Cisco VPN 5000 Concentrator Dictionary of Radius Vsas
ACS supports the Cisco VPN 5000 RADIUS VSAs. The vendor ID for this Cisco RADIUS Implementation is 255. Table C-4 lists the supported Cisco VPN 5000 Concentrator RADIUS VSAs. Table C-4 Cisco VPN 5000 Concentrator RADIUS VSAs String (maximum length 247 characters) String (maximum length 247 characters)
EAP Configuration
EAP is a flexible request-response protocol for arbitrary authentication information (RFC 2284). EAP is layered on top of another protocol such as UDP, 802.1x, or RADIUS and supports multiple authentication types EAP-TLS (based on X.509 certificates) EAP-MD5 Plain Password Hash (CHAP over EAP) New extended EAP methods have been added to EAP for NAC EAP-TLV Carry posture credentials, adding posture AVPs, posture notifications. Status Query You can use this new EAP method for securely querying...
AAA Client Configuration Options
AAA client configurations enable ACS to interact with the network devices that the configuration represents. A network device that does not have a corresponding configuration in ACS, or whose configuration in ACS is incorrect, does not receive AAA services from ACS. The Add AAA Client and AAA Client Setup pages include AAA Client Hostname The name that you assign to the AAA client configuration. Each AAA client configuration can represent multiple network devices thus, the AAA client hostname...
Date Format Control
ACS supports two possible date formats in its logs, reports, and administrative interface. You can choose a month day year format or a day month year format. Tip Using a comma-separated value (CSV) file might not work well in different countries for example, when imported into programs such as Word or Excel. You might need to replace the commas(,) with semicolons ( ) if necessary. If you have reports that were generated before you changed the date format, you must move or rename them to avoid...
Ascend Dictionary of Radius Av Pairs
ACS supports the Ascend RADIUS AV pairs. Table C-9 contains Ascend RADIUS dictionary translations for parsing requests and generating responses. All transactions comprise AV pairs. The value of each attribute is specified as Ipaddr 4 octets in network byte order. Integer 32-bit value in big endian order (high byte first). Call filter Defines a call filter for the profile. Note RADIUS filters are retrieved only when a call is placed by using a RADIUS outgoing profile or answered by using a...
About the ciscoavpair Radius Attribute
The first attribute in the Cisco IOS PIX 6.0 RADIUS implementation, cisco-av-pair, supports the inclusion of many AV pairs by using the following format where attribute and value are an AV pair supported by the releases of IOS implemented on your AAA clients, and sep is for mandatory attributes and asterisk (*) for optional attributes. You can then use the full set of Terminal Access Controller Access Control System (TACACS+) authorization features for RADIUS. Note The attribute name in an AV...
Loading the ACS Internal Database from a Dump File
You can use the -l option to overwrite all ACS internal data from a dump text file. This option replaces the existing all ACS internal data with the data in the dump text file. In effect, the -l option initializes all ACS internal data before loading it from the dump text file. Dump text files are created by using the -d option. You must use the same password used to encrypt the dump files. You can use the -p option in conjunction with the -l option to reset password-aging counters. Note Using...
Listing Custom Radius Vendors
You can use the -listUDV option to determine what custom RADIUS vendors are defined in ACS. You also use this option to determine which of the ten possible custom RADIUS vendor slots are in use and which RADIUS vendor occupies each used slot. To list all custom RADIUS vendors that are defined in ACS Step 1 On the computer that is running ACS, open an MS-DOS command prompt and change directories to the directory containing csutii .exe. For more information about the location of csutii. exe, see...
CSUtil Command Syntax
The syntax for the CSUtil command is csutil -q -b backup_filename -d -p secret_key dump_filename -e number -g group_number -i file -p secret_key -l filename -passwd secret_key -n -r all users config backup_file -u -listUDV -addUDV slot filename.ini -delUDV slot -dumpUDV database_dump_filename -t -filepath full_filepath -passwd password -machine (-a -g group_number -u user_name -f user_list_filepath) -addAVP filepath -delAVP vendor_id application_id attribute_id -dumpAVP filename -delPropHPP...
Protocol Configuration Options for RADIUS
It is unlikely that you would want to install every attribute available for every protocol. Displaying each would make setting up a user or group cumbersome. To simplify setup, use the options in this section to customize the attributes that are visible. For a list of supported RADIUS AV pairs and accounting AV pairs, see Appendix C, RADIUS Attributes. Depending on which AAA client or clients you have configured, the Interface Configuration page displays different choices of RADIUS protocol...
