Brief Overview of RADIUS

RADIUS is also a protocol that supports the three portions of AAA. Cisco Systems introduced support for RADIUS in Cisco IOS Software Release 11.1. The RADIUS authentication protocol is documented separately from the accounting protocol; however, the two can be used together. RADIUS was initially developed by Livingston Enterprises, Inc. RADIUS, covered in RFC 2865, is an open standard, as opposed to the TACACS+ protocol that is implemented by Cisco. RADIUS is an IP-based protocol that uses UDP,...

Brief Overview of TACACS

TACACS+ is a recent protocol providing detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through AAA and can be enabled only through AAA commands. TACACS+ is the result of the evolution of TACACS and extended TACACS (XTACACS). The Cisco IOS supports all three of these protocols. Note the following details: TACACS is an older access protocol, incompatible with the newer TACACS+ protocol. It provides password...

Look at Shared Network Access Restrictions

By examining the User Setup, you find that user-level Network Access Restrictions are what you used in the preceding example. Although this method works, it is recommended that you create shared Network Access Restrictions in shared profile components. This is a more modular approach and gives you the ability to reuse any NAR that you create. You most likely need to enable shared Network Access Restrictions for both the user and group levels. This is done in Interface Configuration under...

Access Device

The Access Device attribute reflects the name of the AAA client configuration that is sending logging information to ACS. When AAA clients perform a transaction with ACS, the AAA client includes information for authentication to ACS. This is done using a shared secret key. All this information is located in Network Configuration and can be seen in Figure 12-5. This information is used by ACS to match an AAA client configuration from the list of AAA clients in the Network...

Accounting Example

Back once again to our sample network, you can now use AAA accounting to perform one of the previously mentioned types of accounting. In this example, you pick up after authentication and authorization have taken place. Here resource accounting performs start-stop accounting for FTP on the network. See Figure 1-3.

Figure 1-3. Basic Accounting of Resources

In this example, the following process is performed. Note that once again authentication must take...

Accounting Reports

ACS also maintains TACACS+, RADIUS, and Voice over IP (VoIP) accounting reports, which contain records of successful authentications during selected time periods. In addition to logging successful authentications, these logs contain information such as time and date, username, type of connection, amount of time logged in, and bytes transferred. Accounting logs contain information about the use of remote access services by users. By default, these report logs are available in CSV format. With the...

ACS Reports

ACS can provide numerous reports such as accounting reports, administrative reports, and system reports, among others. Some of these reports that ACS maintains might contain information from multiple sources and for multiple reasons. For example, ACS might log a failed password authentication attempt to the Failed Attempts log, and in the same log, you might find a failed attempt caused by an unknown AAA client attempting to communicate with ACS. This is where the third-party reporting...

ActivCard Token Server

To configure ACS to work with an ActivCard Token Server, begin with the following steps: Step 1. From External User Databases, select Database Configuration. Step 2. Select ActivCard Token Server. Step 3. Select the Create New Configuration button. Step 4. Enter a name for your new configuration. To configure the database parameters, follow these steps: Step 1. Select the Configure button. Step 2. Enter the primary server name/IP. Step 3. Enter the secondary server name/IP. Step 4. Enter the...

Adding Users to the Database

To add local users to the ACS database, use the following step sequence. This adds a user to the ACS database and also adds that user to the default group. When you add a user to a group, the settings within that group are inherited by the user members of that group. As discussed previously in the book, you can configure user-specific settings that override the group settings. User settings always override the group settings. Step 1. Select the User Setup button from the left frame menu....

Additional Logs Maintained by ACS

In addition to the CSV logs that ACS maintains for reporting, ACS also maintains what are known as service logs. Service logs are log files stored on the ACS itself that contain information about the processes that ACS runs and their activity. The following list contains the service logs kept by ACS and their locations: CSAdmin, located in the directory C:\Program Files\CiscoSecure ACS v3.2\CSAdmin\Logs; CSAuth, located in the directory C:\Program Files\CiscoSecure ACS v3.2\CSAuth\Logs; CSDBSync, located...

Address Assignment

Address assignment is a very simple configuration that allows you, the administrator, to control the IP assignment of the users of this group. Beginning with the first option in the IP assignment section of the Group Setup, you can opt to not assign IP addresses. You might also want to allow the dial-in client to specify the IP assignment. In either case, the configuration on your part is minimal. Note that if you choose to assign an IP address from a pool that is configured on the AAA client,...

Administration Control

The Administration Control section is where you configure all aspects of ACS for administrative access. Here you have the ability to add administrators and configure Access Policy. Information such as IP addresses that are allowed to access ACS, IP addresses that are not allowed to access ACS, and HTTP port allocation can be configured here. Recall that ACS uses port 2002 as the listening port, but after connection to that port is made, you are redirected to a random port number. When ACS is...

