Installing the CiscoSecure ACS Software

This chapter contains instructions on installing the CiscoSecure Access Control Server (ACS) software and setting up an initial configuration an user account to test authentication. The topics covered in this chapter include:

• Overview of Installation and Initial Configuration

• Installing the CiscoSecure ACS Software

• Setting Up and Supporting a Test User Profile with TACACS+ Attributes

• Setting Up and Supporting a Test User Profile with RADIUS Attributes

• Testing the User Login and Authorization

After completing and verifying installation and initial configuration of your CiscoSecure ACS software in this chapter, you can expand and customize your access control system following directions in the chapters "Managing User Authentication and Authorization" and "Applying TACACS+ and RADIUS Attributes."

---

Note See the instructions in the chapter "Preparing to Install the CiscoSecure ACS Software" for important steps you need to take before you begin installing the CiscoSecure ACS software. Be sure you have filled in the information in Table 2-1.

---

Overview of Installation and Initial Configuration

To achieve the fastest installation and configuration of the CiscsoSecure ACS, Cisco recommends the following steps:

1. Install the CiscoSecure ACS software on a SPARCstation using the CiscoSecure installation program and the pre-installation information you filled out in Table 2-1.
   
   
2. Run the web-based CiscoSecure Administrator to set up an initial user profile. This task varies according to whether you specified TACACS+ protocol support, RADIUS protocol support, or combined TACACS+ and RADIUS protocol support during installation.
   
   
3. Log in to the network access server (NAS) that you want the CiscoSecure ACS to manage and input the relevant NAS configuration commands. The NAS configuration commands will vary according to whether you specified TACACS+ protocol support, RADIUS protocol support, or combined TACACS+ and RADIUS protocol support during installation.
   
   
4. Log in to one of the supported NASes under the initial user profile to test network operation.
   

After installing and verifying your initial configuration, you can expand and customize your access control system following directions in the chapters "Managing User Authentication and Authorization" and "Applying TACACS+ and RADIUS Attributes."

Installing the CiscoSecure ACS Software

Take the following steps to run the CiscoSecure ACS installer:

Step 1 At the SPARCstation where you want to install the CiscoSecure ACS, log in as root.

---

Note You must be logged-in as root user to perform the installation.

---

Step 2 At the SPARCstation where you are installing the CiscoSecure ACS, start the installation program by doing one of the following:

• If you are installing the CiscoSecure ACS through an attached CD-ROM drive, insert the CD-ROM labeled CiscoSecure ACS and enter:

pkgadd -d /cdrom/csu212

• If you have previously downloaded the CiscoSecure ACS from our website and followed the directions to uncompress and translate the software to the /tmp directory, enter:

pkgadd -d /tmp CSCEacs

After a few moments, the installer displays the first of a series of installation prompts.

Is this a completely new install Y/N (Default yes, q to quit)?

Using the pre-installation information that you recorded in Table 2-1 "Installation Information," answer the following prompts:

