User Guide

Contents

Preface ........ 27
Document Objectives ........ 27
Who Should Read This Guide ........ 27
How This Guide is Organized ........ 28
Conventions Used in This Guide ........ 30
Related Documentation ........ 31
Obtaining Documentation ........ 32
World Wide Web ........ 32
Documentation CD-ROM ........ 32
Ordering Documentation ........ 32
Documentation Feedback ........ 33
Obtaining Technical Assistance ........ 33
Cisco.com ........ 33
Technical Assistance Center ........ 34
Cisco TAC Web Site ........ 34
Cisco TAC Escalation Center ........ 35

Overview of CiscoSecureACS ........ 37
The CiscoSecureACS Paradigm ........ 37
CiscoSecureACS Specifications ........ 38
System Performance Specifications ........ 39
CiscoSecureACS Windows Services ........ 39
AAA Server Functions and Concepts ........ 40
CiscoSecureACS and the AAA Client ........ 41
AAA Protocols—TACACS+ and RADIUS ........ 41
TACACS+ ........ 42
RADIUS ........ 42
Authentication ........ 43
Authentication Considerations ........ 44
Authentication and User Databases ........ 44
Passwords ........ 46
Comparing PAP, CHAP, and ARAP ........ 47
MS-CHAP ........ 47
Basic Password Configurations ........ 48
Advanced Password Configurations ........ 48
Password Aging ........ 49
User-Changeable Passwords ........ 50
Other Authentication-Related Features ........ 50
Authorization ........ 51
Max Sessions ........ 52
Dynamic Usage Quotas ........ 52
Other Authorization-Related Features ........ 53
Accounting ........ 53
Other Accounting-Related Features ........ 54
Administration ........ 54
HTTP Port Allocation for Remote Administrative Sessions ........ 55
Network Device Groups ........ 56
Other Administration-Related Features ........ 56

CiscoSecureACS HTML Interface ........ 57
About the CiscoSecureACS HTML Interface ........ 57
HTML Interface Layout ........ 58
Uniform Resource Locator for the HTML Interface ........ 60
Network Environments and Remote Administrative Sessions ........ 60
Remote Administrative Sessions and HTTP Proxy ........ 60
Remote Administrative Sessions through Firewalls ........ 61
Remote Administrative Sessions through a NAT Gateway ........ 61
Accessing the HTML Interface ........ 62
Logging Off the HTML Interface ........ 62
Online Help and Online Documentation ........ 63
Using Online Help ........ 63
Using the Online Documentation ........ 64

Deploying CiscoSecureACS ........ 67
Basic Deployment Requirements for CiscoSecureACS ........ 68
System Requirements ........ 68
Hardware Requirements ........ 68
Operating System Requirements ........ 69
Third-Party Software Requirements ........ 69
Network Requirements ........ 70
Basic Deployment Factors for CiscoSecureACS ........ 70
Network Topology ........ 71
Dial-Up Topology ........ 71
Wireless Network ........ 74
Remote Access using VPN ........ 77
Remote Access Policy ........ 79
Security Policy ........ 80
Administrative Access Policy ........ 80
Separation of Administrative and General Users ........ 82
Database ........ 83
Number of Users ........ 83
Type of Database ........ 83
Network Speed and Reliability ........ 84
Suggested Deployment Sequence ........ 84

Setting Up the CiscoSecureACS HTML Interface ........ 89
Interface Design Concepts ........ 90
User-to-Group Relationship ........ 90
Per-User or Per-Group Features ........ 90
User Data Configuration Options ........ 91
Defining New User Data Fields ........ 91
Advanced Options ........ 92
Setting Advanced Options for the CiscoSecureACS User Interface ........ 94
Protocol Configuration Options for TACACS+ ........ 95
Setting Options for TACACS+ ........ 97
Protocol Configuration Options for RADIUS ........ 98
Setting Protocol Configuration Options for (IETF) RADIUS ........ 100
Setting Protocol Configuration Options for RADIUS (Cisco IOS/PIX) ........ 102
Setting Protocol Configuration Options for RADIUS (Ascend) ........ 102
Setting Protocol Configuration Options for RADIUS (CiscoVPN3000) ........ 103
Setting Protocol Configuration Options for RADIUS (CiscoVPN5000) ........ 104
Setting Protocol Configuration Options for RADIUS (Microsoft) ........ 105
Setting Protocol Configuration Options for RADIUS (Nortel) ........ 106
Setting Protocol Configuration Options for RADIUS (Juniper) ........ 107
Setting Protocol Configuration Options for RADIUS (Cisco BBSM) ........ 108

