User Guide

Table of Contents

Contents  3

Preface  29
  Audience  29
  Organization  29
  Conventions  31
  Product Documentation  32
  Related Documentation  33
  Obtaining Documentation  35
  Cisco.com  36
  Ordering Documentation  36
  Documentation Feedback  36
  Obtaining Technical Assistance  37
  Cisco Technical Support Website  37
  Submitting a Service Request  37
  Definitions of Service Request Severity  38
  Obtaining Additional Publications and Information  39

Overview  41
  The CiscoSecure ACS Paradigm  42
  CiscoSecure ACS Specifications  43
  System Performance Specifications  43
  CiscoSecure ACS Windows Services  44
  AAA Server Functions and Concepts  45
  CiscoSecure ACS and the AAA Client  46
  AAA Protocols—TACACS+ and RADIUS  46
  TACACS+  47
  RADIUS  47
  Authentication  48
  Authentication Considerations  49
  Authentication and User Databases  50
  Authentication Protocol-Database Compatibility  50
  Passwords  51
  Comparing PAP, CHAP, and ARAP  52
  MS-CHAP  53
  EAP Support  53
  Basic Password Configurations  54
  Advanced Password Configurations  54
  Password Aging  55
  User-Changeable Passwords  56
  Other Authentication-Related Features  56
  Authorization  57
  Max Sessions  58
  Dynamic Usage Quotas  58
  Shared Profile Components  59
  Support for Cisco Device-Management Applications  59
  Other Authorization-Related Features  61
  Accounting  62
  Other Accounting-Related Features  62
  Administration  63
  HTTP Port Allocation for Administrative Sessions  63
  Network Device Groups  64
  Other Administration-Related Features  64
  Posture Validation  65
  CiscoSecure ACS HTML Interface  65
  About the CiscoSecure ACS HTML Interface  66
  HTML Interface Security  66
  HTML Interface Layout  67
  Uniform Resource Locator for the HTML Interface  69
  Network Environments and Administrative Sessions  70
  Administrative Sessions and HTTP Proxy  70
  Administrative Sessions through Firewalls  71
  Administrative Sessions through a NAT Gateway  71
  Accessing the HTML Interface  72
  Logging Off the HTML Interface  73
  Online Help and Online Documentation  73
  Using Online Help  74
  Using the Online Documentation  74

Deployment Considerations  77
  Basic Deployment Requirements for CiscoSecure ACS  78
  System Requirements  78
  Hardware Requirements  78
  Operating System Requirements  78
  Third-Party Software Requirements  79
  Network and Port Requirements  80
  Basic Deployment Factors for CiscoSecure ACS  82
  Network Topology  82
  Dial-Up Topology  82
  Wireless Network  85
  Remote Access using VPN  88
  Remote Access Policy  90
  Security Policy  91
  Administrative Access Policy  91
  Separation of Administrative and General Users  93
  Database  94
  Number of Users  94
  Type of Database  94
  Network Latency and Reliability  95
  Suggested Deployment Sequence  95

Interface Configuration  99
  Interface Design Concepts  100
  User-to-Group Relationship  100
  Per-User or Per-Group Features  100
  User Data Configuration Options  101
  Defining New User Data Fields  101
  Advanced Options  102
  Setting Advanced Options for the CiscoSecure ACS User Interface  104
  Protocol Configuration Options for TACACS+  105
  Setting Options for TACACS+  107
  Protocol Configuration Options for RADIUS  109
  Setting Protocol Configuration Options for IETF RADIUS Attributes  114
  Setting Protocol Configuration Options for Non-IETF RADIUS Attributes  115

