|
|
This chapter describes the basic operation of each of the configuration areas of CiscoSecure ACS 2.0 for Windows NT. It also provides additional information about each function or attribute.
Before completing any of the tasks in this chapter you must have:
Each of the eight buttons on the navigational bar represents a particular area or function that you can configure. Depending on you configuration, you may not need to configure all of the eight areas. This chapter has a section for each of the areas of configuration or operation with step by step details of the general operation. Click one of these buttons to begin configuring:
The pervious bulleted list follows the order of the buttons in the navigational bar. The order to follow for configuration depends on you preferences and needs. One typical order of configuration is listed below.
Select on the navigational bar to perform the following tasks:
Step 1 Click User Setup.
The Select and Help windows appear.
Step 2 Enter a name in the User field. User account names can be up to 32 characters in length. They must not contain any of the following special characters:
Step 3 Click Add/Edit.
The Edit form appears in the left window. The username being added or edited appears at the top of the window.
Step 4 Select the Password Authentication type and supply password as required.
Step 5 Select a User Group the group list box--Represents a set of attributes and operations that are applied to all users assigned to the group. The default group is Windows NT Users. Its group number is zero (0).
Step 6 Enter a Static IP Address--An IP address assigned to this specific user. Leave this field blank if the user's IP address is dynamically assigned from an address pool.
Step 7 Enter a CLID address for Authenticate by CLI--An ISDN number, IP address or X121 address can be used to identify a user calling into a NAS. This allows users to be identified by this number instead of a username. Entering an address in this field overrides other caller identification settings when a username is not configured.
Step 8 Enter the address for Remote Address Filter--An address or partial address that is matched against and individual user. This can be different types of addresses such as IP address or telephone number. You can also enter a comma separated list with wildcards. An asterisk (*) matches any string of characters and a question mark (?) matches any single character.
Step 9 Enter a Callback String--A string, either a number or command string, sent back to a modem to call back a specific user.
Step 10 Enter the expiration information for this user account.
Step 11 Select TACACS+ Enable Control to use TACACS+ features. This option must be enabled when CiscoSecure is used to manage routers.
Step 12 Select Max Privilege--A level of access given that authorizes a user to access specific services. Zero (0) is the default privilege and allows view only privilege.
Step 13 TACACS+ Outbound Password--Enter an password to be used by device such as routers that request services from the CiscoSecure ACS. This is an advanced feature and should be used only if you are knowledgeable about how TACACS+ uses this function.
Step 14 Click Submit. You are returned to the Select window.
Step 15 Verify that the user was added by entering the username in the User field and clicking Find. The User List should appear with the entry you just submitted.
To delete a user account from the CiscoSecure Database:
Step 1 Click User Setup.
The Select and Help windows appear.
Step 2 Enter the full name to be deleted in the User field.
Step 3 Click Add/Edit.
Step 4 At the bottom of the Edit window, Click Delete.
Select Group Setup on the navigational bar to perform the following tasks:
To list all users in a specified group:
Step 1 Click Group Setup on the navigational bar. The Select and Help windows appear.
Step 2 Select a group from the Group pulldown list.
Step 3 Click Users in Group.
The User List appears in the window to the right. The Edit window appears in the left with the user's account information after you select a user. You can view, modify, or delete a user by clicking on the user's name in the list.
To assign or edit a group's authorization and authentication settings, follow these steps:
Step 1 Click Group Setup. The Select window appears.
Step 2 Select a group from the pulldown list.
Step 3 Click Edit Settings. The Edit window appears.
Step 4 Complete the Group Setup section.
Before you configure Group Setup it is important to understand how this window functions. Group Setup is dynamically built depending on the configuration of your NAS and the security protocols being used. There are six basic sections to Group Setup:
The General Information and Token Card Information is always be displayed. TACACS+ and RADIUS sections are displayed depending on the configuration of your access device. If one NAS has been configured within CiscoSecure and it is running TACACS+, the only sub-sections displayed are:
If a second NAS was added that used RADIUS (IETF), these sub-sections are displayed:
The content of each of these sub-sections is dynamic. Only those attributes that are selected from the NAS Configuration under the Protocol Configuration Options section are displayed. This allows you to select and display only those attributes that you want. You can change what is displayed in each of the subsections by selecting a security protocol from the Protocol Configuration Options in the NAS Configuration window.
This information is applied to all members of a group:
(a) Select Default Time of Day Access Settings--Defines the default time of day you want to allow user access for this group. Select Setup Default to activate the time grid (if not enabled, 24hour / 7 day a week access is permitted). Click Clear All to clear all the times, or click Set All to enable all the times. Using the arrow and left mouse button, highlight the areas with green for the time of day access should be permitted. These settings apply to both TACACS+ and RADIUS.