Setting Up and Managing Network Configuration ........ 109
About Distributed Systems ........ 110
AAA Servers in Distributed Systems ........ 111
Default Distributed System Settings ........ 111
Proxy in Distributed Systems ........ 112
Fallback on Failed Connection ........ 113
Character String ........ 114
Stripping ........ 114
Proxy in an Enterprise ........ 114
Remote Use of Accounting Packets ........ 115
Other Features Enabled by System Distribution ........ 116
AAA Client Configuration ........ 116
Adding and Configuring a AAA Client ........ 117
Editing an Existing AAA Client ........ 120
Deleting a AAA Client ........ 122
AAA Server Configuration ........ 123
Adding and Configuring a AAA Server ........ 124
Editing a AAA Server Configuration ........ 126
Deleting a AAA Server ........ 128
Network Device Group Configuration ........ 128
Adding a Network Device Group ........ 129
Assigning an Unassigned AAA Client or AAA Server to an NDG ........ 130
Reassigning a AAA Client or AAA Server to an NDG ........ 131
Renaming a Network Device Group ........ 131
Deleting a Network Device Group ........ 132
Proxy Distribution Table Configuration ........ 133
About the Proxy Distribution Table ........ 133
Adding a New Proxy Distribution Table Entry ........ 134
Sorting the Character String Match Order of Distribution Entries ........ 136
Editing a Proxy Distribution Table Entry ........ 136
Deleting a Proxy Distribution Table Entry ........ 137

Setting Up and Managing Shared Profile Components ........ 139
Downloadable PIX ACLs ........ 140
About Downloadable PIX ACLs ........ 140
Downloadable PIX ACL Configuration ........ 141
Adding a Downloadable PIX ACL ........ 141
Editing a Downloadable PIX ACL ........ 142
Deleting a Downloadable PIX ACL ........ 143
Network Access Restrictions ........ 144
About Network Access Restrictions ........ 144
Shared Network Access Restrictions Configuration ........ 145
Adding a Shared Network Access Restriction ........ 146
Editing a Shared Network Access Restriction ........ 148
Deleting a Shared Network Access Restriction ........ 150
Command Authorization Sets ........ 150
About Command Authorization Sets ........ 151
About Pattern Matching ........ 152
Command Authorization Sets Configuration ........ 152
Adding a Command Authorization Set ........ 153
Editing a Command Authorization Set ........ 155
Deleting a Command Authorization Set ........ 155