Administrative Reports

Three different administrative reports exist in ACS: TACACS+ Administration, Logged-in Users, and Disabled Accounts. Of the three reports, TACACS+ Administration is not dynamic. It records information as it happens and can be downloaded in CSV format. The other two reports are dynamic. The administrative report contains information about all the TACACS+ commands requested during the period of time covered in the report. This report is used most often when you are using ACS to control access to...

Advanced Configurations

Advanced configurations are those that do a bit more than just authenticate a user with a password. They can be used in a number of ways that you see during the course of this book. Some of these advanced configurations include the following features. First, they can be used for PPP parameters. This can be used for IP, IPX, or AppleTalk. You can configure Link Control Protocol (LCP) options and so on here. You can also configure TACACS+ for command authorization. Command authorization...

Applying a NAR to a User

Now that you have a NAR specified for this group, it's time to look at an extension to the group configuration by adding NARs to the individual user configuration. For this example, you use the network diagram in Figure 8-7. The AAA client router14all is the device that you want to control access to. In this simple network diagram, only two PCs are shown; however, they are in different subnets. The user ADMIN should not be allowed access from...

Applying an ACL to the Dial Interface

You can further utilize AV pairs with this example by applying an ACL to the dial interface. You can actually do this in two ways. The first way is to define the numbered access list on the router and then reference the numbered access list on ACS. The second method is to create the entire ACL on ACS. For this example, you apply access list 101 to the interface. This is seen in Figure 13-2....

AR's Server Object Hierarchy

Now that you know a bit more about the AR commands, where do you use them? Well, the answer to that question is simple: it depends. Because AR's command line is built in a pretty structured fashion, you use certain commands based on your location in the server's objects. Let's look at how AR is built. At the top of the Server Objects tree are two objects, Administrators and Radius. This is displayed to you when you log in to an AR cluster. This is very similar to a UNIX file system in that the...

AR's Subdirectories

These subdirectories are seen in Example 14-2 by issuing the ls command:

README conf examples logs scripts ucd-snmp

Table 14-4 lists these directories as well as a description of them. [Table 14-4 descriptions, partially recovered:] ...directory for RADIUS accounting information. This contains sample scripts that you can use to... This contains Cisco CNS AR software library files. This contains the UCD-SNMP software Cisco CNS AR uses.

Ascend RADIUS

Table A-6 includes Ascend RADIUS dictionary translations for parsing requests and generating responses. All the transactions are composed of AV pairs. The value of each attribute is specified as one of the following valid data types: ipaddr, 4 octets in network byte order; integer, 32-bit value in big-endian order (high byte first); call filter, defines a call filter for the profile; date, 32-bit value in big-endian order, for example, seconds since 00:00:00 universal time (UT), January 1, 1970....

Authenticating Users to a Windows NT/2000 Database

If you have a Windows NT/2000 domain, your users probably already have a domain username and password. If this is the case, it is probably easier for a network administrator to configure ACS to use a remote database. The point here is that having a Windows domain opens up additional features of ACS. Having a Windows domain allows such configurations as Unknown User Policy. If you recall, in Chapter 4, Enterprise Authentication Servers, you installed the ACS on a server in your network....

Authentication and Password Options

Authentication and password options greatly depend on the network environment that ACS is deployed in. As seen earlier in this chapter, you can choose to implement local passwords in ACS and allow users to change passwords with the UCP module. Of course, your network security might be at such a high priority that you choose to implement an ACS device in conjunction with a token server. You might also choose strict lockout policies in the ACS device or on a Windows NT/2000 domain. Either way,...

Authentication Configurations Using Cisco Secure ACS for Windows Server and Cisco Secure ACS Solution Engine

Other configurations and implementations of authentication might differ from the preceding example. The example is not intended to provide a complete solution and guide to configuring authentication. Rather, it is to assist in the understanding of how AAA is enabled on a Cisco router, how a method list is designed and implemented, and how you can read an AAA configuration. For additional information on configuring AAA on Cisco routers, including examples of authorization and accounting, see the...

Authentication Example

In this example, your user local-admin is attempting to Telnet to a Cisco router. The Cisco router is configured to request authentication from anyone that attempts to access it via Telnet. As the user enters a password, it is sent as clear text to the router. The router then takes that username and password and either places them in a packet that is sent to an AAA server, such as CSACS, or compares them to a locally configured username and password. A more detailed look at the process is...

Authentication Overview

Just as many types of authentication processes take place in today's world, many types of authentication methods can be performed on a Cisco device. An example of an authentication method might be a state-issued driver's license or a boarding pass for a specific airline. When the airline attendants request identification for the use of their services, you are prepared with the proper identification. This is the most basic process of AAA. Authentication provides a method for identifying users and...

