Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
User Guide for Cisco Secure ACS for
Windows Server
Version 3.3
May 2004
Customer Order Number: DOC-7816592=
Text Part Number: 78-16592-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT
NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT
ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR
THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION
PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO
LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as
part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE
PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR
IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR
INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
User Guide for Cisco Secure ACS for Windows Server
Copyright © 2004 Cisco Systems, Inc. All rights reserved.
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of
Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST,
BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press,
Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast,
EtherSwitch, Fast Step, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard,
LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing,
ProConnect, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, SwitchProbe, TeleRouter, The Fastest Way to Increase Your
Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other
countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (0403R)
iii
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
CONTENTS
Preface xxix
Audience xxix
Organization xxix
Conventions xxxi
Product Documentation xxxii
Related Documentation xxxiii
Obtaining Documentation xxxv
Cisco.com xxxvi
Ordering Documentation xxxvi
Documentation Feedback xxxvi
Obtaining Technical Assistance xxxvii
Cisco Technical Support Website xxxvii
Submitting a Service Request xxxvii
Definitions of Service Request Severity xxxviii
Obtaining Additional Publications and Information xxxix
CHAPTER
1 Overview 1-1
The Cisco Secure ACS Paradigm 1-2
Cisco Secure ACS Specifications 1-3
System Performance Specifications 1-3
Cisco Secure ACS Windows Services 1-4
AAA Server Functions and Concepts 1-5
Cisco Secure ACS and the AAA Client 1-6
AAA Protocols—TACACS+ and RADIUS 1-6
TACACS+ 1-7
RADIUS 1-7
Authentication 1-8
Authentication Considerations 1-9
Authentication and User Databases 1-10
Authentication Protocol-Database Compatibility 1-10
Passwords 1-11
Other Authentication-Related Features 1-16
Authorization 1-17
Max Sessions 1-18
Dynamic Usage Quotas 1-18
Shared Profile Components 1-19
Support for Cisco Device-Management Applications 1-19
Other Authorization-Related Features 1-21
Accounting 1-22
Other Accounting-Related Features 1-22
Administration 1-23
HTTP Port Allocation for Administrative Sessions 1-23
Network Device Groups 1-24
Other Administration-Related Features 1-24
Posture Validation 1-25
Cisco Secure ACS HTML Interface 1-25
About the Cisco Secure ACS HTML Interface 1-26
HTML Interface Security 1-26
HTML Interface Layout 1-27
Uniform Resource Locator for the HTML Interface 1-29
Network Environments and Administrative Sessions 1-30
Administrative Sessions and HTTP Proxy 1-30
Administrative Sessions through Firewalls 1-31
Administrative Sessions through a NAT Gateway 1-31
Accessing the HTML Interface 1-32
Logging Off the HTML Interface 1-33
Online Help and Online Documentation 1-33
Using Online Help 1-34
Using the Online Documentation 1-34
CHAPTER
2 Deployment Considerations 2-1
Basic Deployment Requirements for Cisco Secure ACS 2-2
System Requirements 2-2
Hardware Requirements 2-2
Operating System Requirements 2-2
Third-Party Software Requirements 2-3
Network and Port Requirements 2-4
Basic Deployment Factors for Cisco Secure ACS 2-6
Network Topology 2-6
Dial-Up Topology 2-6
Wireless Network 2-9
Remote Access using VPN 2-12
Remote Access Policy 2-14
Security Policy 2-15
Administrative Access Policy 2-15
Separation of Administrative and General Users 2-17
Database 2-18
Number of Users 2-18
Type of Database 2-18
Network Latency and Reliability 2-19
Suggested Deployment Sequence 2-19
CHAPTER
3 Interface Configuration 3-1
