
ACS and NAS Management

This chapter contains the instructions for managing the CiscoSecure Access Control Server (ACS) and its network access server (NAS) clients through the CiscoSecure ACS web-based management interface.

This chapter covers the following topics:

Managing Profiles for TACACS+-Enabled NASes

When you installed the CiscoSecure ACS, you either specified a single NAS as a TACACS+-enabled ACS client or you allowed any NAS with a matching secret TACACS+ key to act as an ACS client. The CiscoSecure ACS AAA NAS web page enables you to add, configure, and delete profiles of TACACS+-enabled NASes as ACS clients.

Adding and Configuring Profiles of TACACS+-Enabled NASes

Step 1 In the CiscoSecure ACS web menu bar of the web interface, click AAA and NAS to display the AAA NAS web page.


Figure 5-1: AAA NAS Page


Step 2 When the AAA NAS page appears, specify the name of the NAS client that you want to add or configure.

The NAS configuration page appears.


Figure 5-2: NAS Configuration Page


Step 3 Fill in or edit the appropriate fields:

Step 4 Click Save and then click Re-Initialize at the top right of the page to effect the changes.

Deleting TACACS+ NAS Profiles

To delete an existing profile of a TACACS+-enabled NAS client, do as follows:

Step 1 In the CiscoSecure ACS web menu bar of the web interface, click AAA and NAS to display the AAA NAS web page.

Step 2 In the TACACS+ NAS Configurations list box, select the profile name of the NAS that you want to disable as a CiscoSecure ACS client and click Delete.

Step 3 Click Re-Initialize at the top right of the page to effect the change.

Adding and Configuring NASes as RADIUS Clients

The CiscoSecure Administrator advanced configuration program provides a special tabbed NASes page for adding NASes as RADIUS-enabled clients to the CiscoSecure ACS.

Managing Profiles of RADIUS-Enabled NASes

To display, add, copy, delete, edit, or unlock the NASes configured as RADIUS-enabled clients, follow these steps:

Step 1 Start the Java-based CiscoSecure Administrator advanced configuration program and click the NASes tab.

Step 2 (Optional) To update the list of NASes, click the NASes button at the top of the list of available NASes. The Administrator window will reload from the database and get the current list of available NASes. This is useful when more than one person is making changes to NAS profiles.

Step 3 Click the IP address in the left column to display NAS profile information. (See Figure 5-3.)


Figure 5-3: CiscoSecure Administrator NASes Tabbed Page


The following information displays:

Adding a Profile of a RADIUS-Enabled NAS

To add a NAS to the list of CiscoSecure ACS clients:

Step 1 In the NASes page of the CiscoSecure Administrator advanced configuration program, click New. You will be prompted to enter the IP address of the new NAS.

Step 2 Enter the IP address of the new NAS in the NAS IP Address field.

Step 3 If necessary, log in to the NAS and input the appropriate NAS configuration commands as described in the "Changing Profile Information for a RADIUS-Enabled NAS" section.

TimeSaver To create a NAS profile with characteristics similar to one already created, just click the IP address of the similar NAS, then click Copy. You can then modify individual characteristics of the new NAS by clicking Edit.

Changing Profile Information for a RADIUS-Enabled NAS

To change the information for a RADIUS-enabled NAS client, follow these steps:

Step 1 In the NASes page of the CiscoSecure Administrator advanced configuration program, click the name of the NAS for which you want to change information.

Step 2 Click Edit.

Step 3 Click the field you want to change. The following information can be changed:

Step 4 Type or select the new information.

Step 5 When you have finished, click one of the following:

Deleting a NAS as a RADIUS-Enabled Client

To delete a NAS as a RADIUS-enabled client:

Step 1 In the NASes page of the CiscoSecure Administrator advanced configuration program, click the name of the NAS you want to delete.

Step 2 Click Delete. The name of the NAS will be removed from the list.

Managing General Settings on the ACS

The CiscoSecure ACS AAA General web page enables you to specify authentication methods, time zone, and logging mode options for the CiscoSecure ACS server.

Step 1 In the CiscoSecure ACS web menu bar of the web interface, click AAA and then click General to display the AAA General configuration page.


Figure 5-4: AAA General Web Page


Step 2 Check off the authentication methods that you want the ACS to support. The choices are:

Step 3 In the Local Timezone field, specify the local time zone in relation to Universal Mean Time (Greenwich Mean Time). For example, Universal Mean Time is 0 (zero); United States Eastern Standard Time is -5; and United States Pacific Standard Time is -8.

Step 4 In the CiscoSecure License Key field, enter the server license key. This is the key code that you received after you accessed the CiscoSecure License web page or filled out the "CiscoSecure Fax Back Form" before installing CiscoSecure ACS 2.3.

Step 5 In the Max Sessions Enabled field, select the type of max sessions control that you want enabled for this ACS. Max sessions controls enable the administrator to limit the number of sessions that a user, or a group of users, can open at any one time.

Max Sessions Enabled selections are:

Both "Non-Distributed" selections enable the administrator to use the Java-based CiscoSecure Administrator advanced configuration program to apply the Profile Attributes>server max sessions attributes option to single user profiles or group profiles, limiting the number of concurrent sessions allowed to a single user or setting the default number of concurrent sessions allowed to each user in a group.

  • The Non-Distributed AAA selection implements a faster max sessions control routine.
  • The Non-Distributed DBServer selection implements a more reliable max sessions control routine, one that maintains user open session counts even if the ACS is stopped and restarted.

AAA accounting packets must be enabled on the client NASes for either selection to take effect.

This selection is valid only if you have licensed the DSM module on this ACS. AAA accounting packets must be enabled on the client NASes for this selection to take effect.

Step 6 In the Max. Failed Authentications field, specify the maximum number of failed authentication attempts allowed per user. This field specifies the number of failed logins allowed each user before CiscoSecure disables that user's account. This feature minimizes the possibility of successful third party "random password generator" attacks on CiscoSecure user accounts.

Step 7 In the Token Cache Absolute Timeout field, specify, in seconds, the absolute maximum amount of time that a token password will be cached for users being authenticated through this CiscoSecure ACS. This absolute timeout setting overrides individual group or user profile token caching timeout settings that specify longer time periods. This setting does not override group or user profile token caching timeout settings that specify equal or shorter periods.

Step 8 If necessary, select additional logging options in the Logging Options pane. This specifies the types of system messages that the CiscoSecure ACS will record to a system log file that you specify through the UNIX syslog utility.

Caution Cisco recommends that you leave these logging options unchanged. If necessary, these options can be selected for troubleshooting purposes in communication with Cisco Technical Support.

The logging options you can enable are as follows:

Step 9 Click Re-Initialize at the top of the page to implement the changes you have made in the AAA>General page.

Step 10 In addition, if you have made changes to the Max Sessions Enabled selection, you must also stop and restart the CiscoSecure ACS for that selection change to take effect.

Caution If accounting information is still being written when the /etc/rc0.d/K80CiscoSecure script is invoked to stop the ACS, the DBServer module of the ACS will not shut down until it finishes writing all accounting information to the RDBMS. This process might take as long as 10 minutes. Do not attempt to shut down the DBServer by other means during this process. Loss of accounting data might result.

Managing RADIUS Settings on the ACS

The Servers tab in the Java-based CiscoSecure Administrator advanced configuration program enables you to carry out simple RADIUS-specific configuration of all CiscoSecure ACSes installed on the network and using the same CiscoSecure database. To configure another ACS on the network, you create a profile for that ACS and edit its parameters.

To display, add, copy, delete, edit, or unlock the available CiscoSecure ACS RADIUS settings profiles:

Step 1 Start the Java-based CiscoSecure Administrator advanced configuration program and click the Servers tab.

Step 2 (Optional) To update the list of access control servers, click Servers at the top of the list of available servers. The Administrator window will reload the current list of available access control server profiles from the database. This is useful when more than one person can make changes to the ACS profiles.

Step 3 Click a server's IP address in the left window. The CiscoSecure ACS displays information about the server. (See Figure 5-5.)


Figure 5-5: CiscoSecure ACS Servers Window

Note You can move between fields by clicking the field with the mouse or pressing the Tab key.

The following fields and information display:

Adding a RADIUS Server Profile for an ACS

To add an access control server profile to the list:

Step 1 In the Servers page of the CiscoSecure Administrator advanced configuration program, click New. You will be prompted to enter the IP address of the new server.

Step 2 Enter the IP address for the access server in the Server Name field.

Step 3 If necessary, change the configuration as described in the "Changing RADIUS Profile Information for an ACS" section.

TimeSaver To create a server profile with characteristics similar to those of an existing server profile, click the IP address of the existing server profile, then click Copy. You can then modify individual characteristics, if necessary, by clicking Edit.

Changing RADIUS Profile Information for an ACS

To change RADIUS profile information for an ACS server:

Step 1 In the Servers page of the CiscoSecure Administrator advanced configuration program, click Edit.

Step 2 Click the field for the information you want to change for your server.

Step 3 Type or select the new information. Some of the information cannot be changed. The information you can change depends on your system and desired operation of the ACS. For an explanation of the fields on this screen, see the "Managing RADIUS Settings on the ACS" section.

Step 4 When you have finished, click one of the following:

Deleting a RADIUS Profile for an ACS

To delete an access control server profile:

Step 1 In the Servers page of the CiscoSecure Administrator advanced configuration program, click the IP address of the server profile you want to delete.

Step 2 Click Delete. The IP address of the server profile will be removed from the list.

Managing RADIUS Dictionaries

The following RADIUS dictionaries are installed when you select the RADIUS protocol during installation:


Note These dictionaries cannot be changed or deleted; however, you can create copies and change the copies.

Note You do not need to configure dictionary support for the TACACS+ protocol.

To display the RADIUS dictionaries:

Step 1 Start the CiscoSecure Administrator advanced configuration program and click the Dictionaries tab.

Step 2 (Optional) To update the list of dictionaries, click Dictionaries at the top of the list of available dictionaries. The Administrator window will reload from the database and get the current list of available dictionaries. This is useful when more than one person can make changes to the dictionary profiles.

Step 3 Click the name of the dictionary for which you want to display information.

The dictionary attributes display.


Figure 5-6: RADIUS Dictionary Page View Mode

For each attribute, a summary line is displayed containing the following information:


Table 5-1: Attribute Type Values

Attribute Type   Format
string           Displayable ASCII; length cannot exceed 253 characters
ipaddr           4 octets; octets must be in network byte order
integer          32-bit value; big endian order (high byte first)
date             32-bit value; big endian order; seconds since 00:00:00 GMT, January 1, 1970
abinary          ASCII character set; length cannot exceed 254 characters
enum             32-bit value; subset of integers
Step 4 To view the detailed information for a specific attribute, click that attribute's magnifying glass icon.

When you click the attribute's magnifying glass, its detailed information appears in an attribute editor frame at the bottom of the page. The detailed information includes:

Adding a RADIUS Dictionary

To add a dictionary to the list:

Step 1 In the Dictionaries page of the Java-based CiscoSecure Administrator advanced configuration program, click New.

Step 2 Enter the name of the dictionary to add.

Step 3 If necessary, change the configuration as described in the "Changing RADIUS Dictionary Information" section.

TimeSaver To create a dictionary with characteristics similar to one already created, just click the name of the similar dictionary, then click Copy. You can then modify individual characteristics of the new dictionary by clicking Edit.

Changing RADIUS Dictionary Information

Caution Use caution when editing dictionaries. Changes to a dictionary will affect all users who are using that dictionary. Only experienced RADIUS system administrators should attempt to edit dictionaries.

Take the following steps to change the information for a dictionary:

Step 1 In the Dictionaries page of the Java-based CiscoSecure Administrator advanced configuration program, click the name of the dictionary for which you want to change information.

Step 2 Click Edit. The magnifying glass view icons become pencil edit icons. (See Figure 5-7.)


Figure 5-7: RADIUS Dictionary Page Edit Mode

Step 3 If you want to change the vendor ID for the entire dictionary, click vendor= in the lower right corner, enter a new ID number in the Enter Vendor ID dialog box, and click OK.

Step 4 If you want to change the detailed information for a specific attribute, click that attribute's pencil icon.

You can then edit that attribute's detailed information fields in the attribute edit frame at the bottom of the page:

For details on the fields, see the "Managing RADIUS Dictionaries" section.

Step 5 When you have finished, click one of the following:

For more information on the Dictionaries window, see the chapter "RADIUS Attribute-Value Pairs and Dictionary Management" in the CiscoSecure ACS 2.3 for UNIX Reference Guide.

Deleting a RADIUS Dictionary

To delete a dictionary:

Step 1 In the Dictionaries page of the CiscoSecure Administrator advanced configuration program, click the name of the dictionary you want to delete.

Step 2 Click Delete. The name of the dictionary will be removed from the list.

Displaying a System Summary and Expired Passwords

To display a summary of the system's statistics, go to the Members page of the CiscoSecure advanced configuration program, and click the Display System Summary and Expired Passwords button. You can also click this button to display users with expired passwords by password type.


Figure 5-8: Display System Summary and Expired Passwords Button

The CiscoSecure Properties window opens. To view the system summary, click the Summary Statistics tab. (See Figure 5-9.)


Figure 5-9: CiscoSecure Summary Statistics Window

To view expired passwords, click the Expired Passwords tab. (See Figure 5-10.)


Figure 5-10: CiscoSecure Expired Passwords Window

Clearing the Failed Logins Counter

If the number of consecutive failed logins for a given user exceeds the number set in the Max. Failed Authentications field of the CiscoSecure ACS AAA General web page, that user's account is temporarily disabled.

To reenable a user account disabled by too many consecutive failed authentications:

Step 1 In the Members page of the CiscoSecure Administrator advanced configuration program, deselect Browse, find and click the profile of the user whose account was disabled in the Navigator pane, and click Profile in the Profile pane.

Step 2 Reset the failed logins count by locating and selecting the server-current-failed logins icon in the Profile pane. Then, do one of the following:

The ACS increments the counter by one for each failed login attempt. If the current count for a user is below the global number and the user logs in successfully, the counter is reset to zero.

Step 3 Reenable the user profile by locating and selecting the profile status icon on the Profile pane. Then do one of the following:

Step 4 Click Submit to confirm the user profile's enabled status.
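The following is an added example, not code from the CiscoSecure product, that models the failed-logins counter and profile status exactly as the rules above state them: each failed attempt adds one, a success while the count is below the Max. Failed Authentications value resets it to zero, a count that exceeds that value disables the profile, and the administrator's reset clears the counter and re-enables the profile. The class name and the limit value are constructed for illustration.

```python
class UserLoginState:
    """Constructed model of one user's server-current-failed-logins counter and
    profile status, following the rules given in the procedure above."""

    def __init__(self, max_failed_authentications):
        self.max_failed = max_failed_authentications  # Max. Failed Authentications value
        self.failed_logins = 0                         # server-current-failed logins
        self.enabled = True                            # profile status

    def attempt(self, password_ok):
        """Record one login attempt; return True only when the login is accepted."""
        if not self.enabled:
            return False                      # disabled profile: nothing is accepted
        if password_ok:
            # Literal reading of the text: only a success while the count is still
            # below the global number clears the counter.
            if self.failed_logins < self.max_failed:
                self.failed_logins = 0
            return True
        self.failed_logins += 1
        if self.failed_logins > self.max_failed:
            self.enabled = False              # limit exceeded: account temporarily disabled
        return False

    def clear_and_reenable(self):
        """Steps 2 and 3 above: reset the counter, then set the profile back to enabled."""
        self.failed_logins = 0
        self.enabled = True
```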

Setting Up Access to a Local or Remote Domain

If you maintain an Internet service accessed by various customers maintaining separate virtual private dial-up networks (VPDNs), the CiscoSecure ACS Domain web page enables you to authenticate VPDN users logging in to access local domains and route VPDN users logging in to access remote domains.

You can configure the CiscoSecure ACS to recognize and authenticate users logging in with specific local domain name strings. You can also configure CiscoSecure ACS to recognize and route users logging in with specific remote domain name strings to the home gateway NAS of those domains.


Note This section provides information only on setting up the CiscoSecure ACS to support login to existing VPDNs. For background information on setting up VPDNs, see the Cisco IOS Release 11.3 Dial Solutions Configuration Guide, part number 78-4732-01.

To configure the ACS to handle user login strings with domain names:

Step 1 In the CiscoSecure ACS web menu bar of the web interface, click AAA and then click Domain to display the AAA Domain configuration page.


Figure 5-11: AAA Domain Web Page


Step 2 In the Domain Name field, enter the name of the remote domain that CiscoSecure users might want to access.

For example, in the login string "sam@zephyr.com," "zephyr.com" is the domain name.

Step 3 In the Delimiter field, select the delimiter character.

This is the character that separates the username from the domain name. For example, for the login string, "sam@zephyr.com," "@" is the delimiter.

Step 4 In the Domain Name Position field, specify the domain name position in relation to the delimiter. Select Before or After.

Step 5 In the Domain Type field, specify whether the domain is local or remote.

Step 6 Click Add Domain.

The domain name string you specified is displayed either in the Local Domains or Remote Domains list box.

Step 7 Click Re-Initialize at the top of the page to effect the changes.
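As an added example (not code from the CiscoSecure product), the function below applies the Domain page settings from Steps 2 through 5 to a login string: it splits the string at the configured delimiter according to the Domain Name Position, then reports whether the user is authenticated locally or routed to the home gateway NAS of a remote domain. The domain names and the gateway address are constructed; splitting at the first delimiter occurrence and comparing domain names case-insensitively are assumptions, as is reporting domains in neither list as "unknown", since the page does not say how the ACS treats them.

```python
# Constructed sample of the AAA Domain page settings; all names and addresses are illustrative.
DELIMITER = "@"
DOMAIN_NAME_POSITION = "After"             # Domain Name Position: "Before" or "After" the delimiter
LOCAL_DOMAINS = {"zephyr.com"}             # authenticated by this ACS
REMOTE_DOMAINS = {"acme.net": "192.0.2.1"}  # remote domain -> home gateway NAS (constructed address)


def split_login(login, delimiter=DELIMITER, position=DOMAIN_NAME_POSITION):
    """Return (username, domain) for a login string, or (login, None) if it has no delimiter.
    Assumption: the first occurrence of the delimiter is the separator, and domain
    names are compared case-insensitively."""
    if delimiter not in login:
        return login, None
    left, _, right = login.partition(delimiter)
    if position == "After":
        return left, right.lower()        # e.g. sam@zephyr.com -> ("sam", "zephyr.com")
    if position == "Before":
        return right, left.lower()        # e.g. zephyr.com/sam -> ("sam", "zephyr.com")
    raise ValueError("Domain Name Position must be 'Before' or 'After'")


def route_login(login, local=LOCAL_DOMAINS, remote=REMOTE_DOMAINS):
    """Classify a login string the way the Domain page configuration would:
    local domain -> authenticate here, remote domain -> route to its home gateway,
    no domain -> ordinary username. Domains in neither list are reported as 'unknown'."""
    user, domain = split_login(login)
    if domain is None:
        return {"action": "authenticate", "user": user, "domain": None}
    if domain in local:
        return {"action": "authenticate", "user": user, "domain": domain}
    if domain in remote:
        return {"action": "route", "user": user, "domain": domain, "gateway": remote[domain]}
    return {"action": "unknown", "user": user, "domain": domain}
```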

Deleting Access to a Local or Remote Domain

To delete access to a local or remote domain:

Step 1 In the CiscoSecure ACS web menu bar of the web interface, click AAA and then click Domain to display the AAA Domain configuration page.

Step 2 In the Local Domains or Remote Domains list box, select the domain name string you want to disable, then click either Delete Local or Delete Remote, whichever is applicable.

The selected domain name string disappears from the list box.

Step 3 Click Re-Initialize at the top of the page to effect the changes.

Logging Off the CiscoSecure Administrator Interface

To exit the Administrator program, click Logoff.


Note When you log out of the Java-based CiscoSecure Administrator advanced configuration program, the program might require several minutes to shut down.

Copyright 1989-1998 © Cisco Systems Inc.