Setting Up and Managing User Groups ........ 157
User Group Setup Features and Functions ........ 158
Default Group ........ 158
Group TACACS+ Settings ........ 158
Common User Group Settings ........ 159
Enabling VoIP Support for a User Group ........ 160
Setting Default Time of Day Access for a User Group ........ 161
Setting Callback Options for a User Group ........ 162
Setting Network Access Restrictions for a User Group ........ 163
Setting Max Sessions for a User Group ........ 167
Setting Usage Quotas for a User Group ........ 169
Configuration-specific User Group Settings ........ 171
Setting Token Card Settings for a User Group ........ 173
Setting Enable Privilege Options for a User Group ........ 174
Enabling Password Aging for the CiscoSecure User Database ........ 176
Varieties of Password Aging Supported by CiscoSecureACS ........ 176
Password Aging Feature Settings ........ 177
Enabling Password Aging for Users in Windows Databases ........ 181
Setting IP Address Assignment Method for a User Group ........ 182
Assigning a Downloadable PIX ACL to a Group ........ 183
Configuring TACACS+ Settings for a User Group ........ 184
Configuring a Shell Command Authorization Set for a User Group ........ 186
Configuring a PIX Command Authorization Set for a User Group ........ 188
Configuring IETF RADIUS Settings for a User Group ........ 190
Configuring Cisco IOS/PIX RADIUS Settings for a User Group ........ 192
Configuring Ascend RADIUS Settings for a User Group ........ 193
Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a User Group ........ 194
Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group ........ 195
Configuring Microsoft RADIUS Settings for a User Group ........ 197
Configuring Nortel RADIUS Settings for a User Group ........ 198
Configuring Juniper RADIUS Settings for a User Group ........ 200
Configuring Cisco BBSM RADIUS Settings for a User Group ........ 201
Configuring Custom RADIUS VSA Settings for a User Group ........ 202
Group Setting Management ........ 204
Listing Users in a User Group ........ 204
Resetting Usage Quota Counters for a User Group ........ 205
Renaming a User Group ........ 205
Saving Changes to User Group Settings ........ 206

Setting Up and Managing User Accounts ........ 207
User Setup Features and Functions ........ 208
About User Databases ........ 209
Basic User Setup Options ........ 210
Adding a Basic User Account ........ 211
Setting Supplementary User Information ........ 213
Setting a Separate CHAP/MS-CHAP/ARAP Password ........ 214
Assigning a User to a Group ........ 215
Setting User Callback Option ........ 216
Assigning a User to a Client IP Address ........ 217
Setting Network Access Restrictions for a User ........ 218
Setting Max Sessions Options for a User ........ 223
Setting User Usage Quotas Options ........ 225
Setting Options for User Account Disablement ........ 227
Assigning a PIX ACL to a User ........ 228
Advanced User Authentication Settings ........ 229
TACACS+ Settings (User) ........ 230
Configuring TACACS+ Settings for a User ........ 230
Configuring a Shell Command Authorization Set for a User ........ 232
Configuring a PIX Command Authorization Set for a User ........ 235
Configuring the Unknown Service Setting for a User ........ 237
Advanced TACACS+ Settings (User) ........ 237
Setting Enable Privilege Options for a User ........ 238
Setting TACACS+ Enable Password Options for a User ........ 240
Setting TACACS+ Outbound Password for a User ........ 241
RADIUS Attributes ........ 242
Setting IETF RADIUS Parameters for a User ........ 243
Setting Cisco IOS/PIX RADIUS Parameters for a User ........ 244
Setting Ascend RADIUS Parameters for a User ........ 245
Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User ........ 247
Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User ........ 248
Setting Microsoft RADIUS Parameters for a User ........ 250
Setting Nortel RADIUS Parameters for a User ........ 251
Setting Juniper RADIUS Parameters for a User ........ 253
Setting BBSM RADIUS Parameters for a User ........ 254
Setting Custom RADIUS Attributes for a User ........ 255
User Management ........ 257
Listing All Users ........ 257
Finding a User ........ 258
Disabling a User Account ........ 259
Deleting a User Account ........ 260
Resetting User Session Quota Counters ........ 261
Resetting a User Account after Login Failure ........ 261
Saving User Settings ........ 262