Authorization Example

You can clearly see the process of authorization using the same network example from earlier in the chapter. Figure 1-2 demonstrates a basic authorization process that can take place, in addition to the authentication process that is seen in the previous example. One difference you might note here is that in the authentication example, only a local authentication is discussed. In this authorization example, an AAA server is added, which includes authorizations. More detail on local...

Authorization Overview

To take AAA a step further, imagine that you are about to take a vacation. You are going to take a commercial airline to your vacation hot spot. The airplane has a couple of rows in the front that are very nice, leather, wide, and comfortable. You would prefer to sit here instead of the seats that are farther back, because those are stiff, uncomfortable, and do not offer much leg room. Unfortunately, if you purchased a coach class ticket, you cannot sit in the first-class seat in the front of...

AV Pair Discussion

Basic TACACS

In this example, you use TACACS+ to perform some authorization and an autocommand. Follow these steps to complete this example: Step 1. Begin with the goal. In this situation, you have an administrator, whom we call junior-admin, log in to a router via the Telnet protocol. This junior-admin is not allowed to make major changes to the router rbb. What you want to happen here is for junior-admin to see a menu when they authenticate to ACS, choose an option from that menu, and have authorization...

callback-dialstring, callback-line, and callback-rotary

The callback-dialstring sets the phone number for a callback. For example, I could call into my network access server (NAS), and when I authenticate, the callback function is determined and the NAS uses the phone number defined here to call me back. This helps me cut down on phone charges. The callback-dialstring can be used with the callback-line command, which defines the tty line that is used to call me back. An example of this is callback-line 3. You could also use the callback-rotary AV...

Authentication, Authorization, and Accounting Overview

In this chapter, you learn the following topics.

Authentication, authorization, and accounting (AAA) is a way to control who is allowed to access your network (authenticate), what they can do while they are there (authorize), and to audit what actions they performed while accessing the network (accounting). AAA can be used in Internet Protocol Security (IPSec) to provide preshared keys during the Internet Security Association and Key Management Protocol (ISAKMP) process or to provide per-user...

Configuring

In this chapter, you learn the following topics: Network Access Restrictions; Configuring Network Access Restrictions; Troubleshooting extended configurations; Common issues of network access restrictions; The importance of documentation.

In Access Control Server (ACS), Shared Profile components can consist of downloadable IP access control lists (ACLs), Network Access Restrictions (NARs), and command authorization sets for both shell commands and PIX shell commands. These configurations can...

System Configuration

In this chapter, you learn the following topics: How users interact with your external database configuration; External database configuration.

This chapter deals with the configuration of Access Control Server (ACS) to facilitate authentication to external databases, as well as the backup and restoration of ACS. In particular, the chapter covers the following: External database configuration; Database replication and backup. The following sections discuss each of these topics in further detail.

Reports and Logging for Windows

In this chapter, you learn the following topics: Logging attributes in ACS reports; Working with accounting and administrative reports; Working with system reports.

It is important to understand the functionality of reporting made available in Access Control Server (ACS). Likewise, an understanding of the logs that ACS maintains benefits in troubleshooting client/server issues. To better understand this functionality, you need to be able to distinguish between the logs that pertain to the ACS...

Exploring TACACS+ Attribute Values

In this chapter, you learn the following topics: The attributes of TACACS+ pairs; Work with an AV pair example; Understand AV pairs in the ACS interface.

Terminal Access Controller Access Control System Plus (TACACS+) as well as the RADIUS protocol use attributes in the messages that are passed between the Access Control Server (ACS) and the authentication, authorization, and accounting (AAA) client. In the next sections, you see what these TACACS+ attributes and values are. It can help to get a...

Service Provider AAA and the Cisco CNS Access Registrar

In this chapter, you learn the following topics: The service provider (SP) model; The service provider challenge; Options of the Cisco CNS Access Registrar; Installation requirements for AR.

In many cases, a service provider's role is to provide network access to a customer. To provide this type of service, a provider must have the ability to add, delete, and manipulate its infrastructure as customers are added and removed. This chapter looks at the role of authentication, authorization, and...

Configuring the Cisco Access

In this chapter, you learn the following topics: Using aregcmd to configure AR; AR's server object hierarchy; Configuring the ACE ISP as a basic site; Configuring AR's administrators; Configuring the RADIUS server; Validating and saving your changes to AR; Troubleshooting your configuration with trace.

In this chapter, you are taken through the process of creating a basic site configuration. If you want to configure a basic site, it is beneficial to learn the structure of the Access Registrar (AR)...

TACACS

In this chapter, you learn the following topics: A brief overview of TACACS+.

In the authentication arena, an authentication, authorization, and accounting (AAA) client can use multiple protocols to communicate with an AAA server. These are protocols such as TACACS, XTACACS, TACACS+, and RADIUS. This chapter focuses on two of these protocols, Terminal Access Controller Access Control System Plus (TACACS+) and Remote Authentication Dial-In User Service (RADIUS). Specifically, you see the...