Interface Design Concepts 3-2
User-to-Group Relationship 3-2
Per-User or Per-Group Features 3-2
User Data Configuration Options 3-3
Defining New User Data Fields 3-3
Advanced Options 3-4
Setting Advanced Options for the Cisco Secure ACS User Interface 3-6
Protocol Configuration Options for TACACS+ 3-7
Setting Options for TACACS+ 3-9
Protocol Configuration Options for RADIUS 3-11
Setting Protocol Configuration Options for IETF RADIUS Attributes 3-16
Setting Protocol Configuration Options for Non-IETF RADIUS Attributes 3-17
CHAPTER
4 Network Configuration 4-1
About Network Configuration 4-1
About Distributed Systems 4-2
AAA Servers in Distributed Systems 4-3
Default Distributed System Settings 4-3
Proxy in Distributed Systems 4-4
Fallback on Failed Connection 4-5
Character String 4-6
Stripping 4-6
Proxy in an Enterprise 4-6
Remote Use of Accounting Packets 4-7
Other Features Enabled by System Distribution 4-8
Network Device Searches 4-8
Network Device Search Criteria 4-8
Searching for Network Devices 4-9
AAA Client Configuration 4-11
AAA Client Configuration Options 4-11
Adding a AAA Client 4-16
Editing a AAA Client 4-19
Deleting a AAA Client 4-21
AAA Server Configuration 4-21
AAA Server Configuration Options 4-22
Adding a AAA Server 4-24
Editing a AAA Server 4-26
Deleting a AAA Server 4-28
Network Device Group Configuration 4-28
Adding a Network Device Group 4-29
Assigning an Unassigned AAA Client or AAA Server to an NDG 4-30
Reassigning a AAA Client or AAA Server to an NDG 4-31
Renaming a Network Device Group 4-32
Deleting a Network Device Group 4-32
Proxy Distribution Table Configuration 4-34
About the Proxy Distribution Table 4-34
Adding a New Proxy Distribution Table Entry 4-35
Sorting the Character String Match Order of Distribution Entries 4-36
Editing a Proxy Distribution Table Entry 4-37
Deleting a Proxy Distribution Table Entry 4-38
CHAPTER
5 Shared Profile Components 5-1
About Shared Profile Components 5-1
Network Access Filters 5-2
About Network Access Filters 5-2
Adding a Network Access Filter 5-3
Editing a Network Access Filter 5-5
Deleting a Network Access Filter 5-7
Downloadable IP ACLs 5-7
About Downloadable IP ACLs 5-8
Adding a Downloadable IP ACL 5-10
Editing a Downloadable IP ACL 5-13
Deleting a Downloadable IP ACL 5-14
Network Access Restrictions 5-14
About Network Access Restrictions 5-15
About IP-based NAR Filters 5-17
About Non-IP-based NAR Filters 5-18
Adding a Shared Network Access Restriction 5-19
Editing a Shared Network Access Restriction 5-23
Deleting a Shared Network Access Restriction 5-24
Command Authorization Sets 5-25
About Command Authorization Sets 5-26
Command Authorization Sets Description 5-26
Command Authorization Sets Assignment 5-28
Case Sensitivity and Command Authorization 5-29
Arguments and Command Authorization 5-29
About Pattern Matching 5-30
Adding a Command Authorization Set 5-31
Editing a Command Authorization Set 5-33
Deleting a Command Authorization Set 5-35
CHAPTER
6 User Group Management 6-1
About User Group Setup Features and Functions 6-2
Default Group 6-2
Group TACACS+ Settings 6-2
Basic User Group Settings 6-3
Group Disablement 6-4
Enabling VoIP Support for a User Group 6-4
Setting Default Time-of-Day Access for a User Group 6-5
Setting Callback Options for a User Group 6-7
Setting Network Access Restrictions for a User Group 6-8
Setting Max Sessions for a User Group 6-12
Setting Usage Quotas for a User Group 6-14
Configuration-specific User Group Settings 6-16
Setting Token Card Settings for a User Group 6-18
Setting Enable Privilege Options for a User Group 6-19
Enabling Password Aging for the CiscoSecure User Database 6-21
Enabling Password Aging for Users in Windows Databases 6-26
Setting IP Address Assignment Method for a User Group 6-28
Assigning a Downloadable IP ACL to a Group 6-30
Configuring TACACS+ Settings for a User Group 6-31
Configuring a Shell Command Authorization Set for a User Group 6-33
Configuring a PIX Command Authorization Set for a User Group 6-35
Configuring Device-Management Command Authorization for a User Group 6-37
Configuring IETF RADIUS Settings for a User Group 6-38
