Cisco ACS 5.7 User Guide
Managing Users and Identity Stores
Managing Internal Identity Stores

Table 39 Advanced Tab Options

Option: Description

Account Disable
Supports the account disablement policy for internal users.

  Never: Default option; accounts never expire. All internal users that were disabled by this policy are re-enabled when you select this option.

  Disable account if Date exceeds: The internal user is disabled once the configured date has passed. For example, if the configured date is 28 Dec 2010, all internal users are disabled at midnight on 28 Dec 2010. The configured date can be either the current system date or a future date; a date earlier than the current system date is not accepted. Internal users disabled by this option are re-enabled according to later changes made to the Date exceeds setting.

  Disable account if Days exceed: The internal user is disabled once the configured number of days has passed. For example, if the configured value is 60 days, the user is disabled 60 days after the time the account was enabled.

  Disable account if Failed Attempts Exceed: The internal user is disabled when the count of successive failed attempts reaches the configured value. For example, if the configured value is 5, the user is disabled when the successive failed attempts count reaches 5.

  Reset current failed attempts count on submit: If selected, the failed attempts count of every internal user is set to 0, and all internal users that were disabled by the Failed Attempts Exceed option are re-enabled.

  Disable user account after n days of inactivity: Disables the user account after the configured number of days during which the user has not logged in to the network. This option applies only to internal users. The valid range is 1 to 365 days.
Password History

  Password must be different from the previous n versions: Number of previous passwords against which a new password for this user is compared; the count includes the default password. This option prevents users from setting a recently used password. Valid values are 1 to 99.

Password Lifetime
Users can be required to change their password periodically.

  Disable user account after n days if password is not changed for n days: The user account is disabled after n days if the password has not been changed; valid values are 1 to 365. This option applies only to TACACS+ and to RADIUS with MS-CHAPv2 authentication.

  Expire the password after n days if the password is not changed for n days: The user password expires after n days if it has not been changed; valid values are 1 to 365. This option applies only to TACACS+ and to RADIUS with MS-CHAPv2 authentication.

  Display reminder after n days: Displays a reminder to change the password after n days; valid values are 1 to 365. This option only displays a reminder; it does not prompt for a new password. It applies only to TACACS+ and to RADIUS with MS-CHAPv2 authentication.
4. Click Submit.

The user password is configured with the defined criteria. These criteria apply only to future logins.

Note: If one of the users gets disabled, the failed attempt count value may need to be reconfigured more than once. In that case, administrators should either note that user's current failed attempt count separately, or reset the count to 0 for all users.

Disabling User Account After N Days of Inactivity

Before you Begin:
- This feature applies only to ACS internal users.
- ACS must be configured to send passed authentication messages to the log collector server.
- The log collector server must be running and receiving syslog messages from all ACS nodes in the deployment.
- The log recovery feature must be enabled.

ACS 5.7 lets the administrator configure, from the ACS web interface, the maximum number of days that an internal user's account stays enabled without the user logging in to the network. Once that period is exceeded and the user still has not logged in, the account is disabled. The number of days ranges between 1 and 365.

For this feature to work properly, the log collector server must be running and receiving the syslog messages from the ACS nodes in the deployment. The last login date is not stored in the database and is therefore not displayed in the web interface; you can see a user's last active date in the passed authentication reports in the ACS Reports web interface. Every day at 10 PM, ACS View runs a job that sends the list of active users to the primary management node; an active user is one who has had at least one successful authentication during the configured period. From this list, the primary management node identifies the inactive users, disables them, and sends an audit log message to the log collector server. The administrator can re-enable a disabled user account.
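The following is an added example, not ACS code, that models the account disablement rules of Table 39 and the nightly inactivity job described above. Every name, policy value, user and passed-authentication record in it is constructed for illustration, and the interpretation of "disabled at midnight on the configured date" as the midnight that ends that date is this example's assumption. It shows the points a practitioner would want to check: the user-level failed attempt count taking precedence over the global one, inactivity measured from the last passed authentication or, after a re-enable, from the enable date, the reset-on-submit behaviour re-enabling only users disabled for failed attempts, and Password Never Expired/Disabled overriding only the password lifetime rule.

```python
"""Model of the ACS 5.7 account disablement rules for internal users (Table 39 and the
inactivity job above). Added example, not ACS code: every name, policy value, user and
passed-authentication record below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional


@dataclass
class DisablePolicy:
    """Global settings from the Advanced tab; None means the rule is not configured."""
    date_exceeds: Optional[date] = None            # disabled at the midnight that ends this date
    days_exceed: Optional[int] = None              # counted from the time the account was enabled
    max_failed_attempts: Optional[int] = None      # successive failed attempts before disablement
    inactivity_days: Optional[int] = None          # days without a passed authentication (1..365)
    password_unchanged_days: Optional[int] = None  # days without a password change (1..365)


@dataclass
class InternalUser:
    name: str
    enabled_on: datetime                    # when the account was (last) enabled
    password_changed_on: datetime
    failed_attempts: int = 0                # successive failures; a passed authentication resets it
    user_max_failed: Optional[int] = None   # per-user limit; takes precedence over the global one
    password_never_expires: bool = False    # "Password Never Expired/Disabled" on the user record
    disabled_reason: Optional[str] = None


def last_passed_auth(user, log):
    """Newest passed authentication since the last enable; after a re-enable the inactivity
    window therefore starts from the enable date, not from an older login."""
    times = [t for name, t in log if name == user.name and t >= user.enabled_on]
    return max(times) if times else None


def disablement_reason(user, policy, log, now):
    """Return the first rule that disables the account, or None if it stays enabled."""
    # The user-level failed attempt count takes precedence over the global one.
    limit = user.user_max_failed if user.user_max_failed is not None else policy.max_failed_attempts
    if limit is not None and user.failed_attempts >= limit:
        return f"failed attempts reached {limit}"
    if policy.date_exceeds is not None and now.date() > policy.date_exceeds:
        return f"date {policy.date_exceeds} exceeded"
    if policy.days_exceed is not None and now >= user.enabled_on + timedelta(days=policy.days_exceed):
        return f"enabled for {policy.days_exceed} days"
    if policy.inactivity_days is not None:
        last_seen = last_passed_auth(user, log) or user.enabled_on
        if now - last_seen >= timedelta(days=policy.inactivity_days):
            return f"inactive for {policy.inactivity_days} days"
    # Password Never Expired/Disabled overrides only this password-lifetime rule, not those above.
    if policy.password_unchanged_days is not None and not user.password_never_expires:
        if now - user.password_changed_on >= timedelta(days=policy.password_unchanged_days):
            return f"password not changed for {policy.password_unchanged_days} days"
    return None


def record_auth_attempt(user, succeeded, policy):
    """Maintain the successive failed attempts counter; returns a reason once the limit is hit."""
    user.failed_attempts = 0 if succeeded else user.failed_attempts + 1
    limit = user.user_max_failed if user.user_max_failed is not None else policy.max_failed_attempts
    if limit is not None and user.failed_attempts >= limit:
        user.disabled_reason = f"failed attempts reached {limit}"
    return user.disabled_reason


def reset_failed_attempts(users):
    """'Reset current failed attempts count on submit': zero every counter and re-enable
    only the users disabled for failed attempts (other disablement reasons stay)."""
    reenabled = []
    for user in users:
        user.failed_attempts = 0
        if user.disabled_reason and user.disabled_reason.startswith("failed attempts"):
            user.disabled_reason = None
            reenabled.append(user.name)
    return reenabled


def evaluate_all(users, policy, log, now):
    """Run the rules over every enabled user, as the 10 PM job does for inactivity."""
    disabled = {}
    for user in users:
        if user.disabled_reason is None:
            reason = disablement_reason(user, policy, log, now)
            if reason:
                user.disabled_reason = disabled[user.name] = reason
    return disabled


# Constructed sample data standing in for the log collector's passed-authentication records.
POLICY = DisablePolicy(max_failed_attempts=5, inactivity_days=30, password_unchanged_days=90)
NOW = datetime(2010, 12, 29, 22, 0)
PASSED_AUTH_LOG = [
    ("alice", datetime(2010, 11, 15, 9, 30)), ("bob", datetime(2010, 12, 28, 17, 5)),
    ("carol", datetime(2010, 10, 2, 8, 0)),  # before carol's re-enable date, so ignored
    ("erin", datetime(2010, 12, 28, 8, 45)), ("frank", datetime(2010, 12, 28, 8, 50)),
]


def sample_users():
    oct1 = datetime(2010, 10, 1)
    return [
        InternalUser("alice", oct1, oct1),                                      # idle for 44 days
        InternalUser("bob", oct1, datetime(2010, 12, 1)),                       # active, fresh password
        InternalUser("carol", datetime(2010, 12, 20), datetime(2010, 12, 20)),  # re-enabled 9 days ago
        InternalUser("dave", oct1, datetime(2010, 12, 1), failed_attempts=3, user_max_failed=3),
        InternalUser("erin", oct1, datetime(2010, 9, 1), password_never_expires=True),
        InternalUser("frank", oct1, datetime(2010, 9, 1)),                      # password 119 days old
    ]
```

Running evaluate_all(sample_users(), POLICY, PASSED_AUTH_LOG, NOW) disables alice (inactive), dave (his per-user limit of 3, not the global 5) and frank (password older than 90 days), while erin keeps an equally old password because Password Never Expired/Disabled is set and carol stays enabled because her old login predates her re-enable date. Note that dave, once re-enabled by a reset, is caught by the inactivity rule on the next run: resetting the failed attempts count does not make an idle account active.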
After the account is re-enabled, the subsequent inactivity period is calculated from the date on which it was last enabled.

Note: When you change the log collector server, you must restore the backup taken from the old log collector server on the new log collector server.

Note: When you restore an ACS backup from one ACS instance to another ACS instance, the View backup must also be restored along with the ACS backup.

To disable user accounts after n days of inactivity:

1. Choose System Administration > Users > Authentication Settings.

Table 39 Advanced Tab Options (continued)

Option: Description

  Send Email for password expiry before n days: Check this check box and enter the number of days if you want ACS to send internal users one email notification a day, starting from the nth day before their password expires. This option helps internal users change their password before it expires. ACS does not allow you to configure this option unless you have configured either the "Expire the password after n days if the password is not changed for n days" option or the "Disable user account after n days if password is not changed for n days" option.

TACACS Enable Password
Select whether a separate password should be defined in the user record to store the Enable Password.

  TACACS Enable Password: Check the check box to enable a separate password for TACACS+ authentication.
The User Authentication Settings page appears.

2. Check the Disable user account after n days of inactivity check box.

3. Enter the number of days in the text box.

ACS disables the user account if it is not active for the configured number of days.

Creating Internal Users

In ACS, you can create internal users that do not access external identity stores, for security reasons. You can use the bulk import feature to import hundreds of internal users at a time; see Performing Bulk Operations for Network Resources and Users, page 7, for more information. Alternatively, you can use the procedure described in this topic to create internal users one at a time.

1. Choose Users and Identity Stores > Internal Identity Store > Users.

The Internal Users page appears.

2. Click Create.

You can also:
- Check the check box next to the user that you want to duplicate, then click Duplicate.
- Click the username that you want to modify, or check the check box next to the name and click Edit.
- Check the check box next to the user whose password you want to change, then click Change Password. The Change Password page appears.

3. Complete the fields as described in Table 40 on page 14 to change the internal user password.
- Click File Operations to:
  - Add: Adds internal users from the import to ACS.
  - Update: Overwrites the existing internal users in ACS with the list of users from the import.
  - Delete: Removes the internal users listed in the import from ACS.
- Click Export to export a list of internal users to your local hard disk.

For more information on the File Operations option, see Performing Bulk Operations for Network Resources and Users, page 7.

The User Properties page appears when you choose the Create, Duplicate, or Edit option. In the Edit view, you can see the information on the original creation and last modification of the user; this information cannot be edited.

4. Complete the fields as described in Table 41 on page 15.

Table 40 Internal User - Change Password Page

Option: Description

Password Information

  Password Type: Displays all configured external identity store names, along with Internal Users, which is the default password type. You can choose any one identity store from the list. During user authentication, if an external identity store is configured for the user, the internal identity store forwards the authentication request to that external identity store. If an external identity store is selected, you cannot configure a password for the user, and the password edit box is disabled. You cannot use identity sequences as external identity stores for the Password Type. You can change the Password Type using the Change Password button on the Users and Identity Stores > Internal Identity Stores > Users page.

  Password: User's current password, which must comply with the password policies defined under System Administration > Users > Authentication Settings.

  Confirm Password: User's password, which must match the Password entry exactly.

  Change Password on Next Login: Check this box to start the process of changing the user's password at the next user login, after authentication with the old password.
Enable Password Information

  Enable Password: (Optional) The internal user's TACACS+ enable password, from 4 to 32 characters. You can disable this option. See Authentication Information, page 5, for more information.

  Confirm Password: (Optional) The internal user's TACACS+ enable password, which must match the Enable Password entry exactly.
Table 41 Users and Identity Stores > Internal Identity Store > User Properties Page

Option: Description

General

  Name: Username.

  Status: Use the drop-down list box to select the status for the user:
    Enabled: Authentication requests for this user are allowed.
    Disabled: Authentication requests for this user fail.

  Description: (Optional) Description of the user.

  Identity Group: Click Select to display the Identity Groups window. Choose an identity group and click OK to configure the user with a specific identity group.

  Email Address: Enter the internal user's email address. ACS View sends alerts to this email address, and ACS uses it to notify the internal user about password expiry n days before the password expires.

Account Disable

  Disable Account if Date Exceeds: Check this check box to apply the account disablement policy to this individual user: the user account is disabled when the configured date is exceeded. This setting overrides the global account disablement policy, so the administrator can configure different expiry dates for different users as required. The default value is 60 days from the account creation date. The user account is disabled at midnight on the configured date.

  Disable account after n successive failed attempts: Check this check box to configure the failed attempts count for this user, and enter the count in the text box provided. The value ranges from 1 to 99. When a user enters incorrect login credentials, ACS uses this failed attempts count to decide whether to disable the user account or allow another attempt; when the count reaches n, ACS disables the user account. If you do not configure the failed attempt count here, ACS checks for a failed attempt count configured at the identity group level.
  The user-level failed attempt count takes precedence.

Password Hash

  Enable Password Hash: Check this check box to hash the user's password with the PBKDF2 hashing algorithm of Cisco SSL, for enhanced protection of the stored password. This option applies only to internal users. If you enable this option, authentication types such as CHAP and MSCHAP will not work for the user. This option is disabled by default. If you later disable this option, you must reconfigure the user's password using the Change Password option immediately after disabling it. For more information, see Enable and Disable Password Hashing for Internal Users, page 18.

Password Lifetime

  Password Never Expired/Disabled: Check this check box to keep the user account active when the password lifetime has elapsed. This option overrides the password lifetime settings configured on the System Administration > Users > Authentication Settings > Advanced page.

Password Information
This section of the page appears only when you create an internal user. The password must contain at least 4 characters.
  Password Type: Displays all configured external identity store names, along with Internal Users, which is the default password type. You can choose any one identity store from the list. During user authentication, if an external identity store is configured for the user, the internal identity store forwards the authentication request to that external identity store. If an external identity store is selected, you cannot configure a password for the user, and the password edit box is disabled. You cannot use identity sequences as external identity stores for the Password Type. You can change the Password Type using the Change Password button on the Users and Identity Stores > Internal Identity Stores > Users page.

  Password: User's password, which must comply with the password policies defined under System Administration > Users > Authentication Settings.

  Confirm Password: User's password, which must match the Password entry exactly.

  Change Password on next login: Check this box to start the process of changing the user's password when the user logs in next time, after authentication with the old password.

Enable Password Information
This section of the page appears only when you create an internal user. The enable password must contain 4 to 32 characters.

  Enable Password: (Optional) Internal user's TACACS+ enable password, from 4 to 32 characters. You can disable this option. See Authentication Information, page 5, for more information.

  Confirm Password: (Optional) Internal user's TACACS+ enable password, which must match the Enable Password entry exactly.

User Information
If defined, this section displays additional identity attributes defined for user records.

  ManagementHierarchy: The user's assigned access level in the hierarchy. Enter the hierarchical level of the network devices that the user can access.
  Example:
    Location:All:US:NY:MyMgmtCenter1
    Location:All:US:NY:MyMgmtCenter1|US:NY:MyMgmtCenter2
  The attribute type is string and the maximum length is 256 characters.
5. Click Submit.

The user configuration is saved. The Internal Users page appears with the new configuration.

Note: The Password Never Expired/Disabled option on the Creating Internal Users page overrides only the password lifetime settings configured on the System Administration > Users > Authentication Settings > Advanced page. It does not override account disablement caused by the date exceeds, days exceed, failed attempt count exceeds, or n days of account inactivity settings.

Related Topics
- Configuring Authentication Settings for Users, page 9
- Viewing and Performing Bulk Operations for Internal Identity Store Users, page 21
- Deleting Users from Internal Identity Stores, page 17

Deleting Users from Internal Identity Stores

To delete a user from an internal identity store:

1. Choose Users and Identity Stores > Internal Identity Store > Users.

Table 41 Users and Identity Stores > Internal Identity Store > User Properties Page (continued)

Creation/Modification Information
This section of the page appears only after you have created or modified an internal user.

  Date Created: Display only. The date and time when the user's account was created, in the format Day Mon dd hh:mm:ss UTC YYYY, where:
    Day = Day of the week.
    Mon = Three characters that represent the month of the year: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sept, Oct, Nov, Dec
    dd = Two digits that represent the day of the month; a space precedes single-digit days (1 to 9).
    hh:mm:ss = Hour, minute, and second, respectively
    YYYY = Four digits that represent the year

  Date Modified: Display only. The date and time when the user's account was last modified (updated), in the format Day Mon dd hh:mm:ss UTC YYYY, where:
    Day = Day of the week.
    Mon = Three characters that represent the month of the year: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sept, Oct, Nov, Dec
    dd = Two digits that represent the day of the month; a space precedes single-digit days (1 to 9).
    hh:mm:ss = Hour, minute, and second, respectively
    YYYY = Four digits that represent the year
The Internal Users page appears.

2. Check one or more check boxes next to the users you want to delete.

3. Click Delete.

The following message appears: Are you sure you want to delete the selected item/items?

4. Click OK.

The selected internal users are deleted.

Related Topics
- Viewing and Performing Bulk Operations for Internal Identity Store Users, page 21
- Creating Internal Users, page 13

Enable and Disable Password Hashing for Internal Users

ACS 5.7 provides enhanced protection for internal users' passwords by introducing the "Enable Password Hash" option on the Creating Internal Users page of the ACS web interface. Previous releases of ACS stored internal users' passwords in clear text in the ACS internal user database, where ACS administrators could view them. To enhance the security of internal users' passwords, ACS 5.7 therefore introduces the "Enable Password Hash" option. If you enable it, the user's password is hashed with the PBKDF2 hashing algorithm of Cisco SSL and only the hash is stored in the internal user database. This feature applies only to password-based authentication; when the option is enabled, you cannot use CHAP and MSCHAP authentication, because those methods need the server to have the clear-text password to verify the client's response.

If you enable this option while creating internal users, ACS converts the passwords to hashes and stores the hashes in the internal user database. When a user tries to access the network with the login password, ACS hashes that password with PBKDF2 and compares the result with the hash stored in the internal user database. If the hashes match, ACS allows the user to log in to the network; if they do not match, ACS fails the authentication and the user cannot log in.
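The following is an added example, not ACS code, showing the mechanics behind the option described above and the password history check from Table 39 ("Password must be different from the previous n versions"). The page does not state the salt length, iteration count or PRF that ACS uses, so the PBKDF2-HMAC-SHA256 parameters, the record format, the class and function names and the sample passwords here are this example's own. It also shows, with an RFC 1994 CHAP response computation, why CHAP cannot be verified once only a hash is stored, and why the password must be changed immediately after hashing is turned off.

```python
"""Hashed password storage and checking for an internal user store, in the style of the
"Enable Password Hash" option, plus the password-history check from Table 39.
Added example, not ACS code: the PBKDF2-HMAC-SHA256 parameters and the record format
are this example's own choices, and the passwords used are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # deliberately slow; this per-authentication cost is the delay the guide warns about
HISTORY_DEPTH = 5     # "Password must be different from the previous n versions"
PREFIX = "pbkdf2_sha256$"


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{PREFIX}{iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Re-derive the hash with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def entry_matches(entry, candidate):
    """A stored entry is either a PBKDF2 record or (hashing off) the clear-text password."""
    if entry.startswith(PREFIX):
        return verify_password(entry, candidate)
    return hmac.compare_digest(entry.encode("utf-8"), candidate.encode("utf-8"))


def chap_response(identifier, secret, challenge):
    """CHAP (RFC 1994) client response: MD5(id || secret || challenge). The server can only
    recompute this from the clear-text secret, which is why hashing disables CHAP/MSCHAP."""
    return hashlib.md5(bytes([identifier]) + secret.encode("utf-8") + challenge).digest()


class InternalUser:
    """User record whose password entries are PBKDF2 hashes while hashing is enabled."""

    def __init__(self, username, password, hashed=True):
        self.username = username
        self.hashed = hashed
        self.history = []  # password entries, oldest first; the first one is the default password
        self.set_password(password)

    def set_password(self, new_password):
        """Reject reuse of any of the previous HISTORY_DEPTH passwords (default password included),
        then store the new one as a hash or, if hashing has been turned off, as clear text."""
        if any(entry_matches(old, new_password) for old in self.history[-HISTORY_DEPTH:]):
            raise ValueError(f"password must differ from the previous {HISTORY_DEPTH} passwords")
        self.history.append(hash_password(new_password) if self.hashed else new_password)

    def check_login(self, candidate):
        """Password-based (PAP-style) authentication works with either storage form."""
        return entry_matches(self.history[-1], candidate)

    def check_chap(self, identifier, challenge, response):
        """CHAP verification is only possible while the current entry is clear text."""
        current = self.history[-1]
        if current.startswith(PREFIX):
            raise RuntimeError("CHAP/MSCHAP unavailable: only a PBKDF2 hash of the password is stored")
        return hmac.compare_digest(chap_response(identifier, current, challenge), response)

    def disable_hashing(self):
        """Unchecking Enable Password Hash: the stored hash cannot be turned back into clear
        text, so CHAP stays unavailable until set_password() is called with a new password."""
        self.hashed = False
```

Because the history keeps the old PBKDF2 records, the "previous n versions" check still rejects a password that was used while hashing was on, even after the option has been turned off and a clear-text password stored; entry_matches simply verifies each candidate against whichever form the entry has.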
You can uncheck the Enable Password Hash check box to disable this option. Because of the iterations that PBKDF2 performs to make the hash stronger, you can expect a delay in the authentication response from ACS when the server is under heavy load.

To enable password hashing for internal users in ACS:

1. Choose Users and Identity Stores > Internal Identity Stores > Users.

The Internal Users page appears with the list of available internal users.

2. Perform one of the following:
- Click Create.
- Check the check box next to the user for whom you want to enable password hashing and click Edit.

3. Check the Enable Password Hash check box.

4. Click Submit.

The password hashing option is enabled for the selected internal user.

To disable password hashing for internal users in ACS:

1. Choose Users and Identity Stores > Internal Identity Stores > Users.
The Internal Users page appears with the list of available internal users.

2. Check the check box next to the user for whom you want to disable password hashing and click Edit.

3. Uncheck the Enable Password Hash check box.

4. Click Submit.

The password hashing option is disabled for the selected internal user.

Note: After disabling the Enable Password Hash option, you must change the user password immediately.

5. Check the check box next to the user for whom you disabled the password hash option and click Change Password.

6. Enter the new password in the Password field.

7. Enter the new password in the Confirm Password field.

8. Click Submit.

Configuring Password Expiry Notification Emails to Users and Administrators

Before you Begin
Email Settings must be configured under Monitoring Configuration. See Specifying E Mail Settings, page 14, for Email Settings.

ACS 5.7 allows you to configure password expiry notification emails for internal users and administrators. You enter the recipient's email address on the Creating Internal Users page (or the administrator account page) of the ACS web interface, and the number of days before password expiry at which notifications begin in the advanced authentication settings. If you configure this feature, ACS 5.7 sends the internal users and administrators one email a day, starting from the nth day before their password expires. ACS checks users' and administrators' password expiry 5 minutes after the management process is restarted, and then every 24 hours from the last check. For this feature to work properly, the Email Settings option must be configured under Monitoring Configuration.

Configuring Password Expiry Reminder for Users

To send password expiry reminder emails to internal users, configure the following from the ACS web interface:

1. Choose Users and Identity Stores > Internal Identity Stores > Users.
The Internal Users page appears with the list of available internal users.

2. Perform one of the following:
- Click Create.
- Check the check box next to the user for whom you want to configure the password expiry reminder and click Edit.

3. Enter the user's email address in the Email Address text box.

4. Click Submit.

5. Choose System Administration > Users > Authentication Settings > Advanced.

The Advanced Authentication Settings page for users appears.

6. Check the Send Email for password expiry before n days check box and enter the number of days.
Note: The Send Email for password expiry before n days check box is disabled if the password lifetime is not configured.

7. Click Submit.

The password expiry reminder is now configured. Users receive one email a day, starting from the nth day before their password expires, with the following message:

  Dear User,
  Your password is going to expire on day, date month year at time UTC. We recommend that you reset your password immediately to avoid being locked out.
  Regards,
  CiscoSecureACS Administrator.

Configuring Password Expiry Reminder for Administrators

To send password expiry reminder emails to internal administrators, configure the following from the ACS web interface:

1. Choose System Administration > Administrators > Accounts.

The Administrator Accounts page appears with the list of available internal administrators.

2. Perform one of the following:
- Click Create.
- Check the check box next to the administrator for whom you want to configure the password expiry reminder and click Edit.

3. Enter the administrator's email address in the Email Address text box.

4. Click Submit.

5. Choose System Administration > Administrators > Settings > Authentication > Advanced.

The Advanced Authentication Settings page for administrators appears.

6. Check the Send Email for password expiry before n days check box and enter the number of days.

Note: The Send Email for password expiry before n days check box is disabled if the Disable administrator account after n days if password was not changed option is not configured.

7. Click Submit.

The password expiry reminder is now configured. Administrators receive one email a day, starting from the nth day before their password expires, with the following message:

  Dear Administrator,
  Your password is going to expire on day, date month year at time UTC. We recommend that you reset your password immediately to avoid being locked out.
  Regards,
  CiscoSecureACS Administrator.

Related Topics
- Viewing and Performing Bulk Operations for Internal Identity Store Users, page 21
- Creating Internal Users, page 13