Enterprise Authentication Servers

In this chapter, you learn the following topics: Cisco Secure Access Control Server software and versions; The Cisco Secure Solution Engine.

Numerous enterprise-level authentication servers are on the market today. Popular among these are Funk's Steel-Belted RADIUS server, Livingston Enterprises' RADIUS Authentication Billing Manager, and Merit Networks' RADIUS servers. While these are reputable companies with popular products, they lack the ability to combine both the TACACS+ and RADIUS protocols...

Deploying Cisco Secure Access Control Server for Windows Server

In this chapter, you learn the following topics.

Welcome to Cisco Secure Access Control Server, authentication, authorization, and accounting management. In today's networks, it's not good enough to simply install a network; you must secure it as well. As you progress through this book, you learn how to deploy and manage a Cisco Secure Access Control Server (CSACS). You also examine some working examples that can be used as a guideline in your day-to-day management of ACS. In this chapter, you...

Getting Familiar with

In this chapter, you learn the following topics: Navigating the HTML interface; Starting point for configuring your server; Locating configuration items.

If you recall during the installation process of Access Control Server (ACS), you were given the opportunity to enable advanced configuration options by enabling a check box. As I look back to my first install and navigation of ACS, this spot is where I thought to myself, "I'll get to it later." As it turns out, I should have gotten to it sooner...

Configuring User Accounts

In this chapter, you learn the following topics: Adding users to the database; Authenticating users to a Windows NT/2000 database.

Access Control Server (ACS) has the capability to authenticate users against numerous databases. From token servers to Active Directory servers, ACS provides the flexibility of integration into an existing environment, or the power to use its own database for user authentication. Cisco Secure can keep a record of all users locally, regardless of whether you configured...

Configuring User Groups

In this chapter, you learn the following topics: How to use PPP callback configuration; How to configure Network Access Restrictions; How to configure max sessions, usage quotas, and password aging rules; How to configure IP assignment and downloadable ACLs; How to use TACACS+ for group configuration of PPP/VPDN.

In Chapter 3, Authentication Configuration on Cisco Routers, you configured a user into the Access Control Server (ACS) database and were able to test authentication to the local ACS...

Managing Network

In this chapter, you learn the following topics: How to manage network configurations; How to configure Network Device Groups; How to configure Proxy Distribution Tables; How to configure remote accounting; How to work with network device searches; How to configure AAA clients; How to troubleshoot network configurations.

Now that you are comfortable with configuring user groups and user settings, it is time to scale your network by creating a distributed system in an environment where users can...

Cisco 3000 Series VPN Concentrators

To add an AAA server to a Cisco 3000 series virtual private network (VPN) concentrator for administrator authentication using the TACACS+ protocol, follow these steps: Step 1. Select Administration > Access-Rights > AAA Servers > Authentication. Step 2. Select Add in the right panel. Step 3. Enter the server IP, port, timeout, retries, and server secret. Step 4. Select Add. You can use TACACS+ only for administrative authentication on the 3000 series concentrators. This discussion is...

Cisco CNS Access Registrar

Cisco Networking Services Access Registrar (CNS AR) is a RADIUS server developed by Cisco that answers the call to service provider AAA. AR is used as an access policy server and is designed to support the delivery of dial, Integrated Services Digital Network (ISDN), and new services including DSL, cable with telco-return, wireless, and Voice over IP. Much of the design of AR provides ease of deployment and administration for service providers. This chapter focuses on the installation and...

Cisco Device Support for AAA

It is pretty safe to say that most Cisco devices support the AAA framework. In some cases, the support for AAA is not the issue, but rather the support for either Terminal Access Controller Access Control System Plus (TACACS+) or Remote Authentication Dial-In User Service (RADIUS), because these are the protocols that AAA uses to communicate with an AAA server. In some situations, however, the protocol might be LOCAL, and RADIUS or TACACS+ are not needed. In some cases, the RADIUS protocol is...

Cisco IOS Routers

To configure a Cisco router for AAA, follow these steps: Step 1. Begin your router configuration by enabling AAA with this command. Step 2. To add an AAA server to a Cisco IOS router using TACACS+, use the following configuration commands in global configuration mode:

tacacs-server host hostname single-connection port integer timeout integer key string
tacacs-server host ip_address single-connection port integer timeout integer key string

You can use the no form of the command in the previous...

Cisco IOS Switches

To add an AAA server to a Cisco IOS switch using TACACS+, add the following configuration commands in global configuration mode:

tacacs-server host hostname single-connection port integer timeout integer key string
tacacs-server host ip_address single-connection port integer timeout integer key string

Note that this command and arguments are similar to the router configurations. To add an AAA server to a Cisco IOS switch using RADIUS, add the following configuration commands in global...