Configuring Cisco IOS/PIX RADIUS Settings for a User Group 6-40
Configuring Cisco Aironet RADIUS Settings for a User Group 6-41
Configuring Ascend RADIUS Settings for a User Group 6-43
Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a User Group 6-44
Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group 6-46
Configuring Microsoft RADIUS Settings for a User Group 6-47
Configuring Nortel RADIUS Settings for a User Group 6-49
Configuring Juniper RADIUS Settings for a User Group 6-50
Configuring BBSM RADIUS Settings for a User Group 6-51
Configuring Custom RADIUS VSA Settings for a User Group 6-53
Group Setting Management 6-54
Listing Users in a User Group 6-54
Resetting Usage Quota Counters for a User Group 6-55
Renaming a User Group 6-55
Saving Changes to User Group Settings 6-56
CHAPTER
7 User Management 7-1
About User Setup Features and Functions 7-1
About User Databases 7-2
Basic User Setup Options 7-3
Adding a Basic User Account 7-4
Setting Supplementary User Information 7-6
Setting a Separate CHAP/MS-CHAP/ARAP Password 7-7
Assigning a User to a Group 7-8
Setting User Callback Option 7-9
Assigning a User to a Client IP Address 7-10
Setting Network Access Restrictions for a User 7-11
Setting Max Sessions Options for a User 7-16
Setting User Usage Quotas Options 7-18
Setting Options for User Account Disablement 7-20
Assigning a Downloadable IP ACL to a User 7-21
Advanced User Authentication Settings 7-22
TACACS+ Settings (User) 7-23
Configuring TACACS+ Settings for a User 7-24
Configuring a Shell Command Authorization Set for a User 7-26
Configuring a PIX Command Authorization Set for a User 7-29
Configuring Device-Management Command Authorization for a User 7-30
Configuring the Unknown Service Setting for a User 7-32
Advanced TACACS+ Settings (User) 7-33
Setting Enable Privilege Options for a User 7-33
Setting TACACS+ Enable Password Options for a User 7-35
Setting TACACS+ Outbound Password for a User 7-37
RADIUS Attributes 7-37
Setting IETF RADIUS Parameters for a User 7-38
Setting Cisco IOS/PIX RADIUS Parameters for a User 7-39
Setting Cisco Aironet RADIUS Parameters for a User 7-41
Setting Ascend RADIUS Parameters for a User 7-43
Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User 7-44
Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User 7-46
Setting Microsoft RADIUS Parameters for a User 7-47
Setting Nortel RADIUS Parameters for a User 7-49
Setting Juniper RADIUS Parameters for a User 7-51
Setting BBSM RADIUS Parameters for a User 7-52
Setting Custom RADIUS Attributes for a User 7-53
User Management 7-54
Listing All Users 7-55
Finding a User 7-55
Disabling a User Account 7-56
Deleting a User Account 7-57
Resetting User Session Quota Counters 7-58
Resetting a User Account after Login Failure 7-59
Saving User Settings 7-60
CHAPTER
8 System Configuration: Basic 8-1
Service Control 8-1
Determining the Status of Cisco Secure ACS Services 8-2
Stopping, Starting, or Restarting Services 8-2
Logging 8-3
Date Format Control 8-3
Setting the Date Format 8-4
Local Password Management 8-5
Configuring Local Password Management 8-7
Cisco Secure ACS Backup 8-9
About Cisco Secure ACS Backup 8-9
Backup File Locations 8-10
Directory Management 8-10
Components Backed Up 8-10
Reports of Cisco Secure ACS Backups 8-11
Backup Options 8-11
Performing a Manual Cisco Secure ACS Backup 8-12
Scheduling Cisco Secure ACS Backups 8-12
Disabling Scheduled Cisco Secure ACS Backups 8-13
Cisco Secure ACS System Restore 8-14
About Cisco Secure ACS System Restore 8-14
Backup Filenames and Locations 8-15
Components Restored 8-16
Reports of Cisco Secure ACS Restorations 8-16
Restoring Cisco Secure ACS from a Backup File 8-16
Cisco Secure ACS Active Service Management 8-17
System Monitoring 8-18
System Monitoring Options 8-18
Setting Up System Monitoring 8-19
Event Logging 8-20
Setting Up Event Logging 8-20
VoIP Accounting Configuration 8-21
Configuring VoIP Accounting 8-21
CHAPTER
9 System Configuration: Advanced 9-1
CiscoSecure Database Replication 9-1
About CiscoSecure Database Replication 9-2
Replication Process 9-4
Replication Frequency 9-7
Important Implementation Considerations 9-7
Database Replication Versus Database Backup 9-10