(b) Select Force Remote Address Filtering--Switches on or off the enforcement an administrator security policy that requires a string to be entered for every user in the Group. This prevents users from accidentally being entered without a filter which helps prevent breaches in security policy. The Filter may be defined at the Group or User level. A popular application for the remote address filter is for use with ISDN. Using it requires a user to call from a specific or group of CLID's. This means the user must pass normal username and password authentication, and must be calling from a pre-determined location. This elevates the need to define the CLID's on the NAS itself.
(c) Default Remote Address Filter--Defines the strings used as filters. If a match is found, the user's authorizations will be processed. Filters are defined here for entire groups. A user level filter can be defined under User Setup and overrides the Group setting. The wildcard asterisk (*) is supported at any point in the string (1234*, *1234, 12*34). Furthermore, multiple strings maybe entered and separated by a comma making it possible to define an entire group of CLID's to be used, eliminating the requirement to enter them for each user.
(d) Token Card Caching--When using a Security Dynamics Token Card Server and Terminal Adapters, it is possible to cache the token to support the use of a second 'b' channel without a second token OTP. It can be configured on a per session basis or with a specified duration for which the token is cached.
These parameters will only be displayed if a NAS has been configured to use TACACS+. The default service-protocol settings displayed for TACACS+ are:
To display or hide additional services or protocols, see NAS Configuration - Protocol Configuration Options.
(e) Select which services-protocols that should be authorized for the Group by checking the box next to the protocol-service. Below each service-protocol, select the attributes to further define the authorization for that protocol-service. In the case of access control lists (ACLs) and IP Address Pools, the name of the ACL or Pool as defined on the NAS should be entered. (An ACL is a list of Cisco IOS commands used to restrict access to or from other devices and users on the network.) Leave blank if the default (as defined on the NAS) should be used. Information about attributes can be found in the Appendix of these documents, or within the NAS documentation.
When configuring Shell (Exec), it is possible to define which Cisco IOS commands and arguments that should be permitted or denied. Click the box to enable the command, enter the name of the command, define its arguments using standard permit or deny syntax and define if Unlisted Arguments should be permitted or denied. CiscoSecure will support any number of commands to be entered. To add additional entry fields, simply submit the changes for the first commands and re-enter the Group Setup. The submitted commands will appear and additional field entry boxes will become available.
These parameters are displayed only when a NAS has been configured to use RADIUS (IETF). The default attribute settings that displayed for RADIUS are:
| |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(f) Select which attributes that should be authorized for the Group by checking the box next to the attribute. Be sure to further define the authorization for that attribute in the field entry field next to it. Information about attributes can be found in the appendices of this document, or within the NAS documentation.
The RADIUS (IETF) and RADIUS (Cisco) parameters will only be displayed if a NAS has been configured to use RADIUS (Cisco). RADIUS (Cisco) represents the Cisco Vendor Specific Attribute (VSA) IETF #26. Therefore, when configuring RADIUS (Cisco), both IETF and Cisco VSA apply.
The default attribute settings displayed for RADIUS (Cisco) are:
(g) For the IETF attributes, select which attributes that should be authorized for the Group by checking the box next to the attribute. Be sure to further define the authorization for that attribute in the field entry field next to it. Information about attributes can be found in the Appendix of these documents, or within the NAS documentation.
(h) For the Cisco VSA, enter the commands (such as TACACS+ commands) that should be packed as a RADIUS VSA.
The RADIUS (IETF) and RADIUS (Ascend) parameters will only be displayed if a NAS has been configured to use RADIUS (Ascend). RADIUS (Ascend) represents the Ascend proprietary attributes. Therefore, when configuring RADIUS (Ascend), both IETF and Ascend apply (proprietary attributes override IETF when conflicting).
The default attribute settings displayed for RADIUS is:
To display additional, or hide any l of these RADIUS (IETF) attributes, see NAS Configuration.
(i) For the IETF attributes, select which attributes that should be authorized for the Group by checking the box next to the attribute. Be sure to further define the authorization for that attribute in the field entry field next to it. Information about attributes can be found in the Appendix of these documents, or within the NAS documentation.
(j) For the Ascend attributes, select which attributes that should be authorized for the Group by checking the box next to the attribute. Be sure to further define the authorization for that attribute in the field entry field next to it. Information about attributes can be found in the Appendix of these documents, or within the NAS documentation.
Step 5 Click Submit + Restart. The group attributes are applied and services are restarted. The Edit window appears. (Click Submit if you want to save your changes and apply them later by restarting the services.)
Step 6 Verify that your changes were applied by selecting the group and click Edit Settings. View the settings.
To rename a group, follow these steps:
Step 1 Click Group Setup. The Select window appears.
Step 2 Select a group from the pulldown list.
Step 3 Click Rename Group.
Step 4 Enter the new name in the Group field.
Step 5 Click Rename Group. The Select window appears with the new group name selected.
The NAS you use with the CiscoSecure ACS must be configured and active on the network.
