Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
November 2001
Customer Order Number: DOC-7813751=
Text Part Number: 78-13751-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
AccessPath, AtmDirector, Browse with Me, CCIP, CCSI, CD-PAC, CiscoLink, the Cisco Powered Network logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, Cisco Unity, Fast Step, Follow Me Browsing, FormShare, FrameShare, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, MGX, the Networkers logo, ScriptBuilder, ScriptShare, SMARTnet, TransPath, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and Discover All That’s Possible are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, GigaStack, IOS, IP/TV, LightStream, MICA, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0110R)
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
Copyright © 2001, Cisco Systems, Inc.
All rights reserved
iii
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
CONTENTS
Preface xxvii
Document Objectives xxvii
Who Should Read This Guide xxvii
How This Guide is Organized xxviii
Conventions Used in This Guide xxx
Related Documentation xxxi
Obtaining Documentation xxxii
World Wide Web xxxii
Documentation CD-ROM xxxii
Ordering Documentation xxxii
Documentation Feedback xxxiii
Obtaining Technical Assistance xxxiii
Cisco.com xxxiii
Technical Assistance Center xxxiv
Cisco TAC Web Site xxxiv
Cisco TAC Escalation Center xxxv
CHAPTER 1 Overview of Cisco Secure ACS 1-1
The Cisco Secure ACS Paradigm 1-1
Cisco Secure ACS Specifications 1-2
System Performance Specifications 1-3
Cisco Secure ACS Windows Services 1-3
AAA Server Functions and Concepts 1-4
Cisco Secure ACS and the AAA Client 1-5
AAA Protocols—TACACS+ and RADIUS 1-5
TACACS+ 1-6
RADIUS 1-6
Authentication 1-7
Authentication Considerations 1-8
Authentication and User Databases 1-8
Passwords 1-10
Other Authentication-Related Features 1-14
Authorization 1-15
Max Sessions 1-16
Dynamic Usage Quotas 1-16
Other Authorization-Related Features 1-17
Accounting 1-17
Other Accounting-Related Features 1-18
Administration 1-18
HTTP Port Allocation for Remote Administrative Sessions 1-19
Network Device Groups 1-20
Other Administration-Related Features 1-20
Cisco Secure ACS HTML Interface 1-21
About the Cisco Secure ACS HTML Interface 1-21
HTML Interface Layout 1-22
Uniform Resource Locator for the HTML Interface 1-24
Network Environments and Remote Administrative Sessions 1-24
Remote Administrative Sessions and HTTP Proxy 1-24
Remote Administrative Sessions through Firewalls 1-25
Remote Administrative Sessions through a NAT Gateway 1-25
Accessing the HTML Interface 1-26
Logging Off the HTML Interface 1-26
Online Help and Online Documentation 1-27
Using Online Help 1-27
Using the Online Documentation 1-28
CHAPTER 2 Deploying Cisco Secure ACS 2-1
Basic Deployment Requirements for Cisco Secure ACS 2-2
System Requirements 2-2
Hardware Requirements 2-2
Operating System Requirements 2-3
Third-Party Software Requirements 2-3
Network Requirements 2-4
Basic Deployment Factors for Cisco Secure ACS 2-4
Network Topology 2-5
Dial-Up Topology 2-5
Wireless Network 2-8
Remote Access using VPN 2-11
Remote Access Policy 2-13
Security Policy 2-14
Administrative Access Policy 2-14
Separation of Administrative and General Users 2-16
Database 2-17
Number of Users 2-17
Type of Database 2-17
Network Speed and Reliability 2-18
Suggested Deployment Sequence 2-18
CHAPTER 3 Setting Up the Cisco Secure ACS HTML Interface 3-1
Interface Design Concepts 3-2
User-to-Group Relationship 3-2
Per-User or Per-Group Features 3-2
User Data Configuration Options 3-3
Defining New User Data Fields 3-3
Advanced Options 3-4
Setting Advanced Options for the Cisco Secure ACS User Interface 3-6
Protocol Configuration Options for TACACS+ 3-7
Setting Options for TACACS+ 3-9
Protocol Configuration Options for RADIUS 3-10