Database Replication Logging 9-10
Replication Options 9-11
Replication Components Options 9-11
Outbound Replication Options 9-12
Inbound Replication Options 9-15
Implementing Primary and Secondary Replication Setups on Cisco Secure ACSes 9-15
Configuring a Secondary Cisco Secure ACS 9-17
Replicating Immediately 9-19
Scheduling Replication 9-21
Disabling CiscoSecure Database Replication 9-24
Database Replication Event Errors 9-25
RDBMS Synchronization 9-25
About RDBMS Synchronization 9-26
Users 9-27
User Groups 9-27
Network Configuration 9-28
Custom RADIUS Vendors and VSAs 9-28
RDBMS Synchronization Components 9-29
About CSDBSync 9-29
About the accountActions Table 9-31
Cisco Secure ACS Database Recovery Using the accountActions Table 9-32
Reports and Event (Error) Handling 9-33
Preparing to Use RDBMS Synchronization 9-33
Considerations for Using CSV-Based Synchronization 9-35
Preparing for CSV-Based Synchronization 9-36
Configuring a System Data Source Name for RDBMS Synchronization 9-37
RDBMS Synchronization Options 9-38
RDBMS Setup Options 9-38
Synchronization Scheduling Options 9-39
Synchronization Partners Options 9-39
Performing RDBMS Synchronization Immediately 9-40
Scheduling RDBMS Synchronization 9-41
Disabling Scheduled RDBMS Synchronizations 9-43
IP Pools Server 9-44
About IP Pools Server 9-44
Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges 9-45
Refreshing the AAA Server IP Pools Table 9-47
Adding a New IP Pool 9-47
Editing an IP Pool Definition 9-48
Resetting an IP Pool 9-49
Deleting an IP Pool 9-50
IP Pools Address Recovery 9-51
Enabling IP Pool Address Recovery 9-51
CHAPTER
10 System Configuration: Authentication and Certificates 10-1
About Certification and EAP Protocols 10-1
Digital Certificates 10-2
EAP-TLS Authentication 10-2
About the EAP-TLS Protocol 10-3
EAP-TLS and Cisco Secure ACS 10-4
EAP-TLS Limitations 10-6
Enabling EAP-TLS Authentication 10-7
PEAP Authentication 10-8
About the PEAP Protocol 10-8
PEAP and Cisco Secure ACS 10-9
PEAP and the Unknown User Policy 10-11
Enabling PEAP Authentication 10-12
EAP-FAST Authentication 10-13
About EAP-FAST 10-13
About Master Keys 10-15
About PACs 10-17
Master Key and PAC TTLs 10-21
Replication and EAP-FAST 10-22
Enabling EAP-FAST 10-25
Global Authentication Setup 10-26
Authentication Configuration Options 10-27
Configuring Authentication Options 10-33
Cisco Secure ACS Certificate Setup 10-34
Installing a Cisco Secure ACS Server Certificate 10-35
Adding a Certificate Authority Certificate 10-37
Editing the Certificate Trust List 10-38
Managing Certificate Revocation Lists 10-40
About Certificate Revocation Lists 10-40
Certificate Revocation List Configuration Options 10-41
Adding a Certificate Revocation List Issuer 10-42
Editing a Certificate Revocation List Issuer 10-44
Deleting a Certificate Revocation List Issuer 10-44
Generating a Certificate Signing Request 10-45
Using Self-Signed Certificates 10-47
About Self-Signed Certificates 10-47
Self-Signed Certificate Configuration Options 10-48
Generating a Self-Signed Certificate 10-49
Updating or Replacing a Cisco Secure ACS Certificate 10-50
CHAPTER
11 Logs and Reports 11-1
Logging Formats 11-2
Special Logging Attributes 11-2
NAC Attributes in Logs 11-4
Update Packets in Accounting Logs 11-5
About Cisco Secure ACS Logs and Reports 11-6
Accounting Logs 11-6
Dynamic Administration Reports 11-9
Viewing the Logged-in Users Report 11-10
Deleting Logged-in Users 11-11
Viewing the Disabled Accounts Report 11-12
Cisco Secure ACS System Logs 11-13
Configuring the Administration Audit Log 11-14
Working with CSV Logs 11-15
CSV Log File Names 11-15
CSV Log File Locations 11-16
Enabling or Disabling a CSV Log 11-17
Viewing a CSV Report 11-18
Configuring a CSV Log 11-19
Working with ODBC Logs 11-21
Preparing for ODBC Logging 11-22
Configuring a System Data Source Name for ODBC Logging 11-22
Configuring an ODBC Log 11-23
Remote Logging 11-26
About Remote Logging 11-26
Implementing Centralized Remote Logging 11-27
Remote Logging Options 11-28
Enabling and Configuring Remote Logging 11-29
Disabling Remote Logging 11-31
Service Logs 11-31
Services Logged 11-32