Establishing CiscoSecureACS System Configuration ........ 263
Service Control ........ 264
Determining the Status of CiscoSecureACS Services ........ 264
Stopping, Starting, or Restarting Services ........ 264
Logging ........ 265
Date Format Control ........ 265
Setting the Date Format ........ 266
Password Validation ........ 266
Setting Password Validation Options ........ 267
CiscoSecure Database Replication ........ 268
About CiscoSecure Database Replication ........ 268
Replication Process ........ 270
Replication Frequency ........ 272
Important Implementation Considerations ........ 272
Database Replication Versus Database Backup ........ 273
Database Replication Logging ........ 274
Replication Options ........ 275
Replication Components Options ........ 275
Replication Scheduling Options ........ 276
Replication Partners Options ........ 277
Implementing Primary and Secondary Replication Setups on CiscoSecureACS Servers ........ 278
Configuring a Secondary CiscoSecureACS Server ........ 279
Replicating Immediately ........ 280
Scheduling Replication ........ 282
Disabling CiscoSecure Database Replication ........ 285
Database Replication Event Error Alert Notification ........ 285
RDBMS Synchronization ........ 286
About RDBMS Synchronization ........ 286
RDBMS Synchronization Components ........ 287
About CSDBSync ........ 287
About the accountActions Table ........ 288
CiscoSecureACS Database Recovery Using the accountActions Table ........ 290
Reports and Event (Error) Handling ........ 291
Preparing to Use RDBMS Synchronization ........ 291
Considerations for Using CSV-Based Synchronization ........ 292
Preparing for CSV-Based Synchronization ........ 293
Configuring a System Data Source Name for RDBMS Synchronization ........ 294
RDBMS Synchronization Options ........ 295
RDBMS Setup Options ........ 296
Synchronization Scheduling Options ........ 296
Synchronization Partners Options ........ 297
Performing RDBMS Synchronization Immediately ........ 297
Scheduling RDBMS Synchronization ........ 299
Disabling Scheduled RDBMS Synchronizations ........ 301
CiscoSecureACS Backup ........ 302
About CiscoSecureACS Backup ........ 302
Backup File Locations ........ 303
Directory Management ........ 303
Components Backed Up ........ 303
Reports of CiscoSecureACS Backups ........ 304
Performing a Manual CiscoSecureACS Backup ........ 304
Scheduling CiscoSecureACS Backups ........ 305
Disabling Scheduled CiscoSecureACS Backups ........ 306
CiscoSecureACS System Restore ........ 307
About CiscoSecureACS System Restore ........ 307
Backup File Names and Locations ........ 307
Components Restored ........ 309
Reports of CiscoSecureACS Restorations ........ 309
Restoring CiscoSecureACS from a Backup File ........ 309
CiscoSecureACS Active Service Management ........ 310
System Monitoring ........ 311
System Monitoring Options ........ 311
Setting Up System Monitoring ........ 312
Event Logging ........ 313
Setting Up Event Logging ........ 313
IP Pools Server ........ 314
Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges ........ 315
Refreshing the AAA Server IP Pools Table ........ 317
Adding a New IP Pool ........ 317
Editing an IP Pool Definition ........ 318
Resetting an IP Pool ........ 319
Deleting an IP Pool ........ 320
IP Pools Address Recovery ........ 321
Enabling IP Pool Address Recovery ........ 321
VoIP Accounting Configuration ........ 322
Configuring VoIP Accounting ........ 323
CiscoSecureACS Certificate Setup ........ 323
Background on Certification ........ 324
EAP-TLS Setup Overview ........ 325
Requirements for Certificate Enrollment ........ 325
Generating a Request for a Certificate ........ 326
Installing CiscoSecureACS Certification with Manual Enrollment ........ 328
Installing CiscoSecureACS Certification with Automatic Enrollment ........ 330
Performing CiscoSecureACS Certification Update or Replacement ........ 331
Certification Authority Setup ........ 332
Trust Requirements and Models ........ 333
Editing the Certificate Trust List ........ 334
Adding a New CA Certificate to Local Certificate Storage ........ 334
Global Authentication Setup ........ 335