Setting Protocol Configuration Options for (IETF) RADIUS 3-12
Setting Protocol Configuration Options for RADIUS (Cisco IOS/PIX) 3-14
Setting Protocol Configuration Options for RADIUS (Ascend) 3-14
Setting Protocol Configuration Options for RADIUS (Cisco VPN 3000) 3-15
Setting Protocol Configuration Options for RADIUS (Cisco VPN 5000) 3-16
Setting Protocol Configuration Options for RADIUS (Microsoft) 3-17
Setting Protocol Configuration Options for RADIUS (Nortel) 3-18
Setting Protocol Configuration Options for RADIUS (Juniper) 3-19
Setting Protocol Configuration Options for RADIUS (Cisco BBSM) 3-20
CHAPTER 4 Setting Up and Managing Network Configuration 4-1
About Distributed Systems 4-2
AAA Servers in Distributed Systems 4-3
Default Distributed System Settings 4-3
Proxy in Distributed Systems 4-4
Fallback on Failed Connection 4-5
Character String 4-6
Stripping 4-6
Proxy in an Enterprise 4-6
Remote Use of Accounting Packets 4-7
Other Features Enabled by System Distribution 4-8
AAA Client Configuration 4-8
Adding and Configuring a AAA Client 4-9
Editing an Existing AAA Client 4-12
Deleting a AAA Client 4-14
AAA Server Configuration 4-15
Adding and Configuring a AAA Server 4-16
Editing a AAA Server Configuration 4-18
Deleting a AAA Server 4-20
Network Device Group Configuration 4-20
Adding a Network Device Group 4-21
Assigning an Unassigned AAA Client or AAA Server to an NDG 4-22
Reassigning a AAA Client or AAA Server to an NDG 4-23
Renaming a Network Device Group 4-23
Deleting a Network Device Group 4-24
Proxy Distribution Table Configuration 4-25
About the Proxy Distribution Table 4-25
Adding a New Proxy Distribution Table Entry 4-26
Sorting the Character String Match Order of Distribution Entries 4-28
Editing a Proxy Distribution Table Entry 4-28
Deleting a Proxy Distribution Table Entry 4-29
CHAPTER 5 Setting Up and Managing Shared Profile Components 5-1
Downloadable PIX ACLs 5-2
About Downloadable PIX ACLs 5-2
Downloadable PIX ACL Configuration 5-3
Adding a Downloadable PIX ACL 5-3
Editing a Downloadable PIX ACL 5-4
Deleting a Downloadable PIX ACL 5-5
Network Access Restrictions 5-6
About Network Access Restrictions 5-6
Shared Network Access Restrictions Configuration 5-7
Adding a Shared Network Access Restriction 5-8
Editing a Shared Network Access Restriction 5-10
Deleting a Shared Network Access Restriction 5-12
Command Authorization Sets 5-12
About Command Authorization Sets 5-13
About Pattern Matching 5-14
Command Authorization Sets Configuration 5-14
Adding a Command Authorization Set 5-15
Editing a Command Authorization Set 5-17
Deleting a Command Authorization Set 5-17
CHAPTER 6 Setting Up and Managing User Groups 6-1
User Group Setup Features and Functions 6-2
Default Group 6-2
Group TACACS+ Settings 6-2
Common User Group Settings 6-3
Enabling VoIP Support for a User Group 6-4
Setting Default Time of Day Access for a User Group 6-5
Setting Callback Options for a User Group 6-6
Setting Network Access Restrictions for a User Group 6-7
Setting Max Sessions for a User Group 6-11
Setting Usage Quotas for a User Group 6-13
Configuration-specific User Group Settings 6-15
Setting Token Card Settings for a User Group 6-17
Setting Enable Privilege Options for a User Group 6-18
Enabling Password Aging for the CiscoSecure User Database 6-20
Varieties of Password Aging Supported by Cisco Secure ACS 6-20
Password Aging Feature Settings 6-21
Enabling Password Aging for Users in Windows Databases 6-25
Setting IP Address Assignment Method for a User Group 6-26
Assigning a Downloadable PIX ACL to a Group 6-27
Configuring TACACS+ Settings for a User Group 6-28
Configuring a Shell Command Authorization Set for a User Group 6-30
Configuring a PIX Command Authorization Set for a User Group 6-32
Configuring IETF RADIUS Settings for a User Group 6-34
Configuring Cisco IOS/PIX RADIUS Settings for a User Group 6-36