Network Configuration  117
  About Network Configuration  117
  About Distributed Systems  118
  AAA Servers in Distributed Systems  119
  Default Distributed System Settings  119
  Proxy in Distributed Systems  120
  Fallback on Failed Connection  121
  Character String  122
  Stripping  122
  Proxy in an Enterprise  122
  Remote Use of Accounting Packets  123
  Other Features Enabled by System Distribution  124
  Network Device Searches  124
  Network Device Search Criteria  124
  Searching for Network Devices  125
  AAA Client Configuration  127
  AAA Client Configuration Options  127
  Adding a AAA Client  132
  Editing a AAA Client  135
  Deleting a AAA Client  137
  AAA Server Configuration  137
  AAA Server Configuration Options  138
  Adding a AAA Server  140
  Editing a AAA Server  142
  Deleting a AAA Server  144
  Network Device Group Configuration  144
  Adding a Network Device Group  145
  Assigning an Unassigned AAA Client or AAA Server to an NDG  146
  Reassigning a AAA Client or AAA Server to an NDG  147
  Renaming a Network Device Group  148
  Deleting a Network Device Group  148
  Proxy Distribution Table Configuration  150
  About the Proxy Distribution Table  150
  Adding a New Proxy Distribution Table Entry  151
  Sorting the Character String Match Order of Distribution Entries  152
  Editing a Proxy Distribution Table Entry  153
  Deleting a Proxy Distribution Table Entry  154

Shared Profile Components  155
  About Shared Profile Components  155
  Network Access Filters  156
  About Network Access Filters  156
  Adding a Network Access Filter  157
  Editing a Network Access Filter  159
  Deleting a Network Access Filter  161
  Downloadable IP ACLs  161
  About Downloadable IP ACLs  162
  Adding a Downloadable IP ACL  164
  Editing a Downloadable IP ACL  167
  Deleting a Downloadable IP ACL  168
  Network Access Restrictions  168
  About Network Access Restrictions  169
  About IP-based NAR Filters  171
  About Non-IP-based NAR Filters  172
  Adding a Shared Network Access Restriction  173
  Editing a Shared Network Access Restriction  177
  Deleting a Shared Network Access Restriction  178
  Command Authorization Sets  179
  About Command Authorization Sets  180
  Command Authorization Sets Description  180
  Command Authorization Sets Assignment  182
  Case Sensitivity and Command Authorization  183
  Arguments and Command Authorization  183
  About Pattern Matching  184
  Adding a Command Authorization Set  185
  Editing a Command Authorization Set  187
  Deleting a Command Authorization Set  189

User Group Management  191
  About User Group Setup Features and Functions  192
  Default Group  192
  Group TACACS+ Settings  192
  Basic User Group Settings  193
  Group Disablement  194
  Enabling VoIP Support for a User Group  194
  Setting Default Time-of-Day Access for a User Group  195
  Setting Callback Options for a User Group  197
  Setting Network Access Restrictions for a User Group  198
  Setting Max Sessions for a User Group  202
  Setting Usage Quotas for a User Group  204
  Configuration-specific User Group Settings  206
  Setting Token Card Settings for a User Group  208
  Setting Enable Privilege Options for a User Group  209
  Enabling Password Aging for the CiscoSecure User Database  211
  Enabling Password Aging for Users in Windows Databases  216
  Setting IP Address Assignment Method for a User Group  218
  Assigning a Downloadable IP ACL to a Group  220
  Configuring TACACS+ Settings for a User Group  221
  Configuring a Shell Command Authorization Set for a User Group  223
  Configuring a PIX Command Authorization Set for a User Group  225
  Configuring Device-Management Command Authorization for a User Group  227
  Configuring IETF RADIUS Settings for a User Group  228
  Configuring Cisco IOS/PIX RADIUS Settings for a User Group  230
  Configuring Cisco Aironet RADIUS Settings for a User Group  231
  Configuring Ascend RADIUS Settings for a User Group  233
  Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a User Group  234
  Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group  236
  Configuring Microsoft RADIUS Settings for a User Group  237
  Configuring Nortel RADIUS Settings for a User Group  239
  Configuring Juniper RADIUS Settings for a User Group  240
  Configuring BBSM RADIUS Settings for a User Group  241
  Configuring Custom RADIUS VSA Settings for a User Group  243
  Group Setting Management  244
  Listing Users in a User Group  244
  Resetting Usage Quota Counters for a User Group  245
  Renaming a User Group  245
  Saving Changes to User Group Settings  246

