Index

INDEX

A

AAA Server

: control file for (CSU.cfg) 4-2
: module definition and description 1-3
: warning messages 2-4

about this guide ix

access control list (ACL) 6-5

access-enable 6-5

accounting

: data 8-10
: data files 8-10

Acct-Authentic attribute

: in Ascend-RADIUS dictionary 7-9
: in Cisco-RADIUS dictionary 7-4
: in IETF-RADIUS dictionary 7-6

Acct-Delay-Time attribute

: in Ascend-RADIUS dictionary 7-9
: in Cisco-RADIUS dictionary 7-4
: in IETF-RADIUS dictionary 7-6

AcctExport,overview description 1-5

Acct-Input-Octets attribute 7-4

: in Ascend-RADIUS dictionary 7-9
: in IETF-RADIUS dictionary 7-6

Acct-Input-Packets attribute

: in Ascend-RADIUS dictionary 7-9
: in IETF-RADIUS dictionary 7-6

Acct-Input-packets attribute

: in Cisco-RADIUS dictionary 7-4

Acct-Link-Count attribute, in IETF-RADIUS dictionary 7-7

Acct-Multi-Session-Id attribute, in IETF-RADIUS dictionary 7-6

Acct-Ouput-packets attribute, in Cisco-RADIUS dictionary 7-4

Acct-Output-Octets attribute

: in Ascend-RADIUS dictionary 7-9
: in Cisco-RADIUS dictionary 7-4
: in IETF-RADIUS dictionary 7-6

Acct-Output-Packets attribute

: in Ascend-RADIUS dictionary 7-9
: in IETF-RADIUS dictionary 7-6

AcctPurgeInterval parameter

: setting to support DBServer-based max sessions counting 4-22

AcctPurgeTimeout parameter

: setting to support DBServer-based max sessions counting 4-23

Acct-Session-Id attribute

: in Ascend-RADIUS dictionary 7-9
: in Cisco-RADIUS dictionary 7-4
: in IETF-RADIUS dictionary 7-6

Acct-Session-Time attribute

: in Ascend-RADIUS dictionary 7-9
: in Cisco-RADIUS dictionary 7-4
: in IETF-RADIUS dictionary 7-6

Acct-Status-Type attribute

: in Ascend-RADIUS dictionary 7-9
: in Cisco-RADIUS dictionary 7-4
: in IETF-RADIUS dictionary 7-6

