Configuring Proxy Distribution Tables

A Proxy Distribution Table lets an ACS take an authentication request and forward it to another ACS based on a character-string prefix or suffix that you define. In this way a user arriving at a California ACS can be authenticated through a New York ACS. As mentioned in the previous section, forwarding is triggered by a suffix or prefix carried in the username and configured by you in the Proxy Distribution Table. When a local ACS sees a user request,...

Installing ACS

If this is your first time installing ACS, follow the next set of instructions and be prepared to provide some information during the install. If you are reinstalling ACS, combine the installation steps in this section with the information in the section titled "Reinstalling ACS and Using an Existing ACS Database." For a new install, have some basic information prepared and be logged in to the device with Administrator rights so that you can run the ACS install program....

Example 3-3. Debug Output for Login (debug aaa authentication)

7w4d AAA parse name tty0 idb type -1 tty -1
7w4d AAA name tty0 flags 0x11 type 4 shelf 0 slot 0 adapter 0 port 0 channel 0
7w4d AAA MEMORY create_user (0x346934) user 'NULL' ruser 'NULL' ds0 0 port 'tty0' rem addr 'async' authen type ASCII service LOGIN priv 1 initial task id '0'
7w4d AAA AUTHEN START (110 817 3303) port 'tty0' list 'is-in' action LOGIN service LOGIN
7w4d AAA AUTHEN START (110 817 3303) found list is-in
7w4d AAA AUTHEN START (110 817 3303) Method LOCAL
7w4d AAA AUTHEN (110 817...


Figure 6-16. Simple PIX Firewall Network

[Figure: a workstation on the outside interface of the PIX Firewall accesses ACS on the inside interface; ACS 192.163.34.10/32 is statically translated to 10.1.1.1 by the PIX Firewall. The remaining figure text is not recoverable.]

By accessing ACS using a domain name or the hostname, all links to configuration pages return the domain name or hostname instead of the private (non-translated) IP address. This sustains your management connection. Figure 6-16 also shows the topology using a PIX Firewall. The ACS is on...

IETF Dictionary of RADIUS Attribute-Value Pairs

Table A-4 lists the supported RADIUS (IETF) attributes. If an attribute has a security-server-specific format, that format is specified.

Table A-4. Internet Engineering Task Force (IETF) RADIUS Attributes (only the description column survives in this extraction)
- Name of the user being authenticated.
- User password, or the input following an Access-Challenge. Passwords longer than 16 characters are encrypted (hidden with the shared secret, one 16-byte block at a time) using IETF Draft 2 or later specifications.
- Point-to-Point Protocol (PPP) Challenge Handshake Authentication Protocol (CHAP) response to an Access-Challenge.
- IP...

Installing AR

Typically, AR is installed from a downloaded file. To install AR from this file, perform the following tasks as the root user: Step 1. Create a temporary directory, such as tmp-ar, to hold the downloaded software package. Step 2. Change to the directory where the downloaded file exists. Step 3. Uncompress the tar file and extract the installation files. After the preceding preparations have been made, you can proceed with the following steps. If you do not plan on using...

Using Network Device Searches

A network device search is a way to quickly locate network devices. Your ACS configuration grows as you add more AAA servers and AAA clients. Even though the new devices are placed into NDGs, the configuration becomes large, and it is difficult to locate a particular AAA server or AAA client when you need to verify information or troubleshoot. Fortunately, ACS has a network device search feature that allows you to search for network devices that are configured in your...

AV Pair Example: PPP Network

In this section, you look at a very basic dial-in network using PPP. Numerous AV pairs are used in this section. You can guess that the service=ppp AV pair is used, and that protocol=ip is used as well. The purpose of this section is not to configure the PPP connection or the AAA configuration on the NAS device, but rather to display the TACACS+ AV pair configuration in the ACS HTML interface. (See Figure 13-1.) Figure 13-1. PPP Dial-In Network with AV Pairs...

Configuring the Remote ACS to Send Logging Information

A few more steps are involved in configuring the remote ACS to send logging information. This is configured in the Network Configuration section of the ACS HTML interface. Follow these steps to complete your configuration: Step 1. Verify that the Central Logging ACS server is present in Network Configuration by selecting Network Configuration and viewing the AAA Servers entries. Step 2. If the Central Logging ACS is not in Network Configuration, you must add it. Step 3. To add an AAA...

Authentication Configuration on Cisco Routers

In this chapter, you learn the following topics: authentication configurations using Cisco Secure ACS for Windows Server and Cisco Secure ACS Solution Engine, and authentication command references. Authentication, authorization, and accounting (AAA) is an integral component of today's networks. AAA is configurable on most Cisco products and can play an important role in securing and managing Cisco networks. This chapter provides a configuration overview of the authentication component of AAA, as well...

Configuring the NAR

You can configure a NAR in more than one way: in the group configuration, in the user configuration, or as a shared NAR using the options available in Shared Profile Components. In this example, you configure a NAR only in the group configuration. Shared Profile Components are discussed in Chapter 9, "Managing Network Configurations." Follow these steps to configure the NAR at the group level for the network in Figure 8-6: Step 1. From the left frame menu, choose the...

External ODBC Database

You can configure ACS to authenticate against an ODBC-compliant relational database. When you authenticate users to a relational database of this type, ACS supports ASCII, PAP, ARAP, CHAP, MS-CHAP (versions 1 and 2), LEAP, EAP-TLS, EAP-MD5, and PEAP (EAP-GTC). This is done through the ODBC Authenticator feature. Other authentication protocols are not supported with ODBC external user databases; however, they might be compatible with other external database types. You can also...
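The practical consequence of the protocol list above is what the database has to be able to return: a PAP check needs only a stored hash, but CHAP and MS-CHAP hand the server a hash of the challenge, so the server must recompute it from the clear-text password. The following is an added example (not code from the book or from ACS) that shows both checks against a database. It assumes an in-memory SQLite table in place of the ODBC source, with constructed column names and users; the queries are parameterized so a crafted username cannot alter the SQL.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumption: an in-memory SQLite table stands in for the ODBC-compliant
# database ACS would query. Columns, names and users are constructed for
# the example and are not taken from the ACS schema.
PBKDF2_ROUNDS = 20_000


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users ("
        " username TEXT PRIMARY KEY,"
        " pw_hash BLOB NOT NULL,"   # salted PBKDF2 hash: enough for PAP
        " salt BLOB NOT NULL,"
        " cleartext TEXT)"          # clear-text password: required for CHAP
    )
    return db


def add_user(db, username: str, password: str, store_cleartext: bool) -> None:
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    db.execute(
        "INSERT INTO users (username, pw_hash, salt, cleartext) VALUES (?, ?, ?, ?)",
        (username, pw_hash, salt, password if store_cleartext else None),
    )


def auth_pap(db, username: str, password: str) -> bool:
    """PAP: the AAA client forwards the password itself, so the server can
    hash it and compare against the stored hash. The query is parameterized,
    so a username such as "x' OR '1'='1" is data, not SQL."""
    row = db.execute(
        "SELECT pw_hash, salt FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), row[1], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, row[0])


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """What the client computes (RFC 1994): MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def auth_chap(db, username: str, ident: int, challenge: bytes, response: bytes):
    """CHAP: only MD5(id, password, challenge) arrives, so the server must
    recompute it from the clear-text password. Returns True or False, or None
    when the database holds no clear-text password for the user, which is the
    usual reason CHAP fails against a table that stores only hashes."""
    row = db.execute(
        "SELECT cleartext FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None or row[0] is None:
        return None
    expected = chap_response(ident, row[0], challenge)
    return hmac.compare_digest(expected, response)
```

Storing clear-text passwords is the price of CHAP-family support on the server side; if the database can only hold hashes, restrict the ODBC configuration to PAP (or move to a certificate-based EAP type) rather than weakening the store.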

RADIUS Operation

The following is the process used in a RADIUS-managed login: Step 1. A user login generates a query (Access-Request) from the AAA client to the RADIUS server. Step 2. The server returns a corresponding response (Access-Accept or Access-Reject, or an Access-Challenge if it needs more input from the user). The Access-Request packet contains the username, the password (hidden using the shared secret), the IP address of the AAA client, and the port. The format of the request also provides information on the type of session that the user wants to initiate. The format of the RADIUS packet...

Example 7-1. PIX Firewall Configuration with AAA

timeout uauth 3:00:00 absolute uauth 0:30:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 10.1.1.50 secretkey timeout 10
aaa authentication match AAA inside MYTACACS
    (This tells the PIX to authenticate all outbound TCP connections, that is, the traffic matched by the access list named AAA.)
aaa authentication telnet console MYTACACS
    (This tells the PIX to authenticate administrators that telnet to the PIX...)

Extension Point Scripting Examples

The EPS examples shown here are written in Tool Command Language (Tcl) for clarity. All of the examples could equally be written in C or C++, and they all use the same APIs. The four examples in this section illustrate basic API commands such as put, get, and remove. The following request-attribute example adds the attribute Service-Type to a request with its value set to Outbound. The response-attribute example that follows removes the State attribute from the Cisco AR response (some noncompliant RADIUS...

Cisco Secure ACS for Windows Server Version

The next version available was ACS version 3.1, which added the following features: Protected Extensible Authentication Protocol-Generic Token Card (PEAP-GTC) support. PEAP provides stronger security, greater extensibility, and support for one-time token authentication and password aging. The goal of the PEAP implementation is to replace Lightweight Extensible Authentication Protocol (LEAP) client/server user authentication with the standards-based, non-proprietary PEAP...

RADIUS in Detail

RADIUS is an Internet Engineering Task Force (IETF) standard used for AAA. It follows a client/server model: the AAA client sends user information to the AAA server via the RADIUS protocol, and the RADIUS server responds with all the information the AAA client needs to provide connectivity and service to the end user. The AAA client acts on the reply it receives from the RADIUS server. For network authentication, a shared secret key...
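The shared secret is what ties the exchange together: it hides the User-Password in the Access-Request (in chained 16-byte blocks, which is how passwords longer than 16 characters are handled, as Table A-4 notes) and it keys the Response Authenticator that the AAA client must check before trusting an Access-Accept. The following is an added example, not code from the book, ACS, or AR, that builds the Access-Request described under "RADIUS Operation" and processes it on both sides in-process. The shared secret, NAS address, and user table are constructed for the example; the packet layout and the hiding and authenticator algorithms are those of RFC 2865.

```python
import hashlib
import hmac
import os
import struct

# Codes and attribute numbers are from RFC 2865; the secret and users below
# are constructed for this example.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
SHARED_SECRET = b"s3cr3t-shared"   # assumption: configured on both AAA client and server


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; block 1 is XORed with
    MD5(secret + Request Authenticator), each later block with
    MD5(secret + previous hidden block). Longer passwords chain more blocks.
    This is keyed obfuscation, not strong encryption."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = bytearray(), req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        hidden += block
        prev = block
    return bytes(hidden)


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    plain, prev = bytearray(), req_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        plain += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return bytes(plain).rstrip(b"\x00")   # drop padding (passwords cannot end in NUL)


def tlv(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, username: str, password: str,
                         nas_ip: str, nas_port: int, secret: bytes) -> bytes:
    """What the AAA client sends: Code, Identifier, Length, a random
    Request Authenticator, then the attributes named in the text."""
    req_auth = os.urandom(16)
    attrs = (tlv(USER_NAME, username.encode())
             + tlv(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + tlv(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + tlv(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def server_handle(packet: bytes, secret: bytes, users: dict) -> bytes:
    """What the RADIUS server does: recover the password with the shared
    secret, check it, and reply with a Response Authenticator that binds the
    reply to this request and to the secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    name = attrs[USER_NAME].decode()
    password = unhide_password(attrs[USER_PASSWORD], secret, req_auth)
    reply = ACCESS_ACCEPT if users.get(name) == password else ACCESS_REJECT
    head = struct.pack("!BBH", reply, ident, 20)   # no reply attributes in this example
    resp_auth = hashlib.md5(head + req_auth + secret).digest()
    return head + resp_auth


def client_verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """The AAA client must check this before acting on an Access-Accept:
    a forged Accept from a host without the shared secret fails here."""
    if response[1] != request[1]:            # Identifier must match the request
        return False
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```

Because MD5 of a shared secret is all that protects the password and the reply, the usual practitioner checks are a long random per-client secret, source-address filtering on UDP/1812, and an IPsec or otherwise protected path between AAA client and server where the network is not trusted.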

Figure 2-2. TACACS+ Messaging

[Figure: TACACS+ login exchange between the AAA client and the TACACS+ server. Recoverable step text:]
1. The AAA client receives a connection request from the user.
2. (not recoverable)
3. The TACACS+ server then sends the REPLY packet back to the AAA client to ask the client to get the username.
4. The AAA client sends a CONTINUE packet to the TACACS+ server with the username provided by the user.
5. The TACACS+ server then sends the REPLY packet back to the AAA client to ask the client to get the password.
6. The AAA client sends a CONTINUE packet to the TACACS+ server with the password provided by the user. The TACACS+...

Figure 6-10. Interface Configuration

[Figure: screenshot of the ACS HTML interface Interface Configuration page; the text is not recoverable.]

TACACS+ Communication

TACACS+ communication between the AAA client (the network access server, or NAS) and the AAA server is based on TCP, which provides a reliable delivery mechanism for the AAA messaging. TACACS+ uses TCP port 49 and creates a session to carry the messaging of an AAA exchange. There are many benefits to using TCP for session control in TACACS+. Among them is that TCP provides acknowledgment of the requests made by the NAS, the AAA client. In addition to the...

Wireless Deployment

When deploying ACS into a wireless network, you must determine whether users need to roam from one wireless access point to another. If the answer is yes, the task ahead has just become a bit more difficult, yet not impossible. You might want to consider breaking up your ACS deployment into geographic locations where common users can be grouped. By placing the users into groups defined by geographic locations, you can spread the load placed on each ACS. Keep in mind that your deployment in a...

Figure 11-9. Common LDAP Configuration Parameters

[Figure: screenshot of the ACS LDAP database configuration page; the text is not recoverable.]

Testing Your Configuration

Now that you have configured some users and a NAS, you are ready to test your configuration. The way to test AR locally without configuring an AAA client is to use the radclient utility. radclient uses the default Clients entry in AR, 127.0.0.1. It simply creates a RADIUS packet and sends it to AR. The following step sequence creates an Access-Request packet for user john with password john and packet identifier p001, and displays the packet before sending...

Acknowledgments

There are so many people that I regard as my reason for this book. I would not feel right without mentioning them and how much each one of them has inspired me in some way or another. Ascolta Training Company, for your support along the way, especially Irene Kinoshita, Ted Wagner, William Kivlen, Jack Wood, Kevin Masui, Dennis Ogata, Colby Morita, Ann Mattair, Karl Homa, Chris Smith, Hilson Shen, Fred Cutaran, Randi Rubenstein, John Rauma, and the rest of the gang The Verizon Gang, especially...

Configuring the Radius Server

At the top level of AR are the Administrator object that you just configured and the Radius object. The Radius object specifies the name of the server and other parameters related to the way AR handles user requests. In configuring this site, you need to change only a few of these properties. This section of the chapter shows you how to configure some basic RADIUS parameters for AR. Step 1. Change to the Radius object, as seen in Example 15-5.

Example 15-5.
localhost Radius
Name Radius
Description...

TACACS+ Format and Header Values

The TACACS+ Internet-Draft (ID) defines a 12-byte header that appears in all TACACS+ packets. This header is always sent in clear text. The following defines the TACACS+ header fields, which are also shown in Figure 2-1. Major_version: the major version number of TACACS+. The value appears in the header as TAC_PLUS_MAJOR_VER = 0xc. Minor_version: the revision number of the TACACS+ protocol; it also provides backward compatibility. A default value, as well as a version...

Figure 11-12. Successful ODBC Database Configuration Screen

[Figure: screenshot of the ACS ODBC database configuration page after a successful configuration; the text is not recoverable.]

Note that this cannot be successful unless the ODBC drivers are properly configured. After the ODBC drivers are configured, you...

Figure 11-11. External ODBC Database Parameters

[Figure: screenshot of the ACS ODBC database configuration page. Recoverable field labels: System DSN, DSN Username, DSN Password, DSN Connections, ODBC Worker Threads, DSN Procedure Type, Support PAP authentication, PAP SQL Procedure, Support CHAP/MS-CHAP/ARAP authentication, Support EAP-TLS, EAP SQL Procedure. The rest of the text is not recoverable.]

Figure 11-15. Configuring RADIUS Token Server Parameters

[Figure: screenshot of the ACS RADIUS token server configuration page, with fields for the primary and secondary servers; the rest of the text is not recoverable.]

Note

The significance of these message types is that TACACS+ can perform authentication, authorization, and accounting as separate functions. RADIUS does not have this capability: it combines authentication and authorization in a single Access-Request/Access-Accept exchange. Seq_no: the sequence number of the current packet within the session. TACACS+ can run multiple TACACS+ sessions, or use one TACACS+ session per AAA client. The first packet of a session has sequence number 1. All subsequent packets increment from that...
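Putting the header fields, the TCP session (port 49), the Figure 2-2 exchange and the seq_no rule together: the following is an added example, not code from the book or from any Cisco product, that builds TACACS+ packets with the 12-byte clear-text header, hides the body with the MD5 pseudo-pad keyed by session_id, shared key, version and seq_no, and replays the ASCII login of Figure 2-2 in-process with seq_no running 1 through 6. Constants are the standard TACACS+ values; the key, session ID and user table are constructed for the example.

```python
import hashlib
import struct

# Standard TACACS+ values (Internet-Draft, later RFC 8907). Key, session_id
# and users below are constructed for this example.
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
AUTHEN_LOGIN, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 1, 1, 1
STATUS_PASS, STATUS_FAIL, STATUS_GETUSER, STATUS_GETPASS = 1, 2, 4, 5
# version, type, seq_no, flags, session_id, length: the 12-byte clear-text header
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n adds MD5_(n-1).
    Every header field that feeds the pad is sent in the clear; only the
    key is secret, so the key is the whole of the body's protection."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key) -> bytes:
    version = (TAC_PLUS_MAJOR_VER << 4) | 0            # minor version 0 (default)
    flags = TAC_PLUS_UNENCRYPTED_FLAG if key is None else 0
    payload = body if key is None else xor_body(body, session_id, key, version, seq_no)
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + payload


def parse_header(pkt: bytes) -> dict:
    """Anyone on the path can read this much, with or without the key."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(pkt[:HEADER.size])
    return {"major": version >> 4, "minor": version & 0xF, "version": version,
            "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}


def open_packet(pkt: bytes, key) -> tuple:
    hdr = parse_header(pkt)
    body = pkt[HEADER.size:HEADER.size + hdr["length"]]
    if hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        return hdr, body
    return hdr, xor_body(body, hdr["session_id"], key, hdr["version"], hdr["seq_no"])


def authen_start(user=b"", port=b"tty0", rem_addr=b"async") -> bytes:
    # action, priv_lvl, authen_type, authen_service, user_len, port_len, rem_addr_len, data_len
    return struct.pack("!8B", AUTHEN_LOGIN, 1, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                       len(user), len(port), len(rem_addr), 0) + user + port + rem_addr


def authen_reply(status: int, server_msg=b"") -> bytes:
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def authen_continue(user_msg: bytes) -> bytes:
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg


def reply_status(body: bytes) -> int:
    return body[0]


def continue_msg(body: bytes) -> bytes:
    n = struct.unpack("!H", body[:2])[0]
    return body[5:5 + n]


def ascii_login(key: bytes, session_id: int, username: bytes, password: bytes, users: dict):
    """Replay Figure 2-2 in-process: each packet is built by one side and
    opened by the other with the same key. seq_no starts at 1 and increments
    per packet (client odd, server even). Returns (trace, final status)."""
    trace, seq = [], 1

    def exchange(body: bytes, summary: str) -> bytes:
        nonlocal seq
        pkt = build_packet(TAC_PLUS_AUTHEN, seq, session_id, body, key)
        hdr, plain = open_packet(pkt, key)          # the peer's view of the packet
        if hdr["seq_no"] != seq or plain != body:
            raise RuntimeError("peer could not open packet")
        trace.append((seq, summary))
        seq += 1
        return plain

    exchange(authen_start(), "START")                                          # client, 1
    exchange(authen_reply(STATUS_GETUSER, b"Username: "), "REPLY GETUSER")    # server, 2
    user = continue_msg(exchange(authen_continue(username), "CONTINUE user")) # client, 3
    exchange(authen_reply(STATUS_GETPASS, b"Password: "), "REPLY GETPASS")    # server, 4
    pw = continue_msg(exchange(authen_continue(password), "CONTINUE pass"))   # client, 5
    status = STATUS_PASS if users.get(user) == pw else STATUS_FAIL
    final = exchange(authen_reply(status), "REPLY " + ("PASS" if status == STATUS_PASS else "FAIL"))
    return trace, reply_status(final)
```

Two points the code makes concrete: the header (type, sequence number, session ID) is readable by anyone on the TCP path even though the body is hidden, and the body hiding is MD5-XOR under a static key, so per-device keys and a protected management path matter as much here as they do for RADIUS.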

Figure 11-14. LEAP Proxy RADIUS Server Configuration

[Figure: screenshot of the ACS LEAP Proxy RADIUS Server configuration page. Recoverable help text: type the IP address of the primary RADIUS server; type the IP address of the secondary RADIUS server. The rest of the text is not recoverable.]

Using Remote Accounting

When you deploy proxy in your network and you are using a Proxy Distribution Table, you increase the amount of accounting that you can do within your network. You can use accounting in the distributed system in three ways You can log accounting information locally. You can forward accounting information to the destination AAA server. You can log accounting information locally and forward a copy to the destination AAA server. The benefits of remote accounting are that the remote AAA server logs...
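The two decisions a Proxy Distribution Table entry makes (from "Configuring Proxy Distribution Tables" above) and the three accounting choices described here are small enough to model end to end. The following is an added example, not code from the book or from ACS, of that decision logic. It assumes entry fields that mirror the text (match string, prefix or suffix position, strip, forward-to list, accounting mode), that the table is scanned in order with the first match winning and the Default entry always last, and uses constructed server names and usernames.

```python
from dataclasses import dataclass

# Assumptions for this example: the table is scanned in order and the first
# matching entry wins; the Default entry matches every username and comes
# last. Server names and usernames are constructed.


@dataclass(frozen=True)
class ProxyEntry:
    string: str          # character string to match, e.g. "@ny.example.com" or "ca/"
    position: str        # "suffix" or "prefix"
    strip: bool          # remove the matched string before forwarding
    forward_to: tuple    # AAA servers to try, in order
    accounting: str      # "local", "remote" or "local+remote"


DEFAULT = ProxyEntry("(Default)", "suffix", False, ("local",), "local")


def matches(entry: ProxyEntry, username: str) -> bool:
    if entry is DEFAULT:
        return True
    if entry.position == "suffix":
        return username.endswith(entry.string)
    return username.startswith(entry.string)


def forwarded_name(entry: ProxyEntry, username: str) -> str:
    """The username as the remote ACS will see it: with the routing string
    removed when strip is set, otherwise unchanged."""
    if entry is DEFAULT or not entry.strip:
        return username
    if entry.position == "suffix":
        return username[:-len(entry.string)]
    return username[len(entry.string):]


def distribute(table, username: str) -> tuple:
    """Return (servers to forward to, username as forwarded, accounting mode).
    A table without a Default entry falls back to local authentication."""
    entry = next((e for e in table if matches(e, username)), DEFAULT)
    return entry.forward_to, forwarded_name(entry, username), entry.accounting


def account(mode: str, record: dict, local_log: list, remote_log: list) -> None:
    """The three remote-accounting choices: log locally, forward to the
    destination AAA server, or both. 'local+remote' keeps an audit record on
    the proxying ACS even though the authentication decision was made remotely."""
    if mode not in ("local", "remote", "local+remote"):
        raise ValueError("unknown accounting mode: " + mode)
    if mode in ("local", "local+remote"):
        local_log.append(record)
    if mode in ("remote", "local+remote"):
        remote_log.append(record)
```

Note what the strip flag changes for the remote side: a stripped name means the New York ACS sees plain "bob", so its own tables must hold that user, and any NAR or group policy there is evaluated against the stripped name. "local+remote" is the mode to prefer when the local site must keep its own audit trail of who was forwarded where.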

Categories of aregcmd Commands

The aregcmd CLI commands are entered after you log on to the AR cluster; to log in to the cluster, you invoke the aregcmd CLI. The commands can be grouped into the categories discussed in the following sections. Navigation commands move within the Cisco AR hierarchy; they include cd, ls, pwd, next, prev, filter, and find. We discuss the first three in detail. The cd and ls commands were already discussed; however, let's recap. The cd command simply allows you to move through the...

LEAP Proxy RADIUS Server

For Cisco Secure ACS-authenticated users accessing your network via Cisco Aironet devices, Cisco Secure ACS supports ASCII, PAP, MS-CHAP (versions 1 and 2), and LEAP authentication with a proxy RADIUS server. Other authentication protocols are not supported with LEAP Proxy RADIUS Server databases. Cisco Secure ACS uses MS-CHAP version 1 for LEAP Proxy RADIUS Server authentication. To manage your proxy RADIUS database, refer to your RADIUS database documentation. Lightweight Extensible...

Backing Up the Cisco Secure Database

Another important aspect of maintaining your ACS configuration is performing frequent backups of the ACS database. This section covers the steps needed to perform manual backups, schedule backups, cancel scheduled backups, and recover ACS from a backup. Under the umbrella of database backup, you have the following options: schedule a backup to take place at periodic intervals or at a given time... Database backups are performed from the System Configuration subsection ACS System Backup...

VASCO Token Server

To configure ACS to work with a VASCO Token Server, begin with the following steps: Step 1. From External User Databases, select Database Configuration. Step 2. Select VASCO Token Server. Step 3. Select the Create New Configuration button. Step 4. Enter a name for your new configuration. To configure the database parameters, follow these steps: Step 1. Select the Configure button. Step 2. Enter the primary server name or IP address. Step 3. Enter the secondary server name or IP address. Step 4. Enter the shared...

Microsoft RADIUS VSAs

Microsoft Point-to-Point Encryption (MPPE) is an encryption technology developed by Microsoft to encrypt point-to-point PPP links. These PPP connections can be over a dialup line or over a VPN tunnel such as PPTP. MPPE is supported by several RADIUS network-device vendors that Cisco Secure ACS supports. The following Cisco Secure ACS RADIUS protocols support the Microsoft RADIUS VSAs (the list itself is not recoverable from this extraction). Of the VSAs described, the encryption-policy attribute signifies whether the use of encryption is allowed or required. If the Policy...

Nortel RADIUS

Table A-7 lists the Nortel RADIUS VSAs supported by Cisco Secure ACS. The Nortel vendor ID number is 1584. The attribute names in the table are not recoverable from this extraction; each of the five attributes listed is of type ipaddr with a maximum length of 15 characters.

aregcmd Syntax

We said that the aregcmd command, when invoked from the Solaris command line, opens the CLI into which AR commands are entered. Commands entered into aregcmd are not case sensitive and, just like Cisco IOS, provide context-sensitive help and command completion with the Tab key. If the command element you are requesting is unique, you need enter only a portion of the command for it to execute. Also, aregcmd commands are order dependent. This means the...

Using aregcmd to Configure AR

To configure AR, you use the aregcmd command-line interface (CLI). Accessing this CLI allows you to enter commands directly into AR. When using aregcmd, you need to know a few important commands. First, think of aregcmd as a modified UNIX command line. You use the UNIX command cd to change directories or, in the case of AR, configuration objects. You use the UNIX command ls to list the elements at your current location in AR. To back out of a configuration object, use cd...