Step 1 Click NAS Configuration.
Step 2 Click the Add New Access Server button. The following window appears.
Step 3 Provide the following information:
(a) Enter the Access Server Hostname.
(b) Enter the Access Server IP address.
(c) Enter the Key value (this is the secret value shared between the NAS and the CiscoSecure ACS).
(d) Select a security protocol from the Authenticate Using list box.
(e) Click the Submit + Restart.
You can also configure specific security protocol attributes to be used by CiscoSecure. Click on the button for the specific protocol you want to configure. A list of attributes is appeared.
Attributes marked with an asterisk are configured on the NAS and can not be changed from the CiscoSecure user interface. Attributes with a checkbox to the left can be activated by checking the box or deactivated by deselecting or unchecking the box.
You can edit the configuration of a NAS that is listed in the Select window after clicking NAS Configuration.
Step 1 Click NAS Configuration. The Select window appears.
Existing NASes are listed under Access Server Setup.
Step 2 Click on the name of the NAS you want to edit. The Edit window appears.
Step 3 You can change any of the following information:
Access Server IP Address--IP address of the NAS configured to work with the CiscoSecure ACS.
Key--A shared secret between the NAS and the CiscoSecure ACS for either TACACS+ or RADIUS. The shared secret is case sensitive.
Authenticate Using--Defines the type of security control protocol that is used for communication between the CiscoSecure ACS and NAS.
Step 4 Click Submit + Restart to immediately apply the changes, or click Submit if you want to restart the services and apply the changes later.
To edit your current CiscoSecure service configuration, click Service Configuration.
You can:
Token Card Configuration allows you to specify the type of token card server to be used. From the User Setup you must also specify that a Token Card Server is to be used.
Step 1 Click Token Server Configuration. The Token Card Configuration widow appears.
Step 2 Click on the button for one of the installed token card servers.
A confirmation window appears.
Before you start:
Follow these steps:
Step 1 Run the Setup program of the ACE Client software following the setup instructions. Do not restart your Windows NT server when installation is complete.
Step 2 Open an FTP session with the machine that has the ACE server installed.
Step 3 Locate the ACE Server data directory, for example /sdi/ace/data.
Step 4 Get the file named sdconf.rec and place it in your Windows NT directory %SystemRoot%\system32, for example \winnt\system32.
Step 5 Make sure the ACE server host machine name is in the Windows NT local hosts file, \winnt\system32\drivers\etc\hosts.
Step 6 Restart your Windows NT server.
Step 7 Verify connectivity by running the Test Authentication function of your ACE client application. You can run this from the Control Panel.
You should get a challenge when you run the Test Authentication function. You should now be able to use the ACS for Windows NT with SDI.
You can administer CiscoSecure from any workstation in the network as long as the workstation is running either Microsoft Internet Explorer 3.02 or Netscape Navigator 3.0. The address to enter in the remote administrator's browser is: http://<<Windows NT Server ip-address>>:2002. The port number, 2002, is changed after the initial login of a remote administrator.
Remote administrators can use a firewall protected dialin connection, but this is not recommended or supported. Leaving a port open for remote administration could compromise network security.
To enable remote administration from a workstation or remote client:
Step 1 Click Administration Control in the navigational bar.
Step 2 Click Add new administrator.
Step 3 Fill in the following fields:
Step 4 Click Submit to save these changes and stop and start the appropriate services.
An administrative login can be terminated by setting the idle timeout. This parameter applies to the browser session only. It does not apply to the dial-in session. The browser connection with CiscoSecure is terminated if there is no activity for the specified period of time.
Step 1 Enter the Session idle timeout (minutes)--Time in minutes that the browser must remain idle before the connection to CiscoSecure is terminated. This terminates the browser connection only.
Step 2 Click Submit Timeout Value--Updates the idle timeout value set in the Session idle timeout field.
You can change an administrator's password or delete an existing administrator.
To change a password:
Step 1 Click Administration Control. The Select window appears.
Step 2 Click an existing administrator name in the list. The Edit window appears.
Step 3 Enter a new password for the selected administrator. You must enter the password twice for confirmation.
Step 4 Click Submit to update the password now.
To delete an administrator:
Step 1 Click Administration Control. The Select window appears.
Step 2 Click an existing administrator name in the list. The Edit window appears.
Step 3 Click Delete. A delete confirmation window appears.
Step 4 Click OK to delete the selected administrator.
Click Reports & Activity in the navigational bar to view the following information:
You can import these files into most database and spreadsheet applications.
The online documentation provides more detailed information about the configuration, operation, and concepts of CiscoSecure. To view it:
Step 1 Click Online Documentation.
The Table of Contents appears in the left window.
Step 2 Click the topic that you want to appear.
The online documentation appears in the right window.
Step 3 To print the online documentation, click in the right window, then click Print in your browser's navigational bar.
|
|