Acct-Terminate-Cause attribute, in IETF-RADIUS dictionary 7-6

AddProfile command line 5-3

Ascend 7-1

Ascend attributes dictionary 7-8

Ascend-Add-Seconds attribute 7-13

Ascend-Ara-PW attribute 7-11

Ascend-Assign-IP-Client attribute, in Ascend-RADIUS dictionary 7-9

Ascend-Assign-IP-Global-Pool attribute, in Ascend-RADIUS dictionary 7-9

Ascend-Assign-IP-Pool attribute 7-12

Ascend-Assign-IP-Server attribute, in Ascend-RADIUS dictionary 7-9

Ascend-Authen-Alias attribute 7-12

Ascend-Backup attribute 7-11

Ascend-Base-Channel-Count attribute 7-11

Ascend-Billing-Number attribute 7-14

Ascend-Bridge attribute 7-13

Ascend-Bridge-Address attribute 7-10

Ascend-Callback attribute 7-14

Ascend-Call-By-Call attribute 7-14

Ascend-Call-Filter attribute 7-13

Ascend-Call-Type attribute 7-11

Ascend-Connect-Progress attribute 7-12

Ascend-Data-Filter attribute 7-13

Ascend-Data-Rate attribute 7-12

Ascend-Data-Svc attribute 7-14

Ascend-DBA-Monitor attribute 7-11

Ascend-Dec-Channel-Count attribute 7-13

Ascend-DHCP-Pool-Number attribute, in Ascend-RADIUS dictionary 7-9

Ascend-DHCP-Reply attribute, in Ascend-RADIUS dictionary 7-9

Ascend-Dial-Number attribute 7-13

Ascend-Disconnect-Cause attribute 7-12

Ascend-Expect-Callback attribute, in Ascend-RADIUS dictionary 7-9

Ascend-First-Dest attribute 7-11

Ascend-Force-56 attribute 7-14

Ascend-FR-Circuit-Name attribute 7-10

Ascend-FR-DCE-N392 attribute 7-10

Ascend-FR-DCE-N393 attribute 7-10

Ascend-FR-Direct attribute 7-12

Ascend-FR-Direct-DLCI attribute 7-13

Ascend-FR-Direct-Profile attribute 7-13

Ascend-FR-DLCI attribute 7-11

Ascend-FR-DTE-N392 attribute 7-10

Ascend-FR-DTE-N393 attribute 7-10

Ascend-FR-Link-Mgt attribute 7-10

Ascend-FR-LinkUp attribute 7-10

Ascend-FR-N391 attribute 7-10

Ascend-FR-Nailed-Grp attribute 7-10

Ascend-FR-Profile-Name attribute 7-11

Ascend-FR-T391 attribute 7-10

Ascend-FR-T392 attribute 7-10

Ascend-FR-Type attribute 7-10

Ascend-FT1-Caller attribute 7-11

Ascend-Group attribute 7-11

Ascend-Handle-IPX attribute 7-13

Ascend-History-Weigh-Type attribute 7-13

Ascend-Home-Agent-IP-Addr attribute 7-11

Ascend-Home-Agent-Password attribute 7-11

Ascend-Home-Agent-UDP-Port attribute 7-11

Ascend-Home-Network-Name attribute 7-11

Ascend-Host-Info attribute 7-14

Ascend-Idle-Limit attribute 7-14

Ascend-IF-Netmask attribute 7-10

Ascend-Inc-Channel-Count attribute 7-13

Ascend-IP-Direct attribute 7-12

Ascend-IP-Pool-Definition attribute 7-12

Ascend-IPX-Alias attribute 7-13

Ascend-IPX-Node-Addr attribute 7-11

Ascend-IPX-Peer-Mode attribute 7-12

Ascend-IPX-Route attribute 7-11

Ascend-Link-Compression attribute 7-13

Ascend-Maximum-Channels attribute 7-13

Ascend-Maximum-Time attribute 7-11

Ascend-Menu-Item attribute 7-12

Ascend-Menu-Selector attribute 7-12

Ascend-Metric attribute 7-13

Ascend-Minimum-Channels attribute 7-11

Ascend-MPP-Idle-Percent attribute 7-14

Ascend-Multicast-Client attribute 7-10

Ascend-Multicast-Rate-Limit attribute 7-10

Ascend-Multilink-ID attribute 7-11

Ascend-Netware-timeout attribute 7-13

Ascend-Number-Sessions attribute 7-12

Ascend-Num-In-Multilink attribute 7-11

Ascend-PPP-Address attribute 7-14

Ascend-PPP-Async-Map attribute 7-12

Ascend-PPP-VJ-1172 attribute 7-12

Ascend-PPP-VJ-Slot-Comp attribute 7-12

Ascend-Preempt-Limit attribute 7-14

Ascend-Pre-Input-Octets attribute 7-11

Ascend-Pre-Input-Packets attribute 7-11

Ascend-Pre-Output-Octets attribute 7-11

Ascend-Pre-Output-Packets attribute 7-11

Ascend-PreSession-Time attribute 7-12

Ascend-PRI-Number-Type attribute 7-13

Ascend-PW-Expiration attribute, in Ascend-RADIUS dictionary 7-8

Ascend-PW-Lifetime attribute 7-12

Ascend-PW-Warntime attribute 7-12

Ascend-Receive-Secret attribute 7-12

Ascend-Remote-Addr attribute 7-10

Ascend-Remove-Seconds attribute 7-13

Ascend-Require-Auth attribute 7-12

Ascend-Route-IP attribute 7-13

Ascend-Route-IPX attribute 7-13

Ascend-Seconds-Of-History attribute 7-13

Ascend-Send-Auth attribute 7-13

Ascend-Send-Passwd attribute 7-13

Ascend-Send-Secret attribute 7-12

Ascend-Session-Svr-Key attribute 7-10

Ascend-Target-Util attribute 7-13

Ascend-Third-Prompt attribute 7-12

Ascend-Token-Expiry attribute 7-12

Ascend-Token-Idle attribute 7-12

Ascend-Token-Immediate attribute 7-12

Ascend-Transit-Number attribute 7-14

Ascend-TS-Idle-Limit attribute 7-10

Ascend-TS-Idle-Mode attribute 7-11

attributes

: Ascend dictionary 7-8
: Cisco IOS dictionary 7-3
: dictionary of Ascend-RADIUS attributes 7-8 to 7-14
: dictionary of Cisco-RADIUS attributes 7-3 to 7-4
: dictionary of IETF-RADIUS attributes 7-5 to 7-7
: IETF dictionary 7-5