Table 3-1: Installation Prompts

Installation Prompt	Action
Is this a complete new install (Y/N)?	If you are installing the CiscoSecure ACS for the first time, enter Y for Yes. If you have installed a previous version of the CiscoSecure ACS (2.x) and want to use the same database information, enter N for No.
Enter the directory name to install CiscoSecure into.	Enter the directory where you want the CiscoSecure ACS files to be installed. Make sure the partition contains sufficient disk space (500 MB for the first 10,000 users and 256 KB for each additional 1000 users).
Choose a network protocol to support: 1. TACACS+ only 2. RADIUS only 3. Both	Specify the protocol or protocols to be used between the NAS and the ACS for carrying out AAA operations.
Enter the AAA Server License Key.	Enter the key code that you received after you filled out the "CiscoSecure Fax Back Form." Otherwise, press Enter to skip. See "Obtaining a Software License Key" in the chapter "Preparing to Install the CiscoSecure ACS Software" for details.
(If TACACS+ or Both) Enter the TACACS+ NAS name you will be using.	If you specified TACACS+ or Both as the network protocol, If you want one specific NAS to use CiscoSecure access control services through TACACS+, enter the host name of that NAS. If you want any NAS with a specified TACACS+ secret key to use CiscoSecure access control services, press Enter to leave this prompt blank.
(If TACACS+ or Both) Enter the TACACS+ NAS secret key.	If you specified TACACS+ or Both as the network protocol, enter a secret key. Note this key. You will need to specify this key when configuring NASes to use the CiscoSecure ACS.
Select token card(s) or none: 1. CryptoCard 2. Secure Computing 3. Security Dynamics, Inc.	If supporting token cards, enter the number (1, 2, or 3) or numbers for the type of token cards you support. If entering numbers for more than one type of card, insert a space before each number. Otherwise, press Enter for the default value of None. Note: Selecting Security Dynamics Inc. requires that the SDI client software be properly installed before the ACS is started.
If Secure Computing, IP Address of the Secure Computing Server.	If supporting Secure Computing token cards, enter the IP address of the Safe Word server.
Choose a Database: 1. Sybase SQLAnywhere 2, Oracle Enterprise 3. Sybase Enterprise	Enter 1, 2, or 3 to indicate the database type to use for the CiscoSecure database. SQLAnywhere is the default choice and is supplied with CiscoSecure. Oracle Enterprise support or Sybase Enterprise support require that those products already be installed and accessible on your network.
If SQLAnywhere, the directory of where you want the database files to be created.	If you selected SQLAnywhere database support, enter the directory path where you want the SQLAnywhere database files to be stored.
If Sybase or Oracle, the username and password to the DB account that has been assigned table space for the CiscoSecure data.	If you selected Sybase Enterprise or Oracle Enterprise database support, enter the username and password needed to access the database account that will hold the CiscoSecure ACS data.
If Oracle, the path to the $ORACLE_HOME directory, where Oracle is installed.	If you selected Oracle Enterprise database support, enter the path to where Oracle 7.3.2 is installed. If the Oracle database is on another machine, you require Oracle SQL*Net installed on the ACS.
If Oracle, the TNS Service name of the Oracle Server.	If you selected Oracle Enterprise database support, enter the TNS service name.
If Sybase, the name of the Sybase SQL Server.	If you selected Sybase Enterprise database support, enter the Sybase SQL server name.
If Sybase, the name of the database to use for CiscoSecure.	If you selected Sybase Enterprise database support, enter the name of the database assigned to CiscoSecure.
If Sybase, the path to the $SYBASE directory, where Sybase is installed.	If you selected Sybase Enterprise database support, enter the path to the directory where Sybase Enterprise is installed.
If not a New Install, Do you want to drop and re-init existing Database Tables (Y/N)?	If this is not a new installation of CiscoSecure, enter Y or N to indicate whether you want to remove any existing database and initialize a new one.
Enter the IP addresses of the CiscoSecure DB server, like these examples: 1.171.68.188.242 2.10.3.1.0	The default value is the primary IP address of the server on which you are installing the CiscoSecure ACS. For single server installation, use the default; otherwise enter the address of the first ACS.
Enter an available TCP/IP port to be reserved for the CiscoSecure database server process.	This is the TCP/IP port reserved for running the ACS database process. The default port is 9900. Unless you know that port 9900 is used by another process, you should accept the default.
Enter a unique name for the CiscoSecure DB server process.	This names the CiscoSecure ACS process. To accept the default value of CSdbServer, press Enter. Otherwise, specify a unique string.
Do you want to modify any selections below? Modify any values [y,n,q]:	The installation program displays a summary of your settings and asks you to confirm them. To accept the displayed settings, enter N. To modify the displayed settings, enter Y.

If you enter n for the last prompt, the installation process begins and output similar to the following displays:

Using </usr/ciscosecure> as the package directory.
Using </export/csu> as the package base directory.
## Processing package information.
## Processing system information.
3 package pathnames are already properly installed.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <CiscoSecure-2.1.x.x> [y,n,?] y

As the installation commences, the names of the files will display as the files are copied to their destination directories. Then the following information displays:

## Executing postinstall script.

Creating the initial database tables and views........