Cisco Secure Access Control Server Software and Versions

ACS provides a highly scalable, centralized user access control framework. Versions of ACS number from version 2.0 through 3.2, which is the most current version. With each release of ACS, more support has been added for multiple vendors' AAA implementations, as well as external database support. ACS has a browser-driven interface that makes configuration a simple task in a centrally located database. ACS provides for the authentication of Cisco routers, switches, firewalls, and wireless access...

Cisco Secure ACS for Windows Server Version

The versions of ACS discussed in this chapter begin with 2.0. ACS 2.0 for Windows NT supported the following features: simultaneous TACACS+ and RADIUS support for a flexible solution; an HTML/Java graphical user interface (GUI) that simplifies and distributes configuration for user profiles, group profiles, and ACS configuration; help and online documentation included for quick problem solving; group administration of users for maximum flexibility and to facilitate enforcement and changes of security...

Cisco Secure Solution Engine

An appliance version of Cisco Secure ACS exists. The Cisco Secure Solution Engine is a rack-mountable, dedicated platform that provides nearly the same functionality as the Windows versions of Cisco Secure ACS. The Cisco Secure Solution Engine version 3.2 is a hardened operating system that is built on the Windows 2000 kernel; however, you do not have the ability to connect a mouse and keyboard to it. Only the services that are necessary for the Solution Engine to function are enabled, and you...

Cisco Wireless Access Points

To add an AAA server to a Cisco Wireless access point, follow these steps: Step 1. From the Summary Status page, click Setup. Step 2. In the Services menu, click Security. Step 3. Click Authentication Server. Step 4. Select the version of 802.1x to run on this Access Point (AP) in the 802.1x Protocol Version drop-down menu. Please note that Draft 7 is no longer supported. Step 5. Configure the server IP, server type, port, shared secret, Retran_Int, and Max Retran. Although many other...

Client Configuration

Numerous network and security devices have become a part of the Cisco product family through many acquisitions. Due to this fact, you might encounter a few different operating systems across the Cisco platforms. Because the operating systems differ, so does the configuration of AAA across different platforms. To begin configuring devices for AAA, you need at least one entry for every network device in your network if you want ACS to communicate. Likewise, you need to configure those network...

Common Issues of Network Access Restrictions

Most issues that you run into when configuring NARs are common issues experienced by most when they configure the ACS in conjunction with the AAA client. Far too many possibilities exist to cover in one chapter. Use the Cisco website to find valuable information that might be more specific to the network environment that you are in. For AAA specific information, check the Cisco Technical Assistance. If you are unable to find the answer online, submit a Technical Assistance Center (TAC) case....

Completing the Configuration

On the ACS, the user is already configured, as well as the group. For this situation, you assume that the group is already configured, with the exception of the PPP authorization. To configure ACS for authorization of the PPP session, you select the PPP IP TACACS+ option in the group configuration page of the HTML interface. By selecting this option, you are configuring the service ppp and protocol ip TACACS+ AV pairs. Follow these steps to complete the configuration: Step 2. Select the group in...

Components of Synchronization

When you perform database synchronization, two components work together: the CSDBSync process and the accountActions table. This section should help you to better understand what each component's role in synchronization is and how the two work hand in hand to facilitate synchronization. CSDBSync is a service that ACS runs to perform automated user and group account management. It functions by gaining access to the ODBC driver Data Source Name (DSN) and thereby accessing the accountActions table....

Configuration Considerations for Command Authorization Sets

When beginning to configure command authorization, take the following into consideration: How many users will be accessing the shell of your network devices? How many levels of privilege will you need? Will you apply the privilege to the user profile or the group? If you will apply the privilege to the user, is there a default group privilege? In addition to asking these questions, you might also consider writing out what commands you want to be available at each level as well as who is assigned...

Configuration Details and Tips

This section details some options that are available to you during the configuration: When you specify a NAR, you can use asterisks (*) as wildcards for any value, or as part of any value to establish a range. All the values and conditions in a NAR specification must be met for the NAR to restrict access. These values are ANDed to determine the result. NARs can be applied to a user profile or a group profile. When you create the NAR, you don't need to specify if it is to be used for a user...

Configuring a Secondary Server

The secondary server must be configured to receive the exact configuration that the primary server is sending. To configure the secondary server for database replication, follow these steps: Step 1. From the System Configuration menu, select the Cisco Secure Database Replication link. Step 2. Select the Receive check box for each item you want to receive. These include user and group database, AAA servers and AAA clients tables, distribution table, interface configuration, interface security...

Configuring AR's Administrators

In the previous section, you logged in to AR using the default username and password. You most likely want to change these. To do so, follow these steps: Step 1. Change to the Administrators object, as follows:

cd ad
--This changes to the Administrators object
[ //localhost/Administrators ]

Step 2. Change to the admin object, as follows:

cd admin
--This changes to the admin user profile
[ //localhost/Administrators/admin ]
Name = admin
Description =
Password = <encrypted>

Step 3. Use the set command to set the...