About Downloadable IP ACLs
You can use downloadable IP ACLs to create sets of ACL definitions that you can apply to many users or user groups. These sets of ACL definitions are called ACL contents. Also, by incorporating NAFs, you can control the ACL contents that are sent to the AAA client from which a user is seeking access. That is, a downloadable IP ACL comprises one or more ACL content definitions, each of which is associated with a NAF or (by default) associated to all AAA clients. (The NAF controls the...
Adding a Custom Radius Vendor and VSA
You can use the -addUDV option to add up to ten custom RADIUS vendors and VSA sets to ACS. Each RADIUS vendor and VSA set is added to one of ten possible user-defined RADIUS vendor slots. _ Note While csutii.exe adds a custom RADIUS vendor and VSA set to ACS, all ACS services are automatically stopped and restarted. No users are authenticated during this process. Define a custom RADIUS vendor and VSA set in a RADIUS vendor VSA import file. For more information, see RADIUS Vendor VSA Import...
Deleting a Windows Domain Group Mapping Configuration
You can delete an entire group mapping configuration for a Windows domain. When you delete a Windows domain group mapping configuration, you delete all group set mappings in the configuration. Step 1 In the navigation bar, click External User Databases. Step 2 Click Database Group Mappings. Step 3 Click the name of the Windows external user database. Step 4 Click the domain name whose group set mapping you want to delete. ACS displays a confirmation dialog box. Step 6 Click OK in the...
Configuring a Radius Token Server External User Database
Use this procedure to configure RADIUS Token Server external user databases. Before You Begin You should install and configure your RADIUS token server before configuring ACS to authenticate users with it. For information about installing the RADIUS token server, refer to the documentation included with your token server. To configure ACS to authenticate users with a RADIUS Token Sever In the navigation bar, click External User Databases. ACS lists all possible external user database types. The...
Deleting a Posture Validation Attribute Definition
The -delAVP option deletes a single posture-validation attribute from ACS. Before You Begin Because completing this procedure requires restarting the CSAuth service, which temporarily suspends authentication services, consider performing this procedure when demand for ACS services is low. Use the steps in Exporting Posture-Validation Attribute Definitions, page D-31, to create a backup of posture-validation attribute definitions. You can also use the exported attribute definition file to...
Cisco VPN 3000 ConcentratorASAPIX 7x Dictionary of Radius Vsas
ACS supports Cisco VPN 3000 ASA PIX 7.x+ RADIUS VSAs. The vendor ID for this Cisco RADIUS Implementation is 3076. Note Some of the RADIUS VSAs supported by Cisco virtual private network (VPN) 3000 Concentrators, Adaptive Security Appliance (ASA), and Project Information Exchange (PIX) 7.x+ appliances are interdependent. Before you implement them, we recommend that you refer to your respective device documentation. For example, to control Microsoft Point-to-Point Encryption (MPPE) settings for...
About Network Access Restrictions
A network access restriction (NAR) is a definition, which you make in ACS, of additional conditions that you must meet before a user can access the network. ACS applies these conditions by using information from attributes that your AAA clients sent. Although you can set up NARs in several ways, they all are based on matching attribute information that a AAA client sent. Therefore, you must understand the format and content of the attributes that your AAA clients sends if you want to employ...
Configuring Juniper Radius Settings for a User Group
Juniper RADIUS represents only the Juniper VSA. You must configure the IETF RADIUS and Juniper RADIUS attributes. Note To hide or display Juniper RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes, page 3-13. A VSA applied as an authorization to a particular group persists, even when you remove or replace the associated AAA client however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the group...
Adding a Basic User Account
This procedure details the minimum steps necessary to add a new user account to the ACS internal database. In the navigation bar, click User Setup. The User Setup Select page opens. Note The username can contain up to 64 characters. Names cannot contain the pound sign ( ), the question mark ( ), the quote (), the asterisk (*), the right angle bracket (> ), or the left angle bracket (< ). Leading and trailing spaces are not allowed. The User Setup Edit page opens. The username that you are...