User Management  247
  About User Setup Features and Functions  247
  About User Databases  248
  Basic User Setup Options  249
  Adding a Basic User Account  250
  Setting Supplementary User Information  252
  Setting a Separate CHAP/MS-CHAP/ARAP Password  253
  Assigning a User to a Group  254
  Setting User Callback Option  255
  Assigning a User to a Client IP Address  256
  Setting Network Access Restrictions for a User  257
  Setting Max Sessions Options for a User  262
  Setting User Usage Quotas Options  264
  Setting Options for User Account Disablement  266
  Assigning a Downloadable IP ACL to a User  267
  Advanced User Authentication Settings  268
  TACACS+ Settings (User)  269
  Configuring TACACS+ Settings for a User  270
  Configuring a Shell Command Authorization Set for a User  272
  Configuring a PIX Command Authorization Set for a User  275
  Configuring Device-Management Command Authorization for a User  276
  Configuring the Unknown Service Setting for a User  278
  Advanced TACACS+ Settings (User)  279
  Setting Enable Privilege Options for a User  279
  Setting TACACS+ Enable Password Options for a User  281
  Setting TACACS+ Outbound Password for a User  283
  RADIUS Attributes  283
  Setting IETF RADIUS Parameters for a User  284
  Setting Cisco IOS/PIX RADIUS Parameters for a User  285
  Setting Cisco Aironet RADIUS Parameters for a User  287
  Setting Ascend RADIUS Parameters for a User  289
  Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User  290
  Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User  292
  Setting Microsoft RADIUS Parameters for a User  293
  Setting Nortel RADIUS Parameters for a User  295
  Setting Juniper RADIUS Parameters for a User  297
  Setting BBSM RADIUS Parameters for a User  298
  Setting Custom RADIUS Attributes for a User  299
  User Management  300
  Listing All Users  301
  Finding a User  301
  Disabling a User Account  302
  Deleting a User Account  303
  Resetting User Session Quota Counters  304
  Resetting a User Account after Login Failure  305
  Saving User Settings  306

System Configuration: Basic  307
  Service Control  307
  Determining the Status of CiscoSecure ACS Services  308
  Stopping, Starting, or Restarting Services  308
  Logging  309
  Date Format Control  309
  Setting the Date Format  309
  Local Password Management  311
  Configuring Local Password Management  313
  CiscoSecure ACS Backup  315
  About CiscoSecure ACS Backup  315
  Backup File Locations  315
  Directory Management  316
  Components Backed Up  316
  Reports of CiscoSecure ACS Backups  316
  Backup Options  317
  Performing a Manual CiscoSecure ACS Backup  317
  Scheduling CiscoSecure ACS Backups  318
  Disabling Scheduled CiscoSecure ACS Backups  319
  CiscoSecure ACS System Restore  320
  About CiscoSecure ACS System Restore  320
  Backup Filenames and Locations  320
  Components Restored  321
  Reports of CiscoSecure ACS Restorations  322
  Restoring CiscoSecure ACS from a Backup File  322
  CiscoSecure ACS Active Service Management  323
  System Monitoring  323
  System Monitoring Options  324
  Setting Up System Monitoring  325
  Event Logging  326
  Setting Up Event Logging  326
  VoIP Accounting Configuration  327
  Configuring VoIP Accounting  327

