This chapter describes the basic operation of each of the configuration areas of CiscoSecure ACS 2.4 for Windows NT Server (CiscoSecure ACS). It also provides additional information about each function or attribute.
Before completing any of the tasks in this chapter, you must have:
The order to follow for configuration depends on your preferences and needs.
Select User Setup to perform the following tasks:
To view a list of all user accounts, follow these steps:
Step 1 In the navigation bar, click User Setup. The Select window opens.
Step 2 Click List All Users. A list of all existing user accounts, enabled and disabled, displays in the right window.
Step 3 (Optional) To view or edit the information for an individual user, click the username in the right window.
To find a user account, follow these steps:
Step 1 In the navigation bar, click User Setup. The Select window opens.
Step 2 Enter the name in the User field and click Find. You can use wildcard characters (*) in this field. The status (enabled or disabled) and group to which the user belongs display in the right window.
Step 3 (Optional) To view or edit the information for an individual user, click the username in the right window.
To add a user:
Step 1 In the navigation bar, click User Setup. The Select window opens.
Step 2 Enter a name in the User field.
Step 3 Click Add/Edit. The Edit window opens. The username being added or edited appears at the top of the window.
Enter the following information for the user as applicable:
Edit or enter the following information for the user:
ppp authentication pap chap
If this field does not display, click Interface Configuration: Advanced Options: User-Level Network Access Restrictions.
Network Access Restrictions let you permit or deny a user access to a specified network access server (NAS) or specified ports on the NAS. If you are using NAS access, the NAS (Telnet/Login/Exec) Access Control window displays. Select either Permitted Calling/Point of Access Locations or Denied Calling/Point of Access Locations.
If you are using dialup, the Dialup (PPP/ARAP) Access Control window displays.
Select either Permitted Calling/Point of Access Locations or Denied Calling/Point of Access Locations.
You can set a filter to limit the user to specific remote address information. Enter the string that must be matched before access is permitted. You can use the wildcard asterisk (*) character for large ranges. You can also use multiple strings separated by commas. Entering a remote address in User Setup overrides the remote address assignment in Group Setup.
If this field does not display, click Interface Configuration: Advanced Options: Max Sessions.
Sets the maximum number of simultaneous connections for this user. For CiscoSecure ACS purposes, a session is any type of user connection supported by RADIUS or TACACS+; for example, PPP, NAS prompt, Telnet, ARAP, or IPX/SLIP. All counts are based on user and group names only. CiscoSecure ACS does not support any differentiation by type of session; all sessions are counted as the same. To illustrate, a user with a Max Session count of 1 who is dialed in to a NAS with a PPP session will be refused a connection if that user then tries to telnet to a location whose access is controlled by the same ACS.
There are three options for user Max Sessions:
The default setting is Use Group Setting.
Define the circumstances under which this user's account will become disabled.
If you are using the Windows NT user database, this expiration information is in addition to the information in the Windows NT user account. Changes here do not alter settings configured in Windows NT.
When you have finished configuring the user information, click Submit.
The following information applies when you have a TACACS+ NAS configured. If this field does not display, click Interface Configuration: TACACS+ (Cisco): Advanced TACACS+ Features.
Use this option to configure user-level TACACS+ enable parameters.
Use TACACS+ Enable control with Exec session to control administrator access. It is primarily used for router management control. Select the Max Privilege level you want this user to have.
Options are:
See your NAS documentation for information on privilege levels.
Set the options for TACACS+ Enable password:
TACACS+ Outbound Password enables a NAS to authenticate itself to another NAS/client via outbound authentication. The outbound authentication can be PAP, CHAP, MS-CHAP, or ARAP, and results in the CiscoSecure ACS password being given out. By default, the user's ASCII/PAP or CHAP/MS-CHAP/ARAP password is used. To prevent compromising inbound passwords, you can configure a separate SENDAUTH password. Use this feature only if you are familiar with TACACS+ SendAuth/OutBound password.
If you have configured CiscoSecure ACS to use per-user RADIUS attributes, click the attributes you want to assign for this user and enter any parameters. See your RADIUS documentation and "RADIUS Attribute-Value Pairs," for an explanation of attributes and their available parameters.
To delete a user account from the CiscoSecure database:
Step 1 Click User Setup. The Select and Help windows of the user interface open.
Step 2 In the User field, enter the complete username to be deleted.
Step 3 Click Add/Edit.
Step 4 At the bottom of the User Setup window, click Delete.
Caution: If you are authenticating using the Unknown User policy, you must also delete the user account from the external user database. This prevents the username from being automatically re-added to the CiscoSecure user database the next time the user attempts to log in.
Click Group Setup and click one of the following options to perform the applicable task:
To list all users in a specified group:
Step 1 Click Group Setup. The Select and Help windows open.
Step 2 From the drop-down menu, select the group to list.
Step 3 Click Users in Group. The User List and the Edit windows open. You can view, modify, or delete a user by clicking on the user's name in the list.
To assign or edit a group's authorization and authentication settings, follow these steps:
Step 1 Click Group Setup. The Select window opens.
Step 2 In the drop-down list, select the applicable group.
Step 3 Click Edit Settings. The Edit window opens.
Step 4 Complete the Group Setup section.
Before you configure Group Setup it is important to understand how this window functions. Group Setup is dynamically built depending on the configuration of your NAS and the security protocols being used. The Group Setup window contains the following basic sections:
1. Information that applies to both TACACS+ and all instances of RADIUS
2. External User Database information
3. TACACS+
4. RADIUS (IETF)
5. RADIUS (Cisco Vendor-Specific Attribute)
6. RADIUS (Ascend)
The General Information is always displayed. Third-party and token card information is displayed if the corresponding external user databases are configured. The combination of TACACS+ and RADIUS sections displayed depends on how your access server is configured. If one NAS is configured within CiscoSecure and is running TACACS+, only the following subsections are displayed:
If a second NAS is using RADIUS (IETF), the following subsections are displayed:
The content of these subsections is dynamic. Only the attributes selected from the Interface Configuration: TACACS+ (Cisco) or RADIUS (IETF) section are displayed. This allows you to select and display only those attributes you want. You can change what is displayed in each of the subsections by selecting a security protocol from the protocol configuration options in the NAS Configuration window.
If this feature does not display, click Interface Configuration: Advanced Options and enable and configure VoIP.
Click this check box to enable support for the null password function of VoIP. This allows users to authenticate (session or telephone call) on only the user ID (telephone number). When you check this box, all users in this group become VoIP users, and the user IDs are treated similarly to a telephone number. VoIP users do not need to enter passwords to authenticate.
Caution: Enabling VoIP disables password authentication and most of the advanced settings, including password aging and protocol attributes.
If this feature does not display, click Interface Configuration: Advanced Options: Default Time-of-Day/Day-of-Week Specification.
You can define the times during which users are allowed or not allowed to access the NAS. Follow these steps:
Step 1 Click Set as Default Access Times.
Step 2 Click either Allow Access or Do Not Allow Access.
Step 3 Click the blocks of time to allow or deny access.
To set all times click Set All; to clear the time blocks, click Clear All.
If this option is not enabled, access is not limited based on time or day.
Callback is a command string that is passed back to the access server. You can use callback strings to initiate a modem to call the user back on a specific number for added security or reversal of line charges. Options are as follows:
Network Access Restrictions provide an automated method of making access control decisions on the following:
To permit or deny a group access to a specified server or specified ports on the server based on a definable filter, follow these steps:
Step 1 Click the NAS (Telnet/Login/Exec) Access Control check box.
Step 2 From the drop-down box, select either Permitted Calling/Point of Access Locations or Denied Calling/Point of Access Locations.
Step 3 Select or enter the information in the following fields:
Step 4 Click Enter.
To permit or deny a group access for a specified dialup location, follow these steps:
Step 1 Click the Dial-Up (PPP/ARAP) Access Control Table Defines check box.
Step 2 From the drop-down box, select either Permitted Calling/Point of Access Locations or Denied Calling/Point of Access Locations.
Step 3 Select or enter the applicable information in the following fields:
Set the maximum number of sessions available to groups and users.
As an example, Sessions available to group is set to 10 and sessions available to users of this group is set to 2. If each user is using the maximum 2 simultaneous sessions, no more than 5 users can log in.
You can also set per-user Max Sessions to be applied to users within the group. This limits the number of simultaneous connections a user can establish.
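The Max Sessions rules described for users and groups, as an added example that is not part of the original Cisco documentation. It assumes a single group, that the per-user check runs before the group check, and that a per-user override of `None` stands for Use Group Setting; the class, function and user names are hypothetical.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple


class MaxSessions:
    """Counts sessions by user and group name only; the session type is ignored."""

    def __init__(self, group_limit: int, user_limit: int,
                 overrides: Optional[Dict[str, int]] = None):
        self.group_limit = group_limit      # "Sessions available to group"
        self.user_limit = user_limit        # "Sessions available to users of this group"
        self.overrides = overrides or {}    # per-user Max Sessions set in User Setup
        self.active: Dict[str, Set[str]] = defaultdict(set)

    def limit_for(self, user: str) -> int:
        # A user without an override falls back to the group's per-user value.
        return self.overrides.get(user, self.user_limit)

    def group_total(self) -> int:
        return sum(len(sessions) for sessions in self.active.values())

    def admit(self, user: str) -> Tuple[bool, str]:
        if len(self.active.get(user, ())) >= self.limit_for(user):
            return False, "user limit"
        if self.group_total() >= self.group_limit:
            return False, "group limit"
        return True, "ok"

    def accounting(self, kind: str, user: str, session_id: str) -> None:
        # The counter moves only on accounting start and stop records, so a
        # lost stop record leaves the session counted against the user.
        if kind == "start":
            self.active[user].add(session_id)
        elif kind == "stop":
            self.active[user].discard(session_id)


def simulate(group_limit: int, user_limit: int,
             events: List[Tuple[str, str, str, str]],
             overrides: Optional[Dict[str, int]] = None
             ) -> List[Tuple[str, str, bool, str]]:
    """Replay (kind, user, session_id, service) events; kind is 'connect' or 'stop'.

    Returns one (user, service, allowed, reason) row per connect attempt.
    """
    tracker = MaxSessions(group_limit, user_limit, overrides)
    results = []
    for kind, user, session_id, service in events:
        if kind == "stop":
            tracker.accounting("stop", user, session_id)
            continue
        allowed, reason = tracker.admit(user)
        if allowed:
            tracker.accounting("start", user, session_id)
        results.append((user, service, allowed, reason))
    return results


# Constructed input: six users each trying two PPP sessions, group 10 / user 2.
PAGE_EXAMPLE = [("connect", f"u{n}", f"u{n}-{k}", "PPP")
                for n in range(1, 7) for k in (1, 2)]

# Constructed input: a user limited to 1 session tries Telnet while on PPP.
SINGLE_SESSION = [
    ("connect", "carol", "s1", "PPP"),
    ("connect", "carol", "s2", "Telnet"),
    ("stop", "carol", "s1", ""),
    ("connect", "carol", "s3", "Telnet"),
]

if __name__ == "__main__":
    for row in simulate(10, 2, PAGE_EXAMPLE):
        print(row)
    for row in simulate(10, 2, SINGLE_SESSION, overrides={"carol": 1}):
        print(row)
```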
This option allows the token to be cached. This means users can use a second B channel without having to enter a second one-time password (OTP).
If this section does not display, configure a token card server. Click External User Databases: Database Configuration and add the applicable token card server.
This option is for use with token caching only for ISDN terminal adapters. You should fully understand token caching and ISDN concepts and principles before implementing this option. Token caching allows you to connect to multiple B channels without having to provide a token for each channel connection. Token card settings are applied to all users in the selected group.
The options for token caching are:
If this section does not display, configure the interface to display advanced TACACS+ settings. Click Interface Configuration: TACACS+ (Cisco). At the bottom of the page in the Advanced Configuration Options section, check the Advanced TACACS+ features option and click Submit.
Use this option to configure group-level TACACS+ enable parameters. If you are using Network Device Groups (NDGs), this option lets you easily configure the NDG for Enable-level mapping rather than having to do it for each individual user in the group. From the drop-down menus, select the NDG to which this group should belong and the privilege level to assign.
If this section does not display, click Interface Configuration: Advanced Options: Group-Level Password Aging.
The password aging feature of CiscoSecure ACS allows administrators to force users to change their passwords under one or more of the following conditions:
To use this feature, the NAS must be running the TACACS+ or RADIUS protocol for password aging over dialup connections. Only password aging over interactive connection (telnet) is supported with TACACS+.
The following conditions must also be met:
Caution: If a RADIUS user tries to make a telnet connection to the NAS during or after the warning or grace period, the change password option does not display, and the user's account is expired.
Password aging parameters are configured on a group basis.
Users who fail authentication because they have not changed their password and have exceeded their grace period are logged in the Failed Attempts logs. The accounts are expired and appear in the Accounts Disabled list.
Conditions apply for all checked options. In other words, users can be forced to change their passwords every 20 days and every 10 logins, and to receive warnings and grace periods accordingly.
If no parameters are checked, passwords never expire.
Configure the way to assign IP addresses to the users in this group.
If a NAS has been configured to use TACACS+ as the security control protocol, TACACS+ service/protocol/attribute configuration is displayed. Enable and configure the parameters to be applied for the authorization of each user who belongs to the group. The default service-protocol settings displayed for TACACS+ are:
To display or hide additional services or protocols, click Interface Configuration: TACACS+ (Cisco).
Select the services and protocols to be authorized for the Group by checking the box next to the protocol-service. Below each service-protocol, select the attributes to further define the authorization for that protocol-service. In the case of access control lists (ACLs) and IP address pools, the name of the ACL or pool as defined on the NAS should be entered. (An ACL is a list of Cisco IOS commands used to restrict access to or from other devices and users on the network.) Leave blank if the default (as defined on the NAS) should be used. More information about attributes can be found in "TACACS+ Attribute-Value Pairs," or your NAS documentation.
When configuring Shell (Exec), you can define the Cisco IOS commands and arguments to be permitted or denied. Click the box to enable the command, enter the name of the command, define its arguments using standard permit or deny syntax, and define whether Unlisted Arguments are to be permitted or denied. You can enter any number of commands.
To add fields, submit the changes for the first commands and re-enter Group Setup. The submitted commands appear and additional fields become available.
These parameters are displayed only when the NAS has been configured to use RADIUS (IETF). See "RADIUS Attribute-Value Pairs," and your NAS documentation for a list and explanation of RADIUS attributes. RADIUS attributes are sent as a profile for each user from CiscoSecure ACS to the requesting NAS. To display or hide any of these attributes, see the "TACACS+ or RADIUS Protocol Configuration Options" section.
Select the attributes to be authorized for the Group by checking the box next to the attribute, then define the authorization for the attribute in the field next to it. More information about attributes can be found in the appendix of this document or your NAS documentation.
The RADIUS (IETF) and RADIUS (Cisco) parameters are displayed only if a NAS has been configured to use RADIUS (Cisco). RADIUS (Cisco) represents the Cisco Vendor Specific Attribute (VSA) IETF number 26. Therefore, when configuring RADIUS (Cisco), both IETF and Cisco VSA apply. The default attribute setting displayed for RADIUS (Cisco) is Cisco VSA, which are packed as RADIUS VSAs (attribute number 26 using Cisco's Vendor ID of 9).
Step 1 For the IETF attributes, select the attributes to be authorized for the Group by checking the box next to the attribute. Be sure to further define the authorization for the attribute in the field next to it. More information about attributes can be found in "RADIUS Attribute-Value Pairs," or your NAS documentation.
Step 2 For the Cisco VSA, enter the commands (such as TACACS+ commands) to be packed as a RADIUS VSA.
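How a command string ends up on the wire as attribute 26 with Vendor ID 9, shown as an added example that is not part of the original Cisco documentation. The sub-attribute number 1 (cisco-avpair) is an assumption not stated on this page, and the AV-pair string and username in the sample are constructed values.

```python
import struct
from typing import Iterator, List, Tuple

VENDOR_SPECIFIC = 26   # IETF attribute number used for VSAs (from the text above)
CISCO_VENDOR_ID = 9    # Cisco's Vendor ID (from the text above)
CISCO_AVPAIR = 1       # assumption: cisco-avpair sub-attribute number, not on this page


def pack_cisco_avpair(avpair: str) -> bytes:
    """Wrap one AV-pair string as: 26 | len | vendor-id(4) | sub-type | sub-len | data."""
    data = avpair.encode("ascii")
    if len(data) > 255 - 8:            # 2-byte header + 4-byte vendor id + 2-byte sub-header
        raise ValueError("AV pair does not fit in one RADIUS attribute")
    sub = bytes([CISCO_AVPAIR, len(data) + 2]) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


def iter_attributes(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the attribute list of a RADIUS packet, rejecting bad length fields."""
    i = 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError(f"attribute {atype}: bad length {alen}")
        yield atype, buf[i + 2:i + alen]
        i += alen


def extract_vsas(buf: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (vendor_id, vendor_type, value) for every sub-attribute of every VSA."""
    found = []
    for atype, value in iter_attributes(buf):
        if atype != VENDOR_SPECIFIC:
            continue
        if len(value) < 6:
            raise ValueError("VSA too short for vendor id and sub-attribute header")
        vendor_id = struct.unpack("!I", value[:4])[0]
        sub, j = value[4:], 0
        while j < len(sub):
            if len(sub) - j < 2:
                raise ValueError("truncated sub-attribute header")
            vtype, vlen = sub[j], sub[j + 1]
            if vlen < 2 or j + vlen > len(sub):
                raise ValueError(f"sub-attribute {vtype}: bad length {vlen}")
            found.append((vendor_id, vtype, sub[j + 2:j + vlen]))
            j += vlen
    return found


def cisco_avpairs(buf: bytes) -> List[str]:
    """Only the strings carried under Vendor ID 9, sub-attribute 1."""
    return [value.decode("ascii")
            for vendor_id, vtype, value in extract_vsas(buf)
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR]


# Constructed sample: a User-Name attribute (type 1) followed by one Cisco VSA.
SAMPLE_ATTRIBUTES = bytes([1, 7]) + b"alice" + pack_cisco_avpair("shell:priv-lvl=15")

if __name__ == "__main__":
    print(pack_cisco_avpair("shell:priv-lvl=15").hex())
    print(cisco_avpairs(SAMPLE_ATTRIBUTES))
```

A receiver that trusts the inner length bytes without the bounds checks shown here reads past the attribute, which is why both the outer and the sub-attribute lengths are validated.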
The RADIUS (IETF) and RADIUS (Ascend) parameters are displayed only if a NAS has been configured to use RADIUS (Ascend). RADIUS (Ascend) represents the Ascend proprietary attributes. Therefore, when configuring RADIUS (Ascend), both IETF and Ascend apply (proprietary attributes override IETF when conflicting).
The default attribute setting displayed for RADIUS is Ascend-Remote-Addr.
To display additional IETF attributes, or to hide any or all of them, see the "TACACS+ or RADIUS Protocol Configuration Options" section.
Step 1 For the IETF attributes, select which attributes should be authorized for the Group by checking the box next to the attribute. Be sure to further define the authorization for that attribute in the field next to it. More information about attributes can be found in the appendix of this document or your NAS documentation.
Step 2 For the Ascend attributes, select which attributes should be authorized for the Group by checking the box next to the attribute. Be sure to further define the authorization for that attribute in the field next to it. More information about attributes can be found in "RADIUS Attribute-Value Pairs," or your NAS documentation.
Step 3 Click Submit + Restart. The group attributes are applied and services are restarted. The Edit window opens. (Click Submit if you want to save your changes and apply them later by restarting the services.)
Step 4 Verify that your changes were applied by selecting the group and clicking Edit Settings. View the settings.
To rename a group, follow these steps:
Step 1 Click Group Setup. The Select window opens.
Step 2 Select a group from the drop-down list.
Step 3 Click Rename Group.
Step 4 Enter the new name in the Group field. Group names cannot contain angle brackets (< or >).
Step 5 Click Submit. The Select window opens with the new group name selected.
The NASes and AAA Servers you use with CiscoSecure ACS must be configured and active on the network. If you are not using Network Device Groups (NDGs), when you click Network Configuration in the button bar, you will see at least two tables: Network Access Servers and AAA Servers. To configure a NAS or AAA server, just click the applicable name.
If you are using NDGs, you will see only the Network Device Groups table. To configure a NAS or AAA server, click the name of the NDG to which the device is assigned. If the device is not assigned to an NDG, it will automatically belong to the Not Assigned group.
In either case, if you have enabled Distributed Systems Settings, you will also see the Proxy Distribution Table.
Network Device Grouping (NDG) is an advanced feature that allows you to view and administer a collection of network devices as a single logical group. To simplify administration, each group can be assigned a convenient name that can be used to refer to all devices within that group. This creates two levels of network devices within CiscoSecure ACS: single discrete devices such as an individual router or NAS, and an NDG; that is, a collection of routers or AAA servers. For more information on NDGs, see "Network Device Groups" in "Overview of CiscoSecure ACS 2.4 for Windows NT Server."
You can assign groups of users to NDGs. See the "Group Settings" section for more information.
To add an NDG, follow these steps:
Step 1 Click Add Entry.
Step 2 Enter the name of the new NDG. The maximum name length is 19 characters. Quotation marks (") and commas (,) are not allowed. Spaces are allowed.
Step 3 Click Submit.
To assign an unassigned NAS or AAA server to a group, click Not Assigned.
To reassign a NAS or AAA server to a new group, click the name of its current group.
To add a NAS, follow these steps:
Step 1 Click Network Configuration.
Step 2 If you are using NDGs, click the name of the NDG to which the NAS is assigned.
Step 3 Click Add New Access Server.
Step 4 If you are adding a NAS, in the Network Access Server Hostname box, enter the name assigned to this access server. You can also enter the information for a Cisco Systems PIX firewall in this field.
Step 5 In the Network Access Server IP address box, enter the name assigned to this access server. You can also enter the information for a Cisco Systems PIX firewall in this field.
Step 6 In the Key box, enter the shared secret that the TACACS+ or RADIUS NAS and CiscoSecure ACS use to encrypt the data. For correct operation, the identical key (case-sensitive) must be configured on the NAS and CiscoSecure ACS.
Step 7 If you are using NDGs, from the Network Device Group drop-down menu, select the name of the NDG to which this NAS should belong, or select Not Assigned to have this NAS be independent of NDGs.
Step 8 From the Authenticate Using drop-down list, select the network security protocol. Select one of the following options:
Step 9 If you are using the TACACS+ security protocol, select Single Connect TACACS+ NAS to allow a stop record to be sent to the TACACS+ accounting log for each user connected through the NAS.
Step 10 Select the Log Update/Watchdog Packets from this Access Server option to allow accounting packets sent by the NAS to be logged in the Reports & Activity: TACACS+ Accounting or RADIUS Accounting reports.
Step 11 Select the Log RADIUS tunnelling Packets from this Access Server option to allow RADIUS tunnelling accounting packets to be logged in the Reports & Activity: RADIUS Accounting reports.
Step 12 Click Submit or Submit + Restart.
For more information on Network Configuration, see "Distributed Systems."
To configure a AAA server, follow these steps:
Step 1 From either the Network Configuration window or the Network Device Groups Table, click Add Entry to add a new AAA server or click the name of the AAA Server to edit an existing server.
Step 2 If this is a new AAA Server, in the AAA Server Name box, enter a name for the remote AAA server.
Step 3 In the AAA Server IP Address box, enter the IP address assigned to the remote AAA server.
Step 4 In the Key box, enter the shared secret that the remote AAA server and the CiscoSecure ACS use to encrypt the data. For correct operation, the identical key (case-sensitive) must be configured on both the remote AAA server and CiscoSecure ACS.
Step 5 From the Network Device Group drop-down box, select the NDG to which this AAA Server belongs.
Step 6 Select the Log Update/Watchdog Packets when proxied to/from this AAA Server option to allow accounting packets sent or received by the AAA server to be logged in the Reports & Activity reports.
Step 7 In the AAA Server Type drop-down menu, select the protocol the remote AAA server is configured to use:
Step 8 The TrafficType field defines the direction in which traffic to and from the remote AAA server is allowed to flow from this local CiscoSecure ACS. From the Traffic Type drop-down menu, select one of the following options:
The Distribution Table shows the Character Strings on which to proxy, the AAA Servers to proxy to, whether to strip the character string, and where to send the accounting information (Local/Remote, Remote, or Local).
The Distribution Table originally includes only the Default table, which includes this Windows NT server. After you add entries, this table includes a list of the proxies that you have configured. To add an entry, click Add Entry. To change a configuration, click the applicable character string. To sort the entries, click Sort Entries.
To create a new Distribution Table entry, follow these steps:
Step 1 Click Network Configuration.
Step 2 Click the Add Entry button that is below the Distribution Table.
Step 3 In the Character String box, enter the string of characters, including the delimiter to forward on when users dial in to be authenticated. For example, .uk.
Step 4 From the Position drop-down menu, select Prefix if the character string you entered appears at the beginning of the username or Suffix if the character string appears at the end of the username.
Step 5 From the Strip drop-down menu, select Yes if the character string you entered is to be stripped off the username, or No if it is to be left intact.
Step 6 In the AAA Servers column, select the AAA server you want to use for proxy. Click > to move it to the Forward To column. To remove the server from the distribution table, click < to move it back to the AAA Servers column. You can then select additional AAA servers to use for backup proxy in the event the prior servers fail. In the Forward To column, click the name of the applicable server and click Up or Down to move it into the position you want. If the AAA server you want to use is not listed, click Network Configuration: AAA Servers: Add Entry and enter the applicable information.
Step 7 From the Send Accounting Information drop-down menu, select one of the following areas to report accounting information to:
This information is especially important if you are using the Max Sessions feature to control the number of connections a user is allowed. Max Sessions depends on accounting start and stop records, and where the accounting information is sent will determine where the Max Sessions counter is tracked. The Failed Attempts and Logged in Users logs are also affected by where the accounting records are sent.
This window allows you to set the order in which CiscoSecure ACS handles the entries in the distribution table when users dial in. To be able to sort the tables, you must have already configured at least two distribution tables in addition to the default table. Click the name of the character string to move, then click Up or Down to move it to the position you want. When you have finished, click Submit or Submit + Restart.
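A model of how the Distribution Table fields interact (Character String, Position, Strip, Forward To order, Send Accounting Information, and sort order), given as an added example that is not part of the original Cisco documentation. It assumes the first matching entry in sort order wins and that matching is case-sensitive; the server names, usernames and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

LOCAL = "this-acs"  # constructed name for the local CiscoSecure ACS (the Default entry)


@dataclass
class ProxyEntry:
    character_string: str                  # delimiter included, e.g. ".uk"
    position: str                          # "Prefix" or "Suffix"
    strip: bool                            # Strip = Yes / No
    forward_to: List[str]                  # ordered; later servers are backups
    send_accounting: str = "Local/Remote"  # "Local", "Remote" or "Local/Remote"

    def __post_init__(self):
        if not self.character_string or self.position not in ("Prefix", "Suffix"):
            raise ValueError("entry needs a non-empty string and a valid position")

    def matches(self, username: str) -> bool:
        if self.position == "Prefix":
            return username.startswith(self.character_string)
        return username.endswith(self.character_string)

    def rewrite(self, username: str) -> str:
        if not self.strip:
            return username
        n = len(self.character_string)
        return username[n:] if self.position == "Prefix" else username[:-n]


@dataclass
class Decision:
    matched: str
    username_sent: str
    server: Optional[str]   # None when no server in Forward To is reachable
    accounting: str


def route(username: str, table: List[ProxyEntry], reachable: Set[str]) -> Decision:
    """Apply the table in sort order; fall through to the Default (local) entry."""
    for entry in table:
        if entry.matches(username):
            server = next((s for s in entry.forward_to if s in reachable), None)
            return Decision(entry.character_string, entry.rewrite(username),
                            server, entry.send_accounting)
    return Decision("(Default)", username, LOCAL, "Local")


def accounting_targets(decision: Decision) -> List[str]:
    """Where start/stop records go, and so where Max Sessions is counted."""
    remote = [decision.server] if decision.server else []
    return {"Local": [LOCAL], "Remote": remote,
            "Local/Remote": [LOCAL] + remote}[decision.accounting]


def shadowed(table: List[ProxyEntry]) -> List[Tuple[str, str]]:
    """Entries that can never match because an earlier entry covers them."""
    out = []
    for i, later in enumerate(table):
        for earlier in table[:i]:
            if earlier.position != later.position:
                continue
            covered = (later.character_string.startswith(earlier.character_string)
                       if later.position == "Prefix"
                       else later.character_string.endswith(earlier.character_string))
            if covered:
                out.append((later.character_string, earlier.character_string))
                break
    return out


# Constructed table: ".co.uk" is sorted below ".uk", so it is never reached.
SAMPLE_TABLE = [
    ProxyEntry(".uk", "Suffix", True, ["aaa-london", "aaa-backup"], "Remote"),
    ProxyEntry(".co.uk", "Suffix", False, ["aaa-retail"], "Local"),
    ProxyEntry("corp/", "Prefix", False, ["aaa-hq"], "Local/Remote"),
]

if __name__ == "__main__":
    up = {"aaa-london", "aaa-backup", "aaa-retail", "aaa-hq"}
    for name in ("alice.uk", "bob.co.uk", "corp/carol", "dave"):
        print(name, route(name, SAMPLE_TABLE, up))
    print("shadowed:", shadowed(SAMPLE_TABLE))
```

Running the `shadowed` check after every Sort Entries change catches an ordering that silently sends users to a different AAA server than the entry written for them.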
To edit your current CiscoSecure configuration, click System Configuration. The Select window opens. Select one of the following options.
To restart or stop services, click Service Control.
Click the applicable button to restart or stop services. This stops, or stops and restarts, all CiscoSecure services except for CSAdmin. CSAdmin controls the browser and must continue to run. This achieves the same result as starting and stopping all of the services (excluding CSAdmin) from within the Windows NT Control Panel. CSAdmin is the web server for the interface, and it is not restarted. It is left on to prevent remote administrators from losing access. If the service needs to be restarted, CSAdmin can be started or stopped from the Services icon in the Windows NT Control Panel. However, it is best to allow CiscoSecure ACS to handle the services because there are dependencies in the order in which the services are started.
The options in this section control the parameters for the Service log file and directory.
CiscoSecure ACS generates CSV and ODBC log files for the administrative and accounting events for the protocols and options you have enabled. See "Logging," for more information and instructions for configuring the Logging options.
Select whether to use a "Month/Day/Year" or "Day/Month/Year" format on the CiscoSecure ACS HTML interface. Note that this does not affect the accounting logs.
In order for the changes to be used in the Administrator server logs, you must manually restart the Administrator server using the Windows NT Control Panel. See your Microsoft documentation for instructions.
The Password Validation option lets you configure parameters for user passwords.
Select one or more of the following options for user passwords:
Database replication lets you enable and schedule the method and times that the CiscoSecure ACS database is replicated by sending or receiving information from another CiscoSecure ACS database.
For more information on Database Replication, see "Database Information Management," and "Distributed Systems."
You can propagate changes from user and group setup information and Network configuration, including AAA servers, NASes, and NDGs, to other databases using RDBMS Synchronization.
For more information on RDBMS Synchronization, see "Database Information Management," and "Distributed Systems."
ACS Backup lets you back up selected components of your ACS system to the local hard drive. Components that are backed up can include your user and group databases and/or your CiscoSecure ACS System Configuration information.
To schedule the times at which the ACS system data is backed up, follow these steps:
Step 1 Click System Configuration: ACS Backup.
Step 2 In the ACS Backup Scheduling section, select one of the following schedules:
Enter the name of the directory in which to place the backup files. This directory must already exist; CiscoSecure ACS will not create it for you.
To configure parameters for the directory for the backup files, click Manage Directory and one of the following options:
Click Backup Now to back up the ACS system information immediately.
ACS System Restore lets you restore your ACS system data from a backup file that was created during the ACS Backup process.
In the Directory box, select or enter the name of the directory that contains the .dmp backup file you want to use. Click OK. Then select the name of the backup file whose information you want to restore. This file must already exist. The most recent file is listed at the top. If this system has never been backed up, <no matching files> displays.
You can select either or both of the following options for restoring the system information:
The ACS Active Service Management (CSMon) feature lets you monitor all CiscoSecure ACS services.
In the System Monitoring section, click the applicable check box and select from the following options:
In the Event Logging section, click the applicable check box and select from the following options:
The IP address recovery feature allows you to recover IP addresses that have not been used for a specified period of time. If CiscoSecure ACS is to reclaim the IP addresses correctly, an accounting network must be configured on the NAS.
To enable IP Pool address recovery, in the Address Allocation Lifespan section, click the Release address if allocated for longer than x hours check box and enter the number of hours of inactivity after which the address should be released. This must be a positive number.
The IP Pools feature allows you to assign the same IP address to multiple users, as long as the users are on different segments of the network. This means you can re-use IP addresses and reduce the number of IP addresses on your network. When you enable the IP Pools feature, CiscoSecure ACS dynamically issues IP addresses from the IP pools you have defined by number or name. You can configure up to 999 IP pools, for a total of approximately 255,000 users.
If you are using IP pooling and proxy, all accounting packets are proxied so that the CiscoSecure ACS that is assigning the IP addresses can confirm whether an IP address is already in use.
To use IP pools, the NAS must have network authorization (aaa authorization network) and accounting (aaa accounting) enabled.
CiscoSecure ACS provides automated detection of overlapping pools. To enable the use of overlapping pools, click Allow Overlapping Pool Address Ranges.
Configuring IP pooling is a three-step process:
Step 1 Create the IP Pool on the AAA server.
Step 2 Assign a name or number to the IP pool.
Step 3 Assign a group or user to the IP pool.
For information on assigning a group or user to an IP pool, see the "Group Setup" or "User Setup" sections.
Select one of the following options:
When you add a new pool, you will need to enter information for the following options:
When you edit an existing pool, the following options are available:
The Interface Configuration window lets you display or hide fields in the other parts of the HTML user interface. The information for hidden fields will still be stored in CiscoSecure ACS, but you will not be able to see them unless you check the item here. This allows you to hide unused fields and view a clearer interface. You can configure the following items from the Interface Configuration window:
You can define up to five fields to contain information that you want to view for each user. The fields you define in this section will appear in the Supplementary User Information section at the top of the User Setup window. To define the fields, click Display and enter a Field Name in each applicable box. For example, you can set up fields for each user to display the user's email address, department, telephone number, and so on.
These fields display only if you have configured a NAS with the applicable protocol. This lets you select the AV pairs you want to appear as a configurable option in the Group Setup window. Click the applicable option and click Submit. See the section "Group Setup" for more information on these fields.
Check the box for either User and/or Group for each TACACS+ service that you want to appear as a configurable option in the User Setup and/or Group Setup window, accordingly. For correct operation, each protocol/service must be supported by the NAS. When you have finished selecting options, click Submit.
It is unlikely that you will use every service and protocol available for TACACS+. Displaying each would make setting up a user or group very cumbersome. To simplify setup, this section allows you to customize the services and protocols that are displayed.
This list has two sections:
The Advanced Configuration Options section lets you add more detailed information for even more tailored configurations. Click the applicable check box to enable the option to be displayed in the applicable setup window.
This window displays a list of all of the attributes available for IETF RADIUS. Check the box for User and/or Group for each IETF RADIUS service that you want to appear as a configurable option in the User Setup and/or Group Setup window, accordingly. Each attribute selected must be supported by the NAS.
The RADIUS IETF attributes are available for any NAS configuration when using RADIUS. If you want to use IETF attribute #26, Vendor Specific Attribute (VSA) for Cisco, select RADIUS (Cisco) for the NAS. Attributes for RADIUS (IETF) and the Cisco VSA will appear in User Setup or Group Setup.
The Tags to Display Per Attribute option allows you to specify how many values to display for tagged attributes in the User Setup and Group Setup windows. Examples of tagged attributes are Tunnel-Type and Tunnel-Password.
When you have finished selecting attributes, click Submit at the bottom of the page.
This section allows you to enable the RADIUS Vendor Specific Attribute number 26. Selecting this attribute displays an entry field under User Setup and/or Group Setup in which any TACACS+ commands can be entered to fully leverage TACACS+ in a RADIUS environment.
Check the box for either User and/or Group next to attribute number 26, the VSA for Cisco. This attribute will then appear in either the User Setup and/or Group Setup window, accordingly, as a configurable option with a field in which you can enter TACACS+ commands.
The RADIUS IETF attributes are available for any NAS configuration when using RADIUS. RADIUS IETF AV pairs are shared among all RADIUS vendors. Configure supported standard RADIUS attributes using the RADIUS IETF dictionary. Each selected attribute must be supported by the NAS. When you have finished selecting attributes, click Submit at the bottom of the page.
This window displays a list of all of the attributes available for Ascend RADIUS. Check the box for User and/or Group for each Ascend RADIUS service that you want to appear as a configurable option in the User Setup and/or Group Setup window, accordingly. Each attribute selected must be supported by the access server. When you have finished selecting attributes, click Submit at the bottom of the page.
Click the check boxes of the items you want to have displayed in the applicable area of the HTML interface; clear the check boxes of the items you want to hide.
You can administer CiscoSecure from any workstation in the network as long as the workstation is running a compatible browser. See the "System Requirements" section for a list of compatible browsers. The address to enter in the remote administrator's browser is: http://Windows NT :2002. The port number, 2002, is dynamically changed after the initial login of a remote administrator.
Remote administrators can use a firewall-protected dial-in connection, but this is not recommended or supported. Leaving a port open for remote administration could compromise network security.
To enable remote administration from a workstation or remote client:
Step 1 Click Administration Control from the navigation bar.
Step 2 Click Add new administrator. Enter the following information:
(a) Administrator Name: User identification for the administrator to log into CiscoSecure
(b) Password: Password used by the administrator to log in
(c) Confirm Password: Confirmation of the administrator password
Step 3 In the Administrator Privileges section, check any or all of the privileges you want to allow for this administrator:
Step 4 You can also select the Reports & Activity items that this administrator can access.
Step 5 Click Submit to save these changes.
The following items can be configured for the Access Policy:
Specify the parameters for the Administrator Audit reports. To view an Administrator Audit report, click Reports and Activity: Administrator Audit, then click the applicable filename.
An administrative login can be terminated by setting the idle timeout. This parameter applies to the browser session only. It does not apply to the dial-in session. The browser connection with CiscoSecure is terminated if there is no activity for the specified period of time.
To delete an administrator:
Step 1 Click Administration Control. The Select window opens.
Step 2 Click an existing administrator name in the list. The Edit window opens.
Step 3 Click Delete. A delete confirmation window opens.
Step 4 Click OK to delete the selected administrator.
Click External User Databases to configure the following features:
For more information on External User Databases, see "User Databases."
In CiscoSecure ACS, an unknown user is defined as one for whom no account has been created within the CiscoSecure ACS database.
To specify how CiscoSecure ACS should handle users who are not in the CiscoSecure ACS database, follow these steps:
Step 1 In the navigation bar, click External User Databases.
Step 2 Click Unknown User Policy.
Step 3 In the Configure Unknown User Policy window, click one of the following:
Step 4 Click Submit.
To configure the order of the databases, follow these steps:
Step 1 Click External User Databases: Unknown User Policy.
Step 2 Click Check the following external user databases.
Step 3 If the databases you want to be checked are not in the Selected Databases column, click the name of the database in the External Databases column, then click the right arrow (>). To move a database out of the list, click the name of the database and the left arrow (<).
Step 4 To move the position of a database within the list, click the name of the database, then click Up or Down until it is in the position you want.
For more information on Unknown User Policy, see "Sophisticated Handling of Unknown Users."
While Unknown User Policy allows authentication requests to be forwarded to external user databases, all responsibility for the authorization parameters provided to the NAS remains with CiscoSecure ACS. The external user database simply authenticates the user, and CiscoSecure ACS then provides the additional authorization information that is sent to the NAS in the RADIUS or TACACS+ response packet. See the "Database Group Mappings" section for more information.
The Database Group Mappings window allows you to enable CiscoSecure ACS to map an applicable authentication/authorization group profile to each external user database. Because the only data items common to both the CiscoSecure ACS database and the third-party database are username and password, external user databases can be used only for authentication.
CiscoSecure ACS supports group-access profiles for external user database mapping so that you can specify a different access profile for each individual external user database. Because it is a native Windows NT application, CiscoSecure ACS provides even greater configurability of group access profile mapping when using Windows NT as an external user database. CiscoSecure ACS can extract a substantial amount of data on each user from the API calls, including the user's Windows NT Domain and, within that domain, the groups to which the user belongs. CiscoSecure ACS allows you to map group access profiles to Windows NT domains or to groups within domains.
For more information on external user databases, see "Sophisticated Handling of Unknown Users."
To specify a token card database mapping for a group, follow these steps:
Step 1 In the navigation bar, click External User Databases.
Step 2 Click Database Group Mappings.
Step 3 Click the name of the external user database to be used:
Step 4 Click the number of the group to be authenticated using this source. For example, Group 0 (x users) where x is the number of users assigned to the group. See the section "Group Setup" for more information.
Step 5 Click Submit.
To map a group to authenticate via the Directory Services user database, follow these steps:
Step 1 In the navigation bar, click External User Databases.
Step 2 Click Database Group Mappings.
Step 3 Click Directory Service.
Step 4 Click Add Mapping. The Create New Group Mapping for DS Users window opens. The DS Groups list derives the listed names from the DS directory; however, it does not list Windows NT groups.
Step 5 In the Define DS group set list, click the name of the applicable DS group, then click Add to selected.
Step 6 In the CiscoSecure group drop-down menu, click the name of the group to which you want to map this DS group.
Step 7 Click Submit.
To map a group to authenticate via the MCIS LDAP user database, follow these steps:
Step 1 In the navigation bar, click External User Databases.
Step 2 Click Database Group Mappings.
Step 3 Click MCIS LDAP.
Step 4 Click Add Mapping. The Create New Group Mapping for MCIS Users window opens. The MCIS Groups list derives the listed names from the LDAP directory; however, it does not list Windows NT groups.
Step 5 In the Define MCIS group set list, click the name of the applicable LDAP group, then click Add to selected.
Step 6 In the CiscoSecure group drop-down menu, click the name of the group to which you want to map this MCIS group.
Step 7 Click Submit.
To map a group to authenticate via the Novell Directory Services (NDS) user database, follow these steps:
Step 1 In the navigation bar, click External User Databases.
Step 2 Click Database Group Mappings.
Step 3 Click NDS Authentication.
Step 4 Click Add Mapping. The Create New Group Mapping for NDS Users window opens. The NDS Groups list derives the listed names from the LDAP directory; however, it does not list Windows NT groups.
Step 5 In the Define NDS group set list, click the name of the applicable NDS group, then click Add to selected.
Step 6 In the CiscoSecure group drop-down menu, click the name of the group to which you want to map this NDS group.
Step 7 Click Submit.
To map a group to the Windows NT database, follow these steps:
Step 1 In the navigation bar, click External User Databases.
Step 2 Click Database Group Mappings.
Step 3 Click Windows NT to authenticate a user from an existing entry in the Windows NT user database located on the same machine as the CiscoSecure server. There is also an entry in the CiscoSecure ACS database used for other CiscoSecure ACS services. A window with a list of domain configurations opens.
Step 4 Click New Configuration to add a domain or click the name of the domain to configure.
Step 5 If you are adding a domain configuration, do one of the following:
Step 6 Click Submit. The service restarts and the Domain Configurations window opens. The name of the new configuration is listed.
Step 7 To edit an existing configuration, click its name in the Domain Configurations window. The Mappings for Domain: domainname window opens where domainname is the name of the configuration you are editing.
Step 8 Click Add Mapping. The Create New Mapping for Domain domainname window opens.
Step 9 In the CiscoSecure group scroll box, click the name of the group to which you want to map this configuration; for example, Group 0. See the section "Group Setup" for information on renaming a group.
Step 10 Click Submit.
Step 11 The Mappings for Domain: domainname window opens again, this time listing the mapping you just created.
To assign a Windows NT user to the No Access group, follow these steps:
Step 1 Click External User Databases: Database Group Mappings: database
where database is the name of the external database you are using
Step 2 Click the name of the existing group or click Add mapping.
Step 3 In the drop-down box, click <No Access>.
Step 4 Click Submit.
To set or change the order of the group mappings for a Windows NT, ODBC, LDAP, or MCIS LDAP group, follow these steps:
Step 1 Click External User Databases: Database Group Mappings: database
where database is the name of the external database to sort.
Step 2 Click the name of the group.
Step 3 Click Add Mapping.
Step 4 Make sure all the groups you want to list are in the Selected column. If not, click the name of the group to move, then click the right arrow (>).
Step 5 Click the name of the group to move, then click Up or Down until it is in the position you want.
Step 6 Click Submit.
To edit the mapping for a domain, follow these steps:
Step 1 In the navigation bar, click External User Databases.
Step 2 Click Database Group Mappings.
Step 3 Click Windows NT. The Domain Configurations window opens.
Step 4 To edit a domain, click the name of the domain you want to edit. The Mappings for Domain domainname window opens. This window displays a list of the NT groups you have configured for this domain and the CiscoSecure group to which it is mapped.
(a) To edit the mapping, click the name of the Windows NT group to be edited. The Edit mapping for Domain domainname window opens.
(b) In the CiscoSecure group scroll box, click the name of the group to which this NT group should be mapped, then click Submit.
Step 5 To add a new mapping, click Add mapping. The Create New Mapping for Domain: domainname window opens. In the CiscoSecure group: scroll box, select the CiscoSecure group to which this Windows NT domain should be mapped; for example, Group 1. If you do not want to assign this mapping to a group, you can leave this scroll box set to the default, <No Access>.
Step 6 In the Define Windows NT group set, Windows NT Groups scroll box, click the name of the NT group you want to assign to this mapping.
Step 7 Click the -> (right arrow) button to move your selection into the Selected column.
Step 8 When you have finished selecting all the groups you want, click Submit. The Mappings for Domain domainname window opens again with the new group mapping listed.
You can change the mapping for an existing Windows NT group. To remap an existing Windows NT group, follow these steps:
Step 1 Click External User Databases: Database Group Mappings: Windows NT.
Step 2 Click the name of the group.
Step 3 Click the name of the mapping you want to change.
Step 4 From the drop-down box, click the name of the new group to map to.
Step 5 Click Submit.
To delete a group mapping, follow these steps:
Step 1 Click External User Databases: Database Group Mappings: database.
where database is the name of the applicable external user database
Step 2 Click the name of the group.
Step 3 Click the name of the mapping you want to delete.
Step 4 Click Delete.
Step 5 Click Submit.
To delete an existing mapping configuration, follow these steps:
Step 1 In the navigation bar, click External User Databases.
Step 2 Click Database Mappings.
Step 3 Click Windows NT. The Domain Configurations window opens.
Step 4 Click the name of the configuration to delete. The Mappings for Domain: domainname window opens (where domainname is the name of the configuration to delete).
Step 5 Click Delete Configuration.
Step 6 Click Submit.
To install CiscoSecure ACS support for any of the remote authentication sources, follow these steps:
Step 1 Click External User Databases.
Step 2 Click Database Configuration. The External User Databases window opens.
Step 3 Click one of the following types of authentication to be used:
For CiscoSecure ACS to interact with an external user database, two components are required: a source-specific CiscoSecure ACS DLL and the third-party authentication source API with which this communicates. However, for Windows NT, Directory Services, MCIS LDAP, ODBC, and NDS authentication, the program interface for the external authentication is local to the CiscoSecure ACS system and is provided by the local operating system. In these cases, no further components are required. To communicate with each of the OTP servers, you must have software components provided by the OTP vendors installed, in addition to the CiscoSecure ACS components. You must also specify in User Setup that a token card server is to be used.
Step 4 The Database Configuration window opens. To delete a configuration, click Delete. To set up a configuration, click Configure.
ODBC is a standardized API that was first developed by Microsoft and is now used by most major database vendors. ODBC now follows the specifications of the SQL Access Group. The benefit of ODBC in a web-based environment is easy access to data storage programs such as Microsoft Access and SQL Server. You must have already installed your ODBC database server and populated the database. See your Microsoft documentation for more information. To configure CiscoSecure ACS for ODBC authentication, follow these steps:
Step 1 Click External User Databases: Database Configuration.
Step 2 Click ODBC Database Authentication.
Step 3 Click Configure.
Step 4 Enter the following information:
Step 5 Click Submit.
If you want your passwords to be case-sensitive, reconfigure your SQL Server to accommodate this feature. If your users are authenticating using PPP via PAP or Telnet login, the password might not be case-sensitive, depending on how the case-sensitivity option is set on the SQL server. For example, Oracle SQL servers default to case sensitivity, whereas Microsoft SQL servers default to case-insensitivity. However, in the case of CHAP/ARAP, the password is case-sensitive if the CHAP stored procedure is configured.
For example, with Telnet or PAP authentication, the passwords cisco or CISCO or CiSc0 will all work if the SQL server is configured for case-insensitivity.
For CHAP/ARAP, the passwords cisco or CISCO or CiSc0 are not the same, regardless of whether or not the SQL server is configured for case-sensitive passwords.
The following example SQL Procedure routines are included on the CiscoSecure ACS CD-ROM.
The following example routine is for use with PAP authentication:
```sql
-- PAP: the database compares the supplied password with the stored one
if exists (select * from sysobjects where id = object_id('dbo.CSNTAuthUserPap') and sysstat & 0xf = 4)
    drop procedure dbo.CSNTAuthUserPap
GO
CREATE PROCEDURE CSNTAuthUserPap @username varchar(64), @pass varchar(255)
AS
SET NOCOUNT ON
IF EXISTS (SELECT username FROM users WHERE username = @username AND csntpassword = @pass)
    SELECT 0, csntgroup, csntacctinfo, 'No Error' FROM users WHERE username = @username
ELSE
    SELECT 3, 0, 'odbc', 'ODBC Authen Error'
GO
GRANT EXECUTE ON dbo.CSNTAuthUserPap TO ciscosecure
GO

-- Returns the stored clear-text password together with the group and account info
if exists (select * from sysobjects where id = object_id('dbo.CSNTExtractUserClearTextPw') and sysstat & 0xf = 4)
    drop procedure dbo.CSNTExtractUserClearTextPw
GO
CREATE PROCEDURE CSNTExtractUserClearTextPw @username varchar(64)
AS
SET NOCOUNT ON
IF EXISTS (SELECT username FROM users WHERE username = @username)
    SELECT 0, csntgroup, csntacctinfo, 'No Error', csntpassword FROM users WHERE username = @username
ELSE
    SELECT 3, 0, 'odbc', 'ODBC Authen Error'
GO
GRANT EXECUTE ON dbo.CSNTExtractUserClearTextPw TO ciscosecure
GO
```
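The case-sensitivity difference between PAP and CHAP described above, as an added example that is not from the CiscoSecure ACS CD-ROM or Cisco's code. Assumptions: SQLite stands in for the SQL server (COLLATE NOCASE models a case-insensitive server), the caller computes the CHAP response from the extracted clear-text password as in RFC 1994, and the account `jdoe`/`Winter99` and the Python function names are constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample account. Column names follow the page's example procedures.
SAMPLE_USER = ("jdoe", "Winter99", 1, "constructed account")


def make_db(case_sensitive):
    """In-memory users table. SQLite is a stand-in for the SQL server (assumption):
    NOCASE models a case-insensitive server, BINARY a case-sensitive one."""
    collation = "BINARY" if case_sensitive else "NOCASE"  # fixed strings, not user input
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, "
        f"csntpassword TEXT COLLATE {collation}, "
        "csntgroup INTEGER, csntacctinfo TEXT)"
    )
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USER)
    return db


def auth_user_pap(db, username, password):
    """Mirrors the logic of CSNTAuthUserPap: the database itself compares the
    password, so the column collation decides whether case matters."""
    row = db.execute(
        "SELECT csntgroup, csntacctinfo FROM users "
        "WHERE username = ? AND csntpassword = ?",
        (username, password),
    ).fetchone()
    if row:
        return (0, row[0], row[1], "No Error")
    return (3, 0, "odbc", "ODBC Authen Error")


def extract_clear_text_pw(db, username):
    """Mirrors the logic of CSNTExtractUserClearTextPw: no comparison in SQL,
    the stored password is handed back to the caller."""
    row = db.execute(
        "SELECT csntgroup, csntacctinfo, csntpassword FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row:
        return (0, row[0], row[1], "No Error", row[2])
    return (3, 0, "odbc", "ODBC Authen Error")


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP value: MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def auth_user_chap(db, username, identifier, challenge, response):
    """The hash is computed over the exact stored bytes, so a password that
    differs only in case yields a different response on any server."""
    result = extract_clear_text_pw(db, username)
    if result[0] != 0:
        return False
    expected = chap_response(identifier, result[4], challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    challenge = bytes(range(16))  # constructed challenge
    for label, db in (("case-insensitive", make_db(False)),
                      ("case-sensitive", make_db(True))):
        pap = auth_user_pap(db, "jdoe", "WINTER99")[0] == 0
        chap = auth_user_chap(db, "jdoe", 7, challenge,
                              chap_response(7, "WINTER99", challenge))
        print(f"{label}: PAP accepts wrong case: {pap}, CHAP accepts wrong case: {chap}")
```

On a case-insensitive server the PAP path accepts every case variant of a password, which shrinks the space an online guessing attempt has to cover; the CHAP path is unaffected.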
MCIS is Microsoft's product suite of commercial-grade server components designed for ISPs and commercial web sites. MCIS is a member of the Microsoft BackOffice family of servers and runs on Microsoft Windows NT Server and Microsoft Internet Information Server (IIS).
To configure CiscoSecure ACS to use the MCIS LDAP User Database, follow these steps:
Step 1 Click External User Databases: Database Configuration.
Step 2 Click MCIS LDAP.
Step 3 Click Configure.
Step 4 In the Hostname box, enter the IP address or DNS name of the machine that is running the LDAP software.
Step 5 In the Port box, enter the TCP/IP port number on which the LDAP server is listening. The default is 389, as stated in the LDAP specification. If you leave this box blank, CiscoSecure ACS uses port 389. If you do not know the port number, you can find this information by viewing LDAP Properties on the LDAP machine.
Step 6 In the Security box, select the type of security to use. The user name and password credentials are passed over the network to the MCIS LDAP directory. Normally the username and password are sent in clear text. To enhance security, there are two check boxes in the MCIS Database Configuration window that allow you to configure the level of security of the connection to the LDAP directory.
There are four combinations of the two check boxes possible. (See Table 9-1.)
| Check Box State | Action |
|---|---|
| Secure Authentication checked SSL encryption checked | Simple bind over SSL. (Secure authentication over a secure channel) |
| Secure Authentication checked SSL encryption unchecked | As above, except that if the ldap_open call to the SSL port fails, it calls SSPI with the user name and password. |
| Secure Authentication unchecked SSL encryption checked | Simple bind over SSL. Encryption only. |
| Secure Authentication unchecked SSL encryption unchecked | Simple bind to LDAP Server in clear text over wire. Credentials are transmitted in clear text at initial bind. User object contents travel the network in clear text. |
If you check either of these boxes, be sure to specify the SSL port number that the MCIS LDAP Directory is configured to use for SSL. The CiscoSecure ACS CSAuth service makes one TCP/IP connection to the MCIS LDAP directory and maintains that single connection.
Caution: If you are using MCIS 2.0 with the Active Directory Service Interfaces (ADSI) 2.0 client libraries and you check the Secure Authentication check box, Windows first tries to authenticate using Kerberos, then using NT LAN Manager (NTLM). If it does not find either of these types, it sends the password in clear text, compromising authentication security. This issue is corrected in the Microsoft ADSI 2.5 client.
Step 7 In the Admin DN box, enter the following information from your MCIS LDAP server:
o=root,ou=members,cn=userobject
For example:
o=xyzcompany,ou=members,cn=administrator
When CiscoSecure ACS binds, it authenticates itself to the directory to get administrator-level privileges. The Administrator account SUPERBROKER is created during installation. You can also create an account with just the privilege level you want to allow. At a minimum, the administrator account must allow reading passwords and reading account status. Currently CiscoSecure ACS only reads the directory; it does not write to it.
Step 8 In the Password box, enter the administrator account (SUPERBROKER) password. Password case-sensitivity is determined by the SQL server.
Step 9 In the Confirm Password box, re-enter the same password to verify its format.
The Directory Services (DS) is a generic type of Lightweight Directory Access Protocol (LDAP) used by several vendors. The information in this section applies to Netscape's implementation of DS. See your vendor documentation for more specific information. To configure CiscoSecure ACS to use the DS User Database, follow these steps:
Step 1 Click External User Databases: Database Configuration.
Step 2 Click Directory Services.
Step 3 Click Configure.
Step 4 In the Hostname box, enter the name or IP address of the machine that is running the DS software.
Step 5 In the Port box, enter the TCP/IP port number on which the DS server is listening. The default is 389, as stated in the DS specification. If you leave this box blank, CiscoSecure ACS uses port 389. If you do not know the port number, you can find this information by viewing those properties on the DS machine.
Step 6 The username and password credentials are normally passed over the network to the DS directory in clear text. To enhance security, in the Security box, check the Use secure authentication check box.
Step 7 In the Admin DN box, enter the following information from your DS server:
uid=userid,ou=organizationalunit,[ou=nextorganizationalunit]o=organization
where userid is the username
organizationalunit is the last level of the tree
nextorganizationalunit is the next level up the tree.
For example:
uid=joesmith,ou=members,ou=administrators,o=cisco
See your DS documentation for more information.
Step 8 In the Password box, enter the administrator password. Password case-sensitivity is determined by the server.
Step 9 In the Confirm Password box, re-enter the same password to verify its format.
Step 10 In the User Object Type box, enter the uid (user ID). This is configured on your Directory Server. See your DS documentation for more information.
Step 11 In the User Object Class box, enter the class of user object (for example, person). See your DS documentation for more information.
Step 12 In the User Directory Subtree box, enter:
o=subtree
where subtree is the tree in which all of your users are located. This is configured when you set up your Directory Server. See your DS documentation for more information.
If you are using CRYPTOCard authentication, follow these steps:
Step 1 Click External User Databases: Database Configuration.
Step 2 Click CRYPTOCard.
Step 3 Click Configure.
Step 4 Enter the following information:
Step 5 Click Submit.
If you are using SafeWord authentication, follow these steps:
Step 1 Click External User Databases: Database Configuration.
Step 2 Click CRYPTOCard.
Step 3 Click Configure.
Step 4 Enter the following information:
Step 5 Click Submit.
If you are using AXENT authentication, follow these steps:
Step 1 Click External User Databases: Database Configuration.
Step 2 Click AXENT.
Step 3 Click Configure.
Step 4 Enter the following information:
Step 5 Click Submit.
If you are using SDI authentication, follow these steps:
Step 1 Before you start:
Step 2 Run the Setup program of the ACE Client software (following the setup instructions). Do not restart your Windows NT server when installation is complete.
Step 3 Locate the ACE Server data directory, for example /sdi/ace/data.
Step 4 Get the file named sdconf.rec and place it in your Windows NT directory: %SystemRoot%\system32
for example:
\winnt\system32
Step 5 Make sure the ACE server host machine name is in the Windows NT local hosts file:
\winnt\system32\drivers\etc\hosts
Step 6 Restart your Windows NT server.
Step 7 Verify connectivity by running the Test Authentication function of your ACE client application. You can run this from the Control Panel.
If you selected NDS Server Support, follow these steps:
Step 1 See your Novell NetWare administrator to get the names and other information on the Tree, Container, and Context.
Step 2 Click NDS Server Support.
Step 3 Enter the Tree name.
Step 4 Enter the full Context List, separated by dots (.). You can enter more than one context list. If you do, separate them with a comma. For example, if your Organization is Corporation, your Organization Name is Chicago, and you want to enter two Context names, Marketing and Engineering, you would enter:
Engineering.Chicago.Corporation, Marketing.Chicago.Corporation
You do not need to add users in the Context List.
Step 5 Click Submit. Changes take effect immediately; you do not need to restart CiscoSecure ACS.
Caution: If you click Delete, your NDS database will be deleted.
You can allow your users to enter their own context as part of the log on process, and you can allow CiscoSecure ACS to allow NDS to search its own tree recursively. Follow these steps:
Step 1 The tree must already have its contexts set up. For example,
```
[Root] whose treename=ABC
  OU=ABC-Company
    OU=sales
      CN=sales1user
      CN=sales2user
    OU=marketing
      OU=marketing-research
        CN=market1
      OU=marketing-product
        CN=market2
```
Step 2 In CiscoSecure ACS, enter in the context field:
ABC-Company
Step 3 When sales1user authenticates, the logon name would be:
Username:sales1user.sales
For market1 to authenticate, the logon name would be:
Username:market1.marketing-research.marketing
If you did not already do so during installation, you can enable CiscoSecure ACS to grant dial-in permission to users. Follow these steps:
Step 1 Click External User Databases: Database Configuration.
Step 2 Click Windows NT.
Step 3 Click Configure.
Step 4 Check the Grant dialin permission to user check box.
Step 5 Click Submit.
Click Reports & Activity in the navigation bar to view reports. The Reports window opens. Select one of the following types of reports to view:
When you select Logged-in Users or Disabled Accounts, a list of these users or accounts appears in the window on the right of the display. For all other types of reports, a list of applicable reports opens in the window on the right of the display. The reports are named and listed by the date on which they were created; for example, if you are using month/day/year format, a file created on October 5, 1999 would be named 1999-10-05.csv. If you are using the day/month/year format, a file created on that date would be named 1999-05-10.csv.
You can import the .csv files into most database and spreadsheet applications.
These reports are created daily and include information for a 24-hour period starting at midnight. To create a weekly report, merge the files together in the database or spreadsheet application. The files are located in the following directories:
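The report naming convention and weekly merge described above, as an added example (not part of CiscoSecure ACS). It works out which date convention a set of report names uses, refuses to guess when every name is valid both ways, and merges seven daily files in chronological order. The CSV columns, the sample rows and the assumption that each daily file begins with a header row are constructed for illustration.

```python
import csv
import io
from datetime import date, timedelta

FORMATS = ("mdy", "dmy")  # month/day/year and day/month/year system settings


def parse_report_name(name, date_format):
    """Map a report file name to its date, following the page's two examples:
    mdy -> YYYY-MM-DD.csv, dmy -> YYYY-DD-MM.csv. Raises ValueError if invalid."""
    stem, ext = name.rsplit(".", 1)
    if ext.lower() != "csv":
        raise ValueError(f"not a report file: {name}")
    year, first, second = (int(part) for part in stem.split("-"))
    month, day = (first, second) if date_format == "mdy" else (second, first)
    return date(year, month, day)


def infer_date_format(names):
    """Return 'mdy' or 'dmy' if the names fit only one convention, or None when
    every name is valid under both (for example 1999-05-10.csv on its own)."""
    candidates = set(FORMATS)
    for name in names:
        for fmt in FORMATS:
            try:
                parse_report_name(name, fmt)
            except ValueError:
                candidates.discard(fmt)
    if not candidates:
        raise ValueError("names fit neither convention; directory may be mixed")
    return candidates.pop() if len(candidates) == 1 else None


def merge_week(reports, week_start, date_format):
    """Merge the seven daily reports starting at week_start.
    reports maps file name -> CSV text. Returns (merged_csv_text, missing_dates)
    so that gaps in the audit trail are reported instead of silently skipped."""
    by_date = {parse_report_name(n, date_format): text for n, text in reports.items()}
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    header, missing = None, []
    for offset in range(7):
        day = week_start + timedelta(days=offset)
        if day not in by_date:
            missing.append(day)
            continue
        rows = list(csv.reader(io.StringIO(by_date[day])))
        if not rows:
            continue
        if header is None:
            header = rows[0]
            writer.writerow(header)
        elif rows[0] != header:
            raise ValueError(f"header mismatch in report for {day}")
        writer.writerows(rows[1:])
    return out.getvalue(), missing


# Constructed sample: two daily reports written under the day/month/year setting.
SAMPLE_REPORTS = {
    "1999-05-10.csv": "User-Name,Group-Name,Message\njdoe,Group 1,row from 5 October\n",
    "1999-04-10.csv": "User-Name,Group-Name,Message\nasmith,Group 0,row from 4 October\n",
}

if __name__ == "__main__":
    print(infer_date_format(SAMPLE_REPORTS))  # every name is valid both ways
    merged, missing = merge_week(SAMPLE_REPORTS, date(1999, 10, 4), "dmy")
    print(merged)
    print("missing days:", [d.isoformat() for d in missing])
```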
The online documentation provides more detailed information about the configuration, operation, and concepts of CiscoSecure.
Step 1 Click Online Documentation.
The Table of Contents opens in the left window.
Step 2 Click the applicable topic. The online documentation window opens.
Step 3 To print the online documentation, click in the right window, then click Print in your browser's navigation bar.
Posted: Fri Sep 24 11:10:37 PDT 1999
Copyright 1989-1999©Cisco Systems Inc.