attribute-value pairs 7-1 to 7-8

: RADIUS 7-1

audience ix

authentication

: messages 2-12

B

: backing up SQLAnywhere database 8-18

C

Callback-Id attribute, in IETF-RADIUS dictionary 7-5

Callback-Name attribute, in Ascend-RADIUS dictionary 7-8

Callback-Number attribute

: in Ascend-RADIUS dictionary 7-8
: in IETF-RADIUS dictionary 7-5

Called-Station-Id attribute, in IETF-RADIUS dictionary 7-6

Caller-Id attribute

: in Ascend-RADIUS dictionary 7-9

Calling-Station-Id attribute, in IETF-RADIUS dictionary 7-6

Challenge-Response attribute, in Ascend-RADIUS dictionary 7-8

Challenge-State attribute, in Cisco-RADIUS dictionary 7-4

ChangeParent command line 5-11

Change-Password attribute, in Ascend-RADIUS dictionary 7-8

ChangePassword command line 5-13

CHAP-Password attribute 7-3

CHAP-Password attribute, in IETF-RADIUS dictionary 7-5

CiscoSecure ACS

: database structure 1-1, 8-1
: file formats and syntax 4-1
: shutting down 2-15

CiscoSecure command line, using to restart with logging options 2-16

CiscoSecure Web Interface, definition and description 1-4

Class attribute

: in Ascend-RADIUS dictionary 7-9
: in IETF-RADIUS dictionary 7-6

CLI see command-line interface

Client-Id attribute

: in Cisco-RADIUS dictionary 7-3

Client-Port-DNIS attribute

: in Ascend-RADIUS dictionary 7-9

Client-Port-Id attribute

: in Cisco-RADIUS dictionary 7-3

command-line interface

: AddProfile 5-3
: ChangeParent 5-11
: ChangePassword 5-13
: DeleteProfile 5-7
: overview definition and description 1-5
: parameter errors 5-17
: running remotely 5-2
: UpdatePassword 5-15
: ViewProfile 5-9

concurrent logins 2-14

config_acct_filename variable 4-3

config_acct_fn_enable variable 4-4

config_cache_group_timeout variable 4-4

config_callerid_enable variable 4-5

config_defaultuser_enable variable 4-5

config_distmaxsessions_enable variable 4-6

config_expiry_period variable 4-6

config_get_names_from_dns variable 4-6

config_hex_string_support_enable variable 4-7

config_license_key variable 4-3, 4-7

config_limit_for_idle_connection variable 4-7

config_local_timezone variable 4-7

config_logging_configuration variable 4-8

config_max_failed_authentication variable 4-8

config_maxsession_enable variable 4-9

config_maxsessions_purge_interval variable 4-10

: setting to support AAA server-based maxsessions counting 4-17

config_maxsessions_session_timeout variable 4-9

: setting to support AAA server-based max sessions counting 4-16

config_metrics_enable variable 4-10

config_metrics_log_interval variable 4-11

config_nas_config variable 4-11

config_nodelay_for_tcp variable 4-11

config_priv_level_for_own_CHPASS variable 4-12

config_receive_buffer_size variable 4-12

config_record_write_frequency variable 4-12

config_send_buffer_size variable 4-12

config_server_ip_address variable 4-12

config_system_logging_level variable 4-12

config_system_priority_level variable 4-12

config_token_cache_absolute_timeout variable 4-13

config_update_log_filename variable 4-13

config_use_keepalives variable 4-13

config_warning_period variable 4-13

configuration examples

: ISDN dial-up to a Cisco AS5200 6-12
: lock and key with CiscoSecure ACS 6-4
: RADIUS with CiscoSecure ACS 6-1
: remote node IP and IPX dial-up with CiscoSecure ACS 6-8

console authorization 2-15

controlling CiscoSecure ACS logging 2-17

converting from an existing installation to CiscoSecure 3-1

cs_accounting_log 8-11

cs_accounting_log data table 8-10

cs_blob data table 8-5

cs_group_profile data table 8-3

cs_lock 8-10

cs_lock data table 8-8

cs_password data table 8-6

cs_privilege data table 8-7

cs_user_profile data table 8-2

CSConfig.ini

: editing to restrict ACS administration access 4-17
: editing to tune profile caching 4-21
: managing accounting performance 4-19

csdblog file

: DBServer log file 2-22

csdblog file

: accessing 2-21

CSdbTool, overview description 1-5

csecure.db 8-18

CSimport

: command syntax 3-2
: overview description 1-5

CSmigrate

: command syntax 3-5
: overview description 1-5

CSU.cfg

: configuration file for the AAA Server module 4-2
: disabling features to improve authentication performance 4-14
: enabling AAA Server metrics information 4-14
: variables 1-3, 4-1, 4-3

csuslog file, reading AAA server metrics 4-14

cycle_number 8-2

D

database

: backing up the 8-18
: csecure.db file 8-18
: import utility for RADIUS 3-3
: schema 8-1
: transaction log file 8-18
: upgrade utility for TACACS+ 3-2

database replication

: example of Master-to-Master or Peer-to-Peer replication 9-3
: example of Master-to-Snapshot or Primary-to-Replicate replication 9-2
: Oracle and CiscoSecure integration 9-4 to 9-16
: overview 9-1
: Sybase and CiscoSecure integration 9-18 to 9-29