System Configuration: Advanced  329
  CiscoSecure Database Replication  329
  About CiscoSecure Database Replication  330
  Replication Process  332
  Replication Frequency  335
  Important Implementation Considerations  335
  Database Replication Versus Database Backup  338
  Database Replication Logging  338
  Replication Options  339
  Replication Components Options  339
  Outbound Replication Options  340
  Inbound Replication Options  343
  Implementing Primary and Secondary Replication Setups on CiscoSecure ACSes  343
  Configuring a Secondary CiscoSecure ACS  345
  Replicating Immediately  347
  Scheduling Replication  349
  Disabling CiscoSecure Database Replication  352
  Database Replication Event Errors  353
  RDBMS Synchronization  353
  About RDBMS Synchronization  354
  Users  355
  User Groups  355
  Network Configuration  356
  Custom RADIUS Vendors and VSAs  356
  RDBMS Synchronization Components  357
  About CSDBSync  357
  About the accountActions Table  359
  CiscoSecure ACS Database Recovery Using the accountActions Table  360
  Reports and Event (Error) Handling  361
  Preparing to Use RDBMS Synchronization  361
  Considerations for Using CSV-Based Synchronization  363
  Preparing for CSV-Based Synchronization  364
  Configuring a System Data Source Name for RDBMS Synchronization  365
  RDBMS Synchronization Options  366
  RDBMS Setup Options  366
  Synchronization Scheduling Options  367
  Synchronization Partners Options  367
  Performing RDBMS Synchronization Immediately  368
  Scheduling RDBMS Synchronization  369
  Disabling Scheduled RDBMS Synchronizations  371
  IP Pools Server  372
  About IP Pools Server  372
  Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges  373
  Refreshing the AAA Server IP Pools Table  375
  Adding a New IP Pool  375
  Editing an IP Pool Definition  376
  Resetting an IP Pool  377
  Deleting an IP Pool  378
  IP Pools Address Recovery  379
  Enabling IP Pool Address Recovery  379

System Configuration: Authentication and Certificates  381
  About Certification and EAP Protocols  381
  Digital Certificates  382
  EAP-TLS Authentication  382
  About the EAP-TLS Protocol  383
  EAP-TLS and CiscoSecure ACS  384
  EAP-TLS Limitations  386
  Enabling EAP-TLS Authentication  387
  PEAP Authentication  388
  About the PEAP Protocol  388
  PEAP and CiscoSecure ACS  389
  PEAP and the Unknown User Policy  391
  Enabling PEAP Authentication  392
  EAP-FAST Authentication  393
  About EAP-FAST  393
  About Master Keys  395
  About PACs  397
  Automatic PAC Provisioning  398
  Manual PAC Provisioning  400
  Master Key and PAC TTLs  401
  Replication and EAP-FAST  402
  Enabling EAP-FAST  405
  Global Authentication Setup  406
  Authentication Configuration Options  407
  Configuring Authentication Options  413
  CiscoSecure ACS Certificate Setup  414
  Installing a CiscoSecure ACS Server Certificate  415
  Adding a Certificate Authority Certificate  417
  Editing the Certificate Trust List  418
  Managing Certificate Revocation Lists  420
  About Certificate Revocation Lists  420
  Certificate Revocation List Configuration Options  421
  Adding a Certificate Revocation List Issuer  422
  Editing a Certificate Revocation List Issuer  424
  Deleting a Certificate Revocation List Issuer  424
  Generating a Certificate Signing Request  425
  Using Self-Signed Certificates  427
  About Self-Signed Certificates  427
  Self-Signed Certificate Configuration Options  428
  Generating a Self-Signed Certificate  429
  Updating or Replacing a CiscoSecure ACS Certificate  430

Logs and Reports  433
  Logging Formats  434
  Special Logging Attributes  434
  NAC Attributes in Logs  436
  Update Packets in Accounting Logs  437
  About CiscoSecure ACS Logs and Reports  438
  Accounting Logs  438
  Dynamic Administration Reports  441
  Viewing the Logged-in Users Report  442
  Deleting Logged-in Users  443
  Viewing the Disabled Accounts Report  444
  CiscoSecure ACS System Logs  445
  Configuring the Administration Audit Log  446
  Working with CSV Logs  447
  CSV Log File Names  447
  CSV Log File Locations  448
  Enabling or Disabling a CSV Log  449
  Viewing a CSV Report  450
  Configuring a CSV Log  451
  Working with ODBC Logs  453
  Preparing for ODBC Logging  454
  Configuring a System Data Source Name for ODBC Logging  454
  Configuring an ODBC Log  455
  Remote Logging  458
  About Remote Logging  458
  Implementing Centralized Remote Logging  459
  Remote Logging Options  460
  Enabling and Configuring Remote Logging  461
  Disabling Remote Logging  463
  Service Logs  463
  Services Logged  464
  Configuring Service Logs  465