Configuring Ascend RADIUS Settings for a User Group 6-37
Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a User Group 6-38
Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group 6-39
Configuring Microsoft RADIUS Settings for a User Group 6-41
Configuring Nortel RADIUS Settings for a User Group 6-42
Configuring Juniper RADIUS Settings for a User Group 6-44
Configuring Cisco BBSM RADIUS Settings for a User Group 6-45
Configuring Custom RADIUS VSA Settings for a User Group 6-46
Group Setting Management 6-48
Listing Users in a User Group 6-48
Resetting Usage Quota Counters for a User Group 6-49
Renaming a User Group 6-49
Saving Changes to User Group Settings 6-50
CHAPTER 7 Setting Up and Managing User Accounts 7-1
User Setup Features and Functions 7-2
About User Databases 7-3
Basic User Setup Options 7-4
Adding a Basic User Account 7-5
Setting Supplementary User Information 7-7
Setting a Separate CHAP/MS-CHAP/ARAP Password 7-8
Assigning a User to a Group 7-9
Setting User Callback Option 7-10
Assigning a User to a Client IP Address 7-11
Setting Network Access Restrictions for a User 7-12
Setting Max Sessions Options for a User 7-17
Setting User Usage Quotas Options 7-19
Setting Options for User Account Disablement 7-21
Assigning a PIX ACL to a User 7-22
Advanced User Authentication Settings 7-23
TACACS+ Settings (User) 7-24
Configuring TACACS+ Settings for a User 7-24
Configuring a Shell Command Authorization Set for a User 7-26
Configuring a PIX Command Authorization Set for a User 7-29
Configuring the Unknown Service Setting for a User 7-31
Advanced TACACS+ Settings (User) 7-31
Setting Enable Privilege Options for a User 7-32
Setting TACACS+ Enable Password Options for a User 7-34
Setting TACACS+ Outbound Password for a User 7-35
RADIUS Attributes 7-36
Setting IETF RADIUS Parameters for a User 7-37
Setting Cisco IOS/PIX RADIUS Parameters for a User 7-38
Setting Ascend RADIUS Parameters for a User 7-39
Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User 7-41
Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User 7-42
Setting Microsoft RADIUS Parameters for a User 7-44
Setting Nortel RADIUS Parameters for a User 7-45
Setting Juniper RADIUS Parameters for a User 7-47
Setting BBSM RADIUS Parameters for a User 7-48
Setting Custom RADIUS Attributes for a User 7-49
User Management 7-51
Listing All Users 7-51
Finding a User 7-52
Disabling a User Account 7-53
Deleting a User Account 7-54
Resetting User Session Quota Counters 7-55
Resetting a User Account after Login Failure 7-55
Saving User Settings 7-56
CHAPTER 8 Establishing Cisco Secure ACS System Configuration 8-1
Service Control 8-2
Determining the Status of Cisco Secure ACS Services 8-2
Stopping, Starting, or Restarting Services 8-2
Logging 8-3
Date Format Control 8-3
Setting the Date Format 8-4
Password Validation 8-4
Setting Password Validation Options 8-5
CiscoSecure Database Replication 8-6
About CiscoSecure Database Replication 8-6
Replication Process 8-8
Replication Frequency 8-10
Important Implementation Considerations 8-10
Database Replication Versus Database Backup 8-11
Database Replication Logging 8-12
Replication Options 8-13
Replication Components Options 8-13
Replication Scheduling Options 8-14
Replication Partners Options 8-15
Implementing Primary and Secondary Replication Setups on Cisco Secure ACS Servers 8-16
Configuring a Secondary Cisco Secure ACS Server 8-17
Replicating Immediately 8-18
Scheduling Replication 8-20
Disabling CiscoSecure Database Replication 8-23
Database Replication Event Error Alert Notification 8-23
RDBMS Synchronization 8-24
About RDBMS Synchronization 8-24
RDBMS Synchronization Components 8-25
About CSDBSync 8-25
About the accountActions Table 8-26
Cisco Secure ACS Database Recovery Using the accountActions Table 8-28
Reports and Event (Error) Handling 8-29