Configuring Cisco CNS AR

The configuration of AR is dependent on the product licensing. Every copy of AR requires a license. When you begin configuring AR, you create a cluster. You must enter your license the first time you configure each cluster. A cluster is nothing more than the AR server. The following points highlight important information as to the licensing of AR: If you have a permanent license, you will not see the license prompt again unless you reinstall and overwrite the database. If you have a...

Configuring Network Access Restrictions

As you begin to explore the group section to apply Network Access Restrictions (NAR), note that you see no current NARs in the left vertical box titled NARs. This is because you must first configure the NAR before you can apply it. In this section, you configure a NAR and then apply it to an interface. The type of NAR that you configure is called a shared NAR. All users of this group share this common NAR, and you can also use this NAR for other groups. A NAR is simply additional access...

Configuring Network Device Groups

As you can see in Figure 9-5, the Distributed System Settings check box and the Network Device Groups (NDG) check box have been selected in Interface Configuration. When they are selected, an NDG, which is a grouping of AAA servers and AAA clients, is formed. This simply allows you to group AAA clients and AAA servers into groups that might have something in common; for example, you might have a Network Device Group called Routers and another called Firewalls. Of course, you can tell by the name...

Configuring Remote Logging

To configure remote logging, you need to perform configuration on the ACS that sends the information and the ACS that receives the information. The order in which they are configured does not matter. The only criterion for performing remote logging is that both devices are running ACS. Therefore, before you can log to server x, you must have ACS installed there. Note that a Central Logging Server is the server that receives logging information from remote ACSs. The configuration of the central server...

Configuring Service Log Options

To configure how ACS generates and manages the service log file, follow these steps: Step 1. In the left navigation bar, select System Configuration. Step 2. Select Service Control. Step 3. To disable the service log file, under Level of Detail, select the None option. By choosing this selection and restarting ACS, it will no longer generate service logs. Once you have selected this option, items under Generate New File will no longer have any effect. Step 4. To configure how often ACS creates a...

Configuring Switches

The next configuration task is to configure the switch to talk to ACS and vice versa. At this point, you should be able to add a new AAA client to ACS. Do this from the Network Configuration section. When you add the switch as an AAA client to ACS, ensure that you select RADIUS (IETF) as your protocol type. This is seen in Figure 7-17.
Figure 7-17. Configuring the Switch as an AAA Client in ACS

Configuring the ACE ISP as a Basic Site

The simplest site configuration is one that uses a single user list for all its users, writes its accounting information to a local file, and does not use session management to allocate dynamic resources. For example purposes, we use a fictitious Internet service provider (ISP) named ACE. We assume that ACE ISP meets these criteria for a basic site. To configure the ACE ISP, you need to perform the following tasks: Step 1. Run aregcmd and log in to AR. You can find aregcmd in the default...

Configuring Time-of-Day Access Settings

Notice that the Default Time-of-Day access settings section is grayed out in the interface when you return to the Edit page of the FirstUsers group. It is visible, but cannot be changed. This option controls access hours. Use the grid to configure the desired access hours. To change the grid, follow these simple steps: Step 1. Place a check mark in the box next to Set as Default Access Times. This then allows you to modify the grid. The grid also changes from a gray color to a green color. A...

Configuring Voice over IP Support

In ACS, you can configure Voice over IP groups. These groups are most likely kept separate from groups with configurations that have actual user-access restrictions in them. This is mainly because a Voice over IP group is going to authenticate with only a username. If this were a Voice over IP group that you were going to configure, you would place a check mark in the Voice over IP Support box. Users of a Voice over IP group authenticate with only a username, which is usually the telephone...

Copyright

Published by Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review. Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 Library...

Creating a Complete Distributed Network

You can now tie the configurations discussed in this chapter together and create a complete distributed network. You started out with a network that you wanted to make a distributed system and added a Proxy Distribution Table to forward authentication requests to other ACSs. After your Proxy Distribution Table was created, you were able to configure remote accounting. You also enabled NDGs along the way and discovered how to search them. The following is a recap of all the steps that you...

Creating a Non-IP-Based NAR

The following steps apply to non-IP-based NARs rather than IP-based NARs: Step 1. Select the Define CLID/DNIS-based access restrictions check box. Step 2. To specify whether you are listing addresses that are permitted or denied, select the applicable value from the Table Defines list. Step 3. To specify the applicability of this NAR, select one of the following values from the AAA Client list: - The name of the particular AAA client. At this point, if you have not configured any NDGs, they do not...

Creating an ACL

The next step of the process is to create the access list in the ACS. The way that you create your access list is important to the way that traffic is processed. When an access list is searched, most Cisco devices perform a linear search, as does the PIX. This means that the first match that the PIX comes across in the list is the one that is acted upon, regardless of whether a more specific statement exists later in the list. Other considerations in building your access list should be the...