DBServer

: configuring to manage accounting performance 4-19
: configuring to restrict access to ACS adtministration 4-17
: module definition and description 1-3
: tuning through CSConfig.ini 4-17

dbserver.log file

: logging catastrophic events 2-22

DEBUG 2-20

debugging, NAS commands 2-20

DeleteProfile command line 5-7

Dialback-Name attribute, in Cisco-RADIUS dictionary 7-4

Dialback-No attribute, in Cisco-RADIUS dictionary 7-4

dictionaries

: Ascend attributes 7-8
: cisco IOS attribute-value pairs 7-3
: data 8-13
: IETF attributes 7-5
: management 7-1 to 7-8

Distributed Sessions Manger, definition and description 1-4

document conventions xii

document objectives ix

document organization x

E

editing the errmsg.dat file 2-2

errmsg.dat 2-2

error messages 2-2 to 2-13

: authentication 2-12
: RADIUS AAA 2-3
: TACACS+ 2-9

Expiration attribute, in Cisco-RADIUS dictionary 7-4

expire_date column 8-4

F

failed_login_count 8-2

file formats and syntax for CiscoSecure ACS 4-1

files the CSmigrate can convert 3-3

Filter-Id attribute, in IETF-RADIUS dictionary 7-5

firewall 6-5

Framed-Address attribute

: in Ascend-RADIUS dictionary 7-8
: in Cisco-RADIUS dictionary 7-3

Framed-AppleTalk-Link attribute, in IETF-RADIUS dictionary 7-6

Framed-AppleTalk-Network attribute, in IETF-RADIUS dictionary 7-6

Framed-AppleTalk-Zone attribute, in IETF-RADIUS dictionary 7-6

Framed-Compression attribute

: in Ascend-RADIUS dictionary 7-8
: in Cisco-RADIUS dictionary 7-4
: in IETF-RADIUS dictionary 7-5

Framed-Filter attribute, in Ascend-RADIUS dictionary 7-8

Framed-Filter-Id attribute, in Cisco-RADIUS dictionary 7-4

Framed-IP-Address attribute, in IETF-RADIUS dictionary 7-5

Framed-IP-Netmask attribute, in IETF-RADIUS dictionary 7-5

Framed-IPX-Network attribute

: in Ascend-RADIUS dictionary 7-9
: in Cisco-RADIUS dictionary 7-4
: in IETF-RADIUS dictionary 7-5

Framed-MTU attribute

: in Ascend-RADIUS dictionary 7-8
: in Cisco-RADIUS dictionary 7-4
: in IETF-RADIUS dictionary 7-5

Framed-Netmask attribute

: in Ascend-RADIUS dictionary 7-8
: in Cisco-RADIUS dictionary 7-4

Framed-Protocol attribute

: in Ascend-RADIUS dictionary 7-8
: in Cisco-RADIUS dictionary 7-3
: in IETF-RADIUS dictionary 7-5

Framed-Route attribute

: in Ascend-RADIUS dictionary 7-9
: in Cisco-RADIUS dictionary 7-4
: in IETF-RADIUS dictionary 7-5

Framed-Routing attribute

: in Ascend-RADIUS dictionary 7-8
: in Cisco-RADIUS dictionary 7-4
: in IETF-RADIUS dictionary 7-5

G

: group profiles, data tables 8-2

I

: Idle-Timeout attribute, in IETF-RADIUS dictionary 7-6
: IETF attributes dictionary 7-5
: IETF-RADIUS 7-1
: invocation options 2-16
: IP dial-up 6-16
: IPX dial-up 6-8
: ISDN dial-up 6-12

K

kill 2-15

known issues

: concurrent logins 2-14
: console authorization 2-15

L

lock and key 6-6

lock and key configuration 6-4

logging functions 2-17

: in Ascend-RADIUS dictionary 7-8
: in Cisco-RADIUS dictionary 7-4

logins, concurrent 2-14

: in Ascend-RADIUS dictionary 7-8
: in Cisco-RADIUS dictionary 7-4
: in IETF-RADIUS dictionary 7-5