Preparing to Use RDBMS Synchronization 8-29
Considerations for Using CSV-Based Synchronization 8-30
Preparing for CSV-Based Synchronization 8-31
Configuring a System Data Source Name for RDBMS Synchronization 8-32
RDBMS Synchronization Options 8-33
RDBMS Setup Options 8-34
Synchronization Scheduling Options 8-34
Synchronization Partners Options 8-35
Performing RDBMS Synchronization Immediately 8-35
Scheduling RDBMS Synchronization 8-37
Disabling Scheduled RDBMS Synchronizations 8-39
Cisco Secure ACS Backup 8-40
About Cisco Secure ACS Backup 8-40
Backup File Locations 8-41
Directory Management 8-41
Components Backed Up 8-41
Reports of Cisco Secure ACS Backups 8-42
Performing a Manual Cisco Secure ACS Backup 8-42
Scheduling Cisco Secure ACS Backups 8-43
Disabling Scheduled Cisco Secure ACS Backups 8-44
Cisco Secure ACS System Restore 8-45
About Cisco Secure ACS System Restore 8-45
Backup File Names and Locations 8-45
Components Restored 8-47
Reports of Cisco Secure ACS Restorations 8-47
Restoring Cisco Secure ACS from a Backup File 8-47
Cisco Secure ACS Active Service Management 8-48
System Monitoring 8-49
System Monitoring Options 8-49
Setting Up System Monitoring 8-50
Event Logging 8-51
Setting Up Event Logging 8-51
IP Pools Server 8-52
Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges 8-53
Refreshing the AAA Server IP Pools Table 8-55
Adding a New IP Pool 8-55
Editing an IP Pool Definition 8-56
Resetting an IP Pool 8-57
Deleting an IP Pool 8-58
IP Pools Address Recovery 8-59
Enabling IP Pool Address Recovery 8-59
VoIP Accounting Configuration 8-60
Configuring VoIP Accounting 8-61
Cisco Secure ACS Certificate Setup 8-61
Background on Certification 8-62
EAP-TLS Setup Overview 8-63
Requirements for Certificate Enrollment 8-63
Generating a Request for a Certificate 8-64
Installing Cisco Secure ACS Certification with Manual Enrollment 8-66
Installing Cisco Secure ACS Certification with Automatic Enrollment 8-68
Performing Cisco Secure ACS Certification Update or Replacement 8-69
Certification Authority Setup 8-70
Trust Requirements and Models 8-71
Editing the Certificate Trust List 8-72
Adding a New CA Certificate to Local Certificate Storage 8-72
Global Authentication Setup 8-73
CHAPTER 9 Working with Logging and Reports 9-1
Logging Formats 9-1
Special Logging Attributes 9-2
Update Packets In Accounting Logs 9-3
About Cisco Secure ACS Logs and Reports 9-4
Accounting Logs 9-4
TACACS+ Accounting Log 9-5
TACACS+ Administration Log 9-6
RADIUS Accounting Log 9-7
VoIP Accounting Log 9-8
Failed Attempts Log 9-9
Passed Authentications Log 9-10
Dynamic Cisco Secure ACS Administration Reports 9-10
Logged-In Users Report 9-11
Disabled Accounts Report 9-14
Cisco Secure ACS System Logs 9-15
ACS Backup and Restore Log 9-15
RDBMS Synchronization Log 9-16
Database Replication Log 9-16
Administration Audit Log 9-17
ACS Service Monitoring Log 9-18
Working with CSV Logs 9-19
CSV Log File Names 9-19
Enabling or Disabling a CSV Log 9-19
Viewing a CSV Report 9-20
Configuring a CSV Log 9-22
Working with ODBC Logs 9-25
Preparing to Use ODBC Logging 9-25
Configuring a System Data Source Name for ODBC Logging 9-26
Configuring an ODBC Log 9-27
Remote Logging 9-29
About Remote Logging 9-30
Remote Logging Options 9-31
Configuring a Central Logging Server 9-31
Enabling and Configuring Remote Logging 9-32
Disabling Remote Logging 9-33
Service Logs 9-34
Services Logged 9-34
Configuring Service Logs 9-35
CHAPTER 10 Setting Up and Managing Administrators and Policy 10-1
Administrator Accounts 10-1
Administrator Privileges 10-2
Adding an Administrator Account 10-6
Editing an Administrator Account 10-7
Deleting an Administrator Account 10-9
Access Policy 10-10
Access Policy Options 10-10
Setting Up Access Policy 10-12
Session Policy 10-13
Session Policy Options 10-13
Setting Up Session Policy 10-14