Installation is complete. However, further configuration may be necessary.
For more information on the steps necessary to finish configuration, read
the /export/csu/DOCS/readme.txt file.

Results of this install are saved in the /tmp/cs_install.log file.

Installation of CSEACS was successful.

Step 4 To start the CiscoSecure ACS immediately, enter:

# /etc/rc2.d/S80CiscoSecure

Note the following points:

• If, in the future, you shut down and restart the SPARCstation where the CiscoSecure ACS is installed, the CiscoSecure ACS software will start up automatically from the above shell script.

• When you run the startup command or restart the server, Netscape FastTrack (web-server software) is installed automatically for you. The web server software provides the means to run the web-based CiscoSecure ACS Administrator program that you will run to configure group and user profiles.

  ---

  Note You should wait at least 45 seconds after you start the CiscoSecure ACS before attempting to log into the Administrator program.

  ---

• The location and filename for the CiscoSecure ACS startup file is: /etc/rc2.d/S80CiscoSecure.

• The location and filename for the CiscoSecure ACS shutdown file is: /etc/rc0.d/K80CiscoSecure.

---

Note You must be logged in as root user to run either the startup or shutdown file for the CiscoSecure ACS.

---

Where to Go Next

After you have installed the CiscoSecure ACS on the SPARCstation, go to the section of this user guide that best suits your needs:

• If you are installing this version of CiscoSecure ACS over CiscoSecure ACS 1.0x, go to the appendix "Converting an Existing AA Database to a CiscoSecure ACS 2.1 Database."

• If you are installing this version of CiscoSecure over version 1.2.0 and already have user and group profiles set up, go to the chapter "Managing User Authentication and Authorization," for instructions on administering through the new version of the web-based CiscoSecure ACS Administrator program.

• If you are installing CiscoSecure ACS for the first time, go to one of the following sections in this chapter for instructions on setting up an initial test user profile.

  • To set up a user profile that uses the TACACS+ protocol, see "Setting Up and Supporting a Test User Profile with TACACS+ Attributes."

  • If you want to set up a user profile that uses the RADIUS protocol, see "Setting Up and Supporting a Test User Profile with RADIUS Attributes."

Setting Up and Supporting an Initial User Profile

If you are installing CiscoSecure ACS for the first time, and have no user or group profiles already configured, your next step, after installing and starting the ACS software, is to set up an initial test user profile and configure your NAS to support this profile. The procedures to carry this out vary according to whether you are assigning TACACS+ protocol attributes or RADIUS protocol attributes to the user profile.

Setting Up and Supporting a Test User Profile with TACACS+ Attributes

In this section, you will run the CiscoSecure Administrator and configure a NAS to set up and support an initial test user profile with TACACS+ protocol attributes.

---

Note To assign TACACS+ attributes to the user profile, you must have specified TACACS+ or Both (RADIUS and TACACS+) during the CiscoSecure ACS installation.

---

Physical Testing Setup

For testing purposes, locate the CiscoSecureACS, the host NAS, and a login workstation on the same Ethernet segment.

Figure 3-1: CiscoSecure Recommended Test Setup

---

Note The GUI Client and the CiscoSecure ACS both need to have name resolution enabled.

---

Set Up a TACACS+ User Profile through the CiscoSecure Administrator

Using the CiscoSecure Administrator, you will create an initial test user profile. Using TACACS+ protocol attributes, you will name the profile "Simple," assign it a clear text password, "Cisco" and enable Telnet login by enabling all commands and attributes associated with shell service.

Step 1 From a Windows 95 or Windows NT workstation start your Netscape Navigator or Microsoft Internet Explorer web browser and enter the following URL address.

http://your_server_name/cs

where your_server_name is the name of the ACS that you specified during installation.

Step 2 When the CiscoSecure Logon window appears, enter the following default values for username and password and click Submit:

username: superuser
password: changeme

Step 3 In the CiscoSecure ACS Main window, click Advanced and then click To Continue.

