return to the Main menu, click Main.
Use the View option to see the profile for a selected user or group. Depending on the complexity of the values assigned to a particular user or group, the profile can contain many different attributes, each of which is defined in this section.
To view a selected profile:
Step 1 In the CiscoSecure ACS web menu bar, select Member and View. A screen appears prompting you to specify the group or the user whose profile data you want to view.

Step 2 Select one of the following:
Step 3 Enter the user or group name in the Name field.
If you can't remember the name, click Browse to look through the entire database.
Step 4 Click Submit Query. A page appears displaying profile information for the specified group or user.

The page shows the profile of the selected user or group. While the example profile above is relatively simple, a profile can contain a great deal of information on the attributes and values assigned to the selected user or group.
To learn more about an attribute, click on the attribute word. Each attribute word is linked to its definition.
Step 5 When you are finished inspecting the profile, select View to see another profile, or click another button to access another function.
The profile seen on the View screen can contain information on any number of attributes assigned to a selected user or group. Attributes are derived from several internetworking protocols, including TACACS+ and RADIUS.
Attributes are normally arranged in rows, with greater levels of detail arranged in columns from left to right across each row. For example, the Password attribute usually follows the rows identifying the profile_id, profile_cycle, and group name. In the password row, a number of columns define, from left to right: the attribute name, the password type, the password value, and the beginning and ending dates between which this password is effective.
| Attribute | Definition | Value |
|---|---|---|
| profile_id | ID number assigned to the profile by the database. This number is generated internally and cannot be edited by the user. | - |
| profile_cycle | This number starts at 1 and is incremented by one each time the profile is modified. This number is generated internally and cannot be edited by the user. | - |
| group (shown as the group icon) | If this is a user profile, the group to which the user is currently assigned. Groups can also be members of other groups. | - |
| password | Type of password this is, followed by the actual password in quotation marks, followed by the beginning and ending dates during which this password is effective. | CHAP, PAP, clear, and so on |
| privilege | Whether this profile is web-enabled and what the privilege level is. There are three privilege levels. Only valid when Privilege = Web. | None: no privileges. User: users can change their password via the CiscoSecure ACS GUI. Administrator: users can add/delete/modify their own and other users' profiles. |
In many cases the profile won't be more complicated than the profile shown in Figure 3-10. There are occasions, however, when profiles can be far more complex, particularly when a large number of authentication and response attributes have been assigned for a particular user or group. In such cases, the profile may look more like the following example.

As Figure 3-11 shows, a great deal of diverse information can be contained in a profile. This includes:
CiscoSecure users have two ways of connecting to the CiscoSecure ACS for the purpose of changing their personal passwords.
CiscoSecure users to whom you assign web privilege (privilege level 1) have the ability to access the CiscoSecure CSUser web page for the purpose of changing their individual password.
CiscoSecure users with web privilege can access this web page as follows:
Step 1 From any workstation with a web connection to the ACS, open your web browser.
Step 2 Enter one of the following URLs for the CiscoSecure Administrator web site:
http://your_server/cs
https://your_server/cs
The CiscoSecure ACS user logon page displays.

Step 3 Click Change Password.
A new screen appears.

Step 4 Specify the type of password that you want to change. For example CHAP or PAP.
Step 5 Enter a new password in the Password field.
Step 6 Verify this new password by entering the same password in the Verify field.
Step 7 Click Submit. The new password is stored in the database.
Step 8 Click Finish to exit this screen.
Users can change their own login passwords during a VTY or Telnet session if they are using the TACACS+ protocol, as follows:
Step 1 Connect to the NAS.
Step 2 Enter your username at the NAS prompt.
Step 3 Press Return at the prompt requesting you to enter a password.
Step 4 Enter yes at the prompt asking if you want to change your password.
Step 5 Enter your existing password at the prompt.
Step 6 Enter your new password at the prompt.
Step 7 Enter your new password a second time to verify that it is correct.
To exit the web-based interface, click Logoff.
Normally the CiscoSecure ACS software starts automatically when you shut down and restart the SPARCstation where it is installed. There are times, however, when you may want to start CiscoSecure ACS manually or shut it down without shutting down the entire SPARCstation.
Step 1 Log in as root to the SPARCstation where you installed CiscoSecure ACS.
Step 2 From the SPARCstation's UNIX command line, invoke the script file that starts or stops the CiscoSecure ACS. The S80 script starts the ACS; the K80 script stops it:
# /etc/rc2.d/S80CiscoSecure
# /etc/rc0.d/K80CiscoSecure
The autorestart feature of CiscoSecure automatically closes down and restarts the CiscoSecure ACS if its AAA or DBServer components abnormally abort.
A process called "CiscoAuto" is started during CiscoSecure startup. If the AAA or DBServer component aborts, CiscoAuto detects this event and performs the following actions:
1) Shuts down the CiscoSecure ACS.
2) Saves any core files in the CSU or DBServer directories to the $BASE/corefiles directory and compresses them.
3) Restarts the CiscoSecure ACS.
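The three AutoRestart actions above, as an added illustration in POSIX shell; this is not the CiscoAuto program itself. The $BASE default, the CSU and DBServer directory layout, the process-name patterns in WATCHED, and the polling interval are assumptions for the example.

```shell
# Added example modelled on the AutoRestart behaviour described above; it is not
# Cisco's CiscoAuto. BASE, the directory layout, WATCHED and POLL_SECS are assumed.
BASE="${BASE:-/tmp/cs-example}"
CORE_SRC_DIRS="${CORE_SRC_DIRS:-$BASE/CSU $BASE/DBServer}"
START_SCRIPT="${START_SCRIPT:-/etc/rc2.d/S80CiscoSecure}"
STOP_SCRIPT="${STOP_SCRIPT:-/etc/rc0.d/K80CiscoSecure}"
WATCHED="${WATCHED:-CSU DBServer}"   # assumed command-line patterns to pgrep for
POLL_SECS="${POLL_SECS:-30}"

# Action 2: move every core file from the component directories into
# $BASE/corefiles, prefixed with component name and timestamp so a later abort
# never overwrites an earlier dump, then gzip it. Prints the number archived.
# Core dumps can hold credentials from memory, so the directory is owner-only.
archive_cores() {
    dest="$BASE/corefiles"
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    count=0
    for dir in $CORE_SRC_DIRS; do
        [ -d "$dir" ] || continue
        for core in "$dir"/core "$dir"/core.*; do
            [ -f "$core" ] || continue
            name="$(basename "$dir")-$stamp-$(basename "$core")"
            mv "$core" "$dest/$name" && gzip -f "$dest/$name" || return 1
            count=$((count + 1))
        done
    done
    echo "$count"
}

# Actions 1 to 3 in CiscoAuto's order: stop the ACS, archive cores, start it.
recover() {
    "$STOP_SCRIPT"
    archive_cores >/dev/null
    "$START_SCRIPT"
}

# Supervisor loop: poll each watched component and recover on the first abort.
watchdog() {
    while :; do
        for comp in $WATCHED; do
            pgrep -f "$comp" >/dev/null 2>&1 || { recover; break; }
        done
        sleep "$POLL_SECS"
    done
}
```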
You can customize or disable the AutoRestart feature by specifying several command-line switches with the S80CiscoSecure startup command. The switches are as follows: