After CiscoSecure ACS 2.4 for Windows NT Server (CiscoSecure ACS) has been installed, you configure and manage it through the HTML user interface. The hypertext markup language (HTML) interface allows you to easily modify the authentication and authorization configuration of any user or group in CiscoSecure ACS from any connection on your LAN or WAN.
The CiscoSecure ACS interface is designed to be viewed using a web browser. See the "System Requirements" section for a list of supported browsers.
The design uses primarily HTML, along with some Java functions to enhance ease of use. This design keeps the interface responsive and straightforward, and it means that the browser must support Java.
The web-based interface not only makes viewing and editing user and group information possible, it also allows you to restart services, add remote administrators, change network access server (NAS) information, back up the system, view reports from anywhere on the network, and more. The reports track connection activity, show which users are currently logged in, list the failed authentication and authorization attempts, and show administrators' recent tasks.
You can configure and perform almost all functions for CiscoSecure ACS through the user interface, including:
The HTML interface displays an online help window with information specific to the section displayed. If more extensive information is needed, click Section Information at the bottom of the online help window to see the related point in the Online Documentation.
You can configure the HTML interface to display or hide the options of your choice. See the "Interface Configuration" section for instructions.
To access the CiscoSecure ACS web-based interface, enter one of the following uniform resource locators (URLs) on the address line of a browser:
From the browser at the server on which CiscoSecure ACS is installed:
From a browser on a remote workstation:
The display has three vertical sections:
The overriding design of the interface is centered on ease of use. The intricate concepts of network security are presented from a user's perspective. This section describes implicit and explicit relationships among the different components that comprise network security.
A user can belong to only one group at a time. As long as there are no conflicting attributes, users inherit group settings.
If a user has a unique configuration requirement, you can make that user a part of a group and set the unique requirements in the User Setup window, or you can assign that user to his or her own separate group.
You can configure most parameters at both the group and user levels. Parameters configurable only at the user level include static IP address, password, and expiration. Password aging and time-of-day/day-of-week restrictions are configurable only at the group level.
To maintain ease of use, the default configuration options support the most common applications. Not every TACACS+ and RADIUS attribute is listed by default. You can select additional attributes to display in the Group or User Setup window. If you want to use an attribute that is not listed, or if you do not use some of the default options, you can display or hide them in the Interface Configuration window. For more information, see the "Interface Configuration" section.
CiscoSecure ACS can simultaneously communicate with different access devices that use any of the following protocol selections:
When you add or configure a NAS, a menu with these choices opens. CiscoSecure ACS can communicate with a NAS using any of these choices. TACACS+ is a Cisco-developed protocol; RADIUS (IETF) uses only the standard attributes defined by the IETF. RADIUS (Cisco) is RADIUS (IETF) support plus IETF Attribute 26, the vendor-specific attribute (VSA), carrying Cisco's vendor identifier. It is inside this VSA that TACACS+ style attribute-value pairs (commands) are sent to an access device over RADIUS. RADIUS (Ascend) is RADIUS (IETF) support plus the Ascend proprietary attributes.
You can control the use of each TACACS+ service by the time of day and day of week. For example, you can restrict Exec (Telnet) access to business hours but permit PPP-IP access at any time.
The default setting is to control time-of-day access for all services as part of authentication. However, you can override the default and display a time-of-day access grid for every service. This keeps User and Group Setup easy to manage, while making this feature available for the most sophisticated environments. This feature applies only to TACACS+ because it can separate the authentication and authorization processes. RADIUS time-of-day access applies to all services. If both TACACS+ and RADIUS are used simultaneously, the default time-of-day access applies to both. This provides a common method to control access regardless of the access control protocol.
CiscoSecure ACS can also display a custom command field for each service. This text field lets you define specialized configuration that is downloaded to the access device for a particular service for users in a particular group; for example, you can define an access control list (ACL) on CiscoSecure ACS. The IP addresses to which a user is limited are downloaded to the access device when the user is authenticated and authorized. After the user ends the session on the access device, the ACL is no longer applied there until a user of the same group connects to the device again.
This feature is not limited to ACLs; you can use it to send many TACACS+ commands to the access device for the service, provided that the device supports the command and that the command's syntax is correct. CiscoSecure ACS passes the text to the device as entered, so a typo reaches the device unchanged. This feature is disabled by default, but you can enable it the same way you enable attributes and time-of-day access.
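The two mechanisms described above, the Cisco VSA that tunnels TACACS+ style commands over RADIUS and the custom command field that pushes per-group commands such as ACLs to the access device, share one wire format: a "protocol:attribute=value" pair carried inside IETF Attribute 26 with Cisco's vendor identifier. The following script is an added example, not CiscoSecure ACS code or Cisco's own implementation. It relies on two published constants (Cisco's IANA enterprise number 9 and vendor-type 1 for cisco-avpair); the sample pairs "shell:priv-lvl=15" and "ip:inacl#1=..." are constructed for illustration and assume the access device supports them, which the page says you must verify yourself. It checks the pair's syntax before encoding, builds the attribute, and parses it back with the length checks a real decoder needs so that a truncated or oversized attribute is rejected rather than read past the packet.

```python
import re
import struct

# RADIUS attribute numbers and Cisco identifiers (RFC 2865; IANA enterprise numbers)
USER_NAME = 1                 # IETF attribute 1, User-Name
VENDOR_SPECIFIC = 26          # IETF attribute 26, Vendor-Specific
CISCO_VENDOR_ID = 9           # IANA enterprise number for Cisco
CISCO_AVPAIR = 1              # vendor-type 1 inside the Cisco VSA = cisco-avpair
# RADIUS Length byte caps an attribute at 255 octets including its own 2-byte header;
# subtract the 4-byte Vendor-Id and the 2-byte vendor-type/vendor-length.
MAX_AVPAIR_LEN = 255 - 2 - 4 - 2

# cisco-avpair syntax as used for TACACS+ style commands:
# "protocol:attribute=value" is mandatory, "protocol:attribute*value" is optional
# (a device may ignore an optional pair it does not understand).
_AVPAIR_RE = re.compile(r"[A-Za-z0-9_-]+:[A-Za-z0-9_#-]+[=*].+")


def validate_avpair(avpair: str) -> bool:
    """Syntax and size check only; whether the device accepts the pair is its decision."""
    if not _AVPAIR_RE.fullmatch(avpair):
        return False
    try:
        raw = avpair.encode("ascii")
    except UnicodeEncodeError:
        return False
    return len(raw) <= MAX_AVPAIR_LEN


def encode_cisco_avpair(avpair: str) -> bytes:
    """Wrap one av-pair in Attribute 26 / Vendor-Id 9 / vendor-type 1."""
    if not validate_avpair(avpair):
        raise ValueError(f"malformed or oversized av-pair: {avpair!r}")
    value = avpair.encode("ascii")
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_part
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def build_attribute_list(username: str, avpairs: list) -> bytes:
    """User-Name followed by one Cisco VSA per av-pair, as an attribute list."""
    name = username.encode("utf-8")
    attrs = struct.pack("!BB", USER_NAME, 2 + len(name)) + name
    for pair in avpairs:
        attrs += encode_cisco_avpair(pair)
    return attrs


def decode_attributes(data: bytes) -> list:
    """Walk a RADIUS attribute list. Cisco av-pairs come back as ("cisco-avpair", str),
    everything else as (type, raw payload). Bad lengths raise instead of over-reading."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("attribute length runs past the end of the data")
        payload = data[pos + 2:pos + alen]
        is_cisco = (atype == VENDOR_SPECIFIC and len(payload) >= 4
                    and struct.unpack("!I", payload[:4])[0] == CISCO_VENDOR_ID)
        if is_cisco:
            sub, spos = payload[4:], 0
            while spos < len(sub):          # a VSA may carry several vendor sub-attributes
                if len(sub) - spos < 2:
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = sub[spos], sub[spos + 1]
                if vlen < 2 or spos + vlen > len(sub):
                    raise ValueError("vendor-length runs past the VSA")
                vval = sub[spos + 2:spos + vlen]
                if vtype == CISCO_AVPAIR:
                    out.append(("cisco-avpair", vval.decode("ascii", "replace")))
                else:
                    out.append((f"cisco-vendor-type-{vtype}", vval))
                spos += vlen
        else:
            out.append((atype, payload))
        pos += alen
    return out


if __name__ == "__main__":
    # Constructed sample: pairs a group's custom command field might push (assumed device support)
    pairs = ["shell:priv-lvl=15", "ip:inacl#1=permit tcp any host 10.0.0.5 eq 22"]
    for item in decode_attributes(build_attribute_list("alice", pairs)):
        print(item)
```

The validator catches the two failures the page warns about that can be caught before the device sees the command: a pair that is not in "protocol:attribute=value" form, and one too long to fit in a single Attribute 26. Whether the device supports "ip:inacl#1" or any other attribute is still something you confirm against that device's documentation.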
This is the section in which you configure the CiscoSecure ACS user interface. Note that if you enable a protocol, you must have a NAS configured with that protocol for the protocol information to display.
This section allows you to add or edit up to five user-defined fields that will display in the User Setup window for each user. For example, you could add the user's company name, department, billing information, and so on. You can also include these fields in the Accounting logs.
These sections allow you to display or hide TACACS+ or RADIUS administrative and accounting options. You can simplify the window by turning off the features that you do not use.
This feature lets you determine which advanced features will appear on the CiscoSecure ACS interface. You can simplify the entry windows by turning off the features that you do not use. Many of these options do not display if they are not enabled.
The advanced option features include:
Posted: Fri Sep 24 11:06:59 PDT 1999
Copyright © 1989-1999 Cisco Systems Inc.