The Advanced Configurator program may require several minutes to load.

Step 4 Create and name a test user profile (to be used for authentication):

(a) When the advanced CiscoSecure Administrator window appears, locate and deselect the Browse option in the Navigator pane. This displays the Create New Profile icon.

(b) In the Navigator pane, locate and click the root folder icon.

(c) Click Create New Profile to display the New Profile dialog box and enter Simple. This names the user profile "Simple."

(d) Click OK. The simple user profile icon appears on the tree underneath the Root icon.

Figure 3-2: Creating a Test User Profile

Step 5 Specify clear text password transmission and shell service for the user profile.

(a) Click the Simple profile icon in the Navigator pane and click Profile in the Profile pane. This displays the "Simple" profile's Options menu in the lower right corner Attributes pane.

(b) In the Options menu, select Password-clear and Service-shell then click Apply. The Password-clear and Service-shell attribute icons appear under the Profile icon in the Profile pane.

Figure 3-3: Specifying Shell Service

Step 6 Assign a password to the user profile (to be used for authentication):

(a) Click the Password-clear attribute icon to display the Password tab in the lower right corner pane.

(b) Enter Cisco in the password field and click Apply. This makes "Cisco" the password for the user "Simple."

Figure 3-4: Specifying Password and NAS Shell Service

Step 7 Click Submit.

Step 8 Click Logoff to exit and terminate the CiscoSecure Administrator session. Your web browser may require several minutes to terminate.

Enter NAS Commands for the TACACS+ User Profile

From a network workstation, log in to the host NAS. Bring up the configuration window and input the following configuration commands:

aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication login no_tacacs line
aaa authorization exec tacacs+ if-authenticated
enable password cisco
!
tacacs-server host acs_ip_address
tacacs-server key secret-key
!
line con 0
 login authentication no_tacacs
 password cisco

where:

acs_ip_address is the IP address of the CiscoSecure ACS.

secret_key is the secret TACACS+ NAS key that you entered for the NAS during the CiscoSecure ACS installation.

---

Note The "no_tacacs+" authentication method in the above NAS command description is a precautionary measure, included so that an administrator will be able to log in to the console port of the NAS even if the CiscoSecure ACS is unavailable. To log in to the NAS console port with this configuration, enter an arbitrary username with the line password of "cisco."

---

Setting Up and Supporting a Test User Profile with RADIUS Attributes

In this section, you will run the CiscoSecure Administrator and configure a NAS to set up an initial test user profile with RADIUS protocol attributes.

---

Note To assign RADIUS attributes to a user profile, you must have specified RADIUS or Both (RADIUS and TACACS+) during the CiscoSecure ACS installation.

---

Physical Testing Setup

For testing purposes, locate the CiscoSecure ACS, the host NAS, and a login workstation on the same Ethernet segment.

Figure 3-5: CiscoSecure Recommended Test Setup

Set Up a RADIUS User Profile through the CiscoSecure Administrator

Using the CiscoSecure Administrator, you will create an initial test user profile. Using RADIUS protocol attributes, you will name the profile "Simple," assign it a clear text password, "Cisco," and enable Telnet login.

Step 1 From a Windows 95 or Windows NT workstation start your Netscape Navigator or Microsoft Internet Explorer web browser, enter the following URL:

http://your_server_name/cs

where your_server_name is the name of the ACS that you specified during installation.

Step 2 When the CiscoSecure Logon window appears, enter the following default values for username and password and click Submit.

username: superuser
password: changeme

Step 3 In the CiscoSecure ACS Main window, click Advanced then click To Continue.

The Advanced Configurator program may require a few minutes to load.

Step 4 Specify the host NAS, its shared secret key, and supported version of RADIUS protocol:

(a) When the advanced CiscoSecure Administrator window appears, locate and click the NAS page tab.

(b) Click New, enter the IP address of the host NAS, and click OK. The IP address appears in the NAS list in the Navigator pane.

(c) Select the host NAS IP address, then click Edit.