Configuring Service Logs 11-33
CHAPTER
12 Administrators and Administrative Policy 12-1
Administrator Accounts 12-1
About Administrator Accounts 12-2
Administrator Privileges 12-3
Adding an Administrator Account 12-6
Editing an Administrator Account 12-7
Unlocking a Locked Out Administrator Account 12-10
Deleting an Administrator Account 12-11
Access Policy 12-11
Access Policy Options 12-12
Setting Up Access Policy 12-14
Session Policy 12-16
Session Policy Options 12-16
Setting Up Session Policy 12-17
Audit Policy 12-18
CHAPTER
13 User Databases 13-1
CiscoSecure User Database 13-2
About the CiscoSecure User Database 13-2
User Import and Creation 13-3
About External User Databases 13-4
Authenticating with External User Databases 13-5
External User Database Authentication Process 13-6
Windows User Database 13-7
What’s Supported with Windows User Databases 13-8
Authentication with Windows User Databases 13-9
Trust Relationships 13-9
Windows Dial-up Networking Clients 13-10
Windows Dial-up Networking Clients with a Domain Field 13-10
Windows Dial-up Networking Clients without a Domain Field 13-11
Usernames and Windows Authentication 13-11
Username Formats and Windows Authentication 13-11
Non-domain-qualified Usernames 13-13
Domain-Qualified Usernames 13-14
UPN Usernames 13-14
EAP and Windows Authentication 13-15
EAP-TLS Domain Stripping 13-16
Machine Authentication 13-16
Machine Access Restrictions 13-19
Microsoft Windows and Machine Authentication 13-20
Enabling Machine Authentication 13-22
User-Changeable Passwords with Windows User Databases 13-25
Preparing Users for Authenticating with Windows 13-26
Windows User Database Configuration Options 13-26
Configuring a Windows External User Database 13-30
Generic LDAP 13-32
Cisco Secure ACS Authentication Process with a Generic LDAP User Database 13-33
Multiple LDAP Instances 13-33
LDAP Organizational Units and Groups 13-34
Domain Filtering 13-34
LDAP Failover 13-36
Successful Previous Authentication with the Primary LDAP Server 13-36
Unsuccessful Previous Authentication with the Primary LDAP Server 13-37
LDAP Configuration Options 13-37
Configuring a Generic LDAP External User Database 13-43
Novell NDS Database 13-49
About Novell NDS User Databases 13-50
User Contexts 13-51
Novell NDS External User Database Options 13-52
Configuring a Novell NDS External User Database 13-53
ODBC Database 13-55
What is Supported with ODBC User Databases 13-57
Cisco Secure ACS Authentication Process with an ODBC External User Database 13-58
Preparing to Authenticate Users with an ODBC-Compliant Relational Database 13-59
Implementation of Stored Procedures for ODBC Authentication 13-60
Type Definitions 13-61
Microsoft SQL Server and Case-Sensitive Passwords 13-61
Sample Routine for Generating a PAP Authentication SQL Procedure 13-62
Sample Routine for Generating an SQL CHAP Authentication Procedure 13-63
Sample Routine for Generating an EAP-TLS Authentication Procedure 13-64
PAP Authentication Procedure Input 13-64
PAP Procedure Output 13-65
CHAP/MS-CHAP/ARAP Authentication Procedure Input 13-66
CHAP/MS-CHAP/ARAP Procedure Output 13-66
EAP-TLS Authentication Procedure Input 13-67
EAP-TLS Procedure Output 13-68
Result Codes 13-69
Configuring a System Data Source Name for an ODBC External User Database 13-70
Configuring an ODBC External User Database 13-71
LEAP Proxy RADIUS Server Database 13-75
Configuring a LEAP Proxy RADIUS Server External User Database 13-76
Token Server User Databases 13-78
About Token Servers and Cisco Secure ACS 13-78
Token Servers and ISDN 13-79
RADIUS-Enabled Token Servers 13-79
About RADIUS-Enabled Token Servers 13-80
Token Server RADIUS Authentication Request and Response Contents 13-80
Configuring a RADIUS Token Server External User Database 13-81
RSA SecurID Token Servers 13-84
Configuring an RSA SecurID Token Server External User Database 13-85
Deleting an External User Database Configuration 13-86
CHAPTER
14 Network Admission Control 14-1
About Network Admission Control 14-1
NAC AAA Components 14-2
Posture Validation 14-3
Posture Tokens 14-4
Non-Responsive NAC-Client Computers 14-5
Implementing Network Admission Control 14-5