User Guide
Page 9
... Enabling Password Aging for Users in Windows Databases 6-25 Setting IP Address Assignment Method for a User Group 6-27 Assigning a Downloadable PIX ACL to a Group 6-28 Configuring TACACS+ Settings for a User Group 6-29 Configuring a Shell Command Authorization Set for a User Group 6-31 Configuring a PIX Command Authorization Set for a User Group 6-33 Configuring Device-Management Command Authorization for a User Group 6-35 Configuring IETF RADIUS Settings for a User Group 6-37 Configuring Cisco IOS/PIX RADIUS Settings for a User Group 6-38 Configuring Cisco Aironet RADIUS Settings for a User...
User Guide
Page 11
...Users 7-54 Finding a User 7-54 Disabling a User Account 7-55 Deleting a User Account 7-56 Resetting User Session Quota Counters 7-57 Resetting a User Account after Login Failure 7-58 Saving User Settings 7-59 Establishing Cisco Secure ACS System Configuration 8-1 Service Control 8-2 Determining the Status of Cisco Secure ACS Services 8-2 Stopping, Starting, or Restarting Services 8-2 Logging 8-3 Date Format Control 8-3 Setting the Date Format 8-4 Local Password Management 8-5 Configuring Local Password Management 8-7 78-14696-01, Version 3.1 User Guide for Cisco Secure ACS for Windows Server...
User Guide
Page 14
... Protocols and Certification 8-69 Digital Certificates 8-69 About the EAP-TLS Protocol 8-70 About the PEAP Protocol 8-72 Installing a Cisco Secure ACS Server Certificate 8-74 Adding a Certificate Authority Certificate 8-76 Editing the Certificate Trust List 8-77 Generating a Certificate Signing Request 8-78 Updating or Replacing a Cisco Secure ACS Certificate 8-80 Global Authentication Setup 8-81 Configuring Authentication Options 8-81 User Guide for Cisco Secure ACS for Windows Server xiv 78-14696-01, Version...
User Guide
Page 50
... either case, Cisco Secure ACS can restrict users to Monday through a public network such as premium customers and users. The information can be for the access server (such as PPP, AppleTalk Remote Access (ARA), Serial Line Internet Protocol (SLIP), or EXEC. You can be used for Windows Server 78-14696-01, Version 3.1 This would make it possible for Virtual Private Dial-Up Networks (VPDNs). One fast-growing service being offered...
User Guide
Page 53
... service (DNIS) (see Setting Network Access Restrictions for a User Group, page 6-7). • IP Pools for IP address assignment of end-user client hosts (see Setting IP Address Assignment Method for a User Group, page 6-27). • Per-user and per-group TACACS+ or RADIUS attributes (see Advanced Options, page 3-4). • Support for Voice over IP (VoIP), including configurable logging of accounting data (see Enabling VoIP Support for a User Group, page 6-4). 78-14696-01, Version 3.1 User Guide for Cisco Secure...
User Guide
Page 78
... multiple fixed sites such as remote offices and central offices, over a public network, such as the Internet. • Remote Access VPNs-Permit secure, encrypted connections between mobile or remote users and their corporate networks, providing workers significant flexibility and efficiency. Basic Deployment Factors for Windows Server 78-14696-01, Version 3.1 therefore, corporations can be viewed as a typical WAN connection and are not usually configured to use AAA to secure the initial connection...
User Guide
Page 82
... command 15 default group tacacs+ none username user password password line con 0 login authentication console 2-16 User Guide for Cisco Secure ACS for the administrative user. Basic Deployment Factors for Cisco Secure ACS Chapter 2 Deploying Cisco Secure ACS Separation of a AAA client configuration under TACACS+, he would use RADIUS for the general remote access user and TACACS+ for Windows Server 78-14696-01, Version 3.1 An issue that device. Because this poses no problem. Using authorization, RADIUS users can have PPP (or other network access protocols) set...
User Guide
Page 95
... use the TACACS+ (Cisco IOS) Edit page to customize the services and protocols that the command syntax is correct. Chapter 3 Setting Up the Cisco Secure ACS HTML Interface Protocol Configuration Options for TACACS+ You can use this check box is selected, an area appears on the User Setup and Group Setup pages that enables you to permit unknown TACACS+ services, such as Cisco Discovery Protocol (CDP). Note This option should be used by default...
User Guide
Page 99
..., Version 3.1 User Guide for Cisco Secure ACS for Windows Server 3-13 When Cisco Secure ACS responds to an authentication request from RADIUS (IETF) for any TACACS+ commands can be entered to enable the specific attributes for tagged attributes on the User Setup and Group Setup pages. The Tags to Display Per Attribute option (located under User Setup and/or Group Setup in which any network device configuration when using RADIUS. Selecting the first attribute listed...
User Guide
Page 124
...: Cisco Secure ACS restarts AAA services and the AAA client is assigned. Tip If the AAA Servers table does not appear, click Interface Configuration, click Advanced Options, and then select the Distributed System Settings check box. 4-20 User Guide for Cisco Secure ACS for configuring AAA servers in the Cisco Secure ACS HTML interface. To delete the AAA client and have not enabled NDGs, click the AAA client hostname in the AAA Clients table...