Working with Logging and Reports ........ 337
Logging Formats ........ 337
Special Logging Attributes ........ 338
Update Packets In Accounting Logs ........ 339
About CiscoSecureACS Logs and Reports ........ 340
Accounting Logs ........ 340
TACACS+ Accounting Log ........ 341
TACACS+ Administration Log ........ 342
RADIUS Accounting Log ........ 343
VoIP Accounting Log ........ 344
Failed Attempts Log ........ 345
Passed Authentications Log ........ 346
Dynamic CiscoSecureACS Administration Reports ........ 346
Logged-In Users Report ........ 347
Viewing the Logged-in Users Report ........ 347
Deleting Logged-in Users ........ 348
Disabled Accounts Report ........ 350
Viewing the Disabled Accounts Report ........ 350
CiscoSecureACS System Logs ........ 351
ACS Backup and Restore Log ........ 351
RDBMS Synchronization Log ........ 352
Database Replication Log ........ 352
Administration Audit Log ........ 353
Configuring the Administration Audit Log ........ 353
ACS Service Monitoring Log ........ 354
Working with CSV Logs ........ 355
CSV Log File Names ........ 355
Enabling or Disabling a CSV Log ........ 355
Viewing a CSV Report ........ 356
Configuring a CSV Log ........ 358
Working with ODBC Logs ........ 361
Preparing to Use ODBC Logging ........ 361
Configuring a System Data Source Name for ODBC Logging ........ 362
Configuring an ODBC Log ........ 363
Remote Logging ........ 365
About Remote Logging ........ 366
Remote Logging Options ........ 367
Configuring a Central Logging Server ........ 367
Enabling and Configuring Remote Logging ........ 368
Disabling Remote Logging ........ 369
Service Logs ........ 370
Services Logged ........ 370
Configuring Service Logs ........ 371

Setting Up and Managing Administrators and Policy ........ 375
Administrator Accounts ........ 375
Administrator Privileges ........ 376
Adding an Administrator Account ........ 380
Editing an Administrator Account ........ 381
Deleting an Administrator Account ........ 383
Access Policy ........ 384
Access Policy Options ........ 384
Setting Up Access Policy ........ 386
Session Policy ........ 387
Session Policy Options ........ 387
Setting Up Session Policy ........ 388
Audit Policy ........ 390

Working with User Databases ........ 391
CiscoSecure User Database ........ 392
About External User Databases ........ 394
Authenticating with External User Databases ........ 395
Windows NT/2000 User Database ........ 396
The CiscoSecureACS Authentication Process with Windows NT/2000 User Databases ........ 397
Trust Relationships ........ 398
Windows Dial-up Networking Clients ........ 399
About the Windows NT/2000 Dial-up Networking Client ........ 399
About the Windows 95/98/Millennium Edition Dial-up Networking Client ........ 400
Windows NT/2000 Authentication ........ 400
User-Changeable Passwords with Windows NT/2000 User Databases ........ 402
Preparing Users for Authenticating with WindowsNT/2000 ........ 402
Configuring a WindowsNT/2000 External User Database ........ 403
Generic LDAP ........ 404
CiscoSecureACS Authentication Process with a Generic LDAP User Database ........ 405
Multiple LDAP Instances ........ 406
LDAP Organizational Units and Groups ........ 407
Directed Authentications ........ 407
LDAP Failover ........ 407
Successful Previous Authentication with the Primary LDAP Server ........ 408
Unsuccessful Previous Authentication with the Primary LDAP Server ........ 408
Configuring a Generic LDAP External User Database ........ 409
Novell NDS Database ........ 414
User Contexts ........ 415
Novell NDS External User Database Options ........ 417
Configuring a Novell NDS External User Database ........ 418
ODBC Database ........ 420
CiscoSecureACS Authentication Process with an ODBC External User Database ........ 421
Preparing to Authenticate Users with an ODBC-Compliant Relational Database ........ 422
Implementation of Stored Procedures for ODBC Authentication ........ 423
Type Definitions ........ 424
Microsoft SQL Server and Case-Sensitive Passwords ........ 424
Sample Routine for Generating a PAP Authentication SQL Procedure ........ 425
Sample Routine for Generating an SQL CHAP Authentication Procedure ........ 426
PAP Authentication Procedure Input ........ 426
PAP Procedure Output ........ 427
CHAP/MS-CHAP/ARAP Authentication Procedure Input ........ 428
CHAP/MS-CHAP/ARAP Procedure Output ........ 428
Result Codes ........ 429
Configuring a System Data Source Name for an ODBC External User Database ........ 430
Configuring an ODBC External User Database ........ 431
LEAP Proxy RADIUS Server Database ........ 434
Configuring a LEAP Proxy RADIUS Server External User Database ........ 435
Token Server User Databases ........ 437
About Token Servers and CiscoSecureACS ........ 438
Token Servers and ISDN ........ 438
RADIUS-Enabled Token Servers ........ 439
About RADIUS-Enabled Token Servers ........ 439
Token Server RADIUS Authentication Request and Response Contents ........ 440
Configuring a RADIUS Token Server External User Database ........ 440
Token Servers with Vendor-Proprietary Interfaces ........ 443
About Token Servers with Proprietary Interfaces ........ 443
Configuring a SafeWord Token Server External User Database ........ 443
Configuring an AXENT Token Server External User Database ........ 445
Configuring an RSA SecurID Token Server External User Database ........ 446
Deleting an External User Database Configuration ........ 448