Administrators and Administrative Policy  467
  Administrator Accounts  467
  About Administrator Accounts  468
  Administrator Privileges  469
  Adding an Administrator Account  472
  Editing an Administrator Account  473
  Unlocking a Locked Out Administrator Account  476
  Deleting an Administrator Account  477
  Access Policy  477
  Access Policy Options  478
  Setting Up Access Policy  480
  Session Policy  482
  Session Policy Options  482
  Setting Up Session Policy  483
  Audit Policy  484

User Databases  485
  CiscoSecure User Database  486
  About the CiscoSecure User Database  486
  User Import and Creation  487
  About External User Databases  488
  Authenticating with External User Databases  489
  External User Database Authentication Process  490
  Windows User Database  491
  What's Supported with Windows User Databases  492
  Authentication with Windows User Databases  493
  Trust Relationships  493
  Windows Dial-up Networking Clients  494
  Windows Dial-up Networking Clients with a Domain Field  494
  Windows Dial-up Networking Clients without a Domain Field  495
  Usernames and Windows Authentication  495
  Username Formats and Windows Authentication  495
  Non-domain-qualified Usernames  497
  Domain-Qualified Usernames  498
  UPN Usernames  498
  EAP and Windows Authentication  499
  EAP-TLS Domain Stripping  500
  Machine Authentication  500
  Machine Access Restrictions  503
  Microsoft Windows and Machine Authentication  504
  Enabling Machine Authentication  506
  User-Changeable Passwords with Windows User Databases  509
  Preparing Users for Authenticating with Windows  510
  Windows User Database Configuration Options  510
  Configuring a Windows External User Database  514
  Generic LDAP  516
  CiscoSecure ACS Authentication Process with a Generic LDAP User Database  517
  Multiple LDAP Instances  517
  LDAP Organizational Units and Groups  518
  Domain Filtering  518
  LDAP Failover  520
  Successful Previous Authentication with the Primary LDAP Server  520
  Unsuccessful Previous Authentication with the Primary LDAP Server  521
  LDAP Configuration Options  521
  Configuring a Generic LDAP External User Database  527
  Novell NDS Database  533
  About Novell NDS User Databases  534
  User Contexts  535
  Novell NDS External User Database Options  536
  Configuring a Novell NDS External User Database  537
  ODBC Database  539
  What is Supported with ODBC User Databases  541
  CiscoSecure ACS Authentication Process with an ODBC External User Database  542
  Preparing to Authenticate Users with an ODBC-Compliant Relational Database  543
  Implementation of Stored Procedures for ODBC Authentication  544
  Type Definitions  545
  Microsoft SQL Server and Case-Sensitive Passwords  545
  Sample Routine for Generating a PAP Authentication SQL Procedure  546
  Sample Routine for Generating an SQL CHAP Authentication Procedure  547
  Sample Routine for Generating an EAP-TLS Authentication Procedure  548
  PAP Authentication Procedure Input  548
  PAP Procedure Output  549
  CHAP/MS-CHAP/ARAP Authentication Procedure Input  550
  CHAP/MS-CHAP/ARAP Procedure Output  550
  EAP-TLS Authentication Procedure Input  551
  EAP-TLS Procedure Output  552
  Result Codes  553
  Configuring a System Data Source Name for an ODBC External User Database  554
  Configuring an ODBC External User Database  555
  LEAP Proxy RADIUS Server Database  559
  Configuring a LEAP Proxy RADIUS Server External User Database  560
  Token Server User Databases  562
  About Token Servers and CiscoSecure ACS  562
  Token Servers and ISDN  563
  RADIUS-Enabled Token Servers  563
  About RADIUS-Enabled Token Servers  564
  Token Server RADIUS Authentication Request and Response Contents  564
  Configuring a RADIUS Token Server External User Database  565
  RSA SecurID Token Servers  568
  Configuring an RSA SecurID Token Server External User Database  569
  Deleting an External User Database Configuration  570