Usernames and Windows Authentication
This section contains the following topics Username Formats and Windows Authentication, page 13-8 Nondomain-Qualified Usernames, page 13-9 Domain-Qualified Usernames, page 13-9 Username Formats and Windows Authentication ACS supports Windows authentication for usernames in a variety of formats. When ACS attempts Windows authentication, it first determines the username format and submits the username to Windows in the applicable manner. To implement reliable Windows authentication with ACS, you...
Configuring a System Data Source Name for Rdbms Synchronization
On the ACS, a system DSN must exist for ACS to access the accountActions table. If you plan to use the CiscoSecure Transactions.mdbMicrosoft Access database that is provided with ACS, you can use the CiscoSecure DBSync system DSN, rather than create one. Everything ACS does with ODBC requires System DSNs. User DSNs will not work. Confusing the two DSNs is an easy mistake to make when configuring the datasources in the ODBC control panel applet. Ensure your System DSN is set properly. For more...
NAP Administration Pages
This section describes the fields in the web pages that you use for NAP administration Network Access Profiles Page, page 15-11 Profile Setup Page, page 15-12 Advanced Filtering-Rule Elements Table, page 15-12 Click to activate the configuration for the profile. Opens the Profile Setup Page. Contains links to set up authentication, posture validation, and authorization policies. Choose the appropriate link in this column to set the policy for the profile. Controls the profile's authentication...
Cisco IOS Dictionary of Radius Ietf
ACS supports Cisco RADIUS IETF (IOS RADIUS AV pairs). Before selecting AV pairs for ACS, you must confirm that your AAA client is a compatible release of Cisco IOS or compatible AAA client software. For more information, see Installation Guide for Cisco Secure ACS for Windows for information about network and port requirements. Note If you specify a given AV pair on ACS, the corresponding AV pair must be implemented in the Cisco IOS software that is running on the network device. Always...
Setting Tacacs Outbound Password for a User
The TACACS+ outbound password enables an AAA client to authenticate itself to another AAA client via outbound authentication. The outbound authentication can be PAP, CHAP, MS-CHAP, or ARAP, and results in the ACS password being given out. By default, the user ASCII PAP or CHAP MS-CHAP ARAP password is used. To avoid compromising inbound passwords, you can configure a separate SENDAUTH password. Use an outbound password only if you are familiar with the use of a TACACS+ SendAuth OutBound...
Enabling Password Aging for the ACS Internal Database
You use the Password Aging feature of ACS to force users to change their passwords under one or more of the following conditions After a specified number of days (age-by-date rules). After a specified number of logins (age-by-uses rules). The first time a new user logs in (password change rule). Varieties of Password Aging Supported by ACS ACS supports four distinct password-aging mechanisms Protected Extensible Authentication Protocol (PEAP) and Extensible Authentication Protocol-Flexible...
PAP Procedure Output
The stored procedure must return a single row that contains the nonnull fields. Table 13-2 lists the procedure results that ACS expects as output from stored procedure. The ACS group number for authorization. You use 0xFFFFFFFF to assign the default value. Values other than 0-499 are converted to the default. Note The group that is specified in the CSNTgroup field overrides group mapping that is configured for the ODBC external user database. 0-16 characters. A customer-defined string that ACS...
Action Codes
This section provides the action codes valid for use in the Action field (mnemonic A) of accountActions. The Required column uses the field mnemonic names to indicate which fields should be completed, except for the mandatory fields, which are assumed. For more information about the mnemonic names of accountActions fields, see Table F-1. For more information about the mandatory fields, see accountActions Mandatory Fields, page F-2. If an action can be applied to a user or group, un gn appears,...
EAPTLS and ACS
ACS supports EAP-TLS with any end-user client that supports EAP-TLS, such as Windows XP. To learn which user databases support EAP-TLS, see Authentication Protocol-Database Compatibility, page 1-7. For more information about deploying EAP-TLS authentication, see Extensible Authentication Protocol Transport Layer Security Deployment Guide for Wireless LAN Networks at ACS can use EAP-TLS to support machine authentication to Microsoft Windows Active Directory. The end-user client may limit the...
Types of PACs
ACS provisions supplicants with a PAC that contains a shared secret that is used in building a TLS tunnel between the supplicant and ACS. ACS provisions supplicants with PAC that have a wider contextual use. The following types of PACs are provisioned to ACS, as per server policies Tunnel (Shared Secret) PAC, user or machine Distributed shared secret between the peer and ACS that is used to establish a secure tunnel and convey the policy of what must and can occur in the tunnel. The policy can...