Credits

Team Coordinator Cover Designer Composition Indexer Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA 800 553-NETS (6387) Fax 408 526-4100 Cisco Systems International BV Haarlerbergpark Haarlerbergweg 13-19 1101 CH Amsterdam The Netherlands www-europe.cisco.com Tel 31 0 20 357 1000 Fax 31 0 20 357 1100 Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA www.cisco.com Tel 408 526-7660 Fax 408 527-0883 Cisco Systems, Inc. Capital Tower 168 Robinson Road 22-01...

CRYPTOCard Token Server

To configure ACS to work with a CRYPTOCard Token Server, begin with the following steps: Step 1. From External User Databases, select Database Configuration. Step 2. Select CRYPTOCard Token Server. Step 3. Select the Create New Configuration button. Step 4. Enter a name for your new configuration. To configure the database parameters, follow these steps: Step 1. Select the Configure button. Step 2. Enter the primary server name/IP. Step 3. Enter the secondary server name/IP. Step 4. Enter the...

CSACS

I assume throughout the course of this chapter that you have followed the install of ACS according to the laboratory example in Chapter 5, Deploying Cisco Secure Access Control Server for Windows Server. If you are using a Cisco Secure Solution Engine, you might have some slight differences. All in all, the HTML interface of the Cisco Secure Solution Engine and the software version of ACS for Windows Server should be close to identical.

Database Group Mappings

After you complete the setup of the database that you want to use with ACS, you can then set up a database group mapping. This maps a group to an external server. This way, when users are authenticated by way of one of the external servers, they are placed in the corresponding group in the mapping configuration. To configure the database group mapping, perform the following steps: Step 1. Select the Database Group Mappings link from the External Database Configuration page. Step 2. Select the...

Debugging Authentication

Certain debug commands can be enabled on a Cisco router to assist in the troubleshooting of authentication issues. Example 3-3 is the output from the debug text when an administrator accesses the console of the Cisco router with the configuration seen in this chapter. The command that enables the debug is debug aaa authentication. To disable this debug, use the no form of the command. You can also use the all-encompassing undebug all statement. The output is shown in Example 3-3.

Dialup Access

Dialup access is a key technology that uses the services of ACS for the authentication and authorization of remote users. In my previous employment, I was in a situation where I would use a notebook computer and dial in to a remote access server (RAS) from the field, to upload and download my job assignments. When I would dial in, a username and password were required to determine who I was and what area, jobs, and network rights I was supposed to receive. This is the perfect place to deploy an...

Downloadable IP ACLs

The downloadable IP ACL is a fairly new configuration option in the ACS device. It was specifically designed to work with the PIX Firewalls; however, in ACS 3.2, it also works with VPN 3000 series concentrators. In ACS 3.1, you see it in the interface as downloadable PIX ACLs, and in version 3.2, it has been renamed to downloadable IP ACLs. To use the downloadable PIX ACL, you must use the RADIUS protocol for communication between the PIX and ACS and have authorization configured. This allows an ACL...

EAP Support

EAP support can be considered an advanced configuration in ACS. The actual EAP support at the switchport can be performed via the RADIUS protocol by authenticating the user to ACS. In this type of environment, you must determine what type of EAP to use, EAP-TLS or EAP-MD5. To enable switchport authentication support in ACS, follow these steps: Step 1. Configuration of the RADIUS profile is found in the IETF RADIUS settings of Interface Configuration. Select Interface Configuration.

Enable an Administrative Policy

The next configuration enables an administrative policy in ACS for the switch. Cisco recommends that you separate your users' access to the network from the administrator's access to the network. The simplest way to do so is by using the RADIUS protocol for average users and TACACS+ for administrative users. To enable this on your IOS-based switch, you enter the additional commands seen in Example 7-3.
Example 7-3. Separating Users from Administrators
switch(config)# tacacs-server host...

Enabling AAA on the Router

AAA is a framework or model for security and authentication. To enable the AAA process on a Cisco router, you must enable the AAA model. This creates a location within the router configuration for the AAA commands. When you enable AAA, it forces the Cisco router to override every other authentication method configured. This might cause you to lose connectivity to the management session that you are using to configure AAA, which might force you into an unwanted password recovery procedure. To enable...

Enabling SSL on the Web Server

In the section titled User Changeable Passwords earlier in the chapter, SSL was briefly mentioned. For those of you that are unfamiliar with SSL, SSL is a means of encrypting communication between the web server and the user that is changing their password. If the users that change passwords with the UCP exist on a trusted network, it might not be necessary to encrypt this traffic. It is my general recommendation to encrypt it anyhow. To configure the SSL portion on the web server, perform the...

