
User Guide for Cisco Secure ACS

Appliance
Version 3.2

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

Customer Order Number: DOC-7814698=


Text Part Number: 78-14698-02
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT
NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT
ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR
THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION
PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO
LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as
part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE
PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED
OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR
INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.

CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of
Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST,
BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press,
Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch,
Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MGX, MICA, the
Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, ScriptShare, SlideCast,
SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered
trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (0402R)

User Guide for Cisco Secure ACS Appliance


Copyright © 2004 Cisco Systems, Inc. All rights reserved.
CONTENTS

Preface xxiii
Objective xxiii
Audience xxiii
Organization xxiv
Conventions xxv
Related Documentation xxvii
Obtaining Documentation xxviii
Cisco.com xxviii
Ordering Documentation xxviii
Documentation Feedback xxix
Obtaining Technical Assistance xxix
Cisco TAC Website xxix
Opening a TAC Case xxx
TAC Case Priority Definitions xxx
Obtaining Additional Publications and Information xxxi

CHAPTER 1 Overview 1-1


The Cisco Secure ACS Paradigm 1-1
Cisco Secure ACS Specifications 1-2
System Performance Specifications 1-3
Cisco Secure ACS Services 1-4
AAA Server Functions and Concepts 1-4
Cisco Secure ACS and the AAA Client 1-5
AAA Protocols—TACACS+ and RADIUS 1-6

User Guide for Cisco Secure ACS Appliance, version 3.2


78-14698-02 iii
Contents

TACACS+ 1-6
RADIUS 1-6
Authentication 1-8
Authentication Considerations 1-8
Authentication and User Databases 1-9
Authentication Protocol-Database Compatibility 1-9
Passwords 1-10
Other Authentication-Related Features 1-16
Authorization 1-16
Max Sessions 1-17
Dynamic Usage Quotas 1-18
Shared Profile Components 1-18
Support for Cisco Device-Management Applications 1-18
Other Authorization-Related Features 1-20
Accounting 1-20
Other Accounting-Related Features 1-21
Administration 1-21
HTTP Port Allocation for Administrative Sessions 1-22
Network Device Groups 1-22
Other Administration-Related Features 1-23
Cisco Secure ACS HTML Interface 1-24
About the Cisco Secure ACS HTML Interface 1-24
HTML Interface Security 1-25
HTML Interface Layout 1-25
Uniform Resource Locator for the HTML Interface 1-27
Network Environments and Administrative Sessions 1-27
Administrative Sessions and HTTP Proxy 1-28
Administrative Sessions through Firewalls 1-28
Administrative Sessions through a NAT Gateway 1-29
Accessing the HTML Interface 1-29

Logging Off the HTML Interface 1-30
Online Help and Online Documentation 1-31
Using Online Help 1-31
Using the Online Documentation 1-31

CHAPTER 2 Deployment Considerations 2-1


Basic Deployment Requirements for Cisco Secure ACS 2-2
System Installation Requirements 2-2
Network and Port Requirements 2-2
Basic Deployment Factors for Cisco Secure ACS 2-3
Network Topology 2-4
Dial-Up Topology 2-4
Wireless Network 2-7
Remote Access using VPN 2-10
Remote Access Policy 2-12
Security Policy 2-13
Administrative Access Policy 2-13
Separation of Administrative and General Users 2-15
Database 2-16
Number of Users 2-16
Type of Database 2-16
Network Latency and Reliability 2-17
Suggested Deployment Sequence 2-17

CHAPTER 3 Interface Configuration 3-1


Interface Design Concepts 3-2
User-to-Group Relationship 3-2
Per-User or Per-Group Features 3-2
User Data Configuration Options 3-3

Defining New User Data Fields 3-3
Advanced Options 3-4
Setting Advanced Options for the Cisco Secure ACS User Interface 3-6
Protocol Configuration Options for TACACS+ 3-7
Setting Options for TACACS+ 3-9
Protocol Configuration Options for RADIUS 3-11
Setting Protocol Configuration Options for IETF RADIUS Attributes 3-16
Setting Protocol Configuration Options for Non-IETF RADIUS Attributes 3-17

CHAPTER 4 Network Configuration 4-1


About Network Configuration 4-2
About Distributed Systems 4-3
AAA Servers in Distributed Systems 4-3
Default Distributed System Settings 4-4
Proxy in Distributed Systems 4-4
Fallback on Failed Connection 4-6
Character String Stripping 4-6
Proxy in an Enterprise 4-7
Remote Use of Accounting Packets 4-7
Other Features Enabled by System Distribution 4-8
Network Device Searches 4-9
Network Device Search Criteria 4-9
Searching for Network Devices 4-10
AAA Client Configuration 4-11
AAA Client Configuration Options 4-12
Adding a AAA Client 4-17
Editing a AAA Client 4-20
Deleting a AAA Client 4-21

AAA Server Configuration 4-22
AAA Server Configuration Options 4-23
Adding a AAA Server 4-25
Editing a AAA Server 4-27
Deleting a AAA Server 4-28
Remote Agent Configuration 4-29
About Remote Agents 4-29
Remote Agent Configuration Options 4-30
Adding a Remote Agent 4-32
Editing a Remote Agent Configuration 4-34
Deleting a Remote Agent Configuration 4-35
Network Device Group Configuration 4-36
Adding a Network Device Group 4-37
Assigning an Unassigned AAA Client or AAA Server to an NDG 4-38
Reassigning a AAA Client or AAA Server to an NDG 4-39
Renaming a Network Device Group 4-39
Deleting a Network Device Group 4-40
Proxy Distribution Table Configuration 4-41
About the Proxy Distribution Table 4-42
Adding a New Proxy Distribution Table Entry 4-43
Sorting the Character String Match Order of Distribution Entries 4-44
Editing a Proxy Distribution Table Entry 4-45
Deleting a Proxy Distribution Table Entry 4-46

CHAPTER 5 Shared Profile Components 5-1


About Shared Profile Components 5-1
Downloadable IP ACLs 5-2
About Downloadable IP ACLs 5-2
Adding a Downloadable IP ACL 5-4

Editing a Downloadable IP ACL 5-5
Deleting a Downloadable IP ACL 5-6
Network Access Restrictions 5-7
About Network Access Restrictions 5-7
Adding a Shared Network Access Restriction 5-9
Editing a Shared Network Access Restriction 5-12
Deleting a Shared Network Access Restriction 5-14
Command Authorization Sets 5-15
About Command Authorization Sets 5-15
Command Authorization Sets Description 5-16
Command Authorization Sets Assignment 5-17
Case Sensitivity and Command Authorization 5-17
Arguments and Command Authorization 5-18
About Pattern Matching 5-19
Adding a Command Authorization Set 5-19
Editing a Command Authorization Set 5-22
Deleting a Command Authorization Set 5-23

CHAPTER 6 User Group Management 6-1


About User Group Setup Features and Functions 6-2
Default Group 6-2
Group TACACS+ Settings 6-2
Basic User Group Settings 6-3
Enabling VoIP Support for a User Group 6-4
Setting Default Time-of-Day Access for a User Group 6-5
Setting Callback Options for a User Group 6-6
Setting Network Access Restrictions for a User Group 6-7
Setting Max Sessions for a User Group 6-11
Setting Usage Quotas for a User Group 6-13

Configuration-specific User Group Settings 6-15
Setting Token Card Settings for a User Group 6-17
Setting Enable Privilege Options for a User Group 6-18
Enabling Password Aging for the CiscoSecure User Database 6-20
Enabling Password Aging for Users in Windows Databases 6-25
Setting IP Address Assignment Method for a User Group 6-27
Assigning a Downloadable IP ACL to a Group 6-28
Configuring TACACS+ Settings for a User Group 6-29
Configuring a Shell Command Authorization Set for a User Group 6-31
Configuring a PIX Command Authorization Set for a User Group 6-33
Configuring Device-Management Command Authorization for a User Group 6-35
Configuring IETF RADIUS Settings for a User Group 6-37
Configuring Cisco IOS/PIX RADIUS Settings for a User Group 6-38
Configuring Cisco Aironet RADIUS Settings for a User Group 6-39
Configuring Ascend RADIUS Settings for a User Group 6-41
Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a User Group 6-42
Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group 6-44
Configuring Microsoft RADIUS Settings for a User Group 6-45
Configuring Nortel RADIUS Settings for a User Group 6-47
Configuring Juniper RADIUS Settings for a User Group 6-49
Configuring BBSM RADIUS Settings for a User Group 6-50
Configuring Custom RADIUS VSA Settings for a User Group 6-51
Group Setting Management 6-52
Listing Users in a User Group 6-53
Resetting Usage Quota Counters for a User Group 6-53
Renaming a User Group 6-54
Saving Changes to User Group Settings 6-54

CHAPTER 7 User Management 7-1


About User Setup Features and Functions 7-1
Basic User Setup Options 7-2
Adding a Basic User Account 7-3
Setting Supplementary User Information 7-5
Setting a Separate CHAP/MS-CHAP/ARAP Password 7-6
Assigning a User to a Group 7-7
Setting User Callback Option 7-8
Assigning a User to a Client IP Address 7-9
Setting Network Access Restrictions for a User 7-10
Setting Max Sessions Options for a User 7-15
Setting User Usage Quotas Options 7-17
Setting Options for User Account Disablement 7-19
Assigning a Downloadable IP ACL to a User 7-20
Advanced User Authentication Settings 7-21
TACACS+ Settings (User) 7-22
Configuring TACACS+ Settings for a User 7-23
Configuring a Shell Command Authorization Set for a User 7-25
Configuring a PIX Command Authorization Set for a User 7-28
Configuring Device-Management Command Authorization for a User 7-29
Configuring the Unknown Service Setting for a User 7-31
Advanced TACACS+ Settings (User) 7-32
Setting Enable Privilege Options for a User 7-32
Setting TACACS+ Enable Password Options for a User 7-34
Setting TACACS+ Outbound Password for a User 7-36
RADIUS Attributes 7-36
Setting IETF RADIUS Parameters for a User 7-37
Setting Cisco IOS/PIX RADIUS Parameters for a User 7-38
Setting Cisco Aironet RADIUS Parameters for a User 7-39

Setting Ascend RADIUS Parameters for a User 7-41
Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User 7-43
Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User 7-45
Setting Microsoft RADIUS Parameters for a User 7-46
Setting Nortel RADIUS Parameters for a User 7-48
Setting Juniper RADIUS Parameters for a User 7-50
Setting BBSM RADIUS Parameters for a User 7-51
Setting Custom RADIUS Attributes for a User 7-52
User Management 7-53
Listing All Users 7-54
Finding a User 7-54
Disabling a User Account 7-55
Deleting a User Account 7-56
Resetting User Session Quota Counters 7-57
Resetting a User Account after Login Failure 7-57
Saving User Settings 7-59

CHAPTER 8 System Configuration: Basic 8-1


Service Control 8-2
Determining the Status of Cisco Secure ACS Services 8-2
Stopping, Starting, or Restarting Services 8-2
Logging 8-3
Date Format Control 8-3
Setting the Date Format 8-4
Local Password Management 8-5
Configuring Local Password Management 8-6
Cisco Secure ACS Backup 8-8
About Cisco Secure ACS Backup 8-8

Components Backed Up 8-9
Reports of Cisco Secure ACS Backups 8-9
Backup Options 8-9
Performing a Manual Cisco Secure ACS Backup 8-10
Scheduling Cisco Secure ACS Backups 8-11
Disabling Scheduled Cisco Secure ACS Backups 8-13
Cisco Secure ACS System Restore 8-13
About Cisco Secure ACS System Restore 8-14
Backup Filenames and Locations 8-14
Components Restored 8-15
Reports of Cisco Secure ACS Restorations 8-15
Restoring Cisco Secure ACS from a Backup File 8-15
Cisco Secure ACS Active Service Management 8-17
System Monitoring 8-18
System Monitoring Options 8-18
Setting Up System Monitoring 8-19
Event Logging 8-20
Setting Up Event Logging 8-20
VoIP Accounting Configuration 8-21
Configuring VoIP Accounting 8-21
Appliance Configuration 8-22
Setting the Cisco Secure ACS System Time and Date 8-22
Setting the Cisco Secure ACS Host and Domain Names 8-23
Support 8-24
Running Support 8-24
Monitoring System Information 8-26
Viewing or Downloading Diagnostic Logs 8-27
Appliance Upgrade Status 8-27
About Appliance Upgrades 8-28

Distribution Server Requirements 8-29
Upgrading an Appliance 8-30
Transferring an Upgrade Package to an Appliance 8-32
Applying an Upgrade 8-35

CHAPTER 9 System Configuration: Advanced 9-1


CiscoSecure Database Replication 9-1
About CiscoSecure Database Replication 9-2
Replication Process 9-4
Replication Frequency 9-7
Important Implementation Considerations 9-8
Database Replication Versus Database Backup 9-10
Database Replication Logging 9-11
Replication Options 9-11
Replication Components Options 9-11
Outbound Replication Options 9-12
Inbound Replication Options 9-14
Implementing Primary and Secondary Replication Setups on Cisco Secure ACSes 9-15
Configuring a Secondary Cisco Secure ACS 9-16
Replicating Immediately 9-18
Scheduling Replication 9-20
Disabling CiscoSecure Database Replication 9-23
Database Replication Event Errors 9-23
RDBMS Synchronization 9-24
About RDBMS Synchronization 9-24
Users 9-25
User Groups 9-26
Network Configuration 9-26
Custom RADIUS Vendors and VSAs 9-27

RDBMS Synchronization Components 9-27
About CSDBSync 9-28
About the accountActions File 9-28
Cisco Secure ACS Database Recovery Using the accountActions Table 9-28
Preparing to Use RDBMS Synchronization 9-29
RDBMS Synchronization Options 9-31
FTP Setup Options 9-31
Synchronization Scheduling Options 9-32
Synchronization Partners Options 9-32
Performing RDBMS Synchronization Immediately 9-32
Scheduling RDBMS Synchronization 9-34
Disabling Scheduled RDBMS Synchronizations 9-37
IP Pools Server 9-37
About IP Pools Server 9-38
Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges 9-39
Refreshing the AAA Server IP Pools Table 9-40
Adding a New IP Pool 9-40
Editing an IP Pool Definition 9-41
Resetting an IP Pool 9-42
Deleting an IP Pool 9-43
IP Pools Address Recovery 9-44
Enabling IP Pool Address Recovery 9-44

CHAPTER 10 System Configuration: Authentication and Certificates 10-1


About Certification and EAP Protocols 10-1
Digital Certificates 10-2
EAP-TLS Authentication 10-2
About the EAP-TLS Protocol 10-2
EAP-TLS and Cisco Secure ACS 10-3
EAP-TLS Limitations 10-5

Enabling EAP-TLS Authentication 10-5
PEAP Authentication 10-7
About the PEAP Protocol 10-7
PEAP and Cisco Secure ACS 10-8
PEAP and the Unknown User Policy 10-9
Enabling PEAP Authentication 10-10
EAP-FAST Authentication 10-11
About EAP-FAST 10-12
About Master Keys 10-13
About PACs 10-15
Master Key and PAC TTLs 10-19
Replication and EAP-FAST 10-20
Enabling EAP-FAST 10-23
Global Authentication Setup 10-25
Authentication Configuration Options 10-25
Configuring Authentication Options 10-32
Cisco Secure ACS Certificate Setup 10-33
Installing a Cisco Secure ACS Certificate 10-33
Adding a Certificate Authority Certificate 10-36
Editing the Certificate Trust List 10-38
Generating a Certificate Signing Request 10-39
Updating or Replacing a Cisco Secure ACS Certificate 10-40
EAP-FAST PAC Files Generation 10-41
PAC File Generation Options 10-42
Generating PAC Files 10-45

CHAPTER 11 Logs and Reports 11-1


Logging Formats 11-1
Special Logging Attributes 11-2

Update Packets in Accounting Logs 11-3
About Cisco Secure ACS Logs and Reports 11-4
Accounting Logs 11-5
Dynamic Administration Reports 11-7
Viewing the Logged-in Users Report 11-9
Deleting Logged-in Users 11-10
Viewing the Disabled Accounts Report 11-11
Viewing the Appliance Status Report 11-11
Cisco Secure ACS System Logs 11-12
Working with CSV Logs 11-13
CSV Log Size and Retention 11-13
Enabling or Disabling a CSV Log 11-13
Viewing a CSV Report 11-14
Configuring a CSV Log 11-15
Remote Logging 11-17
About Remote Logging 11-17
Implementing Centralized Remote Logging 11-18
Local Configuration of Remote Logging 11-19
Remote Logging Options 11-19
Enabling and Configuring Remote Logging 11-20
Disabling Remote Logging 11-22
Remote Agent Logging Configuration 11-22
Remote Agent Logging Options 11-22
Configuring Remote Agent Logs 11-23
Service Logs 11-25
Services Logged 11-26
Configuring Service Log Detail 11-27

CHAPTER 12 Administrators and Administrative Policy 12-1


Administrator Accounts 12-1
About Administrator Accounts 12-2
Administrator Privileges 12-3
Adding an Administrator Account 12-6
Editing an Administrator Account 12-8
Unlocking a Locked Out Administrator Account 12-10
Deleting an Administrator Account 12-11
Access Policy 12-11
Access Policy Options 12-12
Setting Up Access Policy 12-14
Session Policy 12-16
Session Policy Options 12-16
Setting Up Session Policy 12-17

CHAPTER 13 User Databases 13-1


CiscoSecure User Database 13-2
User Import and Creation 13-2
About External User Databases 13-3
Authenticating with External User Databases 13-5
External User Database Authentication Process 13-6
Windows User Database 13-6
What’s Supported with Windows User Databases 13-7
Authentication Process with Windows User Databases 13-8
Trust Relationships 13-9
Windows Dial-up Networking Clients 13-9
Windows Dial-up Networking Clients with a Domain Field 13-10
Windows Dial-up Networking Clients without a Domain Field 13-10
Windows Authentication 13-10

EAP and Windows Authentication 13-12
EAP-TLS Domain Stripping 13-13
Machine Authentication 13-13
Microsoft Windows and Machine Authentication 13-16
Machine Access Restrictions 13-18
Enabling Machine Authentication 13-19
User-Changeable Passwords with Windows User Databases 13-22
Preparing Users for Authenticating with Windows 13-23
Selecting Remote Agents for Windows Authentication 13-23
Windows Authentication Configuration Options 13-25
Configuring Windows Authentication 13-29
Generic LDAP 13-30
Cisco Secure ACS Authentication Process with a Generic LDAP User Database 13-31
Multiple LDAP Instances 13-31
LDAP Organizational Units and Groups 13-32
Domain Filtering 13-32
LDAP Failover 13-34
Successful Previous Authentication with the Primary LDAP Server 13-35
Unsuccessful Previous Authentication with the Primary LDAP Server 13-35
LDAP Configuration Options 13-36
Configuring a Generic LDAP External User Database 13-42
Downloading a Certificate Database 13-47
Novell NDS Database 13-49
About Novell NDS User Databases 13-49
User Contexts 13-50
Novell NDS External User Database Options 13-51
Configuring a Novell NDS External User Database 13-53
LEAP Proxy RADIUS Server Database 13-55

Configuring a LEAP Proxy RADIUS Server External User Database 13-56
Token Server User Databases 13-58
About Token Servers and Cisco Secure ACS 13-58
Token Servers and ISDN 13-59
Token Server RADIUS Authentication Request and Response Contents 13-60
Configuring a RADIUS Token Server External User Database 13-61
Deleting an External User Database Configuration 13-64

CHAPTER 14 Unknown User Policy 14-1


Unknown User Processing 14-2
Known, Unknown, and Discovered Users 14-2
General Authentication Request Handling and Rejection Mode 14-4
Authentication Request Handling and Rejection Mode with the Windows User Database 14-5
Windows Authentication with a Domain Specified 14-5
Windows Authentication with Domain Omitted 14-6
Performance of Unknown User Authentication 14-8
Added Latency 14-8
Authentication Timeout Value on AAA clients 14-8
Network Access Authorization 14-9
Unknown User Policy 14-9
Database Search Order 14-10
Configuring the Unknown User Policy 14-10
Turning off External User Database Authentication 14-11

CHAPTER 15 User Group Mapping and Specification 15-1


About User Group Mapping and Specification 15-1
Group Mapping by External User Database 15-2

Creating a Cisco Secure ACS Group Mapping for a Token Server or LEAP Proxy RADIUS Server Database 15-3
Group Mapping by Group Set Membership 15-4
Group Mapping Order 15-5
No Access Group for Group Set Mappings 15-5
Default Group Mapping for Windows 15-6
Creating a Cisco Secure ACS Group Mapping for Windows, Novell NDS, or Generic LDAP Groups 15-6
Editing a Windows, Novell NDS, or Generic LDAP Group Set Mapping 15-8
Deleting a Windows, Novell NDS, or Generic LDAP Group Set Mapping 15-10
Deleting a Windows Domain Group Mapping Configuration 15-11
Changing Group Set Mapping Order 15-11
RADIUS-Based Group Specification 15-13

APPENDIX A Troubleshooting A-1


Administration Issues A-2
Browser Issues A-4
Cisco IOS Issues A-5
Database Issues A-6
Dial-in Connection Issues A-8
Debug Issues A-12
Proxy Issues A-13
Installation and Upgrade Issues A-13
MaxSessions Issues A-14
Report Issues A-14
Third-Party Server Issues A-16
PIX Firewall Issues A-16
User Authentication Issues A-17

TACACS+ and RADIUS Attribute Issues A-18

APPENDIX B TACACS+ Attribute-Value Pairs B-1


Cisco IOS AV Pair Dictionary B-1
TACACS+ AV Pairs B-2
TACACS+ Accounting AV Pairs B-4

APPENDIX C RADIUS Attributes C-1


Cisco IOS Dictionary of RADIUS AV Pairs C-2
Cisco IOS/PIX Dictionary of RADIUS VSAs C-5
Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs C-7
Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs C-11
Cisco Building Broadband Service Manager Dictionary of RADIUS VSA C-12
IETF Dictionary of RADIUS AV Pairs C-12
Microsoft MPPE Dictionary of RADIUS VSAs C-27
Ascend Dictionary of RADIUS AV Pairs C-30
Nortel Dictionary of RADIUS VSAs C-42
Juniper Dictionary of RADIUS VSAs C-43

APPENDIX D VPDN Processing D-1


VPDN Process D-1

APPENDIX E RDBMS Synchronization Import Definitions E-1


accountActions Specification E-1
accountActions Format E-2
accountActions Mandatory Fields E-3
accountActions Processing Order E-4
Action Codes E-5

Action Codes for Setting and Deleting Values E-5
Action Codes for Creating and Modifying User Accounts E-7
Action Codes for Initializing and Modifying Access Filters E-15
Action Codes for Modifying TACACS+ and RADIUS Group and User Settings E-19
Action Codes for Modifying Network Configuration E-27
Cisco Secure ACS Attributes and Action Codes E-34
User-Specific Attributes E-34
User-Defined Attributes E-36
Group-Specific Attributes E-37
An Example of accountActions E-38

APPENDIX F Internal Architecture F-1


Cisco Secure ACS Services F-1
CSAdmin F-2
CSAuth F-3
CSDBSync F-3
CSLog F-4
CSMon F-4
Monitoring F-5
Recording F-6
Notification F-6
Response F-7
CSTacacs and CSRadius F-7

INDEX

Preface

This section discusses the objectives, audience, and organization of the
Cisco Secure Access Control Server (Cisco Secure ACS) Appliance version 3.2
user guide.

Objective
This document will help you configure and use Cisco Secure ACS and its features
and utilities.

Audience
This guide is for system administrators who use Cisco Secure ACS and who set
up and maintain accounts and dial-in network security.

Organization
The Cisco Secure ACS User Guide is organized into the following chapters:
• Chapter 1, “Overview”. An overview of Cisco Secure ACS and its features,
network diagrams, and system requirements.
• Chapter 2, “Deployment Considerations”. A guide to deploying the
Cisco Secure ACS that includes requirements, options, trade-offs, and
suggested sequences.
• Chapter 3, “Interface Configuration”. Concepts and procedures regarding
how to use the Interface Configuration section of the Cisco Secure ACS to
configure the HTML interface.
• Chapter 4, “Network Configuration”. Concepts and procedures for
establishing Cisco Secure ACS network configuration and building a
distributed system.
• Chapter 5, “Shared Profile Components”. Concepts and procedures regarding
Cisco Secure ACS shared profile components: network access restrictions
and device command sets.
• Chapter 6, “User Group Management”. Concepts and procedures for
establishing and maintaining Cisco Secure ACS user groups.
• Chapter 7, “User Management”. Concepts and procedures for establishing
and maintaining Cisco Secure ACS user accounts.
• Chapter 8, “System Configuration: Basic”. Concepts and procedures
regarding the basic features found in the System Configuration section of
Cisco Secure ACS.
• Chapter 9, “System Configuration: Advanced”. Concepts and procedures
regarding RDBMS Synchronization and CiscoSecure Database Replication,
found in the System Configuration section of Cisco Secure ACS.
• Chapter 10, “System Configuration: Authentication and Certificates”.
Concepts and procedures regarding the Global Authentication and ACS
Certificate Setup pages, found in the System Configuration section of
Cisco Secure ACS.
• Chapter 11, “Logs and Reports”. Concepts and procedures regarding
Cisco Secure ACS logging and reports.

• Chapter 12, “Administrators and Administrative Policy”. Concepts and
procedures for establishing and maintaining Cisco Secure ACS
administrators.
• Chapter 13, “User Databases”. Concepts and procedures for establishing user
databases.
• Chapter 14, “Unknown User Policy”. Concepts and procedures about the
Unknown User Policy.
• Chapter 15, “User Group Mapping and Specification”. Concepts and
procedures regarding the assignment of groups for users authenticated by an
external user database.
This guide also comprises the following appendixes:
• Appendix A, “Troubleshooting”. How to identify and solve certain problems
you might have with Cisco Secure ACS.
• Appendix B, “TACACS+ Attribute-Value Pairs”. A list of supported
TACACS+ AV pairs and accounting AV pairs.
• Appendix C, “RADIUS Attributes”. A list of supported RADIUS AV pairs
and accounting AV pairs.
• Appendix D, “VPDN Processing”. An introduction to Virtual Private Dial-up
Networks (VPDN), including stripping and tunneling, with instructions for
enabling VPDN on Cisco Secure ACS.
• Appendix E, “RDBMS Synchronization Import Definitions”. A list of import
definitions, for use with the RDBMS Synchronization feature.
• Appendix F, “Internal Architecture”. A description of Cisco Secure ACS
architectural components.

Conventions
This guide uses the following typographical conventions:

Table 1 Typographic Conventions

Convention   Meaning
Italics      Introduces new or important terminology and variable input for
             commands.
Script       Denotes paths, file names, and example screen output. Also
             denotes Secure Script translations of security policy decision
             trees.
Bold         Identifies special terminology and options that should be
             selected during procedures.

Tip Means the following information will help you solve a problem. The tip
information might not be troubleshooting or even an action, but could be useful
information.

Note Means reader take note. Notes contain helpful suggestions or references to
materials not covered in the manual.

Caution Means reader be careful. In this situation, you might do something that could
result in equipment damage, loss of data, or a breach in your network security.

Warning Means danger. You are in a situation that could cause bodily injury. Before you
work on any equipment, you must be aware of the hazards involved with
electrical circuitry and be familiar with standard practices for preventing
accidents. To see translated versions of the warning, refer to the Regulatory
Compliance and Safety document that accompanied the device.

Related Documentation
Note Although every effort has been made to validate the accuracy of the information
in the printed and electronic documentation, you should also review
Cisco Secure ACS documentation on Cisco.com for any updates.

The following documentation is available on Cisco.com and in PDF format on the
CD-ROM for the applicable Cisco Secure ACS platform:
• For Cisco Secure ACS for Windows Server, the following documents are
available:
– Release Notes for Cisco Secure ACS for Windows Server
– User Guide for Cisco Secure ACS for Windows Server
– Installation Guide for Cisco Secure ACS for Windows Server
• For Cisco Secure ACS Appliance, the following documents are available:
– Release Notes for Cisco Secure ACS Appliance
– User Guide for Cisco Secure ACS Appliance
– Installation and Setup Guide for Cisco Secure ACS Appliance
– Installation and Configuration Guide for Cisco Secure ACS Remote
Agents
– Regulatory Compliance and Safety Information for the Cisco Secure ACS
Appliance
• For all Cisco Secure ACS platforms, Installation and User Guide for
Cisco Secure ACS User-Changeable Passwords is available.
Included in the Cisco Secure ACS HTML interface are two sources of
information:
• Online Help contains information for each associated page in the
Cisco Secure ACS HTML interface.
• Online Documentation is a complete copy of the user guide for the applicable
release of Cisco Secure ACS.
You can find other product literature, including white papers, data sheets, and
product bulletins, at
http://www.cisco.com/warp/public/cc/pd/sqsw/sq/prodlit/index.shtml.


You should refer to the documentation that came with your AAA clients for more
information about those products. You might also want to consult the Cisco
Systems publication Cisco Systems’ Internetworking Terms and Acronyms.

Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco
also provides several ways to obtain technical assistance and other technical
resources. These sections explain how to obtain technical information from Cisco
Systems.

Cisco.com
You can access the most current Cisco documentation on the World Wide Web at
this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
International Cisco websites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml

Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product
documentation from the Ordering tool:
http://www.cisco.com/en/US/partner/ordering/index.shtml


• Nonregistered Cisco.com users can order documentation through a local
account representative by calling Cisco Systems Corporate Headquarters
(California, USA) at 408 526-7208 or, elsewhere in North America, by
calling 800 553-NETS (6387).

Documentation Feedback
You can submit e-mail comments about technical documentation to
bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front
cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.

Obtaining Technical Assistance


For all customers, partners, resellers, and distributors who hold valid Cisco
service contracts, the Cisco Technical Assistance Center (TAC) provides
24-hour-a-day, award-winning technical support services, online and over the
phone. Cisco.com features the Cisco TAC website as an online starting point for
technical assistance. If you do not hold a valid Cisco service contract, please
contact your reseller.

Cisco TAC Website


The Cisco TAC website provides online documents and tools for troubleshooting
and resolving technical issues with Cisco products and technologies. The Cisco
TAC website is available 24 hours a day, 365 days a year. The Cisco TAC website
is located at this URL:
http://www.cisco.com/tac


Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID
and password. If you have a valid service contract but do not have a login ID or
password, register at this URL:
http://tools.cisco.com/RPF/register/register.do

Opening a TAC Case


Using the online TAC Case Open Tool is the fastest way to open P3 and P4 cases.
(P3 and P4 cases are those in which your network is minimally impaired or for
which you require product information.) After you describe your situation, the
TAC Case Open Tool automatically recommends resources for an immediate
solution. If your issue is not resolved using the recommended resources, your case
will be assigned to a Cisco TAC engineer. The online TAC Case Open Tool is
located at this URL:
http://www.cisco.com/tac/caseopen
For P1 or P2 cases (P1 and P2 cases are those in which your production network
is down or severely degraded) or if you do not have Internet access, contact Cisco
TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2
cases to help keep your business operations running smoothly.
To open a case by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete listing of Cisco TAC contacts, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

TAC Case Priority Definitions


To ensure that all cases are reported in a standard format, Cisco has established
case priority definitions.
Priority 1 (P1)—Your network is “down” or there is a critical impact to your
business operations. You and Cisco will commit all necessary resources around
the clock to resolve the situation.


Priority 2 (P2)—Operation of an existing network is severely degraded, or
significant aspects of your business operation are negatively affected by
inadequate performance of Cisco products. You and Cisco will commit full-time
resources during normal business hours to resolve the situation.
Priority 3 (P3)—Operational performance of your network is impaired, but most
business operations remain functional. You and Cisco will commit resources
during normal business hours to restore service to satisfactory levels.
Priority 4 (P4)—You require information or assistance with Cisco product
capabilities, installation, or configuration. There is little or no effect on your
business operations.

Obtaining Additional Publications and Information


Information about Cisco products, technologies, and network solutions is
available from various online and printed sources.
• Cisco Marketplace provides a variety of Cisco books, reference guides, and
logo merchandise. Go to this URL to visit the company store:
http://www.cisco.com/go/marketplace/
• The Cisco Product Catalog describes the networking products offered by
Cisco Systems, as well as ordering and customer support services. Access the
Cisco Product Catalog at this URL:
http://cisco.com/univercd/cc/td/doc/pcat/
• Cisco Press publishes a wide range of general networking, training and
certification titles. Both new and experienced users will benefit from these
publications. For current Cisco Press titles and other information, go to Cisco
Press online at this URL:
http://www.ciscopress.com
• Packet magazine is the Cisco quarterly publication that provides the latest
networking trends, technology breakthroughs, and Cisco products and
solutions to help industry professionals get the most from their networking
investment. Included are networking deployment and troubleshooting tips,


configuration examples, customer case studies, tutorials and training,
certification information, and links to numerous in-depth online resources.
You can access Packet magazine at this URL:
http://www.cisco.com/packet
• iQ Magazine is the Cisco bimonthly publication that delivers the latest
information about Internet business strategies for executives. You can access
iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
• Internet Protocol Journal is a quarterly journal published by Cisco Systems
for engineering professionals involved in designing, developing, and
operating public and private internets and intranets. You can access the
Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
• Training—Cisco offers world-class networking training. Current offerings in
network training are listed at this URL:
http://www.cisco.com/en/US/learning/index.html

Chapter 1
Overview

This chapter provides an overview of Cisco Secure ACS Appliance.


This chapter contains the following topics:
• The Cisco Secure ACS Paradigm, page 1-1
• Cisco Secure ACS Specifications, page 1-2
• AAA Server Functions and Concepts, page 1-4
• Cisco Secure ACS HTML Interface, page 1-24

The Cisco Secure ACS Paradigm


Cisco Secure ACS provides authentication, authorization, and accounting
(AAA—pronounced “triple A”) services to network devices that function as AAA
clients, such as a network access server, PIX Firewall, or router. The AAA client
in Figure 1-1 represents any such device that provides AAA client functionality
and uses one of the AAA protocols supported by Cisco Secure ACS.


Figure 1-1 A Simple AAA Scenario

[Figure: End-user client -> AAA client -> Cisco Secure Access Control Server -> External user database (optional)]

Cisco Secure ACS centralizes access control and accounting, in addition to router
and switch access management. With Cisco Secure ACS, network administrators
can quickly administer accounts and globally change levels of service offerings
for entire groups of users. Although the external user database shown in
Figure 1-1 is optional, support for many popular user repository implementations
enables companies to put to use the working knowledge gained from and the
investment already made in building their corporate user repositories.
Cisco Secure ACS supports Cisco AAA clients such as the Cisco 2509, 2511,
3620, 3640, AS5200 and AS5300, AS5800, the Cisco PIX Firewall, Cisco
Aironet Access Point wireless networking devices, Cisco VPN 3000
Concentrators, and Cisco VPN 5000 Concentrators. It also supports third-party
devices that can be configured with the Terminal Access Controller Access
Control System (TACACS+) or the Remote Access Dial-In User Service
(RADIUS) protocol. Cisco Secure ACS treats all such devices as AAA clients.
Cisco Secure ACS uses the TACACS+ and RADIUS protocols to provide AAA
services that ensure a secure environment. For more information about support for
TACACS+ and RADIUS in Cisco Secure ACS, see AAA Protocols—TACACS+
and RADIUS, page 1-6.

Cisco Secure ACS Specifications


This section provides information about Cisco Secure ACS performance
specifications and the services that compose Cisco Secure ACS.

Note For hardware specifications of the Cisco Secure ACS Appliance, see the
Installation and Setup Guide for Cisco Secure ACS Appliance.


This section contains the following topics:


• System Performance Specifications, page 1-3
• Cisco Secure ACS Services, page 1-4

System Performance Specifications


The performance capabilities of Cisco Secure ACS are heavily affected by your
network topology and network management, the selection of user databases, and
other factors. For example, Cisco Secure ACS can perform many more
authentications per second if it is using its internal user database and is on a
1 Gb/s Ethernet backbone than it can if it is using an external user database and
is on a 10 Mb/s LAN.
For more information about the expected performance of Cisco Secure ACS in
your network setting, contact your Cisco sales representative. The following
items are general answers to common system performance questions. The
performance of Cisco Secure ACS in your network depends on your specific
environment and AAA requirements.
• Maximum users supported by the CiscoSecure user database—There is
no theoretical limit to the number of users the CiscoSecure user database can
support. We have successfully tested Cisco Secure ACS with databases in
excess of 100,000 users. The practical limit for a single Cisco Secure ACS
authenticating against all its databases, internal and external, is 300,000 to
500,000 users. This number increases significantly if the authentication load
is spread across a number of replicated Cisco Secure ACS appliances.
• Transactions per second per number of users—Assuming 10,000 users in
the CiscoSecure user database, Cisco Secure ACS provides 80 RADIUS full
login cycles (authentication, accounting start, and accounting stop) per
second and approximately 40 TACACS+ logins per second. As the database
grows, this performance declines roughly proportionately.
• Maximum number of AAA clients supported—Cisco Secure ACS can
support AAA services for approximately 5000 AAA client configurations.
This limitation is primarily a limitation of the Cisco Secure ACS HTML
interface. Performance of the HTML interface degrades when Cisco Secure
ACS has more than approximately 5000 AAA client configurations.
However, a AAA client configuration in Cisco Secure ACS can represent
more than one physical network device, provided that the network devices


use the same AAA protocol and use the same shared secret. If you make use
of this ability, the number of actual AAA clients supported can be
considerably higher than 5000.

Cisco Secure ACS Services


Cisco Secure ACS operates as a set of services that provide the core of
Cisco Secure ACS functionality. These services control the authentication,
authorization, and accounting of users accessing networks. For a full discussion
of each service, see Appendix F, “Internal Architecture.” The services on your
Cisco Secure ACS Appliance include the following:
• CSAdmin—Provides the HTML interface for administration of Cisco Secure
ACS.
• CSAuth—Provides authentication services.
• CSDBSync—Provides synchronization of the CiscoSecure user database
with an external RDBMS application.
• CSLog—Provides logging services, both for accounting and system activity.
• CSMon—Provides monitoring, recording, and notification of Cisco Secure
ACS performance, and includes automatic response to some scenarios.
• CSTacacs—Provides communication between TACACS+ AAA clients and
the CSAuth service.
• CSRadius—Provides communication between RADIUS AAA clients and
the CSAuth service.
Each service can be started and stopped individually from the serial console, or
all services can be started and stopped as a group from within the Cisco Secure
ACS HTML interface or from the serial console. For information about stopping
and starting services using the HTML interface, see Service Control, page 8-2.
For information about stopping and starting services using the serial console,
see Installation and Setup Guide for Cisco Secure ACS Appliance.

AAA Server Functions and Concepts


Cisco Secure ACS is a AAA server, providing AAA services to network devices
that can act as AAA clients.


As a AAA server, Cisco Secure ACS incorporates many technologies to render
AAA services to AAA clients. Understanding Cisco Secure ACS requires
knowledge of many of these technologies.
This section contains the following topics:
• Cisco Secure ACS and the AAA Client, page 1-5
• AAA Protocols—TACACS+ and RADIUS, page 1-6
• Authentication, page 1-8
• Authorization, page 1-16
• Accounting, page 1-20
• Administration, page 1-21

Cisco Secure ACS and the AAA Client


A AAA client is software running on a network device that enables the network
device to defer authentication, authorization, and logging (accounting) of user
sessions to a AAA server. AAA clients must be configured to direct all end-user
client access requests to Cisco Secure ACS for authentication of users and
authorization of service requests. Using the TACACS+ or RADIUS protocol, the
AAA client sends authentication requests to Cisco Secure ACS. Cisco Secure
ACS verifies the username and password using the user databases it is configured
to query. Cisco Secure ACS returns a success or failure response to the AAA
client, which permits or denies user access, based on the response it receives.
When the user authenticates successfully, Cisco Secure ACS sends a set of
session attributes to the AAA client; this is authorization, and it provides
additional security and control of privileges. These attributes might include
the IP address pool, an access control list, or the type of connection permitted
(for example, IP, IPX, or Telnet). The AAA client then begins forwarding
accounting information to Cisco Secure ACS. More recently, networking vendors
are expanding the use of the attribute sets returned to cover an increasingly
wider aspect of user session provisioning.


AAA Protocols—TACACS+ and RADIUS


Cisco Secure ACS can use both the TACACS+ and RADIUS AAA protocols.
Table 1-1 compares the two protocols.

Table 1-1 TACACS+ and RADIUS Protocol Comparison

Transmission Protocol
  TACACS+: TCP, a connection-oriented transport-layer protocol with reliable,
           full-duplex data transmission.
  RADIUS:  UDP, a connectionless transport-layer protocol; datagram exchange
           without acknowledgments or guaranteed delivery.
Ports Used
  TACACS+: 49
  RADIUS:  Authentication and authorization: 1645 and 1812.
           Accounting: 1646 and 1813.
Encryption
  TACACS+: The entire packet body is obfuscated; the 12-byte header (version,
           type, sequence number, flags, session ID, length) is sent in the clear.
  RADIUS:  Only the User-Password attribute is obfuscated (in 16-byte blocks,
           up to 128 bytes); the user name and all other attributes are sent in
           the clear.
AAA Architecture
  TACACS+: Separate control of each service: authentication, authorization,
           and accounting.
  RADIUS:  Authentication and authorization combined as one service.
Intended Purpose
  TACACS+: Device management.
  RADIUS:  User access control.

In both protocols the “encryption” is an XOR with an MD5-derived keystream keyed
by the shared secret configured on the AAA client and in Cisco Secure ACS.
TACACS+ provides no integrity protection of its own; RADIUS protects replies with
an MD5 Response Authenticator keyed by the same secret (and requests only when
the Message-Authenticator attribute of RFC 2869 is present). The confidentiality
of every password that crosses the wire therefore depends entirely on the strength
and secrecy of that shared secret: use a long, random secret per AAA client and
keep AAA traffic on a protected management network.

TACACS+
Cisco Secure ACS conforms to the TACACS+ protocol as defined by Cisco
Systems in draft 1.77. For more information, refer to the Cisco IOS software
documentation or Cisco.com (http://www.cisco.com).

RADIUS
Cisco Secure ACS conforms to the RADIUS protocol as defined in draft April
1997 and in the following Requests for Comments (RFCs):
• RFC 2138, Remote Authentication Dial In User Service (RADIUS)
• RFC 2139, RADIUS Accounting
• RFC 2865, Remote Authentication Dial In User Service (RADIUS) (obsoletes RFC 2138)
• RFC 2866, RADIUS Accounting (obsoletes RFC 2139)
• RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support
• RFC 2868, RADIUS Attributes for Tunnel Protocol Support
• RFC 2869, RADIUS Extensions
The ports used for authentication and accounting have changed in RADIUS RFC
documents. To support both the older and newer RFCs, Cisco Secure ACS accepts
authentication requests on port 1645 and port 1812. For accounting, Cisco Secure
ACS accepts accounting packets on port 1646 and 1813.
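The following is an added example, not code from the original guide or from Cisco. It walks through the exchange described under Cisco Secure ACS and the AAA Client (an Access-Request from the AAA client, an Access-Accept or Access-Reject from the server) and shows concretely what the Encryption row of Table 1-1 means for RADIUS: only the User-Password attribute is hidden, using the RFC 2865 section 5.2 MD5 chaining, and it is recoverable by anyone who holds the shared secret. The Message-Authenticator attribute of RFC 2869 is omitted for brevity. The shared secret, user name and password are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block); the first block is chained to the Request
    Authenticator.  Works for any length from 1 to 128 bytes, not only 16."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password.  The server needs it; so does anyone who captured the
    packet and knows the shared secret, which is all that protects the password."""
    if not hidden or len(hidden) % 16:
        raise ValueError("malformed User-Password attribute")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return bytes(out).rstrip(b"\x00")  # remove the zero padding


def encode_attrs(pairs) -> bytes:
    """Type-Length-Value attributes; Length counts the two header bytes."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in pairs)


def decode_attrs(blob: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        attrs[blob[i]] = blob[i + 2:i + blob[i + 1]]
        i += blob[i + 1]
    return attrs


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes,
                         request_auth: bytes = None) -> bytes:
    """AAA client side.  The 16-byte Request Authenticator must be fresh and unpredictable
    per request: it seeds the password keystream and binds the reply to this request."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([(USER_NAME, user),
                          (USER_PASSWORD, hide_password(password, secret, request_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """AAA server side: recover the password, check it, and reply with a Response
    Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length < 20 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = decode_attrs(packet[20:length])
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    expected = user_db.get(attrs.get(USER_NAME, b""))
    ok = expected is not None and hmac.compare_digest(expected, password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def client_check_response(response: bytes, request_auth: bytes, secret: bytes) -> int:
    """AAA client side: a reply whose Response Authenticator does not verify is forged or
    corrupted and must be treated as no reply, never as an Accept."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("Response Authenticator mismatch")
    return code


if __name__ == "__main__":
    # Constructed sample: one shared secret, one user, a 20-byte password (more than one block).
    secret, users = b"example-shared-secret", {b"fred": b"a 20 byte password!!"}
    req_auth = os.urandom(16)
    req = build_access_request(7, b"fred", users[b"fred"], secret, req_auth)
    resp = server_handle(req, secret, users)
    print("result code (2 = Access-Accept):", client_check_response(resp, req_auth, secret))
    sniffed = decode_attrs(req[20:])
    print("sniffer with the secret sees:", reveal_password(sniffed[USER_PASSWORD], secret, req_auth))
    print("User-Name is in the clear anyway:", sniffed[USER_NAME])
```

Two points the code makes that the table cannot: a 20-byte password is hidden in two chained 16-byte blocks (the "16 bytes" limit is the block size, not a maximum), and the Response Authenticator is the only thing that stops an on-path attacker from turning a Reject into an Accept, so an AAA client must verify it and must treat a mismatch as no answer at all.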
In addition to support for standard IETF RADIUS attributes, Cisco Secure ACS
includes support for RADIUS vendor-specific attributes (VSAs). We have
predefined the following RADIUS VSAs in Cisco Secure ACS:
• Cisco IOS/PIX
• Cisco VPN 3000
• Cisco VPN 5000
• Ascend
• Juniper
• Microsoft
• Nortel
Cisco Secure ACS also supports up to 10 RADIUS VSAs that you define. After
you define a new RADIUS VSA, you can use it as you would one of the RADIUS
VSAs that come predefined in Cisco Secure ACS. In the Network Configuration
section of the Cisco Secure ACS HTML interface, you can configure a AAA
client to use a user-defined RADIUS VSA as its AAA protocol. In Interface
Configuration, you can enable user-level and group-level attributes for
user-defined RADIUS VSAs. In User Setup and Group Setup, you can configure
the values for enabled attributes of a user-defined RADIUS VSA.
For more information about creating user-defined RADIUS VSAs, see Custom
RADIUS Vendors and VSAs, page 9-27.


Authentication
Authentication determines user identity and verifies the information. Traditional
authentication uses a name and a fixed password. More modern and secure
methods use technologies such as CHAP and one-time passwords (OTPs).
Cisco Secure ACS supports a variety of these authentication methods.
There is a fundamental implicit relationship between authentication and
authorization. The more authorization privileges granted to a user, the stronger the
authentication should be. Cisco Secure ACS supports this relationship by
providing various methods of authentication.

Authentication Considerations
Username and password is the most popular, simplest, and least expensive
method used for authentication. No special equipment is required. This is a
popular method for service providers because of its easy application by the client.
The disadvantage is that this information can be told to someone else, guessed, or
captured. Simple unencrypted username and password is not considered a strong
authentication mechanism but can be sufficient for low authorization or privilege
levels such as Internet access.
To reduce the risk of password capture on the network, use encryption. Client
and server access control protocols such as TACACS+ and RADIUS obfuscate
passwords with a keystream derived from the shared secret, which prevents a
passive observer who does not hold that secret from reading them. However,
TACACS+ and RADIUS protect only the leg between the AAA client and the access
control server. Before this point in the authentication process, unauthorized
persons can obtain clear-text passwords: for example, on the communication
between an end-user client dialing up over a phone line or an ISDN line
terminating at a network access server, or on a Telnet session between an
end-user client and the hosting device.
Network administrators who offer increased levels of security services, and
corporations that want to lessen the chance of intruder access resulting from
password capture, can use an OTP. Cisco Secure ACS supports several types of
OTP solutions; for Point-to-Point Protocol (PPP) remote-node login the OTP is
carried in a PAP authentication, because the one-way hash used by CHAP cannot be
verified against a one-time value the server does not hold. Token cards are
considered one of the strongest OTP authentication mechanisms.


Authentication and User Databases


Cisco Secure ACS supports a variety of user databases. It supports the
CiscoSecure user database and several external user databases, including the
following:
• Windows User Database
• Generic LDAP
• Novell NetWare Directory Services (NDS)
• CRYPTOCard token server
• SafeWord token server
• PassGo token server
• RSA SecurID token server
• ActivCard token server
• Vasco token server
In addition to the token servers listed above, Cisco Secure ACS supports any
token server that provides a RADIUS server interface. For more information
about token server support, see Token Server User Databases, page 13-58.

Authentication Protocol-Database Compatibility


The various password protocols supported by Cisco Secure ACS for
authentication are supported unevenly by the various databases supported by
Cisco Secure ACS. For more information about the password protocols supported
by Cisco Secure ACS, see Passwords, page 1-10.
Table 1-2 specifies non-EAP authentication protocol support.

Table 1-2 Non-EAP Authentication Protocol and User Database Compatibility

Database                   ASCII/PAP  CHAP  ARAP  MS-CHAP v.1  MS-CHAP v.2
Cisco Secure ACS           Yes        Yes   Yes   Yes          Yes
Windows SAM                Yes        No    No    Yes          Yes
Windows AD                 Yes        No    No    Yes          Yes
LDAP                       Yes        No    No    No           No
Novell NDS                 Yes        No    No    No           No
LEAP Proxy RADIUS Server   Yes        No    No    Yes          Yes
All Token Servers          Yes        No    No    No           No

Table 1-3 specifies EAP authentication protocol support.

Table 1-3 EAP Authentication Protocol and User Database Compatibility

Database                   LEAP  EAP-MD5  EAP-TLS  PEAP (EAP-GTC)  PEAP (EAP-MSCHAPv2)  EAP-FAST Phase Zero  EAP-FAST Phase Two
Cisco Secure ACS           Yes   Yes      Yes      Yes             Yes                  Yes                  Yes
Windows SAM                Yes   No       No       Yes             Yes                  Yes                  Yes
Windows AD                 Yes   No       Yes      Yes             Yes                  Yes                  Yes
LDAP                       No    No       Yes      Yes             No                   No                   Yes
Novell NDS                 No    No       Yes      Yes             No                   No                   Yes
LEAP Proxy RADIUS Server   Yes   No       No       Yes             Yes                  Yes                  Yes
All Token Servers          No    No       No       Yes             No                   No                   No

Passwords
Cisco Secure ACS supports many common password protocols:
• ASCII/PAP
• CHAP
• MS-CHAP
• LEAP


• EAP-MD5
• EAP-TLS
• PEAP(EAP-GTC)
• PEAP(EAP-MSCHAPv2)
• EAP-FAST
• ARAP
Passwords can be processed using these password authentication protocols based
on the version and type of security control protocol used (for example, RADIUS
or TACACS+) and the configuration of the AAA client and end-user client. The
following sections outline the different conditions and functions of password
handling.
In the case of token servers, Cisco Secure ACS acts as a client to the token server,
using either its proprietary API or its RADIUS interface, depending on the token
server. For more information, see About Token Servers and Cisco Secure ACS,
page 13-58.
Different levels of security can be used concurrently with Cisco Secure ACS for
different requirements. The basic user-to-network security level is PAP.
Although PAP sends the password unencrypted, it offers convenience and simplicity
for the client, and it allows authentication against the Windows database, so
users need to log in only once. CHAP allows a higher level of security: the
password itself is never sent from the end-user client to the AAA client. You
can use CHAP with the CiscoSecure user database. ARAP support is included to
support Apple clients.

Comparing PAP, CHAP, and ARAP

PAP, CHAP, and ARAP are password authentication protocols that differ in how,
or whether, they protect the password between the end-user client and the AAA
client.
• PAP—Sends the password in clear text and is the least sophisticated of the
three. If you are using the Windows user database to authenticate users, you
must use PAP or MS-CHAP; Windows stores password hashes that cannot be used
to verify a CHAP response.
• CHAP—Uses a challenge-response mechanism: the end-user client returns a
one-way MD5 hash of the challenge and the password, so the password itself
never crosses the link. To verify the response, Cisco Secure ACS must hold the
clear-text (or reversibly encrypted) password; therefore CHAP works with the
CiscoSecure user database but not with the Windows user database. If you are
using the CiscoSecure user database for authentication, you can use either PAP
or CHAP. CHAP passwords are static and reusable: a captured challenge and
response still allow an offline dictionary attack on the password, so CHAP
protects against passive capture of the password itself, not against weak
passwords.
• ARAP—Uses a two-way challenge-response mechanism. The AAA client
challenges the end-user client to authenticate itself, and the end-user client
challenges the AAA client to authenticate itself.
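The CHAP computation described above, as an added example that is not part of the original guide or of Cisco's code: the client's response is MD5 over the identifier, the secret and the challenge (RFC 1994), the server needs the clear-text secret to verify it, and one captured challenge/response pair is enough for an offline guess with no lockout. USER_SECRET and WORDLIST are constructed values for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge).  Sent by the end-user client."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_challenge(length: int = 16) -> bytes:
    """The authenticator must issue a fresh, unpredictable challenge every time;
    a reused challenge lets a captured response be replayed."""
    return os.urandom(length)


def chap_verify(identifier: int, stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side.  Note the input: the clear-text secret.  This is why CHAP works
    against the CiscoSecure user database but not against Windows password hashes."""
    return hmac.compare_digest(chap_response(identifier, stored_secret, challenge), response)


def chap_offline_guess(identifier: int, challenge: bytes, response: bytes, candidates):
    """What an attacker does with one sniffed challenge/response pair: try candidate
    passwords offline, without touching the server.  Returns the match or None."""
    for cand in candidates:
        if chap_response(identifier, cand, challenge) == response:
            return cand
    return None


# Constructed sample: the user's secret and a small attacker wordlist.
USER_SECRET = b"Summer2003!"
WORDLIST = [b"password", b"letmein", b"cisco123", b"Summer2003!", b"correct horse battery staple"]

if __name__ == "__main__":
    ident, challenge = 0x2A, chap_challenge()          # authenticator -> client
    response = chap_response(ident, USER_SECRET, challenge)  # client -> authenticator
    print("server accepts:", chap_verify(ident, USER_SECRET, challenge, response))
    print("attacker recovers from the capture:", chap_offline_guess(ident, challenge, response, WORDLIST))
```

The verification is a constant-time compare of the two digests; the guessing loop is not, and need not be, because the attacker runs it on their own machine against a capture. Password strength, not the protocol, is what limits that loop.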

MS-CHAP

Cisco Secure ACS supports Microsoft Challenge-Handshake Authentication
Protocol (MS-CHAP) for user authentication. Differences between MS-CHAP
and standard CHAP are the following:
• The MS-CHAP Response packet is in a format compatible with Microsoft
Windows and LAN Manager 2.x. Because the response is computed from the
Windows password hash rather than from the clear-text password, the MS-CHAP
format does not require the authenticator to store a clear-text or reversibly
encrypted password.
• MS-CHAP provides an authentication-retry mechanism controlled by the
authenticator.
• MS-CHAP provides additional failure codes in the Failure packet Message
field.
For more information on MS-CHAP, refer to the IETF Internet-Draft
draft-ietf-pppext-mschap-00.txt. MS-CHAP version 1 and version 2 were later
published as RFC 2433 and RFC 2759, and the RADIUS attributes that carry them
(the Microsoft vendor-specific attributes) in RFC 2548.

EAP Support

The Extensible Authentication Protocol (EAP), defined in RFC 2284 (PPP
Extensible Authentication Protocol), is an end-to-end framework that allows new
authentication types to be added without changing AAA client configurations:
the AAA client only relays EAP messages between the end-user client and
Cisco Secure ACS. IEEE 802.1X carries EAP over wired and wireless LANs, and
RADIUS carries it in the EAP-Message attribute.
Cisco Secure ACS supports the following varieties of EAP:
• EAP-MD5—An EAP protocol that does not support mutual authentication and
derives no keying material, so it is unsuitable for wireless LANs.
• EAP-TLS—EAP incorporating Transport Layer Security; both sides authenticate
with certificates. For more information, see EAP-TLS Deployment Guide for
Wireless LAN Networks and EAP-TLS Authentication, page 10-2.
• LEAP—An EAP protocol used by Cisco Aironet wireless equipment; it
supports mutual authentication. LEAP’s MS-CHAP-based exchange is not
protected by a TLS tunnel, so captured LEAP traffic is subject to offline
dictionary attacks; prefer EAP-FAST or PEAP where the clients support them.


• PEAP—Protected EAP, which establishes a server-authenticated TLS tunnel
and then runs an inner EAP method inside it; Cisco Secure ACS implements the
EAP-Generic Token Card (GTC) and EAP-MSCHAPv2 inner methods. For more
information, see PEAP Authentication, page 10-7.
• EAP-FAST—EAP Flexible Authentication via Secured Tunnel (EAP-FAST),
which establishes its tunnel with a Protected Access Credential (PAC) instead
of a server certificate, making the handshake cheaper than PEAP or EAP-TLS.
Phase zero provisions the PAC; phase two runs the inner authentication, which
in this release is EAP-GTC (see Table 1-3). For more information, see EAP-FAST
Authentication, page 10-11.
The architecture of Cisco Secure ACS is extensible with regard to EAP;
additional varieties of EAP will be supported as those protocols mature.

Basic Password Configurations

There are several basic password configurations:

Note These configurations are all classed as inbound authentication.

• Single password for ASCII/PAP/CHAP/MS-CHAP/ARAP—This is the
most convenient method for both the administrator when setting up accounts
and the user when obtaining authentication. However, because the CHAP
password is the same as the PAP password, and the PAP password is
transmitted in clear text during an ASCII/PAP login, there is the chance that
the CHAP password can be compromised.
• Separate passwords for ASCII/PAP and CHAP/MS-CHAP/ARAP—For
a higher level of security, users can be given two separate passwords. If the
ASCII/PAP password is compromised, the CHAP/ARAP password can
remain secure.
• External user database authentication—For authentication by an external
user database, the user does not need a password stored in the CiscoSecure
user database. Instead, Cisco Secure ACS records which external user
database it should query to authenticate the user.


Advanced Password Configurations

Cisco Secure ACS supports the following advanced password configurations:


• Inbound passwords—Passwords used by most Cisco Secure ACS users.
These are supported by both the TACACS+ and RADIUS protocols. They are
held internally to the CiscoSecure user database and are not usually given up
to an external source if an outbound password has been configured.
• Outbound passwords—The TACACS+ protocol supports outbound
passwords that can be used, for example, when a AAA client has to be
authenticated by another AAA client and end-user client. Passwords from the
CiscoSecure user database are then sent back to the second AAA client and
end-user client.
• Token caching—When token caching is enabled, ISDN users can connect
(for a limited time) a second B Channel using the same OTP entered during
original authentication. For greater security, the B-Channel authentication
request from the AAA client should include the OTP in the username value
(for example, Fredpassword) while the password value contains an
ASCII/PAP/ARAP password. The TACACS+ and RADIUS servers then
verify that the token is still cached and validate the incoming password
against either the single ASCII/PAP/ARAP or separate CHAP/ARAP
password, depending on the configuration the user employs.
The TACACS+ SENDAUTH feature enables a AAA client to authenticate
itself to another AAA client or an end-user client via outbound
authentication. The outbound authentication can be PAP, CHAP, or ARAP.
With outbound authentication, the Cisco Secure ACS password is given out.
By default, ASCII/PAP or CHAP/ARAP password is used, depending on how
this has been configured; however, we recommend that the separate
SENDAUTH password be configured for the user so that Cisco Secure ACS
inbound passwords are never compromised.
If you want to use outbound passwords and maintain the highest level of security,
we recommend that you configure users in the CiscoSecure user database with an
outbound password that is different from the inbound password.


Password Aging

With Cisco Secure ACS you can choose whether and how you want to employ
password aging. Control for password aging may reside either in the CiscoSecure
user database, or in a Windows user database. Each password aging mechanism
differs as to requirements and setting configurations.
The password aging feature controlled by the CiscoSecure user database enables
you to force users to change their passwords under any of the following conditions:
• After a specified number of days.
• After a specified number of logins.
• The first time a new user logs in.
For information on the requirements and configuration of the password aging
feature controlled by the CiscoSecure user database, see Enabling Password
Aging for the CiscoSecure User Database, page 6-20.
The Windows-based password aging feature enables you to control the following
password aging parameters:
• Maximum password age in days.
• Minimum password age in days.
The methods and functionality of Windows password aging differ according to
which Windows operating system you use and whether you employ Active
Directory (AD) or Security Accounts Manager (SAM). For information on the
requirements and configuration of the Windows-based password aging feature,
see Enabling Password Aging for Users in Windows Databases, page 6-25.

User-Changeable Passwords

With Cisco Secure ACS, you can install a separate program that enables users to
change their passwords by using a web-based utility. For more information about
installing user-changeable passwords, see the Installation and User Guide for
Cisco Secure ACS User-Changeable Passwords.


Other Authentication-Related Features


In addition to the authentication-related features discussed in this section, the
following features are provided by Cisco Secure ACS:
• Authentication of unknown users with external user databases (see Unknown
User Processing, page 14-2).
• Authentication of computers running Microsoft Windows (see Machine
Authentication, page 13-13).
• Microsoft Windows Callback feature (see Setting User Callback Option,
page 7-8).
• Ability to configure user accounts, including passwords, using an external
data source (see About RDBMS Synchronization, page 9-24).
• Ability for external users to authenticate via an enable password (see Setting
TACACS+ Enable Password Options for a User, page 7-34).
• Proxy of authentication requests to other AAA servers (see Proxy in
Distributed Systems, page 4-4).
• Configurable character string stripping from proxied authentication requests
(see Stripping, page 4-6).

Authorization
Authorization determines what a user is allowed to do. Cisco Secure ACS can
send user profile policies to a AAA client to determine the network services the
user can access. You can configure authorization to give different users and
groups different levels of service. For example, standard dial-up users might not
have the same access privileges as premium customers and users. You can also
differentiate by levels of security, access times, and services.
The Cisco Secure ACS access restrictions feature enables you to permit or deny
logins based on time-of-day and day-of-week. For example, you could create a
group for temporary accounts that can be disabled on specified dates. This would
make it possible for a service provider to offer a 30-day free trial. The same
authorization could be used to create a temporary account for a consultant with
login permission limited to Monday through Friday, 9 A.M. to 5 P.M.


You can restrict users to a service or combination of services such as PPP,
AppleTalk Remote Access (ARA), Serial Line Internet Protocol (SLIP), or
EXEC. After a service is selected, you can restrict Layer 2 and Layer 3 protocols,
such as IP and IPX, and you can apply individual access lists. Access lists on a
per-user or per-group basis can restrict users from reaching parts of the network
where critical information is stored or prevent them from using certain services
such as File Transfer Protocol (FTP) or Simple Network Management Protocol
(SNMP).
One fast-growing service being offered by service providers and adopted by
corporations is a service authorization for Virtual Private Dial-Up Networks
(VPDNs). Cisco Secure ACS can provide information to the network device for a
specific user to configure a secure tunnel through a public network such as the
Internet. The information can be for the access server (such as the home gateway
for that user) or for the home gateway router to validate the user at the customer
premises. In either case, Cisco Secure ACS can be used for each end of the
VPDN.

Max Sessions
Max Sessions is a useful feature for organizations that need to limit the number
of concurrent sessions available to either a user or a group:
• User Max Sessions—For example, an Internet service provider can limit
each account holder to a single session.
• Group Max Sessions—For example, an enterprise administrator can allow
the remote access infrastructure to be shared equally among several
departments and limit the maximum number of concurrent sessions for all
users in any one department.
In addition to enabling simple User and Group Max Sessions control,
Cisco Secure ACS enables the administrator to specify a Group Max Sessions
value and a group-based User Max Sessions value; that is, a User Max Sessions
value based on the group membership of the user. For example, an administrator
can allocate a Group Max Sessions value of 50 to the group “Sales” and also limit
each member of the “Sales” group to 5 sessions each. This way no single member
of a group account would be able to use more than 5 sessions at any one time, but
the group could still have up to 50 active sessions.
For more information about the Max Sessions feature, see Setting Max Sessions
for a User Group, page 6-11, and Setting Max Sessions Options for a User,
page 7-15.
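As an added example (not Cisco's code), the following concurrent-session limiter models the User Max Sessions and Group Max Sessions behaviour described above, with the "Sales" group capped at 50 sessions and each member at 5; the usernames and session events are constructed.

```python
# Added example (not Cisco's code): a concurrent-session limiter that models the
# User Max Sessions / Group Max Sessions behaviour described above, with the
# "Sales" group capped at 50 sessions and each member at 5. Names and events
# are constructed for this example.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class GroupPolicy:
    group_max_sessions: Optional[int]   # cap on concurrent sessions across the whole group
    user_max_sessions: Optional[int]    # group-based cap applied to each member


@dataclass
class SessionTracker:
    policies: Dict[str, GroupPolicy]
    membership: Dict[str, str]                       # username -> group name
    active: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))

    def _group_count(self, group: str) -> int:
        # Count every live session owned by a member of the group.
        return sum(len(s) for u, s in self.active.items() if self.membership.get(u) == group)

    def start(self, user: str, session_id: str) -> Tuple[bool, str]:
        """Authorization-time check: may `user` open one more concurrent session?"""
        group = self.membership.get(user)
        if group is None or group not in self.policies:
            return False, "unknown user or group"
        pol = self.policies[group]
        # The per-user limit is checked first so one member cannot crowd out the others.
        if pol.user_max_sessions is not None and len(self.active[user]) >= pol.user_max_sessions:
            return False, "user max sessions (%d) reached" % pol.user_max_sessions
        if pol.group_max_sessions is not None and self._group_count(group) >= pol.group_max_sessions:
            return False, "group max sessions (%d) reached" % pol.group_max_sessions
        self.active[user].add(session_id)
        return True, "accepted"

    def stop(self, user: str, session_id: str) -> None:
        """Accounting stop: release the slot. A lost stop record leaves it counted."""
        self.active[user].discard(session_id)


def demo() -> Dict[str, object]:
    """Replay the 'Sales' scenario from the text and return the observed counts."""
    tracker = SessionTracker(
        policies={"Sales": GroupPolicy(group_max_sessions=50, user_max_sessions=5)},
        membership={"sales%02d" % i: "Sales" for i in range(12)},
    )
    # One member attempts six sessions: the sixth hits the per-user cap of 5.
    per_user = [tracker.start("sales00", "s00-%d" % n)[0] for n in range(6)]
    # Eleven more members attempt five sessions each (55 requests): once the group
    # reaches 50 active sessions the remaining requests are refused.
    accepted = refused = 0
    for i in range(1, 12):
        for n in range(5):
            ok, _ = tracker.start("sales%02d" % i, "s%02d-%d" % (i, n))
            accepted += ok
            refused += not ok
    # Freeing one slot lets a previously refused member in again.
    tracker.stop("sales00", "s00-0")
    after_stop, _ = tracker.start("sales11", "s11-retry")
    return {
        "per_user": per_user,                 # [True, True, True, True, True, False]
        "group_accepted": accepted,           # 45 (5 + 45 = 50 active)
        "group_refused": refused,             # 10
        "active_total": sum(len(s) for s in tracker.active.values()),  # 50
        "after_stop": after_stop,             # True
    }


if __name__ == "__main__":
    print(demo())
```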


Dynamic Usage Quotas


Cisco Secure ACS enables you to define network usage quotas for users. Using
quotas, you can limit the network access of each user in a group or of individual
users. You define quotas by duration of sessions or the total number of sessions.
Quotas can be either absolute or based on daily, weekly, or monthly periods. To
grant access to users who have exceeded their quotas, you can reset session quota
counters as needed.
To support time-based quotas, we recommend enabling accounting update
packets on all AAA clients. If update packets are not enabled, the quota is updated
only when the user logs off and the accounting stop packet is received from the
AAA client. If the AAA client through which the user is accessing your network
fails, the session information is not updated. In the case of multiple sessions, such
as with ISDN, the quota would not be updated until all sessions terminate, which
means that a second channel will be accepted even if the first channel has
exhausted the quota allocated to the user.
For more information about usage quotas, see Setting Usage Quotas for a User
Group, page 6-13, and Setting User Usage Quotas Options, page 7-17.
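The ISDN failure mode described above, as an added example that is not part of the original guide: a session-time quota counter fed by accounting records, run once without accounting update packets and once with them. The 60-minute quota, the user "fred", the session ids and the timings are constructed.

```python
# Added example (not Cisco's code): a session-time quota counter fed by accounting
# records, replaying the ISDN failure mode described above. The 60-minute quota,
# user "fred", session ids and timings are constructed for this example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AcctRecord:
    status: str        # RADIUS Acct-Status-Type: "Start", "Interim-Update" or "Stop"
    user: str
    session_id: str    # Acct-Session-Id, one per B channel
    session_time: int  # Acct-Session-Time: seconds elapsed so far in this session
    at: int            # minute of the day the record arrives (constructed)


@dataclass
class QuotaCounter:
    quota_seconds: Dict[str, int]
    # user -> session id -> latest Acct-Session-Time reported for that session
    usage: Dict[str, Dict[str, int]] = field(default_factory=dict)

    def account(self, rec: AcctRecord) -> None:
        """Fold an accounting record into the counter. Start carries no time; only
        Interim-Update and Stop records move the user's consumed total."""
        sessions = self.usage.setdefault(rec.user, {})
        sessions[rec.session_id] = max(sessions.get(rec.session_id, 0), rec.session_time)

    def consumed(self, user: str) -> int:
        return sum(self.usage.get(user, {}).values())

    def authorize(self, user: str) -> bool:
        """Quota check made when a new session (or a second channel) is requested."""
        quota = self.quota_seconds.get(user)
        return quota is None or self.consumed(user) < quota

    def reset(self, user: str) -> None:
        """Administrator reset of the user's counters, as the text describes."""
        self.usage.pop(user, None)


def simulate(interim_interval_min: Optional[int]) -> Dict[str, object]:
    """Run a 70-minute first channel for 'fred' (60-minute quota) and ask at minute
    65 whether a second channel is accepted. None = AAA client sends no updates."""
    counter = QuotaCounter(quota_seconds={"fred": 60 * 60})
    events: List[AcctRecord] = [AcctRecord("Start", "fred", "ch1", 0, 0)]
    if interim_interval_min:
        events += [AcctRecord("Interim-Update", "fred", "ch1", m * 60, m)
                   for m in range(interim_interval_min, 70, interim_interval_min)]
    events.append(AcctRecord("Stop", "fred", "ch1", 70 * 60, 70))

    # Everything that arrived before the second-channel request is counted first.
    for rec in (r for r in events if r.at <= 65):
        counter.account(rec)
    consumed_at_request = counter.consumed("fred")
    second_channel_accepted = counter.authorize("fred")
    # Then the rest, including the Stop record, is folded in.
    for rec in (r for r in events if r.at > 65):
        counter.account(rec)
    return {
        "second_channel_accepted": second_channel_accepted,
        "consumed_at_request": consumed_at_request,
        "consumed_after_stop": counter.consumed("fred"),
    }


if __name__ == "__main__":
    print("no updates:    ", simulate(None))   # second channel wrongly accepted
    print("10-min updates:", simulate(10))     # second channel refused
```

Without update packets the counter still reads zero at minute 65, so the second channel is accepted even though the first has already exhausted the quota; with updates every 10 minutes the counter reaches 3600 seconds at minute 60 and the request is refused.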

Shared Profile Components


Cisco Secure ACS provides a means for specifying authorization profile
components that you can apply to multiple user groups and users. For example,
you may have multiple user groups that have identical network access restrictions.
Rather than configuring the network access restrictions several times, once per
group, you can configure a network access restriction set in the Shared Profile
Components section of the HTML interface, and then configure each group to use
the network access restriction set you created.
For information about the types of shared profile components supported by
Cisco Secure ACS, see About Shared Profile Components, page 5-1.

Support for Cisco Device-Management Applications


Cisco Secure ACS supports Cisco device-management applications, such as, by
providing command authorization for network users who are using the
management application to configure managed network devices. Support for


command authorization for management application users is accomplished by
using unique command authorization set types for each management application
configured to use Cisco Secure ACS for authorization.
Cisco Secure ACS uses TACACS+ to communicate with management
applications. For a management application to communicate with Cisco Secure
ACS, the management application must be configured in Cisco Secure ACS as a
AAA client that uses TACACS+. Also, you must provide the device-management
application with a valid administrator name and password. When a management
application initially communicates with Cisco Secure ACS, these requirements
ensure the validity of the communication. For information about configuring a
AAA client, see AAA Client Configuration, page 4-11. For information about
administrator accounts, see Administrator Accounts, page 12-1.
Additionally, the administrator used by the management application must have
the Create New Device Command Set Type privilege enabled. When a
management application initially communicates with Cisco Secure ACS, it
dictates to Cisco Secure ACS the creation of a device command set type, which
appears in the Shared Profile Components section of the HTML interface. It also
dictates a custom service to be authorized by TACACS+. The custom service
appears on the TACACS+ (Cisco IOS) page in the Interface Configuration section
of the HTML interface. For information about enabling TACACS+ services, see
Protocol Configuration Options for TACACS+, page 3-7. For information about
device command-authorization sets for management applications, see Command
Authorization Sets, page 5-15.
After the management application has dictated the custom TACACS+ service and
device command-authorization set type to Cisco Secure ACS, you can configure
command-authorization sets for each role supported by the management
application and apply those sets to user groups that contain network
administrators or to individual users who are network administrators. For
information about configuring a command-authorization set, see Adding a
Command Authorization Set, page 5-19. For information about applying a shared
device command-authorization set to a user group, see Configuring
Device-Management Command Authorization for a User Group, page 6-35. For
information about applying a shared device command-authorization set to a user,
see Configuring Device-Management Command Authorization for a User,
page 7-29.


Other Authorization-Related Features


In addition to the authorization-related features discussed in this section, the
following features are provided by Cisco Secure ACS:
• Group administration of users, with support for up to 500 groups (see
Chapter 6, “User Group Management”).
• Ability to map a user from an external user database to a specific
Cisco Secure ACS group (see Chapter 15, “User Group Mapping and
Specification”).
• Ability to disable an account after a number of failed attempts, specified by
the administrator (see Setting Options for User Account Disablement,
page 7-19).
• Ability to disable an account on a specific date (see Setting Options for User
Account Disablement, page 7-19).
• Ability to restrict time-of-day and day-of-week access (see Setting Default
Time-of-Day Access for a User Group, page 6-5).
• Ability to restrict network access based on remote address caller line
identification (CLID) and dialed number identification service (DNIS) (see
Setting Network Access Restrictions for a User Group, page 6-7).
• IP pools for IP address assignment of end-user client hosts (see Setting IP
Address Assignment Method for a User Group, page 6-27).
• Per-user and per-group TACACS+ or RADIUS attributes (see Advanced
Options, page 3-4).
• Support for Voice-over-IP (VoIP), including configurable logging of
accounting data (see Enabling VoIP Support for a User Group, page 6-4).

Accounting
AAA clients use the accounting functions provided by the RADIUS and
TACACS+ protocols to communicate relevant data for each user session to the
AAA server for recording. Cisco Secure ACS writes accounting records to
comma-separated value (CSV) log files. You can easily import these logs into
popular database and spreadsheet applications for billing, security audits, and


report generation. You can also use a third-party reporting tool to manage
accounting data. For example, aaa-reports! by Extraxi supports Cisco Secure ACS
(http://www.extraxi.com).
Among the types of accounting logs you can generate are the following:
• TACACS+ Accounting—Lists when sessions start and stop; records AAA
client messages with username; provides caller line identification
information; records the duration of each session.
• RADIUS Accounting—Lists when sessions stop and start; records AAA
client messages with username; provides caller line identification
information; records the duration of each session.
• Administrative Accounting—Lists commands entered on a network device
with TACACS+ command authorization enabled.
For more information about Cisco Secure ACS logging capabilities, see
Chapter 1, “Overview.”

Other Accounting-Related Features


In addition to the accounting-related features discussed in this section, the
following features are provided by Cisco Secure ACS:
• Centralized logging, allowing several Cisco Secure ACS Appliances to
forward their accounting data to a remote agent (see Remote Logging,
page 11-17).
• Configurable supplementary user ID fields for capturing additional
information in logs (see User Data Configuration Options, page 3-3).
• Configurable logs, allowing you to capture as much information as needed
(see Accounting Logs, page 11-5).

Administration
To configure, maintain, and protect its AAA functionality, Cisco Secure ACS
provides a flexible administration scheme. You can perform nearly all
administration of Cisco Secure ACS through its HTML interface. For more
information about the HTML interface, including steps for accessing the HTML
interface, see Cisco Secure ACS HTML Interface, page 1-24.


HTTP Port Allocation for Administrative Sessions


The HTTP port allocation feature allows you to configure the range of TCP ports
used by Cisco Secure ACS for administrative HTTP sessions. Narrowing this
range with the HTTP port allocation feature reduces the risk of unauthorized
access to your network by a port open for administrative sessions.
We do not recommend that you administer Cisco Secure ACS through a firewall.
Doing so requires that you configure the firewall to permit HTTP traffic over the
range of HTTP administrative session ports that Cisco Secure ACS uses. While
narrowing this range reduces the risk of unauthorized access, a greater risk of
attack remains if you allow administration of Cisco Secure ACS from outside a
firewall. A firewall configured to permit HTTP traffic over the Cisco Secure ACS
administrative port range must also permit HTTP traffic through port 2002,
because this is the port a web browser must address to initiate an administrative
session.

Note A broad HTTP port range could create a security risk. To prevent accidental
discovery of an active administrative port by unauthorized users, keep the HTTP
port range as narrow as possible. Cisco Secure ACS tracks the IP address
associated with each administrative session. An unauthorized user would have to
impersonate, or “spoof”, the IP address of the legitimate remote host to make use
of the active administrative session HTTP port.

For information about configuring the HTTP port allocation feature, see Access
Policy, page 12-11.

Network Device Groups


With a network device group (NDG), you can view and administer a collection of
AAA clients and AAA servers as a single logical group. To simplify
administration, you can assign each group a convenient name that can be used to
refer to all devices within that group. This creates two levels of network devices
within Cisco Secure ACS—discrete devices such as an individual router, access
server, AAA server, or PIX Firewall, and NDGs, which are named collections of
AAA clients and AAA servers.
A network device can belong to only one NDG at a time.


Using NDGs enables an organization with a large number of AAA clients spread
across a large geographical area to logically organize its environment within
Cisco Secure ACS to reflect the physical setup. For example, all routers in Europe
could belong to a group named Europe; all routers in the United States could
belong to a US group; and so on. This would be especially convenient if the AAA
clients in each region were administered along the same divisions. Alternatively,
the environment could be organized by some other attribute such as divisions,
departments, business functions, and so on.
You can assign a group of users to an NDG. For more information on NDGs, see
Network Device Group Configuration, page 4-36.

Other Administration-Related Features


In addition to the administration-related features discussed in this section, the
following features are provided by Cisco Secure ACS:
• Ability to define different privileges per administrator (see Administrator
Accounts, page 12-1).
• Ability to log administrator activities (see Cisco Secure ACS System Logs,
page 11-12).
• Ability to view a list of logged-in users (see Dynamic Administration
Reports, page 11-7).
• CSMonitor service, providing monitoring, notification, logging, and limited
automated failure response (see Cisco Secure ACS Active Service
Management, page 8-17).
• Ability to automate configuration of users, groups, network devices, and
custom RADIUS VSAs (see RDBMS Synchronization, page 9-24).
• Replication of CiscoSecure user database components to other Cisco Secure
ACSes (see CiscoSecure Database Replication, page 9-1).
• Scheduled and on-demand Cisco Secure ACS system backups (see
Cisco Secure ACS Backup, page 8-8).
• Ability to restore Cisco Secure ACS configuration, user accounts, and group
profiles from a backup file (see Cisco Secure ACS System Restore,
page 8-13).


Cisco Secure ACS HTML Interface


This section discusses the Cisco Secure ACS HTML interface and provides
procedures for using it.
This section contains the following topics:
• About the Cisco Secure ACS HTML Interface, page 1-24
• HTML Interface Layout, page 1-25
• Uniform Resource Locator for the HTML Interface, page 1-27
• Network Environments and Administrative Sessions, page 1-27
• Accessing the HTML Interface, page 1-29
• Logging Off the HTML Interface, page 1-30
• Online Help and Online Documentation, page 1-31

About the Cisco Secure ACS HTML Interface


After installing Cisco Secure ACS, you configure and administer it through the
HTML interface. The HTML interface enables you to easily modify Cisco Secure
ACS configuration from any connection on your LAN or WAN.
The Cisco Secure ACS HTML interface is designed to be viewed using a web
browser. The design primarily uses HTML, along with some Java functions, to
enhance ease of use. This design keeps the interface responsive and
straightforward. The inclusion of Java requires that the browser used for
administrative sessions supports Java. For a list of supported browsers, see the
Release Notes. The most recent revision to the Release Notes is posted on
Cisco.com (http://www.cisco.com).
The HTML interface not only makes viewing and editing user and group
information possible, it also enables you to restart services, add remote
administrators, change AAA client information, back up the system, view reports
from anywhere on the network, and more. The reports track connection activity,
show which users are logged in, list failed authentication and authorization
attempts, and show administrators’ recent tasks.


HTML Interface Security


Accessing the HTML interface requires a valid administrator name and password.
The Cisco Secure ACS Login page encrypts the administrator credentials before
sending them to Cisco Secure ACS.
Administrative sessions time out after a configurable length of idle time.
Regardless, we recommend that you log out of the HTML interface after each
session. For information about logging out of Cisco Secure ACS, see Logging Off
the HTML Interface, page 1-30. For information about configuring the idle
timeout feature, see Access Policy, page 12-11.
You can enable Secure Sockets Layer (SSL) for administrative sessions. This
ensures that all communication between the web browser and Cisco Secure ACS
is encrypted. Your browser must support SSL. You can enable this feature on the
Access Policy Setup page in the Administration Control section. For more
information about enabling SSL for HTML interface security, see Access Policy,
page 12-11.

HTML Interface Layout


The HTML interface has three vertical partitions, known as frames:
• Navigation Bar—The gray frame on the left of the browser window, the
navigation bar contains the task buttons. Each button changes the
configuration area (see below) to a unique section of the Cisco Secure ACS
application, such as the User Setup section or the Interface Configuration
section. This frame does not change; it always contains the following buttons:
– User Setup—Add and edit user profiles.
– Group Setup—Configure network services and protocols for groups of
users.
– Shared Profile Components—Add and edit network access restriction
and command authorization sets, to be applied to users and groups.
– Network Configuration—Add and edit network access devices and
configure distributed systems.
– System Configuration—Configure database information and
accounting.


– Interface Configuration—Display or hide product features and options
to be configured.
– Administration Control—Define and configure access policies.
– External User Databases—Configure external databases for
authentication.
– Reports and Activity—Display accounting and logging information.
– Online Documentation—View the user guide.
• Configuration Area—The frame in the middle of the browser window, the
configuration area displays web pages that belong to one of the sections
represented by the buttons in the navigation bar. The configuration area is
where you add, edit, or delete information. For example, you configure user
information in this frame on the User Setup Edit page.

Note Most pages have a Submit button at the bottom. Click Submit to
confirm your changes. If you do not click Submit, changes are not
saved.

• Display Area—The frame on the right of the browser window, the display
area shows one of the following options:
– Online Help—Displays basic help about the page currently shown in the
configuration area. This help does not offer in-depth information, rather
it gives some basic information about what can be accomplished in the
middle frame. For more detailed information, click Section Information
at the bottom of the page to go to the applicable part of Online
Documentation.
– Reports or Lists—Displays lists or reports, including accounting
reports. For example, in User Setup you can show all usernames that start
with a specific letter. The list of usernames beginning with a specified
letter is displayed in this section. The usernames are hyperlinks to the
specific user configuration, so clicking the name enables you to edit that
user.
– System Messages—Displays messages after you click Submit if you
have typed in incorrect or incomplete data. For example, if the
information you entered in the Password box does not match the
information in the Confirm Password box in the User Setup section,


Cisco Secure ACS displays an error message here. The incorrect
information remains in the configuration area so that you can retype and
resubmit the information correctly.

Uniform Resource Locator for the HTML Interface


The HTML interface is available by web browser at one of the following uniform
resource locators (URLs):
• http://IP address:2002
• http://hostname:2002
where IP address is the dotted decimal IP address of the Cisco Secure ACS
Appliance and hostname is the hostname of the Cisco Secure ACS Appliance. If
you use the hostname, DNS must be functioning properly on your network or the
hostname must be listed in the local hosts file of the computer running the
browser.
If Cisco Secure ACS is configured to use SSL to protect administrative sessions,
you can also access the HTML interface by specifying the HTTPS protocol in the
URLs:
• https://IP address:2002
• https://hostname:2002
If SSL is enabled and you do not specify HTTPS, Cisco Secure ACS redirects the
initial request to HTTPS for you. Using SSL to access the login page protects
administrator credentials. For more information about enabling SSL to protect
administrative sessions, see Access Policy, page 12-11.

Network Environments and Administrative Sessions


We recommend that administrative sessions take place without the use of an
HTTP proxy server, without a firewall between the browser and Cisco Secure
ACS, and without a NAT gateway between the browser and Cisco Secure ACS.
Because these limitations are not always practical, this section discusses how
various network environmental issues affect administrative sessions.


This section contains the following topics:
• Administrative Sessions and HTTP Proxy, page 1-28
• Administrative Sessions through Firewalls, page 1-28
• Administrative Sessions through a NAT Gateway, page 1-29

Administrative Sessions and HTTP Proxy


Cisco Secure ACS does not support HTTP proxy for administrative sessions. If
the browser used for an administrative session is configured to use a proxy server,
Cisco Secure ACS sees the administrative session originating from the IP address
of the proxy server rather than from the actual address of the computer.
Administrative session tracking assumes each browser resides on a computer with
a unique IP.
Also, IP filtering of proxied administrative sessions has to be based on the IP
address of the proxy server rather than the IP address of the computer. This
conflicts with administrative session communication that does use the actual IP
address of the computer. For more information about IP filtering of administrative
sessions, see Access Policy, page 12-11.
For these reasons, we do not recommend performing administrative sessions
using a web browser that is configured to use a proxy server. Administrative
sessions using a proxy-enabled web browser are not tested. If your web browser is
configured to use a proxy server, disable HTTP proxying when attempting
Cisco Secure ACS administrative sessions.

Administrative Sessions through Firewalls


In the case of firewalls that do not perform network address translation (NAT),
administrative sessions conducted across the firewall can require additional
configuration of Cisco Secure ACS and the firewall. This is because Cisco Secure
ACS assigns a random HTTP port at the beginning of an administrative session.
To allow administrative sessions from browsers outside a firewall that protects
Cisco Secure ACS, the firewall must permit HTTP traffic across the range of
ports that Cisco Secure ACS is configured to use. You can control the HTTP port
range using the HTTP port allocation feature. For more information about the
HTTP port allocation feature, see HTTP Port Allocation for Administrative
Sessions, page 1-22.


While administering Cisco Secure ACS through a firewall that is not performing
NAT is possible, we do not recommend that you administer Cisco Secure ACS
through a firewall. For more information, see HTTP Port Allocation for
Administrative Sessions, page 1-22.

Administrative Sessions through a NAT Gateway


We do not recommend conducting administrative sessions across a network
device performing NAT. If the administrator runs a browser on a computer behind
a NAT gateway, Cisco Secure ACS receives the HTTP requests from the public
IP address of the NAT device, which conflicts with the computer's private IP
address, included in the content of the HTTP requests. Cisco Secure ACS does not
permit this.
If Cisco Secure ACS is behind a NAT gateway and the URL used to access the
HTML interface specifies Cisco Secure ACS by its hostname, administrative
sessions operate correctly, provided that DNS is functioning correctly on your
network or that computers used to access the HTML interface have a hosts file
entry for Cisco Secure ACS.
If the URL used to access the HTML interface specifies Cisco Secure ACS by its
IP address, you could configure the gateway to forward all connections to port
2002 to Cisco Secure ACS, using the same port. Additionally, all the ports
allowed using the HTTP port allocation feature would have to be similarly
mapped. We have not tested such a configuration and do not recommend
implementing it.

Accessing the HTML Interface


Administrative sessions always require that you log in using a valid administrator
name and password.
Before You Begin
Determine whether a supported web browser is installed on the computer you
want to use to access the HTML interface. If not, install a supported web browser
or use a computer that already has a supported web browser installed. For a list
of supported browsers, see the Release Notes. The latest revision to the Release
Notes is posted on Cisco.com (http://www.cisco.com).

User Guide for Cisco Secure ACS Appliance, version 3.2


78-14698-02 1-29

Because the HTML interface uses Java in a few places, the computer running the
browser used to access the HTML interface must have a Java Virtual Machine
available for the use of the browser.
To access the HTML interface, follow these steps:

Step 1 Open a web browser. For a list of supported web browsers, see the Release Notes
for the version of Cisco Secure ACS you are accessing. The latest revision to the
Release Notes is posted on Cisco.com (http://www.cisco.com).
Step 2 In the Address or Location bar in the web browser, type the applicable URL. For
a list of possible URLs, see Uniform Resource Locator for the HTML Interface,
page 1-27.
Step 3 In the Username box, type a valid Cisco Secure ACS administrator name.
Step 4 In the Password box, type the password for the administrator name you specified.
Step 5 Click Login.
The initial page appears.

Logging Off the HTML Interface


When you are finished using the HTML interface, we recommend that you log off.
While Cisco Secure ACS can time out unused administrative sessions, logging off
prevents unauthorized access by someone using the browser after you or by
unauthorized persons using the HTTP port left open to support the administrative
session.
To log off the Cisco Secure ACS HTML interface, click the Logoff button.

Note The Logoff button appears in the upper right corner of the browser window,
except on the initial page, where it appears in the upper left of the configuration
area.


Online Help and Online Documentation


We provide two sources of information in the HTML interface:
• Online Help—Contains basic information about the page shown in the
configuration area.
• Online Documentation—Contains the entire user guide.

Using Online Help


Online help is the default content in the display area. For every page that appears
in the configuration area, there is a corresponding online help page. At the top of
each online help page is a list of topics covered by that page.
To jump from the top of the online help page to a particular topic, click the topic
name in the list at the top of the page.
There are three icons that appear on many pages in Cisco Secure ACS:
• Question Mark—Many subsections of the pages in the configuration area
contain an icon with a question mark. To jump to the applicable topic in an
online help page, click the question mark icon.
• Section Information—Many online help pages contain a Section
Information icon at the bottom of the page. To view an applicable section of
the online documentation, click the Section Information icon.
• Back to Help—Wherever you find an online help page with a Section
Information icon, the corresponding page in the configuration area contains
a Back to Help icon. If you have accessed the online documentation by
clicking a Section Information icon and want to view the online help page
again, click the Back to Help icon.

Using the Online Documentation


Online documentation is the user guide for Cisco Secure ACS. The user guide
provides information about the configuration, operation, and concepts of
Cisco Secure ACS. The information presented in the online documentation is as
current as the release date of the Cisco Secure ACS version you are using. For the
most up-to-date documentation about Cisco Secure ACS, please go to
http://www.cisco.com.


Tip Click Section Information on any online help page to view online documentation
relevant to the section of the HTML interface you are using.

To access online documentation, follow these steps:

Step 1 In the Cisco Secure ACS HTML interface, click Online Documentation.

Tip To open the online documentation in a new browser window, right-click
Online Documentation, and then click Open Link in New Window (for
Microsoft Internet Explorer) or Open in New Window (for Netscape
Navigator).

The table of contents opens in the configuration area.


Step 2 If you want to select a topic from the table of contents, scroll through the table of
contents and click the applicable topic.
The online documentation for the topic selected appears in the display area.
Step 3 If you want to select a topic from the index, follow these steps:
a. Click [Index].
The index appears in the display area.
b. Scroll through the index to find an entry for the topic you are researching.

Tip Use the lettered shortcut links to jump to a particular section of the index.

Entries appear with numbered links after them. The numbered links lead to
separate instances of the entry topic.
c. Click an instance number for the desired topic.
The online documentation for the topic selected appears in the display area.
Step 4 If you want to print the online documentation, click in the display area, and then
click Print in the navigation bar of your browser.

C H A P T E R 2
Deployment Considerations

Deployment of Cisco Secure ACS Appliance can be complex and iterative,
depending on the specific implementation required. This chapter provides insight
into the deployment process and presents a collection of factors that you should
consider before deploying Cisco Secure ACS.
The complexity of deploying Cisco Secure ACS reflects the evolution of AAA
servers in general, and the advanced capabilities, flexibility, and features of
Cisco Secure ACS in particular. AAA was conceived originally to provide a
centralized point of control for user access via dial-up services. As user databases
grew and the locations of AAA clients became more dispersed, more capability
was required of the AAA server. Regional, and then global, requirements became
common. Today, Cisco Secure ACS is required to provide AAA services for
dial-up access, dial-out access, wireless, VLAN access, firewalls, VPN
concentrators, administrative controls, and more. The list of external databases
supported has also continued to grow and the use of multiple databases, as well as
multiple Cisco Secure ACSes, has become more common. Regardless of the
scope of your Cisco Secure ACS deployment, the information contained in this
chapter should prove valuable. If you have deployment questions that are not
addressed in this guide, contact your Cisco technical representative for assistance.
This chapter contains the following topics:
• Basic Deployment Requirements for Cisco Secure ACS, page 2-2
• Basic Deployment Factors for Cisco Secure ACS, page 2-3
• Suggested Deployment Sequence, page 2-17


Basic Deployment Requirements for Cisco Secure ACS

This section details the minimum requirements you must meet to successfully
deploy Cisco Secure ACS.
This section contains the following topics:
• System Installation Requirements, page 2-2
• Network and Port Requirements, page 2-2

System Installation Requirements


Before fully configuring and deploying a Cisco Secure ACS Appliance, you must
properly install the appliance. For information and procedures about installing an
appliance, see Installation and Setup Guide for Cisco Secure ACS Appliance.

Network and Port Requirements


Your network should meet the following requirements before you begin deploying
Cisco Secure ACS.
• For full TACACS+ and RADIUS support on Cisco IOS devices, AAA clients
must run Cisco IOS Release 11.2 or later.
• Non-Cisco IOS AAA clients must be configured with TACACS+ and/or
RADIUS.
• Dial-in, VPN, or wireless clients must be able to connect to the applicable
AAA clients.
• Cisco Secure ACS must be able to ping all AAA clients.
• Gateway devices between Cisco Secure ACS and other network devices must
permit communication over the ports needed to support the applicable feature
or protocol. For information about ports listened to by Cisco Secure ACS, see
Table 2-1.


• To have Cisco Secure ACS use the Grant Dial-in Permission to User feature
in Windows when authorizing network users, this option must be selected in
the Windows User Manager or Active Directory Users and Computers for the
applicable user accounts.
Table 2-1 lists the ports that Cisco Secure ACS listens to for communications with
AAA clients, other Cisco Secure ACSes and applications, and web browsers.
Cisco Secure ACS uses other ports to communicate with external user databases;
however, it initiates those communications rather than listening to specific ports.
In some cases, these ports are configurable, such as with LDAP and RADIUS
token server databases. For more information about ports that a particular external
user database listens to, see the documentation for that database.

Table 2-1 Ports that Cisco Secure ACS Listens To

Feature/Protocol                                      UDP or TCP?  Ports
RADIUS authentication and authorization               UDP          1645, 1812
RADIUS accounting                                     UDP          1646, 1813
TACACS+                                               TCP          49
CiscoSecure Database Replication                      TCP          2000
RDBMS Synchronization with synchronization partners   TCP          2000
User-Changeable Password web application              TCP          2000
Logging                                               TCP          2001
Remote agents                                         TCP          2003
Administrative HTTP port for new sessions             TCP          2002
Administrative HTTP port range                        TCP          Configurable; default 1024 through 65535

Basic Deployment Factors for Cisco Secure ACS


Generally, the ease in deploying Cisco Secure ACS is directly related to the
complexity of the implementation planned and the degree to which you have
defined your policies and requirements. This section presents some basic factors
you should consider before you begin implementing Cisco Secure ACS.


This section contains the following topics:


• Network Topology, page 2-4
• Remote Access Policy, page 2-12
• Security Policy, page 2-13
• Administrative Access Policy, page 2-13
• Database, page 2-16
• Network Latency and Reliability, page 2-17

Network Topology
How your enterprise network is configured is likely to be the most important
factor in deploying Cisco Secure ACS. While an exhaustive treatment of this topic
is beyond the scope of this guide, this section details how the growth of network
topology options has made Cisco Secure ACS deployment decisions more
complex.
When AAA was created, network access was restricted to either devices directly
connected to the LAN or remote devices gaining access via modem. Today,
enterprise networks can be complex and, because of tunneling technologies, can
be widely geographically dispersed.

Dial-Up Topology
In the traditional model of dial-up access (a PPP connection), a user employing a
modem or ISDN connection is granted access to an intranet via a network access
server (NAS) functioning as a AAA client. Users may be able to connect via only
a single AAA client as in a small business, or have the option of numerous
geographically dispersed AAA clients.
In the small LAN environment, see Figure 2-1, network architects typically place
a single Cisco Secure ACS internal to the AAA client, protected from outside
access by a firewall and the AAA client. In this environment, the user database is
usually small, there are few devices that require access to the Cisco Secure ACS
for AAA, and any database replication is limited to a secondary Cisco Secure
ACS as a backup.


Figure 2-1 Small Dial-up Network
[Figure: server-based dial access over the PSTN via a modem into the network, with a single Cisco Secure Access Control Server.]

In a larger dial-in environment, a single Cisco Secure ACS with a backup may be
suitable, too. The suitability of this configuration depends on network and server
access latency. Figure 2-2 shows an example of a large dial-in arrangement. In this
scenario, adding a backup Cisco Secure ACS is recommended.


Figure 2-2 Large Dial-up Network
[Figure: multiple Cisco AS5300 access servers; UNIX, Novell, Windows NT and Macintosh servers; one Cisco Secure Access Control Server.]

In a very large, geographically dispersed network (Figure 2-3), there may be
access servers located in different parts of a city, in different cities, or on different
continents. If network latency is not an issue, a central Cisco Secure ACS may
work but connection reliability over long distances may cause problems. In this
case, local Cisco Secure ACSes may be preferable to a central Cisco Secure ACS.
If the need for a globally coherent user database is most important, database
replication or synchronization from a central Cisco Secure ACS may be
necessary. Authentication using external databases, such as a Windows user
database or the Lightweight Directory Access Protocol (LDAP), can further
complicate the deployment of distributed, localized Cisco Secure ACSes. While
Cisco Secure ACS uses encryption for all replication and database
synchronization traffic, additional security measures may be required to protect
the network and user information that Cisco Secure ACS sends across the WAN.


Figure 2-3 Geographically Dispersed Network
[Figure: three Cisco Secure Access Control Servers placed at separate locations.]

Wireless Network
The wireless network access point is a relatively new client for AAA services. The
wireless access point (AP), such as the Cisco Aironet series, provides a bridged
connection for mobile end-user clients into the LAN. Authentication is absolutely
necessary due to the ease of access to the AP. Encryption is also necessary because
of the ease of eavesdropping on communications. As such, security plays an even
bigger role than in the dial-up scenario and is discussed in more detail later in this
section.
Scaling can be a serious issue in the wireless network. The mobility factor of the
wireless LAN (WLAN) requires considerations similar to those given to the
dial-up network. Unlike the wired LAN, however, the WLAN can be more readily
expanded. Though WLAN technology does have physical limits as to the number
of users that can be connected via an AP, the number of APs can grow quickly. As
with the dial-up network, you can structure your WLAN to allow full access for
all users, or to provide restricted access to different subnets between sites,
buildings, floors, or rooms. This raises a unique issue with the WLAN: the ability
of a user to “roam” between APs.


In the simple WLAN, there may be a single AP installed (Figure 2-4). Because
there is only one AP, the primary issue is security. In this environment, there is
generally a small user base and few network devices to worry about. Providing
AAA services to the other devices on the network does not cause any significant
additional load on the Cisco Secure ACS.

Figure 2-4 Simple WLAN
[Figure: a single Cisco Aironet AP bridged into the network, with one Cisco Secure Access Control Server.]

In the LAN where a number of APs are deployed, as in a large building or a
campus environment, your decisions on how to deploy Cisco Secure ACS become
a little more involved. Though Figure 2-5 shows all APs on the same LAN, they
may be distributed throughout the LAN, connected via routers, switches, and so
on. In the larger, geographical distribution of WLANs, deployment of
Cisco Secure ACS is similar to that of large regional distribution of dial-up LANs
(Figure 2-3).


Figure 2-5 Campus WLAN
[Figure: several Cisco Aironet APs and a dial-up connection; UNIX, Novell, Windows NT and Macintosh servers; one Cisco Secure Access Control Server.]
This is particularly true when the regional topology is the campus WLAN. This
model starts to change when you deploy WLANs in many small sites that more
resemble the simple WLAN shown in Figure 2-4. This model may apply to a chain
of small stores distributed throughout a city or state, nationally, or globally
(Figure 2-6).


Figure 2-6 Large Deployment of Small Sites
[Figure: many small WLAN sites distributed across a wide area.]
For the model in Figure 2-6, the location of Cisco Secure ACS depends on
whether all users need access on any AP, or whether users require only regional
or local network access. Along with database type, these factors control whether
local or regional Cisco Secure ACSes are required, and how database continuity
is maintained. In this very large deployment model, security becomes a more
complicated issue, too.

Remote Access using VPN


Virtual Private Networks (VPNs) use advanced encryption and tunneling to
permit organizations to establish secure, end-to-end, private network connections
over third-party networks, such as the Internet or extranets (Figure 2-7). The
benefits of a VPN include the following:
• Cost Savings—By leveraging third-party networks with VPN, organizations
no longer have to use expensive leased or frame relay lines and can connect
remote users to their corporate networks via a local Internet service provider
(ISP) instead of using expensive toll-free or long-distance calls to
resource-consuming modem banks.


• Security—VPNs provide the highest level of security using advanced
encryption and authentication protocols that protect data from unauthorized
access.
• Scalability—VPNs allow corporations to use remote access infrastructure
within ISPs; therefore, corporations can add a large amount of capacity
without adding significant infrastructure.
• Compatibility with Broadband Technology—VPNs allow mobile workers
and telecommuters to take advantage of high-speed, broadband connectivity,
such as DSL and cable, when gaining access to their corporate networks,
providing workers significant flexibility and efficiency.

Figure 2-7 Simple VPN Configuration
[Figure: a tunnel across the WAN terminates on a VPN concentrator at the network edge, with one Cisco Secure Access Control Server.]

There are two types of VPN access into a network:
• Site-to-Site VPNs—Extend the classic WAN by providing large-scale
encryption between multiple fixed sites such as remote offices and central
offices, over a public network, such as the Internet.
• Remote Access VPNs—Permit secure, encrypted connections between
mobile or remote users and their corporate networks via a third-party
network, such as an ISP, via VPN client software.
Generally speaking, site-to-site VPNs can be viewed as a typical WAN connection
and are not usually configured to use AAA to secure the initial connection and are
likely to use the device-oriented IPSec tunneling protocol. Remote access VPNs,
however, are similar to classic remote connection technology (modem/ISDN) and
lend themselves to using the AAA model very effectively (Figure 2-8).


Figure 2-8 Enterprise VPN Solution
[Figure: a home office and a mobile worker each connect through an ISP, across the Internet, by tunnel to a VPN concentrator, behind which sits the Cisco Secure Access Control Server.]

For more information about implementing VPN solutions, see the reference guide
A Primer for Implementing a Cisco Virtual Private Network.

Remote Access Policy


Remote access is a broad concept. In general, it defines how the user can connect
to the LAN, or from the LAN to outside resources (that is, the Internet). There are
several ways this may occur. The methods include dial-in, ISDN, wireless bridges,
and secure Internet connections. Each method incurs its own advantages and
disadvantages, and provides a unique challenge to providing AAA services. This
closely ties remote access policies to the enterprise network topology. In addition
to the method of access, other decisions can also affect how Cisco Secure ACS is
deployed; these include specific network routing (access lists), time-of-day
access, individual restrictions on AAA client access, access control lists (ACLs),
and so on.
Remote access policies can be implemented for employees who telecommute or
for mobile users who dial in over ISDN or public switched telephone network
(PSTN). Such policies are enforced at the corporate campus with Cisco Secure
ACS and the AAA client. Inside the enterprise network, remote access policies
can control wireless access by individual employees.


Cisco Secure ACS remote access policies provide control by using central
authentication and authorization of remote users. The CiscoSecure user database
maintains all user IDs, passwords, and privileges. Cisco Secure ACS access
policies can be downloaded in the form of ACLs to network access servers such
as the Cisco AS5300 Network Access Server, can allow access only during
specific periods, or can allow access only on specific access servers.
Remote access policies are part of overall corporate security policy.

Security Policy
We recommend that every organization that maintains a network develop a
security policy for the organization. The sophistication, nature, and scope of your
security policy directly affect how you deploy Cisco Secure ACS.
For more information about developing and maintaining a comprehensive security
policy, refer to the following documents:
• Network Security Policy: Best Practices White Paper
• Delivering End-to-End Security in Policy-Based Networks
• Cisco IOS Security Configuration Guide

Administrative Access Policy


Managing a network is a matter of scale. Providing a policy for administrative
access to network devices depends directly on the size of the network and the
number of administrators required to maintain the network. Local authentication
on a network device can be performed, but it is not scalable. The use of network
management tools can help in large networks, but if local authentication is used
on each network device, the policy usually consists of a single login on the
network device. This does not promote adequate network device security. Using
Cisco Secure ACS allows a centralized administrator database, and administrators
can be added or deleted at one location. TACACS+ is the recommended AAA
protocol for controlling AAA client administrative access because of its ability to
provide per-command control (command authorization) of AAA client
administrator access to the device. RADIUS is not well suited for this purpose
because of the one-time transfer of authorization information at time of initial
authentication.


The type of access is also an important consideration. If there are to be different
administrative access levels to the AAA clients, or if a subset of administrators is
to be limited to certain systems, Cisco Secure ACS can be used with command
authorization per network device to restrict network administrators as necessary.
Using local authentication restricts the administrative access policy to no login on
a device or using privilege levels to control access. Controlling access by means
of privilege levels is cumbersome and not very scalable. This requires that the
privilege levels of specific commands are altered on the AAA client device and
specific privilege levels are defined for the user login. It is also very easy to create
more problems by editing command privilege levels. Using command
authorization on Cisco Secure ACS does not require that you alter the privilege
level of controlled commands. The AAA client sends the command to
Cisco Secure ACS to be parsed and Cisco Secure ACS determines whether the
administrator has permission to use the command. The use of AAA allows
authentication on any AAA client to any user on Cisco Secure ACS and limits
access to these devices on a per-AAA client basis.
A small network with a small number of network devices may require only one or
two individuals to administer it. Local authentication on the device is usually
sufficient. If you require more granular control than that which authentication can
provide, some means of authorization is necessary. As discussed earlier,
controlling access using privilege levels can be cumbersome. Cisco Secure ACS
reduces this problem.
In large enterprise networks, with many devices to administer, the use of
Cisco Secure ACS becomes a practical necessity. Because administration of many
devices requires a larger number of network administrators, with varying levels of
access, the use of local control is simply not a viable way of keeping track of
network device configuration changes required when changing administrators or
devices. The use of network management tools, such as CiscoWorks 2000, helps
to ease this burden, but maintaining security is still an issue. Because
Cisco Secure ACS can comfortably handle up to 100,000 users, the number of
network administrators that Cisco Secure ACS supports is rarely an issue. If there
is a large remote access population using RADIUS for AAA support, the
corporate IT team should consider separate TACACS+ authentication using
Cisco Secure ACS for the administrative team. This would isolate the general user
population from the administrative team and reduce the likelihood of inadvertent
access to network devices. If this is not a suitable solution, using TACACS+ for
administrative (shell/exec) logins, and RADIUS for remote network access,
provides sufficient security for the network devices.


Separation of Administrative and General Users


It is important to keep the general network user from accessing network devices.
Even though the general user may not intend to gain unauthorized access,
inadvertent access could accidentally disrupt network access. AAA and
Cisco Secure ACS provide the means to separate the general user from the
administrative user.
The easiest, and recommended, method to perform such separation is to use
RADIUS for the general remote access user and TACACS+ for the administrative
user. An issue that arises is that an administrator may also require remote network
access, like the general user. If you use Cisco Secure ACS this poses no problem.
The administrator can have both RADIUS and TACACS+ configurations in
Cisco Secure ACS. Using authorization, RADIUS users can have PPP (or other
network access protocols) set as the permitted protocol. Under TACACS+, only
the administrator would be configured to allow shell (exec) access.
For example, if the administrator is dialing in to the network as a general user, a
AAA client would use RADIUS as the authenticating and authorizing protocol
and the PPP protocol would be authorized. In turn, if the same administrator
remotely connects to a AAA client to make configuration changes, the AAA client
would use the TACACS+ protocol for authentication and authorization. Because
this administrator is configured on Cisco Secure ACS with permission for shell
under TACACS+, he would be authorized to log in to that device. This does
require that the AAA client have two separate configurations on Cisco Secure
ACS, one for RADIUS and one for TACACS+. An example of a AAA client
configuration under IOS that effectively separates PPP and shell logins follows:
! ip-address, secret-key, user and password are placeholders for your own values
aaa new-model
tacacs-server host ip-address
tacacs-server key secret-key
radius-server host ip-address
radius-server key secret-key
! General (PPP) users are authenticated by RADIUS
aaa authentication ppp default group radius
! Device logins go to TACACS+, falling back to the local database
aaa authentication login default group tacacs+ local
aaa authentication login console none
! Network (PPP) authorization by RADIUS; exec and per-command authorization by TACACS+
aaa authorization network default group radius
aaa authorization exec default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
username user password password
! The console line uses the "console" list and is exempt from AAA login
line con 0
login authentication console


Conversely, if a general user attempts to use his or her remote access to log in to
a network device, Cisco Secure ACS checks and approves the username and
password, but the authorization process would fail because that user would not
have credentials that allow shell or exec access to the device.
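As an added example that is not part of this guide or of Cisco's software, the following Python script lints an IOS AAA configuration for the RADIUS/TACACS+ separation just described: PPP access handled by RADIUS, login, exec and per-command authorization handled by TACACS+. The two sample configurations, their 192.0.2.x addresses and the username are constructed for the example.

```python
"""Lint a Cisco IOS AAA configuration for RADIUS/TACACS+ separation.

Added example, not Cisco's code: checks that network (PPP) access is handled
by RADIUS while login, exec and command authorization go to TACACS+, and
flags method lists that would let a RADIUS-only general user obtain a shell.
"""

# Constructed sample mirroring the guide's example (addresses and username are
# placeholders, not values from the guide).
GOOD_CONFIG = """\
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key secret-key
radius-server host 192.0.2.20
radius-server key secret-key
aaa authentication ppp default group radius
aaa authentication login default group tacacs+ local
aaa authentication login console none
aaa authorization network default group radius
aaa authorization exec default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
username admin password placeholder
line con 0
 login authentication console
"""

# Constructed weak variant: login and exec also consult RADIUS, so anyone
# valid in the general-user RADIUS population can reach a device shell.
WEAK_CONFIG = """\
aaa new-model
radius-server host 192.0.2.20
radius-server key secret-key
aaa authentication ppp default group radius
aaa authentication login default group radius local
aaa authorization network default group radius
aaa authorization exec default group radius none
username admin password placeholder
"""


def parse_method_lists(config):
    """Map (kind, service, list_name) to its ordered method list.

    'aaa authorization commands 15 default group tacacs+ none' becomes
    ('authorization', 'commands 15', 'default') -> ['group tacacs+', 'none'].
    """
    lists = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if (len(tokens) < 5 or tokens[0] != "aaa"
                or tokens[1] not in ("authentication", "authorization")):
            continue
        kind, service, rest = tokens[1], tokens[2], tokens[3:]
        if service == "commands":  # privilege level precedes the list name
            service, rest = f"commands {rest[0]}", rest[1:]
        list_name, rest = rest[0], rest[1:]
        methods, i = [], 0
        while i < len(rest):
            if rest[i] == "group" and i + 1 < len(rest):
                methods.append(f"group {rest[i + 1]}")  # server-group method
                i += 2
            else:
                methods.append(rest[i])  # local, none, enable, line, ...
                i += 1
        lists[(kind, service, list_name)] = methods
    return lists


def lint_aaa_separation(config):
    """Return findings; an empty list means the config matches the split."""
    findings = []
    if "aaa new-model" not in [line.strip() for line in config.splitlines()]:
        findings.append("aaa new-model missing: method lists are not in effect")
    lists = parse_method_lists(config)

    def default(kind, service):
        return lists.get((kind, service, "default"), [])

    # Network access (PPP) belongs to the RADIUS general-user population.
    if "group radius" not in default("authentication", "ppp"):
        findings.append("ppp authentication does not use RADIUS")
    if "group radius" not in default("authorization", "network"):
        findings.append("network authorization does not use RADIUS")

    # Device login and shell belong to TACACS+ administrators only.
    login = default("authentication", "login")
    if "group tacacs+" not in login:
        findings.append("login authentication does not use TACACS+")
    if "group radius" in login:
        findings.append("login authentication consults RADIUS: general users "
                        "could authenticate to the device")
    exec_methods = default("authorization", "exec")
    if "group tacacs+" not in exec_methods:
        findings.append("exec authorization does not use TACACS+")
    if "group radius" in exec_methods:
        findings.append("exec authorization consults RADIUS: general users "
                        "could obtain a shell")

    # Per-command control is what makes TACACS+ the right choice for admins.
    command_lists = [m for (k, s, _), m in lists.items()
                     if k == "authorization" and s.startswith("commands ")]
    if not any("group tacacs+" in m for m in command_lists):
        findings.append("no TACACS+ command authorization "
                        "(aaa authorization commands <level>)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, lint_aaa_separation(cfg) or ["OK"])
```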

Database
Aside from topological considerations, the user database is one of the most
influential factors involved in making deployment decisions for Cisco Secure
ACS. The size of the user base, distribution of users throughout the network,
access requirements, and type of user database contribute to how Cisco Secure
ACS is deployed.

Number of Users
Cisco Secure ACS is designed for the enterprise environment, comfortably
handling 100,000 users. This is usually more than adequate for a corporation. In
an environment that exceeds these numbers, the user base would typically be
geographically dispersed, which lends itself to the use of more than one
Cisco Secure ACS configuration. A WAN failure could render a local network
inaccessible because of the loss of the authentication server. In addition to this
issue, reducing the number of users that a single Cisco Secure ACS handles
improves performance by lowering the number of logins occurring at any given
time and by reducing the load on the database itself.

Type of Database
Cisco Secure ACS supports several database options, including the CiscoSecure
user database or using remote authentication with any of the external databases
supported. For more information about database options, types, and features, see
Authentication and User Databases, page 1-9, Chapter 13, “User Databases,” or
Chapter 15, “User Group Mapping and Specification.” Each database option has
its own advantages and limitations in scalability and performance.


Network Latency and Reliability


Network latency and reliability are also important factors in how you deploy
Cisco Secure ACS. Delays in authentication can result in timeouts at the end-user
client or the AAA client.
The general rule for large, extended networks, such as a globally dispersed
corporation, is to have at least one Cisco Secure ACS deployed in each region.
This may not be adequate without a reliable, high-speed connection between sites.
Many corporations use secure VPN connections between sites so that the Internet
provides the link. This saves time and money but it does not provide the speed and
reliability that a dedicated frame relay or T1 link provides. If reliable
authentication service is critical to business functionality, such as retail outlets
with cash registers that are linked by a WLAN, the loss of WAN connection to a
remote Cisco Secure ACS could be catastrophic.
The same issue can be applied to an external database used by Cisco Secure ACS.
The database should be deployed close enough to Cisco Secure ACS to ensure
reliable and timely access. Using a local Cisco Secure ACS with a remote
database can result in the same problems as using a remote Cisco Secure ACS.
Another possible problem in this scenario is that a user may experience timeout
problems. The AAA client would be able to contact Cisco Secure ACS, but
Cisco Secure ACS would wait for a reply that might be delayed or never arrive
from the external user database. If the Cisco Secure ACS were remote, the AAA
client would time out and try an alternative method to authenticate the user, but in
the latter case, it is likely the end-user client would time out first.

Suggested Deployment Sequence


While there is no single, one-size-fits-all process for all Cisco Secure ACS
deployments, you should consider following the sequence, keyed to the high-level
functions represented in the navigation toolbar. Also bear in mind that many of
these deployment activities are iterative in nature; you may find that you
repeatedly return to such tasks as interface configuration as your deployment
proceeds.
• Configure Additional Administrators—You configured a single
administrator during initial configuration and installation of the appliance.
You should establish any additional administrators in accordance with your
own detailed plan for establishing and maintaining an administrative policy.

For more information about setting up administrators, see Chapter 1,
“Overview.”
• Configure the Cisco Secure ACS HTML Interface—You can configure
Cisco Secure ACS HTML interface to show only those features and controls
that you intend to use. This makes using Cisco Secure ACS less difficult than
it would be if you had to contend with multiple parts of the HTML interface
that you did not plan to use. The price of this convenience can sometimes be
frustration that features and controls do not appear because you failed to
configure them in the Interface Configuration section. For guidance on
configuring the HTML interface, see Interface Design Concepts, page 3-2.
For information about configuring particular aspects of the HTML interface,
see the following sections of the interface configuration chapter:
– User Data Configuration Options, page 3-3
– Advanced Options, page 3-4
– Protocol Configuration Options for TACACS+, page 3-7
– Protocol Configuration Options for RADIUS, page 3-11
• Configure System—There are more than a dozen functions within the
System Configuration section to be considered, from setting the format for
the display of dates and password validation to configuring settings for
database replication and RDBMS synchronization. These functions are
detailed in Chapter 8, “System Configuration: Basic.” Of particular note
during initial system configuration is setting up the logs and reports to be
generated by Cisco Secure ACS; for more information, see Chapter 1,
“Overview.”
• Configure Network—You control distributed and proxied AAA functions in
the Network Configuration section of the HTML interface. From here, you
establish the identity, location, and grouping of AAA clients and servers, and
determine what authentication protocols each is to employ. For more
information, see Chapter 4, “Network Configuration.”
• Configure External User Database—During this phase of deployment you
must decide whether and how you intend to implement an external database
to establish and maintain user authentication accounts. Typically, this
decision is made according to your existing network administration
mechanisms. For information about the types of databases Cisco Secure ACS
supports and instructions for establishing them, see Chapter 13, “User
Databases.”

Along with the decision to implement an external user database (or
databases), you should have detailed plans that specify your requirements for
Cisco Secure ACS database replication, backup, and synchronization. These
aspects of configuring CiscoSecure user database management are detailed in
Chapter 8, “System Configuration: Basic.”
• Configure Shared Profile Components—With most aspects of network
configuration already established and before configuring user groups, you
should configure your Shared Profile Components. When you set up and
name the network access restrictions and command authorization sets you
intend to employ, you lay out an efficient basis for specifying user group and
single user access privileges. For more information about Shared Profile
Components, see Chapter 5, “Shared Profile Components.”
• Configure Groups—Having previously configured any external user
databases you intend to employ, and before configuring your user groups, you
should decide how to implement two other Cisco Secure ACS features related
to external user databases: unknown user processing and database group
mapping. For more information see Unknown User Processing, page 14-2,
and Chapter 15, “User Group Mapping and Specification.” Then, you are able
to configure your user groups with a complete plan of how Cisco Secure ACS
is to implement authorization and authentication. For more information, see
Chapter 6, “User Group Management.”
• Configure Users—With groups established, you can establish user accounts.
Remember that a particular user can belong to only one user group, and that
settings made at the user level override settings made at the group level. For
more information, see Chapter 7, “User Management.”
• Configure Reports—Using the Reports and Activities section of the
Cisco Secure ACS HTML interface, you can specify the nature and scope of
logging that Cisco Secure ACS performs. For more information, see
Chapter 1, “Overview.”

Chapter 3
Interface Configuration

Ease of use is the overriding design principle of the HTML interface in the
Cisco Secure ACS Appliance. Cisco Secure ACS presents intricate concepts of
network security from the perspective of an administrator. The Interface
Configuration section of Cisco Secure ACS enables you to configure the
Cisco Secure ACS HTML interface—you can tailor the interface to simplify the
screens you will use by hiding the features that you do not use and by adding fields
for your specific configuration.

Note We recommend that you return to this section to review and confirm your initial
settings. While it is logical to begin your Cisco Secure ACS configuration efforts
with configuring the interface, sometimes a section of the HTML interface that
you initially believed should be hidden from view may later require configuration
from within this section.

Tip If a section of the Cisco Secure ACS HTML interface appears to be “missing” or
“broken”, return to the Interface Configuration section and confirm that the
particular section has been activated.

This chapter contains the following topics:


• Interface Design Concepts, page 3-2
• User Data Configuration Options, page 3-3
• Advanced Options, page 3-4
• Protocol Configuration Options for TACACS+, page 3-7
• Protocol Configuration Options for RADIUS, page 3-11

Interface Design Concepts


Before you begin to configure the Cisco Secure ACS HTML interface for your
particular configuration, you should understand a few basic precepts of the system
operation. The information in the following sections is necessary for effective
interface configuration.

User-to-Group Relationship
A user can belong to only one group at a time. As long as there are no conflicting
attributes, users inherit group settings.

Note If a user profile has an attribute configured differently from the same attribute in
the group profile, the user setting always overrides the group setting.

If a user has a unique configuration requirement, you can make that user a part of
a group and set unique requirements on the User Setup page, or you can assign
that user to his or her own group.

Per-User or Per-Group Features


You can configure most features at both group and user levels, with the following
exceptions:
• User level only—Static IP address, password, and expiration.
• Group level only—Password aging and time-of-day/day-of-week
restrictions.

User Data Configuration Options


The Configure User Defined Fields page enables you to add (or edit) up to five
fields for recording information on each user. The fields you define in this section
subsequently appear in the Supplementary User Information section at the top of
the User Setup page. For example, you could add the user’s company name,
telephone number, department, billing code, and so on. You can also include these
fields in the accounting logs. For more information about the accounting logs, see
About Cisco Secure ACS Logs and Reports, page 11-4. For information on the
data fields that compose the user data options, see User-Defined Attributes,
page E-36.

Defining New User Data Fields


To configure new user data fields, follow these steps:

Step 1 Click Interface Configuration, and then click User Data Configuration.
The Configure User Defined Fields page appears. Check boxes in the Display
column indicate which fields are configured to appear in the Supplementary User
Information section at the top of the User Setup page.
Step 2 Select a check box in the Display column.
Step 3 In the corresponding Field Title box, type a title for the new field.
Step 4 To configure another field, repeat Step 2 and Step 3.
Step 5 When you have finished configuring new user data fields, click Submit.

Tip You can change the title of a field by editing the text in the Field Title box
and then clicking Submit. For the change to take effect, you must restart
Cisco Secure ACS services, including CSAdmin. To do so, use the restart
command at the serial console of the appliance. Restarting services
should be done during off hours because it briefly interrupts
authentication, authorization, and accounting.

Advanced Options
This feature enables you to determine which advanced features Cisco Secure ACS
displays. You can simplify the pages displayed in other areas of the Cisco Secure
ACS HTML interface by hiding advanced features that you do not use. Many of
these options do not appear if they are not enabled.

Caution Disabling an advanced option in the Interface Configuration section does not
affect anything except the display of that function in the HTML interface. Settings
made while an advanced option was active (selected) remain in effect when that
advanced option is no longer displayed in the interface (deselected). Further, the
interface displays any advanced option that is enabled or has non-default values,
even if you have configured that advanced option to be hidden. If you later disable
the option or delete its value, Cisco Secure ACS hides the advanced option.

The advanced option features include the following:


• Per-User TACACS+/RADIUS Attributes—When selected, this feature
enables TACACS+/RADIUS attributes to be set at a per-user level, in addition
to being set at the group level.
• User-Level Shared Network Access Restrictions—When selected, this
feature enables the Shared Profile Component network access restrictions
(NARs) options on the User Setup page. These options allow you to apply
previously configured, named, IP-based and CLID/DNIS-based NARs at the
user level. For information on defining a NAR within Shared Profile
Components, see Adding a Shared Network Access Restriction, page 5-9.
• User-Level Network Access Restrictions—When selected, this feature
enables the two sets of options for defining user-level, IP-based and
CLID/DNIS-based NARs on the User Setup page.
• User-Level Downloadable ACLs—When selected, this feature enables the
Downloadable ACLs section on the User Setup page.
• Default Time-of-Day/Day-of-Week Specification—When selected, this
feature enables the default time-of-day/day-of-week access settings grid on
the Group Setup page.
• Group-Level Shared Network Access Restrictions—When selected, this
feature enables the Shared Profile Component NAR options on the Group
Setup page. These options allow you to apply previously configured, named,
IP-based and CLID/DNIS-based NARs at the group level. For information on
defining a NAR, or NAR set, within Shared Profile Components, see Adding
a Shared Network Access Restriction, page 5-9.
• Group-Level Network Access Restrictions—When selected, this feature
enables the two sets of options for defining group-level, IP-based and
CLID/DNIS-based NARs on the Group Setup page.
• Group-Level Downloadable ACLs—When selected, this feature enables the
Downloadable ACLs section on the Group Setup page.
• Group-Level Password Aging—When selected, this feature enables the
Password Aging section on the Group Setup page. The Password Aging
feature enables you to force users to change their passwords.
• Max Sessions—When selected, this feature enables the Max Sessions section
on the User Setup and Group Setup pages. The Max Sessions option sets the
maximum number of simultaneous connections for a group or a user.
• Usage Quotas—When selected, this feature enables the Usage Quotas
sections on the User Setup and Group Setup pages. The Usage Quotas option
sets one or more quotas for usage by a group or a user.
• Distributed System Settings—When selected, this feature displays the AAA
server and proxy tables on the Network Interface page. If the tables are not
empty and have information other than the defaults in them, they always
appear.
• Remote Logging—When selected, this feature enables the Remote Logging
feature in the Logging page of the System Configuration section.
• Cisco Secure ACS Database Replication—When selected, this feature
enables the Cisco Secure ACS database replication information on the
System Configuration page.
• RDBMS Synchronization—When selected, this feature enables the RDBMS
(Relational Database Management System) Synchronization option on the
System Configuration page. If RDBMS Synchronization is configured, this
option always appears.
• IP Pools—When selected, this feature enables the IP Pools Address Recovery
and IP Pools Server options on the System Configuration page.

• Network Device Groups—When selected, this option enables network
device groups (NDGs). When NDGs are enabled, the Network Configuration
section and parts of the User Setup and Group Setup pages change to enable
you to manage groups of network devices (AAA clients or AAA servers).
This feature is useful if you have many devices to administer.
• Voice-over-IP (VoIP) Group Settings—When selected, this feature enables
the VoIP option on the Group Setup page.
• Voice-over-IP (VoIP) Accounting Configuration—When selected, this
feature enables the VoIP Accounting Configuration option on the System
Configuration page. This option is used to determine the logging format of
RADIUS VoIP accounting packets.

Setting Advanced Options for the Cisco Secure ACS User Interface
To set advanced options for the Cisco Secure ACS HTML interface, follow these
steps:

Step 1 Click Interface Configuration, and then click Advanced Options.
The Advanced Options table appears.
Step 2 Select each option that you want displayed (enabled) in the Cisco Secure ACS
HTML interface.

Caution Disabling an advanced feature in the Interface Configuration section does not
affect anything except the display of that feature in the HTML interface. Settings
made while an advanced feature was displayed remain in effect when that
advanced feature is no longer displayed. Further, the interface displays any
advanced feature that has non-default settings, even if you have configured that
advanced feature to be hidden. If you later disable the feature or delete its settings,
Cisco Secure ACS hides the advanced feature. The only exception is the Network
Device Groups feature. Regardless of whether Network Device Groups are in use,
they are hidden when deselected on the Advanced Options page.

Step 3 When you have finished making selections, click Submit.
Cisco Secure ACS alters the contents of various sections of the HTML interface
according to the selections you have made.

Protocol Configuration Options for TACACS+


The TACACS+ (Cisco) page details the configuration of the Cisco Secure ACS
HTML interface for TACACS+ settings. The interface settings enable you to
display or hide TACACS+ administrative and accounting options. You can
simplify the HTML interface by hiding the features that you do not use.
The TACACS+ (Cisco) page comprises three distinct areas, as follows:

Tip The default interface setting presents a single column of check boxes, at the group
level only, for selecting TACACS+ Services Settings and New Service Settings.
To view two columns of check boxes that enable you to configure settings at the
Group level or the User level, you must have enabled the Per-user
TACACS+/RADIUS Attributes option on the Advanced Options page of Interface
Configuration section.

• TACACS+ Services Settings—In this area is a list of the most commonly
used services and protocols for TACACS+. You select each TACACS+
service that you want to appear as a configurable option on either the User
Setup page or Group Setup page.
• New Services—In this area you can enter any services or protocols particular
to your network configuration.

Note If you have configured Cisco Secure ACS to interact with device
management applications for other Cisco products, such as a,
Cisco Secure ACS may display new TACACS+ services as dictated
by these device management applications. To ensure the proper
functioning of Cisco Secure ACS, of device management applications
with which Cisco Secure ACS interacts, and of the Cisco network
devices managed by those applications, do not change or delete
automatically generated TACACS+ service types.

• Advanced Configuration Options—In this area you can add more detailed
information for even more tailored configurations.
The four items you can choose to hide or display are as follows:
– Advanced TACACS+ Features—This option displays or hides the
Advanced TACACS+ Options section on the User Setup page. These
options include Privilege Level Authentication and Outbound Password
Configuration for SENDPASS and SENDAUTH clients, such as routers.
– Display a Time-of-Day access grid for every TACACS+ service where
you can override the default Time-of-Day settings—If this option is
selected, a grid appears on the User Setup page that enables you to
override the TACACS+ scheduling attributes on the Group Setup page.
You can control the use of each TACACS+ service by the time of day and
day of week. For example, you can restrict Exec (Telnet) access to
business hours but permit PPP-IP access at any time.
The default setting is to control time-of-day access for all services as part
of authentication. However, you can override the default and display a
time-of-day access grid for every service. This keeps user and group
setup easy to manage, while making this feature available for the most
sophisticated environments. This feature applies only to TACACS+
because TACACS+ can separate the authentication and authorization
processes. RADIUS time-of-day access applies to all services. If
TACACS+ and RADIUS are used simultaneously, the default
time-of-day access applies to both. This provides a common method to
control access regardless of the access control protocol.

– Display a window for each service selected in which you can enter
customized TACACS+ attributes—If this option is selected, an area
appears on the User Setup and Group Setup pages that enables you to
enter custom TACACS+ attributes.
Cisco Secure ACS can also display a custom command field for each
service. This text field enables you to make specialized configurations to
be downloaded for a particular service for users in a particular group.
You can use this feature to send many TACACS+ commands to the access
device for the service, provided that the device supports the command,
and that the command syntax is correct. This feature is disabled by
default, but you can enable it the same way you enable attributes and
time-of-day access.
– Display enable Default (Undefined) Service Configuration—If this
check box is selected, an area appears on the User Setup and Group Setup
pages that enables you to permit unknown TACACS+ services, such as
Cisco Discovery Protocol (CDP).

Note This option should be used by advanced system administrators only.

Note Customized settings at the user level take precedence over settings at the group
level.

Setting Options for TACACS+


This procedure enables you to display or hide TACACS+ administrative and
accounting options. It is unlikely that you will use every service and protocol
available for TACACS+. Displaying each would make setting up a user or group
cumbersome. To simplify setup, you can use the TACACS+ (Cisco IOS) Edit page
to customize the services and protocols that appear.

To configure the user interface for TACACS+ options, follow these steps:

Note The CiscoSecure Access Control Server ACS HTML interface displays any
protocol option that is enabled or has non-default values, even if you have
configured that protocol option to be hidden. If you later disable the option or
delete its value and the protocol option is configured to be hidden, CiscoSecure
Access Control Server ACS hides the protocol option. This behavior prevents
CiscoSecure Access Control Server ACS from hiding active settings.

Step 1 Click Interface Configuration, and then click TACACS+ (Cisco IOS).
The TACACS+ (Cisco) page appears.
Step 2 In the TACACS+ Services table, select the check box for each TACACS+ service
you want displayed on the applicable setup page.
Step 3 To add new services and protocols, follow these steps:
a. In the New Services section of the TACACS+ Services table, type in any
Service and Protocol to be added.

Note If you have configured Cisco Secure ACS to interact with device
management applications for other Cisco products, such as a,
Cisco Secure ACS may display new TACACS+ services as dictated
by these device management applications. To ensure the proper
functioning of Cisco Secure ACS, of device management applications
with which Cisco Secure ACS interacts, and of the Cisco network
devices managed by those applications, do not change or delete
automatically generated TACACS+ service types.

b. Select the appropriate check box to select those that should be displayed for
configuration either under User Setup, or Group Setup, or both.
Step 4 In the Advanced Configurations Options section, select the check boxes of the
display options you want to enable.
Step 5 When you have finished setting TACACS+ interface display options, click
Submit.

The selections made in this procedure determine what TACACS+ options
Cisco Secure ACS displays in other sections of the HTML interface.

Protocol Configuration Options for RADIUS


It is unlikely that you would want to install every attribute available for every
protocol. Displaying each would make setting up a user or group cumbersome. To
simplify setup, this section allows you to customize the attributes that are
displayed. For a list of supported RADIUS AV pairs and accounting AV pairs, see
Appendix C, “RADIUS Attributes.”
Depending on which AAA client or clients you have configured, the Interface
Configuration page displays different types of RADIUS protocol configuration
settings choices. The Interface Configuration page displays RADIUS IETF
settings whenever any RADIUS AAA client is configured. The Interface
Configuration page also displays additional settings for each vendor-specific
RADIUS type. The settings that appear for various types of AAA client depend
on what settings that type of device can employ. These combinations are detailed
in Table 3-1, as follows:

Table 3-1 RADIUS Listings in Interface

Each row is a type of AAA client you configure; each column is a type of
RADIUS setting that the Interface Configuration page then lists. The columns,
left to right, are RADIUS (IETF), RADIUS (Cisco Aironet), RADIUS (BBSM),
RADIUS (Cisco IOS/PIX), RADIUS (Microsoft), RADIUS (Ascend),
RADIUS (Cisco VPN 3000), RADIUS (Cisco VPN 5000), RADIUS (Juniper), and
RADIUS (Nortel).

AAA client type          IETF  Aironet  BBSM  IOS/PIX  Microsoft  Ascend  VPN 3000  VPN 5000  Juniper  Nortel
RADIUS (IETF)            Yes   No       No    No       No         No      No        No        No       No
RADIUS (Cisco Aironet)   Yes   Yes      No    Yes      No         No      No        No        No       No
RADIUS (BBSM)            Yes   No       Yes   No       No         No      No        No        No       No
RADIUS (Cisco IOS/PIX)   Yes   No       No    Yes      Yes        Yes     No        No        No       No
RADIUS (Ascend)          Yes   No       No    No       Yes        Yes     No        No        No       No
RADIUS (Cisco VPN 3000)  Yes   No       No    Yes      Yes        No      Yes       No        No       No
RADIUS (Cisco VPN 5000)  Yes   No       No    No       No         No      No        Yes       No       No
RADIUS (Juniper)         Yes   No       No    No       No         No      No        No        Yes      No
RADIUS (Nortel)          Yes   No       No    No       No         No      No        No        No       Yes
RADIUS (iPass)           Yes   No       No    No       No         No      No        No        No       No

Tip You must have your network devices configured before you can select, on the
Interface Configuration page, a type of setting for further configuration.

From the Interface Configuration page, when you select a type of RADIUS setting
to configure, the HTML interface displays the corresponding list of available
RADIUS attributes and associated check boxes. If you have selected the Per-user
TACACS+/RADIUS Attributes check box in Interface Configuration: Advanced
Options, a User check box appears alongside the Group check box for each
attribute. Otherwise, only the Group check box for each attribute appears. By
selecting check boxes in a list of attributes, you determine whether the
corresponding (IETF) RADIUS attribute or vendor-specific attribute (VSA) is
configurable from the User Setup and Group Setup sections.
Details regarding the types of RADIUS settings pages follow:
• (IETF) RADIUS Settings—This page lists attributes available for (IETF)
RADIUS.
These standard (IETF) RADIUS attributes are available for any network
device configuration when using RADIUS. If you want to use IETF attribute
number 26 (for VSAs), select Interface Configuration and then RADIUS for
the vendors whose network devices you use. Attributes for (IETF) RADIUS
and the VSA for each RADIUS network device vendor supported by
Cisco Secure ACS appear in User Setup or Group Setup.

Note The RADIUS (IETF) attributes are shared with RADIUS VSAs. You
must configure the first RADIUS attributes from RADIUS (IETF) for
the RADIUS vendor.

The Tags to Display Per Attribute option (located under Advanced
Configuration Options) enables you to specify how many values to display for
tagged attributes on the User Setup and Group Setup pages. Examples of
tagged attributes include [064]Tunnel-Type and [069]Tunnel-Password.
For detailed steps, see Setting Protocol Configuration Options for IETF
RADIUS Attributes, page 3-16.
• RADIUS (Cisco IOS/PIX) Settings—This section allows you to enable the
specific attributes for RADIUS (Cisco IOS/PIX). Selecting the first attribute
listed under RADIUS (Cisco IOS/PIX), 026/009/001, displays an entry field
under User Setup and/or Group Setup in which any TACACS+ commands can
be entered to fully leverage TACACS+ in a RADIUS environment. For
detailed steps, see Setting Protocol Configuration Options for Non-IETF
RADIUS Attributes, page 3-17.
• RADIUS (Cisco Aironet) Settings—This section allows you to enable the
specific attribute for RADIUS (Cisco Aironet). The single Cisco Aironet
RADIUS VSA, Cisco-Aironet-Session-Timeout, is a specialized
implementation of the IETF RADIUS Session-Timeout attribute (27). When
Cisco Secure ACS responds to an authentication request from a Cisco Aironet
Access Point and the Cisco-Aironet-Session-Timeout attribute is configured,
Cisco Secure ACS sends to the wireless device this value in the IETF
Session-Timeout attribute. This enables you to provide different session
timeout values for wireless and wired end-user clients. For detailed steps, see
Setting Protocol Configuration Options for Non-IETF RADIUS Attributes,
page 3-17.
• RADIUS (Ascend) Settings—From this section you enable the RADIUS
VSAs for RADIUS (Ascend). This page appears if you have configured a
RADIUS (Ascend) or a RADIUS (Cisco IOS/PIX) device. For detailed
procedures, see Setting Protocol Configuration Options for Non-IETF
RADIUS Attributes, page 3-17.

• RADIUS (Cisco VPN 3000) Settings—From this section you enable the
RADIUS VSAs for RADIUS (Cisco VPN 3000). For detailed procedures, see
Setting Protocol Configuration Options for Non-IETF RADIUS Attributes,
page 3-17.
• RADIUS (Cisco VPN 5000) Settings—From this section you enable the
RADIUS VSAs for RADIUS (Cisco VPN 5000). For detailed procedures, see
Setting Protocol Configuration Options for Non-IETF RADIUS Attributes,
page 3-17.
• RADIUS (Microsoft) Settings—From this section you enable the RADIUS
VSAs for RADIUS (Microsoft). This page appears if you configure a
RADIUS (Ascend), or a RADIUS (VPN 3000), or a RADIUS (Cisco
IOS/PIX) device. For detailed procedures, see Setting Protocol Configuration
Options for Non-IETF RADIUS Attributes, page 3-17.
• RADIUS (Nortel) Settings—From this section you enable the RADIUS
VSAs for RADIUS (Nortel). For detailed procedures, see Setting Protocol
Configuration Options for Non-IETF RADIUS Attributes, page 3-17.
• RADIUS (Juniper) Settings—From this section you enable the RADIUS
VSAs for RADIUS (Juniper). For detailed procedures, see Setting Protocol
Configuration Options for Non-IETF RADIUS Attributes, page 3-17.
• RADIUS (BBSM) Settings—From this section you enable the RADIUS
VSAs for RADIUS Building Broadband Service Manager (BBSM). For
detailed procedures, see Setting Protocol Configuration Options for
Non-IETF RADIUS Attributes, page 3-17.
While Cisco Secure ACS ships with these listed VSAs prepackaged, it also
enables you to define and configure custom attributes for any VSA set not already
contained in Cisco Secure ACS. If you have configured a custom VSA and a
corresponding AAA client, from the Interface Configuration section you can
select the custom VSA and then set the options for how particular attributes
appear as configurable options on the User Setup or Group Setup page. For
information about creating user-defined RADIUS VSAs, see Custom RADIUS
Vendors and VSAs, page 9-27.


Setting Protocol Configuration Options for IETF RADIUS Attributes
This procedure enables you to hide or display any of the standard IETF RADIUS
attributes for configuration from other portions of the Cisco Secure ACS HTML
interface.

Note If the Per-user TACACS+/RADIUS Attributes check box in Interface
Configuration: Advanced Options is selected, a User check box appears alongside
the Group check box for each attribute.

Note Each selected IETF RADIUS attribute must be supported by all your network
devices using RADIUS.

To set protocol configuration options for IETF RADIUS attributes, follow these
steps:

Step 1 Click Interface Configuration, and then click RADIUS (IETF).
The RADIUS (IETF) page appears.
Step 2 For each IETF RADIUS attribute that you want to appear as a configurable option
on the User Setup or Group Setup page, select the corresponding check box.

Note Each attribute selected must be supported by your RADIUS network
devices.

Step 3 To specify how many values to display for tagged attributes on the User Setup and
Group Setup pages, select the Tags to Display Per Attribute option, and then
select a value from the corresponding list. Examples of tagged attributes are [064]
Tunnel-Type and [069] Tunnel-Password.


Step 4 When you have finished selecting the attributes, click Submit at the bottom of the
page.
Each IETF RADIUS attribute that you selected appears as a configurable option
on the User Setup or Group Setup page, as applicable.

Setting Protocol Configuration Options for Non-IETF RADIUS Attributes
This procedure enables you to hide or display various RADIUS VSAs for
configuration from the User Setup and Group Setup portions of the Cisco Secure
ACS HTML interface.
To set protocol configuration options for a set of RADIUS VSAs, follow these
steps:

Step 1 Click Interface Configuration.
Step 2 Click one of the RADIUS VSA set types displayed, for example, RADIUS
(Ascend).

The page listing the selected set of available RADIUS VSAs appears.

Note If the Per-user TACACS+/RADIUS Attributes check box in Interface
Configuration: Advanced Options is selected, a User check box appears
alongside the Group check box for each attribute.

Step 3 For each RADIUS VSA that you want to appear as a configurable option on the
User Setup or Group Setup page, select the corresponding check box.

Note Each attribute selected must be supported by your RADIUS network
devices.


Step 4 Click Submit at the bottom of the page.
According to your selections, the RADIUS VSAs appear on the User Setup or
Group Setup pages, or both, as a configurable option.

Chapter 4
Network Configuration

This chapter details concepts and procedures for configuring Cisco Secure ACS
Appliance to interact with AAA clients, AAA servers, and remote agents, and for
establishing a distributed system.
This chapter contains the following topics:
• About Network Configuration, page 4-2
• About Distributed Systems, page 4-3
• Proxy in Distributed Systems, page 4-4
• Network Device Searches, page 4-9
• AAA Client Configuration, page 4-11
• AAA Server Configuration, page 4-22
• Remote Agent Configuration, page 4-29
• Network Device Group Configuration, page 4-36
• Proxy Distribution Table Configuration, page 4-41


About Network Configuration


The appearance of the page you see when you click Network Configuration differs
according to the network configuration selections you made in the Interface
Configuration section. The five tables that may appear in this section are as
follows:
• AAA Clients—This table lists each AAA client that is configured on the
network, together with its IP address and associated protocol.
If you are using network device groups (NDGs), this table does not appear on
the initial page, but is accessed through the Network Device Group table. For
more information about this interface configuration, see Advanced Options,
page 3-4.
• AAA Servers—This table lists each AAA server that is configured on the
network together with its IP address and associated type.
If you are using NDGs, this table does not appear on the initial page, but is
accessed through the Network Device Groups table. For more information
about this interface configuration, see Advanced Options, page 3-4.
• Remote Agents—This table lists each remote agent that is configured
together with its IP address and available services. For more information
about remote agents, see About Remote Agents, page 4-29.
This table does not appear unless you have enabled the Distributed System
Settings feature in Interface Configuration.
If you are using NDGs, this table does not appear on the initial page, but is
accessed through the Network Device Groups table. For more information
about this interface configuration, see Advanced Options, page 3-4.
• Network Device Groups—This table lists the name of each NDG that has
been configured, and the number of AAA clients and AAA servers assigned
to each NDG. If you are using NDGs, the AAA Clients table and AAA
Servers table do not appear on the opening page. To configure a AAA client
or AAA server, you must click the name of the NDG to which the device is
assigned. If the newly configured device is not assigned to an NDG, it
automatically belongs to the (Not Assigned) group.
This table appears only when you have configured the interface to use NDGs.
For more information about this interface configuration, see Advanced
Options, page 3-4.


• Proxy Distribution Table—You can use the Proxy Distribution Table to
configure proxy capabilities including “domain” stripping. For more
information, see Proxy Distribution Table Configuration, page 4-41.
This table appears only when you have configured the interface to enable
Distributed Systems Settings. For more information about this interface
configuration, see Advanced Options, page 3-4.

About Distributed Systems


Cisco Secure ACS can be used in a distributed system; that is, multiple
Cisco Secure ACSes and authentication, authorization, and accounting (AAA)
servers can be configured to communicate with one another as primary, backup,
client, or peer systems. This enables you to use powerful features such as the
following:
• Proxy
• Fallback on failed connection
• CiscoSecure database replication
• Remote and centralized logging

AAA Servers in Distributed Systems


“AAA server” is the generic term for an access control server (ACS), and the two
terms are often used interchangeably. AAA servers are used to determine who can
access the network and what services are authorized for each user. The
AAA server stores a profile containing authentication and authorization
information for each user. Authentication information validates user identity, and
authorization information determines what network services a user is permitted to
use. A single AAA server can provide concurrent AAA services to many dial-up
access servers, routers, and firewalls. Each network device can be configured to
communicate with a AAA server. This makes it possible to centrally control
dial-up access, and to secure network devices from unauthorized access.
These types of access control have unique authentication and authorization
requirements. With Cisco Secure ACS, system administrators can use a variety of
authentication methods that are used with different degrees of authorization
privileges.


Completing the AAA functionality, Cisco Secure ACS serves as a central
repository for accounting information. Each user session granted by Cisco Secure
ACS can be fully accounted for, and its accounting information can be stored in
the server. This accounting information can be used for billing, capacity planning,
and security audits.

Note If the fields mentioned in this section do not appear in the Cisco Secure ACS
HTML interface, enable them by clicking Interface Configuration, clicking
Advanced Options, and then selecting the Distributed System Settings check
box.

Default Distributed System Settings


You use both the AAA Servers table and the Proxy Distribution Table to establish
distributed system settings. The parameters configured within these tables create
the foundation to enable multiple Cisco Secure ACSes to be configured to work
with one another. Each table contains a Cisco Secure ACS entry for itself. In the
AAA Servers table, the only AAA server initially listed is itself; the Proxy
Distribution Table lists an initial entry of (Default), which displays how the local
Cisco Secure ACS is configured to handle each authentication request locally.
You can configure additional AAA servers in the AAA Servers table. This enables
these devices to become available in the HTML interface so that they can be
configured for other distributed features such as proxy, CiscoSecure user database
replication, remote logging, and RDBMS synchronization. For information about
configuring additional AAA servers, see Adding a AAA Server, page 4-25.

Proxy in Distributed Systems


Proxy is a powerful feature that enables you to use Cisco Secure ACS for
authentication in a network that uses more than one AAA server. Using proxy,
Cisco Secure ACS automatically forwards an authentication request from a AAA
client to another AAA server. After the request has been successfully
authenticated, the authorization privileges that have been configured for the user
on the remote AAA server are passed back to the original Cisco Secure ACS,
where the AAA client applies the user profile information for that session.


Proxy provides a useful service to users, such as business travelers, who dial in to
a network device other than the one they normally use and would otherwise be
authenticated by a “foreign” AAA server. To use proxy, you must first click
Interface Configuration, click Advanced Options, and then select the
Distributed System Settings check box.
Whether, and where, an authentication request is to be forwarded is defined in the
Proxy Distribution Table on the Network Configuration page. You can use
multiple Cisco Secure ACSes throughout your network. For information about
configuring the Proxy Distribution Table, see Proxy Distribution Table
Configuration, page 4-41.
Cisco Secure ACS employs character strings defined by the administrator to
determine whether an authentication request should be processed locally or
forwarded, and to where. When an end user dials in to the network device and
Cisco Secure ACS finds a match for the character string defined in the Proxy
Distribution Table, Cisco Secure ACS forwards the authentication request to the
associated remote AAA server.

Note When a Cisco Secure ACS receives a TACACS+ authentication request forwarded
by proxy, any Network Access Restrictions for TACACS+ requests are applied to
the IP address of the forwarding AAA server, not to the IP address of the
originating AAA client.

Note When a Cisco Secure ACS proxies to a second Cisco Secure ACS, the second
Cisco Secure ACS responds to the first using only IETF attributes, no VSAs,
when it recognizes the first Cisco Secure ACS as a AAA server. Alternatively, you
can configure a Cisco Secure ACS to be seen as a AAA client by the second
Cisco Secure ACS; in this case, the second Cisco Secure ACS responses include
the RADIUS VSAs for whatever RADIUS vendor is specified in the AAA client
definition table entry—in the same manner as any other AAA client.

For example, a Cisco Secure ACS receives an authentication request for
mary.smith@corporate.com, where “@corporate.com” is a character string
defined in the Proxy Distribution Table as being associated with another specific
AAA server. The Cisco Secure ACS receiving the authentication request for
mary.smith@corporate.com then forwards the request to the AAA server with
which that character string is associated. The entry in the Proxy Distribution Table
defines the association.


Administrators with geographically dispersed networks can configure and
manage the user profiles of employees within their immediate location or
building. This enables the administrator to manage the policies of just their users
and allows all authentication requests from other users within the company to be
forwarded to their respective AAA server for authentication. Not every user
profile needs to reside on every AAA server. This saves administration time and
server space, and facilitates end users receiving the same privileges regardless of
which access device they connect through.

Fallback on Failed Connection


You can configure the order in which Cisco Secure ACS checks remote
AAA servers when a failure of the network connection to the primary AAA server
has occurred. If an authentication request cannot be sent to the first listed server,
because of a network failure for example, the next listed server is checked. This
continues, in order, down the list until a AAA server handles the authentication
request. (Failed connections are detected by failure of the nominated server to
respond within a specified time period. That is, the request is timed out.) If
Cisco Secure ACS cannot connect to any server in the list, authentication fails.

Character String
Cisco Secure ACS forwards authentication requests using a configurable set of
characters with a delimiter, such as dots (.), slashes (/), or hyphens (-). When
configuring the Cisco Secure ACS character string to match, you must specify
whether the character string is the prefix or suffix. For example, you can use
“domain.us” as a suffix character string in username*domain.us, where *
represents any delimiter. An example of a prefix character string is
domain.*username, where the * would be used to detect the “/” character.

Stripping
Stripping allows Cisco Secure ACS to remove, or strip, the matched character
string from the username. When you enable stripping, Cisco Secure ACS
examines each authentication request for matching information. When
Cisco Secure ACS finds a match by character string in the Proxy Distribution
Table, as described in the example under Proxy in Distributed Systems, page 4-4,
Cisco Secure ACS strips off the character string if you have configured it to do so.


For example, in the proxy example that follows, the character string that
accompanies the username establishes the ability to forward the request to another
AAA server. If the user must enter the user ID of mary@corporate.com to be
forwarded correctly to the AAA server for authentication, Cisco Secure ACS
might find a match on the “@corporate.com” character string, and strip the
“@corporate.com”, leaving a username of “mary”, which may be the username
format that the destination AAA server requires to identify the correct entry in its
database.
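The three rules above (character-string match as prefix or suffix with a delimiter, optional stripping, and ordered fallback when a server does not answer) can be read as one small lookup procedure. The following is an added illustration of those rules and is not Cisco Secure ACS code; the table entries, server names and the send() stand-in that simulates a timed-out server are constructed for the example. The (Default) entry is modelled as an entry with an empty string and no servers.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Delimiter characters the text mentions; the "*" in "username*domain.us" stands for one of these.
DELIMITERS = "@./-\\"


@dataclass(frozen=True)
class ProxyEntry:
    string: str                # string to match, e.g. "@la.corporate.com"; "" marks the (Default) entry
    position: str              # "suffix" or "prefix"
    servers: Tuple[str, ...]   # AAA servers to try, in fallback order; () means handle locally
    strip: bool = False        # remove the matched string (and its delimiter) before forwarding


def match_entry(entry: ProxyEntry, username: str) -> Optional[str]:
    """Return the username to forward (stripped if configured), or None if the entry does not match."""
    s = entry.string
    if not s or len(username) <= len(s):
        return None
    if entry.position == "suffix":
        if not username.endswith(s):
            return None
        rest = username[:-len(s)]
        if s[0] not in DELIMITERS:            # "domain.us" needs a delimiter before it: user@domain.us
            if rest[-1] not in DELIMITERS:
                return None                    # "marydomain.us" is not a match
            rest = rest[:-1]
    elif entry.position == "prefix":
        if not username.startswith(s):
            return None
        rest = username[len(s):]
        if s[-1] not in DELIMITERS:           # "domain" needs a delimiter after it: domain/user
            if rest[0] not in DELIMITERS:
                return None
            rest = rest[1:]
    else:
        raise ValueError(f"position must be 'prefix' or 'suffix', not {entry.position!r}")
    if not rest:
        return None                            # nothing left to authenticate after stripping
    return rest if entry.strip else username


def resolve(table: Tuple[ProxyEntry, ...], username: str) -> Tuple[ProxyEntry, str]:
    """Walk the table in order; the first match wins and the (Default) entry catches the rest."""
    for entry in table:
        if entry.string == "":
            return entry, username
        forwarded = match_entry(entry, username)
        if forwarded is not None:
            return entry, forwarded
    raise LookupError("Proxy Distribution Table has no (Default) entry")


def forward(entry: ProxyEntry, username: str, send: Callable[[str, str], str]) -> Optional[str]:
    """Fallback on failed connection: try each server in order; a timeout moves on to the next.
    Returns the first reply, or None when every listed server timed out (authentication fails)."""
    for server in entry.servers:
        try:
            return send(server, username)
        except TimeoutError:
            continue
    return None


# Constructed table; the last entry is the (Default) entry that handles requests locally.
TABLE = (
    ProxyEntry("@la.corporate.com", "suffix", ("acs-la-1", "acs-la-2"), strip=True),
    ProxyEntry("domain.us", "suffix", ("acs-us",)),
    ProxyEntry("corp", "prefix", ("acs-corp",), strip=True),
    ProxyEntry("", "suffix", ()),
)
UNREACHABLE = {"acs-la-1"}   # constructed: the primary Los Angeles server never answers


def fake_send(server: str, username: str) -> str:
    """Stand-in for the RADIUS/TACACS+ exchange with a remote AAA server."""
    if server in UNREACHABLE:
        raise TimeoutError(server)
    return f"accept:{server}:{username}"


def always_timeout(server: str, username: str) -> str:
    """Stand-in for a network outage: no listed server responds in time."""
    raise TimeoutError(server)


def authenticate(username: str, table=TABLE, send=fake_send) -> str:
    entry, forwarded = resolve(table, username)
    if entry.string == "":
        return f"local:{username}"
    reply = forward(entry, forwarded, send)
    return reply if reply is not None else "fail:no AAA server responded"


if __name__ == "__main__":
    for user in ("mary@la.corporate.com", "bob@domain.us", "corp/alice", "bobdomain.us"):
        print(f"{user:24} -> {authenticate(user)}")
```

With this table, mary@la.corporate.com is stripped to mary and, because acs-la-1 times out, is answered by acs-la-2; bob@domain.us is forwarded unchanged because stripping is off for that entry; bobdomain.us has no delimiter before the string and so falls through to (Default). Note that the forwarding server's address, not the original AAA client's, is what the remote server sees, which is the reason for the Network Access Restriction caveat above.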

Proxy in an Enterprise
This section presents a scenario of proxy used in an enterprise system. Mary is an
employee with an office in the corporate headquarters in Los Angeles. Her
username is mary@la.corporate.com. When Mary needs access to the network,
she accesses the network locally and authenticates her username and password.
Because Mary works in the Los Angeles office, her user profile, which defines her
authentication and authorization privileges, resides on the local Los Angeles
AAA server. However, Mary occasionally travels to a division within the
corporation in New York, where she still needs to access the corporate network to
get her e-mail and other files. When Mary is in New York, she dials in to the New
York office and logs in as mary@la.corporate.com. Her username is not
recognized by the New York Cisco Secure ACS, but the Proxy Distribution Table
contains an entry, “@la.corporate.com”, to forward the authentication request to
the Los Angeles Cisco Secure ACS. Because the username and password
information for Mary reside on that AAA server, when she authenticates correctly,
the authorization parameters assigned to her are applied by the AAA client in the
New York office.

Remote Use of Accounting Packets


When proxy is employed, Cisco Secure ACS can dispatch AAA accounting
packets in one of three ways:
• Log them locally.
• Forward them to the destination AAA server.
• Log them locally and forward copies to the destination AAA server.


Sending accounting packets to the remote Cisco Secure ACS offers several
benefits. When Cisco Secure ACS is configured to send accounting packets to the
remote AAA server, the remote AAA server logs an entry in the accounting report
for that session on the destination server. Cisco Secure ACS also caches the user
connection information and adds an entry in the List Logged on Users report. You
can then view the information for users that are currently connected. Because the
accounting information is being sent to the remote AAA server, even if the
connection fails, you can view the Failed Attempts report to troubleshoot the
failed connection.
Sending the accounting information to the remote AAA server also enables you
to use the Max Sessions feature. The Max Sessions feature uses the Start and Stop
records in the accounting packet. If the remote AAA server is a Cisco Secure ACS
and the Max Sessions feature is implemented, you can track the number of
sessions allowed for each user or group.
You can also choose to have Voice-over-IP (VoIP) accounting information logged
remotely, either appended to the RADIUS Accounting log, in a separate VoIP
Accounting log, or both.

Other Features Enabled by System Distribution


Beyond basic proxy and fallback features, configuring a Cisco Secure ACS to
interact with distributed systems enables several other features that are beyond the
scope of this chapter. These features include the following:
• Replication—For more information, see CiscoSecure Database Replication,
page 9-1.
• RDBMS synchronization—For more information, see RDBMS
Synchronization, page 9-24.
• Remote and centralized logging—For more information, see Remote
Logging, page 11-17.


Network Device Searches


You can search for any network device configured in the Network Configuration
section of the Cisco Secure ACS HTML interface.
This section contains the following topics:
• Network Device Search Criteria, page 4-9
• Searching for Network Devices, page 4-10

Network Device Search Criteria


You can specify search criteria for network device searches. Cisco Secure ACS
provides the following search criteria:
• Name—The name assigned to the network device in Cisco Secure ACS. You
can use asterisks (*) as wildcard characters. For example, if you wanted to
find all devices with names starting with the letter M, you would enter “M*”
or “m*”. Name-based searches are case-insensitive. If you do not want to
search based on device name, you can leave the Name box blank or you can
put only an asterisk in the Name box.
• IP Address—The IP address specified for the network device in
Cisco Secure ACS. For each octet in the address, you have three options, as
follows:
– Number—You can specify a number, such as 10.3.157.98.
– Numeric Range—You can specify the low and high numbers of the
range in the octet, separated by a hyphen, such as 10.3.157.10-50.
– Wildcard—You can use an asterisk (*) to match all numbers in that
octet, such as 10.3.157.*.
Cisco Secure ACS allows multiple octets in the IP Address box to be either a
number, a numeric range, or an asterisk, such as 172.16-31.*.*.
• Type—The device type, as specified by the AAA protocol it is configured to
use or the kind of AAA server it is. You can also specify that you want to
search for remote agents. If you do not want to limit the search based on
device type, select “Any” from the Type list.


• Device Group—The NDG the device is assigned to. This search criterion
only appears if you have enabled Network Device Groups on the Advanced
Options page in the Interface Configuration Section. If you do not want to
limit the search based on NDG membership, select “Any” from the Device
Group list.
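The four criteria above combine into a single filter, and the per-octet syntax (number, low-high range, or asterisk) is the same one the AAA Client IP Address box accepts, so one matcher serves both. The following is an added example, not Cisco Secure ACS code; the device inventory is constructed, and the matcher rejects malformed patterns (an octet above 255, a range with low greater than high, fewer than four octets) instead of silently matching nothing.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


def name_matches(pattern: str, name: str) -> bool:
    """Name box: '*' matches any run of characters and the comparison is case-insensitive;
    a blank box or a lone '*' does not restrict the search."""
    pattern = pattern.strip()
    if pattern in ("", "*"):
        return True
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, name, re.IGNORECASE) is not None


def parse_ip_pattern(pattern: str) -> Tuple[Tuple[int, int], ...]:
    """Per octet: a number (98), a low-high range (10-50) or '*'; anything else is rejected."""
    parts = pattern.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets, got {pattern!r}")
    ranges = []
    for part in parts:
        if part == "*":
            low, high = 0, 255
        elif "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
        else:
            low = high = int(part)
        if not 0 <= low <= high <= 255:
            raise ValueError(f"bad octet {part!r} in {pattern!r}")
        ranges.append((low, high))
    return tuple(ranges)


def is_valid_ip_pattern(pattern: str) -> bool:
    try:
        parse_ip_pattern(pattern)
        return True
    except ValueError:
        return False


def ip_matches(pattern: str, address: str) -> bool:
    """True when every octet of a concrete dotted-quad address falls inside the pattern's range."""
    octets = [int(o) for o in address.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad address: {address!r}")
    return all(low <= o <= high for (low, high), o in zip(parse_ip_pattern(pattern), octets))


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    type: str                       # AAA protocol or server kind, as shown in the Type list
    ndg: str = "(Not Assigned)"     # network device group


# Constructed inventory standing in for the Network Configuration tables.
DEVICES = (
    Device("mia-nas-1", "10.3.157.12", "RADIUS (IETF)", "Florida"),
    Device("MIA-fw-1", "10.3.157.98", "TACACS+ (Cisco IOS)", "Florida"),
    Device("nyc-vpn-1", "172.20.4.1", "RADIUS (Cisco VPN 3000)", "New York"),
    Device("acs-la-1", "172.31.250.9", "Cisco Secure ACS"),
)


def search(devices=DEVICES, name="*", ip="*.*.*.*", type_="Any", ndg="Any") -> List[str]:
    """Apply all four criteria and return the matching device names, sorted case-insensitively."""
    hits = [d for d in devices
            if name_matches(name, d.name)
            and ip_matches(ip, d.ip)
            and type_ in ("Any", d.type)
            and ndg in ("Any", d.ndg)]
    return sorted((d.name for d in hits), key=str.lower)


if __name__ == "__main__":
    print(search(name="m*"))                  # both Miami devices, whatever their case
    print(search(ip="10.3.157.10-50"))        # only the NAS at .12
    print(search(ip="172.16-31.*.*"))         # everything in 172.16.0.0/12
    print(search(type_="TACACS+ (Cisco IOS)"))
```

When the same syntax is used to define a AAA client, a broad pattern such as 10.3.157.* means every host in that range can present the client's shared secret, so keep client patterns as narrow as the real device population allows.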

Searching for Network Devices


To search for a network device, follow these steps:

Step 1 In the navigation bar, click Network Configuration.


The Network Configuration page opens.
Step 2 Click Search.
The Search for Network Devices page appears. In the configuration area, the
controls for setting search criteria appear above the search results for the most
recent search previously conducted for this session, if any.

Tip When you leave the Search for Network Devices page, Cisco Secure ACS
retains your search criteria and results for the duration of the current
administrative session. Until you log out of Cisco Secure ACS, you can
return to the Search for Network Devices page to view your most recent
search criteria and results.

Step 3 Set the criteria for a device search. For information about search criteria, see
Network Device Search Criteria, page 4-9.

Tip To reset the search criteria to default settings, click Clear.

Step 4 Click Search.


A table lists each network device configured in Cisco Secure ACS that matches
the search criteria you specified. If Cisco Secure ACS did not find a matching
network device, the message “No Search Results” appears.


The table listing matching network devices includes the device name, IP address,
and type. If you have enabled Network Device Groups on the Advanced Options
page in the Interface Configuration Section, the table also includes the NDG of
each matching network device.

Tip You can sort the table rows by whichever column you like, in either
ascending or descending order. Click a column title once to sort the rows
by the entries in that column in ascending order. Click the column a
second time to sort the rows by the entries in that column in descending
order.

Step 5 If you want to view the configuration settings for a network device found by the
search, click the network device name in the Name column of the table of
matching network devices.
Cisco Secure ACS displays the applicable setup page. For information about the
AAA Client Setup page, see AAA Client Configuration Options, page 4-12. For
information about the AAA Server Setup page, see AAA Server Configuration
Options, page 4-23.
Step 6 If you want to download a file containing the search results in a comma-separated
value format, click Download and use your browser to save the file to a location
and filename of your choice.
Step 7 If you want to search again using different criteria, repeat Step 3 and Step 4.

AAA Client Configuration


In this guide we use the term “AAA client” comprehensively to signify the device
through which or to which service access is being attempted. This is the RADIUS
or TACACS+ client device, and may comprise network access servers (NASes),
PIX Firewalls, routers, or any other RADIUS or TACACS+ hardware/software
client.
This section contains the following topics:
• AAA Client Configuration Options, page 4-12
• Adding a AAA Client, page 4-17


• Editing a AAA Client, page 4-20
• Deleting a AAA Client, page 4-21

AAA Client Configuration Options


A AAA client configuration enables Cisco Secure ACS to interact with the
network devices the configuration represents. A network device that does not have
a corresponding configuration in Cisco Secure ACS, or whose configuration in
Cisco Secure ACS is incorrect, does not receive AAA services from Cisco Secure
ACS.
The Add AAA Client and AAA Client Setup pages include the following options:
• AAA Client Hostname—The name you assign to the AAA client
configuration. Each AAA client configuration can represent multiple network
devices; thus, the AAA client hostname configured in Cisco Secure ACS is
not required to match the hostname configured on a network device. We
recommend that you adopt a descriptive, consistent naming convention for
AAA client hostnames. Maximum length for a AAA client hostname is 32
characters.

Note After you submit the AAA client hostname, you cannot change it. If
you want to use a different name for a AAA client, delete the AAA
client configuration and create a AAA client configuration using the
new name.

• AAA Client IP Address—At a minimum, a single IP address of a AAA client
or the keyword “dynamic”.
If you only use the keyword “dynamic”, with no IP addresses, the AAA client
configuration can only be used for command authorization for Cisco
multi-device management applications, such as Management Center for
Firewalls (Firewall MC). Cisco Secure ACS only provides AAA services to
devices based on IP address, so it ignores such requests from a device whose
AAA client configuration only has the keyword “dynamic” in the Client IP
Address box.
If you want a AAA client configuration in Cisco Secure ACS to represent
multiple network devices, you can specify multiple IP addresses. Separate
each IP address by pressing Enter.


In each IP address you specify, you have three options for each octet in the
address, as follows:
– Number—You can specify a number, for example, 10.3.157.98.
– Numeric Range—You can specify the low and high numbers of the
range in the octet, separated by a hyphen, for example, 10.3.157.10-50.
– Wildcard—You can use an asterisk (*) to match all numbers in that
octet, for example, 10.3.157.*.
Cisco Secure ACS allows any octet or octets in the IP Address box to be a
number, a numeric range, or an asterisk, for example 172.16-31.*.*.
• Key—The shared secret of the AAA client. Maximum length for a AAA
client key is 32 characters.
For correct operation, the key must be identical on the AAA client and
Cisco Secure ACS. Keys are case sensitive. Because shared secrets are not
synchronized, it is easy to make mistakes when entering them on network
devices and Cisco Secure ACS. If the shared secret does not match,
Cisco Secure ACS discards all packets from the network device.

Note If the AAA client represents multiple network devices, the key must
be identical on all network devices represented by the AAA client.
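The discarding behaviour described for the key follows from the RADIUS authenticator rules, and it is worth seeing where a mismatch is and is not detectable. The following added example (not Cisco Secure ACS code) implements the RFC 2865/2866 checks on both sides of one exchange; the two secrets, the stored user entry and the NAS address are constructed. An Accounting-Request built with the wrong key fails the server's Request Authenticator check and is dropped; an Access-Request's hidden password decrypts to garbage, so the server cannot distinguish a wrong key from a wrong password and simply rejects; and the server's reply then fails the client's Response Authenticator check. The only difference between the two keys in the failing run is letter case.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST = 1, 2, 3, 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 2, 4, 40


def attr(kind: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    out, i = {}, 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out[kind] = data[i + 2:i + length]
        i += length
    return out


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of 5.2; with the wrong secret this yields garbage rather than an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_acct_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2866: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    digest = hashlib.md5(packet(ACCT_REQUEST, ident, b"\x00" * 16, attrs) + secret).digest()
    return packet(ACCT_REQUEST, ident, digest, attrs)


def acct_request_is_authentic(pkt: bytes, secret: bytes) -> bool:
    """The server's check before it logs anything; on a key mismatch the packet is silently discarded."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length != len(pkt) or length < 20:
        return False
    expected = hashlib.md5(packet(code, ident, b"\x00" * 16, pkt[20:]) + secret).digest()
    return hmac.compare_digest(pkt[4:20], expected)


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    digest = hashlib.md5(packet(code, request[1], request[4:20], attrs) + secret).digest()
    return packet(code, request[1], digest, attrs)


def response_is_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """The AAA client's check of the reply, using its own copy of the key."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = hashlib.md5(packet(code, ident, request[4:20], response[20:]) + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


STORED_PASSWORD = b"s3cret-pass"   # constructed user entry held by the server


def exchange(client_secret: bytes, server_secret: bytes) -> dict:
    """One Accounting-Request and one Access-Request from a client keyed with client_secret,
    handled by a server keyed with server_secret; returns what each side concluded."""
    nas = attr(NAS_IP_ADDRESS, bytes([10, 3, 157, 98]))
    acct_attrs = attr(USER_NAME, b"mary") + nas + attr(ACCT_STATUS_TYPE, struct.pack("!I", 1))
    acct = build_acct_request(7, acct_attrs, client_secret)
    req_auth = os.urandom(16)
    hidden = hide_password(STORED_PASSWORD, client_secret, req_auth)
    access = packet(ACCESS_REQUEST, 8, req_auth, attr(USER_NAME, b"mary") + attr(USER_PASSWORD, hidden) + nas)
    seen = reveal_password(parse_attrs(access[20:])[USER_PASSWORD], server_secret, req_auth)
    code = ACCESS_ACCEPT if hmac.compare_digest(seen, STORED_PASSWORD) else ACCESS_REJECT
    reply = build_response(code, access, b"", server_secret)
    return {"accounting_logged": acct_request_is_authentic(acct, server_secret),
            "access_code": code,
            "reply_accepted_by_client": response_is_authentic(reply, access, client_secret)}


if __name__ == "__main__":
    print(exchange(b"Cisco123", b"Cisco123"))   # all three checks pass
    print(exchange(b"Cisco123", b"cisco123"))   # keys are case sensitive: all three fail
```

Because the Access-Request carries no proof of the key on its own, a mistyped shared secret usually first shows up as a run of failed logins for a device rather than as an explicit key error, which is why the Failed Attempts report is the place to look when a newly added AAA client cannot authenticate anyone.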

• Network Device Group—The name of the NDG to which this AAA client
should belong. To make the AAA client independent of NDGs, use the Not
Assigned selection.

Note This option does not appear if you have not configured Cisco Secure
ACS to use NDGs. To enable NDGs, click Interface Configuration,
click Advanced Options, and then select the Network Device
Groups check box.

• Authenticate Using—The AAA protocol to be used for communications
with the AAA client. The Authenticate Using list includes Cisco IOS
TACACS+ and several vendor-specific implementations of RADIUS. If you
have configured user-defined RADIUS vendors and VSAs, those
vendor-specific RADIUS implementations appear on the list also. For
information about creating user-defined RADIUS VSAs, see Custom
RADIUS Vendors and VSAs, page 9-27.


The Authenticate Using list always contains the following selections:
– TACACS+ (Cisco IOS)—The Cisco IOS TACACS+ protocol, which is
the standard choice when using Cisco Systems access servers, routers,
and firewalls. If the AAA client is a Cisco device-management
application, such as Management Center for Firewalls (Firewall MC),
you must use this option.
– RADIUS (Cisco Aironet)—RADIUS using Cisco Aironet VSAs. Select
this option if the network device is a Cisco Aironet Access Point used by
users authenticating with LEAP or EAP-TLS, provided that these
protocols are enabled on the Global Authentication Setup page in the
System Configuration section.
When an authentication request from a RADIUS (Cisco Aironet) AAA
client arrives, Cisco Secure ACS first attempts authentication by using
LEAP; if this fails, Cisco Secure ACS fails over to EAP-TLS. If LEAP is
not enabled on the Global Authentication Setup page, Cisco Secure ACS
immediately attempts EAP-TLS authentication. If neither LEAP nor
EAP-TLS is enabled on the Global Authentication Setup page, any
authentication attempt received from a Cisco Aironet RADIUS client
fails. For more information about enabling LEAP or EAP-TLS, see Global
Authentication Setup, page 10-25.
Using this option enables Cisco Secure ACS to send the wireless network
device a different session timeout value for user sessions than
Cisco Secure ACS sends to wired end-user clients.

Note If all authentication requests from a particular Cisco Aironet
Access Point are PEAP or EAP-TLS requests, use RADIUS
(IETF) instead of RADIUS (Cisco Aironet). Cisco Secure ACS
cannot support PEAP authentication using the RADIUS (Cisco
Aironet) protocol.

– RADIUS (Cisco BBSM)—RADIUS using Cisco BBSM VSAs. Select
this option if the network device is a Cisco BBSM network device
supporting authentication via RADIUS.


– RADIUS (Cisco IOS/PIX)—RADIUS using Cisco IOS/PIX VSAs. This
option enables you to pack commands sent to a Cisco IOS AAA client.
The commands are defined in the Group Setup section. Select this option
for RADIUS environments in which key TACACS+ functions are
required to support Cisco IOS equipment.
– RADIUS (Cisco VPN 3000)—RADIUS using Cisco VPN 3000 VSAs.
Select this option if the network device is a Cisco VPN 3000 series
Concentrator.
– RADIUS (Cisco VPN 5000)—RADIUS using Cisco VPN 5000 VSAs.
Select this option if the network device is a Cisco VPN 5000 series
Concentrator.
– RADIUS (IETF)—IETF-standard RADIUS, using no VSAs. Select this
option if the AAA client represents RADIUS-enabled devices from more
than one manufacturer and you want to use standard IETF RADIUS
attributes. If the AAA client represents a Cisco Aironet Access Point
used only by users authenticating with PEAP or EAP-TLS, this is also the
protocol to select.
– RADIUS (Ascend)—RADIUS using Ascend RADIUS VSAs. Select this
option if the network device is an Ascend network device supporting
authentication via RADIUS.
– RADIUS (Juniper)—RADIUS using Juniper RADIUS VSAs. Select
this option if the network device is a Juniper network device supporting
authentication via RADIUS.
– RADIUS (Nortel)—RADIUS using Nortel RADIUS VSAs. Select this
option if the network device is a Nortel network device supporting
authentication via RADIUS.
– RADIUS (iPass)—RADIUS for AAA clients using iPass RADIUS.
Select this option if the network device is an iPass network device
supporting authentication via RADIUS. iPass RADIUS is identical to
IETF RADIUS.
• Single Connect TACACS+ AAA Client (Record stop in accounting on
failure)—If you select TACACS+ (Cisco IOS) from the Authenticate Using
list, you can use this option to specify that Cisco Secure ACS use a single
TCP connection for all TACACS+ communication with the AAA client,
rather than a new one for every TACACS+ request. In single connection
mode, multiple requests from a network device are multiplexed over a single
TCP session. By default, this check box is not selected.

Note If TCP connections between Cisco Secure ACS and the AAA client
are unreliable, do not use this feature.

• Log Update/Watchdog Packets from this AAA Client—Enables logging of
update, or watchdog, packets. Watchdog packets are interim packets sent
periodically during a session. They provide you with an approximate session
length if a AAA client fails and, therefore, no stop packet is received to mark
the end of the session. By default, this check box is not selected.
• Log RADIUS Tunneling Packets from this AAA Client—Enables logging
of RADIUS tunneling accounting packets. Packets are recorded in the
RADIUS Accounting reports of Reports and Activity. By default, this check
box is not selected.
• Replace RADIUS Port info with Username from this AAA
Client—Enables use of username rather than port number for session state
tracking. This option is useful when the AAA client cannot provide unique
port values, such as a gateway GPRS support node (GGSN). For example, if
you use the Cisco Secure ACS IP pools server and the AAA client does not
provide a unique port for each user, Cisco Secure ACS assumes that a reused
port number indicates that the previous user session has ended and
Cisco Secure ACS may reassign the IP address previously assigned to the
session with the non-unique port number. By default, this check box is not
selected.

Note If this option is enabled, Cisco Secure ACS cannot determine the
number of user sessions for each user. Each session uses the same
session identifier, the username; therefore, the Max Sessions feature
is ineffective for users accessing the network through a AAA client
with this feature enabled.
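
The watchdog-logging and username-tracking options above are easier to reason about when the accounting records are replayed through a session tracker. The following Python script is an added example, not part of this guide and not Cisco Secure ACS code: it feeds a handful of constructed RADIUS accounting records (Start, Interim-Update, Stop) through a small tracker, first keyed by NAS-Port and then keyed by User-Name, and reports the approximate session length taken from the last watchdog packet when the Stop never arrives, which IP addresses a pool would be free to reassign, and the peak number of concurrent sessions seen per user (the count the Max Sessions feature depends on). The record fields, addresses and timings are constructed for the example.

```python
"""Accounting session tracker (added example, not Cisco Secure ACS code).

Replays constructed RADIUS accounting records to illustrate two AAA client
options: watchdog (Interim-Update) packets as a fallback session length when
the Stop packet is lost, and keying session state by User-Name instead of
NAS-Port ("Replace RADIUS Port info with Username").
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    user: str
    nas_ip: str
    nas_port: int
    start: int                   # timestamp of the Start record (seconds)
    last_update: int             # latest Start/Interim-Update timestamp
    framed_ip: Optional[str]     # address assigned to the session
    stop: Optional[int] = None   # set when a Stop record arrives

    def length(self) -> Tuple[int, bool]:
        """(seconds, exact). exact=False means no Stop was received and the
        length is only an estimate taken from the last watchdog packet."""
        if self.stop is not None:
            return self.stop - self.start, True
        return self.last_update - self.start, False


class AccountingTracker:
    def __init__(self, key_by_username: bool = False):
        # False: session identifier is (NAS-IP, NAS-Port), the default.
        # True:  session identifier is (NAS-IP, User-Name), which is what the
        #        "Replace RADIUS Port info with Username" option selects.
        self.key_by_username = key_by_username
        self.active: Dict[tuple, Session] = {}
        self.closed: List[Session] = []
        self.released_ips: List[str] = []
        self.peak_sessions: Dict[str, int] = {}

    def _key(self, rec: dict) -> tuple:
        if self.key_by_username:
            return (rec["nas_ip"], rec["user"])
        return (rec["nas_ip"], rec["nas_port"])

    def _retire(self, s: Session) -> None:
        self.closed.append(s)
        if s.framed_ip:
            self.released_ips.append(s.framed_ip)   # the pool may reassign it

    def active_count(self, user: str) -> int:
        return sum(1 for s in self.active.values() if s.user == user)

    def feed(self, rec: dict) -> None:
        key, status = self._key(rec), rec["status"]
        if status == "Start":
            old = self.active.pop(key, None)
            if old is not None:
                # A reused identifier means the earlier session is assumed over.
                self._retire(old)
            self.active[key] = Session(rec["user"], rec["nas_ip"], rec["nas_port"],
                                       rec["time"], rec["time"], rec.get("framed_ip"))
            user = rec["user"]
            self.peak_sessions[user] = max(self.peak_sessions.get(user, 0),
                                           self.active_count(user))
        elif status == "Interim-Update":
            s = self.active.get(key)
            if s is not None:
                s.last_update = rec["time"]   # watchdog packet refreshes the estimate
        elif status == "Stop":
            s = self.active.pop(key, None)
            if s is not None:
                s.stop = rec["time"]
                self._retire(s)


# Constructed records: alice opens two sessions on one NAS; the NAS fails
# before sending the Stop for port 7, so only watchdog packets cover it.
SAMPLE_RECORDS = [
    {"time": 0,   "status": "Start",          "nas_ip": "10.0.0.1", "nas_port": 7, "user": "alice", "framed_ip": "192.0.2.10"},
    {"time": 100, "status": "Start",          "nas_ip": "10.0.0.1", "nas_port": 8, "user": "alice", "framed_ip": "192.0.2.11"},
    {"time": 300, "status": "Interim-Update", "nas_ip": "10.0.0.1", "nas_port": 7, "user": "alice"},
    {"time": 600, "status": "Interim-Update", "nas_ip": "10.0.0.1", "nas_port": 7, "user": "alice"},
    {"time": 650, "status": "Stop",           "nas_ip": "10.0.0.1", "nas_port": 8, "user": "alice"},
]


def run(key_by_username: bool) -> dict:
    """Replay SAMPLE_RECORDS and summarize what the tracker concluded."""
    t = AccountingTracker(key_by_username)
    for rec in SAMPLE_RECORDS:
        t.feed(rec)
    return {
        "still_active": [(s.nas_port, s.length()) for s in t.active.values()],
        "closed": [(s.nas_port, s.length()) for s in t.closed],
        "released_ips": t.released_ips,
        "peak_alice": t.peak_sessions.get("alice", 0),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("key by username:", mode, run(mode))
```

With port keying, the port 7 session survives the lost Stop with a 600-second estimate and alice is correctly seen with two concurrent sessions. With username keying, the second Start on port 8 evicts the port 7 session (its address is released for reassignment after an estimated 0 seconds), the later watchdog packets for port 7 are credited to the wrong session, and the peak per-user count never rises above one, which is why Max Sessions cannot be enforced for clients configured this way.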

Adding a AAA Client


You can use this procedure to add a AAA client configuration.
Before You Begin
For descriptions of the options available while adding a AAA client configuration,
see AAA Client Configuration Options, page 4-12.
For Cisco Secure ACS to provide AAA services to a AAA client, you must ensure
that gateway devices between AAA clients and Cisco Secure ACS allow
communication over the ports needed to support the applicable AAA protocol
(RADIUS or TACACS+). For information about ports used by AAA protocols,
see AAA Protocols—TACACS+ and RADIUS, page 1-6.
To add a AAA client, follow these steps:

Step 1 In the navigation bar, click Network Configuration.
The Network Configuration page opens.
Step 2 Do one of the following:
• If you are using NDGs, click the name of the NDG to which the AAA client
is to be assigned. Then, click Add Entry below the AAA Clients table.
• To add a AAA client when you have not enabled NDGs, click Add Entry
below the AAA Clients table.
The Add AAA Client page appears.
Step 3 In the AAA Client Hostname box, type the name assigned to this AAA client (up
to 32 characters).
Step 4 In the AAA Client IP Address box, do one of the following:
• Type the AAA client IP address or addresses. For information about using
wildcards, octet ranges, or multiple IP addresses, see AAA Client
Configuration Options, page 4-12.
• If the AAA client configuration will only be used for command authorization
of Cisco multi-device management applications, type dynamic.

Note If you only provide the keyword “dynamic”, the AAA client
configuration cannot be used by Cisco Secure ACS to provide
AAA services to a network device and is used solely for
command authorization of Cisco multi-device management
applications, such as Management Center for Firewalls (Firewall
MC).

Step 5 In the Key box, type the shared secret that the AAA client and Cisco Secure ACS
use to encrypt the data (up to 32 characters).

Note For correct operation, the identical key must be configured on the AAA
client and Cisco Secure ACS. Keys are case sensitive.

Step 6 If you are using NDGs, from the Network Device Group list, select the name of
the NDG to which this AAA client should belong, or select Not Assigned to set
this AAA client to be independent of NDGs.

Note If you want to enable NDGs, click Interface Configuration, click
Advanced Options, and then select the Network Device Groups check
box.

Step 7 From the Authenticate Using list, select the network security protocol used by the
AAA client.

Tip If you are uncertain which protocol to select on the Authenticate Using
list, see AAA Client Configuration Options, page 4-12.

Step 8 If you want to enable a single connection from a AAA client, rather than a new
one for every TACACS+ request, select the Single Connect TACACS+ AAA
Client (Record stop in accounting on failure) check box.

Note If TCP connections between Cisco Secure ACS and the AAA client are
unreliable, do not use this feature.

Step 9 If you want to enable logging of watchdog packets, select the Log
Update/Watchdog Packets from this AAA Client check box.
Step 10 If you want to enable logging of RADIUS tunneling accounting packets, select the
Log RADIUS Tunneling Packets from this AAA Client check box.
Step 11 If you want to track session state by username rather than port number, select the
Replace RADIUS Port info with Username from this AAA Client check box.

Note If this option is enabled, Cisco Secure ACS cannot determine the number
of user sessions for each user. Each session uses the same session
identifier, the username; therefore, the Max Sessions feature is ineffective
for users accessing the network through a AAA client with this feature
enabled.

Step 12 If you want to save your changes and apply them immediately, click
Submit + Restart.

Note Restarting the service clears the Logged-in User report and temporarily
interrupts all Cisco Secure ACS services. This affects the Max Sessions
counter.

Tip If you want to save your changes and apply them later, click Submit.
When you are ready to implement the changes, click System
Configuration, click Service Control, and then click Restart.

Editing a AAA Client


You can use this procedure to edit the settings for a AAA client configuration.

Note You cannot directly edit the name of a AAA client; rather, you must delete the
AAA client entry and then re-establish the entry with the corrected name. For
steps about deleting a AAA client configuration, see Deleting a AAA Client,
page 4-21. For steps about creating a AAA client configuration, see Adding a
AAA Client, page 4-17.

Before You Begin


For descriptions of the options available while editing a AAA client
configuration, see AAA Client Configuration Options, page 4-12.
For Cisco Secure ACS to provide AAA services to a AAA client, you must ensure
that gateway devices between AAA clients and Cisco Secure ACS permit
communication over the ports needed to support the applicable AAA protocol
(RADIUS or TACACS+). For information about ports used by AAA protocols,
see AAA Protocols—TACACS+ and RADIUS, page 1-6.
To edit a AAA client, follow these steps:

Step 1 In the navigation bar, click Network Configuration.
The Network Configuration page opens.
Step 2 Do one of the following:
• If you are using NDGs, click the name of the NDG to which the AAA client
is assigned. Then, click the name of the AAA client.
• To edit a AAA client when you have not enabled NDGs, click the name of the
AAA client in the AAA Client Hostname column of the AAA Clients table.
The AAA Client Setup For Name page appears.
Step 3 Modify the AAA client settings, as needed. For information about the
configuration options available for a AAA client, see AAA Client Configuration
Options, page 4-12.

Note You cannot directly edit the name of a AAA client; rather, you must delete
the AAA client entry and then re-establish the entry with the corrected
name. For steps about deleting a AAA client entry, see Deleting a AAA
Client, page 4-21. For steps about creating a AAA client entry, see
Adding a AAA Client, page 4-17.

Step 4 To save your changes and apply them immediately, click Submit + Restart.

Tip To save your changes and apply them later, click Submit. When you are
ready to implement the changes, click System Configuration, click
Service Control, and then click Restart.

Note Restarting the service clears the Logged-in User report and temporarily
interrupts all Cisco Secure ACS services. This affects the Max Sessions
counter.

Deleting a AAA Client


To delete a AAA client, follow these steps:

Step 1 In the navigation bar, click Network Configuration.
The Network Configuration page opens.
Step 2 Do one of the following:
• If you are using NDGs, click the name of the NDG to which the AAA client
is assigned. Then, click the AAA client hostname in the AAA Clients table.
• To delete a AAA client when you have not enabled NDGs, click the AAA
client hostname in the AAA Clients table.
The AAA Client Setup for the Name page appears.
Step 3 To delete the AAA client and have the deletion take effect immediately, click
Delete + Restart.

Note Restarting Cisco Secure ACS services clears the Logged-in User report
and temporarily interrupts all Cisco Secure ACS services. As an
alternative to restarting when you delete a AAA client, you can click
Delete. However, when you do this, the change does not take effect until
you restart the system, which you can do by clicking System
Configuration, clicking Service Control, and then clicking Restart.

A confirmation dialog box appears.
Step 4 Click OK.
Cisco Secure ACS restarts AAA services and the AAA client is deleted.

AAA Server Configuration


This section presents procedures for configuring AAA servers in the Cisco Secure
ACS HTML interface. For additional information about AAA servers, see AAA
Servers in Distributed Systems, page 4-3.
To configure distributed system features for a given Cisco Secure ACS, you must
first define the other AAA server(s).

Tip If the AAA Servers table does not appear, click Interface Configuration, click
Advanced Options, and then select the Distributed System Settings check box.

This section contains the following topics:
• AAA Server Configuration Options, page 4-23
• Adding a AAA Server, page 4-25
• Editing a AAA Server, page 4-27
• Deleting a AAA Server, page 4-28

AAA Server Configuration Options


A AAA server configuration enables Cisco Secure ACS to interact with the AAA
server that the configuration represents. A AAA server that does not have a
corresponding configuration in Cisco Secure ACS, or whose configuration in
Cisco Secure ACS is incorrect, does not receive AAA services from Cisco Secure
ACS, such as proxied authentication requests. Also, several distributed systems
features require that the other Cisco Secure ACSes included in the distributed
system be represented in the AAA Servers table. For more information about
distributed systems features, see About Distributed Systems, page 4-3.
The Add AAA Server and AAA Server Setup pages include the following options:
• AAA Server Name—The name you assign to the AAA server configuration.
The AAA server hostname that is configured in Cisco Secure ACS does not
have to match the hostname configured on a network device. We recommend
that you adopt a descriptive, consistent naming convention for AAA server
names. Maximum length for a AAA server name is 32 characters.

Note After you submit the AAA server name, you cannot change it. If you
want to use a different name for a AAA server, delete the AAA server
configuration and create a AAA server configuration using the new
name.

• AAA Server IP Address—The IP address of the AAA server, in dotted,
four-octet format. For example, 10.77.234.3.
• Key—The shared secret of the AAA server. Maximum length for a AAA
server key is 32 characters.
For correct operation, the key must be identical on the remote AAA server
and Cisco Secure ACS. Keys are case sensitive. Because shared secrets are
not synchronized, it is easy to make mistakes when entering them on
remote AAA servers and Cisco Secure ACS. If the shared secret does not
match, Cisco Secure ACS discards all packets from the remote AAA server.
• Network Device Group—The name of the NDG to which this AAA server
should belong. To make the AAA server independent of NDGs, use the Not
Assigned selection.

Note This option does not appear if you have not configured Cisco Secure
ACS to use NDGs. To enable NDGs, click Interface Configuration,
click Advanced Options, and then select the Network Device
Groups check box.

• Log Update/Watchdog Packets from this remote AAA Server—Enables
logging of update, or watchdog, packets from AAA clients that are forwarded
by the remote AAA server to this Cisco Secure ACS. Watchdog packets are
interim packets sent periodically during a session. They provide you with an
approximate session length if a AAA client fails and, therefore, no stop
packet is received to mark the end of the session.
• AAA Server Type—One of the following three types:
– RADIUS—Select this option if the remote AAA server is configured
using any type of RADIUS protocol.
– TACACS+—Select this option if the remote AAA server is configured
using the TACACS+ protocol.
– Cisco Secure ACS—Select this option if the remote AAA server is
another Cisco Secure ACS. This enables you to configure features that
are only available with other Cisco Secure ACSes, such as CiscoSecure
user database replication and remote logging.

Note The remote Cisco Secure ACS must be using version 2.1 or later.

• Traffic Type—The Traffic Type list defines the direction in which traffic to
and from the remote AAA server is permitted to flow from this Cisco Secure
ACS. The list includes the following options:
– Inbound—The remote AAA server accepts requests that have been
forwarded to it and does not forward the requests to another AAA server.
Select this option if you do not want to permit any authentication requests
to be forwarded from the remote AAA server.
– Outbound—The remote AAA server sends out authentication requests
but does not receive them. If a Proxy Distribution Table entry is
configured to proxy authentication requests to a AAA server that is
configured for Outbound, the authentication request is not sent.
– Inbound/Outbound—The remote AAA server forwards and accepts
authentication requests. This allows the selected server to handle
authentication requests in any manner defined in the distribution tables.
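
The Key option above states that a mismatched shared secret, including one that differs only in case, causes Cisco Secure ACS to discard every packet from the remote server. The Python block below is an added example written for this page, not Cisco Secure ACS code: it builds a RADIUS reply carrying the RFC 2865 Response Authenticator (MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the shared secret) and shows the receiver-side check passing with the configured key and failing with a key whose case differs. The packet contents, attribute values and keys are constructed for the example.

```python
"""RADIUS Response Authenticator check (added example, not Cisco Secure ACS code).

A RADIUS reply proves knowledge of the shared secret through its
authenticator field (RFC 2865, section 3):
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
A receiver that recomputes the value with its own copy of the secret and
gets a different result must silently discard the packet.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
REPLY_MESSAGE = 18          # standard attribute type used in the demo
HEADER_LEN = 20             # code(1) + id(1) + length(2) + authenticator(16)


def encode_attributes(attrs) -> bytes:
    """Serialize [(type, value_bytes), ...] as RADIUS TLVs (type, length, value)."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, 2 + len(value)) + value
    return out


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5 over the reply header, the request's authenticator, attributes, secret."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code: int, ident: int, request_auth: bytes, attrs, secret: bytes) -> bytes:
    """What the remote AAA server sends back, authenticated with *its* copy of the key."""
    body = encode_attributes(attrs)
    auth = response_authenticator(code, ident, body, request_auth, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + auth + body


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Receiver-side check with *our* copy of the key; False means discard."""
    if len(reply) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[HEADER_LEN:], request_auth, secret)
    return hmac.compare_digest(reply[4:HEADER_LEN], expected)


def demo() -> tuple:
    """Returns (accepted_with_matching_key, accepted_with_case_changed_key)."""
    request_auth = os.urandom(16)              # authenticator of the Access-Request we sent
    configured_key = b"Secret123"              # constructed key held by the remote server
    reply = build_reply(ACCESS_ACCEPT, 42, request_auth,
                        [(REPLY_MESSAGE, b"Welcome")], configured_key)
    return (verify_reply(reply, request_auth, b"Secret123"),
            verify_reply(reply, request_auth, b"secret123"))


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The check only covers replies. An Access-Request proves knowledge of the secret only through the Message-Authenticator attribute (RFC 2869) or indirectly through the hidden User-Password, so a key mismatch on the sending side usually surfaces as a silent discard or an unexplained reject rather than an explicit error, which is why the guide recommends checking the key on both systems first.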

Adding a AAA Server


Before You Begin
For descriptions of the options available while adding a remote AAA server
configuration, see AAA Server Configuration Options, page 4-23.
For Cisco Secure ACS to provide AAA services to a remote AAA server, you
must ensure that gateway devices between the remote AAA server and
Cisco Secure ACS permit communication over the ports that support the
applicable AAA protocol (RADIUS or TACACS+). For information about ports
used by AAA protocols, see AAA Protocols—TACACS+ and RADIUS, page 1-6.
To add and configure a AAA server, follow these steps:

Step 1 In the navigation bar, click Network Configuration.
The Network Configuration page opens.
Step 2 Do one of the following:
• If you are using NDGs, click the name of the NDG to which the AAA server
is to be assigned. Then, click Add Entry below the [name] AAA Servers
table.
• To add a AAA server when you have not enabled NDGs, below the AAA
Servers table, click Add Entry.
The Add AAA Server page appears.
Step 3 In the AAA Server Name box, type a name for the remote AAA server (up to 32
characters).
Step 4 In the AAA Server IP Address box, type the IP address assigned to the remote
AAA server.
Step 5 In the Key box, type the shared secret that the remote AAA server and the
Cisco Secure ACS use to encrypt the data (up to 32 characters).

Note The key is case sensitive. If the shared secret does not match,
Cisco Secure ACS discards all packets from the remote AAA server.

Step 6 From the Network Device Group list, select the NDG to which this AAA server
belongs.

Note To enable NDGs, click Interface Configuration, click Advanced
Options, and then click Network Device Groups.

Step 7 To enable watchdog packets, select the Log Update/Watchdog Packets from
this remote AAA Server check box.
Step 8 From the AAA Server Type list, select the AAA server type applicable to the
remote AAA server. If the remote AAA server is another Cisco Secure ACS,
identify it as such by selecting CiscoSecure ACS.
Step 9 From the Traffic Type list, select the type of traffic you want to permit between
the remote AAA server and Cisco Secure ACS.
Step 10 To save your changes and apply them immediately, click Submit + Restart.

Tip To save your changes and apply them later, click Submit. When you are
ready to implement the changes, click System Configuration, click
Service Control, and then click Restart.

Note Restarting the service clears the Logged-in User report and temporarily
interrupts all Cisco Secure ACS services. This affects the Max Sessions
counter and resets it to zero.

Editing a AAA Server


Use this procedure to edit the settings for a AAA server that you have previously
configured.

Note You cannot edit the name of a AAA server. To rename a AAA server, you must
delete the existing AAA server entry and then add a new server entry with the new
name.

Before You Begin


For descriptions of the options available while editing a remote AAA server entry,
see AAA Server Configuration Options, page 4-23.
For Cisco Secure ACS to provide AAA services to a remote AAA server, you
must ensure that gateway devices between the remote AAA server and
Cisco Secure ACS permit communication over the ports that support the
applicable AAA protocol (RADIUS or TACACS+). For information about ports
used by AAA protocols, see AAA Protocols—TACACS+ and RADIUS, page 1-6.
To edit a AAA server, follow these steps:

Step 1 In the navigation bar, click Network Configuration.
The Network Configuration page opens.
Step 2 Do one of the following:
• If you are using NDGs, click the name of the NDG to which the AAA server
is assigned. Then, in the AAA Servers table, click the name of the AAA
server to be edited.
• If you have not enabled NDGs, in the AAA Servers table, click the name of
the AAA server to be edited.
The AAA Server Setup for X page appears.
Step 3 Enter or select new settings for one or more of the following fields:
• AAA Server IP Address
• Key
• Log Update/Watchdog Packets from this remote AAA Server
• AAA Server Type
• Traffic Type
Step 4 To save your changes and apply them immediately, click Submit + Restart.

Tip To save your changes and apply them later, click Submit. When you are
ready to implement the changes, click System Configuration, click
Service Control, and then click Restart.

Note Restarting the service clears the Logged-in User report and temporarily
interrupts all Cisco Secure ACS services. This affects the Max Sessions
counter and resets it to zero.

Deleting a AAA Server


To delete a AAA server, follow these steps:

Step 1 In the navigation bar, click Network Configuration.
The Network Configuration page opens.
Step 2 Do one of the following:
• If you are using NDGs, click the name of the NDG to which the AAA server
is assigned. Then, click the AAA server name in the AAA Servers table.
• If you have not enabled NDGs, click the AAA server name in the AAA
Servers table.
The AAA Server Setup for X page appears.
Step 3 To delete the AAA server and have the deletion take effect immediately, click
Delete + Restart.

Note Restarting the service clears the Logged-in User report and temporarily
interrupts all Cisco Secure ACS services. As an alternative to restarting
when you delete a AAA server, in the preceding step you can click Delete.
However, when you do this, the change does not take effect until you
restart the system, which you can do by clicking System Configuration,
clicking Service Control, and then clicking Restart.

A confirmation dialog box appears.
Step 4 Click OK.
Cisco Secure ACS performs a restart and the AAA server is deleted.

Remote Agent Configuration


This section presents information about remote agents and procedures for
configuring remote agents in the Cisco Secure ACS HTML interface.
This section contains the following topics:
• About Remote Agents, page 4-29
• Remote Agent Configuration Options, page 4-30
• Adding a Remote Agent, page 4-32
• Editing a Remote Agent Configuration, page 4-34
• Deleting a Remote Agent Configuration, page 4-35

About Remote Agents


Remote agents are small programs that run on computers on your network. A
Cisco Secure ACS Appliance can use them for remote logging and authentication
of users with a Windows external user database. Before you can configure remote
logging and before you can configure authentication using a Windows external
user database, you must add at least one remote agent configuration to the Remote
Agents table in the Network Configuration section.
For more information about remote agents, including how to install and configure
them, see Installation and Configuration Guide for Cisco Secure ACS Remote
Agents.

Remote Agent Configuration Options


A remote agent configuration enables Cisco Secure ACS to interact with the
remote agent that the configuration represents. A remote agent that does not have
a corresponding configuration in Cisco Secure ACS, or whose configuration in
Cisco Secure ACS is incorrect, cannot communicate with Cisco Secure ACS to
receive its configuration, logging data, or Windows authentication requests.
The Add Remote Agent and Remote Agent Setup pages include the following
options:
• Remote Agent Name—The name you assign to the remote agent
configuration. Remote agent logging and Windows authentication are
configured by referring to remote agents by their name. We recommend that
you adopt a descriptive, consistent naming convention for remote agent
names. For example, you could assign to remote agent configurations the
same name as the hostname of the server that runs the remote agent.
Maximum length for a remote agent name is 32 characters.

Note After you submit the remote agent name, you cannot change it. If you
want to use a different name for a remote agent, delete the remote
agent configuration, create a new remote agent configuration using
the new name, and change remote logging and Windows
authentication configurations that use the remote agent.

• Remote Agent IP Address—The IP address of the remote agent, in dotted,
four-octet format. For example, 10.77.234.3.
• Remote Agent Port—The TCP port that the remote agent listens to for
communication from Cisco Secure ACS. Maximum length for the TCP port
number is 6 characters.
If the port number provided here does not match the port the remote agent is
configured to listen to, Cisco Secure ACS cannot communicate with the
remote agent. For information about configuring the port number that the
remote agent listens to, see Installation and Configuration Guide for
Cisco Secure ACS Remote Agents.
• Network Device Group—The name of the NDG to which this remote agent
should belong. To make the remote agent independent of NDGs, use the Not
Assigned selection.

Note This option does not appear if you have not configured Cisco Secure
ACS to use NDGs. To enable NDGs, click Interface Configuration,
click Advanced Options, and then select the Network Device
Groups check box.

In addition to the options in the preceding list, the Remote Agent Setup page
includes the following options:
• Running Status—Information about the status of the remote agent. If
Cisco Secure ACS can contact the remote agent, the uptime for the remote
agent is displayed. If Cisco Secure ACS cannot contact the remote agent, the
message “Not responding” is displayed.
• Configuration Provider—The Cisco Secure ACS that the remote agent
receives its configuration from.

Tip You can access the HTML interface for the Cisco Secure ACS that provides a
remote agent its configuration by clicking on the Cisco Secure ACS name. A new
browser window displays the HTML interface for the Cisco Secure ACS
providing configuration data to the remote agent.

• Service Table—Below the Configuration Provider, Cisco Secure ACS
displays a table of information about the remote agent. The table includes the
following columns:
– Service—A list of services that a remote agent can provide: remote
logging and Windows authentication.
– Available—Whether the remote agent can currently provide the
corresponding service.
– Used by this ACS—Whether the corresponding service is currently used
by the Cisco Secure ACS you are logged into.

Adding a Remote Agent


Before You Begin
For descriptions of the options available while adding a remote agent
configuration, see Remote Agent Configuration Options, page 4-30.
For Cisco Secure ACS to communicate with a remote agent, you must ensure that
gateway devices between a remote agent and Cisco Secure ACS permit
communication over the TCP ports used by remote agents. For information about
ports used by remote agents, see Installation and Configuration Guide for
Cisco Secure ACS Remote Agents.
To add and configure a remote agent, follow these steps:

Step 1 In the navigation bar, click Network Configuration.
The Network Configuration section opens.
Step 2 Do one of the following:
• If you are using NDGs, click the name of the NDG that you want to assign
the remote agent to. Then, in the NDG Remote Agents table, click Add
Entry.
• If you are not using NDGs, in the Remote Agents table, click Add Entry.
The Add Remote Agent page appears.
Step 3 In the Remote Agent Name box, type a name for the remote agent (up to 32
characters).
Step 4 In the Remote Agent IP Address box, type the IP address of the computer that runs
the remote agent.
Step 5 In the Port box, type the number of the TCP port the remote agent listens to for
communication from Cisco Secure ACS (up to 6 digits). The default TCP port is
2003.

Note If the port number provided here does not match the port the remote agent
is configured to listen to, Cisco Secure ACS cannot communicate with the
remote agent. For information about configuring the port number that the
remote agent listens to, see Installation and Configuration Guide for
Cisco Secure ACS Remote Agents.

Step 6 From the Network Device Group list, select the NDG to which this remote agent
belongs.

Note The Network Device Group list appears only if NDGs are enabled. To
enable NDGs, click Interface Configuration, click Advanced Options,
and then click Network Device Groups.

Step 7 To save your changes and apply them immediately, click Submit + Restart.

Tip To save your changes and apply them later, click Submit. When you are
ready to implement the changes, click System Configuration, click
Service Control, and then click Restart.

Note Restarting the service clears the Logged-in User report and temporarily
interrupts all Cisco Secure ACS services. This affects the Max Sessions
counter and resets it to zero.

Editing a Remote Agent Configuration


Use this procedure to edit the settings for a remote agent that you have previously
configured.

Note You cannot edit the name of a remote agent. If you want to use a different name
for a remote agent, delete the remote agent configuration, create a remote agent
configuration using the new name, and change remote logging and Windows
authentication configurations that use the remote agent.

Before You Begin


For descriptions of the options available while editing a remote agent
configuration, see Remote Agent Configuration Options, page 4-30.
For Cisco Secure ACS to communicate with a remote agent, you must ensure that
gateway devices between a remote agent and Cisco Secure ACS permit
communication over the TCP ports used by remote agents. For information about
ports used by remote agents, see Installation and Configuration Guide for
Cisco Secure ACS Remote Agents.
To edit a remote agent configuration, follow these steps:

Step 1 In the navigation bar, click Network Configuration.


The Network Configuration section opens.
Step 2 Do one of the following:
a. If you are using NDGs, click the name of the NDG that the remote agent
belongs to. Then, in the NDG Remote Agents table, click the name of the
remote agent configuration you want to edit.
b. If you are not using NDGs, in the Remote Agents table, click the name of the
remote agent you want to edit.
The Remote Agent Setup for agent page appears.
Step 3 Enter or select new settings for one or more of the following options:
• Remote Agent IP Address
• Port
• Network Device Group

Note If the Cisco Secure ACS you are currently logged into does not provide
configuration data for the remote agent, none of the options are editable.
You can access the HTML interface for the Cisco Secure ACS that does
provide configuration data to the remote agent by clicking the
Cisco Secure ACS name listed as the Configuration Provider.

Step 4 To save your changes and apply them immediately, click Submit + Restart.

Tip To save your changes and apply them later, click Submit. When you are
ready to implement the changes, click System Configuration, click
Service Control, and then click Restart.

Note Restarting the service clears the Logged-in User report and temporarily
interrupts all Cisco Secure ACS services. This affects the Max Sessions
counter and resets it to zero.

Deleting a Remote Agent Configuration

Note You cannot delete a remote agent that Cisco Secure ACS is configured to use for
remote logging or Windows authentication.

To delete a remote agent configuration, follow these steps:

Step 1 In the navigation bar, click Network Configuration.


The Network Configuration section opens.

Step 2 Do one of the following:


• If you are using NDGs, click the name of the NDG that the remote agent
belongs to. Then, in the NDG Remote Agents table, click the name of the
remote agent configuration that you want to delete.
• If you are not using NDGs, in the Remote Agents table, click the name of the
remote agent configuration that you want to delete.
The Remote Agent Setup for agent page appears.
Step 3 To delete the remote agent and have the deletion take effect immediately, click
Delete + Restart.

Note Restarting services clears the Logged-in User report and temporarily
interrupts all Cisco Secure ACS services. As an alternative to restarting
when you delete a remote agent, in the preceding step you can click
Delete. However, when you do this, the change does not take effect until
you restart services, which you can do by clicking System
Configuration, clicking Service Control, and then clicking Restart.

A confirmation dialog box appears.


Step 4 Click OK.
Cisco Secure ACS restarts its services and the remote agent configuration is
deleted.

Network Device Group Configuration


Network Device Grouping is an advanced feature that enables you to view and
administer a collection of network devices as a single logical group. To simplify
administration, you can assign each group a name that can be used to refer to all
devices within that group. This creates two levels of network devices within
Cisco Secure ACS—single discrete devices such as an individual router or
network access server, and an NDG; that is, a collection of routers or AAA
servers.

Caution To see the Network Device Groups table in the HTML interface, you must have
the Network Device Groups option selected on the Advanced Options page of the
Interface Configuration section. Unlike in other areas of Interface Configuration,
deselecting the Network Device Groups option hides an NDG that is still active.
Therefore, if you choose to configure NDGs, make sure you leave the Network
Device Groups option selected on the Advanced Options page.

This section contains the following topics:


• Adding a Network Device Group, page 4-37
• Assigning an Unassigned AAA Client or AAA Server to an NDG, page 4-38
• Reassigning a AAA Client or AAA Server to an NDG, page 4-39
• Renaming a Network Device Group, page 4-39
• Deleting a Network Device Group, page 4-40

Adding a Network Device Group


You can assign users or groups of users to NDGs. For more information, see one
of the following sections:
• Setting TACACS+ Enable Password Options for a User, page 7-34
• Setting Enable Privilege Options for a User Group, page 6-18
To add an NDG, follow these steps:

Step 1 In the navigation bar, click Network Configuration.


The Network Configuration page opens.
Step 2 Under the Network Device Groups table, click Add Entry.

Tip If the Network Device Groups table does not appear, click Interface
Configuration, click Advanced Options, and then select Network
Device Groups.

Step 3 In the Network Device Group Name box, type the name of the new NDG.

Tip The maximum name length is 24 characters. Quotation marks (“) and
commas (,) are not allowed. Spaces are allowed.

Step 4 Click Submit.


The Network Device Groups table displays the new NDG.
Step 5 To populate the newly established NDG with AAA clients or AAA servers,
perform one or more of the following procedures, as applicable:
• Adding a AAA Client, page 4-17
• Adding a AAA Server, page 4-25
• Assigning an Unassigned AAA Client or AAA Server to an NDG, page 4-38
• Reassigning a AAA Client or AAA Server to an NDG, page 4-39

Assigning an Unassigned AAA Client or AAA Server to an NDG


You use this procedure to assign an unassigned AAA client or AAA server to an
NDG. Before you begin this procedure, you should have already configured the
client or server and it should appear in the Not Assigned AAA Clients or Not
Assigned AAA Servers table.
To assign a network device to an NDG, follow these steps:

Step 1 In the navigation bar, click Network Configuration.


The Network Configuration page opens.
Step 2 In the Network Device Groups table, click Not Assigned.

Tip If the Network Device Groups table does not appear, click Interface
Configuration, click Advanced Options, and then select the Network
Device Groups check box.

Step 3 Click the name of the network device you want to assign to an NDG.

Step 4 From the Network Device Groups list, select the NDG to which you want to assign
the AAA client or AAA server.
Step 5 Click Submit.
The client or server is assigned to an NDG.

Reassigning a AAA Client or AAA Server to an NDG


To reassign a AAA client or AAA server to a new NDG, follow these steps:

Step 1 In the navigation bar, click Network Configuration.


The Network Configuration page opens.
Step 2 In the Network Device Groups table, click the name of the current group of the
network device.
Step 3 In either the AAA Clients table or AAA Servers table, as applicable, click the
name of the client or server you want to assign to a new NDG.
Step 4 From the Network Device Group list, select the NDG to which you want to
reassign the network device.
Step 5 Click Submit.
The network device is assigned to the NDG you selected.

Renaming a Network Device Group

Caution When renaming an NDG, ensure that there are no NARs or other shared profile
components (SPCs) that invoke the original NDG name. Cisco Secure ACS
performs no automatic checking to determine whether the original NDG is still
invoked. If a user’s authentication request incorporates an SPC that invokes a
non-existent (or renamed) NDG, the attempt will fail and the user will be rejected.

To rename an NDG, follow these steps:

Step 1 In the navigation bar, click Network Configuration.


The Network Configuration page opens.
Step 2 In the Network Device Groups table, click the NDG that you want to rename.

Tip If the Network Device Groups table does not appear, click Interface
Configuration, click Advanced Options, and then select the Network
Device Groups check box.

Step 3 At the bottom of the page, click Rename.


The Rename Network Device Group page appears.
Step 4 In the Network Device Group Name box, type the new name (up to 24 characters).
Step 5 Click Submit.
The name of the NDG is changed.

Deleting a Network Device Group


When you delete an NDG, all AAA clients and AAA servers that belong to the
deleted group appear in the Not Assigned AAA Clients or Not Assigned AAA
Servers table.

Tip It may be useful to empty an NDG of AAA clients and AAA servers before you
delete it. You can do this manually by performing the procedure Reassigning a
AAA Client or AAA Server to an NDG, page 4-39, or, in cases where there are a
large number of devices to reassign, you can use the RDBMS Synchronization
feature.

Caution When deleting an NDG, ensure that there are no NARs or other SPCs that invoke
the original NDG. Cisco Secure ACS performs no automatic checking to
determine whether the original NDG is still invoked. If a user authentication
request incorporates an SPC that invokes a non-existent (or renamed) NDG, the
attempt will fail and the user will be rejected.

To delete an NDG, follow these steps:

Step 1 In the navigation bar, click Network Configuration.


The Network Configuration page opens.
Step 2 In the Network Device Groups table, click the NDG that you want to delete.

Tip If the Network Device Groups table does not appear, click Interface
Configuration, click Advanced Options, and then select the Network
Device Groups check box.

Step 3 At the bottom of the page, click Delete Group.


A confirmation dialog box appears.
Step 4 Click OK.
The NDG is deleted and its name is removed from the Network Device Groups
table. Any AAA clients and AAA servers that were in the NDG are now in the Not
Assigned AAA Clients or Not Assigned AAA Servers table.

Proxy Distribution Table Configuration


This section describes the Proxy Distribution Table and provides procedures for
working with the Proxy Distribution Table.
This section contains the following topics:
• About the Proxy Distribution Table, page 4-42
• Adding a New Proxy Distribution Table Entry, page 4-43
• Sorting the Character String Match Order of Distribution Entries, page 4-44
• Editing a Proxy Distribution Table Entry, page 4-45
• Deleting a Proxy Distribution Table Entry, page 4-46

About the Proxy Distribution Table


If you have Distributed Systems Settings enabled, when you click Network
Configuration, you will see the Proxy Distribution Table.

Tip To enable Distributed Systems Settings in the Cisco Secure ACS, click Interface
Configuration, click Advanced Options, and then select the Distributed
System Settings check box.

The Proxy Distribution Table includes entries that show the character strings on
which to proxy, the AAA servers to proxy to, whether to strip the character string,
and where to send the accounting information (Local/Remote, Remote, or Local).
For more information about the proxy feature, see Proxy in Distributed Systems,
page 4-4.
The entries you define and place in the Proxy Distribution Table act as
turnstiles for each authentication request that Cisco Secure ACS receives from a
AAA client: each entry specifies which requests it matches and where those
requests are to be forwarded. If the request matches an entry in the Proxy
Distribution Table that contains proxy information, Cisco Secure ACS forwards
the request to the appropriate AAA server.
The Character String column in the Proxy Distribution Table always contains an
entry of “(Default)”. The “(Default)” entry matches authentication requests
received by the local Cisco Secure ACS that do not match any other defined
character strings. While you cannot change the character string definition for the
“(Default)” entry, you can change the distribution of authentication requests
matching the “(Default)” entry. At installation, the AAA server associated with
the “(Default)” entry is the local Cisco Secure ACS. It can sometimes be easier to
define strings that match authentication requests to be processed locally rather
than defining strings that match authentication requests to be processed remotely.
In such a case, associating the “(Default)” entry with a remote AAA server
permits you to configure your Proxy Distribution Table with the more easily
written entries.

Adding a New Proxy Distribution Table Entry


To create a Proxy Distribution Table entry, follow these steps:

Step 1 In the navigation bar, click Network Configuration.


The Network Configuration page opens.
Step 2 Under the Proxy Distribution Table, click Add Entry.

Note If the Proxy Distribution Table does not appear, click Interface
Configuration, click Advanced Options, and then select the
Distributed System Settings check box.

Step 3 In the Character String box, type the string of characters, including its
delimiter, that identifies the requests to forward when users dial in to be
authenticated. For example, .uk.

Note Angle brackets (< and >) cannot be used.

Step 4 From the Position list, select Prefix if the character string you typed appears at
the beginning of the username or Suffix if the character string appears at the end
of the username.
Step 5 From the Strip list, select Yes if the character string you entered is to be stripped
off the username, or select No if it is to be left intact.
Step 6 In the AAA Servers column, select the AAA server you want to use for proxy.
Click --> (right arrow button) to move it to the Forward To column.

Tip You can also select additional AAA servers to use for backup proxy if the
prior servers fail. To set the order of AAA servers, in the Forward To
column, click the name of the applicable server and click Up or Down to
move it into the position you want.

Tip If the AAA server you want to use is not listed, click Network
Configuration, click AAA Servers, click Add Entry and complete the
applicable information.

Step 7 From the Send Accounting Information list, select one of the following areas to
which to report accounting information:
• Local—Keep accounting packets on the local Cisco Secure ACS.
• Remote—Send accounting packets to the remote Cisco Secure ACS.
• Local/Remote—Keep accounting packets on the local Cisco Secure ACS and
send them to the remote Cisco Secure ACS.

Tip This information is especially important if you are using the Max
Sessions feature to control the number of connections a user is allowed.
Max Sessions depends on accounting start and stop records, and where
the accounting information is sent determines where the Max Sessions
counter is tracked. The Failed Attempts log and the Logged in Users
report are also affected by where the accounting records are sent.

Step 8 When you finish, click Submit or Submit + Restart.

Sorting the Character String Match Order of Distribution Entries


You can use this procedure to set the priority by which Cisco Secure ACS searches
character string entries in the Proxy Distribution Table when users dial in.
To determine the order by which Cisco Secure ACS searches entries in the Proxy
Distribution Table, follow these steps:

Step 1 In the navigation bar, click Network Configuration.


The Network Configuration page opens.
Step 2 Below the Proxy Distribution Table, click Sort Entries.

Tip Before you sort the entries, you must have configured at least two unique
Proxy Distribution Table entries in addition to the (Default) table entry.

Step 3 Select the character string entry to reorder, and then click Up or Down to move
its position to reflect the search order you want.
Step 4 When you finish sorting, click Submit or Submit + Restart.
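The lookup that the Proxy Distribution Table performs, modelled in Python as an added example (not part of this guide or of Cisco Secure ACS): the entry fields are those of Steps 3 through 7 in the preceding procedure, entries are searched in the order set with Sort Entries, and the "(Default)" entry catches everything else. The sample entries and server names are constructed, and "first matching entry in sort order wins" is an assumption about how the search order is applied.

```python
from dataclasses import dataclass
from typing import List, Tuple

DEFAULT_STRING = "(Default)"


@dataclass
class DistributionEntry:
    """One row of the Proxy Distribution Table (fields as in the HTML interface)."""
    char_string: str        # string including its delimiter, for example ".uk"
    position: str           # "Prefix" or "Suffix"
    strip: bool             # Strip = Yes removes the string before forwarding
    forward_to: List[str]   # ordered AAA servers; later ones are backups
    send_accounting: str    # "Local", "Remote", or "Local/Remote"

    def __post_init__(self) -> None:
        if not self.char_string:
            raise ValueError("character string cannot be empty")
        # The HTML interface rejects angle brackets in the character string.
        if "<" in self.char_string or ">" in self.char_string:
            raise ValueError("angle brackets (< and >) cannot be used")
        if self.position not in ("Prefix", "Suffix"):
            raise ValueError("position must be 'Prefix' or 'Suffix'")
        if self.send_accounting not in ("Local", "Remote", "Local/Remote"):
            raise ValueError("unknown Send Accounting Information value")

    def matches(self, username: str) -> bool:
        if self.position == "Prefix":
            return username.startswith(self.char_string)
        return username.endswith(self.char_string)

    def effective_username(self, username: str) -> str:
        """The username as forwarded: stripped of the string when Strip = Yes."""
        if not self.strip:
            return username
        if self.position == "Prefix":
            return username[len(self.char_string):]
        return username[:-len(self.char_string)]


class ProxyDistributionTable:
    """Entries are searched in list order, which is the order set with Sort
    Entries (assumption: the first matching entry wins). The "(Default)" entry
    catches every request that matches no other entry."""

    def __init__(self, entries: List[DistributionEntry],
                 default_forward_to: List[str],
                 default_accounting: str = "Local") -> None:
        self.entries = list(entries)
        # At installation the default entry points at the local ACS; it can be
        # re-pointed at a remote AAA server, but its string cannot be changed.
        self.default = DistributionEntry(DEFAULT_STRING, "Suffix", False,
                                         list(default_forward_to),
                                         default_accounting)

    def route(self, username: str) -> Tuple[DistributionEntry, str]:
        """Return the entry that handles the request and the username that
        is forwarded with it."""
        for entry in self.entries:
            if entry.matches(username):
                return entry, entry.effective_username(username)
        return self.default, username

    def move_up(self, char_string: str) -> None:
        """Mirror the Up button on the Sort Entries page: move one entry one
        position earlier in the search order."""
        for idx, entry in enumerate(self.entries):
            if entry.char_string == char_string:
                if idx > 0:
                    self.entries[idx - 1], self.entries[idx] = (
                        self.entries[idx], self.entries[idx - 1])
                return
        raise KeyError(char_string)


def sample_table() -> ProxyDistributionTable:
    """Constructed sample: a UK suffix realm, a narrower .co.uk realm that is
    (deliberately) sorted after it, and an admin prefix that is not stripped."""
    return ProxyDistributionTable(
        entries=[
            DistributionEntry(".uk", "Suffix", True,
                              ["acs-london", "acs-manchester"], "Remote"),
            DistributionEntry(".co.uk", "Suffix", True,
                              ["acs-london"], "Local/Remote"),
            DistributionEntry("admin/", "Prefix", False, ["acs-core"], "Local"),
        ],
        default_forward_to=["local Cisco Secure ACS"],
    )


if __name__ == "__main__":
    table = sample_table()
    for user in ("alice.uk", "admin/bob", "carol", "bob.co.uk"):
        entry, forwarded = table.route(user)
        print(f"{user:12} -> {entry.forward_to[0]:24} as {forwarded!r}")
    table.move_up(".co.uk")     # now the more specific suffix is searched first
    print("after sort:", table.route("bob.co.uk")[1])
```

Until ".co.uk" is moved above ".uk", a user named bob.co.uk is forwarded as "bob.co" by the ".uk" entry; after the sort the ".co.uk" entry strips the whole realm, which is why the search order matters.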

Editing a Proxy Distribution Table Entry


To edit a Proxy Distribution Table entry, follow these steps:

Step 1 In the navigation bar, click Network Configuration.


The Network Configuration page opens.
Step 2 In the Character String column of the Proxy Distribution Table, click the
distribution entry you want to edit.
The Edit Proxy Distribution Entry page appears.
Step 3 Edit the entry as necessary.

Tip For information about the parameters that make up a distribution entry,
see Adding a New Proxy Distribution Table Entry, page 4-43.

Step 4 When you finish editing the entry, click Submit or Submit + Restart.

Deleting a Proxy Distribution Table Entry


To delete a Proxy Distribution Table entry, follow these steps:

Step 1 In the navigation bar, click Network Configuration.


The Network Configuration page opens.
Step 2 In the Character String column of the Proxy Distribution Table, click the
distribution entry you want to delete.
The Edit Proxy Distribution Entry page appears.
Step 3 Click Delete.
A confirmation dialog box appears.
Step 4 Click OK.
The distribution entry is deleted from the Proxy Distribution Table.

Chapter 5
Shared Profile Components

This chapter addresses the Cisco Secure ACS Appliance features found in the
Shared Profile Components section of the HTML interface.
This chapter contains the following topics:
• About Shared Profile Components, page 5-1
• Downloadable IP ACLs, page 5-2
• Network Access Restrictions, page 5-7
• Command Authorization Sets, page 5-15

About Shared Profile Components


The Shared Profile Components section enables you to develop and name
reusable, shared sets of authorization components that may be applied to one or
more users or groups of users and referenced by name within their profiles. These
include downloadable IP access control lists (ACLs), network access restrictions
(NARs), and command authorization sets.
The Shared Profile Components section of Cisco Secure ACS addresses the
scalability of selective authorization. Shared profile components can be
configured once and then applied to many users or groups. Without this ability,
flexible and comprehensive authorization could only be accomplished by
explicitly configuring the authorization of each user group for each possible
command on each possible device. Creating and applying these named shared
profile components (ACLs, access restrictions, and command sets) makes it
unnecessary to repeatedly enter long lists of devices or commands when defining
network access parameters.
Shared profile components also enable Cisco Secure ACS to authorize a
command on behalf of another device or devices. Their scalability extends to the
following capabilities:
• A way to determine the list of commands a user could issue against one or
more devices in the network.
• A way to determine the list of devices on which a particular user may execute
a particular command.

Downloadable IP ACLs
This section describes downloadable ACLs followed by detailed instructions for
configuring and managing them.
This section contains the following topics:
• About Downloadable IP ACLs, page 5-2
• Adding a Downloadable IP ACL, page 5-4
• Editing a Downloadable IP ACL, page 5-5
• Deleting a Downloadable IP ACL, page 5-6

About Downloadable IP ACLs


Downloadable IP ACLs provide a means of creating sets of ACL commands that
you can apply to many users or user groups. When Cisco Secure ACS grants
network access to a user whose profile includes a downloadable IP ACL,
Cisco Secure ACS returns an attribute containing the ACL name as part of the
RADIUS access-accept packet for the user session, and the network device
applies that ACL to the session of that user. Cisco Secure ACS uses a versioning
stamp to ensure that the network device has cached the latest ACL version. If the
network device responds that it does not have the current version of the named
ACL in its cache (that is, the ACL is new or has changed), Cisco Secure ACS
sends the updated ACL to the device. The network device then applies the
downloadable IP ACL to the user session.

Downloadable IP ACLs are an alternative to configuring ACLs in the RADIUS
Cisco cisco-av-pair attribute [26/9/1] of each user or user group. While the
RADIUS Cisco cisco-av-pair attribute is limited to a maximum of 4 kilobytes of
ACLs, downloadable IP ACLs can be up to 32 kilobytes, a limit of the HTML
interface. You can create a downloadable IP ACL once, give it a name, and then
assign the downloadable IP ACL to each applicable user or user group by
referencing its name. This is more efficient than configuring the RADIUS Cisco
cisco-av-pair attribute for each user or user group. It is far more efficient than
directly entering the ACL into each network device. No additional configuration
of the network device is necessary after the device has been configured to use
downloadable IP ACLs from Cisco Secure ACS. Downloadable ACLs are
protected by the backup or replication regimen you have established.
While entering the ACL definitions in the Cisco Secure ACS HTML interface, do
not use keyword and name entries; in all other respects, use standard ACL
command syntax and semantics for the network device on which you intend to
apply the downloadable IP ACL. The ACL definitions that you enter into
Cisco Secure ACS consist of one or more ACL commands. Each ACL command
must be on a separate line.
AAA clients on which you want to enforce downloadable IP ACLs must meet the
following requirements:
• AAA clients must use RADIUS for authentication
• AAA clients must support downloadable IP ACLs
Examples of Cisco devices that support downloadable IP ACLs are:
• PIX Firewalls
• VPN 3000-series Concentrators
An example of the format you should use to enter PIX Firewall ACLs in the ACL
Definitions box follows:
permit tcp any host 10.0.0.254
permit udp any host 10.0.0.254
permit icmp any host 10.0.0.254
permit tcp any host 10.0.0.253

An example of the format you should use to enter VPN 3000 ACLs in the ACL
Definitions box follows:
permit ip 10.153.0.0 0.0.255.255 host 10.158.9.1
permit ip 10.154.0.0 0.0.255.255 10.158.10.0 0.0.0.255
permit 0 any host 10.159.1.22
deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log
permit TCP any host 10.160.0.1 eq 80 log
permit TCP any host 10.160.0.2 eq 23 log
permit TCP any host 10.160.0.3 range 20 30
permit 6 any host HOSTNAME1
permit UDP any host HOSTNAME2 neq 53
deny 17 any host HOSTNAME3 lt 137 log
deny 17 any host HOSTNAME4 gt 138
deny ICMP any 10.161.0.0 0.0.255.255 log
permit TCP any host HOSTNAME5 neq 80

For detailed ACL definition information, see the command reference section of
your device configuration guide.

Adding a Downloadable IP ACL


To add a downloadable IP ACL, follow these steps:

Step 1 In the navigation bar, click Shared Profile Components.


The Shared Profile Components page appears.
Step 2 Click Downloadable IP ACLs.

Tip If Downloadable IP ACLs does not appear on the Shared Profile
Components page, you must enable either the User-Level Downloadable
ACLs or Group-Level Downloadable ACLs option, or both, on the
Advanced Options page of the Interface Configuration section.

Step 3 Click Add.


The Downloadable IP ACLs page appears.
Step 4 In the Name: box, type the name of the new IP ACL.

Note The name of an IP ACL may contain up to 27 characters. The name may
contain spaces, but it cannot contain leading, trailing, or multiple spaces,
or the following five characters: - [ ] / —

Step 5 In the Description: box, type a description of the new IP ACL.

Step 6 In the ACL Definitions box, type the new IP ACL definitions.

Note Do not enter more than 32,000 characters.

Tip In entering the ACL definitions in the Cisco Secure ACS HTML
interface, you do not use keyword and name entries; rather, you begin
with a permit/deny keyword. For an example of the proper format of the
ACL definitions, see About Downloadable IP ACLs, page 5-2.

Step 7 When you have completed specifying the IP ACL, click Submit.
Cisco Secure ACS enters the new IP ACL, which takes effect immediately. For
example, if the IP ACL is for use with PIX Firewalls, it is available to be sent to
any PIX Firewall that is attempting authentication of a user who has that ACL
name as part of his or her user or group profile. For information on assigning a
downloadable IP ACL to user or a user group, see Assigning a Downloadable IP
ACL to a User, page 7-20, or Assigning a Downloadable IP ACL to a Group,
page 6-28.
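A validator for the name and ACL Definitions rules stated in Steps 4 and 6 above, written here as an added example (not Cisco Secure ACS code): name length, spacing and forbidden characters, the 32,000-character limit, and one permit/deny command per line with no device-side keyword/name entries. Treating lines that begin with access-list as the disallowed keyword/name entries is an assumption, and the sample names and ACL text are constructed from the formats shown under About Downloadable IP ACLs.

```python
from typing import List

NAME_MAX_LEN = 27
DEFINITIONS_MAX_CHARS = 32000
# The five characters the guide lists as not allowed in a name: - [ ] / and
# the long dash exactly as it is printed there.
NAME_FORBIDDEN_CHARS = set("-[]/") | {"\u2014"}
ACL_KEYWORDS = ("permit", "deny")
# Device-side keyword/name entries that must not appear in the ACL
# Definitions box (assumption: these prefixes are what the guide means).
DEVICE_KEYWORD_PREFIXES = ("access-list", "ip access-list")


def check_acl_name(name: str) -> List[str]:
    """Return the rule violations for a downloadable IP ACL name
    (an empty list means the name is acceptable)."""
    problems: List[str] = []
    if not name:
        problems.append("name is empty")
    if len(name) > NAME_MAX_LEN:
        problems.append(f"name is {len(name)} characters; "
                        f"the maximum is {NAME_MAX_LEN}")
    if name != name.strip(" "):
        problems.append("name has leading or trailing spaces")
    if "  " in name:
        problems.append("name contains multiple consecutive spaces")
    bad = sorted(set(name) & NAME_FORBIDDEN_CHARS)
    if bad:
        problems.append("name contains disallowed character(s): "
                        + " ".join(bad))
    return problems


def check_acl_definitions(text: str) -> List[str]:
    """Return the rule violations for the ACL Definitions box contents:
    the size limit, one command per line, permit/deny as the first word."""
    problems: List[str] = []
    if len(text) > DEFINITIONS_MAX_CHARS:
        problems.append(f"definitions are {len(text)} characters; "
                        f"the maximum is {DEFINITIONS_MAX_CHARS}")
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue                      # blank lines carry no command
        words = line.lower().split()
        if line.lower().startswith(DEVICE_KEYWORD_PREFIXES):
            problems.append(f"line {lineno}: keyword/name entry is not "
                            "allowed; start the line with permit or deny")
        elif words[0] not in ACL_KEYWORDS:
            problems.append(f"line {lineno}: must begin with permit or deny, "
                            f"not {words[0]!r}")
    return problems


def check_downloadable_acl(name: str, definitions: str) -> List[str]:
    """All problems with a candidate entry, name rules first."""
    return check_acl_name(name) + check_acl_definitions(definitions)


# Constructed samples; the ACL lines follow the PIX and VPN 3000 formats
# shown under About Downloadable IP ACLs.
GOOD_NAME = "PIX mgmt hosts"
GOOD_DEFINITIONS = (
    "permit tcp any host 10.0.0.254\n"
    "permit udp any host 10.0.0.254\n"
    "deny ICMP any 10.161.0.0 0.0.255.255 log\n"
)
BAD_NAME = " web[1]/dmz"                   # leading space, three bad characters
BAD_DEFINITIONS = (
    "access-list 101 permit tcp any any\n"   # keyword/name entry
    "permit tcp any host 10.0.0.254\n"
    "allow udp any any\n"                    # not a permit/deny keyword
)

if __name__ == "__main__":
    checks = (("good", check_downloadable_acl(GOOD_NAME, GOOD_DEFINITIONS)),
              ("bad", check_downloadable_acl(BAD_NAME, BAD_DEFINITIONS)))
    for label, problems in checks:
        print(label, "->", problems or "no problems")
```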

Editing a Downloadable IP ACL


To edit a downloadable IP ACL, follow these steps:

Step 1 In the navigation bar, click Shared Profile Components.


The Shared Profile Components page appears.
Step 2 Click Downloadable IP ACLs.
The Downloadable IP ACLs table appears.
Step 3 In the Name column, click the IP ACL you want to edit.
The Downloadable IP ACLs page appears with information displayed for the
selected ACL.

Step 4 Edit the Name or Description or ACL Definitions information, as applicable.

Note Do not enter more than 32,000 characters in the ACL Definitions box.

Tip Do not use keyword and name entries in the ACL Definitions box; instead,
begin with a permit/deny keyword. For an example of the proper format
of the ACL definitions, see About Downloadable IP ACLs, page 5-2.

Step 5 When you have finished editing the information for the IP ACL, click Submit.
Cisco Secure ACS re-enters the IP ACL with the new information, which takes
effect immediately.

Deleting a Downloadable IP ACL


Before You Begin
You should remove the association of an IP ACL with any user or user group
profile before deleting the IP ACL.
To delete an IP ACL, follow these steps:

Step 1 In the navigation bar, click Shared Profile Components.


The Shared Profile Components page appears.
Step 2 Click Downloadable IP ACLs.
Step 3 Click the name of the downloadable IP ACL you want to delete.
The Downloadable IP ACLs page appears with information displayed for the
selected IP ACL.
Step 4 At the bottom of the page, click Delete.
A dialog box warns you that you are about to delete an IP ACL.

Step 5 To confirm that you want to delete the IP ACL, click OK.
The selected IP ACL is deleted.

Network Access Restrictions


This section describes network access restrictions (NARs) and provides detailed
instructions for configuring and managing shared NARs.
This section contains the following topics:
• About Network Access Restrictions, page 5-7
• Adding a Shared Network Access Restriction, page 5-9
• Editing a Shared Network Access Restriction, page 5-12
• Deleting a Shared Network Access Restriction, page 5-14

About Network Access Restrictions


NARs enable you to define additional authorization and authentication conditions
that must be met before a user can access the network. Cisco Secure ACS applies
these conditions using information from attributes sent by your AAA clients.
Although there are several ways you can set up NARs, they all are based on
matching attribute information sent by a AAA client. Therefore, you must
understand the format and content of the attributes your AAA clients send if you
want to employ effective NARs.
In setting up a NAR you can choose whether the filter operates positively or
negatively. That is, you specify in the NAR whether to permit—or deny—access
from AAA clients that send information that matches the information stored in the
NAR. However, if a NAR encounters insufficient information to operate, it
defaults to denied access. This is shown in Table 5-1.

Table 5-1 NAR Permit/Deny Conditions

Filter    Match             No Match          Insufficient Information
Permit    Access Granted    Access Denied     Access Denied
Deny      Access Denied     Access Granted    Access Denied

Cisco Secure ACS supports two basic types of NARs:


• IP-based restrictions where the originating request relates to an existing IP
address.
• Non-IP-based filters for all other cases where automatic number
identification (ANI) may be used.
IP-based restrictions are based on one of the following attribute fields, depending
on the protocol the AAA client uses:
• If you are using TACACS+—The rem_addr field is used.
• If you are using RADIUS IETF—The calling-station-id (attribute 31)
and called-station-id (attribute 30) fields are used.
AAA clients that do not provide sufficient IP address information (for example,
some types of firewall) do not support full NAR functionality.
A non-IP-based NAR is a list of permitted or denied “calling/point of access”
locations that you can employ in restricting a AAA client when you do not have
an IP-based connection established. The non-IP-based NAR generally uses the
calling line ID (CLI) number and the Dialed Number Identification Service
(DNIS) number.
However, by entering an IP address in place of the CLI you can use the
non-IP-based filter even when the AAA client does not use a Cisco IOS release
that supports CLI or DNIS. In another exception to entering a CLI, you can enter
a MAC address to permit or deny; for example, when you are using a Cisco
Aironet AAA client. Likewise, you could enter the Cisco Aironet AP MAC
address in place of the DNIS. The format of what you specify in the CLI
box—CLI, IP address, or MAC address—must match the format of what you
receive from your AAA client. You can determine this format from your RADIUS
Accounting Log.

When specifying a NAR you may use asterisks (*) as wildcards for any value, or
as part of any value to establish a range. All the values/conditions in a NAR
specification must be met for the NAR to restrict access; that is, the values are
“ANDed”.

Note When an authentication request is forwarded by proxy to a Cisco Secure ACS, any
NARs for TACACS+ requests are applied to the IP address of the forwarding
AAA server, not to the IP address of the originating AAA client.

You can define a NAR for, and apply it to, a specific user or user group. For more
information on this, see Setting Network Access Restrictions for a User,
page 7-10, or Setting Network Access Restrictions for a User Group, page 6-7.
However, in the Shared Profile Components section of Cisco Secure ACS you can
create and name a shared NAR without directly citing any user or user group. You
give the shared NAR a name that can be referenced in other parts of the
Cisco Secure ACS HTML interface. Then, when you set up users or user groups,
you can select none, one, or multiple shared restrictions to be applied. When you
specify the application of multiple shared NARs to a user or user group, you
choose one of two access criteria: either “All selected filters must permit”, or
“Any one selected filter must permit”.
Shared access restrictions are kept in the CiscoSecure user database. You can use
the Cisco Secure ACS backup and restore features to back up and restore them.
You can also replicate the shared access restrictions, along with other
configurations, to secondary Cisco Secure ACSes.
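The decision logic described above, written out as an added example in Python (illustrative code, not part of this guide and not Cisco Secure ACS code): a shared NAR is a permit or deny table of line items whose fields are ANDed, an asterisk acts as a wildcard alone or inside a value, a request the AAA client could not describe fully falls into the Insufficient Information column of Table 5-1 and is denied by either table type, and several shared NARs selected for one user or group combine under either of the two access criteria. The NAR names, AAA client names, ports and addresses are constructed sample values.

```python
import re
from dataclasses import dataclass, field

# Constructed model of how a shared NAR is evaluated (Table 5-1 semantics).
# Illustrative code only, not Cisco Secure ACS code.


def wildcard_match(pattern: str, value: str) -> bool:
    """Match one NAR field. An asterisk stands for any run of characters and
    may be used alone ("*" = all) or inside a value to express a range
    (for example "10.1.*")."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


@dataclass
class LineItem:
    """One row of a NAR table: AAA client (name, NDG name, or "*"), port, and
    the address field (Src IP Address for IP-based NARs, CLI for CLI/DNIS NARs)."""
    aaa_client: str
    port: str
    address: str


@dataclass
class SharedNar:
    name: str
    permits: bool                  # True: "Table Defines" = permitted locations
    items: list = field(default_factory=list)

    def decide(self, request: dict) -> str:
        """Return "granted" or "denied" for one access request.

        request maps "aaa_client", "port" and "address" to the values the AAA
        client reported; a missing value (None) is the Insufficient
        Information column of Table 5-1, which both table types deny."""
        for key in ("aaa_client", "port", "address"):
            if request.get(key) is None:
                return "denied"
        # Within a line item every field must match (the values are ANDed);
        # the table matches if any one of its line items matches.
        matched = any(
            wildcard_match(item.aaa_client, request["aaa_client"])
            and wildcard_match(item.port, request["port"])
            and wildcard_match(item.address, request["address"])
            for item in self.items
        )
        if self.permits:
            return "granted" if matched else "denied"
        return "denied" if matched else "granted"


def apply_shared_nars(nars: list, request: dict, all_must_permit: bool = True) -> str:
    """Combine the shared NARs selected for a user or group under one of the
    two access criteria: "All selected filters must permit" (default here) or
    "Any one selected filter must permit"."""
    if not nars:
        return "granted"          # no NAR selected: no network restriction
    decisions = [nar.decide(request) for nar in nars]
    if all_must_permit:
        return "granted" if all(d == "granted" for d in decisions) else "denied"
    return "granted" if any(d == "granted" for d in decisions) else "denied"


# Constructed sample data: a permit table for one address range and a deny
# table for port 0 of one AAA client. All names and addresses are made up.
BRANCH_ONLY = SharedNar("branch_only", permits=True,
                        items=[LineItem("*", "*", "10.1.*")])
NO_CONSOLE = SharedNar("no_console", permits=False,
                       items=[LineItem("core-rtr", "0", "*")])

REQ_ASYNC = {"aaa_client": "core-rtr", "port": "1", "address": "10.1.2.3"}
REQ_CONSOLE = {"aaa_client": "core-rtr", "port": "0", "address": "10.1.2.3"}
REQ_OUTSIDE = {"aaa_client": "core-rtr", "port": "1", "address": "10.2.0.1"}
# A AAA client that sent no usable address information (for example a firewall).
REQ_NO_ADDR = {"aaa_client": "fw-1", "port": "1", "address": None}

if __name__ == "__main__":
    selected = [BRANCH_ONLY, NO_CONSOLE]
    for label, req in [("async", REQ_ASYNC), ("console", REQ_CONSOLE),
                       ("outside", REQ_OUTSIDE), ("no_addr", REQ_NO_ADDR)]:
        print(label,
              "all must permit:", apply_shared_nars(selected, req),
              "any one must permit:", apply_shared_nars(selected, req, all_must_permit=False))
```

The no_addr request is the case the text warns about: because both table types deny on insufficient information, a deny table cannot be used to let such clients through, and "Any one selected filter must permit" does not help either.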

Adding a Shared Network Access Restriction


You can create a shared NAR that contains many access restrictions. Cisco Secure
ACS does not enforce a limit on the number of access restrictions in a shared NAR
or on the length of each access restriction; however, the following strict limits
apply.
• The combination of fields for each line item cannot exceed 1024 characters.
• The shared NAR cannot have more than 16 KB of characters. The number of
line items supported depends on the length of each line item. For example, if
you create a CLI/DNIS-based NAR where the AAA client names are 10
characters, the port numbers are 5 characters, the CLI entries are 15
characters, and the DNIS entries are 20 characters, you can add 450 line items
before reaching the 16 KB limit.
To add a shared NAR, follow these steps:

Step 1 In the navigation bar, click Shared Profile Components.
The Shared Profile Components page appears.
Step 2 Click Network Access Restrictions.
Step 3 Click Add.
The Network Access Restriction page appears.
Step 4 In the Name box, type a name for the new shared NAR.

Note The name can contain up to 31 characters. Leading and trailing spaces are
not allowed. Names cannot contain the following four characters:
[],/

Step 5 In the Description box, type a description of the new shared NAR.
Step 6 To permit or deny access based on IP addressing, follow these steps:

Note This step is performed for IP-based restrictions where an IP connection
exists. For other restriction types, see About Network Access
Restrictions, page 5-7.

a. Select the Define IP-based access descriptions check box.
b. To specify whether you are listing addresses that are permitted or denied,
from the Table Defines list, select the applicable value.
c. Select or type the applicable information in each of the following boxes:
• AAA Client—Select All AAA clients, or the name of the network device
group (NDG), or the individual AAA client, to which access is permitted
or denied.
• Port—Type the number of the port that you want to permit or deny access
to. You can use the wildcard asterisk (*) to permit or deny access to all
ports on the selected AAA client.
• Src IP Address—Type the IP address to filter on when performing
access restrictions. You can use the wildcard asterisk (*) to specify all IP
addresses.

Note The total number of characters in the AAA Client list and the Port and
Src IP Address boxes must not exceed 1024. Although Cisco Secure
ACS accepts more than 1024 characters when you add a NAR, you
cannot edit the NAR and Cisco Secure ACS cannot accurately apply
it to users.

d. Click enter.
The AAA client, port, and address information appears as a line item in the
table.
e. To enter additional IP-based line items, repeat Step c and Step d.
Step 7 To permit or deny access based on calling location or values other than an
established IP address, follow these steps:
a. Select the Define CLI/DNIS based access restrictions check box.
b. To specify whether you are listing addresses that are permitted or denied,
from the Table Defines list, select the applicable value.
c. To specify the applicability of this NAR, from the AAA Client list, select one
of the following values:
• The name of the NDG
• The name of the particular AAA client
• All AAA clients

Tip Only NDGs that you have already configured are listed.

d. To specify the information that this NAR should filter on, type values in the
following boxes, as applicable:

Tip You can type an asterisk (*) as a wildcard to specify “all” as a value.

• Port—Type the number of the port to filter on.


• CLI—Type the CLI number to filter on. You can also use this box to
restrict access based on values other than CLIs, such as an IP address or
MAC address; for information, see About Network Access Restrictions,
page 5-7.
• DNIS—Type the number being dialed into to filter on.

Note The total number of characters in the AAA Client list and the Port,
CLI, and DNIS boxes must not exceed 1024. Although Cisco Secure
ACS accepts more than 1024 characters when you add a NAR, you
cannot edit the NAR and Cisco Secure ACS cannot accurately apply
it to users.

e. Click enter.
The information specifying the NAR line item appears in the table.
f. To enter additional non-IP-based NAR line items, repeat Step c through
Step e.
Step 8 When you are finished defining the shared NAR, click Submit.
Cisco Secure ACS saves the named shared NAR and lists it in the Network Access
Restrictions table.

Editing a Shared Network Access Restriction


To edit a shared NAR, follow these steps:

Step 1 In the navigation bar, click Shared Profile Components.
The Shared Profile Components page appears.
Step 2 Click Network Access Restrictions.
The Network Access Restrictions table appears.
Step 3 In the Name column, click the shared NAR you want to edit.
The Network Access Restriction page appears with information displayed for the
selected NAR.
Step 4 To edit the Name or Description of the filter, type and delete information, as
applicable.
Step 5 To edit a line item in the IP-based access restrictions table, follow these steps:
a. Double-click the line item that you want to edit.
Information for the line item is removed from the table and written to the
boxes below the table.
b. Edit the information, as necessary.

Note The total number of characters in the AAA Client list and the Port and
Src IP Address boxes must not exceed 1024. Although Cisco Secure
ACS accepts more than 1024 characters when you add a NAR, you
cannot edit the NAR and Cisco Secure ACS cannot accurately apply
it to users.

c. Click enter.
The edited information for this line item is written to the IP-based access
restrictions table.
Step 6 To remove a line item from the IP-based access restrictions table, follow these
steps:
a. Select the line item.
b. Below the table, click remove.
The line item is removed from the IP-based access restrictions table.
Step 7 To edit a line item in the CLI/DNIS access restrictions table, follow these steps:
a. Double-click the line item that you want to edit.
Information for the line item is removed from the table and written to the
boxes below the table.
b. Edit the information, as necessary.

Note The total number of characters in the AAA Client list and the Port,
CLI, and DNIS boxes must not exceed 1024. Although Cisco Secure
ACS accepts more than 1024 characters when you add a NAR, you
cannot edit the NAR and Cisco Secure ACS cannot accurately apply
it to users.

c. Click enter.
The edited information for this line item is written to the CLI/DNIS access
restrictions table.
Step 8 To remove a line item from the CLI/DNIS access restrictions table, follow these
steps:
a. Select the line item.
b. Below the table, click remove.
The line item is removed from the CLI/DNIS access restrictions table.
Step 9 When you have finished editing the line items that make up the filter, click
Submit.
Cisco Secure ACS re-enters the filter with the new information, which takes effect
immediately.

Deleting a Shared Network Access Restriction


To delete a shared NAR, follow these steps:

Step 1 In the navigation bar, click Shared Profile Components.
The Shared Profile Components page appears.
Step 2 Click Network Access Restrictions.
Step 3 Click the Name of the shared NAR you want to delete.
The Network Access Restriction page appears with information displayed for the
selected NAR.
Step 4 At the bottom of the page, click Delete.
A dialog box warns you that you are about to delete a shared NAR.
Step 5 To confirm that you want to delete the shared NAR, click OK.
The selected shared NAR is deleted.

Command Authorization Sets


This section describes command authorization sets and pattern matching and
provides detailed instructions for configuring and managing them.
This section contains the following topics:
• About Command Authorization Sets, page 5-15
– Command Authorization Sets Description, page 5-16
– Command Authorization Sets Assignment, page 5-17
– Case Sensitivity and Command Authorization, page 5-17
– Arguments and Command Authorization, page 5-18
– About Pattern Matching, page 5-19
• Adding a Command Authorization Set, page 5-19
• Editing a Command Authorization Set, page 5-22
• Deleting a Command Authorization Set, page 5-23

About Command Authorization Sets


This section contains the following topics:
• Command Authorization Sets Description, page 5-16
• Command Authorization Sets Assignment, page 5-17
• Case Sensitivity and Command Authorization, page 5-17
• Arguments and Command Authorization, page 5-18
• About Pattern Matching, page 5-19

Command Authorization Sets Description


Command authorization sets provide a central mechanism to control the
authorization of each command issued on any given network device. This greatly
enhances the scalability and manageability of setting authorization restrictions. In
Cisco Secure ACS, the default command authorization sets include Shell
Command Authorization Sets and PIX Command Authorization Sets. Cisco
device-management applications, such as Management Center for Firewalls
(Firewall MC), can instruct Cisco Secure ACS to support additional command
authorization set types.
To offer fine-grained control of device-hosted, administrative Telnet sessions, a
network device using TACACS+ can request authorization for each command line
before its execution. You can define a set of commands that are either permitted
or denied for execution by a particular user on a given device. Cisco Secure ACS
has further enhanced this capability as follows:
• Reusable Named Command Authorization Sets—Without directly citing
any user or user group, you can create a named set of command
authorizations. You can define several command authorization sets, each
delineating different access profiles. For example, a “Help desk” command
authorization set could permit access to high level browsing commands, such
as “show run”, and deny any configuration commands. An “All network
engineers” command authorization set could contain a limited list of
permitted commands for any network engineer in the enterprise. A “Local
network engineers” command authorization set could permit all commands,
including IP address configuration.
• Fine Configuration Granularity—You can create associations between
named command authorization sets and NDGs. Thus, you can define different
access profiles for users depending on which network devices they access.
You can associate the same named command authorization set with more than
one NDG and use it for more than one user group. Cisco Secure ACS enforces
data integrity. Named command authorization sets are kept in the
CiscoSecure user database. You can use the Cisco Secure ACS backup and
restore features to back up and restore them. You can also replicate command
authorization sets to secondary Cisco Secure ACSes along with other
configuration data.
For command authorization set types that support Cisco device-management
applications, the benefits of using command authorization sets are similar. You
can enforce authorization of various privileges in a device-management
application by applying command authorization sets to Cisco Secure ACS groups
that contain users of the device-management application. The Cisco Secure ACS
groups can correspond to different roles within the device-management
application and you can apply different command authorization sets to each
group, as applicable.

Command Authorization Sets Assignment


For information on assigning command authorization sets, see the following
procedures:
• Shell Command Authorization Sets—See either of the following:
– Configuring a Shell Command Authorization Set for a User Group,
page 6-31
– Configuring a Shell Command Authorization Set for a User, page 7-25
• PIX Command Authorization Sets—See either of the following:
– Configuring a PIX Command Authorization Set for a User Group,
page 6-33
– Configuring a PIX Command Authorization Set for a User, page 7-28
• Device Management Command Authorization Sets—See either of the
following:
– Configuring Device-Management Command Authorization for a User
Group, page 6-35
– Configuring Device-Management Command Authorization for a User,
page 7-29

Case Sensitivity and Command Authorization


When performing command authorization, Cisco Secure ACS evaluates
commands and arguments in a case-sensitive manner. For successful command
authorization, you must configure command authorization sets with case-sensitive
commands and arguments.
As an additional complication, a device requesting command authorization may
send commands and arguments using different case than you type to issue the
command.
For example, if you type the following command during a router-hosted session:
interface FASTETHERNET 0/1

the router may submit the command and arguments to Cisco Secure ACS as:
interface FastEthernet 0 1

If, for the interface command, the command authorization set explicitly permits
the FastEthernet argument using the spelling “fastethernet”, Cisco Secure ACS
fails the command authorization request. If the command authorization rule
instead permits the argument “FastEthernet”, Cisco Secure ACS grants the
command authorization request. The case used in command authorization sets
must match what the device sends, which may or may not match the case you use
when you type the command.

Arguments and Command Authorization


When you explicitly permit or deny arguments rather than rely on Cisco Secure
ACS to permit unmatched arguments, you must make certain that you know how
devices send arguments to Cisco Secure ACS. A device requesting command
authorization may send different arguments than the user typed to issue the
command.
For example, if a user typed the following command during a router-hosted
session:
interface FastEthernet0/1

the router may send the command and arguments to Cisco Secure ACS as follows:
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd=interface
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd-arg=FastEthernet
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd-arg=0
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd-arg=1
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd-arg=<cr>

In this example, the router sees multiple arguments where the user typed one
string of characters without spaces after the command. It also omits the slash
character that separated 0 and 1 when the user issued the command.
If the command authorization rule for the interface command explicitly permits
the FastEthernet argument using the spelling “FastEthernet0/1”, Cisco Secure
ACS fails the command authorization request because it does not match what the
router submitted to Cisco Secure ACS. If the command authorization rule instead
permits the argument “FastEthernet 0 1”, Cisco Secure ACS grants the command
authorization request. The case of arguments specified in command authorization
sets must match what the device sends, which may or may not match the case you
use when you type the arguments.

About Pattern Matching


For permit/deny command arguments, Cisco Secure ACS applies pattern
matching. That is, the argument permit wid matches any argument that contains
the string wid. Thus, for example, permit wid would allow not only the argument
wid but also the arguments anywid and widget.
To limit the extent of pattern matching you can add the following expressions:
• dollar sign ($)—Expresses that the argument must end with what has gone
before. Thus permit wid$ would match wid or anywid, but not widget.
• caret (^)—Expresses that the argument must begin with what follows. Thus
permit ^wid would match wid or widget, but not anywid.
You can combine these expressions to specify absolute matching. In the example
given, you would use permit ^wid$ to ensure that only wid was permitted, and
not anywid or widget.
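The points made in Case Sensitivity and Command Authorization, Arguments and Command Authorization, and About Pattern Matching, put together as an added example in Python (illustrative code, not part of this guide and not Cisco Secure ACS code): the command word is looked up case-sensitively, the cmd-arg values the device sends are joined with single spaces before the <permit | deny> <argument> rules are tried, a bare pattern matches as a substring while ^ and $ anchor it, and unmatched commands and unmatched arguments fall back to the set's Permit/Deny option and Permit Unmatched Args setting. The rule evaluation order (first matching rule wins) and the handling of a command sent with no arguments are assumptions; the interface debug lines are the ones quoted in this section, and the other AV pairs and the set names are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed model of command authorization set evaluation.
# Illustrative code only, not Cisco Secure ACS code.


def arg_pattern_matches(pattern: str, argument: str) -> bool:
    """Pattern matching for permit/deny arguments: a bare pattern matches any
    argument that contains it; a leading caret anchors the start and a
    trailing dollar sign anchors the end. Comparison is case-sensitive."""
    start = pattern.startswith("^")
    end = pattern.endswith("$")
    core = pattern[1 if start else 0: len(pattern) - (1 if end else 0)]
    if start and end:
        return argument == core
    if start:
        return argument.startswith(core)
    if end:
        return argument.endswith(core)
    return core in argument


@dataclass
class CommandEntry:
    """One listed command: its <permit | deny> <argument> rules in the order
    entered, plus the Permit Unmatched Args check box."""
    arg_rules: list = field(default_factory=list)   # (action, pattern) pairs
    permit_unmatched_args: bool = False


@dataclass
class CommandAuthorizationSet:
    name: str
    permit_unmatched_commands: bool = False         # Permit/Deny option; default Deny
    commands: dict = field(default_factory=dict)    # command word -> CommandEntry

    def authorize(self, av_pairs: list) -> bool:
        """Decide one command authorization request from the cmd and cmd-arg
        attribute-value pairs exactly as the device sent them."""
        command = None
        args = []
        for av in av_pairs:
            key, _, value = av.partition("=")
            if key == "cmd":
                command = value
            elif key == "cmd-arg" and value != "<cr>":
                args.append(value)
        entry = self.commands.get(command)          # case-sensitive lookup
        if entry is None:
            return self.permit_unmatched_commands
        # The device sends each whitespace-separated token as its own cmd-arg,
        # so a rule is compared against the tokens joined by single spaces:
        # "FastEthernet0/1" as typed arrives as "FastEthernet 0 1".
        argument = " ".join(args)
        # Assumption: rules are tried in order and the first match decides.
        for action, pattern in entry.arg_rules:
            if arg_pattern_matches(pattern, argument):
                return action == "permit"
        return entry.permit_unmatched_args


AV_RE = re.compile(r"send AV (\S+=.*)$")


def av_pairs_from_debug(lines: list) -> list:
    """Pull the cmd/cmd-arg pairs out of router debug output of the form
    quoted in this section."""
    pairs = []
    for line in lines:
        match = AV_RE.search(line)
        if match:
            pairs.append(match.group(1))
    return pairs


# Debug output quoted from this section (user typed "interface FastEthernet0/1").
INTERFACE_DEBUG = [
    "01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd=interface",
    "01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd-arg=FastEthernet",
    "01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd-arg=0",
    "01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd-arg=1",
    "01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd-arg=<cr>",
]
# Constructed AV pairs for two other commands.
SHOW_RUN_AV = ["cmd=show", "cmd-arg=running-config", "cmd-arg=<cr>"]
CONFIG_AV = ["cmd=configure", "cmd-arg=terminal", "cmd-arg=<cr>"]

# A "Help desk" set as described above: show run permitted, everything else denied.
HELP_DESK = CommandAuthorizationSet("Help desk", commands={
    "show": CommandEntry(arg_rules=[("permit", "run")]),
})
# Three ways of writing the interface rule, as discussed in this section.
RULE_AS_SENT = CommandAuthorizationSet("as_sent", commands={
    "interface": CommandEntry(arg_rules=[("permit", "^FastEthernet 0 1$")])})
RULE_AS_TYPED = CommandAuthorizationSet("as_typed", commands={
    "interface": CommandEntry(arg_rules=[("permit", "FastEthernet0/1")])})
RULE_WRONG_CASE = CommandAuthorizationSet("wrong_case", commands={
    "interface": CommandEntry(arg_rules=[("permit", "fastethernet")])})

if __name__ == "__main__":
    pairs = av_pairs_from_debug(INTERFACE_DEBUG)
    for s in (RULE_AS_SENT, RULE_AS_TYPED, RULE_WRONG_CASE):
        print(s.name, "->", "permit" if s.authorize(pairs) else "deny")
    print("help desk show running-config ->", HELP_DESK.authorize(SHOW_RUN_AV))
```

The help desk set also shows why the anchors matter: because a bare pattern is matched as a substring, permit run permits show running-config as well, whereas permit ^run$ confines the rule to the argument run.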

Adding a Command Authorization Set


To add a command authorization set, follow these steps:

Step 1 In the navigation bar, click Shared Profile Components.
The Shared Profile Components page lists the command authorization set types
available. These always include Shell Command Authorization Sets and may
include others, such as command authorization set types that support Cisco
device-management applications.
Step 2 Click one of the listed command authorization set types, as applicable.
The selected Command Authorization Sets table appears.
Step 3 Click Add.
The applicable Command Authorization Set page appears. Depending upon the
type of command authorization set you are adding, the contents of the page vary.
Below the Name and Description boxes, Cisco Secure ACS displays either
additional boxes or an expandable checklist tree. The expandable checklist tree
appears for device command set types that support a Cisco device-management
application.
Step 4 In the Name box, type a name for the command authorization set.

Note The set name can contain up to 27 characters. Names cannot contain the
following characters:
#?"*><
Leading and trailing spaces are not allowed.

Step 5 In the Description box, type a description of the command authorization set.
Step 6 If Cisco Secure ACS displays an expandable checklist tree below the Name and
Description boxes, use the checklist tree to specify the actions permitted by the
command authorization set. To do so, follow these steps:
a. To expand a checklist node, click the plus (+) symbol to its left.
b. To enable an action, select its check box. For example, to enable a Device
View action, select the View check box under the Device checklist node.

Tip Selecting an expandable check box node selects all check boxes within
that node. Selecting the first check box in the checklist tree selects all
check boxes in the checklist tree.

c. To enable other actions in this command authorization set, repeat Step a and
Step b, as needed.
Step 7 If Cisco Secure ACS displays additional boxes below the Name and Description
boxes, use the boxes to specify the commands and arguments permitted or denied
by the command authorization set. To do so, follow these steps:
a. To specify how Cisco Secure ACS should handle unmatched commands,
select either the Permit or Deny option, as applicable.

Note The default setting is Deny.

b. In the box just above the Add Command button, type a command that is to be
part of the set.

Caution Enter the full command word; if you use command abbreviations, authorization
control may not function.

Note Enter only the command portion of the command/argument string
here. Arguments are added only after the command is listed. For
example, with the command/argument string “show run” you would
type only the command show.

c. Click Add Command.
The typed command is added to the command list box.
d. To add an argument to a command, in the command list box, select the
command and then type the argument in the box to the right of the command.

Note The correct format for arguments is <permit | deny> <argument>. For
example, with the command show already listed, you might enter
permit run as the argument.

Tip You can list several arguments for a single command by pressing Enter
between arguments.

e. To allow arguments that you have not listed to be accepted with this
command, select the Permit Unmatched Args check box.
f. To add other commands to this command authorization set, repeat Step a
through Step e.
Step 8 When you finish creating the command authorization set, click Submit.
Cisco Secure ACS displays the name and description of the new command
authorization set in the applicable Command Authorization Sets table.

Editing a Command Authorization Set


To edit a command authorization set, follow these steps:

Step 1 In the navigation bar, click Shared Profile Components.
The Shared Profile Components page lists the command authorization set types
available.
Step 2 Click a command authorization set type, as applicable.
The selected Command Authorization Sets table appears.
Step 3 From the Name column, click the name of the set you want to change.
Information for the selected set appears on the applicable Command
Authorization Set page.
Step 4 If an expandable checklist tree appears below the Name and Description boxes,
you can do any or all of the following:
• To expand a checklist node, click the plus (+) symbol to its left. To collapse
an expanded checklist node, click the minus (-) symbol to its left.
• To enable an action, select its check box. For example, to enable a Device
View action, select the View check box under the Device checklist node.

Tip Selecting an expandable check box node selects all check boxes within
that node. Selecting the first check box in the checklist tree selects all
check boxes in the checklist tree.

• To disable an action, clear its check box. For example, to disable a Device
View action, clear the View check box under the Device checklist node.

Step 5 If additional boxes appear below the Name and Description boxes, you can do any
or all of the following:
• To change the set Name or Description, edit the words in the corresponding
box.
• To remove a command from the set, from the Matched Commands list, select
the command, and then click Remove Command.
• To edit arguments of a command, from the command list box, select the
command and then type changes to the arguments in the box to the right of
the command list box.
Step 6 When you finish editing the set, click Submit.

Deleting a Command Authorization Set


To delete a command authorization set, follow these steps:

Step 1 In the navigation bar, click Shared Profile Components.
The Shared Profile Components page lists the command authorization set types
available.
Step 2 Click a command authorization set type, as applicable.
The selected Command Authorization Sets table appears.
Step 3 From the Name column, click the name of the command set you want to delete.
Information for the selected set appears on the applicable Command
Authorization Set page.
Step 4 Click Delete.
A dialog box warns you that you are about to delete a command authorization set.
Step 5 To confirm that you want to delete that command authorization set, click OK.
Cisco Secure ACS displays the applicable Command Authorization Sets table.
The command authorization set is no longer listed.

Chapter 6
User Group Management

This chapter provides information about setting up and managing user groups in
Cisco Secure ACS Appliance to control authorization. Cisco Secure ACS enables
you to group network users for more efficient administration. Each user can
belong to only one group in Cisco Secure ACS. You can establish up to 500
groups to effect different levels of authorization.
Cisco Secure ACS also supports external database group mapping; that is, if your
external user database distinguishes user groups, these groups can be mapped into
Cisco Secure ACS. And if the external database does not support groups, you can
map all users from that database to a Cisco Secure ACS user group. For
information about external database mapping, see Chapter 15, “User Group
Mapping and Specification.”
Before you configure Group Setup, you should understand how this section
functions. Cisco Secure ACS dynamically builds the Group Setup section
interface depending on the configuration of your network devices and the security
protocols being used. That is, what you see under Group Setup is affected by
settings in the Network Configuration and Interface Configuration sections.
This chapter contains the following topics:
• About User Group Setup Features and Functions, page 6-2
• Basic User Group Settings, page 6-3
• Configuration-specific User Group Settings, page 6-15
• Group Setting Management, page 6-52

About User Group Setup Features and Functions


The Group Setup section of the Cisco Secure ACS HTML interface is the
centralized location for operations regarding user group configuration and
administration. For information about network device groups (NDGs), see
Network Device Group Configuration, page 4-36.
This section contains the following topics:
• Default Group, page 6-2
• Group TACACS+ Settings, page 6-2

Default Group
If you have not configured group mapping for an external user database,
Cisco Secure ACS assigns users who are authenticated by the Unknown User
Policy to the Default Group the first time they log in. The privileges and
restrictions for the default group are applied to first-time users. If you have
upgraded from a previous version of Cisco Secure ACS and kept your database
information, Cisco Secure ACS retains the group mappings you configured before
upgrading.

Group TACACS+ Settings


Cisco Secure ACS enables a full range of settings for TACACS+ at the group
level. If a AAA client has been configured to use TACACS+ as the security
control protocol, you can configure standard service protocols, including PPP IP,
PPP LCP, ARAP, SLIP, and shell (exec), to be applied for the authorization of
each user who belongs to a particular group.

Note You can also configure TACACS+ settings at the user level. User-level settings
always override group level settings.

Cisco Secure ACS also enables you to enter and configure new TACACS+
services. For information about how to configure a new TACACS+ service to
appear on the group setup page, see Protocol Configuration Options for
TACACS+, page 3-7.

If you have configured Cisco Secure ACS to interact with a Cisco
device-management application, new TACACS+ services may appear
automatically, as needed, to support the device-management application. For
more information about Cisco Secure ACS interaction with device-management
applications, see Support for Cisco Device-Management Applications, page 1-18.
You can use the Shell Command Authorization Set feature to configure TACACS+
group settings. This feature enables you to apply shell commands to a particular
user group in the following ways:
• Assign a shell command authorization set, which you have already
configured, for any network device.
• Assign a shell command authorization set, which you have already
configured, to particular NDGs.
• Permit or deny specific shell commands, which you define, on a per-group
basis.
For more information about shell command authorization sets, see Chapter 5,
“Shared Profile Components.”

Basic User Group Settings


This section presents the basic activities you perform when configuring a new
user group.
This section contains the following topics:
• Enabling VoIP Support for a User Group, page 6-4
• Setting Default Time-of-Day Access for a User Group, page 6-5
• Setting Callback Options for a User Group, page 6-6
• Setting Network Access Restrictions for a User Group, page 6-7
• Setting Max Sessions for a User Group, page 6-11
• Setting Usage Quotas for a User Group, page 6-13

Enabling VoIP Support for a User Group

Note If this feature does not appear, click Interface Configuration, click Advanced
Options, and then select the Voice-over-IP (VoIP) Group Settings check box.

Perform this procedure to enable support for the null password function of VoIP.
This enables users to authenticate (session or telephone call) on only the user ID
(telephone number).
When you enable VoIP at the group level, all users in this group become VoIP
users, and the user IDs are treated similarly to a telephone number. VoIP users do
not need to enter passwords to authenticate.

Caution Enabling VoIP disables password authentication and most advanced settings,
including password aging and protocol attributes.

To enable VoIP support for a group, follow these steps:

Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select the group you want to configure for VoIP support, and
then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 3 In the Voice-over-IP Support table, select the check box labeled This is a
Voice-over-IP (VoIP) group - and all users of this group are VoIP users.
Step 4 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings, page 6-54.
Step 5 To continue, and specify other group settings, perform other procedures in this
chapter, as applicable.


Setting Default Time-of-Day Access for a User Group

Note If this feature does not appear, click Interface Configuration, click Advanced
Options, and then select the Default Time-of-Day / Day-of-Week Specification
check box.

To define the times during which users in a particular group are permitted or
denied access, follow these steps:

Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 3 In the Default Time-of-Day Access Settings table, select the Set as default
Access Times check box.

Note You must select the Set as default Access Times check box to limit
access based on time or day.

Times at which the system permits access are highlighted in green on the day and
hour matrix.

Note The default sets accessibility during all hours.

Step 4 In the day and hour matrix, click the times at which you do not want to permit
access to members of this group.

Tip Clicking times of day on the graph deselects those times; clicking again
reselects them.
At any time, you can click Clear All to clear all hours, or you can click
Set All to select all hours.

Step 5 To save the group settings you have just made, click Submit.


For more information, see Saving Changes to User Group Settings, page 6-54.
Step 6 To continue specifying other group settings, perform other procedures in this
chapter, as applicable.

Setting Callback Options for a User Group


Callback is a command string that is passed back to the access server. You can use
callback strings to initiate a modem to call the user back on a specific number for
added security or reversal of line charges. There are three options, as follows:
• No callback allowed—Disables callback for users in this group. This is the
default setting.
• Dialup client specifies callback number—Allows the dialup client to
specify the callback number. The dialup client must support RFC 1570, PPP
LCP Extensions.
• Use Windows Database callback settings (where possible)—Uses the
Microsoft Windows callback settings. If a Windows account for a user resides
in a remote domain, the domain in which Cisco Secure ACS resides must
have a two-way trust with that domain for the Microsoft Windows callback
settings to operate for that user.
To set callback options for a user group, follow these steps:

Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 Select a group from the Group list, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 3 In the Callback table, select one of the following three options:
• No callback allowed
• Dialup client specifies callback number
• Use Windows Database callback settings (where possible)
Step 4 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings, page 6-54.


Step 5 To continue specifying other group settings, perform other procedures in this
chapter, as applicable.

Setting Network Access Restrictions for a User Group


The Network Access Restrictions table in Group Setup enables you to apply
network access restrictions (NARs) in three distinct ways:
• Apply existing shared NARs by name.
• Define IP-based group access restrictions to permit or deny access to a
specified AAA client or to specified ports on a AAA client when an IP
connection has been established.
• Define CLI/DNIS-based group NARs to permit or deny access based on the
calling line ID (CLI) number, the Dialed Number Identification Service
(DNIS) number, or both.

Note You can also use the CLI/DNIS-based access restrictions area to
specify other values. For more information, see About Network
Access Restrictions, page 5-7.

Typically, you define (shared) NARs from within the Shared Components section
so that these restrictions can be applied to more than one group or user. For more
information, see Adding a Shared Network Access Restriction, page 5-9. You
must have enabled the Group-Level Shared Network Access Restriction check
box on the Advanced Options page of the Interface Configuration section for
these options to appear in the Cisco Secure ACS HTML interface.
However, Cisco Secure ACS also enables you to define and apply a NAR for a
single group from within the Group Setup section. You must have enabled the
Group-Level Network Access Restriction setting under the Advanced Options
page of the Interface Configuration section for single group IP-based filter options
and single group CLI/DNIS-based filter options to appear in the Cisco Secure
ACS HTML interface.


Note When an authentication request is forwarded by proxy to a Cisco Secure ACS
server, any NARs for TACACS+ requests are applied to the IP address of the
forwarding AAA server, not to the IP address of the originating AAA client.

To set NARs for a user group, follow these steps:

Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 3 To apply a previously configured shared NAR to this group, follow these steps:

Note To apply a shared NAR, you must have configured it under Network
Access Restrictions in the Shared Profile Components section. For more
information, see Adding a Shared Network Access Restriction, page 5-9.

a. Select the Only Allow network access when check box.
b. To specify whether one or all shared NARs must apply for a member of the
group to be permitted access, select one of the following options:
• All selected shared NARS result in permit
• Any one selected shared NAR results in permit
c. Select a shared NAR name in the Shared NAR list, and then click --> (right
arrow button) to move the name into the Selected Shared NARs list.

Tip To view the server details of the shared NARs you have selected to apply,
you can click either View IP NAR or View CLID/DNIS NAR, as
applicable.


Step 4 To define and apply a NAR, for this particular user group, that permits or denies
access to this group based on IP address, or IP address and port, follow these
steps:

Tip You should define most NARs from within the Shared Components
section so that the restrictions can be applied to more than one group or
user. For more information, see Adding a Shared Network Access
Restriction, page 5-9.

a. In the Per Group Defined Network Access Restrictions section of the
Network Access Restrictions table, select the Define IP-based access
restrictions check box.
b. To specify whether the subsequent listing specifies permitted or denied IP
addresses, from the Table Defines list, select either Permitted Calling/Point
of Access Locations or Denied Calling/Point of Access Locations.
c. Select or enter the information in the following boxes:
• AAA Client—Select either All AAA Clients or the name of the NDG or
the name of the individual AAA client to which to permit or deny access.
• Port—Type the number of the port to which to permit or deny access.
You can use the wildcard asterisk (*) to permit or deny access to all ports
on the selected AAA client.
• Address—Type the IP address or addresses to filter on when performing
access restrictions. You can use the wildcard asterisk (*).

Note The total number of characters in the AAA Client list and the Port and
Src IP Address boxes must not exceed 1024. Although Cisco Secure
ACS accepts more than 1024 characters when you add a NAR, you
cannot edit the NAR and Cisco Secure ACS cannot accurately apply
it to users.

d. Click Enter.
The specified AAA client, port, and address information appears in the
NAR Access Control list.


Step 5 To permit or deny access to this user group based on calling location or values
other than an established IP address, follow these steps:
a. Select the Define CLI/DNIS-based access restrictions check box.
b. To specify whether the subsequent listing specifies permitted or denied
values, from the Table Defines list, select one of the following:
• Permitted Calling/Point of Access Locations
• Denied Calling/Point of Access Locations
c. From the AAA Client list, select either All AAA Clients or the name of the
NDG or the name of the particular AAA client to which to permit or deny
access.
d. Complete the following boxes:

Note You must type an entry in each box. You can use the wildcard asterisk
(*) for all or part of a value. The format you use must match the
format of the string you receive from your AAA client. You can
determine this format from your RADIUS Accounting Log.

• PORT—Type the number of the port to which to permit or deny access.
You can use the wildcard asterisk (*) to permit or deny access to all ports.
• CLI—Type the CLI number to which to permit or deny access. You can
use the wildcard asterisk (*) to permit or deny access based on part of the
number or all numbers.

Tip This is also the selection to use if you want to restrict access based on
other values, such as a Cisco Aironet client MAC address. For more
information, see About Network Access Restrictions, page 5-7.

• DNIS—Type the DNIS number to restrict access based on the number
into which the user will be dialing. You can use the wildcard asterisk (*)
to permit or deny access based on part of the number or all numbers.

Tip This is also the selection to use if you want to restrict access based on
other values, such as a Cisco Aironet AP MAC address. For more
information, see About Network Access Restrictions, page 5-7.


Note The total number of characters in the AAA Client list and the Port,
CLI, and DNIS boxes must not exceed 1024. Although Cisco Secure
ACS accepts more than 1024 characters when you add a NAR, you
cannot edit the NAR and Cisco Secure ACS cannot accurately apply
it to users.

e. Click Enter.
The information specifying the AAA client, port, CLI, and DNIS appears in
the list.
Step 6 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings, page 6-54.
Step 7 To continue specifying other group settings, perform other procedures in this
chapter, as applicable.
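The IP-based NAR evaluation described in Steps 3 and 4, as an added Python model (not Cisco Secure ACS code): it implements the asterisk wildcard, the Permitted/Denied meaning of the Table Defines list, the all/any combination of selected shared NARs, and the 1024-character limit from the Note. The NDG name corp-routers, the AAA client names and the addresses are constructed sample values.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Documented limit: AAA Client list plus Port and Src IP Address boxes <= 1024 characters
MAX_NAR_CHARS = 1024


def wildcard_match(pattern: str, value: str) -> bool:
    """NAR field match: only '*' is a wildcard and it may stand for all or
    part of a value; every other character must match literally."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


@dataclass
class NarEntry:
    """One row of the NAR Access Control list (constructed sample data)."""
    aaa_client: str   # "All AAA Clients", an NDG name, or one AAA client name
    port: str         # port number or '*'
    address: str      # Src IP Address, may contain '*'

    def matches(self, client: str, ndg: str, port: str, address: str) -> bool:
        client_ok = (self.aaa_client == "All AAA Clients"
                     or self.aaa_client in (client, ndg))
        return (client_ok
                and wildcard_match(self.port, port)
                and wildcard_match(self.address, address))

    def within_size_limit(self) -> bool:
        """ACS accepts a longer NAR but can neither edit nor apply it reliably."""
        total = len(self.aaa_client) + len(self.port) + len(self.address)
        return total <= MAX_NAR_CHARS


@dataclass
class IpNar:
    """A per-group IP-based NAR: the 'Table Defines' choice plus its rows."""
    table_defines: str                       # "permitted" or "denied"
    entries: List[NarEntry] = field(default_factory=list)

    def permits(self, client: str, ndg: str, port: str, address: str) -> bool:
        hit = any(e.matches(client, ndg, port, address) for e in self.entries)
        if self.table_defines == "permitted":
            return hit        # only listed locations may connect
        return not hit        # listed locations are refused, all others allowed


def shared_nars_permit(results: List[bool], require_all: bool) -> bool:
    """Combine the outcomes of the selected shared NARs:
    require_all=True  -> 'All selected shared NARs result in permit'
    require_all=False -> 'Any one selected shared NAR results in permit'"""
    if not results:   # no shared NAR selected: treated as no restriction (assumption)
        return True
    return all(results) if require_all else any(results)


# Constructed examples: a denied table blocking one subnet on every AAA client,
# and a permitted table restricting a group to the "corp-routers" NDG.
DENY_LAB_SUBNET = IpNar("denied", [NarEntry("All AAA Clients", "*", "10.0.5.*")])
ONLY_CORP_ROUTERS = IpNar("permitted", [NarEntry("corp-routers", "*", "192.168.1.*")])
```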

Setting Max Sessions for a User Group

Note If this feature does not appear, click Interface Configuration, click Advanced
Options, and then select the Max Sessions check box.

Perform this procedure to define the maximum number of sessions available to a
group, or to each user in a group, or both. The settings are as follows:
• Sessions available to group—Sets the maximum number of simultaneous
connections for the entire group.
• Sessions available to users of this group—Sets the maximum number of
total simultaneous connections for each user in this group.

Tip As an example, Sessions available to group is set to 10 and Sessions available to
users of this group is set to 2. If each user is using the maximum 2 simultaneous
sessions, no more than 5 users can log in.


Note A session is any type of connection supported by RADIUS or TACACS+, such as
PPP, NAS prompt, Telnet, ARAP, IPX/SLIP.

Note The default setting for group Max Sessions is Unlimited for both the group and
the user within the group.

To configure max sessions settings for a user group, follow these steps:

Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 3 In the Max Sessions table, under Sessions available to group, select one of the
following options:
• Unlimited—Select to allow this group an unlimited number of simultaneous
sessions. (This effectively disables Max Sessions.)
• n—Type the maximum number of simultaneous sessions to allow this group.
Step 4 In the lower portion of the Max Sessions table, under Sessions available to users
of this group, select one of the following two options:
• Unlimited—Select to allow each individual in this group an unlimited
number of simultaneous sessions. (This effectively disables Max Sessions.)
• n—Type the maximum number of simultaneous sessions to allow each user
in this group.

Note Settings made in User Setup override group settings. For more
information, see Setting Max Sessions Options for a User, page 7-15.

Step 5 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings, page 6-54.


Step 6 To continue specifying other group settings, perform other procedures in this
chapter, as applicable.
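The group cap, the per-user cap and the User Setup override described above, with the Tip's figures, as an added Python model (not Cisco Secure ACS code): the in-memory session table is an assumption standing in for the accounting data the AAA server actually uses, and the user names are constructed.

```python
from collections import Counter
from typing import Dict, Optional

# None models the "Unlimited" option, which effectively disables that limit.
Limit = Optional[int]


class MaxSessions:
    """Group-level Max Sessions: one cap for the whole group and one cap per user.
    The active-session table is a constructed stand-in for what the AAA server
    learns from accounting start/stop packets (not ACS internals)."""

    def __init__(self, group_limit: Limit, per_user_limit: Limit,
                 user_overrides: Optional[Dict[str, Limit]] = None):
        self.group_limit = group_limit
        self.per_user_limit = per_user_limit
        # A Max Sessions value set in User Setup overrides the group value.
        self.user_overrides = user_overrides or {}
        self.active: Counter = Counter()      # user -> live sessions

    def limit_for(self, user: str) -> Limit:
        return self.user_overrides.get(user, self.per_user_limit)

    def group_total(self) -> int:
        return sum(self.active.values())

    def admit(self, user: str) -> bool:
        """Accept the new session only if both the per-user and the group
        limits leave room; record it when accepted."""
        per_user = self.limit_for(user)
        if per_user is not None and self.active[user] >= per_user:
            return False
        if self.group_limit is not None and self.group_total() >= self.group_limit:
            return False
        self.active[user] += 1
        return True

    def release(self, user: str) -> None:
        """Accounting stop: free one of the user's sessions."""
        if self.active[user] > 0:
            self.active[user] -= 1


def tip_example() -> dict:
    """The Tip's figures: 10 sessions for the group, 2 per user. Six constructed
    users each try to open two sessions; at most five of them can get in."""
    ms = MaxSessions(group_limit=10, per_user_limit=2)
    admitted_users = set()
    for n in range(1, 7):
        user = f"user{n}"
        if ms.admit(user) and ms.admit(user):
            admitted_users.add(user)
    third_session = ms.admit("user1")          # per-user cap already reached
    ms.release("user1")
    after_release = ms.admit("user6")          # the freed slot goes to the waiting user
    return {"users_in": len(admitted_users), "third_session": third_session,
            "after_release": after_release, "group_total": ms.group_total()}
```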

Setting Usage Quotas for a User Group

Note If this feature does not appear, click Interface Configuration, click Advanced
Options, and then select the Usage Quotas check box.

Perform this procedure to define usage quotas for members of a group. Session
quotas affect each user of a group individually, not the group collectively. You can
set quotas for a given period in two ways:
• By total duration of session
• By the total number of sessions
If you make no selections in the Usage Quotas section for a group, no usage
quotas are enforced on users assigned to that group, unless you configure usage
quotas for the individual users.

Note The Usage Quotas section on the Group Settings page does not show usage
statistics.
Usage statistics are available only on the settings page for an individual user. For
more information, see Setting User Usage Quotas Options, page 7-17.

When a user exceeds his or her assigned quota, Cisco Secure ACS denies that user
access upon attempting to start a session. If a quota is exceeded during a session,
Cisco Secure ACS allows the session to continue.
You can reset the usage quota counters for all users of a group from the Group
Settings page. For more information about resetting usage quota counters for a
whole group, see Resetting Usage Quota Counters for a User Group, page 6-53.

Tip To support time-based quotas, we recommend enabling accounting update packets
on all AAA clients. If update packets are not enabled, the quota is updated when
the user logs off. If the AAA client through which the user is accessing your
network fails, the quota is not updated. In the case of multiple sessions, such as
with ISDN, the quota is not updated until all sessions terminate. This means that
a second channel will be accepted even if the first channel has exhausted the quota
for the user.

To set user usage quotas for a user group, follow these steps:

Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 3 To define usage quotas based on duration of sessions, follow these steps:
a. In the Usage Quotas table, select the Limit each user of this group to x
hours of online time per time unit check box.
b. Type the number of hours to which you want to limit group members in the
to x hours box.
Use decimal values to indicate minutes. For example, a value of 10.5 would
equal ten hours and 30 minutes.

Note Up to 5 characters are allowed in the to x hours box.

c. Select the period for which the quota is effective from the following:
• per Day—From 12:01 a.m. until midnight.
• per Week—From 12:01 a.m. Sunday until midnight Saturday.
• per Month—From 12:01 a.m. on the first of the month until midnight on
the last day of the month.
• Total—An ongoing count of hours, with no end.
Step 4 To define user session quotas based on number of sessions, follow these steps:
a. In the Usage Quotas table, select the Limit each user of this group to x
sessions check box.
b. Type the number of sessions to which you want to limit users in the to x
sessions box.


Note Up to 5 characters are allowed in the to x sessions box.

c. Select the period for which the session quota is effective from the following:
• per Day—From 12:01 a.m. until midnight.
• per Week—From 12:01 a.m. Sunday until midnight Saturday.
• per Month—From 12:01 a.m. on the first of the month until midnight on
the last day of the month.
• Total—An ongoing count of sessions, with no end.
Step 5 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings, page 6-54.
Step 6 To continue specifying other group settings, perform other procedures in this
chapter, as applicable.
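The quota periods of Steps 3 and 4 and the accounting-update caveat in the Tip above, as an added Python model (not Cisco Secure ACS code): usage is derived only from interim and stop accounting packets, so the walk-through shows why a second channel is accepted when no update packets arrive and denied when they do. User names, timestamps and session IDs are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class UsageQuota:
    """Group Usage Quotas: an hours limit ("to x hours", decimal hours so
    10.5 is 10 h 30 min), a session-count limit, or both, over one period."""
    hours: Optional[float] = None
    sessions: Optional[int] = None
    period: str = "day"           # "day", "week", "month" or "total"


def period_start(ts: datetime, period: str) -> Optional[datetime]:
    """Start of the quota period that contains ts; None for the ongoing Total."""
    day = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    if period == "day":
        return day
    if period == "week":                       # per Week runs Sunday to Saturday
        return day - timedelta(days=(day.weekday() + 1) % 7)
    if period == "month":
        return day.replace(day=1)
    if period == "total":
        return None
    raise ValueError(f"unknown quota period: {period}")


@dataclass
class AcctRecord:
    """An accounting packet reduced to the fields that matter here (constructed)."""
    user: str
    kind: str                    # "start", "interim" (update) or "stop"
    at: datetime
    session_id: str
    session_time: int = 0        # seconds of session time reported by the packet


class QuotaTracker:
    """Usage counters are fed only by accounting packets: without interim
    updates, a session's hours are not known until its stop packet arrives."""

    def __init__(self, quota: UsageQuota):
        self.quota = quota
        self.records: List[AcctRecord] = []

    def account(self, rec: AcctRecord) -> None:
        self.records.append(rec)

    def usage(self, user: str, now: datetime) -> Tuple[float, int]:
        """(hours, session starts) accounted to the user in the current period."""
        start = period_start(now, self.quota.period)
        starts = 0
        seconds: Dict[str, int] = {}          # latest reported time per session
        for r in self.records:
            if r.user != user or (start is not None and r.at < start):
                continue
            if r.kind == "start":
                starts += 1
            else:                             # interim or stop
                seconds[r.session_id] = max(seconds.get(r.session_id, 0), r.session_time)
        return sum(seconds.values()) / 3600.0, starts

    def may_start(self, user: str, now: datetime) -> bool:
        """The check applied when a session is requested. A quota crossed in
        mid-session does not end that session; it only blocks the next one."""
        hours, starts = self.usage(user, now)
        if self.quota.hours is not None and hours >= self.quota.hours:
            return False
        if self.quota.sessions is not None and starts >= self.quota.sessions:
            return False
        return True


def second_channel_scenario(interim_updates: bool) -> Dict[str, bool]:
    """Constructed walk-through of the Tip: a 1-hour-per-day quota, one
    two-hour session, and a second channel requested while the first is up."""
    tracker = QuotaTracker(UsageQuota(hours=1.0, period="day"))
    day = datetime(2003, 5, 14)
    tracker.account(AcctRecord("alice", "start", day.replace(hour=9), "s1"))
    if interim_updates:                        # AAA client sends an update at 10:00
        tracker.account(AcctRecord("alice", "interim", day.replace(hour=10), "s1", 3600))
    second_channel = tracker.may_start("alice", day.replace(hour=10, minute=30))
    tracker.account(AcctRecord("alice", "stop", day.replace(hour=11), "s1", 7200))
    return {
        "second_channel_accepted": second_channel,
        "new_session_after_stop": tracker.may_start("alice", day.replace(hour=11, minute=5)),
        "new_session_next_day": tracker.may_start("alice", day + timedelta(days=1, hours=8)),
    }
```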

Configuration-specific User Group Settings


This section details procedures that you perform only as applicable to your
particular network security configuration. For instance, if you have no token
server configured, you do not have to set token card settings for each group.

Note When a vendor-specific variety of RADIUS is configured for use by network
devices, the RADIUS (IETF) attributes are available because they are the base set
of attributes, used by all RADIUS vendors per the RADIUS IETF specifications.

The HTML interface content corresponding to these procedures is dynamic, its
appearance based upon the following two factors:
• For a particular protocol (RADIUS or TACACS+) to be listed, at least one
AAA client entry in the Network Configuration section of the HTML
interface must use that protocol. For more information, see AAA Client
Configuration, page 4-11.


• To cause specific protocol attributes to appear on a group profile page, you
must enable the display of those attributes in the Interface Configuration
section of the HTML interface. For more information, see Protocol
Configuration Options for TACACS+, page 3-7 or Protocol Configuration
Options for RADIUS, page 3-11.
This section contains the following topics:
• Setting Token Card Settings for a User Group, page 6-17
• Setting Enable Privilege Options for a User Group, page 6-18
• Enabling Password Aging for the CiscoSecure User Database, page 6-20
• Enabling Password Aging for Users in Windows Databases, page 6-25
• Setting IP Address Assignment Method for a User Group, page 6-27
• Assigning a Downloadable IP ACL to a Group, page 6-28
• Configuring TACACS+ Settings for a User Group, page 6-29
• Configuring a Shell Command Authorization Set for a User Group, page 6-31
• Configuring a PIX Command Authorization Set for a User Group, page 6-33
• Configuring Device-Management Command Authorization for a User Group,
page 6-35
• Configuring IETF RADIUS Settings for a User Group, page 6-37
• Configuring Cisco IOS/PIX RADIUS Settings for a User Group, page 6-38
• Configuring Cisco Aironet RADIUS Settings for a User Group, page 6-39
• Configuring Ascend RADIUS Settings for a User Group, page 6-41
• Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a User
Group, page 6-42
• Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User
Group, page 6-44
• Configuring Microsoft RADIUS Settings for a User Group, page 6-45
• Configuring Nortel RADIUS Settings for a User Group, page 6-47
• Configuring Juniper RADIUS Settings for a User Group, page 6-49
• Configuring BBSM RADIUS Settings for a User Group, page 6-50
• Configuring Custom RADIUS VSA Settings for a User Group, page 6-51


Setting Token Card Settings for a User Group

Note If this section does not appear, configure a token server. Then, click External
User Databases, click Database Configuration, and then add the applicable
token card server.

Perform this procedure to allow a token to be cached. This means users can use a
second B channel without having to enter a second one-time password (OTP).

Caution This option is for use with token caching only for ISDN terminal adapters. You
should fully understand token caching and ISDN concepts and principles before
implementing this option. Token caching allows you to connect to multiple B
channels without having to provide a token for each channel connection. Token
card settings are applied to all users in the selected group.

Options for token caching include the following:
• Session—You can select Session to cache the token for the entire session.
This allows the second B channel to dynamically go in and out of service.
• Duration—You can select Duration and specify a period of time to have the
token cached (from the time of first authentication). If this time period
expires, the user cannot start a second B channel.
• Session and Duration—You can select both Session and Duration so that, if
the session runs longer than the duration value, a new token is required to
open a second B channel. Type a value high enough to allow the token to be
cached for the entire session.
To set token card settings for a user group, follow these steps:

Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 3 From the Jump To list at the top of the page, choose Token Cards.


Step 4 In the Token Card Settings table, to cache the token for the entire session, select
Session.
Step 5 Also in the Token Card Settings table, to cache the token for a specified time
period (measured from the time of first authentication), follow these steps:
a. Select Duration.
b. Type the duration length in the box.
c. Select the unit of measure, either Seconds, Minutes or Hours.
Step 6 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings, page 6-54.
Step 7 To continue specifying other group settings, perform other procedures in this
chapter, as applicable.

Setting Enable Privilege Options for a User Group

Note If this section does not appear, click Interface Configuration and then click
TACACS+ (Cisco). At the bottom of the page in the Advanced Configuration
Options table, select the Advanced TACACS+ features check box.

Perform this procedure to configure group-level TACACS+ enable parameters.
The three possible TACACS+ enable options are as follows:
• No Enable Privilege—(default) Select this option to disallow enable
privileges for this user group.
• Max Privilege for Any AAA Client—Select this option to select the
maximum privilege level for this user group for any AAA client on which this
group is authorized.
• Define max Privilege on a per-network device group basis—Select this
option to define maximum privilege levels for an NDG. To use this option,
you create a list of device groups and corresponding maximum privilege
levels. See your AAA client documentation for information about privilege
levels.


Note To define levels in this manner, you must have configured the option
in Interface Configuration; if you have not done so already, click
Interface Configuration, click Advanced Settings, and then select
the Network Device Groups check box.

If you are using NDGs, this option lets you configure the NDG for
enable-level mapping rather than having to do it for each user in the group.
To set enable privilege options for a user group, follow these steps:

Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 3 From the Jump To list at the top of the page, choose Enable Options.
Step 4 Do one of the following:
• To disallow enable privileges for this user group, select the No Enable
Privilege option.
• To set the maximum privilege level for this user group, for any ACS on which
this group is authorized, select the Max Privilege for Any Access Server
option. Then, select the maximum privilege level from the list.
• To define the maximum NDG privilege level for this user group, select the
Define max Privilege on a per-network device group basis option. Then,
from the lists, select the NDG and a corresponding privilege level. Finally,
click Add Association.
Result: The association of NDG and maximum privilege level appears in the
table.
Step 5 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings, page 6-54.
Step 6 To continue specifying other group settings, perform other procedures in this
chapter, as applicable.


Enabling Password Aging for the CiscoSecure User Database


The password aging feature of Cisco Secure ACS enables you to force users to
change their passwords under one or more of the following conditions:
• After a specified number of days (age-by-date rules).
• After a specified number of logins (age-by-uses rules).
• The first time a new user logs in (password change rule).
Varieties of Password Aging Supported by Cisco Secure ACS
Cisco Secure ACS supports four distinct password aging mechanisms:
• PEAP and EAP-FAST Windows Password Aging—Users must be in the
Windows user database and be using a Microsoft client that supports EAP,
such as Windows XP. For information on the requirements and configuration
of this password aging mechanism, see Enabling Password Aging for Users
in Windows Databases, page 6-25.
• RADIUS-based Windows Password Aging—Users must be in the Windows
user database and be using the Windows Dial-up Networking (DUN) client.
For information on the requirements and configuration of this password aging
mechanism, see Enabling Password Aging for Users in Windows Databases,
page 6-25.
• Password Aging for Device-hosted Sessions—Users must be in the
CiscoSecure user database, the AAA client must be running TACACS+, and
the connection must use Telnet. You can control the ability of users to change
passwords during a device-hosted Telnet session. You can also control
whether Cisco Secure ACS propagates passwords changed by this feature.
For more information, see Local Password Management, page 8-5.
• Password Aging for Transit Sessions—Users must be in the CiscoSecure
user database. Users must use a PPP dialup client. Further, the end-user client
must have CiscoSecure Authentication Agent (CAA) installed.

Tip The CAA software is available at http://www.cisco.com.

Also, to run password aging for transit sessions, the AAA client can be
running either RADIUS or TACACS+; and the AAA client must be using
Cisco IOS Release 11.2.7 or later and be configured to send a watchdog
accounting packet (aaa accounting new-info update) with the IP address of
the calling station. (Watchdog packets are interim packets sent periodically
during a session. They provide an approximate session length in the event that
no stop packet is received to mark the end of the session.)
You can control whether Cisco Secure ACS propagates passwords changed
by this feature. For more information, see Local Password Management,
page 8-5.
Cisco Secure ACS supports password aging using the RADIUS protocol under
MS CHAP versions 1 and 2. Cisco Secure ACS does not support password aging
over Telnet connections using the RADIUS protocol.

Caution If a user with a RADIUS connection tries to make a Telnet connection to the AAA
client during or after the password aging warning or grace period, the change
password option does not appear, and the user account is expired.

Password Aging Feature Settings


This section details only the Password Aging for Device-hosted Sessions and
Password Aging for Transit Sessions mechanisms. For information on the
Windows Password Aging mechanism, see Enabling Password Aging for Users in
Windows Databases, page 6-25. For information on configuring local password
validation options, see Local Password Management, page 8-5.
The password aging feature in Cisco Secure ACS has the following options:
• Apply age-by-date rules—Selecting this check box configures Cisco Secure
ACS to determine password aging by date. The age-by-date rules contain the
following settings:
– Active period—The number of days users will be allowed to log in
before being prompted to change their passwords. For example, if you
enter 20, users can use their passwords for 20 days without being
prompted to change them. The default Active period is 20 days.
– Warning period—The number of days users will be notified to change
their passwords. The existing password can be used, but the Cisco Secure
ACS presents a warning indicating that the password must be changed
and displays the number of days left before the password expires. For
example, if you enter 5 in this box and 20 in the Active period box, users
will be notified to change their passwords on the 21st through 25th days.


– Grace period—The number of days to provide as the user grace period.
The grace period allows a user to log in once to change the password. The
existing password can be used one last time after the number of days
specified in the active and warning period fields has been exceeded.
Then, a dialog box warns the user that the account will be disabled if the
password is not changed, and enables the user to change it. Continuing
with the examples above, if you allow a 5-day grace period, a user who
did not log in during the active and warning periods would be permitted
to change passwords up to and including the 30th day. However, even
though the grace period is set for 5 days, a user is allowed only one
attempt to change the password when the password is in the grace period.
Cisco Secure ACS displays the “last chance” warning only once. If the
user does not change the password, this login is still permitted, but the
password expires, and the next authentication is denied. An entry is
logged in the Failed-Attempts log, and the user must contact an
administrator to have the account reinstated.

Note All passwords expire at midnight, not the time at which they were set.

• Apply age-by-uses rules—Selecting this check box configures Cisco Secure
ACS to determine password aging by the number of logins. The age-by-uses
rules contain the following settings:
– Issue warning after x logins—The number of the login upon which
Cisco Secure ACS begins prompting users to change their passwords. For
example, if you enter 10, users are allowed to log in 10 times without a
change-password prompt. On the 11th login, they are prompted to change
their passwords.

Tip To allow users to log in an unlimited number of times without changing their
passwords, type -1.

– Require change after x logins—The number of the login after which to
notify users that they must change their passwords. Continuing with
the previous example, if this number is set to 12, users receive prompts
requesting them to change their passwords on their 11th and 12th login
attempts. On the 13th login attempt, they receive a prompt telling them
that they must change their passwords. If users do not change their
passwords now, their accounts expire and they cannot log in. This
number must be greater than the Issue warning after x logins number.

Tip To allow users to log in an unlimited number of times without changing their
passwords, type -1.

• Apply password change rule—Selecting this check box forces new users to
change their passwords the first time they log in.
• Generate greetings for successful logins—Selecting this check box enables
a Greetings message to display whenever users log in successfully via the
CAA client. The message contains up-to-date password information specific
to this user account.
The password aging rules are not mutually exclusive; a rule is applied for each
check box that is selected. For example, users can be forced to change their
passwords every 20 days, and every 10 logins, and to receive warnings and grace
periods accordingly.
If no options are selected, passwords never expire.
Unlike most other parameters, which have corresponding settings at the user level,
password aging parameters are configured only on a group basis.
Users who fail authentication because they have not changed their passwords and
have exceeded their grace periods are logged in the Failed Attempts log. The
accounts expire and appear in the Accounts Disabled list.
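The date-based and use-based rules described above, modelled as an added example (not Cisco Secure ACS code) so that the interaction of the active, warning and grace periods, and of the two login counters, can be checked against the guide's own numbers (20/5/5 days, 10/12 logins). The example assumes that the day the password was set counts as day 1, that the first login past "Require change after x logins" is still permitted with a must-change prompt, and that a denied login is what the Failed Attempts log records; the class and function names are the example's own.

```python
from dataclasses import dataclass
from datetime import date
from enum import IntEnum

UNLIMITED = -1  # the value the guide says to type for an unlimited number of logins

class Status(IntEnum):
    OK = 0          # usable, no prompt
    WARN = 1        # usable, user is prompted to change the password
    CHANGE_NOW = 2  # permitted this once; the next authentication fails unless changed
    DENIED = 3      # expired: Failed Attempts log entry, account disabled

@dataclass
class AgingRules:
    """The group-level check boxes and fields, with the guide's defaults."""
    age_by_date: bool = False
    active_days: int = 20
    warning_days: int = 5
    grace_days: int = 5
    age_by_uses: bool = False
    warn_after_logins: int = 10      # "Issue warning after x logins"
    require_change_after: int = 12   # "Require change after x logins"
    change_on_first_login: bool = False

    def __post_init__(self):
        limited = UNLIMITED not in (self.warn_after_logins, self.require_change_after)
        if self.age_by_uses and limited and self.require_change_after <= self.warn_after_logins:
            raise ValueError("Require change after must be greater than Issue warning after")

@dataclass
class PasswordState:
    set_on: date                     # passwords expire at midnight, so dates suffice
    logins: int = 0                  # successful logins made with this password
    grace_login_used: bool = False   # the single login the grace period allows
    set_by_admin: bool = True        # an administrator set this password

def date_status(rules, state, today):
    # Assumption: the day the password was set is day 1, so with a 20-day active
    # period days 1-20 are prompt-free and day 21 starts the warning period.
    day = (today - state.set_on).days + 1
    warn_end = rules.active_days + rules.warning_days
    if day <= rules.active_days:
        return Status.OK, ""
    if day <= warn_end:
        return Status.WARN, f"password expires in {warn_end - day} day(s)"
    if day <= warn_end + rules.grace_days and not state.grace_login_used:
        return Status.CHANGE_NOW, "grace period: change the password now or the account is disabled"
    return Status.DENIED, "password expired"

def uses_status(rules, state):
    n = state.logins + 1  # the login being attempted
    if rules.warn_after_logins == UNLIMITED or n <= rules.warn_after_logins:
        return Status.OK, ""
    if rules.require_change_after == UNLIMITED or n <= rules.require_change_after:
        return Status.WARN, f"login {n}: change your password"
    # Assumption: the first login past the limit is still permitted with a
    # must-change prompt (the guide's "13th login"); after that the account has expired.
    if n == rules.require_change_after + 1:
        return Status.CHANGE_NOW, f"login {n}: you must change your password now"
    return Status.DENIED, "login limit exceeded without a password change"

def evaluate(rules, state, today):
    """Apply every selected rule; the most severe outcome wins. Returns
    (status, reasons). With no rule selected, passwords never expire."""
    results = []
    if rules.age_by_date:
        results.append(date_status(rules, state, today))
    if rules.age_by_uses:
        results.append(uses_status(rules, state))
    if rules.change_on_first_login and state.set_by_admin and state.logins == 0:
        results.append((Status.CHANGE_NOW, "first login: you must change your password"))
    if not results:
        return Status.OK, []
    worst = max(s for s, _ in results)
    return worst, [msg for s, msg in results if s == worst and msg]

def authenticate(rules, state, today, changes_password=False):
    """One login attempt: returns (permitted, status, log_line) and updates state."""
    status, reasons = evaluate(rules, state, today)
    if status == Status.DENIED:
        return False, status, f"{today} Failed Attempts: {'; '.join(reasons)}"
    if changes_password:
        state.set_on, state.logins = today, 0
        state.grace_login_used, state.set_by_admin = False, False
        return True, status, f"{today} password changed"
    if rules.age_by_date and date_status(rules, state, today)[0] == Status.CHANGE_NOW:
        state.grace_login_used = True  # the "last chance" warning is shown only once
    state.logins += 1
    return True, status, f"{today} login permitted ({status.name})"
```

With the guide's example values a password set on 1 January is prompt-free through 20 January, warns on 21 through 25 January, allows exactly one more login on 26 through 30 January, and is refused from then on; calling authenticate twice on a grace-period day without changing the password produces the permitted login and then the Failed Attempts entry.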
Before You Begin
• Verify that your AAA client is running the TACACS+ or RADIUS protocol.
(TACACS+ only supports password aging for device-hosted sessions.)
• Set up your AAA client to perform authentication and accounting using the
same protocol, either TACACS+ or RADIUS.
• Verify that you have configured your password validation options. For more
information, see Local Password Management, page 8-5.
• Set up your AAA client to use Cisco IOS Release 11.2.7 or later and to send
a watchdog accounting packet (aaa accounting new-info update) with the IP
address of the calling station.
To set password aging rules for a user group, follow these steps:

Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 3 From the Jump To list at the top of the page, choose Password Aging.
The Password Aging Rules table appears.
Step 4 To set password aging by date, select the Apply age-by-date rules check box and
type the number of days for the following options, as applicable:
• Active period
• Warning period
• Grace period

Note Up to 5 characters are allowed in each field.

Step 5 To set password aging by use, select the Apply age-by-uses rules check box and
type the number of logins for each of the following options, as applicable:
• Issue warning after x logins
• Require change after x logins

Note Up to 5 characters are allowed in each field.

Step 6 To force the user to change the password on the first login after an administrator
has changed it, select the Apply password change rule check box.
Step 7 To enable a Greetings message display, select the Generate greetings for
successful logins check box.
Step 8 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings, page 6-54.
Step 9 To continue specifying other group settings, perform other procedures in this
chapter, as applicable.

Enabling Password Aging for Users in Windows Databases

Cisco Secure ACS supports two types of password aging for users in Windows
databases. Both types of Windows password aging mechanisms are separate and
distinct from the other Cisco Secure ACS password aging mechanisms. For
information on the requirements and settings for the password aging mechanisms
that control users in the CiscoSecure user database, see Enabling Password Aging
for the CiscoSecure User Database, page 6-20.

Note You can run both Windows Password Aging and Cisco Secure ACS Password
Aging for Transit Sessions mechanisms concurrently, provided that the users
authenticate from the two different databases.

The two types of password aging in Windows databases are as follows:
• RADIUS-based password aging—RADIUS-based password aging depends
upon the RADIUS AAA protocol to send and receive the password change
messages. Requirements for implementing the RADIUS-based Windows
password aging mechanism include the following:
– Communication between Cisco Secure ACS and the AAA client must be
using RADIUS.
– The AAA client must support MS CHAP password aging in addition to
MS CHAP authentication.
– Users must be in a Windows user database.
– Users must be using the Windows DUN client.
– You must enable MS CHAP version 1 or MS CHAP version 2, or both,
in the Windows configuration within the External User Databases
section.

Tip For information on enabling MS CHAP for password changes, see Configuring
Windows Authentication, page 13-29. For information on enabling MS CHAP in
System Configuration, see Global Authentication Setup, page 10-25.

• PEAP password aging—PEAP password aging depends upon the
PEAP(EAP-GTC) or PEAP(EAP-MSCHAPv2) authentication protocol to
send and receive the password change messages. Requirements for
implementing the PEAP Windows password aging mechanism include the
following:
– The AAA client must support EAP.
– Users must be in a Windows user database.
– Users must be using a Microsoft PEAP client, such as Windows XP.
– You must enable PEAP on the Global Authentication Configuration page
within the System Configuration section.

Tip For information about enabling PEAP in System Configuration, see Global
Authentication Setup, page 10-25.

– You must enable PEAP password changes on the Windows
Authentication Configuration page within the External User Databases
section.

Tip For information about enabling PEAP password changes, see Configuring
Windows Authentication, page 13-29.

Users whose Windows accounts reside in “remote” domains (that is, not the
domain within which Cisco Secure ACS is running) can only use the
Windows-based password aging if they supply their domain names.
The methods and functionality of Windows password aging differ according to
which Microsoft Windows operating system you are using, and whether you
employ Active Directory (AD) or Security Accounts Manager (SAM). Setting
password aging for users in the Windows user database is only one part of the
larger task of setting security policies in Windows. For comprehensive
information on Windows procedures, refer to your Windows system
documentation.

Setting IP Address Assignment Method for a User Group

Perform this procedure to configure the way Cisco Secure ACS assigns IP
addresses to users in the group. The four possible methods are as follows:
• No IP address assignment—No IP address is assigned to this group.
• Assigned by dialup client—Use the IP address that is configured on the
dialup client network settings for TCP/IP.
• Assigned from AAA Client pool—The IP address is assigned by an IP
address pool assigned on the AAA client.
• Assigned from AAA server pool—The IP address is assigned by an IP
address pool assigned on the AAA server.
To set an IP address assignment method for a user group, follow these steps:

Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 3 From the Jump To list at the top of the page, choose IP Address Assignment.
Step 4 In the IP Assignment table, do one of the following:
• Select No IP address assignment.
• Select Assigned by dialup client.
• Select Assigned from AAA Client pool. Then, type the AAA client IP pool
name.
• Select Assigned from AAA pool. Then, select the AAA server IP pool name
in the Available Pools list and click --> (right arrow button) to move the name
into the Selected Pools list.

Note If there is more than one pool in the Selected Pools list, the users
in this group are assigned to the first available pool in the order
listed.

Tip To change the position of a pool in the list, select the pool name and click
Up or Down until the pool is in the position you want.

Step 5 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings, page 6-54.
Step 6 To continue specifying other group settings, perform other procedures in this
chapter, as applicable.

Assigning a Downloadable IP ACL to a Group

The Downloadable ACLs feature enables you to assign an IP ACL at the group
level.

Note You must have established one or more IP ACLs before attempting to assign one.
For instructions on how to add a downloadable IP ACL using the Shared Profile
Components section of the Cisco Secure ACS HTML interface, see Adding a
Downloadable IP ACL, page 5-4.

Tip The Downloadable ACLs table does not appear if it has not been enabled. To
enable the Downloadable ACLs table, click Interface Configuration, click
Advanced Options, and then select the Group-Level Downloadable ACLs
check box.

To assign a downloadable IP ACL to a group, follow these steps:

Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 3 From the Jump To list at the top of the page, choose Downloadable ACLs.
Step 4 Under the Downloadable ACLs section, click the Assign IP ACL check box.
Step 5 Select an IP ACL from the list.
Step 6 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings, page 6-54.
Step 7 To continue specifying other group settings, perform other procedures in this
chapter, as applicable.

Configuring TACACS+ Settings for a User Group

Perform this procedure to configure and enable the service/protocol parameters to
be applied for the authorization of each user who belongs to the group. For
information on how to configure settings for the Shell Command Authorization
Set, see Configuring a Shell Command Authorization Set for a User Group,
page 6-31.

Note To display or hide additional services or protocols, click Interface
Configuration, click TACACS+ (Cisco IOS), and then select or clear items in the
group column, as applicable.

To configure TACACS+ settings for a user group, follow these steps:

Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 3 From the Jump To list at the top of the page, choose TACACS+.
The system displays the TACACS+ Settings table section.
Step 4 To configure services and protocols in the TACACS+ Settings table to be
authorized for the group, follow these steps:
a. Select one or more service/protocol check boxes (for example, PPP IP or
ARAP).
b. Under each service/protocol that you selected in Step a, select attributes and
then type in the corresponding values, as applicable, to further define
authorization for that service/protocol.
To employ custom attributes for a particular service, you must select the
Custom attributes check box under that service, and then specify the
attribute/value in the box below the check box.
For more information about attributes, see Appendix B, “TACACS+
Attribute-Value Pairs,” or your AAA client documentation.

Tip For ACLs and IP address pools, the name of the ACL or pool as defined
on the AAA client should be entered. (An ACL is a list of Cisco IOS
commands used to restrict access to or from other devices and users on
the network.)

Note Leave the attribute value box blank if the default (as defined on the
AAA client) should be used.

Note You can define and download an ACL. Click Interface
Configuration, click TACACS+ (Cisco IOS), and then select
Display a window for each service selected in which you can enter
customized TACACS+ attributes. A box opens under each
service/protocol in which you can define an ACL.

Step 5 To allow all services to be permitted unless specifically listed and disabled, you
can select the Default (Undefined) Services check box under the Checking this
option will PERMIT all UNKNOWN Services table.

Caution This is an advanced feature and should only be used by administrators who
understand the security implications.

Step 6 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings, page 6-54.
Step 7 To continue specifying other group settings, perform other procedures in this
chapter, as applicable.

Configuring a Shell Command Authorization Set for a User Group

Use this procedure to specify the shell command authorization set parameters for
a group. There are four options:
• None—No authorization for shell commands.
• Assign a Shell Command Authorization Set for any network device—One
shell command authorization set is assigned, and it applies to all network
devices.
• Assign a Shell Command Authorization Set on a per Network Device
Group Basis—Enables you to associate particular shell command
authorization sets to be effective on particular NDGs.
• Per Group Command Authorization—Enables you to permit or deny
specific Cisco IOS commands and arguments at the group level.

Note This feature requires that you have previously configured a shell command
authorization set. For detailed steps, see Adding a Command Authorization Set,
page 5-19.

To specify shell command authorization set parameters for a user group, follow
these steps:

Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 3 From the Jump To list at the top of the page, choose TACACS+.
The system displays the TACACS+ Settings table section.
Step 4 Use the vertical scrollbar to scroll to the Shell Command Authorization Set
feature area.
Step 5 To prevent the application of any shell command authorization set, select (or
accept the default of) the None option.
Step 6 To assign a particular shell command authorization set to be effective on any
configured network device, follow these steps:
a. Select the Assign a Shell Command Authorization Set for any network
device option.
b. Then, from the list directly below that option, select the shell command
authorization set you want applied to this group.
Step 7 To create associations that assign a particular shell command authorization set to
be effective on a particular NDG, for each association, follow these steps:
a. Select the Assign a Shell Command Authorization Set on a per Network
Device Group Basis option.
b. Select a Device Group and a corresponding Command Set.

Tip You can select a Command Set that will be effective for all Device
Groups that are not otherwise assigned by assigning that set to the
<default> Device Group.

c. Click Add Association.
The associated NDG and shell command authorization set appear in the table.
Step 8 To define the specific Cisco IOS commands and arguments to be permitted or
denied at the group level, follow these steps:
a. Select the Per Group Command Authorization option.
b. Under Unmatched Cisco IOS commands, select either Permit or Deny.
If you select Permit, users can issue all commands not specifically listed. If
you select Deny, users can issue only those commands listed.
c. To list particular commands to be permitted or denied, select the Command
check box and then type the name of the command, define its arguments using
standard permit or deny syntax, and select whether unlisted arguments should
be permitted or denied.

Caution This is a powerful, advanced feature and should be used by an administrator
skilled with Cisco IOS commands. Correct syntax is the responsibility of the
administrator. For information on how Cisco Secure ACS uses pattern matching
in command arguments, see About Pattern Matching, page 5-19.

Tip To enter several commands, you must click Submit after specifying a
command. A new command entry box appears below the box you just
completed.
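The shell command authorization options described in this procedure, modelled as an added example that is not Cisco Secure ACS code: one command set per network device group with the <default> fallback from the Tip above, the Permit or Deny choice for unmatched commands, ordered permit/deny rules for each listed command's arguments, and the choice for unlisted arguments. The rule syntax used here ("permit" or "deny" followed by a pattern, applied as a regular expression to the whole argument string, first match wins), the device group names, and the fail-closed result when no set applies to a device group are the example's own assumptions; the guide refers to About Pattern Matching, page 5-19, for the real matching rules.

```python
import re
from dataclasses import dataclass, field

@dataclass
class CommandRule:
    """One listed command: its argument rules in the order entered, and the
    policy for arguments that no rule matches."""
    command: str
    arg_rules: list               # [("permit" | "deny", pattern), ...]
    unlisted_args: str = "deny"   # "permit" or "deny"

@dataclass
class CommandSet:
    """A shell command authorization set."""
    name: str
    unmatched_commands: str = "deny"             # the Unmatched Cisco IOS commands choice
    commands: dict = field(default_factory=dict)  # command name -> CommandRule

    def add(self, rule):
        self.commands[rule.command] = rule
        return self

@dataclass
class GroupCommandAuthorization:
    """The group's per-NDG associations. "<default>" covers any device group
    not otherwise assigned; a set assigned "for any network device" is the
    same thing with only a "<default>" entry."""
    by_device_group: dict   # device group name -> CommandSet

    def command_set_for(self, ndg):
        return self.by_device_group.get(ndg, self.by_device_group.get("<default>"))

def authorize(group, ndg, command_line):
    """Decide one TACACS+ command authorization request from a device in the
    given NDG. Returns (permitted, reason). Assumption: with no applicable
    command set this example fails closed."""
    cmd_set = group.command_set_for(ndg)
    if cmd_set is None:
        return False, f"no command set applies to device group {ndg!r}"
    parts = command_line.strip().split(maxsplit=1)
    if not parts:
        return False, "empty command"
    command = parts[0]
    args = parts[1] if len(parts) > 1 else ""
    rule = cmd_set.commands.get(command)
    if rule is None:
        return (cmd_set.unmatched_commands == "permit",
                f"{command!r} is not listed; unmatched commands are {cmd_set.unmatched_commands}")
    for action, pattern in rule.arg_rules:   # assumption: regex over the whole argument string
        if re.fullmatch(pattern, args):
            return action == "permit", f"{command} {args!r} matched '{action} {pattern}'"
    return (rule.unlisted_args == "permit",
            f"{command} {args!r} matched no rule; unlisted arguments are {rule.unlisted_args}")

# Constructed sample policy: a help-desk set that denies anything not listed,
# and a network-operations set that permits anything not listed except "reload".
HELPDESK = (CommandSet("helpdesk", unmatched_commands="deny")
            .add(CommandRule("show", [("deny", r"running-config.*"),
                                      ("deny", r"startup-config.*"),
                                      ("permit", r".*")]))
            .add(CommandRule("ping", [("permit", r"10\.1\.\d+\.\d+")], unlisted_args="deny")))
NETOPS = (CommandSet("netops", unmatched_commands="permit")
          .add(CommandRule("reload", [], unlisted_args="deny")))
GROUP = GroupCommandAuthorization({"core-routers": NETOPS, "<default>": HELPDESK})
```

In the sample, a device in the constructed "branch-switches" group (not assigned, so it gets the <default> set) permits "show ip interface brief" but denies "show running-config", "configure terminal" (unlisted command) and "ping 192.0.2.1" (unlisted argument), while a core router permits "configure terminal" and denies "reload" with or without arguments.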

Configuring a PIX Command Authorization Set for a User Group

Use this procedure to specify the PIX command authorization set parameters for
a user group. There are three options:
• None—No authorization for PIX commands.
• Assign a PIX Command Authorization Set for any network device—One
PIX command authorization set is assigned, and it applies to all network
devices.
• Assign a PIX Command Authorization Set on a per Network Device
Group Basis—Particular PIX command authorization sets are to be effective
on particular NDGs.
Before You Begin
• Ensure that a AAA client has been configured to use TACACS+ as the
security control protocol.
• On the TACACS+ (Cisco) page of the Interface Configuration section, ensure
that the PIX Shell (pixShell) option is selected in the Group column.
• Make sure that you have already configured one or more PIX command
authorization sets. For detailed steps, see Adding a Command Authorization
Set, page 5-19.
To specify PIX command authorization set parameters for a user group, follow
these steps:

Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 3 From the Jump To list at the top of the page, choose TACACS+.
The system displays the TACACS+ Settings table section.
Step 4 Scroll down to the PIX Command Authorization Set feature area within the
TACACS+ Settings table.
Step 5 To prevent the application of any PIX command authorization set, select (or
accept the default of) the None option.
Step 6 To assign a particular PIX command authorization set to be effective on any
configured network device, follow these steps:
a. Select the Assign a PIX Command Authorization Set for any network
device option.
b. From the list directly below that option, select the PIX command
authorization set you want applied to this user group.
Step 7 To create associations that assign a particular PIX command authorization set to
be effective on a particular NDG, for each association, follow these steps:
a. Select the Assign a PIX Command Authorization Set on a per Network
Device Group Basis option.
b. Select a Device Group and an associated Command Set.
c. Click Add Association.
The associated NDG and PIX command authorization set appear in the table.

Note To remove or edit an existing PIX command authorization set
association, you can select the association from the list, and then click
Remove Association.

Configuring Device-Management Command Authorization for a User Group

Use this procedure to specify the device-management command authorization set
parameters for a group. Device-management command authorization sets support
the authorization of tasks in Cisco device-management applications that are
configured to use Cisco Secure ACS for authorization. There are three options:
• None—No authorization is performed for commands issued in the applicable
Cisco device-management application.
• Assign a device-management application for any network device—For the
applicable device-management application, one command authorization set is
assigned, and it applies to management tasks on all network devices.
• Assign a device-management application on a per Network Device Group
Basis—For the applicable device-management application, this option
enables you to apply command authorization sets to specific NDGs, so that it
affects all management tasks on the network devices belonging to the NDG.

Note This feature requires that you have configured a command authorization set for
the applicable Cisco device-management application. For detailed steps, see
Adding a Command Authorization Set, page 5-19.

To specify device-management application command authorization for a user
group, follow these steps:

Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 3 From the Jump To list at the top of the page, choose TACACS+.
The system displays the TACACS+ Settings table section.
Step 4 Use the vertical scrollbar to scroll to the device-management application feature
area, where device-management application is the name of the applicable Cisco
device-management application.
Step 5 To prevent the application of any command authorization set for the applicable
device-management application, select the None option.
Step 6 To assign a particular command authorization set that affects device-management
application actions on any network device, follow these steps:
a. Select the Assign a device-management application for any network device
option.
b. Then, from the list directly below that option, select the command
authorization set you want applied to this group.
Step 7 To create associations that assign a particular command authorization set that
affects device-management application actions on a particular NDG, for each
association, follow these steps:
a. Select the Assign a device-management application on a per Network Device
Group Basis option.
b. Select a Device Group and a corresponding device-management
application.
c. Click Add Association.
The associated NDG and command authorization set appear in the table.

Configuring IETF RADIUS Settings for a User Group

These parameters appear only when both the following are true:
• A AAA client has been configured to use one of the RADIUS protocols in
Network Configuration.
• Group-level RADIUS attributes have been enabled on the RADIUS (IETF)
page in the Interface Configuration section of the HTML interface.
RADIUS attributes are sent as a profile for each user from Cisco Secure ACS to
the requesting AAA client. To display or hide any of these attributes, see Protocol
Configuration Options for RADIUS, page 3-11. For a list and explanation of
RADIUS attributes, see Appendix C, “RADIUS Attributes.” For more
information about how your AAA client uses RADIUS, refer to your AAA client
vendor documentation.
To configure IETF RADIUS attribute settings to be applied as an authorization for
each user in the current group, follow these steps:

Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 3 From the Jump To list at the top of the page, choose RADIUS (IETF).
Step 4 For each IETF RADIUS attribute you need to authorize for the current group,
select the check box next to the attribute and then define the authorization for the
attribute in the field or fields next to it.
Step 5 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings, page 6-54.
Step 6 To configure the vendor-specific attributes (VSAs) for any RADIUS network
device vendor supported by Cisco Secure ACS, see the appropriate section:
• Configuring Cisco IOS/PIX RADIUS Settings for a User Group, page 6-38
• Configuring Cisco Aironet RADIUS Settings for a User Group, page 6-39
• Configuring Ascend RADIUS Settings for a User Group, page 6-41
• Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a User
Group, page 6-42
• Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User
Group, page 6-44
• Configuring Microsoft RADIUS Settings for a User Group, page 6-45
• Configuring Nortel RADIUS Settings for a User Group, page 6-47
• Configuring Juniper RADIUS Settings for a User Group, page 6-49
• Configuring BBSM RADIUS Settings for a User Group, page 6-50
Step 7 To continue specifying other group settings, perform other procedures in this
chapter, as applicable.

Configuring Cisco IOS/PIX RADIUS Settings for a User Group

The Cisco IOS/PIX RADIUS parameters appear only when both the following are
true:
• A AAA client has been configured to use RADIUS (Cisco IOS/PIX) in
Network Configuration.
• Group-level RADIUS (Cisco IOS/PIX) attributes have been enabled in
Interface Configuration: RADIUS (Cisco IOS/PIX).
Cisco IOS/PIX RADIUS represents only the Cisco VSAs. You must configure
both the IETF RADIUS and Cisco IOS/PIX RADIUS attributes.

Note To hide or display Cisco IOS/PIX RADIUS attributes, see Setting Protocol
Configuration Options for Non-IETF RADIUS Attributes, page 3-17. A VSA
applied as an authorization to a particular group persists, even when you remove
or replace the associated AAA client; however, if you have no AAA clients of this
(vendor) type configured, the VSA settings do not appear in the group
configuration interface.

To configure and enable Cisco IOS/PIX RADIUS attributes to be applied as an
authorization for each user in the current group, follow these steps:

Step 1 Before you configure Cisco IOS/PIX RADIUS attributes, be sure your IETF
RADIUS attributes are configured properly. For more information about setting
IETF RADIUS attributes, see Configuring IETF RADIUS Settings for a User
Group, page 6-37.
Step 2 For the Cisco attributes, determine the attributes to be authorized for the group by
selecting the check box next to the attribute, and then type the commands (such
as TACACS+ commands) to be packed as a RADIUS VSA.
Step 3 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings, page 6-54.
Step 4 To continue specifying other group settings, perform other procedures in this
chapter, as applicable.

Configuring Cisco Aironet RADIUS Settings for a User Group

The single Cisco Aironet RADIUS VSA, Cisco-Aironet-Session-Timeout, is a
virtual VSA. It is a specialized implementation of the IETF RADIUS
Session-Timeout attribute (27) that Cisco Secure ACS uses only when it responds
to a RADIUS request from a AAA client using RADIUS (Cisco Aironet). This
enables you to provide different timeout values for users accessing your network
through wireless and wired access devices. By specifying a timeout value
specifically for WLAN connections, you avoid the difficulties that would arise if
you had to use a standard timeout value (typically measured in hours) for a WLAN
connection (that is typically measured in minutes).

Tip Only enable and configure the Cisco-Aironet-Session-Timeout when some or all
members of a group may connect through wired or wireless access devices. If
members of a group always connect with a Cisco Aironet Access Point (AP) or
always connect only with a wired access device, you do not need to use
Cisco-Aironet-Session-Timeout but should instead configure RADIUS (IETF)
attribute 27, Session-Timeout.

Imagine a user group with Cisco-Aironet-Session-Timeout set to 600 seconds (10
minutes) and with IETF RADIUS Session-Timeout set to 3 hours. When a member
of this group connects through a VPN concentrator, Cisco Secure ACS uses 3 hours
as the timeout value. However, if that same user connects via a Cisco Aironet AP,
Cisco Secure ACS responds to an authentication request from the Aironet AP by
sending 600 seconds in the IETF RADIUS Session-Timeout attribute. Thus, with the
Cisco-Aironet-Session-Timeout attribute configured, different session timeout
values can be sent depending on whether the AAA client is a wired access device
or a Cisco Aironet AP.
The Cisco-Aironet-Session-Timeout VSA appears on the Group Setup page only
when both the following are true:
• A AAA client has been configured to use RADIUS (Cisco Aironet) in
Network Configuration.
• The group-level RADIUS (Cisco Aironet) attribute has been enabled in
Interface Configuration: RADIUS (Cisco Aironet).

Note To hide or display the Cisco Aironet RADIUS VSA, see Setting Protocol
Configuration Options for Non-IETF RADIUS Attributes, page 3-17. A VSA
applied as an authorization to a particular group persists, even when you remove
or replace the associated AAA client; however, if you have no AAA clients
configured to use RADIUS (Cisco Aironet), the VSA settings do not appear in the
group configuration interface.

To configure and enable the Cisco Aironet RADIUS attribute to be applied as an
authorization for each user in the current group, follow these steps:

Step 1 Confirm that your IETF RADIUS attributes are configured properly. For more
information about setting IETF RADIUS attributes, see Configuring IETF
RADIUS Settings for a User Group, page 6-37.
Step 2 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 3 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 4 From the Jump To list at the top of the page, choose RADIUS (Cisco Aironet).
Step 5 In the Cisco Aironet RADIUS Attributes table, select the [5842\001]
Cisco-Aironet-Session-Timeout check box.
Step 6 In the [5842\001] Cisco-Aironet-Session-Timeout box, type the session timeout
value (in seconds) that Cisco Secure ACS is to send in the IETF RADIUS
Session-Timeout (27) attribute when the AAA client is configured in Network
Configuration to use the RADIUS (Cisco Aironet) authentication option. The
recommended value is 600 seconds.
For more information about the IETF RADIUS Session-Timeout attribute, see
Appendix C, “RADIUS Attributes,” or your AAA client documentation.
Step 7 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings, page 6-54.
Step 8 To continue specifying other group settings, perform other procedures in this
chapter, as applicable.
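The following Python models the selection rule described above and shows what the
resulting IETF Session-Timeout (27) attribute looks like on the wire. It is an
added example, not Cisco Secure ACS code: the group record, the protocol-name
strings and the small RADIUS TLV encoder/decoder are constructed for illustration,
and the attribute layout follows RFC 2865 rather than anything shown in this guide.

```python
"""Added example (not Cisco Secure ACS code): model the Cisco-Aironet-Session-Timeout
virtual VSA and encode the IETF Session-Timeout (27) attribute it produces.

Assumptions: the group record, the protocol-name strings and the encoder are
constructed for illustration; the attribute layout follows RFC 2865 (Type 1 octet,
Length 1 octet, Value; integers are 4-octet big-endian)."""
import struct

SESSION_TIMEOUT = 27                   # IETF RADIUS attribute number
AIRONET = "RADIUS (Cisco Aironet)"     # AAA client protocol as named in Network Configuration

# Constructed group settings: IETF Session-Timeout 3 hours, Aironet timeout 10 minutes.
EXAMPLE_GROUP = {
    "ietf_session_timeout": 3 * 3600,
    "aironet_session_timeout": 600,    # [5842\001] Cisco-Aironet-Session-Timeout, enabled
}


def select_session_timeout(group, client_protocol):
    """Return the seconds placed in Session-Timeout (27) for this AAA client.

    The Aironet value is used only when the AAA client is configured with
    RADIUS (Cisco Aironet) and the virtual VSA is enabled for the group;
    every other client gets the plain IETF value (None if none is set)."""
    aironet = group.get("aironet_session_timeout")
    if client_protocol == AIRONET and aironet is not None:
        return aironet
    return group.get("ietf_session_timeout")


def encode_integer_attribute(attr_type, value):
    """Encode one RADIUS integer attribute: Type, Length (always 6), 4-octet value."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("RADIUS integer attributes are 32-bit unsigned")
    return struct.pack("!BBI", attr_type, 6, value)


def decode_attributes(blob):
    """Parse a run of RADIUS TLVs into {type: raw value}; rejects malformed lengths."""
    out, i = {}, 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out[t] = blob[i + 2:i + length]
        i += length
    return out


def access_accept_attributes(group, client_protocol):
    """Attributes appended to the Access-Accept for this group/client pair."""
    timeout = select_session_timeout(group, client_protocol)
    if timeout is None:
        return b""
    return encode_integer_attribute(SESSION_TIMEOUT, timeout)


def session_timeout_seconds(group, client_protocol):
    """Round-trip: build the attributes, decode them, return the Session-Timeout value."""
    attrs = decode_attributes(access_accept_attributes(group, client_protocol))
    raw = attrs.get(SESSION_TIMEOUT)
    return struct.unpack("!I", raw)[0] if raw else None


if __name__ == "__main__":
    for proto in (AIRONET, "RADIUS (Cisco VPN 3000)", "RADIUS (IETF)"):
        print(f"{proto:26s} -> Session-Timeout = {session_timeout_seconds(EXAMPLE_GROUP, proto)} s")
```

Note that the Aironet AP never sees a vendor-specific attribute: the selection
happens inside the server and the wire attribute is the ordinary IETF
Session-Timeout (27), which is why the value must be set in seconds.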

Configuring Ascend RADIUS Settings for a User Group


The Ascend RADIUS parameters appear only when both the following are true:
• A AAA client has been configured to use RADIUS (Ascend) or RADIUS
(Cisco IOS/PIX) in Network Configuration.
• Group-level RADIUS (Ascend) attributes have been enabled in Interface
Configuration: RADIUS (Ascend).
Ascend RADIUS represents only the Ascend proprietary attributes. You must
configure both the IETF RADIUS and Ascend RADIUS attributes. Proprietary
attributes override IETF attributes.
The default attribute setting displayed for RADIUS is Ascend-Remote-Addr.

Note To hide or display Ascend RADIUS attributes, see Setting Protocol Configuration
Options for Non-IETF RADIUS Attributes, page 3-17. A VSA applied as an
authorization to a particular group persists, even when you remove or replace the
associated AAA client; however, if you have no AAA clients of this (vendor) type
configured, the VSA settings do not appear in the group configuration interface.

To configure and enable Ascend RADIUS attributes to be applied as an
authorization for each user in the current group, follow these steps:

Step 1 Confirm that your IETF RADIUS attributes are configured properly. For more
information about setting IETF RADIUS attributes, see Configuring IETF
RADIUS Settings for a User Group, page 6-37.
Step 2 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 3 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 4 From the Jump To list at the top of the page, choose RADIUS (Ascend).
Step 5 In the Ascend RADIUS Attributes table, determine the attributes to be authorized
for the group by selecting the check box next to the attribute. Be sure to define the
authorization for that attribute in the field next to it. For more information about
attributes, see Appendix C, “RADIUS Attributes,” or your AAA client
documentation.
Step 6 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings, page 6-54.
Step 7 To continue specifying other group settings, perform other procedures in this
chapter, as applicable.

Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a User Group

To control Microsoft MPPE settings for users accessing the network through a
Cisco VPN 3000-series concentrator, use the CVPN3000-PPTP-Encryption (VSA
20) and CVPN3000-L2TP-Encryption (VSA 21) attributes. Settings for
CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA
21) override Microsoft MPPE RADIUS settings. If either of these attributes is
enabled, Cisco Secure ACS determines the values to be sent in outbound RADIUS
(Microsoft) attributes and sends them along with the RADIUS (Cisco VPN 3000)
attributes, regardless of whether RADIUS (Microsoft) attributes are enabled in
the Cisco Secure ACS HTML interface or how those attributes might be
configured.
The Cisco VPN 3000 Concentrator RADIUS attribute configurations appear only
if both the following are true:
• A AAA client has been configured to use RADIUS (Cisco VPN 3000) in
Network Configuration.
• Group-level RADIUS (Cisco VPN 3000) attributes have been enabled on the
RADIUS (Cisco VPN 3000) page of the Interface Configuration section.
Cisco VPN 3000 Concentrator RADIUS represents only the Cisco VPN 3000
Concentrator VSA. You must configure both the IETF RADIUS and Cisco VPN
3000 Concentrator RADIUS attributes.

Note To hide or display Cisco VPN 3000 Concentrator RADIUS attributes, see Setting
Protocol Configuration Options for Non-IETF RADIUS Attributes, page 3-17. A
VSA applied as an authorization to a particular group persists, even when you
remove or replace the associated AAA client; however, if you have no AAA
clients of this (vendor) type configured, the VSA settings do not appear in the
group configuration interface.

To configure and enable Cisco VPN 3000 Concentrator RADIUS attributes to be
applied as an authorization for each user in the current group, follow these steps:

Step 1 Confirm that your IETF RADIUS attributes are configured properly.
For more information about setting IETF RADIUS attributes, see Configuring
IETF RADIUS Settings for a User Group, page 6-37.
Step 2 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 3 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 4 From the Jump To list at the top of the page, choose RADIUS (Cisco VPN 3000).
Step 5 In the Cisco VPN 3000 Concentrator RADIUS Attributes table, determine the
attributes to be authorized for the group by selecting the check box next to the
attribute. Further define the authorization for that attribute in the field next to it.
For more information about attributes, see Appendix C, “RADIUS Attributes,” or
the documentation for network devices using RADIUS.
Step 6 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings, page 6-54.
Step 7 To continue specifying other group settings, perform other procedures in this
chapter, as applicable.

Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group

The Cisco VPN 5000 Concentrator RADIUS attribute configurations display only
when both the following are true:
• A network device has been configured to use RADIUS (Cisco VPN 5000) in
Network Configuration.
• Group-level RADIUS (Cisco VPN 5000) attributes have been enabled on the
RADIUS (Cisco VPN 5000) page of the Interface Configuration section.
Cisco VPN 5000 Concentrator RADIUS represents only the Cisco VPN 5000
Concentrator VSA. You must configure both the IETF RADIUS and Cisco VPN
5000 Concentrator RADIUS attributes.

Note To hide or display Cisco VPN 5000 Concentrator RADIUS attributes, see Setting
Protocol Configuration Options for Non-IETF RADIUS Attributes, page 3-17. A
VSA applied as an authorization to a particular group persists, even when you
remove or replace the associated AAA client; however, if you have no AAA
clients of this (vendor) type configured, the VSA settings do not appear in the
group configuration interface.

To configure and enable Cisco VPN 5000 Concentrator RADIUS attributes to be
applied as an authorization for each user in the current group, follow these steps:

Step 1 Confirm that your IETF RADIUS attributes are configured properly.
For more information about setting IETF RADIUS attributes, see Configuring
IETF RADIUS Settings for a User Group, page 6-37.
Step 2 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 3 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 4 From the Jump To list at the top of the page, choose RADIUS (Cisco VPN 5000).
Step 5 In the Cisco VPN 5000 Concentrator RADIUS Attributes table, select the
attributes that should be authorized for the group by selecting the check box next
to the attribute. Further define the authorization for each attribute in the field next
to it.
For more information about attributes, see Appendix C, “RADIUS Attributes,” or
the documentation for network devices using RADIUS.
Step 6 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings, page 6-54.
Step 7 To continue specifying other group settings, perform other procedures in this
chapter, as applicable.

Configuring Microsoft RADIUS Settings for a User Group


Microsoft RADIUS provides VSAs supporting MPPE, which is an encryption
technology developed by Microsoft to encrypt PPP links. These PPP connections
can be via a dial-in line, or over a VPN tunnel.
To control Microsoft MPPE settings for users accessing the network through a
Cisco VPN 3000-series concentrator, use the CVPN3000-PPTP-Encryption (VSA
20) and CVPN3000-L2TP-Encryption (VSA 21) attributes. Settings for
CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA
21) override Microsoft MPPE RADIUS settings. If either of these attributes is
enabled, Cisco Secure ACS determines the values to be sent in outbound RADIUS
(Microsoft) attributes and sends them along with the RADIUS (Cisco VPN 3000)
attributes, regardless of whether RADIUS (Microsoft) attributes are enabled in
the Cisco Secure ACS HTML interface or how those attributes might be
configured.
The Microsoft RADIUS attribute configurations appear only when both the
following are true:
• A network device has been configured in Network Configuration that uses a
RADIUS protocol that supports the Microsoft RADIUS VSA.
• Group-level Microsoft RADIUS attributes have been enabled on the RADIUS
(Microsoft) page of the Interface Configuration section.
The following Cisco Secure ACS RADIUS protocols support the Microsoft
RADIUS VSA:
• Cisco IOS/PIX
• Cisco VPN 3000
• Ascend
Microsoft RADIUS represents only the Microsoft VSA. You must configure both
the IETF RADIUS and Microsoft RADIUS attributes.

Note To hide or display Microsoft RADIUS attributes, see Setting Protocol
Configuration Options for Non-IETF RADIUS Attributes, page 3-17. A VSA
applied as an authorization to a particular group persists, even when you remove
or replace the associated AAA client; however, if you have no AAA clients of this
(vendor) type configured, the VSA settings do not appear in the group
configuration interface.

To configure and enable Microsoft RADIUS attributes to be applied as an
authorization for each user in the current group, follow these steps:

Step 1 Confirm that your IETF RADIUS attributes are configured properly.
For more information about setting IETF RADIUS attributes, see Configuring
IETF RADIUS Settings for a User Group, page 6-37.
Step 2 In the navigation bar, click Group Setup.
The Group Setup Select page opens.

Step 3 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 4 From the Jump To list at the top of the page, choose RADIUS (Microsoft).
Step 5 In the Microsoft RADIUS Attributes table, specify the attributes to be authorized
for the group by selecting the check box next to the attribute. Where applicable,
further define the authorization for that attribute in the field next to it. For more
information about attributes, see Appendix C, “RADIUS Attributes,” or the
documentation for network devices using RADIUS.

Note The MS-CHAP-MPPE-Keys attribute value is autogenerated by
Cisco Secure ACS; there is no value to set in the HTML interface.

Step 6 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings, page 6-54.
Step 7 To continue specifying other group settings, perform other procedures in this
chapter, as applicable.
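The precedence rule stated in both the Cisco VPN 3000 Concentrator section and
this Microsoft section (CVPN3000-PPTP-Encryption and CVPN3000-L2TP-Encryption
override whatever is configured under RADIUS (Microsoft)) is easier to see as
code. The following Python is an added example, not Cisco Secure ACS code. It
encodes RADIUS Vendor-Specific attributes (26) in the RFC 2865 layout and applies
the override when building the outbound attribute set. The vendor IDs (311 for
Microsoft, 3076 for the Cisco VPN 3000 dictionary), the Microsoft vendor types
7 and 8 (RFC 2548), the bit meanings of the CVPN3000 values and the mapping from
them onto the Microsoft attributes are all assumptions made for the example; this
guide does not describe how ACS derives those values.

```python
"""Added example (not Cisco Secure ACS code): encode RADIUS Vendor-Specific
attributes (26) and apply the rule that CVPN3000-PPTP-Encryption (20) or
CVPN3000-L2TP-Encryption (21), when enabled, decides the outbound
MS-MPPE-Encryption-Policy/Types values regardless of the RADIUS (Microsoft) page.

Assumptions not stated in the guide: vendor IDs 311 (Microsoft) and 3076 (Altiga,
used for the Cisco VPN 3000 dictionary); MS-MPPE-Encryption-Policy = vendor type 7,
MS-MPPE-Encryption-Types = vendor type 8 (RFC 2548); the CVPN3000 bit layout and the
derivation in mppe_from_cvpn() are illustrative only."""
import struct

VENDOR_SPECIFIC = 26
VENDOR_MICROSOFT = 311
VENDOR_CVPN3000 = 3076

MS_MPPE_ENCRYPTION_POLICY = 7   # 1 = encryption allowed, 2 = encryption required
MS_MPPE_ENCRYPTION_TYPES = 8    # bitmask: 2 = 40-bit RC4, 4 = 128-bit RC4
CVPN3000_PPTP_ENCRYPTION = 20
CVPN3000_L2TP_ENCRYPTION = 21

# Assumed bit layout of the CVPN3000 encryption attributes (illustrative).
CVPN_REQUIRED, CVPN_40BIT, CVPN_128BIT = 1, 2, 4


def encode_vsa(vendor_id, vendor_type, value):
    """RFC 2865 5.26 layout: 26, Length, Vendor-Id(4), then Vendor-Type, Vendor-Length, data."""
    data = struct.pack("!I", value)
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), vendor_id) + sub


def decode_vsas(blob):
    """Parse a run of attributes; return {(vendor_id, vendor_type): int} for integer VSAs."""
    out, i = {}, 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        body = blob[i + 2:i + length]
        if t == VENDOR_SPECIFIC and len(body) >= 6:
            vendor = struct.unpack("!I", body[:4])[0]
            vtype, vlen = body[4], body[5]
            if vlen == 6 and 4 + vlen <= len(body):
                out[(vendor, vtype)] = struct.unpack("!I", body[6:10])[0]
        i += length
    return out


def mppe_from_cvpn(bits):
    """Illustrative derivation of the Microsoft MPPE pair from a CVPN3000 bitmap."""
    policy = 2 if bits & CVPN_REQUIRED else 1
    types = (2 if bits & CVPN_40BIT else 0) | (4 if bits & CVPN_128BIT else 0)
    return policy, types


def outbound_attributes(group):
    """Build the VSAs sent for a group.

    group keys (all optional): 'cvpn3000' -> {20: int, 21: int} enabled CVPN3000 attrs;
    'microsoft' -> {7: int, 8: int} values configured under RADIUS (Microsoft)."""
    cvpn = group.get("cvpn3000", {})
    ms = dict(group.get("microsoft", {}))
    override = cvpn.get(CVPN3000_PPTP_ENCRYPTION, cvpn.get(CVPN3000_L2TP_ENCRYPTION))
    if override is not None:
        # Proprietary attribute wins: discard whatever the Microsoft page held.
        policy, types = mppe_from_cvpn(override)
        ms = {MS_MPPE_ENCRYPTION_POLICY: policy, MS_MPPE_ENCRYPTION_TYPES: types}
    out = b"".join(encode_vsa(VENDOR_CVPN3000, t, v) for t, v in sorted(cvpn.items()))
    out += b"".join(encode_vsa(VENDOR_MICROSOFT, t, v) for t, v in sorted(ms.items()))
    return out


if __name__ == "__main__":
    # Constructed group: Microsoft page says "allowed, 40-bit", CVPN3000 says "required, 128-bit".
    demo = {"cvpn3000": {CVPN3000_PPTP_ENCRYPTION: CVPN_REQUIRED | CVPN_128BIT},
            "microsoft": {MS_MPPE_ENCRYPTION_POLICY: 1, MS_MPPE_ENCRYPTION_TYPES: 2}}
    for key, val in sorted(decode_vsas(outbound_attributes(demo)).items()):
        print(f"vendor {key[0]:5d} type {key[1]:2d} = {val}")
```

The practical check this gives you: if a VPN 3000 user is getting a stronger or
weaker MPPE policy than the RADIUS (Microsoft) page shows, look at the group's
RADIUS (Cisco VPN 3000) attributes first, because the values on the Microsoft
page are not what went on the wire.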

Configuring Nortel RADIUS Settings for a User Group


The Nortel RADIUS attribute configurations appear only when both the following
are true:
• A network device has been configured in Network Configuration that uses a
RADIUS protocol that supports the Nortel RADIUS VSA.
• Group-level Nortel RADIUS attributes have been enabled on the RADIUS
(Nortel) page of the Interface Configuration section.
Nortel RADIUS represents only the Nortel VSA. You must configure both the
IETF RADIUS and Nortel RADIUS attributes.

Note To hide or display Nortel RADIUS attributes, see Setting Protocol Configuration
Options for Non-IETF RADIUS Attributes, page 3-17. A VSA applied as an
authorization to a particular group persists, even when you remove or replace the
associated AAA client; however, if you have no AAA clients of this (vendor) type
configured, the VSA settings do not appear in the group configuration interface.

To configure and enable Nortel RADIUS attributes to be applied as an
authorization for each user in the current group, follow these steps:

Step 1 Confirm that your IETF RADIUS attributes are configured properly.
For more information about setting IETF RADIUS attributes, see Configuring
IETF RADIUS Settings for a User Group, page 6-37.
Step 2 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 3 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 4 From the Jump To list at the top of the page, choose RADIUS (Nortel).
Step 5 In the Nortel RADIUS Attributes table, specify the attributes to be authorized for
the group by selecting the check box next to the attribute. Where applicable,
further define the authorization for that attribute in the field next to it. For more
information about attributes, see Appendix C, “RADIUS Attributes,” or the
documentation for network devices using RADIUS.

Note The MS-CHAP-MPPE-Keys attribute value is autogenerated by
Cisco Secure ACS; there is no value to set in the HTML interface.

Step 6 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings, page 6-54.
Step 7 To continue specifying other group settings, perform other procedures in this
chapter, as applicable.

Configuring Juniper RADIUS Settings for a User Group


Juniper RADIUS represents only the Juniper VSA. You must configure both the
IETF RADIUS and Juniper RADIUS attributes.

Note To hide or display Juniper RADIUS attributes, see Setting Protocol Configuration
Options for Non-IETF RADIUS Attributes, page 3-17. A VSA applied as an
authorization to a particular group persists, even when you remove or replace the
associated AAA client; however, if you have no AAA clients of this (vendor) type
configured, the VSA settings do not appear in the group configuration interface.

To configure and enable Juniper RADIUS attributes to be applied as an
authorization for each user in the current group, follow these steps:

Step 1 Confirm that your IETF RADIUS attributes are configured properly.
For more information about setting IETF RADIUS attributes, see Configuring
IETF RADIUS Settings for a User Group, page 6-37.
Step 2 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 3 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 4 From the Jump To list at the top of the page, choose RADIUS (Juniper).
Step 5 In the Juniper RADIUS Attributes table, specify the attributes to be authorized for
the group by selecting the check box next to the attribute. Where applicable,
further define the authorization for that attribute in the field next to it. For more
information about attributes, see Appendix C, “RADIUS Attributes,” or the
documentation for network devices using RADIUS.

Note The MS-CHAP-MPPE-Keys attribute value is autogenerated by
Cisco Secure ACS; there is no value to set in the HTML interface.

Step 6 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings, page 6-54.

Step 7 To continue specifying other group settings, perform other procedures in this
chapter, as applicable.

Configuring BBSM RADIUS Settings for a User Group


BBSM RADIUS represents only the BBSM RADIUS VSA. You must configure
both the IETF RADIUS and BBSM RADIUS attributes.

Note To hide or display BBSM RADIUS attributes, see Setting Protocol Configuration
Options for Non-IETF RADIUS Attributes, page 3-17. A VSA applied as an
authorization to a particular group persists, even when you remove or replace the
associated AAA client; however, if you have no AAA clients of this (vendor) type
configured, the VSA settings do not appear in the group configuration interface.

To configure and enable BBSM RADIUS attributes to be applied as an
authorization for each user in the current group, follow these steps:

Step 1 Confirm that your IETF RADIUS attributes are configured properly.
For more information about setting IETF RADIUS attributes, see Configuring
IETF RADIUS Settings for a User Group, page 6-37.
Step 2 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 3 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 4 From the Jump To list at the top of the page, choose RADIUS (BBSM).
Step 5 In the BBSM RADIUS Attributes table, specify the attribute to be authorized for
the group by selecting the check box next to the attribute. Where applicable,
further define the authorization for that attribute in the field next to it. For more
information about attributes, see Appendix C, “RADIUS Attributes,” or the
documentation for network devices using RADIUS.

Note The MS-CHAP-MPPE-Keys attribute value is autogenerated by
Cisco Secure ACS; there is no value to set in the HTML interface.

Step 6 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings, page 6-54.
Step 7 To continue specifying other group settings, perform other procedures in this
chapter, as applicable.

Configuring Custom RADIUS VSA Settings for a User Group


User-defined, custom RADIUS VSA configurations appear only when all the
following are true:
• You have defined and configured the custom RADIUS VSAs. (For
information about creating user-defined RADIUS VSAs, see Custom
RADIUS Vendors and VSAs, page 9-27.)
• A network device has been configured in Network Configuration that uses a
RADIUS protocol that supports the custom VSA.
• Group-level custom RADIUS attributes have been enabled on the RADIUS
(Name) page of the Interface Configuration section.
You must configure both the IETF RADIUS and the custom RADIUS attributes.
To configure and enable custom RADIUS attributes to be applied as an
authorization for each user in the current group, follow these steps:

Step 1 Confirm that your IETF RADIUS attributes are configured properly.
For more information about setting IETF RADIUS attributes, see Configuring
IETF RADIUS Settings for a User Group, page 6-37.
Step 2 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 3 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.

Step 4 From the Jump To list at the top of the page, choose RADIUS (custom name).
Step 5 In the RADIUS (custom name) Attributes table, specify the attributes to be
authorized for the group by selecting the check box next to the attribute. Where
applicable, further define the authorization for that attribute in the field next to it.
For more information about attributes, see Appendix C, “RADIUS Attributes,” or
the documentation for network devices using RADIUS.

Note The MS-CHAP-MPPE-Keys attribute value is autogenerated by
Cisco Secure ACS; there is no value to set in the HTML interface.

Step 6 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings, page 6-54.
Step 7 To continue specifying other group settings, perform other procedures in this
chapter, as applicable.

Group Setting Management


This section describes how to use the Group Setup section to perform a variety of
managerial tasks.
This section contains the following topics:
• Listing Users in a User Group, page 6-53
• Resetting Usage Quota Counters for a User Group, page 6-53
• Renaming a User Group, page 6-54
• Saving Changes to User Group Settings, page 6-54

Listing Users in a User Group


To list all users in a specified group, follow these steps:

Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select the group.
Step 3 Click Users in Group.
The User List page for the particular group selected opens in the display area.
Step 4 To open a user account (to view, modify, or delete a user), click the name of the
user in the User List.
The User Setup page for the particular user account selected appears.

Resetting Usage Quota Counters for a User Group


You can reset the usage quota counters for all members of a group, either before
or after a quota has been exceeded.
To reset usage quota counters for all members of a user group, follow these steps:

Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select the group.
Step 3 In the Usage Quotas section, select the On submit reset all usage counters for
all users of this group check box.
Step 4 Click Submit at the bottom of the browser page.
The usage quota counters for all users in the group are reset. The Group Setup
Select page appears.

Renaming a User Group


To rename a user group, follow these steps:

Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select the group.
Step 3 Click Rename Group.
The Renaming Group: Group Name page appears.
Step 4 Type the new name in the Group field. Group names cannot contain angle
brackets (< or >).
Step 5 Click Submit.

Note The group remains in the same position in the list. The number value of
the group is still associated with this group name. Some utilities, such as
the database import utility, use the numeric value associated with the
group.

The Select page opens with the new group name selected.

Saving Changes to User Group Settings


After you have completed configuration for a group, be sure to save your work.
To save the configuration for the current group, follow these steps:

Step 1 To save your changes and apply them later, click Submit. When you are ready to
implement the changes, click System Configuration, and then click Service
Control, and click Restart.

Tip To save your changes and apply them immediately, click Submit + Restart.

The group attributes are applied and services are restarted. The Edit page opens.

Note Restarting the service clears the Logged-in User Report and temporarily
interrupts all Cisco Secure ACS services. This affects the Max Sessions
counter.

Step 2 To verify that your changes were applied, select the group and click Edit Settings.
View the settings.

Chapter 7
User Management

This chapter provides information about setting up and managing user accounts
in Cisco Secure ACS Appliance.

Note Settings at the user level override settings configured at the group level.

Before you configure User Setup, you should understand how this section
functions. Cisco Secure ACS dynamically builds the User Setup section interface
depending on the configuration of your AAA client and the security protocols
being used. That is, what you see under User Setup is affected by settings in both
the Network Configuration and Interface Configuration sections.
This chapter contains the following topics:
• About User Setup Features and Functions, page 7-1
• Basic User Setup Options, page 7-2
• Advanced User Authentication Settings, page 7-21
• User Management, page 7-53

About User Setup Features and Functions


The User Setup section of the Cisco Secure ACS HTML interface is the
centralized location for all operations regarding user account configuration and
administration.

From within the User Setup section, you can perform the following tasks:
• View a list of all users in the CiscoSecure user database.
• Find a user.
• Add a user.
• Assign the user to a group, including Voice-over-IP (VoIP) Groups.
• Edit user account information.
• Establish or change user authentication type.
• Configure callback information for the user.
• Set network access restrictions (NARs) for the user.
• Configure Advanced Settings.
• Set the maximum number of concurrent sessions (Max Sessions) for the user.
• Disable or re-enable the user account.
• Delete the user.

Basic User Setup Options


This section presents the basic activities you perform when configuring a new
user. At its most basic level, configuring a new user requires only three steps, as
follows:
• Specify a name.
• Specify either an external user database or a password.
• Submit the information.
The steps for editing user account settings are essentially identical to those used
when adding a user account but, to edit, you navigate directly to the field or fields
to be changed. You cannot edit the name associated with a user account; to change
a username you must delete the user account and establish another.
What other procedures you perform when setting up new user accounts is a
function both of the complexity of your network and of the granularity of control
you desire.

This section contains the following topics:
• Adding a Basic User Account, page 7-3
• Setting Supplementary User Information, page 7-5
• Setting a Separate CHAP/MS-CHAP/ARAP Password, page 7-6
• Assigning a User to a Group, page 7-7
• Setting User Callback Option, page 7-8
• Assigning a User to a Client IP Address, page 7-9
• Setting Network Access Restrictions for a User, page 7-10
• Setting Max Sessions Options for a User, page 7-15
• Setting User Usage Quotas Options, page 7-17
• Setting Options for User Account Disablement, page 7-19
• Assigning a Downloadable IP ACL to a User, page 7-20

Adding a Basic User Account


This procedure details the minimum steps necessary to add a new user account to
the CiscoSecure user database.
To add a user account, follow these steps:

Step 1 In the navigation bar, click User Setup.
The User Setup Select page opens.
Step 2 Type a name in the User box.

Note The username can contain up to 64 characters. Names cannot contain the
following special characters:
#?"*><
Leading and trailing spaces are not allowed.

Step 3 Click Add/Edit.
The User Setup Edit page opens. The username being added is at the top of the
page.

Step 4 Make sure that the Account Disabled check box is cleared.

Note Alternatively, you can select the Account Disabled check box to create a
user account that is disabled, and enable the account at another time.

Step 5 Under Password Authentication in the User Setup table, select the applicable
authentication type from the list.

Tip The authentication types that appear reflect the databases that you have
configured in the Database Configuration area of the External User
Databases section.

Step 6 Specify a single CiscoSecure PAP password by typing it in the first set of
Password and Confirm Password boxes.

Note Up to 32 characters are allowed each for the Password box and the
Confirm Password box.

Tip The CiscoSecure PAP password is also used for CHAP/MS-CHAP/ARAP
if the Separate CHAP/MS-CHAP/ARAP check box is not selected.

Tip You can configure the AAA client to ask for a PAP password first and then
a CHAP or MS-CHAP password so that when users dial in using a PAP
password, they will authenticate. For example, the following line in the
AAA client configuration file causes the AAA client to enable CHAP
after PAP:
ppp authentication pap chap

Step 7 Do one of the following:
• To finish configuring the user account options and establish the user account,
click Submit.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.

Tip For lengthy account configurations, you can click Submit before
continuing. This will prevent loss of information you have already entered
if an unforeseen problem occurs.

Setting Supplementary User Information


Supplementary User Information can contain up to five fields that you configure.
The default configuration includes two fields: Real Name and Description.
For information about how to display and configure these optional fields, see User
Data Configuration Options, page 3-3.
To enter optional information into the Supplementary User Information table,
follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.
Step 2 Complete each box that appears in the Supplementary User Info table.

Note Up to 128 characters are allowed each for the Real Name and the
Description boxes.

Step 3 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.

Setting a Separate CHAP/MS-CHAP/ARAP Password


Setting a separate CHAP/MS-CHAP/ARAP password adds more security to
Cisco Secure ACS authentication. However, you must have a AAA client
configured to support the separate password.
To allow the user to authenticate using a CHAP, MS-CHAP, or ARAP password,
instead of the PAP password in the CiscoSecure user database, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.
Step 2 Select the Separate CHAP/MS-CHAP/ARAP check box in the User Setup table.
Step 3 Specify the CHAP/MS-CHAP/ARAP password to be used by typing it in each of
the second set of Password/Confirm boxes under the Separate
(CHAP/MS-CHAP/ARAP) check box.

Note Up to 32 characters are allowed each for the Password box and the
Confirm Password box.

Note These Password and Confirm Password boxes are only required for
authentication by the Cisco Secure ACS database. Additionally, if a user
is assigned to a VoIP (null password) group, and the optional password is
also included in the user profile, the password is not used until the user is
re-mapped to a non-VoIP group.

Step 4 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.

Assigning a User to a Group


A user can only belong to one group in Cisco Secure ACS. The user inherits the
attributes and operations assigned to his or her group. However, in the case of
conflicting settings, the settings at the user level override the settings configured
at the group level.
By default, users are assigned to the Default Group. Users who authenticate via
the Unknown User method and who are not mapped to an existing Cisco Secure
ACS group are also assigned to the Default Group.
Alternatively, you can choose not to map a user to a particular group, but rather,
to have the group mapped by an external authenticator. For external user databases
from which Cisco Secure ACS can derive group information, you can associate
the group memberships—defined for the users in the external user database—to
specific Cisco Secure ACS groups. For more information, see Chapter 15, “User
Group Mapping and Specification.”
To assign a user to a group, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited appears at
the top of the page.
Step 2 From the Group to which user is assigned list in the User Setup table, select the
group to which you want to assign the user.

Tip Alternatively, you can scroll up in the list to select the Mapped By
External Authenticator option.

Step 3 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.

Setting User Callback Option


Callback is a command string that is passed to the access server. You can use a
callback string to initiate a modem to call the user back on a specific number for
added security or reversal of line charges.
To set the user callback option, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited appears at
the top of the page.
Step 2 Under Callback in the User Setup table, select the applicable option. Choices
include the following:
• Use group setting—Select if you want this user to use the setting for the
group.
• No callback allowed—Select to disable callback for this user.
• Callback using this number—Select and type the complete number,
including area code if necessary, on which to always call back this user.

Note The maximum character length for the callback number is 199
characters.

• Dialup client specifies callback number—Select to enable the Windows
dialup client to specify the callback number.
• Use Windows Database callback settings—Select to use the settings
specified for Windows callback. If a Windows account for a user resides in a
remote domain, the domain in which Cisco Secure ACS resides must have a
two-way trust with that domain for the Microsoft Windows callback settings
to operate for that user.

Note The dial-in user must have configured software that supports
callback.

Step 3 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.

Assigning a User to a Client IP Address


To assign a user to a client IP address, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.
Step 2 Under Client IP Address Assignment in the User Setup table, select the applicable
option. Choices include the following:

Note The IP address assignment in User Setup overrides the IP address
assignment in Group Setup.

• Use group settings—Select this option to use the IP address group
assignment.
• No IP address assignment—Select this option to override the group setting
if you do not want an IP address returned by the client.
• Assigned by dialup client—Select this option to use the IP address dialup
client assignment.
• Assign static IP address—Select this option and type the IP address in the
box (up to 15 characters), if a specific IP address should be used for this user.

Note If the IP address is being assigned from a pool of IP addresses or
by the dialup client, leave the Assign static IP address box blank.

• Assigned by AAA client pool—Select this option and type the AAA client
IP pool name in the box, if this user is to have the IP address assigned by an
IP address pool configured on the AAA client.
• Assigned from AAA pool—Select this option and type the applicable pool
name in the box, if this user is to have the IP address assigned by an IP address
pool configured on the AAA server. Select the AAA server IP pool name from
the Available Pools list, and then click --> (right arrow button) to move the
name into the Selected Pools list. If there is more than one pool in the
Selected Pools list, the users in this group are assigned to the first available
pool in the order listed. To move the position of a pool in the list, select the
pool name and click Up or Down until the pool is in the position you want.
Step 3 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.

Setting Network Access Restrictions for a User


The Network Access Restrictions table in the Advanced Settings area of User
Setup enables you to set NARs in three distinct ways:
• Apply existing shared NARs by name.
• Define IP-based access restrictions to permit or deny user access to a
specified AAA client or to specified ports on a AAA client when an IP
connection has been established.
• Define CLI/DNIS-based access restrictions to permit or deny user access
based on the CLI/DNIS used.

Note You can also use the CLI/DNIS-based access restrictions area to
specify other values. For more information, see About Network
Access Restrictions, page 5-7.

Typically, you define (shared) NARs from within the Shared Components section
so that these restrictions can be applied to more than one group or user. For more
information, see Adding a Shared Network Access Restriction, page 5-9. You
must have selected the User-Level Shared Network Access Restriction check box
on the Advanced Options page of the Interface Configuration section for this set
of options to appear in the HTML interface.
However, Cisco Secure ACS also enables you to define and apply a NAR for a
single user from within the User Setup section. You must have enabled the
User-Level Network Access Restriction setting on the Advanced Options page of
the Interface Configuration section for single user IP-based filter options and
single user CLI/DNIS-based filter options to appear in the HTML interface.

Note When an authentication request is forwarded by proxy to a Cisco Secure ACS, any
NARs for TACACS+ requests are applied to the IP address of the forwarding
AAA server, not to the IP address of the originating AAA client.

When you create access restrictions on a per-user basis, Cisco Secure ACS does
not enforce limits to the number of access restrictions and it does not enforce a
limit to the length of each access restriction; however, there are strict limits, as
follows:
• The combination of fields for each line item cannot exceed 1024 characters
in length.
• The shared NAR cannot have more than 16 KB of characters. The number of
line items supported depends on the length of each line item. For example, if
you create a CLI/DNIS-based NAR where the AAA client names are 10
characters, the port numbers are 5 characters, the CLI entries are 15
characters, and the DNIS entries are 20 characters, you can add 450 line items
before reaching the 16 KB limit.
To set NARs for a user, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.

Step 2 To apply a previously configured shared NAR to this user, follow these steps:

Note To apply a shared NAR, you must have configured it under Network
Access Restrictions in the Shared Profile Components section. For more
information, see Adding a Shared Network Access Restriction, page 5-9.

a. Select the Only Allow network access when check box.
b. To specify whether one or all shared NARs must apply for the user to be
permitted access, select one of the following two options, as applicable:
• All selected NARS result in permit
• Any one selected NAR results in permit
c. Select a shared NAR name in the NARs list, and then click --> (right arrow
button) to move the name into the Selected NARs list.

Tip To view the server details of the shared NARs you have selected to apply,
you can click either View IP NAR or View CLID/DNIS NAR, as
applicable.

Step 3 To define and apply a NAR, for this particular user, that permits or denies this user
access based on IP address, or IP address and port, follow these steps:

Tip You should define most NARs from within the Shared Components
section so that they can be applied to more than one group or user. For
more information, see Adding a Shared Network Access Restriction,
page 5-9.

a. In the Network Access Restrictions table, under Per User Defined Network
Access Restrictions, select the Define IP-based access restrictions check
box.
b. To specify whether the subsequent listing specifies permitted or denied IP
addresses, from the Table Defines list, select one of the following:
• Permitted Calling/Point of Access Locations
• Denied Calling/Point of Access Locations

c. Select or enter the information in the following boxes:
• AAA Client—Select All AAA Clients, or the name of a network device
group (NDG), or the name of the individual AAA client, to which to
permit or deny access.
• Port—Type the number of the port to which to permit or deny access.
You can use the wildcard asterisk (*) to permit or deny access to all ports
on the selected AAA client.
• Address—Type the IP address or addresses to use when performing
access restrictions. You can use the wildcard asterisk (*).

Note The total number of characters in the AAA Client list and the Port and
Src IP Address boxes must not exceed 1024. Although Cisco Secure
ACS accepts more than 1024 characters when you add a NAR, you
cannot edit the NAR and Cisco Secure ACS cannot accurately apply
it to users.

d. Click enter.
The specified AAA client, port, and address information appears in the table
above the AAA Client list.
Step 4 To permit or deny this user access based on calling location or values other than
an established IP address, follow these steps:
a. Select the Define CLI/DNIS based access restrictions check box.
b. To specify whether the subsequent listing specifies permitted or denied
values, from the Table Defines list, select one of the following:
• Permitted Calling/Point of Access Locations
• Denied Calling/Point of Access Locations
c. Complete the following boxes:

Note You must make an entry in each box. You can use the wildcard
asterisk (*) for all or part of a value. The format you use must match
the format of the string you receive from your AAA client. You can
determine this format from your RADIUS Accounting Log.

• AAA Client—Select All AAA Clients, or the name of the NDG, or the
name of the individual AAA client, to which to permit or deny access.
• PORT—Type the number of the port to which to permit or deny access.
You can use the wildcard asterisk (*) to permit or deny access to all ports.
• CLI—Type the CLI number to which to permit or deny access. You can
use the wildcard asterisk (*) to permit or deny access based on part of the
number.

Tip This is also the selection to use if you want to restrict access based on
other values such as a Cisco Aironet client MAC address. For more
information, see About Network Access Restrictions, page 5-7.

• DNIS—Type the DNIS number to which to permit or deny access. Use
this to restrict access based on the number into which the user will be
dialing. You can use the wildcard asterisk (*) to permit or deny access
based on part of the number.

Tip This is also the selection to use if you want to restrict access based on
other values such as a Cisco Aironet AP MAC address. For more
information, see About Network Access Restrictions, page 5-7.

Note The total number of characters in the AAA Client list and the Port,
CLI, and DNIS boxes must not exceed 1024. Although Cisco Secure
ACS accepts more than 1024 characters when you add a NAR, you
cannot edit the NAR and Cisco Secure ACS cannot accurately apply
it to users.

d. Click enter.
The information, specifying the AAA client, port, CLI, and DNIS, appears in
the table above the AAA Client list.

Step 5 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.
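The NAR evaluation rules described in this section, as an added Python model that is not Cisco's code: asterisk wildcard matching of line items, the Permitted and Denied table modes, NDG membership, the 1024-character line-item check, and the "all" versus "any one" combination of selected shared NARs. The NDG, AAA client names, addresses and numbers are constructed, and treating the asterisk as the only wildcard is an assumption.

```python
# Added example, not Cisco Secure ACS code: a model of how the NAR settings described in
# this section are evaluated. NDG names, AAA client names, addresses and numbers are
# constructed; treating the asterisk as the only wildcard character is an assumption.
import re
from dataclasses import dataclass
from typing import Dict, List, Set

ALL_CLIENTS = "All AAA Clients"
MAX_LINE_ITEM = 1024            # combined field length per line item (see the note above)


def wild_match(pattern: str, value: str) -> bool:
    """Only the asterisk is a wildcard, and it may stand for all or part of a value."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


@dataclass(frozen=True)
class Request:
    """What the AAA client reports for one access request."""
    aaa_client: str
    port: str
    src_ip: str = ""
    cli: str = ""      # calling number (or, per the Tip above, a client MAC address)
    dnis: str = ""     # called number (or an AP MAC address)


@dataclass(frozen=True)
class Entry:
    """One line item; src_ip is used by IP-based NARs, cli and dnis by CLI/DNIS-based ones."""
    aaa_client: str    # All AAA Clients, an NDG name, or a single AAA client name
    port: str
    src_ip: str = "*"
    cli: str = "*"
    dnis: str = "*"

    def overlong(self) -> bool:
        """True when the line item exceeds 1024 characters and should be rejected on entry."""
        fields = (self.aaa_client, self.port, self.src_ip, self.cli, self.dnis)
        return sum(len(f) for f in fields) > MAX_LINE_ITEM

    def matches(self, req: Request, ndgs: Dict[str, Set[str]]) -> bool:
        client_ok = (self.aaa_client == ALL_CLIENTS or self.aaa_client == req.aaa_client
                     or req.aaa_client in ndgs.get(self.aaa_client, set()))
        return (client_ok and wild_match(self.port, req.port)
                and wild_match(self.src_ip, req.src_ip)
                and wild_match(self.cli, req.cli) and wild_match(self.dnis, req.dnis))


@dataclass
class NAR:
    name: str
    permitted: bool    # "Permitted Calling/Point of Access Locations" vs "Denied ..."
    entries: List[Entry]

    def permits(self, req: Request, ndgs: Dict[str, Set[str]]) -> bool:
        """A Permitted table allows only listed locations; a Denied table allows all others."""
        hit = any(e.matches(req, ndgs) for e in self.entries)
        return hit if self.permitted else not hit


def user_permitted(selected: List[NAR], all_must_permit: bool, req: Request,
                   ndgs: Dict[str, Set[str]]) -> bool:
    """'Only Allow network access when' the selected NARs agree: all of them, or any one."""
    if not selected:
        return True
    results = [nar.permits(req, ndgs) for nar in selected]
    return all(results) if all_must_permit else any(results)


def demo() -> Dict[str, bool]:
    """Constructed data: one NDG, one IP-based and one CLI/DNIS-based shared NAR."""
    ndgs = {"Branch": {"rtr-bos", "rtr-nyc"}}
    corp_net = NAR("CorpNet", True, [Entry(ALL_CLIENTS, "*", src_ip="10.1.*")])
    no_branch_dnis = NAR("NoBranchDNIS", False, [Entry("Branch", "*", dnis="5551234")])
    inside = Request("rtr-bos", "1", src_ip="10.1.5.9", dnis="5559999")
    blocked_number = Request("rtr-bos", "1", src_ip="10.1.5.9", dnis="5551234")
    outside = Request("rtr-hq", "7", src_ip="192.168.4.2", dnis="5551234")
    both = [corp_net, no_branch_dnis]
    return {
        "inside/all": user_permitted(both, True, inside, ndgs),
        "blocked/all": user_permitted(both, True, blocked_number, ndgs),
        "blocked/any": user_permitted(both, False, blocked_number, ndgs),
        "outside/all": user_permitted(both, True, outside, ndgs),
        "outside/any": user_permitted(both, False, outside, ndgs),
    }
```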

Setting Max Sessions Options for a User


The Max Sessions feature enables you to set the maximum number of
simultaneous connections permitted for this user. For Cisco Secure ACS
purposes, a session is considered any type of user connection supported by
RADIUS or TACACS+, for example PPP, or Telnet, or ARAP. Note, however, that
accounting must be enabled on the AAA client for Cisco Secure ACS to be aware
of a session. All session counts are based on user and group names only.
Cisco Secure ACS does not support any differentiation by type of session—all
sessions are counted as the same. To illustrate, a user with a Max Session count
of 1 who is dialed in to a AAA client with a PPP session will be refused a
connection if that user then tries to Telnet to a location whose access is controlled
by the same Cisco Secure ACS.

Note Each Cisco Secure ACS holds its own Max Sessions counts. There is no
mechanism for Cisco Secure ACS to share Max Sessions counts across multiple
Cisco Secure ACSes. Therefore, if two Cisco Secure ACSes are set up as a mirror
pair with the workload distributed between them, they will have completely
independent views of the Max Sessions totals.

Tip If the Max Sessions table does not appear, click Interface Configuration, click
Advanced Options, and then select the Max Sessions check box.

To set max sessions options for a user, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.
Step 2 In the Max Sessions table, under Sessions available to user, select one of the
following three options:
• Unlimited—Select to allow this user an unlimited number of simultaneous
sessions. (This effectively disables Max Sessions.)
• n—Select and then type the maximum number of simultaneous sessions to
allow this user.
• Use group setting—Select to use the Max Sessions value for the group.

Note The default setting is Use group setting.

Note User Max Sessions settings override the group Max Sessions settings. For
example, if the group Sales has a Max Sessions value of only 10, but a
user in the group Sales, John, has a User Max Sessions value of
Unlimited, John is still allowed an unlimited number of sessions.

Step 3 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.

Setting User Usage Quotas Options


You can define usage quotas for individual users. You can limit users in one or
both of two ways:
• By total duration of sessions for the period selected.
• By the total number of sessions for the period selected.
For Cisco Secure ACS purposes, a session is considered any type of user
connection supported by RADIUS or TACACS+, for example PPP, or Telnet, or
ARAP. Note, however, that accounting must be enabled on the AAA client for
Cisco Secure ACS to be aware of a session. If you make no selections in the
Session Quotas section for an individual user, Cisco Secure ACS applies the
session quotas of the group to which the user is assigned.

Note If the User Usage Quotas feature does not appear, click Interface Configuration,
click Advanced Options, and then select the Usage Quotas check box.

Tip The Current Usage table under the User Usage Quotas table on the User Setup
Edit page displays usage statistics for the current user. The Current Usage table
lists both online time and sessions used by the user, with columns for daily,
weekly, monthly, and total usage. The Current Usage table appears only on user
accounts that you have established; that is, it does not appear during initial user
setup.

For a user who has exceeded his quota, Cisco Secure ACS denies him access upon
his next attempt to start a session. If a quota is exceeded during a session,
Cisco Secure ACS allows the session to continue. If a user account has been
disabled because the user has exceeded usage quotas, the User Setup Edit page
displays a message stating that the account has been disabled for this reason.
You can reset the session quota counters on the User Setup page for a user. For
more information about resetting usage quota counters, see Resetting User
Session Quota Counters, page 7-57.
To support time-based quotas, we recommend enabling accounting update packets
on all AAA clients. If update packets are not enabled, the quota is updated only
when the user logs off. If the AAA client through which the user is accessing your
network fails, the quota is not updated. In the case of multiple sessions, such as
with ISDN, the quota is not updated until all sessions terminate, which means that
a second channel will be accepted even if the first channel has exhausted the quota
allocated to the user.
To set usage quota options for a user, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.
Step 2 In the Usage Quotas table, select Use these settings.
Step 3 To define a usage quota based on duration of sessions for a user, follow these
steps:
a. Select the Limit user to x hours of online time check box.
b. Type the number of hours to which you want to limit the user in the Limit
user to x hours of online time box. Use decimal values to indicate minutes.
For example, a value of 10.5 would equal 10 hours and 30 minutes.

Note Up to 10 characters are allowed for this field.

c. Select the period for which you want to enforce the time usage quota:
• per Day—From 12:01 a.m. until midnight.
• per Week—From 12:01 a.m. Sunday until midnight Saturday.
• per Month—From 12:01 a.m. on the first of the month until midnight on
the last day of the month.
• Absolute—A continuous, open-ended count of hours.
Step 4 To define usage quotas based on the number of sessions for a user, follow these
steps:
a. Select the Limit user to x sessions check box.
b. Type the number of sessions to which you want to limit the user in the Limit
user to x sessions box.

Note Up to 10 characters are allowed for this field.

c. Select the period for which you want to enforce the session usage quota:
• per Day—From 12:01 a.m. until midnight.
• per Week—From 12:01 a.m. Sunday until midnight Saturday.
• per Month—From 12:01 a.m. on the first of the month until midnight on
the last day of the month.
• Absolute—A continuous, open-ended count of hours.

Setting Options for User Account Disablement


The Account Disable feature defines the circumstances upon which a user account
is disabled.

Note Do not confuse this feature with account expiration due to password aging.
Password aging is defined for groups only, not for individual users. Also note that
this feature is distinct from the Account Disabled check box. For instructions on
how to disable a user account, see Disabling a User Account, page 7-55.

Note If the user is authenticated with a Windows user database, this expiration
information is in addition to the information in the Windows user account.
Changes here do not alter settings configured in Windows.

To set options for user account disablement, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.
Step 2 Do one of the following:
a. Select the Never option to keep the user account always enabled.

Note This is the default setting.

b. Select the Disable account if option to disable the account under specific
circumstances. Then, specify one or both of the circumstances under the
following boxes:
• Date exceeds—Select the Date exceeds: check box. Then select the
month and type the date (two characters) and year (four characters) on
which to disable the account.

Note The default is 30 days after the user is added.

• Failed attempts exceed—Select the Failed attempts exceed check box
and then type the number of consecutive unsuccessful login attempts to
allow before disabling the account.

Note The default is 5.

Step 3 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.
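An added Python model (not Cisco Secure ACS code) of the per-user admission rules from the Max Sessions, User Usage Quotas and Account Disable sections above: the user-level override of the group Max Sessions value, a time quota credited only when a session stops, and disablement on a date or after consecutive failed attempts. User names, timestamps and limits are constructed; the simplified accounting (no interim update packets) and disabling exactly when the failure count reaches the configured number are assumptions.

```python
# Added example, not Cisco Secure ACS code: a model of the per-user admission rules from
# the Max Sessions, User Usage Quotas and Account Disable sections. Accounting is
# simplified (assumption): a session is credited to the quota only when its stop record
# arrives, which reproduces the "updated only when the user logs off" behaviour.
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Tuple

USE_GROUP = "Use group setting"   # default for user Max Sessions; None means Unlimited


def period_start(now: datetime, period: str) -> Optional[datetime]:
    """Start of the quota period containing `now`; None for Absolute (open-ended)."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if period == "per Day":
        return midnight
    if period == "per Week":                      # Sunday 00:00 through Saturday midnight
        return midnight - timedelta(days=(now.weekday() + 1) % 7)
    if period == "per Month":
        return midnight.replace(day=1)
    if period == "Absolute":
        return None
    raise ValueError(f"unknown period {period!r}")


@dataclass
class UserState:
    name: str
    group_max_sessions: Optional[int] = 10       # group value; None = Unlimited
    user_max_sessions: object = USE_GROUP        # USE_GROUP, None (Unlimited) or an int n
    hours_limit: Optional[float] = None          # "Limit user to x hours of online time"
    hours_period: str = "per Day"
    disable_date: Optional[date] = None          # "Disable account if Date exceeds"
    failed_limit: Optional[int] = None           # "Disable account if Failed attempts exceed"
    consecutive_failures: int = 0
    account_disabled: bool = False               # the Account Disabled check box
    active: Dict[str, datetime] = field(default_factory=dict)              # id -> start
    completed: List[Tuple[datetime, datetime]] = field(default_factory=list)

def effective_max_sessions(u: UserState) -> Optional[int]:
    """The user-level Max Sessions value overrides the group value, Unlimited included."""
    return u.group_max_sessions if u.user_max_sessions == USE_GROUP else u.user_max_sessions

def hours_in_period(u: UserState, now: datetime) -> float:
    """Online hours credited in the current period; sessions still open are not counted."""
    start = period_start(now, u.hours_period)
    return sum((ended - began).total_seconds() / 3600
               for began, ended in u.completed if start is None or ended >= start)

def record_auth_result(u: UserState, success: bool) -> None:
    """A success resets the count; reaching the configured failures disables the account."""
    u.consecutive_failures = 0 if success else u.consecutive_failures + 1
    if u.failed_limit is not None and u.consecutive_failures >= u.failed_limit:
        u.account_disabled = True

def account_start(u: UserState, session_id: str, when: datetime) -> None:
    u.active[session_id] = when

def account_stop(u: UserState, session_id: str, when: datetime) -> None:
    u.completed.append((u.active.pop(session_id), when))   # the quota is updated here

def admit(u: UserState, now: datetime) -> Tuple[bool, str]:
    """Would a new session for this user be permitted at `now`? Returns (ok, reason)."""
    if u.account_disabled:
        return False, "account disabled"
    if u.disable_date is not None and now.date() > u.disable_date:
        return False, "date exceeded"
    limit = effective_max_sessions(u)
    if limit is not None and len(u.active) >= limit:   # PPP, Telnet, ARAP all count alike
        return False, "max sessions"
    if u.hours_limit is not None and hours_in_period(u, now) >= u.hours_limit:
        return False, "hours quota"
    return True, "permit"

def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenarios; the timestamps are invented (2003-06-04 is a Wednesday)."""
    t0 = datetime(2003, 6, 4, 8, 0)
    john = UserState("john", group_max_sessions=10, user_max_sessions=None)  # Unlimited wins
    pat = UserState("pat", user_max_sessions=1)
    account_start(pat, "ppp-1", t0)                     # dialed in with PPP ...
    sam = UserState("sam", hours_limit=10.5)            # 10 hours 30 minutes per day
    account_start(sam, "ppp-2", t0)
    during = admit(sam, t0 + timedelta(hours=12))       # session open: quota not yet updated
    account_stop(sam, "ppp-2", t0 + timedelta(hours=12))
    lee = UserState("lee", failed_limit=5)
    for ok in [False] * 4 + [True] + [False] * 5:       # 4 failures, a success, 5 failures
        record_auth_result(lee, ok)
    return {
        "john": admit(john, t0),
        "pat-telnet": admit(pat, t0),                   # ... so a Telnet session is refused
        "sam-during": during,
        "sam-next": admit(sam, t0 + timedelta(hours=13)),
        "sam-next-day": admit(sam, t0 + timedelta(days=1)),
        "lee": admit(lee, t0),
    }
```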

Assigning a Downloadable IP ACL to a User


The Downloadable ACLs feature enables you to assign an IP Access Control List
(ACL) at the user level. You must configure one or more IP ACLs before you
assign one. For instructions on how to configure a downloadable IP ACL using
the Shared Profile Components section of the Cisco Secure ACS HTML interface,
see Adding a Downloadable IP ACL, page 5-4.

Note The Downloadable ACLs table does not appear if it has not been enabled. To
enable the Downloadable ACLs table, click Interface Configuration, click
Advanced Options, and then select the User-Level Downloadable ACLs check
box.

To assign a downloadable IP ACL to a user account, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the
top of the page.
Step 2 Under the Downloadable ACLs section, click the Assign IP ACL: check box.
Step 3 Select an IP ACL from the list.
Step 4 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.

Advanced User Authentication Settings


This section presents the activities you perform to configure user-level TACACS+
and RADIUS enable parameters.
This section contains the following topics:
• TACACS+ Settings (User), page 7-22
– Configuring TACACS+ Settings for a User, page 7-23
– Configuring a Shell Command Authorization Set for a User, page 7-25
– Configuring a PIX Command Authorization Set for a User, page 7-28
– Configuring Device-Management Command Authorization for a User,
page 7-29
– Configuring the Unknown Service Setting for a User, page 7-31
• Advanced TACACS+ Settings (User), page 7-32
– Setting Enable Privilege Options for a User, page 7-32
– Setting TACACS+ Enable Password Options for a User, page 7-34
– Setting TACACS+ Outbound Password for a User, page 7-36

• RADIUS Attributes, page 7-36
– Setting IETF RADIUS Parameters for a User, page 7-37
– Setting Cisco IOS/PIX RADIUS Parameters for a User, page 7-38
– Setting Cisco Aironet RADIUS Parameters for a User, page 7-39
– Setting Ascend RADIUS Parameters for a User, page 7-41
– Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User,
page 7-43
– Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User,
page 7-45
– Setting Microsoft RADIUS Parameters for a User, page 7-46
– Setting Nortel RADIUS Parameters for a User, page 7-48
– Setting Juniper RADIUS Parameters for a User, page 7-50
– Setting BBSM RADIUS Parameters for a User, page 7-51
– Setting Custom RADIUS Attributes for a User, page 7-52

TACACS+ Settings (User)


The TACACS+ Settings section permits you to enable and configure the
service/protocol parameters to be applied for the authorization of a user.
This section contains the following topics:
• Configuring TACACS+ Settings for a User, page 7-23
• Configuring a Shell Command Authorization Set for a User, page 7-25
• Configuring a PIX Command Authorization Set for a User, page 7-28
• Configuring Device-Management Command Authorization for a User,
page 7-29
• Configuring the Unknown Service Setting for a User, page 7-31

Configuring TACACS+ Settings for a User


You can use this procedure to configure TACACS+ settings at the user level for
the following service/protocols:
• PPP IP
• PPP IPX
• PPP Multilink
• PPP Apple Talk
• PPP VPDN
• PPP LCP
• ARAP
• Shell (exec)
• PIX Shell (pixShell)
• SLIP
You can also enable any new TACACS+ services that you may have configured.
Because having all service/protocol settings display within the User Setup section
would be cumbersome, you choose what settings to hide or display at the user
level when you configure the interface. For more information about setting up new
or existing TACACS+ services in the Cisco Secure ACS HTML interface, see
Protocol Configuration Options for TACACS+, page 3-7.
If you have configured Cisco Secure ACS to interact with a Cisco
device-management application, new TACACS+ services may appear
automatically, as needed to support the device-management application. For more
information about Cisco Secure ACS interaction with device-management
applications, see Support for Cisco Device-Management Applications, page 1-18.
For more information about attributes, see Appendix B, “TACACS+
Attribute-Value Pairs,” or your AAA client documentation. For information on
assigning an IP ACL, see Assigning a Downloadable IP ACL to a User, page 7-20.

Before You Begin


• For the TACACS+ service/protocol configuration to be displayed, a AAA
client must be configured to use TACACS+ as the security control protocol.
• In the Advanced Options section of Interface Configuration, ensure that the
Per-user TACACS+/RADIUS Attributes check box is selected.
To configure TACACS+ settings for a user, follow these steps:

Step 1 Click Interface Configuration and then click TACACS+ (Cisco IOS). In the
TACACS+ Services table, under the heading User, ensure that the check box is
selected for each service/protocol you want to configure.
Step 2 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.
Step 3 Scroll down to the TACACS+ Settings table and select the bold service name
check box to enable that protocol; for example (PPP IP).
Step 4 To enable specific parameters within the selected service, select the check box
next to a specific parameter and then do one of the following, as applicable:
• Select the Enabled check box.
• Specify a value in the corresponding attribute box.
To specify ACLs and IP address pools, enter the name of the ACL or pool as
defined on the AAA client. Leave the box blank if the default (as defined on
the AAA client) should be used. For more information about attributes, see
Appendix B, “TACACS+ Attribute-Value Pairs,” or your AAA client
documentation. For information on assigning an IP ACL, see Assigning a
Downloadable IP ACL to a User, page 7-20.

Tip An ACL is a list of Cisco IOS commands used to restrict access to or from
other devices and users on the network.

Step 5 To employ custom attributes for a particular service, select the Custom attributes
check box under that service, and then specify the attribute/value in the box below
the check box.


Step 6 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.

Configuring a Shell Command Authorization Set for a User


Use this procedure to specify the shell command authorization set parameters for
a user. You can choose one of five options:
• None—There is no authorization for shell commands.
• Group—For this user, the group-level shell command authorization set
applies.
• Assign a Shell Command Authorization Set for any network device—One
shell command authorization set is assigned, and it applies to all network
devices.
• Assign a Shell Command Authorization Set on a per Network Device
Group Basis—Particular shell command authorization sets are to be effective
on particular NDGs. When you select this option, you create the table that
lists what NDG associates with what shell command authorization set.
• Per User Command Authorization—Enables you to permit or deny specific
Cisco IOS commands and arguments at the user level.
Before You Begin
• Make sure that a AAA client has been configured to use TACACS+ as the
security control protocol.
• In the Advanced Options section of Interface Configuration, ensure that the
Per-user TACACS+/RADIUS Attributes check box is selected.
• In the TACACS+ (Cisco) section of Interface Configuration, ensure that the
Shell (exec) option is selected in the User column.
• Ensure that you have already configured one or more shell command
authorization sets. For detailed steps, see Adding a Command Authorization
Set, page 5-19.


To specify shell command authorization set parameters for a user, follow these
steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.
Step 2 Scroll down to the TACACS+ Settings table and to the Shell Command
Authorization Set feature area within it.
Step 3 To prevent the application of any shell command authorization set, select (or
accept the default of) the None option.
Step 4 To assign the shell command authorization set at the group level, select the As
Group option.
Step 5 To assign a particular shell command authorization set to be effective on any
configured network device, follow these steps:
a. Select the Assign a Shell Command Authorization Set for any network
device option.
b. Then, from the list directly below that option, select the shell command
authorization set you want applied to this user.
Step 6 To create associations that assign a particular shell command authorization set to
be effective on a particular NDG, for each association, follow these steps:
a. Select the Assign a Shell Command Authorization Set on a per Network
Device Group Basis option.
b. Select a Device Group and an associated Command Set.
c. Click Add Association.

Tip You can also select which command set applies to network device groups
that are not listed simply by associating that command set with the NDG
<default> listing.

The NDG or NDGs and associated shell command authorization set or sets
are paired in the table.


Step 7 To define the specific Cisco IOS commands and arguments to be permitted or
denied for this user, follow these steps:
a. Select the Per User Command Authorization option.
b. Under Unmatched Cisco IOS commands, select either Permit or Deny.
If you select Permit, the user can issue all commands not specifically listed.
If you select Deny, the user can issue only those commands listed.
c. To list particular commands to be permitted or denied, select the Command
check box and then type the name of the command, define its arguments using
standard permit or deny syntax, and select whether unlisted arguments are to
be permitted or denied.

Caution This is a powerful, advanced feature and should be used by an administrator
skilled with Cisco IOS commands. Correct syntax is the responsibility of the
administrator. For information on how Cisco Secure ACS uses pattern matching
in command arguments, see About Pattern Matching, page 5-19.

Tip To enter several commands, you must click Submit after specifying a
command. A new command entry box appears below the box you just
completed.

Step 8 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.
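The following evaluator is an added example (Python, not Cisco Secure ACS code) of the decision that the Per User Command Authorization option in Step 7 makes for one user: the Unmatched Cisco IOS commands default, the listed commands, and each command's argument rules with its unlisted-arguments default. It assumes argument patterns are regular expressions matched against the whole argument string, first match wins, and an exact match on the command keyword; the ACS pattern-matching rules themselves (About Pattern Matching, page 5-19) are not reproduced here.

```python
"""Per-user command authorization evaluator (added example, not ACS code).

Assumptions, not taken from the guide: argument rules are Python regular
expressions matched against the complete argument string, evaluated in
order with the first match deciding, and the command keyword must match
exactly.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class CommandRule:
    command: str                                   # IOS command keyword, e.g. "show"
    arg_rules: List[Tuple[str, str]] = field(default_factory=list)  # (action, pattern)
    unlisted_args: str = "deny"                    # action when no pattern matches


@dataclass
class PerUserCommandAuthorization:
    unmatched_commands: str = "deny"               # action for commands not listed
    rules: List[CommandRule] = field(default_factory=list)

    def authorize(self, command_line: str) -> bool:
        """Return True if the user may run command_line, False otherwise."""
        parts = command_line.strip().split(None, 1)
        if not parts:
            return False                           # empty line: nothing to authorize
        keyword = parts[0]
        args = parts[1] if len(parts) > 1 else ""
        rule = next((r for r in self.rules if r.command == keyword), None)
        if rule is None:
            # Command not listed: the Unmatched Cisco IOS commands setting decides.
            return self.unmatched_commands == "permit"
        for action, pattern in rule.arg_rules:
            if re.fullmatch(pattern, args):
                return action == "permit"
        # No argument rule matched: the per-command unlisted-arguments setting decides.
        return rule.unlisted_args == "permit"


def read_only_operator_policy() -> PerUserCommandAuthorization:
    """Constructed sample policy: the user may run 'show' (except the running
    and startup configuration) and ping IPv4 addresses; all else is denied."""
    return PerUserCommandAuthorization(
        unmatched_commands="deny",
        rules=[
            CommandRule("show",
                        [("deny", r"running-config.*"), ("deny", r"startup-config.*")],
                        unlisted_args="permit"),
            CommandRule("ping",
                        [("permit", r"\d{1,3}(\.\d{1,3}){3}")],
                        unlisted_args="deny"),
        ],
    )


def audit(policy: PerUserCommandAuthorization, lines: List[str]) -> dict:
    """Evaluate several command lines at once, to review a policy before it is
    applied to a user; returns {command_line: permitted}."""
    return {line: policy.authorize(line) for line in lines}


if __name__ == "__main__":
    sample = ["show version", "show running-config", "configure terminal",
              "ping 10.0.0.1", "ping example.com"]
    for line, allowed in audit(read_only_operator_policy(), sample).items():
        print("%-22s %s" % (line, "permit" if allowed else "deny"))
```

Switching unmatched_commands to "permit" on the same policy lets any unlisted command through, which is why the guide defaults to listing commands when Deny is selected.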


Configuring a PIX Command Authorization Set for a User


Use this procedure to specify the PIX command authorization set parameters for
a user. There are four options:
• None—No authorization for PIX commands.
• Group—For this user, the group-level PIX command authorization set
applies.
• Assign a PIX Command Authorization Set for any network device—One
PIX command authorization set is assigned, and it applies to all network
devices.
• Assign a PIX Command Authorization Set on a per Network Device
Group Basis—Particular PIX command authorization sets are to be effective
on particular NDGs.
Before You Begin
• Make sure that a AAA client is configured to use TACACS+ as the security
control protocol.
• In the Advanced Options section of Interface Configuration, make sure that
the Per-user TACACS+/RADIUS Attributes check box is selected.
• In the TACACS+ (Cisco) section of Interface Configuration, make sure that
the PIX Shell (pixShell) option is selected in the User column.
• Make sure that you have configured one or more PIX command authorization
sets. For detailed steps, see Adding a Command Authorization Set,
page 5-19.
To specify PIX command authorization set parameters for a user, follow these
steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.
Step 2 Scroll down to the TACACS+ Settings table and to the PIX Command
Authorization Set feature area within it.
Step 3 To prevent the application of any PIX command authorization set, select (or
accept the default of) the None option.


Step 4 To assign the PIX command authorization set at the group level, select the As
Group option.
Step 5 To assign a particular PIX command authorization set to be effective on any
configured network device, follow these steps:
a. Select the Assign a PIX Command Authorization Set for any network
device option.
b. From the list directly below that option, select the PIX command
authorization set you want applied to this user.
Step 6 To create associations that assign a particular PIX command authorization set to
be effective on a particular NDG, for each association, follow these steps:
a. Select the Assign a PIX Command Authorization Set on a per Network
Device Group Basis option.
b. Select a Device Group and an associated Command Set.
c. Click Add Association.
The associated NDG and PIX command authorization set appear in the table.
Step 7 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.

Configuring Device-Management Command Authorization for a User


Use this procedure to specify the device-management command authorization set
parameters for a user. Device-management command authorization sets support
the authorization of tasks in Cisco device-management applications that are
configured to use Cisco Secure ACS for authorization. You can choose one of four
options:
• None—No authorization is performed for commands issued in the applicable
Cisco device-management application.
• Group—For this user, the group-level command authorization set applies for
the applicable device-management application.


• Assign a device-management application for any network device—For the
applicable device-management application, one command authorization set is
assigned, and it applies to management tasks on all network devices.
• Assign a device-management application on a per Network Device Group
Basis—For the applicable device-management application, this option
enables you to apply command authorization sets to specific NDGs, so that it
affects all management tasks on the network devices belonging to the NDG.
Before You Begin
• Make sure that a AAA client is configured to use TACACS+ as the security
control protocol.
• In the Advanced Options section of Interface Configuration, make sure that
the Per-user TACACS+/RADIUS Attributes check box is selected.
• In the TACACS+ (Cisco) section of Interface Configuration, make sure that,
under New Services, the new TACACS+ service corresponding to the
applicable device-management application is selected in the User column.
• If you want to apply command authorization sets, make sure that you have
configured one or more device management command authorization sets. For
detailed steps, see Adding a Command Authorization Set, page 5-19.
To specify device-management application command authorization for a user,
follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.
Step 2 Scroll down to the TACACS+ Settings table and to the applicable
device-management command authorization feature area within it.
Step 3 To prevent the application of any command authorization for actions performed
in the applicable device-management application, select (or accept the default of)
the None option.
Step 4 To assign command authorization for the applicable device-management
application at the group level, select the As Group option.


Step 5 To assign a particular command authorization set that affects device-management
application actions on any network device, follow these steps:
a. Select the Assign a device-management application for any network device
option.
b. Then, from the list directly below that option, select the command
authorization set you want applied to this user.
Step 6 To create associations that assign a particular command authorization set that
affects device-management application actions on a particular NDG, for each
association, follow these steps:
a. Select the Assign a device-management application on a per Network Device
Group Basis option.
b. Select a Device Group and an associated device-management application.
c. Click Add Association.
The associated NDG and command authorization set appear in the table.
Step 7 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.

Configuring the Unknown Service Setting for a User


If you want TACACS+ AAA clients to permit unknown services, you can select
the Default (Undefined) Services check box under Checking this option will
PERMIT all UNKNOWN Services.
To configure the Unknown Service setting for a user, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.
Step 2 Scroll down to the table under the heading Checking this option will PERMIT all
UNKNOWN Services.


Step 3 To allow TACACS+ AAA clients to permit unknown services for this user, select
the Default (Undefined) Services check box.
Step 4 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.

Advanced TACACS+ Settings (User)


The information presented in this section applies when you have a AAA client
with TACACS+ configured.

Tip If the Advanced TACACS+ Settings (User) table does not appear, click Interface
Configuration, click TACACS+ (Cisco IOS), and then click Advanced
TACACS+ Features.

This section contains the following topics:
• Setting Enable Privilege Options for a User, page 7-32
• Setting TACACS+ Enable Password Options for a User, page 7-34
• Setting TACACS+ Outbound Password for a User, page 7-36

Setting Enable Privilege Options for a User


You use TACACS+ Enable Control with Exec session to control administrator
access. Typically, you use it for router management control. From the following
four options, you can select and specify the privilege level you want a user to
have.
• Use Group Level Setting—Sets the privileges for this user as those
configured at the group level.
• No Enable Privilege—Disallows enable privileges for this user.


Note This is the default setting.

• Max Privilege for any AAA Client—Enables you to select from a list the
maximum privilege level that will apply to this user on any AAA client on
which this user is authorized.
• Define Max Privilege on a per-Network Device Group Basis—Enables you
to associate maximum privilege levels to this user in one or more NDGs.

Note For information about privilege levels, refer to your AAA client
documentation.

Tip You must configure NDGs from within Interface Configuration before you can
assign user privilege levels to them.

To select and specify the privilege level for a user, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.
Step 2 Under TACACS+ Enable Control in the Advanced TACACS+ Settings table,
select one of the four privilege options, as follows:
• Use Group Level Setting
• No Enable Privilege

Note (No Enable Privilege is the default setting; when setting up a
new user account, it should already be selected.)

• Max Privilege for Any Access Server
• Define Max Privilege on a per-Network Device Group Basis
Step 3 If you selected Max Privilege for Any Access Server in Step 2, select the
appropriate privilege level from the corresponding list.


Step 4 If you selected Define Max Privilege on a per-Network Device Group Basis in
Step 2, perform the following steps to define the privilege levels on each NDG, as
applicable:
a. From the Device Group list, select a device group.

Note You must have already configured a device group for it to be listed.

b. From the Privilege list, select a privilege level to associate with the selected
device group.
c. Click Add Association.
An entry appears in the table, associating the device group with a particular
privilege level.
d. Repeat Step a through Step c for each device group you want to associate to
this user.

Tip To delete an entry, select the entry and then click Remove Associate.

Step 5 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.

Setting TACACS+ Enable Password Options for a User


When setting the TACACS+ Enable Password Options for a user, you have three
options to choose from:
• Use CiscoSecure PAP password.
• Use external database password.
• Use separate password.


To set the options for the TACACS+ Enable password, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.
Step 2 Do one of the following:
• To use the information configured in the Password Authentication section,
select Use CiscoSecure PAP password.

Note For information about basic password setup, see Adding a Basic
User Account, page 7-3.

• To use an external database password, select Use external database
password, and then choose from the list the database that authenticates the
enable password for this user.

Note The list of databases displays only the databases that you have
configured. For more information, see About External User
Databases, page 13-3.

• To use a separate password, click Use separate password, and then type and
retype to confirm a control password for this user. This password is used in
addition to the regular authentication.
Step 3 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.


Setting TACACS+ Outbound Password for a User


The TACACS+ outbound password enables a AAA client to authenticate itself to
another AAA client via outbound authentication. The outbound authentication
can be PAP, CHAP, MS-CHAP, or ARAP, and results in the Cisco Secure ACS
password being given out. By default, the user ASCII/PAP or
CHAP/MS-CHAP/ARAP password is used. To prevent compromising inbound
passwords, you can configure a separate SENDAUTH password.

Caution Use an outbound password only if you are familiar with the use of a TACACS+
SendAuth/OutBound password.

To set a TACACS+ outbound password for a user, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.
Step 2 Type and retype to confirm a TACACS+ outbound password for this user.
Step 3 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.

RADIUS Attributes
You can configure user attributes for RADIUS authentication either generally, at
the IETF level, or for vendor-specific attributes (VSAs) on a vendor-by-vendor
basis. For general attributes, see Setting IETF RADIUS Parameters for a User,
page 7-37. Cisco Secure ACS ships with many popular VSAs already loaded and
available to configure and apply. For information about creating additional,
custom RADIUS VSAs, see Custom RADIUS Vendors and VSAs, page 9-27.


This section contains the following topics:
• Setting IETF RADIUS Parameters for a User, page 7-37
• Setting Cisco IOS/PIX RADIUS Parameters for a User, page 7-38
• Setting Cisco Aironet RADIUS Parameters for a User, page 7-39
• Setting Ascend RADIUS Parameters for a User, page 7-41
• Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User,
page 7-43
• Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User,
page 7-45
• Setting Microsoft RADIUS Parameters for a User, page 7-46
• Setting Nortel RADIUS Parameters for a User, page 7-48
• Setting Juniper RADIUS Parameters for a User, page 7-50
• Setting BBSM RADIUS Parameters for a User, page 7-51
• Setting Custom RADIUS Attributes for a User, page 7-52

Setting IETF RADIUS Parameters for a User


RADIUS attributes are sent as a profile for the user from Cisco Secure ACS to the
requesting AAA client.
These parameters display only if all the following are true:
• A AAA client is configured to use one of the RADIUS protocols in Network
Configuration.
• The Per-user TACACS+/RADIUS Attributes check box is selected under
Advanced Options in the Interface Configuration section.
• User-level IETF RADIUS attributes are enabled under RADIUS (IETF) in the
Interface Configuration section.

Note To display or hide any of these attributes in the HTML interface, see Protocol
Configuration Options for RADIUS, page 3-11.


Note For a list and explanation of RADIUS attributes, see Appendix C, “RADIUS
Attributes,” or the documentation for your particular network device using
RADIUS.

To configure IETF RADIUS attribute settings to be applied as an authorization for
the current user, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.
Step 2 In the IETF RADIUS table, for each attribute that you need to authorize for the
current user, select the check box next to the attribute and then further define the
authorization for the attribute in the box or boxes next to it, as applicable.
Step 3 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.

Setting Cisco IOS/PIX RADIUS Parameters for a User


The Cisco IOS RADIUS parameters appear only if all the following are true:
• A AAA client is configured to use RADIUS (Cisco IOS/PIX) in Network
Configuration.
• The Per-user TACACS+/RADIUS Attributes check box is selected under
Advanced Options in the Interface Configuration section.
• User-level RADIUS (Cisco IOS/PIX) attributes are enabled under RADIUS
(Cisco IOS/PIX) in the Interface Configuration section.

Note To hide or display the Cisco IOS RADIUS VSA, see Setting Protocol
Configuration Options for Non-IETF RADIUS Attributes, page 3-17. A VSA
applied as an authorization to a particular user persists, even when you remove or
replace the associated AAA client; however, if you have no AAA clients of this
(vendor) type configured, the VSA settings do not appear in the user configuration
interface.

Cisco IOS RADIUS represents only the Cisco IOS VSAs. You must configure
both the IETF RADIUS and Cisco IOS RADIUS attributes.
To configure and enable Cisco IOS RADIUS attributes to be applied as an
authorization for the current user, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.
Step 2 Before configuring Cisco IOS RADIUS attributes, be sure your IETF RADIUS
attributes are configured properly. For more information about setting IETF
RADIUS attributes, see Setting IETF RADIUS Parameters for a User, page 7-37.
Step 3 In the Cisco IOS/PIX RADIUS Attributes table, to specify the attributes to be
authorized for the user, follow these steps:
a. Select the [009\001] cisco-av-pair attribute check box.
b. Type the commands (such as TACACS+ commands) to be packed as a
RADIUS VSA.
c. Continue to select and define attributes, as applicable.
Step 4 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.

Setting Cisco Aironet RADIUS Parameters for a User


The single Cisco Aironet RADIUS VSA, Cisco-Aironet-Session-Timeout, is a
virtual VSA. It acts as a specialized implementation (that is, a remapping) of the
IETF RADIUS Session-Timeout attribute (27) to respond to a request from a
Cisco Aironet Access Point. You use it to provide different timeout values when
a user must be able to connect via both wireless and wired devices. This capability
to provide a second timeout value specifically for WLAN connections avoids the
difficulties that would arise if you had to use a standard timeout value (typically
measured in hours) for a WLAN connection (that is typically measured in
minutes). You do not need to use Cisco-Aironet-Session-Timeout if the particular
user will always connect only with a Cisco Aironet Access Point. Rather, use this
setting when a user may connect via wired or wireless clients.
For example, imagine a user’s Cisco-Aironet-Session-Timeout set to 600 seconds
(10 minutes) and that same user’s IETF RADIUS Session-Timeout set to 3 hours.
When the user connects via a VPN, Cisco Secure ACS uses 3 hours as the timeout
value. However, if that same user connects via a Cisco Aironet Access Point,
Cisco Secure ACS responds to an authentication request from the Aironet AP by
sending 600 seconds in the IETF RADIUS Session-Timeout attribute. Thus, with
the Cisco-Aironet-Session-Timeout attribute configured, different session
timeout values can be sent depending on whether the end-user client is a wired
device or a Cisco Aironet Access Point.
The Cisco Aironet RADIUS parameters appear on the User Setup page only if all
the following are true:
• A AAA client is configured to use RADIUS (Cisco Aironet) in Network
Configuration.
• The Per-user TACACS+/RADIUS Attributes check box is selected under
Advanced Options in the Interface Configuration section.
• User-level RADIUS (Cisco Aironet) attribute is enabled under RADIUS
(Cisco Aironet) in the Interface Configuration section.

Note To hide or display the Cisco Aironet RADIUS VSA, see Setting Protocol
Configuration Options for Non-IETF RADIUS Attributes, page 3-17. A VSA
applied as an authorization to a particular user persists, even when you remove or
replace the associated AAA client; however, if you have no AAA clients of this
(vendor) type configured, the VSA settings do not appear in the user configuration
interface.


To configure and enable the Cisco Aironet RADIUS attribute to be applied as an
authorization for the current user, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.
Step 2 Before configuring Cisco Aironet RADIUS attributes, be sure your IETF
RADIUS attributes are configured properly. For more information about setting
IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User,
page 7-37.
Step 3 In the Cisco Aironet RADIUS Attributes table, select the [5842\001]
Cisco-Aironet-Session-Timeout check box.
Step 4 In the [5842\001] Cisco-Aironet-Session-Timeout box, type the session timeout
value (in seconds) that Cisco Secure ACS is to send in the IETF RADIUS
Session-Timeout (27) attribute when the AAA client is configured in Network
Configuration to use the RADIUS (Cisco Aironet) authentication option. The
recommended value is 600 seconds.
For more information about the IETF RADIUS Session-Timeout attribute, see
Appendix C, “RADIUS Attributes” or your AAA client documentation.
Step 5 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.
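The following is an added example (Python, not Cisco Secure ACS code) serving both the cisco-av-pair step in Setting Cisco IOS/PIX RADIUS Parameters for a User and the Aironet timeout remapping described above: it packs a [009\001] cisco-av-pair as an RFC 2865 Vendor-Specific (26) attribute and sends the [5842\001] Cisco-Aironet-Session-Timeout value in the IETF Session-Timeout (27) attribute only when the requesting AAA client is a Cisco Aironet Access Point. The profile values, the client-type labels and the "shell:priv-lvl=1" pair are constructed for the example; the attribute layout and numbers come from RFC 2865.

```python
"""RADIUS attribute packing for a user profile (added example, not ACS code).

Constructed values: the sample profile, the client-type labels ("aironet",
"vpn3000", ...) and the cisco-av-pair text. Attribute and vendor numbers are
from RFC 2865 and from the [009\\001] / [5842\\001] labels on the User Setup page.
"""
import struct
from typing import List, Tuple

IETF_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific
IETF_SESSION_TIMEOUT = 27   # RFC 2865 Session-Timeout, in seconds
CISCO_VENDOR_ID = 9         # the "009" in [009\001] cisco-av-pair
CISCO_AVPAIR_TYPE = 1       # the "001" in [009\001] cisco-av-pair

# Constructed user profile: what an administrator entered in the IETF RADIUS,
# Cisco IOS/PIX RADIUS and Cisco Aironet RADIUS tables of User Setup.
SAMPLE_PROFILE = {
    "session_timeout": 3 * 3600,             # IETF Session-Timeout (27): 3 hours
    "aironet_session_timeout": 600,          # [5842\001] Cisco-Aironet-Session-Timeout
    "cisco_av_pairs": ["shell:priv-lvl=1"],  # [009\001] cisco-av-pair entries
}


def session_timeout_for(profile: dict, client_type: str) -> int:
    """The Aironet virtual VSA replaces the IETF value only when the requesting
    AAA client is configured as RADIUS (Cisco Aironet); otherwise the standard
    Session-Timeout is used unchanged."""
    if client_type == "aironet" and profile.get("aironet_session_timeout") is not None:
        return profile["aironet_session_timeout"]
    return profile["session_timeout"]


def ietf_integer_attr(attr_type: int, value: int) -> bytes:
    """Type (1 byte), Length (1 byte, always 6), 32-bit big-endian value."""
    return struct.pack("!BBI", attr_type, 6, value)


def cisco_vsa_string_attr(vendor_type: int, text: str) -> bytes:
    """Attribute 26 carrying Vendor-Id 9 and one vendor sub-attribute
    (Vendor-Type, Vendor-Length, string), per RFC 2865 section 5.26."""
    data = text.encode("ascii")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    return struct.pack("!BBI", IETF_VENDOR_SPECIFIC, 6 + len(sub), CISCO_VENDOR_ID) + sub


def build_accept_attributes(profile: dict, client_type: str) -> bytes:
    """Attribute list for the Access-Accept returned to this AAA client."""
    out = ietf_integer_attr(IETF_SESSION_TIMEOUT, session_timeout_for(profile, client_type))
    for pair in profile.get("cisco_av_pairs", []):
        out += cisco_vsa_string_attr(CISCO_AVPAIR_TYPE, pair)
    return out


def parse_attributes(raw: bytes) -> List[Tuple]:
    """Decode the attribute list back for inspection. Integers come out as
    (type, value); VSAs as (26, vendor_id, vendor_type, text). Rejects a
    length that would run past the end of the buffer."""
    result, pos = [], 0
    while pos < len(raw):
        if pos + 2 > len(raw):
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = raw[pos], raw[pos + 1]
        if length < 2 or pos + length > len(raw):
            raise ValueError("malformed attribute length at offset %d" % pos)
        body = raw[pos + 2:pos + length]
        if attr_type == IETF_VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", body[:4])[0]
            vtype, vlen = body[4], body[5]
            result.append((attr_type, vendor_id, vtype, body[6:4 + vlen].decode("ascii")))
        else:
            result.append((attr_type, struct.unpack("!I", body)[0] if len(body) == 4 else body))
        pos += length
    return result


if __name__ == "__main__":
    for client in ("aironet", "vpn3000"):
        print(client, parse_attributes(build_accept_attributes(SAMPLE_PROFILE, client)))
```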

Setting Ascend RADIUS Parameters for a User


The Ascend RADIUS parameters appear only if all the following are true:
• A AAA client is configured to use RADIUS (Ascend) in Network
Configuration.
• The Per-user TACACS+/RADIUS Attributes check box is selected under
Advanced Options in the Interface Configuration section.
• User-level RADIUS (Ascend) attributes you want to apply are enabled under
RADIUS (Ascend) in the Interface Configuration section.
Ascend RADIUS represents only the Ascend proprietary attributes. You must
configure both the IETF RADIUS and Ascend RADIUS attributes. Proprietary
attributes override IETF attributes.
The default attribute setting displayed for RADIUS is Ascend-Remote-Addr.

Note To hide or display Ascend RADIUS attributes, see Setting Protocol Configuration
Options for Non-IETF RADIUS Attributes, page 3-17. A VSA applied as an
authorization to a particular user persists, even when you remove or replace the
associated AAA client; however, if you have no AAA clients of this (vendor) type
configured, the VSA settings do not appear in the user configuration interface.

To configure and enable Ascend RADIUS attributes to be applied as an
authorization for the current user, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.
Step 2 Before configuring Ascend RADIUS attributes, be sure your IETF RADIUS
attributes are configured properly. For more information about setting IETF
RADIUS attributes, see Setting IETF RADIUS Parameters for a User, page 7-37.
Step 3 In the Ascend RADIUS Attributes table, to specify the attributes that should be
authorized for the user, follow these steps:
a. Select the check box next to the particular attribute.
b. Further define the authorization for that attribute in the box next to it.
c. Continue to select and define attributes, as applicable.
For more information about attributes, see Appendix C, “RADIUS
Attributes,” or your AAA client documentation.

Step 4 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.

Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User


To control Microsoft MPPE settings for users accessing the network through a
Cisco VPN 3000-series concentrator, use the CVPN3000-PPTP-Encryption (VSA
20) and CVPN3000-L2TP-Encryption (VSA 21) attributes. Settings for
CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA
21) override Microsoft MPPE RADIUS settings. If either of these attributes is
enabled, Cisco Secure ACS determines the values to be sent in outbound RADIUS
(Microsoft) attributes and sends them along with the RADIUS (Cisco VPN 3000)
attributes, regardless of whether RADIUS (Microsoft) attributes are enabled in
the Cisco Secure ACS HTML interface or how those attributes might be
configured.
The Cisco VPN 3000 Concentrator RADIUS attribute configurations appear only
if all the following are true:
• A AAA client is configured to use RADIUS (Cisco VPN 3000) in Network
Configuration.
• The Per-user TACACS+/RADIUS Attributes check box is selected under
Advanced Options in the Interface Configuration section.
• User-level RADIUS (Cisco VPN 3000) attributes you want to apply are
enabled under RADIUS (Cisco VPN 3000) in the Interface Configuration
section.
Cisco VPN 3000 Concentrator RADIUS represents only the Cisco VPN 3000
Concentrator VSA. You must configure both the IETF RADIUS and Cisco VPN
3000 Concentrator RADIUS attributes.

Note To hide or display Cisco VPN 3000 Concentrator RADIUS attributes, see Setting
Protocol Configuration Options for Non-IETF RADIUS Attributes, page 3-17. A
VSA applied as an authorization to a particular user persists, even when you
remove or replace the associated AAA client; however, if you have no AAA
clients of this (vendor) type configured, the VSA settings do not appear in the user
configuration interface.

To configure and enable Cisco VPN 3000 Concentrator RADIUS attributes to be
applied as an authorization for the current user, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.
Step 2 Before configuring Cisco VPN 3000 Concentrator RADIUS attributes, be sure
your IETF RADIUS attributes are configured properly.
For more information about setting IETF RADIUS attributes, see Setting IETF
RADIUS Parameters for a User, page 7-37.
Step 3 In the Cisco VPN 3000 Concentrator Attribute table, to specify the attributes that
should be authorized for the user, follow these steps:
a. Select the check box next to the particular attribute.
b. Further define the authorization for that attribute in the box next to it.
c. Continue to select and define attributes, as applicable.
For more information about attributes, see Appendix C, “RADIUS
Attributes,” or your AAA client documentation.
Step 4 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.


Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User


The Cisco VPN 5000 Concentrator RADIUS attribute configurations display only
if all the following are true:
• A AAA client is configured to use RADIUS (Cisco VPN 5000) in Network
Configuration.
• The Per-user TACACS+/RADIUS Attributes check box is selected under
Advanced Options in the Interface Configuration section.
• User-level RADIUS (Cisco VPN 5000) attributes you want to apply are
enabled under RADIUS (Cisco VPN 5000) in the Interface Configuration
section.
Cisco VPN 5000 Concentrator RADIUS represents only the Cisco VPN 5000
Concentrator VSA. You must configure both the IETF RADIUS and Cisco VPN
5000 Concentrator RADIUS attributes.

Note To hide or display Cisco VPN 5000 Concentrator RADIUS attributes, see Setting
Protocol Configuration Options for Non-IETF RADIUS Attributes, page 3-17. A
VSA applied as an authorization to a particular user persists, even when you
remove or replace the associated AAA client; however, if you have no AAA
clients of this (vendor) type configured, the VSA settings do not appear in the user
configuration interface.

To configure and enable Cisco VPN 5000 Concentrator RADIUS attributes to be
applied as an authorization for the current user, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.
Step 2 Before configuring Cisco VPN 5000 Concentrator RADIUS attributes, be sure
your IETF RADIUS attributes are configured properly. For more information
about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for
a User, page 7-37.


Step 3 In the Cisco VPN 5000 Concentrator Attribute table, to specify the attributes that
should be authorized for the user, follow these steps:
a. Select the check box next to the particular attribute.
b. Further define the authorization for that attribute in the box next to it.
c. Continue to select and define attributes, as applicable.
For more information about attributes, see Appendix C, “RADIUS
Attributes,” or your AAA client documentation.
Step 4 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.

Setting Microsoft RADIUS Parameters for a User


Microsoft RADIUS provides VSAs supporting Microsoft Point-to-Point
Encryption (MPPE), an encryption technology developed by Microsoft to
encrypt Point-to-Point Protocol (PPP) links. These PPP connections can be over
a dial-in line or over a Virtual Private Network (VPN) tunnel.
To control Microsoft MPPE settings for users accessing the network through a
Cisco VPN 3000-series concentrator, use the CVPN3000-PPTP-Encryption (VSA
20) and CVPN3000-L2TP-Encryption (VSA 21) attributes. Settings for
CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA
21) override Microsoft MPPE RADIUS settings. If either of these attributes is
enabled, Cisco Secure ACS determines the values to be sent in outbound RADIUS
(Microsoft) attributes and sends them along with the RADIUS (Cisco VPN 3000)
attributes, regardless of whether RADIUS (Microsoft) attributes are enabled in
the Cisco Secure ACS HTML interface or how those attributes might be
configured.


The Microsoft RADIUS attribute configurations display only if all the following
are true:
• A AAA client is configured in Network Configuration that uses a RADIUS
protocol that supports the Microsoft RADIUS VSA.
• The Per-user TACACS+/RADIUS Attributes check box is selected under
Advanced Options in the Interface Configuration section.
• The user-level RADIUS (Microsoft) attributes you want to apply are enabled
under RADIUS (Microsoft) in the Interface Configuration section.
The following Cisco Secure ACS RADIUS protocols support the Microsoft
RADIUS VSA:
• Cisco IOS
• Cisco VPN 3000
• Cisco VPN 5000
• Ascend
Microsoft RADIUS represents only the Microsoft VSA. You must configure both
the IETF RADIUS and Microsoft RADIUS attributes.

Note To hide or display Microsoft RADIUS attributes, see Setting Protocol
Configuration Options for Non-IETF RADIUS Attributes, page 3-17. A VSA
applied as an authorization to a particular user persists, even when you remove or
replace the associated AAA client; however, if you have no AAA clients of this
(vendor) type configured, the VSA settings do not appear in the user configuration
interface.

To configure and enable Microsoft RADIUS attributes to be applied as an
authorization for the current user, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.
Step 2 Before configuring Microsoft RADIUS attributes, be sure your IETF RADIUS
attributes are configured properly. For more information about setting IETF
RADIUS attributes, see Setting IETF RADIUS Parameters for a User, page 7-37.


Step 3 In the Microsoft RADIUS Attributes table, to specify the attributes that should be
authorized for the user, follow these steps:
a. Select the check box next to the particular attribute.
b. Further define the authorization for that attribute in the box next to it.
c. Continue to select and define attributes, as applicable.
For more information about attributes, see Appendix C, “RADIUS
Attributes,” or your AAA client documentation.

Note The MS-CHAP-MPPE-Keys attribute value is autogenerated by
Cisco Secure ACS; there is no value to set in the HTML interface.

Step 4 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.

Setting Nortel RADIUS Parameters for a User


The Nortel RADIUS parameters appear only if all the following are true:
• A AAA client is configured to use RADIUS (Nortel) in Network
Configuration.
• The Per-user TACACS+/RADIUS Attributes check box is selected under
Advanced Options in the Interface Configuration section.
• User-level RADIUS (Nortel) attributes you want to apply are enabled under
RADIUS (Nortel) in the Interface Configuration section.
Nortel RADIUS represents only the Nortel proprietary attributes. You must
configure both the IETF RADIUS and Nortel RADIUS attributes. Proprietary
attributes override IETF attributes.


Note To hide or display Nortel RADIUS attributes, see Setting Protocol Configuration
Options for Non-IETF RADIUS Attributes, page 3-17. A VSA applied as an
authorization to a particular user persists, even when you remove or replace the
associated AAA client; however, if you have no AAA clients of this (vendor) type
configured, the VSA settings do not appear in the user configuration interface.

To configure and enable Nortel RADIUS attributes to be applied as an
authorization for the current user, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.
Step 2 Before configuring Nortel RADIUS attributes, be sure your IETF RADIUS
attributes are configured properly. For more information about setting IETF
RADIUS attributes, see Setting IETF RADIUS Parameters for a User, page 7-37.
Step 3 In the Nortel RADIUS Attributes table, to specify the attributes that should be
authorized for the user, follow these steps:
a. Select the check box next to the particular attribute.
b. Further define the authorization for that attribute in the box next to it.
c. Continue to select and define attributes, as applicable.
For more information about attributes, see Appendix C, “RADIUS
Attributes,” or your AAA client documentation.
Step 4 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.


Setting Juniper RADIUS Parameters for a User


The Juniper RADIUS parameters appear only if all the following are true:
• A AAA client is configured to use RADIUS (Juniper) in Network
Configuration.
• The Per-user TACACS+/RADIUS Attributes check box is selected under
Advanced Options in the Interface Configuration section.
• User-level RADIUS (Juniper) attributes you want to apply are enabled under
RADIUS (Juniper) in the Interface Configuration section.
Juniper RADIUS represents only the Juniper proprietary attributes. You must
configure both the IETF RADIUS and Juniper RADIUS attributes. Proprietary
attributes override IETF attributes.

Note To hide or display Juniper RADIUS attributes, see Setting Protocol Configuration
Options for Non-IETF RADIUS Attributes, page 3-17. A VSA applied as an
authorization to a particular user persists, even when you remove or replace the
associated AAA client; however, if you have no AAA clients of this (vendor) type
configured, the VSA settings do not appear in the user configuration interface.

To configure and enable Juniper RADIUS attributes to be applied as an
authorization for the current user, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.
Step 2 Before configuring Juniper RADIUS attributes, be sure your IETF RADIUS
attributes are configured properly. For more information about setting IETF
RADIUS attributes, see Setting IETF RADIUS Parameters for a User, page 7-37.
Step 3 In the Juniper RADIUS Attributes table, to specify the attributes that should be
authorized for the user, follow these steps:
a. Select the check box next to the particular attribute.
b. Further define the authorization for that attribute in the box next to it.
c. Continue to select and define attributes, as applicable.
For more information about attributes, see Appendix C, “RADIUS
Attributes,” or your AAA client documentation.
Step 4 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.

Setting BBSM RADIUS Parameters for a User


The BBSM RADIUS parameters appear only if all the following are true:
• A AAA client is configured to use RADIUS (BBSM) in Network
Configuration.
• The Per-user TACACS+/RADIUS Attributes check box is selected under
Advanced Options in the Interface Configuration section.
• User-level RADIUS (BBSM) attributes you want to apply are enabled under
RADIUS (BBSM) in the Interface Configuration section.
BBSM RADIUS represents only the BBSM proprietary attributes. You must
configure both the IETF RADIUS and BBSM RADIUS attributes. Proprietary
attributes override IETF attributes.

Note To hide or display BBSM RADIUS attributes, see Setting Protocol Configuration
Options for Non-IETF RADIUS Attributes, page 3-17. A VSA applied as an
authorization to a particular user persists, even when you remove or replace the
associated AAA client; however, if you have no AAA clients of this (vendor) type
configured, the VSA settings do not appear in the user configuration interface.

To configure and enable BBSM RADIUS attributes to be applied as an
authorization for the current user, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.


Step 2 Before configuring BBSM RADIUS attributes, be sure your IETF RADIUS
attributes are configured properly. For more information about setting IETF
RADIUS attributes, see Setting IETF RADIUS Parameters for a User, page 7-37.
Step 3 In the BBSM RADIUS Attributes table, to specify the attributes that should be
authorized for the user, follow these steps:
a. Select the check box next to the particular attribute.
b. Further define the authorization for that attribute in the box next to it.
c. Continue to select and define attributes, as applicable.
For more information about attributes, see Appendix C, “RADIUS
Attributes,” or your AAA client documentation.
Step 4 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.

Setting Custom RADIUS Attributes for a User


Custom RADIUS parameters appear only if all the following are true:
• You have defined and configured the custom RADIUS VSAs. (For
information about creating user-defined RADIUS VSAs, see Custom
RADIUS Vendors and VSAs, page 9-27.)
• A AAA client is configured in Network Configuration that uses a RADIUS
protocol that supports the custom VSA.
• The Per-user TACACS+/RADIUS Attributes check box is selected under
Advanced Options in the Interface Configuration section.
• User-level RADIUS (custom name) attributes you want to apply are enabled
under RADIUS (custom name) in the Interface Configuration section.
You must configure both the IETF RADIUS and the custom RADIUS attributes.
Proprietary attributes override IETF attributes.
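The following is an added example, not part of this guide and not Cisco Secure ACS code. It shows what the vendor-specific attributes configured in the preceding sections (Ascend, Cisco VPN 3000, Cisco VPN 5000, Microsoft, Nortel, Juniper, BBSM, and custom vendors) look like on the wire: every proprietary attribute is carried inside a RADIUS Vendor-Specific attribute (type 26, RFC 2865) that holds the vendor's IANA enterprise number followed by the vendor's own type, length, and value. The example uses the Microsoft vendor number 311 and the MS-MPPE-Send-Key attribute because it also illustrates the point made in the Microsoft section above: the MPPE key material is generated by the server and hidden with the RADIUS shared secret and Request Authenticator as specified in RFC 2548, so nothing about it is set in the HTML interface. The shared secret, Request Authenticator, salt, and key bytes are constructed sample values, and all function names are the example's own.

```python
import hashlib
import struct

VENDOR_SPECIFIC = 26      # RFC 2865 attribute type "Vendor-Specific"
MICROSOFT = 311           # IANA enterprise number used by RFC 2548
MS_MPPE_SEND_KEY = 16     # RFC 2548 section 2.4.2
MS_MPPE_RECV_KEY = 17     # RFC 2548 section 2.4.3


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Wrap a vendor TLV in a RADIUS Vendor-Specific (26) attribute."""
    if len(value) > 247:  # 255 - 2 (attr hdr) - 4 (vendor id) - 2 (vendor hdr)
        raise ValueError("value too long for a single Vendor-Specific attribute")
    vendor_tlv = struct.pack("!BB", vendor_type, len(value) + 2) + value
    body = struct.pack("!I", vendor_id) + vendor_tlv
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def decode_vsa(attr: bytes):
    """Return (vendor_id, vendor_type, value); raise on a malformed attribute."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    vendor_type, vendor_len = attr[6], attr[7]
    if vendor_len < 2 or 6 + vendor_len != len(attr):
        raise ValueError("vendor length does not match attribute length")
    return vendor_id, vendor_type, attr[8:6 + vendor_len]


def mppe_hide(key: bytes, secret: bytes, req_auth: bytes, salt: bytes) -> bytes:
    """RFC 2548 key hiding: chained MD5 keystream seeded by secret, authenticator, salt."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit set")
    plain = bytes([len(key)]) + key          # length octet, key, zero padding to 16n
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", req_auth + salt
    for i in range(0, len(plain), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(plain[i:i + 16], b))
        out, prev = out + c, c               # next block is chained on the ciphertext
    return out


def mppe_reveal(hidden: bytes, secret: bytes, req_auth: bytes, salt: bytes) -> bytes:
    """Inverse of mppe_hide; the only built-in sanity check is the length octet."""
    if len(hidden) % 16:
        raise ValueError("hidden string must be a multiple of 16 octets")
    plain, prev = b"", req_auth + salt
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    n = plain[0]
    if n > len(plain) - 1:
        raise ValueError("length octet inconsistent: wrong secret or corrupted data")
    return plain[1:1 + n]


def build_send_key_vsa(key, secret, req_auth, salt):
    """Server side: hide the key and wrap it as MS-MPPE-Send-Key (vendor 311, type 16)."""
    return encode_vsa(MICROSOFT, MS_MPPE_SEND_KEY,
                      salt + mppe_hide(key, secret, req_auth, salt))


def extract_send_key(attr, secret, req_auth):
    """NAS side: unwrap the attribute and recover the key with the same secret."""
    vendor_id, vendor_type, value = decode_vsa(attr)
    if (vendor_id, vendor_type) != (MICROSOFT, MS_MPPE_SEND_KEY):
        raise ValueError("not an MS-MPPE-Send-Key attribute")
    return mppe_reveal(value[2:], secret, req_auth, value[:2])


# Constructed sample values (not from any real RADIUS exchange).
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))
SALT = bytes([0x80 | 0x12, 0x34])
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    attr = build_send_key_vsa(KEY, SECRET, REQ_AUTH, SALT)
    print(attr.hex())
    print(extract_send_key(attr, SECRET, REQ_AUTH) == KEY)
```

Two practical consequences follow from the code. The hiding is a chained MD5 keystream derived from the shared secret, so a guessable shared secret, or a RADIUS path between the AAA client and Cisco Secure ACS that is not otherwise protected, exposes every session key an Access-Accept carries. And the only consistency check available to the receiver is the length octet, which is why a NAS must also verify the packet's Response Authenticator before trusting any attribute, vendor-specific or IETF, that it contains.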


To configure and enable custom RADIUS attributes to be applied as an
authorization for the current user, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.
Step 2 Before configuring custom RADIUS attributes, be sure your IETF RADIUS
attributes are configured properly. For more information about setting IETF
RADIUS attributes, see Setting IETF RADIUS Parameters for a User, page 7-37.
Step 3 In the RADIUS custom name Attributes table, to specify the attributes that should
be authorized for the user, follow these steps:
a. Select the check box next to the particular attribute.
b. Further define the authorization for that attribute in the box next to it, as
required.
c. Continue to select and define attributes, as applicable.
For more information about attributes, see Appendix C, “RADIUS
Attributes,” or your AAA client documentation.
Step 4 Do one of the following:
• If you are finished configuring the user account options, click Submit to
record the options.
• To continue to specify the user account options, perform other procedures in
this chapter, as applicable.

User Management
This section describes how to use the User Setup section to perform a variety of
user account managerial tasks.
This section contains the following topics:
• Listing All Users, page 7-54
• Finding a User, page 7-54
• Disabling a User Account, page 7-55
• Deleting a User Account, page 7-56
• Resetting User Session Quota Counters, page 7-57
• Resetting a User Account after Login Failure, page 7-57
• Saving User Settings, page 7-59

Listing All Users


The User List displays all user accounts (enabled and disabled). The list includes,
for each user, the username, status, and the group to which the user belongs.
Usernames are displayed in the order in which they were entered into the
database. This list cannot be sorted.
To view a list of all user accounts, follow these steps:

Step 1 In the navigation bar, click User Setup.
The User Setup Select page opens.
Step 2 Click List All Users.
In the display area on the right, the User List appears.
Step 3 To view or edit the information for an individual user, click the username in the
right window.
The user account information appears.

Finding a User
To find a user, follow these steps:

Step 1 In the navigation bar, click User Setup.
The User Setup Select page opens.
Step 2 Type the name in the User box, and then click Find.


Tip You can use wildcard characters (*) in this box.

Tip To display a list of usernames that begin with a particular letter or number,
click the letter or number in the alphanumeric list. A list of users whose
names begin with that letter or number opens in the display area on the
right.

The username, status (enabled or disabled), and group to which the user belongs
appear in the display area on the right.
Step 3 To view or edit the information for the user, click the username in the display area
on the right.
The user account information appears.

Disabling a User Account


This procedure details how to manually disable a user account in the CiscoSecure
user database.

Note To configure the conditions by which a user account will automatically be
disabled, see Setting Options for User Account Disablement, page 7-19.

Note This is not to be confused with account expiration due to password aging.
Password aging is defined for groups only, not for individual users.

To disable a user account, follow these steps:

Step 1 In the navigation bar, click User Setup.
The User Setup Select page opens.
Step 2 In the User box, type the name of the user whose account is to be disabled.


Step 3 Click Add/Edit.
The User Setup Edit page opens. The username being edited is at the top of the
page.
Step 4 Select the Account Disabled check box.
Step 5 Click Submit at the bottom of the page.
The specified user account is disabled.

Deleting a User Account

Caution If you are authenticating using the Unknown User policy, you must also delete the
user account from the external user database. This prevents the username from
being automatically re-added to the CiscoSecure user database the next time the
user attempts to log in.

To delete a user account, follow these steps:

Step 1 Click User Setup.
The User Setup Select page of the HTML interface opens.
Step 2 In the User box, type the complete username to be deleted.

Note Alternatively, you can click List All Users and then select the user from
the list that appears.

Step 3 Click Add/Edit.
Step 4 At the bottom of the User Setup page, click Delete.

Note The Delete button appears only when you are editing user information,
not when you are adding a username.

A popup window appears that asks you to confirm the user deletion.


Step 5 Click OK.
The user account is removed from the CiscoSecure user database.

Resetting User Session Quota Counters


You can reset the session quota counters for a user either before or after the user
exceeds a quota.
To reset user usage quota counters, follow these steps:

Step 1 Click User Setup.
The User Setup Select page of the HTML interface opens.
Step 2 In the User box, type the complete username of the user whose session quota
counters you are going to reset.

Note Alternatively, you can click List All Users and then select the user from
the list that appears.

Step 3 Click Add/Edit.
Step 4 In the Session Quotas section, select the Reset All Counters on submit check
box.
Step 5 Click Submit at the bottom of the browser page.
The session quota counters are reset for this user. The User Setup Select page
appears.

Resetting a User Account after Login Failure


Perform this procedure when an account is disabled because the failed attempts
count has been exceeded during an unsuccessful user attempt to log in.


To reset a user account after login failure, follow these steps:

Step 1 Click User Setup.
The User Setup Select page of the HTML interface opens.
Step 2 In the User box, type the complete username of the account to be reset.

Note Alternatively, you can click List All Users and then select the user from
the list that appears.

Step 3 Click Add/Edit.
Step 4 In the Account Disable table, select the Reset current failed attempts count on
submit check box, and then click Submit.
The Failed attempts since last successful login: counter resets to 0 (zero) and the
system re-enables the account.

Note This counter shows the number of unsuccessful login attempts since the
last time this user logged in successfully.

Note If the user authenticates with a Windows user database, this expiration
information is in addition to the information in the Windows user account.
Changes here do not alter settings configured in Windows.


Saving User Settings


After you have completed configuration for a user, be sure to save your work.
To save the configuration for the current user, follow these steps:

Step 1 To save the user account configuration, click Submit.
Step 2 To verify that your changes were applied, type the username in the User box and
click Add/Edit, and then review the settings.

Chapter 8
System Configuration: Basic

This chapter addresses the basic features found in the System Configuration
section of Cisco Secure ACS Appliance.
This chapter contains the following topics:
• Service Control, page 8-2
• Logging, page 8-3
• Date Format Control, page 8-3
• Local Password Management, page 8-5
• Cisco Secure ACS Backup, page 8-8
• Cisco Secure ACS System Restore, page 8-13
• Cisco Secure ACS Active Service Management, page 8-17
• VoIP Accounting Configuration, page 8-21
• Appliance Configuration, page 8-22
• Support, page 8-24
• Viewing or Downloading Diagnostic Logs, page 8-27
• Appliance Upgrade Status, page 8-27


Service Control
Cisco Secure ACS uses several services. The Service Control page provides basic
status information about the services, and enables you to configure the service log
files and to stop or restart the services. For more information about Cisco Secure
ACS services, see Chapter 1, “Overview.”

Tip You can configure Cisco Secure ACS service logs. For more information, see
Configuring Service Log Detail, page 11-27.

This section contains the following topics:
• Determining the Status of Cisco Secure ACS Services, page 8-2
• Stopping, Starting, or Restarting Services, page 8-2

Determining the Status of Cisco Secure ACS Services


You can determine whether Cisco Secure ACS services are running or stopped by
accessing the Service Control page.
To determine the status of Cisco Secure ACS services, follow these steps:

Step 1 In the navigation bar, click System Configuration.
Step 2 Click Service Control.
The status of the services appears in the CiscoSecure ACS on hostname table,
where hostname is the name of the Cisco Secure ACS.

Stopping, Starting, or Restarting Services


You can stop, start, or restart Cisco Secure ACS services as needed. This achieves
the same result as starting and stopping Cisco Secure ACS services from the serial
console. This stops, starts, or restarts the Cisco Secure ACS services except for
CSAdmin, which is responsible for the HTML interface.


Note If the CSAdmin service needs to be restarted, you can do so using stop and start
commands on the serial console; however, it is best to use the HTML interface to
restart services because there are dependencies in the order in which the services
are started.

To stop, start, or restart Cisco Secure ACS services, follow these steps:

Step 1 In the navigation bar, click System Configuration.
Step 2 Click Service Control.
The status of the services appears in the CiscoSecure ACS on hostname table,
where hostname is the name of the Cisco Secure ACS.
If the services are running, the Restart and Stop buttons appear at the bottom of
the page.
If the services are stopped, the Start button appears at the bottom of the page.
Step 3 Click Stop, Start, or Restart, as applicable.
The status of Cisco Secure ACS services changes to the state appropriate to the
button you clicked.

Logging
You can configure Cisco Secure ACS to generate logs for administrative and
accounting events, depending on the protocols and options you have enabled. For
more information, including configuration steps, see Chapter 1, “Overview”.

Date Format Control


Cisco Secure ACS allows for one of two possible date formats in its logs, reports,
and administrative interface. You can choose either a month/day/year format or a
day/month/year format.


Setting the Date Format

Note If you have reports that were generated before you changed the date format, be
sure to move or rename them to avoid conflicts. For example, if you are using the
month/day/year format, Cisco Secure ACS assigns the name 2001-07-12.csv to a
report generated on July 12, 2001. If you subsequently change to the
day/month/year format, on December 7, 2001, Cisco Secure ACS creates a file
also named 2001-07-12.csv and overwrites the existing file.

To set the date format, follow these steps:

Step 1 In the navigation bar, click System Configuration.
Step 2 Click Date Format Control.
Cisco Secure ACS displays the Date Format Selection table.
Step 3 Select a date format option.
Step 4 Click Submit & Restart.
Cisco Secure ACS restarts its services and implements the date format you
selected.

Note For the new date format to be seen in the HTML interface reports, you
must restart the connection to the Cisco Secure ACS. Click the Logoff
button (a button with an X) in the upper-right corner of the browser
window.


Local Password Management


The Local Password Management page enables you to configure settings that
apply to managing passwords stored in the CiscoSecure user database. It contains
the following two sections:
• Password Validation Options—These settings enable you to configure
validation parameters for user passwords. Cisco Secure ACS enforces these
rules when an administrator changes a user password in the CiscoSecure user
database and when a user attempts to change passwords using the
CiscoSecure Authentication Agent applet.

Note Password validation options apply only to user passwords stored in
the CiscoSecure user database. They do not apply to passwords in
user records kept in external user databases nor do they apply to
enable or admin passwords for Cisco IOS network devices.

The password validation options are listed below:


– Password length between X and Y characters—Enforces that password
lengths be between the values specified in the X and Y boxes, inclusive.
Cisco Secure ACS supports passwords up to 32 characters in length.
– Password may not contain the username—Requires that a user
password does not contain the username anywhere within it.
– Password is different from the previous value—Requires a new user
password to be different from the previous password.
– Password must be alphanumeric—Requires a user password to contain
both letters and numbers.
• Remote Change Password—These settings enable you to configure whether
Telnet password change is enabled and, if it is enabled, whether Cisco Secure
ACS immediately sends the updated user data to its replication partners.
The remote change password options are listed below:
– Disable TELNET Change Password against this ACS and return the
following message to the users telnet session—When selected, this
option disables the ability to perform password changes during a Telnet
session hosted by a TACACS+ AAA client. Users who submit a password
change receive the text message that you type in the corresponding box.


– Upon remote user password change, immediately propagate the
change to selected replication partners—This setting determines
whether Cisco Secure ACS sends to its replication partners any
passwords changed during a Telnet session hosted by a TACACS+ AAA
client, by the CiscoSecure Authentication Agent, or by the
User-Changeable Passwords web interface. The Cisco Secure ACSes
configured as this Cisco Secure ACS’s replication partners are listed
below this check box.
This feature depends upon having the CiscoSecure Database Replication
feature configured properly; however, replication scheduling does not
apply to propagation of changed password information. Cisco Secure
ACS sends changed password information immediately, regardless of
replication scheduling.
Changed password information is replicated only to Cisco Secure ACSes
that are properly configured to receive replication data from this
Cisco Secure ACS. The automatically triggered cascade setting for the
CiscoSecure Database Replication feature does not cause Cisco Secure
ACSes that receive changed password information to send it to their own
replication partners.
For more information about CiscoSecure Database Replication, see
CiscoSecure Database Replication, page 9-1.

Configuring Local Password Management


To configure password validation options, follow these steps:

Step 1 In the navigation bar, click System Configuration.


Step 2 Click Local Password Management.
The Local Password Management page appears.
Step 3 Under Password Validation Options, follow these steps:
a. In Password length between X and Y characters, type the minimum valid
number of characters for a password in the X box. While the X box accepts
two characters, passwords can only be between 1 and 32 characters in length.


b. In Password length between X and Y characters, type the maximum valid
number of characters for a password in the Y box. While the Y box accepts
two characters, passwords can only be between 1 and 32 characters in length.
c. If you want to disallow passwords that contain the username, select the
Password may not contain the username check box.
d. If you want to require that a user password must be different than the previous
user password, select the Password is different from the previous value
check box.
e. If you want to require that passwords must contain both letters and numbers,
select the Password must be alphanumeric check box.
Step 4 Under Remote Change Password, follow these steps:
a. If you want to enable user password changes in Telnet sessions, clear the
Disable TELNET Change Password against this ACS and return the
following message to the users telnet session check box.
b. If you want to disable user password changes in Telnet sessions, select the
Disable TELNET Change Password against this ACS and return the
following message to the users telnet session check box.
c. In the box below the Disable TELNET Change Password against this ACS
and return the following message to the users telnet session check box,
type a message that users should see when attempting to change a password
in a Telnet session and when the Telnet password change feature has been
disabled in Step b.
d. If you want Cisco Secure ACS to send changed password information
immediately after a user has changed a password, select the Upon remote
user password change, immediately propagate the change to selected
replication partners check box.

Tip The Cisco Secure ACSes that receive the changed password information
are listed below the Upon remote user password change, immediately
propagate the change to selected replication partners check box.

Step 5 Click Submit.


Cisco Secure ACS restarts its services and implements the settings you specified.
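The four validation options above are simple enough to reproduce exactly, which is useful when you want to pre-check passwords in a provisioning script before submitting them to ACS. The following is an added example, not code from the Cisco Secure ACS guide; the class name, method names and the case-insensitive username match are assumptions (the guide says only that the username may not appear "anywhere within" the password):

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Added example, not part of the Cisco Secure ACS guide. PasswordPolicy mirrors
# the Password Validation Options on the Local Password Management page.


@dataclass(frozen=True)
class PasswordPolicy:
    min_len: int = 4       # the X box
    max_len: int = 32      # the Y box; ACS supports passwords up to 32 characters
    no_username: bool = True           # "Password may not contain the username"
    differ_from_previous: bool = True  # "Password is different from the previous value"
    alphanumeric: bool = True          # "Password must be alphanumeric"

    def __post_init__(self) -> None:
        # The boxes accept two characters, but only 1..32 are valid lengths.
        if not 1 <= self.min_len <= self.max_len <= 32:
            raise ValueError("length bounds must satisfy 1 <= X <= Y <= 32")

    def violations(self, username: str, new_password: str,
                   previous_password: str | None = None) -> list[str]:
        """Every rule the candidate breaks, in the order the page lists them."""
        found: list[str] = []
        n = len(new_password)
        if not self.min_len <= n <= self.max_len:
            found.append(f"length {n} is not between {self.min_len} and {self.max_len}")
        # Assumption: the username match is case-insensitive; the guide does not
        # state how case is treated.
        if self.no_username and username and username.lower() in new_password.lower():
            found.append("password contains the username")
        if (self.differ_from_previous and previous_password is not None
                and new_password == previous_password):
            found.append("password is the same as the previous value")
        if self.alphanumeric and not (re.search(r"[A-Za-z]", new_password)
                                      and re.search(r"[0-9]", new_password)):
            found.append("password must contain both letters and digits")
        return found

    def is_acceptable(self, username: str, new_password: str,
                      previous_password: str | None = None) -> bool:
        return not self.violations(username, new_password, previous_password)


if __name__ == "__main__":
    policy = PasswordPolicy(min_len=8, max_len=32)
    # Constructed candidates: (username, new password, previous password)
    for user, new, old in [("jdoe", "Winter2024x", "Summer2023x"),
                           ("jdoe", "xJDOE1234", None),
                           ("jdoe", "abc", None),
                           ("jdoe", "Same1234", "Same1234")]:
        problems = policy.violations(user, new, old)
        print(f"{user}/{new!r}: {'ok' if not problems else '; '.join(problems)}")
```

Note that these rules never see passwords kept in external databases or the enable passwords on IOS devices, so a script that fronts ACS with this check covers only the CiscoSecure user database, exactly as the page states.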


Cisco Secure ACS Backup


This section provides information about the Cisco Secure ACS Backup feature,
including procedures for implementing this feature.
This section contains the following topics:
• About Cisco Secure ACS Backup, page 8-8
• Components Backed Up, page 8-9
• Reports of Cisco Secure ACS Backups, page 8-9
• Backup Options, page 8-9
• Performing a Manual Cisco Secure ACS Backup, page 8-10
• Scheduling Cisco Secure ACS Backups, page 8-11
• Disabling Scheduled Cisco Secure ACS Backups, page 8-13

About Cisco Secure ACS Backup


The Cisco Secure ACS Backup feature backs up Cisco Secure ACS system
information to a file that it sends to an FTP server you specify. You can manually
back up the Cisco Secure ACS system. You can also establish automated backups
that occur at regular intervals or at selected days of the week and times.
Maintaining backup files can minimize downtime if system information becomes
corrupt or is misconfigured. We recommend copying the files from the FTP server
to another computer in case the hardware fails on the FTP server.
The filename given to a backup is determined by Cisco Secure ACS. For more
information about filenames assigned to backup files generated by Cisco Secure
ACS, see Backup Filenames and Locations, page 8-14.
For information about using a backup file to restore Cisco Secure ACS, see
Cisco Secure ACS System Restore, page 8-13.

Components Backed Up
The Cisco Secure ACS Backup utility backs up the CiscoSecure user database and
other Cisco Secure ACS configuration data. The user database backup includes all
user information, such as username, password, and other authentication


information, including server certificates and the certificate trust list. The other
configuration data includes information such as NDG information, AAA client
configuration, and administrator accounts.

Reports of Cisco Secure ACS Backups


When a system backup takes place, whether it was manually generated or
scheduled, the event is logged in the Administration Audit report and the ACS
Backup and Restore report. You can view recent reports in the Reports and
Activity section of Cisco Secure ACS.
For more information about Cisco Secure ACS reports, see Chapter 1,
“Overview.”

Backup Options
The ACS System Backup Setup page contains the following configuration
options:
• Manually—Cisco Secure ACS does not perform automatic backups.
• Every X minutes—Cisco Secure ACS performs automatic backups on a set
frequency. The unit of measurement is minutes, with a default backup
frequency of 60 minutes.
• At specific times...—Cisco Secure ACS performs automatic backups at the
time specified in the day and hour graph. The minimum resolution is one
hour, and the backup takes place on the hour selected.
• FTP Server—The IP address or hostname of the FTP server that you want to
send backup files to. If you specify a hostname, DNS must be enabled on your
network.
• Login—A valid username to enable Cisco Secure ACS to access the FTP
server.
• Password—The password for the username provided in the Login box.
• Directory—The directory where Cisco Secure ACS writes the backup file.
The directory must be specified relative to the FTP root directory. To specify
the FTP root directory, enter a single period or “dot”.
• Encrypt backup file—Whether Cisco Secure ACS encrypts the backup file.
Because FTP carries both the login credentials and the file contents in
cleartext, and the backup includes the CiscoSecure user database, select
this option whenever the backup file crosses a network you do not fully
control.


• Encryption Password—The password used to encrypt the backup file. If the
Encrypt backup file option is selected, you must provide a password.

Note If an encrypted backup file is used to restore Cisco Secure ACS data,
you must provide the exact password entered in the Encryption
Password box when the backup was created.

Performing a Manual Cisco Secure ACS Backup


You can back up Cisco Secure ACS whenever you want, without scheduling the
backup.
To perform an immediate backup of Cisco Secure ACS, follow these steps:

Step 1 In the navigation bar, click System Configuration.


Step 2 Click ACS Backup.
The ACS System Backup Setup page appears. At the top of the page, information
about the last backup appears, including the following:
• Whether the last backup succeeded.
• The IP address of the FTP server used for the backup.
• The directory used to store the backup.
• The filename of the backup file created.
Step 3 In the FTP Server box under FTP Setup, type the IP address or hostname of the
FTP server that you want Cisco Secure ACS to send the backup file to.
Step 4 In the Login box under FTP Setup, type a valid username to enable Cisco Secure
ACS to access the FTP server.
Step 5 In the Password box under FTP Setup, type the password for the username
provided in the Login box.
Step 6 In the Directory box under FTP Setup, type the relative path to the directory on
the FTP server where you want the backup file to be written.
Step 7 If you want to encrypt the backup file, follow these steps:
a. Select the Encrypt backup file check box.


b. In the Encryption Password box, type the password you want to use to encrypt
the backup file.

Note If an encrypted backup file is used to restore Cisco Secure ACS data,
you must provide the exact password entered in the Encryption
Password box when the backup was created.

Step 8 Click Backup Now.


Cisco Secure ACS immediately begins a backup. The filename given to a backup
is determined by Cisco Secure ACS. For more information about filenames
assigned to backup files generated by Cisco Secure ACS, see Backup Filenames
and Locations, page 8-14.

Scheduling Cisco Secure ACS Backups


You can schedule Cisco Secure ACS backups to occur at regular intervals or at
selected days of the week and times.
To schedule the times at which Cisco Secure ACS performs a backup, follow these
steps:

Step 1 In the navigation bar, click System Configuration.


Step 2 Click ACS Backup.
The ACS System Backup Setup page appears.
Step 3 To schedule backups at regular intervals, under ACS Backup Scheduling, select
the Every X minutes option and in the X box type the length of the interval at
which Cisco Secure ACS should perform backups.

Note Because Cisco Secure ACS is momentarily shut down during backup, if
the backup interval is set too low, users might be unable to authenticate.

Step 4 To schedule backups at specific times, follow these steps:


a. Under ACS Backup Scheduling, select the At specific times option.


b. In the day and hour graph, click the times at which you want Cisco Secure
ACS to perform a backup.

Tip Clicking times of day on the graph selects those times; clicking again
clears them. At any time you can click Clear All to clear all hours, or you
can click Set All to select all hours.

Step 5 In the FTP Server box under FTP Setup, type the IP address or hostname of the
FTP server that you want Cisco Secure ACS to send the backup file to.
Step 6 In the Login box under FTP Setup, type a valid username to enable Cisco Secure
ACS to access the FTP server.
Step 7 In the Password box under FTP Setup, type the password for the username
provided in the Login box.
Step 8 In the Directory box under FTP Setup, type the relative path to the directory on
the FTP server where you want the backup file to be written.
Step 9 If you want to encrypt the backup file, follow these steps:
a. Select the Encrypt backup file check box.
b. In the Encryption Password box, type the password you want to use to encrypt
the backup file.

Note If an encrypted backup file is used to restore Cisco Secure ACS data,
you must provide the exact password entered in the Encryption
Password box when the backup was created.

Step 10 Click Submit.


Cisco Secure ACS implements the backup schedule you configured.

Disabling Scheduled Cisco Secure ACS Backups


You can disable scheduled Cisco Secure ACS backups without losing the
schedule itself. This allows you to end scheduled backups and resume them later
without having to re-create the schedule.


To disable a scheduled backup, follow these steps:

Step 1 In the navigation bar, click System Configuration.


Step 2 Click ACS Backup.
The ACS System Backup Setup page appears.
Step 3 Under ACS Backup Scheduling, select the Manual option.
Step 4 Click Submit.
Cisco Secure ACS does not continue any scheduled backups. You can still
perform manual backups as needed.

Cisco Secure ACS System Restore


This section provides information about the Cisco Secure ACS System Restore
feature, including procedures for restoring your Cisco Secure ACS from a backup
file.
This section contains the following topics:
• About Cisco Secure ACS System Restore, page 8-14
• Backup Filenames and Locations, page 8-14
• Components Restored, page 8-15
• Reports of Cisco Secure ACS Restorations, page 8-15
• Restoring Cisco Secure ACS from a Backup File, page 8-15

About Cisco Secure ACS System Restore


The ACS System Restore feature enables you to restore your system configuration
from backup files generated by the ACS Backup feature. This feature helps
minimize downtime if Cisco Secure ACS system information becomes corrupted
or is misconfigured.


The ACS System Restore feature only works with backup files generated by a
Cisco Secure ACS running an identical Cisco Secure ACS version and patch
level.

Backup Filenames and Locations


The ACS System Restore feature restores the Cisco Secure ACS user database and
other Cisco Secure ACS configuration data from a backup file that was created by
the ACS Backup feature. You can restore from a backup file on any FTP server.
You can restore from the latest backup file, or if you suspect that the latest backup
was incorrect, you can select an earlier backup file to restore from.
Cisco Secure ACS sends backup files to an FTP server specified on the ACS
System Backup Setup page. On the FTP server, backup files are written to the
directory specified when you schedule backups or perform a manual backup.
Cisco Secure ACS creates backup files using the date and time format:
dd-mmm-yyyy-hh-nn-ss.dmp
where:
• dd is the day of the month on which the backup started
• mmm is the month, abbreviated in alphabetic characters
• yyyy is the year
• hh is the hour, in 24-hour format
• nn is the minute
• ss is the second at which the backup started
For example, if Cisco Secure ACS started a backup on October 13, 1999, 11:41:35
a.m., Cisco Secure ACS would generate a backup file named:
13-Oct-1999-11-41-35.dmp

If you chose to encrypt the backup file, the backup filename includes the
lowercase letter e just before the “.dmp” file extension. If the previous example
was an encrypted backup file, the file name would be:
13-Oct-1999-11-41-35e.dmp


If you are not sure of the FTP server and directory used to create the latest backup
file, check the ACS System Restore Setup page. Information about the most recent
backup and restore, if any, is displayed at the top of the page.
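The naming scheme above is what the Browse dialog on the ACS System Restore Setup page relies on to list candidate files, and it is equally useful when you keep copies of the backups elsewhere, as the Backup section recommends. The following is an added example, not code from the Cisco Secure ACS guide; it parses dd-mmm-yyyy-hh-nn-ss[e].dmp names out of a constructed directory listing, flags the encrypted ones, orders them newest first, and lets you step back to an earlier file when the latest backup is suspect. The function and class names are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime

# Added example, not part of the Cisco Secure ACS guide. It recognises backup
# names of the form dd-mmm-yyyy-hh-nn-ss.dmp, with a lowercase "e" before the
# extension for encrypted files, as described in Backup Filenames and Locations.

_MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}

_NAME_RE = re.compile(
    r"^(?P<dd>\d{2})-(?P<mmm>[A-Za-z]{3})-(?P<yyyy>\d{4})-"
    r"(?P<hh>\d{2})-(?P<nn>\d{2})-(?P<ss>\d{2})(?P<enc>e?)\.dmp$")


@dataclass(frozen=True, order=True)
class BackupFile:
    started: datetime   # first field, so ordering is by start time
    encrypted: bool
    name: str


def parse_backup_name(name: str) -> BackupFile | None:
    """Return a BackupFile for an ACS backup name, or None for anything else."""
    m = _NAME_RE.match(name)
    if not m:
        return None
    month = _MONTHS.get(m["mmm"].lower())
    if month is None:
        return None
    try:
        started = datetime(int(m["yyyy"]), month, int(m["dd"]),
                           int(m["hh"]), int(m["nn"]), int(m["ss"]))
    except ValueError:   # impossible dates such as 31-Feb
        return None
    return BackupFile(started, m["enc"] == "e", name)


def list_backups(listing: list[str]) -> list[BackupFile]:
    """All ACS backups in an FTP directory listing, newest first."""
    found = [b for b in map(parse_backup_name, listing) if b is not None]
    return sorted(found, reverse=True)


def choose_backup(listing: list[str], skip_newest: int = 0) -> BackupFile | None:
    """The newest backup, or the one skip_newest places earlier when the
    latest file is suspected to be bad."""
    backups = list_backups(listing)
    return backups[skip_newest] if skip_newest < len(backups) else None


if __name__ == "__main__":
    # Constructed directory listing; only well-formed .dmp names are backups.
    listing = ["13-Oct-1999-11-41-35.dmp", "13-Oct-1999-11-41-35e.dmp",
               "14-Oct-1999-02-00-00e.dmp", "notes.txt",
               "31-Feb-1999-00-00-00.dmp"]
    for b in list_backups(listing):
        print(f"{b.name}: started {b.started:%Y-%m-%d %H:%M:%S}, "
              f"encrypted={b.encrypted}")
```

An encrypted file needs the exact password given at backup time, so checking the encrypted flag before you start a restore avoids discovering a missing password only after the services have been stopped.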

Components Restored
You can select the components to restore: the user and group databases, the
system configuration, or both.

Reports of Cisco Secure ACS Restorations


When a Cisco Secure ACS system restoration takes place, the event is logged in
the Administration Audit report and the ACS Backup and Restore report. You can
view recent reports in the Reports and Activity section of Cisco Secure ACS.
For more information about Cisco Secure ACS reports, see Chapter 1,
“Overview.”

Restoring Cisco Secure ACS from a Backup File


You can perform a system restoration of Cisco Secure ACS whenever needed.

Note Using the Cisco Secure ACS System Restore feature restarts all Cisco Secure
ACS services and logs out all administrators.


To restore Cisco Secure ACS from a backup file generated by the Cisco Secure
ACS Backup feature, follow these steps:

Step 1 In the navigation bar, click System Configuration.


Step 2 Click ACS Restore.
The ACS System Restore Setup page appears.
With the exception of the Decryption Password box, the boxes under Select
Backup To Restore From contain the values used for the most recent successful
backup, as configured on the ACS System Backup Setup page.
Step 3 If you want to accept the default values for the FTP Server, Login, Password,
Directory, and File boxes, proceed to Step 5.
Step 4 If you want to change any of the values in the FTP Server, Login, Password,
Directory, and File boxes, follow these steps:
a. In the FTP Server box under FTP Setup, type the IP address or hostname of
the FTP server that you want Cisco Secure ACS to get the backup file from.
b. In the Login box under FTP Setup, type a valid username to enable
Cisco Secure ACS to access the FTP server.
c. In the Password box under FTP Setup, type the password for the username
provided in the Login box.
d. In the Directory box under FTP Setup, type the relative path to the directory
on the FTP server where the backup file is.
e. Click Browse.
After a pause to retrieve a file list from the FTP server, a dialog box lists the
Cisco Secure ACS backup files found in the directory specified. Encrypted
backup files include the lowercase letter e before the “.dmp” filename
extension.

Tip If no files are found or the FTP server could not be accessed, click Cancel
to close the dialog box, and repeat Step a through d.

f. Click the filename of the backup file you want to use to restore Cisco Secure
ACS.
The filename you select appears in the File box. The dialog box closes.


Step 5 If the backup file specified in the File box is encrypted, in the Decryption
Password box, type the same password used to encrypt the backup file.

Note The decryption password must exactly match the password specified in
the Encryption Password box on the ACS System Backup Setup page.

Step 6 If you want to restore user and group database information, select the User and
Group Database check box.
Step 7 If you want to restore system configuration information, select the CiscoSecure
ACS System Configuration check box.
Step 8 Click Restore Now.
Cisco Secure ACS displays a confirmation dialog box indicating that performing
the restoration will restart Cisco Secure ACS services and log out all
administrators.
Step 9 To continue with the restoration, click OK.
Cisco Secure ACS restores the system components specified using the backup file
you selected. The restoration should require several minutes to complete,
depending on which components you selected to restore and the size of your
database.
When the restoration is complete, you can log in again to Cisco Secure ACS.

Cisco Secure ACS Active Service Management


ACS Active Service Management is an application-specific service monitoring
tool that is tightly integrated with ACS. The two features that compose ACS
Active Service Management are described in this section.
This section contains the following topics:
• System Monitoring, page 8-18
• Event Logging, page 8-20


System Monitoring
Cisco Secure ACS system monitoring enables you to determine how often
Cisco Secure ACS tests its authentication and accounting processes, and what
automated actions it takes should tests detect a failure of these processes.
Cisco Secure ACS accomplishes system monitoring with the CSMon service. For
more information about the CSMon service, see CSMon, page F-4. For
information about monitoring the performance of system services, see Monitoring
System Information, page 8-26.

System Monitoring Options


You have the following options for configuring system monitoring:
• Test login process every X minutes—Controls whether or not Cisco Secure
ACS tests its login process. The value in the X box defines, in minutes, how
often Cisco Secure ACS tests its login process. The default frequency is once
per minute, which is also the most frequent testing interval possible.
When this option is enabled, at the interval defined, Cisco Secure ACS tests
authentication and accounting. If a test fails, after four unsuccessful retries
Cisco Secure ACS performs the action identified in the If no successful
authentications are recorded list and logs the event.
• If no successful authentications are recorded—Specifies what action
Cisco Secure ACS takes if it detects that its login process failed. This list
contains several built-in actions and reflects custom actions that you define.
The items beginning with asterisks (*) are built-in actions.
– *Restart All—Restart all Cisco Secure ACS services.
– *Restart RADIUS/TACACS+—Restart only the RADIUS and
TACACS+ services.
– *Reboot—Reboot the Cisco Secure ACS.
– Take No Action—Leave Cisco Secure ACS operating as is.


• Generate event when an attempt is made to log in to a disabled
account—Specifies whether Cisco Secure ACS generates a log entry when a
user attempts to log in to your network using a disabled account.
• Email notification of event—Specifies whether Cisco Secure ACS sends an
e-mail notification for each event.
– To—The e-mail address that notification e-mail is sent to. For example,
joeadmin@company.com.
– SMTP Mail Server—The simple mail transfer protocol (SMTP) server
that Cisco Secure ACS should use to send notification e-mail. You can
identify the SMTP server either by its hostname or by its IP address.

Setting Up System Monitoring


To set up Cisco Secure ACS System Monitoring, follow these steps:

Step 1 In the navigation bar, click System Configuration.


Step 2 Click ACS Service Management.
The ACS Active Service Management Setup page appears.
Step 3 To have Cisco Secure ACS test the login process, follow these steps:
a. Select the Test login process every X minutes check box.
b. Type the number of minutes that should pass between each login process test
in the X box (up to 3 characters).
c. From the If no successful authentications are recorded list, select the
action Cisco Secure ACS should take when the login test fails.
Step 4 To have Cisco Secure ACS create a log entry when a user attempts to access your
network using a disabled account, select the Generate event when an attempt is
made to log in to a disabled account check box.
Step 5 If you want to set up event logging, proceed to Setting Up Event Logging,
page 8-20.
Step 6 If you are done setting up Cisco Secure ACS Service Management, click Submit.
Cisco Secure ACS implements the service management settings you made.


Event Logging
The Event Logging feature enables you to configure whether Cisco Secure ACS
generates an e-mail when an event occurs. Cisco Secure ACS detects events using
the System Monitoring feature. For more information about system monitoring,
see System Monitoring Options, page 8-18.

Setting Up Event Logging


To set up Cisco Secure ACS event logging, follow these steps:

Step 1 In the navigation bar, click System Configuration.


Step 2 Click ACS Service Management.
The ACS Active Service Management Setup page appears.
Step 3 To have Cisco Secure ACS send an e-mail when an event occurs, follow these
steps:
a. Select the Email notification of event check box.
b. In the To box, type the e-mail address to which Cisco Secure ACS should
send event notification e-mail (up to 200 characters).

Note Do not use underscores in the e-mail addresses you type in this box.

c. In the SMTP Mail Server box, type the hostname or IP address of the SMTP
server that Cisco Secure ACS should use to send notification e-mail (up to
200 characters).

Note The SMTP mail server must be operational and must be available
from the Cisco Secure ACS.

Step 4 If you want to set up system monitoring, proceed to Setting Up System
Monitoring, page 8-19.
Step 5 If you are done setting up Cisco Secure ACS Service Management, click Submit.
Cisco Secure ACS implements the service management settings you made.


VoIP Accounting Configuration


The VoIP Accounting Configuration feature enables you to specify which
accounting logs receive VoIP accounting data. There are three options for VoIP
accounting:
• Send to both RADIUS and VoIP Accounting Log Targets—Cisco Secure
ACS appends VoIP accounting data to the RADIUS accounting data and logs
it separately to a CSV file. To view the data, you can use either RADIUS
Accounting or VoIP Accounting under Reports and Activity.
• Send only to VoIP Accounting Log Targets—Cisco Secure ACS only logs
VoIP accounting data to a CSV file. To view the data, you can use VoIP
Accounting under Reports and Activity.
• Send only to RADIUS Accounting Log Targets—Cisco Secure ACS only
appends VoIP accounting data to the RADIUS accounting data. To view the
data, you can use RADIUS Accounting under Reports and Activity.

Configuring VoIP Accounting

Note The VoIP Accounting Configuration feature does not enable VoIP accounting. To
enable VoIP accounting, see Chapter 1, “Overview.”

To configure VoIP accounting, follow these steps:

Step 1 In the navigation bar, click System Configuration.


Step 2 Click VoIP Accounting Configuration.

Note If this feature does not appear, click Interface Configuration, click
Advanced Options, and then select the Voice-over-IP (VoIP)
Accounting Configuration check box.

The VoIP Accounting Configuration page appears. The Voice-over-IP (VoIP)
Accounting Configuration table displays the options for VoIP accounting.
Step 3 Select the VoIP accounting option you want.


Step 4 Click Submit.


Cisco Secure ACS implements the VoIP accounting configuration you specified.

Appliance Configuration
Use the Appliance Configuration page to set the Cisco Secure ACS host and
domain names, as well as the system date and time.
This section contains the following topics:
• Setting the Cisco Secure ACS System Time and Date, page 8-22
• Setting the Cisco Secure ACS Host and Domain Names, page 8-23

Setting the Cisco Secure ACS System Time and Date


This procedure details how to set the Cisco Secure ACS system time and date
from within the HTML interface. This procedure also details how to maintain the
system date and time using a network time protocol (NTP) server with which the
system synchronizes its date and time.

Tip You can also perform this procedure using the serial console interface to the
Cisco Secure ACS. For details, see the Installation and Setup Guide for
Cisco Secure ACS Appliance.

To set the system date and time, follow these steps:

Step 1 In the navigation bar, click System Configuration.


Step 2 Click Appliance Configuration.
Cisco Secure ACS displays the Appliance Configuration page.

Note If the system does not display the Appliance Configuration page, check
your connectivity to the Cisco Secure ACS.


Step 3 From the Time Zone list, select the system time zone.
Step 4 In the Time box, enter the system time in the format hh:mm:ss.
Step 5 From the Day list, select the day of the month.
Step 6 From the Month list, select the month.
Step 7 From the Year list, select the year.
Step 8 Perform the following substeps only if you want an NTP server to
synchronize the date and time automatically.
a. Select the NTP Synchronization Enabled check box.
b. In the NTP Server(s) box, type the IP address or addresses of the NTP
server(s) you want the system to use. If you enter more than one, separate the
IP addresses with a space.

Note Be sure that the IP addresses you specify are valid NTP servers.
Incorrect IP addresses or incorrectly operating NTP servers can
greatly slow the NTP synchronization process.

Step 9 Click Submit.


The system time and date are set as specified.

Setting the Cisco Secure ACS Host and Domain Names


Use this procedure to configure Cisco Secure ACS host and domain names.

Note This procedure requires that you reboot the Cisco Secure ACS and, therefore, you
should perform the procedure during off hours to minimize disruption of users.

To set the Cisco Secure ACS host and domain names, follow these steps:

Step 1 In the navigation bar, click System Configuration.


Step 2 Click Appliance Configuration.


Cisco Secure ACS displays the Appliance Configuration page.

Note If the system does not display the Appliance Configuration page, check
your connectivity to the Cisco Secure ACS.

Step 3 In the Host Name box, type the hostname.


Step 4 In the Domain Name box, type the domain name.
Step 5 At the bottom of the page, click Reboot.

Support
You use the Support page for two purposes:
• To package system state information into a file that can be forwarded for tech
support.
• To monitor the state of the Cisco Secure ACS services.
Each of these activities is detailed in the following procedures:
• Running Support, page 8-24
• Monitoring System Information, page 8-26

Running Support
You use the Support page to package system information that can be forwarded to
your Technical Assistance Center (TAC) representative. When you perform this
procedure, Cisco Secure ACS automatically packages all its current logs. You
also have the option to package either, or both, of the following:
• User database
• System logs for the number of preceding days that you specify.
Support information is packaged in a cabinet file, which has the file extension
.cab. Cabinet files are a compressed format, so that you can more easily send the
support information to TAC or other support personnel.

To package system state information into a file for tech support, follow these steps:

Note The AAA services of Cisco Secure ACS are briefly suspended when you run this
procedure. We recommend that you perform this procedure during periods of least
AAA activity to minimize user impact.

Step 1 In the navigation bar, click System Configuration.


Step 2 Click Support.
The Support page appears.
Step 3 If you want to include the Cisco Secure ACS user database in the support file, in
the Details to collect table, select the Collect User Database check box.
Step 4 If you want to include archived system logs, in the Details to collect table, follow
these steps:
a. Select the Collect Previous X Days logs check box.
b. In the X box, type the number of preceding days whose logs you want
collected. The maximum number of preceding days is 9999.
Step 5 Click Run Support Now.
The File Download dialog box appears.
Step 6 On the File Download dialog box, click Save.
The Save As dialog box appears.
Step 7 Use the Save As dialog box to specify where and with what filename you want to
save the cabinet file. Then click Save.
Cisco Secure ACS briefly suspends normal services while a support file is
generated and saved as specified. When the download is complete, a Download
Complete dialog box appears.
Step 8 Make note of the name and location of the support file, and then click Close.
A current cabinet file of support information is written to the location you
specified. You can forward it as needed to a TAC representative or other Cisco
support personnel.

Monitoring System Information


You use this procedure to view the status and distribution of Cisco Secure ACS
resources.
The top row in the Resource Usage table displays CPU idle resource percentage
and available memory space.
The remainder of the Resource Usage table shows each service, profiled as having
allocated to it:
• CPU—A certain percentage of CPU cycles being used. In the System
category, Cisco Secure ACS numbers the CPUs, starting with zero. If there is
more than one CPU, the System category displays CPU information for each
CPU.
• Memory—The amount of memory allocated by each service.
• Handle count—The number of system handles (that is, resources) allocated
by each service.
• Thread count—The number of threads each service has spawned.
To monitor the status of the Cisco Secure ACS services, follow these steps:

Step 1 In the navigation bar, click System Configuration.


Step 2 Click Support.
Cisco Secure ACS displays the Support page.
Step 3 Read system information in the Resource Usage table.

Tip The first row of the Resource Usage table, marked System, displays the
percentage of CPU cycles that are idle. Other rows indicate the percentage
of CPU cycles used by each service. Taken together, these total 100
percent.

Viewing or Downloading Diagnostic Logs


Cisco Secure ACS records diagnostic logs whenever you apply upgrades or
patches to the software running on the appliance. It also creates a diagnostic log
if you use the recovery CD to restore the appliance to its original state.
To view or download an appliance diagnostic log, follow these steps:

Step 1 In the navigation bar, click System Configuration.


Step 2 Click View Diagnostic Logs.
Cisco Secure ACS displays the View Diagnostic Logs page. In the Log File
column, the log files are listed by name. In the File Size column, the size of each
log file appears, in kilobytes. If Cisco Secure ACS failed to create an expected log
file, “Log file is not created” appears in the File Size column.
Step 3 If you want to download a diagnostic log, right-click on the log filename and use
the applicable browser feature to save the log to the location you want.
A copy of the log file is available for viewing in a third-party application, such as
Microsoft Excel or a text editor. If it is requested, you can also send the diagnostic
log file to Cisco support technicians.
Step 4 If you want to view a diagnostic log, click on the log filename.
Cisco Secure ACS displays the contents of the diagnostic log.

Appliance Upgrade Status


This section contains the following topics:
• About Appliance Upgrades, page 8-28
• Distribution Server Requirements, page 8-29
• Upgrading an Appliance, page 8-30
• Transferring an Upgrade Package to an Appliance, page 8-32
• Applying an Upgrade, page 8-35

About Appliance Upgrades


Upgrading a Cisco Secure ACS Appliance is essentially a three-phase process.
See Figure 8-1.

Figure 8-1 Appliance Upgrade Process

[Figure: the upgrade package flows from its source (CD ROM or Cisco.com) to the
distribution server, and from the distribution server to the Cisco Secure ACS
Appliance. The numbered steps in the figure are grouped by phase as follows.]
Upgrade Phase 1: 1. Load Upgrade Package to Distribution Server
Upgrade Phase 2: 2. Unzip package, if necessary; 3. Run Autorun; 4. Browser
Launches; 5. On Install Page, Identify Appliance; 6. Login to ACS; 7. Confirm
Package Identity and Version; 8. Transfer Upgrade to Appliance
Upgrade Phase 3: 9. Apply Upgrade

• Phase One—In the first phase, you obtain an upgrade package and load it
onto a computer designated as a distribution server for Cisco Secure ACS
Appliance upgrade distribution. The upgrade package may be obtained either
as a CD ROM or as a file that you download from Cisco.com.
• Phase Two—In the second phase you transfer installation package files from
the distribution server to the appliance. File transfer is done by the HTTP
server that is part of the installation package. The upgrade files are signed and
the signature is verified after uploading to ensure that they have not been
corrupted.
• Phase Three—The final phase of upgrading the appliance is to apply the
upgrade. Before the upgrade files are applied to the appliance, Cisco Secure
ACS verifies the digital signature on the files to ensure their authenticity and
to verify that they are not corrupt.

Tip While you apply the upgrade, Cisco Secure ACS cannot provide AAA services. If
it is not critical to apply an upgrade package immediately, consider performing
this phase when Cisco Secure ACS downtime will have the least impact.

Distribution Server Requirements


The distribution server must meet the following requirements:
• The distribution server must be able to run Sun Java Runtime Environment
(JRE) 1.3.1. For system requirements of JRE 1.3.1, see http://java.sun.com.
Upgrade package support for JRE 1.3.1 varies with the operating system of
the distribution server, as follows:
– If the distribution server uses Microsoft Windows, the distribution server
need not have JRE 1.3.1 installed. The upgrade package includes JRE
1.3.1, which is used if the JRE is not found on the distribution server.

Note Using the JRE in the upgrade package does not install the JRE on
the distribution server.

– If the distribution server uses Solaris, the distribution server must have
JRE 1.3.1 installed.
• For support, the distribution server must use an English-language version of
one of the following operating systems:
– Windows 2000 Server with Service Pack 3 installed
– Windows XP Professional with Service Pack 1 installed
– Solaris 2.8

Note While the upgrade process may succeed using a different operating
system than those listed above, this list reflects the operating systems
we used to test the upgrade process. We do not support upgrades from
distribution servers that use untested operating systems.

• If you acquire the upgrade package on CD, the distribution server must have
a CD ROM drive or be able to use the CD ROM drive on another computer
that you can access.
• TCP port 8080 should not be in use on the distribution server. The upgrade
process requires exclusive control of it.

Tip We recommend that no other web server runs on the distribution server.

• A supported web browser should be available on the distribution server. If
necessary, you can use a web browser on a different computer than the
distribution server. For a list of supported browsers, see the Release Notes.
The most recent revision to the Release Notes is posted on Cisco.com
(http://www.cisco.com).
Gateway devices between the distribution server and any appliance that you want
to upgrade must permit HTTP traffic to the distribution server on port 8080. They
must also permit a Cisco Secure ACS remote administrative session; therefore,
they must permit HTTP traffic to the appliance on port 2002 and the range of ports
allowed for administrative sessions. For more information, see HTTP Port
Allocation for Administrative Sessions, page 1-22.
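The port requirements above can be checked before you run the autorun file. The following Python script, added here as an example and not part of this guide or of the upgrade package, is meant to be run on the distribution server: it tests whether TCP port 8080 is still free there and whether each appliance you intend to upgrade accepts TCP connections on port 2002, which a gateway that drops that port would prevent. The administrative session port range (page 1-22) is not checked, and `local_listener` exists only so the checks can be exercised offline on the loopback interface.

```python
import socket
from dataclasses import dataclass, field

# Ports named in the requirements: the upgrade HTTP server listens on TCP 8080
# on the distribution server; the appliance's HTML interface is reached on TCP 2002.
DISTRIBUTION_PORT = 8080
ACS_HTML_PORT = 2002


def port_is_free(port, host="127.0.0.1"):
    """True if no other listener holds host:port, i.e. a fresh socket can bind it.

    SO_REUSEADDR is set so that a lingering TIME_WAIT entry is not counted as
    "in use"; a competing LISTEN socket still makes bind() fail.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            sock.bind((host, port))
            return True
        except OSError:
            return False


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes: the host is up and no
    gateway between here and there blocks the port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class PreflightReport:
    ok: bool = True
    findings: list = field(default_factory=list)

    def record(self, passed, ok_msg, fail_msg):
        self.ok = self.ok and passed
        self.findings.append(("OK: " + ok_msg) if passed else ("FAIL: " + fail_msg))


def preflight(appliances, distribution_port=DISTRIBUTION_PORT, acs_port=ACS_HTML_PORT):
    """Run the checks from this machine, which is assumed to be the distribution server."""
    report = PreflightReport()
    report.record(
        port_is_free(distribution_port),
        f"TCP port {distribution_port} is free on the distribution server",
        f"TCP port {distribution_port} is already in use; stop the other web server first",
    )
    for host in appliances:
        report.record(
            tcp_reachable(host, acs_port),
            f"appliance {host} accepts connections on TCP port {acs_port}",
            f"appliance {host} does not accept connections on TCP port {acs_port}; "
            "check the appliance and any gateway between it and this server",
        )
    return report


def local_listener():
    """Throwaway listener on an ephemeral loopback port, used only to exercise the checks offline."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock


if __name__ == "__main__":
    # Placeholder appliance name; replace with the hostname or IP address of each appliance.
    for line in preflight(["acs-appliance.example.test"]).findings:
        print(line)
```

Run it once before inserting the CD or running autorun: a FAIL on port 8080 means another web server is holding the port the installer needs, and a FAIL on an appliance means the transfer would stall at the login step in Step 5 of the transfer procedure.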

Upgrading an Appliance
Before You Begin
Always back up Cisco Secure ACS before upgrading. For information about
backing up Cisco Secure ACS, see Cisco Secure ACS Backup, page 8-8.

To upgrade an appliance, follow these steps:

Step 1 Acquire the upgrade package. Depending upon the type of upgrade package and
any applicable service agreement for Cisco Secure ACS, the way to acquire an
upgrade package differs.
• For commercial upgrade packages, contact your Cisco sales representative.
• If you have a maintenance contract, you may be able to download upgrade
packages from Cisco.com. Contact your Cisco sales representative.
• For upgrade packages that apply patches for specific issues, work with your
TAC representative to acquire the upgrade package.
Step 2 Pick a computer to use as the distribution server. The distribution server must
meet the requirements discussed in Distribution Server Requirements, page 8-29.
Step 3 If you have acquired the upgrade package in a compressed file format, such as a
.zip or .gz file, follow these steps:
a. If you have not already done so, copy the upgrade package file to a directory
available from the distribution server.
b. Use the applicable file decompression utility to extract the upgrade package.

Tip Consider extracting the upgrade package in a new directory created for
the contents of the upgrade package.

Step 4 If you have acquired the upgrade package on CD, do not insert the CD in a CD
ROM drive until instructed to do so. The CD contains autorun files, and if the
distribution server uses Microsoft Windows, the CD ROM drive may
automatically run the autorun files before you want.
Step 5 Transfer the upgrade package to an appliance. For detailed steps, see Transferring
an Upgrade Package to an Appliance, page 8-32.
The upgrade package is on the appliance and ready to be applied.
Step 6 Apply the upgrade package to the appliance. For detailed steps, see Applying an
Upgrade, page 8-35.
Cisco Secure ACS applies the upgrade and runs using the upgraded software.

Transferring an Upgrade Package to an Appliance


Use this procedure to transfer an upgrade package from a distribution server to a
Cisco Secure ACS Appliance.
After you have performed this procedure to upload the upgrade files, you must
still apply the upgrade for it to become effective. For information on applying the
upgrade, see Applying an Upgrade, page 8-35. For more general information
about the upgrade process, see About Appliance Upgrades, page 8-28.
Before You Begin
You must have acquired the upgrade package and selected a distribution server.
For more information, see Upgrading an Appliance, page 8-30.
To transfer an upgrade to your Cisco Secure ACS appliance, follow these steps:

Step 1 If the distribution server uses Microsoft Windows, follow these steps:
a. If you have acquired the upgrade package on CD, insert the CD in a CD ROM
drive on the distribution server.

Tip You can also use a shared CD drive on a different computer. If you do so
and autorun is enabled on the shared CD drive, the HTTP server included
in the upgrade package starts on the other computer.

b. If either of the following conditions is true:
• You have acquired the upgrade package as a compressed file.
• Autorun is not enabled on the CD ROM drive.
then locate the autorun.bat file on the CD or in the directory in which you
extracted the compressed upgrade package, and run it.
The HTTP server starts. Messages from autorun.bat appear in a console window.
Two web browser windows appear. The browser window titled Appliance
Upgrade contains the Enter appliance hostname or IP address box. You can use
the second browser window, titled New Desktop, to start transfers to other
appliances.
Step 2 If the distribution server uses Sun Solaris, follow these steps:
a. If you have acquired the upgrade package on CD, insert the CD in a CD ROM
drive on the distribution server.

b. Locate the autorun.sh file on the CD or in the directory in which you
extracted the compressed upgrade package.
c. Run autorun.sh.
The HTTP server starts. Messages from autorun.sh appear in a console window.
Two web browser windows appear. The browser window titled Appliance
Upgrade contains the Enter appliance hostname or IP address box. You can use
the second browser window, titled New Desktop, to start transfers to other
appliances.
Step 3 If, after you have run the applicable autorun file, no web browser opens, start a
web browser on the distribution server and open the following URL:
http://127.0.0.1:8080/install/index.html

Tip You can access the HTTP server of the distribution server from a web
browser on a different computer using the following URL:
http://IP_address:8080/install/index.html, where IP_address is the IP
address of the distribution server.

Step 4 In the Appliance Upgrade browser window, type the appliance IP address or
hostname in the Enter appliance hostname or IP address box, and click Install.
The Cisco Secure ACS login page for the appliance specified appears.
Step 5 Log in to the Cisco Secure ACS HTML interface. To do so, follow these steps:
a. In the Username box, type a valid Cisco Secure ACS administrator name.
b. In the Password box, type the password for the administrator specified.
c. Click Login.
Step 6 In the navigation bar, click System Configuration.
Step 7 Click Appliance Upgrade Status.
Cisco Secure ACS displays the Appliance Upgrade page.
Step 8 Click Download.
Cisco Secure ACS displays the Appliance Upgrade Form page. This page
contains the Transfer Setup table, which enables you to identify the distribution
server.
Step 9 In the Install Server box, type the hostname or IP address of the distribution
server and click Connect.

The Appliance Upgrade Form page displays the Software Install table, which
details the version and name of the upgrade available from the distribution server.
Step 10 Examine the table to confirm that the version, name, and condition of the upgrade
is satisfactory, and click Download Now.
The Appliance Upgrade page appears and the upgrade file is downloaded from the
distribution server to the appliance. Below the Appliance Versions table,
Cisco Secure ACS displays the status of the download.

Tip On the Appliance Upgrade page, the system displays the message
“Distribution Download in Progress”, followed by the number of
kilobytes downloaded.

Step 11 If you want to update the transfer status message, click Refresh.

Tip You can click Refresh as often as necessary to update the status message
until the transfer completes.

If you click Refresh while the transfer is in progress, Cisco Secure ACS displays
the number of kilobytes downloaded. If you click Refresh after the transfer is
complete, the Apply Upgrade button appears and the transfer progress text is
replaced with a message indicating that an upgrade package is available on the
appliance.
Step 12 To ensure that the upload was successful and the upgrade is ready to be applied,
confirm that the following message appears on the Appliance Upgrade page:
Ready to Upgrade to version, where version is the version of the upgrade
package you have transferred to the appliance.
The upgrade package is successfully transferred to the appliance.
Step 13 If you want to transfer the upgrade package to another appliance, access the
browser window titled New Desktop, click Install Next, and return to Step 4.

Tip If you know the URL for the HTML interface of another appliance, you
can type it in the browser location box and return to Step 5 to transfer the
upgrade package to that appliance.

Step 14 If you are finished transferring upgrade packages to appliances, access the
browser window titled New Desktop and click Stop Distribution Server.
The HTTP server stops and the resources it used on the distribution server are
released.
Step 15 If you want to apply the upgrade, perform the steps in Applying an Upgrade,
page 8-35. Alternatively, you can apply the upgrade by using the upgrade command
at the serial console. For more information about the upgrade command, see
Installation and Setup Guide for Cisco Secure ACS Appliance.

Applying an Upgrade
Perform this procedure to apply an upgrade package to a Cisco Secure ACS
Appliance.

Note As an alternative to this procedure, you can apply the upgrade by using the
upgrade command at the serial console for the Cisco Secure ACS Appliance. For
more information, see Installation and Setup Guide for Cisco Secure ACS
Appliance.

Before You Begin


Before performing this procedure, you must have transferred the upgrade package
to the appliance. For detailed steps, see Transferring an Upgrade Package to an
Appliance, page 8-32. For general steps required to upgrade an appliance, see
Upgrading an Appliance, page 8-30.
Always back up Cisco Secure ACS before upgrading. For information about
backing up Cisco Secure ACS, see Cisco Secure ACS Backup, page 8-8.
While you apply the upgrade, Cisco Secure ACS cannot provide AAA services. If
it is not critical to apply an upgrade package immediately, consider performing
this phase when Cisco Secure ACS downtime will have the least impact.
To apply an upgrade to a Cisco Secure ACS Appliance, follow these steps:

Step 1 In the navigation bar, click System Configuration.


Step 2 Click Appliance Upgrade Status.

Cisco Secure ACS displays the Appliance Upgrade page.


Step 3 Verify that the message “Ready to Upgrade to version” appears, where version is
the version of the upgrade package available on the appliance.
Step 4 Click Apply Upgrade.
Cisco Secure ACS displays the Apply Upgrade Message table. This table displays
messages about the upgrade process.
Step 5 For each message that Cisco Secure ACS displays, read the message carefully and
click the applicable button.

Note You may receive a warning message that an upgrade package is not
verified. Before applying an upgrade or patch, Cisco Secure ACS
attempts to verify that the upgrade or patch is certified by Cisco. Some
valid upgrade packages may not pass this verification, such as patches
distributed for an urgent fix. Do not apply any upgrade package if you
have unresolved concerns about the validity of the upgrade package.

After you have answered all confirmation prompts, Cisco Secure ACS applies the
upgrade. Be aware of the following:
• While applying an upgrade, Cisco Secure ACS services are not available.
This usually includes the HTML interface. After the upgrade is complete, the
services and the HTML interface are available again.
• Applying an upgrade may take several minutes or more. A full upgrade of
Cisco Secure ACS takes longer if the CiscoSecure user database has many
user profiles.
• Upgrading Cisco Secure ACS usually requires the appliance to restart itself
once or twice. Only smaller patches may not require restarts.
• While services restart or the appliance restarts, the HTML interface is not
available. If this occurs, wait for the appliance to resume normal operation,
and then close the original browser window, open a new browser window, and
log in to Cisco Secure ACS again.

Caution Do not reset the appliance while an upgrade is being applied, unless directed to
do so by TAC.

Step 6 After the upgrade is applied, go to the Appliance Upgrade page and verify that the
versions of software on the appliance are as expected.

Note The HTML interface is unavailable while services restart and while the
appliance restarts. When this occurs, the HTML interface is available
again after the upgrade process is complete. Close the original browser
window, open a new browser window, and log in to Cisco Secure ACS
again.

The Appliance Versions table lists the versions of software running on the
appliance. The table entries should reflect the upgrade package that you applied.

CHAPTER 9
System Configuration: Advanced

This chapter addresses the CiscoSecure Database Replication and RDBMS
Synchronization features found in the System Configuration section of
Cisco Secure ACS Appliance. It contains the following topics:
• CiscoSecure Database Replication, page 9-1
• RDBMS Synchronization, page 9-24
• IP Pools Server, page 9-37
• IP Pools Address Recovery, page 9-44

CiscoSecure Database Replication


This section provides information about the CiscoSecure Database Replication
feature, including procedures for implementing this feature and configuring the
Cisco Secure ACSes involved.
This section contains the following topics:
• About CiscoSecure Database Replication, page 9-2
• Important Implementation Considerations, page 9-8
• Database Replication Versus Database Backup, page 9-10
• Database Replication Logging, page 9-11
• Replication Options, page 9-11

• Implementing Primary and Secondary Replication Setups on Cisco Secure
ACSes, page 9-15
• Configuring a Secondary Cisco Secure ACS, page 9-16
• Replicating Immediately, page 9-18
• Scheduling Replication, page 9-20
• Disabling CiscoSecure Database Replication, page 9-23
• Database Replication Event Errors, page 9-23

About CiscoSecure Database Replication


Database replication helps make your AAA environment more fault tolerant.
Database replication helps create mirror systems of Cisco Secure ACSes by
duplicating parts of the primary Cisco Secure ACS setup to one or more
secondary Cisco Secure ACSes. You can configure your AAA clients to use these
secondary Cisco Secure ACSes if the primary Cisco Secure ACS fails or is
unreachable. With a secondary Cisco Secure ACS whose CiscoSecure database is
a replica of the CiscoSecure database on the primary Cisco Secure ACS, if the
primary Cisco Secure ACS goes out of service, incoming requests are
authenticated without network downtime, provided that your AAA clients are
configured to failover to the secondary Cisco Secure ACS.
Database replication allows you to do the following:
• Select the parts of the primary Cisco Secure ACS configuration to be
replicated.
• Control the timing of the replication process, including creating schedules.
• Export selected configuration items from the primary system.
• Securely transport selected configuration data from the primary Cisco Secure
ACS to one or more secondary Cisco Secure ACSes.
• Update the secondary Cisco Secure ACSes to create matching configurations.

Database replication does not support the following:


• IP pool definitions (for more information, see About IP Pools Server,
page 9-38). Replicating IP pool definitions would create the potential for
multiple Cisco Secure ACSes assigning the same IP address to different
clients. You must manually create IP pool definitions on each Cisco Secure
ACS. After you have done so, replication of user and group IP pools settings
is supported.
• Replication between different versions of Cisco Secure ACS. Only
replication between Cisco Secure ACSes using the same version is supported.
We strongly recommend that Cisco Secure ACSes involved in replication use
the same patch level, too.
• Cisco Secure ACS certificate and private key files. These must be installed
on each Cisco Secure ACS.
• User-defined RADIUS vendors and vendor-specific attributes (VSAs). You
must manually add user-defined RADIUS vendors and VSAs to each
Cisco Secure ACS. After you have done so, replication of settings using
user-defined RADIUS vendors and VSAs is supported.
With regard to database replication, we make the following distinctions about
Cisco Secure ACSes:
• Primary Cisco Secure ACS—A Cisco Secure ACS that sends replicated
CiscoSecure database components to other Cisco Secure ACSes.
• Secondary Cisco Secure ACS—A Cisco Secure ACS that receives
replicated CiscoSecure database components from a primary Cisco Secure
ACS. In the HTML interface, these are identified as replication partners.
A Cisco Secure ACS can be both a primary Cisco Secure ACS and a secondary
Cisco Secure ACS, provided that it is not configured to be a secondary
Cisco Secure ACS to a Cisco Secure ACS for which it performs as a primary
Cisco Secure ACS.

Note Bidirectional replication, wherein a Cisco Secure ACS both sends database
components to and receives database components from the same remote
Cisco Secure ACS, is not supported.

Note All Cisco Secure ACSes involved in replication must run the same release of the
Cisco Secure ACS software. For example, if the primary Cisco Secure ACS is
running Cisco Secure ACS version 3.2, all secondary Cisco Secure ACSes should
be running Cisco Secure ACS version 3.2. Because patch releases can introduce
significant changes to the CiscoSecure database, we strongly recommend that
Cisco Secure ACSes involved in replication use the same patch level, too.

Replication Process
This topic describes the process of database replication, including the interaction
between a primary Cisco Secure ACS and each of its secondary Cisco Secure
ACSes. The following steps occur in database replication:
1. The primary Cisco Secure ACS determines if its database has changed since
the last successful replication. If it has, replication proceeds. If it has not,
replication is aborted. No attempt is made to compare the databases of the
primary and secondary Cisco Secure ACSes.

Tip You can force replication to occur by making one change to a user or group
profile, such as changing a password or modifying a RADIUS attribute.

2. The primary Cisco Secure ACS contacts the secondary Cisco Secure ACS. In
this initial connection, the following four events occur:
a. The two Cisco Secure ACSes perform mutual authentication based upon
the shared secret of the primary Cisco Secure ACS. If authentication
fails, replication fails.

Note On the secondary Cisco Secure ACS, the AAA Servers table
entry for the primary Cisco Secure ACS must have the same
shared secret that the primary Cisco Secure ACS has for itself in
its own AAA Servers table entry. The secondary Cisco Secure
ACS’s shared secret is irrelevant.

b. The secondary Cisco Secure ACS verifies that it is not configured to
replicate to the primary Cisco Secure ACS. If it is, replication is aborted.
Cisco Secure ACS does not support bidirectional replication, wherein a
Cisco Secure ACS can act as both a primary and a secondary
Cisco Secure ACS to the same remote Cisco Secure ACS.
c. The primary Cisco Secure ACS verifies that the version of Cisco Secure
ACS that the secondary Cisco Secure ACS is running is the same as its
own version of Cisco Secure ACS. If not, replication fails.
d. The primary Cisco Secure ACS compares the list of database
components it is configured to send with the list of database components
the secondary Cisco Secure ACS is configured to receive. If the
secondary Cisco Secure ACS is not configured to receive any of the
components that the primary Cisco Secure ACS is configured to send, the
database replication fails.
3. After the primary Cisco Secure ACS has determined which components to
send to the secondary Cisco Secure ACS, the replication process continues on
the primary Cisco Secure ACS as follows:
a. The primary Cisco Secure ACS stops its authentication and creates a
copy of the CiscoSecure database components that it is configured to
replicate. During this step, if AAA clients are configured properly, those
that usually use the primary Cisco Secure ACS failover to another
Cisco Secure ACS.
b. The primary Cisco Secure ACS resumes its authentication service. It also
compresses and encrypts the copy of its database components for
transmission to the secondary Cisco Secure ACS.
c. The primary Cisco Secure ACS transmits the compressed, encrypted
copy of its database components to the secondary Cisco Secure ACS.
This transmission occurs over a TCP connection, using port 2000. The
TCP session uses a 128-bit encrypted, Cisco-proprietary protocol.
4. After the preceding events on the primary Cisco Secure ACS, the database
replication process continues on the secondary Cisco Secure ACS as follows:
a. The secondary Cisco Secure ACS receives the compressed, encrypted
copy of the CiscoSecure database components from the primary
Cisco Secure ACS. After transmission of the database components is
complete, the secondary Cisco Secure ACS decompresses the database
components.

User Guide for Cisco Secure ACS Appliance, version 3.2


78-14698-02 9-5
Chapter 9 System Configuration: Advanced
CiscoSecure Database Replication

b. The secondary Cisco Secure ACS stops its authentication service and
replaces its database components with the database components it
received from the primary Cisco Secure ACS. During this step, if AAA
clients are configured properly, those that usually use the secondary
Cisco Secure ACS fail over to another Cisco Secure ACS.
c. The secondary Cisco Secure ACS resumes its authentication service.
Cisco Secure ACS can act as both a primary Cisco Secure ACS and a secondary
Cisco Secure ACS. Figure 9-1 shows a cascading replication scenario. Server 1
acts only as a primary Cisco Secure ACS, replicating to servers 2 and 3, which act
as secondary Cisco Secure ACSes. After replication from server 1 to server 2 has
completed, server 2 acts as a primary Cisco Secure ACS while replicating to
servers 4 and 5. Similarly, server 3 acts as a primary Cisco Secure ACS while
replicating to servers 6 and 7.

Note If you intend to use cascading replication to replicate network configuration
device tables, you must configure the primary Cisco Secure ACS with all
Cisco Secure ACSes that will receive replicated database components, regardless
of whether they receive replication directly or indirectly from the primary
Cisco Secure ACS. In Figure 9-1, server 1 must have an entry in its AAA Servers
table for each of the other six Cisco Secure ACSes. If this is not done, after
replication, servers 2 and 3 do not have servers 4 through 7 in their AAA Servers
tables and replication will fail.

If server 2 were configured to replicate to server 1 in addition to receiving
replication from server 1, replication to server 2 would fail. Cisco Secure ACS
cannot support such a configuration, known as bidirectional replication. To
safeguard against this, a secondary Cisco Secure ACS aborts replication when its
primary Cisco Secure ACS appears on its Replication list.
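The checks described in the replication process steps above (same version on both
peers, at least one component the secondary is configured to receive, no
bidirectional partner) and the cascading requirement in the preceding Note, as an
added Python model. This is not Cisco Secure ACS code and is not part of this
guide; the Acs type, the preflight, downstream and cascade_gaps helpers, the
server names, the version strings and the component names are this example's own
constructions. It reproduces the Figure 9-1 topology so that the AAA Servers
entries server 1 must carry can be computed rather than counted by hand.

```python
"""Constructed model of the primary-side preflight checks for CiscoSecure
database replication and of the AAA Servers coverage a cascade requires.
Added example; all names, versions and component labels are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Acs:
    """One Cisco Secure ACS as seen through its replication-relevant settings."""
    name: str
    version: str
    aaa_servers: set[str] = field(default_factory=set)     # AAA Servers table entries
    send: set[str] = field(default_factory=set)            # components with Send selected
    receive: set[str] = field(default_factory=set)         # components with Receive selected
    replication: list[str] = field(default_factory=list)   # outbound Replication list, in order


def preflight(primary: Acs, secondary: Acs) -> list[str]:
    """Reasons a run from primary to secondary would fail; empty list means it may proceed."""
    problems: list[str] = []
    if secondary.name not in primary.aaa_servers:
        problems.append(f"{primary.name} has no AAA Servers entry for {secondary.name}")
    if primary.name not in secondary.aaa_servers:
        problems.append(f"{secondary.name} has no AAA Servers entry for {primary.name}")
    if primary.version != secondary.version:
        problems.append(f"version mismatch: {primary.version} != {secondary.version}")
    if not (primary.send & secondary.receive):
        problems.append("secondary receives none of the components the primary sends")
    if primary.name in secondary.replication:
        problems.append(f"bidirectional: {secondary.name} lists {primary.name} as a replication partner")
    return problems


def downstream(servers: dict[str, Acs], root: str) -> set[str]:
    """Every ACS reached from root directly or through a cascade, excluding root itself."""
    seen: set[str] = set()
    stack = list(servers[root].replication)
    while stack:
        name = stack.pop()
        if name == root or name in seen:
            continue
        seen.add(name)
        stack.extend(servers[name].replication)
    return seen


def cascade_gaps(servers: dict[str, Acs], root: str) -> list[str]:
    """Downstream ACSes missing from root's AAA Servers table: the condition that makes
    cascaded replication of the network configuration device tables fail."""
    return sorted(downstream(servers, root) - servers[root].aaa_servers)


def figure_9_1(complete_table: bool) -> dict[str, Acs]:
    """Constructed topology of Figure 9-1: 1 -> {2, 3}, 2 -> {4, 5}, 3 -> {6, 7}.
    With complete_table=False, server1 knows only its two direct partners."""
    names = [f"server{i}" for i in range(1, 8)]
    comps = {"user_group_db", "device_tables"}
    s = {n: Acs(n, "3.2", send=set(comps), receive=set(comps)) for n in names}
    s["server1"].replication = ["server2", "server3"]
    s["server2"].replication = ["server4", "server5"]
    s["server3"].replication = ["server6", "server7"]
    for n in names:                       # direct partners know each other both ways
        for peer in s[n].replication:
            s[n].aaa_servers.add(peer)
            s[peer].aaa_servers.add(n)
    if complete_table:
        s["server1"].aaa_servers.update(names[1:])
    return s


if __name__ == "__main__":
    topo = figure_9_1(complete_table=False)
    print("missing from server1's AAA Servers table:", cascade_gaps(topo, "server1"))
    topo["server2"].replication.append("server1")   # a bidirectional mistake
    print(preflight(topo["server1"], topo["server2"]))
```

With complete_table=False the model reports servers 4 through 7 as missing from
server 1's AAA Servers table, which is the failure the Note describes; adding the
entries empties the list. The bidirectional check mirrors the secondary-side abort,
so adding server 1 to server 2's Replication list is flagged before any run starts.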


Figure 9-1 Cascading Database Replication
[Figure: Server 1 replicates to Server 2 and Server 3; Server 2 replicates to
Server 4 and Server 5; Server 3 replicates to Server 6 and Server 7.]

Replication Frequency
The frequency with which your Cisco Secure ACSes replicate can have important
implications for overall AAA performance. With shorter replication frequencies,
a secondary Cisco Secure ACS is more up-to-date with the primary Cisco Secure
ACS. This allows for a more current secondary Cisco Secure ACS if the primary
Cisco Secure ACS fails.
There is a cost to having frequent replications. The more frequent the replication,
the higher the load on a multi-Cisco Secure ACS architecture and on your
network environment. If you schedule frequent replication, network traffic is
much higher. Also, processing load on the replicating systems is increased.
Replication consumes system resources and briefly interrupts authentication; thus
the more often replication is repeated, the greater the impact on the AAA
performance of the Cisco Secure ACS.

Note Regardless of how frequently replication is scheduled to occur, it only occurs
when the database of the primary Cisco Secure ACS has changed since the last
successful replication.

This issue is more apparent with databases that are large or that frequently change.
Database replication is a non-incremental, destructive backup. In other words, it
completely replaces the database and configuration on the secondary
Cisco Secure ACS every time it runs. Therefore, a large database results in
substantial amounts of data being transferred, and the processing overhead can
also be large.

Important Implementation Considerations


You should consider several important points when you implement the
CiscoSecure Database Replication feature:
• Cisco Secure ACS only supports database replication to other Cisco Secure
ACSes. All Cisco Secure ACSes participating in CiscoSecure database
replication must run the same version of Cisco Secure ACS. We strongly
recommend that Cisco Secure ACSes involved in replication use the same
patch level, too.
• You must ensure correct configuration of the AAA Servers table in all
Cisco Secure ACSes involved in replication.
– In its AAA Servers table, a primary Cisco Secure ACS must have an
accurately configured entry for each secondary Cisco Secure ACS.

Note If you intend to use cascading replication to replicate network
configuration device tables, you must configure the primary
Cisco Secure ACS with all Cisco Secure ACSes that will receive
replicated database components, regardless of whether they
receive replication directly or indirectly from that primary
Cisco Secure ACS. For example, if the primary Cisco Secure
ACS replicates to two secondary Cisco Secure ACSes which, in
turn, each replicate to two more Cisco Secure ACSes, the
primary Cisco Secure ACS must have AAA server
configurations for all six Cisco Secure ACSes that will receive
replicated database components.

– In its AAA Servers table, a secondary Cisco Secure ACS must have an
accurately configured entry for each of its primary Cisco Secure ACSes.
– On a primary Cisco Secure ACS and all its secondary Cisco Secure
ACSes, the AAA Servers table entries for the primary Cisco Secure ACS
must have identical shared secrets.


• Only suitably configured, valid Cisco Secure ACSes can be secondary
Cisco Secure ACSes. To configure a secondary Cisco Secure ACS for
database replication, see Configuring a Secondary Cisco Secure ACS,
page 9-16.
• Replication only occurs when the database of the primary Cisco Secure ACS
has changed since the last successful replication, regardless of how
frequently replication is scheduled to occur. When a scheduled or manually
started replication begins, the primary Cisco Secure ACS automatically
aborts replication if its database has not changed since the last successful
replication.

Tip You can force replication to occur by making one change to a user or group
profile, such as changing a password or modifying a RADIUS attribute.

• Replication to secondary Cisco Secure ACSes takes place sequentially in the
order listed in the Replication list under Replication Partners on the
CiscoSecure Database Replication page.
• A secondary Cisco Secure ACS receiving replicated components must be
configured to accept database replication from the primary Cisco Secure
ACS. To configure a secondary Cisco Secure ACS for database replication,
see Configuring a Secondary Cisco Secure ACS, page 9-16.
• Cisco Secure ACS does not support bidirectional database replication. The
secondary Cisco Secure ACS receiving the replicated components verifies
that the primary Cisco Secure ACS is not on its Replication list. If not, the
secondary Cisco Secure ACS accepts the replicated components. If so, it
rejects the components.
• To replicate user and group settings that use user-defined RADIUS vendor
and VSAs, you must manually add the user-defined RADIUS vendor and
VSA definitions on primary and secondary Cisco Secure ACSes, making sure
that the RADIUS vendor slots that the user-defined RADIUS vendors occupy
are identical on each Cisco Secure ACS. After you have done so, replication
of settings using user-defined RADIUS vendors and VSAs is supported. For
more information about user-defined RADIUS vendors and VSAs, see
Custom RADIUS Vendors and VSAs, page 9-27.


Database Replication Versus Database Backup


Do not confuse database replication with system backup. Database replication
does not replace System Backup. While both features provide protection from
partial or complete server loss, each feature addresses the issue in a different way.
System Backup archives data into a format that you can later use to restore the
configuration if the system fails or the data becomes corrupted. The backup data
is stored on the local hard drive and can be copied and removed from the system
for long-term storage. You can store several generations of database backup files.
CiscoSecure Database Replication offers the convenience of copying various
components of the CiscoSecure database to other Cisco Secure ACSes. This can
help you plan a failover AAA architecture and can help reduce the complexity of
your configuration and maintenance tasks. While it is unlikely, it is possible that
CiscoSecure Database Replication can propagate a corrupted database to the
Cisco Secure ACSes that generate your backup files.

Caution The possibility of backing up a corrupted database exists regardless of whether
you use CiscoSecure Database Replication. Because of this small risk, if you are
using Cisco Secure ACS in mission-critical environments, we strongly
recommend that you implement a backup plan that accounts for this possibility.
For more information about backing up the Cisco Secure ACS system or the
CiscoSecure database, see Cisco Secure ACS Backup, page 8-8.

Due to the necessity of local configuration, replication does not process IP pool
definitions (however, IP pool assignments are replicated as part of the user and
group profiles). Therefore, if applicable, common IP pool definitions must be
manually configured in a manner that uses common pool names while
establishing different address ranges. Certificate configuration is not replicated
either, because certificate information is specific to each Cisco Secure ACS.
Also, network device group (NDG) settings, if employed, must remain constant
between Cisco Secure ACSes. That is, you must guard against the primary
Cisco Secure ACS sending a user or group profile that invokes an NDG that is not
defined on the secondary Cisco Secure ACS.


Database Replication Logging


Regardless of whether replication events are successful or not, Cisco Secure ACS
logs all replication events in the Database Replication report, available in the
Reports and Activity section of the HTML interface. For more information about
Cisco Secure ACS reports, see Chapter 1, “Overview.”

Replication Options
The Cisco Secure ACS HTML interface provides three sets of options for
configuring CiscoSecure Database Replication, documented in this section.
This section contains the following topics:
• Replication Components Options, page 9-11
• Outbound Replication Options, page 9-12
• Inbound Replication Options, page 9-14

Replication Components Options


You can specify both the CiscoSecure database components that a Cisco Secure
ACS sends as a primary Cisco Secure ACS and the components that it receives as
a secondary Cisco Secure ACS.

Note The CiscoSecure database components received by a secondary Cisco Secure
ACS overwrite the CiscoSecure database components on the secondary
Cisco Secure ACS. Any information unique to the overwritten database
component is lost.

The options that control the components replicated appear in the Replication
Components table on the CiscoSecure Database Replication page and are as
follows:
• User and group database—Replicate the information for groups and users.
• Network Configuration Device tables—Replicate the AAA Servers tables,
the AAA Clients tables, and the Remote Agent tables in the Network
Configuration section.


• Distribution table—Replicate the Proxy Distribution Table in the Network
Configuration section.
• Interface configuration—Replicate most of the Advanced Options settings
from the Interface Configuration section.
• Interface security settings—Replicate the security information for the
Cisco Secure ACS HTML interface.
• Password validation settings—Replicate the password validation settings.
If mirroring the entire database might send confidential information to the
secondary Cisco Secure ACS, such as the Proxy Distribution Table, you can
configure the primary Cisco Secure ACS to send only a specific category of
database information.

Outbound Replication Options


In the Outbound Replication table on the CiscoSecure Database Replication page,
you can schedule outbound replication and you can specify the secondary
Cisco Secure ACSes for this primary Cisco Secure ACS.
• Scheduling Options—You can specify when CiscoSecure database
replication occurs. The options that control when replication occurs appear in
the Scheduling section of Outbound Replication table and are as follows:
– Manually—Cisco Secure ACS does not perform automatic database
replication.
– Automatically Triggered Cascade—Cisco Secure ACS performs
database replication to the configured list of secondary Cisco Secure
ACSes when database replication from a primary Cisco Secure ACS
completes. This enables you to build a propagation hierarchy of
Cisco Secure ACS, relieving a primary Cisco Secure ACS from the
burden of propagating the replicated components to every other
Cisco Secure ACS. For an illustration of cascade replication, see
Figure 9-1.


Note If you intend to use cascading replication to replicate network
configuration device tables, you must configure the primary
Cisco Secure ACS with all Cisco Secure ACSes that will receive
replicated database components, regardless of whether they
receive replication directly or indirectly from the primary
Cisco Secure ACS. For example, if the primary Cisco Secure
ACS replicates to two secondary Cisco Secure ACSes which, in
turn, each replicate to two more Cisco Secure ACSes, the
primary Cisco Secure ACS must have AAA server
configurations for all six Cisco Secure ACSes that will receive
replicated database components.

– Every X minutes—Cisco Secure ACS performs, on a set frequency,
database replication to the configured list of secondary Cisco Secure
ACSes. The unit of measurement is minutes, with a default update
frequency of 60 minutes.
– At specific times...—Cisco Secure ACS performs, at the time specified
in the day and hour graph, database replication to the configured list of
secondary Cisco Secure ACSes. The minimum interval is one hour, and
the replication takes place on the hour selected.
• Partner Options—You can specify the secondary Cisco Secure ACSes for
this primary Cisco Secure ACS. The options that control the secondary
Cisco Secure ACSes to which a primary Cisco Secure ACS replicates appear
in the Partners section of the Outbound Replication table.

Note The items in the AAA Server and Replication lists reflect the AAA
servers configured in the AAA Servers table in Network
Configuration. To make a particular Cisco Secure ACS available as a
secondary Cisco Secure ACS, you must first add that Cisco Secure
ACS to the AAA Servers table of the primary Cisco Secure ACS.

– AAA Server—This list represents the secondary Cisco Secure ACSes
that this primary Cisco Secure ACS does not send replicated components
to.
– Replication—This list represents the secondary Cisco Secure ACSes
that this primary Cisco Secure ACS does send replicated components to.


Note Cisco Secure ACS does not support bidirectional database replication. A
secondary Cisco Secure ACS receiving replicated components verifies that the
primary Cisco Secure ACS is not on its Replication list. If not, the secondary
Cisco Secure ACS accepts the replicated components. If so, it rejects the
components.

Inbound Replication Options


You can specify the primary Cisco Secure ACSes from which a secondary
Cisco Secure ACS accepts replication. This option appears in the Inbound
Replication table on the CiscoSecure Database Replication page.
The Accept replication from list controls which Cisco Secure ACSes the current
Cisco Secure ACS does accept replicated components from. The list contains the
following options:
• Any Known CiscoSecure ACS Server—If this option is selected,
Cisco Secure ACS accepts replicated components from any Cisco Secure
ACS configured in the AAA Servers table in Network Configuration.
• Other AAA servers—The list displays all the AAA servers configured in the
AAA Servers table in Network Configuration. If a specific AAA server name
is selected, Cisco Secure ACS accepts replicated components only from the
Cisco Secure ACS specified.

Note Cisco Secure ACS does not support bidirectional database replication. A
secondary Cisco Secure ACS receiving replicated components verifies that the
primary Cisco Secure ACS is not on its Replication list. If not, the secondary
Cisco Secure ACS accepts the replicated components. If so, it rejects the
components.

For more information about the AAA Servers table in Network Configuration, see
AAA Server Configuration, page 4-22.
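The acceptance decision a secondary Cisco Secure ACS makes from the settings in
this section (the sender must be in the AAA Servers table, must match the Accept
replication from selection and its shared secret, must not be on this ACS's own
Replication list, and must offer at least one component selected for Receive), as
an added Python model. It is not Cisco's code and the guide does not describe the
on-the-wire protocol; the InboundSettings type, the server names and secrets, and
the order of the checks are this example's assumptions. In particular, the
shared-secret step is modelled as a constant-time comparison of the two configured
strings, which is an assumption about how the AAA Servers entry is used.

```python
"""Constructed model of the secondary-side inbound-replication decision.
Added example; names, secrets and component labels are constructed."""
from __future__ import annotations

import hmac
from dataclasses import dataclass

ANY_KNOWN = "Any Known CiscoSecure ACS Server"   # option name as shown on the page


@dataclass
class InboundSettings:
    """Inbound-replication view of one secondary Cisco Secure ACS (constructed model)."""
    aaa_servers: dict[str, str]   # AAA Servers table: server name -> shared secret
    accept_from: str              # ANY_KNOWN or the name of exactly one primary
    replication: set[str]         # this ACS's own outbound Replication list
    receive: set[str]             # components with Receive selected


def accept_replication(cfg: InboundSettings, sender: str, sender_secret: str,
                       offered: set[str]) -> tuple[bool, str]:
    """Decide whether a run announced by `sender` is accepted; returns (accepted, reason)."""
    if sender not in cfg.aaa_servers:
        return False, f"{sender} is not in the AAA Servers table"
    if cfg.accept_from != ANY_KNOWN and cfg.accept_from != sender:
        return False, f"Accept replication from is set to {cfg.accept_from}"
    # Assumption: the secret in the sender's AAA Servers entry must equal the one the
    # sender presents; compare_digest avoids a timing side channel on the comparison.
    if not hmac.compare_digest(cfg.aaa_servers[sender].encode(), sender_secret.encode()):
        return False, f"shared secret for {sender} does not match"
    if sender in cfg.replication:
        return False, f"bidirectional: {sender} is on this ACS's Replication list"
    taken = offered & cfg.receive
    if not taken:
        return False, "none of the offered components is selected for Receive"
    return True, "accepting " + ", ".join(sorted(taken))


def sample_secondary() -> InboundSettings:
    """Constructed secondary: knows two primaries but accepts only from acs-primary-a."""
    return InboundSettings(
        aaa_servers={"acs-primary-a": "s3cret-a", "acs-primary-b": "s3cret-b"},
        accept_from="acs-primary-a",
        replication={"acs-leaf-1"},
        receive={"user_group_db", "device_tables"},
    )


if __name__ == "__main__":
    cfg = sample_secondary()
    comps = {"user_group_db", "device_tables"}
    print(accept_replication(cfg, "acs-primary-a", "s3cret-a", comps))
    print(accept_replication(cfg, "acs-primary-b", "s3cret-b", comps))
    cfg.accept_from = ANY_KNOWN
    cfg.replication.add("acs-primary-b")        # the bidirectional mistake
    print(accept_replication(cfg, "acs-primary-b", "s3cret-b", comps))
```

Switching accept_from to ANY_KNOWN widens acceptance to every entry in the AAA
Servers table, which is why the page limits that option to servers already in the
table; the bidirectional and Receive checks still apply afterwards.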


Implementing Primary and Secondary Replication Setups on Cisco Secure ACSes
If you implement a replication scheme that uses cascading replication, the
Cisco Secure ACS configured to replicate only when it has received replicated
components from another Cisco Secure ACS acts both as a primary Cisco Secure
ACS and as a secondary Cisco Secure ACS. First, it acts as a secondary
Cisco Secure ACS while it receives replicated components, and then it acts as a
primary Cisco Secure ACS while it replicates components to other Cisco Secure
ACSes. For an illustration of cascade replication, see Figure 9-1.
To implement primary and secondary replication setups on Cisco Secure ACSes,
follow these steps:

Step 1 On each secondary Cisco Secure ACS, follow these steps:


a. In the Network Configuration section, add the primary Cisco Secure ACS to
the AAA Servers table.
For more information about adding entries to the AAA Servers table, see
AAA Server Configuration, page 4-22.
b. Configure the secondary Cisco Secure ACS to receive replicated
components. For instructions, see Configuring a Secondary Cisco Secure
ACS, page 9-16.
Step 2 On the primary Cisco Secure ACS, follow these steps:
a. In the Network Configuration section, add each secondary Cisco Secure ACS
to the AAA Servers table.

Note If you intend to use cascading replication to replicate network
configuration device tables, you must configure the primary
Cisco Secure ACS with all Cisco Secure ACSes that will receive
replicated database components, regardless of whether they receive
replication directly or indirectly from the primary Cisco Secure ACS.
For example, if the primary Cisco Secure ACS replicates to two
secondary Cisco Secure ACSes which, in turn, each replicate to two
more Cisco Secure ACSes, the primary Cisco Secure ACS must have
AAA server configurations for all six Cisco Secure ACSes that will
receive replicated database components.


For more information about adding entries to the AAA Servers table, see
AAA Server Configuration, page 4-22.
b. If you want to replicate according to a schedule, at intervals, or whenever the
primary Cisco Secure ACS has received replicated components from another
Cisco Secure ACS, see Scheduling Replication, page 9-20.
c. If you want to initiate replication immediately, see Replicating Immediately,
page 9-18.

Configuring a Secondary Cisco Secure ACS

Note If this feature does not appear, click Interface Configuration, click Advanced
Options, and select the CiscoSecure ACS Database Replication check box.
Select the Distributed System Settings check box if not already selected.

The CiscoSecure Database Replication feature requires that you configure
specific Cisco Secure ACSes to act as secondary Cisco Secure ACSes. The
components that a secondary Cisco Secure ACS is to receive must be explicitly
specified, as must be its primary Cisco Secure ACS.
Replication is always initiated by the primary Cisco Secure ACS. For more
information about sending replication components, see Replicating Immediately,
page 9-18 or Scheduling Replication, page 9-20.

Caution The CiscoSecure database components received by a secondary Cisco Secure
ACS overwrite the CiscoSecure database components on the secondary
Cisco Secure ACS. Any information unique to the overwritten database
component is lost.

Before You Begin


Ensure correct configuration of the AAA Servers table in the secondary
Cisco Secure ACS. This secondary Cisco Secure ACS must have an entry in its
AAA Servers table for each of its primary Cisco Secure ACSes. Also, the AAA
Servers table entry for each primary Cisco Secure ACS must have the same shared
secret that the primary Cisco Secure ACS has for its own entry in its AAA Servers
table. For more information about the AAA Servers table, see AAA Server
Configuration, page 4-22.
To configure a Cisco Secure ACS to be a secondary Cisco Secure ACS, follow
these steps:

Step 1 Log in to the HTML interface on the secondary Cisco Secure ACS.
Step 2 In the navigation bar, click System Configuration.
Step 3 Click CiscoSecure Database Replication.
The Database Replication Setup page appears.
Step 4 In the Replication Components table, select the Receive check box for each
database component to be received from a primary Cisco Secure ACS.
For more information about replication components, see Replication Components
Options, page 9-11.
Step 5 Make sure that no Cisco Secure ACS from which this secondary Cisco Secure ACS
is to receive replicated components is included in the Replication list. If one is,
select that primary Cisco Secure ACS in the Replication list and click the <-- (left
arrow) to move it to the AAA Servers list.

Note Cisco Secure ACS does not support bidirectional database replication. A
secondary Cisco Secure ACS receiving replicated components verifies
that the primary Cisco Secure ACS is not on its Replication list. If not, the
secondary Cisco Secure ACS accepts the replicated components. If so, it
aborts replication.

Step 6 If the secondary Cisco Secure ACS is to receive replication components from only
one primary Cisco Secure ACS, from the Accept replication from list, select the
name of the primary Cisco Secure ACS.
The primary Cisco Secure ACSes available in the Accept replication from list are
determined by the AAA Servers table in the Network Configuration section. For
more information about the AAA Servers table, see AAA Server Configuration,
page 4-22.


Note On the primary Cisco Secure ACS and all secondary Cisco Secure
ACSes, the AAA Servers table entries for the primary Cisco Secure ACS
must have identical shared secrets.

Step 7 If the secondary Cisco Secure ACS is to receive replication components from
more than one primary Cisco Secure ACS, from the Accept replication from list,
select Any Known CiscoSecure ACS Server.
The Any Known CiscoSecure ACS Server option is limited to the Cisco Secure
ACSes listed in the AAA Servers table in Network Configuration.

Note For each primary Cisco Secure ACS for this secondary Cisco Secure
ACS, on both the primary and secondary Cisco Secure ACS, the AAA
Servers table entries for the primary Cisco Secure ACS must have
identical shared secrets.

Step 8 Click Submit.


Cisco Secure ACS saves the replication configuration, and at the frequency or
times you specified, Cisco Secure ACS begins accepting the replicated
components from the other Cisco Secure ACSes you specified.

Replicating Immediately
You can manually start database replication.

Note Replication cannot occur until you have configured at least one secondary
Cisco Secure ACS. For more information about configuring a secondary
Cisco Secure ACS, see Configuring a Secondary Cisco Secure ACS, page 9-16.

Before You Begin


Ensure correct configuration of the primary and secondary Cisco Secure ACSes.
For detailed steps, see Implementing Primary and Secondary Replication Setups
on Cisco Secure ACSes, page 9-15.


For each secondary Cisco Secure ACS that this Cisco Secure ACS is to send
replicated components to, make sure that you have completed the steps in
Configuring a Secondary Cisco Secure ACS, page 9-16.
To initiate database replication immediately, follow these steps:

Step 1 Log in to the HTML interface on the primary Cisco Secure ACS.
Step 2 In the navigation bar, click System Configuration.
Step 3 Click CiscoSecure Database Replication.

Note If this feature does not appear, click Interface Configuration, click
Advanced Options, and select the CiscoSecure ACS Database
Replication check box. Select the Distributed System Settings check
box if not already selected.

The Database Replication Setup page appears.


Step 4 For each CiscoSecure database component you want to replicate to a secondary
Cisco Secure ACS, under Replication Components, select the corresponding
Send check box.
Step 5 For each secondary Cisco Secure ACS that you want the primary Cisco Secure
ACS to replicate its select components to, select the secondary Cisco Secure ACS
from the AAA Servers list, and then click --> (right arrow button).

Tip If you want to remove a secondary Cisco Secure ACS from the
Replication list, select the secondary Cisco Secure ACS in the
Replication list, and then click <-- (left arrow button).

Note Cisco Secure ACS does not support bidirectional database replication. A
secondary Cisco Secure ACS receiving replicated components verifies
that the primary Cisco Secure ACS is not on its Replication list. If not, the
secondary Cisco Secure ACS accepts the replicated components. If so, it
rejects the components.

Step 6 At the bottom of the browser window, click Replicate Now.


Cisco Secure ACS saves the replication configuration. Cisco Secure ACS
immediately begins sending replicated database components to the secondary
Cisco Secure ACSes you specified.

Note Replication only occurs when the database of the primary Cisco Secure
ACS has changed since the last successful replication. You can force
replication to occur by making one change to a user or group profile, such
as changing a password or RADIUS attribute.

Scheduling Replication
You can schedule when a primary Cisco Secure ACS sends its replicated database
components to a secondary Cisco Secure ACS. For more information about
replication scheduling options, see Outbound Replication Options, page 9-12.

Note Replication cannot occur until the secondary Cisco Secure ACSes are configured
properly. For more information, see Configuring a Secondary Cisco Secure ACS,
page 9-16.

Before You Begin


Ensure correct configuration of the primary and secondary Cisco Secure ACSes.
For detailed steps, see Implementing Primary and Secondary Replication Setups
on Cisco Secure ACSes, page 9-15.
For each secondary Cisco Secure ACS of this primary Cisco Secure ACS, ensure
that you have completed the steps in Configuring a Secondary Cisco Secure ACS,
page 9-16.
To schedule when a primary Cisco Secure ACS replicates to its secondary
Cisco Secure ACSes, follow these steps:

Step 1 Log in to the HTML interface on the primary Cisco Secure ACS.
Step 2 In the navigation bar, click System Configuration.
Step 3 Click CiscoSecure Database Replication.


Note If this feature does not appear, click Interface Configuration, click
Advanced Options, and select the CiscoSecure ACS Database
Replication check box. Select the Distributed System Settings check
box if not already selected.

The Database Replication Setup page appears.


Step 4 To specify which CiscoSecure database components the primary Cisco Secure
ACS should send to its secondary Cisco Secure ACSes, under Replication
Components, select the corresponding Send check box for each database
component to be sent.
For more information about replicated database components, see Replication
Components Options, page 9-11.
Step 5 To have the primary Cisco Secure ACS send replicated database components to
its secondary Cisco Secure ACSes at regular intervals, under Replication
Scheduling, select the Every X minutes option and in the X box type the length
of the interval at which Cisco Secure ACS should perform replication (up to 7
characters).

Note Because Cisco Secure ACS is momentarily shut down during replication,
a short replication interval may cause frequent failover of your AAA
clients to other Cisco Secure ACSes. If AAA clients are not configured to
failover to other Cisco Secure ACSes, the brief interruption in
authentication service may prevent users from authenticating. For more
information, see Replication Frequency, page 9-7.

Step 6 If you want to schedule times at which the primary Cisco Secure ACS sends its
replicated database components to its secondary Cisco Secure ACSes, follow
these steps:
a. In the Outbound Replication table, select the At specific times option.
b. In the day and hour graph, click the times at which you want Cisco Secure
ACS to perform replication.


Tip Clicking times of day on the graph selects those times; clicking again
clears them. At any time you can click Clear All to clear all hours, or you
can click Set All to select all hours.

Step 7 If you want to have this Cisco Secure ACS send replicated database components
immediately upon receiving replicated database components from another
Cisco Secure ACS, select the Automatically triggered cascade option.

Note If you specify the Automatically triggered cascade option, you must
configure another Cisco Secure ACS to act as a primary Cisco Secure
ACS to this Cisco Secure ACS; otherwise, this Cisco Secure ACS never
replicates to its secondary Cisco Secure ACSes.

Step 8 You must specify the secondary Cisco Secure ACSes that this Cisco Secure ACS
should replicate to. To do so, follow these steps:

Note Cisco Secure ACS does not support bidirectional database replication. A
secondary Cisco Secure ACS receiving replicated database components
verifies that the primary Cisco Secure ACS is not on its Replication list.
If not, the secondary Cisco Secure ACS accepts the replicated database
components. If so, it rejects the components. For more information about
replication partners, see Inbound Replication Options, page 9-14.

a. In the Outbound Replication table, from the AAA Servers list, select the
name of a secondary Cisco Secure ACS to which you want the primary
Cisco Secure ACS to send its selected replicated database components.

Note The secondary Cisco Secure ACSes available in the AAA Servers list
are determined by the AAA Servers table in Network Configuration.
For more information about the AAA Servers table, see AAA Server
Configuration, page 4-22.

b. Click --> (right arrow button).
The selected secondary Cisco Secure ACS moves to the Replication list.


c. Repeat Step a and Step b for each secondary Cisco Secure ACS to which you
want the primary Cisco Secure ACS to send its selected replicated database
components.
Step 9 Click Submit.
Cisco Secure ACS saves the replication configuration you created.

Disabling CiscoSecure Database Replication


You can disable scheduled CiscoSecure database replications without losing the
schedule itself. This allows you to cease scheduled replications temporarily and
later resume them without having to re-enter the schedule information.
To disable CiscoSecure database replication, follow these steps:

Step 1 Log in to the HTML interface on the primary Cisco Secure ACS.
Step 2 In the navigation bar, click System Configuration.
Step 3 Click CiscoSecure Database Replication.
The Database Replication Setup page appears.
Step 4 In the Replication Components table, clear all check boxes.
Step 5 In the Outbound Replication table, select the Manually option.
Step 6 Click Submit.
Cisco Secure ACS does not permit any replication to or from this Cisco Secure
ACS server.

Database Replication Event Errors


The Database Replication report contains messages indicating errors that occur
during replication. For more information about the Database Replication report,
see Cisco Secure ACS System Logs, page 11-12.


RDBMS Synchronization
This section provides information about the RDBMS Synchronization feature,
including procedures for implementing this feature, within both Cisco Secure
ACS and the external data source involved.
This section contains the following topics:
• About RDBMS Synchronization, page 9-24
– Users, page 9-25
– User Groups, page 9-26
– Network Configuration, page 9-26
– Custom RADIUS Vendors and VSAs, page 9-27
• RDBMS Synchronization Components, page 9-27
– About CSDBSync, page 9-28
– About the accountActions File, page 9-28
• Cisco Secure ACS Database Recovery Using the accountActions Table,
page 9-28
• Preparing to Use RDBMS Synchronization, page 9-29
• RDBMS Synchronization Options, page 9-31
– FTP Setup Options, page 9-31
– Synchronization Scheduling Options, page 9-32
– Synchronization Partners Options, page 9-32
• Performing RDBMS Synchronization Immediately, page 9-32
• Scheduling RDBMS Synchronization, page 9-34
• Disabling Scheduled RDBMS Synchronizations, page 9-37

About RDBMS Synchronization


The RDBMS Synchronization feature provides the ability to update the
CiscoSecure user database with information from a text file on an FTP server. The
text file can be generated by a third-party application. Cisco Secure ACS gets the
file from the FTP server, reads the file, and performs the configuration actions


specified in the file. You can also regard RDBMS Synchronization as an API:
much of what you can configure for a user, group, or device through the
Cisco Secure ACS HTML interface, you can alternatively maintain through this
feature. RDBMS Synchronization supports addition, modification, and deletion
for all data items it can access.
You can configure synchronization to occur on a regular schedule. You can also
perform synchronizations manually, updating the CiscoSecure user database on
demand.
Synchronization performed by a single Cisco Secure ACS can update the internal
databases of other Cisco Secure ACSes, so you need only configure RDBMS
Synchronization on one Cisco Secure ACS. Communication between
Cisco Secure ACSes for the purposes of RDBMS Synchronization uses an
encrypted, Cisco-proprietary protocol. Each Cisco Secure ACS listens on TCP
port 2000 for synchronization data, so any firewall between synchronization
partners must permit TCP port 2000 from the synchronizing Cisco Secure ACS to
each partner.

Users
Among the user-related configuration actions that RDBMS Synchronization can
perform are the following:
• Adding users.
• Deleting users.
• Setting passwords.
• Setting user group memberships.
• Setting Max Sessions parameters.
• Setting network usage quota parameters.
• Configuring command authorizations.
• Configuring network access restrictions.
• Configuring time-of-day/day-of-week access restrictions.
• Assigning IP addresses.
• Specifying outbound RADIUS attribute values.
• Specifying outbound TACACS+ attribute values.


Note For specific information about all actions that RDBMS Synchronization can
perform, see Appendix E, “RDBMS Synchronization Import Definitions.”

User Groups
Among the group-related configuration actions that RDBMS Synchronization can
perform are the following:
• Setting Max Sessions parameters.
• Setting network usage quota parameters.
• Configuring command authorizations.
• Configuring network access restrictions.
• Configuring time-of-day/day-of-week access restrictions.
• Specifying outbound RADIUS attribute values.
• Specifying outbound TACACS+ attribute values.

Note For specific information about all actions that RDBMS Synchronization can
perform, see Appendix E, “RDBMS Synchronization Import Definitions.”

Network Configuration
Among the network device-related configuration actions that RDBMS
Synchronization can perform are the following:
• Adding AAA clients.
• Deleting AAA clients.
• Setting AAA client configuration details.
• Adding AAA servers.
• Deleting AAA servers.
• Setting AAA server configuration details.
• Adding and configuring Proxy Distribution Table entries.


Note For specific information about all actions that RDBMS Synchronization can
perform, see Appendix E, “RDBMS Synchronization Import Definitions.”

Custom RADIUS Vendors and VSAs


RDBMS Synchronization enables you to configure custom RADIUS vendors and
VSAs. In addition to supporting a set of predefined RADIUS vendors and
vendor-specific attributes (VSAs), Cisco Secure ACS supports RADIUS vendors
and VSAs that you define. Vendors you add must be IETF-compliant; therefore,
all VSAs that you add must be sub-attributes of IETF RADIUS attribute
number 26.
You can define up to ten custom RADIUS vendors. Cisco Secure ACS allows
only one instance of any given vendor, as defined by the unique vendor IETF ID
number and by the vendor name.

Note If you intend to replicate user-defined RADIUS vendor and VSA configurations,
user-defined RADIUS vendor and VSA definitions to be replicated must be
identical on the primary and secondary Cisco Secure ACSes, including the
RADIUS vendor slots that the user-defined RADIUS vendors occupy. For more
information about database replication, see CiscoSecure Database Replication,
page 9-1.

For specific information about all actions that RDBMS Synchronization can
perform, see Appendix E, “RDBMS Synchronization Import Definitions.”
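The requirement that every custom VSA be a sub-attribute of IETF RADIUS attribute 26 is easiest to see on the wire. The following Python is an added example written for this page, not code from the Cisco Secure ACS user guide or from Cisco: it encodes and decodes a Vendor-Specific attribute in the layout that RFC 2865 section 5.26 defines (Type 26, Length, a four-octet Vendor-Id whose high octet is zero, then Vendor-Type, Vendor-Length and the value). Vendor ID 9 (Cisco) and vendor-type 1 (cisco-avpair) are real registered values; the AV-pair string is a constructed sample.

```python
# Added example: on-the-wire layout of a RADIUS vendor-specific attribute
# (RFC 2865 section 5.26). Not from the Cisco Secure ACS guide or Cisco code.
import struct

VENDOR_SPECIFIC = 26     # IETF attribute type that wraps every VSA
CISCO_VENDOR_ID = 9      # Cisco's registered SMI enterprise number
CISCO_AVPAIR = 1         # Cisco vendor-type for cisco-avpair


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Build one attribute-26 TLV: Type, Length, Vendor-Id, then the vendor
    sub-attribute (Vendor-Type, Vendor-Length, value)."""
    if not 0 <= vendor_id <= 0xFFFFFF:
        # RFC 2865: the high octet of Vendor-Id is zero (24-bit SMI number).
        raise ValueError("Vendor-Id must fit in 24 bits")
    if not 1 <= vendor_type <= 255:
        raise ValueError("Vendor-Type must be 1..255")
    vendor_length = 2 + len(value)      # Vendor-Type + Vendor-Length + value
    length = 2 + 4 + vendor_length      # Type + Length + Vendor-Id + sub-attr
    if length > 255:
        raise ValueError("RADIUS attribute exceeds 255 octets")
    return (struct.pack("!BB", VENDOR_SPECIFIC, length)
            + struct.pack("!I", vendor_id)
            + struct.pack("!BB", vendor_type, vendor_length)
            + value)


def decode_vsa(attr: bytes):
    """Parse an attribute-26 TLV into (vendor_id, [(vendor_type, value), ...]).
    Several vendor sub-attributes may be packed into one attribute 26, so the
    loop keeps going until the declared Length is consumed."""
    if len(attr) < 7 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    subs, pos = [], 6
    while pos < len(attr):
        if pos + 2 > len(attr):
            raise ValueError("truncated vendor sub-attribute header")
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 2 or pos + vlen > len(attr):
            raise ValueError("vendor sub-attribute length out of range")
        subs.append((vtype, attr[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def cisco_avpair(av_pair: str) -> bytes:
    """Wrap a cisco-avpair string, e.g. 'shell:priv-lvl=15', as a VSA."""
    return encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, av_pair.encode("ascii"))


if __name__ == "__main__":
    # Constructed sample: grant privilege level 15 on a Cisco device.
    packet_attr = cisco_avpair("shell:priv-lvl=15")
    print(packet_attr.hex())          # begins 1a19000000090113
    print(decode_vsa(packet_attr))    # (9, [(1, b'shell:priv-lvl=15')])
```

When you define a custom vendor in Cisco Secure ACS, the vendor IETF ID you enter is the four-octet Vendor-Id field above, and each VSA you add is one (Vendor-Type, value) pair inside it; a vendor whose attributes are not carried this way is not IETF-compliant and cannot be added.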

RDBMS Synchronization Components


The RDBMS Synchronization feature comprises two components:
• CSDBSync—A service that performs automated user and group account
management services for Cisco Secure ACS.
• accountActions File—The file that holds information used by CSDBSync to
update the CiscoSecure user database.


About CSDBSync
The CSDBSync service reads the accountActions file. While
“accountActions.csv” is the default name for the accountActions file, you can
name the file however you like. Synchronization events fail if CSDBSync cannot
access the accountActions file.
CSDBSync reads each record from the accountActions file and updates the
CiscoSecure user database as specified by the action code in the record. For
example, a record could instruct CSDBSync to add a user or change a user
password.
For more information about CSDBSync or other Windows services used by
Cisco Secure ACS, see Chapter 1, “Overview.”

About the accountActions File


The accountActions file contains a set of rows that define actions CSDBSync is
to perform in the CiscoSecure user database. Each row in the accountActions file
holds user, user group, or AAA client information. Except for the first row (which
is used for field headers and thus is ignored during synchronization), each row
also contains an action field and several other fields. These fields provide
CSDBSync with the information it needs to update the CiscoSecure user database.
For full details of the accountActions file format and available actions, see
Appendix E, “RDBMS Synchronization Import Definitions.”

Cisco Secure ACS Database Recovery Using the accountActions Table
Combining all instances of accountActions files in the order they were processed
by RDBMS Synchronization produces, in effect, a transaction queue. The
RDBMS Synchronization feature does not maintain a transaction log/audit trail.
If a log is required, the external system that generates accountActions files must
create it. Unless the external system can recreate the entire transaction history in
the accountActions file, we recommend that you construct a transaction log file
for recovery purposes. To do this, create a transaction log file that is stored in a
safe location and backed up on a regular basis. In that second file, mirror all the


additions and updates to records in the accountActions file. The transaction log
file would therefore be a concatenation of all actions recorded in the many
instances of the accountActions file processed by RDBMS Synchronization.
If the database is large, it is not practical to recreate the CiscoSecure user database
by replaying the transaction log for the entire history of the system. Instead, create
regular backups of the CiscoSecure user database and replay the transaction logs
from the time of most recent backup to bring the CiscoSecure user database back
in synchronization with the external system. For information on creating backup
files, see Cisco Secure ACS Backup, page 8-8.
Replaying transaction logs that slightly predate the checkpoint does not damage
the CiscoSecure user database, although some transactions might be invalid and
reported as errors. As long as the entire transaction log is replayed, the
CiscoSecure user database is consistent with the database of the external system.

Preparing to Use RDBMS Synchronization


Synchronizing the CiscoSecure user database using data from an accountActions
file requires that you complete several significant steps external to Cisco Secure
ACS before configuring the RDBMS Synchronization feature within
Cisco Secure ACS.
To prepare to use RDBMS Synchronization, follow these steps:

Step 1 Determine the following items:
• How to create the accountActions file. For more information about the
accountActions file, see About the accountActions File, page 9-28. For
details on the format and content of the accountActions file, see Appendix E,
“RDBMS Synchronization Import Definitions.”
• The FTP server you want to use to make the accountActions file accessible to
Cisco Secure ACS.
• How to copy the accountActions file to the applicable directory on the FTP
server, if the accountActions file is generated in a directory different from the
directory that Cisco Secure ACS is to get it from on the FTP server.


Step 2 Configure your third-party system to generate the accountActions file
periodically. The mechanism for maintaining your accountActions file is unique
to your implementation. If the third-party system you are using to update the
accountActions file is a commercial product, for assistance, refer to the
documentation supplied by your third-party system vendor.
For information about the format and content of the accountActions file, see
Appendix E, “RDBMS Synchronization Import Definitions.”
Step 3 If needed, configure the mechanism that is to copy the accountActions file
from where it is generated to the applicable directory on the FTP server.
Step 4 Validate that your third-party system updates the accountActions file properly.
Rows generated in the accountActions file must be valid. For details on the format
and content of the accountActions file, see Appendix E, “RDBMS
Synchronization Import Definitions.”

Note After testing that the third-party system updates the accountActions file
properly, discontinue updating the accountActions file until after you
have completed Step 5.

Step 5 Schedule RDBMS synchronization in Cisco Secure ACS. For steps, see
Scheduling RDBMS Synchronization, page 9-34.
Step 6 Configure your third-party system to begin updating the accountActions file with
information to be imported into the CiscoSecure user database. If needed, activate
the mechanism that is to copy the accountActions file to the applicable directory
on the FTP server.
Step 7 Confirm that RDBMS synchronization is operating properly by monitoring the
RDBMS Synchronization report in the Reports and Activity section. For more
information about the RDBMS Synchronization log, see Cisco Secure ACS
System Logs, page 11-12.
Also, monitor the CSDBSync service log. For more information about the
CSDBSync service log, see Service Logs, page 11-25.
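The file-format description under About the accountActions File, the recovery procedure under Cisco Secure ACS Database Recovery Using the accountActions Table, and Step 4 of this procedure all come down to the same small amount of code: read the file the third-party system produced, reject malformed rows before CSDBSync sees them, mirror the accepted rows into a transaction log, and be able to replay that log over a backup. The Python below is an added example written for this page, not Cisco's code and not CSDBSync. The column names and action codes it uses are assumed placeholders; the authoritative layout and action codes are in Appendix E, so substitute them before running this against a production file. The sample file is constructed, and it carries a cleartext password on purpose, because that is what a real accountActions file can contain and why its transport and storage need protection.

```python
# Added example, not Cisco's code. Column names and action codes are ASSUMED
# placeholders; the authoritative layout is Appendix E of the ACS user guide.
import csv
import io

FIELDS = ["SequenceId", "Action", "UserName", "GroupName", "Value"]   # assumed
ACTIONS = {"ADD_USER", "DELETE_USER", "SET_PASSWORD", "SET_GROUP"}     # assumed

# Constructed sample file: header row, four good rows, two bad rows.
SAMPLE_FILE = """SequenceId,Action,UserName,GroupName,Value
1,ADD_USER,alice,Staff,
2,SET_PASSWORD,alice,,S3cr3t!
3,ADD_USER,bob,Contractors,
4,SET_GROUP,bob,Staff,
5,FROB_USER,carol,,
6,DELETE_USER,,,
"""


def validate_rows(text):
    """Check an accountActions file before it is published to the FTP server.
    The header row is skipped, as the guide says CSDBSync ignores it.
    Returns (accepted_records, error_messages)."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header != FIELDS:
        return [], [f"bad or missing header row: {header}"]
    records, errors = [], []
    for lineno, row in enumerate(reader, start=2):
        if len(row) != len(FIELDS):
            errors.append(f"line {lineno}: expected {len(FIELDS)} fields, got {len(row)}")
            continue
        rec = dict(zip(FIELDS, row))
        if rec["Action"] not in ACTIONS:
            errors.append(f"line {lineno}: unknown action {rec['Action']!r}")
        elif not rec["UserName"] or not rec["SequenceId"].isdigit():
            errors.append(f"line {lineno}: UserName and numeric SequenceId are required")
        else:
            records.append(rec)
    return records, errors


def append_to_log(log, records):
    """Mirror accepted rows into the external transaction log, so the log is
    the concatenation of every accountActions file ever handed to ACS."""
    log.extend(records)
    return log


def replay(backup, log_records):
    """Rebuild the user database from a backup plus log records. Replaying a
    record that predates the backup is harmless: it is reported as an error
    and skipped, which is the behaviour the guide describes."""
    db = {name: dict(attrs) for name, attrs in backup.items()}
    errors = []
    for rec in log_records:
        seq, user, act = rec["SequenceId"], rec["UserName"], rec["Action"]
        if act == "ADD_USER":
            if user in db:
                errors.append(f"seq {seq}: {user} already exists")
            else:
                db[user] = {"group": rec["GroupName"], "password": None}
        elif act == "DELETE_USER":
            if db.pop(user, None) is None:
                errors.append(f"seq {seq}: {user} does not exist")
        elif user not in db:
            errors.append(f"seq {seq}: {user} does not exist")
        elif act == "SET_PASSWORD":
            db[user]["password"] = rec["Value"]
        elif act == "SET_GROUP":
            db[user]["group"] = rec["GroupName"]
    return db, errors


def demo():
    """Validate the sample, log it, then recover from a backup taken after
    seq 2 by replaying the whole log (so seq 1 and 2 predate the backup)."""
    records, file_errors = validate_rows(SAMPLE_FILE)
    log = append_to_log([], records)
    backup = {"alice": {"group": "Staff", "password": "S3cr3t!"}}
    db, replay_errors = replay(backup, log)
    return db, file_errors, replay_errors


if __name__ == "__main__":
    db, file_errors, replay_errors = demo()
    print(db)
    print(file_errors)       # the two rejected rows
    print(replay_errors)     # ['seq 1: alice already exists']
```

Run the validator as the last step of whatever job publishes the file to the FTP server, and refuse to publish when it reports errors; that is the check Step 4 asks for, made repeatable. Keep the transaction log and the backups on a different host from the FTP server, since both contain the same passwords the accountActions file does.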


RDBMS Synchronization Options


The RDBMS Synchronization Setup page, available from System Configuration,
provides control of the RDBMS Synchronization feature. It contains three tables
whose options are described in this section.
This section contains the following topics:
• FTP Setup Options, page 9-31
• Synchronization Scheduling Options, page 9-32
• Synchronization Partners Options, page 9-32

FTP Setup Options


The FTP Setup For Account Actions Download table defines how Cisco Secure
ACS retrieves the accountActions file. It contains the following options:
• Actions File—The name of the accountActions file. The default name is
“actions.csv”. The filename provided must match the name of the
accountActions file on the FTP server.
• FTP Server—The IP address or hostname of the FTP server that
Cisco Secure ACS is to get the accountActions file from. If you specify a
hostname, DNS must be enabled on your network.
• Directory—The relative path from the FTP server root directory to the
directory where the accountActions file is. To specify the FTP root directory,
enter a single period or “dot”.
• Username—A valid username to enable Cisco Secure ACS to access the FTP
server.
• Password—The password for the username provided in the Username box.
FTP carries the username, the password, and the file contents in cleartext, and
an accountActions file can contain user passwords (see Users, page 9-25). Keep
the FTP server on a protected management network that only the Cisco Secure
ACS can reach, and give the FTP account read-only access to the directory that
holds the accountActions file.


Synchronization Scheduling Options


The Synchronization Scheduling table defines when synchronization occurs. It
contains the following scheduling options:
• Manually—Cisco Secure ACS does not perform automatic RDBMS
synchronization.
• Every X minutes—Cisco Secure ACS performs synchronization on a set
frequency. The unit of measurement is minutes, with a default update
frequency of 60 minutes.
• At specific times...—Cisco Secure ACS performs synchronization at the
time specified in the day and hour graph. The minimum interval is one hour,
and the synchronization takes place on the hour selected.

Synchronization Partners Options


The Synchronization Partners table defines which Cisco Secure ACSes are
synchronized with data from the accountActions table. It provides the following
options:
• AAA Server—This list represents the AAA servers configured in the AAA
Servers table in Network Configuration for which the Cisco Secure
ACS does not perform RDBMS synchronization.
• Synchronize—This list represents the AAA servers configured in the AAA
Servers table in Network Configuration for which the Cisco Secure
ACS does perform RDBMS synchronization.
For more information about the AAA Servers table in Network Configuration, see
AAA Server Configuration, page 4-22.

Performing RDBMS Synchronization Immediately


You can manually start an RDBMS synchronization event.
To perform manual RDBMS synchronization, follow these steps:

Step 1 In the navigation bar, click System Configuration.
Step 2 Click RDBMS Synchronization.


Note If this feature does not appear, click Interface Configuration, click
Advanced Options, and then select the RDBMS Synchronization check
box.

The RDBMS Synchronization Setup page appears.
The status of the CSDBSync service appears below the page title.
Step 3 To specify options in the FTP Setup For Account Actions Download table, follow
these steps:

Note For more information about FTP setup, see FTP Setup Options,
page 9-31.

a. In the Actions File box, type the name of the accountActions file that you
want to use to update Cisco Secure ACS.
b. In the FTP Server box, type the IP address or hostname of the FTP server that
you want Cisco Secure ACS to get the accountActions file from.
c. In the Directory box, type the relative path to the directory on the FTP server
where the accountActions file is.
d. In the Username box, type a valid username to enable Cisco Secure ACS to
access the FTP server.
e. In the Password box, type the password for the username provided in the
Username box.
Cisco Secure ACS has the information necessary to get the accountActions file
from the FTP server.

Note It is not necessary to select Manually under Synchronization Scheduling
before a manual synchronization; Synchronize Now runs regardless of the
schedule. For more information, see Disabling Scheduled RDBMS
Synchronizations, page 9-37.

Step 4 For each Cisco Secure ACS that you want this Cisco Secure ACS to update using
the actions in the accountActions file, select the Cisco Secure ACS in the AAA
Servers list, and then click --> (right arrow button).


Note The Cisco Secure ACSes available in the AAA Servers list are determined
by the AAA Servers table in Network Configuration, with the addition of
the name of the current Cisco Secure ACS server. For more information
about the AAA Servers table, see AAA Server Configuration Options,
page 4-23.

The selected Cisco Secure ACS appears in the Synchronize list.

Note At least one Cisco Secure ACS must be in the Synchronize list. This
includes the Cisco Secure ACS on which you are configuring RDBMS
Synchronization. RDBMS Synchronization does not automatically
include the internal database of the current Cisco Secure ACS.

Step 5 To remove Cisco Secure ACSes from Synchronize list, select the Cisco Secure
ACS in the Synchronize list, and then click <-- (left arrow button).
The selected Cisco Secure ACS appears in the AAA Servers list.
Step 6 At the bottom of the browser window, click Synchronize Now.
Cisco Secure ACS immediately begins a synchronization event. To check on the
status of the synchronization, view the RDBMS Synchronization report in
Reports and Activity.

Scheduling RDBMS Synchronization


You can schedule when a Cisco Secure ACS performs RDBMS synchronization.
To schedule when a Cisco Secure ACS performs RDBMS synchronization,
follow these steps:

Step 1 In the navigation bar, click System Configuration.
Step 2 Click RDBMS Synchronization.


Note If this feature does not appear, click Interface Configuration, click
Advanced Options, and then select the RDBMS Synchronization check
box.

The RDBMS Synchronization Setup page appears.
The status of the CSDBSync service appears below the page title.
Step 3 To specify options in the FTP Setup For Account Actions Download table, follow
these steps:

Note For more information about FTP setup, see FTP Setup Options,
page 9-31.

a. In the Actions File box, type the name of the accountActions file that you
want to use to update Cisco Secure ACS.
b. In the FTP Server box, type the IP address or hostname of the FTP server that
you want Cisco Secure ACS to get the accountActions file from.
c. In the Directory box, type the relative path to the directory on the FTP server
where the accountActions file is.
d. In the Username box, type a valid username to enable Cisco Secure ACS to
access the FTP server.
e. In the Password box, type the password for the username provided in the
Username box.
Cisco Secure ACS has the information necessary to get the accountActions file
from the FTP server.
Step 4 To have this Cisco Secure ACS perform RDBMS synchronization at regular
intervals, under Synchronization Scheduling, select the Every X minutes option
and in the X box type the length of the interval at which Cisco Secure ACS should
perform synchronization (up to 7 characters).
Step 5 To schedule times at which this Cisco Secure ACS performs RDBMS
synchronization, follow these steps:
a. Under Synchronization Scheduling, select the At specific times option.
b. In the day and hour graph, click the times at which you want Cisco Secure
ACS to perform synchronization.


Tip Clicking times of day on the graph selects those times; clicking again
clears them. At any time you can click Clear All to clear all hours, or you
can click Set All to select all hours.

Step 6 For each Cisco Secure ACS you want to synchronize using the actions in the
accountActions file, follow these steps:

Note For more information about synchronization targets, see Synchronization
Partners Options, page 9-32.

a. In the Synchronization Partners table, from the AAA Servers list, select the
name of a Cisco Secure ACS that you want this Cisco Secure ACS to update
with data from the accountActions file.

Note The Cisco Secure ACSes available in the AAA Servers list are
determined by the AAA Servers table in Network Configuration, with
the addition of the name of the current Cisco Secure ACS server. For
more information about the AAA Servers table, see AAA Server
Configuration Options, page 4-23.

b. Click --> (right arrow button).
The selected Cisco Secure ACS moves to the Synchronize list.

Note At least one Cisco Secure ACS must be in the Synchronize list. This
includes the Cisco Secure ACS on which you are configuring
RDBMS Synchronization. RDBMS Synchronization does not
automatically include the internal database of the current
Cisco Secure ACS.

Step 7 Click Submit.
Cisco Secure ACS saves the RDBMS synchronization schedule you created.


Disabling Scheduled RDBMS Synchronizations


You can disable scheduled RDBMS synchronization events without losing the
schedule itself. This allows you to end scheduled synchronizations and resume
them later without having to re-create the schedule.
To disable scheduled RDBMS synchronizations, follow these steps:

Step 1 In the navigation bar, click System Configuration.
Step 2 Click RDBMS Synchronization.
The RDBMS Synchronization Setup page appears.
Step 3 Under Synchronization Scheduling, select the Manually option.
Step 4 Click Submit.
Cisco Secure ACS does not perform scheduled RDBMS synchronizations.

IP Pools Server
This section provides information about the IP Pools feature, including
procedures for creating and maintaining IP pools.
This section contains the following topics:
• About IP Pools Server, page 9-38
• Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges,
page 9-39
• Refreshing the AAA Server IP Pools Table, page 9-40
• Adding a New IP Pool, page 9-40
• Editing an IP Pool Definition, page 9-41
• Resetting an IP Pool, page 9-42
• Deleting an IP Pool, page 9-43


About IP Pools Server


If you are using VPNs you may have to overlap IP address assignments; that is, it
may be advantageous for a PPTP tunnel client within a given tunnel to use the
same IP address as that used by another PPTP tunnel client in a different tunnel.
The IP Pools Server feature enables you to assign the same IP address to multiple
users, provided that the users are being tunnelled to different home gateways for
routing beyond the boundaries of your own network. This means you can conserve
your IP address space without having to resort to using illegal addresses. When
you enable this feature, Cisco Secure ACS dynamically issues IP addresses from
the IP pools you have defined by number or name. You can configure up to 999 IP
pools, for approximately 255,000 users.
If you are using IP pooling and proxy, all accounting packets are proxied so that
the Cisco Secure ACS that is assigning the IP addresses can confirm whether an
IP address is already in use.

Note IP pool definitions are not replicated by the CiscoSecure Database Replication
feature; however, user and group assignments to IP pools are replicated. By not
replicating IP pool definitions, Cisco Secure ACS avoids inadvertently assigning
an IP address that a replication partner has already assigned to a different
workstation. To support IP pools in a AAA environment that uses replication, you
must manually configure each secondary Cisco Secure ACS to have IP pools with
names identical to the IP pools defined on the primary Cisco Secure ACS.

To use IP pools, the AAA client must have network authorization (in IOS, aaa
authorization network) and accounting (in IOS, aaa accounting) enabled.

Note To use the IP Pools feature, you must set up your AAA client to perform
authentication and accounting using the same protocol — either TACACS+ or
RADIUS.

For information on assigning a group or user to an IP pool, see Setting IP Address
Assignment Method for a User Group, page 6-27, or Assigning a User to a Client
IP Address, page 7-9.


Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges
Cisco Secure ACS provides automated detection of overlapping pools.

Note To use overlapping pools, you must be using RADIUS with VPN, and you cannot
be using Dynamic Host Configuration Protocol (DHCP).

You can determine whether overlapping IP pools are currently allowed by
checking which button appears below the AAA Server IP Pools table. The button
names the action you can take, not the current state:
• Allow Overlapping Pool Address Ranges—Appears when overlapping IP
pool address ranges are not currently allowed. Clicking this button allows IP
address ranges to overlap between pools.
• Force Unique Pool Address Range—Appears when overlapping IP pool
address ranges are currently allowed. Clicking this button prevents IP address
ranges from overlapping between pools.
To allow overlapping IP pools or to force unique pool address ranges, follow
these steps:

Step 1 In the navigation bar, click System Configuration.
Step 2 Click IP Pools Server.

Note If this feature does not appear, click Interface Configuration, click
Advanced Options, and then select the IP Pools check box.

The AAA Server IP Pools table lists any IP pools you have configured, their
address ranges, and the percentage of pooled addresses in use.
Step 3 If you want to allow overlapping IP pool address ranges, follow these steps:
a. If the Allow Overlapping Pool Address Ranges button appears, click that
button.
Cisco Secure ACS allows overlapping IP pool address ranges.
b. If the Force Unique Pool Address Range button appears, do nothing.
Cisco Secure ACS already allows overlapping IP pool address ranges.


Step 4 If you want to deny overlapping IP pool address ranges, follow these steps:
a. If the Allow Overlapping Pool Address Ranges button appears, do nothing.
Cisco Secure ACS already does not permit overlapping IP pool address
ranges.
b. If the Force Unique Pool Address Range button appears, click that button.
Cisco Secure ACS does not permit overlapping IP pool address ranges.

Refreshing the AAA Server IP Pools Table


You can refresh the AAA Server IP Pools table. This allows you to get the latest
usage statistics for your IP pools.
To refresh the AAA Server IP Pools table, follow these steps:

Step 1 In the navigation bar, click System Configuration.
Step 2 Click IP Pools Server.
The AAA Server IP Pools table lists any IP pools you have configured, their
address ranges, and the percentage of pooled addresses in use.
Step 3 Click Refresh.
Cisco Secure ACS updates the percentages of pooled addresses in use.

Adding a New IP Pool


You can define up to 999 IP address pools.
To add an IP pool, follow these steps:

Step 1 In the navigation bar, click System Configuration.
Step 2 Click IP Pools Server.


The AAA Server IP Pools table lists any IP pools you have already configured,
their address ranges, and the percentage of pooled addresses in use.
Step 3 Click Add Entry.
The New Pool table appears.
Step 4 In the Name box, type the name (up to 31 characters) you want to assign to the
new IP pool.
Step 5 In the Start Address box, type the lowest IP address (up to 15 characters) of the
range of addresses for the new pool.

Note All addresses in an IP pool must be on the same Class C network, so the
first three octets of the start and end addresses must be the same. For
example, if the start address is 192.168.1.1, the end address must be
between 192.168.1.2 and 192.168.1.254.

Step 6 In the End Address box, type the highest IP address (up to 15 characters) of the
range of addresses for the new pool.
Step 7 Click Submit.
The new IP pool appears in the AAA Server IP Pools table.
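The rules this procedure states (a name of at most 31 characters, start and end addresses on the same Class C network, at most 999 pools) and the overlap rule from Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges can be checked before you type anything into the HTML interface. The Python below is an added example written for this page, not Cisco's code: it applies those checks to a list of proposed pools and reports which pairs overlap, honouring the allow/force setting. The pool names and address ranges are constructed sample data.

```python
# Added example, not Cisco's code: pre-checks for IP pool definitions using
# the rules stated in the ACS user guide (31-char name, same first three
# octets, at most 999 pools, overlap allowed only when enabled).
import ipaddress

MAX_POOLS = 999
MAX_NAME_LEN = 31


def parse_pool(name, start, end):
    """Return (name, start_addr, end_addr) or raise ValueError with the reason
    the AAA Server IP Pools page would reject the entry."""
    if not name or len(name) > MAX_NAME_LEN:
        raise ValueError("pool name must be 1 to 31 characters")
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if lo > hi:
        raise ValueError("start address is above end address")
    if lo.packed[:3] != hi.packed[:3]:
        raise ValueError("start and end must share the first three octets")
    return name, lo, hi


def overlaps(a, b):
    """True when two pools share at least one address."""
    return a[1] <= b[2] and b[1] <= a[2]


def add_pool(pools, name, start, end, allow_overlap=False):
    """Mimic Add Entry followed by Submit. With allow_overlap False the
    Force Unique Pool Address Range rule applies; with it True the overlap is
    permitted (the VPN home-gateway case the guide describes)."""
    if len(pools) >= MAX_POOLS:
        raise ValueError("at most 999 pools may be defined")
    if any(p[0] == name for p in pools):
        raise ValueError(f"pool {name!r} already exists")
    new = parse_pool(name, start, end)
    if not allow_overlap:
        for p in pools:
            if overlaps(p, new):
                raise ValueError(f"range overlaps pool {p[0]!r}")
    return pools + [new]


def rejection_reason(pools, name, start, end, allow_overlap=False):
    """The error text if the pool would be rejected, otherwise None."""
    try:
        add_pool(pools, name, start, end, allow_overlap)
    except ValueError as exc:
        return str(exc)
    return None


def find_overlaps(pools):
    """Every overlapping pair; run this before clicking Force Unique Pool
    Address Range to see which existing pools conflict."""
    return [(a[0], b[0]) for i, a in enumerate(pools)
            for b in pools[i + 1:] if overlaps(a, b)]


def pool_size(pool):
    """Number of assignable addresses in the pool."""
    return int(pool[2]) - int(pool[1]) + 1


def demo():
    """Constructed sample: two VPN pools for different home gateways that
    deliberately share addresses, plus a dial-in pool that must stay unique."""
    pools = add_pool([], "vpn-gw-a", "10.1.1.10", "10.1.1.100")
    pools = add_pool(pools, "vpn-gw-b", "10.1.1.50", "10.1.1.150", allow_overlap=True)
    pools = add_pool(pools, "dialin", "10.1.2.1", "10.1.2.254")
    return pools


if __name__ == "__main__":
    pools = demo()
    for name, lo, hi in pools:
        print(f"{name:10} {lo}-{hi} ({pool_size((name, lo, hi))} addresses)")
    print("overlapping:", find_overlaps(pools))
    print(rejection_reason(pools, "bad", "192.168.1.1", "192.168.2.5"))
```

Because overlapping pools are only safe when the overlapping users are tunnelled to different home gateways, treat any pair that find_overlaps reports as something to confirm against the VPN design, not just as a configuration warning.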

Editing an IP Pool Definition


To edit an IP pool definition, follow these steps:

Step 1 In the navigation bar, click System Configuration.
Step 2 Click IP Pools Server.
The AAA Server IP Pools table lists any IP pools you have configured, their
address ranges, and the percentage of pooled addresses in use.
Step 3 Click the name of the IP pool you need to edit.
The name pool table appears, where name is the name of the IP pool you selected.
The In Use field displays how many IP addresses in this pool are allocated to a
user. The Available field displays how many IP addresses are unallocated to
users.


Step 4 To change the name of the pool, in the Name box, type the name (up to 31
characters) to which you want to change the IP pool.
Step 5 To change the starting address of the pool range of IP addresses, in the Start
Address box, type the lowest IP address (up to 15 characters) of the new range of
addresses for the pool.

Note All addresses in an IP pool must be on the same Class C network, so the
first three octets of the start and end addresses must be the same. For
example, if the start address is 192.168.1.1, the end address must be
between 192.168.1.2 and 192.168.1.254.

Step 6 To change the ending address of the pool range of IP addresses, in the End
Address box, type the highest IP address (up to 15 characters) of the new range of
addresses for the pool.
Step 7 Click Submit.
The edited IP pool appears in the AAA Server IP Pools table.

Resetting an IP Pool
The Reset function recovers IP addresses within an IP pool when there are
“dangling” connections. A dangling connection occurs when a user disconnects
and Cisco Secure ACS does not receive an accounting stop packet from the
applicable AAA client. If the Failed Attempts log in Reports and Activity shows
a large number of “Failed to Allocate IP Address For User” messages, consider
using the Reset function to reclaim all allocated addresses in this IP pool.

Note Using the Reset function to reclaim all allocated IP addresses in a pool can result
in users being assigned addresses that are already in use.

To reset an IP pool and reclaim all its IP addresses, follow these steps:

Step 1 In the navigation bar, click System Configuration.


Step 2 Click IP Pools Server.


The AAA Server IP Pools table lists any IP pools you have configured, their
address ranges, and the percentage of pooled addresses in use.
Step 3 Click the name of the IP pool you need to reset.
The name pool table appears, where name is the name of the IP pool you selected.
The In Use field displays how many IP addresses in this pool are assigned to a
user. The Available field displays how many IP addresses are not assigned to
users.
Step 4 Click Reset.
Cisco Secure ACS displays a dialog box indicating the possibility of assigning
user addresses that are already in use.
Step 5 To continue resetting the IP pool, click OK.
The IP pool is reset. All its IP addresses are reclaimed. In the In Use column of
the AAA Server IP Pools table, zero percent of the IP pool addresses are assigned
to users.

Deleting an IP Pool

Note If you delete an IP pool that has users assigned to it, those users cannot
authenticate until you edit the user profile and change their IP assignment
settings. Alternatively, if the users receive their IP assignment based on group
membership, you can edit the user group profile and change the IP assignment
settings for the group.

To delete an IP pool, follow these steps:

Step 1 In the navigation bar, click System Configuration.


Step 2 Click IP Pools Server.
The AAA Server IP Pools table lists any IP pools you have configured, their
address ranges, and the percentage of pooled addresses in use.
Step 3 Click the name of the IP pool you need to delete.


The name pool table appears, where name is the name of the IP pool you selected.
The In Use column displays how many IP addresses in this pool are assigned to a
user. The Available column displays how many IP addresses are not assigned to
users.
Step 4 Click Delete.
Cisco Secure ACS displays a dialog box to confirm that you want to delete the IP
pool.
Step 5 To delete the IP pool, click OK.
The IP pool is deleted. The AAA Server IP Pools table does not list the deleted IP
pool.

IP Pools Address Recovery


The IP Pools Address Recovery feature enables you to recover assigned IP
addresses that have not been used for a specified period of time. You must
configure an accounting network on the AAA client for Cisco Secure ACS to
reclaim the IP addresses correctly.

Enabling IP Pool Address Recovery


To enable IP pool address recovery, follow these steps:

Step 1 In the navigation bar, click System Configuration.


Step 2 Click IP Pools Address Recovery.

Note If this feature does not appear, click Interface Configuration, click
Advanced Options, and then select the IP Pools check box.

The IP Address Recovery page appears.


Step 3 Select the Release address if allocated for longer than X hours check box and
in the X box type the number of hours (up to 4 characters) after which
Cisco Secure ACS should recover assigned, unused IP addresses.


Step 4 Click Submit.


Cisco Secure ACS implements the IP pools address recovery settings you made.
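A worked example, added here and not code from this guide or from Cisco Secure ACS: a small Go model of one AAA Server IP Pool that enforces the Class C and range rules from the New Pool form, reports the In Use percentage, and implements the Reset function and the "Release address if allocated for longer than X hours" recovery timer described above. The type and method names (Pool, Allocate, Reset, Recover) and the sample pool 192.168.1.1 to 192.168.1.4 are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"time"
)

// Pool models one AAA Server IP Pool entry. All addresses share the first
// three octets, so leases are keyed by host octet. Constructed for this example.
type Pool struct {
	Name       string
	prefix     [3]byte
	start, end byte
	leases     map[byte]time.Time // host octet -> time of allocation
}

func octets(s string) ([4]byte, error) {
	var a [4]byte
	ip := net.ParseIP(s).To4()
	if ip == nil {
		return a, fmt.Errorf("%q is not an IPv4 address", s)
	}
	copy(a[:], ip)
	return a, nil
}

// NewPool enforces the New Pool form's rules: name length, identical first
// three octets, and an end address above the start and no higher than .254.
func NewPool(name, start, end string) (*Pool, error) {
	if name == "" || len(name) > 31 {
		return nil, errors.New("pool name must be 1 to 31 characters")
	}
	s, err := octets(start)
	if err != nil {
		return nil, err
	}
	e, err := octets(end)
	if err != nil {
		return nil, err
	}
	if s[0] != e[0] || s[1] != e[1] || s[2] != e[2] {
		return nil, errors.New("start and end must be on the same Class C network")
	}
	if e[3] <= s[3] || e[3] > 254 {
		return nil, errors.New("end must be above start and no higher than .254")
	}
	return &Pool{Name: name, prefix: [3]byte{s[0], s[1], s[2]}, start: s[3],
		end: e[3], leases: map[byte]time.Time{}}, nil
}

// InUsePercent is the figure shown in the table's In Use column.
func (p *Pool) InUsePercent() int {
	return 100 * len(p.leases) / (int(p.end) - int(p.start) + 1)
}

// Allocate hands out the lowest free address; ok is false when the pool is
// exhausted, the condition behind "Failed to Allocate IP Address For User".
func (p *Pool) Allocate(now time.Time) (addr string, ok bool) {
	for h := int(p.start); h <= int(p.end); h++ {
		if _, taken := p.leases[byte(h)]; !taken {
			p.leases[byte(h)] = now
			return fmt.Sprintf("%d.%d.%d.%d", p.prefix[0], p.prefix[1], p.prefix[2], h), true
		}
	}
	return "", false
}

// Reset reclaims every address, in-use ones included, which is why the guide
// warns that users may then be assigned addresses still in use elsewhere.
func (p *Pool) Reset() int {
	n := len(p.leases)
	p.leases = map[byte]time.Time{}
	return n
}

// Recover is the "Release address if allocated for longer than X hours"
// setting: it frees leases older than maxAge and returns how many it freed.
func (p *Pool) Recover(now time.Time, maxAge time.Duration) int {
	freed := 0
	for h, t := range p.leases {
		if now.Sub(t) > maxAge {
			delete(p.leases, h)
			freed++
		}
	}
	return freed
}

func main() {
	p, err := NewPool("vpn-users", "192.168.1.1", "192.168.1.4")
	if err != nil {
		panic(err)
	}
	a, _ := p.Allocate(time.Now())
	fmt.Printf("allocated %s; pool %d%% in use\n", a, p.InUsePercent())
}
```

Recover only frees leases that have aged past the limit, so a dangling connection from a missing accounting stop is reclaimed without disturbing newer leases; Reset frees everything at once, which is the trade-off the note above warns about.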

CHAPTER 10
System Configuration: Authentication
and Certificates

This chapter addresses authentication and certification features found in the
System Configuration section of Cisco Secure ACS Appliance.
This chapter contains the following topics:
• About Certification and EAP Protocols, page 10-1
• Global Authentication Setup, page 10-25
• Cisco Secure ACS Certificate Setup, page 10-33
• EAP-FAST PAC Files Generation, page 10-41

About Certification and EAP Protocols


Cisco Secure ACS uses EAP-TLS and PEAP authentication protocols in
combination with digital certification to ensure the protection and validity of
authentication information. Digital certification, EAP-TLS, PEAP, and machine
authentication are described in the topics that follow.
This section contains the following topics:
• Digital Certificates, page 10-2
• EAP-TLS Authentication, page 10-2
• PEAP Authentication, page 10-7
• EAP-FAST Authentication, page 10-11


Digital Certificates
The ACS Certificate Setup pages enable you to install digital certificates to
support EAP-TLS and PEAP authentication, as well as to support HTTPS
protocol for secure access to the Cisco Secure ACS HTML interface.
Cisco Secure ACS uses the X.509 v3 digital certificate standard. Certificate files
must be in either Base64-encoded X.509 format or DER-encoded binary X.509
format. Also, Cisco Secure ACS supports manual certificate enrollment.
Digital certificates do not require the sharing of secrets nor stored database
credentials. They can be scaled and trusted over large deployments. If managed
properly, they can serve as a method of authentication that is stronger and more
secure than shared secret systems. Mutual trust requires that Cisco Secure ACS
have an installed certificate that can be verified by end-user clients.

EAP-TLS Authentication
This section contains the following topics:
• About the EAP-TLS Protocol, page 10-2
• EAP-TLS and Cisco Secure ACS, page 10-3
• EAP-TLS Limitations, page 10-5
• Enabling EAP-TLS Authentication, page 10-5

About the EAP-TLS Protocol


EAP and TLS are both IETF RFC standards. The EAP protocol carries initial
authentication information, specifically EAPOL (the encapsulation of EAP over
LANs as established by IEEE 802.1X). TLS uses certificates both for user
authentication and for dynamic ephemeral session key generation. The EAP-TLS
authentication protocol uses the certificates of Cisco Secure ACS and of the
end-user client, enforcing mutual authentication of the client and of Cisco Secure
ACS. For more detailed information on EAP, TLS, and EAP-TLS, refer to the
following IETF RFCs: PPP Extensible Authentication Protocol (EAP) RFC 2284,
The TLS Protocol RFC 2246, and PPP EAP TLS Authentication Protocol RFC
2716.


EAP-TLS authentication involves two elements of trust. The first element of trust
is when the EAP-TLS negotiation establishes end-user trust by validating,
through RSA signature verifications, that the user possesses a keypair signed by
a certificate. This verifies that the end user is the legitimate keyholder for a given
digital certificate and the corresponding user identification contained in the
certificate. However, trusting that a user possesses a certificate only provides a
username/keypair binding. The second element of trust is to use a third-party
signature, usually from a certification authority (CA), that verifies the
information in a certificate. This third-party binding is similar to the real world
equivalent of the seal on a passport. You trust the passport because you trust the
preparation and identity checking that the particular country’s passport office
made when creating that passport. You trust digital certificates by installing the
root certificate CA signature.
EAP-TLS requires support from both the end client and the AAA client. An
example of an EAP-TLS client includes the Microsoft Windows XP operating
system; EAP-TLS-compliant AAA clients include Cisco 802.1x-enabled switch
platforms (such as the Catalyst 6500 product line) and Cisco Aironet Wireless
solutions. To accomplish secure Cisco Aironet connectivity, EAP-TLS generates
a dynamic, per-user, per-connection, unique session key.

EAP-TLS and Cisco Secure ACS


Cisco Secure ACS supports EAP-TLS with any end-user client that supports
EAP-TLS, such as Windows XP. To learn which user databases support
EAP-TLS, see Authentication Protocol-Database Compatibility, page 1-9. For
more information about deploying EAP-TLS authentication, see Extensible
Authentication Protocol Transport Layer Security Deployment Guide for
Wireless LAN Networks at
http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/acstl_wp.htm.
Cisco Secure ACS can use EAP-TLS to support machine authentication to
Microsoft Windows Active Directory. The end-user client may limit the protocol
used for user authentication to the same protocol used for machine authentication;
that is, use of EAP-TLS for machine authentication may require the use of
EAP-TLS for user authentication. For more information about machine
authentication, see Machine Authentication, page 13-13.
Cisco Secure ACS supports domain stripping for EAP-TLS authentication using
Windows Active Directory. For more information, see EAP-TLS Domain
Stripping, page 13-13.


Cisco Secure ACS also supports three methods of certificate comparison and a
session resume feature. This topic discusses these features.
To permit access to the network by a user or computer authenticating with
EAP-TLS, Cisco Secure ACS must verify that the claimed identity (presented in
the EAP Identity response) corresponds to the certificate presented by the user.
Cisco Secure ACS can accomplish this verification in three ways:
• Certificate SAN Comparison—Based on the name in the Subject
Alternative Name field in the user certificate.
• Certificate CN Comparison—Based on the name in the Subject Common
Name field in the user certificate.
• Certificate Binary Comparison—Based on a binary comparison between
the user certificate stored in the user object in the LDAP server or Active
Directory and the certificate presented by the user during EAP-TLS
authentication. This comparison method cannot be used to authenticate users
stored in an ODBC external user database.

Note If you use certificate binary comparison, the user certificate must be
stored in a binary format. Also, for generic LDAP and Active
Directory, the attribute storing the certificate must be the standard
LDAP attribute named “usercertificate”.

When you set up EAP-TLS, you can select the criterion (one, two, or all) that
Cisco Secure ACS uses. For more information, see Configuring Authentication
Options, page 10-32.
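The three comparison methods, as an added Go example that is not code from this guide or from Cisco Secure ACS: the Directory map is a constructed stand-in for the LDAP or Active Directory user object's "usercertificate" attribute, the self-signed test certificates stand in for CA-issued user certificates, and the SAN check is simplified to rfc822Name and dNSName entries.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Comparison selects one of the three identity-to-certificate checks.
type Comparison int

const (
	SANComparison    Comparison = iota // name in the Subject Alternative Name
	CNComparison                       // name in the Subject Common Name
	BinaryComparison                   // byte-for-byte match with the stored cert
)

// Directory stands in for the user object store (generic LDAP or Active
// Directory): username -> DER bytes of the "usercertificate" attribute.
// Constructed for this example; it is not the product's data model.
type Directory map[string][]byte

// VerifyIdentity returns true when the identity claimed in the EAP Identity
// response corresponds to the presented certificate under the chosen method.
func VerifyIdentity(method Comparison, claimed string, cert *x509.Certificate, dir Directory) bool {
	switch method {
	case SANComparison:
		// Simplification: only rfc822Name and dNSName SAN entries are examined.
		names := append([]string{}, cert.EmailAddresses...)
		for _, n := range append(names, cert.DNSNames...) {
			if n == claimed {
				return true
			}
		}
		return false
	case CNComparison:
		return cert.Subject.CommonName == claimed
	case BinaryComparison:
		// The certificate must be stored in binary (DER) form for this to work.
		stored, ok := dir[claimed]
		return ok && bytes.Equal(stored, cert.Raw)
	}
	return false
}

// newUserCert builds a self-signed client certificate with the given CN and
// rfc822Name SAN. Self-signed only so the example runs offline; real user
// certificates come from a CA on the certificate trust list.
func newUserCert(cn, email string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: cn},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	// Constructed user: the directory holds jdoe's genuine certificate.
	genuine := newUserCert("jdoe", "jdoe@example.com")
	dir := Directory{"jdoe": genuine.Raw}
	// A second certificate with the same names but a different key pair:
	// name-based comparison cannot tell it apart, binary comparison can.
	lookalike := newUserCert("jdoe", "jdoe@example.com")

	fmt.Println("CN, genuine:       ", VerifyIdentity(CNComparison, "jdoe", genuine, dir))
	fmt.Println("CN, look-alike:    ", VerifyIdentity(CNComparison, "jdoe", lookalike, dir))
	fmt.Println("binary, genuine:   ", VerifyIdentity(BinaryComparison, "jdoe", genuine, dir))
	fmt.Println("binary, look-alike:", VerifyIdentity(BinaryComparison, "jdoe", lookalike, dir))
}
```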
Cisco Secure ACS supports a session resume feature for EAP-TLS-authenticated
user sessions, a particularly useful feature for WLANs, wherein a user may move
the client computer so that a different wireless access point is in use. When this
feature is enabled, Cisco Secure ACS caches the TLS session created during
EAP-TLS authentication, provided that the user successfully authenticates. If a
user needs to reconnect and the original EAP-TLS session has not timed out,
Cisco Secure ACS uses the cached TLS session, resulting in faster EAP-TLS
performance and lessened AAA server load. When Cisco Secure ACS resumes an
EAP-TLS session, the user reauthenticates by SSL handshake only, without a
certificate comparison.
In effect, enabling EAP-TLS session resume allows Cisco Secure ACS to trust a
user based on the cached TLS session from the original EAP-TLS authentication.
Because Cisco Secure ACS only caches a TLS session when a new EAP-TLS


authentication succeeds, the existence of a cached TLS session is proof that the
user has successfully authenticated within the number of minutes defined by the
EAP-TLS session timeout option.

Note Session timeout is based on the time of the initial, full authentication of the
session. It is not dependent upon an accounting start message.

Changes to group assignment in an external user database are not enforced by the
session resume feature. This is because group mapping does not occur when a user
session is resumed. Instead, the user is mapped to the same Cisco Secure ACS
group that the user was mapped to upon the beginning of the session. Upon the
start of a new session, group mapping enforces the new group assignment.
To force an EAP-TLS session to end before the session timeout is reached, either
restart the CSAuth service or delete the user from the CiscoSecure user
database. Disabling or deleting the user in an external user
database has no effect because the session resume feature does not involve the use
of external user databases.
You can enable the EAP-TLS session resume feature and configure the timeout
interval on the Global Authentication Setup page. For more information about
enabling this feature, see Global Authentication Setup, page 10-25.

EAP-TLS Limitations
The Cisco Secure ACS implementation of EAP-TLS has the following
limitations:
• Server certificate format—Server and CA certificates must be either in
Base64-encoded X.509 format or DER-encoded binary X.509 format.
• LDAP attribute for binary comparison—If you configure Cisco Secure
ACS to perform binary comparison of user certificates, the user certificate
must be stored in Active Directory or an LDAP server, using a binary format.
Also, the attribute storing the certificate must be named “usercertificate”.

Enabling EAP-TLS Authentication


This procedure provides an overview of the detailed procedures required to
configure Cisco Secure ACS to support EAP-TLS authentication.


Note End-user client computers must be configured to support EAP-TLS. This
procedure is specific to configuration of Cisco Secure ACS only. For more
information about deploying EAP-TLS authentication, see Extensible
Authentication Protocol Transport Layer Security Deployment Guide for
Wireless LAN Networks at
http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/acstl_wp.htm.

Before You Begin


For EAP-TLS machine authentication, if you have a Microsoft certification
authority server configured on the domain controller, you can configure a policy
in Active Directory to produce a client certificate automatically when a computer
is added to the domain. For more information, see Microsoft Knowledge Base
Article 313407, HOW TO: Create Automatic Certificate Requests with Group
Policy in Windows.
To enable EAP-TLS authentication, follow these steps:

Step 1 Install a server certificate in Cisco Secure ACS. EAP-TLS requires a server
certificate. For detailed steps, see Installing a Cisco Secure ACS Certificate,
page 10-33.

Note If you have previously installed a certificate to support EAP-TLS or
PEAP user authentication or to support HTTPS protection of remote
Cisco Secure ACS administration, you do not need to perform this step.
A single server certificate is sufficient to support all certificate-based
Cisco Secure ACS services and remote administration; however,
EAP-TLS and PEAP require that the certificate be suitable for server
authentication purposes.

Step 2 Edit the certification trust list so that the certification authority (CA) issuing
end-user client certificates is trusted. If you do not perform this step, Cisco Secure
ACS only trusts user certificates issued by the same CA that issued the certificate
installed in Cisco Secure ACS. For detailed steps, see Editing the Certificate Trust
List, page 10-38.
Step 3 Enable EAP-TLS on the Global Authentication Setup page. Cisco Secure ACS
allows you to complete this step only after you have successfully completed Step
1. For detailed steps, see Configuring Authentication Options, page 10-32.


Step 4 Configure a user database. To determine which user databases support EAP-TLS
authentication, see Authentication Protocol-Database Compatibility, page 1-9.
Cisco Secure ACS is ready to perform EAP-TLS authentication.

PEAP Authentication
This section contains the following topics:
• About the PEAP Protocol, page 10-7
• PEAP and Cisco Secure ACS, page 10-8
• PEAP and the Unknown User Policy, page 10-9
• Enabling PEAP Authentication, page 10-10

About the PEAP Protocol


The PEAP (Protected EAP) protocol is a client-server security architecture that
provides a means of encrypting EAP transactions, thereby protecting the contents
of EAP authentications. PEAP has been posted as an IETF Internet Draft by RSA,
Cisco, and Microsoft and is available at
http://www.ietf.org/internet-drafts/draft-josefsson-pppext-eap-tls-eap-05.txt.
PEAP authentications always involve two phases. In the first phase, the end-user
client authenticates Cisco Secure ACS. This requires a server certificate and
authenticates Cisco Secure ACS to the end-user client, ensuring that the user or
machine credentials sent in phase two are sent to a AAA server that has a
certificate issued by a trusted CA. The first phase uses a TLS handshake to
establish an SSL tunnel.
In phase two, Cisco Secure ACS authenticates the user or machine credentials
using an EAP authentication protocol. The EAP authentication is protected by the
SSL tunnel created in phase one. The authentication type negotiated during the
second conversation may be any valid EAP type, such as EAP-GTC (for Generic
Token Card). Because PEAP can support any EAP authentication protocol,
individual combinations of PEAP and EAP protocols are denoted with the EAP
protocol within parentheses, such as PEAP(EAP-GTC). For the authentication
protocols that Cisco Secure ACS supports in phase two of PEAP, see
Authentication Protocol-Database Compatibility, page 1-9.


One improvement in security offered by PEAP is identity protection. This is the
potential of protecting the username in all PEAP transactions. After phase one of
PEAP, all data is encrypted, including username information usually sent in clear
text. The Cisco Aironet PEAP client sends user identity through the SSL tunnel
only. The initial identity, used in phase one and which is sent in the clear, is the
MAC address of the end-user client with “PEAP_” as a prefix. The Microsoft PEAP
client does not provide identity protection; the Microsoft PEAP client sends the
username in the clear in phase one of PEAP authentication.

PEAP and Cisco Secure ACS


Cisco Secure ACS supports PEAP authentication using either the Cisco Aironet
PEAP client or the Microsoft PEAP client included with Microsoft Windows XP
Service Pack 1. Cisco Secure ACS can support the Cisco Aironet PEAP client
with PEAP(EAP-GTC) only. For the Microsoft PEAP client included with
Windows XP Service Pack 1, Cisco Secure ACS supports only
PEAP(EAP-MSCHAPv2). For information about which user databases support
PEAP protocols, see Authentication Protocol-Database Compatibility, page 1-9.
When the end-user client is the Cisco Aironet PEAP client and both
PEAP(EAP-GTC) and PEAP(EAP-MSCHAPv2) are enabled on the Global
Authentication Setup page, Cisco Secure ACS first attempts PEAP(EAP-GTC)
authentication with the end-user client. If the client rejects this protocol (by
sending an EAP NAK message), Cisco Secure ACS attempts authentication with
PEAP(EAP-MSCHAPv2). For more information about enabling EAP protocols
supported within PEAP, see Global Authentication Setup, page 10-25.
Cisco Secure ACS can use PEAP(EAP-MSCHAPv2) to support machine
authentication to Microsoft Windows Active Directory. The end-user client may
limit the protocol used for user authentication to the same protocol used for
machine authentication; that is, use of PEAP for machine authentication requires
the use of PEAP for user authentication. For more information about machine
authentication, see Machine Authentication, page 13-13.
Cisco Secure ACS supports a session resume feature for PEAP-authenticated user
sessions. When this feature is enabled, Cisco Secure ACS caches the TLS session
created during phase one of PEAP authentication, provided that the user
successfully authenticates in phase two of PEAP. If a user needs to reconnect and
the original PEAP session has not timed out, Cisco Secure ACS uses the cached
TLS session, resulting in faster PEAP performance and lessened AAA server
load.


Note Session timeout is based on the time that authentication succeeds. It is not
dependent upon accounting.

You can enable the PEAP session resume feature and configure the timeout
interval on the Global Authentication Setup page. For more information about
enabling this feature, see Global Authentication Setup, page 10-25.
Cisco Secure ACS also supports a fast reconnect feature. When the session
resume feature is enabled, the fast reconnection feature causes Cisco Secure ACS
to allow a PEAP session to resume without checking user credentials. In effect,
enabling this feature allows Cisco Secure ACS to trust a user based on the cached
TLS session from the original PEAP authentication. Because Cisco Secure ACS
only caches a TLS session when phase two of PEAP authentication succeeds, the
existence of a cached TLS session is proof that the user has successfully
authenticated within the number of minutes defined by the PEAP session timeout
option.
Changes to group assignment in an external user database are not enforced by the
session resume feature. This is because group mapping does not occur when a user
session is extended by the session resume feature. Instead, the user is mapped to
the same Cisco Secure ACS group that the user was mapped to upon the beginning
of the session. Upon the start of a new session, group mapping enforces the new
group assignment.
The fast reconnect feature is particularly useful for wireless LANs, wherein a user
may move the client computer so that a different wireless access point is in use.
When Cisco Secure ACS resumes a PEAP session, the user reauthenticates
without entering a password, provided that the session has not timed out. If the
end-user client is restarted, the user must enter a password even if the session
timeout interval has not ended.
You can enable the PEAP fast reconnect feature on the Global Authentication
Setup page. For more information about enabling this feature, see Global
Authentication Setup, page 10-25.

PEAP and the Unknown User Policy


During PEAP authentication, the real username to be authenticated may not be
known by Cisco Secure ACS until phase two of authentication. While the
Microsoft PEAP client does reveal the actual username during phase one, the


Cisco PEAP client does not; therefore, Cisco Secure ACS does not attempt to
look up the username presented during phase one, and the use of the Unknown User
Policy is irrelevant during phase one, regardless of the PEAP client used.
When phase two of PEAP authentication occurs and the username presented by
the PEAP client is unknown to Cisco Secure ACS, Cisco Secure ACS processes
the username in the same way that it processes usernames presented in other
authentication protocols. If the username is unknown and the Unknown User
Policy is disabled, authentication fails. If the username is unknown and the
Unknown User Policy is enabled, Cisco Secure ACS attempts to authenticate the
PEAP user with unknown user processing.
For more information about unknown user processing, see Unknown User
Processing, page 14-2.

Enabling PEAP Authentication


This procedure provides an overview of the detailed procedures required to
configure Cisco Secure ACS to support PEAP authentication.

Note End-user client computers must be configured to support PEAP. This procedure
is specific to configuration of Cisco Secure ACS only.

To enable PEAP authentication, follow these steps:

Step 1 Install a server certificate in Cisco Secure ACS. PEAP requires a server
certificate. For detailed steps, see Installing a Cisco Secure ACS Certificate,
page 10-33.

Note If you have previously installed a certificate to support EAP-TLS or
PEAP user authentication or to support HTTPS protection of remote
Cisco Secure ACS administration, you do not need to perform this step.
A single server certificate is sufficient to support all certificate-based
Cisco Secure ACS services and remote administration; however,
EAP-TLS and PEAP require that the certificate be suitable for server
authentication purposes.


Step 2 Enable PEAP on the Global Authentication Setup page. Cisco Secure ACS allows
you to complete this step only after you have successfully completed Step 1. For
detailed steps, see Configuring Authentication Options, page 10-32.
Step 3 Configure a user database. To determine which user databases support PEAP
authentication, see Authentication Protocol-Database Compatibility, page 1-9.
Cisco Secure ACS is ready to perform PEAP authentication for most users. For
more information, see PEAP and the Unknown User Policy, page 10-9.
Step 4 Consider enabling the Unknown User Policy to simplify PEAP authentication.
For more information, see PEAP and the Unknown User Policy, page 10-9. For
detailed steps, see Configuring the Unknown User Policy, page 14-10.

EAP-FAST Authentication

Note EAP-FAST support is available beginning in Cisco Secure ACS version 3.2.3.
Earlier versions of Cisco Secure ACS do not include this feature.

This section contains the following topics:
• About EAP-FAST, page 10-12
• About Master Keys, page 10-13
• About PACs, page 10-15
– Automatic PAC Provisioning, page 10-17
– Manual PAC Provisioning, page 10-18
• Master Key and PAC TTLs, page 10-19
• Replication and EAP-FAST, page 10-20
• Enabling EAP-FAST, page 10-23


About EAP-FAST
The EAP Flexible Authentication via Secured Tunnel (EAP-FAST) protocol is a
client-server security architecture that encrypts EAP transactions with a TLS
tunnel. While similar to PEAP in this respect, it differs significantly in that
EAP-FAST tunnel establishment is based upon strong secrets that are unique to
users. These secrets are called Protected Access Credentials (PACs), which
Cisco Secure ACS generates using a master key known only to Cisco Secure ACS.
Because handshakes based upon shared secrets are intrinsically faster than
handshakes based upon PKI, EAP-FAST is the significantly faster of the two
solutions that provide encrypted EAP transactions. No certificate management is
required to implement EAP-FAST.
EAP-FAST occurs in three phases:
• Phase zero—Unique to EAP-FAST, phase zero is a tunnel-secured means of
providing an EAP-FAST end-user client with a PAC for the user requesting
network access (see Automatic PAC Provisioning, page 10-17). Providing a
PAC to the end-user client is the sole purpose of phase zero. The tunnel is
established based on an anonymous Diffie-Hellman key exchange. If
EAP-MSCHAPv2 authentication succeeds, Cisco Secure ACS provides the
user a PAC. To determine which databases support EAP-FAST phase zero,
see Authentication Protocol-Database Compatibility, page 1-9.

Note Phase zero is optional and PACs can be manually provided to
end-user clients (see Manual PAC Provisioning, page 10-18). You
control whether Cisco Secure ACS supports phase zero by selecting
the Allow automatic PAC provisioning check box in the Global
Authentication Configuration page.

No network service is enabled by phase zero of EAP-FAST; therefore, even a
successful EAP-FAST phase zero transaction is recorded in the Cisco Secure
ACS Failed Attempts log.
• Phase one—In phase one, Cisco Secure ACS and the end-user client
establish a TLS tunnel based upon the PAC presented by the end-user client.
This requires that the end-user client has been provided a PAC for the user
attempting to gain network access and that the PAC is based on a master key
that has not expired. The means by which PAC provisioning has occurred is
irrelevant; either automatic or manual provisioning may be used.


No network service is enabled by phase one of EAP-FAST.


• Phase two—In phase two, Cisco Secure ACS authenticates the user
credentials with EAP-GTC, which is protected by the TLS tunnel created in
phase one. No other EAP types are supported for EAP-FAST. To determine
which databases support EAP-FAST phase two, see Authentication
Protocol-Database Compatibility, page 1-9.
Cisco Secure ACS authorizes network service with a successful user
authentication in phase two of EAP-FAST and logs the authentication in the
Passed Authentications log, if it is enabled. Also, if necessary, Cisco Secure
ACS may refresh the end-user client PAC, which creates a second entry in the
Passed Authentication log for the same phase two transaction.
EAP-FAST can protect the username in all EAP-FAST transactions. Cisco Secure
ACS does not perform user authentication based on a username presented in phase
one; however, whether the username is protected during phase one depends upon
the end-user client. If the end-user client does not send the real username in phase
one, the username is protected. The Cisco Aironet EAP-FAST client protects the
username in phase one by sending FAST_MAC address in place of the username.
After phase one of EAP-FAST, all data is encrypted, including username
information usually sent in clear text.
Cisco Secure ACS supports password aging with EAP-FAST for users
authenticated by Windows user databases. Password aging can work with either
phase zero or phase two of EAP-FAST. If password aging requires a user to
change passwords during phase zero, the new password would be effective in
phase two. For more information about password aging for Windows user
databases, see Enabling Password Aging for Users in Windows Databases,
page 6-25.

About Master Keys


EAP-FAST master keys are strong secrets that Cisco Secure ACS automatically
generates and that only Cisco Secure ACS is aware of. Master keys are never sent
to an end-user client. EAP-FAST requires master keys for two purposes:
• PAC generation—Cisco Secure ACS generates PACs using the active
master key. For details about PACs, see About PACs, page 10-15.
• EAP-FAST phase one—Cisco Secure ACS determines whether the PAC
presented by the end-user client was generated by one of the master keys it is
aware of, either the active master key or a retired master key.

To increase the security of EAP-FAST, Cisco Secure ACS changes the master key
that it uses to generate PACs. Cisco Secure ACS uses time-to-live (TTL) values
you define to determine when it generates a new master key and to determine the
age of all master keys. Based on TTL values, Cisco Secure ACS assigns master
keys one of the three following states:
• Active—An active master key is the master key used by Cisco Secure ACS
to generate PACs. The duration that a master key remains active is
determined by the Master key TTL setting. At any time, only one master key
is active. When you define TTLs for master keys and PACs, Cisco Secure
ACS permits only a PAC TTL that is shorter than the active master key TTL.
This limitation ensures that a PAC is refreshed at least once before the
expiration of the master key used to generate the PAC, provided that
EAP-FAST users log in to the network at least once before the master key
expires. For more information about how TTL values determine whether
PAC refreshing or provisioning is required, see Master Key and PAC TTLs,
page 10-19.
When Cisco Secure ACS is configured to receive replicated EAP-FAST
policies and master keys, a backup master key is among the master keys
received. The backup master key is used only if the active master key retires
before the next successful master key replication. If the backup master key
also retires before the next successful master key replication, EAP-FAST
authentication fails for all users requesting network access with EAP-FAST.

Tip If EAP-FAST authentication fails because the active and backup master keys have
retired and Cisco Secure ACS has not received new master keys in replication,
you can force Cisco Secure ACS to generate its own master keys by selecting the
EAP-FAST Master Server check box and clicking Submit.

Cisco Secure ACS records the generation of master keys in the logs for the
CSAuth service.
• Retired—When a master key becomes older than the Master key TTL
settings, it is considered retired for as long as specified by the Retired master
key TTL settings. Cisco Secure ACS can store up to 255 retired master keys.
While a retired master key is not used to generate new PACs, Cisco Secure
ACS needs it to authenticate PACs that were generated using it. When you
define TTLs for master keys and retired master keys, Cisco Secure ACS
permits only TTL settings that require storing 255 or fewer retired master
keys. For example, if the master key TTL is 1 hour and the retired master key
TTL is 4 weeks, this would require storing up to 671 retired master keys;
therefore, Cisco Secure ACS presents an error message and does not allow
these settings.
When a user gains network access using a PAC generated with a retired
master key, Cisco Secure ACS provides the end-user client a new PAC
generated with the active master key. For more information about
Cisco Secure ACS with respect to the states of master keys and PACs, see
Master Key and PAC TTLs, page 10-19.
• Expired—When a master key becomes older than the sum of the master key
TTL and retired master key TTL settings, it is considered expired and
Cisco Secure ACS deletes it from its records of master keys. For example, if
the master key TTL is one hour and the retired master key TTL is one week,
a master key expires when it becomes greater than one week and one hour old.
PACs generated by an expired master key cannot be used to access your
network. An end-user client presenting a PAC that was generated with an
expired master key must be provided a new PAC using automatic or manual
provisioning before phase one of EAP-FAST can succeed.

About PACs
PACs are strong shared secrets that enable Cisco Secure ACS and an EAP-FAST
end-user client to authenticate each other and establish a TLS tunnel for use in
EAP-FAST phase two. Cisco Secure ACS generates PACs using the active master
key and a username. An EAP-FAST end-user client stores PACs for each user
accessing the network with the client. Additionally, a AAA server that supports
EAP-FAST has a unique Authority ID. An end-user client associates a user’s
PACs with the Authority ID of the AAA server that generated them.
During EAP-FAST phase one, the end-user client presents the PAC that it has for
the current user and for the Authority ID sent by Cisco Secure ACS at the
beginning of the EAP-FAST transaction. Cisco Secure ACS determines whether
the PAC was generated using one of the master keys it is aware of, either active
or retired (a PAC generated using an expired master key can never be used to gain
network access). When an end-user client has a PAC generated with an expired
master key, the end-user client must receive a new PAC before EAP-FAST phase
one can succeed. The means of providing PACs to end-user clients, known as
PAC provisioning, are discussed in Automatic PAC Provisioning, page 10-17, and
Manual PAC Provisioning, page 10-18.

After end-user clients are provided PACs, Cisco Secure ACS refreshes them as
dictated by master key and PAC TTL values. Cisco Secure ACS generates and
sends a new PAC as needed at the end of phase two of EAP-FAST; however, if
you shorten the master key TTL, you may in effect be requiring PAC provisioning
to occur. For more information about how master key and PAC states determine
whether Cisco Secure ACS sends a new PAC to the end-user client at the end of
phase two, see Master Key and PAC TTLs, page 10-19.
Regardless of the master key TTL values you define, a user will require PAC
provisioning when the user does not use EAP-FAST to access the network before
the master key used to generate the user’s PAC has expired. For example, if the
master key TTL is one week and the retired master key TTL is one week, each
EAP-FAST end-user client used by someone who goes on vacation for two weeks
will require PAC provisioning.
The following list contrasts the various means by which an end-user client can
receive PACs:
• PAC provisioning—Required when an end-user client has no PAC or has a
PAC that is based on an expired master key. For more information about how
master key and PAC states determine whether PAC provisioning is required,
see Master Key and PAC TTLs, page 10-19.
Two means of PAC provisioning are supported:
– Automatic provision—Sends a PAC using a secure network connection.
For more information, see Automatic PAC Provisioning, page 10-17.
– Manual provision—Requires that you use Cisco Secure ACS to
generate a PAC file for the user, copy the PAC file to the computer
running the end-user client, and import the PAC file into the end-user
client. For more information, see Manual PAC Provisioning, page 10-18.
• PAC refresh—Occurs automatically when EAP-FAST phase two
authentication has succeeded and master key and PAC TTLs dictate that the
PAC must be refreshed. For more information about how master key and PAC
states determine whether a PAC is refreshed, see Master Key and PAC TTLs,
page 10-19.

PACs have the following two states, determined by the PAC TTL setting:
• Active—A PAC younger than the PAC TTL is considered active and can be
used to complete EAP-FAST phase one, provided that the master key used to
generate it has not expired. Regardless of whether a PAC is active, if it is
based on an expired master key, PAC provisioning must occur before
EAP-FAST phase one can succeed.
• Expired—A PAC older than the PAC TTL is considered expired. Provided
that the master key used to generate the PAC has not expired, an expired PAC
can be used to complete EAP-FAST phase one and, at the end of EAP-FAST
phase two, Cisco Secure ACS will generate a new PAC for the user and
provide it to the end-user client.

Automatic PAC Provisioning

Automatic PAC provisioning sends a new PAC to an end-user client over a
secured network connection. Automatic PAC provisioning requires no
intervention of the network user or a Cisco Secure ACS administrator, provided
that both Cisco Secure ACS and the end-user client are configured to support
automatic provisioning.
EAP-FAST phase zero requires EAP-MSCHAPv2 authentication of the user.
Upon successful user authentication, Cisco Secure ACS establishes a
Diffie-Hellman tunnel with the end-user client. Cisco Secure ACS generates a
PAC for the user and sends it to the end-user client within this tunnel, along with
the Authority ID and Authority ID information about this Cisco Secure ACS.

Note Because EAP-FAST phase zero and phase two use different authentication
methods (EAP-MSCHAPv2 in phase zero versus EAP-GTC in phase two), some
databases that support phase two cannot support phase zero. Given that
Cisco Secure ACS associates each user with a single user database, the use of
automatic PAC provisioning requires that EAP-FAST users are authenticated
with a database that is compatible with EAP-FAST phase zero. For the databases
with which Cisco Secure ACS can support EAP-FAST phase zero and phase two,
see Authentication Protocol-Database Compatibility, page 1-9.

No network service is enabled by phase zero of EAP-FAST; therefore,
Cisco Secure ACS logs an EAP-FAST phase zero transaction in the Failed
Attempts log, including an entry that PAC provisioning occurred. After the
end-user client has received a PAC through a successful phase zero, it sends a new
EAP-FAST request to begin phase one.

Note Because transmission of PACs in phase zero is secured by MS-CHAPv2
authentication and MS-CHAPv2 is vulnerable to dictionary attacks, we
recommend that you limit use of automatic provisioning to initial deployment of
EAP-FAST. After a large EAP-FAST deployment, PAC provisioning should be
performed manually to ensure the highest security for PACs. For more
information about manual PAC provisioning, see Manual PAC Provisioning,
page 10-18.

To control whether Cisco Secure ACS performs automatic PAC provisioning, you
use the options on the Global Authentication Setup page in the System
Configuration section. For more information, see Authentication Configuration
Options, page 10-25.

Manual PAC Provisioning

Manual PAC provisioning requires a Cisco Secure ACS administrator to generate
PAC files, which must then be distributed to the applicable network users. Users
must configure end-user clients with their PAC files. For example, if your
EAP-FAST end-user client is the Cisco Aironet Client Utility (ACU), configuring
the ACU to support EAP-FAST requires that you import a PAC file. For more
information about configuring a Cisco ACU, see the applicable configuration
guide for your ACU.
You can use manual PAC provisioning to control who can use EAP-FAST to
access your network. If you disable automatic PAC provisioning, any EAP-FAST
user denied a PAC cannot access the network. If your Cisco Secure ACS
deployment includes network segmentation wherein access to each network
segment is controlled by a separate Cisco Secure ACS, manual PAC provisioning
enables you to grant EAP-FAST access on a per-segment basis. For example, if
your company uses EAP-FAST for wireless access in its Chicago and Boston
offices and the Cisco Aironet Access Points at each of these two offices are
configured to use different Cisco Secure ACSes, you can determine, on a
per-employee basis, whether Boston employees visiting the Chicago office can
have wireless access.

Note Replicating EAP-FAST master keys and policies affects the ability to require
different PACs per Cisco Secure ACS. For more information, see Table 10-2.

While the administrative overhead of manual PAC provisioning is much greater
than automatic PAC provisioning, it does not include the risk of sending the PAC
over the network. When you first deploy EAP-FAST, using manual PAC
provisioning would require a lot of manual configuration of end-user clients;
however, it is the most secure means for distributing PACs. We recommend that,
after a large EAP-FAST deployment, PAC provisioning should be performed
manually to ensure the highest security for PACs.
You can generate PAC files for specific users, groups of users, lists of users, or
all users. When you generate PAC files for groups of users or all users, the users
must be known or discovered users and cannot be unknown users. Cisco Secure
ACS Appliance supports the generation of PAC files in its HTML interface. For
more information about generating PAC files, see EAP-FAST PAC Files
Generation, page 10-41.

Master Key and PAC TTLs


The TTL values for master keys and PACs determine their states, as described in
About Master Keys, page 10-13 and About PACs, page 10-15. Master key and
PAC states determine whether someone requesting network access with
EAP-FAST requires PAC provisioning or PAC refreshing. Table 10-1 summarizes
Cisco Secure ACS behavior with respect to PAC and master key states.

Table 10-1 Master Key versus PAC States

Master key active
  PAC active: Phase one succeeds. PAC is not refreshed at end of phase two.
  PAC expired: Phase one succeeds. PAC is refreshed at end of phase two.

Master key retired
  PAC active: Phase one succeeds. PAC is refreshed at end of phase two.
  PAC expired: Phase one succeeds. PAC is refreshed at end of phase two.

Master key expired
  PAC active or PAC expired (same behavior): PAC provisioning is required.
  If automatic provisioning is enabled, phase zero occurs and a new PAC is
  sent. The end-user client initiates a new EAP-FAST authentication request
  using the new PAC. If automatic provisioning is disabled, phase zero does
  not occur and phase one fails. You must use manual provisioning to give the
  user a new PAC.
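The master key and PAC state rules described in About Master Keys and About PACs, together with the Table 10-1 decision matrix, as an added Python model that is not Cisco code; the class and function names, the sample timedelta values and the plain retired-key ratio used in the TTL check are assumptions.

```python
from dataclasses import dataclass
from datetime import timedelta
from enum import Enum

MAX_RETIRED_MASTER_KEYS = 255  # storage limit stated in "About Master Keys"


class MasterKeyState(Enum):
    ACTIVE = "active"
    RETIRED = "retired"
    EXPIRED = "expired"


class PacState(Enum):
    ACTIVE = "active"
    EXPIRED = "expired"


@dataclass(frozen=True)
class EapFastTtls:
    """The three TTLs set on the Global Authentication Setup page."""
    master_key_ttl: timedelta
    retired_master_key_ttl: timedelta
    pac_ttl: timedelta

    def validate(self) -> None:
        """Apply the two configuration-time checks the guide describes."""
        # A PAC TTL shorter than the master key TTL means a PAC is refreshed at
        # least once before the key that generated it stops being active.
        if self.pac_ttl >= self.master_key_ttl:
            raise ValueError("PAC TTL must be shorter than the master key TTL")
        # One key retires per master key TTL and stays retired for the retired
        # master key TTL, so about retired_ttl / master_ttl keys coexist in the
        # retired state. Assumption: plain ratio; the guide's figure for
        # 1 hour / 4 weeks is 671, the ratio gives 672 (a fence-post detail).
        coexisting = self.retired_master_key_ttl / self.master_key_ttl
        if coexisting > MAX_RETIRED_MASTER_KEYS:
            raise ValueError(f"TTLs would require storing about {coexisting:.0f} "
                             f"retired master keys; limit is {MAX_RETIRED_MASTER_KEYS}")


def ttls_are_valid(ttls: EapFastTtls) -> bool:
    """Convenience wrapper: True when Cisco Secure ACS would accept the TTLs."""
    try:
        ttls.validate()
        return True
    except ValueError:
        return False


def master_key_state(age: timedelta, ttls: EapFastTtls) -> MasterKeyState:
    """Active until older than the master key TTL, retired until older than
    master key TTL + retired master key TTL, then expired and deleted."""
    if age <= ttls.master_key_ttl:
        return MasterKeyState.ACTIVE
    if age <= ttls.master_key_ttl + ttls.retired_master_key_ttl:
        return MasterKeyState.RETIRED
    return MasterKeyState.EXPIRED


def pac_state(age: timedelta, ttls: EapFastTtls) -> PacState:
    """A PAC is active until it is older than the PAC TTL."""
    return PacState.ACTIVE if age <= ttls.pac_ttl else PacState.EXPIRED


@dataclass(frozen=True)
class Outcome:
    phase_one_succeeds: bool     # does the presented PAC open the TLS tunnel?
    pac_refreshed: bool          # is a new PAC sent at the end of phase two?
    provisioning_required: bool  # is phase zero or manual provisioning needed?


def evaluate(master_key_age: timedelta, pac_age: timedelta,
             ttls: EapFastTtls) -> Outcome:
    """Table 10-1: outcome for a PAC of the given age that was generated by a
    master key of the given age (both measured when the request arrives)."""
    # A PAC can only have been generated while its master key was active.
    if pac_age > master_key_age or master_key_age - pac_age > ttls.master_key_ttl:
        raise ValueError("PAC could not have been generated by this master key")
    key = master_key_state(master_key_age, ttls)
    if key is MasterKeyState.EXPIRED:
        # Last row of Table 10-1: provisioning is required whatever the PAC
        # state; with automatic provisioning phase zero runs and the client
        # retries with the new PAC, otherwise phase one simply fails.
        return Outcome(False, False, True)
    if key is MasterKeyState.RETIRED:
        # Retired key: phase one succeeds and the PAC is always refreshed.
        return Outcome(True, True, False)
    # Active key: the PAC is refreshed only once it is older than the PAC TTL.
    return Outcome(True, pac_state(pac_age, ttls) is PacState.EXPIRED, False)
```

The guide's 1 hour / 4 weeks pair is rejected by validate() and the 1 hour / 1 week pair (about 168 retired keys) is accepted, matching the limit the text states.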

Replication and EAP-FAST


The CiscoSecure Database Replication feature supports the replication of
EAP-FAST settings, Authority ID, and master keys. Replication of EAP-FAST
data occurs only if the following are true:
• On the Database Replication Setup page of the primary Cisco Secure ACS,
under Send, you have selected the EAP-FAST master keys and policies
check box.
• On the Global Authentication Setup page of the primary Cisco Secure ACS,
you have enabled EAP-FAST and selected the EAP-FAST master server
check box.
• On the Database Replication Setup page of the secondary Cisco Secure ACS,
under Receive, you have selected the EAP-FAST master keys and policies
check box.
• On the Global Authentication Setup page of the secondary Cisco Secure
ACS, you have enabled EAP-FAST and deselected the EAP-FAST master
server check box.

EAP-FAST-related replication occurs for three events:
• Generation of master keys—A primary Cisco Secure ACS sends newly
generated active and backup master keys to secondary Cisco Secure ACSes.
This occurs immediately after master key generation, provided that
replication is configured properly and is not affected by replication
scheduling on the Database Replication Setup page.
• Manual replication—All EAP-FAST components that can be replicated are
replicated if you click Replicate Now on the Database Replication Setup page
of the primary Cisco Secure ACS. Some of the replicated components are
configurable in the HTML interface. Whether an EAP-FAST component is
replicated or configurable is detailed in Table 10-2.

Note EAP-FAST replication is not included in scheduled replication events.

• Changes to EAP-FAST settings—If, on a primary Cisco Secure ACS, you
change any EAP-FAST configurable components that are replicated,
Cisco Secure ACS begins EAP-FAST replication. Whether an EAP-FAST
component is replicated or configurable is detailed in Table 10-2.
The Database Replication log on the primary Cisco Secure ACS records
replication of master keys. Entries related to master key replication contain the
text “MKEYReplicate”.

Table 10-2 EAP-FAST Components and Replication

EAP-FAST Component              Replicated?  Configurable?
EAP-FAST Enable                 No           Yes, on the Global Authentication Setup page.
Master key TTL                  Yes          Yes, on the Global Authentication Setup page.
Retired master key TTL          Yes          Yes, on the Global Authentication Setup page.
PAC TTL                         Yes          Yes, on the Global Authentication Setup page.
Authority ID                    Yes          No, generated by Cisco Secure ACS.
Authority ID info               Yes          Yes, on the Global Authentication Setup page.
Client initial message          Yes          Yes, on the Global Authentication Setup page.
Master keys                     Yes          No, generated by Cisco Secure ACS when TTL settings dictate.
EAP-FAST master server          No           Yes, on the Global Authentication Setup page.
Actual EAP-FAST server status   No           No, determined by Cisco Secure ACS.

The EAP-FAST master server setting has a significant effect upon EAP-FAST
authentication and replication, as follows:
• Enabled—When the EAP-FAST master server check box is selected, the
“Actual EAP-FAST server status” is Master and Cisco Secure ACS ignores
the EAP-FAST settings, Authority ID, and master keys it receives from a
primary Cisco Secure ACS during replication, preferring instead to use
master keys it generates, its unique Authority ID, and the EAP-FAST settings
configured in its HTML interface.
Enabling the EAP-FAST master server setting requires that the end-user client
be provided with a PAC from the primary Cisco Secure ACS that is different
from the PAC from the secondary Cisco Secure ACS. Because the primary
and secondary Cisco Secure ACSes send different Authority IDs at the
beginning of the EAP-FAST transaction, the end-user client must have a PAC
for each Authority ID. A PAC generated by the primary Cisco Secure ACS is
not accepted by the secondary Cisco Secure ACS in a replication scheme
where the EAP-FAST master server setting is enabled on the secondary
Cisco Secure ACS.

Tip In a replicated Cisco Secure ACS environment, use the EAP-FAST master server
feature in conjunction with disallowing automatic PAC provisioning to control
EAP-FAST access to different segments of your network. Without automatic
PAC provisioning, users must request PACs for each network segment.

• Disabled—When the EAP-FAST master server check box is not selected,
Cisco Secure ACS continues to operate as an EAP-FAST master server until
the first time it receives replicated EAP-FAST components from the primary
Cisco Secure ACS. When “Actual EAP-FAST server status” displays the text
Slave, Cisco Secure ACS uses the EAP-FAST settings, Authority ID, and
master keys it receives from a primary Cisco Secure ACS during replication,
rather than using master keys it generates and its unique Authority ID.

Note When you deselect the EAP-FAST master server check box, the
“Actual EAP-FAST server status” remains Master until Cisco Secure
ACS receives replicated EAP-FAST components and then the
“Actual EAP-FAST server status” changes to Slave. Until “Actual
EAP-FAST server status” changes to Slave, Cisco Secure ACS acts
as a master EAP-FAST server, using master keys it generates, its
unique Authority ID, and the EAP-FAST settings configured in its
HTML interface.

Disabling the EAP-FAST master server setting eliminates the need for
providing a different PAC from the primary and secondary Cisco Secure
ACSes. This is because the primary and secondary Cisco Secure ACSes send
the end-user client the same Authority ID at the beginning of the EAP-FAST
transaction; therefore, the end-user client uses the same PAC in its response
to either Cisco Secure ACS. Also, a PAC generated for a user by one
Cisco Secure ACS in a replication scheme where the EAP-FAST master
server setting is disabled is accepted by all other Cisco Secure ACSes in the
same replication scheme.
For more information about replication, see CiscoSecure Database Replication,
page 9-1.
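The replication rules above (how the EAP-FAST master server setting drives the "Actual EAP-FAST server status", which Authority ID a server announces and therefore which PAC a client can use, and the fallback from the active to the backup master key when replication stalls), as an added Python model that is not Cisco code; the key identifiers, timestamps, class and method names are constructed, and the assumption that each replicated key carries its own generation time is mine.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class MasterKey:
    key_id: str
    generated_at: datetime  # assumption: each key carries its generation time


@dataclass(frozen=True)
class ReplicatedEapFast:
    """What a primary sends when EAP-FAST replication runs (Table 10-2):
    settings, its Authority ID, and the active and backup master keys."""
    authority_id: str
    master_key_ttl: timedelta
    active_key: MasterKey
    backup_key: MasterKey


class SecondaryAcs:
    """A receiving Cisco Secure ACS; `status` mirrors the read-only
    "Actual EAP-FAST server status" field of the Global Authentication Setup page."""

    def __init__(self, own_authority_id: str, master_key_ttl: timedelta,
                 master_server_enabled: bool, now: datetime) -> None:
        self.own_authority_id = own_authority_id
        self.master_key_ttl = master_key_ttl
        self.master_server_enabled = master_server_enabled
        self.status = "Master"  # stays Master until replicated components arrive
        self.authority_id = own_authority_id
        self.active_key: MasterKey = MasterKey(f"own-{now:%Y%m%d%H%M}", now)
        self.backup_key: Optional[MasterKey] = None

    def receive_replication(self, rep: ReplicatedEapFast) -> bool:
        """Return True if the replicated components were adopted."""
        if self.master_server_enabled:
            return False  # a Master ignores replicated settings, ID and keys
        self.status = "Slave"
        self.authority_id = rep.authority_id
        self.master_key_ttl = rep.master_key_ttl
        self.active_key, self.backup_key = rep.active_key, rep.backup_key
        return True

    def force_master(self, now: datetime) -> None:
        """The guide's Tip: select EAP-FAST master server and Submit so that
        ACS generates its own master keys again (a restart is also required)."""
        self.master_server_enabled = True
        self.status = "Master"
        self.authority_id = self.own_authority_id
        self.active_key = MasterKey(f"own-{now:%Y%m%d%H%M}", now)
        self.backup_key = None

    def _retired(self, key: MasterKey, now: datetime) -> bool:
        return now - key.generated_at > self.master_key_ttl

    def pac_generation_key(self, now: datetime) -> Optional[MasterKey]:
        """Key used to generate PACs: the active key, then the backup key once
        the active one retires, then nothing (EAP-FAST fails for all users)."""
        if not self._retired(self.active_key, now):
            return self.active_key
        if self.backup_key is not None and not self._retired(self.backup_key, now):
            return self.backup_key
        return None

    def accepts_pac(self, pac_authority_id: str) -> bool:
        """The client answers with the PAC tied to the Authority ID this server
        announces, so a PAC issued under another Authority ID is not usable here."""
        return pac_authority_id == self.authority_id
```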

Enabling EAP-FAST
This procedure provides an overview of the detailed procedures required to
configure Cisco Secure ACS to support EAP-FAST authentication.

Note End-user clients must be configured to support EAP-FAST. This procedure is
specific to configuring Cisco Secure ACS only.

Before You Begin


The steps in this procedure are a suggested order only. Enabling EAP-FAST at
your site may require recursion of these steps or performing these steps in a
different order. For example, in this procedure, determining how you want to
support PAC provisioning comes after configuring a user database to support
EAP-FAST; however, choosing automatic PAC provisioning places different
limits upon user database support.

To enable Cisco Secure ACS to perform EAP-FAST authentication, follow these
steps:

Step 1 Configure a user database that supports EAP-FAST authentication. To determine
which user databases support EAP-FAST authentication, see Authentication
Protocol-Database Compatibility, page 1-9. For user database configuration, see
Chapter 13, “User Databases.”

Note User database support differs for EAP-FAST phase zero and phase two.

Cisco Secure ACS supports use of the Unknown User Policy and group mapping
with EAP-FAST, as well as password aging with Windows external user
databases.
Step 2 Determine master key and PAC TTL values. While changing keys and PACs more
frequently could be considered more secure, it also increases the likelihood that
PAC provisioning will be needed for machines left offline so long that the PACs
on them are based on expired master keys.
Also, keep in mind that if you reduce the TTL values that you initially deploy
EAP-FAST with, you may force PAC provisioning to occur because users would
be more likely to have PACs based on expired master keys.
For information about how master key and PAC TTL values determine whether
PAC provisioning or PAC refreshing is required, see Master Key and PAC TTLs,
page 10-19.
Step 3 Determine whether you want to use automatic or manual PAC provisioning. For
more information about the two means of PAC provisioning, see Automatic PAC
Provisioning, page 10-17, and Manual PAC Provisioning, page 10-18.

Note We recommend limiting the use of automatic PAC provisioning to initial
deployments of EAP-FAST, followed by using manual PAC provisioning
for adding small numbers of new end-user clients to your network and for
replacing PACs based on expired master keys.

Step 4 Using the decisions during Step 2 and Step 3, enable EAP-FAST on the Global
Authentication Setup page. For detailed steps, see Configuring Authentication
Options, page 10-32.
Cisco Secure ACS is ready to perform EAP-FAST authentication.

Global Authentication Setup


The Global Authentication Setup page provides a means to enable or disable some
of the authentication protocols supported by Cisco Secure ACS. You can also
configure other options for some of the protocols represented on the Global
Authentication Setup page.
This section contains the following topics:
• Authentication Configuration Options, page 10-25
• Configuring Authentication Options, page 10-32

Authentication Configuration Options


The Global Authentication Setup page contains the following configuration
options:
• PEAP—You can configure the following options for PEAP:
– Allow EAP-MSCHAPv2—Whether Cisco Secure ACS attempts
EAP-MSCHAPv2 authentication with PEAP clients.

Note If both the Allow EAP-MSCHAPv2 and the Allow EAP-GTC check boxes are
selected, Cisco Secure ACS negotiates the EAP type with the end-user PEAP
client.

– Allow EAP-GTC—Whether Cisco Secure ACS attempts EAP-GTC
authentication with PEAP clients.

– Cisco client initial message—The message you want displayed during
PEAP authentication. The PEAP client initial display message is the first
challenge a user of a Cisco Aironet PEAP client sees when attempting
authentication. It should direct the user on what to do next, for example,
“Enter your passcode.” The message is limited to 60 characters.
– PEAP session timeout (minutes)—The maximum PEAP session length
you want to allow users, in minutes. A session timeout value greater than
0 (zero) enables the PEAP session resume feature, which caches the TLS
session created in phase one of PEAP authentication. When a PEAP
client reconnects, Cisco Secure ACS uses the cached TLS session to
restore the session, which improves PEAP performance. Cisco Secure
ACS deletes cached TLS sessions when they time out. The default
timeout value is 120 minutes. To disable the session resume feature, set
the timeout value to 0 (zero).
– Enable Fast Reconnect—Whether Cisco Secure ACS resumes sessions
for PEAP clients without performing phase two of PEAP authentication.
Deselecting the Enable Fast Reconnect check box causes Cisco Secure
ACS to always perform phase two of PEAP authentication, even when
the PEAP session has not timed out.
Fast reconnection can occur only when Cisco Secure ACS allows the
session to resume because the session has not timed out. If you disable
the PEAP session resume feature by entering 0 (zero) in the PEAP
session timeout (minutes) box, selecting the Enable Fast Reconnect
check box has no effect on PEAP authentication and phase two of PEAP
authentication always occurs.
• EAP-FAST—You can configure the following options for EAP-FAST:
– Allow EAP-FAST—Whether Cisco Secure ACS permits EAP-FAST
authentication.

Note If users access your network using a AAA client defined in the
Network Configuration section as a RADIUS (Cisco Aironet)
device, one or more of the LEAP, EAP-TLS, or EAP-FAST
protocols must be enabled on the Global Authentication Setup
page; otherwise, Cisco Aironet users cannot authenticate.

– Master Key TTL—The duration that a master key is used to generate
new PACs. When the master key becomes older than the master key TTL,
Cisco Secure ACS retires the master key and generates a new master key.
The default master key TTL is one month.

Note Decreasing the master key TTL can cause retired master keys to
expire because a master key expires when it is older than the sum
of the master key TTL and the retired master key TTL; therefore,
decreasing the master key TTL requires PAC provisioning for
end-user clients with PACs based on the newly expired master
keys.

For more information about master keys, see About Master Keys,
page 10-13.
– Retired master key TTL—The duration that PACs generated using a
retired master key are acceptable for EAP-FAST authentication. In other
words, the retired master key TTL defines the length of the grace period
during which PACs generated with a master key that is no longer active
are acceptable. When an end-user client gains network access using a
PAC based on a retired master key, Cisco Secure ACS sends a new PAC
to the end-user client. The default retired master key TTL is three
months.
When a retired master key ages past the retired master key TTL, it
expires and Cisco Secure ACS deletes it.

Note Decreasing the retired master key TTL is likely to cause some
retired master keys to expire; therefore, end-user clients with
PACs based on the newly expired master keys require PAC
provisioning.

For more information about master keys, see About Master Keys,
page 10-13.
– PAC TTL—The duration that a PAC is used before it expires and must
be replaced. If the master key used to generate it has not expired, new
PAC creation and assignment are automatic. If the master key used to
generate it has expired, in-band or out-of-band provisioning must be used
to provide the end-user client with a new PAC. The default PAC TTL is
one month.
For more information about PACs, see About PACs, page 10-15.
– Client initial display message—Specifies a message to be sent to users
who authenticate with an EAP-FAST client. Maximum length is 40
characters.

Note A user will see the initial display message only if the end-user
client supports its display.

– Authority ID Info—A short description of this Cisco Secure ACS, sent
along with PACs issued by Cisco Secure ACS. EAP-FAST end-user
clients use it to describe the AAA server that issued the PAC. Maximum
length is 64 characters.

Note Authority ID information is not the same as the Authority ID,
which is generated automatically by Cisco Secure ACS and is not
configurable. While the Authority ID is used by end-user clients
to determine which PAC to send to Cisco Secure ACS, the
Authority ID information is strictly the human-readable label
associated with the Authority ID.

– Allow automatic PAC provisioning—Whether Cisco Secure ACS will
provision an end-user client with a PAC using EAP-FAST phase 0. If this
check box is selected, Cisco Secure ACS establishes a secured
connection with the end-user client for providing a new PAC. If the
check box is not selected, Cisco Secure ACS denies the user access and
PAC provisioning must be performed out of band (manually).

– EAP-FAST Master Server—When this check box is not selected and
when Cisco Secure ACS receives replicated EAP-FAST policies,
Authority ID, and master keys, Cisco Secure ACS uses them rather than
its own EAP-FAST policies, Authority ID, and master keys.
When this check box is selected, Cisco Secure ACS uses its own
EAP-FAST policies, Authority ID, and master keys. For more
information, see Table 10-2.

Note Click Submit + Restart if you change the EAP-FAST master
server setting.

– Actual EAP-FAST server status—This read-only option displays the
state of Cisco Secure ACS with respect to EAP-FAST. If this option
displays “Master”, Cisco Secure ACS generates its own master keys and
Authority ID. If this option displays “Slave”, Cisco Secure ACS uses
master keys and the Authority ID it receives during replication. For more
information, see Table 10-2.

Tip If you deselect the EAP-FAST Master Server check box, EAP-FAST server status
remains “Master” until Cisco Secure ACS receives replicated EAP-FAST
components.
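The interaction between the master key lifetime, the retired master key TTL, the PAC TTL, and the Allow automatic PAC provisioning setting is easiest to see as code. The following Python model is an added example, not part of the Cisco documentation or of the Cisco Secure ACS software; the active master key lifetime (MASTER_KEY_TTL) and the decision names are assumptions, while the retired master key TTL and PAC TTL defaults are the ones given above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Constructed model (not Cisco Secure ACS code) of how the EAP-FAST lifetimes on the
# Global Authentication Setup page decide what happens when a client presents a PAC.
RETIRED_MASTER_KEY_TTL = timedelta(days=90)   # page default: three months
PAC_TTL = timedelta(days=30)                  # page default: one month
MASTER_KEY_TTL = timedelta(days=30)           # assumption: active master key lifetime


@dataclass(frozen=True)
class MasterKey:
    key_id: str
    created: datetime

    def state(self, now: datetime, retired_ttl: timedelta = RETIRED_MASTER_KEY_TTL,
              active_ttl: timedelta = MASTER_KEY_TTL) -> str:
        """'active' -> 'retired' (grace period) -> 'expired' (ACS deletes the key)."""
        age = now - self.created
        if age < active_ttl:
            return "active"
        if age < active_ttl + retired_ttl:
            return "retired"
        return "expired"


@dataclass(frozen=True)
class Pac:
    username: str
    master_key_id: str      # which master key generated this PAC
    issued: datetime


def purge_expired_keys(keys: Dict[str, MasterKey], now: datetime,
                       retired_ttl: timedelta = RETIRED_MASTER_KEY_TTL) -> Dict[str, MasterKey]:
    """ACS deletes a retired master key once it ages past the retired master key TTL."""
    return {k: v for k, v in keys.items() if v.state(now, retired_ttl) != "expired"}


def evaluate_pac(pac: Pac, keys: Dict[str, MasterKey], now: datetime,
                 allow_auto_provisioning: bool = True,
                 pac_ttl: timedelta = PAC_TTL,
                 retired_ttl: timedelta = RETIRED_MASTER_KEY_TTL) -> Tuple[str, str]:
    """Decide what happens when an end-user client presents this PAC.

    Returns (decision, reason); decision is one of
      accept          - PAC and its master key are current
      accept_reissue  - PAC accepted, but ACS sends the client a new PAC
      provision       - PAC unusable; EAP-FAST phase 0 (in-band) provisioning
      deny            - PAC unusable and automatic provisioning is disabled
    """
    key: Optional[MasterKey] = keys.get(pac.master_key_id)
    if key is None or key.state(now, retired_ttl) == "expired":
        # The master key aged past the retired TTL, so ACS no longer holds it and the PAC
        # cannot be validated: a new PAC must be provisioned in band or out of band.
        if allow_auto_provisioning:
            return "provision", "master key expired; phase 0 provisioning"
        return "deny", "master key expired; automatic provisioning disabled"
    if key.state(now, retired_ttl) == "retired":
        # Grace period: the PAC is still acceptable and ACS sends a PAC from the active key.
        return "accept_reissue", "master key retired; new PAC sent to client"
    if now - pac.issued >= pac_ttl:
        # PAC TTL elapsed but the master key is still active: replacement is automatic.
        return "accept_reissue", "PAC TTL elapsed; automatic replacement"
    return "accept", "PAC current"
```

Lowering retired_ttl in a call to evaluate_pac reproduces the effect the Note above describes: a PAC that was in its grace period a moment ago now needs provisioning.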

• EAP-TLS—You can configure the following options for EAP-TLS:
– Allow EAP-TLS—Whether Cisco Secure ACS permits EAP-TLS
authentication.

Note If users access your network using a AAA client defined in the
Network Configuration section as a RADIUS (Cisco Aironet)
device, one or more of the LEAP, EAP-TLS, or EAP-FAST
protocols must be enabled on the Global Authentication Setup
page; otherwise, Cisco Aironet users cannot authenticate.

– Certificate SAN comparison—Whether authentication is performed by
comparing the Subject Alternative Name (SAN) of the end-user client
certificate to the username in the applicable user database.

Note If you select more than one comparison type, Cisco Secure ACS
performs the comparisons in the order listed. If one comparison
type fails, Cisco Secure ACS attempts the next enabled
comparison type. Comparison stops after the first successful
comparison.

– Certificate CN comparison—Whether authentication is performed by
comparing the Common Name of the end-user client certificate to the
username in the applicable user database.
– Certificate Binary comparison—Whether authentication is performed
by a binary comparison of the end-user client certificate to the user
certificate stored in the applicable user database. This comparison
method cannot be used to authenticate users stored in an ODBC external
user database.
– EAP-TLS session timeout (minutes)—The maximum EAP-TLS
session length you want to allow users, in minutes. A session timeout
value greater than 0 (zero) enables the EAP-TLS session resume feature.
The session resume feature allows users to reauthenticate without a user
lookup or certificate comparison provided that the session has not timed
out. If the end-user client is restarted, authentication requires a certificate
lookup even if the session timeout interval has not ended. The default
timeout value is 120 minutes. To disable the session timeout feature, set
the timeout value to 0 (zero).
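The three comparison types, their fixed order, the ODBC restriction on binary comparison, and the session resume timeout fit together as follows. This Python example is added here and is not Cisco Secure ACS code; certificates are modelled as already-parsed fields (subject CN, SAN entries, DER bytes), the database labels are constructed, and exact-string username matching is an assumption.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Constructed model (not Cisco Secure ACS code) of the EAP-TLS comparison types on the
# Global Authentication Setup page: tried in the listed order, stop at the first success.


@dataclass(frozen=True)
class ClientCert:
    subject_cn: str             # Common Name from the certificate subject
    san: Tuple[str, ...]        # Subject Alternative Name entries (UPN, e-mail, ...)
    der: bytes                  # raw DER encoding, used by the binary comparison


@dataclass(frozen=True)
class UserRecord:
    username: str
    database: str               # constructed labels: "internal", "windows", "odbc", ...
    cert_der: Optional[bytes] = None   # user certificate stored in the database, if any


def _san_matches(cert: ClientCert, user: UserRecord) -> bool:
    return any(entry == user.username for entry in cert.san)   # assumption: exact match


def _cn_matches(cert: ClientCert, user: UserRecord) -> bool:
    return cert.subject_cn == user.username


def _binary_matches(cert: ClientCert, user: UserRecord) -> bool:
    # Binary comparison cannot be used for users stored in an ODBC external database.
    if user.database == "odbc" or user.cert_der is None:
        return False
    return hmac.compare_digest(cert.der, user.cert_der)


# Order matters: ACS performs the enabled comparisons in exactly this order.
COMPARISONS: List[Tuple[str, Callable[[ClientCert, UserRecord], bool]]] = [
    ("san", _san_matches),
    ("cn", _cn_matches),
    ("binary", _binary_matches),
]


def compare_certificate(cert: ClientCert, user: UserRecord,
                        enabled: Dict[str, bool]) -> Optional[str]:
    """Return the name of the first enabled comparison that succeeds, or None (auth fails)."""
    for name, matches in COMPARISONS:
        if enabled.get(name, False) and matches(cert, user):
            return name
    return None


class SessionCache:
    """EAP-TLS session resume: while a session is unexpired, reauthentication needs no
    user lookup or certificate comparison. A timeout of 0 disables the feature."""

    def __init__(self, timeout_minutes: int = 120):   # page default: 120 minutes
        self.timeout = timedelta(minutes=timeout_minutes)
        self._started: Dict[bytes, datetime] = {}

    def remember(self, session_id: bytes, now: datetime) -> None:
        if self.timeout > timedelta(0):
            self._started[session_id] = now

    def can_resume(self, session_id: bytes, now: datetime) -> bool:
        started = self._started.get(session_id)
        return started is not None and now - started < self.timeout


def authenticate_eap_tls(cert: ClientCert, user: UserRecord, enabled: Dict[str, bool],
                         cache: SessionCache, session_id: bytes, now: datetime) -> Optional[str]:
    """Full flow: resume if the TLS session is still live, otherwise run the comparisons.
    A restarted client presents a new session ID, so it always gets the full comparison."""
    if cache.can_resume(session_id, now):
        return "resumed"
    result = compare_certificate(cert, user, enabled)
    if result is not None:
        cache.remember(session_id, now)
    return result
```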
• LEAP—The Allow LEAP (For Aironet only) check box controls whether
Cisco Secure ACS performs LEAP authentication. LEAP is currently used
only for Cisco Aironet wireless networking. If you disable this option, Cisco
Aironet end-user clients configured to perform LEAP authentication cannot
access the network. If all Cisco Aironet end-user clients use a different
authentication protocol, such as EAP-TLS, we recommend that you disable
this option.

Note If users access your network using a AAA client defined in the
Network Configuration section as a RADIUS (Cisco Aironet) device,
either LEAP, EAP-TLS, or both must be enabled on the Global
Authentication Setup page; otherwise, Cisco Aironet users cannot
authenticate.

• EAP-MD5—The Allow EAP-MD5 check box controls whether Cisco Secure
ACS performs EAP-MD5 authentication. If you disable this option, end-user
clients configured to perform EAP-MD5 authentication cannot access the
network. If no end-user clients use EAP-MD5, we recommend that you
disable this option.
• AP EAP request timeout (seconds)—Whether Cisco Secure ACS instructs
Cisco Aironet Access Points (APs) to use the specified timeout value during
EAP conversations. The value specified must be the number of seconds after
which Cisco Aironet APs should assume that an EAP transaction with
Cisco Secure ACS has been lost and should be restarted. A value of 0 (zero)
disables this feature.

Note The AP EAP request timeout feature is available beginning in Cisco
Secure ACS version 3.2.3. Earlier versions of Cisco Secure ACS do
not include this feature.

During EAP conversations, Cisco Secure ACS sends the value defined in the
AP EAP request timeout box using the IETF RADIUS Session-Timeout (27)
attribute; however, in the RADIUS Access-Accept packet at the end of the
conversation, the value that Cisco Secure ACS sends in the IETF RADIUS
Session-Timeout (27) attribute is the value specified in the Cisco Aironet
RADIUS VSA Cisco-Aironet-Session-Timeout (01) or, if that attribute is not
enabled, the IETF RADIUS Session-Timeout (27) attribute.

Note Cisco Aironet RADIUS VSA Cisco-Aironet-Session-Timeout (01) is
not a true RADIUS VSA; instead, it represents the value that
Cisco Secure ACS sends in the IETF RADIUS Session-Timeout
attribute when the AAA client sending the RADIUS request is
defined in the Network Configuration as authenticating with
RADIUS (Cisco Aironet).
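The rule above, which value ends up in IETF attribute 27 in which packet, is shown below together with the attribute's wire encoding (RFC 2865: one type byte, one length byte, four-byte big-endian integer). This Python example is added here and is not Cisco Secure ACS code; treating the IETF Session-Timeout value as something configured for the user or group is an assumption.

```python
import struct
from typing import Optional

# Constructed example (not Cisco Secure ACS code): encoding the IETF RADIUS
# Session-Timeout (27) attribute and choosing which configured value it carries.
SESSION_TIMEOUT_TYPE = 27
SESSION_TIMEOUT_LENGTH = 6      # type + length + 32-bit value


def encode_session_timeout(seconds: int) -> bytes:
    """Type(1) Length(1) Value(4, unsigned, network byte order)."""
    if not 0 <= seconds <= 0xFFFFFFFF:
        raise ValueError("Session-Timeout must fit in 32 bits")
    return struct.pack("!BBI", SESSION_TIMEOUT_TYPE, SESSION_TIMEOUT_LENGTH, seconds)


def decode_session_timeout(attr: bytes) -> int:
    """Inverse of encode_session_timeout; rejects anything that is not attribute 27."""
    if len(attr) != SESSION_TIMEOUT_LENGTH:
        raise ValueError("wrong attribute length")
    attr_type, length, value = struct.unpack("!BBI", attr)
    if attr_type != SESSION_TIMEOUT_TYPE or length != SESSION_TIMEOUT_LENGTH:
        raise ValueError("not a Session-Timeout attribute")
    return value


def session_timeout_for_packet(packet_kind: str, ap_eap_request_timeout: int,
                               aironet_session_timeout: Optional[int],
                               ietf_session_timeout: Optional[int]) -> Optional[bytes]:
    """Attribute 27 that ACS sends to a RADIUS (Cisco Aironet) AAA client, or None.

    packet_kind: "challenge" for Access-Challenge packets during the EAP conversation,
                 "accept" for the final Access-Accept.
    ap_eap_request_timeout: the AP EAP request timeout setting; 0 disables the feature.
    aironet_session_timeout: value of Cisco-Aironet-Session-Timeout (01) when that
                 attribute is enabled for the user or group (assumption), else None.
    ietf_session_timeout: value of IETF Session-Timeout (27) when enabled, else None.
    """
    if packet_kind == "challenge":
        if ap_eap_request_timeout == 0:
            return None                         # feature disabled: nothing sent
        return encode_session_timeout(ap_eap_request_timeout)
    if packet_kind == "accept":
        # The Aironet "VSA" wins when enabled, but it is not a real VSA: its value still
        # travels in IETF attribute 27. Otherwise the IETF attribute's own value is used.
        value = aironet_session_timeout if aironet_session_timeout is not None else ietf_session_timeout
        return None if value is None else encode_session_timeout(value)
    raise ValueError(f"unknown packet kind: {packet_kind}")
```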

• MS-CHAP Configuration—The Allow MS-CHAP Version 1
Authentication and Allow MS-CHAP Version 2 Authentication check boxes
control whether Cisco Secure ACS performs MS-CHAP authentication for
RADIUS requests. The two check boxes allow you to further control which
versions of MS-CHAP are permitted in RADIUS requests. If you disable a
particular version of MS-CHAP, end-user clients configured to authenticate
with that version using RADIUS cannot access the network. If no end-user
clients are configured to use a specific version of MS-CHAP with RADIUS,
we recommend that you disable that version of MS-CHAP.

Note For TACACS+, Cisco Secure ACS supports only MS-CHAP version
1. TACACS+ support for MS-CHAP version 1 is always enabled and
is not configurable.

Configuring Authentication Options


Use this procedure to select and configure how Cisco Secure ACS handles options
for authentication. In particular, use this procedure to specify and configure the
varieties of EAP that you allow, and to specify whether you allow either
MS-CHAP Version 1 or MS-CHAP Version 2, or both.
For more information on the EAP-TLS Protocol, see EAP-TLS Authentication,
page 10-2. For more information on the PEAP protocol, see PEAP
Authentication, page 10-7. For more information on the EAP-FAST protocol, see
EAP-FAST Authentication, page 10-11. For details regarding how various
password protocols are supported by the various databases, see Authentication
Protocol-Database Compatibility, page 1-9.
Before You Begin
For information about the options on the Global Authentication Setup page, see
Authentication Configuration Options, page 10-25.
To configure authentication options, follow these steps:

Step 1 In the navigation bar, click System Configuration.
Step 2 Click Global Authentication Setup.
Cisco Secure ACS displays the Global Authentication Setup page.
Step 3 Configure options, as applicable. For more information about the significance of
the options, see Authentication Configuration Options, page 10-25.
Step 4 If you want to immediately implement the settings you have made, click Submit
+ Restart.

Cisco Secure ACS restarts its services and implements the authentication
configuration options you selected.
Step 5 If you want to save the settings you have made but implement them later, click
Submit.

Tip You can restart Cisco Secure ACS services at any time by using the
Service Control page in the System Configuration section.

Cisco Secure ACS saves the authentication configuration options you selected.

Cisco Secure ACS Certificate Setup


This section contains the following topics:
• Installing a Cisco Secure ACS Certificate, page 10-33
• Adding a Certificate Authority Certificate, page 10-36
• Editing the Certificate Trust List, page 10-38
• Generating a Certificate Signing Request, page 10-39
• Updating or Replacing a Cisco Secure ACS Certificate, page 10-40

Installing a Cisco Secure ACS Certificate


Perform this procedure to install (that is, enroll) a Cisco Secure ACS certificate.
You can perform certificate enrollment to support EAP-TLS and PEAP
authentication, as well as HTTPS protocol for GUI access to Cisco Secure ACS.
Before You Begin
You must have a server certificate for your Cisco Secure ACS before you can
install it. With Cisco Secure ACS, certificate files must be in Base64-encoded
X.509. You can use the procedure in Generating a Certificate Signing Request,
page 10-39, or any other means to obtain a certificate for installation.

To install an existing certificate for use on Cisco Secure ACS, follow these steps:

Step 1 In the navigation bar, click System Configuration.
Step 2 Click ACS Certificate Setup.
Step 3 Click Install ACS Certificate.
Cisco Secure ACS displays the Install new certificate table on the Install ACS
Certificate page.
Step 4 To install a new certificate, select the Read certificate from file option and then
click the Download certificate file link.
The Download Certificate File page appears.
Step 5 To download the certificate file to Cisco Secure ACS, in the Download File table,
follow these steps:
a. In the FTP Server box, type the IP address or hostname of the FTP server
that has the certificate file you want to download.

Tip If you specify the hostname, DNS must be working correctly on your
network.

b. In the Login box, type a valid username that Cisco Secure ACS can use to
access the FTP server.
c. In the Password box, type the password for the username you specified in the
Login box.
d. In the Remote FTP Directory box, type the relative path from the FTP server
root directory to the directory containing the certificate file you want
Cisco Secure ACS to download from the FTP server.
e. In the Remote FTP File Name box, type the name of the certificate file you
want Cisco Secure ACS to download from the FTP server.
f. Click Submit.
The system downloads the certificate file and displays the file name in Certificate
file box of the Install ACS Certificate page.

Tip If the file transfer encounters errors, they appear in the window on the
right.

Step 6 If you generated the request using Cisco Secure ACS, click the Download
private key file link.
The Download Private Key File page appears.
Step 7 To download the private key file to the Cisco Secure ACS, in the Download File
table follow these steps:
a. In the FTP Server box, type the IP address or hostname of the FTP server
that has the private key file you want to download.

Tip If you specify the hostname, DNS must be working correctly on your
network.

b. In the Login box, type a valid username that Cisco Secure ACS can use to
access the FTP server.
c. In the Password box, type the password for the username you specified in the
Login box.
d. In the Remote FTP Directory box, type the relative path from the FTP server
root directory to the directory containing the private key file you want
Cisco Secure ACS to download from the FTP server.
e. In the Remote FTP File Name box, type the name of the private key file you
want Cisco Secure ACS to download from the FTP server.
f. Click Submit.
The system downloads the private key file and displays the filename in Private
key file box of the Install ACS Certificate page.

Tip If the file transfer encounters errors, they appear in the window on the
right.

Step 8 In the Private key password box, type the private key password.

Tip If you used Cisco Secure ACS to generate the certificate signing request,
this is the value you entered in Private key password under Generate
certificate signing request (CSR). If the private key file is unencrypted,
leave this box empty.

Step 9 Click Submit.
To show that the certificate setup is complete, Cisco Secure ACS displays the
Installed Certificate Information table, which contains the following certificate
information:
• Issued to: certificate subject
• Issued by: CA common name
• Valid from:
• Valid to:
• Validity

Adding a Certificate Authority Certificate


Use this procedure to add new certification authority (CA) certificates to
Cisco Secure ACS local certificate storage.

Note If the clients and Cisco Secure ACS are getting their certificates from the same
CA, you do not need to perform this procedure because Cisco Secure ACS
automatically trusts the CA that issued its certificate.

When a user certificate is from an unknown CA (that is, one that is different from
the CA that certifies the Cisco Secure ACS), you must specifically configure
Cisco Secure ACS to trust that CA or authentication fails. Until you perform this
procedure to explicitly extend trust by adding another CA, Cisco Secure ACS
only recognizes certificates from the CA that issued its own certificate.
Configuring Cisco Secure ACS to trust a specific CA is a two-step process that
comprises both this procedure of adding a CA certificate and the procedure in
Editing the Certificate Trust List, page 10-38, where you signify that the
particular CA is to be trusted. (Cisco Secure ACS comes preconfigured with a list
of popular CAs, none of which are enabled until you explicitly signify
trustworthiness.)
To add a certificate authority certificate to your local storage, follow these steps:

Step 1 In the navigation bar, click System Configuration.
Step 2 Click ACS Certificate Setup.
Step 3 Click ACS Certification Authority Setup.
Cisco Secure ACS displays the CA Operations table on the ACS Certification
Authority Setup page.
Step 4 Click on the Download CA certificate file link.
The Download CA Certificate File page appears.
Step 5 To download the CA certificate file to the Cisco Secure ACS, in the
Download File table, follow these steps:
a. In the FTP Server box, type the IP address or hostname of the FTP server
that has the CA certificate file you want to download.
b. In the Login box, type a valid username that Cisco Secure ACS can use to
access the FTP server.
c. In the Password box, type the password for the username you specified in the
Login box.
d. In the Remote FTP Directory box, type the relative path from the FTP server
root directory to the directory containing the CA certificate file you want
Cisco Secure ACS to download from the FTP server.
e. In the Remote FTP File Name box, type the name of the CA certificate file
you want Cisco Secure ACS to download from the FTP server.
f. Click Submit.
The system downloads the CA certificate file and displays the filename in the CA
certificate box of the Install ACS Certificate page.

Tip If the file transfer encounters errors, they appear in the window on the
right.

Step 6 In the Private key password box, type the private key password.

Step 7 Click Submit.
The new CA certificate is added to local certificate storage.

Editing the Certificate Trust List


Cisco Secure ACS uses the CTL to verify the client certificates. For a CA to be
trusted by Cisco Secure ACS, its certificate must be installed, and the
Cisco Secure ACS administrator must explicitly configure the CA as trusted by
editing the CTL. If the Cisco Secure ACS server certificate is replaced, the CTL
is erased; you must configure the CTL explicitly each time you install or replace
a Cisco Secure ACS server certificate.

Note The single exception to the requirement that a CA must be explicitly signified as
trustworthy occurs when the clients and Cisco Secure ACS are getting their
certificates from the same CA. You do not need to add this CA to the CTL because
Cisco Secure ACS automatically trusts the CA that issued its certificate.

How you edit your CTL determines the type of trust model you have. Many use a
restricted trust model wherein very few, privately controlled CAs are trusted. This
model provides the highest level of security but restricts adaptability and
scalability. The alternative, an open trust model, allows for more CAs or public
CAs. This open trust model trades off increased security for greater adaptability
and scalability.
We recommend that you fully understand the implications of your trust model
before editing the CTL in Cisco Secure ACS.
Use this procedure to configure CAs on your CTL as trusted or not trusted. Before
a CA can be configured as trusted on the CTL, you must have added the CA to the
local certificate storage; for more information, see Adding a Certificate Authority
Certificate, page 10-36. If a user’s certificate is from a CA that you have not
specifically configured Cisco Secure ACS to trust, authentication fails.
To edit the CTL, follow these steps:

Step 1 In the navigation bar, click System Configuration.
Step 2 Click Cisco Secure ACS Certificate Setup.

Step 3 Click Edit Certificate Trust List.
The Edit the Certificate Trust List (CTL) table appears.

Warning Adding a public CA, which you do not control, to your CTL, may reduce your
system security.

Step 4 To configure a CA on your CTL as trusted, select the corresponding check box.

Tip You can select, or deselect, as many CAs as you want. Deselecting a CA’s
check box configures the CA as not trusted.

Step 5 Click Submit.
Cisco Secure ACS configures the specified CA (or CAs) as trusted or not trusted
in accordance with selecting or deselecting check boxes.

Generating a Certificate Signing Request


You can use Cisco Secure ACS to generate a certificate signing request (CSR).
After you generate a CSR, you can submit it to a CA to obtain your certificate.
You perform this procedure to generate the CSR for future use with a certificate
enrollment tool.

Note If you already have a server certificate, you do not need to use this portion of the
ACS Certificate Setup page.

To generate a certificate signing request, follow these steps:

Step 1 In the navigation bar, click System Configuration.
Step 2 Click ACS Certificate Setup.
Step 3 Click Generate Certificate Signing Request.
Cisco Secure ACS displays the Generate new request table on the Generate
Certificate Signing Request page.

Step 4 In the Certificate subject box, type cn= followed by the name that you would like
to use as subject name in this ACS certificate, for example, cn=ACSWireless.
Step 5 In the Private key file box, type the full directory path and name of the file in
which the private key is saved, for example, c:\privateKeyFile.pem.
Step 6 In the Private key password box, type the private key password (that you have
invented).
Step 7 In the Retype private key password box, retype the private key password.
Step 8 From the Key length list, select the length of the key to be used.

Tip The choices for Key length are 512 or 1024 bits. The default and more
secure choice is 1024 bits.

Step 9 From the Digest to sign with list, select the digest (or hashing algorithm).

Tip The choices for Digest to sign with are MD2, MD5, SHA, and SHA1. The
default is SHA1.

Step 10 Click Submit.
Cisco Secure ACS displays a CSR in the display area, on the right, under a banner
that reads: “Now your certificate signing request is ready. You can copy
and paste it into any certification authority enrollment tool.”

Tip You can copy and paste this certificate to the online enrollment tool of
any CA.

Updating or Replacing a Cisco Secure ACS Certificate


Use this procedure to update or replace an existing Cisco Secure ACS certificate
that is out-of-date or out-of-order.

Caution This procedure eliminates your existing Cisco Secure ACS certificate and erases
your Certificate Trust List configuration.

To install a new ACS certificate, follow these steps:

Step 1 In the navigation bar, click System Configuration.
Step 2 Click ACS Certificate Setup.
Cisco Secure ACS displays the Installed Certificate Information table on the ACS
Certificate Setup page.

Note If your Cisco Secure ACS has not already been enrolled with a certificate,
you do not see the Installed Certificate Information table. Rather, you see
the Install new certificate table. If this is the case, you can proceed to
Step 5.

Step 3 Click Enroll New Certificate.
A confirmation dialog box appears.
Step 4 To confirm that you intend to enroll a new certificate, click OK.
The existing Cisco Secure ACS certificate is removed and your Certificate Trust
List configuration is erased.
Step 5 You can now install the replacement certificate in the same manner as an original
certificate. For detailed steps, see Installing a Cisco Secure ACS Certificate,
page 10-33.

EAP-FAST PAC Files Generation


You can use the EAP-FAST PAC Files Generation page to create PAC files for
manual PAC provisioning.
For more information about PACs, see EAP-FAST Authentication, page 10-11.

This section contains the following topics:


• PAC File Generation Options, page 10-42
• Generating PAC Files, page 10-45

PAC File Generation Options


You have the following options when generating PAC files:
• Specific user—Cisco Secure ACS generates a PAC file for the username
typed in the User Name box. For example, if you selected this option and
typed seaniemop in the User Name box, Cisco Secure ACS would generate
a single PAC file, named seaniemop.pac.

Tip You can also specify a domain-qualified username, using the format
DOMAIN\username. For example, if you specify ENGINEERING\augustin,
Cisco Secure ACS generates a PAC file named ENGINEERING_augustin.pac.

• Users from specific ACS group—Cisco Secure ACS generates a PAC file
for each user in the user group specified by the ACS Group list. Cisco Secure
ACS has 500 groups, numbered from 0 (zero) to 499. For example, assume
group 7 has 43 users. If you selected this option and selected <Group 7> from
the ACS Group list, Cisco Secure ACS would generate 43 PAC files, one for
each user who is a member of group 7. Each PAC file is named in the
following format:

username.pac

Note Generating PAC files for users in a specific group restarts the CSAuth
service. No users are authenticated while CSAuth is unavailable.

Tip To generate PAC files for more than one group of users, generate PAC files for
each group separately. For example, to generate PAC files for users in groups 7
through 10, generate PAC files four times, once each for groups 7, 8, 9, and 10.

• All users in ACS internal DB—Cisco Secure ACS generates a PAC file for
each user in the CiscoSecure user database. For example, if you have 3278
users in the CiscoSecure user database and select this option, Cisco Secure
ACS would generate 3278 PAC files, one for each user. Each PAC file is
named in the following format:
username.pac

Note Generating PAC files for all users in the CiscoSecure user database
restarts the CSAuth service. No users are authenticated while CSAuth
is unavailable.

• Users from list—Cisco Secure ACS generates a PAC file for each username
contained in the file retrieved from the FTP server you specify.
Lists of usernames should contain one username per line with no additional
spaces or other characters.
For example, if a list retrieved from an FTP server contains the following
usernames:
seaniemop
jwiedman
echamberlain

Cisco Secure ACS generates three PAC files: seaniemop.pac, jwiedman.pac,
and echamberlain.pac.

Tip You can also specify domain-qualified usernames, using the format
DOMAIN\username. For example, if you specify ENGINEERING\augustin,
Cisco Secure ACS generates a PAC file named ENGINEERING_augustin.pac.

The options for retrieving a username list are as follows:
– FTP Server—The IP address or hostname of the FTP server where the
file specified in the User list file box is. If you specify a hostname, DNS
must be enabled on your network and must be configured correctly on the
Cisco Secure ACS Appliance console. For more information about IP
configuration of Cisco Secure ACS, see Installation and Setup Guide for
Cisco Secure ACS Appliance.
– Login—A valid username to enable Cisco Secure ACS to access the FTP
server.

Tip The Login box accepts domain-qualified usernames in the format
DOMAIN\username, which may be required if you are using a Microsoft FTP
server.

– Password—The password for the username provided in the Login box.
– Remote Directory—The directory containing the file of usernames
specified in the Users list file box. The directory must be specified
relative to the FTP root directory. For example, if the username file is in
a directory named paclist, which is a subdirectory of the FTP root
directory, you should type paclist in the Remote Directory box.

Tip To specify the FTP root directory, enter a single period or “dot”.

– Users list file—The filename of the username list. For example, if the
name of the username file is eapfastusers.txt, type eapfastusers.txt in
the Users list file box.
• Encrypt PAC file(s) with—Each PAC file is always encrypted using a
password, either the default password known to Cisco Secure ACS and the
end-user clients or a password that you specify. Encrypting PAC files helps
prevent use of stolen PAC files for access to your network by unauthorized
persons. Although the default password is a strong password, it is used by all
Cisco Secure ACSes and all EAP-FAST end-user clients.

Note We recommend that you use a password that you devise rather than
the default password.

– Default password—Cisco Secure ACS uses the default password to
protect the PAC files it generates.

Note We recommend that you use a password you devise rather than
the default password.

– This password—Cisco Secure ACS uses the password specified, rather
than the default password, to protect the PAC files it generates. The
password you specify is required when the PACs that Cisco Secure ACS
protects are loaded into an EAP-FAST end-user client.
PAC passwords are alphanumeric, between four and 128 characters long,
and case sensitive. While Cisco Secure ACS does not enforce strong
password rules, we recommend that you use a strong password, that is,
your PAC password should:
– Be very long.
– Contain uppercase and lowercase letters.
– Contain numbers in addition to letters.
– Contain no common words or names.
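Before uploading a username list for the Users from list option, it is worth validating the file format and predicting the PAC file names ACS will produce, and checking a candidate PAC password against the rules above. This Python example is added here and is not Cisco Secure ACS code; the tolerance for blank lines, the 12-character "very long" threshold, and the short common-word list are constructed assumptions.

```python
import re
from typing import List, Tuple

# Constructed example (not Cisco Secure ACS code) for the EAP-FAST PAC Files Generation
# page: validate a "Users from list" file, derive PAC file names, check a PAC password.

_USERNAME_LINE = re.compile(r"^\S+$")   # one username per line, no spaces or other whitespace


def parse_user_list(text: str) -> List[str]:
    """Return the usernames in a list file; reject any line that carries whitespace."""
    users: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line == "":
            continue   # assumption: blank lines are tolerated; the page only requires one name per line
        if not _USERNAME_LINE.match(line):
            raise ValueError(f"line {lineno}: username contains whitespace: {line!r}")
        users.append(line)
    return users


def pac_file_name(username: str) -> str:
    """seaniemop -> seaniemop.pac; ENGINEERING\\augustin -> ENGINEERING_augustin.pac"""
    return username.replace("\\", "_") + ".pac"


def pac_file_names(text: str) -> List[str]:
    """File names ACS would produce for every username in a list file."""
    return [pac_file_name(u) for u in parse_user_list(text)]


# Rules ACS enforces: alphanumeric, 4 to 128 characters, case sensitive.
_PAC_PASSWORD = re.compile(r"^[A-Za-z0-9]{4,128}$")
# Recommendations from the page; thresholds and word list are constructed assumptions.
MIN_RECOMMENDED_LENGTH = 12
_COMMON_WORDS = ("password", "cisco", "admin", "secret")


def check_pac_password(password: str) -> Tuple[bool, List[str]]:
    """Return (accepted_by_acs, strength_warnings). Only the first rule is enforced by ACS."""
    if not _PAC_PASSWORD.match(password):
        return False, ["must be 4 to 128 alphanumeric characters"]
    warnings: List[str] = []
    if len(password) < MIN_RECOMMENDED_LENGTH:
        warnings.append("short; use a longer password")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        warnings.append("mix uppercase and lowercase letters")
    if not any(c.isdigit() for c in password):
        warnings.append("add numbers")
    lowered = password.lower()
    if any(word in lowered for word in _COMMON_WORDS):
        warnings.append("contains a common word")
    return True, warnings
```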

Generating PAC Files


Each time you instruct Cisco Secure ACS to generate PAC files, Cisco Secure
ACS produces a single cabinet file named PACFiles.cab that you download to a
location available to the browser you use to access the HTML interface. Use the
file compression utility of your choice to extract the .pac files from the
PACFiles.cab file. For example, WinZip can extract files from cabinet files.

Before You Begin


Cisco Secure ACS allows you to generate PAC files only if EAP-FAST is
enabled. For information about enabling EAP-FAST, see Enabling EAP-FAST,
page 10-23.
Determine which users you want to generate PAC files for. If you want to specify
the users in a text file, create the text file and place it in a directory under the FTP
root directory on an FTP server accessible from Cisco Secure ACS Appliance.
For information about using a username list, see PAC File Generation Options,
page 10-42.
For information about the options on the EAP-FAST PAC Generation page, see
PAC File Generation Options, page 10-42.

To generate PAC files, follow these steps:

Step 1 In the navigation bar, click System Configuration.
Step 2 Click EAP-FAST PAC Files Generation.
Cisco Secure ACS displays the EAP-FAST PAC Files Generation page.
Step 3 Use one of the four options to specify which users Cisco Secure ACS should
generate PAC files for. For more information about the significance of the
options, see PAC File Generation Options, page 10-42.

Note If you choose to generate PAC files for all users in the CiscoSecure user
database or for the users in a specific group, the CSAuth service restarts. No user
authentication occurs while CSAuth is unavailable.

Step 4 Click Submit.


Cisco Secure ACS begins generating PAC files for the user or users specified. If
you use the Users from list option, Cisco Secure ACS first retrieves the list from
the FTP server specified.
On the EAP-FAST PAC Files Generation page, Cisco Secure ACS displays a
“Current PAC CAB file generation status” message.
Step 5 If the “Current PAC CAB file generation status” display is:
CAB file generation is in progress

click Refresh occasionally until the “Current PAC CAB file generation status”
display is:
CAB file is ready. Press ’Download’ to retrieve the file.

Depending upon how many users you specified, Cisco Secure ACS requires from
a few seconds to a few minutes to generate PAC files.
Step 6 When the “Current PAC CAB file generation status” display is
CAB file is ready. Press ’Download’ to retrieve the file.

click Download.


Note The file download options provided by your web browser may differ;
however, the fundamental process should be similar to these steps.

The File Download dialog box appears.


Step 7 On the File Download dialog box, click Save.
The Save As dialog box appears.
Step 8 Use the Save As dialog box to specify where and with what filename you want to
save the PACFiles.cab file. Then click Save.
Cisco Secure ACS sends the PACFiles.cab file to your web browser, which saves
the file where you specified. When the download is complete, a Download
Complete dialog box appears.
Step 9 Make note of the location of the PACFiles.cab file, and then click Close.
Step 10 You can use the file compression utility of your choice to extract the PAC files
from the PACFiles.cab file.

Chapter 11
Logs and Reports

Cisco Secure ACS Appliance produces a variety of logs and provides a way to
view most of these logs in the Cisco Secure ACS HTML interface as HTML
reports.
This chapter contains the following topics:
• Logging Formats, page 11-1
• Special Logging Attributes, page 11-2
• Update Packets in Accounting Logs, page 11-3
• About Cisco Secure ACS Logs and Reports, page 11-4
• Working with CSV Logs, page 11-13
• Remote Logging, page 11-17
• Service Logs, page 11-25

Logging Formats
Cisco Secure ACS logs a variety of user and system activities. Regardless of the
content, a Cisco Secure ACS Appliance writes all logs in comma-separated (CSV)
files. The CSV format records data in columns separated by commas.
Files in a CSV format are easily imported into a variety of third-party
applications, such as Microsoft Excel or Microsoft Access. After data from a CSV
file is imported into such applications, you can prepare charts or perform queries,
such as determining how many hours a user was logged in to the network during
a given period. For information about how to use a CSV file in a third-party
application such as Microsoft Excel, please see the documentation supplied by the
third-party vendor.
You can access the CSV files by downloading the CSV file from the HTML
interface. For more information about downloading the CSV file from the HTML
interface, see Viewing a CSV Report, page 11-14.

Special Logging Attributes


Among the many attributes that Cisco Secure ACS can record in its logs, a few
are of special importance. The following list explains the special logging
attributes provided by Cisco Secure ACS.
• User Attributes—These logging attributes appear in the Attributes list for
any log configuration page. Cisco Secure ACS lists them using their default
names: Real Name, Description, User Field 3, User Field 4, and User Field 5.
If you change the name of a user-defined attribute, the default name rather
than the new name still appears in the Attributes list.
The content of these attributes is determined by the values entered in the
corresponding fields in the user account. For more information about user
attributes, see User Data Configuration Options, page 3-3.
• ExtDB Info—If the user is authenticated with an external user database, this
attribute contains a value returned by the database. In the case of a Windows
user database, this attribute contains the name of the domain that
authenticated the user.
In entries in the Failed Attempts log, this attribute contains the database that
last successfully authenticated the user. It does not list the database that failed
the user authentication attempt.
• Access Device—The name of the AAA client sending the logging data to
Cisco Secure ACS.
• Network Device Group—The network device group to which the access
device (AAA client) belongs.
• Filter Information—The result of network access restrictions (NARs)
applied to the user, if any. The message in this field indicates whether all
applicable NARs permitted the user access, all applicable NARs denied the
user access, or more specific information about which NAR denied the user
access. If no NARs apply to the user, this logging attribute notes that no
NARs were applied.
The Filter Information attribute is available for Passed Authentication and
Failed Attempts logs.
• Device Command Set—The name of the device command set, if any, that
was used to satisfy a command authorization request.
The Device Command Set attribute is available for Failed Attempts logs.
• Remote Logging Result—Whether a forwarded accounting packet is
successfully processed by a remote logging service. This attribute is useful
for determining which accounting packets, if any, may not have been logged
by a central logging service. It is dependent upon the receipt of an
acknowledgment message from the remote logging service. The
acknowledgment message indicates that the remote logging service properly
processed the accounting packet in the manner that the remote logging
service is configured to do. A value of Remote-logging-successful
indicates that the remote logging service successfully processed the
accounting packet. A value of Remote-logging-failed indicates that the
remote logging service did not process the accounting packet successfully.

Note Cisco Secure ACS cannot determine how a remote logging service is
configured to process accounting packets that it is forwarded. For
example, if a remote logging service is configured to discard
accounting packets, it discards a forwarded accounting packet and
responds to Cisco Secure ACS with an acknowledgment message,
causing Cisco Secure ACS to write a value of
Remote-logging-successful in the Remote Logging Result attribute
in the local log that records the account packet.
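As an added example (not part of the guide or of Cisco Secure ACS), the following Python script reads a constructed RADIUS Accounting CSV log of the kind described under Logging Formats, totals each user's logged-in hours for a given day, lists sessions that have a Start record but no Stop, and picks out the records whose Remote Logging Result is Remote-logging-failed. The column layout and all sample rows are assumptions; a real log contains whatever attributes the administrator placed in the Logged Attributes list.

```python
"""Work with a Cisco Secure ACS-style accounting CSV log offline.

Two questions from the chapter are answered here: how many hours each user was
logged in during a period, and which forwarded accounting packets the central
remote logging service may have missed (Remote Logging Result attribute).
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of a RADIUS Accounting CSV log. The column set is an
# assumption: a real log carries whatever the administrator put in the
# Logged Attributes list. "Remote Logging Result" and its two values are the
# ones the guide documents; the Acct-* names are standard RADIUS attributes.
SAMPLE_CSV = """\
Date,Time,User-Name,Group-Name,Acct-Status-Type,Acct-Session-Id,Acct-Session-Time,Access Device,Remote Logging Result
2002-10-13,08:02:11,alice,Default Group,Start,0000A1,,nas-01,Remote-logging-successful
2002-10-13,09:47:30,alice,Default Group,Stop,0000A1,6319,nas-01,Remote-logging-successful
2002-10-13,09:50:02,bob,Engineering,Start,0000B7,,nas-02,Remote-logging-failed
2002-10-13,10:15:44,bob,Engineering,Stop,0000B7,1542,nas-02,Remote-logging-successful
2002-10-13,11:00:00,carol,Default Group,Start,0000C3,,nas-01,Remote-logging-successful
2002-10-13,12:00:00,dave,Engineering,Start,0000D9,,nas-02,Remote-logging-successful
2002-10-13,12:30:00,dave,Engineering,Stop,0000D9,,nas-02,Remote-logging-successful
2002-10-13,23:30:00,erin,Default Group,Start,0000E5,,nas-01,Remote-logging-successful
2002-10-14,00:10:00,erin,Default Group,Stop,0000E5,2400,nas-01,Remote-logging-successful
"""

DATE_FMT = "%Y-%m-%d"
STAMP_FMT = "%Y-%m-%d %H:%M:%S"


def parse_log(text):
    """Return the CSV log as a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def _stamp(row):
    """Combine the Date and Time columns into one datetime."""
    return datetime.strptime(row["Date"] + " " + row["Time"], STAMP_FMT)


def session_hours(rows, period_start, period_end):
    """Hours on the network per user, for sessions whose Stop record falls in
    [period_start, period_end) (ISO dates, end exclusive).

    Duration comes from Acct-Session-Time on the Stop packet; when that column
    is empty it falls back to Stop minus Start timestamps. Sessions with a
    Start but no Stop cannot be counted and are returned separately; these are
    the entries that keep appearing in the Logged-in Users report when a AAA
    client never sent an accounting stop packet.
    """
    lo = datetime.strptime(period_start, DATE_FMT)
    hi = datetime.strptime(period_end, DATE_FMT)
    open_starts = {}               # Acct-Session-Id -> Start row
    hours = defaultdict(float)
    for row in rows:
        sid = row["Acct-Session-Id"]
        kind = row["Acct-Status-Type"]
        if kind == "Start":
            open_starts[sid] = row
            continue
        if kind != "Stop":
            continue               # update packets carry no final duration
        started = open_starts.pop(sid, None)
        stopped = _stamp(row)
        if not lo <= stopped < hi:
            continue
        if row["Acct-Session-Time"]:
            seconds = int(row["Acct-Session-Time"])
        elif started is not None:
            seconds = (stopped - _stamp(started)).total_seconds()
        else:
            continue               # Stop with no duration and no Start: unusable
        hours[row["User-Name"]] += seconds / 3600.0
    unterminated = [(r["User-Name"], r["Acct-Session-Id"]) for r in open_starts.values()]
    return dict(hours), unterminated


def remote_logging_failures(rows):
    """Rows the central logging server may lack: Remote Logging Result is
    Remote-logging-failed. A successful value only means the remote agent
    acknowledged the packet; the guide notes ACS cannot tell what the agent
    then did with it, so this check finds missing packets, not kept ones."""
    return [r for r in rows if r.get("Remote Logging Result") == "Remote-logging-failed"]


if __name__ == "__main__":
    log = parse_log(SAMPLE_CSV)
    per_user, still_open = session_hours(log, "2002-10-13", "2002-10-14")
    for user, hrs in sorted(per_user.items()):
        print(f"{user:8s} {hrs:6.2f} h")
    print("sessions without a Stop:", still_open)
    for r in remote_logging_failures(log):
        print("not centrally logged:", r["User-Name"], r["Acct-Status-Type"], r["Acct-Session-Id"])
```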

Update Packets in Accounting Logs


Whenever you configure Cisco Secure ACS to record accounting data for user
sessions, Cisco Secure ACS records start and stop packets. If you want, you can
configure Cisco Secure ACS to record update packets, too. In addition to
providing interim accounting information during a user session, update packets
drive password expiry messages via CiscoSecure Authentication Agent. In this
use, the update packets are referred to as watchdog packets.

Note To record update packets in Cisco Secure ACS accounting logs, you must
configure your AAA clients to send the update packets. For more information
about configuring your AAA client to send update packets, refer to the
documentation for your AAA clients.

• Logging Update Packets Locally—To log update packets according to local
Cisco Secure ACS logging configuration, enable the Log Update/Watchdog
Packets from this Access Server option for each AAA client in Network
Configuration.
For more information on setting this option for a AAA client, see Adding a
AAA Client, page 4-17.
• Logging Update Packets Remotely—To log update packets on a remote
logging server, enable the Log Update/Watchdog Packets from this remote
AAA Server option for the remote server AAA Server table entry on the local
Cisco Secure ACS.
For more information on setting this option for a AAA server, see Adding a
AAA Server, page 4-25.

About Cisco Secure ACS Logs and Reports


The logs that Cisco Secure ACS provides can be divided into four types:
• Accounting logs
• Dynamic Cisco Secure ACS administration reports
• Cisco Secure ACS system logs
• Service logs
This section contains information about the first three types of logs. For
information about service logs, see Service Logs, page 11-25.


This section contains the following topics:
• Accounting Logs, page 11-5
• Dynamic Administration Reports, page 11-7
• Cisco Secure ACS System Logs, page 11-12

Accounting Logs
Accounting logs contain information about the use of remote access services by
users. They are available in CSV format. Table 11-1 contains descriptions of all
accounting logs.
In the HTML interface, all accounting logs can be enabled, configured, and
viewed. Table 11-2 contains information about what you can do in the
Cisco Secure ACS HTML interface regarding accounting logs.

Table 11-1 Accounting Log Descriptions

TACACS+ Accounting
    Contains the following information:
    • User session stop and start times
    • AAA client messages with username
    • Caller line identification (CLID) information
    • Session duration

TACACS+ Administration
    Lists configuration commands entered on a AAA client using TACACS+
    (Cisco IOS). Particularly if you use Cisco Secure ACS to perform command
    authorization, we recommend that you use this log.
    Note To use the TACACS+ Administration log, you must configure TACACS+
    AAA clients to perform command accounting with Cisco Secure ACS.

RADIUS Accounting
    Contains the following information:
    • User session stop and start times
    • AAA client messages with username
    • CLID information
    • Session duration
    You can configure Cisco Secure ACS to include accounting for
    Voice-over-IP (VoIP) in the RADIUS Accounting log, in a separate VoIP
    accounting log, or in both places.

VoIP Accounting
    Contains the following information:
    • VoIP session stop and start times
    • AAA client messages with username
    • CLID information
    • VoIP session duration
    You can configure Cisco Secure ACS to include accounting for VoIP in
    this separate VoIP accounting log, in the RADIUS Accounting log, or in
    both places.

Failed Attempts
    Lists authentication and authorization failures with an indication of
    the cause.

Passed Authentications
    Lists successful authentication requests. This log is not dependent upon
    accounting packets from your AAA clients, so it is available even if
    your AAA clients do not support RADIUS accounting or if you have
    disabled accounting on your AAA clients.

Table 11-2 What You Can Do with Accounting Logs

Enable an accounting log
    For instructions, see Enabling or Disabling a CSV Log, page 11-13.

View an accounting report
    For instructions, see Viewing a CSV Report, page 11-14.

Configure an accounting log
    For instructions, see Configuring a CSV Log, page 11-15.

Dynamic Administration Reports


These reports show the status of user accounts at the moment you access them in
the Cisco Secure ACS HTML interface. They are available only in the HTML
interface, are always enabled, and require no configuration.
Table 11-3 contains descriptions of all dynamic administration reports and
information about what you can do regarding dynamic administration reports.


Table 11-3 Dynamic Administration Report Descriptions and Related Topics

Logged-In Users
    Lists all users receiving services for a single AAA client or all AAA
    clients. Users accessing the network with Cisco Aironet equipment appear
    on the list for the access point that they are currently associated with,
    provided that the firmware image on the Cisco Aironet Access Point
    supports sending the RADIUS Service-Type attribute for rekey
    authentications.
    On a computer configured to perform machine authentication, machine
    authentication occurs when the computer starts. When a computer is
    started and before a user logs in on that computer, the computer appears
    on the Logged-In Users List in the Reports and Activity section. Once
    user authentication begins, the computer no longer appears on the
    Logged-In Users List. For more information about machine authentication,
    see EAP and Windows Authentication, page 13-12.
    Note To use the logged-in user list feature, you must configure the AAA
    client to perform authentication and accounting using the same
    protocol—either TACACS+ or RADIUS.
    For instructions on viewing the Logged-in Users report in the HTML
    interface, see Viewing the Logged-in Users Report, page 11-9.
    For instructions about deleting logged-in users from specific AAA clients
    or from all AAA clients, see Deleting Logged-in Users, page 11-10.

Disabled Accounts
    Lists all user accounts that are currently disabled and the reason they
    were disabled.
    For instructions on viewing the Disabled Accounts report in the HTML
    interface, see Viewing the Disabled Accounts Report, page 11-11.

Appliance Status
    Lists statistics about resource utilization on the Cisco Secure ACS
    Appliance and provides details about IP configuration, including the MAC
    address for the network interface card.


Viewing the Logged-in Users Report


To view the Logged-in Users report, follow these steps:

Step 1 In the navigation bar, click Reports and Activity.


Step 2 Click Logged-in Users.
The Select a AAA Client page displays the name of each AAA client, its IP
address, and the number of users logged in through the AAA client. At the bottom
of the table, the All AAA Clients entry shows the total number of users logged in.

Tip You can sort the table by any column’s entries, in either ascending or
descending order. Click a column title once to sort the table by the entries
in that column in ascending order. Click the column a second time to sort
the table by the entries in that column in descending order.

Step 3 Do one of the following:


• To see a list of all users logged in, click All AAA Clients.
• To see a list of users logged in through a particular AAA client, click the
name of the AAA client.
Cisco Secure ACS displays a table of users logged in, including the following
information:
• Date and Time
• User
• Group
• Assigned IP
• Port
• Source AAA Client


Tip You can sort the table by the entries in any column, in either ascending or
descending order. Click a column title once to sort the table by the entries
in that column, in ascending order. Click the column a second time to sort
the table by the entries in that column in descending order.

Deleting Logged-in Users


From a Logged-in Users Report, you can instruct Cisco Secure ACS to delete
users logged into a specific AAA client. When a user session terminates without
a AAA client sending an accounting stop packet to Cisco Secure ACS, the
Logged-in Users Report continues to show the user. Deleting logged-in users
from a AAA client ends the accounting for those user sessions.

Note Deleting logged-in users only ends the Cisco Secure ACS accounting record of
users logged in to a particular AAA client. It does not terminate active user
sessions, nor does it affect user records.

To delete logged-in users, follow these steps:

Step 1 In the navigation bar, click Reports and Activity.


Step 2 Click Logged-in Users.
The Select a AAA Client page displays the name of each AAA client, its IP
address, and the number of users logged in through the AAA client. At the bottom
of the table, the All AAA Clients entry shows the total number of users logged in.
Step 3 Click the name of the AAA client whose users you want to delete from the
Logged-in Users report.
Cisco Secure ACS displays a table of all users logged in through the AAA client.
The Purge Logged in Users button appears below the table.


Step 4 Click Purge Logged in Users.
Cisco Secure ACS displays a message, indicating the number of users purged
from the report and the IP address of the AAA client.

Viewing the Disabled Accounts Report


To view the Disabled Accounts report, follow these steps:

Step 1 In the navigation bar, click Reports and Activity.


Step 2 Click Disabled Accounts.
The Select a user account to edit page displays disabled user accounts, the account
status, and the group to which the user account is assigned.
Step 3 To edit a user account listed, in the User column, click the username.
Cisco Secure ACS opens the user account for editing.
For more information about editing a user account, see Basic User Setup Options,
page 7-2.

Viewing the Appliance Status Report


To view the Appliance Status report, follow these steps:

Step 1 In the navigation bar, click Reports and Activity.


Step 2 Click Appliance Status.
Cisco Secure ACS displays information about resource utilization on the
Cisco Secure ACS Appliance. Also displayed is information about the IP
configuration for the Cisco Secure ACS Appliance and the MAC address of its
network interface card.


Tip Click Refresh to update the information displayed on the Appliance
Status report page.

Cisco Secure ACS System Logs


The system logs are logs about the Cisco Secure ACS system and therefore record
system-related events. These logs are useful for troubleshooting or audits. They
are always enabled and are available in CSV format. For information about each
system log, see Table 11-4.
For instructions on viewing a CSV report in the HTML interface, see Viewing a
CSV Report, page 11-14.

Table 11-4 System Log Descriptions and Related Topics

ACS Backup and Restore
    Lists Cisco Secure ACS backup and restore activity. This log cannot be
    configured.

RDBMS Synchronization
    Lists RDBMS Synchronization activity. This log cannot be configured.

Database Replication
    Lists database replication activity. This log cannot be configured.

Administration Audit
    Lists actions taken by each system administrator, such as adding users,
    editing groups, configuring a AAA client, or viewing reports.

User Password Changes
    Lists user password changes initiated by users, regardless of which
    password change mechanism was used to change the password. Thus, this log
    contains records of password changes accomplished by the CiscoSecure
    Authentication Agent, by the User Changeable Password HTML interface, or
    by Telnet session on a network device using TACACS+. It does not list
    password changes made by an administrator in the Cisco Secure ACS HTML
    interface.

ACS Service Monitoring
    Lists when Cisco Secure ACS services start and stop.

Appliance Administration Audit
    Lists administrator activity on the serial console, including logins,
    logouts, and commands executed.


Working with CSV Logs


This section contains the following topics:
• CSV Log Size and Retention, page 11-13
• Enabling or Disabling a CSV Log, page 11-13
• Viewing a CSV Report, page 11-14
• Configuring a CSV Log, page 11-15

CSV Log Size and Retention


For each CSV log, Cisco Secure ACS writes a separate log file. When a log file
reaches 10 MB in size, Cisco Secure ACS starts a new log file. Cisco Secure ACS
retains the most recent 7 log files for each CSV log.

Enabling or Disabling a CSV Log


This procedure describes how to enable or disable a CSV log. For instructions
about configuring the content of a CSV log, see Configuring a CSV Log,
page 11-15.

Note Some CSV logs are always enabled. For information about specific logs,
including whether you can disable them, see About Cisco Secure ACS Logs and
Reports, page 11-4.

To enable or disable a CSV log, follow these steps:

Step 1 In the navigation bar, click System Configuration.


Step 2 Click Logging.
Step 3 Click the name of the CSV log you want to enable or disable.
The CSV log Comma-Separated Values File Configuration page appears, where
log is the name of the CSV log you selected.


Step 4 To enable the log, under Enable Logging, select the Log to CSV log report check
box, where log is the name of the CSV log you selected in Step 3.
Step 5 To disable the log, under Enable Logging, clear the Log to CSV log report check
box, where log is the name of the CSV log you selected in Step 3.
Step 6 Click Submit.
If you enabled the log, Cisco Secure ACS begins logging information for the log
selected. If you disabled the log, Cisco Secure ACS stops logging information for
the log selected.

Viewing a CSV Report


When you select Logged-in Users or Disabled Accounts, a list of logged-in users
or disabled accounts appears in the display area, which is the frame on the right
side of the web browser. For all other types of reports, a list of applicable reports
appears. Files are listed in chronological order, with the most recent file at the top
of the list. The reports are named and listed by the date on which they were
created; for example, a report ending with 2002-10-13.csv was created on
October 13, 2002.
Files in CSV format can be imported into spreadsheets using most popular
spreadsheet application software. Refer to your spreadsheet software
documentation for instructions. You can also use a third-party reporting tool to
manage report data. For example, aaa-reports! by Extraxi supports Cisco Secure
ACS (http://www.extraxi.com).
You can download the CSV file for any CSV report you view in Cisco Secure
ACS. The procedure below includes steps for doing so.
To view a CSV report, follow these steps:

Step 1 In the navigation bar, click Reports and Activity.


Step 2 Click the name of the CSV report you want to view.
On the right side of the browser, Cisco Secure ACS lists the current CSV report
filename and the filenames of any old CSV report files.


Tip You can configure how Cisco Secure ACS handles old CSV report files.
For more information, see Configuring a CSV Log, page 11-15.

Step 3 Click the CSV report filename whose contents you want to view.
If the CSV report file contains information, the information appears in the display
area.

Tip You can sort the table by the entries in any column, in either ascending or
descending order. Click a column title once to sort the table by that
column’s entries in ascending order. Click the column a second time to
sort the table by the entries in that column in descending order.

Tip To check for newer information in the current CSV report, click Refresh.

Step 4 If you want to download the CSV log file for the report you are viewing, follow
these steps:
a. Click Download.
Your browser displays a dialog box for accepting and saving the CSV file.
b. Choose a location to save the CSV file and save the file.

Configuring a CSV Log


This procedure describes how to configure the data attributes that make up the
content of a CSV log. For instructions about enabling or disabling a CSV log, see
Enabling or Disabling a CSV Log, page 11-13.
The logs to which this procedure applies are:
• TACACS+ Accounting
• TACACS+ Administration
• RADIUS Accounting


• VoIP Accounting
• Failed Attempts
• Passed Authentications

Note The ACS Backup and Restore, RDBMS Synchronization, and Database
Replication CSV logs cannot be configured.

To configure a CSV log, follow these steps:

Step 1 In the navigation bar, click System Configuration.


Step 2 Click Logging.
Step 3 Click the name of the CSV log you want to configure.
The CSV log Comma-Separated Values File Configuration page appears, where
log is the name of the CSV log you selected.
The Select Columns To Log table contains two lists, Attributes and Logged
Attributes. The attributes in the Logged Attributes list appear on the log selected.
Step 4 To add an attribute to the log, select the attribute in the Attributes list, and then
click --> (right arrow button).
The attribute moves to the Logged Attributes list.

Tip Use the vertical scroll bar to find attributes not visible in the list box.

Step 5 To remove an attribute from the log, select the attribute in the Logged Attributes
list, then click <-- (left arrow button).
The attribute moves to the Attributes list.

Tip Use the vertical scroll bar to find attributes not visible in the list.


Step 6 To set the attributes in the Logged Attributes list back to the default selections, at
the bottom of the browser window, click Reset Columns.
Step 7 Click Submit.
Cisco Secure ACS implements the CSV log configuration that you specified.

Remote Logging
This section discusses remote logging capabilities of Cisco Secure ACS.
This section contains the following topics:
• About Remote Logging, page 11-17
• Implementing Centralized Remote Logging, page 11-18
• Local Configuration of Remote Logging, page 11-19
• Remote Agent Logging Configuration, page 11-22

About Remote Logging


The Remote Logging feature enables Cisco Secure ACS to send accounting data
received from AAA clients to a Cisco Secure ACS Remote Agent. The remote
agent runs on a computer on your network. It writes the accounting data sent to it
by Cisco Secure ACS into CSV files. You can configure many Cisco Secure ACS
Appliances to point to a single remote agent, thus making the computer that runs
the remote agent a central logging server. For more information about
Cisco Secure ACS accounting logs, see Accounting Logs, page 11-5. For more
information about installing and configuring a Cisco Secure ACS Remote Agent,
see Installation and Configuration Guide for Cisco Secure ACS Remote Agent.

Note The Remote Logging feature does not affect the forwarding of accounting data for
proxied authentication requests. Cisco Secure ACS only applies Remote Logging
settings to accounting data for sessions authenticated by proxy when accounting


data for sessions authenticated by proxy is logged locally. For more information
about proxied authentication requests and accounting data for sessions
authenticated by proxy, see Proxy Distribution Table Configuration, page 4-41.

The Remote Logging Setup page, available from the Logging Configuration page
in the System Configuration section, is where you configure Cisco Secure ACS to
perform remote logging of accounting data. You can specify that accounting data
is sent to a single remote agent or that it is sent to many remote agents. For
more information about enabling remote logging, see Local Configuration of
Remote Logging, page 11-19.
Regardless of how many Cisco Secure ACSes send their accounting data to the
central logging server, the remote agent receives its configuration from a single
Cisco Secure ACS Appliance. That Cisco Secure ACS is the configuration
provider for the remote agent. In the HTML interface of the configuration
provider Cisco Secure ACS, you determine the remote agent configuration. By
using the links found under Remote Agent Logging Configuration on the Logging
Configuration page, you determine what logs the remote agent keeps, what data
is recorded for each log kept, and how the remote agent manages the log files. For
more information about configuring remote agent logging, see Remote Agent
Logging Configuration, page 11-22.

Implementing Centralized Remote Logging


To implement centralized remote logging, follow these steps:

Step 1 Install and configure a Cisco Secure ACS Remote Agent on a computer that you
want to use to store centralized logging data. For more information about
installing and configuring a Cisco Secure ACS Remote Agent, see Installation
and Configuration Guide for Cisco Secure ACS Remote Agent.
Step 2 On each Cisco Secure ACS Appliance, add the remote agent. For more
information, see Remote Agent Configuration, page 4-29.
Step 3 On each Cisco Secure ACS Appliance, enable remote logging. For more
information, see Local Configuration of Remote Logging, page 11-19.
Step 4 On the Cisco Secure ACS Appliance that the remote agent is configured to use as
its configuration provider, configure remote agent logging. For more information,
see Remote Agent Logging Configuration, page 11-22.


Step 5 If you want to create another central logging server, for use either as a secondary
server or as a mirror server, perform Step 1 through Step 4 for the additional
server.

Local Configuration of Remote Logging


Local configuration of remote logging consists of enabling the Cisco Secure ACS
Appliance to send accounting data to remote agents and specifying which remote
agents the accounting data is to be sent to.
Local configuration of remote logging is performed on the Remote Logging Setup
page, accessed by the Remote Logging link, which is under Local Logging
Configuration on the Logging Configuration page.

Note Local configuration of remote logging does not affect the types of logs sent to
remote agents or the configuration of the data included in logs sent to remote
agents. For information about configuring which logs are sent to remote agents
and the data the logs contain, see Remote Agent Logging Configuration,
page 11-22.

Remote Logging Options


Cisco Secure ACS provides the remote logging options listed below. These
options appear on the Remote Logging Setup page.
• Do not log Remotely—When selected, this option limits Cisco Secure ACS
to writing accounting data for locally authenticated sessions only to the local
logs that are enabled.
• Log to all selected remote log services—When selected, this option enables
Cisco Secure ACS to send accounting data for locally authenticated sessions
to all remote agents in the Selected Log Services list.
• Log to subsequent remote log services on failure—When selected, this
option enables Cisco Secure ACS to send accounting data for locally
authenticated sessions to the first remote agent in the Selected Log Services
list that is available to provide logging services. This enables you to configure
one or more backup central logging servers so that no accounting data is lost
if the first central logging server fails or is otherwise unavailable to
Cisco Secure ACS.
• Remote Log Services—The remote agents configured in the Remote Agents
table in Network Configuration to which Cisco Secure ACS does not send
accounting data for locally authenticated sessions.
• Selected Log Services—The remote agents configured in the Remote Agents
table in Network Configuration to which Cisco Secure ACS does send
accounting data for locally authenticated sessions.

Enabling and Configuring Remote Logging


Before You Begin
Make sure that you have configured your central logging server. For more
information, see Implementing Centralized Remote Logging, page 11-18.
To enable and configure remote logging, follow these steps:

Step 1 To enable remote logging, follow these steps:
a. Click Interface Configuration.
b. Click Advanced Options.
c. Select the Remote Logging check box.
d. Click Submit.
Cisco Secure ACS displays the Remote Logging link on the Logging page in
the System Configuration section.
Step 2 Click System Configuration.
Step 3 Click Logging.
The Logging Configuration page appears.
Step 4 Under Local Logging Configuration, click Remote Logging.
Step 5 Select the applicable remote logging option:
a. To send the accounting information for this Cisco Secure ACS to every
remote agent in the Selected Log Services list, select the Log to all
selected remote log services option.
b. To send the accounting information for this Cisco Secure ACS to only one
remote agent at a time, starting with the first agent in the Selected Log
Services list and moving to the next agent only when the current one is
unavailable, select the Log to subsequent remote log services on failure
option.

Note Use the “Log to subsequent remote log services on failure” option
when you want to configure Cisco Secure ACS to send accounting
data to a second remote agent only if the first remote agent fails.

Step 6 For each remote agent you want to have in the Selected Log Services list, follow
these steps:
a. In the Remote Log Services list, select the name of a remote agent to which
you want to send accounting data for locally authenticated sessions.

Note The remote agents available in the Remote Log Services list are
determined by the Remote Agents table in Network Configuration.
For more information about the Remote Agents table, see Remote
Agent Configuration, page 4-29.

b. Click --> (right arrow button) to move the selected remote agent to the
Selected Log Services list.
Step 7 To assign an order to the remote agents in the Selected Log Services list, click Up
and Down to move selected remote agents until you have created the order you
need.

Note If the “Log to subsequent remote log services on failure” option is
selected, Cisco Secure ACS logs to the first accessible remote agent in the
Selected Log Services list.

Step 8 Click Submit.


Cisco Secure ACS saves and implements the remote logging configuration you
specified.
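The three Remote Logging Setup options, and the ordering you set in Step 7, can be checked against a small model. The following is an added example written for this page, not code from the Cisco Secure ACS product or its documentation: the RemoteAgent class, the agent names and the accounting record are constructed stand-ins, and an agent's `available` flag models whether it answers.

```python
"""Added example (not from the Cisco Secure ACS documentation or product):
how the three Remote Logging Setup options distribute one accounting record
over the ordered Selected Log Services list."""

from dataclasses import dataclass, field
from typing import List

# The option labels as they appear on the Remote Logging Setup page.
DO_NOT_LOG_REMOTELY = "Do not log Remotely"
LOG_TO_ALL = "Log to all selected remote log services"
LOG_TO_SUBSEQUENT_ON_FAILURE = "Log to subsequent remote log services on failure"


@dataclass
class RemoteAgent:
    """Constructed stand-in for an entry in the Remote Agents table."""
    name: str
    available: bool = True                        # False models an unreachable agent
    received: List[str] = field(default_factory=list)

    def send(self, record: str) -> bool:
        """Deliver one accounting record; report whether the agent took it."""
        if not self.available:
            return False
        self.received.append(record)
        return True


def dispatch(option: str, selected: List[RemoteAgent], record: str) -> List[str]:
    """Return the names of the agents that stored `record` under `option`.

    `selected` is in the Up/Down order of the Selected Log Services list;
    the order only matters for the failover option.
    """
    if option == DO_NOT_LOG_REMOTELY:
        return []                                 # local logs only
    if option == LOG_TO_ALL:
        # Every reachable agent gets a copy; an unreachable one simply misses it.
        return [agent.name for agent in selected if agent.send(record)]
    if option == LOG_TO_SUBSEQUENT_ON_FAILURE:
        for agent in selected:                    # first accessible agent wins
            if agent.send(record):
                return [agent.name]
        return []                                 # every agent down: not logged remotely
    raise ValueError(f"unknown remote logging option: {option!r}")


def demo() -> dict:
    """Primary central logging server down, mirror and backup up (constructed)."""
    record = "2003-07-13 10:15:02,jdoe,Group 1,10.1.1.5,Start"   # constructed CSV line
    agents = [RemoteAgent("central-log-1", available=False),
              RemoteAgent("central-log-2"),
              RemoteAgent("central-log-3")]
    return {
        "all": dispatch(LOG_TO_ALL, agents, record),
        "failover": dispatch(LOG_TO_SUBSEQUENT_ON_FAILURE, agents, record),
        "none": dispatch(DO_NOT_LOG_REMOTELY, agents, record),
    }


if __name__ == "__main__":
    print(demo())
```

With the primary down, the failover option writes one copy to the first reachable backup, while the mirror option writes one copy to every reachable agent. In this model nothing is replayed to central-log-1 once it returns, and this section does not say whether the appliance queues data for an agent that was unavailable; if a complete accounting trail matters, keep the relevant local log enabled and reconcile it against the central copies.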

Disabling Remote Logging


You can prevent Cisco Secure ACS from sending its accounting information to
remote agents by disabling the Remote Logging feature.
To disable remote logging, follow these steps:

Step 1 In the navigation bar, click System Configuration.
Step 2 Click Logging.
Step 3 Under Local Logging Configuration, click Remote Logging.
Step 4 Select the Do not log Remotely option.
Step 5 Click Submit.
Cisco Secure ACS no longer sends its accounting information for locally
authenticated sessions to remote agents.

Remote Agent Logging Configuration


Remote agent logging configuration consists of enabling logs that you want a
remote agent to keep and configuring which logging attributes are sent to remote
agents. On the Logging Configuration page, the Remote Agent Logging
Configuration table lists the CSV logs that you can configure Cisco Secure ACS
to send to a remote agent. You can configure each log separately.
For information about configuring which remote agents Cisco Secure ACS sends
log data to, see Local Configuration of Remote Logging, page 11-19.

Remote Agent Logging Options


For each log that a remote agent can keep, you have the following configuration
options:
• Log to log name report—Defines whether the remote log is enabled.
• Attributes—The available attributes whose data is not sent to the remote
agent for logging.

• Logged Attributes—The attributes whose data is sent to the remote agent for
logging.
• Generate New File—The frequency with which the remote agent starts a new
CSV file for the log. You have the following options:
– Every day—The remote agent starts a new CSV log file at 12:00 A.M. every
day.
– Every week—The remote agent starts a new CSV log file at 12:00 A.M.
every Sunday.
– Every month—The remote agent starts a new CSV log file at 12:00 A.M.
on the first day of every month.
– When size is greater than X KB—The remote agent starts a new CSV
log file when the current log file grows to the number of kilobytes
specified in the box.
• Directory—The directory where the remote agent writes the CSV log file.
The directory must be specified by its full path on the server that runs the
remote agent. If the server uses Microsoft Windows, the path must begin with
the drive letter, such as c:/acs-logs. If the server uses Sun Solaris, the path
must begin at the root directory, such as /usr/data/acs-logs.
• Manage Directory—Defines whether the remote agent deletes older log
files. Using the following options, you can specify how the remote agent
determines which log files to delete:
– Keep only the last X files—The remote agent retains the most recent log
files, up to the number of files specified. When the number of files
specified is exceeded, the remote agent deletes the oldest files.
– Delete files older than X days—The remote agent deletes each log file
once it is older than the number of days specified.
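The rotation triggers under Generate New File and the two retention rules under Manage Directory can be written out as two small functions. This is an added example written for this page, not the remote agent's own code: the function names, the policy keywords and the sample file list are assumptions, and the boundaries follow the option descriptions above (12:00 A.M. daily, 12:00 A.M. Sunday, 12:00 A.M. on the first of the month, or the size threshold in kilobytes).

```python
"""Added example (not the remote agent's own code): the Generate New File
rotation triggers and the Manage Directory retention rules as functions."""

from datetime import datetime, timedelta
from typing import List, Optional, Tuple


def _week_start(d: datetime):
    """Date of the Sunday that starts the week containing d (weekday(): Mon=0..Sun=6)."""
    return (d - timedelta(days=(d.weekday() + 1) % 7)).date()


def needs_new_file(policy: str, file_started: datetime, now: datetime,
                   size_bytes: int = 0, size_limit_kb: int = 0) -> bool:
    """Decide whether the agent starts a new CSV file.

    policy: 'day', 'week', 'month' (boundaries at 12:00 A.M.) or 'size'
    (the current file has grown to size_limit_kb kilobytes). file_started
    is when the current file was opened.
    """
    if policy == "day":
        return now.date() != file_started.date()
    if policy == "week":
        return _week_start(now) != _week_start(file_started)
    if policy == "month":
        return (now.year, now.month) != (file_started.year, file_started.month)
    if policy == "size":
        return size_bytes >= size_limit_kb * 1024
    raise ValueError(f"unknown rotation policy {policy!r}")


def files_to_delete(files: List[Tuple[str, datetime]],
                    keep_last: Optional[int] = None,
                    max_age_days: Optional[int] = None,
                    now: Optional[datetime] = None) -> List[str]:
    """Names the agent would delete, given (name, creation time) pairs.

    Exactly one of keep_last ('Keep only the last X files') or max_age_days
    ('Delete files older than X days') is set, like the two radio buttons.
    """
    if (keep_last is None) == (max_age_days is None):
        raise ValueError("set exactly one of keep_last or max_age_days")
    oldest_first = sorted(files, key=lambda f: f[1])
    if keep_last is not None:
        excess = max(len(oldest_first) - keep_last, 0)
        return [name for name, _ in oldest_first[:excess]]   # oldest go first
    cutoff = (now or datetime.now()) - timedelta(days=max_age_days)
    return [name for name, created in oldest_first if created < cutoff]
```

A daily rotation combined with a short "Delete files older than X days" value leaves only a few days of accounting data on the agent, so size the retention to the period for which you must be able to answer questions about a session, and copy files off the agent before they age out.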

Configuring Remote Agent Logs


This procedure describes how to configure the content of a remote agent CSV log.
For instructions about enabling or disabling all remote agent logging, see Local
Configuration of Remote Logging, page 11-19.

This procedure applies to all logs recorded by a remote agent, that is, all logs
listed in the Remote Agent Logging Configuration table on the Logging
Configuration page.
Before You Begin
For information about the options available for remote agent log configuration,
see Remote Agent Logging Options, page 11-22.
To configure a CSV log for a remote agent, follow these steps:

Step 1 In the navigation bar, click System Configuration.
Step 2 Click Logging.
Step 3 Under Remote Agent Logging Configuration, click the name of the remote agent
log you want to configure.
The CSV log File Configuration page appears, where log is the name of the
remote agent log you selected.
Step 4 To enable the log, select the Log to CSV log name report check box.

Note If the Log to CSV log name report check box is not selected, Cisco Secure
ACS does not send data for this log to remote agents.

Step 5 For each attribute that you want to include in the remote agent log, select the
attribute in the Attributes list and click --> (right arrow button).
The attribute moves to the Logged Attributes list.

Tip Use the vertical scroll bar to find attributes not visible in the list box.

Step 6 If you need to remove an attribute from the remote agent log, select the attribute
in the Logged Attributes list and click <-- (left arrow button).
The attribute moves to the Attributes list.

Tip Use the vertical scroll bar to find attributes not visible in the list.

Step 7 If you want to set the attributes in the Logged Attributes list back to the default
selections, at the bottom of the browser window, click Reset Columns.

Step 8 Under Generate New File, specify when the remote agent should begin a new log
file.
Step 9 If you want to manage which CSV files the remote agent keeps, follow these
steps:
a. Select the Manage Directory check box.
b. To limit the number of CSV files the remote agent retains, select the Keep
only the last X files option and type the number of files you want the remote
agent to retain in the X box.
c. To limit how old the CSV files retained by the remote agent can be, select the
Delete files older than X days option and type the number of days for which
the remote agent should retain a CSV file before deleting it.
Step 10 Click Submit.
Cisco Secure ACS implements the remote agent log configuration that you
specified.

Service Logs
The service logs may be considered diagnostic logs and are used for
troubleshooting or debugging purposes only. These logs are not intended for
general use by Cisco Secure ACS administrators; instead, they are mainly sources
of information for Cisco support personnel. Service logs contain a record of all
Cisco Secure ACS service actions and activities. When service logging is
enabled, each service generates a log whenever the service is running, whether or
not you are using the service. For example, Cisco Secure ACS generates RADIUS
service logs even if you are not using RADIUS to communicate with AAA clients
or other AAA servers.
The Support feature in the System Configuration section includes service logs in
the package.cab file that it generates if you click Run Support Now. For more
information about this feature, see Support, page 8-24.
For more information about Cisco Secure ACS services, see Chapter 1,
“Overview.”

Services Logged
Cisco Secure ACS generates logs for the following services:
• CSAdmin
• CSAuth
• CSDBSync
• CSLog
• CSMon
• CSRadius
• CSTacacs
These files can be retrieved from the appliance using the Support feature in the
System Configuration section or using the support command at the serial
console.
For each service, Cisco Secure ACS writes separate log files. When a log file
reaches 10 MB in size, Cisco Secure ACS starts a new log file. Cisco Secure ACS
retains the most recent 30 log files for each service.
The most recent debug log is named as follows:
SERVICE.log
where SERVICE is the name of the applicable service.
Older debug logs are named with the year, month, and date they were created. For
example, a file created on July 13, 2003, would be named as follows:
SERVICE 2003-07-13.log
where SERVICE is the name of the applicable service.
If you selected the Day/Month/Year format under Date Format Control, the file
would be named as follows:
SERVICE 13-07-2003.log

Configuring Service Log Detail


You can configure the level of detail with which Cisco Secure ACS generates
service log files. You can set the service log file to contain one of three levels of
detail:
• None—No log file is generated.
• Low—Only start and stop actions are logged. This is the default setting.
• Full—All services actions are logged.
To configure how Cisco Secure ACS generates and manages the service log file,
follow these steps:

Step 1 In the navigation bar, click System Configuration.
Step 2 Click Service Control.
The status of the services appears in the CiscoSecure ACS on hostname table,
where hostname is the name of the Cisco Secure ACS appliance.
Step 3 If you want to disable the service log file, under Level of detail, select the None
option.
After you click Restart, Cisco Secure ACS does not generate new service log
files.
Step 4 If you want to enable service logging, under Level of detail, select the Low or Full
option, as applicable.
After you click Restart, Cisco Secure ACS generates service logs with the level
of detail you specified.
Step 5 Click Restart.
Cisco Secure ACS restarts its services and implements the service log settings
you specified.

CHAPTER 12
Administrators and Administrative Policy

This chapter addresses the Cisco Secure ACS Appliance features found in the
Administration Control section of the HTML interface.
This chapter contains the following topics:
• Administrator Accounts, page 12-1
• Access Policy, page 12-11
• Session Policy, page 12-16

Administrator Accounts
This section provides details about Cisco Secure ACS administrators.
This section contains the following topics:
• About Administrator Accounts, page 12-2
• Administrator Privileges, page 12-3
• Adding an Administrator Account, page 12-6
• Editing an Administrator Account, page 12-8
• Unlocking a Locked Out Administrator Account, page 12-10
• Deleting an Administrator Account, page 12-11

About Administrator Accounts


Administrators are the only users of the Cisco Secure ACS HTML interface. To
access the Cisco Secure ACS HTML interface from a browser, you must log in to
Cisco Secure ACS using an administrator account.

Note Cisco Secure ACS administrator accounts are unique to Cisco Secure ACS. They
are not related to administrator accounts for your network, operating systems, or
other software.

In the HTML interface, an administrator can configure any of the features
provided in Cisco Secure ACS; however, the ability to access various parts of the
HTML interface can be limited by revoking privileges to those parts of the HTML
interface that a given administrator is not permitted to access.
For example, you may want to limit access to the Network Configuration section
of the HTML interface to the administrators whose responsibilities include
network management. To do so, you would select only the Network Configuration
privilege for the applicable administrator accounts. For more information about
administrator privileges, see Administrator Privileges, page 12-3.
Cisco Secure ACS administrator accounts have no correlation with Cisco Secure
ACS user accounts or network user authentication. Cisco Secure ACS stores
accounts created for authentication of network service requests and those created
for Cisco Secure ACS administrative access in separate internal databases.

Administrator Privileges
You can grant appropriate privileges to each Cisco Secure ACS administrator by
assigning privileges on an administrator-by-administrator basis. You control
privileges by selecting the options in the Administrator Privileges table on the
Add Administrator or Edit Administrator pages. These options are listed below:
• User and Group Setup—Contains the following privilege options for the
User Setup and Group Setup sections of the HTML interface:
– Add/Edit users in these groups—Enables the administrator to add or
edit users and to assign users to groups in the Editable groups list.
– Setup of these groups—Enables the administrator to edit the settings for
the groups in the Editable groups list.
– Available Groups—Lists the user groups for which the administrator
does not have edit privileges and to which the administrator cannot add
users.
– Editable Groups—Lists the user groups for which the administrator
does have edit privileges and to which the administrator account can add
users.
• Shared Profile Components—Contains the following privilege options for
the Shared Profile Components section of the HTML interface:
– Network Access Restriction Sets—Allows the administrator full access
to the Network Access Restriction Sets feature.
– Downloadable ACLs—Allows the administrator full access to the
Downloadable PIX ACLs feature.
– Create New Device Command Set Type—Allows the administrator
account to be used as valid credentials by another Cisco application for
adding new device command set types. New device command set types
that are added to Cisco Secure ACS using this privilege appear in the
Shared Profile Components section of the HTML interface.
– Shell Command Authorization Sets—Allows the administrator full
access to the Shell Command Authorization Sets feature.
– PIX Command Authorization Sets—Allows the administrator full
access to the PIX Command Authorization Sets feature.

Note Additional command authorization set privilege options may appear,
if other Cisco network management applications, such as
CiscoWorks2000, have updated the configuration of Cisco Secure
ACS.

• Network Configuration—Allows the administrator full access to the
features in the Network Configuration section of the HTML interface.
• System Configuration...—Contains the privilege options for the features
found in the System Configuration section of the HTML interface. For each
of the following features, enabling the option allows the administrator full
access to the feature.
– Service Control—For more information about this feature, see Service
Control, page 8-2.
– Date/Time Format Control—For more information about this feature,
see Date Format Control, page 8-3.
– Logging Control—For more information about this feature, see
Logging, page 8-3.
– Local Password Management—For more information about this
feature, see Local Password Management, page 8-5.
– DB Replication—For more information about this feature, see
CiscoSecure Database Replication, page 9-1.
– RDBMS Synchronization—For more information about this feature,
see RDBMS Synchronization, page 9-24.
– IP Pool Address Recovery—For more information about this feature,
see IP Pools Address Recovery, page 9-44.
– IP Pool Server Configuration—For more information about this
feature, see IP Pools Server, page 9-37.
– ACS Backup—For more information about this feature, see
Cisco Secure ACS Backup, page 8-8.
– ACS Restore—For more information about this feature, see
Cisco Secure ACS System Restore, page 8-13.
– ACS Service Management—For more information about this feature,
see Cisco Secure ACS Active Service Management, page 8-17.

– VoIP Accounting Configuration—For more information about this
feature, see VoIP Accounting Configuration, page 8-21.
– ACS Certificate Setup—For more information about this feature, see
Cisco Secure ACS Certificate Setup, page 10-33.
– Global Authentication Setup—For more information about this feature,
see Global Authentication Setup, page 10-25.
– Appliance Configuration—For more information about this feature, see
Appliance Configuration, page 8-22.
– Support Operations—For more information about this feature, see
Support, page 8-24.
– View Diagnostic Logs—For more information about this feature, see
Viewing or Downloading Diagnostic Logs, page 8-27.
– Appliance Upgrade Status—For more information about this feature,
see Appliance Upgrade Status, page 8-27.
• Interface Configuration—Allows the administrator full access to the
features in the Interface Configuration section of the HTML interface.
• Administration Control—Allows the administrator full access to the
features in the Administration Control section of the HTML interface.
• External User Databases—Allows the administrator full access to the
features in the External User Databases section of the HTML interface.
• Reports & Activity—Contains the privilege options for the reports and
features found in the Reports and Activity section of the HTML interface. For
each of the following features, enabling the option allows the administrator
full access to the feature.
– TACACS+ Accounting—For more information about this report, see
Accounting Logs, page 11-5.
– TACACS+ Administration—For more information about this report,
see Accounting Logs, page 11-5.
– RADIUS Accounting—For more information about this report, see
Accounting Logs, page 11-5.
– VoIP Accounting—For more information about this report, see
Accounting Logs, page 11-5.
– Passed Authentications—For more information about this report, see
Accounting Logs, page 11-5.

– Failed Attempts—For more information about this report, see
Accounting Logs, page 11-5.
– Logged-in Users—For more information about this report, see
Accounting Logs, page 11-5.
– Purge of Logged-in Users—For more information about this feature,
see Deleting Logged-in Users, page 11-10.
– Disabled Accounts—For more information about this report, see
Dynamic Administration Reports, page 11-7.
– ACS Backup and Restore—For more information about this report, see
Cisco Secure ACS System Logs, page 11-12.
– DB Replication—For more information about this report, see
Cisco Secure ACS System Logs, page 11-12.
– RDBMS Synchronization—For more information about this report, see
Cisco Secure ACS System Logs, page 11-12.
– Administration Audit—For more information about this report, see
Cisco Secure ACS System Logs, page 11-12.
– ACS Service Monitor—For more information about this report, see
Cisco Secure ACS System Logs, page 11-12.
– User Change Password—For more information about this report, see
Cisco Secure ACS System Logs, page 11-12.
– Appliance Status—For more information about this report, see Dynamic
Administration Reports, page 11-7.
– Appliance Administration Audit—For more information about this
report, see Cisco Secure ACS System Logs, page 11-12.
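A compact model of this privilege table makes the scoping rules concrete: the two User & Group Setup options apply only to groups in the Editable groups list, while every other option is all-or-nothing for its section. This is an added example written for this page, not code from Cisco Secure ACS; the privilege strings are option names from this section, while the `Administrator` class, the `authorize` function and the group names are assumptions.

```python
"""Added example (not Cisco Secure ACS code): the Administrator Privileges
table as an authorization check, with group-scoped User & Group Setup rights
and section-wide privileges."""

from dataclasses import dataclass, field
from typing import Iterable, Optional, Set

# A subset of the section-level options named in this chapter (assumption:
# the full table is longer). Each grants full access to its section.
SECTION_PRIVILEGES = {
    "Network Configuration",
    "Interface Configuration",
    "Administration Control",
    "External User Databases",
    "Shared Profile Components: Network Access Restriction Sets",
    "Shared Profile Components: Shell Command Authorization Sets",
    "System Configuration: Logging Control",
    "Reports & Activity: Administration Audit",
}
ADD_EDIT_USERS = "Add/Edit users in these groups"
SETUP_GROUPS = "Setup of these groups"


@dataclass
class Administrator:
    name: str
    privileges: Set[str] = field(default_factory=set)       # section privileges held
    add_edit_users: bool = False
    setup_groups: bool = False
    editable_groups: Set[str] = field(default_factory=set)  # the Editable groups list

    def grant_all(self, all_groups: Iterable[str]) -> None:
        """Grant All: every option selected, every group made editable."""
        self.privileges = set(SECTION_PRIVILEGES)
        self.add_edit_users = self.setup_groups = True
        self.editable_groups = set(all_groups)

    def revoke_all(self) -> None:
        """Revoke All: the account keeps its name and password but can change nothing."""
        self.privileges = set()
        self.add_edit_users = self.setup_groups = False
        self.editable_groups = set()

    def effectively_disabled(self) -> bool:
        """True when the account can change nothing (the Revoke All state)."""
        group_rights = (self.add_edit_users or self.setup_groups) and bool(self.editable_groups)
        return not (self.privileges or group_rights)


def authorize(admin: Administrator, privilege: str, group: Optional[str] = None) -> bool:
    """True if admin may exercise privilege (for a group, where applicable)."""
    if privilege in (ADD_EDIT_USERS, SETUP_GROUPS):
        held = admin.add_edit_users if privilege == ADD_EDIT_USERS else admin.setup_groups
        return held and group in admin.editable_groups   # scoped to Editable groups
    if privilege not in SECTION_PRIVILEGES:
        raise ValueError(f"unknown privilege option {privilege!r}")
    return privilege in admin.privileges
```

Administration Control is the section in which privileges are granted, so an account that holds that one privilege can give itself everything else; treat it as equivalent to Grant All and reserve it for the few administrators who manage the other accounts.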

Adding an Administrator Account


Before You Begin
For descriptions of the options available while adding an administrator account,
see Administrator Privileges, page 12-3.
To add a Cisco Secure ACS administrator account, follow these steps:

Step 1 In the navigation bar, click Administration Control.

Step 2 Click Add Administrator.
The Add Administrator page appears.
Step 3 Complete the boxes in the Administrator Details table:
a. In the Administrator Name box, type the login name (up to 32 characters) for
the new Cisco Secure ACS administrator account.
b. In the Password box, type the password (up to 32 characters) for the new
Cisco Secure ACS administrator account.
c. In the Confirm Password box, type the password a second time.
Step 4 To select all privileges, including user group editing privileges for all user groups,
click Grant All.
All privilege options are selected. All user groups move to the Editable groups
list.

Tip To clear all privileges, including user group editing privileges for all user
groups, click Revoke All.

Step 5 To grant user and user group editing privileges, follow these steps:
a. Select the desired check boxes under User & Group Setup.
b. To move a user group to the Editable groups list, select the group in the
Available groups list, and then click --> (right arrow button).
The selected group moves to the Editable groups list.
c. To remove a user group from the Editable groups list, select the group in the
Editable groups list, and then click <-- (left arrow button).
The selected group moves to the Available groups list.
d. To move all user groups to the Editable groups list, click >>.
The user groups in the Available groups list move to the Editable groups list.
e. To remove all user groups from the Editable groups list, click <<.
The user groups in the Editable groups list move to the Available groups list.
Step 6 To grant any of the remaining privilege options, in the Administrator Privileges
table, select the applicable check boxes.

Step 7 Click Submit.
Cisco Secure ACS saves the new administrator account. The new account appears
in the list of administrator accounts on the Administration Control page.

Editing an Administrator Account


You can edit a Cisco Secure ACS administrator account to change the privileges
granted to the administrator. You can effectively disable an administrator account
by revoking all privileges.

Note You cannot change the name of an administrator account; however, you can delete
an administrator account and then create an account with the new name. For
information about deleting an administrator account, see Deleting an
Administrator Account, page 12-11. For information about creating an
administrator account, see Adding an Administrator Account, page 12-6.

For information about administrator privilege options, see Administrator
Privileges, page 12-3.
Before You Begin
For descriptions of the options available while editing an administrator account,
see Administrator Privileges, page 12-3.
To edit Cisco Secure ACS administrator account privileges, follow these steps:

Step 1 In the navigation bar, click Administration Control.
Cisco Secure ACS displays the Administration Control page.
Step 2 Click the name of the administrator account whose privileges you want to edit.
The Edit Administrator name page appears, where name is the name of the
administrator account you just selected.
Step 3 To change the administrator password, follow these steps:
a. In the Password box, double-click the asterisks, and then type the new
password (up to 32 characters) for the administrator.
The new password replaces the existing, masked password.

b. In the Confirm Password box, double-click the asterisks, and then type the
new administrator password a second time.
The new password is effective immediately after you click Submit in Step 10.
Step 4 If the Reset current failed attempts count check box appears below the Confirm
Password box and you want to allow the administrator whose account you are
editing to access the Cisco Secure ACS HTML interface, select the Reset current
failed attempts count check box.

Note If the Reset current failed attempts count check box appears below the
Confirm Password box, the administrator cannot access Cisco Secure
ACS unless you complete Step 4. For more information about re-enabling
an administrator account, see Unlocking a Locked Out Administrator
Account, page 12-10.

Step 5 To select all privileges, including user group editing privileges for all user groups,
click Grant All.
All privilege options are selected. All user groups move to the Editable groups
list.
Step 6 To clear all privileges, including user group editing privileges for all user groups,
click Revoke All.
All privileges options are cleared. All user groups move to the Available groups
list.
Step 7 To grant user and user group editing privileges, follow these steps:
a. Under User & Group Setup, select the applicable check boxes.
b. To move all user groups to the Editable groups list, click >>.
The user groups in the Available groups list move to the Editable groups list.
c. To move a user group to the Editable groups list, select the group in the
Available groups list, and then click --> (right arrow button).
The selected group moves to the Editable groups list.
d. To remove all user groups from the Editable groups list, click <<.
The user groups in the Editable groups list move to the Available groups list.

e. To remove a user group from the Editable groups list, select the group in the
Editable groups list, and then click <-- (left arrow button).
The selected group moves to the Available groups list.
Step 8 To grant any remaining privilege options, select the applicable check boxes in the
Administrator Privileges table.
Step 9 To revoke any remaining privilege options, clear the applicable check boxes in the
Administrator Privileges table.
Step 10 Click Submit.
Cisco Secure ACS saves the changes to the administrator account.

Unlocking a Locked Out Administrator Account


Cisco Secure ACS disables the accounts of administrators who have attempted to
access the Cisco Secure ACS HTML interface and have provided an incorrect
password in more successive attempts than is specified on the Session Policy
Setup page. Until the failed attempts counter for a disabled administrator account
is reset, the administrator cannot access the HTML interface.
For more information about configuring how many successive failed login
attempts can occur before Cisco Secure ACS disables an administrator account,
see Session Policy, page 12-16.
To reset the failed attempts count for an administrator, follow these steps:

Step 1 In the navigation bar, click Administration Control.
Cisco Secure ACS displays the Administration Control page.
Step 2 Click the name of the administrator account whose account you want to re-enable.
The Edit Administrator name page appears, where name is the name of the
administrator account you just selected.
If the Reset current failed attempts count check box appears below the Confirm
Password box, the administrator account cannot access the HTML interface.
Step 3 Select the Reset current failed attempts count check box.

Step 4 Click Submit.
Cisco Secure ACS saves the changes to the administrator account.
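The lockout rule above can be checked with a short model. This is an added example written for this page, not Cisco Secure ACS code: the allowed-failures value, the account name and the salted-hash credential store are constructed, and the model follows the wording of this section literally, locking the account once the number of successive incorrect passwords exceeds the configured value and keeping it locked until the count is reset.

```python
"""Added example (not Cisco Secure ACS code): successive-failure lockout for
administrator logins and the 'Reset current failed attempts count' action."""

import hashlib
import hmac
from typing import Dict, Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest for the constructed credential store
    (iteration count kept low for the example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class AdminLoginPolicy:
    """Tracks successive failed logins per administrator account."""

    def __init__(self, credentials: Dict[str, Tuple[bytes, bytes]], allowed_failures: int):
        self._creds = credentials           # name -> (salt, pbkdf2 digest)
        self._allowed = allowed_failures    # stands in for the Session Policy value
        self._failed: Dict[str, int] = {name: 0 for name in credentials}

    def is_locked(self, name: str) -> bool:
        """Locked once failures exceed the allowed number, until reset."""
        return self._failed.get(name, 0) > self._allowed

    def login(self, name: str, password: str) -> bool:
        """Accept only a correct password on an account that is not locked."""
        if name not in self._creds:
            return False                    # unknown names: same answer, nothing tracked
        if self.is_locked(name):
            return False                    # even the right password is refused
        salt, digest = self._creds[name]
        if hmac.compare_digest(hash_password(password, salt), digest):
            self._failed[name] = 0          # a success ends the run of failures
            return True
        self._failed[name] += 1
        return False

    def reset_failed_attempts(self, name: str) -> None:
        """What the Reset current failed attempts count check box does."""
        self._failed[name] = 0
```

Two properties are worth keeping when you build or review such a counter: a non-existent account name produces the same refusal as a wrong password, so the lockout does not become an oracle for valid administrator names, and a lockout keyed only on the account name is a denial-of-service lever against a known administrator, which is one reason to restrict where administrative sessions may come from (see Access Policy, page 12-11).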

Deleting an Administrator Account


You can delete a Cisco Secure ACS administrator account when you no longer
need it. We recommend deleting any unused administrator accounts.
To delete a Cisco Secure ACS administrator account, follow these steps:

Step 1 In the navigation bar, click Administration Control.
Cisco Secure ACS displays the Administration Control page.
Step 2 In the Administrators table, click the name of the administrator account that you
want to delete.
The Edit Administrator name page appears, where name is the name of the
administrator account you just selected.
Step 3 Click Delete.
Cisco Secure ACS displays a confirmation dialog box.
Step 4 Click OK.
Cisco Secure ACS deletes the administrator account. The Administrators table on
the Administration Control page no longer lists the administrator account that you
deleted.

Access Policy
The Access Policy feature affects access to the Cisco Secure ACS HTML
interface. You can limit access by IP address and by the TCP port range used for
administrative sessions. You can also enable Secure Sockets Layer (SSL) for access
to the HTML interface.

This section contains the following topics:


• Access Policy Options, page 12-12
• Setting Up Access Policy, page 12-14

Access Policy Options


You can configure the following options on the Access Policy Setup page:
• IP Address Filtering—Contains the following IP address filtering options:
– Allow all IP addresses to connect—Allow access to the HTML
interface from any IP address.
– Allow only listed IP addresses to connect—Allow access to the HTML
interface only from IP addresses inside the address range(s) specified in
the IP Address Ranges table.
– Reject connections from listed IP addresses—Allow access to the
HTML interface only from IP addresses outside the address range(s)
specified in the IP Address Ranges table.
• IP Address Ranges—The IP Address Ranges table contains ten rows for
configuring IP address ranges. The ranges are always inclusive; that is, the
range includes the start and end IP addresses. The IP addresses entered to
define a range must differ only in the last octet (Class C format).
The IP Address Ranges table contains one column of each of the following
boxes:
– Start IP Address—Defines the lowest IP address of the range specified
in the current row.
– End IP Address—Defines the highest IP address of the range specified
in the current row.


• HTTP Port Allocation—Contains the following options for configuring
TCP ports used for remote access to the HTML interface.
– Allow any TCP ports to be used for Administration HTTP
Access—Allow the ports used by administrative HTTP sessions to
include the full range of TCP ports.
– Restrict Administration Sessions to the following port range From
Port X to Port Y—Restrict the ports used by administrative HTTP
sessions to the range specified in the X and Y boxes, inclusive. The size
of the range specified determines the maximum number of concurrent
administrative sessions.
Cisco Secure ACS uses port 2002 to start all administrative sessions.
You do not need to include port 2002 in the port range. Also,
Cisco Secure ACS does not allow you to define an HTTP port range that
consists only of port 2002. Your port range must consist of at least one
port other than port 2002.
A firewall configured to permit HTTP traffic over the Cisco Secure ACS
administrative port range must also permit HTTP traffic through port
2002, because this is the port a web browser must address to initiate an
administrative session.

Note We do not recommend allowing administration of Cisco Secure
ACS from outside a firewall. If you do choose to allow access to
the HTML interface from outside a firewall, keep the HTTP port
range as narrow as possible. This can help prevent accidental
discovery of an active administrative port by unauthorized users.
An unauthorized user would have to impersonate, or “spoof,” the
IP address of a legitimate host to make use of the active
administrative session HTTP port.

• Secure Socket Layer Setup—The Use HTTPS Transport for
Administration Access check box defines whether Cisco Secure ACS
uses secure socket layer protocol to encrypt HTTP traffic between the
CSAdmin service and a web browser used to access the HTML interface.
When this option is enabled, all HTTP traffic between the browser and
Cisco Secure ACS is encrypted, as reflected by the URLs, which begin
with HTTPS. Additionally, most browsers include an indicator for when
a connection is SSL-encrypted.


To enable SSL, you must have completed the steps in Installing a Cisco
Secure ACS Certificate, page 10-33, and Adding a Certificate Authority
Certificate, page 10-36.

Setting Up Access Policy


For information about access policy options, see Access Policy Options,
page 12-12.
Before You Begin
If you want to enable SSL for administrative access, before completing this
procedure, you must have completed the steps in Installing a Cisco Secure ACS
Certificate, page 10-33, and Adding a Certificate Authority Certificate,
page 10-36.
To set up Cisco Secure ACS Access Policy, follow these steps:

Step 1 In the navigation bar, click Administration Control.
Cisco Secure ACS displays the Administration Control page.
Step 2 Click Access Policy.
The Access Policy Setup page appears.
Step 3 To allow remote access to the HTML interface from any IP address, in the IP
Address Filtering table, select the Allow all IP addresses to connect option.
Step 4 To allow remote access to the HTML interface only from IP addresses within a
range or ranges of IP addresses, follow these steps:
a. In the IP Address Filtering table, select the Allow only listed IP addresses
to connect option.
b. For each IP address range from within which you want to allow remote access
to the HTML interface, complete one row of the IP Address Ranges table. In
the Start IP Address box, type the lowest IP address (up to 16 characters) in
the range. In the End IP Address box, type the highest IP address (up to 16
characters) in the range. Use dotted decimal format.

Note The IP addresses entered to define a range must differ only in the last
octet.


Step 5 To allow remote access to the HTML interface only from IP addresses outside a
range or ranges of IP addresses, follow these steps:
a. In the IP Address Filtering table, select the Reject connections from listed
IP addresses option.
b. For each IP address range from outside which you want to allow remote
access to the HTML interface, complete one row of the IP Address Ranges
table. Type the lowest IP address (up to 16 characters) in the range in the Start
IP Address box. Type the highest IP address (up to 16 characters) in the range
in the End IP Address box.

Note The IP addresses entered to define a range must differ only in the last
octet.

Step 6 If you want to allow Cisco Secure ACS to use any valid TCP port for
administrative sessions, under HTTP Port Allocation, select the Allow any TCP
ports to be used for Administration HTTP Access option.
Step 7 If you want to allow Cisco Secure ACS to use only a specified range of TCP ports
for administrative sessions, follow these steps:
a. Under HTTP Port Allocation, select the Restrict Administration Sessions to
the following port range From Port X to Port Y option.
b. In the X box type the lowest TCP port (up to 5 characters) in the range.
c. In the Y box type the highest TCP port (up to 5 characters) in the range.
Step 8 If you want to enable SSL encryption of administrator access to the HTML
interface, under Secure Socket Layer Setup, select the Use HTTPS Transport
for Administration Access check box.

Note To enable SSL, you must have completed the steps in Installing a Cisco
Secure ACS Certificate, page 10-33, and Adding a Certificate Authority
Certificate, page 10-36.


Step 9 Click Submit.
Cisco Secure ACS saves and begins enforcing the access policy settings.
If you have enabled SSL, at the next administrator login, Cisco Secure ACS
begins using HTTPS. Any current administrator sessions are unaffected.
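The IP filtering and port-range rules from Access Policy Options, and the settings the procedure above enters, expressed as a checker that validates a policy against the stated constraints and applies it to a connecting browser's address. This is an added example written for this page, not Cisco or ACS product code; the AccessPolicy fields and function names are assumptions, and the sample ranges are constructed.

```python
"""Model of the Cisco Secure ACS 3.2 Access Policy rules described above.

Added example, not Cisco or ACS product code; the function and field names
are assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ADMIN_START_PORT = 2002  # every administrative session is started on this port
MAX_RANGE_ROWS = 10      # the IP Address Ranges table has ten rows

ALLOW_ALL = "allow_all"          # Allow all IP addresses to connect
ALLOW_LISTED = "allow_listed"    # Allow only listed IP addresses to connect
REJECT_LISTED = "reject_listed"  # Reject connections from listed IP addresses


@dataclass
class AccessPolicy:
    ip_mode: str = ALLOW_ALL
    # (Start IP Address, End IP Address) rows; ranges are inclusive
    ip_ranges: List[Tuple[str, str]] = field(default_factory=list)
    # (From Port X, To Port Y); None means any TCP port may be used
    port_range: Optional[Tuple[int, int]] = None
    use_https: bool = False  # Use HTTPS Transport for Administration Access


def validate_policy(policy: AccessPolicy) -> List[str]:
    """Return the constraint violations the Access Policy Setup page would
    reject (an empty list means the policy is acceptable)."""
    problems = []
    if policy.ip_mode not in (ALLOW_ALL, ALLOW_LISTED, REJECT_LISTED):
        problems.append(f"unknown IP filtering mode {policy.ip_mode!r}")
    if len(policy.ip_ranges) > MAX_RANGE_ROWS:
        problems.append("the IP Address Ranges table holds at most ten rows")
    for start, end in policy.ip_ranges:
        try:
            lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        except ValueError:
            problems.append(f"range {start}-{end}: not a dotted decimal IPv4 address")
            continue
        if lo.packed[:3] != hi.packed[:3]:
            problems.append(f"range {start}-{end}: start and end may differ only in the last octet")
        elif lo > hi:
            problems.append(f"range {start}-{end}: start is higher than end")
    if policy.ip_mode == ALLOW_LISTED and not policy.ip_ranges:
        problems.append("'Allow only listed' with an empty table would lock every administrator out")
    if policy.port_range is not None:
        x, y = policy.port_range
        if not 1 <= x <= y <= 65535:
            problems.append(f"port range {x}-{y}: outside 1-65535 or reversed")
        elif x == y == ADMIN_START_PORT:
            problems.append("the port range must contain at least one port other than 2002")
    return problems


def source_allowed(policy: AccessPolicy, client_ip: str) -> bool:
    """Apply IP Address Filtering to the source address of a browser
    attempting to open an administrative session."""
    ip = ipaddress.IPv4Address(client_ip)
    listed = any(
        ipaddress.IPv4Address(start) <= ip <= ipaddress.IPv4Address(end)
        for start, end in policy.ip_ranges
    )
    if policy.ip_mode == ALLOW_ALL:
        return True
    if policy.ip_mode == ALLOW_LISTED:
        return listed
    return not listed  # REJECT_LISTED: listed addresses are refused


def max_concurrent_sessions(policy: AccessPolicy) -> Optional[int]:
    """The size of the port range bounds the number of concurrent
    administrative sessions; None when any TCP port may be used."""
    if policy.port_range is None:
        return None
    x, y = policy.port_range
    return y - x + 1


def firewall_ports(policy: AccessPolicy) -> List[int]:
    """TCP ports a firewall in front of ACS must permit for remote
    administration: the session range plus port 2002, which the browser
    addresses first. An unrestricted policy needs the full TCP port range."""
    if policy.port_range is None:
        return list(range(1, 65536))
    x, y = policy.port_range
    return sorted({ADMIN_START_PORT, *range(x, y + 1)})


if __name__ == "__main__":
    # Constructed configuration: one narrow range, restricted ports, HTTPS on.
    policy = AccessPolicy(ALLOW_LISTED, [("10.0.0.10", "10.0.0.20")], (5000, 5009), True)
    print("problems:", validate_policy(policy))
    for src in ("10.0.0.15", "10.0.0.21", "10.0.1.15"):
        print(src, "allowed" if source_allowed(policy, src) else "rejected")
    print("firewall ports:", firewall_ports(policy))
```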

Session Policy
The Session Policy feature controls various aspects of Cisco Secure ACS
administrative sessions.
This section contains the following topics:
• Session Policy Options, page 12-16
• Setting Up Session Policy, page 12-17

Session Policy Options


You can configure the following options on the Session Policy Setup page:
• Session idle timeout (minutes)—Defines the time in minutes that an
administrative session must remain idle before Cisco Secure ACS terminates
the connection. This parameter applies to the Cisco Secure ACS
administrative session in the browser only. It does not apply to an
administrator dial-up session.
An administrator whose administrative session is terminated receives a
dialog box asking whether or not the administrator wants to continue. If the
administrator chooses to continue, Cisco Secure ACS starts a new
administrative session.
• Respond to Invalid IP Address Connections—Enables an error message in
response to attempts to start a remote administrative session using an IP
address that is invalid according to the IP address ranges configured in
Access Policy. Disabling this option can help prevent unauthorized users
from discovering Cisco Secure ACS.


• Lock out Administrator after X successive failed attempts—Enables
Cisco Secure ACS to lock out an administrator after the number of successive
failed login attempts specified in the X box. A value of 0 (zero) in the X box
allows unlimited successive administrative login failures. If this check box is
selected, the X box cannot be set to zero.

Setting Up Session Policy


For information about session policy options, see Session Policy Options,
page 12-16.
To set up Cisco Secure ACS Session Policy, follow these steps:

Step 1 In the navigation bar, click Administration Control.
Cisco Secure ACS displays the Administration Control page.
Step 2 Click Session Policy.
The Session Policy Setup page appears.
Step 3 To define the number of minutes of inactivity after which Cisco Secure ACS ends
an administrative session, in the Session idle timeout (minutes) box, type the
number of minutes (up to 4 characters).
Step 4 Set the invalid IP address response policy:
a. To configure Cisco Secure ACS to respond with a message when an
administrative session is requested from an invalid IP address, select the
Respond to invalid IP address connections check box.
b. To configure Cisco Secure ACS to send no message when an administrative
session is requested from an invalid IP address, clear the Respond to invalid
IP address connections check box.
Step 5 Set the failed administrative login attempts policy:
a. To enable Cisco Secure ACS to lock out an administrator after a number of
successive failed administrative login attempts, select the Lock out
Administrator after X successive failed attempts check box.
b. In the X box, type the number of successive failed login attempts after which
Cisco Secure ACS locks out an administrator. The X box accepts up to 4
characters.


Step 6 Click Submit.
Cisco Secure ACS saves and begins enforcing the session policy settings you
made.
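The lockout rule from Session Policy Options (lock out after X successive failures, 0 meaning unlimited) and the Reset current failed attempts count action from earlier in this chapter, modelled as a small state machine. This is an added example written for this page, not Cisco code; the SessionPolicy fields, AdminLoginTracker and its outcome strings are assumptions.

```python
"""Model of the Session Policy lockout rules described above, together with
the 'Reset current failed attempts count' action from earlier in this
chapter. Added example, not Cisco code; class and function names are
assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class SessionPolicy:
    idle_timeout_minutes: int    # Session idle timeout (minutes), up to 4 characters
    lockout_enabled: bool        # Lock out Administrator after X successive failed attempts
    max_failed_attempts: int     # the X box; 0 means unlimited successive failures
    respond_to_invalid_ip: bool  # Respond to Invalid IP Address Connections


def validate_session_policy(policy: SessionPolicy) -> List[str]:
    """Return the violations the Session Policy Setup page would reject."""
    problems = []
    if not 0 <= policy.idle_timeout_minutes <= 9999:
        problems.append("idle timeout must fit in 4 characters (0-9999)")
    if not 0 <= policy.max_failed_attempts <= 9999:
        problems.append("X must fit in 4 characters (0-9999)")
    if policy.lockout_enabled and policy.max_failed_attempts == 0:
        problems.append("X cannot be zero when lockout is enabled")
    return problems


class AdminLoginTracker:
    """Counts successive failed HTML-interface logins per administrator and
    applies the lockout; a successful login restarts the count."""

    def __init__(self, policy: SessionPolicy):
        self.policy = policy
        self.failed: Dict[str, int] = {}
        self.locked: Set[str] = set()

    def record_attempt(self, admin: str, password_ok: bool) -> str:
        """Outcome of one login attempt: 'ok', 'failed' or 'locked'."""
        if admin in self.locked:
            return "locked"  # stays locked until another administrator resets the count
        if password_ok:
            self.failed[admin] = 0
            return "ok"
        self.failed[admin] = self.failed.get(admin, 0) + 1
        if self.policy.lockout_enabled and self.failed[admin] >= self.policy.max_failed_attempts:
            self.locked.add(admin)
            return "locked"
        return "failed"

    def reset_failed_attempts(self, admin: str) -> None:
        """Same effect as selecting 'Reset current failed attempts count' on the
        Edit Administrator page and clicking Submit."""
        self.failed[admin] = 0
        self.locked.discard(admin)
```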

CHAPTER 13
User Databases

Cisco Secure Access Control Server (ACS) Appliance authenticates users against
one of several possible databases, including its internal database. You can
configure Cisco Secure ACS to authenticate users with more than one type of
database. This flexibility enables you to use user accounts data collected in
different locations without having to explicitly import the users from each
external user database into the CiscoSecure user database. It also enables you to
apply different databases to different types of users, depending on the security
requirements associated with user authorizations on your network. For example,
a common configuration is to use a Windows user database for standard network
users and a token server for network administrators.

Note For information about the Unknown User Policy and group mapping features, see
Chapter 14, “Unknown User Policy,” and Chapter 15, “User Group Mapping and
Specification.”

This chapter contains the following topics:


• CiscoSecure User Database, page 13-2
• About External User Databases, page 13-3
• Windows User Database, page 13-6
• Generic LDAP, page 13-30
• Novell NDS Database, page 13-49
• LEAP Proxy RADIUS Server Database, page 13-55


• Token Server User Databases, page 13-58


• Deleting an External User Database Configuration, page 13-64

CiscoSecure User Database


The CiscoSecure user database is the database internal to Cisco Secure ACS. It
supports authentication using ASCII, PAP, CHAP, MS-CHAP, ARAP, LEAP,
EAP-MD5, EAP-TLS, PEAP(EAP-GTC), PEAP(EAP-MSCHAPv2), and
EAP-FAST (phase zero and phase two).
The CiscoSecure user database is crucial for the authorization process. Regardless
of whether a user is authenticated by the internal user database or by an external
user database, Cisco Secure ACS authorizes network services for users based
upon group membership and specific user settings found in the CiscoSecure user
database. Thus, all users authenticated by Cisco Secure ACS, even those
authenticated by an external user database, have an account in the CiscoSecure
user database.
The CiscoSecure user database uses an index and tree structure, so searches can
occur logarithmically rather than linearly, thus yielding very fast lookup times.
This enables the CiscoSecure user database to authenticate users quickly.
Unless you have configured Cisco Secure ACS to authenticate users with an
external user database, Cisco Secure ACS uses usernames and passwords in the
CiscoSecure user database during authentication. For more information about
specifying an external user database for authentication of a user, see Adding a
Basic User Account, page 7-3.

User Import and Creation


There are four ways to create user accounts in the CiscoSecure user database in
Cisco Secure ACS Appliance. Of these, only RDBMS Synchronization supports
importing user accounts from external sources.
• Cisco Secure ACS HTML interface—The HTML interface provides the
ability to create user accounts manually, one user at a time. Regardless of how
a user account was created, you can edit a user account by using the HTML
interface. For detailed steps, see Adding a Basic User Account, page 7-3.


• Unknown User Policy—The Unknown User Policy enables Cisco Secure
ACS to add users automatically when a user without an account in the
CiscoSecure user database is found in an external user database. The creation
of a user account in the CiscoSecure user database occurs only when the user
attempts to access the network and is successfully authenticated by an
external user database. For more information, see Chapter 14, “Unknown User
Policy.”
If you use Unknown User Policy, you can also configure group mappings so
that each time a user added to the CiscoSecure user database by Unknown User
Policy is authenticated, the user group assignment is made dynamically. For
some external user database types, user group assignment is based on group
membership in the external user database. For other database types, all users
authenticated by a given database are assigned to a single Cisco Secure ACS
user group. For more information about group mapping, see Chapter 15, “User
Group Mapping and Specification.”
• RDBMS Synchronization—RDBMS Synchronization enables you to create
large numbers of user accounts and to configure many settings for user
accounts. We recommend using this feature whenever you need to import
users by bulk; however, setting up RDBMS Synchronization for the first time
requires several important decisions and time to implement them. For more
information, see RDBMS Synchronization, page 9-24.
• Database Replication—Database Replication creates user accounts on a
secondary Cisco Secure ACS by overwriting all existing user accounts on a
secondary Cisco Secure ACS with the user accounts from the primary
Cisco Secure ACS. Any user accounts unique to a secondary Cisco Secure
ACS are lost in the replication. For more information, see CiscoSecure
Database Replication, page 9-1.

About External User Databases


You can configure Cisco Secure ACS to forward authentication of users to one
or more external user databases. Support for external user databases means that
Cisco Secure ACS does not require that you create duplicate user entries in the
CiscoSecure user database. In organizations in which a substantial user database
already exists, Cisco Secure ACS can leverage the work already invested in
building the database without any additional input. This eliminates the need for
separate databases.


In addition to authentication for network access, Cisco Secure ACS can perform
authentication for TACACS+ enable privileges using external user databases. For
more information about TACACS+ enable passwords, see Setting TACACS+
Enable Password Options for a User, page 7-34.

Note You can only use external user databases to authenticate users and to determine
which group Cisco Secure ACS assigns a user to. The CiscoSecure user database,
internal to Cisco Secure ACS, provides all authorization services. With few
exceptions, Cisco Secure ACS cannot retrieve authorization data from external
user databases. Exceptions are noted where applicable in the discussions of
specific databases in this chapter. For more information about group mapping for
unknown users, see Chapter 15, “User Group Mapping and Specification.”

Users can be authenticated using the following databases.


• Windows User Database
• Generic LDAP
• Novell NetWare Directory Services (NDS)
• LEAP Proxy RADIUS servers
• RSA SecurID token servers
• RADIUS-based token servers, including:
– ActivCard token servers
– CRYPTOCard token servers
– Vasco token servers
– PassGo token servers
– SafeWord token servers
– Generic RADIUS token servers
For Cisco Secure ACS to interact with an external user database, Cisco Secure
ACS requires an API for the third-party authentication source. The Cisco Secure
ACS communicates with the external user database using the API. For Windows,
you must have installed and configured Cisco Secure ACS Remote Agent for
Windows. The Windows remote agent interacts with the Windows operating
system to provide authentication.


For Generic LDAP and Novell NDS authentication, the interface for the external
authentication is provided by the Cisco Secure ACS Appliance.
For RADIUS-based token servers, such as ActivCard, CRYPTOCard, PassGo,
SafeWord, and Vasco, the standard RADIUS interface serves as the third-party
API.

Authenticating with External User Databases


Authenticating users with an external user database requires more than
configuring Cisco Secure ACS to communicate with an external user database.
Performing one of the configuration procedures for an external database that are
provided in this chapter does not on its own instruct Cisco Secure ACS to
authenticate any users with that database.
After you have configured Cisco Secure ACS to communicate with an external
user database, you can configure Cisco Secure ACS to authenticate users with the
external user database in one of two ways:
• By Specific User Assignment—You can configure Cisco Secure ACS to
authenticate specific users with an external user database. To do this, the user
must exist in the CiscoSecure user database and the Password Authentication
list in User Setup must be set to the external user database that Cisco Secure
ACS should use to authenticate the user.
While setting the Password Authentication for every user account is time
consuming, this method of determining which users are authenticated with an
external user database is secure because it requires explicit definition of who
should authenticate using the external user database. In addition, the users
may be placed in the desired Cisco Secure ACS group and thereby receive the
applicable access profile.
• By Unknown User Policy—You can configure Cisco Secure ACS to attempt
authentication of users not found in the CiscoSecure user database by using
an external user database. Users do not need to be defined in the CiscoSecure
user database for this method. For more information about the Unknown User
Policy, see Unknown User Processing, page 14-2.
You can also configure Cisco Secure ACS with both methods above; these two
methods are not mutually exclusive.


External User Database Authentication Process


When Cisco Secure ACS attempts user authentication with an external user
database, it forwards the user credentials to the external user database. The
external user database either passes or fails the authentication request from
Cisco Secure ACS. Upon receiving the response from the external user database,
Cisco Secure ACS instructs the requesting AAA client to grant or deny the user
access, depending upon the response from the external user database. Figure 13-1
shows an AAA configuration with an external user database.

Figure 13-1 A Simple AAA Scenario
[Figure: End-user client -> AAA client -> Cisco Secure Access Control Server -> External user database]

The specifics of the method used to communicate with the external user database
vary with the database type. For LDAP and Novell NDS, Cisco Secure ACS uses
TCP connections. For Windows user databases, Cisco Secure ACS uses the
authentication API provided in the Windows operating system. With the exception
of RSA token servers, Cisco Secure ACS communicates with token servers using
RADIUS. For RSA token servers, Cisco Secure ACS acts as an RSA client in order
to use the RSA proprietary interface.
For more information, see the section regarding the database type you are
interested in.

Windows User Database


You can configure Cisco Secure ACS to use a Windows user database to
authenticate users.


This section contains the following topics:


• What’s Supported with Windows User Databases, page 13-7
• Authentication Process with Windows User Databases, page 13-8
• Trust Relationships, page 13-9
• Windows Dial-up Networking Clients, page 13-9
– Windows Dial-up Networking Clients with a Domain Field, page 13-10
– Windows Dial-up Networking Clients without a Domain Field,
page 13-10
• Windows Authentication, page 13-10
• EAP and Windows Authentication, page 13-12
– EAP-TLS Domain Stripping, page 13-13
– Machine Authentication, page 13-13
– Microsoft Windows and Machine Authentication, page 13-16
– Machine Access Restrictions, page 13-18
– Enabling Machine Authentication, page 13-19
• User-Changeable Passwords with Windows User Databases, page 13-22
• Preparing Users for Authenticating with Windows, page 13-23
• Selecting Remote Agents for Windows Authentication, page 13-23
• Windows Authentication Configuration Options, page 13-25
• Configuring Windows Authentication, page 13-29

What’s Supported with Windows User Databases


Cisco Secure ACS supports the use of Windows external user databases for the
following features:
• User Authentication—Cisco Secure ACS supports ASCII, PAP, MS-CHAP
(versions 1 and 2), LEAP, PEAP(EAP-GTC), PEAP(EAP-MSCHAPv2), and
EAP-FAST (phase zero and phase two) authentication with Windows
Security Accounts Manager (SAM) database or a Windows Active Directory

database. Cisco Secure ACS also supports EAP-TLS authentication with a
Windows Active Directory database. Other authentication protocols are not
supported with Windows external user databases.

Note Authentication protocols not supported with Windows external user
databases may be supported by a different external user database. For
more information about authentication protocols and the external
database types that support them, see Authentication
Protocol-Database Compatibility, page 1-9.

• Machine Authentication—Cisco Secure ACS supports machine
authentication with EAP-TLS and PEAP(EAP-MSCHAPv2). For more
information, see EAP and Windows Authentication, page 13-12.
• Group Mapping for Unknown Users—Cisco Secure ACS supports group
mapping for unknown users by requesting group membership information
from Windows user databases. For more information about group mapping
for users authenticated with a Windows user database, see Group Mapping by
Group Set Membership, page 15-4.
• Password-Aging—Cisco Secure ACS supports password aging for users
authenticated by a Windows user database. For more information, see
User-Changeable Passwords with Windows User Databases, page 13-22.
• Dial-in Permissions—Cisco Secure ACS supports use of dial-in permissions
from Windows user databases. For more information, see Preparing Users for
Authenticating with Windows, page 13-23.
• Callback Settings—Cisco Secure ACS supports use of callback settings
from Windows user databases. For information about configuring
Cisco Secure ACS to use Windows callback settings, see Setting User
Callback Option, page 7-8.

Authentication Process with Windows User Databases


Cisco Secure ACS forwards user credentials to a Windows user database by
passing the user credentials to a remote agent. In turn, the remote agent passes the
user credentials to the Windows operating system of the computer running the
remote agent. The Windows user database either passes or fails the authentication
request from Cisco Secure ACS. Upon receiving the response from the Windows


user database, the remote agent forwards the response to Cisco Secure ACS,
which instructs the requesting AAA client to grant or deny the user access,
depending upon the response from the Windows user database.
Cisco Secure ACS grants authorization based on the Cisco Secure ACS group to
which the user is assigned. While the group to which a user is assigned can be
determined by information from the Windows user database, it is Cisco Secure
ACS that grants authorization privileges.
To further control access by a user from within the Windows User Manager or
Active Directory Users and Computers, you can configure Cisco Secure ACS to
also check the setting for granting dialin permission to user. If this feature is
disabled for the user, access is denied, even if the username and password are
typed correctly.

Trust Relationships
Cisco Secure ACS can take advantage of trust relationships that have been
established between Windows domains. If the domain containing the computer
running the Windows remote agent trusts another domain, Cisco Secure ACS can
authenticate users whose accounts reside in the other domain. Cisco Secure ACS
can also reference the “Grant dialin permission to user” setting across trusted
domains.
If your domains are Windows 2000 domains, Cisco Secure ACS can take
advantage of indirect trusts for Windows authentication. Consider the example of
Windows 2000 domains A, B, and C, where the remote agent runs on a Windows
2000 server in domain A. Domain A trusts domain B, but no trust relationship is
established between domain A and domain C. If domain B trusts domain C, the
remote agent in domain A can authenticate users whose accounts reside in domain
C, making use of the indirect trust of domain C.
For more information on trust relationships, refer to your Microsoft Windows
documentation.

Windows Dial-up Networking Clients


The dial-up networking clients for Windows NT/2000/XP Professional and
Windows 95/98/Millennium Edition (ME)/XP Home enable users to connect to
your network remotely, but the fields provided differ.


Windows Dial-up Networking Clients with a Domain Field


If users dial in to your network using the dial-up networking client provided with
Windows NT, Windows 2000, or Windows XP Professional, three fields appear:
• username—Type your username.
• password—Type your password.
• domain—Type your valid domain name.

Note For more information about the implications of completing or leaving
the domain box blank, see Windows Authentication, page 13-10.

Windows Dial-up Networking Clients without a Domain Field


If users access your network using the dial-up networking client provided with
Windows 95, Windows 98, Windows ME, or Windows XP Home, two fields
appear:
• username—Type your username.

Note You can also prefix your username with the name of the domain you
want to log in to. For more information about the implications of
prefixing or not prefixing the domain name before the username, see
Windows Authentication, page 13-10.

• password—Type your password.

Windows Authentication
While different versions of Windows provide different methods of specifying a
domain name, the effect of providing or not providing the domain name while
logging in is the same. The most reliable method of authenticating users against
a specific domain is to require users to submit the domains they should be
authenticated against along with their usernames.


With the dial-up networking client provided with Windows NT, Windows 2000,
and Windows XP Professional, submitting a domain name is accomplished by
typing the domain name in the domain field (or selecting it from the drop-down
list). With the dial-up networking client provided with Windows 95, Windows 98,
Windows ME, and Windows XP Home, this is accomplished by submitting the
username in the fully qualified format. Users submitting a fully qualified
username must enter the domain name before their username in the following
format:
DOMAIN_NAME\username

For example, user Mary Smith (msmith) in Domain10 would enter the following:
Domain10\msmith

Another reason to provide the username in the format shown above is if a user is
included in more than one domain. In this case, the privileges assigned upon
authentication will be those associated with the account in the first domain with a
matching username and password. This also illustrates the importance of
removing usernames from a domain when the privileges associated with the user
are no longer required.

Tip Entering the domain name can speed up authentication, because authentication is
directed to a specific domain rather than depending upon Windows to search
through the local domain and all trusted domains until it finds the username.

Note Except in EAP-TLS authentication against Active Directory, Cisco Secure ACS
does not support the user@domain (UPN) format of qualified usernames when
authenticating users with Windows user databases of any type, including local and
domain SAM databases and Active Directory databases. With Active Directory,
EAP-TLS authentication with user certificates using UPN format is supported.

If you do not specify a domain name when typing the username, Cisco Secure
ACS submits the username to Windows by way of the Windows remote agent.
If Windows does not find the username in its local domain database, it then checks
all trusted domains. If the Windows remote agent runs on a member server and the
username is not found in trusted domains, Windows also checks its local accounts
database. Windows attempts to authenticate a user with the first occurrence of the
username that it finds.


Note If the credentials submitted by the user do not match the credentials associated
with the first matching username that Windows finds, authentication fails. Thus,
if different users in different domains share the same exact username, logging in
with a non-domain-qualified username can result in inadvertent authentication
failure.

Use of the Domain List is not required to support Windows authentication, but it
can alleviate authentication failures caused by non-domain-qualified usernames.
If you have configured the Domain List in the Windows User Database
Configuration page of the External User Databases section, Cisco Secure ACS
submits the username and password to each domain in the list in a fully qualified
format until it successfully authenticates the user. If Cisco Secure ACS has tried
each domain listed in the Domain List or if no trusted domains have been
configured in the Domain List, Cisco Secure ACS stops attempting to
authenticate the user and does not grant that user access.

Note If your Domain List contains domains and your Windows SAM or Active
Directory user databases are configured to lock out users after a number of failed
attempts, users can be inadvertently locked out because Cisco Secure ACS tries
each domain in the Domain List explicitly, resulting in failed attempts for
identical usernames that reside in different domains.

EAP and Windows Authentication


This section provides information about Windows-specific EAP features that you
can configure on the Windows User Database Configuration page.
This section contains the following topics:
• EAP-TLS Domain Stripping, page 13-13
• Machine Authentication, page 13-13
• Microsoft Windows and Machine Authentication, page 13-16

• Machine Access Restrictions, page 13-18
• Enabling Machine Authentication, page 13-19

EAP-TLS Domain Stripping


If you use Windows Active Directory to authenticate users with EAP-TLS,
Cisco Secure ACS enables you to strip the domain name from the username stored
in the Subject Alternative Name field of the user certificate. Performing domain
name stripping can speed EAP-TLS authentication when the domain that must
authenticate a user is not the domain represented in the SAN field.
For example, a user’s SAN field may contain “jsmith@corporation.com” but
jsmith may need to authenticate using the domain controller for a subdomain
named “engineering”. Stripping “@corporation.com” from the username
eliminates the needless attempt at authenticating jsmith against the
corporation.com domain controller. Without stripping the domain name, only
after jsmith cannot be found in corporation.com will Cisco Secure ACS use the
Domain List and find the user in the engineering domain. The additional delay
could be several seconds. For more information about the Domain List, see
Windows Authentication, page 13-10.
You can enable EAP-TLS domain name stripping on the Windows User Database
Configuration page.
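
The resolution order described in Windows Authentication (fully qualified names, the Windows search, then the Domain List) and the EAP-TLS domain stripping described above, as an added Python model that is not part of this guide or of Cisco Secure ACS. The domain dictionary, the account passwords and the `windows_lookup` stand-in for the remote agent are constructed assumptions; the per-domain failed-attempt count shows why the guide's lockout caution about the Domain List applies.

```python
"""Model of Cisco Secure ACS username resolution against Windows domains.

Added example, not code from the Cisco Secure ACS guide or from Cisco.
Assumptions: Windows is modelled as a dict of domain -> {username: password};
windows_lookup() stands in for the Windows remote agent checking one domain.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts. 'jsmith' exists in two domains with different
# passwords: the collision case the guide's notes warn about.
WINDOWS_DOMAINS: Dict[str, Dict[str, str]] = {
    "CORPORATION": {"jsmith": "Corp-pw-1"},
    "ENGINEERING": {"jsmith": "Eng-pw-2", "msmith": "Mary-pw-3"},
    "SALES": {},
}


@dataclass
class AuthResult:
    success: bool
    domain: Optional[str] = None
    # Explicit failed attempts per domain; each one counts toward a Windows
    # lockout threshold, which is why the guide cautions about the Domain List.
    failed_attempts: Dict[str, int] = field(default_factory=dict)


def strip_eap_tls_domain(san_name: str, enabled: bool) -> str:
    """'EAP-TLS Strip Domain Name': drop '@corporation.com' from a SAN name."""
    if enabled and "@" in san_name:
        return san_name.split("@", 1)[0]
    return san_name


def windows_lookup(domain: str, username: str, password: str) -> bool:
    """Stand-in for the remote agent checking one domain's account database."""
    return WINDOWS_DOMAINS.get(domain, {}).get(username) == password


def windows_search(username: str, password: str, local_domain: str,
                   trusted_domains: List[str]) -> Tuple[Optional[str], bool]:
    """What Windows does with a non-qualified name: local domain first, then
    trusted domains, using the FIRST occurrence of the username it finds."""
    for dom in [local_domain] + trusted_domains:
        if username in WINDOWS_DOMAINS.get(dom, {}):
            return dom, windows_lookup(dom, username, password)
    return None, False


def acs_authenticate(username: str, password: str, local_domain: str,
                     trusted_domains: List[str], domain_list: List[str]) -> AuthResult:
    """Cisco Secure ACS flow for a Windows password authentication."""
    result = AuthResult(success=False)
    if "\\" in username:
        # DOMAIN_NAME\username: directed at one domain, no search at all.
        dom, user = username.split("\\", 1)
        if windows_lookup(dom, user, password):
            return AuthResult(True, dom)
        result.failed_attempts[dom] = 1
        return result
    if "@" in username:
        # user@domain (UPN) is not supported for Windows password databases.
        return result
    dom, ok = windows_search(username, password, local_domain, trusted_domains)
    if ok:
        return AuthResult(True, dom)
    if dom is not None:
        # Windows found the username but the password did not match.
        result.failed_attempts[dom] = 1
    # Domain List: retry as DOMAIN\username for each listed domain until one succeeds.
    for dom in domain_list:
        if windows_lookup(dom, username, password):
            result.success, result.domain = True, dom
            return result
        result.failed_attempts[dom] = result.failed_attempts.get(dom, 0) + 1
    return result


if __name__ == "__main__":
    # jsmith's password belongs to ENGINEERING, but Windows finds the
    # CORPORATION account first; only the Domain List rescues the login,
    # at the price of one failed attempt charged to the CORPORATION account.
    print(acs_authenticate("jsmith", "Eng-pw-2", "CORPORATION", ["SALES"], ["ENGINEERING"]))
    print(acs_authenticate("jsmith", "Eng-pw-2", "CORPORATION", ["SALES"], []))
    print(strip_eap_tls_domain("jsmith@corporation.com", enabled=True))
```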

Machine Authentication
Cisco Secure ACS supports the authentication of computers running Microsoft
Windows operating systems that support EAP computer authentication, such as
Windows XP with Service Pack 1. Machine authentication, also called computer
authentication, allows networks services only for computers known to Active
Directory. This is especially useful for wireless networks, where unauthorized
users outside the physical premises of your workplace can access your wireless
access points.

When machine authentication is enabled, there are three different types of
authentication. Upon starting up a computer, the authentications occur in the
following order:
1. Machine authentication—The computer is authenticated by Cisco Secure
ACS prior to user authentication. Cisco Secure ACS checks the credentials
provided by the computer against the Windows user database. If you use
Active Directory and the matching computer account in Active Directory has
the same credentials, the computer gains access to Windows domain services.
2. User domain authentication—If machine authentication succeeded, the
user is authenticated by the Windows domain. If machine authentication
failed, the computer does not have access to Windows domain services and
the user credentials are authenticated using cached credentials kept by the
local operating system. When a user is authenticated by cached credentials
instead of the domain, the computer does not enforce domain policies, such
as running login scripts dictated by the domain.

Tip If a computer fails machine authentication and the user hasn’t
successfully logged in to the domain using the computer since the most
recent user password change, the cached credentials on the computer will
not match the new password. Instead, the cached credentials will match
an older password of the user, provided that the user once logged in to the
domain successfully from this computer.

3. User network authentication—The user is authenticated by Cisco Secure
ACS, allowing the user to have network connectivity. If the user profile exists,
the user database specified is used to authenticate the user. While the user
database is not required to be the Windows user database, most Microsoft
clients can be configured to automatically perform network authentication
using the same credentials used for user domain authentication. This allows
for a single sign-on.

Note Microsoft PEAP clients also initiate machine authentication whenever a user logs
off. This prepares the network connection for the next user login. Microsoft PEAP
clients may also initiate machine authentication when a user has selected to
shutdown or restart the computer rather than just logging off.

Cisco Secure ACS supports both EAP-TLS and PEAP(EAP-MSCHAPv2) for
machine authentication. You can enable each separately on the Windows User
Database Configuration page, which allows a mix of computers authenticating
with EAP-TLS or with PEAP(EAP-MSCHAPv2). Microsoft operating systems
that perform machine authentication may limit the user authentication protocol to
the same protocol used for machine authentication. For more information about
Microsoft operating systems and machine authentication, see Microsoft Windows
and Machine Authentication, page 13-16.
The Unknown User Policy supports machine authentication. Computers
previously unknown to Cisco Secure ACS are handled similarly to users. If the
Unknown User Policy is enabled and an Active Directory external user database
is included on the Selected Databases list on the Configure Unknown User Policy
page, machine authentication succeeds, provided that the machine credentials
presented to Active Directory are valid.
On a computer configured to perform machine authentication, machine
authentication occurs when the computer is started. Provided that the AAA client
sends RADIUS accounting data to Cisco Secure ACS, when a computer is started
and before a user logs in on that computer, the computer appears on the Logged-In
Users List in the Reports and Activity section. Once user authentication begins,
the computer no longer appears on the Logged-In Users List.
PEAP-based machine authentication uses PEAP(EAP-MSCHAPv2) and the
password for the computer established automatically when it was added to the
Microsoft Windows domain. The computer sends its name as the username and
the format is:
host/computer.domain

where computer is the name of the computer and domain is the domain the
computer belongs to. The domain segment may include subdomains, too, if they
are used, so that the format may be:
host/computer.subdomain.domain

The usernames of computers authenticated must appear in the CiscoSecure user
database. If you enable unknown user processing, Cisco Secure ACS adds them
automatically once they authenticate successfully. During authentication, the
domain name is not used.
EAP-TLS-based machine authentication uses EAP-TLS to authenticate the
computer using a client certificate. The certificate used by the computer can be
one installed automatically when the computer was added to the domain or one
that was added to the local machine storage later. As with PEAP-based machine
authentication, the computer name must appear in the CiscoSecure user database
in the format contained in the computer client certificate and the user profile
corresponding to the computer name must be configured to authenticate using the
Windows external user database. If you enable unknown user processing,
Cisco Secure ACS adds the computer names to the CiscoSecure user database
automatically once they authenticate successfully. It also automatically
configures the user profiles created to use the external user database that the user
was found in. For machine authentication, this will always be the Windows
external user database.

Microsoft Windows and Machine Authentication


Cisco Secure ACS supports machine authentication with Active Directory in
Windows 2000. To enable machine authentication support in Windows 2000
Active Directory you must:
• Apply Service Pack 4 to the computer running Active Directory.
• Complete the steps in Microsoft Knowledge Base Article 306260: Cannot
Modify Dial-In Permissions for Computers That Use Wireless Networking.
Client operating systems supporting machine authentication are:
• Microsoft Windows XP with Service Pack 1 applied.
• Microsoft Windows 2000 with the following:
– Service Pack 4 applied.
– Patch Q313664 applied (available from Microsoft.com).
The following list describes the essential details of enabling machine
authentication on a client computer with a Cisco Aironet 350 wireless adapter. For
more information about enabling machine authentication in Microsoft Windows
operating systems, please refer to Microsoft documentation.
1. Make sure the wireless network adapter is installed correctly. For more
information, see the documentation provided with the wireless network
adapter.
2. Make sure the certification authority (CA) certificate of the CA that issued
the Cisco Secure ACS server certificate is stored in machine storage on client
computers. User storage is not available during machine authentication;
therefore, if the CA certificate is in user storage, machine authentication fails.

3. Select the wireless network:
– In Windows XP, you can select the network on the Wireless Networks tab
of the wireless network connection properties.
– In Windows 2000, you can enter the SSID of the wireless network
manually. This is done on the Advanced tab of the properties dialog box
for the wireless network adapter.
4. To enable PEAP machine authentication, configure the Authentication tab. In
Windows XP, the Authentication tab is available from the properties of the
wireless network. In Windows 2000, it is available from the properties of the
wireless network connection.
a. Select the Enable network access control using IEEE 802.1X check
box.
b. Select the Authenticate as computer when computer information is
available check box.
c. From the EAP type list, select Protected EAP (PEAP).
d. On the Protected EAP Properties dialog box, you can enforce that
Cisco Secure ACS has a valid server certificate by selecting the Validate
server certificate check box. If you do select this check box, you must
also select the applicable Trusted Root Certification Authorities.
e. Also on the Protected EAP Properties dialog box, from the Select
Authentication Method list, select Secured password (EAP-MSCHAP
v2).
5. To enable EAP-TLS machine authentication, configure the Authentication
tab. In Windows XP, the Authentication tab is available from the properties of
the wireless network. In Windows 2000, it is available from the properties of
the wireless network connection.
a. Select the Enable network access control using IEEE 802.1X check
box.
b. Select the Authenticate as computer when computer information is
available check box.
c. From the EAP type list, select Smart Card or other Certificate.
d. On the Smart Card or other Certificate Properties dialog box, select the
Use a certificate on this computer option.
e. Also on the Smart Card or other Certificate Properties dialog box, you
can enforce that Cisco Secure ACS has a valid server certificate by
selecting the Validate server certificate check box. If you do select this
check box, you must also select the applicable Trusted Root Certification
Authorities.
If you have a Microsoft certification authority server configured on the domain
controller, you can configure a policy in Active Directory to produce a client
certificate automatically when a computer is added to the domain. For more
information, see Microsoft Knowledge Base Article 313407, HOW TO: Create
Automatic Certificate Requests with Group Policy in Windows.

Machine Access Restrictions


You can use the machine access restrictions (MAR) feature as an additional means
of controlling authorization for Windows-authenticated EAP-TLS and Microsoft
PEAP users, based upon machine authentication of the computer used to access
the network.

Note The MAR feature is available beginning in Cisco Secure ACS version 3.2.3.
Earlier versions of Cisco Secure ACS do not include this feature.

When you enable the MAR feature, Cisco Secure ACS does the following:
• For every successful machine authentication, Cisco Secure ACS caches the
value received in IETF RADIUS Calling-Station-Id attribute (31) as evidence
of the successful machine authentication. Cisco Secure ACS stores each
Calling-Station-Id attribute value for the number of hours specified on the
Windows User Database Configuration page before deleting it from the
cache.
• When a user authenticates with an EAP-TLS or Microsoft PEAP end-user
client, Cisco Secure ACS searches the cache of Calling-Station-Id values
from successful machine authentications for the Calling-Station-Id value
received in the user authentication request. Whether Cisco Secure ACS finds
the user-authentication Calling-Station-Id value in the cache affects how
Cisco Secure ACS assigns the user requesting authentication to a user group.
– Calling-Station-Id value found in the cache—Cisco Secure ACS
assigns the user to a user group by normal methods, which include
manual specification of a group in the user profile, group mapping, or
RADIUS-based group specification. For example, if a user logs in with a
computer that was successfully authenticated and the user profile
indicates that the user is a member of group 137, Cisco Secure ACS
applies to the user session the authorization settings specified in
group 137.
– Calling-Station-Id value not found in the cache—Cisco Secure ACS
assigns the user to the user group specified by “Group map for successful
user authentication without machine authentication” list. This can
include the <No Access> group.

Note User profile settings always override group profile settings. If a
user profile grants an authorization that is denied by the group
specified in the “Group map for successful user authentication
without machine authentication” list, Cisco Secure ACS grants
the authorization.

The MAR feature supports full EAP-TLS and Microsoft PEAP authentication, as
well as resumed sessions for EAP-TLS and Microsoft PEAP and fast
reconnections for Microsoft PEAP.
The MAR feature has the following limitations and requirements:
• Machine authentication must be enabled.
• Users must authenticate with EAP-TLS or a Microsoft PEAP client. MAR
does not apply to users authenticated by other protocols, such as EAP-FAST,
LEAP, or MS-CHAP.
• The AAA client must send a value in the IETF RADIUS Calling-Station-Id
attribute (31).
• Cisco Secure ACS does not replicate the cache of Calling-Station-Id attribute
values from successful machine authentications.
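
The MAR cache behaviour described above, together with the Aging time (hours) and Group map options on the Windows User Database Configuration page, as an added Python model that is not code from this guide or from Cisco Secure ACS. It assumes time is supplied as seconds rather than read from a clock, and the event list is constructed sample data, not captured RADIUS traffic.

```python
"""Model of the Cisco Secure ACS machine access restrictions (MAR) cache.

Added example, not code from the Cisco Secure ACS guide or from Cisco.
Assumptions: time is passed in as seconds (a float) instead of read from a
clock, and each authentication is described by its protocol name, the IETF
RADIUS Calling-Station-Id (attribute 31) value, and the group the user profile
would normally resolve to.
"""
from typing import Dict, List, Optional

NO_ACCESS = "<No Access>"            # default "Group map ..." setting in the guide
MAR_PROTOCOLS = ("EAP-TLS", "PEAP")  # MAR applies only to EAP-TLS and Microsoft PEAP


class MachineAccessRestrictions:
    """Cache of Calling-Station-Id values from successful machine authentications."""

    def __init__(self, aging_hours: int, fallback_group: str = NO_ACCESS):
        # "Aging time (hours)": 0 means nothing is cached, so MAR effectively
        # sends every EAP-TLS/PEAP user to the fallback group.
        self.aging_hours = aging_hours
        # "Group map for successful user authentication without machine authentication"
        self.fallback_group = fallback_group
        self._cache: Dict[str, float] = {}  # Calling-Station-Id -> time cached

    def record_machine_auth(self, calling_station_id: Optional[str], now: float) -> bool:
        """Called after a successful machine authentication; returns True if cached."""
        if self.aging_hours <= 0 or not calling_station_id:
            return False  # no evidence is kept without an aging time or an attribute 31
        self._cache[calling_station_id] = now
        return True

    def _expire(self, now: float) -> None:
        ttl = self.aging_hours * 3600.0
        self._cache = {k: t for k, t in self._cache.items() if now - t < ttl}

    def is_machine_authenticated(self, calling_station_id: Optional[str], now: float) -> bool:
        self._expire(now)
        return bool(calling_station_id) and calling_station_id in self._cache

    def group_for_user(self, protocol: str, calling_station_id: Optional[str],
                       profile_group: str, now: float) -> str:
        """Group applied to a successful user authentication."""
        if protocol not in MAR_PROTOCOLS:
            return profile_group  # e.g. LEAP, EAP-FAST, MS-CHAP: MAR does not apply
        if self.is_machine_authenticated(calling_station_id, now):
            return profile_group  # normal assignment (profile, group mapping, RADIUS)
        return self.fallback_group

    def clear_cache(self) -> None:
        """Equivalent of typing 0 in Aging time (hours) and clicking Submit."""
        self.aging_hours = 0
        self._cache.clear()


# Constructed sequence of events (not real RADIUS traffic); "t" is seconds.
SAMPLE_EVENTS: List[dict] = [
    {"t": 0.0, "kind": "machine", "csid": "00-11-22-33-44-55"},
    {"t": 60.0, "kind": "user", "proto": "PEAP", "csid": "00-11-22-33-44-55", "group": "Group 137"},
    {"t": 120.0, "kind": "user", "proto": "PEAP", "csid": "66-77-88-99-AA-BB", "group": "Group 137"},
    {"t": 180.0, "kind": "user", "proto": "LEAP", "csid": "66-77-88-99-AA-BB", "group": "Group 137"},
    {"t": 9 * 3600.0, "kind": "user", "proto": "EAP-TLS", "csid": "00-11-22-33-44-55", "group": "Group 137"},
]


def replay(events: List[dict], mar: MachineAccessRestrictions) -> List[str]:
    """Feed events in order; return the group decided for each user authentication."""
    decisions = []
    for ev in events:
        if ev["kind"] == "machine":
            mar.record_machine_auth(ev["csid"], ev["t"])
        else:
            decisions.append(mar.group_for_user(ev["proto"], ev["csid"], ev["group"], ev["t"]))
    return decisions


if __name__ == "__main__":
    # With an 8-hour aging time: the machine-authenticated laptop keeps its
    # profile group, an unknown station and the same laptop 9 hours later get
    # <No Access>, and the LEAP user is untouched because MAR does not apply.
    print(replay(SAMPLE_EVENTS, MachineAccessRestrictions(aging_hours=8)))
    # With aging time 0 nothing is ever cached, so every PEAP/EAP-TLS user falls back.
    print(replay(SAMPLE_EVENTS, MachineAccessRestrictions(aging_hours=0)))
```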

Enabling Machine Authentication


This procedure provides an overview of the detailed procedures required to
configure Cisco Secure ACS to support machine authentication.

Note End-user client computers and the applicable Active Directory must be configured
to support machine authentication. This procedure is specific to configuration of
Cisco Secure ACS only. For information about configuring Microsoft Windows
operating systems to support machine authentication, see Microsoft Windows and
Machine Authentication, page 13-16.

Before You Begin


Windows authentication requires that you install at least one Cisco Secure ACS
Remote Agent for Windows and complete the steps in Adding a Remote Agent,
page 4-32. For information about installing Cisco Secure ACS Remote Agent for
Windows, see Installation and Configuration Guide for Cisco Secure ACS Remote
Agents.
To enable Cisco Secure ACS to perform machine authentication, follow these
steps:

Step 1 Install a server certificate in Cisco Secure ACS. PEAP(EAP-MSCHAPv2) and
EAP-TLS require a server certificate. Cisco Secure ACS uses a single certificate
to support both protocols. For detailed steps, see Installing a Cisco Secure ACS
Certificate, page 10-33.

Note If you have installed a certificate to support EAP-TLS or PEAP user
authentication or to support HTTPS protection of remote Cisco Secure
ACS administration, you do not need to perform this step. A single server
certificate will support all certificate-based Cisco Secure ACS services
and remote administration.

Step 2 For EAP-TLS machine authentication, if certificates on end-user clients are
issued by a different certification authority (CA) than the CA that issued the
server certificate on Cisco Secure ACS, you must edit the certificate trust list so
that CAs issuing end-user client certificates are trusted. If you do not perform this
step and the CA of the server certificate is not the same as the CA of an end-user
client certificate, EAP-TLS will operate normally but reject the EAP-TLS
machine authentication because it does not trust the client certificate's CA. For
detailed steps, see Editing the Certificate Trust List, page 10-38.

Step 3 Enable the applicable protocols on the Global Authentication Setup page:
• To support machine authentication with PEAP, enable the
PEAP(EAP-MSCHAPv2) protocol.
• To support machine authentication with EAP-TLS, enable the EAP-TLS
protocol.
Cisco Secure ACS allows you to complete this step only after you have
successfully completed Step 1. For detailed steps, see Configuring Authentication
Options, page 10-32.
Step 4 Configure a Windows external user database and enable the applicable types of
machine authentication on the Windows User Database Configuration page:
• To support machine authentication with PEAP, select the Permit PEAP
machine authentication check box.
• To support machine authentication with EAP-TLS, select the Permit
EAP-TLS machine authentication check box.
• To require machine authentication in addition to user authentication, select
the Enable machine access restrictions check box.

Note If you already have a Windows external user database configured, modify
its configuration to enable the applicable machine authentication types.

For detailed steps, see Configuring Windows Authentication, page 13-29.

Note Windows authentication requires a Cisco Secure ACS Remote Agent for
Windows.

Cisco Secure ACS is ready to perform machine authentication for computers
whose names exist in the CiscoSecure user database.
Step 5 If you have not already enabled the Unknown User Policy and added the Windows
external user database to the Selected Databases list, consider doing so to allow
computers that are not known to Cisco Secure ACS to authenticate. For detailed
steps, see Configuring the Unknown User Policy, page 14-10.
We strongly recommend that you use the Unknown User Policy. Most other means
of adding all computer names in precisely the format required would be labor
intensive and prone to human error.

Note Enabling the Unknown User Policy to support machine authentication
also enables the Unknown User Policy for user authentication.
Cisco Secure ACS makes no distinction in unknown user support between
computers and users.

Cisco Secure ACS is ready to perform machine authentication for computers,
regardless of whether the computer names exist in the CiscoSecure user database.

User-Changeable Passwords with Windows User Databases


For network users who are authenticated by a Windows user database,
Cisco Secure ACS supports user-changeable passwords upon password
expiration. You can enable this feature in the MS-CHAP Settings and Windows
EAP Settings tables on the Windows User Database Configuration page in the
External User Databases section. Using this feature in your network requires the
following:
• Users must be present in the Windows Active Directory or SAM user
database.
• User accounts in Cisco Secure ACS must specify the Windows user database
for authentication.
• End-user clients must be compatible with MS-CHAP, PEAP(EAP-GTC),
PEAP(EAP-MSCHAPv2), or EAP-FAST.
• The AAA client that the end-user clients connect to must support the
applicable protocols:
– For MS-CHAP password aging, the AAA client must support
RADIUS-based MS-CHAP authentication.
– For PEAP(EAP-MSCHAPv2), PEAP(EAP-GTC), and EAP-FAST
password aging, the AAA client must support EAP.
When the conditions above are met and this feature is enabled, users receive a
dialog box prompting them to change their passwords upon their first successful
authentication after their passwords have expired. The dialog box is the same as
presented to users by Windows when a user with an expired password accesses a
network via a remote access server.

For more information about password aging support in Cisco Secure ACS, see
Enabling Password Aging for Users in Windows Databases, page 6-25.

Preparing Users for Authenticating with Windows


Before using the Windows user database for authentication, follow these steps:

Step 1 Make sure the username exists in the Windows user database.
Step 2 In Windows, for each user account, clear the following User Properties check
boxes:
• User must change password at next logon
• Account disabled
Step 3 If you want to control dial-in access from within Windows NT, click Dial-in and
select Grant dialin permission to user. In Windows 2000, access the User
Properties dialog box, select the Dial-In tab, and in the Remote Access area, click
Allow access. You must also configure the option to reference this feature under
Database Group Mappings in the External User Databases section of Cisco Secure
ACS.

Selecting Remote Agents for Windows Authentication


Before you can configure Cisco Secure ACS to authenticate users with a Windows
external user database, you must select a primary remote agent that is to deliver
authentication requests to the Windows operating system. You may also select a
secondary remote agent that Cisco Secure ACS is to use if the primary remote
agent is unavailable.
Before You Begin
To complete this procedure, you must have already installed at least one
Cisco Secure ACS Remote Agent for Windows and completed the steps in Adding
a Remote Agent, page 4-32.

To select remote agents for Windows authentication, follow these steps:

Step 1 In the navigation bar, click External User Databases.
Step 2 Click Database Configuration.
Cisco Secure ACS displays a list of all possible external user database types.
Step 3 Click Windows Database.
The External User Database Configuration page appears.
Step 4 Click Configure.
The Windows User Database Configuration page appears.
Step 5 Click Windows Remote Agent Selection.
The Windows Remote Agent Selection appears.
Step 6 From the Primary list, select the remote agent that Cisco Secure ACS should
always use to authenticate users, provided that the remote agent is available.
Step 7 From the Secondary list, select the remote agent that Cisco Secure ACS should
use to authenticate users when the remote agent selected in the Primary list is
unavailable.

Note If you do not want to use a secondary remote agent, from the Secondary
list, select None.

Step 8 Click Submit.
Cisco Secure ACS saves the remote agent selections you made. The Windows
User Database Configuration page appears.

Windows Authentication Configuration Options


The Windows Authentication Configuration page contains the following
configuration options:
• Dialin Permission—You can restrict network access to users whose
Windows accounts have Windows dialin permission. The Grant dialin
permission to user check box controls this feature.

Note This feature applies to all users authenticated by Cisco Secure ACS
with a Windows external user database; despite the name of the
feature, it is not limited to users who access the network with a dialup
client but is applied regardless of client type. For example, if you have
configured a PIX Firewall to authenticate Telnet sessions using
Cisco Secure ACS as a RADIUS server, a user authenticated by a
Windows external user database would be denied Telnet access to the
PIX Firewall if the Dialin Permission feature is enabled and the
Windows user account does not have dialin permission.

Tip Windows dialin permission is enabled in the Dialin section of user
properties in Windows NT and on the Dial-In tab of the user properties in
Windows 2000.

• Configure Domain List—The Domain List controls what Cisco Secure ACS
does when user authentication is requested for a username that is not
domain-qualified. If no domains are in the Domain List and the initial user
authentication request is rejected by Windows, Cisco Secure ACS stops
attempting to authenticate the user. If domains are in the Domain List,
Cisco Secure ACS qualifies the username with a domain from the list and
submits the domain-qualified username to Windows, once for each domain in
the Domain List, until each domain has rejected the user or until one of the
domains authenticates the user.

Note Configuring the Domain List is optional. For more information
about the Domain List, see Windows Authentication, page 13-10.

Caution If your Domain List contains domains and your Windows SAM or Active
Directory user databases are configured to lock out users after a number of failed
attempts, users can be inadvertently locked out because Cisco Secure ACS tries
each domain in the Domain List explicitly, resulting in failed attempts for
identical usernames that reside in different domains.

– Available Domains—This list represents the domains that Cisco Secure
ACS does not send domain-qualified authentication requests to.
– Domain List—This list represents the domains that Cisco Secure
ACS does send domain-qualified authentication requests to.
• MS CHAP Settings—You can control whether Cisco Secure ACS supports
MS-CHAP-based password changes for Windows user accounts. The Permit
password changes using MS-CHAP version N check boxes enable you to
specify the versions of MS-CHAP for which Cisco Secure ACS supports
password changes.

Note The check boxes under MS CHAP Settings do not affect password
aging for Microsoft PEAP, EAP-FAST, or machine authentication.

For more information about Windows password changes, see Enabling
Password Aging for Users in Windows Databases, page 6-25.
• Enable password change inside PEAP or EAP-FAST—The Permit
password change inside PEAP or EAP-FAST check box controls whether
Cisco Secure ACS supports PEAP-based or EAP-FAST-based password
changes for Windows user accounts. PEAP password changes are supported
only when the end-user client uses PEAP(EAP-MSCHAPv2) for user
authentication. For EAP-FAST, Cisco Secure ACS supports password
changes in phase zero and phase two.
• EAP-TLS Strip Domain Name—The EAP-TLS Strip Domain Name check
box controls whether Cisco Secure ACS removes the domain name from a
username derived from the Subject Alternative Name (SAN) field in an
end-user certificate.
Performing domain name stripping can speed EAP-TLS authentication when
the domain that must authenticate a user is not the domain represented in the
SAN field. For example, a user’s SAN field may contain
“jsmith@corporation.com” but jsmith may need to authenticate using the
domain controller for a subdomain named “engineering”. Stripping
“@corporation.com” from the username eliminates the needless attempt at
authenticating jsmith against the corporation.com domain controller. Without
stripping the domain name, only after jsmith cannot be found in
corporation.com will Cisco Secure ACS use the Domain List and find the user
in the engineering domain. The additional delay could be several seconds.
• Enable PEAP machine authentication—This check box controls whether
Cisco Secure ACS performs machine authentication using machine name and
password with PEAP(EAP-MSCHAPv2). For more information about
machine authentication, see Machine Authentication, page 13-13.
• Enable EAP-TLS machine authentication—This check box controls
whether Cisco Secure ACS performs machine authentication using machine
name and password with EAP-TLS. For more information about machine
authentication, see Machine Authentication, page 13-13.
• EAP-TLS and PEAP machine authentication name prefix—This box
defines the string of characters that Cisco Secure ACS adds to the beginning
of any machine name being authenticated. By default, the end-user client
prefixes machine names with “host/”. If any text is present in the PEAP
machine authentication name prefix box, Cisco Secure ACS prefixes the
machine name with this instead.

Note If you configure the EAP-TLS and PEAP machine authentication
name prefix box with a string other than “host/”, authentication may
fail.

• Enable machine access restrictions—If you enable PEAP or EAP-TLS
machine authentication, the “Enable machine access restrictions” check box
controls whether Cisco Secure ACS restricts network access of users who
access the network with computers that fail machine authentication. For more
information about the MAR feature, see Machine Access Restrictions,
page 13-18.

Note Be sure you have enabled the types of machine authentication that
your Windows computers are configured to use—either PEAP
machine authentication or EAP-TLS authentication, or both. If the
MAR feature is enabled but Cisco Secure ACS does not perform
machine authentication for a computer, EAP-TLS and Microsoft
PEAP users accessing the network with that computer will be
assigned to the group specified in the “Group map for successful user
authentication without machine authentication” list.

• Aging time (hours)—This box specifies the number of hours that
Cisco Secure ACS caches IETF RADIUS Calling-Station-Id attribute values
from successful machine authentications, for use with the MAR feature. The
default value is zero hours, which means that Cisco Secure ACS does not
cache Calling-Station-Id values.

Note If you do not change the value of the Aging time (hours) box to
something other than zero, all EAP-TLS and Microsoft PEAP users
whose computers perform machine authentication are assigned to the
group specified in the “Group map for successful user authentication
without machine authentication” list.

Tip To enable machine access restrictions, you must specify a number greater
than zero in the Aging time (hours) box.

Tip To clear the cache of Calling-Station-Id values, type 0 in the Aging time
(hours) box and click Submit.

• Group map for successful user authentication without machine
authentication—This list specifies the group profile that Cisco Secure ACS
applies to a user accessing the network from a computer that has not passed
machine authentication for longer than the number of hours specified in the
Aging time (hours) box. To deny such users any access to the network, select
<No Access> (which is the default setting).


Note User profile settings always override group profile settings. If a user
profile grants an authorization that is denied by the group specified in
the “Group map for successful user authentication without machine
authentication” list, Cisco Secure ACS grants the authorization.

Configuring Windows Authentication

Before You Begin
To complete this procedure, you must have completed the steps in Selecting
Remote Agents for Windows Authentication, page 13-23.
To configure Windows authentication, follow these steps:

Step 1 In the navigation bar, click External User Databases.
Step 2 Click Database Configuration.
Cisco Secure ACS displays a list of all possible external user database types.
Step 3 Click Windows Database.
The External User Database Configuration page appears.
Step 4 Click Configure.
The Windows User Database Configuration page appears.
Step 5 Click Windows Authentication Configuration.
The Windows Authentication Configuration page appears.
Step 6 As needed, configure the options in the following tables:
• Dialin Permission
• Domain List
• MS CHAP Settings
• EAP Settings
For information about the options on the Windows User Database Configuration
page, see Windows Authentication Configuration Options, page 13-25.


Note All the settings on the Windows User Database Configuration page are
optional and need not be enabled unless you want to permit and configure
the specific features they support.

Step 7 Click Submit.
Cisco Secure ACS saves the Windows user database configuration you created.
You can now add it to your Unknown User Policy or assign specific user accounts
to use this database for authentication. For more information about the Unknown
User Policy, see Unknown User Processing, page 14-2. For more information
about configuring user accounts to authenticate using this database, see
Chapter 7, “User Management.”

Generic LDAP
Cisco Secure ACS supports ASCII, PAP, EAP-TLS, PEAP(EAP-GTC), and
EAP-FAST (phase two only) authentication via generic Lightweight Directory
Access Protocol (LDAP) databases, such as Netscape Directory Services. Other
authentication protocols are not supported with LDAP external user databases.

Note Authentication protocols not supported with LDAP databases may be supported
by another type of external user database. For more information about
authentication protocols and the external database types that support them, see
Authentication Protocol-Database Compatibility, page 1-9.

Cisco Secure ACS supports group mapping for unknown users by requesting
group membership information from LDAP user databases. For more information
about group mapping for users authenticated with an LDAP user database, see
Group Mapping by Group Set Membership, page 15-4.
Configuring Cisco Secure ACS to authenticate against an LDAP database has no
effect on the configuration of the LDAP database. To manage your LDAP
database, see your LDAP database documentation.


This section contains the following topics:
• Cisco Secure ACS Authentication Process with a Generic LDAP User
Database, page 13-31
• Multiple LDAP Instances, page 13-31
• LDAP Organizational Units and Groups, page 13-32
• Domain Filtering, page 13-32
• LDAP Failover, page 13-34
• LDAP Configuration Options, page 13-36
• Configuring a Generic LDAP External User Database, page 13-42
• Downloading a Certificate Database, page 13-47

Cisco Secure ACS Authentication Process with a Generic LDAP User Database
Cisco Secure ACS forwards the username and password to an LDAP database
using a TCP connection on a port that you specify. The LDAP database either
passes or fails the authentication request from Cisco Secure ACS. Upon receiving
the response from the LDAP database, Cisco Secure ACS instructs the requesting
AAA client to grant or deny the user access, depending upon the response from
the LDAP server.
Cisco Secure ACS grants authorization based on the Cisco Secure ACS group to
which the user is assigned. While the group to which a user is assigned can be
determined by information from the LDAP server, it is Cisco Secure ACS that
grants authorization privileges.

Multiple LDAP Instances
You can create more than one LDAP configuration in Cisco Secure ACS. By
creating more than one LDAP configuration with different IP address or port
settings, you can configure Cisco Secure ACS to authenticate using different
LDAP servers or using different databases on the same LDAP server. Each


primary server IP address and port configuration, along with the secondary server
IP address and port configuration, forms an LDAP instance that corresponds to
one Cisco Secure ACS LDAP configuration instance.
Cisco Secure ACS does not require that each LDAP instance corresponds to a
unique LDAP database. You can have more than one LDAP configuration set to
access the same database. This is useful when your LDAP database contains more
than one subtree for users or groups. Because each LDAP configuration supports
only one subtree directory for users and one subtree directory for groups, you
must configure separate LDAP instances for each user directory subtree and group
directory subtree combination for which Cisco Secure ACS should submit
authentication requests.
For each LDAP instance, you can add or leave it out of the Unknown User Policy.
For more information, see Unknown User Processing, page 14-2.
For each LDAP instance, you can establish unique group mapping. For more
information, see Group Mapping by Group Set Membership, page 15-4.
Having multiple LDAP instances is also important when you use domain filtering.
For more information, see Domain Filtering, page 13-32.

LDAP Organizational Units and Groups
LDAP groups do not need to have the same name as their corresponding
Cisco Secure ACS groups. The LDAP group can be mapped to a Cisco Secure
ACS group with any name you want to assign. For more information about how
your LDAP database handles group membership, see your LDAP database
documentation. For more information on LDAP group mappings and
Cisco Secure ACS, see Chapter 15, “User Group Mapping and Specification.”

Domain Filtering
Using domain filtering, you can control which LDAP instance is used to
authenticate a user based on domain-qualified usernames. Domain filtering is
based on parsing the characters either at the beginning or end of a username
submitted for authentication. Domain filtering provides you with greater control
over the LDAP instance that Cisco Secure ACS submits any given user
authentication request to. You also have control of whether usernames are
submitted to an LDAP server with their domain qualifiers intact.


For example, when EAP-TLS authentication is initiated by a Windows XP client,
Cisco Secure ACS receives the username in username@domainname format. When
PEAP authentication is initiated by a Cisco Aironet end-user client, Cisco Secure
ACS receives the username without a domain qualifier. If both clients are to be
authenticated with an LDAP database that stores usernames without domain
qualifiers, Cisco Secure ACS can strip the domain qualifier. If separate user
accounts are maintained in the LDAP database—both domain-qualified and
non-domain-qualified user accounts—Cisco Secure ACS can pass usernames to
the LDAP database without domain filtering.
If you choose to make use of domain filtering, each LDAP configuration you
create in Cisco Secure ACS can perform domain filtering in one of two ways:
• Limiting users to one domain—For each LDAP configuration in
Cisco Secure ACS, you can require that Cisco Secure ACS only attempts to
authenticate usernames that are qualified with a specific domain name. This
corresponds to the “Only process usernames that are domain qualified”
option on the LDAP Configuration page. For more information about this
option, see LDAP Configuration Options, page 13-36.
With this option, each LDAP configuration is limited to one domain and to
one type of domain qualification. You can specify whether Cisco Secure ACS
strips the domain qualification before submitting the username to an LDAP
server. If the LDAP server stores usernames in a domain-qualified format,
you should not configure Cisco Secure ACS to strip domain qualifiers.
Limiting users to one domain is useful when the LDAP server stores
usernames differently per domain, either by user context or by how the
username is stored in Cisco Secure ACS—domain qualified or non-domain
qualified. The end-user client or AAA client must submit the username to
Cisco Secure ACS in a domain-qualified format, otherwise Cisco Secure
ACS cannot determine the user’s domain and does not attempt to authenticate
the user with the LDAP configuration that uses this form of domain filtering.
• Allowing any domain but stripping domain qualifiers—For each LDAP
configuration in Cisco Secure ACS, you can configure Cisco Secure ACS to
attempt to strip domain qualifiers based on common domain-qualifier
delimiting characters. This corresponds to the “Process all usernames after
stripping domain name and delimiter” option on the LDAP Configuration
page. For more information about this option, see LDAP Configuration
Options, page 13-36.


Cisco Secure ACS supports both prefixed and suffixed domain qualifiers. A
single LDAP configuration can attempt to strip both prefixed and suffixed
domain qualifiers; however, you can only specify one delimiting character
each for prefixed and suffixed domain qualifiers. To support more than one
type of domain-qualifier delimiting character, you can create more than one
LDAP configuration in Cisco Secure ACS.
Allowing usernames of any domain but stripping domain qualifiers is useful
when the LDAP server stores usernames in a non-domain qualified format but
the AAA client or end-user client submits the username to Cisco Secure ACS
in a domain-qualified format.

Note With this option, Cisco Secure ACS submits usernames that are
non-domain qualified, too. Usernames are not required to be domain
qualified to be submitted to an LDAP server.
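The domain filtering behaviors described in this section, as an added Python model that is not part of this guide or of Cisco Secure ACS itself: it reproduces the three Domain Filtering choices, including the strip-through-the-last-X and strip-from-the-first-Y rules for the "Process all usernames after stripping domain name and delimiter" option. Class, method and field names are this example's own, and the decision to reject a username that consists only of the domain qualifier is an assumption of the example.

```python
"""Model of Cisco Secure ACS generic LDAP domain filtering (added example).

The three modes correspond to the Domain Filtering options on the LDAP
Database Configuration page. Names and the empty-user-ID check below are
assumptions of this example, not ACS internals.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LdapDomainFilter:
    # "process_all", "domain_qualified" or "strip_all"
    mode: str
    # Settings for "Only process usernames that are domain qualified":
    qualified_by: str = "suffix"            # "prefix" or "suffix"
    domain: str = ""                        # e.g. "@mydomain" or "yourdomain\\"
    strip_domain: bool = False              # "Strip domain before submitting..."
    # Settings for "Process all usernames after stripping domain name and
    # delimiter" (the X and Y boxes; a delimiter is a single character):
    prefix_delimiter: Optional[str] = None  # X: strip through the LAST one
    suffix_delimiter: Optional[str] = None  # Y: strip from the FIRST one

    def submit_name(self, username: str) -> Optional[str]:
        """Return the name this LDAP instance would submit to its server,
        or None when the instance does not process the username at all."""
        if self.mode == "process_all":
            return username
        if self.mode == "domain_qualified":
            return self._only_domain_qualified(username)
        if self.mode == "strip_all":
            return self._strip_any_domain(username)
        raise ValueError(f"unknown mode {self.mode!r}")

    def _only_domain_qualified(self, username: str) -> Optional[str]:
        # The Domain box holds the domain name AND its delimiter, so a plain
        # startswith/endswith test enforces both the delimiter and the domain.
        if not self.domain:
            raise ValueError("Domain box must contain domain plus delimiter")
        if self.qualified_by == "prefix":
            if not username.startswith(self.domain):
                return None
            bare = username[len(self.domain):]
        elif self.qualified_by == "suffix":
            if not username.endswith(self.domain):
                return None
            bare = username[:-len(self.domain)]
        else:
            raise ValueError(f"unknown qualifier type {self.qualified_by!r}")
        if not bare:
            return None  # assumption: a qualifier with no user ID is ignored
        return bare if self.strip_domain else username

    def _strip_any_domain(self, username: str) -> str:
        # Usernames without any qualifier are submitted unchanged.
        name = username
        if self.prefix_delimiter:
            idx = name.rfind(self.prefix_delimiter)      # last occurrence
            if idx != -1:
                name = name[idx + len(self.prefix_delimiter):]
        if self.suffix_delimiter:
            idx = name.find(self.suffix_delimiter)       # first occurrence
            if idx != -1:
                name = name[:idx]
        return name


if __name__ == "__main__":
    # Constructed sample usernames, matching the guide's examples.
    suffix_only = LdapDomainFilter("domain_qualified", "suffix", "@mydomain", True)
    print(suffix_only.submit_name("jwiedman@mydomain"))    # jwiedman
    print(suffix_only.submit_name("jwiedman@otherdomain")) # None
    strip_all = LdapDomainFilter("strip_all", prefix_delimiter="\\",
                                 suffix_delimiter="@")
    print(strip_all.submit_name("DOMAIN\\jwiedman"))       # jwiedman
    print(strip_all.submit_name("jwiedman@domain"))        # jwiedman
```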

LDAP Failover
Cisco Secure ACS supports failover between a primary LDAP server and
secondary LDAP server. In the context of LDAP authentication with Cisco Secure
ACS, failover applies when an authentication request fails because Cisco Secure
ACS could not connect to an LDAP server, such as when the server is down or is
otherwise unreachable by Cisco Secure ACS. To use this feature, you must define
the primary and secondary LDAP servers on the LDAP Database Configuration
page. Also, you must select the On Timeout Use Secondary check box. For more
information about configuring an LDAP external user database, see Configuring
a Generic LDAP External User Database, page 13-42.
If the On Timeout Use Secondary check box is selected, and if the first LDAP
server that Cisco Secure ACS attempts to contact cannot be reached, Cisco Secure
ACS always attempts to contact the other LDAP server. The first server
Cisco Secure ACS attempts to contact may not always be the primary LDAP
server. Instead, the first LDAP server that Cisco Secure ACS attempts to contact
depends on the previous LDAP authentication attempt and on the value specified
in the Failback Retry Delay box.


Successful Previous Authentication with the Primary LDAP Server
If, on the previous LDAP authentication attempt, Cisco Secure ACS successfully
connected to the primary LDAP server, Cisco Secure ACS attempts to connect to
the primary LDAP server. If Cisco Secure ACS cannot connect to the primary
LDAP server, Cisco Secure ACS attempts to connect to the secondary LDAP
server.
If Cisco Secure ACS cannot connect with either LDAP server, Cisco Secure ACS
stops attempting LDAP authentication for the user. If the user is an unknown user,
Cisco Secure ACS tries the next external user database listed in the Unknown
User Policy list. For more information about the Unknown User Policy list, see
Unknown User Processing, page 14-2.

Unsuccessful Previous Authentication with the Primary LDAP Server
If, on the previous LDAP authentication attempt, Cisco Secure ACS could not
connect to the primary LDAP server, whether Cisco Secure ACS first attempts to
connect to the primary server or secondary LDAP server for the current
authentication attempt depends on the value in the Failback Retry Delay box. If
the Failback Retry Delay box is set to 0 (zero), Cisco Secure ACS always attempts
to connect to the primary LDAP server first. And if Cisco Secure ACS cannot
connect to the primary LDAP server, Cisco Secure ACS then attempts to connect
to the secondary LDAP server.
If the Failback Retry Delay box is set to a number other than zero, Cisco Secure
ACS determines how many minutes have passed since the last authentication
attempt using the primary LDAP server occurred. If more minutes have passed
than the value specified in the Failback Retry Delay box, Cisco Secure ACS
attempts to connect to the primary LDAP server first. And if Cisco Secure ACS
cannot connect to the primary LDAP server, Cisco Secure ACS then attempts to
connect to the secondary LDAP server.
If fewer minutes have passed than the value specified in the Failback Retry Delay
box, Cisco Secure ACS attempts to connect to the secondary LDAP server first.
And if Cisco Secure ACS cannot connect to the secondary LDAP server,
Cisco Secure ACS then attempts to connect to the primary LDAP server.


If Cisco Secure ACS cannot connect to either LDAP server, Cisco Secure ACS
stops attempting LDAP authentication for the user. If the user is an unknown user,
Cisco Secure ACS tries the next external user database listed in the Unknown
User Policy list. For more information about the Unknown User Policy list, see
Unknown User Processing, page 14-2.
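The server-selection rules of the LDAP Failover section, as an added Python model that is not part of this guide or of Cisco Secure ACS: given the outcome of the previous attempt and the Failback Retry Delay value, it returns the order in which the primary and secondary servers are tried, and simulates an attempt against a set of reachable servers. Class and method names, the use of plain minute counts instead of wall-clock time, and the starting state (as if the primary had been reachable) are assumptions of this example.

```python
"""Model of Cisco Secure ACS LDAP failover ordering (added example).

Reproduces the rules from the LDAP Failover section: primary first after a
successful primary connection; after a failed one, primary first only when
Failback Retry Delay is 0 or more than that many minutes have passed since
the last primary attempt, otherwise secondary first. Names and the numeric
clock are assumptions of this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class LdapFailover:
    primary: str
    secondary: str
    on_timeout_use_secondary: bool = True   # the "On Timeout Use Secondary" box
    failback_retry_delay: int = 0           # minutes; 0 = always primary first
    # State carried over from the previous attempt (assumed initial values).
    primary_reachable_last: bool = True
    last_primary_attempt: Optional[float] = None   # minutes; None = never

    def contact_order(self, now: float) -> List[str]:
        """Return the order in which the servers are tried at time `now`."""
        if not self.on_timeout_use_secondary:
            return [self.primary]              # failover not enabled
        if self.primary_reachable_last:
            return [self.primary, self.secondary]
        if self.failback_retry_delay == 0:
            return [self.primary, self.secondary]
        elapsed = now - (self.last_primary_attempt or 0.0)
        # "more minutes have passed than the value": strictly greater than.
        if elapsed > self.failback_retry_delay:
            return [self.primary, self.secondary]
        return [self.secondary, self.primary]

    def authenticate(self, now: float, reachable: Set[str]) -> Optional[str]:
        """Simulate one authentication. `reachable` is the set of servers
        that accept a connection right now. Returns the server that handled
        the request, or None when neither could be reached (ACS then stops
        LDAP authentication for this user and, for an unknown user, moves on
        to the next database in the Unknown User Policy)."""
        for server in self.contact_order(now):
            if server == self.primary:
                # Only attempts against the primary update the failback state.
                self.last_primary_attempt = now
                self.primary_reachable_last = server in reachable
            if server in reachable:
                return server
        return None


if __name__ == "__main__":
    # Constructed scenario: primary goes down at minute 0, delay is 5 minutes.
    fo = LdapFailover("ldap-primary", "ldap-secondary", failback_retry_delay=5)
    print(fo.authenticate(0, {"ldap-secondary"}))   # ldap-secondary
    print(fo.contact_order(2))   # ['ldap-secondary', 'ldap-primary']
    print(fo.contact_order(6))   # ['ldap-primary', 'ldap-secondary']
```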

LDAP Configuration Options
The LDAP Database Configuration page contains many options, presented in
three tables:
• Domain Filtering—This table contains options for domain filtering. The
settings in this table affect all LDAP authentication performed using this
configuration, regardless of whether the authentication is handled by the
primary or secondary LDAP server. For more information about domain
filtering, see Domain Filtering, page 13-32.
This table contains the following options:
– Process all usernames—When this option is selected, Cisco Secure
ACS does not perform domain filtering on usernames before submitting
them to the LDAP server for authentication.
– Only process usernames that are domain qualified—When this option
is selected, Cisco Secure ACS only attempts authentication for
usernames that are domain qualified for a single domain. You must
specify the type of domain qualifier and the domain in the “Qualified by”
and Domain options. Cisco Secure ACS only submits usernames that are
qualified in the manner specified by the “Qualified by” option and that
are qualified with the domain specified in the Domain option. You can
also specify whether Cisco Secure ACS removes the domain qualifier
from usernames before submitting them to an LDAP server.
– Qualified by—When “Only process usernames that are domain
qualified” is selected, this option specifies the type of domain
qualification. If you select Prefix, Cisco Secure ACS only processes
usernames that begin with the characters specified in the Domain box. If
you select Suffix, Cisco Secure ACS only processes usernames that end
in the characters specified in the Domain box.


Note Regardless of the domain qualifier type selected, the domain
name must match the domain specified in the Domain box.

– Domain—When “Only process usernames that are domain qualified” is
selected, this option specifies the domain name and delimiting character
that must qualify usernames in order for Cisco Secure ACS to submit the
username to an LDAP server. The Domain box accepts up to 512
characters; however, only one domain name and its delimiting character
are permitted.
For example, if the domain name is “mydomain”, the delimiting
character is “@”, and Suffix is selected in the “Qualified by” list, the
Domain box should contain “@mydomain”. If the domain name is
“yourdomain”, the delimiting character is “\”, and Prefix is selected in
the “Qualified by” list, the Domain box should contain “yourdomain\”.
– Strip domain before submitting username to LDAP server—When
“Only process usernames that are domain qualified” is selected, this
option specifies whether Cisco Secure ACS removes the domain qualifier
before submitting a username to an LDAP server. Cisco Secure ACS also
removes the delimiter between the domain qualifier and the username.
For example, if the username is “jwiedman@domain.com”, the stripped
username is “jwiedman”.
– Process all usernames after stripping domain name and
delimiter—When this option is selected, Cisco Secure ACS submits all
usernames to an LDAP server after attempting to strip domain names.
Usernames that are not domain qualified are processed, too. Domain
name stripping occurs as specified by the following two options.
– Strip starting characters through the last X character—When
“Process all usernames after stripping domain name and delimiter” is
selected, this option specifies that Cisco Secure ACS attempts to strip a
prefixed domain qualifier. If, in the username, Cisco Secure ACS finds
the delimiter character specified in the X box, it strips all characters from
the beginning of the username through the delimiter character. If the
username contains more than one of the characters specified in the X box,
Cisco Secure ACS strips characters through the last occurrence of the
delimiter character.


For example, if the delimiter character is “\” and the username is
“DOMAIN\jwiedman”, Cisco Secure ACS submits “jwiedman” to an
LDAP server.
– Strip ending characters through the first Y character—When
“Process all usernames after stripping domain name and delimiter” is
selected, this option specifies that Cisco Secure ACS attempts to strip a
suffixed domain qualifier. If, in the username, Cisco Secure ACS finds
the delimiter character specified in the Y box, it strips all characters from
the delimiter character through the end of the user name. If the username
contains more than one of the characters specified in the Y box,
Cisco Secure ACS strips characters starting with the first occurrence of
the delimiter character.
For example, if the delimiter character is “@” and the username is
“jwiedman@domain”, Cisco Secure ACS submits “jwiedman” to an
LDAP server.
• Common LDAP Configuration—This table contains options that apply to
all LDAP authentication performed using this configuration. Cisco Secure
ACS uses the settings in this section regardless of whether the authentication
is handled by the primary or secondary LDAP server. This table contains the
following options:
– User Directory Subtree—The distinguished name (DN) for the subtree
that contains all users. For example:

ou=organizational unit[,ou=next organizational unit],o=corporation.com

If the tree containing users is the base DN, type:

o=corporation.com

or

dc=corporation,dc=com

as applicable to your LDAP configuration. For more information, refer to
your LDAP database documentation.
– Group Directory Subtree—The distinguished name (DN) for the
subtree that contains all groups. For example:

ou=organizational unit[,ou=next organizational unit],o=corporation.com


If the tree containing groups is the base DN, type:

o=corporation.com

or

dc=corporation,dc=com

as applicable to your LDAP configuration. For more information, refer to
your LDAP database documentation.
– UserObjectType—The name of the attribute in the user record that
contains the username. You can obtain this attribute name from your
Directory Server. For more information, refer to your LDAP database
documentation. Cisco Secure ACS provides default values that reflect the
default configuration of a Netscape Directory Server. Confirm all values
for these fields with your LDAP server configuration and documentation.
– UserObjectClass—The value of the LDAP “objectType” attribute that
identifies the record as a user. Often, user records have several values for
the objectType attribute, some of which are unique to the user, some of
which are shared with other object types. This box should contain a value
that is not shared.
– GroupObjectType—The name of the attribute in the group record that
contains the group name.
– GroupObjectClass—A value of the LDAP “objectType” attribute in the
group record that identifies the record as a group.
– Group Attribute Name—The name of the attribute of the group record
that contains the list of user records that are a member of that group.
– Server Timeout—The number of seconds Cisco Secure ACS waits for a
response from an LDAP server before determining that the connection
with that server has failed.
– On Timeout Use Secondary—Whether Cisco Secure ACS performs
failover of LDAP authentication attempts. For more information about
the LDAP failover feature, see LDAP Failover, page 13-34.
– Failback Retry Delay—The number of minutes after Cisco Secure ACS
fails to connect to the primary LDAP server before it resumes sending
authentication requests to the primary LDAP server first. A value of 0
(zero) causes Cisco Secure ACS to always use the primary LDAP server
first.


• Primary and Secondary LDAP Servers—The Primary LDAP Server table
and the Secondary LDAP Server table enable you to identify the LDAP
servers and make settings that are unique to each. The Secondary LDAP
Server table does not need to be completed if you do not intend to use LDAP
failover. These tables contain the following options:
– Hostname—The name or IP address of the machine that is running the
LDAP software. If you are using DNS on your network, you can type the
hostname instead of the IP address.
– Port—The TCP/IP port number on which the LDAP server is listening.
The default is 389, as stated in the LDAP specification. If you do not
know the port number, you can find this information by viewing those
properties on the LDAP server. If you want to use secure authentication,
port number 636 is usually used.
– LDAP Version—Whether Cisco Secure ACS uses LDAP version 3 or
version 2 to communicate with your LDAP database. If this check box is
selected, Cisco Secure ACS uses LDAP version 3. If it is not selected,
Cisco Secure ACS uses LDAP version 2.
– Security—Whether Cisco Secure ACS uses Secure Sockets Layer (SSL) to
provide more secure communication with the LDAP server. If you do not
enable SSL, user credentials are passed to the LDAP server in cleartext.
– Download Certificate database—A link to the Download Certificate
Database page, on which you can download a cert7.db certificate
database file to Cisco Secure ACS. The cert7.db file must contain the
certificates for the server to be queried and the trusted CA. You can
generate cert7.db files using a Netscape web browser. For information
about generating a cert7.db file, refer to Netscape documentation. For
information about the Download Certificate Database page, see
Downloading a Certificate Database, page 13-47.
To perform secure authentication using SSL, you must provide a cert7.db
certificate database file. Cisco Secure ACS requires a certificate database
so that it can establish the SSL connection. Since the certificate database
must be local to the Cisco Secure ACS Appliance, you must use FTP to
transfer the certificate database to Cisco Secure ACS.
Cisco Secure ACS requires a cert7.db certificate database file for each
LDAP server you configure. For example, to support users distributed in
multiple LDAP trees, you could configure two LDAP instances in
Cisco Secure ACS that would communicate with the same LDAP servers.


Each LDAP instance would have a primary and a secondary LDAP
server. Even though the two LDAP configurations share the same
primary server, each LDAP configuration requires that you download a
certificate database file to Cisco Secure ACS.

Note The database must be a cert7.db certificate database file. No other
filename is supported.

– Admin DN—The fully qualified distinguished name (DN) of the administrator;
that is, the LDAP account which, if bound to, permits searches for all required
users under the User Directory Subtree. It must contain the following
information about your LDAP server:

uid=user id,[ou=organizational unit,][ou=next organizational unit],o=organization

where user id is the username, organizational unit is the last level of the
tree, and next organizational unit is the next level up the tree.
For example:

uid=joesmith,ou=members,ou=administrators,o=cisco

You can use anonymous credentials for the administrator username if the
LDAP server is configured to make the group name attribute visible in
searches by anonymous credentials. Otherwise, you must specify an
administrator username that permits the group name attribute to be
visible to searches.

Note If the administrator username specified does not have permission
to see the group name attribute in searches, group mapping fails
for users authenticated by LDAP.

– Password—The password for the administrator account specified in the
Admin DN box. Password case sensitivity is determined by the LDAP
server.


Configuring a Generic LDAP External User Database
Creating a generic LDAP configuration provides Cisco Secure ACS information
that enables it to pass authentication requests to an LDAP database. This
information reflects the way you have implemented your LDAP database and does
not dictate how your LDAP database is configured or functions. For information
about your LDAP database, refer to your LDAP documentation.
To configure Cisco Secure ACS to use the LDAP User Database, follow these
steps:

Step 1 In the navigation bar, click External User Databases.
Step 2 Click Database Configuration.
Cisco Secure ACS displays a list of all possible external user database types.
Step 3 Click Generic LDAP.

Note The user authenticates against only one LDAP database.

If no LDAP database configuration exists, only the Database Configuration
Creation table appears. Otherwise, in addition to the Database Configuration
Creation table, the External User Database Configuration table appears.
Step 4 If you are creating a configuration, follow these steps:
a. Click Create New Configuration.
b. Type a name for the new configuration for generic LDAP in the box provided.
c. Click Submit.
Cisco Secure ACS lists the new configuration in the External User Database
Configuration table.
Step 5 Under External User Database Configuration, select the name of the LDAP
database you need to configure.

Note If only one LDAP configuration exists, the name of that configuration
appears instead of the list. Proceed to the next step.


Step 6 Click Configure.

Caution If you click Delete, the configuration of the selected LDAP database is deleted.

Step 7 If you do not want Cisco Secure ACS to filter LDAP authentication requests by
username, under Domain Filtering, select Process all usernames.
Step 8 If you want to limit authentications processed by this LDAP configuration to
usernames with a specific domain qualification, follow these steps:

Note For information about domain filtering, see Domain Filtering,
page 13-32.

a. Under Domain Filtering, select Only process usernames that are domain
qualified.
b. From the “Qualified by” list, select the applicable type of domain
qualification, either Suffix or Prefix. Only one type of domain qualification
is supported per LDAP configuration.
For example, if you want this LDAP configuration to authenticate usernames
that begin with a specific domain name, select Prefix. If you want this LDAP
configuration to authenticate usernames that end with a specific domain
name, select Suffix.
c. In the Domain box, type the name of the domain that you want this LDAP
configuration to authenticate usernames for. Include the delimiting character
that separates the user ID from the domain name. Be sure that the delimiting
character appears in the applicable position: at the end of the domain name if
Prefix is selected on the “Qualified by” list; at the beginning of the domain
name if Suffix is selected on the “Qualified by” list.
Only one domain name is supported per LDAP configuration. You can type
up to 512 characters.
d. If you want Cisco Secure ACS to remove the domain qualifier before
submitting it to the LDAP database, select the Strip domain before
submitting username to LDAP server check box.
e. If you want Cisco Secure ACS to pass the username to the LDAP database
without removing the domain qualifier, clear the Strip domain before
submitting username to LDAP server check box.


Step 9 If you want to enable Cisco Secure ACS to strip domain qualifiers from
usernames prior to submitting them to an LDAP server, follow these steps:

Note For information about domain filtering, see Domain Filtering, page 13-32.

a. Under Domain Filtering, select Process all usernames after stripping
domain name and delimiter.
b. If you want Cisco Secure ACS to strip prefixed domain qualifiers, select the
Strip starting characters through the last X character check box, and then
type the domain-qualifier delimiting character in the X box.
c. If you want Cisco Secure ACS to strip suffixed domain qualifiers, select the
Strip ending characters from the first X character check box, and then
type the domain-qualifier delimiting character in the X box.
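The three Domain Filtering choices of Steps 7, 8 and 9, as an added example that is not code from this guide or from Cisco Secure ACS: the class, the mode names and the sample domains are assumptions made for illustration, and a result of None models this LDAP configuration declining a request whose username is not qualified the way Step 8 requires.

```python
# Added example, not code from the Cisco Secure ACS guide: a model of the
# three Domain Filtering choices (Steps 7, 8 and 9). The class, the mode
# names and the sample domains are assumptions made for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass
class DomainFilter:
    """Domain Filtering settings of one LDAP configuration.

    mode "all":        Process all usernames (Step 7).
    mode "qualified":  Only process usernames that are domain qualified (Step 8).
    mode "strip_all":  Process all usernames after stripping domain name and
                       delimiter (Step 9).
    """
    mode: str = "all"
    # Step 8: one qualification type only; the domain includes its delimiter
    qualified_by: str = "prefix"      # "prefix" or "suffix"
    domain: str = ""                  # e.g. "CORP\\" (prefix) or "@corp.example" (suffix)
    strip_domain: bool = True         # Strip domain before submitting username to LDAP server
    # Step 9: delimiter character X of each strip option; None = check box cleared
    strip_prefix_through_last: Optional[str] = None   # Strip starting characters through the last X
    strip_suffix_from_first: Optional[str] = None     # Strip ending characters from the first X

    def username_for_ldap(self, username: str) -> Optional[str]:
        """Username to submit to the LDAP server, or None when this configuration
        declines the request because the username is not qualified as required."""
        if self.mode == "all":
            return username

        if self.mode == "qualified":
            if not self.domain:
                raise ValueError("a domain (including its delimiter) is required")
            if self.qualified_by not in ("prefix", "suffix"):
                raise ValueError("qualified_by must be 'prefix' or 'suffix'")
            if self.qualified_by == "prefix" and username.startswith(self.domain):
                rest = username[len(self.domain):]
            elif self.qualified_by == "suffix" and username.endswith(self.domain):
                rest = username[:-len(self.domain)]
            else:
                return None                      # not qualified by this domain
            # the bare domain with nothing left over is not a username
            return (rest if self.strip_domain else username) if rest else None

        if self.mode == "strip_all":
            result = username
            x = self.strip_prefix_through_last
            if x and x in result:
                # drop everything up to and including the LAST delimiter
                result = result[result.rfind(x) + len(x):]
            y = self.strip_suffix_from_first
            if y and y in result:
                # drop everything from the FIRST delimiter onward
                result = result[:result.find(y)]
            return result

        raise ValueError(f"unknown mode {self.mode!r}")
```

The strip_all mode applies the prefix rule before the suffix rule, so a username that carries both a NetBIOS-style prefix and a UPN-style suffix is reduced to the bare user ID in one pass.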
Step 10 Under Common LDAP Configuration, in the User Directory Subtree box, type the
DN of the tree containing all your users.
Step 11 In the Group Directory Subtree box, type the DN of the subtree containing all your
groups.
Step 12 In the User Object Type box, type the name of the attribute in the user record that
contains the user name.

Note The default values in the UserObjectType and following fields reflect the
default configuration of the Netscape Directory Server. Confirm all values
for these fields with your LDAP server configuration and documentation.

Step 13 In the User Object Class box, type the value of the LDAP “objectType” attribute
that identifies the record as a user.

Note User records often have several values for the objectType attribute, some
of which are unique to the user, some of which are shared with other
object types. Make sure that the value you provide in the User Object
Class box is a value that is not shared.

Step 14 In the GroupObjectType box, type the name of the attribute in the group record
that contains the group name.

Step 15 In the GroupObjectClass box, type a value of the LDAP “objectType” attribute in
the group record that identifies the record as a group.
Step 16 In the GroupAttributeName box, type the name of the attribute of the group record
that contains the list of user records who are a member of that group.
Step 17 In the Server Timeout box, type the number of seconds Cisco Secure ACS waits
for a response from an LDAP server before determining that the connection with
that server has failed.
Step 18 To enable failover of LDAP authentication attempts, select the On Timeout Use
Secondary check box. For more information about the LDAP failover feature, see
LDAP Failover, page 13-34.
Step 19 In the Failback Retry Delay box, type the number of minutes after the primary
LDAP server fails to authenticate a user that Cisco Secure ACS resumes sending
authentication requests to the primary LDAP server first.

Note To specify that Cisco Secure ACS should always use the primary LDAP
server first, type 0 (zero) in the Failback Retry Delay box.

Step 20 For the Primary LDAP Server and Secondary LDAP Server tables, follow these
steps:

Note If you did not select the On Timeout Use Secondary check box, you do
not need to complete the options in the Secondary LDAP Server table.

a. In the Hostname box, type the name or IP address of the machine that is
running the LDAP software. If you are using DNS on your network, you can
type the hostname instead of the IP address.
b. In the Port box, type the TCP/IP port number on which the LDAP server is
listening. The default is 389, as stated in the LDAP specification. If you do
not know the port number, you can find this information by viewing those
properties on the LDAP server. If you want to use secure authentication, port
number 636 is usually used.
c. To specify that Cisco Secure ACS should use LDAP version 3 to
communicate with your LDAP database, select the LDAP Version check box.
If the LDAP Version check box is not selected, Cisco Secure ACS uses LDAP
version 2.

d. If you want Cisco Secure ACS to use SSL to connect to the LDAP server,
select the Use secure authentication check box and complete the next three
steps.

Note If you do not use SSL, the username and password credentials are
passed over the network to the LDAP directory in clear text.

e. To download a cert7.db certificate database file to Cisco Secure ACS now,
complete the steps in Downloading a Certificate Database, page 13-47, and
then continue with step f.

Note You can download a certificate database later. Until a certificate
database is downloaded for the current LDAP server, secure
authentication to this LDAP server fails.

f. In the Admin DN box, type the following information about an LDAP account
that permits searches for all required users under the User Directory Subtree:

uid=user id,[ou=organizational unit,][ou=next organizational unit,]o=organization

where user id is the username, organizational unit is the last level of the
tree, and next organizational unit is the next level up the tree.

Tip If you are using Netscape DS, you can copy this information from the
Netscape Console.

For more information, refer to your LDAP database documentation.


g. In the Password box, type the password for the administrator account
specified in the Admin DN box. Password case sensitivity is determined by
the LDAP server.
Step 21 Click Submit.

Cisco Secure ACS saves the generic LDAP configuration you created. You can
now add it to your Unknown User Policy or assign specific user accounts to use
this database for authentication. For more information about the Unknown User
Policy, see Unknown User Processing, page 14-2. For more information about
configuring user accounts to authenticate using this database, see Chapter 7,
“User Management.”
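How the Common LDAP Configuration fields of Steps 10 through 16 drive the user lookup and the group membership lookup, as an added example that is not code from this guide or from Cisco Secure ACS: it runs against an in-memory directory whose DNs, entries and attribute names are constructed for illustration, and treating a lookup that matches more than one record as a failure is a design choice of this example, not documented ACS behaviour.

```python
# Added example, not code from the Cisco Secure ACS guide: an in-memory model
# of how the Common LDAP Configuration fields (Steps 10 through 16) drive the
# user lookup and the group membership lookup. The directory contents, DNs and
# attribute names are constructed for illustration; treating an ambiguous
# lookup as a failure is a design choice of this example.
from dataclasses import dataclass
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]      # attribute name -> values
Directory = Dict[str, Entry]      # DN -> entry


@dataclass
class LdapConfig:
    user_directory_subtree: str   # Step 10
    group_directory_subtree: str  # Step 11
    user_object_type: str         # Step 12: attribute holding the user name
    user_object_class: str        # Step 13: objectClass value that marks a user
    group_object_type: str        # Step 14: attribute holding the group name
    group_object_class: str       # Step 15: objectClass value that marks a group
    group_attribute_name: str     # Step 16: attribute listing member DNs


def in_subtree(dn: str, base: str) -> bool:
    """True if dn is base itself or lies anywhere beneath it."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def has_value(entry: Entry, attr: str, value: str) -> bool:
    return value.lower() in (v.lower() for v in entry.get(attr, []))


def user_search_filter(cfg: LdapConfig, username: str) -> str:
    """The search filter the configuration implies for a user lookup."""
    return f"(&(objectClass={cfg.user_object_class})({cfg.user_object_type}={username}))"


def find_user_dn(directory: Directory, cfg: LdapConfig, username: str) -> Optional[str]:
    """DN of the one user record matching username under the user subtree.

    Several matches return None instead of the first hit: a shared objectClass
    value (see the note on User Object Class) lets a non-user record match, and
    an authenticator must not bind as the wrong entry."""
    matches = [dn for dn, entry in directory.items()
               if in_subtree(dn, cfg.user_directory_subtree)
               and has_value(entry, "objectClass", cfg.user_object_class)
               and has_value(entry, cfg.user_object_type, username)]
    return matches[0] if len(matches) == 1 else None


def groups_of(directory: Directory, cfg: LdapConfig, user_dn: str) -> List[str]:
    """Names of the group records under the group subtree that list user_dn."""
    return sorted(entry[cfg.group_object_type][0]
                  for dn, entry in directory.items()
                  if in_subtree(dn, cfg.group_directory_subtree)
                  and has_value(entry, "objectClass", cfg.group_object_class)
                  and has_value(entry, cfg.group_attribute_name, user_dn))


# Constructed sample directory; it describes no real deployment.
SAMPLE_DIRECTORY: Directory = {
    "uid=alice,ou=People,o=example": {
        "objectClass": ["top", "person", "inetOrgPerson"],
        "uid": ["alice"], "cn": ["Alice Example"]},
    "uid=bob,ou=People,o=example": {
        "objectClass": ["top", "person", "inetOrgPerson"],
        "uid": ["bob"], "cn": ["Bob Example"]},
    # A device account that also carries uid=alice. It shares the class "top"
    # with the users but is not an inetOrgPerson.
    "uid=alice,ou=Devices,ou=People,o=example": {
        "objectClass": ["top", "account"],
        "uid": ["alice"], "host": ["printer-7"]},
    "cn=vpn-users,ou=Groups,o=example": {
        "objectClass": ["top", "groupOfUniqueNames"], "cn": ["vpn-users"],
        "uniqueMember": ["uid=alice,ou=People,o=example",
                         "uid=bob,ou=People,o=example"]},
    "cn=admins,ou=Groups,o=example": {
        "objectClass": ["top", "groupOfUniqueNames"], "cn": ["admins"],
        "uniqueMember": ["uid=alice,ou=People,o=example"]},
}

SAMPLE_CONFIG = LdapConfig(
    user_directory_subtree="ou=People,o=example",
    group_directory_subtree="ou=Groups,o=example",
    user_object_type="uid", user_object_class="inetOrgPerson",
    group_object_type="cn", group_object_class="groupOfUniqueNames",
    group_attribute_name="uniqueMember",
)
```

With User Object Class set to the shared value "top", the lookup for "alice" matches both the person and the device account and therefore fails, which is the situation the note under Step 13 warns about; with "inetOrgPerson" it returns exactly one DN.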

Downloading a Certificate Database


Before You Begin
The database must be a cert7.db certificate database file generated by a Netscape
web browser. No other filename is supported. For information about generating a
cert7.db file, refer to Netscape documentation.
To download a certificate database for a primary or a secondary LDAP server,
follow these steps:

Note Downloading a certificate database is a part of the larger process of configuring
an LDAP external user database. For more information, see Configuring a Generic
LDAP External User Database, page 13-42.

Step 1 To access the Download Certificate Database page, follow these steps:
a. Open the LDAP Database Configuration page that contains the information
for the LDAP server whose certificate database file you want to download.

Note If you are already on the applicable LDAP Database Configuration
page, proceed to Step b.

b. For the LDAP server whose certificate database file you want to download,
click Download Certificate database.

Note Cisco Secure ACS lists a primary and secondary LDAP server for
each LDAP database configuration. To support secure authentication
to both servers, you must download a certificate database file twice,
once for the primary LDAP server and once for the secondary LDAP
server.

Step 2 In the FTP Server box, type the IP address or hostname of the FTP server. The
FTP Server box accepts a maximum of 512 characters.

Note Providing the hostname requires that DNS is operating correctly on your
network.

Step 3 In the Login box, type a valid username to enable Cisco Secure ACS to access the
FTP server. The Login box accepts a maximum of 512 characters.
Step 4 In the Password box, type the password for the username provided in the Login
box. The Password box accepts a maximum of 512 characters.
Step 5 In the Directory box, type the path to the cert7.db file. The path is relative to the
starting directory at login to the FTP server.
For example, if the cert7.db file is located in c:\ACS-files\LDAPcertdb and the
user provided in the Login box starts its FTP sessions in c:\, you would type
ACS-files\LDAPcertdb.

The Directory box accepts a maximum of 512 characters.
Step 6 Click Download.
Cisco Secure ACS downloads the cert7.db file from the FTP server. The LDAP
Database Configuration page appears.

Novell NDS Database


Cisco Secure ACS supports user authentication with Novell NetWare Directory
Services (NDS) servers.
This section contains the following topics:
• About Novell NDS User Databases, page 13-49
• User Contexts, page 13-50
• Novell NDS External User Database Options, page 13-51
• Configuring a Novell NDS External User Database, page 13-53

About Novell NDS User Databases


To use NDS authentication with a Cisco Secure ACS Appliance, you must have a
Novell NDS database that is configured to use standard LDAP.

Note Cisco Secure ACS Appliance only supports NDS servers that are configured to
use standard LDAP.

Cisco Secure ACS Appliance supports ASCII, PAP, EAP-TLS, PEAP(EAP-GTC), and
EAP-FAST (phase two only) authentication with Novell NetWare Directory
Services (NDS) servers. Other authentication protocols are not supported with
Novell NDS external user databases.

Note Authentication protocols not supported with Novell NDS external user databases
may be supported by another type of external user database. For more information
about authentication protocols and the external database types that support them,
see Authentication Protocol-Database Compatibility, page 1-9.

For users to authenticate against a Novell NDS database, Cisco Secure ACS must
be correctly configured to recognize the Novell NDS structure. Cisco Secure ACS
supports up to twenty NDS servers. For a user to authenticate against a Novell
NDS context, the applicable user object must exist in one of the contexts provided
and the user password must be able to log the name into the tree. If you enable
subtree searching, authentication can succeed if the user object is in a subtree of
one of the contexts provided.
Cisco Secure ACS supports group mapping for unknown users by requesting
group membership information from Novell NDS user databases. For more
information about group mapping for users authenticated with a Novell NDS user
database, see Group Mapping by Group Set Membership, page 15-4.

Note Aside from user group membership information, Cisco Secure ACS retrieves no
user settings from Novell NDS databases; however, authentication responses from
a Novell NDS database may reflect user settings applied to the authentication
response by the Novell NDS database. For example, Cisco Secure ACS does not
fetch and process network access restrictions but the Novell NDS database may
fail an authentication request based on network access restrictions stored in the
Novell NDS database.

Configuring Cisco Secure ACS to authenticate against an NDS database does not
affect the configuration of the NDS database. To manage your NDS database,
refer to your NDS database documentation.

User Contexts
You must supply one or more contexts when you configure Cisco Secure ACS to
authenticate with an NDS database; however, users can supply an additional
portion of the full context that defines their fully qualified usernames. In other
words, if none of the contexts in the list of contexts contains a username submitted
for authentication, the username must specify exactly how they are subordinate to
the contexts in the list of contexts. The user specifies the manner in which a
username is subordinate to a context by providing the additional context
information needed to uniquely identify the user in the NDS database.
Consider the following example tree:
[Root] whose treename=ABC
  OU=ABC-Company
    OU=sales
      CN=Agamemnon
    OU=marketing
      CN=Odysseus
      OU=marketing-research
        CN=Penelope
      OU=marketing-product
        CN=Telemachus

If the context list configured in Cisco Secure ACS were:

o=ABC-Company,ou=sales.o=ABC-Company

Agamemnon would successfully authenticate if he submitted “Agamemnon” as
his username. If he submitted “Agamemnon.sales”, authentication would fail.
Table 13-1 lists the users given in the example tree and the username with context
that would allow each user to authenticate successfully.

Table 13-1 Example Usernames with Contexts

User         Valid Username With Context
Agamemnon    Agamemnon
Odysseus     Odysseus.marketing
Penelope     Penelope.marketing-research.marketing
Telemachus   Telemachus.marketing-product.marketing
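The context resolution described above, as an added example that is not code from this guide or from Cisco Secure ACS: the user objects are the guide's example tree written out as typeless names, while the exact-match rule, the subtree rule modelling the Context Subtree option, and the shortest_valid_username helper that reproduces the right-hand column of Table 13-1 are assumptions of this model rather than documented ACS internals.

```python
# Added example, not code from the Cisco Secure ACS guide: a model of how a
# username carrying part of its own context is resolved against the Context
# List. The tree is the guide's example tree written out as typeless names;
# the exact-match rule, the subtree rule and the "shortest valid username"
# helper are assumptions of this model, not documented ACS internals.
from typing import List, Optional, Set

# User objects of the example tree, leaf first, lower-case (written out by
# hand from the tree and from Table 13-1).
EXAMPLE_USERS: Set[str] = {
    "agamemnon.sales.abc-company",
    "odysseus.marketing.abc-company",
    "penelope.marketing-research.marketing.abc-company",
    "telemachus.marketing-product.marketing.abc-company",
}


def parse_context_list(context_list: str) -> List[str]:
    """'o=ABC-Company,ou=sales.o=ABC-Company' -> ['abc-company', 'sales.abc-company'].

    Contexts are comma-separated; inside a context the RDNs are period-separated
    and typed (o=, ou=). The types are dropped to obtain typeless names."""
    contexts = []
    for ctx in context_list.split(","):
        names = [rdn.split("=", 1)[-1].strip().lower() for rdn in ctx.strip().split(".")]
        contexts.append(".".join(names))
    return contexts


def resolve(username: str, context_list: str, users: Set[str],
            subtree: bool = False) -> Optional[str]:
    """Fully qualified name the login maps to, or None when authentication fails.

    The submitted name (user name plus any partial context, for example
    'Penelope.marketing-research.marketing') is appended to each configured
    context in turn, and the result must name a user object. With subtree=True
    (the Context Subtree option) a user object anywhere beneath the configured
    context is accepted as long as the submitted portion is its leading part.
    """
    partial = username.strip().lower()
    for ctx in parse_context_list(context_list):
        candidate = f"{partial}.{ctx}"
        if candidate in users:
            return candidate
        if subtree:
            for fqn in sorted(users):
                if fqn.startswith(partial + ".") and fqn.endswith("." + ctx):
                    return fqn
    return None


def shortest_valid_username(fqn: str, context_list: str) -> Optional[str]:
    """Shortest username-with-context that resolves to fqn without subtree
    searching; this reproduces the right-hand column of Table 13-1."""
    best = None
    for ctx in parse_context_list(context_list):
        if fqn.endswith("." + ctx):
            partial = fqn[: -len(ctx) - 1]
            if best is None or len(partial) < len(best):
                best = partial
    return best
```

Without subtree searching, "Odysseus" alone does not resolve against the example context list, because neither o=ABC-Company nor ou=sales.o=ABC-Company contains that user directly; enabling the subtree option finds the object one level down.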

Novell NDS External User Database Options


You create and maintain configurations for Novell NDS database authentication
on the NDS Authentication Support page in Cisco Secure ACS. This page enables
you to add a configuration for a Novell NDS host, change existing host
configurations, and delete existing host configurations in a single submission to
the Cisco Secure ACS web server. Cisco Secure ACS displays information for
each host configured, plus a blank form for creating a host. The configuration
items presented for each host are as follows:
• Add New NDS Host—Appears only on the blank form for a new NDS host.
Selecting this check box confirms that you want to add a new NDS host.
• Delete NDS Host—Appears only on existing NDS host configurations.
Selecting this check box indicates that you want to delete the NDS host
configuration when you click Submit.
• Test Login—Selecting this check box causes Cisco Secure ACS to test the
administrative login to the NDS host when you click Submit. If the login fails,
either because the credentials specified are incorrect or because Cisco Secure
ACS could not connect to the NDS host, Cisco Secure ACS displays an error
message.
• NDS Host—Appears only on the blank form for a new NDS host. The name
of the Novell NDS host configuration you are creating.

Note The name specified in the NDS Host box is an arbitrary name and
does not affect connectivity to the actual computer running Novell
NDS.

• Host IP—The hostname or IP address of the Novell NDS host against which
Cisco Secure ACS should authenticate users. If you specify a hostname, be
sure DNS is operating correctly on your network.
• Administrator Username—The fully qualified, typed username for the
administrator of the Novell server. For example:
uid=admin.ou=Chicago.o=Corporation

You can use anonymous credentials for the administrator username if the
Novell NDS server is configured to make the group name attribute visible in
searches by anonymous credentials. Otherwise, you must specify an
administrator username that permits the group name attribute to be visible to
searches.

Note If the administrator username specified does not have permission to
see the group name attribute in searches, group mapping fails for
users authenticated by Novell NDS.

• Administrator Password—The password for the administrator of the Novell
server.

• Context List—The full context list with each context specified in canonical,
typed form; that is, include the o= and ou= and separate each part of the
context using a period (.). You can enter more than one context list. If you do,
separate them with a comma. For example, if your Organization is
Corporation, your Organization Name is Chicago, and you want to enter two
Context names, Marketing and Engineering, you would type:
ou=Engineering.ou=Chicago.o=Corporation,ou=Marketing.ou=Chicago.o=Corporation

You do not need to add users in the Context List box.

Note Users can provide a portion of their context when they log in. For
more information, see User Contexts, page 13-50.

• Context Subtree—Selecting this check box causes Cisco Secure ACS to
search subtrees for users during authentication. The subtrees searched are
those of the contexts specified in the Context List box.

Configuring a Novell NDS External User Database


Creating a Novell NDS database configuration is a process that provides
Cisco Secure ACS information that enables it to pass authentication requests to
an NDS database. This information reflects the way you have implemented your
NDS database and does not dictate how your NDS database is configured or
functions. For information about your NDS database, refer to your Novell NDS
documentation.

Tip You can allow users to enter their own context as part of the login process. For
more information, see User Contexts, page 13-50.

To configure Novell NDS authentication, follow these steps:

Step 1 See your Novell NetWare administrator to get the names and other information on
the Tree, Container, and Context.
Step 2 In the navigation bar, click External User Databases.
Step 3 Click Database Configuration.

Cisco Secure ACS lists all possible external user database types.
Step 4 Click Novell NDS.
If no Novell NDS database has yet been configured, the Database Configuration
Creation page appears. Otherwise, the External User Database Configuration
page appears.
Step 5 If you are creating a configuration, follow these steps:
a. Click Create New Configuration.
b. Type a name for the new configuration for Novell NDS Authentication in the
box provided.
c. Click Submit.
Cisco Secure ACS lists the new configuration in the External User Database
Configuration table.
Step 6 Click Configure.

Caution If you click Delete, the Cisco Secure ACS configuration for your Novell NDS
database is deleted.

The NDS Authentication Support page appears. The NDS Authentication Support
page enables you to add a configuration for a Novell NDS host, change existing
host configurations, and delete existing host configurations.
For more information about the content of the NDS Authentication Support page,
see Novell NDS External User Database Options, page 13-51.
Step 7 If you want to add a new host configuration, complete the fields in the blank form
at the bottom of the NDS Authentication Support page.

Note You must select the Add New NDS Host check box to confirm that you
want to create a host configuration.

Step 8 If you want to change an existing host configuration, edit the values you need to
change.

Note The name of a host is not changeable. If you need to change a hostname,
click Delete NDS Host? on the misnamed host section and click Submit.
Then, add a new host with the same configuration data as the deleted,
misnamed host, making sure the hostname is correct before clicking
Submit.

Step 9 If you want to delete an existing host configuration, select the Delete Tree check
box.
Step 10 Click Submit.
Cisco Secure ACS saves the NDS configuration you created. You can add it to
your Unknown User Policy or assign specific user accounts to use this database
for authentication. For more information about the Unknown User Policy, see
Unknown User Processing, page 14-2. For more information about configuring
user accounts to authenticate using this database, see Chapter 7, “User
Management.”

LEAP Proxy RADIUS Server Database


For Cisco Secure ACS-authenticated users accessing your network via Cisco
Aironet devices, Cisco Secure ACS supports ASCII, PAP, MS-CHAP (versions 1
and 2), LEAP, and EAP-FAST (phase zero and phase two) authentication with a
proxy RADIUS server. Other authentication protocols are not supported with
LEAP Proxy RADIUS Server databases.

Note Authentication protocols not supported with LEAP Proxy RADIUS Server
databases may be supported by another type of external user database. For more
information about authentication protocols and the external database types that
support them, see Authentication Protocol-Database Compatibility, page 1-9.

Cisco Secure ACS uses MS-CHAP version 1 for LEAP Proxy RADIUS Server
authentication. To manage your proxy RADIUS database, refer to your RADIUS
database documentation.

Lightweight extensible authentication protocol (LEAP) proxy RADIUS server
authentication allows you to authenticate users against existing Kerberos
databases that support MS-CHAP authentication. You can use the LEAP Proxy
RADIUS Server database to authenticate users with any third-party RADIUS
server that supports MS-CHAP authentication.

Note The third-party RADIUS server must return Microsoft Point-to-Point Encryption
(MPPE) keys in the Microsoft RADIUS vendor-specific attribute (VSA)
MSCHAP-MPPE-Keys (VSA 12). If the third-party RADIUS server does not
return the MPPE keys, the authentication fails and is logged in the Failed
Attempts log.

Cisco Secure ACS supports RADIUS-based group specification for users
authenticated by LEAP Proxy RADIUS Server databases. RADIUS-based group
specification overrides group mapping. For more information, see
RADIUS-Based Group Specification, page 15-13.
Cisco Secure ACS supports group mapping for unknown users authenticated by
LEAP Proxy RADIUS Server databases. Group mapping is only applied to an
unknown user if RADIUS-based group specification did not occur. For more
information about group mapping users authenticated by a LEAP Proxy RADIUS
Server database, see Group Mapping by External User Database, page 15-2.

Configuring a LEAP Proxy RADIUS Server External User Database


You should install and configure your proxy RADIUS server before configuring
Cisco Secure ACS to authenticate users with it. For information about installing
the proxy RADIUS server, refer to the documentation included with your
RADIUS server.
To configure LEAP proxy RADIUS authentication, follow these steps:

Step 1 In the navigation bar, click External User Databases.
Step 2 Click Database Configuration.
Cisco Secure ACS displays a list of all possible external user database types.
Step 3 Click LEAP Proxy RADIUS Server.

If no LEAP Proxy RADIUS Server configuration exists, only the Database
Configuration Creation table appears. Otherwise, in addition to the Database
Configuration Creation table, the External User Database Configuration table
appears.
Step 4 If you are creating a configuration, follow these steps:
a. Click Create New Configuration.
b. Type a name for the new configuration for the LEAP Proxy RADIUS Server
in the box provided, or accept the default name in the box.
c. Click Submit.
Cisco Secure ACS lists the new configuration in the External User Database
Configuration table.
Step 5 Under External User Database Configuration, select the name of the LEAP Proxy
RADIUS Server database you need to configure.

Note If only one LEAP Proxy RADIUS Server configuration exists, the name
of that configuration appears instead of the list. Proceed to the next step.

Step 6 Click Configure.
Step 7 In the following boxes, type the required information:
• Primary Server Name/IP—IP address of the primary proxy RADIUS server.
• Secondary Server Name/IP—IP address of the secondary proxy RADIUS
server.
• Shared Secret—The shared secret of the proxy RADIUS server. This must
be identical to the shared secret with which the proxy RADIUS server is
configured.
• Authentication Port—The UDP port over which the proxy RADIUS server
conducts authentication sessions.
• Timeout (seconds):—The number of seconds Cisco Secure ACS waits
before sending notification to the user that the authentication attempt has
timed out.
• Retries—The number of authentication attempts Cisco Secure ACS makes
before failing over to the secondary proxy RADIUS server.

• Failback Retry Delay (minutes)—The number of minutes after which
Cisco Secure ACS attempts authentications using a failed primary proxy
RADIUS server.

Note If both the primary and the secondary servers fail, Cisco Secure
ACS alternates between both servers until one responds.

Step 8 Click Submit.
Cisco Secure ACS saves the LEAP Proxy RADIUS Server database configuration
you created. You can add it to your Unknown User Policy or assign specific user
accounts to use this database for authentication. For more information about the
Unknown User Policy, see Unknown User Processing, page 14-2. For more
information about configuring user accounts to authenticate using this database,
see Chapter 7, “User Management.”

Token Server User Databases


Cisco Secure ACS supports the use of token servers for the increased security
provided by one-time passwords (OTPs).
This section contains the following topics:
• About Token Servers and Cisco Secure ACS, page 13-58
• Token Server RADIUS Authentication Request and Response Contents,
page 13-60
• Configuring a RADIUS Token Server External User Database, page 13-61

About Token Servers and Cisco Secure ACS


Cisco Secure ACS provides ASCII, PAP, and PEAP(EAP-GTC) authentication
using token servers. Other authentication protocols are not supported with token
server databases.

Note Authentication protocols not supported with token server databases may be
supported by another type of external user database. For more information about
authentication protocols and the external database types that support them, see
Authentication Protocol-Database Compatibility, page 1-9.

Requests from the AAA client are first sent to Cisco Secure ACS. Cisco Secure
ACS then acts as a RADIUS client to the token server. Rather than using the
proprietary API of the vendor, Cisco Secure ACS sends standard RADIUS
authentication requests to the RADIUS authentication port on the token server.
The token servers that Cisco Secure ACS Appliance supports by means of their
RADIUS interface are as follows:
• RSA SecurID
• ActivCard
• CRYPTOCard
• Vasco
• SafeWord
• PassGo
• Any IETF RFC 2865-compliant token server
Cisco Secure ACS provides a means for specifying a user group assignment in the
RADIUS response from the RADIUS-enabled token server. Group specification
always takes precedence over group mapping. For more information, see
RADIUS-Based Group Specification, page 15-13.
Cisco Secure ACS also supports mapping users authenticated by a
RADIUS-enabled token server to a single group. Group mapping only occurs if
group specification does not occur. For more information, see Group Mapping by
External User Database, page 15-2.

Token Servers and ISDN


Cisco Secure ACS supports token caching for ISDN terminal adapters and
routers. One inconvenience of using token cards for OTP authentication with
ISDN is that each B channel requires its own OTP. Therefore, a user must enter at
least 2 OTPs, plus any other login passwords, such as those for Windows
networking. If the terminal adapter supports the ability to turn on and off the
second B channel, users might have to enter many OTPs each time the second
B channel comes into service.
Cisco Secure ACS caches the token to help make the OTPs easier for users. This
means that if a token card is being used to authenticate a user on the first
B channel, a specified period can be set during which the second B channel can
come into service without requiring the user to enter another OTP. To lessen the
risk of unauthorized access to the second B channel, you can limit the time the
second B channel is up. Furthermore, you can configure the second B channel to
use the CHAP password specified during the first login to further lessen the
chance of a security problem. When the first B channel is dropped, the cached
token is erased.

Token Server RADIUS Authentication Request and Response Contents
When Cisco Secure ACS forwards an authentication request to a
RADIUS-enabled token server, the RADIUS authentication request contains the
following attributes:
• User-Name (RADIUS attribute 1)
• User-Password (RADIUS attribute 2)
• NAS-IP-Address (RADIUS attribute 4)
• NAS-Port (RADIUS attribute 5)
• NAS-Identifier (RADIUS attribute 32)
Cisco Secure ACS expects to receive one of the following three responses:
• access-accept—No attributes are required; however, the response can
indicate the Cisco Secure ACS group to which the user should be assigned.
For more information, see RADIUS-Based Group Specification, page 15-13.
• access-reject—No attributes required.
• access-challenge—Attributes required, per IETF RFC, are as follows:
– State (RADIUS attribute 24)
– Reply-Message (RADIUS attribute 18)
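The request and response formats listed above, as an added example that is not code from this guide or from Cisco Secure ACS: a minimal RFC 2865 encoder and decoder that builds an Access-Request carrying the five attributes the guide names, hides User-Password with the shared secret the way the RFC prescribes, and verifies a reply's Response Authenticator before trusting its code, insisting that an Access-Challenge carries State (24) and Reply-Message (18). The shared secret, identifiers and attribute values are constructed samples.

```python
# Added example, not code from the Cisco Secure ACS guide: a minimal RFC 2865
# encoder/decoder for the Access-Request that Cisco Secure ACS sends to a
# RADIUS-enabled token server and for the replies it expects. The shared
# secret, identifiers and attribute values below are constructed samples.
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
REPLY_MESSAGE, STATE, NAS_IDENTIFIER = 18, 24, 32

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block), chaining from the Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the token server computes it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, digest))
    return out.rstrip(b"\x00")

def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    # each attribute is Type (1 byte), Length (1 byte, header included), Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data: bytes) -> Dict[int, List[bytes]]:
    attrs: Dict[int, List[bytes]] = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.setdefault(t, []).append(data[i + 2:i + length])
        i += length
    return attrs

def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         nas_ip: str, nas_port: int, nas_id: str,
                         authenticator: Optional[bytes] = None,
                         state: Optional[bytes] = None) -> bytes:
    """The five attributes the guide lists; State is added when the request
    answers an Access-Challenge."""
    authenticator = authenticator or os.urandom(16)   # fresh and random per request
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             (NAS_PORT, struct.pack("!I", nas_port)),
             (NAS_IDENTIFIER, nas_id.encode())]
    if state is not None:
        attrs.append((STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def build_response(code: int, ident: int, request_authenticator: bytes,
                   secret: bytes, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_authenticator + body + secret).digest() + body

def parse_response(packet: bytes, ident: int, request_authenticator: bytes,
                   secret: bytes) -> Tuple[int, Dict[int, List[bytes]]]:
    """Client side: check length, Identifier and Response Authenticator before
    trusting the code or any attribute; a challenge must carry State and
    Reply-Message, as the guide states."""
    if len(packet) < 20 or len(packet) != int.from_bytes(packet[2:4], "big"):
        raise ValueError("bad packet length")
    if packet[1] != ident:
        raise ValueError("Identifier does not match the outstanding request")
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: discard the packet")
    code, attrs = packet[0], decode_attrs(body)
    if code == ACCESS_CHALLENGE and (STATE not in attrs or REPLY_MESSAGE not in attrs):
        raise ValueError("Access-Challenge without State and Reply-Message")
    return code, attrs
```

Two points worth noting from the code: the User-Password hiding is reversible by anyone who holds the shared secret and sees the packet, so the secret's strength and the UDP path between Cisco Secure ACS and the token server are what protect the OTP in transit; and a reply whose Response Authenticator does not verify is discarded rather than acted on, which is what keeps a forged Access-Accept from being honoured.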

Configuring a RADIUS Token Server External User Database


Use this procedure to configure a token server external user database in
Cisco Secure ACS.
Before You Begin
You should install and configure your RADIUS-enabled token server before
configuring Cisco Secure ACS to authenticate users with it. For information about
installing the RADIUS-enabled token server, refer to the documentation included
with your token server.
To configure Cisco Secure ACS to authenticate users with a token server, follow
these steps:

Step 1 In the navigation bar, click External User Databases.
Step 2 Click Database Configuration.
Cisco Secure ACS displays a list of all possible external user database types.
Step 3 Click the link for the applicable token server.

Note If you are using a token server from a vendor other than those listed in the
HTML interface, select RADIUS Token Server.

The Database Configuration Creation table appears. If at least one configuration
exists for the selected external user database type, the External User Database
Configuration table also appears.
Step 4 If you are creating a configuration, follow these steps:
a. Click Create New Configuration.
b. Type a name for the new configuration for the token server in the box
provided, or accept the default name in the box.
c. Click Submit.
Cisco Secure ACS lists the new configuration in the External User Database
Configuration table.
Step 5 Under External User Database Configuration, select the name of the
RADIUS-enabled token server you need to configure.

Note If only one token server configuration exists, the name of that
configuration appears instead of the list. Continue with Step 6.

Step 6 Click Configure.
Step 7 In the following boxes, type the required information:
• Primary Server Name/IP—The hostname or IP address of the primary token
server. If you provide the hostname, the hostname must be resolvable by
DNS.
• Secondary Server Name/IP—The hostname or IP address of the secondary
token server. If you provide the hostname, the hostname must be resolvable
by DNS.
• Shared Secret—The shared secret of the token server. This must be identical
to the shared secret with which the token server is configured.
• Authentication Port—The UDP port over which the token server conducts
RADIUS authentication sessions.

Note For Cisco Secure ACS to send RADIUS OTP messages to a token
server, you must ensure that gateway devices between the token
server and Cisco Secure ACS allow communication over the
UDP port specified in the Authentication Port box.

• Timeout (seconds)—The number of seconds Cisco Secure ACS waits for a
response from the token server before retrying the authentication request.
• Retries—The number of authentication attempts Cisco Secure ACS makes
before failing over to the secondary token server.
• Failback Retry Delay (minutes)—The number of minutes that Cisco Secure
ACS sends authentication requests to the secondary server when the primary
server has failed. When this duration is ended, Cisco Secure ACS reverts to
sending authentication requests to the primary server.

Note If both the primary and the secondary servers fail, Cisco Secure
ACS alternates between both servers until one responds.


Step 8 If you want to support token users performing a shell login to a TACACS+ AAA
Client, you must configure the options in the TACACS+ Shell Configuration
table. Do one of the following:
a. If you want Cisco Secure ACS to present a custom prompt for tokens, select
Static (sync and async tokens), and then type the prompt that Cisco Secure
ACS will present in the Prompt box.
For example, if you type “Enter your PassGo token” in the Prompt box, users
receive an “Enter your PassGo token” prompt rather than a password prompt.

Note If some tokens submitted to this server are synchronous tokens, you
must use the Static (sync and async tokens) option.

b. If you want Cisco Secure ACS to send the token server a password to trigger
a challenge, select From Token Server (async tokens only), and then, in the
Password box, type the password that Cisco Secure ACS will forward to the
token server.
For example, if the token server requires the string “challengeme” in order to
evoke a challenge, you should type “challengeme” in the Password box. Users
receive a username prompt and a challenge prompt.

Tip Most token server vendors accept a blank password as the trigger to send
a challenge prompt.

Note You should only use the From Token Server (async tokens only)
option if all tokens submitted to this token server are asynchronous
tokens.

Step 9 Click Submit.


Cisco Secure ACS saves the token server database configuration you created. You
can add it to your Unknown User Policy or assign specific user accounts to use
this database for authentication. For more information about the Unknown User
Policy, see Unknown User Processing, page 14-2. For more information about
configuring user accounts to authenticate using this database, see Chapter 7,
“User Management.”

Deleting an External User Database Configuration


If you no longer need a particular external user database configuration, you can
delete it from Cisco Secure ACS.
To delete an external user database configuration, follow these steps:

Step 1 In the navigation bar, click External User Databases.


Step 2 Click Database Configuration.
Cisco Secure ACS lists all possible external user database types.
Step 3 Click the external user database type for which you want to delete a configuration.
The External User Database Configuration table appears.
Step 4 If a list appears in the External User Database Configuration table, select the
configuration you want to delete. Otherwise, proceed to Step 5.
Step 5 Click Delete.
A confirmation dialog box appears.
Step 6 Click OK to confirm that you want to delete the selected external user database
configuration.
The external user database configuration you selected is deleted from
Cisco Secure ACS.

C H A P T E R 14
Unknown User Policy

After you have configured Cisco Secure Access Control Server (ACS) Appliance
to communicate with an external user database, you can decide how to implement
other Cisco Secure ACS features related to external user databases. These features
are the Unknown User Policy and user group mapping. This chapter addresses the
Unknown User Policy feature, found in the External User Databases section of
Cisco Secure ACS.
For information about user group mapping, see Chapter 15, “User Group
Mapping and Specification.”
For information about the databases supported by Cisco Secure ACS and how to
configure Cisco Secure ACS to communicate with an external user database, see
Chapter 13, “User Databases.”
This chapter contains the following topics:
• Unknown User Processing, page 14-2
• Known, Unknown, and Discovered Users, page 14-2
• General Authentication Request Handling and Rejection Mode, page 14-4
• Authentication Request Handling and Rejection Mode with the Windows
User Database, page 14-5
• Performance of Unknown User Authentication, page 14-8
• Network Access Authorization, page 14-9
• Unknown User Policy, page 14-9


Unknown User Processing


Unknown users are users who are not listed in the Cisco Secure ACS database.
The Unknown User feature is a form of authentication forwarding. In essence, this
feature is an extra step in the authentication process. In this additional step of the
authentication process, if the username does not exist in the Cisco Secure ACS
database, Cisco Secure ACS forwards the authentication request of an incoming
username and password to external databases with which it is configured to
communicate.
The Unknown User feature enables Cisco Secure ACS to use a variety of external
databases in addition to its own internal database to authenticate incoming user
requests. With this feature, Cisco Secure ACS provides the foundation for a basic
single sign-on capability by integrating network and host-level access control.
Because the incoming usernames and passwords of users dialing in can be
authenticated with external user databases, there is no need for the network
administrator to maintain a duplicate list within Cisco Secure ACS. This provides
two advantages to the Cisco Secure ACS administrator:
• Eliminates the necessity of entering every user multiple times.
• Prevents data-entry errors that are inherent to manual procedures.
The Unknown User feature also enables phase one of PEAP authentication to
succeed when the username provided in phase one is unknown. For more
information, see PEAP and the Unknown User Policy, page 10-9.

Known, Unknown, and Discovered Users


The Unknown User feature implements three categories of users in Cisco Secure
ACS. Each category is treated differently:
• Known Users—Users explicitly added, either manually or automatically,
into the Cisco Secure ACS database.
These are users added through User Setup in the HTML interface, by the
RDBMS Synchronization feature, or by the Database Replication feature. In
the CiscoSecure user database, each user must have an assigned password and
must be explicitly associated with a particular authentication database.
• Unknown Users—Users who have no account entry in the CiscoSecure user
database. Such users have never previously authenticated with Cisco Secure
ACS. If the Unknown User Policy is configured in Cisco Secure ACS,
Cisco Secure ACS attempts to authenticate these users with external user
databases.
• Discovered Users—Users whose accounts were created in the Cisco Secure
ACS database when Cisco Secure ACS successfully authenticated them using
the Unknown User Policy. When Cisco Secure ACS creates a discovered
user, the user account contains only the username, a Password Authentication
list setting that reflects the external user database that authenticated the user,
and a “Group to which the user is assigned” list setting of Mapped By
External Authenticator, which enables group mapping. Using the
Cisco Secure ACS HTML interface, you can further configure the user
account as needed. For example, after a discovered user is created in
Cisco Secure ACS, you can assign user-specific network access restrictions
to the discovered user.

Note Cisco Secure ACS does not import passwords for a discovered user;
rather, Cisco Secure ACS creates the user account with the Password
Authentication list set to the external user database that originally
authenticated the user.

All discovered users were once unknown users. The authentication process
for discovered users is identical to the authentication process for known
users.

Note We recommend removing a username from a database when the privileges
associated with that username are no longer required.


General Authentication Request Handling and
Rejection Mode
If you have configured the Unknown User Policy in Cisco Secure ACS,
Cisco Secure ACS attempts to authenticate users as follows:
1. Cisco Secure ACS checks its internal user database. If the user exists in the
CiscoSecure user database (that is, is a known or discovered user),
Cisco Secure ACS tries to authenticate the user with the specified password
type against the specified database. Authentication for that user either passes
or fails, depending on other procedures in the normal authentication process.
2. If the user does not exist in the CiscoSecure user database (that is, is an
unknown user), Cisco Secure ACS tries each configured external database in
the order specified in the Selected Databases list. If the user passes
authentication against one of the external databases, Cisco Secure ACS
automatically adds the user to the CiscoSecure user database, with a pointer
to use the password type and database that succeeded on this authentication
attempt. Users added by unknown user processing are flagged as such within
the CiscoSecure user database and are called discovered users.
The next time the discovered user tries to authenticate, Cisco Secure ACS
authenticates the user against the database that was successful the first time.
Discovered users are treated the same as known users.
3. If the unknown user fails authentication with all configured external
databases, the user is not added to the CiscoSecure user database, and the
authentication request is rejected.
Because usernames in the CiscoSecure user database must be unique,
Cisco Secure ACS supports a single instance of any given username across all the
databases it is configured to use. For example, assume every external user
database contains a user account with the username John. Each account is for a
different user, but they each, coincidentally, have the same username. After the
first John attempts to access the network and has authenticated through the
unknown user process, Cisco Secure ACS retains a discovered user account for
that John and only that John. Now, Cisco Secure ACS tries to authenticate
subsequent attempts by any user named John using the same external user
database that originally authenticated John. Assuming their passwords are
different than the password for the John who authenticated first, the other Johns
are unable to access the network.


Note The scenario given above is handled differently if the user accounts with identical
usernames exist in separate Windows domains. For more information, see
Authentication Request Handling and Rejection Mode with the Windows User
Database, page 14-5.
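The three-step process described above, as an added simulation that is not Cisco code: a minimal model of the CiscoSecure user database, an ordered Selected Databases list, discovered-user creation, the single-username limitation (the "John" scenario), the Fail the attempt policy, and the AAA client timeout discussed later in this chapter. The database names, accounts, passwords and per-database latencies are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ExternalDatabase:
    """One entry in the Selected Databases list (constructed sample data)."""
    name: str
    accounts: Dict[str, str]   # username -> password held by the external database
    latency_s: float = 0.0     # seconds this database needs to answer one request

    def authenticate(self, username: str, password: str) -> bool:
        return self.accounts.get(username) == password


@dataclass
class UserRecord:
    """An account in the CiscoSecure user database."""
    password_auth: str               # "CiscoSecure" or the name of the external database
    password: Optional[str] = None   # stored only for internally authenticated users
    discovered: bool = False         # True when created by unknown user processing


class CiscoSecureACS:
    def __init__(self, selected: List[ExternalDatabase], fail_the_attempt: bool = False,
                 aaa_client_timeout_s: float = 5.0) -> None:
        self.users: Dict[str, UserRecord] = {}
        self.selected = list(selected)                    # Selected Databases, in order
        self.fail_the_attempt = fail_the_attempt          # Unknown User Policy: Fail the attempt
        self.aaa_client_timeout_s = aaa_client_timeout_s  # AAA client default is 5 seconds

    def add_known_user(self, username: str, password: str) -> None:
        self.users[username] = UserRecord("CiscoSecure", password)

    def _database(self, name: str) -> ExternalDatabase:
        return next(db for db in self.selected if db.name == name)

    def authenticate(self, username: str, password: str) -> Tuple[str, float]:
        """Return (result, seconds taken); result is 'pass', 'fail' or 'timeout'."""
        elapsed = 0.0
        record = self.users.get(username)
        if record is not None:
            # Step 1: known or discovered user: only the database the account points to is used
            if record.password_auth == "CiscoSecure":
                return ("pass" if record.password == password else "fail", elapsed)
            db = self._database(record.password_auth)
            elapsed += db.latency_s
            if elapsed > self.aaa_client_timeout_s:
                return ("timeout", elapsed)
            return ("pass" if db.authenticate(username, password) else "fail", elapsed)
        # Step 2: unknown user: walk the Selected Databases list in the configured order
        if self.fail_the_attempt:
            return ("fail", elapsed)
        for db in self.selected:
            elapsed += db.latency_s
            if elapsed > self.aaa_client_timeout_s:
                # the AAA client gave up before ACS could answer, so the request fails
                return ("timeout", elapsed)
            if db.authenticate(username, password):
                # discovered user: just the username and a pointer to the database that succeeded
                self.users[username] = UserRecord(db.name, discovered=True)
                return ("pass", elapsed)
        # Step 3: every database rejected the user; no account is created
        return ("fail", elapsed)


def demo() -> Dict[str, object]:
    """Walk through the scenarios in the text with constructed accounts."""
    token = ExternalDatabase("Token Server", {"john": "0412-8831"}, latency_s=0.5)
    ldap = ExternalDatabase("Generic LDAP", {"john": "Summer2003", "bob": "b0bPass"}, latency_s=2.0)
    acs = CiscoSecureACS([token, ldap])
    acs.add_known_user("carol", "c4r0l")
    r: Dict[str, object] = {}
    r["known_carol"] = acs.authenticate("carol", "c4r0l")[0]        # pass, internal database
    r["first_john"] = acs.authenticate("john", "0412-8831")[0]      # pass, becomes discovered
    r["john_pinned_to"] = acs.users["john"].password_auth           # "Token Server"
    r["second_john"] = acs.authenticate("john", "Summer2003")[0]    # fail: LDAP's John is never tried
    r["bob"] = acs.authenticate("bob", "b0bPass")[0]                # pass via the second database
    r["mallory"] = acs.authenticate("mallory", "guess")[0]          # fail everywhere
    r["mallory_added"] = "mallory" in acs.users                     # False: nothing is created
    strict = CiscoSecureACS([token, ldap], fail_the_attempt=True)
    r["policy_fail"] = strict.authenticate("john", "0412-8831")[0]  # fail: forwarding disabled
    hasty = CiscoSecureACS([token, ldap], aaa_client_timeout_s=1.0)
    r["short_timeout"] = hasty.authenticate("bob", "b0bPass")[0]    # timeout: 2.5 s > 1.0 s
    return r
```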

Authentication Request Handling and Rejection
Mode with the Windows User Database
Cisco Secure ACS treats authentication with a Windows user database as a special
case. Windows can provide added functionality to the remote access
authentication process. Perhaps the most important aspect of this added
functionality is support for multiple occurrences of the same username across the
trusted domains against which Cisco Secure ACS authenticates access requests.
To perform Windows authentication, a Cisco Secure ACS Appliance must use
Cisco Secure ACS Remote Agent for Windows to communicate with Windows
SAM or Active Directory user databases. On the computer running the remote
agent, Windows uses its built-in facilities to forward the authentication requests
to the appropriate domain controller. There are two possible scenarios to consider,
as discussed in this section.
For more information about remote agents, see Installation and Configuration
Guide for Cisco Secure ACS Remote Agents.
This section contains the following topics:
• Windows Authentication with a Domain Specified, page 14-5
• Windows Authentication with Domain Omitted, page 14-6

Windows Authentication with a Domain Specified


When a domain name is supplied as part of an authentication request, Cisco Secure
ACS detects that a domain name was supplied and tries the authentication
credentials against the specified domain. The dial-up networking clients provided
with various Windows versions differ in the method by which users can specify
their domains. For more information, see Windows Dial-up Networking Clients,
page 13-9.
If the domain controller rejects the authentication request, Cisco Secure ACS logs
the request as a failed attempt.
For Windows 95, Windows 98, Windows ME, and Windows XP Home, the
dial-up networking client provided with Windows only allows users to specify
their domains by submitting the usernames in a domain-qualified format, that is,
DOMAIN\username. Using a domain-qualified username allows Cisco Secure
ACS to differentiate a user from multiple instances of the same username in
different domains. For unknown users who provide domain-qualified usernames
and who are authenticated by a Windows user database, Cisco Secure ACS
creates their user accounts in the CiscoSecure user database in the form
DOMAIN\username. The combination of username and domain makes this user
unique in the Cisco Secure ACS database.

Note Cisco Secure ACS does not support the user@domain form of qualified
usernames.

It is possible for unknown user processing to create more than one user account
for the same network user. For example, if a user provides a domain-qualified
username and successfully authenticates, Cisco Secure ACS creates an account in
the format DOMAIN\username. If the same user successfully authenticates
without prefixing the domain name to the username, Cisco Secure ACS creates an
account in the format username. If you rely on groups rather than individual user
settings, both accounts should receive the same privileges. Regardless of whether
the user prefixes the domain name, group mapping will assign the user to the same
Cisco Secure ACS user group, because both Cisco Secure ACS user accounts
correspond to a single Windows user account.

Windows Authentication with Domain Omitted


If a domain identifier is not supplied as part of the authentication process, the
Windows operating system of the computer running the remote agent follows a
more complex authentication order that neither the Cisco Secure ACS Appliance
nor the remote agent can control. Though the order of resources used can
differ, when searching for a non-domain qualified username, Windows usually
follows the order in the list below:
• The local domain controller.
• The domain controllers in any trusted domains.
• If the remote agent runs on a member server, the local accounts database.
Windows attempts to authenticate the user with the first account it finds whose
username matches the one passed to Windows by the remote agent. Whether
authentication fails or succeeds, Windows does not search for other accounts with
the same username; therefore, Windows can fail to authenticate a user who
supplies valid credentials because Windows may check the supplied credentials
against the wrong account that coincidentally has an identical username.
You can circumvent this difficulty by using the Domain List in the Cisco Secure
ACS configuration for the Windows user database. If you have configured the
Domain List with a list of trusted domains, Cisco Secure ACS submits the
username and password to each domain in the list, using a domain-qualified
format, until Cisco Secure ACS successfully authenticates the user or until
Cisco Secure ACS has tried each domain listed in the Domain List.

Note If your network has multiple occurrences of a username across domains (for
example, every domain has a user called Administrator) or if users dialing in do
not provide their domains as part of their authentication credentials, be sure to
configure the Domain List for the Windows user database in the External User
Databases section. If not, only the user whose account Windows happens to check
first authenticates successfully. The Domain List is the only way that
Cisco Secure ACS controls the order in which Windows checks domains. The
most reliable method of supporting multiple instances of a username across
domains is to require users to supply their domain memberships as part of the
authentication request.
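The failure mode described in this section, as an added simulation that is not Cisco code: a non-qualified logon stops at the first account Windows finds with that name, while an ACS Domain List retries each listed domain in domain-qualified form. The domain names, accounts, passwords and the Windows search order are constructed; the local accounts database of a member server is not modelled.

```python
from typing import Dict, List, Optional

# Constructed sample: each domain's account database, username -> password.
DOMAINS: Dict[str, Dict[str, str]] = {
    "CORP":  {"administrator": "corp-adm-1", "jsmith": "js-corp"},
    "LAB":   {"administrator": "lab-adm-2"},
    "SALES": {"jsmith": "js-sales"},
}

# Order in which Windows on the remote agent host happens to search when no
# domain is given (local domain controller first, then trusted domains). The
# guide notes this order can vary and is outside the control of ACS and the agent.
WINDOWS_SEARCH_ORDER: List[str] = ["CORP", "LAB", "SALES"]


def authenticate_qualified(qualified: str, password: str) -> Optional[str]:
    """Check a DOMAIN\\username credential against that one domain only.
    Returns the domain on success, None on failure. ACS does not support the
    user@domain form, so '@' is deliberately not parsed here."""
    domain, sep, username = qualified.partition("\\")
    if not sep:
        return None
    return domain if DOMAINS.get(domain, {}).get(username) == password else None


def windows_native(username: str, password: str,
                   order: List[str] = WINDOWS_SEARCH_ORDER) -> Optional[str]:
    """Non-qualified logon: Windows stops at the first account whose name matches
    and checks the password against that account alone, even if it is the wrong one."""
    for domain in order:
        if username in DOMAINS[domain]:
            return authenticate_qualified(f"{domain}\\{username}", password)
    return None


def acs_with_domain_list(username: str, password: str,
                         domain_list: List[str]) -> Optional[str]:
    """With a Domain List configured, ACS submits DOMAIN\\username for each listed
    domain in turn until one succeeds or the list is exhausted."""
    for domain in domain_list:
        if authenticate_qualified(f"{domain}\\{username}", password) is not None:
            return domain
    return None
```

The LAB administrator with a correct password is rejected by the native lookup because CORP\administrator is found first, but succeeds through the Domain List or by supplying LAB\administrator directly.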


Performance of Unknown User Authentication


Processing authentication requests for unknown users requires slightly more time
than processing authentication requests for known users. This small delay may
require additional configuration on the AAA clients through which unknown
users may attempt to access your network.

Added Latency
Adding external databases against which to process unknown users can
significantly increase the time needed for each individual authentication. At best,
the time needed for each authentication is the time taken by the external database
to authenticate, plus some latency for Cisco Secure ACS processing. In some
circumstances (for example, when using a Windows user database), the extra
latency introduced by an external database can be as much as tens of seconds. If
you have configured multiple databases, this number is multiplied by the time
taken for each one to complete.
You can account for added latency by setting the order of databases. If you are
using an authentication protocol that is particularly time sensitive, such as PEAP,
we recommend configuring unknown user processing to attempt authentication
first with the database most likely to contain unknown users using the
time-sensitive protocol. For more information, see Database Search Order,
page 14-10.

Authentication Timeout Value on AAA clients


Be sure to increase the AAA client timeout to accommodate the longer
authentication time required for Cisco Secure ACS to pass the authentication
request to the external databases. If the AAA client timeout value is not set high
enough to account for the delay required by unknown user authentication, the
AAA client times out the request and every unknown user authentication fails.
The default AAA client timeout value is 5 seconds. If you have Cisco Secure ACS
configured to search through several databases or if your databases are large, you
might need to increase this value in your AAA client configuration file. For more
information, refer to your Cisco IOS documentation.


Network Access Authorization


While the Unknown User Policy allows authentication requests to be forwarded
to external user databases, all responsibility for the authorization parameters
provided to the AAA client remains with Cisco Secure ACS. External user
databases provide authentication services, and Cisco Secure ACS then provides
the additional authorization information that is sent to the AAA client in the
RADIUS or TACACS+ response packet. For more information about assignment
of user authorization, see Chapter 15, “User Group Mapping and Specification.”

Unknown User Policy


You can configure how Cisco Secure ACS processes unknown users on the
Configure Unknown User Policy page, in the External User Databases section of
the HTML interface. The Configure Unknown User Policy page contains the
following fields:
• Unknown User Policy—Defines what action Cisco Secure ACS takes if it
does not find a matching username in its database. There are two options for
controlling the Unknown User Policy:
– Fail the attempt—Disables unknown user processing. Cisco Secure
ACS rejects authentication requests for any user not found in the
CiscoSecure user database.
– Check the following external user databases—Enables unknown user
processing. Cisco Secure ACS uses databases in the Selected Databases
list to authenticate users that are not found in the CiscoSecure user
database.
• External Databases—Lists the external user databases that Cisco Secure
ACS does not use to authenticate unknown users.
• Selected Databases—Lists the external user databases that Cisco Secure
ACS uses to authenticate an unknown user (if the Check the following
external user databases option is selected). Cisco Secure ACS attempts
authentication using the selected databases one at a time in the order
specified. For more information about the significance of the order of
selected databases, see Database Search Order, page 14-10.


For more information about configuring your Unknown User Policy, see
Configuring the Unknown User Policy, page 14-10.

Database Search Order


You can configure the order in which Cisco Secure ACS checks the selected
external databases when Cisco Secure ACS attempts to authenticate unknown
users. If the first database in the Selected Databases list fails the authentication
request for the unknown user, Cisco Secure ACS checks the next database listed,
and so on down the Selected Databases list, in the order listed, until the user
authenticates or until Cisco Secure ACS has tried all the databases listed.
Authentication with a Windows user database is more complex. (For more
information about Windows authentication, see Authentication Process with
Windows User Databases, page 13-8.) If Cisco Secure ACS does not find the user
in any of the listed databases, authentication fails.
The order in which the databases appear in the Selected Databases list is
important. To determine how to order databases in the Selected Databases list,
follow these recommendations:
• Place databases that will allow most authentications to succeed as near to the
top of the list as possible.
• Place databases associated with particularly time-sensitive AAA clients or
authentication protocols as near to the top of the list as possible.
For example, if wireless LAN users access your network with PEAP, arrange
the databases in the Selected Databases list so that unknown user processing
takes less than the timeout value specified on the Cisco Aironet Access Point.

Configuring the Unknown User Policy


In Cisco Secure ACS, an unknown user is defined as a user for whom no account
has been created within the CiscoSecure user database.
To specify how Cisco Secure ACS should handle users who are not in the
CiscoSecure user database, follow these steps:

Step 1 In the navigation bar, click External User Databases.


Step 2 Click Unknown User Policy.


Step 3 To deny authentication requests for any unknown user, select the Fail the
attempt option.
Step 4 To allow authentication requests for unknown users, follow these steps:
a. Select the Check the following external user databases option.
b. For each database you need Cisco Secure ACS to use when attempting to
authenticate unknown users, select the database in the External Databases list
and click --> (right arrow button) to move it to the Selected Databases list. To
remove a database from the Selected Databases list, select the database, and
then click <-- (left arrow button) to move it back to the External Databases
list.
c. To assign the order in which Cisco Secure ACS should use the selected
external databases when attempting to authenticate an unknown user, select
a database name from the Selected Databases list and click Up or Down to
move it into the position you want.

Tip Place at the top of the list databases that are most likely to authenticate
unknown users or those databases that are associated with AAA clients or
authentication protocols that are particularly time-sensitive, such as
PEAP.

d. Repeat Step a through Step c until the selected databases are in the order
needed.
Step 5 Click Submit.
Cisco Secure ACS saves and implements the Unknown User Policy configuration
you created. Cisco Secure ACS attempts to authenticate unknown users using the
databases in the order listed in the Selected Databases list.

Turning off External User Database Authentication


You can configure Cisco Secure ACS so that users who are not in the CiscoSecure
user database are not permitted to authenticate.


To turn off external user database authentication, follow these steps:

Step 1 In the navigation bar, click External User Databases.


Step 2 Click Unknown User Policy.
Step 3 Select the Fail the attempt option.
Step 4 Click Submit.
Unknown user processing is halted. Cisco Secure ACS does not allow unknown
users to authenticate with external user databases.

C H A P T E R 15
User Group Mapping and
Specification

This chapter provides information about group mapping and specification.


Cisco Secure Access Control Server (ACS) Appliance uses these features to
assign users authenticated by an external user database to a single Cisco Secure
ACS group.
This chapter contains the following topics:
• About User Group Mapping and Specification, page 15-1
• Group Mapping by External User Database, page 15-2
• Group Mapping by Group Set Membership, page 15-4
• RADIUS-Based Group Specification, page 15-13

About User Group Mapping and Specification


The Database Group Mapping feature in the External User Databases section
enables you to associate unknown users with a Cisco Secure ACS group for
assigning authorization profiles. For external user databases from which
Cisco Secure ACS can derive group information, you can associate the group
memberships defined for the users in the external user database to specific
Cisco Secure ACS groups. For Windows user databases, group mapping is further
specified by domain, because each domain maintains its own user database. For
Novell NDS user databases, group mapping is further specified by trees, because
Cisco Secure ACS supports multiple trees in a single Novell NDS user database.


In addition to the Database Group Mapping feature, for some database types,
Cisco Secure ACS supports RADIUS-based group specification.

Group Mapping by External User Database


You can map an external database to a Cisco Secure ACS group. Unknown users
who authenticate using the specified database automatically belong to, and inherit
the authorizations of, the group. For example, you could configure Cisco Secure
ACS so that all unknown users who authenticate with a certain token server
database belong to a group called Telecommuters. You could then assign a group
setup that is appropriate for users who are working away from home, such as
MaxSessions=1. Or you could configure restricted hours for other groups, but
give unrestricted access to Telecommuters group members.
While you can configure Cisco Secure ACS to map all unknown users found in
any external user database type to a single Cisco Secure ACS group, for the
following external user database types a mapping to a single Cisco Secure ACS
group is the only kind of mapping available:
• LEAP Proxy RADIUS server
• ActivCard token server
• PassGo token server
• CRYPTOCard token server
• RADIUS token server
• RSA SecurID token server
• SafeWord token server
• Vasco token server
For a subset of the external user database types listed above, group mapping by
external database type is overridden on a user-by-user basis when the external
user database specifies a Cisco Secure ACS group with its authentication
response. Cisco Secure ACS supports specification of group membership for the
following external user database types:
• LEAP Proxy RADIUS server
• ActivCard token server
• CRYPTOCard token server
• RADIUS token server
• Vasco token server
For more information about specifying group membership for users authenticated
with one of these database types, see RADIUS-Based Group Specification,
page 15-13.

Creating a Cisco Secure ACS Group Mapping for a Token Server
or LEAP Proxy RADIUS Server Database
To set or change a token server or LEAP Proxy RADIUS Server database group
mapping, follow these steps:

Step 1 In the navigation bar, click External User Databases.


Step 2 Click Database Group Mappings.
Step 3 Click the name of the token server or LEAP Proxy RADIUS Server database
configuration for which you want to configure a group mapping.
The Define Group Mapping table appears.
Step 4 From the Select a default group for database list, click the group to which users
authenticated with this database should be assigned.

Tip The Select a default group for database list displays the number of users
assigned to each group.

Step 5 Click Submit.


Cisco Secure ACS assigns unknown and discovered users authenticated by the
external database type you selected in Step 3 to the Cisco Secure ACS group
selected in Step 4. For users authenticated by an ActivCard, CRYPTOCard,
SafeWord, Vasco, PassGo, RADIUS Token Server, or LEAP Proxy RADIUS
Server database, the mapping is only applied as a default if those databases did
not specify a Cisco Secure ACS group for the user.


Note For more information about group specification for RADIUS token
servers, see RADIUS-Based Group Specification, page 15-13.

Group Mapping by Group Set Membership


You can create group mappings for some external user databases based on the
combination of external user database groups to which users belong. The
following are the external user database types for which you can create group
mappings based on group set membership:
• Windows Database
• Novell NDS
• Generic LDAP

Note Windows user databases are defined by domain name.

When you configure a Cisco Secure ACS group mapping based on group set
membership, you can add one or many external user database groups to the set.
For Cisco Secure ACS to map a user to the specified Cisco Secure ACS group, the
user must match all external user database groups in the set.
As an example, you could configure a group mapping for users who belong to
both the Engineering and Tokyo groups and a separate one for users who belong
to both Engineering and London. You could then configure separate group
mappings for the combinations of Engineering-Tokyo and Engineering-London
and configure different access times for the Cisco Secure ACS groups to which
they map. You could also configure a group mapping that only included the
Engineering group that would map other members of the Engineering group who
were not members of Tokyo or London.


Group Mapping Order


Cisco Secure ACS always maps users to a single Cisco Secure ACS group, yet a
user can belong to more than one group set mapping. For example, a user, John,
could be a member of the group combination Engineering and California, and at
the same time be a member of the group combination Engineering and Managers.
If there are Cisco Secure ACS group set mappings for both these combinations,
Cisco Secure ACS has to determine to which group John should be assigned.
Cisco Secure ACS prevents conflicting group set mappings by assigning a
mapping order to the group set mappings. When a user authenticated by an
external user database is to be assigned to a Cisco Secure ACS group,
Cisco Secure ACS starts at the top of the list of group mappings for that database.
Cisco Secure ACS checks the user group memberships in the external user
database against each group mapping in the list sequentially. Upon finding the
first group set mapping that matches the external user database group
memberships of the user, Cisco Secure ACS assigns the user to the Cisco Secure
ACS group of that group mapping and terminates the mapping process.
Clearly, the order of group mappings is important because it affects the network
access and services allowed to users. When defining mappings for users who
belong to multiple groups, make sure they are in the correct order so that users are
granted the correct group settings.
For example, a user, Mary, is assigned to the three-group combination of
Engineering, Marketing, and Managers. Mary should be granted the privileges of
a manager rather than an engineer. Mapping A assigns users who belong to all
three groups Mary is in to Cisco Secure ACS Group 2. Mapping B assigns users
who belong to the Engineering and Marketing groups to Cisco Secure ACS
Group 1. If Mapping B is listed first, Cisco Secure ACS authenticates Mary as a
user of Group 1, and she is assigned to Group 1 rather than Group 2, as
managers should be.

No Access Group for Group Set Mappings


To prevent remote access for users assigned a group by a particular group set
mapping, assign the group to the Cisco Secure ACS No Access group. For
example, you could assign all members of an external user database group
“Contractors” to the No Access group so they could not dial in to the network
remotely.


Default Group Mapping for Windows


For Windows user databases, Cisco Secure ACS includes the ability to define a
default group mapping. If no other group mapping matches an unknown user
authenticated by a Windows user database, Cisco Secure ACS assigns the user to
a group based on the default group mapping.
Configuring the default group mapping for Windows user databases is the same
as editing an existing group mapping, with one exception. When editing the
default group mapping for Windows, instead of selecting a valid domain name on
the Domain Configurations page, select \DEFAULT.
For more information about editing an existing group mapping, see Editing a
Windows, Novell NDS, or Generic LDAP Group Set Mapping, page 15-8.

Creating a Cisco Secure ACS Group Mapping for Windows, Novell NDS, or Generic LDAP Groups

To map a Windows, Novell NDS, or generic LDAP group to a Cisco Secure ACS group, follow these steps:

Step 1 In the navigation bar, click External User Databases.


Step 2 Click Database Group Mappings.
Step 3 Click the external user database name for which you want to configure a group
mapping.
If you are mapping a Windows group set, the Domain Configurations table
appears. If you are mapping an NDS group set, the NDS Trees table appears.
Otherwise, the Group Mappings for database Users table appears.
Step 4 If you are mapping a Windows group set for a new domain, follow these steps:
a. Click New configuration.
The Define New Domain Configuration page appears.
b. If the Windows domain for which you want to create a group set mapping
configuration appears in the Detected domains list, select the name of the
domain.


Tip To clear your domain selection, click Clear Selection.

c. If the Windows domain for which you want to create a group set mapping
does not appear in the Detected domains list, type the name of a trusted
Windows domain in the Domain box.
d. Click Submit.
The new Windows domain appears in the list of domains in the Domain
Configurations page.
Step 5 If you are mapping a Windows group set, click the domain name for which you
want to configure a group set mapping.
The Group Mappings for Domain: domainname table appears.
Step 6 If you are mapping a Novell NDS group set, click the name of the Novell NDS
tree for which you want to configure group set mappings.
The Group Mappings for NDS Users table appears.
Step 7 Click Add Mapping.
The Create new group mapping for database page opens. The group list displays
group names derived from the external user database.
Step 8 For each group to be added to the group set mapping, select the name of the
applicable external user database group in the group list, and then click Add to
selected.

Note A user must match all the groups in the Selected list so that Cisco Secure
ACS can use this group set mapping to map the user to a Cisco Secure
ACS group; however, a user can also belong to other groups (in addition
to the groups listed) and still be mapped to a Cisco Secure ACS group.

Tip To remove a group from the mapping, select the name of the group in the
Selected list, and then click Remove from selected.

The Selected list shows all the groups that a user must belong to in order to be
mapped to a Cisco Secure ACS group.


Step 9 In the CiscoSecure group list, select the name of the Cisco Secure ACS group to
which you want to map users who belong to all the external user database groups
in the Selected list.

Note You can also select <No Access>. For more information about the <No
Access> group, see No Access Group for Group Set Mappings,
page 15-5.

Step 10 Click Submit.


The group set you mapped to the Cisco Secure ACS list appears at the bottom of
the database groups column.

Note The asterisk at the end of each set of groups indicates that users
authenticated with the external user database can belong to other groups
besides those in the set.

Editing a Windows, Novell NDS, or Generic LDAP Group Set Mapping

You can change the Cisco Secure ACS group to which a group set mapping is mapped.

Note The external user database groups of an existing group set mapping cannot be
edited. If you want to add or remove external user database groups from the group
set mapping, delete the group set mapping and create one with the revised set of
groups.

To edit a Windows, Novell NDS, or generic LDAP group mapping, follow these
steps:

Step 1 In the navigation bar, click External User Databases.


Step 2 Click Database Group Mappings.


Step 3 Click the external user database name for which you want to edit a group set
mapping.
If you are editing a Windows group set mapping, the Domain Configurations table
appears. If you are editing an NDS group set mapping, the NDS Trees table
appears. Otherwise, the Group Mappings for database Users table appears.
Step 4 If you are editing a Windows group set mapping, click the domain name for which
you want to edit a group set mapping.
The Group Mappings for Domain: domainname table appears.
Step 5 If you are editing a Novell NDS group set mapping, click the name of the Novell
NDS tree for which you want to edit a group set mapping.
The Group Mappings for NDS Users table appears.
Step 6 Click the group set mapping to be edited.
The Edit mapping for database page opens. The external user database group or
groups included in the group set mapping appear above the CiscoSecure group
list.
Step 7 From the CiscoSecure group list, select the name of the group to which the set of
external database groups should be mapped, and then click Submit.

Note You can also select <No Access>. For more information about the <No
Access> group, see No Access Group for Group Set Mappings,
page 15-5.

Step 8 Click Submit.


The Group Mappings for database page opens again with the changed group set
mapping listed.


Deleting a Windows, Novell NDS, or Generic LDAP Group Set Mapping

You can delete individual group set mappings.
To delete a Windows, Novell NDS, or generic LDAP group mapping, follow these steps:

Step 1 In the navigation bar, click External User Databases.


Step 2 Click Database Group Mappings.
Step 3 Click the external user database configuration whose group set mapping you need
to delete.
If you are deleting a Windows group set mapping, the Domain Configurations
table appears. If you are deleting an NDS group set mapping, the NDS Trees table
appears. Otherwise, the Group Mappings for database Users table appears.
Step 4 If you are deleting a Windows group set mapping, click the domain name whose
group set mapping you want to delete.
The Group Mappings for Domain: domainname table appears.
Step 5 If you are deleting a Novell NDS group set mapping, click the name of the Novell
NDS tree whose group set mapping you want to delete.
The Group Mappings for NDS Users table appears.
Step 6 Click the group set mapping you want to delete.
Step 7 Click Delete.
Cisco Secure ACS displays a confirmation dialog box.
Step 8 Click OK in the confirmation dialog box.
Cisco Secure ACS deletes the selected external user database group set mapping.


Deleting a Windows Domain Group Mapping Configuration


You can delete an entire group mapping configuration for a Windows domain.
When you delete a Windows domain group mapping configuration, all group set
mappings in the configuration are deleted.
To delete a Windows group mapping, follow these steps:

Step 1 In the navigation bar, click External User Databases.


Step 2 Click Database Group Mappings.
Step 3 Click the name of the Windows external user database.
Step 4 Click the domain name whose group set mapping you want to delete.
Step 5 Click Delete Configuration.
Cisco Secure ACS displays a confirmation dialog box.
Step 6 Click OK in the confirmation dialog box.
Cisco Secure ACS deletes the selected external user database group mapping
configuration.

Changing Group Set Mapping Order


You can change the order in which Cisco Secure ACS checks group set mappings
for users authenticated by Windows, Novell NDS, and generic LDAP databases.
To order group mappings, you must have already mapped them. For more
information about creating group mappings, see Creating a Cisco Secure ACS
Group Mapping for Windows, Novell NDS, or Generic LDAP Groups, page 15-6.
To change the order of group mappings for a Windows, Novell NDS, or generic
LDAP group mapping, follow these steps:

Step 1 In the navigation bar, click External User Databases.


Step 2 Click Database Group Mappings.
Step 3 Click the external user database name for which you want to configure group set
mapping order.


If you are ordering Windows group set mappings, the Domain Configurations
table appears. If you are ordering NDS group set mappings, the NDS Trees table
appears. Otherwise, the Group Mappings for database Users table appears.
Step 4 If you are configuring Windows group mapping order, click the domain name for
which you want to configure group set mapping order.
The Group Mappings for Domain: domainname table appears.
Step 5 If you are configuring Novell NDS group set mapping order, click the name of the
Novell NDS tree for which you want to configure group set mapping order.
The Group Mappings for NDS Users table appears.
Step 6 Click Order mappings.

Note The Order mappings button appears only if more than one group set
mapping exists for the current database.

The Order mappings for database page appears. The group mappings for the
current database appear in the Order list.
Step 7 Select the name of a group set mapping you want to move, and then click Up or
Down until it is in the position you want.
Step 8 Repeat Step 7 until the group mappings are in the order you need.
Step 9 Click Submit.
The Group Mappings for database page displays the group set mappings in the
order you defined.


RADIUS-Based Group Specification


For some types of external user databases, Cisco Secure ACS supports the
assignment of users to specific Cisco Secure ACS groups based upon the
RADIUS authentication response from the external user database. This is
provided in addition to the unknown user group mapping described in Group
Mapping by External User Database, page 15-2. RADIUS-based group
specification overrides group mapping. The database types that support
RADIUS-based group specification are as follows:
• LEAP Proxy RADIUS server
• CRYPTOCard token server
• PassGo token server
• Safeword token server
• ActivCard token server
• Vasco token server
• RADIUS token server
Cisco Secure ACS supports per-user group mapping for users authenticated with
a LEAP Proxy RADIUS Server database. This is provided in addition to the
default group mapping described in Group Mapping by External User Database,
page 15-2.
To enable per-user group mapping, configure the external user database to return
authentication responses that contain the Cisco IOS/PIX RADIUS attribute 1,
[009\001] cisco-av-pair with the following value:
ACS:CiscoSecure-Group-Id = N

where N is the Cisco Secure ACS group number (0 through 499) to which
Cisco Secure ACS should assign the user. For example, if the LEAP Proxy
RADIUS Server authenticated a user and included the following value for the
Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair:
ACS:CiscoSecure-Group-Id = 37

Cisco Secure ACS assigns the user to group 37 and applies authorization
associated with group 37.
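The group-assignment precedence this chapter describes, modelled as an added Python example that is not part of the Cisco guide: the cisco-av-pair value above overrides group mapping, group set mappings are then checked in order with the first full match terminating the search (the Mapping A / Mapping B case from Group Mapping Order), and a default mapping applies last. The mapping names, group names, and av-pair strings are constructed for illustration.

```python
r"""Model of how Cisco Secure ACS picks a group for an externally authenticated user.

Added example, not Cisco code. Precedence as the guide describes it:
  1. RADIUS-based group specification: cisco-av-pair [009\001]
     "ACS:CiscoSecure-Group-Id = N" (N in 0..499) overrides group mapping.
  2. Group set mappings, checked in order; the first set whose groups are
     ALL held by the user wins (extra group memberships are allowed).
  3. The default mapping (e.g. \DEFAULT for a Windows domain), if any.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Sequence

NO_ACCESS = "<No Access>"  # the Cisco Secure ACS No Access group

# Accepts only the exact attribute name; whitespace around "=" is tolerated.
GROUP_ID_RE = re.compile(r"^\s*ACS:CiscoSecure-Group-Id\s*=\s*(\d+)\s*$")


@dataclass(frozen=True)
class GroupSetMapping:
    required_groups: FrozenSet[str]  # external groups a user must ALL belong to
    acs_group: str                   # Cisco Secure ACS group, or NO_ACCESS


def group_from_avpairs(avpairs: Iterable[str]) -> Optional[int]:
    """Return the group number carried in cisco-av-pair, or None.

    A value that is malformed or outside 0..499 is ignored rather than
    trusted, so a bad RADIUS response cannot select an arbitrary group.
    """
    for pair in avpairs:
        m = GROUP_ID_RE.match(pair)
        if m is None:
            continue
        n = int(m.group(1))
        if 0 <= n <= 499:
            return n
    return None


def map_by_group_set(user_groups: Iterable[str],
                     mappings: Sequence[GroupSetMapping],
                     default: Optional[str] = None) -> Optional[str]:
    """Walk the ordered mapping list; the first matching set terminates it."""
    held = frozenset(user_groups)
    for mapping in mappings:
        if mapping.required_groups <= held:  # subset test = "all groups in the set"
            return mapping.acs_group
    return default


def assign_group(user_groups: Iterable[str],
                 mappings: Sequence[GroupSetMapping],
                 default: Optional[str] = None,
                 avpairs: Iterable[str] = ()) -> Optional[str]:
    """Full precedence: RADIUS group id, then ordered set mappings, then default."""
    n = group_from_avpairs(avpairs)
    if n is not None:
        return f"Group {n}"
    return map_by_group_set(user_groups, mappings, default)


# --- the chapter's worked cases, with constructed data ---------------------
MAPPING_A = GroupSetMapping(frozenset({"Engineering", "Marketing", "Managers"}), "Group 2")
MAPPING_B = GroupSetMapping(frozenset({"Engineering", "Marketing"}), "Group 1")
CONTRACTORS = GroupSetMapping(frozenset({"Contractors"}), NO_ACCESS)
MARY = ["Engineering", "Marketing", "Managers"]


def mary_with_b_first() -> Optional[str]:
    # B listed first: Mary matches B and lands in Group 1 (the outcome the guide warns about).
    return assign_group(MARY, [MAPPING_B, MAPPING_A, CONTRACTORS])


def mary_with_a_first() -> Optional[str]:
    # A listed first: the more specific three-group set matches and Mary gets Group 2.
    return assign_group(MARY, [MAPPING_A, MAPPING_B, CONTRACTORS])


if __name__ == "__main__":
    print("B first:", mary_with_b_first())   # Group 1
    print("A first:", mary_with_a_first())   # Group 2
    print("Contractor:", assign_group(["Contractors", "Engineering"],
                                      [MAPPING_A, MAPPING_B, CONTRACTORS]))
    print("RADIUS override:",
          assign_group(MARY, [MAPPING_B], avpairs=["ACS:CiscoSecure-Group-Id = 37"]))
```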

Appendix A
Troubleshooting

This appendix provides information about certain basic problems and describes
how to resolve them.
Scan the column on the left to identify the condition that you are trying to resolve,
and then carefully go through each corresponding recovery action offered in the
column on the right.
This appendix contains the following topics:
• Administration Issues, page A-2
• Browser Issues, page A-4
• Cisco IOS Issues, page A-5
• Database Issues, page A-6
• Dial-in Connection Issues, page A-8
• Debug Issues, page A-12
• Proxy Issues, page A-13
• Installation and Upgrade Issues, page A-13
• MaxSessions Issues, page A-14
• Report Issues, page A-14
• Third-Party Server Issues, page A-16
• PIX Firewall Issues, page A-16
• User Authentication Issues, page A-17
• TACACS+ and RADIUS Attribute Issues, page A-18


Administration Issues
Note For information on using the command line interface to execute administrative
commands, see the “Administering the ACS Appliance” chapter of the
Installation and Setup Guide for Cisco Secure ACS Appliance.

Condition: Administrator cannot bring up the Cisco Secure ACS HTML interface in a browser or receives a warning that access is not permitted.
Recovery Action:
• Verify that you are using a supported browser. Refer to the Release Notes for Cisco Secure Access Control Server Appliance Version 3.2 for a list of supported browsers.
• Confirm that Cisco Secure ACS is powered up.
• Ping Cisco Secure ACS to confirm connectivity.
• Verify that the administrator is using a valid administrator name and password that has already been added in Administration Control.
• Verify that Java functionality is enabled in the browser.
• Determine whether the administrator is trying to administer Cisco Secure ACS through a firewall, through a device performing Network Address Translation, or from a browser configured to use an HTTP proxy server. For more information about accessing the HTML interface in these networking scenarios, see Network Environments and Administrative Sessions, page 1-27.

Condition: The Cisco Secure ACS Appliance administrator credentials have been lost.
Recovery Action: Perform the “Recovering from Loss of All Administrator Passwords” procedure that is found in the “Administering the ACS Appliance” chapter of the Installation and Setup Guide for Cisco Secure ACS Appliance.

Condition: Unauthorized users can log in.
Recovery Action: The option Reject listed IP addresses is selected, but no start or stop IP addresses are listed. Go to Administrator Control: Access Policy and specify the Start IP Address and Stop IP Address.

Condition: Remote Administrator receives “Logon failed . . . protocol error” message when browsing.
Recovery Action: Restart the CSADMIN service. To restart the CSADMIN service, from the CLI type the restart command with CSAdmin as the argument. If necessary, reboot the appliance.


Condition: Administrator cannot bring up Cisco Secure ACS from his or her browser, or receives a warning that access is not permitted.
Recovery Action: If Network Address Translation is enabled on the PIX Firewall, administration through the firewall cannot work.
To administer Cisco Secure ACS through a firewall, you must configure an HTTP port range in Administrator Control > Access Policy. The PIX Firewall must be configured to permit HTTP traffic over all ports included in the range specified in Cisco Secure ACS. For more information, see Access Policy, page 12-11.

Condition: Restart Services does not work.
Recovery Action: The system is not responding to the Restart command on the System Configuration > Service Control page.
Ping Cisco Secure ACS to confirm connectivity.
To manually restart services, log in to the Cisco Secure ACS console and type the restart command followed by a single space and the name of the ACS service you want to restart.

Condition: No administrators can log in.
Recovery Action: The option Allow only listed IP addresses to connect is selected, but no start or stop IP addresses are listed. Go to Administrator Control: Access Policy and specify the Start IP Address and Stop IP Address.

Condition: Administrator configured for event notification is not receiving e-mail.
Recovery Action: Make sure that the SMTP server name is correct. If the name is correct, make sure that the Cisco Secure ACS can ping the SMTP server or can send e-mail via a third-party e-mail software package. Make sure you have not used underscores in the e-mail address.


Browser Issues
Condition: The browser cannot bring up the Cisco Secure ACS HTML interface.
Recovery Action: Open Internet Explorer or Netscape Navigator and choose Help > About to determine the version of the browser. See System Installation Requirements, page 2-2, for a list of browsers supported by Cisco Secure ACS and the release notes for known issues with a particular browser version.
For information about various network scenarios that affect remote administrative sessions, see Network Environments and Administrative Sessions, page 1-27.

Condition: The browser displays the Java message that your session connection is lost.
Recovery Action: Check the Session idle timeout value for remote administrators. This is on the Session Policy Setup page of the Administration Control section. Increase the value as needed.

Condition: Administrator database appears corrupted.
Recovery Action: The remote Netscape client is caching the password. If you specify an incorrect password, it is cached. When you attempt to re-authenticate with the correct password, the incorrect password is sent. Clear the cache before attempting to re-authenticate or close the browser and open a new session.

Condition: Remote administrator intermittently can’t browse the Cisco Secure ACS HTML interface.
Recovery Action: Make sure that the client browser does not have a proxy server configured. Cisco Secure ACS does not support HTTP proxy for remote administrative sessions. Disable proxy server settings.


Cisco IOS Issues


Condition: Under EXEC Commands, Cisco IOS commands are not being denied when checked.
Recovery Action: Examine the Cisco IOS configuration at the AAA client. If it is not already present, add the following Cisco IOS command to the AAA client configuration:
aaa authorization command <0-15> default group TACACS+
The correct syntax for the arguments in the text box is permit argument or deny argument.

Condition: Administrator has been locked out of the AAA client because of an incorrect configuration set up in the AAA client.
Recovery Action: If you have a fallback method configured on your AAA client, disable connectivity to the AAA server and log in using local/line username and password.
Try to connect directly to the AAA client at the console port. If that is not successful, consult your AAA client documentation or see the Password Recovery Procedures page on Cisco.com for information regarding your particular AAA client.

Condition: IETF RADIUS attributes not supported in Cisco IOS 12.0.5.T.
Recovery Action: Cisco incorporated RADIUS (IETF) attributes in Cisco IOS Release 11.1. However, there are a few attributes that are not yet supported or that require a later version of the Cisco IOS software. For more information, see the RADIUS Attributes page on Cisco.com.

Condition: Unable to enter Enable Mode after doing aaa authentication enable default tacacs+.
Recovery Action: Check the failed attempts log in the ACS. If the log reads “CS password invalid,” it may be that the user has no enable password set up. Set the TACACS+ Enable Password within the Advanced TACACS+ Settings section.

Condition: Getting error message “Error in authentication on the router.”
Recovery Action: If you do not see the Advanced TACACS+ Settings section among the user setup options, go to Interface Configuration > Advanced Configuration Options > Advanced TACACS+ Features and select that option to have the TACACS+ settings appear in the user settings. Then select Max privilege for any AAA Client (this will typically be 15) and enter the TACACS+ Enable Password that you want the user to have for enable.


Database Issues
Condition: RDBMS Synchronization is not operating properly.
Recovery Action: Make sure the correct server is listed in the Partners list.

Condition: Database Replication not operating properly.
Recovery Action:
• Make sure you have set the server correctly as either Send or Receive.
• On the sending server, make sure the receiving server is in the Replication list.
• On the receiving server, make sure the sending server is selected in the Accept Replication from list.
• Make sure that the replication schedule on the sending Cisco Secure ACS is not conflicting with the replication schedule on the receiving Cisco Secure ACS.
• If the receiving server has dual network cards, on the sending server add a AAA server to the AAA Servers table in Network Configuration for every IP address of the receiving server. If the sending server has dual network cards, on the receiving server add a AAA server to the AAA Servers table in Network Configuration for every IP address of the receiving server.

Condition: The external user database is not available in the Group Mapping section.
Recovery Action: The external database has not been configured in External User Databases or the username and password have been typed incorrectly. Make sure the username and password are correct. Click the applicable external database to configure.

Condition: External databases not operating properly.
Recovery Action: Make sure a two-way trust (for dial-in check) has been established between the Cisco Secure ACS domain and the other domains. Check the csauth service log file for any debug messages beginning with [External DB]. See Setting Up Event Logging, page 8-20.

Condition: Unknown users are not authenticated.
Recovery Action: Go to External User Databases > Unknown User Policy. Select the Check the following external user databases option. From the External Databases list, select the database(s) against which to authenticate unknown users. Click —> (right arrow button) to add the database to the Selected Databases list. Click Up or Down to move the selected database into the desired position in the authentication hierarchy.
If you are using the Cisco Secure ACS Unknown User feature, external databases can only authenticate using PAP.


Condition: Novell NDS or Generic LDAP Group Mapping not working correctly.
Recovery Action: Make sure that you have correctly configured Group Mapping for the applicable database.
For more information, see Chapter 15, “User Group Mapping and Specification.”

Condition: Unable to authenticate against the Novell NDS database.
Recovery Action: Make sure that the tree name, context name, and container name are all specified correctly. Start with one container where users are present; then you can add more containers later, if needed.
If you are successful, check on the AAA client to see if you can authenticate the shell user (Telnet user). Also make sure that for PPP you have PAP authentication configured on the asynchronous interface.

Condition: Same user appears in multiple groups or duplicate users exist in the Cisco Secure ACS database. Unable to delete user from database.
Recovery Action: Use the dbcompact command from the CLI to clean up the database. For information on the command see the Installation and Setup Guide for Cisco Secure ACS Appliance.


Dial-in Connection Issues


Condition: A dial-in user cannot connect to the AAA client. No record of the attempt appears in either the TACACS+ or RADIUS Accounting Report (in the Reports & Activity section, click TACACS+ Accounting or RADIUS Accounting or Failed Attempts).
Recovery Action: Examine the Cisco Secure ACS Reports or AAA client Debug output to narrow the problem to a system error or a user error. Confirm the following:
• LAN connections for both the AAA client and the Cisco Secure ACS are physically connected.
• IP address of the AAA client in the Cisco Secure ACS configuration is correct.
• IP address of Cisco Secure ACS in AAA client configuration is correct.
• TACACS+ or RADIUS key in both AAA client and Cisco Secure ACS are identical (case sensitive).
• The command ppp authentication pap is entered for each interface, if the Windows user database is being used.
• The command ppp authentication chap pap is entered for each interface, if the Cisco Secure ACS database is being used.
• The AAA and TACACS+ or RADIUS commands are correct in the AAA client.
• The Cisco Secure ACS services are running (CSAdmin, CSAuth, CSDBSync, CSLog, CSRadius, CSTacacs).


Condition: A dial-in user cannot connect to the AAA client. The Windows user database is being used for authentication. A record of a failed attempt appears in the Failed Attempts Report (in the Reports & Activity section, click Failed Attempts).
Recovery Action: The user information is not properly configured for authentication in Windows Database or Cisco Secure ACS.
From the Windows User Manager or Active Directory Users and Computers, confirm the following:
• The username and password are configured in the Windows User Manager or Active Directory Users and Computers.
• The User Properties window does not have User Must Change Password at Login enabled.
• The User Properties window does not have Account Disabled selected.
• The User Properties for the dial-in window does not have Grant dial-in permission to user disabled, if Cisco Secure ACS is using this option for authenticating.
From within the Cisco Secure ACS confirm the following:
• If the username has already been entered into Cisco Secure ACS, a Windows database configuration is selected in the Password Authentication list in User Setup for the user.
• If the username has already been entered into Cisco Secure ACS, the Cisco Secure ACS group to which the user is assigned has the correct authorization enabled (such as IP/PPP, IPX/PPP or Exec/Telnet). Be sure to click Submit + Restart if a change has been made.
• The user expiration information in the Windows database has not caused failed authentication. For troubleshooting purposes, disable password expiry for the user in the Windows database.
Click External User Databases, and then Database Configuration, and click List all database configurations; then make sure that the database configuration for Windows Database is listed.
Check Unknown User Policy to make sure that the Fail the Attempt option is not selected. (You should have the Check the following external user databases option selected.)
Verify that Windows Database appears in the Selected Databases box on the Configure Unknown User Policy page in the External User Databases section.
Verify that the Windows Database group that the user belongs to has not been mapped to No Access on the Unknown User Group Mappings page.


Condition: A dial-in user cannot connect to the AAA client. The CiscoSecure user database is being used for authentication. A record of a failed attempt is displayed in the Failed Attempts Report (in the Reports & Activity section, click Failed Attempts).
Recovery Action: From within Cisco Secure ACS confirm the following:
• The username has been entered into Cisco Secure ACS.
• CiscoSecure user database is selected from the Password Authentication list and a password has been entered in User Setup for the user.
• The Cisco Secure ACS group to which the user is assigned has the correct authorization enabled (such as IP/PPP, IPX/PPP or Exec/Telnet). Be sure to click Submit + Restart if a change has been made.
• Expiration information has not caused failed authentication. Set to Expiration: Never for troubleshooting.

Condition: A dial-in user cannot connect to the AAA client; however, a Telnet connection can be authenticated across the LAN.
Recovery Action: The problem is isolated to one of three areas:
• Line/modem configuration problem. Review the documentation that came with your modem and verify that the modem is properly configured.
• The user is not assigned to a group that has the correct authorization rights. Authorization rights can be modified under Group Setup or User Setup. User settings override group settings.
• The Cisco Secure ACS or TACACS+ or RADIUS configuration is not correct in the AAA client.
Additionally, you can verify Cisco Secure ACS connectivity from the CLI by pinging a workstation connected to the LAN. A successful ping confirms that Cisco Secure ACS has network connectivity.

Condition: A dial-in user cannot connect to the AAA client, and a Telnet connection cannot be authenticated across the LAN.
Recovery Action: Determine whether Cisco Secure ACS is receiving the request by viewing the Cisco Secure ACS reports. Based on what does not appear in the reports and which database is being used, troubleshoot one of the following:
• Line/modem configuration problem. Review the documentation that came with your modem and verify that the modem is properly configured.
• The user does not exist in the Windows user database or the CiscoSecure user database, or does not have the correct password. Authentication parameters can be modified under User Setup.
• The Cisco Secure ACS, TACACS+, or RADIUS configuration is not correct in the AAA client.

Condition: Callback is not working.
Recovery Action: Make sure that callback works on the AAA client when using local authentication. Then add AAA authentication.

Condition: User authentication fails when using PAP.
Recovery Action: Outbound PAP is not enabled. If the Failed Attempts report shows that you are using outbound PAP, go to the Interface Configuration section and select the Per-User Advanced TACACS+ Features check box. Then go to the TACACS+ Outbound Password section of the Advanced TACACS+ Settings table on the User Setup page and type and confirm the password in the boxes provided.

Debug Issues

Condition: When you run debug aaa authentication on the AAA client, Cisco Secure ACS returns a failure message.
Recovery Action: The configuration of the AAA client or of Cisco Secure ACS is likely to be at fault.
From within Cisco Secure ACS, confirm the following:
• Cisco Secure ACS is receiving the request. Check the Cisco Secure ACS reports; what does or does not appear in them may indicate that Cisco Secure ACS is misconfigured.
From the AAA client, confirm the following:
• The command ppp authentication pap is entered for each interface if authentication against the Windows user database is being used. (CHAP cannot be used against the Windows database: the password is verified by Windows rather than by Cisco Secure ACS, so Cisco Secure ACS cannot compute a CHAP response itself.)
• The command ppp authentication chap pap is entered for each interface if authentication against the CiscoSecure user database is being used.
• The AAA and TACACS+ or RADIUS configuration is correct in the AAA client.

Condition: When you run debug aaa authentication and debug aaa authorization on the AAA client, Cisco Secure ACS returns a PASS for authentication but a FAIL for authorization.
Recovery Action: This problem occurs because authorization rights are not correctly assigned. From Cisco Secure ACS User Setup, confirm that the user is assigned to a group that has the correct authorization rights. Authorization rights can be modified under Group Setup or User Setup. User settings override group settings.
If a specific attribute for TACACS+ or RADIUS is not displayed within the Group Setup section, this might indicate that it has not been enabled in Interface Configuration: TACACS+ (Cisco IOS) or RADIUS.

Proxy Issues

Condition: Proxy fails.
Recovery Action: Make sure that the direction on the remote server is set to Incoming/Outgoing or Incoming, and that the direction on the authentication forwarding server is set to Incoming/Outgoing or Outgoing.
Make sure the shared secret (key) matches the shared secret of one or both Cisco Secure ACSes.
Make sure the character string and delimiter match the stripping information configured in the Proxy Distribution Table, and that the position is set correctly to either Prefix or Suffix.
One or more servers is down, or no fallback server is configured. Go to Network Configuration and configure a fallback server. Fallback servers are used only under the following circumstances:
• The remote Cisco Secure ACS is down.
• One or more services (CSTacacs, CSRadius, or CSAuth) are down.
• The secret key is misconfigured.
• Inbound/Outbound messaging is misconfigured.
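The following is an added example, written for this guide and not Cisco Secure ACS code, of the Proxy Distribution Table lookup the recovery action above asks you to check: matching a username against a character string and delimiter at the Prefix or Suffix position, optionally stripping it, checking the Incoming/Outgoing direction on both ends, and walking the server list so that a fallback server is used when the primary is down. Entry names, server names, and the is_up liveness probe are assumptions.

```python
"""Proxy Distribution Table lookup, added example (not Cisco Secure ACS code).
Entry and server names are constructed; is_up() stands in for the probe ACS
uses to decide that a remote ACS or its services are down.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class ProxyEntry:
    string: str              # character string, e.g. "corp.example" or "ACME"
    delimiter: str           # e.g. "@" or "\\"
    position: str            # "Prefix" or "Suffix"
    strip: bool              # drop string and delimiter before forwarding
    servers: List[str] = field(default_factory=list)  # primary first, then fallbacks


def match_entry(username: str, table: List[ProxyEntry]) -> Optional[Tuple[ProxyEntry, str]]:
    """First entry whose string+delimiter matches at the configured position.
    Returns the entry and the username as it will be forwarded, or None."""
    for e in table:
        if e.position == "Suffix":
            token = e.delimiter + e.string              # alice@corp.example
            if username.endswith(token):
                return e, (username[:-len(token)] if e.strip else username)
        elif e.position == "Prefix":
            token = e.string + e.delimiter              # ACME\alice
            if username.startswith(token):
                return e, (username[len(token):] if e.strip else username)
    return None


def direction_ok(forwarder_direction: str, remote_direction: str) -> bool:
    """Both ends must allow the flow: the forwarding server Outgoing (or
    Incoming/Outgoing), the remote server Incoming (or Incoming/Outgoing)."""
    return (forwarder_direction in ("Outgoing", "Incoming/Outgoing")
            and remote_direction in ("Incoming", "Incoming/Outgoing"))


def forward(username: str, table: List[ProxyEntry],
            is_up: Callable[[str], bool]) -> Optional[Tuple[str, str]]:
    """Pick the target server for a request.  Returns (server, forwarded_username);
    None means no entry matched or every server in the entry's list is down."""
    hit = match_entry(username, table)
    if hit is None:
        return None                     # no matching entry: handled locally
    entry, fwd_user = hit
    for srv in entry.servers:           # primary, then fallbacks, in order
        if is_up(srv):
            return srv, fwd_user
    return None                         # primary and all fallbacks down


# Constructed sample table (not from a real deployment).
TABLE = [
    ProxyEntry("corp.example", "@", "Suffix", True, ["acs-remote-1", "acs-remote-2"]),
    ProxyEntry("ACME", "\\", "Prefix", False, ["acs-acme"]),
]

if __name__ == "__main__":
    print(forward("alice@corp.example", TABLE, lambda s: s == "acs-remote-2"))
```

Note that the stripped username is what the remote server authenticates, so the strip flag must agree with how the account is named on that server.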

Installation and Upgrade Issues

Condition: Installation difficulties.
Recovery Action: Refer to the Installation and Setup Guide for Cisco Secure ACS Appliance.

Condition: From the serial console, the upgrade command has no effect.
Recovery Action: You must first obtain an appliance upgrade (when available, obtained from the Appliance Upgrade page of System Configuration).

MaxSessions Issues

Condition: MaxSessions over VPDN is not working.
Recovery Action: The use of MaxSessions over VPDN is not supported.

Condition: User MaxSessions fluctuates or is unreliable.
Recovery Action: Services were restarted, possibly because the connection between Cisco Secure ACS and the AAA client is unstable. Clear the Single Connect TACACS+ AAA Client check box.

Condition: User MaxSessions is not taking effect.
Recovery Action: Make sure you have accounting configured on the AAA client and that you are receiving accounting start/stop records.

Report Issues

Condition: The lognameactive.csv report is blank.
Recovery Action: You changed protocol configurations recently. Whenever protocol configurations change, the existing lognameactive.csv report file is renamed to lognameyyyy-mm-dd.csv, and a new, blank lognameactive.csv report is generated.

Condition: A report is blank.
Recovery Action: Make sure you have selected Log to reportname Report under System Configuration: Logging: Log Target: reportname. You must also set Network Configuration: servername: Access Server Type to Cisco Secure ACS for Windows NT.

Condition: No Unknown User information is included in reports.
Recovery Action: The Unknown User database was changed. Accounting reports will still contain unknown user information.

Condition: Two entries are logged for one user session.
Recovery Action: Make sure that the remote logging function is not configured to send accounting packets to the same location as the Send Accounting Information fields in the Proxy Distribution Table.

Condition: After you have changed the date format, the Logged-In User list and the CSAdmin log still display dates in the old format.
Recovery Action: To see the changes, you must restart the CSAdmin service and log on again.

Condition: The Logged in Users report works with some devices but not with others.
Recovery Action: For the Logged in Users report to work (and this also applies to most other features involving sessions), packets should include at least the following fields:
• Authentication Request packet: nas-ip-address, nas-port
• Accounting Start packet: nas-ip-address, nas-port, session-id, framed-ip-address
• Accounting Stop packet: nas-ip-address, nas-port, session-id, framed-ip-address
Also, if a connection is so brief that there is little time between the start and stop packets (for example, HTTP through the PIX Firewall), the Logged in Users report may fail.
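To show why those fields matter, here is an added example (written for this guide, not Cisco Secure ACS code) of a session tracker of the kind that sits behind a Logged in Users report. A session is keyed on nas-ip-address, nas-port and session-id, so a device that omits any of them cannot be tracked, and a very brief connection whose Stop outruns its Start has to be handled explicitly or it leaves a phantom logged-in user. The record layout and the sample records are constructed.

```python
"""Session tracker behind a "Logged in Users" style report, added example
(not Cisco Secure ACS code).  Records are constructed sample input; the field
names are the ones the recovery action above lists.
"""
from typing import Dict, List, Set, Tuple

REQUIRED = {
    "auth":  ("nas-ip-address", "nas-port"),
    "start": ("nas-ip-address", "nas-port", "session-id", "framed-ip-address"),
    "stop":  ("nas-ip-address", "nas-port", "session-id", "framed-ip-address"),
}
Key = Tuple[str, int, str]


class LoggedInUsers:
    def __init__(self) -> None:
        self.active: Dict[Key, dict] = {}     # key -> the Start record
        self.early_stops: Set[Key] = set()    # Stop seen before its Start
        self.rejected: List[Tuple[dict, str]] = []

    @staticmethod
    def key(rec: dict) -> Key:
        return (rec["nas-ip-address"], rec["nas-port"], rec["session-id"])

    def feed(self, rec: dict) -> None:
        kind = rec["type"]
        missing = [f for f in REQUIRED[kind] if f not in rec]
        if missing:                           # cannot build a session key
            self.rejected.append((rec, "missing " + ",".join(missing)))
            return
        if kind == "auth":
            return                            # authentication alone is not a session
        k = self.key(rec)
        if kind == "start":
            if k in self.early_stops:         # Stop already arrived: session is over
                self.early_stops.discard(k)
            else:
                self.active[k] = rec          # a repeated Start just refreshes the entry
        elif kind == "stop":
            if k in self.active:
                del self.active[k]
            else:                             # brief session: Stop outran Start
                self.early_stops.add(k)

    def users(self) -> List[Tuple[str, str]]:
        return sorted((r["user"], r["framed-ip-address"]) for r in self.active.values())


# Constructed records (not real accounting data).
SAMPLE = [
    {"type": "auth", "user": "alice", "nas-ip-address": "10.0.0.1", "nas-port": 3},
    {"type": "start", "user": "alice", "nas-ip-address": "10.0.0.1", "nas-port": 3,
     "session-id": "0000001A", "framed-ip-address": "192.0.2.10"},
    {"type": "start", "user": "bob", "nas-ip-address": "10.0.0.1", "nas-port": 4,
     "session-id": "0000001B", "framed-ip-address": "192.0.2.11"},
    {"type": "stop", "user": "bob", "nas-ip-address": "10.0.0.1", "nas-port": 4,
     "session-id": "0000001B", "framed-ip-address": "192.0.2.11"},
    # HTTP through a firewall: Stop arrives before Start
    {"type": "stop", "user": "carol", "nas-ip-address": "10.0.0.2", "nas-port": 1,
     "session-id": "00000007", "framed-ip-address": "192.0.2.20"},
    {"type": "start", "user": "carol", "nas-ip-address": "10.0.0.2", "nas-port": 1,
     "session-id": "00000007", "framed-ip-address": "192.0.2.20"},
    # a device that omits session-id and framed-ip-address
    {"type": "start", "user": "dave", "nas-ip-address": "10.0.0.3", "nas-port": 2},
]


def demo() -> LoggedInUsers:
    tracker = LoggedInUsers()
    for rec in SAMPLE:
        tracker.feed(rec)
    return tracker


if __name__ == "__main__":
    t = demo()
    print(t.users(), [reason for _, reason in t.rejected])
```

Only alice remains logged in: bob's Stop closed his session, carol's early Stop was reconciled when her Start arrived, and dave's device gave nothing to key on, which is the "works with some devices but not others" symptom.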

Third-Party Server Issues

Condition: Authentication request does not hit the external database.
Recovery Action: Set logging to full in System Configuration > Service Control. Use the Support feature to check csauth.log for confirmation that the authentication request is being forwarded to the third-party server. If it is not being forwarded, confirm that the external database configuration is correct, as well as the unknown user policy settings.

Condition: On the ACE/SDI server no incoming request is seen from Cisco Secure ACS, although RSA Agent authentication works.
Recovery Action: For dial-up users, make sure you are using PAP and not MS-CHAP or CHAP. RSA/SDI does not support CHAP (the token code has to reach the RSA server as the user entered it, which only PAP provides), so Cisco Secure ACS will not send the request to the RSA server; instead it logs an external database failure.

PIX Firewall Issues

Condition: A remote administrator cannot bring up Cisco Secure ACS from his or her browser, or receives a warning that access is not permitted.
Recovery Action: If Network Address Translation is enabled on the PIX Firewall, administration through the firewall cannot work.
To administer Cisco Secure ACS through a firewall, you must configure an HTTP port range in System Configuration: Access Policy. The PIX Firewall must be configured to permit HTTP traffic over all ports included in the range specified in Cisco Secure ACS. For more information, see Access Policy, page 12-11.

User Authentication Issues

Condition: After the administrator disables the Dialin Permission setting, Windows database users can still dial in and apply the Callback string configured under the Windows user database. (You can locate the Dialin Permission check box by clicking External User Databases, clicking Database Configuration, clicking Windows Database, and clicking Configure.)
Recovery Action: Restart Cisco Secure ACS services. For steps, see Stopping, Starting, or Restarting Services, page 8-2.

Condition: User did not inherit settings from new group.
Recovery Action: Users moved to a new group inherit the new group's settings but keep their existing user-level settings. Manually change the settings in the User Setup section.

Condition: Authentication fails.
Recovery Action: Check the Failed Attempts report.
The AAA client timeout may be too short (the default is 5 seconds). Increase it on the AAA client to 20 seconds or greater, for example tacacs-server timeout 20.

Condition: The AAA client times out when authenticating against a Windows user database.
Recovery Action: Increase the TACACS+/RADIUS timeout interval from the default, 5, to 20. Set the Cisco IOS commands as follows:
tacacs-server timeout 20
radius-server timeout 20

Condition: Authentication fails; the error “Unknown NAS” appears in the Failed Attempts log.
Recovery Action: Verify the following:
• The AAA client is configured under the Network Configuration section.
• If you have the RADIUS or TACACS+ source-interface command configured on the AAA client, make sure the client is configured on Cisco Secure ACS using the IP address of the interface specified.
Alternatively, you can configure a default AAA client in the AAA client configuration area by leaving the hostname and IP address blank and entering only the key. A default entry accepts requests from any source address that presents that key, so it weakens the per-device check; use it as a troubleshooting aid rather than as a permanent configuration.

Condition: Authentication fails; the error “key mismatch” appears in the Failed Attempts log.
Recovery Action: Verify that the TACACS+ or RADIUS keys in both the AAA client and Cisco Secure ACS are identical (they are case sensitive). Re-enter the keys to confirm they are identical.

Condition: User can authenticate, but authorizations are not what is expected.
Recovery Action: Different vendors use different AV pairs. AV pairs used in one vendor protocol may be ignored by another vendor protocol. Make sure that the user settings reflect the correct vendor protocol; for example, RADIUS (Cisco IOS/PIX).

Condition: LEAP authentication fails; the error “Radius extension DLL rejected user” appears in the Failed Attempts log.
Recovery Action: Verify that the correct authentication type has been set on the Access Point. Make sure that, at a minimum, the Network-EAP check box is selected.
If you are using an external user database for authentication, verify that it is supported. For more information, see Authentication Protocol-Database Compatibility, page 1-9.
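The “key mismatch” row above is easier to reason about once you see what the key actually protects on the wire. The following is an added example, written for this guide and not Cisco Secure ACS or Cisco IOS code, of the two RADIUS integrity checks that depend on the shared secret: the Message-Authenticator (attribute 80, RFC 2869) that lets a server reject an Access-Request sent with the wrong key, and the Response Authenticator (RFC 2865) that the AAA client verifies on every reply. Secrets are byte strings, so b"Secret1" and b"secret1" are different keys, which is the case sensitivity the table warns about. All packet contents are constructed.

```python
"""What a shared-secret mismatch looks like on the wire, added example
(not Cisco Secure ACS or Cisco IOS code).  Packet contents are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
MESSAGE_AUTHENTICATOR = 80


def attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length, value."""
    return bytes([attr_type, len(value) + 2]) + value


def access_request(secret: bytes, ident: int, attrs: bytes) -> bytes:
    """Access-Request carrying a Message-Authenticator: HMAC-MD5 keyed with the
    secret over the whole packet, computed with the attribute's 16 value bytes
    zeroed (RFC 2869 section 5.14)."""
    req_auth = os.urandom(16)
    body = attrs + attr(MESSAGE_AUTHENTICATOR, b"\0" * 16)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def verify_request(secret: bytes, pkt: bytes) -> bool:
    """Server side: recompute the Message-Authenticator with our copy of the
    secret.  False means a wrong key (or tampering); a request that carries no
    Message-Authenticator gives the server nothing to check here."""
    attrs, pos = pkt[20:], 0
    while pos + 2 <= len(attrs):
        t, l = attrs[pos], attrs[pos + 1]
        if l < 2:
            break                                     # malformed; stop parsing
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            received = attrs[pos + 2:pos + 18]
            zeroed = pkt[:20 + pos + 2] + b"\0" * 16 + pkt[20 + pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, received)
        pos += l
    return False


def access_accept(secret: bytes, request: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, req_auth = request[1], request[4:20]
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_reply(secret: bytes, request: bytes, reply: bytes) -> bool:
    """AAA client side.  A reply that fails this check is silently discarded,
    so a key mismatch shows up to the user as a timeout, not an explicit reject."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def demo(client_secret: bytes = b"Secret1", server_secret: bytes = b"Secret1"):
    """One exchange; returns (request verified by server, reply verified by client)."""
    req = access_request(client_secret, 7, attr(1, b"alice") + attr(4, bytes([10, 0, 0, 1])))
    reply = access_accept(server_secret, req)
    return verify_request(server_secret, req), verify_reply(client_secret, req, reply)


if __name__ == "__main__":
    print(demo(), demo(b"Secret1", b"secret1"))     # (True, True) (False, False)
```

With matching keys both checks pass; with keys that differ only in case both fail, and because the client discards an unverifiable reply, the user sees a timeout while the server log is where the mismatch is actually named.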

TACACS+ and RADIUS Attribute Issues

Condition: TACACS+ and RADIUS attributes do not appear on the Group Setup page.
Recovery Action: Make sure that you have at least one RADIUS or TACACS+ AAA client configured in the Network Configuration section and that, in the Interface Configuration section, you have enabled the attributes you need to configure.
Note Some attributes are not customer-configurable in Cisco Secure ACS; instead, their values are set by Cisco Secure ACS.

Appendix B
TACACS+ Attribute-Value Pairs

Cisco Secure Access Control Server (ACS) Appliance supports Terminal Access
Controller Access Control System (TACACS+) attribute-value (AV) pairs. You
can enable different AV pairs for any supported attribute value.

Cisco IOS AV Pair Dictionary


Before selecting TACACS+ AV pairs for Cisco Secure ACS, confirm that your
AAA client is running Cisco IOS Release 11.2 or later. Earlier versions of Cisco
IOS work with Cisco Secure ACS but do not fully support the TACACS+ features
in Cisco Secure ACS.

Note If you specify a given AV pair in Cisco Secure ACS, you must also enable the
corresponding AV pair in the Cisco IOS software running on the AAA client.
Therefore, you must consider which AV pairs your Cisco IOS release supports. If
Cisco Secure ACS sends an AV pair to the AAA client that the Cisco IOS software
does not support, that attribute is not implemented.

For more information on TACACS+ AV pairs, refer to Cisco IOS documentation


for the release of Cisco IOS running on your AAA clients.

Note All TACACS+ values are strings. The concept of value “type” does not exist in
TACACS+ as it does in Remote Authentication Dial-In User Service (RADIUS).

TACACS+ AV Pairs

Note Beginning with Cisco Secure ACS 2.3, some TACACS+ attributes no longer
appear on the Group Setup page. This is because IP pools and callback supersede
the following attributes:

addr
addr-pool
callback-dialstring

Additionally, these attributes cannot be set via database synchronization, and
ip:addr=n.n.n.n is not allowed as a Cisco vendor-specific attribute (VSA).

Cisco Secure ACS supports many TACACS+ AV pairs. For descriptions of these
attributes, refer to Cisco IOS documentation for the release of Cisco IOS running
on your AAA clients. TACACS+ AV pairs supported in Cisco Secure ACS are as
follows:
• acl=
• addr=
• addr-pool=
• autocmd=
• callback-dialstring
• callback-line
• callback-rotary
• cmd-arg=
• cmd=
• dns-servers=
• gw-password
• idletime=
• inacl#n
• inacl=
• interface-config=

• ip-addresses
• link-compression=
• load-threshold=n
• max-links=n
• nas-password
• nocallback-verify
• noescape=
• nohangup=
• old-prompts
• outacl#n
• outacl=
• pool-def#n
• pool-timeout=
• 	ppp-vj-slot-compression
• priv-lvl=
• protocol=
• route
• route#n
• routing=
• rte-ftr-in#n
• rte-ftr-out#n
• sap#n
• sap-fltr-in#n
• sap-fltr-out#n
• service=
• source-ip=
• timeout=
• tunnel-id

• wins-servers=
• zonelist=

TACACS+ Accounting AV Pairs


Cisco Secure ACS supports many TACACS+ accounting AV pairs. For
descriptions of these attributes, see Cisco IOS documentation for the release of
Cisco IOS running on your AAA clients. TACACS+ accounting AV pairs
supported in Cisco Secure ACS are as follows:
• bytes_in
• bytes_out
• cmd
• data-rate
• disc-cause
• disc-cause-ext
• elapsed_time
• event
• mlp-links-max
• mlp-sess-id
• nas-rx-speed
• nas-tx-speed
• paks_in
• paks_out
• port
• pre-bytes-in
• pre-bytes-out
• pre-paks-in
• pre-paks-out
• pre-session-time
• priv_level

• protocol
• reason
• service
• start_time
• stop_time
• task_id
• timezone
• xmit-rate
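The two lists above give the attribute names but not the syntax they travel in. The following parser is an added example, written for this guide and not Cisco Secure ACS or Cisco IOS code, for both the authorization and the accounting AV pairs: in the TACACS+ protocol “attr=value” is a mandatory pair and “attr*value” an optional one, the “#n” suffix on attributes such as inacl#n carries an index, and the “proto:” prefix (for example ip:inacl#1=...) is the form the same pairs take inside the Cisco RADIUS VSA cisco-av-pair. Values stay strings, as the note at the start of this appendix says. The client_view function applies the TACACS+ rule that an AAA client must fail authorization on a mandatory pair it does not support but may drop an optional one; the supported-name set passed to it, and all sample pairs, are constructed.

```python
"""Parser for TACACS+ authorization and accounting AV pairs, added example
(not Cisco Secure ACS or Cisco IOS code).  Sample pairs are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

AUTHZ_ATTRS = {
    "acl", "addr", "addr-pool", "autocmd", "callback-dialstring", "callback-line",
    "callback-rotary", "cmd-arg", "cmd", "dns-servers", "gw-password", "idletime",
    "inacl", "interface-config", "ip-addresses", "link-compression", "load-threshold",
    "max-links", "nas-password", "nocallback-verify", "noescape", "nohangup",
    "old-prompts", "outacl", "pool-def", "pool-timeout", "ppp-vj-slot-compression",
    "priv-lvl", "protocol", "route", "routing", "rte-ftr-in", "rte-ftr-out", "sap",
    "sap-fltr-in", "sap-fltr-out", "service", "source-ip", "timeout", "tunnel-id",
    "wins-servers", "zonelist",
}
INDEXED = {"inacl", "outacl", "pool-def", "route", "rte-ftr-in", "rte-ftr-out",
           "sap", "sap-fltr-in", "sap-fltr-out"}          # listed above with "#n"
ACCT_ATTRS = {
    "bytes_in", "bytes_out", "cmd", "data-rate", "disc-cause", "disc-cause-ext",
    "elapsed_time", "event", "mlp-links-max", "mlp-sess-id", "nas-rx-speed",
    "nas-tx-speed", "paks_in", "paks_out", "port", "pre-bytes-in", "pre-bytes-out",
    "pre-paks-in", "pre-paks-out", "pre-session-time", "priv_level", "protocol",
    "reason", "service", "start_time", "stop_time", "task_id", "timezone", "xmit-rate",
}

# proto:name#idx=value  with "=" mandatory and "*" optional; proto and #idx optional
PAIR_RE = re.compile(
    r"^(?:(?P<proto>[a-z0-9]+):)?(?P<name>[A-Za-z_-]+?)(?:#(?P<idx>\d+))?(?P<sep>[=*])(?P<value>.*)$")


@dataclass(frozen=True)
class AVPair:
    name: str
    value: str                 # always a string in TACACS+
    mandatory: bool
    index: Optional[int] = None
    protocol: Optional[str] = None


def parse_pairs(raw_pairs: List[str], allowed=AUTHZ_ATTRS) -> Tuple[List[AVPair], List[Tuple[str, str]]]:
    """Return (accepted pairs, [(raw, reason)] for rejected ones)."""
    pairs, errors = [], []
    for raw in raw_pairs:
        m = PAIR_RE.match(raw)
        if m is None:
            errors.append((raw, "not attr=value or attr*value"))
            continue
        name, idx = m["name"], m["idx"]
        if name not in allowed:
            errors.append((raw, "unsupported attribute"))
        elif idx is not None and name not in INDEXED:
            errors.append((raw, "attribute takes no #n index"))
        else:
            pairs.append(AVPair(name, m["value"], m["sep"] == "=",
                                int(idx) if idx is not None else None, m["proto"]))
    return pairs, errors


def client_view(pairs: List[AVPair], client_supports) -> Tuple[bool, List[AVPair]]:
    """AAA-client rule: an unsupported mandatory pair fails the authorization,
    an unsupported optional pair is dropped.  client_supports is the set of
    names this IOS release implements (constructed for the example)."""
    kept = []
    for p in pairs:
        if p.name in client_supports:
            kept.append(p)
        elif p.mandatory:
            return False, []
    return True, kept


def total_bytes(pairs: List[AVPair]) -> int:
    """Accounting helper: strings become integers only at the point of use."""
    return sum(int(p.value) for p in pairs if p.name in ("bytes_in", "bytes_out"))


# Constructed samples.
AUTHZ_SAMPLE = ["service=ppp", "protocol=ip", "ip:inacl#1=permit tcp any host 192.0.2.10 eq 22",
                "inacl#2=deny ip any any", "priv-lvl*15", "addr#1=192.0.2.5", "bogus-attr=1"]
ACCT_SAMPLE = ["task_id=42", "service=shell", "cmd=show running-config", "elapsed_time=60",
               "bytes_in=1024", "bytes_out=2048"]


def demo():
    authz, errors = parse_pairs(AUTHZ_SAMPLE)
    acct, _ = parse_pairs(ACCT_SAMPLE, ACCT_ATTRS)
    return authz, errors, acct


if __name__ == "__main__":
    a, e, c = demo()
    print([p.name for p in a], e, total_bytes(c))
```

The mandatory/optional distinction is the practical consequence of the note above about IOS support: a mandatory pair the AAA client does not implement is not merely ignored, it fails the whole authorization, so new attributes should be sent as optional until every client release in the fleet handles them.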

Appendix C
RADIUS Attributes

Cisco Secure Access Control Server (Cisco Secure ACS) Appliance version 3.2
supports many RADIUS attributes. This appendix lists the standard attributes,
vendor-proprietary attributes, and vendor-specific attributes supported by
Cisco Secure ACS for the following vendor implementations of RADIUS:
• Cisco IOS RADIUS
• Cisco VPN 3000 Concentrator RADIUS
• Cisco VPN 5000 Concentrator RADIUS
• Cisco Building Broadband Service Manager RADIUS
• Microsoft RADIUS
• Ascend RADIUS
• Nortel RADIUS
• Juniper RADIUS
• Internet Engineering Task Force (IETF) RADIUS
You can enable different attribute-value (AV) pairs for IETF RADIUS and for any
supported vendor. This appendix provides information about the following
RADIUS AV pairs:
• Cisco IOS Dictionary of RADIUS AV Pairs, page C-2
• Cisco IOS/PIX Dictionary of RADIUS VSAs, page C-5
• Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs, page C-7
• Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs, page C-11

• Cisco Building Broadband Service Manager Dictionary of RADIUS VSA, page C-12
• IETF Dictionary of RADIUS AV Pairs, page C-12
• Microsoft MPPE Dictionary of RADIUS VSAs, page C-27
• Ascend Dictionary of RADIUS AV Pairs, page C-30
• Nortel Dictionary of RADIUS VSAs, page C-42
• Juniper Dictionary of RADIUS VSAs, page C-43

Cisco IOS Dictionary of RADIUS AV Pairs


Cisco Secure ACS supports Cisco IOS RADIUS AV pairs. Before selecting AV
pairs for Cisco Secure ACS, confirm that your AAA client is a compatible release
of Cisco IOS or compatible AAA client software. For more information, see
Network and Port Requirements, page 2-2.

Note If you specify a given AV pair on Cisco Secure ACS, the corresponding AV pair
must be implemented in the Cisco IOS software running on the network device.
Always consider which AV pairs your Cisco IOS release supports. If
Cisco Secure ACS sends an AV pair that the Cisco IOS software does not
support, the attribute is not implemented.

Note Because IP pools and callback supersede them, the following RADIUS attributes
do not appear on the Group Setup page:

8, Framed-IP-Address
19, Callback-Number
218, Ascend-Assign-IP-Pool

None of these attributes can be set via RDBMS Synchronization.

Table C-1 lists the supported Cisco IOS RADIUS AV pairs.

Table C-1 Cisco IOS Software RADIUS AV Pairs

Attribute             Number  Type of Value                               Inbound/Outbound  Multiple
User-Name             1       String                                      Inbound           No
User-Password         2       String                                      Outbound          No
CHAP-Password         3       String                                      Outbound          No
NAS-IP-Address        4       Ipaddr                                      Inbound           No
NAS-Port              5       Integer                                     Inbound           No
Service-Type          6       Integer                                     Both              No
Framed-Protocol       7       Integer                                     Both              No
Framed-IP-Netmask     9       Ipaddr (maximum length 15 characters)       Outbound          No
Framed-Routing        10      Integer                                     Outbound          No
Filter-Id             11      String                                      Outbound          Yes
Framed-MTU            12      Integer (maximum length 10 characters)      Outbound          No
Framed-Compression    13      Integer                                     Outbound          Yes
Login-IP-Host         14      Ipaddr (maximum length 15 characters)       Both              Yes
Login-Service         15      Integer                                     Both              No
Login-TCP-Port        16      Integer (maximum length 10 characters)      Outbound          No
Reply-Message         18      String                                      Outbound          Yes
Expiration            21      Date                                        —                 —
Framed-Route          22      String                                      Outbound          Yes
State                 24      String (maximum length 253 characters)      Outbound          No

Class                 25      String                                      Outbound          Yes
Vendor-Specific       26      String                                      Outbound          Yes
Session-Timeout       27      Integer (maximum length 10 characters)      Outbound          No
Idle-Timeout          28      Integer (maximum length 10 characters)      Outbound          No
Called-Station-ID     30      String                                      Inbound           No
Calling-Station-ID    31      String                                      Inbound           No
Login-LAT-Service     33      String (maximum length 253 characters)      Inbound           No
Acct-Status-Type      40      Integer                                     Inbound           No
Acct-Delay-Time       41      Integer                                     Inbound           No
Acct-Input-Octets     42      Integer                                     Inbound           No
Acct-Output-Octets    43      Integer                                     Inbound           No
Acct-Session-ID       44      String                                      Inbound           No
Acct-Authentic        45      Integer                                     Inbound           No
Acct-Session-Time     46      Integer                                     Inbound           No
Acct-Input-Packets    47      Integer                                     Inbound           No
Acct-Output-Packets   48      Integer                                     Inbound           No
Acct-Terminate-Cause  49      Integer                                     Inbound           No
NAS-Port-Type         61      Integer                                     Inbound           No
NAS-Port-Limit        62      Integer (maximum length 10 characters)      Both              No

Cisco IOS/PIX Dictionary of RADIUS VSAs


Cisco Secure ACS supports Cisco IOS/PIX vendor-specific attributes (VSAs).
The vendor ID for this Cisco RADIUS Implementation is 009. Table C-2 lists the
supported Cisco IOS/PIX RADIUS VSAs.

Note For a discussion of Cisco IOS/PIX RADIUS VSA 1, cisco-av-pair, see AV pair
26 in Table C-6.

Note For details about the Cisco IOS H.323 VSAs, refer to Cisco IOS Voice-over-IP
documentation.

Note For details about the Cisco IOS Node Route Processor-Service Selection Gateway
VSAs (VSAs 250, 251, and 253 in Table C-2), refer to Cisco IOS documentation.

Table C-2 Cisco IOS/PIX RADIUS VSAs

Attribute                     Number  Type of Value                             Inbound/Outbound  Multiple
cisco-av-pair                 1       String                                    Both              Yes
cisco-nas-port                2       String                                    Inbound           No
cisco-h323-remote-address     23      String                                    Inbound           No
cisco-h323-conf-id            24      String                                    Inbound           No
cisco-h323-setup-time         25      String                                    Inbound           No
cisco-h323-call-origin        26      String                                    Inbound           No
cisco-h323-call-type          27      String                                    Inbound           No
cisco-h323-connect-time       28      String                                    Inbound           No
cisco-h323-disconnect-time    29      String                                    Inbound           No
cisco-h323-disconnect-cause   30      String                                    Inbound           No
cisco-h323-voice-quality      31      String                                    Inbound           No
cisco-h323-gw-id              33      String                                    Inbound           No

cisco-h323-incoming-conn-id   35      String                                    Inbound           No
cisco-h323-credit-amount      101     String (maximum length 247 characters)    Outbound          No
cisco-h323-credit-time        102     String (maximum length 247 characters)    Outbound          No
cisco-h323-return-code        103     String (maximum length 247 characters)    Outbound          No
cisco-h323-prompt-id          104     String (maximum length 247 characters)    Outbound          No
cisco-h323-day-and-time       105     String (maximum length 247 characters)    Outbound          No
cisco-h323-redirect-number    106     String (maximum length 247 characters)    Outbound          No
cisco-h323-preferred-lang     107     String (maximum length 247 characters)    Outbound          No
cisco-h323-redirect-ip-addr   108     String (maximum length 247 characters)    Outbound          No
cisco-h323-billing-model      109     String (maximum length 247 characters)    Outbound          No
cisco-h323-currency           110     String (maximum length 247 characters)    Outbound          No

cisco-ssg-account-info        250     String (maximum length 247 characters)    Outbound          No
cisco-ssg-service-info        251     String (maximum length 247 characters)    Both              No
cisco-ssg-control-info        253     String (maximum length 247 characters)    Both              No

Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs

Cisco Secure ACS supports Cisco VPN 3000 RADIUS VSAs. The vendor ID for this
Cisco RADIUS implementation is 3076. Table C-3 lists the supported
Cisco VPN 3000 Concentrator RADIUS VSAs.

Note Some of the RADIUS VSAs supported by Cisco VPN 3000 Concentrators are
interdependent. Before you implement them, we recommend that you refer to
Cisco VPN 3000-series Concentrator documentation.

To control Microsoft MPPE settings for users accessing the network through a
Cisco VPN 3000-series concentrator, use the CVPN3000-PPTP-Encryption (VSA
20) and CVPN3000-L2TP-Encryption (VSA 21) attributes. Settings for
CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA
21) override Microsoft MPPE RADIUS settings. If either of these attributes is
enabled, Cisco Secure ACS determines the values to be sent in outbound
RADIUS (Microsoft) attributes and sends them along with the RADIUS (Cisco
VPN 3000) attributes, regardless of whether RADIUS (Microsoft) attributes are
enabled in the Cisco Secure ACS HTML interface or how those attributes might
be configured.

Table C-3 Cisco VPN 3000 Concentrator RADIUS VSAs

Attribute                                           Number  Type of Value                             Inbound/Outbound  Multiple
CVPN3000-Access-Hours                               1       String (maximum length 247 characters)    Outbound          No
CVPN3000-Simultaneous-Logins                        2       Integer (maximum length 10 characters)    Outbound          No
CVPN3000-Primary-DNS                                5       Ipaddr (maximum length 15 characters)     Outbound          No
CVPN3000-Secondary-DNS                              6       Ipaddr (maximum length 15 characters)     Outbound          No
CVPN3000-Primary-WINS                               7       Ipaddr (maximum length 15 characters)     Outbound          No
CVPN3000-Secondary-WINS                             8       Ipaddr (maximum length 15 characters)     Outbound          No
CVPN3000-SEP-Card-Assignment                        9       Integer                                   Outbound          No
CVPN3000-Tunneling-Protocols                        11      Integer                                   Outbound          No
CVPN3000-IPSec-Sec-Association                      12      String (maximum length 247 characters)    Outbound          No
CVPN3000-IPSec-Authentication                       13      Integer                                   Outbound          No
CVPN3000-IPSec-Banner1                              15      String (maximum length 247 characters)    Outbound          No
CVPN3000-IPSec-Allow-Passwd-Store                   16      Integer                                   Outbound          No
CVPN3000-Use-Client-Address                         17      Integer                                   Outbound          No
CVPN3000-PPTP-Encryption                            20      Integer                                   Outbound          No

CVPN3000-L2TP-Encryption                            21      Integer                                   Outbound          No
CVPN3000-IPSec-Split-Tunnel-List                    27      String (maximum length 247 characters)    Outbound          No
CVPN3000-IPSec-Default-Domain                       28      String (maximum length 247 characters)    Outbound          No
CVPN3000-IPSec-Split-DNS-Names                      29      String (maximum length 247 characters)    Outbound          No
CVPN3000-IPSec-Tunnel-Type                          30      Integer                                   Outbound          No
CVPN3000-IPSec-Mode-Config                          31      Integer                                   Outbound          No
CVPN3000-IPSec-User-Group-Lock                      33      Integer                                   Outbound          No
CVPN3000-IPSec-Over-UDP                             34      Integer                                   Outbound          No
CVPN3000-IPSec-Over-UDP-Port                        35      Integer (maximum length 10 characters)    Outbound          No
CVPN3000-IPSec-Banner2                              36      String (maximum length 247 characters)    Outbound          No
CVPN3000-PPTP-MPPC-Compression                      37      Integer                                   Outbound          No
CVPN3000-L2TP-MPPC-Compression                      38      Integer                                   Outbound          No
CVPN3000-IPSec-IP-Compression                       39      Integer                                   Outbound          No
CVPN3000-IPSec-IKE-Peer-ID-Check                    40      Integer                                   Outbound          No
CVPN3000-IKE-Keep-Alives                            41      Integer                                   Outbound          No
CVPN3000-IPSec-Auth-On-Rekey                        42      Integer                                   Outbound          No

CVPN3000-Required-Client-Firewall-Vendor-Code       45      Integer (maximum length 10 characters)    Outbound          No
CVPN3000-Required-Client-Firewall-Product-Code      46      Integer (maximum length 10 characters)    Outbound          No
CVPN3000-Required-Client-Firewall-Description       47      String (maximum length 247 characters)    Outbound          No
CVPN3000-Require-HW-Client-Auth                     48      Integer                                   Outbound          No
CVPN3000-Require-Individual-User-Auth               49      Integer                                   Outbound          No
CVPN3000-Authenticated-User-Idle-Timeout            50      Integer (maximum length 10 characters)    Outbound          No
CVPN3000-Cisco-IP-Phone-Bypass                      51      Integer                                   Outbound          No
CVPN3000-User-Auth-Server-Name                      52      String (maximum length 247 characters)    Outbound          No
CVPN3000-User-Auth-Server-Port                      53      Integer (maximum length 10 characters)    Outbound          No
CVPN3000-User-Auth-Server-Secret                    54      String (maximum length 247 characters)    Outbound          No
CVPN3000-IPSec-Split-Tunneling-Policy               55      Integer                                   Outbound          No
CVPN3000-IPSec-Required-Client-Firewall-Capability  56      Integer                                   Outbound          No

CVPN3000-IPSec-Client-Firewall-Filter-Name          57      String (maximum length 247 characters)    Outbound          No
CVPN3000-IPSec-Client-Firewall-Filter-Optional      58      Integer                                   Outbound          No
CVPN3000-IPSec-Backup-Servers                       59      Integer                                   Outbound          No
CVPN3000-IPSec-Backup-Server-List                   60      String (maximum length 247 characters)    Outbound          No
CVPN3000-MS-Client-Intercept-DHCP-Configure-Message 62      Integer                                   Outbound          No
CVPN3000-MS-Client-Subnet-Mask                      63      Ipaddr (maximum length 15 characters)     Outbound          No
CVPN3000-Allow-Network-Extension-Mode               64      Integer                                   Outbound          No
CVPN3000-Strip-Realm                                135     Integer                                   Outbound          No

Note CVPN3000-User-Auth-Server-Secret (54) carries a secret as an ordinary string
attribute. RADIUS hides only User-Password; every other attribute is sent in the
clear, protected by the shared secret's integrity check alone, so the path between
Cisco Secure ACS and the concentrator should be a trusted network or an encrypted
tunnel if you send this attribute.

Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs

Cisco Secure ACS supports the Cisco VPN 5000 RADIUS VSAs. The vendor ID for this
Cisco RADIUS implementation is 255. Table C-4 lists the supported
Cisco VPN 5000 Concentrator RADIUS VSAs.

Table C-4 Cisco VPN 5000 Concentrator RADIUS VSAs

Attribute                      Number  Type of Value                             Inbound/Outbound  Multiple
CVPN5000-Tunnel-Throughput     001     Integer                                   Inbound           No
CVPN5000-Client-Assigned-IP    002     String                                    Inbound           No

CVPN5000-Client-Real-IP        003     String                                    Inbound           No
CVPN5000-VPN-GroupInfo         004     String (maximum length 247 characters)    Outbound          No
CVPN5000-VPN-Password          005     String (maximum length 247 characters)    Outbound          No
CVPN5000-Echo                  006     Integer                                   Inbound           No
CVPN5000-Client-Assigned-IPX   007     Integer                                   Inbound           No

Cisco Building Broadband Service Manager Dictionary of RADIUS VSA

Cisco Secure ACS supports a Cisco Building Broadband Service Manager (BBSM)
RADIUS VSA. The vendor ID for this Cisco RADIUS implementation is 5263.
Table C-5 lists the supported Cisco BBSM RADIUS VSA.

Table C-5 Cisco BBSM RADIUS VSA

Attribute        Number  Type of Value  Inbound/Outbound  Multiple
CBBSM-Bandwidth  001     Integer        Both              No

IETF Dictionary of RADIUS AV Pairs

Table C-6 on page C-13 lists the supported RADIUS (IETF) attributes. If the attribute has a security server-specific format, the format is specified.


Table C-6 RADIUS (IETF) Attributes

| Attribute | Number | Description | Type of Value | Inbound/Outbound | Multiple |
|---|---|---|---|---|---|
| User-Name | 1 | Name of the user being authenticated. | String | Inbound | No |
| User-Password | 2 | User password or input following an access challenge. Passwords longer than 16 characters are encrypted using IETF Draft #2 or later specifications. | String | Outbound | No |
| CHAP-Password | 3 | PPP (Point-to-Point Protocol) CHAP (Challenge Handshake Authentication Protocol) response to an Access-Challenge. | String | Outbound | No |
| NAS-IP-Address | 4 | IP address of the AAA client that is requesting authentication. | Ipaddr | Inbound | No |
| NAS-Port | 5 | Physical port number of the AAA client that is authenticating the user. The AAA client port value (32 bits) consists of one or two 16-bit values, depending on the setting of the RADIUS server extended portnames command. Each 16-bit number is a 5-digit decimal integer interpreted as follows: for asynchronous terminal lines, async network interfaces, and virtual async interfaces, the value is 00ttt, where ttt is the line number or async interface unit number; for ordinary synchronous network interfaces, the value is 10xxx; for channels on a primary-rate ISDN (Integrated Services Digital Network) interface, the value is 2ppcc; for channels on a basic rate ISDN interface, the value is 3bb0c; for other types of interfaces, the value is 6nnss. | Integer | Inbound | No |
| Service-Type | 6 | Type of service requested or type of service to be provided. In a request: Framed (for known PPP or SLIP (Serial Line Internet Protocol) connection); Administrative User (for enable command). In a response: Login (make a connection); Framed (start SLIP or PPP); Administrative User (start an EXEC or enable ok); Exec User (start an EXEC session). | Integer | Both | No |
| Framed-Protocol | 7 | Framing to be used for framed access. | Integer | Both | No |
| Framed-IP-Address | 8 | Address to be configured for the user. | — | — | — |
| Framed-IP-Netmask | 9 | IP netmask to be configured for the user when the user is a router to a network. This AV results in a static route being added for Framed-IP-Address with the mask specified. | Ipaddr (maximum length 15 characters) | Outbound | No |
| Framed-Routing | 10 | Routing method for the user when the user is a router to a network. Only None and Send and Listen values are supported for this attribute. | Integer | Outbound | No |
| Filter-Id | 11 | Name of the filter list for the user, formatted as follows: %d, %d.in, or %d.out. This attribute is associated with the most recent service-type command. For login and EXEC, use %d or %d.out as the line access list value from 0 to 199. For Framed service, use %d or %d.out as interface output access list and %d.in for input access list. The numbers are self-encoding to the protocol to which they refer. | String | Outbound | Yes |
| Framed-MTU | 12 | Indicates the maximum transmission unit (MTU) that can be configured for the user when the MTU is not negotiated by PPP or some other means. | Integer (maximum length 10 characters) | Outbound | No |
| Framed-Compression | 13 | Compression protocol used for the link. This attribute results in “/compress” being added to the PPP or SLIP autocommand generated during EXEC authorization. Not currently implemented for non-EXEC authorization. | Integer | Outbound | Yes |
| Login-IP-Host | 14 | Host to which the user will connect when the Login-Service attribute is included. | Ipaddr (maximum length 15 characters) | Both | Yes |
| Login-Service | 15 | Service that should be used to connect the user to the login host. Service is indicated by a numeric value as follows: 0: Telnet; 1: Rlogin; 2: TCP-Clear; 3: PortMaster; 4: LAT. | Integer | Both | No |
| Login-TCP-Port | 16 | TCP (Transmission Control Protocol) port with which the user is to be connected when the Login-Service attribute is also present. | Integer (maximum length 10 characters) | Outbound | No |
| Reply-Message | 18 | Text to be displayed to the user. | String | Outbound | Yes |
| Callback-Number | 19 | — | String | Outbound | No |
| Callback-Id | 20 | — | String | Outbound | No |
| Framed-Route | 22 | Routing information to be configured for the user on this AAA client. The RADIUS RFC (Request for Comments) format (net/bits [router [metric]]) and the old style dotted mask (net mask [router [metric]]) are supported. If the router field is omitted or 0 (zero), the peer IP address is used. Metrics are ignored. | String | Outbound | Yes |
| Framed-IPX-Network | 23 | — | Integer | Outbound | No |
| State | 24 | Allows State information to be maintained between the AAA client and the RADIUS server. This attribute is applicable only to CHAP challenges. | String (maximum length 253 characters) | Outbound | No |
| Class | 25 | Arbitrary value that the AAA client includes in all accounting packets for this user if supplied by the RADIUS server. | String | Both | Yes |
| Vendor-Specific | 26 | Allows vendors to support their own extended attributes. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor-ID is 9, and the supported option is vendor-type 1, cisco-avpair. The value is a string of the format protocol:attribute sep value, where protocol is a value of the Cisco protocol attribute for a particular type of authorization, attribute and value are an appropriate AV pair defined in the Cisco TACACS+ specification, and sep is “=” for mandatory attributes and “*” for optional attributes. This allows the full set of TACACS+ authorization features to be used for RADIUS. Examples: cisco-avpair=“ip:addr-pool=first” and cisco-avpair=“shell:priv-lvl=15”. The first example causes the Cisco multiple named IP address pools feature to be activated during IP authorization (during PPP IPCP address assignment). The second example causes a user of a device-hosted administrative session to have immediate access to EXEC commands. | String | Outbound | Yes |
| Session-Timeout | 27 | Maximum number of seconds of service to be provided to the user before the session terminates. This AV becomes the per-user absolute timeout. This attribute is not valid for PPP sessions. | Integer (maximum length 10 characters) | Outbound | No |
| Idle-Timeout | 28 | Maximum number of consecutive seconds of idle connection time allowed to the user before the session terminates. This AV becomes the per-user session-timeout. This attribute is not valid for PPP sessions. | Integer (maximum length 10 characters) | Outbound | No |
| Termination-Action | 29 | — | Integer | Both | No |
| Called-Station-Id | 30 | Allows the AAA client to send the telephone number the call came from as part of the access-request packet using automatic number identification or similar technology. This attribute has the same value as remote-addr in TACACS+. This attribute is supported only on ISDN and for modem calls on the Cisco AS5200 if used with PRI. | String | Inbound | No |
| Calling-Station-Id | 31 | Allows the AAA client to send the telephone number the user called into as part of the access-request packet, using DNIS (Dialed Number Identification Server) or similar technology. This attribute is only supported on ISDN and for modem calls on the Cisco AS5200 if used with PRI (Primary Rate Interface). | String | Inbound | No |
| NAS-Identifier | 32 | — | String | Inbound | No |
| Proxy-State | 33 | Included in proxied RADIUS requests per RADIUS standards. The operation of Cisco Secure ACS does not depend on the contents of this attribute. | String (maximum length 253 characters) | Inbound | No |
| Login-LAT-Service | 34 | System with which the user is to be connected by local area transport (LAT) protocol. This attribute is only available in the EXEC mode. | String (maximum length 253 characters) | Inbound | No |
| Login-LAT-Node | 35 | — | String | Inbound | No |
| Login-LAT-Group | 36 | — | String | Inbound | No |
| Framed-AppleTalk-Link | 37 | — | Integer | Outbound | No |
| Framed-AppleTalk-Network | 38 | — | Integer | Outbound | Yes |
| Framed-AppleTalk-Zone | 39 | — | String | Outbound | No |
| Acct-Status-Type | 40 | Specifies whether this accounting-request marks the beginning of the user service (start) or the end (stop). | Integer | Inbound | No |
| Acct-Delay-Time | 41 | Number of seconds the client has been trying to send a particular record. | Integer | Inbound | No |
| Acct-Input-Octets | 42 | Number of octets received from the port while this service is being provided. | Integer | Inbound | No |
| Acct-Output-Octets | 43 | Number of octets sent to the port while this service is being delivered. | Integer | Inbound | No |
| Acct-Session-Id | 44 | Unique accounting identifier that makes it easy to match start and stop records in a log file. The Acct-Session-Id restarts at 1 each time the router is power cycled or the software is reloaded. Contact Cisco support if this is unsuitable. | String | Inbound | No |
| Acct-Authentic | 45 | Way in which the user was authenticated: by RADIUS, by the AAA client itself, or by another remote authentication protocol. This attribute is set to radius for users authenticated by RADIUS; to remote for TACACS+ and Kerberos; or to local for local, enable, line, and if-needed methods. For all other methods, the attribute is omitted. | Integer | Inbound | No |
| Acct-Session-Time | 46 | Number of seconds the user has been receiving service. | Integer | Inbound | No |
| Acct-Input-Packets | 47 | Number of packets received from the port while this service is being provided to a framed user. | Integer | Inbound | No |
| Acct-Output-Packets | 48 | Number of packets sent to the port while this service is being delivered to a framed user. | Integer | Inbound | No |
| Acct-Terminate-Cause | 49 | Reports details on why the connection was terminated. Termination causes are indicated by a numeric value as follows: 1: User request; 2: Lost carrier; 3: Lost service; 4: Idle timeout; 5: Session-timeout; 6: Admin reset; 7: Admin reboot; 8: Port error; 9: AAA client error; 10: AAA client request; 11: AAA client reboot; 12: Port unneeded; 13: Port pre-empted; 14: Port suspended; 15: Service unavailable; 16: Callback; 17: User error; 18: Host request. | Integer | Inbound | No |
| Acct-Multi-Session-Id | 50 | — | String | Inbound | No |
| Acct-Link-Count | 51 | — | Integer | Inbound | No |
| Acct-Input-Gigawords | 52 | — | Integer | Inbound | No |
| Acct-Output-Gigawords | 53 | — | Integer | Inbound | No |
| Event-Timestamp | 55 | — | Date | Inbound | No |
| CHAP-Challenge | 60 | — | String | Inbound | No |
| NAS-Port-Type | 61 | Indicates the type of physical port the AAA client is using to authenticate the user. Physical ports are indicated by a numeric value as follows: 0: Asynchronous; 1: Synchronous; 2: ISDN-Synchronous; 3: ISDN-Asynchronous (V.120); 4: ISDN-Asynchronous (V.110); 5: Virtual. | Integer | Inbound | No |
| Port-Limit | 62 | Sets the maximum number of ports to be provided to the user by the network access server. | Integer (maximum length 10 characters) | Both | No |
| Login-LAT-Port | 63 | — | String | Both | No |
| Tunnel-Type | 64 | — | Tagged integer | Both | Yes |
| Tunnel-Medium-Type | 65 | — | Tagged integer | Both | Yes |
| Tunnel-Client-Endpoint | 66 | — | Tagged string | Both | Yes |
| Tunnel-Server-Endpoint | 67 | — | Tagged string | Both | Yes |
| Acct-Tunnel-Connection | 68 | — | String | Inbound | No |
| Tunnel-Password | 69 | — | Tagged string | Both | Yes |
| ARAP-Password | 70 | — | String | Inbound | No |
| ARAP-Features | 71 | — | String | Outbound | No |
| ARAP-Zone-Access | 72 | — | Integer | Outbound | No |
| ARAP-Security | 73 | — | Integer | Inbound | No |
| ARAP-Security-Data | 74 | — | String | Inbound | No |
| Password-Retry | 75 | — | Integer | Internal use only | No |
| Prompt | 76 | — | Integer | Internal use only | No |
| Connect-Info | 77 | — | String | Inbound | No |
| Configuration-Token | 78 | — | String | Internal use only | No |
| EAP-Message | 79 | — | String | Internal use only | No |
| Message-Authenticator | 80 | — | String | Outbound | No |
| Tunnel-Private-Group-ID | 81 | — | Tagged string | Both | Yes |
| Tunnel-Assignment-ID | 82 | — | Tagged string | Both | Yes |
| Tunnel-Preference | 83 | — | Tagged integer | Both | No |
| Acct-Interim-Interval | 85 | — | Integer | Outbound | No |
| NAS-Port-Id | 87 | — | String | Inbound | No |
| Framed-Pool | 88 | — | String | Internal use only | No |
| Tunnel-Client-Auth-ID | 90 | — | Tagged string | Both | Yes |
| Tunnel-Server-Auth-ID | 91 | — | Tagged string | Both | Yes |
| Primary-DNS-Server | 135 | — | Ipaddr | Both | No |
| Secondary-DNS-Server | 136 | — | Ipaddr | Both | No |
| Multilink-ID | 187 | — | Integer | Inbound | No |
| Num-In-Multilink | 188 | — | Integer | Inbound | No |
| Pre-Input-Octets | 190 | — | Integer | Inbound | No |
| Pre-Output-Octets | 191 | — | Integer | Inbound | No |
| Pre-Input-Packets | 192 | — | Integer | Inbound | No |
| Pre-Output-Packets | 193 | — | Integer | Inbound | No |
| Maximum-Time | 194 | — | Integer | Both | No |
| Disconnect-Cause | 195 | — | Integer | Inbound | No |
| Data-Rate | 197 | — | Integer | Inbound | No |
| PreSession-Time | 198 | — | Integer | Inbound | No |
| PW-Lifetime | 208 | — | Integer | Outbound | No |
| IP-Direct | 209 | — | Ipaddr | Outbound | No |
| PPP-VJ-Slot-Comp | 210 | — | Integer | Outbound | No |
| Assign-IP-pool | 218 | — | Integer | Outbound | No |
| Route-IP | 228 | — | Integer | Outbound | No |
| Link-Compression | 233 | — | Integer | Outbound | No |
| Target-Utils | 234 | — | Integer | Outbound | No |
| Maximum-Channels | 235 | — | Integer | Outbound | No |
| Data-Filter | 242 | — | Ascend filter | Outbound | Yes |
| Call-Filter | 243 | — | Ascend filter | Outbound | Yes |
| Idle-Limit | 244 | — | Integer | Outbound | No |
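Two of the encodings Table C-6 describes, worked through as an added example that is not part of the Cisco guide: packing a cisco-avpair string into a Vendor-Specific attribute (type 26, Cisco vendor-ID 9, vendor-type 1) and splitting it back into protocol, attribute, separator and value, and decoding the 5-digit NAS-Port codes (00ttt, 10xxx, 2ppcc, 3bb0c, 6nnss). The RFC 2865 layout of the Vendor-Specific attribute, the high-half-first order of the two 16-bit NAS-Port values, and all sample values are assumptions of this example.

```python
"""Added example: helpers for two RADIUS encodings from Table C-6 (not Cisco code)."""
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type (Table C-6)
CISCO_VENDOR_ID = 9    # Cisco vendor-ID given in the Vendor-Specific row
CISCO_AVPAIR = 1       # vendor-type 1, cisco-avpair


def parse_avpair_string(text):
    """Split 'protocol:attribute sep value'; sep is '=' (mandatory) or '*' (optional)."""
    protocol, colon, rest = text.partition(":")
    if not colon or not protocol:
        raise ValueError("cisco-avpair must start with 'protocol:'")
    # The separator is the first '=' or '*' after the attribute name; anything
    # after it (including further '=' or '*') belongs to the value.
    positions = [i for i in (rest.find("="), rest.find("*")) if i >= 0]
    if not positions:
        raise ValueError("cisco-avpair has no '=' or '*' separator")
    idx = min(positions)
    return {
        "protocol": protocol,
        "attribute": rest[:idx],
        "value": rest[idx + 1:],
        "mandatory": rest[idx] == "=",
    }


def encode_cisco_avpair(text):
    """Wrap a cisco-avpair string in a Vendor-Specific attribute. Assumed RFC 2865
    layout: Type(26) Length Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) String."""
    parse_avpair_string(text)  # reject malformed pairs before putting them on the wire
    value = text.encode("ascii")
    vendor_len = 2 + len(value)
    length = 6 + vendor_len
    if length > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BBIBB", VENDOR_SPECIFIC, length, CISCO_VENDOR_ID,
                       CISCO_AVPAIR, vendor_len) + value


def decode_cisco_avpair(attr):
    """Check the attribute framing and return the parsed AV pair."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id, vtype, vlen = struct.unpack("!IBB", attr[2:8])
    if vendor_id != CISCO_VENDOR_ID or vtype != CISCO_AVPAIR:
        raise ValueError("not a cisco-avpair (vendor 9, vendor-type 1)")
    if vlen != len(attr) - 6:
        raise ValueError("vendor-length does not match attribute length")
    return parse_avpair_string(attr[8:].decode("ascii"))


def decode_nas_port16(value):
    """Interpret one 16-bit NAS-Port value as the 5-digit decimal codes in Table C-6."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("NAS-Port half must fit in 16 bits")
    d = "%05d" % value
    if d[:2] == "00":                  # 00ttt: async line / async interface unit
        return {"kind": "async", "ttt": int(d[2:])}
    if d[:2] == "10":                  # 10xxx: ordinary synchronous interface
        return {"kind": "sync", "xxx": int(d[2:])}
    if d[0] == "2":                    # 2ppcc: channel on a primary-rate ISDN interface
        return {"kind": "isdn-pri", "pp": int(d[1:3]), "cc": int(d[3:])}
    if d[0] == "3" and d[3] == "0":    # 3bb0c: channel on a basic-rate ISDN interface
        return {"kind": "isdn-bri", "bb": int(d[1:3]), "c": int(d[4])}
    if d[0] == "6":                    # 6nnss: other interface types
        return {"kind": "other", "nn": int(d[1:3]), "ss": int(d[3:])}
    raise ValueError("NAS-Port value %s matches no documented encoding" % d)


def decode_nas_port(value):
    """Decode a 32-bit NAS-Port. With extended portnames the field carries two
    16-bit values; this example assumes the high half is the first of them."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("NAS-Port must fit in 32 bits")
    halves = [value >> 16, value & 0xFFFF] if value > 0xFFFF else [value]
    return [decode_nas_port16(h) for h in halves]


if __name__ == "__main__":
    # Constructed sample values, not captured from a device.
    wire = encode_cisco_avpair("ip:addr-pool=first")
    print(wire.hex(), decode_cisco_avpair(wire))
    print(decode_nas_port(20103), decode_nas_port((20103 << 16) | 23))
```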

Microsoft MPPE Dictionary of RADIUS VSAs

Cisco Secure ACS supports the Microsoft RADIUS VSAs used for Microsoft Point-to-Point Encryption (MPPE). The vendor ID for this Microsoft RADIUS Implementation is 311. MPPE is an encryption technology developed by Microsoft to encrypt point-to-point (PPP) links. These PPP connections can be via a dial-up line, or over a VPN tunnel such as PPTP. MPPE is supported by several RADIUS network device vendors that Cisco Secure ACS supports. The following Cisco Secure ACS RADIUS protocols support the Microsoft RADIUS VSAs:
• Cisco IOS
• Cisco VPN 3000
• Ascend

To control Microsoft MPPE settings for users accessing the network through a Cisco VPN 3000-series concentrator, use the CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) attributes. Settings for CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) override Microsoft MPPE RADIUS settings. If either of these attributes is enabled, Cisco Secure ACS determines the values to be sent in outbound RADIUS (Microsoft) attributes and sends them along with the RADIUS (Cisco VPN 3000) attributes, regardless of whether RADIUS (Microsoft) attributes are enabled in the Cisco Secure ACS HTML interface or how those attributes might be configured.

Table C-7 lists the supported MPPE RADIUS VSAs.

Table C-7 Microsoft MPPE RADIUS VSAs

| Attribute | Number | Type of Value | Description | Inbound/Outbound | Multiple |
|---|---|---|---|---|---|
| MS-CHAP-Response | 1 | String | — | Inbound | No |
| MS-CHAP-Error | 2 | String | — | Outbound | No |
| MS-CHAP-CPW-1 | 3 | String | — | Inbound | No |
| MS-CHAP-CPW-2 | 4 | String | — | Inbound | No |
| MS-CHAP-LM-Enc-PW | 5 | String | — | Inbound | No |
| MS-CHAP-NT-Enc-PW | 6 | String | — | Inbound | No |
| MS-MPPE-Encryption-Policy | 7 | Integer | The MS-MPPE-Encryption-Policy attribute signifies whether the use of encryption is allowed or required. If the Policy field is equal to 1 (Encryption-Allowed), any or none of the encryption types specified in the MS-MPPE-Encryption-Types attribute can be used. If the Policy field is equal to 2 (Encryption-Required), any of the encryption types specified in the MS-MPPE-Encryption-Types attribute can be used, but at least one must be used. | Outbound | No |
| MS-MPPE-Encryption-Types | 8 | Integer | The MS-MPPE-Encryption-Types attribute signifies the types of encryption available for use with MPPE. It is a four octet integer that is interpreted as a string of bits. | Outbound | No |
| MS-CHAP-Domain | 10 | String | — | Inbound | No |
| MS-CHAP-Challenge | 11 | String | — | Inbound | No |
| MS-CHAP-MPPE-Keys | 12 | String | The MS-CHAP-MPPE-Keys attribute contains two session keys for use by the MPPE. This attribute is only included in Access-Accept packets. Note: the MS-CHAP-MPPE-Keys attribute value is autogenerated by Cisco Secure ACS; there is no value to set in the HTML interface. | Outbound | No |
| MS-MPPE-Send-Key | 16 | String (maximum length 240 characters) | The MS-MPPE-Send-Key attribute contains a session key for use by MPPE. This key is for encrypting packets sent from the AAA client to the remote host. This attribute is only included in Access-Accept packets. | Outbound | No |
| MS-MPPE-Recv-Key | 17 | String (maximum length 240 characters) | The MS-MPPE-Recv-Key attribute contains a session key for use by MPPE. This key is for encrypting packets received by the AAA client from the remote host. This attribute is only included in Access-Accept packets. | Outbound | No |
| MS-RAS-Version | 18 | String | — | Inbound | No |
| MS-CHAP-NT-Enc-PW | 25 | String | — | Inbound | No |
| MS-CHAP2-Response | 26 | String | — | Outbound | No |
| MS-CHAP2-CPW | 27 | String | — | Inbound | No |

Ascend Dictionary of RADIUS AV Pairs

Cisco Secure ACS supports the Ascend RADIUS AV pairs. Table C-8 contains Ascend RADIUS dictionary translations for parsing requests and generating responses. All transactions are composed of AV pairs. The value of each attribute is specified as one of the following valid data types:
• String—0-253 octets.
• Abinary—0-254 octets.
• Ipaddr—4 octets in network byte order.
• Integer—32-bit value in big endian order (high byte first).
• Call filter—Defines a call filter for the profile.

Note RADIUS filters are retrieved only when a call is placed using a RADIUS outgoing profile or answered using a RADIUS incoming profile. Filter entries are applied in the order in which they are entered. If you make changes to a filter in an Ascend RADIUS profile, the changes do not take effect until a call uses that profile.

• Date—32-bit value in big-endian order. For example, seconds since 00:00:00 universal time (UT), January 1, 1970.
• Enum—Enumerated values are stored in the user file with dictionary value translations for easy administration.

Table C-8 Ascend RADIUS Attributes

Inbound/
Attribute Number Type of Value Outbound Multiple
Dictionary of Ascend Attributes
User-Name 1 String Inbound No
User-Password 2 String Outbound No
CHAP-Password 3 String Outbound No
NAS-IP-Address 4 Ipaddr Inbound No
NAS-Port 5 Integer Inbound No
Service-Type 6 Integer Both No
Framed-Protocol 7 Integer Both No
Framed-IP-Address 8 Ipaddr Both No
Framed-IP-Netmask 9 Ipaddr Outbound No
Framed-Routing 10 Integer Outbound No
Framed-Filter 11 String Outbound Yes
Framed-MTU 12 Integer Outbound No
Framed-Compression 13 Integer Outbound Yes
Login-IP-Host 14 Ipaddr Both Yes
Login-Service 15 Integer Both No

User Guide for Cisco Secure ACS Appliance, version 3.2


78-14698-02 C-31
Appendix C RADIUS Attributes
Ascend Dictionary of RADIUS AV Pairs

Table C-8 Ascend RADIUS Attributes (continued)

Inbound/
Attribute Number Type of Value Outbound Multiple
Login-TCP-Port 16 Integer Outbound No
Change-Password 17 String — —
Reply-Message 18 String Outbound Yes
Callback-ID 19 String Outbound No
Callback-Name 20 String Outbound No
Framed-Route 22 String Outbound Yes
Framed-IPX-Network 23 Integer Outbound No
State 24 String Outbound No
Class 25 String Outbound Yes
Vendor-Specific 26 String Outbound Yes
Call-Station-ID 30 String Inbound No
Calling-Station-ID 31 String Inbound No
Acct-Status-Type 40 Integer Inbound No
Acct-Delay-Time 41 Integer Inbound No
Acct-Input-Octets 42 Integer Inbound No
Acct-Output-Octets 43 Integer Inbound No
Acct-Session-Id 44 Integer Inbound No
Acct-Authentic 45 Integer Inbound No
Acct-Session-Time 46 Integer Inbound No
Acct-Input-Packets 47 Integer Inbound No
Acct-Output-Packets 48 Integer Inbound No
Tunnel-Type 64 String Both Yes
Tunnel-Medium-Type 65 String Both Yes
Tunnel-Client-Endpoint 66 String (maximum length 250 Both Yes
characters)
Tunnel-Server-Endpoint 67 String (maximum length 250 Both Yes
characters)

User Guide for Cisco Secure ACS Appliance, version 3.2


C-32 78-14698-02
Appendix C RADIUS Attributes
Ascend Dictionary of RADIUS AV Pairs

Table C-8 Ascend RADIUS Attributes (continued)

Inbound/
Attribute Number Type of Value Outbound Multiple
Acct-Tunnel-Connection 68 Integer (maximum length 253 Inbound No
characters)
Ascend-Private-Route 104 String (maximum length 253 Both No
characters)
Ascend-Numbering-Plan-ID 105 Integer (maximum length 10 Both No
characters)
Ascend-FR-Link-Status-Dlci 106 Integer (maximum length 10 Both No
characters)
Ascend-Calling-Subaddress 107 String (maximum length 253 Both No
characters)
Ascend-Callback-Delay 108 String (maximum length 10 Both No
characters)
Ascend-Endpoint-Disc 109 String (maximum length 253 Both No
characters)
Ascend-Remote-FW 110 String (maximum length 253 Both No
characters)
Ascend-Multicast-GLeave-Delay 111 Integer (maximum length 10 Both No
characters)
Ascend-CBCP-Enable 112 String Both No
Ascend-CBCP-Mode 113 String Both No
Ascend-CBCP-Delay 114 String (maximum length 10 Both No
characters)
Ascend-CBCP-Trunk-Group 115 String (maximum length 10 Both No
characters)
Ascend-AppleTalk-Route 116 String (maximum length 253 Both No
characters)
Ascend-AppleTalk-Peer-Mode 117 String (maximum length 10 Both No
characters)
Ascend-Route-AppleTalk 118 String (maximum length 10 Both No
characters)

User Guide for Cisco Secure ACS Appliance, version 3.2


78-14698-02 C-33
Appendix C RADIUS Attributes
Ascend Dictionary of RADIUS AV Pairs

Table C-8 Ascend RADIUS Attributes (continued)

Inbound/
Attribute Number Type of Value Outbound Multiple
Ascend-FCP-Parameter 119 String (maximum length 253 Both No
characters)
Ascend-Modem-PortNo 120 Integer (maximum length 10 Inbound No
characters)
Ascend-Modem-SlotNo 121 Integer (maximum length 10 Inbound No
characters)
Ascend-Modem-ShelfNo 122 Integer (maximum length 10 Inbound No
characters)
Ascend-Call-Attempt-Limit 123 Integer (maximum length 10 Both No
characters)
Ascend-Call-Block_Duration 124 Integer (maximum length 10 Both No
characters)
Ascend-Maximum-Call-Duration 125 Integer (maximum length 10 Both No
characters)
Ascend-Router-Preference 126 String (maximum length 10 Both No
characters)
Ascend-Tunneling-Protocol 127 String (maximum length 10 Both No
characters)
Ascend-Shared-Profile-Enable 128 Integer Both No
Ascend-Primary-Home-Agent 129 String (maximum length 253 Both No
characters)
Ascend-Secondary-Home-Agent 130 String (maximum length 253 Both No
characters)
Ascend-Dialout-Allowed 131 Integer Both No
Ascend-BACP-Enable 133 Integer Both No
Ascend-DHCP-Maximum-Leases 134 Integer (maximum length 10 Both No
characters)
Ascend-Client-Primary-DNS 135 Address (maximum length 15 Both No
characters)

User Guide for Cisco Secure ACS Appliance, version 3.2


C-34 78-14698-02
Appendix C RADIUS Attributes
Ascend Dictionary of RADIUS AV Pairs

Table C-8 Ascend RADIUS Attributes (continued)

Inbound/
Attribute Number Type of Value Outbound Multiple
Ascend-Client-Secondary-DNS 136 Address (maximum length 15 Both No
characters)
Ascend-Client-Assign-DNS 137 Enum Both No
Ascend-User-Acct-Type 138 Enum Both No
Ascend-User-Acct-Host 139 Address (maximum length 15 Both No
characters)
Ascend-User-Acct-Port 140 Integer (maximum length 10 Both No
characters)
Ascend-User-Acct-Key 141 String (maximum length 253 Both No
characters)
Ascend-User-Acct-Base 142 Enum (maximum length 10 Both No
characters)
Ascend-User-Acct-Time 143 Integer (maximum length 10 Both No
characters)
Support IP Address Allocation from Global Pools
Ascend-Assign-IP-Client 144 Ipaddr (maximum length 15 Outbound No
characters)
Ascend-Assign-IP-Server 145 Ipaddr (maximum length 15 Outbound No
characters)
Ascend-Assign-IP-Global-Pool 146 String (maximum length 253 Outbound No
characters)
DHCP Server Functions
Ascend-DHCP-Reply 147 Integer Outbound No
Ascend-DHCP-Pool-Number 148 Integer (maximum length 10 Outbound No
characters)
Connection Profile/Telco Option
Ascend-Expect-Callback 149 Integer Outbound No
Event Type for an Ascend-Event Packet

User Guide for Cisco Secure ACS Appliance, version 3.2


78-14698-02 C-35
Appendix C RADIUS Attributes
Ascend Dictionary of RADIUS AV Pairs

Table C-8 Ascend RADIUS Attributes (continued)

Inbound/
Attribute Number Type of Value Outbound Multiple
Ascend-Event-Type 150 Integer (maximum length 10 Inbound No
characters)
RADIUS Server Session Key
Ascend-Session-Svr-Key 151 String (maximum length 253 Outbound No
characters)
Multicast Rate Limit Per Client
Ascend-Multicast-Rate-Limit 152 Integer (maximum length 10 Outbound No
characters)
Connection Profile Fields to Support Interface-Based Routing
Ascend-IF-Netmask 153 Ipaddr (maximum length 15 Outbound No
characters)
Ascend-Remote-Addr 154 Ipaddr (maximum length 15 Outbound No
characters)
Multicast Support
Ascend-Multicast-Client 155 Integer (maximum length 10 Outbound No
characters)
Frame Datalink Profiles
Ascend-FR-Circuit-Name 156 String (maximum length 253 Outbound No
characters)
Ascend-FR-LinkUp 157 Integer (maximum length 10 Outbound No
characters)
Ascend-FR-Nailed-Group 158 Integer (maximum length 10 Outbound No
characters)
Ascend-FR-Type 159 Integer (maximum length 10 Outbound No
characters)
Ascend-FR-Link-Mgt 160 Integer (maximum length 10 Outbound No
characters)
Ascend-FR-N391 161 Integer (maximum length 10 Outbound No
characters)

User Guide for Cisco Secure ACS Appliance, version 3.2


C-36 78-14698-02
Appendix C RADIUS Attributes
Ascend Dictionary of RADIUS AV Pairs

Table C-8 Ascend RADIUS Attributes (continued)

Inbound/
Attribute Number Type of Value Outbound Multiple
Ascend-FR-DCE-N392 162 Integer (maximum length 10 Outbound No
characters)
Ascend-FR-DTE-N392 163 Integer (maximum length 10 Outbound No
characters)
Ascend-FR-DCE-N393 164 Integer (maximum length 10 Outbound No
characters)
Ascend-FR-DTE-N393 165 Integer (maximum length 10 Outbound No
characters)
Ascend-FR-T391 166 Integer (maximum length 10 Outbound No
characters)
Ascend-FR-T392 167 Integer (maximum length 10 Outbound No
characters)
Ascend-Bridge-Address 168 String (maximum length 253 Outbound No
characters)
Ascend-TS-Idle-Limit 169 Integer (maximum length 10 Outbound No
characters)
Ascend-TS-Idle-Mode 170 Integer (maximum length 10 Outbound No
characters)
Ascend-DBA-Monitor 171 Integer (maximum length 10 Outbound No
characters)
Ascend-Base-Channel-Count 172 Integer (maximum length 10 Outbound No
characters)
Ascend-Minimum-Channels 173 Integer (maximum length 10 Outbound No
characters)
IPX Static Routes
Ascend-IPX-Route 174 String (maximum length 253 Inbound No
characters)
Ascend-FT1-Caller 175 Integer (maximum length 10 Inbound No
characters)

User Guide for Cisco Secure ACS Appliance, version 3.2


78-14698-02 C-37
Appendix C RADIUS Attributes
Ascend Dictionary of RADIUS AV Pairs

Table C-8 Ascend RADIUS Attributes (continued)

Inbound/
Attribute Number Type of Value Outbound Multiple
Ascend-Backup 176 String (maximum length 253 Inbound No
characters)
Ascend-Call-Type 177 Integer Inbound No
Ascend-Group 178 String (maximum length 253 Inbound No
characters)
Ascend-FR-DLCI 179 Integer (maximum length 10 Inbound No
characters)
Ascend-FR-Profile-Name 180 String (maximum length 253 Inbound No
characters)
Ascend-Ara-PW 181 String (maximum length 253 Inbound No
characters)
Ascend-IPX-Node-Addr 182 String (maximum length 253 Both No
characters)
Ascend-Home-Agent-IP-Addr 183 Ipaddr (maximum length 15 Outbound No
characters)
Ascend-Home-Agent-Password 184 String (maximum length 253 Outbound No
characters)
Ascend-Home-Network-Name 185 String (maximum length 253 Outbound No
characters)
Ascend-Home-Agent-UDP-Port 186 Integer (maximum length 10 Outbound No
characters)
Ascend-Multilink-ID 187 Integer Inbound No
Ascend-Num-In-Multilink 188 Integer Inbound No
Ascend-First-Dest 189 Ipaddr Inbound No
Ascend-Pre-Input-Octets 190 Integer Inbound No
Ascend-Pre-Output-Octets 191 Integer Inbound No
Ascend-Pre-Input-Packets 192 Integer Inbound No
Ascend-Pre-Output-Packets 193 Integer Inbound No

User Guide for Cisco Secure ACS Appliance, version 3.2


C-38 78-14698-02
Appendix C RADIUS Attributes
Ascend Dictionary of RADIUS AV Pairs

Table C-8 Ascend RADIUS Attributes (continued)

Inbound/
Attribute Number Type of Value Outbound Multiple
Ascend-Maximum-Time 194 Integer (maximum length 10 characters) Both No
Ascend-Disconnect-Cause 195 Integer Inbound No
Ascend-Connect-Progress 196 Integer Inbound No
Ascend-Data-Rate 197 Integer Inbound No
Ascend-PreSession-Time 198 Integer Inbound No
Ascend-Token-Idle 199 Integer (maximum length 10 characters) Outbound No
Ascend-Token-Immediate 200 Integer Outbound No
Ascend-Require-Auth 201 Integer (maximum length 10 characters) Outbound No
Ascend-Number-Sessions 202 String (maximum length 253 characters) Outbound No
Ascend-Authen-Alias 203 String (maximum length 253 characters) Outbound No
Ascend-Token-Expiry 204 Integer (maximum length 10 characters) Outbound No
Ascend-Menu-Selector 205 String (maximum length 253 characters) Outbound No
Ascend-Menu-Item 206 String Outbound Yes
RADIUS Password Expiration Options
Ascend-PW-Warntime 207 Integer (maximum length 10 characters) Outbound No
Ascend-PW-Lifetime 208 Integer (maximum length 10 characters) Outbound No
Ascend-IP-Direct 209 Ipaddr (maximum length 15 characters) Outbound No
Ascend-PPP-VJ-Slot-Comp 210 Integer (maximum length 10 characters) Outbound No

Ascend-PPP-VJ-1172 211 Integer (maximum length 10 characters) Outbound No
Ascend-PPP-Async-Map 212 Integer (maximum length 10 characters) Outbound No
Ascend-Third-Prompt 213 String (maximum length 253 characters) Outbound No
Ascend-Send-Secret 214 String (maximum length 253 characters) Outbound No
Ascend-Receive-Secret 215 String (maximum length 253 characters) Outbound No
Ascend-IPX-Peer-Mode 216 Integer Outbound No
Ascend-IP-Pool-Definition 217 String (maximum length 253 characters) Outbound No
Ascend-Assign-IP-Pool 218 Integer Outbound No
Ascend-FR-Direct 219 Integer Outbound No
Ascend-FR-Direct-Profile 220 String (maximum length 253 characters) Outbound No
Ascend-FR-Direct-DLCI 221 Integer (maximum length 10 characters) Outbound No
Ascend-Handle-IPX 222 Integer Outbound No
Ascend-Netware-Timeout 223 Integer (maximum length 10 characters) Outbound No
Ascend-IPX-Alias 224 String (maximum length 253 characters) Outbound No
Ascend-Metric 225 Integer (maximum length 10 characters) Outbound No
Ascend-PRI-Number-Type 226 Integer Outbound No
Ascend-Dial-Number 227 String (maximum length 253 characters) Outbound No

Connection Profile/PPP Options
Ascend-Route-IP 228 Integer Outbound No
Ascend-Route-IPX 229 Integer Outbound No
Ascend-Bridge 230 Integer Outbound No
Ascend-Send-Auth 231 Integer Outbound No
Ascend-Send-Passwd 232 String (maximum length 253 characters) Outbound No
Ascend-Link-Compression 233 Integer Outbound No
Ascend-Target-Util 234 Integer (maximum length 10 characters) Outbound No
Ascend-Max-Channels 235 Integer (maximum length 10 characters) Outbound No
Ascend-Inc-Channel-Count 236 Integer (maximum length 10 characters) Outbound No
Ascend-Dec-Channel-Count 237 Integer (maximum length 10 characters) Outbound No
Ascend-Seconds-Of-History 238 Integer (maximum length 10 characters) Outbound No
Ascend-History-Weigh-Type 239 Integer Outbound No
Ascend-Add-Seconds 240 Integer (maximum length 10 characters) Outbound No
Ascend-Remove-Seconds 241 Integer (maximum length 10 characters) Outbound No
Connection Profile/Session Options
Ascend-Data-Filter 242 Call filter Outbound Yes
Ascend-Call-Filter 243 Call filter Outbound Yes
Ascend-Idle-Limit 244 Integer (maximum length 10 characters) Outbound No

Ascend-Preempt-Limit 245 Integer (maximum length 10 characters) Outbound No
Connection Profile/Telco Options
Ascend-Callback 246 Integer Outbound No
Ascend-Data-Svc 247 Integer Outbound No
Ascend-Force-56 248 Integer Outbound No
Ascend-Billing-Number 249 String (maximum length 253 characters) Outbound No
Ascend-Call-By-Call 250 Integer (maximum length 10 characters) Outbound No
Ascend-Transit-Number 251 String (maximum length 253 characters) Outbound No
Terminal Server Attributes
Ascend-Host-Info 252 String (maximum length 253 characters) Outbound No
PPP Local Address Attribute
Ascend-PPP-Address 253 Ipaddr (maximum length 15 characters) Outbound No
MPP Percent Idle Attribute
Ascend-MPP-Idle-Percent 254 Integer (maximum length 10 characters) Outbound No
Ascend-Xmit-Rate 255 Integer (maximum length 10 characters) Outbound No

Nortel Dictionary of RADIUS VSAs


Table C-9 on page C-43 lists the Nortel RADIUS VSAs supported by
Cisco Secure ACS. The Nortel vendor ID number is 1584.


Table C-9 Nortel RADIUS VSAs

Attribute Number Type of Value Inbound/Outbound Multiple
Bay-Local-IP-Address 035 Ipaddr (maximum length 15 characters) Outbound No
Bay-Primary-DNS-Server 054 Ipaddr (maximum length 15 characters) Outbound No
Bay-Secondary-DNS-Server 055 Ipaddr (maximum length 15 characters) Outbound No
Bay-Primary-NBNS-Server 056 Ipaddr (maximum length 15 characters) Outbound No
Bay-Secondary-NBNS-Server 057 Ipaddr (maximum length 15 characters) Outbound No
Bay-User-Level 100 Integer Outbound No
Bay-Audit-Level 101 Integer Outbound No

Juniper Dictionary of RADIUS VSAs


Table C-10 lists the Juniper RADIUS VSAs supported by Cisco Secure ACS. The
Juniper vendor ID number is 2636.

Table C-10 Juniper RADIUS VSAs

Attribute Number Type of Value Inbound/Outbound Multiple
Juniper-Local-User-Name 001 String (maximum length 247 characters) Outbound No
Juniper-Allow-Commands 002 String (maximum length 247 characters) Outbound No
Juniper-Deny-Commands 003 String (maximum length 247 characters) Outbound No

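The vendor IDs and attribute numbers in Tables C-9 and C-10 are what an ACS puts on the wire inside RADIUS attribute 26 (Vendor-Specific, RFC 2865). The encoder and decoder below are an added example, not Cisco Secure ACS code; the dictionary subset and the sample values are constructed here, and the 247-byte limit is derived from the RADIUS attribute size, which matches the maximum length listed for the Juniper strings.

```python
"""Encode and decode RADIUS Vendor-Specific attributes (RFC 2865, attribute 26)
for the Nortel (vendor ID 1584) and Juniper (vendor ID 2636) VSAs.
Added example; not Cisco Secure ACS code."""
import ipaddress
import struct

VSA_TYPE = 26
# A RADIUS attribute is at most 255 bytes including its 2-byte type/length
# header, so the Vendor-Specific payload is at most 253 bytes. After the 4-byte
# vendor ID and the 2-byte vendor type/length header, 247 bytes remain for the
# value, which is why the Juniper string attributes carry a 247-character limit.
MAX_VSA_VALUE = 253 - 4 - 2

# Subset of Tables C-9 and C-10: vendor -> (vendor ID, {vendor type: (name, data type)})
DICTIONARY = {
    "Nortel": (1584, {
        35: ("Bay-Local-IP-Address", "ipaddr"),
        54: ("Bay-Primary-DNS-Server", "ipaddr"),
        55: ("Bay-Secondary-DNS-Server", "ipaddr"),
        100: ("Bay-User-Level", "integer"),
        101: ("Bay-Audit-Level", "integer"),
    }),
    "Juniper": (2636, {
        1: ("Juniper-Local-User-Name", "string"),
        2: ("Juniper-Allow-Commands", "string"),
        3: ("Juniper-Deny-Commands", "string"),
    }),
}
BY_VENDOR_ID = {vid: (vendor, attrs) for vendor, (vid, attrs) in DICTIONARY.items()}


def _pack(data_type, value):
    if data_type == "integer":
        return struct.pack("!I", int(value))        # 32-bit, network byte order
    if data_type == "ipaddr":
        return ipaddress.IPv4Address(value).packed  # 4 bytes
    if data_type == "string":
        return value.encode("utf-8")
    raise ValueError(f"unsupported data type {data_type}")


def _unpack(data_type, raw):
    if data_type == "integer":
        return struct.unpack("!I", raw)[0]
    if data_type == "ipaddr":
        return str(ipaddress.IPv4Address(raw))
    return raw.decode("utf-8")


def encode_vsa(vendor, vendor_type, value):
    """Return the wire bytes: type 26, length, vendor ID, vendor type, vendor length, value."""
    vendor_id, attrs = DICTIONARY[vendor]
    name, data_type = attrs[vendor_type]
    data = _pack(data_type, value)
    if len(data) > MAX_VSA_VALUE:
        raise ValueError(f"{name}: {len(data)} bytes exceeds the {MAX_VSA_VALUE}-byte VSA limit")
    vendor_len = 2 + len(data)
    header = struct.pack("!BBIBB", VSA_TYPE, 6 + vendor_len, vendor_id, vendor_type, vendor_len)
    return header + data


def decode_vsa(raw):
    """Parse one VSA into (attribute name, value); raises ValueError when malformed."""
    if len(raw) < 8 or raw[0] != VSA_TYPE or raw[1] != len(raw):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id, vendor_type, vendor_len = struct.unpack("!IBB", raw[2:8])
    if vendor_len != len(raw) - 6:
        raise ValueError("vendor length does not match attribute length")
    vendor, attrs = BY_VENDOR_ID[vendor_id]
    name, data_type = attrs[vendor_type]
    return name, _unpack(data_type, raw[8:])
```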
APPENDIX D
VPDN Processing

Cisco Secure ACS Appliance supports authentication forwarding of virtual private dial-up network (VPDN) requests. There are two basic types of “roaming” users: Internet and intranet; VPDN addresses the requirements of roaming intranet users. This chapter provides information about the VPDN process and how it affects the operation of Cisco Secure ACS.

VPDN Process
This section describes the steps for processing VPDN requests in a standard
environment.
1. A VPDN user dials in to the network access server (NAS) of the regional
service provider (RSP). The standard call/point-to-point protocol (PPP) setup
is done. A username and password are sent to the NAS in the format
username@domain (for example, mary@corporation.us). See Figure D-1 on
page D-2.


Figure D-1 VPDN User Dials In (figure: call setup / PPP setup from the VPDN user to the RSP NAS; Username = mary@corporation.us)

2. If VPDN is enabled, the NAS assumes that the user is a VPDN user. The NAS
strips off the “username@” (mary@) portion of the username and authorizes
(not authenticates) the domain portion (corporation.us) with the ACS. See
Figure D-2.

Figure D-2 NAS Attempts to Authorize Domain (figure: authorization request from the RSP NAS to its ACS; User = corporation.us)

3. If the domain authorization fails, the NAS assumes the user is not a VPDN
user. The NAS then authenticates (not authorizes) the user as if the user is a
standard non-VPDN dial user. See Figure D-3 on page D-3.


Figure D-3 Authorization of Domain Fails (figure: the RSP ACS returns “Authorization failed” to the NAS)

If the ACS authorizes the domain, it returns the Tunnel ID and the IP address
of the home gateway (HG); these are used to create the tunnel. See
Figure D-4.

Figure D-4 ACS Authorizes Domain (figure: authorization reply from the RSP ACS with Tunnel ID = nas_tun and IP address = 10.1.1.1; CHAP challenge)

4. The HG uses its ACS to authenticate the tunnel, where the username is the
name of the tunnel (nas_tun). See Figure D-5 on page D-4.


Figure D-5 HG Authenticates Tunnel with ACS (figure: authentication request from the HG to the corporation ACS; Username = nas_tun, Password = CHAP_stuff)

5. The HG now authenticates the tunnel with the NAS, where the username is
the name of the HG. This name is chosen based on the name of the tunnel, so
the HG might have different names depending on the tunnel being set up. See
Figure D-6.

Figure D-6 HG Authenticates Tunnel with the NAS (figure: CHAP challenge between the HG and the RSP NAS)

6. The NAS now uses its ACS to authenticate the tunnel from the HG. See
Figure D-7 on page D-5.


Figure D-7 NAS Authenticates Tunnel with ACS (figure: authentication request from the NAS to the RSP ACS; Username = home_gate, Password = CHAP_stuff)

7. After authenticating, the tunnel is established. Now the actual user (mary@corporation.us) must be authenticated. See Figure D-8.

Figure D-8 VPDN Tunnel is Established (figure: CHAP response passed between the RSP and the corporation)

8. The HG now authenticates the user as if the user dialed directly in to the HG.
The HG might now challenge the user for a password. The Cisco Secure ACS
at RSP can be configured to strip off the @ and domain before it passes the
authentication to the HG. (The user is passed as mary@corporation.us.) The
HG uses its ACS to authenticate the user. See Figure D-9 on page D-6.


Figure D-9 HG Uses ACS to Authenticate User (figure: authentication request from the HG to the corporation ACS; Username = mary@corporation.us, Password = secret)

9. If another user (sue@corporation.us) dials in to the NAS while the tunnel is up, the NAS does not repeat the entire authorization/authentication process. Instead, it passes the user through the existing tunnel to the HG. See Figure D-10.

Figure D-10 Another User Dials In While Tunnel is Up (figure: a second VPDN user, sue@corporation.us with Password = secret2, passes through the existing tunnel from the RSP to the corporation)

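The nine steps above can be modelled as the decision logic of the RSP NAS: split username@domain, authorize (not authenticate) the domain, set the tunnel up once with both ends checking it against their own ACS, fall back to standard dial authentication when the domain is not authorized, and reuse the tunnel for later users of the same domain. This is an added illustration, not Cisco code; the class names, secrets, user databases and the optional domain-stripping switch of step 8 are constructed assumptions.

```python
class Acs:
    """Minimal AAA server model with the three lookups the VPDN flow needs."""

    def __init__(self, domains=None, tunnels=None, users=None):
        self.domains = domains or {}  # domain -> (tunnel ID, home gateway IP), step 2
        self.tunnels = tunnels or {}  # tunnel or peer name -> expected CHAP secret, steps 4 and 6
        self.users = users or {}      # username -> password, steps 3 and 8

    def authorize_domain(self, domain):
        return self.domains.get(domain)

    def authenticate_tunnel(self, name, secret):
        return self.tunnels.get(name) == secret

    def authenticate_user(self, username, password):
        return self.users.get(username) == password


class HomeGateway:
    """Corporation HG: checks the tunnel (step 4) and the user (step 8) via its own ACS."""

    def __init__(self, name, acs, secret):
        self.name, self.acs, self.secret = name, acs, secret  # name is presented to the NAS (step 5)

    def accept_tunnel(self, tunnel_id, nas_secret):
        return self.acs.authenticate_tunnel(tunnel_id, nas_secret)

    def authenticate_user(self, username, password):
        return self.acs.authenticate_user(username, password)


class Nas:
    """RSP network access server: domain authorization, tunnel setup, reuse, fallback."""

    def __init__(self, acs, gateways, secret, vpdn_enabled=True, strip_domain=False):
        self.acs, self.gateways, self.secret = acs, gateways, secret
        self.vpdn_enabled, self.strip_domain = vpdn_enabled, strip_domain
        self.tunnels = {}  # domain -> (tunnel ID, HomeGateway); reused by later users (step 9)

    def _establish_tunnel(self, domain, tunnel_id, hg_ip, trace):
        hg = self.gateways[hg_ip]
        # Steps 4 to 7: each side authenticates the tunnel with its own ACS.
        if not hg.accept_tunnel(tunnel_id, self.secret):
            trace.append(f"HG rejected tunnel {tunnel_id}")
            return None
        if not self.acs.authenticate_tunnel(hg.name, hg.secret):
            trace.append(f"NAS rejected HG {hg.name}")
            return None
        trace.append(f"tunnel {tunnel_id} to {hg_ip} established")
        self.tunnels[domain] = (tunnel_id, hg)
        return self.tunnels[domain]

    def dial_in(self, username, password):
        """Return (outcome, trace); outcome is 'vpdn', 'dial' or 'rejected'."""
        trace = [f"call from {username}"]
        if self.vpdn_enabled and "@" in username:
            user, domain = username.split("@", 1)  # step 2: strip the "user@" part
            tunnel = self.tunnels.get(domain)
            if tunnel:
                trace.append(f"reusing tunnel {tunnel[0]}")  # step 9
            else:
                authz = self.acs.authorize_domain(domain)  # authorize, not authenticate
                if authz is None:
                    trace.append(f"domain {domain} not authorized")
                else:
                    tunnel = self._establish_tunnel(domain, *authz, trace)
                    if tunnel is None:
                        return "rejected", trace
            if tunnel:
                forwarded = user if self.strip_domain else username  # step 8 option
                if tunnel[1].authenticate_user(forwarded, password):
                    trace.append(f"HG authenticated {forwarded}")
                    return "vpdn", trace
                trace.append(f"HG rejected {forwarded}")
                return "rejected", trace
        # Step 3: not a VPDN user after all, so authenticate as a standard dial user.
        if self.acs.authenticate_user(username, password):
            trace.append("standard dial authentication succeeded")
            return "dial", trace
        trace.append("standard dial authentication failed")
        return "rejected", trace


def build_lab():
    """Constructed topology from the figures: RSP NAS and ACS, corporation HG and ACS."""
    rsp_acs = Acs(domains={"corporation.us": ("nas_tun", "10.1.1.1")},
                  tunnels={"home_gate": "hg-secret"},
                  users={"bob@othernet.example": "bobpw"})
    corp_acs = Acs(tunnels={"nas_tun": "nas-secret"},
                   users={"mary@corporation.us": "secret", "sue@corporation.us": "secret2"})
    hg = HomeGateway("home_gate", corp_acs, "hg-secret")
    return Nas(rsp_acs, {"10.1.1.1": hg}, "nas-secret")
```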
APPENDIX E
RDBMS Synchronization Import Definitions

RDBMS synchronization import definitions are a listing of the action codes allowable in an accountActions file. The RDBMS Synchronization feature of Cisco Secure Access Control Server (ACS) Appliance uses a comma-separated value (CSV) file named “accountActions” as input for automated or manual updates of the CiscoSecure user database. Each line in accountActions represents one action, with the exception of the first line, which is ignored during synchronization events. This permits the use of the first line of accountActions as field headers.
For more information about the RDBMS Synchronization feature and
accountActions, see RDBMS Synchronization, page 9-24.
This chapter contains the following topics:
• accountActions Specification, page E-1
• Action Codes, page E-5
• Cisco Secure ACS Attributes and Action Codes, page E-34
• An Example of accountActions, page E-38

accountActions Specification
Whether you create accountActions by hand in a text editor or through automation
using a third-party system that writes to accountActions, you must adhere to the
accountActions specification and must only use the action codes detailed in


Action Codes, page E-5. Otherwise, RDBMS Synchronization may import incorrect information into the CiscoSecure user database or may fail to occur at all.

accountActions Format
Each row in accountActions has 14 fields (or columns). Table E-1 lists the fields
that compose accountActions. Table E-1 also reflects the order in which the fields
appear in accountActions.
The one-letter or two-letter abbreviations given in the Mnemonic column are a
shorthand notation used to indicate required fields for each action code in Action
Codes, page E-5.
To see an example accountActions, see An Example of accountActions,
page E-38.

Table E-1 accountActions Fields

Field Name Mnemonic Type Size (Max. Length) Comments
SequenceId SI AutoNumber 32 The unique action ID.
Priority P Integer 1 The priority with which this update is to be treated. 0 is the lowest priority.
UserName UN String 32 The name of the user to which the transaction applies.
GroupName GN String 32 The name of the group to which the transaction applies.
Action A Number 0-216 The Action required. (See Action Codes, page E-5.)
ValueName VN String 255 The name of the parameter to change.
Value1 V1 String 255 The new value (for numeric parameters, this is a decimal string).
Value2 V2 String 255 The name of a TACACS+ protocol; for example, “ip” or RADIUS VSA Vendor ID.

Value3 V3 String 255 The name of a TACACS+ service; for example, “ppp” or the RADIUS VSA attribute number.
DateTime DT DateTime — The date/time the Action was created.
MessageNo MN Integer — Used to number related transactions for audit purposes.
ComputerNames CN String 32 RESERVED by CSDBSync.
AppId AI String 255 The type of configuration parameter to change.
Status S Number 32 TRI-STATE: 0=not processed, 1=done, 2=failed. This should normally be set to 0.

accountActions Mandatory Fields

For all actions, the following three fields cannot be empty and must have a valid value:
• Action
• DateTime
• SequenceId
In addition to the three required fields above, the UserName and GroupName
fields are also often required to have a valid value:
• If a transaction is acting upon a user account, a valid value is required in the
UserName field.
• If a transaction is acting upon a group, a valid value is required in the
GroupName field.
• If a transaction is acting upon AAA client configuration, neither the
UserName field nor the GroupName field require a value.


Note The UserName and GroupName fields are mutually exclusive; only one of these
two fields can have a value and neither field is always required.

accountActions Processing Order

Cisco Secure ACS reads rows from accountActions and processes them in a specific order. Cisco Secure ACS determines the order first by the values in the Priority fields (mnemonic: P) and then by the values in the SequenceId fields (mnemonic: SI). Cisco Secure ACS processes the rows with the highest priority first. The lower the number in the Priority field, the higher the priority. For example, if row A has the value 1 in its Priority field and row B has the value 2 in its Priority field, Cisco Secure ACS would process row A first, regardless of whether row B has a lower sequence ID or not. If rows have an equal priority, Cisco Secure ACS processes them by their sequence ID, with the lowest sequence ID processed first.
Thus, the Priority field (P) enables transactions of higher importance to occur
first, such as deleting a user or changing a password. In the most common
implementations of RDBMS Synchronization, a third-party system writes to
accountActions in batch mode, with all actions (rows) assigned a priority of zero
(0).

Note When changing transaction priorities, be careful that they are processed in the
correct order; for example, a user account must be created before the user
password is assigned.

You can use the MessageNo field (mnemonic: MN) to associate related
transactions, such as the addition of a user and subsequent actions to set password
values and status. You can use the MessageNo field to create an audit trail for a
third-party system that writes to accountActions.


Action Codes
This section provides the action codes valid for use in the Action field (mnemonic:
A) of accountActions. The Required column uses the field mnemonic names to
indicate which fields should be completed, except for the mandatory fields, which
are assumed. For more information about the mnemonic names of accountActions
fields, see Table E-1 on page E-2. For more information about the mandatory
fields, see accountActions Mandatory Fields, page E-3.
If an action can be applied to either a user or group, “UN|GN” appears, using the
vertical bar to indicate that either one of the two fields is required. To make the
action affect only the user, leave the group name empty; to make the action affect
only the group, leave the user name empty.
This section contains the following topics:
• Action Codes for Setting and Deleting Values, page E-5
• Action Codes for Creating and Modifying User Accounts, page E-7
• Action Codes for Initializing and Modifying Access Filters, page E-15
• Action Codes for Modifying TACACS+ and RADIUS Group and User
Settings, page E-19
• Action Codes for Modifying Network Configuration, page E-27

Action Codes for Setting and Deleting Values

The two most fundamental action codes are SET_VALUE (action code: 1) and DELETE_VALUE (action code: 2), described in Table E-2 on page E-6. These actions instruct RDBMS Synchronization to assign (or remove) a value for various internal attributes in Cisco Secure ACS. Unless asked to use these action codes for other purposes by a Cisco representative, you can only use these action codes for assigning values to user-defined fields (see User-Specific Attributes, page E-34).


Table E-2 Action Codes for Setting and Deleting Values

Action Code Name Required Description
1 SET_VALUE UN|GN, AI, VN, V1, V2 Sets a value (V1) named (VN) of type (V2) for App ID (AI).
App IDs (AI) can be one of the following:
• APP_CSAUTH
• APP_CSTACACS
• APP_CSRADIUS
• APP_CSADMIN
Value types (V2) can be one of the following:
• TYPE_BYTE—Single 8-bit number.
• TYPE_SHORT—Single 16-bit number.
• TYPE_INT—Single 32-bit number.
• TYPE_STRING—Single string.
• TYPE_ENCRYPTED_STRING—Single string to be saved encrypted.
• TYPE_MULTI_STRING—Tab-separated set of substrings.
• TYPE_MULTI_INT—Tab-separated set of 32-bit numbers.
For example:
UN = “fred”
AI = “APP_CSAUTH”
VN = “My Value”
V2 = “TYPE_MULTI_STRING”
V1 = “str1<tab>str2<tab>str3” (where <tab> is a tab character)
2 DELETE_VALUE UN|GN, AI, VN Deletes value (VN) for App ID (AI) and user (UN) or group (GN).


Action Codes for Creating and Modifying User Accounts

Table E-3 lists the action codes for creating, modifying, and deleting user accounts.

Note Before you can modify a user account, such as assigning a password, you must
create the user account, either in the HTML interface or by using the ADD_USER
action (action code: 100).

Transactions using these codes affect the configuration displayed in the User
Setup section of the HTML interface. For more information about the User Setup
section, see Chapter 7, “User Management.”

Table E-3 User Creation and Modification Action Codes

Action Code Name Required Description
100 ADD_USER UN|GN, V1 Creates a user (32 characters maximum). V1 is used as the initial password. Optionally, the user can also be assigned to a group.
101 DELETE_USER UN Removes a user.
102 SET_PAP_PASS UN, V1 Sets the PAP password for a user (64 ASCII characters maximum). CHAP/ARAP will also default to this.
103 SET_CHAP_PASS UN, V1 Sets the CHAP/ARAP password for a user (64 characters maximum).
104 SET_OUTBOUND_CHAP_PASS UN, V1 Sets the CHAP/ARAP password for a user (32 characters maximum).

105 SET_T+_ENABLE_PASS UN, VN, V1, V2, V3 Sets the TACACS+ enable password (V1) (32 characters maximum) and Max Privilege level (V2) (0-15).
The enable type (V3) should be one of the following:
• ENABLE_LEVEL_AS_GROUP—Max privilege taken from group setting.
• ENABLE_LEVEL_NONE—No T+ enable configured.
• ENABLE_LEVEL_STATIC—Value set in V2 used during enable level check.
You can use VN to link the enable password to an external authenticator, as per action 108 SET_PASS_TYPE.
106 SET_GROUP UN, GN Sets the Cisco Secure ACS group assignment of the user.

108 SET_PASS_TYPE UN|GN, V1 Sets the password type of the user. This can be one of the CiscoSecure user database password types or any of the external databases supported:
• PASS_TYPE_CSDB—CSDB internal password.
• PASS_TYPE_CSDB_UNIX—CSDB internal password (UNIX encrypted).
• PASS_TYPE_NT—External Windows user database password.
• PASS_TYPE_NDS—External Novell database password.
• PASS_TYPE_LDAP—External generic LDAP database password.
• PASS_TYPE_SDI—External RSA Security database password.
• PASS_TYPE_ANPI—External PassGo database password.
• PASS_TYPE_ENIGMA—External SafeWord database password.
• PASS_TYPE_CRYPTO—External CRYPTOCard database password.
• PASS_TYPE_LEAP—External LEAP proxy RADIUS server database password.
• PASS_TYPE_ACTIVCARD—External ActivCard database password.
• PASS_TYPE_VASCO—External Vasco database password.
• PASS_TYPE_RADIUS_TOKEN—External RADIUS token server database password.

109 REMOVE_PASS_STATUS UN, V1 Removes a password status flag. This results in the status states being linked in a logical XOR condition. V1 should contain one of the following:
• PASS_STATUS_EXPIRES—Password expires on a given date.
• PASS_STATUS_NEVER—Password never expires.
• PASS_STATUS_WRONG—Password expires after a given number of login attempts using the wrong password.
• PASS_STATUS_DISABLED—The account has been disabled.
110 ADD_PASS_STATUS UN, V1 Defines how a password should be expired by Cisco Secure ACS. To set multiple password states for a user, use multiple instances of this action. This results in the status states being linked in a logical XOR condition. V1 should contain one of the following:
• PASS_STATUS_EXPIRES—Password expires on a given date.
• PASS_STATUS_NEVER—Password never expires.
• PASS_STATUS_WRONG—Password expires after a given number of login attempts using the wrong password.
• PASS_STATUS_RIGHT—Password expires after a given number of login attempts using the correct password.
• PASS_STATUS_DISABLED—The account has been disabled.
112 SET_PASS_EXPIRY_WRONG UN, V1 Sets the maximum number of bad authentications allowed (automatic reset on good password if not exceeded) and resets the current count.

113 SET_PASS_EXPIRY_DATE UN, V1 Sets the date on which the account expires. The date format should be YYYYMMDD.
114 SET_MAX_SESSIONS UN|GN, V1 Sets the maximum number of simultaneous sessions for a user or group. V1 should contain one of the following values:
• MAX_SESSIONS_UNLIMITED
• MAX_SESSIONS_AS_GROUP
• 1-65534
115 SET_MAX_SESSIONS_GROUP_USER GN, V1 Sets the max sessions for a user of the group to one of the following values:
• MAX_SESSIONS_UNLIMITED
• 1-65534

260 SET_QUOTA VN, V1, V2 Sets a quota for a user or group.
VN defines the quota type. Valid values are:
• online time—The quota limits the user or group by the number of seconds logged in to the network for the period defined in V2.
• sessions—The quota limits the user or group by the number of sessions on the network for the period defined in V2.
V1 defines the quota. If VN is set to sessions, V1 is the maximum number of sessions in the period defined in V2. If VN is set to online time, V1 is the maximum number of seconds.
V2 holds the period for the quota. Valid values are:
• QUOTA_PERIOD_DAILY—The quota is enforced in 24-hour cycles, from 12:01 A.M. to midnight.
• QUOTA_PERIOD_WEEKLY—The quota is enforced in 7-day cycles, from 12:01 A.M. Sunday until midnight Saturday.
• QUOTA_PERIOD_MONTHLY—The quota is enforced in monthly cycles, from 12:01 A.M. on the first of the month until midnight on the last day of the month.
• QUOTA_PERIOD_ABSOLUTE—The quota is enforced on an ongoing basis, without an end.

261 DISABLE_QUOTA UN|GN, VN Disables a group or user usage quota.
VN defines the quota type. Valid values are:
• online time—The quota limits the user or group by the number of seconds logged in to the network for the period defined in V2.
• sessions—The quota limits the user or group by the number of sessions on the network for the period defined in V2.
262 RESET_COUNTERS UN|GN Resets usage quota counters for a user or group.
263 SET_QUOTA_APPLY_TYPE V1 Defines whether a user usage quota is determined by the user group quota or by a quota unique to the user. V1 makes this specification. Valid values for V1 are:
• ASSIGNMENT_FROM_USER
• ASSIGNMENT_FROM_GROUP

270 SET_DCS_TYPE UN|GN, VN, V1, V2 Sets the type of device command set (DCS) authorization for a group or user.
Optionally VN defines the service. Valid service types are:
• shell—Cisco IOS shell command authorization.
• pixshell—Cisco PIX command authorization.
Note If additional DCS types have been added to your Cisco Secure ACS, you can find the valid value in the Interface Configuration page for TACACS+ (Cisco IOS). The valid values appear in parentheses after the service title, such as PIX Shell (pixshell).

V1 defines the assignment type. The valid values for V1 are:
• none—Sets no DCS for the user or group.
• as group—For users only, this value signifies that the user DCS settings for the service specified should be the same as the user group DCS settings.
• static—Sets a DCS for the user or group for all devices enabled to perform command authorization for the service specified.
If V1 is set to static, V2 is required and must contain the name of the DCS to assign to the user or group for the given service.
• ndg—Specifies that command authorization for the user or group is to be done on a per-NDG basis. Use action 271 to add DCS to NDG mappings for the user or group.
Note Changing a user or group assignment type (V1) results in clearing previous data, including NDG to DCS mappings (defined by action 271).

271 SET_DCS_NDG_MAP UN|GN, VN, V1, V2 Use this action code to map between the device command set and the NDG when the assignment type specified by a 270 action code is ndg.
VN defines the service. Valid service types are:
• shell—Cisco IOS shell command authorization.
• pixshell—Cisco PIX command authorization.
Note If additional DCS types have been added to your Cisco Secure ACS, you can find the valid value in the Interface Configuration page for TACACS+ (Cisco IOS). The valid values appear in parentheses after the service title, such as PIX Shell (pixshell).

V1 defines the name of the NDG. Use the name of the NDG as it appears in the HTML interface. For example, if you have configured an NDG named “East Coast NASes” and want to use action 271 to apply a DCS to that NDG, V1 should be “East Coast NASes”.
V2 defines the name of the DCS. Use the name of the DCS as it appears in the HTML interface. For example, if you have configured a DCS named “Tier2 PIX Admin DCS” and want to use action 271 to apply it to an NDG, V2 should be “Tier2 PIX Admin DCS”.

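The accountActions layout of Table E-1, the mandatory-field rules, the Priority/SequenceId processing order, and the per-action required fields of Tables E-2 and E-3 can be enforced before a batch is handed to RDBMS Synchronization. The builder and validator below are an added example, not Cisco code; the DateTime string format, the sample user names and passwords, and the decision to treat “UN|GN” as “at least one of the two” are constructed assumptions.

```python
"""Build and validate accountActions rows for RDBMS Synchronization.
Added example; not Cisco Secure ACS code."""
import csv
import io

# The 14 accountActions fields, in the column order of Table E-1.
FIELDS = ["SequenceId", "Priority", "UserName", "GroupName", "Action", "ValueName",
          "Value1", "Value2", "Value3", "DateTime", "MessageNo", "ComputerNames",
          "AppId", "Status"]
MNEMONIC = {"UN": "UserName", "GN": "GroupName", "VN": "ValueName", "V1": "Value1",
            "V2": "Value2", "V3": "Value3", "AI": "AppId"}
MAX_LEN = {"UserName": 32, "GroupName": 32, "ValueName": 255, "Value1": 255,
           "Value2": 255, "Value3": 255, "AppId": 255}

# Action codes used here and the fields each requires (Tables E-2 and E-3);
# "UN|GN" means at least one of UserName/GroupName. The three mandatory
# fields (Action, DateTime, SequenceId) are checked for every row.
SET_VALUE, ADD_USER, DELETE_USER, SET_PAP_PASS, SET_GROUP = 1, 100, 101, 102, 106
REQUIRED = {
    SET_VALUE: ("UN|GN", "AI", "VN", "V1", "V2"),
    ADD_USER: ("UN|GN", "V1"),
    DELETE_USER: ("UN",),
    SET_PAP_PASS: ("UN", "V1"),
    SET_GROUP: ("UN", "GN"),
}


def validate(row):
    """Return a list of problems with one accountActions row (empty if acceptable)."""
    problems = []
    for name in ("Action", "DateTime", "SequenceId"):
        if row[name] in ("", None):
            problems.append(f"{name} is mandatory")
    for name, limit in MAX_LEN.items():
        if len(str(row[name])) > limit:
            problems.append(f"{name} exceeds {limit} characters")
    for req in REQUIRED.get(row["Action"], ()):
        if req == "UN|GN":
            if not (row["UserName"] or row["GroupName"]):
                problems.append("UserName or GroupName is required")
        elif not row[MNEMONIC[req]]:
            problems.append(f"{MNEMONIC[req]} is required for action {row['Action']}")
    if row["Status"] != 0:
        problems.append("Status should be 0 (not processed) when written")
    return problems


class AccountActions:
    """Collects rows; SequenceId is assigned automatically so it stays unique."""

    def __init__(self, timestamp="2003-01-01 00:00:00"):  # constructed sample timestamp
        self.rows, self.timestamp = [], timestamp

    def add(self, action, priority=0, message_no=0, **values):
        """Append one row; keyword names are the Table E-1 mnemonics (UN, GN, VN, V1 ...)."""
        row = {name: "" for name in FIELDS}
        row.update(SequenceId=len(self.rows) + 1, Priority=priority, Action=action,
                   DateTime=self.timestamp, MessageNo=message_no, Status=0)
        for mnemonic, value in values.items():
            row[MNEMONIC[mnemonic]] = value
        problems = validate(row)
        if problems:
            raise ValueError(f"row {row['SequenceId']}: " + "; ".join(problems))
        self.rows.append(row)
        return row

    def processing_order(self):
        """Rows in the order Cisco Secure ACS applies them: lowest Priority
        number first, then lowest SequenceId among equal priorities."""
        return sorted(self.rows, key=lambda r: (r["Priority"], r["SequenceId"]))

    def to_csv(self):
        """Serialize with a header line first; the importer ignores line 1."""
        out = io.StringIO()
        writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
        writer.writeheader()
        writer.writerows(self.rows)
        return out.getvalue()


def build_sample():
    """Constructed batch: create and configure user fred (MessageNo 1 groups the
    related rows) and delete olduser at a higher priority (lower number)."""
    acts = AccountActions()
    acts.add(ADD_USER, priority=1, message_no=1, UN="fred", V1="initial-pw")
    acts.add(SET_PAP_PASS, priority=1, message_no=1, UN="fred", V1="fred-new-pw")
    acts.add(SET_GROUP, priority=1, message_no=1, UN="fred", GN="Sales")
    # TYPE_MULTI_STRING values are tab-separated (Table E-2 example).
    acts.add(SET_VALUE, priority=1, message_no=1, UN="fred", AI="APP_CSAUTH",
             VN="My Value", V2="TYPE_MULTI_STRING", V1="str1\tstr2\tstr3")
    acts.add(DELETE_USER, priority=0, message_no=2, UN="olduser")
    return acts
```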
Action Codes for Initializing and Modifying Access Filters

Table E-4 on page E-16 lists the action codes for initializing and modifying AAA client access filters. AAA client access filters control Telnet access to a AAA client. Dial access filters control access by dial-up users.


Transactions using these codes affect the configuration displayed in the User
Setup and Group Setup sections of the HTML interface. For more information
about the User Setup section, see Chapter 7, “User Management.” For more
information about the Group Setup section, see Chapter 6, “User Group
Management.”

Table E-4 Action Codes for Initializing and Modifying Access Filters

Action Code Name Required Description
120 INIT_NAS_ACCESS_CONTROL UN|GN, V1 Clears the AAA client access filter list and initializes permit/deny for any forthcoming filters. V1 should be one of the following values:
• ACCESS_PERMIT
• ACCESS DENY
121 INIT_DIAL_ACCESS_CONTROL UN|GN, V1 Clears the dial-up access filter list and initializes permit/deny for any forthcoming filters. V1 should be one of the following values:
• ACCESS_PERMIT
• ACCESS DENY
122 ADD_NAS_ACCESS_FILTER UN|GN, V1 Adds a AAA client filter for the user|group.
V1 should contain a single (AAA client name, AAA client port, remote address, CLID) tuple; for example:
NAS01,tty0,0898-69696969
Optionally, the AAA client name can be “All AAA clients” to specify that the filter applies to all configured AAA clients and an asterisk (*) to represent all ports.

123 ADD_DIAL_ACCESS_FILTER
Required: UN|GN, V1, V2
Adds a dial-up filter for the user|group. V1 should contain one of the following
values:
• Calling station ID
• Called station ID
• Calling and called station ID; for example:
01732-875374,0898-69696969
• AAA client IP address, AAA client port; for example:
10.45.6.123,tty0
V2 should contain the filter type as one of the following values:
• CLID—The user is filtered by the calling station ID.
• DNIS—The user is filtered by the called station ID.
• CLID/DNIS—The user is filtered by both calling and called station IDs.
• AAA client/PORT—The user is filtered by AAA client IP and AAA client port
address.

130 SET_TOKEN_CACHE_SESSION
Required: GN, V1
Enables/disables token caching for an entire session; V1 is 0=disable, 1=enable.

131 SET_TOKEN_CACHE_TIME
Required: GN, V1
Sets the duration that tokens are cached. V1 is the token cache duration in
seconds.

140 SET_TODDOW_ACCESS
Required: UN|GN, V1
Sets periods during which access is permitted. V1 contains a string of 168
characters. Each character represents a single hour of the week. A “1”
represents an hour that is permitted, while a “0” represents an hour that is
denied. If this parameter is not specified for a user, the group setting
applies. The default group setting is “111111111111” and so on.

150 SET_STATIC_IP
Required: UN, V1, V2
Configures the (TACACS+ and RADIUS) IP address assignment for this user.
V1 holds the IP address in the following format: xxx.xxx.xxx.xxx
V2 should be one of the following:
• ALLOC_METHOD_STATIC—The IP address in V1 is assigned to the user in the
format xxx.xxx.xxx.xxx.
• ALLOC_METHOD_NAS_POOL—The IP pool named in V1 (configured on the AAA
client) will be assigned to the user.
• ALLOC_METHOD_AAA_POOL—The IP pool named in V1 (configured on the AAA
server) will be assigned to the user.
• ALLOC_METHOD_CLIENT—The dial-in client will assign its own IP address.
• ALLOC_METHOD_AS_GROUP—The IP address assignment configured for the group
will be used.

151 SET_CALLBACK_NO
Required: UN|GN, V1
Sets the callback number for this user or group (TACACS+ and RADIUS). V1 should
be one of the following:
• Callback number—The phone number the AAA client is to call back.
• none—No callback is allowed.
• roaming—The dial-up client determines the callback number.
• as group—Use the callback string or method defined by the group.

Action Codes for Modifying TACACS+ and RADIUS Group and User Settings

Table E-5 on page E-20 lists the action codes for creating, modifying, and
deleting TACACS+ and RADIUS settings for Cisco Secure ACS groups and users. In
the event that Cisco Secure ACS has conflicting user and group settings, user
settings always override group settings.
Transactions using these codes affect the configuration displayed in the User
Setup and Group Setup sections of the HTML interface. For more information
about the User Setup section, see Chapter 7, “User Management.” For more
information about the Group Setup section, see Chapter 6, “User Group
Management.”


Table E-5 Action Codes for Modifying TACACS+ and RADIUS Group and User Settings

Each entry gives the action code and name, the required accountActions fields,
and a description.

161 DEL_RADIUS_ATTR
Required: UN|GN, VN; optionally V2, V3
Deletes the named RADIUS attribute for the group or user, where:
• VN = “Vendor-Specific”
• V2 = IETF vendor ID
• V3 = VSA attribute ID
For example, to specify the Cisco IOS/PIX vendor ID and the Cisco AV Pair:
VN = “Vendor-Specific”
V2 = “9”
V3 = “1”

163 ADD_RADIUS_ATTR
Required: UN|GN, VN, V1; optionally V2, V3
Adds the numbered attribute (VN) with the value (V1) for the user/group (UN|GN).
For example, to set the IETF RADIUS Reply-Message attribute (attr. 18) for a
group:
GN = “Group 1”
VN = “18”
V1 = “Greetings”

As another example, to set the IETF RADIUS Framed-IP-Address attribute (attr. 9)
for a user:
UN = “fred”
VN = “9”
V1 = “10.1.1.1”

To add a vendor-specific attribute (VSA), set VN = “26” and use V2 and V3 as
follows:
• V2 = IETF vendor ID
• V3 = VSA attribute ID
For example, to add the Cisco IOS/PIX RADIUS cisco-av-pair attribute with a
value of “addr-pool=pool1”:
V2 = “9”
V3 = “1”
V1 = “addr-pool=pool1”

RADIUS attribute values can be one of the following:
• INTEGER
• TIME
• IP ADDRESS
• STRING

170 ADD_TACACS_SERVICE
Required: UN|GN, VN, V1, V3; optionally V2
Permits the service for that user or group of users. For example:
GN = “Group 1”
V1 = “ppp”
V2 = “ip”

or
UN = “fred”
V1 = “ppp”
V2 = “ip”

or
UN = “fred”
V1 = “exec”

171 REMOVE_TACACS_SERVICE
Required: UN|GN, V1; optionally V2
Denies the service for that user or group of users. For example:
GN = “Group 1”
V1 = “ppp”
V2 = “ip”

or
UN = “fred”
V1 = “ppp”
V2 = “ip”

or
UN = “fred”
V1 = “exec”

This also resets the valid attributes for the service.

172 ADD_TACACS_ATTR
Required: UN|GN, VN, V1, V3; optionally V2
Sets a service-specific attribute. The service must already have been permitted
either via the HTML interface or using Action 170:
GN = “Group 1”
VN = “routing”
V1 = “ppp”
V2 = “ip”
V3 = “true”

or
UN = “fred”
VN = “route”
V1 = “ppp”
V2 = “ip”
V3 = 10.2.2.2

173 REMOVE_TACACS_ATTR
Required: UN|GN, VN, V1; optionally V2
Removes a service-specific attribute:
GN = “Group 1”
V1 = “ppp”
V2 = “ip”
VN = “routing”

or
UN = “fred”
V1 = “ppp”
V2 = “ip”
VN = “route”

174 ADD_IOS_COMMAND
Required: UN|GN, VN, V1
Authorizes the given Cisco IOS command and determines if any arguments given to
the command are to be found in a defined set or are not to be found in a defined
set. The defined set is created using Actions 176 and 177:
GN = “Group 1”
VN = “telnet”
V1 = “permit”

or
UN = “fred”
VN = “configure”
V1 = “deny”

The first example permits the Telnet command to be authorized for users of
Group 1. Any arguments can be supplied to the Telnet command as long as they are
not matched against any arguments defined via Action 176. The second example
permits the configure command to be authorized for user fred, but only if the
arguments supplied are permitted by the filter defined by a series of Action 176.

175 REMOVE_IOS_COMMAND
Required: UN|GN, VN
Removes command authorization for the user or group:
GN = “Group 1”
VN = “telnet”

or
UN = “fred”
VN = “configure”

Users of Group 1 can no longer use the Cisco IOS telnet command. User fred can
no longer use the configure command.

176 ADD_IOS_COMMAND_ARG
Required: UN|GN, VN, V1, V2
Specifies a set of command-line arguments that are either permitted or denied
for the Cisco IOS command contained in VN. The command must have already been
added via Action 174:
GN = “Group 1”
VN = “telnet”
V1 = “permit”
V2 = “10.1.1.2”

or
UN = “fred”
VN = “show”
V1 = “deny”
V2 = “run”

The first example will allow the telnet command with argument 10.1.1.2 to be
used by any user in Group 1. The second example ensures that user fred cannot
issue the Cisco IOS command show run.

177 REMOVE_IOS_COMMAND_ARG
Required: UN|GN, VN, V2
Removes the permit or deny entry for the given Cisco IOS command argument:
GN = “Group 1”
VN = “telnet”
V2 = “10.1.1.1”

or
UN = “fred”
VN = “show”
V2 = “run”

178 SET_PERMIT_DENY_UNMATCHED_IOS_COMMANDS
Required: UN|GN, V1
Sets unmatched Cisco IOS command behavior. The default is that any Cisco IOS
commands not defined via a combination of Actions 174 and 175 will be denied.
This behavior can be changed so that issued Cisco IOS commands that do not match
any command/command argument pairs are authorized:
GN = “Group 1”
V1 = “permit”

or
UN = “fred”
V1 = “deny”

The first example will permit any command not defined by Action 174.

179 REMOVE_ALL_IOS_COMMANDS
Required: UN|GN
This action removes all Cisco IOS commands defined for a particular user or
group.

210 RENAME_GROUP
Required: GN, V1
Renames an existing group to the name supplied in V1.

211 RESET_GROUP
Required: GN
Resets a group back to the factory default.

212 SET_VOIP
Required: GN, V1
Enables or disables Voice over IP (VoIP) support for the group named, as
follows:
• GN = name of group
• V1 = ENABLE or DISABLE


Action Codes for Modifying Network Configuration

Table E-6 on page E-28 lists the action codes for adding AAA clients, AAA
servers, network device groups, and proxy table entries. Transactions using
these codes affect the configuration displayed in the Network Configuration
section of the HTML interface. For more information about the Network
Configuration section, see Chapter 4, “Network Configuration.”

Table E-6 Action Codes for Modifying Network Configuration

Each entry gives the action code and name, the required accountActions fields,
and a description.

220 ADD_NAS
Required: VN, V1, V2, V3
Adds a new AAA client (named in VN) with an IP address (V1), shared secret key
(V2), and vendor (V3). Valid vendors are as follows:
• VENDOR_ID_IETF_RADIUS—For IETF RADIUS.
• VENDOR_ID_CISCO_RADIUS—For Cisco IOS/PIX RADIUS.
• VENDOR_ID_CISCO_TACACS—For Cisco TACACS+.
• VENDOR_ID_ASCEND_RADIUS—For Ascend RADIUS.
• VENDOR_ID_ALTIGA_RADIUS—For Cisco VPN 3000 RADIUS.
• VENDOR_ID_COMPATIBLE_RADIUS—For Cisco VPN 5000 RADIUS.
• VENDOR_ID_AIRONET_RADIUS—For Cisco Aironet RADIUS.
• VENDOR_ID_NORTEL_RADIUS—For Nortel RADIUS.
• VENDOR_ID_JUNIPER_RADIUS—For Juniper RADIUS.
• VENDOR_ID_CBBMS_RADIUS—For Cisco BBMS RADIUS.
For example:
VN = AS5200-11
V1 = 192.168.1.11
V2 = byZantine32
V3 = VENDOR_ID_CISCO_RADIUS

221 SET_NAS_FLAG
Required: VN, V1
Sets one of the per-AAA client flags (V1) for the named AAA client (VN). Use the
action once for each flag required. Valid values for per-AAA client flags are as
follows:
• FLAG_SINGLE_CONNECT
• FLAG_LOG_KEEP_ALIVE
• FLAG_LOG_TUNNELS

222 DEL_HOST
Required: VN
Deletes the named AAA client (VN).

223 ADD_NAS_BY_IETF_CODE
Required: VN, V1, V2, V3
Adds a new AAA client (named in VN) with an IP address (V1), shared secret key
(V2), and the enterprise code for the vendor (V3).

230 ADD_AAA_SERVER
Required: VN, V1, V2
Adds a new AAA server named (VN) with IP address (V1) and shared secret key (V2).

231 SET_AAA_TYPE
Required: VN, V1
Sets the AAA server type for server (VN) to the value in V1, which should be one
of the following:
• TYPE_ACS
• TYPE_TACACS
• TYPE_RADIUS
The default is AAA_SERVER_TYPE_ACS.

232 SET_AAA_FLAG
Required: VN, V1
Sets one of the per-AAA client flags (V1) for the named AAA server (VN):
• FLAG_LOG_KEEP_ALIVE
• FLAG_LOG_TUNNELS
Use the action once for each flag required.

233 SET_AAA_TRAFFIC_TYPE
Required: VN, V1
Sets the appropriate traffic type (V1) for the named AAA server (VN):
• TRAFFIC_TYPE_INBOUND
• TRAFFIC_TYPE_OUTBOUND
• TRAFFIC_TYPE_BOTH
The default is TRAFFIC_TYPE_BOTH.

234 DEL_AAA_SERVER
Required: VN
Deletes the named AAA server (VN).

240 ADD_PROXY
Required: VN, V1, V2, V3
Adds a new proxy markup (VN) with markup type (V1), strip markup flag (V2), and
accounting flag (V3).
The markup type (V1) must be one of the following:
• MARKUP_TYPE_PREFIX
• MARKUP_TYPE_SUFFIX
The markup strip flag (V2) should be TRUE if the markup is to be removed from
the username before forwarding.
The accounting flag (V3) should be one of the following:
• ACCT_FLAG_LOCAL
• ACCT_FLAG_REMOTE
• ACCT_FLAG_BOTH

241 ADD_PROXY_TARGET
Required: VN, V1
Adds to the named proxy markup (VN) the host name (V1). The host should already
be configured on the Cisco Secure ACS.
Note The order in which proxy targets are added sets the proxy search order; the
first target added is the first target proxied to, and so on. The order must be
changed through the HTML interface.

242 DEL_PROXY
Required: VN
Deletes the named proxy markup (VN).

250 ADD_NDG
Required: VN
Creates a network device group (NDG) named (VN).

251 DEL_NDG
Required: VN
Deletes the named NDG.

252 ADD_HOST_TO_NDG
Required: VN, V1
Adds to the named AAA client/AAA server (VN) the NDG (V1).

270 SET_DCS_ASSIGNMENT
Required: —

271 ADD_NDG_TO_DCS_MAPPING
Required: —

300 RESTART_PROTO_MODULES
Required: —
Restarts the CSRadius and CSTacacs services to apply new settings.

350 ADD_UDV
Required: VN, V1, V2
Adds a RADIUS vendor to the Cisco Secure ACS vendor database. Vendors added to
Cisco Secure ACS by this method are known as User-Defined Vendors (UDV).
VN contains the name of the Vendor.
Note Cisco Secure ACS adds “RADIUS(...)” to the name entered in the Variable
Name field. For example, if you enter the name “MyCo”, Cisco Secure ACS
displays “RADIUS (MyCo)” in the HTML interface.
V1 contains the user-defined vendor slot number or AUTO_ASSIGN_SLOT. Cisco
Secure ACS has ten vendor slots, numbered 0 through 9. If you specify
AUTO_ASSIGN_SLOT, Cisco Secure ACS selects the next available slot for your
vendor.
Note If you want to replicate UDVs between Cisco Secure ACSes, you must assign
the UDV to the same slot number on both Cisco Secure ACSes.
V2 contains the IANA-assigned enterprise code for the vendor.

351 DEL_UDV
Required: V1
Removes the vendor with the IETF code specified in V1 and any defined VSAs.
Note Action code 351 does not remove any instances of VSAs assigned to Cisco
Secure ACS groups or users. If Cisco Secure ACS has AAA clients configured with
the UDV specified in V1, the delete operation fails.

352 ADD_VSA
Required: VN, V1, V2, V3
Adds a new VSA to the vendor specified by the vendor IETF code in V1.
VN is the VSA name. If the vendor name is MyCo and the attribute is assigned a
group ID, we recommend prefixing the vendor name or an abbreviation to all VSAs.
For example, VSAs could be “MyCo-Assigned-Group-Id”.
Note VSA names must be unique to both the vendor and to the Cisco Secure ACS
dictionary. For example, “MyCo-Framed-IP-Address” is allowed but
“Framed-IP-Address” is not, because “Framed-IP-Address” is used by IETF action
code 8 in the RADIUS attributes.
V2 is the VSA number. This must be in the 0-255 range.
V3 is the VSA type as one of following values:
• INTEGER
• STRING
• IPADDR
By default, VSAs are assumed to be outbound (or authorization) attributes. If
the VSA is either multi-instance or used in accounting messages, use
SET_VSA_PROFILE (Action code 353).

353 SET_VSA_PROFILE
Required: V1, V2, V3
Sets the inbound/outbound profile of the VSA. The profile specifies usage “IN”
for accounting, “OUT” for authorization, or “MULTI” if more than a single
instance is allowed per RADIUS message. Combinations are allowed.
V1 contains the vendor IETF code.
V2 contains the VSA number.
V3 contains the profile, one of the following:
IN
OUT
IN OUT
MULTI OUT
MULTI IN OUT

354 ADD_VSA_ENUM
Required: VN, V1, V2, V3
Sets meaningful enumerated values, if the VSA attribute has enumerated values.
In the User Setup section, the Cisco Secure ACS HTML interface displays the
enumeration strings in a list.
VN contains the VSA Enum Name.
V1 contains the vendor IETF code.
V2 contains the VSA number.
V3 contains the VSA Enum Value.
Example:
VN = Disabled
V1 = 9034
V2 = MyCo-Encryption
V3 = 0

or
VN = Enabled
V1 = 9034
V2 = MyCo-Encryption
V3 = 1

355 ADOPT_NEW_UDV_OR_VSA
Required: —
Restarts the CSAdmin, CSRadius, and CSLog services. These services must be
restarted before new UDVs or VSAs can become usable.


Cisco Secure ACS Attributes and Action Codes

This section complements the previous section by providing an inverse reference;
it provides topics with tables that list Cisco Secure ACS attributes, their data
types and limits, and the action codes you can use to act upon the Cisco Secure
ACS attributes.
This section contains the following topics:
• User-Specific Attributes, page E-34
• User-Defined Attributes, page E-36
• Group-Specific Attributes, page E-37

User-Specific Attributes
Table E-7 lists the attributes that define a Cisco Secure ACS user, including their
data types, limits, and default values. It also provides the action code you can use
in accountActions to affect each attribute. Although there are many actions
available, adding a user requires only one transaction: ADD_USER. You can
safely leave other user attributes at their default values. The term NULL is not
simply an empty string, but means not set; that is, the value will not be processed.
Some features are processed only if they have a value assigned to them. For more
information about action codes, see Action Codes, page E-5.

Table E-7 User-Specific Attributes

Each entry lists the attribute, the actions that affect it, its logical type,
its limits, and its default value.

Username: actions 100, 101; String; 1-64 characters; default —
ASCII/PAP Password: actions 100, 102; String; 4-32 characters; default Random
string
CHAP Password: action 103; String; 4-32 characters; default Random string
Outbound CHAP Password: action 104; String; 4-32 characters; default NULL

TACACS+ Enable Password: action 105; String password, 4-32 characters, default
NULL; Integer privilege level, 0-15, default NULL
Group: action 106; String; 0-100 characters; default “Default Group”
Password Supplier: action 107; Enum; see Table E-3; default LIBRARY_CSDB
Password Type: action 108; Enum; see Table E-3; default PASS_TYPE_CSDB
(password is cleartext PAP)
Password Expiry Status: actions 109, 110; Bitwise Enum; see Table E-3; default
PASS_STATUS_NEVER (never expires)
Expiry Data: actions 112, 113; Short wrong max/current, 0-32,767, default —;
Expiry date, default —
Max Sessions: action 114; Unsigned short; 0-65535; default
MAX_SESSIONS_AS_GROUP
TODDOW Restrictions: action 140; String; 168 characters; default 111111111111
NAS Access Control: actions 120, 122; Bool enabled, T/F; Bool permit/deny, T/F;
ACL String (see Table E-4), 0-31 KB; default NULL
Dial-Up Access Control: actions 121, 123; Bool enabled, T/F; Bool permit/deny,
T/F; ACL String (see Table E-4), 0-31 KB; default NULL

Static IP Address: action 150; Enum scheme (see Table E-4), default Client;
String IP/Pool name, 0-31 KB, default NULL
Callback Number: action 151; String; 0-31 KB; default NULL
TACACS Attributes: actions 160, 162; Formatted String; 0-31 KB; default NULL
RADIUS Attributes: actions 170, 173; Formatted String; 0-31 KB; default NULL
UDF 1: actions 1, 2; String Real Name; 0-31 KB; default NULL
UDF 2: actions 1, 2; String Description; 0-31 KB; default NULL
UDF 3: actions 1, 2; String; 0-31 KB; default NULL
UDF 4: actions 1, 2; String; 0-31 KB; default NULL
UDF 5: actions 1, 2; String; 0-31 KB; default NULL

User-Defined Attributes
User-defined attributes (UDAs) are string values that can contain any data, such
as social security number, department name, telephone number, and so on. You
can configure Cisco Secure ACS to include UDAs on accounting logs about user
activity. For more information about configuring UDAs, see User Data
Configuration Options, page 3-3.
RDBMS Synchronization can set UDAs by using the SET_VALUE action (code 1) to
create a value called “USER_DEFINED_FIELD_0” or “USER_DEFINED_FIELD_1”. For
accountActions rows defining a UDA value, the AppId (AI) field must contain
“APP_CSAUTH” and the Value2 (V2) field must contain “TYPE_STRING”.
Table E-8 on page E-37 lists the data fields that define UDAs. For more
information about action codes, see Action Codes, page E-5.

Table E-8 User-Defined Attributes

Columns: Action | Username (UN) | ValueName (VN) | Value1 (V1) | Value2 (V2) |
AppId (AI)

1 | fred | USER_DEFINED_FIELD_0 | SS123456789 | TYPE_STRING | APP_CSAUTH
1 | fred | USER_DEFINED_FIELD_1 | Engineering | TYPE_STRING | APP_CSAUTH
1 | fred | USER_DEFINED_FIELD_2 | 949-555-1111 | TYPE_STRING | APP_CSAUTH

Note If more than two UDAs are created, only the first two are passed to accounting
logs.

Group-Specific Attributes
Table E-9 lists the attributes that define a Cisco Secure ACS group, including
their data types, limits, and default values. It also provides the action code you can
use in your accountActions table to affect each field. For more information about
action codes, see Action Codes, page E-5.

Table E-9 Group-Specific Attributes

Each entry lists the attribute, the actions that affect it, its logical type,
its limits, and its default value.

Max Sessions: action 114; Unsigned short; 0-65534; default
MAX_SESSIONS_UNLIMITED
Max Sessions for user of group: action 115; Unsigned short; 0-65534; default
MAX_SESSIONS_UNLIMITED
Token caching for session: action 130; Bool; T/F; default NULL
Token caching for duration: action 131; Integer time in seconds; 0-65535;
default NULL
TODDOW Restrictions: action 140; String; 168 characters; default 111111111111

NAS Access Control: actions 120, 122; Bool enabled, T/F; Bool permit/deny, T/F;
ACL String (see Table E-4), 0-31 KB; default NULL
Dial-Up Access Control: actions 121, 123; Bool enabled, T/F; Bool permit/deny,
T/F; ACL String (see Table E-4), 0-31 KB; default NULL
Static IP Address: action 150; Enum scheme (see Table E-4), default Client;
String IP/Pool name, 0-31 KB, default NULL
TACACS Attributes: actions 160, 162; Formatted String; 0-31 KB; default NULL
RADIUS Attributes: actions 170, 173; Formatted String; 0-31 KB; default NULL
VoIP Support: action 212; Bool disabled; T/F; default NULL

An Example of accountActions
Table E-10 on page E-39 presents a sample instance of accountActions that
contains some of the action codes described in Action Codes, page E-5. First,
user “fred” is created, along with his passwords, including a TACACS+ Enable
password with privilege level 10. Fred is assigned to “Group 2.” His account
expires after December 31, 1999, or after 10 incorrect authentication attempts.
Attributes for Group 2 include Time-of-Day/Day-of-Week restrictions, token
caching, and some RADIUS attributes.


Note This example omits several columns that should appear in any accountActions
table. The omitted columns are Sequence ID (SI), Priority (P), DateTime (DT),
and MessageNo (MN).

Table E-10 Example accountActions Table

Columns: Action | User name (UN) | Group Name (GN) | Value Name (VN) |
Value1 (V1) | Value2 (V2) | Value3 (V3) | AppId (AI)

100 | fred | — | — | fred | — | — | —
102 | fred | — | — | freds_password | — | — | —
103 | fred | — | — | freds_chap_password | — | — | —
104 | fred | — | — | freds_outbound_password | — | — | —
105 | fred | — | — | freds_enable_password | 10 | — | —
106 | fred | Group 2 | — | — | — | — | —
150 | fred | — | — | 123.123.123.123 | — | — | —
151 | fred | — | — | 01832-123900 | — | — | —
109 | fred | — | — | PASS_STATUS_NEVER | — | — | —
110 | fred | — | — | PASS_STATUS_WRONG | — | — | —
110 | fred | — | — | PASS_STATUS_EXPIRES | — | — | —
112 | fred | — | — | 10 | — | — | —
113 | fred | — | — | 19991231 | — | — | —
114 | fred | — | — | 50 | — | — | —
115 | fred | — | — | 50 | — | — | —
120 | fred | — | — | ACCESS_PERMIT | — | — | —
121 | fred | — | — | ACCESS_DENY | — | — | —
122 | fred | — | — | NAS01,tty0,01732-975374 | — | — | —

123 | fred | — | — | 01732-975374,01622-123123 | CLID/DNIS | — | —
1 | fred | — | USER_DEFINED_FIELD_0 | Fred Jones | TYPE_STRING | — | APP_CSAUTH
140 | — | Group 2 | — | [a string of 168 ones (1)] | — | — | —
130 | — | Group 2 | — | DISABLE | — | — | —
131 | — | Group 2 | — | 61 | — | — | —
163 | — | Group 2 | Reply-Message | Welcome to Your Internet Service | — | — | —
163 | — | Group 2 | Vendor-Specific | addr-pool=pool2 | 9 | 1 | —
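Rows like those in Table E-10 are consumed by CSDBSync as-is, so a malformed row (a misspelled enumeration, a 167-character TODDOW string, an empty shared secret on a new AAA client) is cheaper to catch before import than after. The checker below is an added example, not Cisco code: it transcribes the required-field and value rules from Tables E-4 through E-8 for a subset of action codes and builds the 168-character value for action 140; the column names are those of the tables, the rows are constructed, and which weekday character index 0 denotes is an assumption.

```python
"""Pre-flight checks for accountActions rows before CSDBSync imports them.
Added example, not Cisco code; rules are transcribed from the action-code
tables in this appendix. Action codes missing from REQUIRED pass unchecked.
"""
import ipaddress

# Required fields per action code. "UN|GN" means exactly one of the two.
REQUIRED = {
    1:   ["UN", "VN", "V1", "V2", "AI"],           # SET_VALUE used for a UDA
    120: ["UN|GN", "V1"], 121: ["UN|GN", "V1"], 122: ["UN|GN", "V1"],
    123: ["UN|GN", "V1", "V2"], 130: ["GN", "V1"], 131: ["GN", "V1"],
    140: ["UN|GN", "V1"], 150: ["UN", "V1", "V2"], 151: ["UN|GN", "V1"],
    163: ["UN|GN", "VN", "V1"], 212: ["GN", "V1"],
    220: ["VN", "V1", "V2", "V3"], 230: ["VN", "V1", "V2"],
    352: ["VN", "V1", "V2", "V3"], 353: ["V1", "V2", "V3"],
}

# Closed value sets the tables name for particular (action, column) pairs.
ENUMS = {
    (120, "V1"): {"ACCESS_PERMIT", "ACCESS_DENY"},
    (121, "V1"): {"ACCESS_PERMIT", "ACCESS_DENY"},
    (123, "V2"): {"CLID", "DNIS", "CLID/DNIS", "AAA client/PORT"},
    (150, "V2"): {"ALLOC_METHOD_STATIC", "ALLOC_METHOD_NAS_POOL",
                  "ALLOC_METHOD_AAA_POOL", "ALLOC_METHOD_CLIENT",
                  "ALLOC_METHOD_AS_GROUP"},
    (212, "V1"): {"ENABLE", "DISABLE"},
    (220, "V3"): {f"VENDOR_ID_{v}_RADIUS" for v in (
        "IETF", "CISCO", "ASCEND", "ALTIGA", "COMPATIBLE", "AIRONET",
        "NORTEL", "JUNIPER", "CBBMS")} | {"VENDOR_ID_CISCO_TACACS"},
    (352, "V3"): {"INTEGER", "STRING", "IPADDR"},
    (353, "V3"): {"IN", "OUT", "IN OUT", "MULTI OUT", "MULTI IN OUT"},
}


def _is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def validate_row(row):
    """Return a list of problems for one accountActions row (empty means OK)."""
    problems = []
    code = int(row.get("Action", -1))
    if code not in REQUIRED:
        return problems                      # not covered by this checker
    for name in REQUIRED[code]:
        if name == "UN|GN":
            if bool(row.get("UN")) == bool(row.get("GN")):
                problems.append("exactly one of UN or GN must be set")
        elif not row.get(name):
            problems.append(f"{name} is required for action {code}")
    for (c, col), allowed in ENUMS.items():
        if c == code and row.get(col) and row[col] not in allowed:
            problems.append(f"{col}={row[col]!r} is not one of {sorted(allowed)}")
    v1, v2 = row.get("V1", ""), row.get("V2", "")
    if code == 140 and not (len(v1) == 168 and set(v1) <= {"0", "1"}):
        problems.append("V1 must be 168 characters of 0/1, one per hour of the week")
    if code == 150 and v2 == "ALLOC_METHOD_STATIC" and not _is_ipv4(v1):
        problems.append("V1 must be a dotted-quad IP address for ALLOC_METHOD_STATIC")
    if code in (220, 230) and not _is_ipv4(v1):
        problems.append("V1 must be the AAA client/server IP address")
    if code == 352 and not (v2.isdigit() and int(v2) <= 255):
        problems.append("V2 (VSA number) must be in the range 0-255")
    if code == 1 and (row.get("AI") != "APP_CSAUTH" or v2 != "TYPE_STRING"
                      or not row.get("VN", "").startswith("USER_DEFINED_FIELD_")):
        problems.append("UDA rows need AI=APP_CSAUTH, V2=TYPE_STRING, VN=USER_DEFINED_FIELD_n")
    return problems


def toddow_string(permitted):
    """Build the 168-character V1 value for action 140 (SET_TODDOW_ACCESS).

    permitted(day, hour) returns True for hours that are allowed; day is 0..6
    and hour 0..23. Which weekday index 0 denotes is an assumption here.
    """
    return "".join("1" if permitted(d, h) else "0"
                   for d in range(7) for h in range(24))


def check_rows(rows):
    """Map row index -> problems, for rows that have any."""
    return {i: p for i, r in enumerate(rows) if (p := validate_row(r))}


# Constructed rows modelled on Table E-10; three of them are deliberately wrong.
SAMPLE_ROWS = [
    {"Action": "100", "UN": "fred", "V1": "fred"},
    {"Action": "150", "UN": "fred", "V1": "123.123.123.123",
     "V2": "ALLOC_METHOD_STATIC"},
    {"Action": "120", "UN": "fred", "V1": "ACCESS PERMIT"},   # space, not underscore
    {"Action": "140", "GN": "Group 2", "V1": "1" * 167},       # one hour short
    {"Action": "220", "VN": "AS5200-11", "V1": "192.168.1.11",
     "V2": "", "V3": "VENDOR_ID_CISCO_RADIUS"},                # empty shared secret
    {"Action": "1", "UN": "fred", "VN": "USER_DEFINED_FIELD_0",
     "V1": "Fred Jones", "V2": "TYPE_STRING", "AI": "APP_CSAUTH"},
]
```

Calling check_rows(SAMPLE_ROWS) reports rows 2, 3 and 4; rows that pass do not appear in the result.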

Appendix F
Internal Architecture

This chapter describes the Cisco Secure ACS Appliance architectural
components. It includes the following topics:
• Cisco Secure ACS Services, page F-1
• CSAdmin, page F-2
• CSAuth, page F-3
• CSDBSync, page F-3
• CSLog, page F-4
• CSMon, page F-4
• CSTacacs and CSRadius, page F-7

Cisco Secure ACS Services

Cisco Secure ACS is modular and flexible to fit the needs of both simple and
large networks. This appendix describes the Cisco Secure ACS architectural
components. Cisco Secure ACS includes the following service modules:
• CSAdmin
• CSAuth
• CSDBSync
• CSLog
• CSMon

• CSTacacs
• CSRadius
You can stop or restart Cisco Secure ACS services as a group, except for
CSAdmin, using the Cisco Secure ACS HTML interface. For more information,
see Service Control, page 8-2.
Individual Cisco Secure ACS services can be started, stopped, and restarted from
the appliance serial console. For more information about starting, stopping, and
restarting services using the serial console, see the Installation and Setup Guide
for Cisco Secure ACS Appliance.

CSAdmin
CSAdmin is the service that provides the web server for the Cisco Secure ACS
HTML interface. After Cisco Secure ACS is installed, you must configure it from
its HTML interface; therefore, CSAdmin must be running when you configure
Cisco Secure ACS.
Because the Cisco Secure ACS web server uses port 2002 rather than the standard
port 80 usually associated with HTTP traffic, you can use another web server on
the same machine to provide other web services. We have not performed
interoperability testing with other web servers, but unless a second web server is
configured to use either port 2002 or one of the ports within the range specified
in the HTTP Port Allocation feature, you should not encounter port conflicts for
HTTP traffic. For more information about the HTTP Port Allocation feature, see
Access Policy, page 12-11.

Note For more information about access to the HTML interface and network
environments, see Network Environments and Administrative Sessions,
page 1-27.

Although you can start and stop services from within the Cisco Secure ACS
HTML interface, this does not include starting or stopping CSAdmin. If CSAdmin
stops abnormally because of an external action, you can only restart the service
using the appliance serial console. For more information about starting, stopping,
and restarting services using the serial console, see the Installation and Setup
Guide for Cisco Secure ACS Appliance.

CSAdmin is a multi-threaded application that enables several Cisco Secure ACS
administrators to access it at the same time. Therefore, CSAdmin is well suited
for distributed, multiprocessor environments.

CSAuth
CSAuth is the authentication and authorization service. It permits or denies access
to users by processing authentication and authorization requests. CSAuth
determines if access should be granted and defines the privileges for a particular
user. CSAuth is the Cisco Secure ACS database manager.
To authenticate users, Cisco Secure ACS can use the internal user database or one
of many external databases. When a request for authentication arrives,
Cisco Secure ACS checks the database that is configured for that user. If the user
is unknown, Cisco Secure ACS checks the database(s) configured for unknown
users. For more information about how Cisco Secure ACS handles authentication
requests for unknown users, see Unknown User Processing, page 14-2.
For more information about the various database types supported by Cisco Secure
ACS, see Chapter 13, “User Databases.”
When a user has authenticated, Cisco Secure ACS obtains a set of authorizations
from the user profile and the group to which the user is assigned. This information
is stored with the username in the CiscoSecure user database. Some of the
authorizations included are the services to which the user is entitled, such as IP
over PPP, IP pools from which to draw an IP address, access lists, and
password-aging information. The authorizations, with the approval of
authentication, are then passed to the CSTacacs or CSRadius modules to be
forwarded to the requesting device.

CSDBSync
CSDBSync is the service used to synchronize the Cisco Secure ACS database
with data from comma-separated value files. CSDBSync synchronizes AAA
client, AAA server, network device groups (NDGs) and Proxy Table information.
For information on RDBMS Synchronization, see RDBMS Synchronization,
page 9-24.

User Guide for Cisco Secure ACS Appliance, version 3.2


78-14698-02 F-3
Appendix F Internal Architecture
CSLog
CSLog is the service that collects and writes logging information. It gathers
data from the TACACS+ or RADIUS packet and from CSAuth, then formats the data
for the comma-separated value (CSV) log files. CSV files can be imported into
spreadsheets that support this format.
For information about the logs generated by Cisco Secure ACS, see Chapter 1,
“Overview.”

CSMon
CSMon is a service that helps minimize downtime in a remote access network
environment. CSMon works for both TACACS+ and RADIUS and automatically
detects which protocols are in use.
You can use the Cisco Secure ACS HTML interface to configure the CSMon
service. The Cisco Secure ACS Active Service Management feature provides
options for configuring CSMon behavior. For more information, see Cisco Secure
ACS Active Service Management, page 8-17.

Note CSMon is not intended as a replacement for system, network, or application
management applications but is provided as an application-specific utility that can
be used with other, more generic system management tools.

CSMon performs four basic activities, outlined in the following topics:


• Monitoring, page F-5
• Recording, page F-6
• Notification, page F-6
• Response, page F-7


Monitoring
CSMon monitors the overall status of Cisco Secure ACS and the system on which
it is running. CSMon actively monitors three basic sets of system parameters:
• Generic host system state—CSMon monitors the following key system
thresholds:
– Available hard disk space
– Processor utilization
– Physical memory utilization
All events related to generic host system state are categorized as “warning
events”.
• Application-specific performance
– Application viability—CSMon periodically performs a test login using
a special built-in test account (the default period is one minute).
Problems with this authentication can be used to determine if the service
has been compromised.
– Application performance thresholds—CSMon monitors and records
the latency of each test authentication request (the time it takes to receive
a positive response). Each time this is performed, CSMon updates a
variable containing the average response time value. Additionally, it
records whether retries were necessary to achieve a successful response.
By tracking the average time for each test authentication, CSMon can
build up a “picture” of expected response time on the system in question.
CSMon can therefore detect whether excess re-tries are required for each
authentication or if response times for a single authentication exceed a
percentage threshold over the average.
• System resource consumption by Cisco Secure ACS—CSMon periodically
monitors and records the usage by Cisco Secure ACS of a small set of key
system resources and compares it against predetermined thresholds for
indications of atypical behavior. The parameters monitored include the
following:
– Handle counts
– Memory utilization
– Processor utilization
– Threads used
– Failed log-on attempts
CSMon cooperates with CSAuth to keep track of user accounts being disabled by
exceeding their failed attempts count maximum. This feature is more oriented to
security and user support than to system viability. If configured, it provides
immediate warning of “brute force” attacks by alerting the administrator to a large
number of accounts becoming disabled. In addition, it helps support technicians
anticipate problems with individual users gaining access.
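Two of the monitoring behaviours described above, the test-login latency threshold and the warning on a burst of disabled accounts, as an added example in Python. This is illustrative code, not CSMon itself: the percentage threshold, the minimum sample count, the five-minute window, and the column layout of the Failed Attempts rows (including the "Account Disabled" failure string) are assumptions, and the CSV lines are constructed sample data.

```python
"""Added example (not Cisco code): a CSMon-style viability and lockout monitor.

  * TestLoginMonitor tracks the latency of each periodic test authentication
    against a running average and flags probes that exceed it by a percentage,
    or that needed retries before a positive response.
  * disabled_account_alerts scans Failed Attempts rows and raises one alert when
    at least `threshold` distinct accounts are disabled inside a sliding window,
    the signature of a brute-force run against many users.
"""
import csv
import io
from collections import deque
from datetime import datetime, timedelta


class TestLoginMonitor:
    def __init__(self, pct_over_average=50.0, min_samples=5):
        self.pct = pct_over_average      # assumed threshold: % above running average
        self.min_samples = min_samples   # no latency verdict until a baseline exists
        self.count = 0
        self.average = 0.0

    def record(self, latency_ms, retries=0):
        """Evaluate one test login; return warning strings, then update the average."""
        warnings = []
        limit = self.average * (1 + self.pct / 100.0)
        if self.count >= self.min_samples and latency_ms > limit:
            warnings.append(f"latency {latency_ms:.0f}ms exceeds average "
                            f"{self.average:.0f}ms by more than {self.pct:.0f}%")
        if retries > 0:
            warnings.append(f"{retries} retries needed before a positive response")
        # Incremental mean: every probe, including slow ones, feeds the baseline.
        self.count += 1
        self.average += (latency_ms - self.average) / self.count
        return warnings


# Constructed sample rows in a Failed Attempts style layout (assumed columns).
SAMPLE_FAILED_ATTEMPTS = """Date,Time,User-Name,Caller-ID,Authen-Failure-Code
03/14/2004,09:30:00,alice,10.1.1.5,Wrong password
03/14/2004,10:00:01,alice,10.1.1.5,Account Disabled
03/14/2004,10:00:07,bob,10.1.1.5,Account Disabled
03/14/2004,10:00:12,carol,10.1.1.5,Wrong password
03/14/2004,10:00:15,carol,10.1.1.5,Account Disabled
03/14/2004,10:00:20,dave,10.1.1.5,Account Disabled
03/14/2004,10:45:00,erin,10.1.1.9,Account Disabled
"""


def disabled_account_alerts(csv_text, window=timedelta(minutes=5), threshold=3):
    """Return [(time, [users])] alerts: one per burst of >= threshold disablements."""
    recent = deque()      # (timestamp, user) disablement events inside the window
    alerts = []
    alerted = False       # suppress repeats while the burst is still above threshold
    for row in csv.DictReader(io.StringIO(csv_text)):
        if "disabled" not in row["Authen-Failure-Code"].lower():
            continue
        ts = datetime.strptime(f"{row['Date']} {row['Time']}", "%m/%d/%Y %H:%M:%S")
        recent.append((ts, row["User-Name"]))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        distinct = sorted({user for _, user in recent})
        if len(distinct) >= threshold:
            if not alerted:
                alerts.append((row["Time"], distinct))
                alerted = True
        else:
            alerted = False
    return alerts


if __name__ == "__main__":
    mon = TestLoginMonitor(pct_over_average=50, min_samples=3)
    for latency, retries in [(100, 0), (110, 0), (90, 0), (200, 0), (120, 2)]:
        print(latency, retries, mon.record(latency, retries))
    print(disabled_account_alerts(SAMPLE_FAILED_ATTEMPTS))
```

In the sample data the third disablement inside five minutes (carol at 10:00:15) fires a single alert naming alice, bob and carol; dave extends the same burst without a second alert, and erin's isolated lockout 45 minutes later stays below the threshold.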

Recording
CSMon records exception events in a CSV log that you can use to diagnose
problems. Because this logging consumes relatively small amounts of resources,
CSMon logging cannot be disabled.

Notification
CSMon can be configured to notify system administrators in the following cases:
• Exception events
• Response
• Outcome of the response
Notification for exception events and outcomes includes the current state of
Cisco Secure ACS at the time of the message. The default notification method is
simple mail-transfer protocol (SMTP) e-mail, but you can create scripts to enable
other methods.

Response
CSMon detects exception events that affect the integrity of the service and can
respond to them. For information about monitored events, see Monitoring,
page F-5. These events are application-specific and hard-coded into Cisco Secure
ACS. There are two types of events:
• Warning events—Service is maintained but some monitored threshold is
breached.
• Failure events—One or more Cisco Secure ACS components stop providing
service.
CSMon responds to an event by logging it, sending notifications (if
configured) and, if the event is a service failure, taking action. A warning
event is logged and the administrator is notified; no further action is taken.
For a failure event, CSMon first attempts to fix the cause of the failure through
a sequence of re-tries and individual service restarts, then carries out the
response selected for the service. The predefined responses are built into the
program, and a customer-defined action can be configured as well; whichever
response is selected is always carried out when a triggering event is detected.
For more information about response options, see System Monitoring Options,
page 8-18.

CSTacacs and CSRadius
The CSTacacs and CSRadius services communicate between the CSAuth module
and the access device that is requesting authentication and authorization services.
For CSTacacs and CSRadius to work properly, the system must meet the
following conditions:
• CSTacacs and CSRadius services must be configured from CSAdmin.
• CSTacacs and CSRadius services must communicate with access devices
such as access servers, routers, switches, and firewalls.
• The identical shared secret (key) must be configured both in Cisco Secure
ACS and on the access device.
• The access device IP address must be specified in Cisco Secure ACS.
• The type of security protocol being used must be specified in Cisco Secure
ACS.

CSTacacs is used to communicate with TACACS+ devices and CSRadius to
communicate with RADIUS devices. Both services can run at the same time.
When only one security protocol is used, only the applicable service needs to be
running; however, the other service will not interfere with normal operation and
does not need to be disabled. For more information about TACACS+ AV pairs, see
Appendix B, “TACACS+ Attribute-Value Pairs.” For more information about
RADIUS AV pairs, see Appendix C, “RADIUS Attributes.”
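Why the shared secret must be identical on Cisco Secure ACS and the access device, shown for the RADIUS side as an added example in Python. This is not CSRadius code: it implements two RFC 2865 mechanisms that depend on the secret, the Response Authenticator the server puts in every reply (MD5 over the header, the Request Authenticator, the attributes and the secret) and the User-Password hiding a NAS applies in an Access-Request. The secret, identifier, Request Authenticator and attribute values are constructed for illustration; TACACS+ protects its packet bodies with the key in a different way and is not modelled here.

```python
"""Added example (not Cisco code): shared-secret dependence in RADIUS (RFC 2865).

build_reply / verify_reply   - Response Authenticator stamped by the server and
                               recomputed by the client; a secret mismatch or any
                               tampering with the packet makes verification fail.
hide_password / reveal_password - User-Password obfuscation: MD5(secret + prior
                               block) XORed over 16-byte blocks, so a NAS and a
                               server with different secrets cannot agree on the
                               password either.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
REPLY_MESSAGE = 18   # attribute type from RFC 2865


def encode_attributes(attrs):
    """attrs: list of (type, value_bytes) -> RADIUS type/length/value byte string."""
    out = b""
    for attr_type, value in attrs:
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_reply(code, ident, request_auth, attrs, secret):
    """Server side: assemble a reply and stamp it with the Response Authenticator."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_reply(packet, request_auth, secret):
    """Client side: True only if the reply was built with the same secret and is intact."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    received = packet[4:20]
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    return hmac.compare_digest(received, expected)   # constant-time comparison


def hide_password(password, secret, request_auth):
    """NAS side: RFC 2865 section 5.2. Password is NUL-padded to a 16-byte multiple."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += block
        prev = block          # chaining: next pad depends on the previous ciphertext
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side: inverse of hide_password (trailing NUL padding is stripped)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    secret = b"ciscosecret"               # constructed; never reuse in production
    request_auth = bytes(range(16))       # constructed; must be random per request
    reply = build_reply(ACCESS_ACCEPT, 7, request_auth, [(REPLY_MESSAGE, b"Welcome")], secret)
    print("same secret   :", verify_reply(reply, request_auth, secret))
    print("other secret  :", verify_reply(reply, request_auth, b"wrongsecret"))
    hidden = hide_password(b"s3cret!", secret, request_auth)
    print("password back :", reveal_password(hidden, secret, request_auth))
```

A device configured with a different key than the one entered for it in Cisco Secure ACS therefore fails silently from the user's point of view: the server cannot recover the password from the Access-Request, and the device discards replies whose Response Authenticator does not verify, which matches the "identical shared secret" condition listed above.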

Index

editing 4-27
A
enabling in interface (table) 3-5
AAA functions and concepts 1-4
See also AAA clients in distributed systems 4-3
See also AAA servers master 9-3
definition 1-1 overview 4-22
pools for IP address assignment 7-10 primary 9-3
AAA clients replicating 9-3
AAA Clients table 4-2 searching for 4-9
adding and configuring 4-17 secondary 9-3
configuration 4-11 troubleshooting A-1
definition 1-5 access devices 1-5
deleting 4-21 accessing Cisco Secure ACS
editing 4-20 how to 1-29
interaction with AAA servers 1-5 URL 1-27
IP pools 7-10 with SSL enabled 1-27
multiple IP addresses for 4-12 access policies
searching for 4-9 See administrative access policies
supported Cisco AAA clients 1-2 accountActions File 9-28
timeout values 14-8 account disablement
AAA servers Account Disabled check box 7-4
AAA Servers table 4-2 manual 7-55
adding 4-25 resetting 7-57
configuring 4-22 setting options for 7-19
deleting 4-28 accounting

See also logging through firewalls 1-28


logs 11-5 through NAT (network address
overview 1-20 translation) 1-29
administrators
ACLs
See downloadable IP ACLs See also Administration Audit log
See also Administration Control
action codes
See also administrative access policies
for initializing and modifying access
filters E-15 adding 12-6
for modifying network configuration E-27 deleting 12-11
for modifying TACACS+ and RADIUS editing 12-8
settings E-19
locked out 12-10
for setting and deleting values E-5 locking out 12-17
in accountActions E-5
overview 12-2
ActivCard user databases privileges 12-3
configuring 13-61
separation from general users 2-15
group mappings 15-2 troubleshooting A-2
RADIUS-based group specifications 15-13
unlocking 12-10
Administration Audit log advanced options in interface 3-6
viewing 11-14
age-by-date rules for groups 6-24
administration logs 11-7 Aironet
administrative access policies
AAA client configuration 4-14
See also administrators RADIUS parameters for group 6-39
configuring 12-14
RADIUS parameters for user 7-39
limits 12-11 appliance
options 12-12
configuration 8-22
overview 2-13 hardware specifications 1-2
administrative sessions
Appliance Status report
and HTTP proxy 1-28 description 11-8
network environment limitations of 1-27
viewing 11-11
session policies 12-16 ARAP

compatible databases 1-9 See also RADIUS VSAs (vendor specific


attributes)
in User Setup 7-4
protocol supported 1-10 RADIUS
Cisco IOS C-2
architectural components of Cisco Secure
ACS F-1 IETF C-12
ASCII/PAP TACACS+
compatible databases 1-9 accounting B-4
protocol supported 1-10 general B-1
attributes Axent user databases
enabling in interface 3-2 See PassGo user databases
group-specific (table) E-37
logging of user data 11-2
B
per-group 3-2
per-user 3-2 backups
user-specific (table) E-36 components backed up 8-9
attribute-value pairs disabling scheduled 8-13
See AV (attribute value) pairs filenames 8-14
authentication options 8-9
configuration 10-25 overview 8-8
denying external user databases 14-11 performing manually 8-10
options 10-32 reports 8-9
overview 1-8 scheduled vs. manual 8-8
request handling 14-4 scheduling 8-11
via external user databases 13-5 vs. replication 9-10
Windows 13-10 browsers
authorization 1-16 See also HTML interface
authorization sets troubleshooting A-4
See command authorization sets
AV (attribute value) pairs

TACACS+ AV (attribute value) pairs B-1


C
troubleshooting A-5
cab file 8-24 Cisco Secure ACS Active Service Management
callback options overview 8-17
in Group Setup 6-6 Cisco Secure ACS Active Service Monitoring
in User Setup 7-8 log

cascading replication 9-6, 9-12 viewing 11-14

certificate database for LDAP servers 13-47 Cisco Secure ACS administration
overview 1-21
certification
Cisco Secure ACS Backup and Restore log
See also EAP-TLS
viewing 11-14
See also PEAP
Cisco Secure ACS backups
adding certificate authority certificates 10-36
See backups
background 10-1
Cisco Secure ACS service management
backups 8-9
event logging configuration 8-20
certificate enrollment 10-33
system monitoring
certificate signing request generation 10-39
configuring 8-19
editing the certificate trust list 10-38
options 8-18
installing certificate 10-33
Cisco Secure ACS Service Monitoring log
replacing certificate 10-40
CSV (comma-separated values) file
updating certificate 10-40 directory 11-26
CHAP Cisco Secure ACS system restore
compatible databases 1-9 See restore
in User Setup 7-4 CiscoSecure Authentication Agent 1-15, 6-20
protocol supported 1-10 CiscoSecure database replication
Cisco IOS See replication
RADIUS CiscoSecure user database
AV (attribute value) pairs C-2 See also databases
group attributes 6-38 overview 13-2
user attributes 7-38 codes

See action codes CSTacacs F-7


command authorization sets CSV (comma-separated values) files
See also shell command authorization sets downloading 11-14
adding 5-19 viewing 11-14
configuring 5-15, 5-19 custom attributes
deleting 5-23 in group-level TACACS+ settings 6-29
editing 5-22 in user-level TACACS+ settings 7-22
overview 5-15
pattern matching 5-19
D
PIX command authorization sets 5-15
conventions xxv database group mappings
CRYPTOCard user databases configuring
configuring 13-61 for token servers 15-3
group mappings 15-2 for Windows domains 15-8
RADIUS-based group specifications 15-13 no access groups 15-6
CSAdmin F-2 order 15-11
CSAuth F-3 deleting
CSDBSync 9-28, F-3 group set mappings 15-10
CSLog F-4 Windows domain configurations 15-11
CSMon in external user databases 15-1
See also Cisco Secure ACS Active Service overview 15-1
Management
Database Replication log
configuration F-4
description 11-12
failure events
viewing 11-14
customer-defined actions F-7
databases
predefined actions F-7
authentication protocol compatibility of 1-9
functions F-4
CiscoSecure user database 13-2
log F-6
deleting 13-64
overview F-4
deployment considerations 2-16
CSRadius F-7

external Windows user databases 13-6


See also external user databases date and time setting 8-22
See also unknown user policies date format control 8-3
group mappings debug logs
See database group mappings detail levels 11-27
performance 14-8 frequency 11-27
remote agent selection 13-23 troubleshooting A-12
replication default group in Group Setup 6-2
See replication default group mapping for Windows 15-6
search order 14-10 default time-of-day/day-of-week
specification 3-4
search process 14-9, 14-10
default time-of-day access settings for
selecting user databases 13-1
groups 6-5
synchronization
deleting logged-in users 11-10
See RDBMS synchronization
deployment
token cards
overview 2-1
See token servers
sequence 2-17
troubleshooting A-6, A-16
device command sets
types
See command authorization sets
See ActivCard user databases
device groups
See CRYPTOCard user databases
See network device groups
See generic LDAP user databases
device management applications support 1-18
See LEAP proxy RADIUS user databases
DHCP with IP pools 9-39
See Novell NDS user databases
diagnostic logs 8-27
See PassGo user databases
dial-in permission to users in Windows 13-23
See RADIUS user databases
dial-in troubleshooting A-8
See SafeWord user databases
dial-up networking clients 13-10
unknown users 14-2
dial-up topologies 2-4
user
digital certificates
import methods 13-2
See certification

Disabled Accounts report assigning to groups 6-28


description 11-8 assigning to users 7-20
viewing 11-11 deleting 5-6
discovered users 14-2 editing 5-5
distributed systems enabling in interface
See also proxy group-level 3-5
AAA servers in 4-3 user-level 3-4
overview 4-3 overview 5-2
settings draft-ietf-radius-tunnel-auth 1-6
configuring 4-42
default entry 4-4
E
enabling in interface 3-5
distribution table EAP (Extensible Authentication Protocol)
See Proxy Distribution Table overview 1-12
documentation with Windows authentication 13-12
conventions xxv EAP-FAST
objectives xxiii compatible databases 1-9
online 1-31 enabling 10-23
organization xxiv identity protection 10-13
related xxvii logging 10-12
domain lists master keys
configuring 13-29 definition 10-13
inadvertent user lockouts 13-12, 13-26 states 10-14
overview 13-11 master server 10-22
domain name and hostname configuration 8-23 options 10-26
domain names overview 10-12
Windows operating systems 13-10 PAC
downloadable IP ACLs automatic provisioning 10-17
adding 5-4 definition 10-15

manual provisioning 10-18 latency factors 14-8


refresh 10-19 search order 14-8, 14-10
states 10-17 supported 1-9
phases 10-12 turning off authentication from 14-11
replication 10-20 unknown user policy 14-1
EAP-TLS
See also certification
F
authentication configuration 10-25
comparison methods 10-4 Failed Attempts log
compatible databases 1-9 configuring CSV 11-15
domain stripping 13-13 enabling
enabling 10-5 log 11-13
limitations 10-5 viewing 11-14
options 10-29 failed log-on attempts F-6
overview 10-2 failure events
session resume 10-4 customer-defined actions F-7
enable password options for TACACS+ 7-34 predefined actions F-7
enable privilege options for groups 6-18 fallbacks on failed connection 4-6
event logging 8-20 finding users 7-54
exception events F-6 firewalls
Extensible Authentication Protocol administering AAA servers through 1-22
See EAP (Extensible Authentication troubleshooting A-16
Protocol)
FTP setup options 9-31
external token servers
See token servers
external user databases G
See also databases
gateways D-3
authentication via 13-5
generic LDAP user databases
configuring 13-3
authentication 13-30
deleting configuration 13-64

certificate database downloading 13-47 mappings 15-1


configuring multiple mappings 15-5
database 13-42 no access groups 15-5
options 13-36 overriding settings 3-2
directed authentications 13-32 relationship to users 3-2
domain filtering 13-32 renaming 6-54
failover 13-34 resetting usage quota counters for 6-53
mapping database groups to AAA settings for
groups 15-4
callback options 6-6
multiple instances 13-31
configuration-specific 6-15
organizational units and groups 13-32
configuring common 6-3
Global Authentication Setup 10-32
device management command
grant dial-in permission to users 13-9, 13-23 authorization sets 6-35
greeting after login 6-23 enable privilege 6-18
group-level interface enabling IP address assignment method 6-27
downloadable IP ACLs 3-5 management tasks 6-52
network access restrictions 3-5 max sessions 6-11
password aging 3-5 network access restrictions 6-7
group-level network access restrictions password aging rules 6-20
See network access restrictions PIX command authorization sets 6-33
groups shell command authorization sets 6-31
See also network device groups TACACS+ 6-2, 6-29
assigning users to 7-7 time-of-day access 6-5
configuring RADIUS settings for token cards 6-17
See RADIUS usage quotas 6-13
Default Group 6-2, 15-6 setting up and managing 6-1
enabling VoIP (Voice-over-IP) support sort order within group mappings 15-5
for 6-4 GUI
listing all users in 6-53
See HTML interface
mapping order 15-11

Interface Configuration
H
See also HTML interface
handle counts F-5 advanced options 3-4
hard disk space F-5 configuring 3-1
Help 1-26 customized user data fields 3-3
host and domain names configuration 8-23 security protocol options 3-9
host system state F-5 IP addresses
HTML interface in User Setup 7-9
See also Interface Configuration multiple IP addresses for AAA client 4-12
encrypting 12-13 requirement for CSTacacs and CSRadius F-7
logging off 1-30 setting assignment method for user
overview 1-24 groups 6-27

security 1-24 IP pools

SSL 1-24 address recovery 9-44

web server F-2 deleting 9-43

HTTP port allocation DHCP 9-39

configuring 12-14 editing IP pool definitions 9-41

overview 1-22 enabling in interface 3-5

HTTPS 12-13 IP pools address recovery 3-5


overlapping 9-39, 9-40
refreshing 9-40
I resetting 9-42
servers
IETF 802.1x 1-12
adding IP pools 9-40
inbound authentication 1-13
overview 9-38
inbound password configuration 1-14
replicating IP pools 9-38
installation
user IP addresses 7-10
related documentation xxvii
system requirements 2-2
troubleshooting A-13

format 11-1
L
overview 11-4
LAN manager 1-12 remote agent logging
latency in networks 2-17 configuration 11-22
LDAP databases options 11-22
See generic LDAP user databases remote logging
LEAP proxy RADIUS user databases centralized 11-18
configuring external databases 13-56 configuring 11-20
group mappings 15-2 disabling 11-22
overview 13-55 enabling 11-20
RADIUS-based group specifications 15-13 enabling in interface 3-5
list all users local configuration 11-19
in Group Setup 6-53 options 11-19
in User Setup 7-54 overview 11-17
Logged-In Users report replication 9-11
deleting logged-in users 11-10 services
description 11-8 configuring service logs 11-27
viewing 11-9 list of logs generated 11-26
logging system logs 11-12
See also Reports and Activity troubleshooting A-14
accounting logs 11-5 user data attributes 11-2
configuring 11-16, 11-17 watchdog packets 11-3
configuring remote agent logs 11-24, 11-25 logins
debug log detail levels 11-27 greeting upon 6-23
diagnostic logs 8-27 password aging dependency 6-22
domain names 11-2 login testing frequency 8-18
dynamic administration reports 11-7
event logging 8-20
external user databases 11-2

protocol supported 1-10


M
multiple group mappings 15-5
machine authentication multiple IP addresses for AAA clients 4-12
overview 13-13
with Microsoft Windows 13-16
management application support 1-18
N
mappings NAR
database groups to AAA groups 15-4 See network access restrictions
database to AAA groups 15-2 NAS
master AAA servers 9-3 See AAA clients
master key NDG
definition 10-13 See network device groups
states 10-14 network access filters
max sessions See network access restrictions
enabling in interface 3-5 network access quotas 1-18
in Group Setup 6-11 network access restrictions
in User Setup 7-15 adding 5-9
overview 1-17 configuring 5-9
troubleshooting A-14 deleting 5-14
memory utilization F-5 editing 5-12
monitoring enabling in interface
configuring 8-19 group-level 3-4
CSMon F-5 user-level 3-4
overview 8-18 in Group Setup 6-7
services 8-26 Interface Configuration 3-5
MS-CHAP in User Setup 6-7, 7-10
compatible databases 1-9 overview 5-7
configuring 10-25 network access servers
overview 1-12 See AAA clients

Network Configuration 4-1 options 13-51


network device groups user contexts 13-50
adding 4-37 NTP server 8-22
assigning AAA clients to 4-38
assigning AAA servers to 4-38
O
configuring 4-36
deleting 4-40 Online Documentation 1-31
enabling in interface 3-6 online Help
overview 1-22, 4-2 location in HTML interface 1-26
reassigning AAA clients to 4-39 using 1-31
reassigning AAA servers to 4-39 outbound password configuration 1-14
renaming 4-39 overview of Cisco Secure ACS 1-1
network devices
See AAA clients
searches for 4-9
P
network requirements 2-2 PAC
networks automatic provisioning 10-17
latency 2-17 definition 10-15
reliability 2-17 manual provisioning 10-18
network time protocol refresh 10-19
See NTP server PAP
network topologies compatible databases 1-9
deployment 2-4 in User Setup 7-4
wireless 2-7 vs. ARAP 1-11
notifications F-6 vs. CHAP 1-11
Novell NDS user databases Passed Authentications log
authentication 13-49 configuring CSV (comma-separated
configuring 13-53 values) 11-15
mapping database groups to AAA enabling CSV (comma-separated values)
groups 15-4 logging 11-13

viewing 11-14 protocols and user database compatibility 1-9


PassGo user databases protocols supported 1-10
configuring external databases 13-61 remote change of 8-5
group mappings 15-2 user-changeable 1-15
RADIUS-based group specifications 15-13 validation options in System
Configuration 8-5
password aging
pattern matching in command
age-by-uses rules 6-22
authorization 5-19
Cisco IOS release requirement for 6-20
PEAP
EAP-FAST 13-22
See also certification
interface configuration 3-5
compatible databases 1-9
in Windows databases 6-25
configuring 10-25
MS-CHAP 13-22
enabling 10-10
overview 1-15
identity protection 10-8
PEAP 13-22
options 10-25
rules 6-20
overview 10-7
passwords
password aging 6-26
See also password aging
phases 10-7
CHAP/MS-CHAP/ARAP 7-6
with Unknown User Policy 10-9
configurations
performance monitoring F-5
caching 1-14
performance specifications 1-2
inbound passwords 1-14
per-group attributes
outbound passwords 1-14
See also groups
separate passwords 1-13
enabling in interface 3-2
single password 1-13
per-user attributes
token caching 1-14
enabling in interface 3-2
token cards 1-13
TACACS+/RADIUS in Interface
expiration 6-22 Configuration 3-4
local management 8-5 PIX ACLs
post-login greeting 6-23 See downloadable IP ACLs

PIX command authorization sets troubleshooting A-13


See command authorization sets Proxy Distribution Table
PIX Firewall troubleshooting A-16 See also proxy
PKI (public key infrastructure) adding entries 4-43
See certification configuring 4-42
port 2002 default entry 4-4, 4-42
in HTTP port ranges 12-13, F-2 deleting entries 4-46
in URLs 1-27 editing entries 4-45
port allocation match order sorting 4-44
See HTTP port allocation overview 4-3, 4-42
ports
See also HTTP port allocation
Q
See also port 2002
RADIUS 1-6 quotas
requirements 2-2 See network access quotas
TACACS+ 1-6 See usage quotas
PPP password aging 6-20
processor utilization F-5
profile components
R
See shared profile components RADIUS
proxy See also RADIUS VSAs (vendor specific
See also Proxy Distribution Table attributes)
character strings attributes
defining 4-6 See also RADIUS VSAs (vendor specific
attributes)
stripping 4-6
in User Setup 7-36
configuring 4-41
AV (attribute value) pairs
in enterprise settings 4-7
See also RADIUS VSAs (vendor specific
overview 4-4 attributes)
sending accounting packets 4-7 Cisco IOS C-2

IETF C-12 in User Setup 7-39


overview C-1 Cisco BBSM (Building Broadband Service
Cisco Aironet 4-14 Manager)
in Group Setup 6-50
IETF
in Group Setup 6-37 in User Setup 7-51
supported attributes C-12
interface configuration 3-16
Cisco IOS/PIX
in User Setup 7-37
in Group Setup 6-38
interface configuration overview 3-11
interface configuration 3-17
password aging 6-25
in User Setup 7-38
ports 1-6
supported attributes C-5
specifications 1-6
Cisco VPN 3000
troubleshooting A-18
in Group Setup 6-42
tunneling packets 4-19
in User Setup 7-43
vs. TACACS+ 1-6
supported attributes C-7
RADIUS Accounting log
Cisco VPN 5000
configuring CSV (comma-separated
values) 11-14, 11-15 in Group Setup 6-44
enabling CSV (comma-separated in User Setup 7-45
values) 11-13
supported attributes C-11
RADIUS user databases custom
configuring 13-61
about 9-27
group mappings 15-2 in Group Setup 6-51
RADIUS-based group specifications 15-13
in User Setup 7-52
RADIUS VSAs (vendor specific attributes) Juniper
Ascend
in Group Setup 6-49
in Group Setup 6-41 in User Setup 7-50
in User Setup 7-41
supported attributes C-43
supported attributes C-30 Microsoft
Cisco Aironet
in Group Setup 6-45
in Group Setup 6-39 in User Setup 7-46

supported attributes C-27 scheduling options 9-32


Nortel starting manually 9-32
in Group Setup 6-47 user-related configuration 9-25
in User Setup 7-48 rejection mode
supported attributes C-42 general 14-4
overview C-1 Windows user databases 14-5
user-defined related documentation xxvii
about 9-27 reliability of network 2-17
action codes for E-19 remote access policies 2-12
replicating 9-27 remote agent logging
RDBMS synchronization configuration 11-22
accountActions file options 11-22
as a transaction queue 9-28 remote agents
overview 9-28 adding 4-32
configuring 9-34 configuring 4-29
CSDBSync 9-28 deleting 4-35
disabling 9-37 editing 4-34
enabling in interface 3-5 options 4-30
FTP configuration 9-31 overview 4-29
FTP setup options 9-31 Remote Agents table 4-2
group-related configuration 9-26 selecting for authentication 13-23
import definitions E-1 remote logging
log centralized 11-18
description 11-12 configuring remote agent logs 11-23
viewing 11-14 disabling 11-22
network configuration 9-26 local configuration 11-19
overview 9-24 options 11-19
partners 9-32 overview 11-17
preparations for 9-29 replication

backups recommended (Caution) 9-10 scheduling 9-20


cascading 9-6, 9-12 scheduling options 9-12
certificates 9-3 selecting data 9-11
client configuration 9-16 user-defined RADIUS vendors 9-9
components vs. backup 9-10
overwriting (Caution) 9-16 Reports and Activity
overwriting (Note) 9-11 See also logging
selecting 9-11 configuring 11-16, 11-17
configuring 9-20 CSV logs 11-12
corrupted backups (Caution) 9-10 in interface 1-26
disabling 9-23 overview 11-4
EAP-FAST 10-20 request handling
frequency 9-7 general 14-4
immediate 9-18 Windows user databases 14-5
implementing primary and secondary requirements
setups 9-15
network 2-2
important considerations 9-8
system installation 2-2
in System Configuration 9-20
resource consumption F-5
interface configuration 3-5
restarting services 8-2
IP pools 9-3, 9-38
restore
logging 9-11
components restored
manual initiation 9-18
configuring 8-15
master AAA servers 9-3
overview 8-15
notifications 9-23
filenames 8-14
options 9-11
in System Configuration 8-13
overview 9-2
overview 8-14
partners
performing 8-15
configuring 9-22
reports 8-15
options 9-12
RFC2138 1-6
process 9-4

RFC2139 1-6 management 8-17


RSA user database group mappings 15-2 monitoring 8-26
overview 1-4, F-1
starting 8-2
S
stopping 8-2
SafeWord user databases session policies
configuring 13-61 configuring 12-17
group mappings 15-2 options 12-16
RADIUS-based group specifications 15-13 overview 12-16
search order of external user databases 14-10 shared profile components
security policies 2-13 See also command authorization sets
security protocols See also network access restrictions
Cisco AAA client devices 1-2 downloadable IP ACLs 5-2
CSRadius F-7 overview 5-1
CSTacacs F-7 shared secret F-7
interface options 3-9 shell command authorization sets
RADIUS 1-6, C-1 See also command authorization sets
TACACS+ in Group Setup 6-31
custom commands 3-9 in User Setup 7-25
overview 1-6 single password configurations 1-13
time-of-day access 3-8 SMTP (simple mail-transfer protocol) F-6
service control in System Configuration 11-27 specifications
Service Monitoring log RADIUS
See Cisco Secure ACS Service Monitoring RFC2138 1-6
log RFC2139 1-6
services system performance 1-2, 1-3
determining status of 8-2 TACACS+ 1-6
logs SSL (secure socket layer) 12-13
configuring 11-27 starting services 8-2
list of logs generated 11-26

static IP addresses 7-9
stopping services 8-2
supplementary user information
  in User Setup 7-5
  setting 7-5
support page 8-24
synchronization
  See RDBMS synchronization
system
  configuration
    advanced 9-1
    authentication 10-1
    basic 8-1
    certificates 10-1
  health F-5
  messages in interface 1-26
  services
    See services
system installation requirements 2-2
system monitoring
  See monitoring

T

TACACS+
  advanced TACACS+ settings
    in Group Setup 6-2
    in User Setup 7-32
  AV (attribute value) pairs
    accounting B-4
    general B-1
  custom commands 3-9
  enable password options for users 7-34
  enable privilege options 7-32
  interface configuration 3-7
  interface options 3-9
  outbound passwords for users 7-36
  ports 1-6
  SENDAUTH 1-14
  settings
    in Group Setup 6-2, 6-29
    in User Setup 7-21, 7-22
  specifications 1-6
  time-of-day access 3-8
  troubleshooting A-18
  vs. RADIUS 1-6
TACACS+ Accounting log
  configuring CSV (comma-separated values) 11-15
  enabling CSV (comma-separated values) 11-13
  viewing 11-14
TACACS+ Administration log
  configuring CSV (comma-separated values) 11-15
  enabling CSV (comma-separated values) 11-13
  viewing 11-14
technical support file 8-24
Telnet


  See also command authorization sets
  password aging 6-20
test login frequency 8-18
thread used F-6
time and date setting 8-22
time-of-day/day-of-week specification enablement 3-4
timeout values on AAA clients 14-8
TLS (transport level security)
  See certification
token caching 1-14, 13-59
token cards
  password configuration 1-13
  settings in Group Setup 6-17
token servers
  ISDN terminal adapters 13-59
  overview 13-58
  supported servers 1-9
  token caching 13-59
topologies
  See network topologies
troubleshooting
  AAA servers A-1
  administration issues A-2
  browser issues A-4
  Cisco IOS issues A-5
  database issues A-6
  debug logs 11-25, A-12
  dial-in issues A-8
  installation issues A-13
  max sessions issues A-14
  PIX Firewall issues A-16
  proxy issues A-13
  RADIUS issues A-18
  report issues A-14
  TACACS+ issues A-18
  third-party server issues A-16
  upgrade issues A-13
  user issues A-17
trust lists
  See certification
trust relationships 13-9

U

unknown service user setting 7-31
unknown user policies
  See also unknown users
  configuring 14-10
  in external user databases 14-10
  overview 14-9
unknown users
  See also unknown user policies
  authentication processing 14-8
  handling methods 14-2
  network access authorization 14-9
update packets
  See watchdog packets
upgrade


  applying 8-35
  distribution server requirements 8-29
  overview 8-28
  process 8-30
  transferring 8-32
  troubleshooting A-13
usage quotas
  in Group Setup 6-13
  in Interface Configuration 3-5
  in User Setup 7-17
  overview 1-18
  resetting
    for groups 6-53
    for single users 7-57
user-changeable passwords
  overview 1-15
  with Windows user databases 13-22
User Data Configuration 3-3
user groups
  See groups
user-level
  See also per-user attributes
  downloadable ACLs interface 3-4
  network access restrictions
    See also network access restrictions
    enabling in interface 3-4
users
  See also User Setup
  adding
    basic steps 7-3
    methods 13-2
  assigning client IP addresses to 7-9
  assigning to a group 7-7
  callback options 7-8
  configuring 7-2
  configuring device management command authorization sets for 7-29
  configuring PIX command authorization sets for 7-28
  configuring shell command authorization sets for 7-25
  customized data fields 3-3
  data configuration
    See User Data Configuration
  deleting 11-10
  deleting accounts 7-56
  disabling accounts 7-4
  finding 7-54
  import methods 13-2
  in multiple databases 14-6
  in multiple domains 14-6
  listing all users 7-54
  number allowed 2-16
  RDBMS synchronization 9-25
  relationship to groups 3-2
  resetting accounts 7-57
  saving settings 7-59
  supplementary information 7-5
  troubleshooting A-17


  types
    discovered 14-3
    known 14-2
    unknown 14-2
  VPDN dialup D-2
User Setup
  account management tasks 7-53
  basic options 7-2
  configuring 7-2
  deleting user accounts 7-56
  saving settings 7-59
Users in Group button 6-53

V

validation of passwords 8-5
Vasco user databases
  group mappings 15-2
  RADIUS-based group specifications 15-13
vendor-specific attributes
  See RADIUS VSAs (vendor specific attributes)
viewing logs and reports
  See logging
VoIP (Voice-over-IP)
  accounting configuration 8-21
  accounting configuration in Interface Configuration 3-6
  Accounting log
    configuring 11-15
    enabling csv log 11-13
    viewing 11-14
  enabling in interface 3-6
  group settings in Interface Configuration 3-6
  in Group Setup 6-4
VPDN
  advantages 2-10
  authentication process D-1
  domain authorization D-2
  home gateways D-3
  IP addresses D-3
  tunnel IDs D-3
  users D-2
VSAs
  See RADIUS VSAs (vendor specific attributes)

W

warning events F-5, F-7
watchdog packets
  configuring on AAA clients 4-19
  configuring on AAA servers 4-26
  logging 11-3
web servers F-2
Windows operating systems
  authentication order 14-6
  dial-up networking 13-10
  dial-up networking clients
    domain field 13-10


    password field 13-10
    username field 13-10
  Domain List effect 14-6
  domains
    domain names 13-10, 14-5
    trusted 13-10
  rejection mode 14-5
  request handling 14-5
  user databases
    configuring 13-29
Windows user databases
  Active Directory 13-23
  Domain list
    inadvertent user lockouts 13-26
  domain mapping 15-8
  domains
    trusted 13-9
  grant dial-in permission to users 13-9, 13-23
  group mappings
    editing 15-8
    no access groups 15-6
    remapping 15-8
  mapping database groups to AAA groups 15-4
  overview 13-6
  password aging 6-25
  passwords 1-10
  trust relationships 13-9
  user-changeable passwords 13-22
  user manager 13-23
wireless network topologies 2-7

Z