Administering External User Databases ........ 451
Unknown User Processing ........ 451
Known, Unknown, and Cached Users ........ 452
General Authentication Request Handling and Rejection Mode ........ 453
Authentication Request Handling and Rejection Mode with the WindowsNT/2000 User Database ........ 454
Windows Authentication with a Domain Specified ........ 454
Windows Authentication with Domain Omitted ........ 455
Performance of Unknown User Authentication ........ 456
Added Latency ........ 456
Authentication Timeout Value on AAA clients ........ 456
Network Access Authorization ........ 457
Unknown User Policy ........ 457
Database Search Order ........ 458
Configuring the Unknown User Policy ........ 458
Turning off External User Database Authentication ........ 459
Database Group Mappings ........ 460
Group Mapping by External User Database ........ 460
Creating a CiscoSecureACS Group Mapping for a Token Server, ODBC Database, or LEAP Proxy RADIUS... ........ 462
Group Mapping by Group Set Membership ........ 463
Group Mapping Order ........ 463
No Access Group for Group Set Mappings ........ 464
Default Group Mapping for Windows NT/2000 ........ 464
Creating a CiscoSecureACS Group Mapping for WindowsNT/2000, Novell NDS, or Generic LDAP Groups ........ 465
Editing a WindowsNT/2000, Novell NDS, or Generic LDAP Group Set Mapping ........ 467
Deleting a WindowsNT/2000, Novell NDS, or Generic LDAP Group Set Mapping ........ 468
Deleting a WindowsNT/2000 Domain Group Mapping Configuration ........ 469
Changing Group Set Mapping Order ........ 470
RADIUS-Based Group Specification ........ 471

Troubleshooting Information for CiscoSecureACS ........ 473
Administration Issues ........ 474
Browser Issues ........ 475
Cisco IOS Issues ........ 476
Database Issues ........ 477
Dial-in Connection Issues ........ 478
Debug Issues ........ 483
Proxy Issues ........ 484
Installation and Upgrade Issues ........ 485
MaxSessions Issues ........ 485
Report Issues ........ 486
Third-Party Server Issues ........ 487
PIX Firewall Issues ........ 488
User Authentication Issues ........ 488
TACACS+ and RADIUS Attribute Issues ........ 490
System Messages ........ 491
WindowsNT/2000 Event Log Service Startup Errors ........ 491
System Monitored Events ........ 492
Replication Messages ........ 496
Failed Attempts Messages ........ 499

TACACS+ Attribute-Value Pairs ........ 501
Cisco IOS Attribute-Value Pair Dictionary ........ 501
TACACS+ AV Pairs ........ 502
TACACS+ Accounting AV Pairs ........ 504