Audit Policy 10-16
CHAPTER 11 Working with User Databases 11-1
CiscoSecure User Database 11-2
About External User Databases 11-4
Authenticating with External User Databases 11-5
Windows NT/2000 User Database 11-6
The Cisco Secure ACS Authentication Process with Windows NT/2000 User Databases 11-7
Trust Relationships 11-8
Windows Dial-up Networking Clients 11-9
About the Windows NT/2000 Dial-up Networking Client 11-9
About the Windows 95/98/Millennium Edition Dial-up Networking Client 11-10
Windows NT/2000 Authentication 11-10
User-Changeable Passwords with Windows NT/2000 User Databases 11-12
Preparing Users for Authenticating with Windows NT/2000 11-12
Configuring a Windows NT/2000 External User Database 11-13
Generic LDAP 11-14
Cisco Secure ACS Authentication Process with a Generic LDAP User Database 11-15
Multiple LDAP Instances 11-16
LDAP Organizational Units and Groups 11-17
Directed Authentications 11-17
LDAP Failover 11-17
Successful Previous Authentication with the Primary LDAP Server 11-18
Unsuccessful Previous Authentication with the Primary LDAP Server 11-18
Configuring a Generic LDAP External User Database 11-19
Novell NDS Database 11-24
User Contexts 11-25
Novell NDS External User Database Options 11-27
Configuring a Novell NDS External User Database 11-28
ODBC Database 11-30
Cisco Secure ACS Authentication Process with an ODBC External User Database 11-31
Preparing to Authenticate Users with an ODBC-Compliant Relational Database 11-32
Implementation of Stored Procedures for ODBC Authentication 11-33
Type Definitions 11-34
Microsoft SQL Server and Case-Sensitive Passwords 11-34
Sample Routine for Generating a PAP Authentication SQL Procedure 11-35
Sample Routine for Generating an SQL CHAP Authentication Procedure 11-36
PAP Authentication Procedure Input 11-36
PAP Procedure Output 11-37
CHAP/MS-CHAP/ARAP Authentication Procedure Input 11-38
CHAP/MS-CHAP/ARAP Procedure Output 11-38
Result Codes 11-39
Configuring a System Data Source Name for an ODBC External User Database 11-40
Configuring an ODBC External User Database 11-41
LEAP Proxy RADIUS Server Database 11-44
Configuring a LEAP Proxy RADIUS Server External User Database 11-45
Token Server User Databases 11-47
About Token Servers and Cisco Secure ACS 11-48
Token Servers and ISDN 11-48
RADIUS-Enabled Token Servers 11-49
About RADIUS-Enabled Token Servers 11-49
Token Server RADIUS Authentication Request and Response Contents 11-50
Configuring a RADIUS Token Server External User Database 11-50
Token Servers with Vendor-Proprietary Interfaces 11-53
About Token Servers with Proprietary Interfaces 11-53
Configuring a SafeWord Token Server External User Database 11-53
Configuring an AXENT Token Server External User Database 11-55
Configuring an RSA SecurID Token Server External User Database 11-56
Deleting an External User Database Configuration 11-58
CHAPTER 12 Administering External User Databases 12-1
Unknown User Processing 12-1
Known, Unknown, and Cached Users 12-2
General Authentication Request Handling and Rejection Mode 12-3
Authentication Request Handling and Rejection Mode with the Windows NT/2000 User Database 12-4
Windows Authentication with a Domain Specified 12-4
Windows Authentication with Domain Omitted 12-5
Performance of Unknown User Authentication 12-6
Added Latency 12-6
Authentication Timeout Value on AAA clients 12-6
Network Access Authorization 12-7
Unknown User Policy 12-7
Database Search Order 12-8
Configuring the Unknown User Policy 12-8
Turning off External User Database Authentication 12-9
Database Group Mappings 12-10
Group Mapping by External User Database 12-10
Creating a Cisco Secure ACS Group Mapping for a Token Server, ODBC Database, or LEAP Proxy RADIUS Server Database 12-12
Group Mapping by Group Set Membership 12-13
Group Mapping Order 12-13
No Access Group for Group Set Mappings 12-14