This chapter contains information you need to know and a checklist to be completed before you begin installing the CiscoSecure Access Control Server (ACS) software. The following topics are covered:
You need to obtain a software license key from Cisco in order to enable your licensed CiscoSecure ACS. Additionally, if you started out using an Evaluation Key, you need to replace it with an official key when the evaluation period expires.
To obtain a software license key:
Step 1 Enter the hostid command to obtain the host ID of the system host:
/usr/ucb/hostid
Step 2 Fill out the "CiscoSecure Software Key Fax-Back Form," including the host ID of the primary and backup CiscoSecure ACS systems, and fax the form to Cisco Systems at the number provided on the form. Your software key will be sent to you within two business days. (For information on licensing, see the section "Basic CiscoSecure ACS Concepts" in the chapter "Introduction to the CiscoSecure ACS Software.")
Step 3 When the license keys are delivered to you, transcribe them into Table 2-1 in the row marked AAA server license keys.
If you do not have a CD-ROM drive attached to the SPARCStation where you want to install the CiscoSecure ACS, download the installation software from a web site, as follows; otherwise, skip this section.
Step 1 Go to the CiscoSecure Software Planner uniform resource locator (URL):
http://www.cisco.com/kobayashi/ciscosecure.html
You are prompted for a username and password in order to access Cisco Connection Online (CCO).
Step 2 Using your SmartNet account, log in to CCO, specifying your username and password as prompted.
Step 3 Click Download CiscoSecure Software. The CiscoSecure Server Software Images page displays.
Step 4 Click the button beside the applicable version of CiscoSecure Solaris. If you agree to the terms of the software agreement, click Execute. You are prompted to specify the location from which to transfer the software image.
Step 5 Click the location of the CCO server that is closest to your target CiscoSecure server. You are prompted again for your CCO password.
Step 6 Enter your CCO password. A file is copied to your home directory.
Step 7 Uncompress the CiscoSecure ACS software package by entering the following command at the UNIX prompt:
uncompress CiscoSecure-2.1.x.x.solaris.PKG.Z
Step 8 Translate the package file by entering the following command at the UNIX prompt:
# pkgtrans CiscoSecure-2.1.x.x.solaris.PKG /tmp
The following output displays:
x
.
x
Step 9 Enter 1.
The download operation is now complete.
To install the CiscoSecure ACS, you must have certain information available in order to respond successfully to the installer prompts. (See Table 2-1.)
Before installing the CiscoSecure ACS, review the following checklist:
See the section titled, "Obtaining a Software License Key," earlier in this chapter for details.
You will need approximately 500 MB of free disk space for this directory. Create this directory if it does not already exist and make it your current directory. For example:
% su
Password: <password>
# mkdir /usr/local/etc/ciscosecure
# cd /usr/local/etc/ciscosecure
For details on token card server support, see the chapter "Token Server Support."
CiscoSecure ACS group and user profiles reside in the database you specify. Note the following points:
CiscoSecure ACS comes bundled with SQLAnywhere. The bundled database is optimized for use with the CiscoSecure ACS.
CiscoSecure ACS works well with the Oracle Enterprise version 7.3 and Sybase SQL Enterprise Server version 11 databases, if you have those database engines installed on your network.
Occasionally you might be confused by the use of AA databases versus AAA servers. The first is the file created by the CiscoSecure 1.X ACS. This file contained Authorization and Authentication information. Accounting information was stored in another location determined by the AAA server's configuration file. The present version of the CiscoSecure ACS creates a single database containing Authorization, Authentication, and Accounting information.
AAA servers are those servers which hold and process all required authorization, authentication, and accounting information.
Before running the installation program, Cisco recommends that you prepare your answers to the installation questions in advance. The following questions will be asked:
Questions You Will Be Asked | Explanation | Your Answer |
---|---|---|
Is this a complete new install (Y/N)? | | |
Enter the directory name to install CiscoSecure into. | Specify the directory where you want the CiscoSecure ACS files to be installed. Make sure the partition contains sufficient disk space (500 MB for the first 10,000 users and 256 KB for each additional 1000 users). | |
Choose a network protocol to support: 1. TACACS+ only 2. RADIUS only 3. Both | Specify the protocol or protocols to be used between the NAS and the ACS for carrying out AAA operations. | |
Enter the AAA Server License Key. | Specify the key code that you received after you filled out the "CiscoSecure Fax Back Form." See "Obtaining a Software License Key," earlier in this chapter for details. | |
(If TACACS+ or Both) Enter the TACACS+ NAS name you will be using. | If you specified TACACS+ or Both as the network protocol, you can either: | |
(If TACACS+ or Both) Enter the TACACS+ NAS secret key. | If you specified TACACS+ or Both as the network protocol, specify the secret TACACS+ key. Note this key. You will need to use it during installation and when configuring NASes to use the ACS. | |
Select token card(s) or none: 1. CRYPTOCARD 2. Secure Computing 3. Security Dynamics, Inc. | If you want to support one of the listed Token Cards, specify the card you want to support. Selecting Security Dynamics Incorporated requires that the SDI client software be properly installed before the ACS is started. | |
If Secure Computing, IP Address of the Secure Computing Server. | If supporting Secure Computing token cards, specify the IP address of the Safe Word Server. | |
Choose a Database: 1. Sybase SQLAnywhere 2. Oracle Enterprise 3. Sybase Enterprise | Specify the database support for the AAA database. SQLAnywhere is the default choice and is supplied with the CiscoSecure ACS. Oracle Enterprise support or Sybase Enterprise support require that those products already be installed and accessible on your network. | |
If SQLAnywhere, the directory of where you want the database files to be created. | If you will use the default SQLAnywhere database support, specify the directory path where you want the SQLAnywhere files to be stored. | |
If Sybase or Oracle, the username and password to the DB account that has been assigned table space for the CiscoSecure data. | If you will use Sybase Enterprise or Oracle Enterprise database support, specify the username and password needed to access the database account that will hold the CiscoSecure ACS data. | |
If Oracle, the path to the $ORACLE_HOME directory, where Oracle is installed. | If you will use Oracle Enterprise database support, specify the path to where Oracle 7.3.2 is installed. If the Oracle database is on another machine, you require Oracle SQL*Net installed on the ACS. | |
If Oracle, the TNS Service name of the Oracle Server. | If you will use Oracle Enterprise database support, specify the TNS service name. | |
If Sybase, the name of the Sybase SQL Server. | If you will use Sybase Enterprise database support, specify the Sybase SQL server name. | |
If Sybase, the name of the database to use for CiscoSecure. | If you will use Sybase Enterprise database support, specify the name of the database assigned to the CiscoSecure ACS. | |
If Sybase, the path to the $SYBASE directory, where Sybase is installed. | If you will use Sybase Enterprise database support, specify the path to the directory where Sybase Enterprise is installed. | |
If not a New Install, Do you want to drop and re-init existing Database Tables (Y/N)? | If this is not a new installation of the CiscoSecure ACS, specify whether you want to remove any existing database and initialize a new one. | |
Enter the IP addresses of the CiscoSecure DB server. IP addresses consist of five groups of numbers separated by periods, like these examples: 1. 171.68.188.242 2. 10.3.1.0 | The default is the primary IP address of the server on which you are installing the CiscoSecure ACS. For single server installation, use the default; otherwise specify the address of the first ACS. | |
Enter an available TCP/IP port to be reserved for the CiscoSecure database server process. | The default port is 9900. Unless you know that port 9900 is used by another process, specify the default. | |
Enter a unique name for the CiscoSecure DB server process. | Specify any unique string. The default value is CSdbServer. | |
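
The following pre-install check is an added example, not part of the Cisco documentation or installer. It tests two answers from the table above before you run the installer: whether the install directory has the disk space the sizing rule calls for, and whether the database server port is already taken. The script name preflight.sh, the 1 MB = 1024 KB conversion, and rounding partial blocks of 1000 users up are assumptions.

```shell
#!/bin/sh
# Added example: pre-install checks for the checklist values (not Cisco's code).

# Disk needed in KB: 500 MB for the first 10,000 users plus 256 KB for each
# additional 1000 users. Assumes 1 MB = 1024 KB and rounds partial blocks up.
required_kb() {
    base_kb=$((500 * 1024))
    if [ "$1" -le 10000 ]; then
        echo "$base_kb"
    else
        extra_blocks=$(( ($1 - 10000 + 999) / 1000 ))
        echo $(( $base_kb + $extra_blocks * 256 ))
    fi
}

# Free KB on the file system holding directory $1 (4th column of `df -k`;
# data lines are joined first because long device names wrap the output).
free_kb() {
    df -k "$1" | awk 'NR > 1 { line = line " " $0 }
                      END { split(line, f, " "); print f[4] }'
}

# Succeeds if `netstat -an` output on stdin shows a listener on port $1.
# Accepts Solaris-style "*.9900" and "0.0.0.0:9900" local addresses.
port_listening() {
    awk -v p="$1" '
        /LISTEN/ { for (i = 1; i <= NF; i++) {
                       n = split($i, a, "[.:]")
                       if (n > 1 && a[n] == p) found = 1 } }
        END { exit !found }'
}

# Constructed sample of Solaris-style netstat output, not from a real host.
SAMPLE_NETSTAT='      *.23            *.*         0      0     0      0 LISTEN
      *.9900          *.*         0      0     0      0 LISTEN
10.3.1.0.32771  10.3.1.0.9901  8760      0  8760      0 ESTABLISHED'

# Usage: sh preflight.sh INSTALL_DIR USERS [DB_PORT]
if [ $# -ge 2 ]; then
    need=$(required_kb "$2"); have=$(free_kb "$1"); port=${3:-9900}
    [ "$have" -ge "$need" ] ||
        echo "WARN: $1 has $have KB free, $need KB needed for $2 users"
    if netstat -an | port_listening "$port"; then
        echo "WARN: port $port is in use; pick another DB server port"
    fi
fi
```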