Cisco ACS 5.7 User Guide
Cisco Systems, Inc. www.cisco.com

Managing System Administration Configurations

After you install Cisco Secure ACS, you must configure and administer it to manage your network efficiently. The ACS web interface allows you to easily configure ACS to perform various operations. For a list of post-installation configuration tasks to get started with ACS, see Post-Installation Configuration Tasks, page 1.

When you choose System Administration > Configuration, you can access pages that allow you to do the following:

- Configure global system options, including settings for TACACS+, EAP-TLS, PEAP, and EAP-FAST. See Configuring Global System Options, page 1.
- Configure protocol dictionaries. See Managing Dictionaries, page 6.
- Manage local server certificates. See Configuring Local Server Certificates, page 16.
- Manage log configurations. See Configuring Local and Remote Log Storage, page 23.
- Manage licensing. See Licensing Overview, page 36.

Configuring Global System Options

From the System Administration > Configuration > Global System Options pages, you can view these options:

- Configuring TACACS+ Settings, page 1
- Configuring EAP-TLS Settings, page 2
- Configuring PEAP Settings, page 3
- Configuring HTTP Proxy Settings for CRL Requests, page 3
- Configuring EAP-FAST Settings, page 4
- Generating EAP-FAST PAC, page 4

Configuring TACACS+ Settings

Use the TACACS+ Settings page to configure TACACS+ runtime characteristics. Select System Administration > Configuration > Global System Options > TACACS+ Settings. The TACACS+ Settings page appears as described in Table 1 on page 2:
Table 1 TACACS+ Settings (Option: Description)
- Port to Listen: Port number on which to listen. By default, the port number is displayed as 49. ACS 5.7 allows you to edit this field. You can configure the TACACS+ port with number 49 or with a number in the range 1024 to 65535. However, ACS does not allow port numbers that are already assigned to other services. Changing the port restarts the ACS runtime on all registered instances.
- Connection Timeout: Number of minutes before the connection times out.
- Session Timeout: Number of minutes before the session times out.
- Maximum Packet Size: Maximum packet size (in bytes).
- Single Connect Support: Check to enable single connect support.
- Login Prompts
  - Username Prompt: Text string to use as the username prompt.
  - Password Prompt: Text string to use as the password prompt.
- Password Change Control
  - Enable TELNET Change Password: Choose this option if you want to offer password changes during a TELNET session.
  - Prompt for Old Password: Text string to use as the old password prompt.
  - Prompt for New Password: Text string to use as the new password prompt.
  - Prompt for Confirm Password: Text string to use as the confirm password prompt.
  - Disable TELNET Change Password: Choose this option if you do not want to allow password changes during a TELNET session.
  - Message when Disabled: Message that is displayed when you choose the Disable TELNET Change Password option.

Configuring EAP-TLS Settings

Use the EAP-TLS Settings page to configure EAP-TLS runtime characteristics. Choose System Administration > Configuration > Global System Options > EAP-TLS Settings. The EAP-TLS Settings page appears as described in Table 2 on page 2:

Table 2 EAP-TLS Settings (Option: Description)
- General
  - Enable EAP-TLS Session Resume: Check this check box to support abbreviated reauthentication of a user who has passed full EAP-TLS authentication. This feature reauthenticates the user with only an SSL handshake and without presenting certificates again. EAP-TLS session resume works only within the specified EAP-TLS session timeout value.
  - EAP-TLS Session Timeout: Enter the number of seconds before the EAP-TLS session times out. The default value is 7200 seconds.
- Stateless Session Resume
  - Master Key Generation Period: The value is used to regenerate the master key after the specified period of time. The default is one week.
  - Revoke: Click Revoke to cancel all previous master keys. This operation should be used with caution. If the ACS node is a secondary node, the Revoke option is disabled.

Configuring PEAP Settings

Use the PEAP Settings page to configure PEAP runtime characteristics. Choose System Administration > Configuration > Global System Options > PEAP Settings. The PEAP Settings page appears as described in Table 3 on page 3:

Table 3 PEAP Settings (Option: Description)
- Enable PEAP Session Resume: When checked, ACS caches the TLS session that is created during phase one of PEAP authentication, provided the user successfully authenticates in phase two of PEAP. If a user needs to reconnect and the original PEAP session has not timed out, ACS uses the cached TLS session, resulting in faster PEAP performance and a lower AAA server load. You must specify a PEAP session timeout value for the PEAP session resume feature to work.
- PEAP Session Timeout: Enter the number of seconds before the PEAP session times out. The default value is 7200 seconds.
- Enable Fast Reconnect: Check to allow a PEAP session to resume in ACS without checking user credentials when the session resume feature is enabled.

Related Topics
- Generating EAP-FAST PAC, page 4

Configuring HTTP Proxy Settings for CRL Requests

ACS 5.7 introduces proxy settings for CRL downloads, so that requests to and responses from the CRL distribution server pass through a proxy for greater security. ACS provides an option for administrators to enable the proxy settings on the HTTP Proxy Settings page, after which ACS communicates with the CRL distribution server through the configured proxy server. The proxy server receives the request from ACS and forwards it to the CRL distribution server. The CRL distribution server, upon receiving the request from the proxy, processes it and forwards the CRLs to the proxy server. The proxy server receives the CRLs from the CRL distribution server and forwards them to ACS.

Use the HTTP Proxy Settings page to configure the HTTP proxy for CRL requests from ACS. Choose System Administration > Configuration > Global System Options > HTTP Proxy Settings. The HTTP Proxy Settings page appears as described in Table 4 on page 4:

Table 4 HTTP Proxy Settings (Option: Description)
- General
  - Enable HTTP Proxy: Check the Enable HTTP Proxy check box for ACS to communicate with the CRL distribution URL through a proxy server.
  - Proxy Address: Enter the proxy IP address or DNS-resolvable hostname to be used as a proxy server for retrieving CRLs from an external CRL distribution server. ACS communicates with the configured proxy server for CRL information. The proxy server forwards the request to the CRL distribution server URL, receives the revocation list, and forwards it to ACS.
  - Proxy Port: Enter the port number through which the proxy traffic travels to and from ACS.

Related Topics
- Adding a Certificate Authority, page 84

Configuring EAP-FAST Settings

Use the EAP-FAST Settings page to configure EAP-FAST runtime characteristics. Select System Administration > Configuration > Global System Options > EAP-FAST > Settings. The EAP-FAST Settings page appears as described in Table 5 on page 4:

Table 5 EAP-FAST Settings (Option: Description)
- General
  - Authority Identity Info Description: User-friendly string that describes the ACS server that sends credentials to a client. The client can discover this string in the Protected Access Credentials Information (PAC-Info) Type-Length-Value (TLV). The default value is Cisco Secure ACS.
  - Master Key Generation Period: The value is used to encrypt or decrypt and sign or authenticate PACs. The default is one week.
- Revoke
  - Revoke: Click Revoke to revoke all previous master keys and PACs. This operation should be used with caution. If the ACS node is a secondary node, the Revoke option is disabled.

Generating EAP-FAST PAC

Use the EAP-FAST Generate PAC page to generate a user or machine PAC.

1. Select System Administration > Configuration > Global System Options > EAP-FAST > Generate PAC. The Generate PAC page appears as described in Table 6 on page 5:

Table 6 Generate PAC (Option: Description)
- Tunnel PAC: Select to generate a tunnel PAC.
- Machine PAC: Select to generate a machine PAC.
- Identity: Specifies the username or machine name presented as the “inner username” by the EAP-FAST protocol. If the Identity string does not match that username, authentication will fail.
- PAC Time To Live: Enter the equivalent maximum value in seconds, minutes, hours, days, weeks, months, or years. Enter a positive integer.
- Password: Enter the password.

2. Click Generate PAC.

Configuring RSA SecurID Prompts

You can configure RSA prompts for an ACS deployment. The set of RSA prompts that you configure is used for all RSA realms and ACS instances in a deployment.

To configure RSA SecurID prompts:

1. Choose System Administration > Configuration > Global System Options > RSA SecurID Prompts. The RSA SecurID Prompts page appears.
2. Modify the fields described in Table 7 on page 5.

Table 7 RSA SecurID Prompts Page (Option: Description)
- Passcode Prompt: Text string to request the passcode. The default value is “Enter PASSCODE:”.
- Next Token Prompt: Text string to request the next token. The default value is “Enter Next TOKENCODE:”.
- Choose PIN Type Prompt: Text string to request the PIN type. The default value is “Do you want to enter your own pin?”.
- Accept System PIN Prompt: Text string to accept the system-generated PIN. The default value is “ARE YOU PREPARED TO ACCEPT A SYSTEM-GENERATED PIN?”.
- For the two PIN entry prompts below, if the prompt contains the following strings, they are substituted as follows:
  - {MIN_LENGTH}: replaced by the minimum PIN length configured for the RSA realm.
  - {MAX_LENGTH}: replaced by the maximum PIN length configured for the RSA realm.
  - /x/: cancels the new PIN procedure.
- Alphanumeric PIN Prompt: Text string for requesting an alphanumeric PIN.
- Numeric PIN Prompt: Text string for requesting a numeric PIN.
- Re-Enter PIN Prompt: Text string to request the user to re-enter the PIN. The default value is “Reenter PIN:”.

3. Click Submit to configure the RSA SecurID prompts.

Managing Dictionaries

The following tasks are available when you select System Administration > Configuration > Dictionaries:

- Viewing RADIUS and TACACS+ Attributes, page 6
- Configuring Identity Dictionaries, page 12

Viewing RADIUS and TACACS+ Attributes

The RADIUS and TACACS+ Dictionary pages display the available protocol attributes in these dictionaries:

- RADIUS (IETF)
- RADIUS (Cisco)
- RADIUS (Microsoft)
- RADIUS (Ascend)
- RADIUS (Cisco Airespace)
- RADIUS (Cisco Aironet)
- RADIUS (Cisco BBSM)
- RADIUS (Cisco VPN 3000)
- RADIUS (Cisco VPN 5000)
- RADIUS (Juniper)
- RADIUS (Nortel [Bay Networks])
- RADIUS (RedCreek)
- RADIUS (US Robotics)
- TACACS+

To view and choose attributes from a protocol dictionary, select System Administration > Configuration > Dictionaries > Protocols; then choose a dictionary. The Dictionary page appears with a list of available attributes as shown in Table 8 on page 6:

Table 8 Protocols Dictionary Page (Option: Description)
- Attribute: Name of the attribute.
- ID (RADIUS only): The VSA ID.
- Type: Data type of the attribute.
- Direction (RADIUS only): Specifies where the attribute is in use: in the request, in the response, or both. Single or bidirectional authentication.
- Multiple Allowed (RADIUS only): Multiple attributes are allowed. Attributes that specify multiple allowed can be used more than once in one request or response.

Use the arrows to scroll through the attribute list.

ACS 5.7 also supports RADIUS vendor-specific attributes (VSAs). A set of predefined RADIUS VSAs is available. You can define additional vendors and attributes from the ACS web interface. You can create, edit, or delete RADIUS VSAs. After you have defined new VSAs, you can use them in policies, authorization profiles, and RADIUS token servers in the same way as predefined VSAs. For more information, see:

- RADIUS VSAs, page 6
- Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes, page 7

Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes

Vendor-specific attributes (VSAs) allow vendors to create extensions to the RADIUS attributes. Each vendor is assigned a specific vendor number. VSAs are attributes that contain subattributes. ACS 5.7 allows you to create, duplicate, and edit RADIUS VSAs.

Some of the internally used attributes cannot be modified. You cannot modify an attribute’s type if the attribute is used by any policy or policy element.

To create, edit, or duplicate RADIUS VSAs:

1. Choose System Administration > Configuration > Dictionaries > Protocols > RADIUS VSA.
2. Do one of the following:
   - Click Create.
   - Check the check box of the RADIUS VSA that you want to duplicate, and click Duplicate.
   - Check the check box of the RADIUS VSA that you want to edit, and click Edit.
   The RADIUS VSA page appears. Modify the fields as described in Table 9 on page 8.
Table 9 RADIUS VSA - Create, Duplicate, Edit Page (Option: Description)
- Attribute: Name of the RADIUS VSA.
- Description: (Optional) A brief description of the RADIUS VSA.
- Vendor ID: ID of the RADIUS vendor.
- Attribute Prefix: (Optional) Prefix that you want to prepend to the RADIUS attribute so that all attributes for the vendor start with the same prefix.
- Use Advanced Vendor Options
  - Vendor Length Field Size: Vendor length field of 8 bits for specifying the length of the VSA. Choose the vendor length field size of the VSA. Valid options are 0 and 1. The default value is 1.
  - Vendor Type Field Size: Vendor type field of 8 bits. Choose the vendor type field size of the VSA. Valid options are 1, 2, and 4. The default value is 1.

3. Click Submit to save the changes.

Related Topics
- Viewing RADIUS and TACACS+ Attributes, page 6

Importing RADIUS Vendors and Vendor-Specific Attributes

ACS 5.7 supports importing RADIUS vendors and RADIUS vendor-specific attributes (VSAs). In ACS 5.7, you have the option to import the RADIUS vendors and RADIUS VSAs from a text file. This text file is based on the Free RADIUS format. For more information on the Free RADIUS format, see http://linux.die.net/man/5/dictionary. The ACS 5.7 web interface provides you the option to download the Import template. You need to enter the vendor and its attributes in the same file.

Note: ACS supports A-Z, a-z, 0-9, -, _, and / characters for use in the Import file.

Each RADIUS vendor should have a unique vendor ID. You cannot provide different IDs for the same vendor. Therefore, when you import vendors and VSAs, if the vendor name or attribute is already present in ACS, the import operation fails with errors. In this case, you need to delete that particular vendor, or both the vendor and its attributes, and then re-import the file. ACS displays an appropriate error message and stops the import operation if the file format is wrong or any unsupported characters are present in the file.
Figure 1 Example for RADIUS Vendor and VSAs in Free RADIUS File (figure omitted)

The # key at the beginning of a line indicates that the line is a comment line. The keyword VENDOR at the beginning of a line indicates that the line defines a vendor. The keyword ATTRIBUTE at the beginning of a line indicates that the line defines a VSA. The name of a VSA should start with the vendor name. For instance, if the vendor name is Cisco, then the attribute name is cisco-fax-message-id. When an attribute is of the Enumeration type, you need to specify the Enumeration name and Enumeration ID in the Free RADIUS file.

Table 10 on page 9 displays the attribute types that are supported in a Free RADIUS text file and their mapping to the attribute types in ACS.

The edit operation, delete operation, directions, and multi-value attributes are not supported when you import RADIUS vendors and RADIUS VSAs. You need to perform these operations manually after importing the vendors and VSAs.

To import RADIUS vendors and RADIUS VSAs:

1. Choose System Administration > Configuration > Dictionaries > Protocols > RADIUS VSA. The RADIUS VSA page appears.
2. Click Import. The Import dialog box appears.

Table 10 Attributes Mapping Between Free RADIUS File and ACS (Attribute Type in Free RADIUS File: Attribute Type in ACS Web Interface)
- String: String
- Octets: HexString
- IP address: IPv4 address
- Integer: Integer/Enumeration
3. Click Download Template to download the import file template from the ACS web interface and save it to your client machine.
4. Enter the RADIUS vendors and RADIUS VSAs in the specified format and save the file.
5. Click Browse to browse to the location of the Free RADIUS format file that has the RADIUS vendors and RADIUS VSAs and is ready to be imported.
6. Click Start Import to start the import operation.

The RADIUS vendors and RADIUS VSAs are imported. ACS displays the log messages in a pop-up window.

Related Topics
- Viewing RADIUS and TACACS+ Attributes, page 6

Creating, Duplicating, and Editing RADIUS Vendor-Specific Subattributes

To create, duplicate, and edit RADIUS vendor-specific subattributes:

1. Choose System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA. You can alternatively choose the RADIUS VSA from the navigation pane.
2. Do one of the following:
   - Click Create to create a subattribute for this RADIUS VSA.
   - Check the check box of the RADIUS VSA that you want to duplicate, then click Duplicate.
   - Check the check box of the RADIUS VSA that you want to edit, then click Edit.
   - Check the check box of a RADIUS vendor and click Show Vendor Attributes to view the VSAs of this vendor.
   The RADIUS VSA subattribute create page appears.
3. Complete the fields described in Table 11 on page 11.
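The import rules described above (the Free RADIUS layout with # comments, VENDOR, ATTRIBUTE and VALUE lines; the allowed character set; unique vendor IDs; VSA names that start with the vendor name; the Table 10 type mapping; and the Table 9 vendor type and length field sizes, which Free RADIUS writes as format=t,l on the VENDOR line) can be checked before a file is uploaded, so that a bad file is caught locally rather than by ACS aborting the import. The validator below is an added example and not Cisco's code; the sample dictionary is constructed (vendor IDs 9 and 429 are the real IANA numbers, the attribute names and IDs are invented), and it assumes the ACS template follows the older Free RADIUS form "ATTRIBUTE name id type vendor" rather than BEGIN-VENDOR blocks.

```python
import re
NAME_RE = re.compile(r"^[A-Za-z0-9_/-]+$")    # characters ACS accepts in the import file
TYPE_MAP = {"string": "String", "octets": "HexString", "ipaddr": "IPv4 address", "integer": "Integer"}

# Constructed sample file: vendor IDs 9 and 429 are real IANA numbers, the attributes are invented.
SAMPLE = """# vendor first, then its attributes (Free RADIUS layout)
VENDOR      Cisco   9
VENDOR      USR     429   format=4,0
ATTRIBUTE   Cisco-Fax-Message-Id   3   string    Cisco
ATTRIBUTE   Cisco-Link-Mode        4   integer   Cisco
VALUE       Cisco-Link-Mode  Dialup  1
ATTRIBUTE   USR-Port&Name          1   octets    USR
ATTRIBUTE   Fax-Mode               5   string    Cisco
"""

def check_dictionary(text):
    """Return (vendors, attrs, errors): vendors {name: (id, type_size, len_size)},
    attrs {name: (vendor, id, acs_type)}, errors as 'line N: reason' strings."""
    vendors, attrs, values, errors = {}, {}, {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()            # '#' starts a comment
        kw = f[0].upper() if f else None
        if kw == "VENDOR" and len(f) >= 3:
            name, vid, tsize, lsize = f[1], f[2], 1, 1          # Table 9 defaults: type 1, length 1
            fmt = [x[7:] for x in f[3:] if x.startswith("format=")]
            if fmt:
                tsize, lsize = map(int, fmt[0].split(","))
            if not NAME_RE.match(name) or not vid.isdigit():
                errors.append(f"line {n}: unsupported characters in vendor {name!r} / ID {vid!r}")
            elif name in vendors or int(vid) in {v[0] for v in vendors.values()}:
                errors.append(f"line {n}: vendor {name} / ID {vid} already defined")
            elif tsize not in (1, 2, 4) or lsize not in (0, 1):
                errors.append(f"line {n}: format={tsize},{lsize} outside type 1/2/4, length 0/1")
            else:
                vendors[name] = (int(vid), tsize, lsize)
        elif kw == "ATTRIBUTE" and len(f) >= 5:
            name, aid, atype, vendor = f[1], f[2], f[3].lower(), f[4]
            if not NAME_RE.match(name) or not aid.isdigit():
                errors.append(f"line {n}: unsupported characters in attribute {name!r} / ID {aid!r}")
            elif vendor not in vendors:
                errors.append(f"line {n}: vendor {vendor} is not defined in this file")
            elif not name.lower().startswith(vendor.lower()):
                errors.append(f"line {n}: VSA {name} must start with the vendor name {vendor}")
            elif atype not in TYPE_MAP:
                errors.append(f"line {n}: Free RADIUS type {atype!r} has no ACS mapping")
            else:
                attrs[name] = (vendor, int(aid), TYPE_MAP[atype])
        elif kw == "VALUE" and len(f) >= 4:          # enumeration name and ID for an integer attribute
            values.setdefault(f[1], []).append((f[2], f[3]))
        elif kw is not None:
            errors.append(f"line {n}: unrecognised line {raw.strip()!r}")
    for name, (vendor, aid, acs_type) in attrs.items():
        if acs_type == "Integer" and name in values:   # integer with VALUE lines becomes Enumeration
            attrs[name] = (vendor, aid, "Enumeration")
    return vendors, attrs, errors
```

Running check_dictionary(SAMPLE) accepts the two Cisco attributes (the integer one becomes an Enumeration because of its VALUE line) and reports the `&` in USR-Port&Name and the missing vendor prefix on Fax-Mode, the two cases ACS would reject at import time.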