Network Admission Control  573
  About Network Admission Control  573
  NAC AAA Components  574
  Posture Validation  575
  Posture Tokens  576
  Non-Responsive NAC-Client Computers  577
  Implementing Network Admission Control  577
  NAC Databases  582
  About NAC Databases  582
  About NAC Credentials and Attributes  583
  NAC Database Configuration Options  584
  Policy Selection Options  585
  Configuring a NAC Database  586
  NAC Policies  588
  Local Policies  589
  About Local Policies  590
  About Rules, Rule Elements, and Attributes  591
  NAC Attribute Data Types  591
  Rule Operators  592
  Local Policy Configuration Options  594
  Rule Configuration Options  596
  Creating a Local Policy  597
  External Policies  600
  About External Policies  600
  External Policy Configuration Options  601
  Creating an External Policy  604
  Editing a Policy  606
  Deleting a Policy  608

Unknown User Policy  611
  Known, Unknown, and Discovered Users  612
  Authentication and Unknown Users  614
  About Unknown User Authentication  614
  General Authentication of Unknown Users  615
  Windows Authentication of Unknown Users  616
  Domain-Qualified Unknown Windows Users  616
  Windows Authentication with Domain Qualification  617
  Multiple User Account Creation  618
  Performance of Unknown User Authentication  618
  Added Authentication Latency  619
  Authentication Timeout Value on AAA clients  619
  Posture Validation and the Unknown User Policy  620
  NAC and the Unknown User Policy  620
  Posture Validation Use of the Unknown User Policy  621
  Required Use for Posture Validation  622
  Authorization of Unknown Users  623
  Unknown User Policy Options  623
  Database Search Order  624
  Configuring the Unknown User Policy  626
  Disabling Unknown User Authentication  627

User Group Mapping and Specification  629
  About User Group Mapping and Specification  629
  Group Mapping by External User Database  630
  Creating a CiscoSecure ACS Group Mapping for a Token Server, ODBC Database, or LEAP Proxy RADIUS...  631
  Group Mapping by Group Set Membership  632
  Group Mapping Order  633
  No Access Group for Group Set Mappings  633
  Default Group Mapping for Windows  634
  Windows Group Mapping Limitations  634
  Creating a CiscoSecure ACS Group Mapping for Windows, Novell NDS, or Generic LDAP Groups  635
  Editing a Windows, Novell NDS, or Generic LDAP Group Set Mapping  637
  Deleting a Windows, Novell NDS, or Generic LDAP Group Set Mapping  638
  Deleting a Windows Domain Group Mapping Configuration  639
  Changing Group Set Mapping Order  640
  NAC Group Mapping  641
  Configuring NAC Group Mapping  641
  RADIUS-Based Group Specification  642

Troubleshooting  645
  Administration Issues  646
  Browser Issues  648
  Cisco IOS Issues  649
  Database Issues  651
  Dial-in Connection Issues  654
  Debug Issues  658
  Proxy Issues  659
  Installation and Upgrade Issues  660
  MaxSessions Issues  660
  Report Issues  661
  Third-Party Server Issues  663
  User Authentication Issues  664