(d) Click on the Shared Secret window, type in a secret key for the NAS, note the key for later reference.

(e) Make sure the "RADIUS Vendor" states "Cisco" to indicate that you are using a NAS that supports Cisco RADIUS.

(f) Verify that the "Dictionary" drop-down box states "Cisco" as well.

(g) Click Done.

Figure 3-6: Specifying the Host NAS and RADIUS Version

Step 5 Create a test user profile:

(a) Click the Members tab.

(b) Deselect the Browse check box in the Navigator pane. This displays the Create New Profile icon (Figure 3-7).

(c) In the Navigator pane, locate and click the "Root" folder icon.

(d) Click Create New Profile to display the New Profile dialog box.

(e) Enter Simple. This names the user profile "Simple."

(f) Click OK. The Simple user profile icon appears on the tree underneath the "Root" folder icon.

Figure 3-7: Creating a Test User Profile

Step 6 Specify the RADIUS-Cisco dictionary for this user profile:

(a) Click the Simple profile icon in the Navigator pane and click the Profile icon in the Profile pane. This displays the "Simple" profile's Options menu in the lower right Attributes pane.

(b) In the Options menu, select RADIUS-Cisco and click Apply. The RADIUS-Cisco attribute icon appears under the Profile icon in the Profile pane.

Figure 3-8: Specifying a RADIUS Dictionary

Step 7 Specify RADIUS-Cisco Check Item and Reply attributes:

(a) Click the RADIUS-Cisco attribute icon in the Profile pane. This displays the RADIUS-Cisco Options menu in the Attributes pane.

(b) Select Reply Attributes and Check Items in the Options menu and click Apply.

Step 8 Click the plus/minus symbol by the RADIUS-Cisco icon to display the Reply Attributes and Check Items icons in the Profile pane.

Step 9 Specify the password:

(a) Select the Check Items icon to display its options in the Attributes pane.

(b) Select 2=Password, string and click Apply.

(c) Click the plus/minus sign by the Check Items icon to display the check item attribute icons.

(d) Select the Password icon in the Profile pane to display the String dialog box in the lower-right pane.

(e) Enter Cisco in the String dialog box and click Apply. This sets the password to "Cisco" for the user "Simple."

Figure 3-9: Specifying a Password

Step 10 Specify the Reply Attributes values:

(a) Select the Reply Attributes icon to display its options in the Attributes pane.

(b) Select 6=User-Service-Type, enumeration in the Options menu and click Apply.

(c) Click the plus/minus sign by the Reply Attributes icon to display the Reply Attribute icons.

(d) Select the User-Service_Type icon in the Profile pane to display the Enumeration dialog box in the lower-right pane.

(e) Select 6=Shell-User from the Enumeration dialog box and click Apply. This will authorize a command shell on the NAS.

Step 11 Click Submit.

Enter NAS Commands for the RADIUS User Profile

From a network workstation, log in to the host NAS. Bring up the configuration window and enter the following configuration commands:

aaa new-model
aaa authentication login default radius enable
aaa authentication login no_radius local
aaa authorization exec radius if-authenticated
enable password cisco
!
username root password cisco
!
radius-server host acs_ip_address
radius-server key secret_key
!
line con 0
 login authentication no_radius

where:

• acs_ip_address is the IP address of the CiscoSecure ACS.

• secret_key is the secret key that you entered when you were specifying the host NAS in the CiscoSecure Administrator.

---

Note The "no_radius" authentication method in the above NAS command description is a precautionary measure, included so that an administrator will be able to log in to the console port of the NAS even if the CiscoSecure ACS is unavailable. To log in to the NAS console port with this configuration, enter an arbitrary username with the line password of "cisco."

---

Testing the User Login and Authorization

In this last section, you will verify your test user's login and authorization:

Step 1 Open a Telnet window on your PC or SPARCstation using the Start/Run command.

Step 2 Telnet to the IP address of the NAS.

Step 3 Enter the username Simple and the password Cisco at the appropriate prompts.

Step 4 If the NAS lets you in, then this username and password have been properly set up and authorized.