How to Add Users to Csacsnt

©2000, Cisco Systems,


To add users to the Cisco Secure ACS, complete the following steps:

Step 1 In the navigation bar, click User Setup. The Select window opens.

Step 2 Enter a name in the User field.

Note The username can contain up to 32 characters. Names cannot contain the following special characters: # ? " * > <. Leading and trailing spaces are not allowed.

Step 3 Click Add/Edit. The Edit window opens. The username being added or edited appears at the top of the window.

Account Disable

Click the Account Disabled check box to deny access for this user.

Note You must click Submit to have this action take effect.

Supplementary User Information

■ Supplementary User Information—(Optional.) Enter the following information:

< Real Name—If the username is not the user's real name, enter the real name here.

< Description—Enter a detailed description of the user.

Note This item can contain up to five user-configurable fields. See the "Interface Configuration" section for information on how to display and configure these fields.

User Setup

Edit or enter the following information for the user as applicable:

■ Password Authentication—Select the authentication type from the dropdown menu:

< Cisco Secure Database—Authenticates a user from the local Cisco Secure ACS database.

< Windows NT—Authenticates a user with an existing account in the Windows NT User Database located on the same machine as the Cisco Secure server. There is also an entry in the Cisco Secure ACS database used for other Cisco Secure ACS services. This authentication type will appear in the user interface only if this external user database has been configured in External User Databases: Database Configuration.

■ Password and Confirm Password—Enter and confirm the Password Authentication Protocol (PAP) password to be used.

■ Separate CHAP/MS-CHAP/ARAP—This is not used with the PIX Firewall.

Note The Password and Confirm Password fields are required for all authentication methods except third-party user databases.

■ Group to which the user is assigned—From the drop-down menu, select the group to which to assign the user. The user inherits the attributes and operations assigned to the group. By default, users are assigned to the Default Group. Users who authenticate via the Unknown User method who are not found in an existing group are also assigned to the Default Group.

■ Callback—This is not used with the PIX Firewall.

■ Client IP Address Assignment—This is not used with the PIX Firewall.

Account Disable

Define the circumstances under which this user's account will become disabled.

Note This is not to be confused with account expiration due to Password Aging. Password Aging is defined for groups only, not for individual users.

■ Never—Click to keep the user's account always enabled. This is the default.

■ Disable account if—Click to disable the account under the circumstances you specify in the following fields:

< Date exceeds—From the drop-down menus, select the month, date, and year on which to disable the account. The default is 30 days after the user is added.

< Failed attempts exceed—Click the check box and enter the number of consecutive unsuccessful login attempts to allow before disabling the account. The default is 5.

< Failed attempts since last successful login—This counter shows the number of unsuccessful login attempts since the last time this user logged in successfully.

■ Reset current failed attempts count on submit—If an account is disabled because the failed attempts count has been exceeded, check this check box and click Submit to reset the failed attempts counter to 0 and reinstate the account.

If you are using the Windows NT user database, this expiration information is in addition to the information in the Windows NT user account. Changes here do not alter settings configured in Windows NT.

When you have finished configuring all user information, click Submit.
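The Account Disable options above describe a lockout policy: a date after which the account is unusable, a cap on consecutive failed logins, and a counter that is reset by a successful login or by the "Reset current failed attempts count on submit" check box. The following Python is an added illustrative model of that policy, not Cisco Secure ACS code; the class and field names are this model's own, and it assumes "Date exceeds" leaves the account usable on the chosen date itself.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class AccountDisablePolicy:
    """The 'Account Disable' options for one user (illustrative model, not ACS code)."""
    disable_if: bool = True                   # False models the 'Never' radio button
    disable_date: Optional[date] = None       # 'Date exceeds'; ACS defaults to add date + 30 days
    max_failed_attempts: Optional[int] = 5    # 'Failed attempts exceed'; ACS default is 5

    @staticmethod
    def with_defaults(added_on: date) -> "AccountDisablePolicy":
        return AccountDisablePolicy(disable_date=added_on + timedelta(days=30))

@dataclass
class UserAccount:
    username: str
    policy: AccountDisablePolicy
    account_disabled: bool = False            # the 'Account Disabled' check box
    failed_since_last_success: int = 0        # 'Failed attempts since last successful login'

    def is_disabled(self, today: date) -> bool:
        if self.account_disabled:
            return True
        p = self.policy
        if not p.disable_if:
            return False
        # Assumption: 'Date exceeds' means the account is still usable on the chosen date itself.
        if p.disable_date is not None and today > p.disable_date:
            return True
        # N attempts are allowed; the account is disabled once the count exceeds N.
        if p.max_failed_attempts is not None and self.failed_since_last_success > p.max_failed_attempts:
            return True
        return False

    def record_login(self, password_ok: bool, today: date) -> bool:
        """Process one login attempt; returns True if access is granted."""
        if self.is_disabled(today):
            return False                      # a disabled account rejects even a correct password
        if password_ok:
            self.failed_since_last_success = 0  # the counter is consecutive, since last success
            return True
        self.failed_since_last_success += 1
        return False

    def reset_failed_attempts(self) -> None:
        """'Reset current failed attempts count on submit': zero the counter, reinstating the account."""
        self.failed_since_last_success = 0
```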

Authentication of Non-Telnet, FTP, or HTTP Traffic


The PIX Firewall authenticates users via Telnet, FTP, or HTTP. But what if users need to access a Microsoft file server on port 139 or a Cisco IP/TV server for instance? Whenever users are required to authenticate to access services other than Telnet, FTP, or HTTP, they need to do one of the following:

■ Option 1: Authenticate first by accessing a Telnet, FTP, or HTTP server before accessing other services.

■ Option 2: Authenticate to the PIX Firewall virtual Telnet service before accessing other services.

When there are no Telnet, FTP, or HTTP servers to authenticate with, or just to simplify authentication for the user, the PIX Firewall allows a virtual Telnet authentication option. This permits the user to authenticate directly with the PIX Firewall to the virtual Telnet IP address.

Virtual Telnet Authentication

Examples

Authenticating In:

>telnet 192.168.0.5
LOGIN Authentication
Username: aaauser
Password: ********
Authentication Successful

Authenticating Out:

>telnet 192.168.0.5
LOGOUT Authentication
Username: aaauser
Password: ********
Logout Successful

©2000, Cisco Systems, Inc. www.cisco.com CSPFA 1.01—4-16

The virtual Telnet option provides a way to pre-authenticate users who require connections through the PIX Firewall using services or protocols that do not support authentication. The virtual Telnet IP address is used both to authenticate in and authenticate out of the PIX Firewall.

When an unauthenticated user Telnets to the virtual IP address, the user is challenged for their username and password, and then authenticated with the TACACS+ or RADIUS server. Once authenticated, the user sees the message "Authentication Successful" and the authentication credentials are cached in the PIX Firewall for the duration of the uauth timeout.

If a user wishes to log out and clear the entry in the PIX Firewall uauth cache, the user can again Telnet to the virtual address. The user is prompted for a username and password, the PIX Firewall removes the associated credentials from the uauth cache, and the user receives a "Logout Successful" message.
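The login/logout toggle and the uauth cache described above can be modelled to show what the PIX Firewall is actually keying on. The following Python is an added illustrative model, not PIX code: the class names, the `AAA_SERVER` stand-in for the TACACS+/RADIUS server, and the "Authentication Failed" banner are this model's own, it treats the uauth timeout as an absolute timeout, and it assumes the logout prompt re-checks the credentials before clearing the entry.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict

# Constructed stand-in for the TACACS+/RADIUS user store (not real credentials).
AAA_SERVER = {"aaauser": "s3cret!"}


def check_credentials(username: str, password: str) -> bool:
    """Stands in for the PIX query to the TACACS+ or RADIUS server."""
    return AAA_SERVER.get(username) == password


@dataclass
class UauthEntry:
    username: str
    expires_at: float          # cached until the uauth timeout elapses (absolute timeout modelled)


@dataclass
class VirtualTelnet:
    """Illustrative model of the PIX virtual Telnet login/logout flow (not PIX code)."""
    uauth_timeout: float                       # seconds; the PIX 'timeout uauth' value
    authenticate: Callable[[str, str], bool]   # AAA server lookup
    cache: Dict[str, UauthEntry] = field(default_factory=dict)  # keyed by source IP, as uauth is

    def is_authenticated(self, src_ip: str, now: float) -> bool:
        """True if src_ip still has a live uauth entry; expired entries are purged."""
        entry = self.cache.get(src_ip)
        if entry is None:
            return False
        if now >= entry.expires_at:
            del self.cache[src_ip]
            return False
        return True

    def telnet_to_virtual_ip(self, src_ip: str, username: str, password: str, now: float) -> str:
        """One Telnet session to the virtual address; returns the banner the user sees."""
        if not self.authenticate(username, password):
            return "Authentication Failed"     # failure banner is this model's own wording
        if not self.is_authenticated(src_ip, now):
            # LOGIN Authentication: cache the credentials for the uauth timeout
            self.cache[src_ip] = UauthEntry(username, now + self.uauth_timeout)
            return "Authentication Successful"
        # LOGOUT Authentication: the user is re-prompted, then the cache entry is removed
        del self.cache[src_ip]
        return "Logout Successful"
```

Because the cache is keyed by source IP, every connection from that host is treated as authenticated until the entry is cleared or the uauth timeout expires, which is why the timeout value and explicit logout matter.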