: in Ascend-RADIUS dictionary 7-8
: in Cisco-RADIUS dictionary 7-4
: in IETF-RADIUS dictionary 7-5

M

: manual startup and shutdown 2-16
: max_session 8-4
: max_session database field 8-4
: message catalogs, format 4-24

N

NAS

: AAA debugging commands 2-20
: as related to custom attributes 7-1
: ISDN dialup sample configuration 6-12
: Lock and Key sample configuration 6-4
: RADIUS sample configuration 6-1
: remote node IP and IPX dialup sample configuration 6-8
: remote node IP dialup sample configuration 6-16

NAS-Identifier attribute

: in Ascend-RADIUS dictionary 7-8
: in IETF-RADIUS dictionary 7-6

NAS-IP-Address attribute, in IETF-RADIUS dictionary 7-5

NAS-Port attribute

: in Ascend-RADIUS dictionary 7-8
: in IETF-RADIUS dictionary 7-5

NAS-Port-Type attribute, in IETF-RADIUS dictionary 7-7

O

Old-Password attribute, in Cisco-RADIUS dictionary 7-4

Oracle 8-1

: V7 database example 8-15

Oracle database replication, integrating with CiscoSecure 9-4 to 9-16

P

Password attribute

: in Ascend-RADIUS dictionary 7-8
: in Cisco-RADIUS dictionary 7-3

Port-Limit attribute, in IETF-RADIUS dictionary 7-7

Port-Message attribute, in Cisco-RADIUS dictionary 7-4

Profile Cache, overview definition and description 1-5

profile caching, tuning through CSConfig.ini 4-21

profile_id column 8-2

protocol errors for TACACS+ 2-11

Proxy-State attribute

: in IETF-RADIUS dictionary 7-6

R

RADIUS

: AAA server error messages 2-3
: AAA server warning messages 2-4
: attribute-value pairs and dictionary management 7-1 to 7-8
: dictionaries 7-1

RADIUS-Ascend 7-1

RADIUS-Cisco 7-1

RDBMS, CiscoSecure-related defintion and description 1-4

S

Secure Socket Layer, enabling on the web server

security

: choosing a pasword 10-4
: controlling local network access 10-4
: enabling SSL on the web server
: ensuring secure installation of the CiscoSecure ACS 10-5
: firewall configurations 10-4
: managing password transmission 10-5
: physical security of the ACS 10-3
: physical security of the NASes 10-4
: restriciting non-CiscoSecure ACS use of the Netscape FastTrack server 10-6
: restricting client access to the CiscoSecure ACS web pages through CSConfig.ini 4-17
: restricting configuration information 10-5

SENDPASS 4-3

service and support 2-13

Service-Type attribute

: in IETF-RADIUS dictionary 7-5

Severe SQL Error messages, troubleshooting 2-20

shutdown 2-15

software control file

: variables 1-3, 4-1, 4-3

SQLAnywhere

: backing up the database 8-18
: offline backup 8-18
: online backup 8-19

SQLAnywhere database chart 8-17

SSL, see Secure Socket Layerr

State attribute

: in Ascend-RADIUS dictionary 7-9
: in IETF-RADIUS dictionary 7-5

stopping the system 2-15

Sybase

: database chart 8-16
: SQL Server 8-1

Sybase database replication

: integrating with CiscoSecure 9-18 to 9-29

Syslog 2-19

system logging functions 2-17

T

TACACS+

: error messages and solutions 2-9
: protocol errors 2-11

Termination-Action attribute, in IETF-RADIUS dictionary 7-6

Token Cache, overview definition and description 1-5

troubleshooting 2-1 to 2-20

: checklist 2-14

U

UNIX syslog configuration 2-19

UpdatePassword, command-line interface syntax 5-15

user profiles, data tables 8-2

user_name 8-2

User-Name attribute

: in Ascend-RADIUS dictionary 7-8
: in Cisco-RADIUS dictionary 7-3
: in IETF-RADIUS dictionary 7-5

User-Password attribute, in IETF-RADIUS dictionary 7-5

User-Service attribute, in Ascend-RADIUS dictionary 7-8

User-Service-Type attribute, in Cisco-RADIUS dictionary 7-3

V

variables in software control files 1-3, 4-1, 4-3

Vendor specific attribute, in Cisco-RADIUS dictionary 7-4

Vendor-Specific attribute

: in Ascend-RADIUS dictionary 7-9
: in IETF-RADIUS dictionary 7-6

ViewProfile command line 5-9

W

: warning messages 2-4

Table of Contents

INDEX