RADIUS Attributes ........ 507
CiscoIOS Dictionary of RADIUS AV Pairs ........ 508
CiscoIOS/PIX Dictionary of RADIUS VSAs ........ 510
CiscoVPN 3000 Concentrator Dictionary of RADIUS VSAs ........ 512
Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs ........ 515
Cisco Building Broadband Service Manager Dictionary of RADIUS VSA ........ 515
Vendor-Proprietary IETF RADIUS AV Pairs ........ 516
IETF Dictionary of RADIUS AV Pairs ........ 518
RADIUS (IETF) Accounting AV Pairs ........ 522
Microsoft MPPE Dictionary of RADIUS VSAs ........ 524
Ascend Dictionary of RADIUS AV Pairs ........ 527
Nortel Dictionary of RADIUS VSAs ........ 535
Juniper Dictionary of RADIUS VSAs ........ 536

CiscoSecureACS Command-Line Database Utility ........ 537
Location of CSUtil.exe and Related Files ........ 538
CSUtil.exe Syntax ........ 538
CSUtil.exe Options ........ 539
Backing Up CiscoSecureACS with CSUtil.exe ........ 541
Restoring CiscoSecureACS with CSUtil.exe ........ 542
Creating a CiscoSecure User Database ........ 543
Creating a CiscoSecureACS Database Dump File ........ 545
Loading the CiscoSecureACS Database from a Dump File ........ 546
Compacting the CiscoSecure User Database ........ 547
User and AAA Client Import Option ........ 549
Importing User and AAA Client Information ........ 549
User and AAA Client Import File Format ........ 551
About User and AAA Client Import File Format ........ 551
ONLINE or OFFLINE Statement ........ 552
ADD Statements ........ 552
UPDATE Statements ........ 554
DELETE Statements ........ 556
ADD_NAS Statements ........ 556
DEL_NAS Statements ........ 558
Import File Examples ........ 558
Exporting User List to a Text File ........ 559
Exporting Group Information to a Text File ........ 560
Exporting Registry Information to a Text File ........ 561
Decoding Error Numbers ........ 561
Recalculating CRC Values ........ 562
User-Defined RADIUS Vendors and VSA Sets ........ 563
About User-Defined RADIUS Vendors and VSA Sets ........ 563
Adding a Custom RADIUS Vendor and VSA Set ........ 564
Deleting a Custom RADIUS Vendor and VSA Set ........ 565
Listing Custom RADIUS Vendors ........ 566
RADIUS Vendor/VSA Import File ........ 567
About the RADIUS Vendor/VSA Import File ........ 568
Vendor and VSA Set Definition ........ 569
Attribute Definition ........ 570
Enumeration Definition ........ 571
Example RADIUS Vendor/VSA Import File ........ 573

CiscoSecureACS and Virtual Private Dial-up Networks ........ 575
VPDN Process ........ 575

ODBC Import Definitions ........ 581
accountActions Table Specification ........ 581
accountActions Table Format ........ 582
accountActions Table Mandatory Fields ........ 583
accountActions Table Processing Order ........ 584
Action Codes ........ 585
Action Codes for Setting and Deleting Values ........ 585
Action Codes for Creating and Modifying User Accounts ........ 587
Action Codes for Initializing and Modifying Access Filters ........ 595
Action Codes for Modifying TACACS+ and RADIUS Group and User Settings ........ 600
Action Codes for Modifying Network Configuration ........ 607
Action Code for Deleting the CiscoSecure User Database ........ 611
CiscoSecureACS Attributes and Action Codes ........ 611
User-Specific Attributes ........ 611
User-Defined Attributes ........ 614
Group-Specific Attributes ........ 614
An Example accountActions Table ........ 616

CiscoSecureACS Internal Architecture ........ 619
WindowsNT/2000 Environment Overview ........ 620
WindowsNT/2000 Services ........ 620
WindowsNT/2000 Registry ........ 620
CiscoSecureACS Web Server ........ 620
CSAdmin ........ 621
CSAuth ........ 621
CSDBSync ........ 624
CSLog ........ 624
CSMon ........ 625
Monitoring ........ 625
Recording ........ 627
Sample Scripts ........ 628
Configuration ........ 628
CSTacacs and CSRadius ........ 629

Index ........ 631

Size: 5.1 MB
Pages: 654
Language: English