Sample Configurations

Before you configure CiscoSecure ACS for the first time, make sure you have the required settings for the configuration you want. This chapter outlines the necessary settings for the following sample configurations:

    1. Dialup Using the Windows NT User Database with TACACS+

    2. Dialup Using the CiscoSecure ACS User Database with TACACS+

    3. Dialup Using SDI Token-Card Server with TACACS+

    4. Dialup Using NDS with TACACS+

    5. Dialup Using a CRYPTOCard Token-Card Server with TACACS+

    6. Dialup Using the CiscoSecure ACS User Database with Cisco RADIUS

    7. Dialup for an ARAP Client Using the CiscoSecure ACS User Database with TACACS+

    8. NAS Management Using the CiscoSecure ACS User Database with TACACS+

    9. Password Aging and User-Changeable Passwords Using CiscoSecure ACS with CAA

    10. Single Authentication Using CiscoSecure ACS and the CAA

    11. Double Authentication Using CiscoSecure ACS and the CAA

    12. Authentication Using CiscoSecure ACS and an MCIS LDAP Database

    13. Authentication Using CiscoSecure ACS and a Directory Services Database

    14. PIX Firewall Authentication/Authorization Using the Windows NT User Database with TACACS+

    15. VPDN Using the CiscoSecure ACS User Database with TACACS+

    16. Virtual Profiles Using the CiscoSecure ACS User Database with TACACS+

    17. VPDN Using the CiscoSecure ACS User Database with RADIUS Tunnelling Attributes

Select the configuration that most closely meets your needs.


Note If you are viewing this window as a link from the CiscoSecure ACS main window, click Online Documentation: Sample Configurations to return to this section.

You must configure four components to successfully initiate connectivity and start the CiscoSecure ACS for Windows NT services:

    1. Windows NT server---Computer hosting the CiscoSecure ACS software and the Windows NT user database

    2. Cisco Secure ACS 2.4 for Windows NT Server---Software that provides centralized network security services

    3. NAS---Network access servers, routers, or other devices, such as firewalls, that provide your users with access to specific networks

    4. Client---Async or ISDN dialup user applications

Dialup Using the Windows NT User Database with TACACS+

This section presents a typical configuration that can be used in a Windows NT network using only the Windows NT user database to maintain access. This configuration would typically be used in businesses with significant or strategic investment in Windows NT. This configuration makes it possible to:

Windows NT Server Configuration

This option requires significant configuration in the Windows NT server environment because it depends heavily on Windows NT management functions. Configure these items in the User Manager on your Windows NT server that is running CiscoSecure ACS. Make sure that:

CiscoSecure ACS Configuration

Follow these steps in CiscoSecure ACS.

Network Configuration


Note If the first NAS into which clients dial was set up during CiscoSecure ACS installation, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using Network Device Groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and CiscoSecure ACS.

Step 6 Select TACACS+ (Cisco) as the security control protocol.

External User Databases Configuration

If CiscoSecure ACS was originally installed to authenticate usernames against the CiscoSecure ACS database only, you must add a new configuration to allow it to also authenticate against the Windows NT database.

Step 1 Click External User Databases: Database Configuration.

Step 2 Click Windows NT.

Step 3 Click Create a new configuration.

Step 4 Click Submit to accept the default name.

Step 5 Click Configure to allow the additional capability to Grant dialin permission to user. CiscoSecure ACS verifies that dialup permission is granted for the user in the Windows NT user database. Authentication for a user without dialup permission on the Windows NT server fails, even if the user supplies the correct password. If you do not want to use this feature, clear the check box and click Submit.

Step 6 The Unknown User Policy window controls how CiscoSecure ACS handles usernames that are not found in the CiscoSecure ACS user database. Configure this option to ensure that all authentications without usernames in the CiscoSecure ACS user database are checked against the Windows NT database.

If this authentication succeeds, a record is automatically generated in the CiscoSecure ACS Database indicating that the Windows NT database should also be used for password authentication. User records added to the database in this way automatically become members of the selected group.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the protocol to be configurable for a group, click TACACS+ (Cisco).

Step 2 To add more controls for dial-in access, check the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or enhance the detail of your access security.

Group Setup

Follow these steps in Group Setup for the Default Group:

Step 1 To use Time-of-Day access, click the times and days to grant access and click Use as Default. The times and days during which access is allowed appear highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 2 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 3 To control the number of simultaneous sessions allowed to a group and to specify the number of sessions allowed to users in the groups, enter the applicable number in the MaxSessions fields. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window. CiscoSecure ACS counts active sessions from the accounting start and stop records the NAS sends, so this limit is only enforced when the NAS is configured for TACACS+ accounting (see the aaa accounting lines in the NAS configuration below).

Step 4 To allow the NAS to support dialup clients running IP over a PPP (async or ISDN) connection, enable PPP-IP. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

Step 5 To make CiscoSecure ACS a "DHCP-like" server, enable IP Pool and enter the IP Pool name defined on the NAS. To use a NAS-name pool, leave the field blank.

Step 6 To allow the NAS to support dialup clients running IPX over a PPP (async or ISDN) connection, enable PPP-IPX. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

Step 7 To allow Telnet sessions to be run by the client or to allow CiscoSecure ACS to also be used for NAS management, enable Shell (Exec). If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.
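The shared secret entered in Network Configuration Step 5 and the Group Setup options above meet on the wire in the TACACS+ authorization exchange. As an added example (not CiscoSecure ACS or Cisco IOS code), the Python below frames a TACACS+ authorization request and reply in the draft format later published as RFC 8907, obfuscates the body under the shared secret, and answers with the attribute-value pairs that correspond to PPP-IP with an IP pool and Shell (Exec). The key, session id, user name, port, calling number and the policy table are all constructed for the demonstration.

```python
"""TACACS+ framing (the draft later published as RFC 8907) with shared-secret body
obfuscation, plus an authorization REQUEST/RESPONSE carrying the AV pairs behind the
Group Setup options. Added example, not CiscoSecure ACS or IOS code; the key, session
id, user, port, calling number and policy table are constructed for the demo."""
import hashlib
import struct

VERSION = 0xC0                 # major version 0xc, minor 0
TYPE_AUTHOR = 0x02             # authorization packet
FLAG_UNENCRYPTED = 0x01
FLAG_SINGLE_CONNECT = 0x04     # what "tacacs-server host ... single-connection" requests
PASS_ADD, FAIL = 0x01, 0x10    # authorization reply status codes
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length

def pseudo_pad(session_id, key, seq_no, length):
    """MD5_1 = MD5(sid|key|ver|seq); MD5_n = MD5(sid|key|ver|seq|MD5_n-1); concatenated."""
    prefix = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def xor(body, pad):
    return bytes(b ^ p for b, p in zip(body, pad))

def encode_packet(ptype, seq_no, session_id, body, key):
    """XOR the body with the pad derived from the shared secret and prepend the header."""
    flags = FLAG_SINGLE_CONNECT
    if key:
        body = xor(body, pseudo_pad(session_id, key, seq_no, len(body)))
    else:
        flags |= FLAG_UNENCRYPTED  # cleartext AV pairs on the wire: never ship this
    return HEADER.pack(VERSION, ptype, seq_no, flags, session_id, len(body)) + body

def decode_packet(packet, key):
    """Return (type, seq_no, session_id, body); a wrong key yields garbage, not an error."""
    version, ptype, seq_no, flags, sid, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if version != VERSION or len(body) != length:
        raise ValueError("bad TACACS+ header or truncated body")
    if not flags & FLAG_UNENCRYPTED:
        body = xor(body, pseudo_pad(sid, key, seq_no, length))
    return ptype, seq_no, sid, body

def author_request(user, port, rem_addr, args, priv_lvl=1):
    """REQUEST body: authen_method TACACSPLUS(6), authen_type PAP(2), service PPP(3)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    if max(len(u), len(p), len(r), len(a), *map(len, a)) > 255:
        raise ValueError("field too long for its one-byte length")
    return (bytes([6, priv_lvl, 2, 3, len(u), len(p), len(r), len(a)])
            + bytes(map(len, a)) + u + p + r + b"".join(a))

def parse_author_request(body):
    _method, _priv, _atype, _service, ul, pl, rl, argc = body[:8]
    lens, off, fields = body[8:8 + argc], 8 + argc, []
    for n in (ul, pl, rl, *lens):
        fields.append(body[off:off + n].decode("ascii"))
        off += n
    if off != len(body):
        raise ValueError("length fields do not cover the body")
    return {"user": fields[0], "port": fields[1], "rem_addr": fields[2], "args": fields[3:]}

def author_response(status, args):
    """RESPONSE body with empty server_msg and data fields."""
    a = [x.encode() for x in args]
    return bytes([status, len(a)]) + struct.pack("!HH", 0, 0) + bytes(map(len, a)) + b"".join(a)

def parse_author_response(body):
    status, argc = body[0], body[1]
    lens, off, args = body[6:6 + argc], 6 + argc, []
    for n in lens:
        args.append(body[off:off + n].decode("ascii"))
        off += n
    return status, args

# Constructed policy mirroring Group Setup: PPP-IP with IP pool "dialin", Shell (Exec).
GROUP_POLICY = {"Default Group": {"ppp/ip": ["addr-pool=dialin"], "shell": ["priv-lvl=1"]}}
USER_GROUP = {"alice": "Default Group"}

def authorize(request_body):
    """ACS side: FAIL anything the user's group does not enable, else PASS_ADD the attributes."""
    req = parse_author_request(request_body)
    kv = dict(arg.split("=", 1) for arg in req["args"] if "=" in arg)
    wanted = kv.get("service", "") + ("/" + kv["protocol"] if "protocol" in kv else "")
    policy = GROUP_POLICY.get(USER_GROUP.get(req["user"], ""), {})
    return author_response(PASS_ADD, policy[wanted]) if wanted in policy else author_response(FAIL, [])

def exchange(user, service_args, key, session_id=0x1234ABCD):
    """NAS -> ACS -> NAS round trip under one shared secret; returns (status, attributes)."""
    wire = encode_packet(TYPE_AUTHOR, 1, session_id,
                         author_request(user, "Async1", "5551234", service_args), key)
    _, seq, sid, body = decode_packet(wire, key)              # ACS receives and strips the pad
    reply = encode_packet(TYPE_AUTHOR, seq + 1, sid, authorize(body), key)
    return parse_author_response(decode_packet(reply, key)[3])  # NAS reads the verdict
```

Two points worth noticing when running it: a packet decoded with the wrong shared secret passes the header check and only fails later, when the pad-stripped body does not parse as a request, which is the symptom you see on the NAS when the key in Network Configuration and the `tacacs-server key` line disagree; and the SINGLE_CONNECT flag in the header is what the `single-connection` keyword on `tacacs-server host` asks the server for.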

User Setup

User setup is not necessary; users who successfully authenticate against the Windows NT user database are added to the CiscoSecure ACS user database as members of the default group, designated as "Default Group." You can reassign them to another group later.

NAS Configuration

Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+. You can use PAP or MS-CHAP when authenticating against Windows NT; plain CHAP is not available because the Windows NT user database does not give CiscoSecure ACS the cleartext password that verifying a CHAP response requires.

aaa new-model
! Login and PPP authentication go to TACACS+ only: if the ACS is unreachable,
! remote logins fail closed (add a fallback method only if that is acceptable).
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
! Start/stop accounting is also what CiscoSecure ACS uses to count sessions for MaxSessions.
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
! Replace ip_address with the ACS address and key with the shared secret entered in
! Network Configuration; single-connection keeps one TCP session open to the ACS.
tacacs-server host ip_address single-connection
tacacs-server key key
enable secret password
! The console keeps a local method list so the box stays reachable when TACACS+ is down.
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs
 

Enter the following command under each interface used for dial-in access:

ppp authentication pap
 

or

ppp authentication MS-CHAP

Client Configuration

The client can be an async or Integrated Services Digital Network (ISDN) client. In either case, be sure the client is configured to use PAP or MS-CHAP.

Windows 95/98 Client Configuration

Follow these steps in the Dial-Up Networking section of Windows 95/98:

Step 1 Create and configure a connection with the NAS dial number.

Step 2 Right-click the Connection icon and select Properties.

Step 3 Click Server Type.

Step 4 For the Type of Dial-Up Server, click PPP.

Step 5 Under Advanced Options, check Log on to Network to log on to the Windows NT domain.

Step 6 Clear the require encrypted password check box.

Step 7 In Server Types: Allowed Network Protocols, click IP and/or IPX.

Step 8 If you are using an IP pool on the NAS (not assigning the IP address at the client), set TCP/IP settings to server assigned IP Address and server assigned name.

Step 9 To set up single login, install the Client for Microsoft Networks under the Network Configuration, and set the Primary Network Logon to Windows Logon.

Step 10 For single login, in the properties for Client for Microsoft Networks, leave Log on to Windows NT Domain disabled, but enter the desired domain in the Windows NT Domain field.

Step 11 When making a connection, enter the same username and password being used for the user account in the Windows NT user database.

Step 12 For single login, in the Connect To dialog box, click save password. Make sure you have the Windows 95 service pack installed so the password is saved. Check with your system administrator to find out if the service pack has been installed.

Tips

Consider the following:

Dialup Using the CiscoSecure ACS User Database with TACACS+

This sample configuration lets you set a higher level of authentication security, such as CHAP, or increase authentication/authorization processing speed. Service providers can use this configuration when transaction speed is critical. Corporations whose administrators prefer the added security of CHAP, which never sends the password over the link, to a single login to the Windows NT domain can also use this configuration.
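The trade-off just described, as an added example that is not CiscoSecure ACS or Cisco IOS code: CHAP keeps the password off the link, but verifying a CHAP response requires the server to hold the password in cleartext, which the CiscoSecure ACS user database does and the Windows NT user database does not (Windows NT keeps only password hashes, which is why the previous configuration is limited to PAP or MS-CHAP; MS-CHAP computes its response from the NT hash itself). The Python below verifies PAP and CHAP (RFC 1994) against a cleartext store and against a hash-only store. The user names, passwords and challenges are constructed, and the salted SHA-256 in HashedStore is a stand-in for "a one-way hash", not the NT hash algorithm.

```python
"""Server-side PAP and CHAP (RFC 1994) verification, showing why CHAP needs the
cleartext password that only the CiscoSecure ACS database holds, while a hash-only
store (what Windows NT exposes) can verify PAP but not CHAP. Added example, not ACS
or IOS code; users, passwords and challenges are constructed for the demo."""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """Client side: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class CleartextStore:
    """Models the CiscoSecure ACS user database: the password itself is on file."""
    def __init__(self, users):
        self.users = dict(users)

    def verify_pap(self, user, password):
        # PAP: the NAS forwards the password itself, so any store can compare it.
        return user in self.users and hmac.compare_digest(
            self.users[user].encode(), password.encode())

    def verify_chap(self, user, identifier, challenge, response):
        # CHAP: recompute the digest from the stored cleartext; compare in constant time.
        if user not in self.users:
            return False
        expected = chap_response(identifier, self.users[user], challenge)
        return hmac.compare_digest(expected, response)


class HashedStore:
    """Models a store holding only a one-way hash (a stand-in for Windows NT; the
    salted SHA-256 used here is not the NT hash algorithm)."""
    def __init__(self, users):
        self.users = {}
        for user, password in users.items():
            salt = os.urandom(16)
            self.users[user] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def verify_pap(self, user, password):
        if user not in self.users:
            return False
        salt, digest = self.users[user]
        return hmac.compare_digest(hashlib.sha256(salt + password.encode()).digest(), digest)

    def verify_chap(self, user, identifier, challenge, response):
        # MD5(id || secret || challenge) cannot be formed from hash(secret), so the server
        # cannot check the response: this is why the Windows NT setup uses PAP or MS-CHAP.
        raise NotImplementedError("CHAP needs the cleartext password; only a hash is stored")


def chap_login(store, user, secret, identifier=1, challenge=None):
    """One CHAP exchange: server challenge -> client response -> server verdict.
    Returns True/False, or None when the store cannot do CHAP at all."""
    challenge = challenge or os.urandom(16)
    response = chap_response(identifier, secret, challenge)
    try:
        return store.verify_chap(user, identifier, challenge, response)
    except NotImplementedError:
        return None
```

A captured CHAP response is bound to the challenge it answered, so replaying it against a fresh challenge fails, whereas a captured PAP password is reusable as is; the price of CHAP is that the server's user database becomes a cleartext password store and must be protected accordingly.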

Windows NT Server Configuration

No Windows NT Server configuration is required; users do not need to exist in the Windows NT user database unless they need to log in to the Windows NT network.

CiscoSecure ACS Configuration

Configure these items in CiscoSecure ACS.

Network Configuration


Note If the first NAS into which clients dial was set up during the installation of CiscoSecure ACS, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using Network Device Groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and CiscoSecure ACS.

Step 6 Select the TACACS+ protocol.

Step 7 To allow the Service/Protocol to be configurable for a group, in the Protocol Configuration Options window, click TACACS+ (Cisco).

Step 8 Use the User Setup window to add a user.

External User Database Configuration (Optional)

Follow these steps in the External User Databases window:

Step 1 Click Unknown User Policy.

Step 2 Check Fail the attempt.

This sets CiscoSecure ACS to deny authentication unless the user has an active account in the CiscoSecure ACS database.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the protocol to be configurable for a group, click TACACS+ (Cisco).

Step 2 To add more controls for dial-in access, check the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or enhance the detail of your access security.

Group Setup

Follow these steps in Group Setup for the Default Group:

Step 1 To use Time-of-Day Access, click the times and days to grant access and click Use as Default. The times and days during which access is allowed appear highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 2 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 3 To control the number of simultaneous sessions allowed to a group, and to specify the number of sessions allowed to users in the groups, enter the appropriate number in the MaxSessions fields. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 4 To allow the NAS to support dialup clients running IP over a PPP (async or ISDN) connection, enable PPP-IP. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

Step 5 To make CiscoSecure ACS a "DHCP-like" server, enable IP Pool and enter the IP Pool name defined on the NAS. To use a NAS-name pool, leave the field blank.

Step 6 To allow the NAS to support dialup clients running IPX over a PPP (async or ISDN) connection, enable PPP-IPX. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

Step 7 To allow the client to run Telnet sessions or to allow CiscoSecure ACS to also be used for NAS management, enable Shell (Exec). If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

User Setup

Follow these steps in the User Setup window of CiscoSecure ACS:

Step 1 Add a user to the CiscoSecure ACS user database.

Step 2 Select CiscoSecure Database as the method for password authentication.

Step 3 Enter and confirm the password in the first set of the CiscoSecure ACS user database password fields.

Step 4 Assign the user to a group. You can use the Default Group, but it is better to use a different group, such as Group 1.

Step 5 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 6 If you are using dial-in, to assign a particular IP address to the user, enter that address in the Static IP Address field.

Step 7 To set expiration conditions for the user, configure them here.

NAS Configuration

Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+.

aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
tacacs-server host ip_address single
tacacs-server key key
enable secret password
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs
 

To allow dial-in access, enter the following command for each interface:

ppp authentication chap

Client Configuration

The client can be an async or ISDN client.

Windows 95/98 Client

Follow these steps in the Dial-Up Networking section of Windows 95/98:

Step 1 Create and configure a connection with the dial number for the NAS.

Step 2 Right-click the Connection icon and select Properties.

Step 3 Click Server Type and select PPP for Type Of Dial-up Server.

Step 4 Under Advanced Options, check Log on to Network to log on to the Windows NT domain.

Step 5 Clear the require encrypted password check box.

Step 6 Under Server Types: allowed network protocols, check IP and/or IPX.

Step 7 If the NAS is using an IP pool rather than assigning the IP address at the client, set the TCP/IP settings to server assigned IP Address and server assigned name.

Step 8 When making a connection, enter the CiscoSecure ACS user database username and password.

Tips

Consider the following:

Dialup Using SDI Token-Card Server with TACACS+

Using an SDI ACE server for authentication allows you to increase the level of security while still allowing CiscoSecure ACS to authorize the applicable services after a successful authentication.

Windows NT Server Configuration

Configure these items on the Windows NT Server:

CiscoSecure ACS Configuration

Configure these items in CiscoSecure ACS.

Network Configuration


Note If the first NAS to which clients dial in was set up during the installation of CiscoSecure ACS, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using Network Device Groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and CiscoSecure ACS.

Step 6 Select TACACS+ (Cisco) as the security control protocol.

External User Database Configuration

To add a new configuration for the external user database, follow these steps:

Step 1 Click External User Databases.

Step 2 Click Database Configuration.

Step 3 Click SDI SecurID Token Card.

Step 4 Click Create New Configuration. Click Submit to accept the default name.

Step 5 Click Configure to configure and enable CiscoSecure ACS to use the external user database to authenticate users.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the protocol to be configurable for a group, click TACACS+ (Cisco).

Step 2 To add more controls for dial-in access, check the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or enhance the detail of your access security.

Group Setup

Follow these steps in Group Setup for the default group:

Step 1 To use Time-of-Day Access, click the times and days to grant access and click Use as Default. The times and days during which access is allowed appear highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 2 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 3 To control the number of simultaneous sessions allowed to a group and to specify the number of sessions allowed to users in the groups, enter the appropriate number in the MaxSessions fields. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 4 CiscoSecure ACS can store ISDN passwords to authenticate the second B channel when it is brought into service. Select one of these token-caching methods:

Step 5 To allow the NAS to support dialup clients running IP over a PPP (async or ISDN) connection, enable PPP-IP. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

Step 6 To make CiscoSecure ACS a "DHCP-like" server, enable IP Pool and enter the IP Pool name defined on the NAS. To use a NAS-name pool, leave the field blank.

Step 7 To allow the NAS to support dialup clients running IPX over a PPP (async or ISDN) connection, enable PPP-IPX. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

User Setup

Follow these steps in the User Setup window of CiscoSecure ACS:

Step 1 Add a user to the CiscoSecure ACS user database.

Step 2 Select SDI SecurID Token Card as the method for password authentication.

Step 3 Enter and confirm the password in the first set of the CiscoSecure ACS user database password fields.

Step 4 Assign the user to a group. You can use the Default Group, but it is better to use a different group, such as Group 1.

Step 5 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 6 If you are using dial-in, to assign a particular IP address to the user, enter it in the Static IP Address field.

Step 7 To set expiration or aging conditions for the user, configure them here.

NAS Configuration

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+. CHAP is accepted here only because the user also has a password in the CiscoSecure ACS user database (User Setup, Step 3): a CHAP response cannot carry a one-time token code to the SDI server, so CHAP sessions are checked against that stored password, and the token card is exercised only when the client authenticates with PAP.

aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
tacacs-server host ip_address single
tacacs-server key key
enable secret password
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs
 

Enter one of the following commands under each interface used for dial-in access:

ppp authentication chap
 

or

ppp authentication pap

Client Configuration

The client can be an async or ISDN client.

Windows 95/98 Client

Follow these steps in the Dial-Up Networking section of Windows 95/98:

Step 1 Create and configure a connection with the dial number to the NAS.

Step 2 Right-click the Connection icon and click Properties.

Step 3 Click the Server Type tab.

Step 4 For the Type of Dial-Up Server, select PPP.

Step 5 Under Advanced options, check the Log on to Network check box to log on to the Windows NT domain.

Step 6 Clear the Require encrypted password check box.

Step 7 Under Allowed network protocols, check IP and/or IPX.

Step 8 If the NAS is using an IP pool, rather than assigning the IP address at the client, set TCP/IP settings to server assigned IP Address and server assigned name.

Step 9 When you make a connection, enter the username and the token one-time password (OTP) using the correct convention to authenticate successfully.

Tips

Consider the following:

Dialup Using NDS with TACACS+

This configuration presents examples of the information you need to use CiscoSecure ACS with Novell Directory Services (NDS). You can increase the level of security by using NDS for authentication while still allowing CiscoSecure ACS to authorize services after a successful authentication. This section includes examples for a TACACS+ NAS; however, the protocol is transparent to NDS.

Windows NT Server Configuration

Configure these items on the Windows NT Server:

CiscoSecure ACS Configuration

Configure these items in CiscoSecure ACS.

Network Configuration


Note If the first NAS to which clients dial in was set up during the installation of CiscoSecure ACS, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using Network Device Groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and CiscoSecure ACS.

Step 6 Select TACACS+ (Cisco) as the security control protocol.

External User Database Configuration

To add a new configuration for the external user database:

Step 1 Click External User Databases.

Step 2 Click Database Configuration.

Step 3 Click NDS Database.

Step 4 Click Create New Configuration. Click Submit to accept the default name.

Step 5 Click Configure to configure and enable CiscoSecure ACS to use the external user database to authenticate users.

Step 6 (Optional) If this is a first-time configuration, click Initial NDS Configuration and enter the following information:

See your Novell documentation for more information on trees and contexts.

Step 7 Click OK.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the protocol to be configurable for a group, click TACACS+ (Cisco).

Step 2 To add more controls for dial-in access, check the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or enhance the detail of your access security.

Group Setup

Follow these steps in Group Setup for the Default Group:

Step 1 To use Time-of-Day Access, click the times and days to grant access and click Use as Default. The times and days during which access is allowed appear highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 2 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 3 To control the number of simultaneous sessions allowed to a group, and to specify the number of sessions allowed to users in the groups, enter the appropriate number in the Max Sessions fields. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 4 To allow the NAS to support dialup clients running IP over a PPP (async or ISDN) connection, enable PPP-IP. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

Step 5 To make CiscoSecure ACS a "DHCP-like" server, enable IP Pool and enter the IP Pool name defined on the NAS. To use a NAS-name pool, leave the field blank.

Step 6 To allow the NAS to support dialup clients running IPX over a PPP (async or ISDN) connection, enable PPP-IPX. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

User Setup

Follow these steps in the User Setup window of CiscoSecure ACS:

Step 1 Add a user to the CiscoSecure ACS user database.

Step 2 Select NDS Database as the method for password authentication.

Step 3 Assign the user to a group. You can use the Default Group, but it is better to use a different group, such as Group 1.

Step 4 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 5 If you are using dial-in, to assign a particular IP address to the user, enter it in the Static IP Address field.

Step 6 To set expiration conditions for the user, configure them here.

NAS Configuration

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 Access Server using TACACS+. NDS requires PAP authentication, because CiscoSecure ACS must present the user's password to NDS in cleartext to authenticate the user.

aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
tacacs-server host ip_address single
tacacs-server key key
enable secret password
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs
 

Enter the following command under each interface used for dial-in access:

ppp authentication pap

Client Configuration

The client can be an async or ISDN client.

Windows 95/98 Client

Follow these steps in the Dial-Up Networking section of Windows 95/98:

Step 1 Create and configure a connection with the dial number to the NAS.

Step 2 Right-click the Connection icon and click Properties.

Step 3 Click the Server Type tab.

Step 4 For the Type of Dial-Up Server, select PPP.

Step 5 Under Advanced options, check the Log on to Network check box to log on to the Windows NT domain.

Step 6 Clear the Require encrypted password check box.

Step 7 Under Allowed network protocols, check IP and/or IPX.

Step 8 If the NAS is using an IP pool, rather than assigning the IP address at the client, set TCP/IP settings to server assigned IP Address and server assigned name server address.

Tips

Consider the following:

Dialup Using a CRYPTOCard Token-Card Server with TACACS+

This configuration shows how to implement CiscoSecure ACS with the CRYPTOCard token-card server. To increase the level of security by using a token card, you can use the CRYPTOCard server for authentication while still letting CiscoSecure ACS authorize the services after a successful authentication.

Windows NT Server Configuration

Configure these items on the Windows NT Server:

CiscoSecure ACS Configuration

Configure these items in CiscoSecure ACS.

Network Configuration


Note If the first NAS to which clients dial in was set up during the installation of CiscoSecure ACS, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using Network Device Groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and CiscoSecure ACS.

Step 6 Select TACACS+ (Cisco) as the security control protocol.

External User Database Configuration

To add a new configuration for the external user database:

Step 1 Click External User Databases.

Step 2 Click Database Configuration.

Step 3 Click CRYPTOCard Token Card Configuration to allow CiscoSecure ACS to support the CRYPTOCard token card. Enter CRYPTOCard in the field.

Step 4 In the CRYPTOCard Directory field, enter the full directory path in which the CRYPTOCard files are located. The directory must contain the CRYPTOCard and CCSecret files; otherwise, a configuration error occurs. Click Submit. A window opens that allows you to test your CRYPTOCard token server configuration.

Step 5 (Optional) To verify the configuration of your CRYPTOCard token server, click Test.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the protocol to be configurable for a group, click TACACS+ (Cisco).

Step 2 To add more control for dial-in access, check the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or enhance the detail of your access security.

Group Setup

Follow these steps in Group Setup for the Default Group:

Step 1 To use Time-of-Day Access, click the times and days to grant access and click Use as Default. The times and days during which access is allowed appear highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 2 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 3 To control the number of simultaneous sessions allowed to a group and to specify the number of sessions allowed to users in the groups, enter the appropriate number in the Max Sessions fields. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 4 CiscoSecure ACS can store ISDN passwords to authenticate the second B channel when it is brought into service. Select one of these token-caching methods:

Step 5 To allow the NAS to support dialup clients running IP over a PPP (async or ISDN) connection, enable PPP-IP. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

Step 6 To make CiscoSecure ACS a "DHCP-like" server, enable IP Pool and enter the IP Pool name defined on the NAS. To use a NAS-name pool, leave the field blank.

Step 7 To allow the NAS to support dialup clients running IPX over a PPP (async or ISDN) connection, enable PPP-IPX. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

User Setup

Follow these steps in the User Setup window of CiscoSecure ACS:

Step 1 Add a user to the CiscoSecure ACS user database.

Step 2 Select CRYPTOCard Token Card as the method for password authentication.

Step 3 If you are using CHAP authentication, enter and confirm the password in the first set of the CiscoSecure ACS user database password fields.

Step 4 Assign the user to a group. You can use the Default Group, but it is better to use a different group, such as Group 1.

Step 5 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 6 If you are using dial-in, to assign a particular IP address to the user, enter it in the Static IP Address field.

Step 7 To set expiration or aging conditions for the user, configure them here.

NAS Configuration

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+. CHAP can be used only with the password stored in the CiscoSecure ACS user database (User Setup, Step 3), because the server must hold the cleartext password to compute a CHAP response; the token OTP itself is presented with PAP, which is why the Windows client steps below clear Require encrypted password. If both are needed on one interface, list both methods (ppp authentication chap pap):

aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
tacacs-server host ip_address single
tacacs-server key key
enable secret password
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs
 

Enter the following command under each interface used for dial-in access:

ppp authentication chap
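The shared secret entered in Network Configuration Step 5 and in tacacs-server key is the only thing that keeps the PAP password in the authentication START packet from crossing the network in the clear. The following Python program is an added example written for this page, not Cisco IOS or CiscoSecure ACS code: it implements the 12-byte TACACS+ header and the MD5 pseudo-pad obfuscation of the body as specified in the Cisco TACACS+ draft (later RFC 8907), sets the single-connect flag that the single keyword on tacacs-server host requests, and shows that the body decodes only with the matching key. The session id, user, port, key and password are made up.

```python
# Added example (not Cisco IOS or CiscoSecure ACS code): TACACS+ packet
# construction with the shared-secret body obfuscation. Session id, user,
# port, key and password are made up.
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0               # major version 0xC, minor 0
TAC_PLUS_AUTHEN = 0x01                # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # body sent in the clear; never on a production NAS
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04   # "tacacs-server host ... single": reuse one TCP session
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_PPP = 0x03
HEADER_LEN = 12

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain: MD5(session_id|key|version|seq_no), then the same input with
    the previous digest appended, until `length` bytes are available."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def xor_body(body, session_id, key, version, seq_no):
    """XOR with the pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def authen_start_body(user, port, rem_addr, password, priv_lvl=1):
    """Authentication START body for a PAP login on a PPP line. The password
    is the data field, so without the key it travels in the clear."""
    user, port, rem_addr, password = (s.encode() for s in (user, port, rem_addr, password))
    return (bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                   TAC_PLUS_AUTHEN_SVC_PPP,
                   len(user), len(port), len(rem_addr), len(password)])
            + user + port + rem_addr + password)

def build_packet(body, session_id, key, seq_no=1, single_connect=False, unencrypted=False):
    """Header plus (obfuscated) body, as the NAS would put it on the wire."""
    flags = ((TAC_PLUS_SINGLE_CONNECT_FLAG if single_connect else 0)
             | (TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0))
    if not unencrypted:
        body = xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN,
                         seq_no, flags, session_id, len(body))
    return header + body

def decode_packet(packet, key):
    """Parse the header and return (header fields, cleartext body). With the
    wrong key the XOR yields garbage; that, not a MAC, is all the protection
    the shared secret provides, so choose it like a password."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    header = {"version": version, "type": ptype, "seq_no": seq_no,
              "flags": flags, "session_id": session_id}
    return header, body

def parse_authen_start(body):
    """Split a decoded START body back into its variable-length fields."""
    _action, _priv, _atype, _svc, ul, pl, rl, dl = body[:8]
    off, fields = 8, {}
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[off:off + n]
        off += n
    return fields

if __name__ == "__main__":
    body = authen_start_body("juan", "tty1", "async1", "cisco123")
    packet = build_packet(body, 0x1A2B3C4D, b"tacacs-key", single_connect=True)
    print("wire body :", packet[HEADER_LEN:].hex())
    print("right key :", parse_authen_start(decode_packet(packet, b"tacacs-key")[1]))
    print("wrong key :", decode_packet(packet, b"wrong")[1].hex())
```

Running the program prints the obfuscated body, the fields recovered with the right key and the garbage obtained with a wrong one. Because an MD5 of the session id and key is the only protection, and the flag for sending bodies unencrypted exists, treat the key like a password (long and random, and distinct per NAS or NDG where practical) and never configure a NAS without one.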

Client Configuration

The client can be an async or ISDN client.

Windows 95/98 Client

Follow these steps in the Dial-Up Networking section of Windows 95/98:

Step 1 Create and configure a connection with the dial number to the NAS.

Step 2 Right-click the Connection icon and select Properties.

Step 3 Click Server Type and select PPP for the Type of Dial-Up Server.

Step 4 Under Advanced Options, check Log on to Network to log on to the Windows NT domain.

Step 5 Clear the require encrypted password check box.

Step 6 Under Server Types: allowed network protocols, check IP and/or IPX.

Step 7 If the NAS is using an IP pool rather than assigning the IP address at the client, set TCP/IP settings to server assigned IP Address and server assigned name server address.

Step 8 When making a connection, enter the username and the token OTP using the correct convention to authenticate successfully:

Tips

Consider the following:

Dialup Using the CiscoSecure ACS User Database with Cisco RADIUS

This dialup configuration can be used by administrators who want to use RADIUS authentication/authorization processing. Administrators who need to support non-Cisco equipment might use RADIUS. CiscoSecure ACS supports Cisco, Internet Engineering Task Force (IETF) and Ascend RADIUS attributes.

Windows NT Server Configuration

No Windows NT server Configuration is required; users do not need to exist in the Windows NT database unless they need to log in to the Windows NT network.

CiscoSecure ACS Configuration

Configure these parameters in CiscoSecure ACS.

Network Configuration


Note If the first NAS into which clients dial was set up during the installation of the CiscoSecure ACS, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using Network Device Groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and the CiscoSecure ACS.

Step 6 Click RADIUS (Cisco) under the Protocol Configuration Options and make sure the vendor-specific attribute (26) is selected.

Step 7 Click RADIUS (IETF) under the Protocol Configuration Options to select the Protocol to be configurable for a group.


Note The single TCP connection check box does not apply to RADIUS.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the attributes for RADIUS to be configurable for a group, click RADIUS (Cisco).

Step 2 To add more controls for dial-in access, check the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or enhance the detail of your access security.

Group Setup

Configure the following parameters in the Group Setup window for the desired group:

If these parameters are not displayed, enable them in the Interface Configuration window.

User Setup

Follow these steps in the User Setup window of CiscoSecure ACS:

Step 1 Add a user to the CiscoSecure ACS user database.

Step 2 Select the CiscoSecure ACS user database as the method for password authentication.

Step 3 Enter and confirm a password in the first set CiscoSecure ACS User Database password fields.

Step 4 Assign the user to a group. You can use the Default Group, but it is better to use a different group, such as Group 1.

Step 5 To set expiration conditions for the user, configure them here.

Step 6 If you are using dial-in, to assign a particular IP address to the user, enter it in the Static IP Address field.

NAS Configuration

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using RADIUS. CHAP can be used because the CiscoSecure ACS user database is being used:

aaa new-model
aaa authentication login default radius
aaa authentication ppp default radius
aaa authorization exec radius
aaa authorization network radius
aaa accounting network start-stop radius
aaa accounting exec start-stop radius
radius-server host ip_address
radius-server key key
enable secret password
aaa authentication login no_radius enable
line con 0
login authentication no_radius
 

Enter one of the following commands under each interface used for dial-in access:

ppp authentication chap
 

or

ppp authentication pap
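Three details of this procedure are easier to see in code: how the shared secret hides the PAP password in the Access-Request, why CHAP needs the cleartext password on the server side (the reason the text says CHAP can be used because the CiscoSecure ACS user database is in use), and how the vendor-specific attribute (26) enabled in Network Configuration Step 6 carries a cisco-avpair. The following Python program is an added example written for this page, not Cisco IOS or CiscoSecure ACS code; it builds Access-Request packets for PAP and CHAP, parses them, and checks them against a small cleartext password table. Secret, user, password, NAS address and the avpair text are made up.

```python
# Added example (not Cisco IOS or CiscoSecure ACS code): RADIUS Access-Request
# building and server-side checking for PAP and CHAP. Secret, user, password,
# NAS address and the cisco-avpair text below are made up.
import hashlib
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS = 1, 2, 3, 4
VENDOR_SPECIFIC, CHAP_CHALLENGE = 26, 60
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a multiple of 16 bytes, XOR block i with
    MD5(secret + c[i-1]), c[-1] being the Request Authenticator. The
    `radius-server key` secret is the only thing hiding the password."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_response(chap_id, password, challenge):
    """CHAP response = MD5(id + cleartext password + challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def attribute(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def cisco_avpair(text):
    """Attribute 26 carrying vendor id 9 and vendor type 1 (cisco-avpair)."""
    vsa = struct.pack("!I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, len(text) + 2]) + text
    return attribute(VENDOR_SPECIFIC, vsa)

def access_request(ident, authenticator, attributes):
    body = b"".join(attributes)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def parse(packet):
    """Return (ident, authenticator, [(type, value)]); a VSA value is
    unpacked to (vendor_id, vendor_type, data)."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, body, attrs = packet[4:20], packet[20:length], []
    while body:
        t, l = body[0], body[1]
        if l < 2:
            break                      # malformed attribute; stop rather than loop
        value, body = body[2:l], body[l:]
        if t == VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            value = (vendor, value[4], value[6:value[5] + 4])
        attrs.append((t, value))
    return ident, authenticator, attrs

def server_check(packet, secret, user_db):
    """Accept or reject as a server holding cleartext passwords can. The CHAP
    branch is impossible for a token server that only answers accept/reject
    for a submitted OTP, which is why OTP users must authenticate with PAP."""
    _ident, authenticator, attrs = parse(packet)
    a = {t: v for t, v in attrs if t != VENDOR_SPECIFIC}
    stored = user_db.get(a.get(USER_NAME))
    if stored is None:
        return False
    if USER_PASSWORD in a:
        return unhide_password(a[USER_PASSWORD], secret, authenticator) == stored
    if CHAP_PASSWORD in a:
        chap_id, response = a[CHAP_PASSWORD][0], a[CHAP_PASSWORD][1:]
        challenge = a.get(CHAP_CHALLENGE, authenticator)  # RFC 2865: authenticator if no 60
        return chap_response(chap_id, stored, challenge) == response
    return False

def pap_request(ident, authenticator, user, password, secret, nas_ip, avpair=None):
    attrs = [attribute(USER_NAME, user),
             attribute(USER_PASSWORD, hide_password(password, secret, authenticator)),
             attribute(NAS_IP_ADDRESS, bytes(map(int, nas_ip.split("."))))]
    if avpair:
        attrs.append(cisco_avpair(avpair))
    return access_request(ident, authenticator, attrs)

def chap_request(ident, authenticator, user, password, challenge, chap_id, nas_ip):
    attrs = [attribute(USER_NAME, user),
             attribute(CHAP_PASSWORD, bytes([chap_id]) + chap_response(chap_id, password, challenge)),
             attribute(CHAP_CHALLENGE, challenge),
             attribute(NAS_IP_ADDRESS, bytes(map(int, nas_ip.split("."))))]
    return access_request(ident, authenticator, attrs)

if __name__ == "__main__":
    import os
    secret, db, auth = b"radius-key", {b"juan": b"cisco123"}, os.urandom(16)
    pap = pap_request(7, auth, b"juan", b"cisco123", secret, "10.4.1.30", b"ip:addr-pool=setup_pool")
    print("PAP accepted :", server_check(pap, secret, db), "wrong key:", server_check(pap, b"other", db))
    chap = chap_request(8, auth, b"juan", b"cisco123", os.urandom(16), 3, "10.4.1.30")
    print("CHAP accepted:", server_check(chap, secret, db))
```

The PAP branch only works when the NAS and CiscoSecure ACS share the same radius-server key, and the CHAP branch only works when the server can read the user's cleartext password, which is the property the CiscoSecure ACS user database has and an external token server does not.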

Client Configuration

The client can be an async or ISDN client.

Windows 95/98 Client

Follow these steps in the Dial-Up Networking section of Windows 95/98:

Step 1 Create and configure a connection with the dial number to the NAS.

Step 2 Right-click the Connection icon and click Properties.

Step 3 Click the Server Type tab.

Step 4 For the Type of Dial-Up Server, select PPP.

Step 5 Under Advanced options, check the Log on to Network check box to log on to the Windows NT domain.

Step 6 Clear the Require encrypted password check box.

Step 7 Under Allowed network protocols, check IP.

Step 8 If the NAS is using an IP pool, rather than assigning the IP address at the client, set TCP/IP settings to server assigned IP Address and server assigned name server address.

Tips

Consider the following:

Dialup for an ARAP Client Using the CiscoSecure ACS User Database with TACACS+

This section provides instructions for configuring a client using ARAP with TACACS+. The necessary (non-AAA) ARAP configuration parameters must already be configured on the NAS.


Note When you use ARAP, the NAS must be running Cisco IOS Release 11.1.

CiscoSecure ACS Configuration

Configure these items in the CiscoSecure ACS.

Network Configuration


Note If the first NAS to which clients dial in was set up during the installation of the CiscoSecure ACS, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using Network Device Groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit the NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and the CiscoSecure ACS.

Step 6 Select TACACS+ (Cisco) as the security control protocol.

Step 7 Under the Protocol Configuration Options, click TACACS+ (Cisco) and select the ARAP Protocol.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the protocol to be configurable for a group, click TACACS+ (Cisco).

Step 2 To add more controls for dial-in access, check the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or enhance the detail of your access security.

Group Setup

Follow these steps in Group Setup for the Default Group:

Step 1 To use Time-of-Day Access, click the times and days to grant access and click Use as Default. The times and days during which access is allowed appear highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 2 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 3 To control the number of simultaneous sessions allowed to a group and to specify the number of sessions allowed to users in the groups, enter the applicable number in the Max Sessions fields. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 4 To allow the NAS to support dialup clients, enable ARAP.

Step 5 To allow Telnet sessions to be run by the client or to allow the CiscoSecure ACS to also be used for NAS management, enable Shell (Exec). If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

User Setup

Follow these steps in the CiscoSecure ACS from User Setup:

Step 1 Add a user to the CiscoSecure ACS user database.

Step 2 Select the CiscoSecure ACS user database as the method for Password authentication, and enter/reconfirm a password in the first set CiscoSecure ACS User Database password fields.

Step 3 Assign the user to a group. You can use Default Group, but it is better to use a different group, such as Group 1.

Step 4 To set expiration or aging conditions for the user, configure them here.

NAS Configuration

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+ and ARAP:

aaa new-model
aaa authentication arap default tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
tacacs-server host ip_address single
tacacs-server key key
enable secret password
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs
 

Enter the following commands under each line used for dial-in access with ARAP:

autoselect arap
arap enable

Client Configuration

The client configured in this example is an Apple Macintosh Power PC running Mac OS 7.5.5 and using AppleTalk Remote Access version 2.1 software.

Step 1 In the Remote Access Client software, create a new profile.

Step 2 Configure these items in the Connect As section:

Step 3 Click Connect to initiate a call.

NAS Management Using the CiscoSecure ACS User Database with TACACS+

This section describes how to tighten access to the NAS configuration by combining per-command authorization with administrative privilege levels. IS managers can use this method to control and audit the administration activity on their NASs.

Windows NT Server Configuration

No Windows NT server configuration is required; users do not need to exist in the Windows NT database unless they need to log in to the Windows NT network.

CiscoSecure ACS Configuration

Configure these items in CiscoSecure ACS.

Network Configuration


Note If the first NAS to which clients dial in was set up during the installation of the CiscoSecure ACS, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using Network Device Groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and the CiscoSecure ACS.

Step 6 Select TACACS+ (Cisco) as the security control protocol.

Step 7 If the NAS is configured for a single TCP connection to CiscoSecure ACS (tacacs-server host ip_address single, as in the NAS configuration below), check the single TCP connection check box so that CiscoSecure ACS uses this feature.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the protocol to be configurable for a group, click TACACS+ (Cisco).

Step 2 To add more controls for dial-in access, check the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or enhance the detail of your access security.

Group Setup

Follow these steps in Group Setup for the Default Group:

Step 1 To use Time-of-Day Access, click the times and days to grant access and click Use as Default. The times and days during which access is allowed appear highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 2 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 3 To control the number of simultaneous sessions allowed to a group and to specify the number of sessions allowed to users in the groups, enter the appropriate number in the Max Sessions fields. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 4 To allow the NAS to support dialup clients running IPX over a PPP (async or ISDN) connection, enable PPP-IPX. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

Step 5 Assign the authorization privilege level for the group in the Shell (exec) section.

Step 6 To permit or deny Cisco IOS commands in the CiscoSecure ACS Group Setup, make sure the proper command authorization has been configured on the NAS. (See the section "NAS Configuration.")

Step 7 To permit or deny authorization of any command not specified for the group, click the Permit/Deny button on the Unmatched Cisco IOS Commands section.

Step 8 Select the Command check box and enter the command to authorize in the dialog box. In the arguments box, enter one line per argument string, each starting with permit or deny, in the order you want them matched. For example, for the command show, enter:

     permit running-config
     permit ip route
     deny interface ethernet 0
     
    
Write the arguments as Cisco IOS sends them in the authorization request, that is, the full keyword (running-config) rather than an abbreviation the user may have typed.

Step 9 Click the button to permit or deny all unlisted arguments for the command being configured.

Step 10 To enter another command, click Submit, then click Edit Group Settings. Scroll down and configure another command for authorization until you have entered all your commands. To activate the changes immediately, click Submit and Restart.
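Steps 7 through 9 define a small policy language: per command, an ordered list of permit or deny argument lines, a default for arguments no line lists, and a default for commands that are not configured at all. The following Python program is an added example written for this page, not CiscoSecure ACS code; it evaluates such a policy for command lines as the NAS submits them (the command word as cmd=, the remaining words as cmd-arg=, after Cisco IOS has expanded abbreviations). The matching rule, first line whose words are a prefix of the argument words, and the sample policy are assumptions made for the example. The NAS only requests this decision at the privilege levels covered by aaa authorization commands in its configuration.

```python
# Added example (not CiscoSecure ACS code): evaluate a per-command
# authorization policy of the kind Group Setup Steps 7 to 9 describe.
# The prefix matching rule and the sample policy are assumptions.
from dataclasses import dataclass, field

PERMIT, DENY = "permit", "deny"

@dataclass
class CommandRule:
    lines: list = field(default_factory=list)  # (PERMIT|DENY, "argument words"), in order
    unlisted_args: str = DENY                  # Step 9: arguments no line matches

@dataclass
class CommandPolicy:
    commands: dict = field(default_factory=dict)  # command word -> CommandRule
    unmatched_commands: str = DENY                # Step 7: commands not configured

def authorize(policy, command_line):
    """Return (decision, reason) for one command line as the NAS submits it:
    first word is cmd=, the rest is cmd-arg=. First matching line wins."""
    words = command_line.split()
    if not words:
        return DENY, "empty command"
    cmd, args = words[0], words[1:]
    rule = policy.commands.get(cmd)
    if rule is None:
        return policy.unmatched_commands, "command not in policy"
    for action, pattern in rule.lines:
        pat = pattern.split()
        if args[:len(pat)] == pat:          # an empty pattern matches every argument
            return action, f"line '{action} {pattern}'"
    return rule.unlisted_args, "no argument line matched"

# Read-only operations policy mirroring the Step 8 example for "show". The
# explicit deny line only means something because unlisted show arguments
# are permitted; for other commands the safer deny default is kept.
READ_ONLY = CommandPolicy(
    commands={
        "show": CommandRule(
            lines=[(PERMIT, "running-config"),
                   (PERMIT, "ip route"),
                   (DENY, "interface ethernet 0")],
            unlisted_args=PERMIT),
        "ping": CommandRule(unlisted_args=PERMIT),
        "configure": CommandRule(unlisted_args=DENY),
    },
    unmatched_commands=DENY,
)

if __name__ == "__main__":
    for line in ("show running-config", "show ip route 10.0.0.0",
                 "show interface ethernet 0", "show version",
                 "ping 10.4.1.30", "configure terminal", "reload"):
        print(f"{line:28} -> {authorize(READ_ONLY, line)}")
```

Because the NAS sends the expanded command, a policy line written as permit run would never match show running-config; keep argument lines in the form Cisco IOS reports, and keep unmatched commands on deny so that a command you forgot to list (reload, for instance) is refused rather than allowed.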

User Setup

Follow these steps in the CiscoSecure ACS User Setup window:

Step 1 Add a user to the CiscoSecure ACS user database.

Step 2 Select CiscoSecure ACS User Database as the method for password authentication.

Step 3 Enter and confirm a password in the first set CiscoSecure ACS User Database password fields.

Step 4 Assign the user to a group. You can use Default Group, but it is better to use a different group, such as Group 1.

Step 5 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. User definition overrides group definition.

Step 6 If you are using dial-in, to assign a particular IP address to the user, enter it in the Static IP Address field.

Step 7 To set expiration conditions for the user, configure them here.

Step 8 To authenticate the user by privilege level, in the Advanced TACACS+ Settings window, enable the TACACS+ Enable Control. Enter and confirm the password to be used when accessing enable mode on the NAS.

Token-Server Configuration

No token-server configuration is required; token card servers are not used in this configuration.

NAS Configuration

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+ that authorizes and accounts for NAS commands and authenticates entry into enable mode through CiscoSecure ACS (this is also how users are placed at privilege levels other than 1 or 15; see User Setup Step 8). CHAP can be used because the CiscoSecure ACS user database is being used. Command authorization and command accounting are configured one line per privilege level; the sample covers levels 1 and 15, so add a line for any other level you assign in Group Setup Step 5. With aaa authentication enable default tacacs+ alone, enable mode cannot be entered while CiscoSecure ACS is unreachable; append enable as a last-resort method (aaa authentication enable default tacacs+ enable) if the local enable secret is an acceptable fallback:

aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authentication enable default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa authorization commands 1 tacacs+
aaa authorization commands 15 tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
aaa accounting commands 1 start-stop tacacs+
aaa accounting commands 15 start-stop tacacs+
tacacs-server host ip_address single
tacacs-server key key
enable secret password
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs
 

Enter one of the following commands under each interface used for dial-in access:

ppp authentication chap
 

or

ppp authentication pap

Client Configuration

The client can be an async or ISDN client or reside on the network.

Windows 95/98 Client

Follow these steps in the Dial-Up Networking section of Windows 95/98:

Step 1 Create and configure a connection with the dial number to the NAS.

Step 2 Right-click the Connection icon and click Properties.

Step 3 Click the Server Type tab.

Step 4 For the Type of Dial-Up Server, select PPP.

Step 5 Under Advanced options, check the Log on to Network check box to log on to the Windows NT domain.

Step 6 Clear the Require encrypted password check box.

Step 7 Under Allowed network protocols, check IP and/or IPX.

Step 8 If the NAS is using an IP pool, rather than assigning the IP address at the client, set TCP/IP settings to server assigned IP Address and server assigned name.

Step 9 When the connection comes up, enter the username and password entered in the CiscoSecure ACS user database.

Tips

Consider the following:

Password Aging and User-Changeable Passwords Using CiscoSecure ACS with CAA

You can use the CiscoSecure Authentication Agent (CAA) with CiscoSecure ACS to notify users to change their passwords before they expire and to allow users to change their own passwords. This feature uses the CAA Messaging Service and the new CiscoSecure Control Message Protocol (CCMP).


Note To use these features over a dialup connection you must be using Release 2.2 or later of CiscoSecure ACS and a Cisco 25XX, 36XX, AS52XX or AS53XX access server running the Cisco IOS image for Release 11.5T or later.

Web Server Configuration

In order to use CAA, you must install and configure a web server. SSL is not required by the software, but without it the user's new password is submitted to the web server in cleartext, so enable SSL wherever the path between the workstation and the web server is not trusted. CAA must be installed on a PC running Windows 95/98 or Windows NT. See the Web Server Installation for CiscoSecure ACS for Windows NT User-Changeable Passwords quick reference card for instructions.

CiscoSecure ACS Configuration

Configure these items in the CiscoSecure ACS.

User Setup

Follow these steps in the User Setup window of CiscoSecure ACS:

Step 1 Create or edit a user.

Step 2 Assign a CHAP or PAP password to the user.

Step 3 Map the user to the group that is configured to use password aging.


Note The Account Disable section of User Setup is not the same as password aging. If the password has aged, the account is expired, not disabled; expired accounts are reflected in the Account Disable section.

Group Setup

Follow these steps in the Group Setup window of CiscoSecure ACS:

Step 1 In the Apply age-by-date rules section, enter the number of days for the Active period, Warning period, and Grace period. For an explanation of these options, see the Online Help and "Step-by-Step Configuration for CiscoSecure ACS."

Step 2 In the Apply age-by-uses rules section, select the number of logins after which to issue warning or require changes.

Step 3 To force the user to change the password on the first login after an administrator has changed the password, check the Apply password change rule check box.

Step 4 To issue a greeting or message at each successful login, check the Generate greetings for successful logins check box. This message is displayed in the CAA.
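The three age-by-date periods, the two age-by-uses thresholds and the password change rule combine into one decision at every login. The following Python program is an added example written for this page, not CiscoSecure ACS code; it models those rules, assuming that the active, warning and grace periods run one after another and that an account whose grace period has passed is expired rather than disabled, as the Reports & Activity note below states. The Online Help is authoritative for the exact semantics; the rule values, dates and login counts are made up.

```python
# Added example (not CiscoSecure ACS code): a model of the group password-aging
# rules. Assumptions: active, warning and grace periods are consecutive; after
# the grace period the account is expired. Values below are made up.
from dataclasses import dataclass
from datetime import date

OK, WARN, CHANGE_REQUIRED, EXPIRED = "ok", "warn", "change-required", "expired"
SEVERITY = {OK: 0, WARN: 1, CHANGE_REQUIRED: 2, EXPIRED: 3}

@dataclass
class AgingRules:
    active_days: int = 0          # age-by-date; 0 disables the date rules
    warning_days: int = 0
    grace_days: int = 0
    warn_after_uses: int = 0      # age-by-uses; 0 disables the threshold
    change_after_uses: int = 0
    change_on_admin_reset: bool = False   # "Apply password change rule"

@dataclass
class PasswordState:
    last_changed: date
    logins_since_change: int = 0
    set_by_admin: bool = False

def age_by_date(rules, state, today):
    """Walk the consecutive periods: active -> warning -> grace -> expired."""
    if rules.active_days <= 0:
        return OK
    age = (today - state.last_changed).days
    if age < rules.active_days:
        return OK
    if age < rules.active_days + rules.warning_days:
        return WARN
    if age < rules.active_days + rules.warning_days + rules.grace_days:
        return CHANGE_REQUIRED
    return EXPIRED

def age_by_uses(rules, state):
    if rules.change_after_uses and state.logins_since_change >= rules.change_after_uses:
        return CHANGE_REQUIRED
    if rules.warn_after_uses and state.logins_since_change >= rules.warn_after_uses:
        return WARN
    return OK

def password_status(rules, state, today):
    """Most severe outcome of all rules. CHANGE_REQUIRED means the login is
    accepted only so the user can change the password (what the CAA prompts
    for); EXPIRED means the attempt is refused and logged as a failed attempt."""
    outcomes = [age_by_date(rules, state, today), age_by_uses(rules, state)]
    if rules.change_on_admin_reset and state.set_by_admin:
        outcomes.append(CHANGE_REQUIRED)
    return max(outcomes, key=SEVERITY.get)

if __name__ == "__main__":
    rules = AgingRules(active_days=30, warning_days=5, grace_days=5,
                       warn_after_uses=10, change_after_uses=15, change_on_admin_reset=True)
    state = PasswordState(last_changed=date(1999, 1, 1))
    for day in (date(1999, 1, 20), date(1999, 1, 31), date(1999, 2, 5), date(1999, 2, 10)):
        print(day, password_status(rules, state, day))
```

Expiry is evaluated at login time from the stored change date, so the status of a user who never dials in changes without any record in the logs until the next attempt, which is when it appears in the Failed Attempts report.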

Network Configuration


Note If the first NAS into which clients dial was set up during CiscoSecure ACS installation, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using Network Device Groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and CiscoSecure ACS.

Step 6 Select TACACS+ (Cisco) as the security control protocol.

System Configuration

Follow these steps in the System Configuration window:

Step 1 Click Password Validation. The Password Validation Options window opens.

Step 2 Enter the minimum and maximum length you want to require for the password. The default password length is from 4 through 32 characters.

Step 3 Check one or more of the following check boxes:

Interface Configuration

In the Interface Configuration window click Advanced Options and check the Group-Level Password Aging check box.

Administration Control

If you want the administrator to be able to control the Password Aging options, click Administration Control. In the Administrator Privileges: System Configuration section, check the Password Validation check box.

Reports & Activity

If the password has aged, the account is expired, not disabled; expired accounts are reflected in the Disabled Accounts report. If the user attempts to log in to an expired account, this action is logged in the Failed Attempts report.


Note The Disabled Accounts report in the Reports & Activity window lists both disabled and expired accounts.

NAS Configuration

The following sample configuration can be used for an analog dial-up networking user with a NAS-assigned dynamic IP address. This sample is for a Cisco AS5200 access server using TACACS+. Adjust the sample to match your individual requirements.


Note The aaa, tacacs-server and login authentication statements are the AAA-specific requirements; the remaining statements belong to the initial NAS configuration. Use the Cisco IOS image for Release 11.5T or later.

The names noaaa, logintac and ppptac in the aaa authentication statements are list names: any character string you choose to identify a particular list of authentication methods for that login type. Here noaaa (local user database) is applied to the console, logintac (TACACS+) to the vty lines and ppptac (TACACS+) to PPP on the async lines.

The sample is a lab configuration. Before using it in production, replace enable password cisco with an enable secret, replace the line passwords and the local username password with your own values, turn on service password-encryption, and disable the TCP and UDP small servers (no service tcp-small-servers, no service udp-small-servers), which an access server does not need.

!
version 11.2
service timestamps debug datetime msec localtime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname 5200
!
aaa new-model
aaa authentication login noaaa local
aaa authentication login logintac tacacs+
aaa authentication ppp ppptac tacacs+
aaa accounting network start-stop tacacs+
aaa accounting connection start-stop tacacs+
aaa accounting update newinfo
enable password cisco
!
username juan password 0 cisco
modem startup-test
no ip domain-lookup
isdn switch-type primary-5ess
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1
 shutdown
 framing esf
 clock source line secondary
 linecode b8zs
 pri-group timeslots 1-24
!
interface Loopback0
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface Ethernet0
 ip address 10.4.1.30 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 no mop enabled
!
interface Serial0
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
 no fair-queue
!
interface Serial1
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface Serial0:23
 ip unnumbered Ethernet0
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 no keepalive
 isdn incoming-voice modem
 peer default ip address pool setup_pool
 dialer idle-timeout 400
 dialer-group 1
 no fair-queue
 ppp multilink
!
interface Serial1:23
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface Group-Async1
 ip unnumbered Ethernet0
 ip tcp header-compression passive
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 async default routing
 async dynamic address
 async mode interactive
 peer default ip address pool setup_pool
 ppp authentication pap ppptac
 group-range 1 48
!
interface Dialer0
 no ip address
 no ip route-cache
 no ip mroute-cache
 dialer-group 1
!
router igrp 1
 redistribute connected
 network 10.0.0.0
!
no ip classless
ip route 10.0.0.0 255.0.0.0 Ethernet0
!
tacacs-server host 10.11.1.16
tacacs-server timeout 20
tacacs-server key cisco
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login authentication noaaa
line 1 48
 exec-timeout 0 0
 autoselect during-login
 autoselect ppp
 modem Dialin
 transport preferred telnet
 transport input all
line aux 0
line vty 0
 exec-timeout 0 0
 password cisco
 login authentication logintac
 length 62
 width 137
line vty 1 4
 exec-timeout 0 0
 password cisco
 login authentication logintac
!
scheduler interval 1000
end

Client Configuration

Install the CAA client software using the self-extracting file provided with the CAA software. See the Quick Start Guide for the CiscoSecure Authentication Agent for instructions.

Follow the instructions in the readme file provided with the CAA client software to configure the CAA software.

Configure Dial-Up Networking on the Windows 95/98 or Windows NT workstation or server from which you will dial in. See your Microsoft documentation for instructions.

Tips

Consider the following:

Single Authentication Using CiscoSecure ACS and the CAA

Single Authentication uses the special Cisco EIOS image release 4.2(13) or later to provide a simple CHAP or PAP authentication. Single Authentication uses Cisco 76x or Cisco 77x routers that are equipped with the special UDP SOHO client packet. Only one PC at a time can communicate through the Cisco 76x/77x device, and only one PC at a time can have a Telnet session or an Active Monitor status into the Cisco 76x/77x device.


Note Users should not be able to define a destination IP address for the NAS automatic login. Do not use Virtual Templates and VPDNs on the same ISDN interface to which the Cisco 76x or Cisco 77x will call. To avoid problems with the token authentication server (TAS) mode, disable the Virtual Templates/VPDN statements.

Windows NT Server Configuration

No special configuration is required for the Windows NT server.

CiscoSecure ACS Configuration

Configure these items in the CiscoSecure ACS.

Network Configuration


Note If the first NAS into which clients dial was set up during CiscoSecure ACS installation, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using Network Device Groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and CiscoSecure ACS.

Step 6 Select TACACS+ (Cisco) as the security control protocol.

Group Setup

Create an ISDN small office/home office (SOHO) group.

User Setup

Create a standard ISDN user who will authenticate using a token card database, and/or map the user to the ISDN SOHO group.

Router Configuration

Add the following statements to the SET USER LAN section of the Cisco 76x/77x device's configuration file:

SET IP ROUTING ON
SET IP ADDRESS 200.200.200.1
SET IP NETMASK 255.255.255.0
SET IP RIP UPDATE PER

Add the following statements to the configuration file to create a host NAS profile:

SET USER 5200
SET PROFILE POWERUP ACTIVATE
SET 1 NUMBER 95552000
SET 2 NUMBER 95552000
SET PPP TAS DISTRIBUTED
SET PPP TAS CLIENT 0.0.0.0
SET PPP TAS CHAPSECRET LOCAL ON
SET PPP CLIENTNAME 765
SET PPP PASSWORD CLIENT ENCRYPTED 121a0c041104
SET PPP SECRET CLIENT ENCRYPTED 05080f1c2243
SET PPP PASSWORD HOST ENCRYPTED 101b5a4955
SET PPP SECRET HOST ENCRYPTED 115c4a5547
SET IP ROUTING ON
SET IP ADDRESS 0.0.0.0
SET IP NETMASK 0.0.0.0
SET IP ROUTE DEST 0.0.0.0/0 GATEWAY 0.0.0.0 PROPAGATE OFF COST 1

Client Configuration

Configure the CAA for Single Authentication mode. See your CAA documentation for instructions.

Tips

Consider the following:

Double Authentication Using CiscoSecure ACS and the CAA

Some token cards require you to use double authentication with an ISDN connection. See your token card documentation to see if your particular card requires this feature.

Double authentication consists of a two-part challenge.

In the first challenge, either CHAP or PAP authenticates the SOHO router and allows it to establish the connection to the NAS. PPP then negotiates with the AAA server to authorize the SOHO router to access the NAS's network. This challenge also triggers CiscoSecure ACS to download the first access control list (ACL), which is applied against the ISDN port of the NAS. This ACL sets the initial network access privileges: the SOHO and its users are only allowed to Telnet to the NAS.

In the second challenge, SOHO users must Telnet to the NAS to be authenticated as individual users. When SOHO users log in, they are authenticated with AAA login authentication. CAA users can simply right-click to access the Connect option and establish the required Telnet session. Users are automatically prompted to enter the username and password. The Telnet service negotiates with CiscoSecure ACS to authorize users to access the NAS network. When authorization is complete, users have been double-authenticated and can access the network according to their per-user network privileges. The second challenge also triggers CiscoSecure ACS to download the second ACL, which is applied against the ISDN port on the NAS to which the SOHO connection has already been established.

Windows NT Server Configuration

No special Windows NT server configuration is required.

CiscoSecure ACS Configuration

Define the access control lists (ACLs) and network access privileges of the SOHO and its users on CiscoSecure ACS.

Network Configuration


Note If the first NAS into which clients dial was set up during CiscoSecure ACS installation, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using Network Device Groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and CiscoSecure ACS.

Step 6 Select TACACS+ (Cisco) as the security control protocol.

External User Databases Configuration

Configure the database for the token card you are using. See the "External User Databases" section for instructions.

User Setup

Add or edit a user.

Group Setup

Add an ISDN SOHO group. The following TACACS+ statements must be included in the double-authentication user's or group's profile. Because the ACLs are applied to the ISDN port rather than to an individual host, users on the same SOHO 802.3 segment inherit the capabilities and limitations of the first session established.

Step 1 Add a first authentication group for the Cisco 77x or Cisco 1xxx device.

Step 2 In the Custom Attributes section, assign PPP/IP to the group by adding the following statement:

    inacl#3=permit tcp any any eq telnet

Make sure PPP LCP and PPP Multilink are checked.

Step 3 Add the SOHO device to the first authentication group and assign it a standard CHAP password.

Step 4 Add a second authentication group which will include the actual users.

Step 5 In the Custom Attributes section, assign PPP/IP to the group by adding the following statements:

    inacl#4=permit icmp any any
    inacl#5=permit tcp any any eq ftp
    inacl#6=permit tcp any any eq ftp-data

Make sure PPP LCP, Shell (exec), and AutoCommand are checked. AutoCommand is defined for the access profile only at the per-user level.

Step 6 Map the CHAP password user or token card user to the second authentication group.
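As an added illustration (not part of the original Cisco documentation), the following Python models what the NAS does with the two downloaded ACLs: it parses the inacl#N custom attributes entered in the steps above into an ordered access list and evaluates traffic from the SOHO segment against it with the implicit deny that IOS appends. It assumes that the stage-2 entries (#4 to #6) are applied together with the stage-1 entry (#3), as the continued numbering suggests, handles only the any/host address forms used on this page, and the sample addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Service names used in the inacl# lines above; a constructed, minimal table.
PORT_NAMES = {"telnet": 23, "ftp": 21, "ftp-data": 20}


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # "eq <port>" destination port, if any


def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; return (network, remaining tokens).
    The wildcard-mask form is not used on this page and is not handled."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError(f"unsupported address form: {tokens[0]}")


def parse_inacl(attrs: List[str]) -> List[Ace]:
    """Turn 'inacl#N=<ace>' custom-attribute lines into an ACL ordered by N."""
    numbered = []
    for line in attrs:
        key, sep, ace = line.strip().partition("=")
        if not sep or not key.startswith("inacl#"):
            continue
        seq = int(key[len("inacl#"):])
        tokens = ace.split()
        action, proto = tokens[0], tokens[1]
        src, rest = _addr(tokens[2:])
        dst, rest = _addr(rest)
        dport = None
        if len(rest) >= 2 and rest[0] == "eq":
            dport = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
        numbered.append((seq, Ace(action, proto, src, dst, dport)))
    return [ace for _, ace in sorted(numbered, key=lambda t: t[0])]


def permitted(acl: List[Ace], proto, src_ip, dst_ip, dport=None) -> bool:
    """First-match evaluation, ending in the implicit 'deny ip any any'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False


# The two stages exactly as entered in Group Setup above.  Assumption: the
# stage-2 entries (#4-#6) are applied together with the stage-1 entry (#3).
STAGE1 = ["inacl#3=permit tcp any any eq telnet"]
STAGE2 = STAGE1 + [
    "inacl#4=permit icmp any any",
    "inacl#5=permit tcp any any eq ftp",
    "inacl#6=permit tcp any any eq ftp-data",
]


def allowed_after(stage_attrs, proto, src_ip, dst_ip, dport=None) -> bool:
    """Would this packet from the SOHO segment pass after the given stage?"""
    return permitted(parse_inacl(stage_attrs), proto, src_ip, dst_ip, dport)
```

After stage 1 only Telnet (to anything, including the NAS at 10.4.1.30) gets through; after stage 2 ICMP and FTP are added, while anything else, HTTP for instance, still hits the implicit deny.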

NAS Configuration

Add the following configuration to the NAS. As captured, this sample keeps service password-encryption off, uses the plaintext enable password and TACACS+ key cisco, and leaves the TCP and UDP small servers enabled; change the passwords and the key and disable the small servers before using it anywhere but a lab:

5200#show running-config
Building configuration...

Current configuration:
!
version 11.2
service timestamps debug datetime msec localtime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname 5200
!
aaa new-model
aaa authentication login noaaa local
aaa authentication login logintac tacacs+
aaa authentication ppp ppptac tacacs+
aaa authorization exec tacacs+
aaa authorization network default tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting network default start-stop tacacs+
aaa accounting connection start-stop tacacs+
enable password cisco
!
username jsmith password 0 cisco
modem startup-test
no ip domain-lookup
isdn switch-type primary-5ess
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1
 shutdown
 framing esf
 clock source line secondary
 linecode b8zs
 pri-group timeslots 1-24
!
interface Loopback0
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface Ethernet0
 ip address 10.4.1.30 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 no mop enabled
!
interface Virtual-Template1
 ip unnumbered Ethernet0
 no ip mroute-cache
 peer default ip address pool pool1
 ppp authentication chap ppptac
!
interface Serial0
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
 no fair-queue
!
interface Serial1
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface Serial0:23
 ip unnumbered Ethernet0
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 no keepalive
 isdn incoming-voice modem
 peer default ip address pool setup_pool
 dialer idle-timeout 400
 dialer map ip 10.15.2.50 6661400
 dialer-group 1
 no fair-queue
 ppp authentication pap ppptac
 ppp multilink
!
interface Serial1:23
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface Group-Async1
 ip unnumbered Ethernet0
 ip tcp header-compression passive
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 async default routing
 async dynamic address
 async mode interactive
 peer default ip address pool setup_pool
 ppp authentication pap ppptac
 group-range 1 48
!
interface Dialer0
 no ip address
 no ip route-cache
 no ip mroute-cache
 dialer-group 1
!
router igrp 1
 redistribute connected
 network 10.0.0.0
!
ip local pool pool1 10.4.1.101 10.4.1.110
ip local pool setup_pool 10.4.1.90 10.4.1.99
no ip classless
ip route 10.0.0.0 255.0.0.0 Ethernet0
ip route 10.5.7.0 255.255.255.0 10.15.2.71
ip route 10.6.3.0 255.255.255.0 10.15.2.70
virtual-profile virtual-template 1
dialer-list 1 protocol ip permit
!
tacacs-server host 10.11.1.16
tacacs-server timeout 20
tacacs-server key cisco
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login authentication noaaa
line 1 48
 exec-timeout 0 0
 autoselect during-login
 autoselect ppp
 modem Dialin
 transport preferred telnet
 transport input all
line aux 0
line vty 0
 exec-timeout 0 0
 password cisco
 login authentication logintac
 length 62
 width 137
line vty 1 4
 exec-timeout 0 0
 password cisco
 login authentication logintac
!
scheduler interval 1000
end

5200#

SOHO Router Configuration

Enter the following commands in the configuration file on the SOHO router:

version 11.3
no service pad
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname 1000
!
enable secret 5 $1$pAlv$j3we9UFIcvdXBJ497PzFa/
enable password enable
!
username 5200 password 7 104D000A0618
username jsmith password 7 124C303A0617
isdn switch-type basic-ni1
!
interface Ethernet0
 ip address 10.4.1.1 255.255.255.0
!
interface BRI0
 ip address 10.15.2.40 255.255.255.0
 encapsulation ppp
 dialer map ip 10.15.2.80 name 5200 broadcast 96662000
 dialer load-threshold 1 either
 dialer-group 1
 isdn spid1 714666140100
 isdn spid2 714666140200
 ppp authentication chap
!
no ip classless
ip route 10.0.0.0 255.0.0.0 10.15.2.80 
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 0 0
line vty 0 4
 password enable
 login
!
end

Tips

Consider the following:

Authentication Using CiscoSecure ACS and an MCIS LDAP Database

This sample configuration supports authentication via the Microsoft Commercial Internet System (MCIS) Lightweight Directory Access Protocol (LDAP) authenticator.

Windows NT Server Configuration

To use MCIS LDAP authentication, you must have Microsoft Site Server 3.0 or MCIS 2.0 installed on the server. See your Microsoft documentation for more information.


Note CiscoSecure ACS does not currently support password aging when using MCIS.

Follow these steps on the membership server:

Step 1 Select Membership Authentication.

Step 2 Enable clear text/basic authentication for the LDAP directory instance.

Step 3 With clear text/basic authentication, the password crosses the network unencrypted. To protect it, check the Use Secure Authentication check box, the Use Encryption check box, or both.

Step 4 Make sure user objects are located in the Members container (ou=members) and are of the type "Member."

Step 5 Make sure the common name (cn=MarySmith) property exactly matches the username entered during dial-in.

Step 6 Make sure the user-object's Account-Status property is set to Active (1).

CiscoSecure ACS Configuration

Configure these items in the CiscoSecure ACS.

Network Configuration


Note If the first NAS into which clients dial was set up during CiscoSecure ACS installation, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using Network Device Groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and CiscoSecure ACS.

Step 6 Select TACACS+ (Cisco) as the security control protocol.

Administration Control

To allow the administrator to configure MCIS LDAP options, in the Administrator Privileges section, check User & Group Setup, External User Databases, and any other applicable check boxes.

External User Databases Configuration

Configure these items in the External User Databases window:

For more information, see the "MCIS LDAP Configuration" section.

User Setup

Add or edit the user profile and either assign the user to an MCIS LDAP group, or overwrite the group profile.

Group Setup

Configure an MCIS LDAP group.

NAS Configuration

No special NAS configuration is required.

Client Configuration

No special client configuration is required.

Tips

Consider the following:

Authentication Using CiscoSecure ACS and a Directory Services Database

This configuration presents examples of the information you need to use CiscoSecure ACS with Directory Services (DS).


Note This example supports Netscape's implementation of DS.

Windows NT Server Configuration

To use DS authentication, you must have the Netscape Directory Services software installed on the server. See your Netscape documentation for more information.


Note CiscoSecure ACS does not currently support password aging when using DS.

Follow these steps on the Netscape DS console:

Step 1 Click the Users and Groups tab.

Step 2 In the drop-down menu at the bottom of the window, select New User.

Step 3 Click Create.

Step 4 Select Organizational Unit. The configuration dialog box opens.

Step 5 Select Base DN and click OK.

Step 6 Enter the information requested. Fields with an * are required. The username is the name to be used to authenticate. Click OK. The system will return to the Users and Groups tab. The user you just created should appear in the Search Results list.

Step 7 If you do not want these users to be in the Default Group, add them to the applicable group.

CiscoSecure ACS Configuration

Configure these items in the CiscoSecure ACS.

Network Configuration


Note If the first NAS into which clients dial was set up during CiscoSecure ACS installation, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using Network Device Groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and CiscoSecure ACS.

Step 6 Select TACACS+ (Cisco) as the security control protocol.

Administration Control

To allow the administrator to configure DS options, in the Administrator Privileges section, check User & Group Setup, External User Databases, and any other applicable check boxes.

External User Databases Configuration

Configure these items in the External User Databases window:

For more information, see the "External User Database Configuration" section.

User Setup

Add or edit the user profile and either assign the user to a DS group, or overwrite the group profile.

Group Setup

Configure a DS group.

NAS Configuration

No special NAS configuration is required.

Client Configuration

No special client configuration is required.

Tips

Consider the following:

PIX Firewall Authentication/Authorization Using the Windows NT User Database with TACACS+

This is a typical configuration that you can use in a Windows NT network that resides behind a PIX firewall and uses only the Windows NT user database to maintain authentication information. Businesses with a significant investment or strategic direction based on Windows NT can use this configuration to control connectivity through a PIX firewall using Windows NT for authentication and the CiscoSecure ACS for authorization.

Windows NT Server Configuration

Because it depends greatly on Windows NT management functions, this configuration requires significant configuration of the Windows NT server.

Configure these items in the User Manager of your Windows NT server running CiscoSecure ACS:

CiscoSecure ACS Configuration

Configure these items in the CiscoSecure ACS.


Note Administration through a firewall is not supported. The CiscoSecure ACS can only be managed from the same side of the firewall.

Network Configuration


Note If the first PIX that clients use was set up during the installation of the CiscoSecure ACS, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using Network Device Groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a PIX (NAS).

Step 3 Enter the name of the PIX (NAS).

Step 4 Enter the IP address of the PIX (NAS).

Step 5 Enter the shared secret (key) between the PIX (NAS) and the CiscoSecure ACS.

Step 6 Select TACACS+ (Cisco) as the security control protocol.

External User Databases Configuration

If CiscoSecure ACS was initially installed so that it did not authenticate usernames against the Windows NT database, you must add a new configuration to allow this function.

Step 1 Click External User Databases: Database Configuration.

Step 2 Click Create a new configuration.

Step 3 Click Submit to accept the default name.

Step 4 Click Configure to allow Grant dialin permission to user. CiscoSecure ACS verifies that dialup permission is granted for this user in the Windows NT user database. If users without dialup permission on the Windows NT server try to log in, authentication fails, even if they use the correct password. If you do not want to use this feature, clear the check box and click Submit.

Step 5 The Unknown User Policy window controls how CiscoSecure ACS behaves when a username is not found in the CiscoSecure ACS user database. Configure this option to ensure that all authentications without matching usernames in the CiscoSecure ACS user database are checked against the Windows NT database. If this authentication succeeds, a record is automatically generated in the CiscoSecure ACS database indicating the database to use for password authentication. User records added to the database this way automatically become members of the selected group.
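The Grant dialin permission check and the Unknown User Policy interact, so here is an added Python model of the decision (not CiscoSecure ACS code, which is not public). The NT accounts, passwords and the group number are constructed; an account's dialin_permitted flag stands for the dial-in permission set in User Manager, and the "fail" action stands for the Fail the attempt option. What the steps alone do not show: a user with the right password but no dial-in permission is rejected and not added to the CiscoSecure ACS database, while an unknown user who succeeds is cached with the configured group and on the next login is sent straight to the Windows NT check.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class NtAccount:
    password: str
    dialin_permitted: bool      # "Grant dialin permission" flag in User Manager


@dataclass
class AcsUser:
    auth_source: str            # "acs": password held by ACS; "nt": checked against Windows NT
    group: int
    password: Optional[str] = None


@dataclass
class Policy:
    unknown_user_action: str    # "check_nt" or "fail" (Unknown User Policy)
    require_dialin_permission: bool   # the Grant dialin permission check box
    unknown_user_group: int     # group given to records ACS creates automatically


def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())


def _nt_check(nt_db: Dict[str, NtAccount], policy: Policy,
              username: str, password: str) -> Tuple[bool, str]:
    acct = nt_db.get(username)
    if acct is None:
        return False, "not in Windows NT database"
    if not _same(acct.password, password):
        return False, "bad password"
    if policy.require_dialin_permission and not acct.dialin_permitted:
        return False, "no dial-in permission"      # correct password still fails
    return True, "ok"


def authenticate(acs_db: Dict[str, AcsUser], nt_db: Dict[str, NtAccount],
                 policy: Policy, username: str, password: str) -> Tuple[bool, str]:
    """Return (success, reason).  A successful unknown user is added to acs_db."""
    rec = acs_db.get(username)
    if rec is not None:                      # known to ACS: use its recorded database
        if rec.auth_source == "acs":
            ok = _same(rec.password or "", password)
            return (True, "ok") if ok else (False, "bad password")
        return _nt_check(nt_db, policy, username, password)
    if policy.unknown_user_action == "fail":  # Fail the attempt
        return False, "unknown user"
    ok, reason = _nt_check(nt_db, policy, username, password)
    if ok:
        # Record which database authenticates this user and assign the group;
        # later logins never take the unknown-user path again.
        acs_db[username] = AcsUser(auth_source="nt", group=policy.unknown_user_group)
    return ok, reason


# Constructed sample accounts; the page names no real users.
NT_DB = {"jsmith": NtAccount("Winter99", True),
         "bjones": NtAccount("Summer00", False)}
```

With require_dialin_permission set, bjones fails even with the right password and leaves no record behind; with the policy set to "fail", jsmith is rejected as an unknown user regardless of the NT password.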

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the protocol to be configurable for a group, click TACACS+ (Cisco).

Step 2 To add more controls for dial-in access, check the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or enhance the detail of your access security.

Group Setup

Follow these steps in Group Setup for the Windows NT Users group:

Step 1 To use Time-of-Day Access, click the times and days to grant access and click Use as Default. The times and days during which access is allowed appear highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 2 Enable Shell (Exec) so that the PIX can request command authorization for the client's Telnet, FTP, and HTTP sessions. With the following commands on the PIX:

    aaa authentication any inbound 0.0.0.0 0.0.0.0 tacacs+
    aaa authorization any inbound 0.0.0.0 0.0.0.0

in addition to authentication, when a user tries to do FTP, Telnet, or HTTP inbound, the PIX sends a command authorization request to CiscoSecure ACS, with the service (http, telnet, or ftp) as the command and the destination address as its argument. If you want users to be able to do "http 1.1.1.1," all Telnets, and "ftp 2.2.2.2," add command authorization to CiscoSecure ACS as follows:

    command=http
    permit 1.1.1.1
    deny unmatched arguments
    command=telnet
    permit unmatched arguments
    command=ftp
    permit 2.2.2.2
    deny unmatched arguments
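
The rule set above is small enough to trace by hand, but the matching rules are easy to get wrong, so here is an added Python model (not Cisco's code) of how a PIX command-authorization request is decided against it. The request carries the service (http, telnet or ftp) as the command and the destination address as the argument; the model assumes CiscoSecure ACS treats the permit/deny argument strings as regular expressions matched against the whole argument and applies the first match, falling back to the command's unmatched arguments setting. That assumption is also why the unescaped dots in 1.1.1.1 deserve a test: as a pattern, each dot matches any character.

```python
import re

# The command-authorization set from the step above, as one constructed text
# block in the same layout ACS shows it.
AUTHORIZATION_SET = """
command=http
permit 1.1.1.1
deny unmatched arguments
command=telnet
permit unmatched arguments
command=ftp
permit 2.2.2.2
deny unmatched arguments
"""


def parse_command_rules(text):
    """Parse 'command=<name>' sections holding 'permit <arg>' / 'deny <arg>'
    lines and an optional 'permit|deny unmatched arguments' default.
    Returns {command: {"rules": [(action, pattern), ...], "unmatched": action}};
    a command with no explicit unmatched line defaults to deny."""
    rules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("command="):
            current = line.split("=", 1)[1].strip()
            rules[current] = {"rules": [], "unmatched": "deny"}
            continue
        if current is None:
            raise ValueError(f"argument line before any command=: {raw!r}")
        action, _, arg = line.partition(" ")
        if action not in ("permit", "deny"):
            raise ValueError(f"unexpected line: {raw!r}")
        if arg == "unmatched arguments":
            rules[current]["unmatched"] = action
        else:
            rules[current]["rules"].append((action, arg))
    return rules


def authorize(rules, command, argument):
    """Decide one PIX request: 'command' is the service the user invoked
    (http, telnet, ftp) and 'argument' the destination it was aimed at.
    Patterns are regular expressions over the whole argument (assumption);
    first match wins, then the per-command 'unmatched arguments' default;
    a service with no section at all is denied."""
    entry = rules.get(command)
    if entry is None:
        return False
    for action, pattern in entry["rules"]:
        if re.fullmatch(pattern, argument):
            return action == "permit"
    return entry["unmatched"] == "permit"


RULES = parse_command_rules(AUTHORIZATION_SET)
```

If the arguments are regular expressions, write the addresses as 1\.1\.1\.1 and 2\.2\.2\.2 when an exact host is intended; the loose form also permits http to 1x1x1x1, as the last assertion shows.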
    

User Setup

User setup is not required; users who successfully authenticate against the Windows NT user database are automatically added to the CiscoSecure ACS user database; you can reassign them later to groups with different authorization levels.

PIX Configuration

This sample configuration for a Cisco PIX firewall allows any inbound traffic (HTTP, FTP, or Telnet) as long as the user is authenticated and authorized. Notations have been added to this configuration to allow variations to be configured to deny authentication and/or authorization:

PIX Version 4.0.3
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
failover
names
syslog output 20.3
no syslog console
interface ethernet outside auto
interface ethernet inside auto
ip address inside 10.5.55.46 255.0.0.0
ip address outside 200.200.201.100 255.255.255.0
arp timeout 14400

global 1 200.200.201.150-200.200.201.180
static 200.200.201.0 10.0.0.0
static 200.200.201.150 10.5.55.88
conduit 200.200.201.150 0 tcp 0.0.0.0 0.0.0.0
age 10
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 10.5.55.46 1
route inside 10.0.0.0 255.0.0.0 200.200.201.100 1
timeout xlate 24:00:00 conn 12:00:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00 uauth 0:05:00
tacacs-server host 10.5.55.88 cisco
aaa authentication any inbound 0.0.0.0 0.0.0.0 tacacs+
aaa authorization any inbound 0.0.0.0 0.0.0.0
no snmp-server location
no snmp-server contact
telnet 10.5.55.88 255.0.0.0
mtu outside 1500
mtu inside 1500 

Client Configuration

No other client configuration is necessary for this application; however, you might need to enable authentication forwarding support on your browser.

Tips

With this configuration you can leverage all of the benefits of the Windows NT operating system such as Primary Domain Controller/Backup Domain Controller (PDC/BDC) database replication and distribution.

VPDN Using the CiscoSecure ACS User Database with TACACS+

Use this configuration to carry private dial-up sessions over a public infrastructure. You can use the CiscoSecure ACS to provide authentication, authorization, and accounting for Virtual Private Dialup Networks (VPDNs) using the L2F tunneling protocol; note that L2F authenticates the tunnel endpoints and the user but does not encrypt the tunneled traffic. Service providers can use this method to build the service and offer it to corporate customers. This configuration requires a CiscoSecure ACS at both the ISP NAS and the home gateway (HG) location.

The CiscoSecure ACS is used at the originating end of the VPDN tunnel (the site into which the VPDN user dials, often called the ISP NAS) and at the end of the tunnel (the private network that terminates the VPDN tunnel, called the home gateway or HG).


Figure 10-1: VPDN and the CiscoSecure ACS

Note VPDN terminology commonly uses domain to represent the corporate home gateway; this is not associated with the Windows NT domain. In the following example, the VPDN domain is referred to as VPDN domain to prevent confusion.

The creation of a tunnel can be described in two major processes that take place after the client dials in:

    1. Creating a VPDN Tunnel

    2. Client Authentication and Authorization

Creating a VPDN Tunnel

    1. The ISP NAS uses the VPDN domain (the part of the username after the "@" sign) to get information from the ACS (ISP) about where the tunnel should be built for that user (Tunnel ID and HG address).

    2. The ISP NAS then uses the information (Tunnel ID) to request authentication for the tunnel from the NAS (HG).

    3. The NAS forwards the information (Tunnel ID) to the ACS (HG) to authenticate the request.

    4. When the information (Tunnel ID) is validated, the tunnel has been created.

Client Authentication and Authorization

    1. The ISP NAS requests authentication for the user by the ACS (HG).

    2. The ACS (HG) returns authentication and authorization responses to the ISP NAS.

    3. After validation, the client has a secure connection through the tunnel with permissions assigned by the ACS at the corporate site (HG).
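To make the two processes concrete, here is an added Python model of the exchange (not part of Cisco's documentation or software), with the ISP and HG CiscoSecure ACS databases built from the User Setup and Group Setup values in this section. The HG NAS address 192.0.2.1, the client password s3cret and the user jsmith@cisco are constructed; CHAP is modelled as in RFC 1994 (MD5 over identifier, secret and challenge); usernames are compared case-insensitively so that Tunnel ID CISCO_TUNNEL matches the cisco_tunnel user, which is an assumption. The points the steps alone do not show: the domain user's password on the ISP ACS is never checked, the tunnel password must match on both ACSs, and the client's password is checked only at the HG.

```python
import hashlib
import hmac
import os

# Constructed sample databases mirroring the User Setup and Group Setup steps
# in this section.  192.0.2.1 (a TEST-NET address) stands in for the HG NAS;
# "s3cret" and jsmith@cisco are invented client credentials.
HG_NAS_ADDRESS = "192.0.2.1"

ISP_ACS = {
    "users": {
        # the VPDN domain: only its group's PPP-VPDN settings matter, the password is never checked
        "cisco": {"password": "fictitious", "group": 1},
        # the Tunnel ID: this password is what the HG checks when the tunnel is built
        "cisco_tunnel": {"password": "cisco", "group": 1},
    },
    "groups": {1: {"tunnel_id": "CISCO_TUNNEL", "hg_address": HG_NAS_ADDRESS}},
}

HG_ACS = {
    "users": {
        "cisco_tunnel": {"password": "cisco", "group": 1},    # tunnel authentication only
        "jsmith@cisco": {"password": "s3cret", "group": 2},   # a dial-in user, placed in Group 2
    },
}


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """PPP CHAP (RFC 1994) response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def chap_verify(acs, username, ident, challenge, response) -> bool:
    # Assumption: ACS usernames are case-insensitive, so CISCO_TUNNEL finds cisco_tunnel.
    rec = acs["users"].get(username.lower())
    if rec is None:
        return False
    expected = chap_response(ident, rec["password"], challenge)
    return hmac.compare_digest(expected, response)


def split_domain(username):
    """'jsmith@cisco' -> ('jsmith', 'cisco'); a name without '@' has no VPDN domain."""
    user, sep, domain = username.rpartition("@")
    return (user, domain) if sep else (username, None)


def build_tunnel(username, isp_acs, hg_acs):
    """Process 1, Creating a VPDN Tunnel."""
    _, domain = split_domain(username)
    if domain is None:
        return None                      # not a VPDN user; the ISP would handle it locally
    domain_rec = isp_acs["users"].get(domain.lower())
    if domain_rec is None:
        return None                      # step 1: the ISP ACS knows nothing about this domain
    vpdn = isp_acs["groups"][domain_rec["group"]]
    tunnel_id = vpdn["tunnel_id"]
    tunnel_rec = isp_acs["users"].get(tunnel_id.lower())
    if tunnel_rec is None:
        return None
    # steps 2-4: the HG NAS challenges the ISP NAS, which answers with the
    # Tunnel ID's password; the HG ACS validates the response
    challenge, ident = os.urandom(16), 1
    response = chap_response(ident, tunnel_rec["password"], challenge)
    if not chap_verify(hg_acs, tunnel_id, ident, challenge, response):
        return None                      # tunnel password differs between the two ACSs
    return {"tunnel_id": tunnel_id, "hg_address": vpdn["hg_address"]}


def authenticate_client(username, password, tunnel, hg_acs):
    """Process 2, Client Authentication and Authorization: the client's CHAP
    exchange is forwarded through the tunnel and decided by the HG ACS, which
    also returns the group that carries the user's authorization."""
    if tunnel is None:
        return None
    challenge, ident = os.urandom(16), 2
    response = chap_response(ident, password, challenge)
    if not chap_verify(hg_acs, username, ident, challenge, response):
        return None
    group = hg_acs["users"][username.lower()]["group"]
    return {"user": username, "group": group, "via": tunnel["hg_address"]}


def vpdn_login(username, password, isp_acs=ISP_ACS, hg_acs=HG_ACS):
    """Full dial-in: tunnel first, then the user; None means the call is rejected."""
    tunnel = build_tunnel(username, isp_acs, hg_acs)
    return authenticate_client(username, password, tunnel, hg_acs)
```

A name without a known domain never reaches the HG, and a tunnel password that differs between the two ACSs fails before any user credential is examined.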

Windows NT Server Configuration (ISP)

No Windows NT server configuration is required; users do not need to exist in the Windows NT database unless they need to log in to the Windows NT network.

CiscoSecure ACS Configuration (ISP)

Configure these items on the CiscoSecure ACS at the ISP end of the VPDN connection.

Network Configuration


Note If the first ISP NAS into which the clients dial was set up during the installation of the CiscoSecure ACS, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using Network Device Groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit the NAS.

Step 3 Enter the name of the NAS (this is only for identification by the administrator).

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and the CiscoSecure ACS.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the protocol to be configurable for a group, click TACACS+ (Cisco).

Step 2 Click PPP-VPDN and click Submit. This displays the PPP-VPDN option under Group Setup when it is time to configure that section.

Group Setup

Follow these steps in Group Setup for Group 1:

Step 1 Enable PPP-VPDN.

Step 2 Enter CISCO_TUNNEL. This is the Tunnel ID, which is the username.

Step 3 Enter the IP address of the HG NAS.

User Setup

Follow these steps in User Setup:

Step 1 Add a user to the CiscoSecure ACS user database for authentication. This username is actually the name of the VPDN domain. For this example, use cisco. A password is needed to submit the user but is not actually used for authentication, so enter a fictitious password. Do not configure any other parameters.

Step 2 Assign the user to Group 1.

Step 3 Add a second user to the CiscoSecure ACS user database for authentication. This username is the name of the Tunnel ID. For this example use cisco_tunnel. A legitimate password is needed for this entry. Enter cisco for this example. Do not configure any other parameters.

Step 4 Assign the second user to Group 1.

NAS Configuration (ISP)

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+ on a VPDN:

aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
 
enable vpdn
 
tacacs-server host ip_address single-connection
tacacs-server key key
enable secret password
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs
 

Enter the following command under each interface used for dial-in access:

ppp authentication chap

WindowsNT Server Configuration (HG)

No Windows NT server configuration is required; users do not need to exist in the Windows NT database unless they need to log in to the Windows NT network.

CiscoSecure ACS Configuration (HG)

Configure these items on the CiscoSecure ACS at the HG of the VPDN connection.

Network Configuration


Note If the first HG NAS into which clients dial was set up during the installation of the CiscoSecure ACS, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using Network Device Groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit the NAS.

Step 3 Enter the name of the NAS (this is only for identification by the administrator).

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and the CiscoSecure ACS.

Step 6 Select TACACS+ as the security control protocol.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the protocol to be configurable for a group, click TACACS+ (Cisco).

Step 2 To add more controls for dial-in access, check the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or enhance the detail of your access security.

Group Setup

Do not configure any parameters in Group Setup for the CISCO_TUNNEL user's group (for example, Group 1). CISCO_TUNNEL is only used for authentication of the tunnel.

Follow these steps in Group Setup for the Group where the user username@CISCO has been placed (for example, Group 2):

Step 1 To use Time-of-Day Access, click the times and days to grant access and click Use as Default. The times and days during which access is allowed appear highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 2 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 3 To allow the NAS to support dialup clients running IP over a PPP (async or ISDN) connection, enable PPP-IP. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

Step 4 To make CiscoSecure ACS a "DHCP-like" server, enable IP Pool and enter the IP Pool name defined on the NAS. To use a NAS-name pool, leave the field blank.

Step 5 To allow the NAS to support dialup clients running IPX over a PPP (async or ISDN) connection, enable PPP-IPX. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

Step 6 To allow the client to run Telnet sessions or to allow CiscoSecure ACS to also be used for NAS management, enable Shell (Exec). If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

User Setup

Follow these steps in the User Setup window of CiscoSecure ACS:

Step 1 Add a user to the CiscoSecure ACS user database for authentication. This username is used by the client. It must contain the VPDN domain as the suffix following the "@" sign. This name must be the same as the VPDN domain name entered at the ISP's ACS (for example, username@cisco). Enter a client password.

Step 2 Assign the username@cisco to a group, for example, the Windows NT Users group.

Step 3 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 4 If you are using dial-in, to assign a particular IP address to the user, enter it in the Static IP Address field.

Step 5 To set expiration or aging conditions for the user, configure them here.

Step 6 Add a second user to the CiscoSecure ACS user database for authentication. This username is actually the same name used at the ISP as the Tunnel ID. For this example, use cisco_tunnel. The same legitimate password is needed for this entry. For this example, enter cisco. Do not configure any other parameters.

Step 7 Assign the second user to Group 1.

Administration Control

To allow users to configure CiscoSecure ACS from another workstation, either on the LAN or from a dial-in client, the user must be registered as an administrator. In the Administration Control window, enter the administrator's username and password, and assign the applicable administrator privileges. This username and password have no association with the dialup authentication username and password.

NAS Configuration (HG)

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+ on a VPDN:

aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
 
enable vpdn
vpdn incoming isp-hostname home-gw-hostname virtual-template 1
 
tacacs-server host ip_address single-connection
tacacs-server key key
enable secret password
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs
 
interface Virtual-Template1
 ip unnumbered Ethernet0
 encapsulation ppp
 ppp authentication chap
 

Enter the following command under each interface used for dial-in access:

ppp authentication chap

Client Configuration

The client can be an async or ISDN client.

The client must dial in to the ISP NAS with the name defined at the HG ACS, including the VPDN domain suffix (for example, username@cisco).

Windows 95/98 Client

Follow these steps in the Dial-Up Networking section of Windows 95/98:

Step 1 Create and configure a connection with the dial number to the NAS.

Step 2 Right-click the Connection icon and click Properties.

Step 3 Click the Server Type tab.

Step 4 For the Type of Dial-Up Server, select PPP.

Step 5 Under Advanced options, check the Log on to Network check box to log on to the Windows NT domain.

Step 6 Clear the Require encrypted password check box.

Step 7 Under Allowed network protocols, check IP and/or IPX.

Step 8 If the NAS is using an IP pool, rather than assigning the IP address at the client, set TCP/IP settings to server assigned IP Address and server assigned name.

Step 9 When you make the connection, enter the username with its VPDN domain suffix (for example, username@cisco) and the password configured for that user in User Setup on the HG CiscoSecure ACS.

Tips

Consider the following:

Virtual Profiles Using the CiscoSecure ACS User Database with TACACS+

This section outlines how you can achieve greater flexibility in supporting access security with virtual profiles. Virtual profiles are specific access profiles you define in CiscoSecure ACS.

Virtual profiles allow you to:

In this example, an access list is applied to a user's dial-in connections. When the user dials in and authenticates, a virtual profile is created and the access list is applied.

Windows NT Server Configuration

No Windows NT server configuration is required; users do not need to exist in the Windows NT database unless they need to log in to the Windows NT network.

CiscoSecure ACS Configuration

Configure these items in the CiscoSecure ACS.

Network Configuration


Note If the first HG NAS into which clients dial was set up during the installation of the CiscoSecure ACS, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using Network Device Groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit the NAS.

Step 3 Enter the name of the NAS (this is only for identification by the administrator).

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and the CiscoSecure ACS.

Step 6 Select TACACS+ as the security control protocol.

External User Database Configuration

Follow these steps in the External User Databases window:

Step 1 Click Unknown User Policy.

Step 2 Click Fail the attempt.

Step 3 Click Database Configuration.

Step 4 Click Windows NT.

Step 5 Clear the Grant dialin permission to user check box.

This sets CiscoSecure ACS to deny authentication unless the user has an active account in the CiscoSecure ACS database.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the protocol to be configurable for a group, click TACACS+(Cisco).

Step 2 Click Display a window for each service selected in which you can enter customized TACACS+ attributes in the TACACS+(Cisco) window.

Step 3 To add more controls for dial-in access, check the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or enhance the detail of your access security.

Group Setup

Follow these steps in Group Setup for the Default Group:

Step 1 To use Time-of-Day Access, click the times and days to grant access and click Use as Default. The times and days during which access is allowed appear highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 2 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 3 To control the number of simultaneous sessions allowed to a group, and to specify the number of sessions allowed to users in the groups, enter the appropriate number in the MaxSessions fields. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 4 CiscoSecure ACS can store ISDN passwords to authenticate the second B channel when it is brought into service. Select one of these token caching methods:

Step 5 Enable IP and click the Custom Attributes check box. In the text window enter:

    inacl#3=permit ip any any

Step 6 To allow the NAS to support dialup clients running IP over a PPP (async or ISDN) connection, enable PPP-IP. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

Step 7 Enable LCP and check Custom Attributes. In the text window, enter:

    interface-config=ip unnumbered e0\nno ip route-cache

User Setup

Follow these steps in the User Setup window of CiscoSecure ACS:

Step 1 Add a user to the CiscoSecure ACS user database.

Step 2 Select CiscoSecure Database as the method for password authentication.

Step 3 Enter and confirm the password in the first set of the CiscoSecure ACS user database password fields.

Step 4 Assign the user to a group. You can use the Default Group, but it is better to use a different group, such as Group 1.

Step 5 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 6 If you are using dial-in, to assign a particular IP address to the user, enter the address in the Static IP Address field.

Step 7 To set expiration or aging conditions for the user, configure them here.

NAS Configuration

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+ that can authorize NAS commands and grant privilege-level authentication. CHAP can be used because the CiscoSecure ACS user database is being used:

virtual-profile virtual-template 1
virtual-profile aaa
aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authentication enable default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
tacacs-server host ip_address single
tacacs-server key key
enable secret password
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs

Enter one of the following commands under each interface used for dial-in access:

ppp authentication chap

or

ppp authentication pap

Client Configuration

The client can be an async or ISDN client or reside on the network.

Windows 95/98 Client

Follow these steps in the Dial-Up Networking section of Windows 95/98.

Step 1 Create and configure a connection with the dial number for the NAS.

Step 2 Right-click the Connection icon and select Properties.

Step 3 Click the Server Type tab.

Step 4 For the Type of Dial-Up Server, select PPP.

Step 5 Under Advanced options, check the Log on to Network check box to log on to the Windows NT domain.

Step 6 Clear the Require encrypted password check box.

Step 7 Under Allowed network protocols, check IP and/or IPX.

Step 8 If the NAS is using an IP pool, rather than assigning the IP address at the client, set TCP/IP settings to server assigned IP Address and server assigned name.

Step 9 When you make a connection, enter the CiscoSecure ACS user database username and password.

Tips

Because the CiscoSecure ACS user database can store PAP and CHAP passwords, you can use PAP or CHAP as the authentication protocol. To use PAP authentication, substitute the word PAP in place of CHAP in the NAS configuration example earlier in this section.

VPDN Using the CiscoSecure ACS User Database with RADIUS Tunnelling Attributes

Use this configuration to create secure connections over a public infrastructure. You can use the CiscoSecure ACS to provide authentication, authorization, and accounting for Virtual Private Dialup Networks (VPDNs) using the L2F tunneling protocol. Service providers can use this method to build the service and offer it to corporate customers. This configuration requires both parties to run an ACS: one at the NAS and one at the home gateway (HG).

The CiscoSecure ACS is used at the originating end of the VPDN tunnel (the site into which the VPDN user dials, often called the ISP NAS) and at the end of the tunnel (the private network that terminates the VPDN tunnel, called the home gateway or HG).


Figure 10-2: VPDN and the CiscoSecure ACS

Note VPDN terminology commonly uses domain to represent the corporate home gateway; this is not associated with the Windows NT domain. In the following example, the VPDN domain is referred to as VPDN domain to prevent confusion.

The creation of a tunnel can be described in two major processes that take place after the client dials in:

    1. Creating a VPDN Tunnel

    2. Client Authentication and Authorization

Creating a VPDN Tunnel

    1. The ISP NAS uses the VPDN domain to get information from the ACS (ISP) about where the tunnel should be built for that user (Tunnel ID and HG address).

    2. The ISP NAS then uses the information (Tunnel ID) to request authentication for the tunnel from the NAS (HG).

    3. The NAS forwards the information (Tunnel ID) to the ACS (HG) to authenticate the request.

    4. When the information (Tunnel ID) is validated, the tunnel has been created.

Client Authentication and Authorization

    1. The ISP NAS requests authentication for the user by the ACS (HG).

    2. The ACS (HG) returns authentication and authorization responses to the ISP NAS.

    3. After validation, the client has a secure connection through the tunnel with permissions assigned by the ACS at the corporate site (HG).
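The two processes above involve two ACS databases that must agree on the Tunnel ID and its password. The following Python is an added example (not Cisco's code and not part of the original page) that models both processes end to end: the ISP NAS looks up the VPDN domain at the ISP ACS, the HG NAS challenges the tunnel and has the HG ACS verify the answer, and only then is the dial-in user authenticated against the HG ACS. Assumptions are labelled in the code: the HG NAS address `192.0.2.1` and the client `alice@cisco` are constructed, the challenge/response uses HMAC-SHA256 as a stand-in for CHAP, the ISP ACS answering the tunnel challenge on behalf of its NAS is modelled after TACACS+ outbound (SENDAUTH-style) authentication, and the page's `CISCO_TUNNEL` Tunnel ID is matched case-insensitively to the `cisco_tunnel` user entries.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def chap_response(secret: str, challenge: bytes) -> str:
    # Simplified challenge/response (HMAC-SHA256 instead of real CHAP's MD5 over id+secret+challenge).
    return hmac.new(secret.encode(), challenge, hashlib.sha256).hexdigest()


@dataclass
class Group:
    tunnel_id: Optional[str] = None   # PPP-VPDN: Tunnel ID
    hg_address: Optional[str] = None  # PPP-VPDN: IP address of the HG NAS
    ppp_ip: bool = False


@dataclass
class AcsUser:
    secret: str
    group: str


class Acs:
    """Minimal model of a CiscoSecure ACS database with Unknown User Policy = Fail the attempt."""

    def __init__(self, users: Dict[str, AcsUser], groups: Dict[str, Group]):
        self.users, self.groups = users, groups

    def vpdn_lookup(self, domain: str) -> Optional[Tuple[str, str]]:
        """ISP side: the VPDN domain is a username whose group carries the tunnel data."""
        user = self.users.get(domain)
        if user is None:
            return None
        g = self.groups[user.group]
        return (g.tunnel_id, g.hg_address) if g.tunnel_id and g.hg_address else None

    def sendauth(self, username: str, challenge: bytes) -> Optional[str]:
        """Answer a challenge on behalf of the NAS (outbound, SENDAUTH-style; assumption)."""
        user = self.users.get(username)
        return None if user is None else chap_response(user.secret, challenge)

    def verify(self, username: str, challenge: bytes, response: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False  # unknown user: fail the attempt
        return hmac.compare_digest(chap_response(user.secret, challenge), response)

    def group_of(self, username: str) -> str:
        return self.users[username].group


# Constructed databases mirroring the page's example (HG address and client are placeholders).
ISP_ACS = Acs(
    users={"cisco": AcsUser("fictitious", "Group 1"),       # VPDN domain entry
           "cisco_tunnel": AcsUser("cisco", "Group 1")},     # Tunnel ID entry
    groups={"Group 1": Group(tunnel_id="CISCO_TUNNEL", hg_address="192.0.2.1")},
)
HG_ACS = Acs(
    users={"cisco_tunnel": AcsUser("cisco", "Group 1"),      # tunnel authentication only
           "alice@cisco": AcsUser("alice-pw", "Group 2")},   # dial-in client (constructed)
    groups={"Group 1": Group(), "Group 2": Group(ppp_ip=True)},
)


def vpdn_dial_in(username: str, client_secret: str, isp_acs: Acs, hg_acs: Acs) -> dict:
    """Model the two processes above: tunnel creation, then client authentication at the HG."""
    out = {"tunnel": False, "authenticated": False, "reason": "ok"}
    if "@" not in username:
        out["reason"] = "no VPDN domain in username"
        return out
    domain = username.rsplit("@", 1)[1]
    # Tunnel step 1: ISP NAS asks ISP ACS where to build the tunnel for this domain.
    info = isp_acs.vpdn_lookup(domain)
    if info is None:
        out["reason"] = f"ISP ACS has no PPP-VPDN data for domain '{domain}'"
        return out
    tunnel_id, hg_addr = info
    tunnel_user = tunnel_id.lower()  # assumption: CISCO_TUNNEL matches the cisco_tunnel entries
    # Tunnel steps 2-4: HG NAS challenges; ISP NAS answers with its ACS's response; HG ACS verifies.
    challenge = os.urandom(16)
    response = isp_acs.sendauth(tunnel_user, challenge)
    if response is None or not hg_acs.verify(tunnel_user, challenge, response):
        out["reason"] = f"HG ACS rejected tunnel '{tunnel_id}'"
        return out
    out.update(tunnel=True, hg=hg_addr)
    # Client process: HG NAS challenges the client through the tunnel; HG ACS authenticates it.
    challenge = os.urandom(16)
    if not hg_acs.verify(username, challenge, chap_response(client_secret, challenge)):
        out["reason"] = f"HG ACS rejected user '{username}'"
        return out
    out.update(authenticated=True, group=hg_acs.group_of(username))
    return out


if __name__ == "__main__":
    print(vpdn_dial_in("alice@cisco", "alice-pw", ISP_ACS, HG_ACS))
    print(vpdn_dial_in("alice@cisco", "wrong", ISP_ACS, HG_ACS))
```

Running it with a wrong client password shows the tunnel still comes up but the user is refused, and pointing it at an HG ACS whose `cisco_tunnel` password differs from the ISP's shows why the page insists the same legitimate password be entered on both sides: the tunnel is never created, so no client authentication is attempted.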

Windows NT Server Configuration (ISP)

No Windows NT server configuration is required; users do not need to exist in the Windows NT database unless they need to log in to the Windows NT network.

CiscoSecure ACS Configuration (ISP)

Configure these items on the CiscoSecure ACS at the ISP end of the VPDN connection.

Network Configuration


Note If the first ISP NAS into which the clients dial was set up during the installation of the CiscoSecure ACS, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using Network Device Groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit the NAS.

Step 3 Enter the name of the NAS (this is only for identification by the administrator).

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and the CiscoSecure ACS.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the protocol to be configurable for a group, click TACACS+ (Cisco).

Step 2 Click PPP-VPDN and click Submit. This displays the PPP-VPDN option under Group Setup when it is time to configure that section.

Group Setup

Follow these steps in Group Setup for Group 1:

Step 1 Enable PPP-VPDN.

Step 2 Enter CISCO_TUNNEL. This is the Tunnel ID, which is the username.

Step 3 Enter the IP address of the HG NAS.

User Setup

Follow these steps in User Setup:

Step 1 Add a user to the CiscoSecure ACS user database for authentication. This username is actually the name of the VPDN domain. For this example, use cisco. A password is needed to submit the user but is not actually used for authentication, so enter a fictitious password. Do not configure any other parameters.

Step 2 Assign the user to Group 1.

Step 3 Add a second user to the CiscoSecure ACS user database for authentication. This username is the name of the Tunnel ID. For this example use cisco_tunnel. A legitimate password is needed for this entry. Enter cisco for this example. Do not configure any other parameters.

Step 4 Assign the second user to Group 1.

NAS Configuration (ISP)

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+ on a VPDN:

aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
 
enable vpdn
 
tacacs-server host ip_address single
tacacs-server key key
enable secret password
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs
 

Enter the following command under each interface used for dial-in access:

ppp authentication chap

Windows NT Server Configuration (HG)

No Windows NT server configuration is required; users do not need to exist in the Windows NT database unless they need to log in to the Windows NT network.

CiscoSecure ACS Configuration (HG)

Configure these items on the CiscoSecure ACS at the HG of the VPDN connection.

Network Configuration


Note If the first HG NAS into which clients dial was set up during the installation of the CiscoSecure ACS, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using Network Device Groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit the NAS.

Step 3 Enter the name of the NAS (this is only for identification by the administrator).

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and the CiscoSecure ACS.

Step 6 Select TACACS+ as the security control protocol.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the protocol to be configurable for a group, click TACACS+ (Cisco).

Step 2 To add more controls for dial-in access, check the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or enhance the detail of your access security.

Group Setup

Do not configure any parameters in Group Setup for the CISCO_TUNNEL user's group (for example, Group 1). CISCO_TUNNEL is only used for authentication of the tunnel.

Follow these steps in Group Setup for the group in which the user username@cisco has been placed (for example, Group 2):

Step 1 To use Time-of-Day Access, click the times and days to grant access and click Use as Default. The times and days during which access is allowed appear highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 2 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 3 To allow the NAS to support dialup clients running IP over a PPP (async or ISDN) connection, enable PPP-IP. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

Step 4 To make CiscoSecure ACS a "DHCP-like" server, enable IP Pool and enter the IP Pool name defined on the NAS. To use a NAS-name pool, leave the field blank.

Step 5 To allow the NAS to support dialup clients running IPX over a PPP (async or ISDN) connection, enable PPP-IPX. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

Step 6 To allow the client to run Telnet sessions or to allow CiscoSecure ACS to also be used for NAS management, enable Shell (Exec). If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

User Setup

Follow these steps in the User Setup window of CiscoSecure ACS:

Step 1 Add a user to the CiscoSecure ACS user database for authentication. This username is used by the client. It must contain the VPDN domain as the suffix following the "@" sign. This name must be the same as the VPDN domain name entered at the ISP's ACS (for example, username@cisco). Enter a client password.

Step 2 Assign the username@cisco to a group, for example, the Windows NT Users group.

Step 3 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 4 If you are using dial-in, to assign a particular IP address to the user, enter it in the Static IP Address field.

Step 5 To set expiration or aging conditions for the user, configure them here.

Step 6 Add a second user to the CiscoSecure ACS user database for authentication. This username is actually the same name used at the ISP as the Tunnel ID. For this example, use cisco_tunnel. The same legitimate password is needed for this entry. For this example, enter cisco. Do not configure any other parameters.

Step 7 Assign the second user to Group 1.

Administration Control

To allow users to configure CiscoSecure ACS from another workstation, either on the LAN or from a dial-in client, the user must be registered as an administrator. In the Administration Control window, enter the administrator's username and password, and assign the applicable administrator privileges. This username and password have no association with the dialup authentication username and password.

NAS Configuration (HG)

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+ on a VPDN:

aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
 
enable vpdn
vpdn incoming isp hostname home-gw hostname virtual-template 1
 
tacacs-server host ip_address single
tacacs-server key key
enable secret password
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs
 
int virtual-template 1
ip unnumber e0
encap ppp
ppp authentication chap
 

Enter the following command under each interface used for dial-in access:

ppp authentication chap
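All three NAS samples in this chapter share the same safety pattern: a separate login method list (`no_tacacs`) that falls back to the enable password is applied to `line con 0`, so the console stays reachable if the TACACS+ server is down, and `enable secret` rather than `enable password` is used. The following Python is an added example (not Cisco's code and not part of the original page) that checks an IOS configuration for exactly those points plus `tacacs-server key` and `ppp authentication` on PPP interfaces. The parser only understands the flat, unindented layout of the samples above, the placeholder values (`ip_address`, `key`, `password`) are copied from the page as-is, and `WEAK_SAMPLE` is a constructed variant that omits the console fallback and uses `enable password`.

```python
from typing import Dict, List, Tuple

# Copy of the page's HG NAS sample (placeholders left exactly as on the page).
HG_SAMPLE = """
aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
enable vpdn
vpdn incoming isp hostname home-gw hostname virtual-template 1
tacacs-server host ip_address single
tacacs-server key key
enable secret password
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs
int virtual-template 1
ip unnumber e0
encap ppp
ppp authentication chap
"""

# Constructed weakened variant: no console fallback list, reversible enable password.
WEAK_SAMPLE = """
aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
tacacs-server host ip_address single
tacacs-server key key
enable password password
line con 0
int virtual-template 1
encap ppp
ppp authentication chap
"""

# Keywords that always start a global command; used to close a block when the config is unindented.
GLOBAL_PREFIXES = ("aaa ", "tacacs-server ", "radius-server ", "enable ", "vpdn ",
                   "virtual-profile ", "username ", "hostname ")
# Login methods that keep working when the AAA server is unreachable.
LOCAL_METHODS = {"enable", "local", "local-case", "line"}


def parse_ios(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global lines and 'line ...'/'interface ...' sub-blocks."""
    globals_: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(("line ", "interface ", "int ")):
            current = line
            blocks[current] = []
        elif current is not None and (raw.startswith((" ", "\t")) or not line.startswith(GLOBAL_PREFIXES)):
            blocks[current].append(line)
        else:
            current = None
            globals_.append(line)
    return globals_, blocks


def login_lists(globals_: List[str]) -> Dict[str, List[str]]:
    """Map each 'aaa authentication login <name> <methods...>' to its method list."""
    lists: Dict[str, List[str]] = {}
    for g in globals_:
        parts = g.split()
        if parts[:3] == ["aaa", "authentication", "login"] and len(parts) > 4:
            lists[parts[3]] = parts[4:]
    return lists


def audit_nas(text: str) -> List[str]:
    globals_, blocks = parse_ios(text)
    findings: List[str] = []
    if "aaa new-model" not in globals_:
        findings.append("aaa new-model missing: AAA method lists will not take effect")
    if any(g.startswith("aaa ") and "tacacs+" in g for g in globals_) and \
            not any(g.startswith("tacacs-server key") for g in globals_):
        findings.append("tacacs-server key missing: NAS cannot authenticate to the ACS")
    if not any(g.startswith("enable secret") for g in globals_):
        findings.append("enable secret missing (enable password is reversible)")
    # The list applied to the console must contain a method that works without the ACS.
    applied = "default"
    for l in blocks.get("line con 0", []):
        if l.startswith("login authentication "):
            applied = l.split()[2]
    methods = login_lists(globals_).get(applied, [])
    if not set(methods) & LOCAL_METHODS:
        findings.append(f"line con 0 uses login list '{applied}' ({' '.join(methods) or 'none'}) "
                        "with no local fallback: console lockout if the ACS is unreachable")
    # Every PPP interface must authenticate its peer.
    for name, body in blocks.items():
        if name.startswith("int") and any(l.startswith("encap") for l in body) \
                and not any(l.startswith("ppp authentication") for l in body):
            findings.append(f"{name}: PPP encapsulation without 'ppp authentication'")
    return findings


if __name__ == "__main__":
    print("HG sample:", audit_nas(HG_SAMPLE) or "no findings")
    print("weak sample:", *audit_nas(WEAK_SAMPLE), sep="\n  ")
```

The console check is the one most often lost during later edits: removing `aaa authentication login no_tacacs enable` while keeping `aaa authentication login default tacacs+` leaves the console authenticating only against a server that may be unreachable from the console itself.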

Client Configuration

The client can be an async or ISDN client.

The client must dial in to the ISP NAS with the name defined at the HG ACS (for example, username@corporation).

Windows 95/98 Client

Follow these steps in the Dial-Up Networking section of Windows 95/98:

Step 1 Create and configure a connection with the dial number to the NAS.

Step 2 Right-click the Connection icon and click Properties.

Step 3 Click the Server Type tab.

Step 4 For the Type of Dial-Up Server, select PPP.

Step 5 Under Advanced options, check the Log on to Network check box to log on to the Windows NT domain.

Step 6 Clear the Require encrypted password check box.

Step 7 Under Allowed network protocols, check IP and/or IPX.

Step 8 If the NAS is using an IP pool, rather than assigning the IP address at the client, set TCP/IP settings to server assigned IP Address and server assigned name.

Step 9 When you make a connection, enter the same username and password for the user account in the Windows NT user database.

Tips

Consider the following:


Posted: Fri Sep 24 11:15:58 PDT 1999
Copyright 1989-1999©Cisco Systems Inc.