TACACS+ and RADIUS Attribute Issues  666
  TACACS+ Attribute-Value Pairs  667
  Cisco IOS AV Pair Dictionary  667
  TACACS+ AV Pairs  668
  TACACS+ Accounting AV Pairs  670
  RADIUS Attributes  673
  Cisco IOS Dictionary of RADIUS AV Pairs  674
  Cisco IOS/PIX Dictionary of RADIUS VSAs  677
  About the cisco-av-pair RADIUS Attribute  679
  Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs  681
  Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs  685
  Cisco Building Broadband Service Manager Dictionary of RADIUS VSA  686
  IETF Dictionary of RADIUS AV Pairs  686
  Microsoft MPPE Dictionary of RADIUS VSAs  700
  Ascend Dictionary of RADIUS AV Pairs  703
  Nortel Dictionary of RADIUS VSAs  715
  Juniper Dictionary of RADIUS VSAs  716

CSUtil Database Utility  717
  Location of CSUtil.exe and Related Files  718
  CSUtil.exe Syntax  718
  CSUtil.exe Options  719
  Displaying Command-Line Syntax  721
  Backing Up CiscoSecure ACS with CSUtil.exe  722
  Restoring CiscoSecure ACS with CSUtil.exe  723
  Creating a CiscoSecure User Database  724
  Creating a CiscoSecure ACS Database Dump File  726
  Loading the CiscoSecure ACS Database from a Dump File  727
  Compacting the CiscoSecure User Database  728
  User and AAA Client Import Option  730
  Importing User and AAA Client Information  731
  User and AAA Client Import File Format  732
  About User and AAA Client Import File Format  733
  ONLINE or OFFLINE Statement  733
  ADD Statements  734
  UPDATE Statements  735
  DELETE Statements  737
  ADD_NAS Statements  737
  DEL_NAS Statements  739
  Import File Example  740
  Exporting User List to a Text File  740
  Exporting Group Information to a Text File  741
  Exporting Registry Information to a Text File  742
  Decoding Error Numbers  743
  Recalculating CRC Values  744
  User-Defined RADIUS Vendors and VSA Sets  744
  About User-Defined RADIUS Vendors and VSA Sets  745
  Adding a Custom RADIUS Vendor and VSA Set  745
  Deleting a Custom RADIUS Vendor and VSA Set  747
  Listing Custom RADIUS Vendors  748
  Exporting Custom RADIUS Vendor and VSA Sets  749
  RADIUS Vendor/VSA Import File  750
  About the RADIUS Vendor/VSA Import File  750
  Vendor and VSA Set Definition  751
  Attribute Definition  752
  Enumeration Definition  754
  Example RADIUS Vendor/VSA Import File  755
  PAC File Generation  756
  PAC File Options and Examples  757
  Generating PAC Files  759
  Posture Validation Attributes  760
  Posture Validation Attribute Definition File  760
  Exporting Posture Validation Attribute Definitions  764
  Importing Posture Validation Attribute Definitions  765
  Deleting a Posture Validation Attribute Definition  767
  Default Posture Validation Attribute Definition File  768

VPDN Processing  781
  VPDN Process  781

RDBMS Synchronization Import Definitions  787
  accountActions Specification  787
  accountActions Format  788
  accountActions Mandatory Fields  789
  accountActions Processing Order  790
  Action Codes  790
  Action Codes for Setting and Deleting Values  791
  Action Codes for Creating and Modifying User Accounts  793
  Action Codes for Initializing and Modifying Access Filters  800
  Action Codes for Modifying TACACS+ and RADIUS Group and User Settings  805
  Action Codes for Modifying Network Configuration  811
  CiscoSecure ACS Attributes and Action Codes  818
  User-Specific Attributes  818
  User-Defined Attributes  820
  Group-Specific Attributes  821
  An Example of accountActions  822

Internal Architecture  825
  Windows Services  825
  Windows Registry  826
  CSAdmin  826
  CSAuth  827
  CSDBSync  828
  CSLog  828
  CSMon  828
  Monitoring  829
  Recording  830
  Notification  831
  Response  831
  CSTacacs and CSRadius  832

Index  833

Size: 6.62 MB
Pages: 860
Language: English