User Guide
Page 128
... Servers table. • To add a AAA server when you are not identical when authentication is forwarded, the request is to be assigned. Note To enable NDGs, click Interface Configuration, click Advanced Options, and then click Network Device Groups. In the AAA Server Name box, type a name for Windows Server 78-14696-01, Version 3.1 If the keys between the remote AAA server and Cisco Secure ACS. 4-24 User Guide for Cisco Secure ACS for the remote AAA server...
User Guide
Page 197
..., Version 3.1 User Guide for Cisco Secure ACS for Windows Server 6-37 Result: The Group Setup Select page opens. From the Jump To list at its top. To configure the vendor-specific attributes (VSAs) for any of these steps: Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 In the navigation bar, click Group Setup. RADIUS attributes are true: • A AAA client has been configured to use one of the RADIUS protocols in Network Configuration...
User Guide
Page 364
... configured using an ODBC format. User Guide for Cisco Secure ACS for VoIP in this separate VoIP accounting log, in the RADIUS Accounting log, or in both places. About Cisco Secure ACS Logs and Reports Chapter 9 Working with Logging and Reports Table 9-1 Accounting Log Descriptions (continued) Log RADIUS Accounting VoIP Accounting Failed Attempts Passed Authentications Description Contains the following information: • VoIP session stop and start times • AAA client...
User Guide
Page 369
...Monitoring log, see Configuring Local Password Management, page 8-7. For information about configuring the User Password Changes log, see Cisco Secure ACS Active Service Management, page 8-55. 78-14696-01, Version 3.1 User Guide for Cisco Secure ACS for troubleshooting or audits. It does not list password changes made by each system log, including which password change mechanism was used to change the password. This log cannot be configured. Chapter 9 Working with Logging and Reports About Cisco Secure ACS Logs and Reports Cisco Secure ACS System Logs System logs are...
User Guide
Page 383
... about configuring CSV logs, see Working with CSV Logs, page 9-13. Add to the AAA Servers table each Cisco Secure ACS that the central logging server is to all Cisco Secure ACSes in the Selected Log Services list. 78-14696-01, Version 3.1 User Guide for Cisco Secure ACS for that Cisco Secure ACS in Network Configuration. For more information, see AAA Server Configuration, page 4-20. Step 3 Step 4 For each additional server. Enable remote logging. Remote Logging Options Cisco Secure ACS provides the remote logging options listed below. Chapter 9 Working...
User Guide
Page 386
..., Version 3.1 Result: Cisco Secure ACS no longer sends its accounting information to remote logging servers. Click Submit. Select the Do not log Remotely option. For example, RADIUS service logs are created even if you are using the RADIUS protocol in your network. 9-28 User Guide for Cisco Secure ACS for general use by Cisco Secure ACS administrators; Disabling Remote Logging By disabling the Remote Logging feature, you specified. Service Logs Service logs are considered diagnostic logs and are not using the service. Service Logs Chapter 9 Working with Logging and...
User Guide
Page 442
... Cisco Secure ACS. Cisco Secure ACS supports group mapping for Windows Server 78-14696-01, Version 3.1 For more information, refer to authenticate users defined in your Novell and Microsoft documentation. 11-34 User Guide for Cisco Secure ACS for unknown users by interpreting authentication responses received from Novell NDS user databases. Cisco Secure ACS does not enforce address restrictions. For more information about group mapping for each user. To use NDS authentication, you should configure a Cisco Secure...
Getting Started Guide
Page 9
... screws for mounting the controller on a desk, shelf, or wall. • Two wall anchors. • Strain relief clip and screw. • Optional hardware will need the following items: • One Cisco 2504 Wireless Controller. • One Power supply and power cord (power cord option configurable). • Cisco 2504 Wireless Controller software pre-loaded on CLI console (PC, laptop, or palmtop) - Network, operating system service network, and access point cables as required • Command-line interface (CLI) console - VT-100...
Getting Started Guide
Page 10
... contain up to clients and the management interface. • A virtual gateway IP address (a fictitious, unassigned IP address, such as 1.1.1.1, used by all Cisco wireless controller Layer 3 security and mobility managers). • A Cisco wireless controller mobility or RF group name, such as the Cisco WCS because Cisco WCS and third-party TFTP servers use the same communication port. An SSID can contain up to 32 printable, case-sensitive ASCII characters. • DHCP bridging • Whether or...
User Guide
Page 66
... probably want to use to configure the router. 4-12 Router Installation and Configuration Guide You will see the user EXEC prompt (Router>). Take the following steps to configure the router manually: Step 1 Connect a console terminal following tasks: (a) Assign a host name for the router using the hostname command. (b) Enter an enable secret password using the enable password command. (c) Assign addresses to the interfaces using the protocol address command. (d) Specify which protocols to enter privileged EXEC mode.