Encrypting TACACS+

One feature that provides more security under TACACS+, as opposed to its alternative RADIUS, is the encryption of the entire packet body. This encryption applies to traffic between the AAA client and the AAA server running the TACACS+ daemon. It is not to be confused with encryption of user data. This is not an encryption such as 3DES-IPSec or RSA encryption, but is rather a combination of a hashing algorithm and an XOR function: TACACS+ computes an MD5 hash using a secret key provided on both ends and XORs the result with the packet body. The process...

Example 3-1 Basic Configuration

interface Ethernet0
 description ******* INSIDE
 ip address 172.30.1.2 255.255.255.0
line con 0
 password pa55w0rd
line aux 0
line vty 0 4
 password cisco
 login

At this point in the configuration, AAA has not been enabled. Line Console 0 is configured to authenticate using the password pa55w0rd. After the AAA process is enabled, the username and password of admin cisco are used, and the password configured on the line is overridden. To enable AAA, enter the aaa new-model command in global configuration...

Example 3-2 Finished AAA Authentication Configuration

aaa authentication login default enable
aaa authentication login admins-in local
aaa authentication login is-in local
enable secret san-fran
interface Ethernet0
 description ******* INSIDE
 description ******* OUTSIDE
 ip address 172.30.1.2 255.255.255.0

To recap this configuration, AAA has been enabled, and a username and password have been created locally on this router. Users attempting to access the command-line interface via Telnet or console 0 are authenticated using the...

Example 3-4 Debug Output for Enable Debug AAA Authentication

7w4d AAA MEMORY dup_user (0x199254) user 'admin' ruser 'NULL' port 'tty0' addr 'async' authen type ASCII service ENABLE priv 15 source 'AAA dup enable'
7w4d AAA AUTHEN START (332554494) port 'tty0' list '' action LOGIN service ENABLE
7w4d AAA AUTHEN START (332554494) using default list
7w4d AAA AUTHEN START (332554494) Method ENABLE
7w4d AAA AUTHEN (332554494) status GETPASS r1
7w4d AAA AUTHEN CONT (332554494) continue_login (user '(undef)')
7w4d AAA AUTHEN (332554494) status GETPASS
7w4d AAA...

ExtDB Info

If you have configured ACS to authenticate users to an external database, the ExtDB Info attribute contains the information that was returned by that database. For Windows NT/2000 external database authentication, this returns the domain name from which the user authenticated. For other external databases, such as CRYPTOCard authentication servers, RSA's SecurID, LDAP servers, and other external servers that are supported in ACS, the information returned is authentication information. In Figure...

Extension Points

The extension points, indicated by the number 2 in Figure 14-3, are where the customization and integration can occur. These custom calls and services use custom logic and are written in programming languages such as C, C++, Tcl, and Java. At certain times during a request-response program flow, a script written by the provider can be used to customize the process. The extension points include the following: Server incoming/outgoing. These scripts run for every request packet coming into or leaving...

External Database Configuration

For most database configurations, Windows NT/2000 databases excluded, ACS supports only one instance of a username and password. If you have multiple user databases with common usernames stored in each, you must take care in your database configurations, because the first database to match the authentication credentials is the one that ACS uses from that point on for the user. Take the following occurrence as an example: assume that you have a user in a Lightweight Directory Access Protocol...

External User Database

In this section, you see where to configure an unknown user policy. This same topic is covered in extensive detail in Chapter 11, System Configuration. You also configure database group mappings to external user databases as well as perform the actual database configuration. Further, you are given a list of compatible databases, and you can choose which one you will configure to be used with ACS. The servers that are available for use as an external database are as follows: PassGo Defender Token...

Failed Attempts Report

The Failed Attempts report provides you with information related to authentication attempts that were not successful. From this report, you can gather information such as the username attempting to authenticate as well as the IP address that they made the attempt from. You also receive information to guide you in the direction you should look if authentication is not successful. An example of this would be a failed authentication attempt to an external database. In this situation, you receive a...

Features of this Book

This book contains discussion of the extended features of ACS as well as AR. This book also combines configuration examples with a step-by-step how-to for each item. This book uses a ground-up approach: you will not configure a device until it has been built from the ground up. This will assist you in the installation and implementation process. As you work through the book, you'll note that shorthand commands are sometimes used in the code examples. In addition, comments within code most often...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at...

Figure 10-4 NAR Delete Warning

[Screenshot: NAR Delete Warning dialog; image text not recoverable]

Figure 10-5 Entering a permit Command

[Screenshot: entering a permit command in the ACS interface; image text not recoverable]

Figure 10-7 Applying Command Authorization to the Group

This command authorization set applies to all users that belong to this group. You can assign only one command authorization set this way. Suppose that you want to have separate command authorization sets for each type of equipment, one set for firewalls and one set for routers. To accomplish this, you would create two network device groups. To create network device groups, refer to Chapter 9, Managing Network Configurations. In one network device group, you would place your firewalls, and in...

Figure 11-1 External User Databases Configuration

[Screenshot: External User Databases configuration page; image text not recoverable]