
Installing Cisco Secure ACS 3.0

From the document Complete Study Guide (Page 137-144)

Database replication

Scheduled ACS system backup and the ability to restore from the backup file

These and other features give you totally granular control over the AAA process, putting the matter of user access in your hands. In addition, CSNT provides the tools you need to completely monitor the CSNT server and manipulate the user database.

CS ACS 3.0.2 also has the following features and capabilities:

802.1x support

Lightweight and Efficient Application Protocol (LEAP) support

Extensible Authentication Protocol (EAP) support (EAP-MD5, EAP-TLS)

Command authorization sets

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 2 support

Per-user access control lists

Shared network access restrictions (NARs)

Wildcards in NARs

Multiple devices per AAA client configuration

Multiple LDAP lookups and LDAP failover

User-defined RADIUS vendor-specific attributes (VSAs)

Installing Cisco Secure ACS 3.0

The CS ACS installation can be condensed into the following steps:

1. Verify that the NAS and the Windows server can communicate over a LAN using TCP/IP. Ping will work fine for this job.

2. Install ACS 3.0 on the Windows 2000 server platform. Although this supposedly works with Windows NT 4.0, it’s recommended that you use a Windows 2000 server.

3. Disable Internet Access Service (IAS) on the Windows 2000 server (if it’s running), or the Cisco RADIUS server will not work.

4. Bring up the web browser interface of the ACS server.

5. Configure the NAS for AAA using TACACS+ and/or RADIUS.

6. Verify the installation and operation of the NAS and ACS server.
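A pre-install check for steps 1, 3 and 4 above, as an added example that is not from the book or from Cisco: it reports whether another service (such as IAS) already holds the RADIUS UDP ports and whether the ACS admin page answers on 127.0.0.1:2002. The function names are hypothetical, and the RADIUS port numbers (1645/1646 legacy, 1812/1813 standard) are an assumption not stated on this page.

```python
import errno
import socket

# Assumption (not from the page): legacy and standard RADIUS auth/accounting ports.
RADIUS_UDP_PORTS = (1645, 1646, 1812, 1813)
# From the page: the ACS admin interface is reached at http://127.0.0.1:2002.
ACS_ADMIN = ("127.0.0.1", 2002)


def udp_port_in_use(port, host="0.0.0.0"):
    """Return True if another process already holds this UDP port."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        probe.bind((host, port))
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return True
        raise  # any other bind failure is a real error, not a conflict
    finally:
        probe.close()
    return False


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a TCP listener accepts a connection on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(radius_ports=RADIUS_UDP_PORTS, admin=ACS_ADMIN, host="0.0.0.0"):
    """Summarise what would block the ACS RADIUS service on this server."""
    taken = [p for p in radius_ports if udp_port_in_use(p, host)]
    return {
        "radius_ports_taken": taken,                  # non-empty: see step 3
        "admin_ui_listening": tcp_port_open(*admin),  # expected True after step 4
    }


if __name__ == "__main__":
    report = preflight()
    if report["radius_ports_taken"]:
        print("UDP ports already bound:", report["radius_ports_taken"])
        print("Disable IAS or the other RADIUS service before installing ACS.")
    else:
        print("RADIUS UDP ports are free.")
    print("ACS admin UI on 127.0.0.1:2002:",
          "up" if report["admin_ui_listening"] else "not listening")
```

Run it on the Windows server itself before installation; after installation the RADIUS ports are expected to show as taken, because ACS now holds them.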

Exercise 3.1 assumes that step 1 has been completed and gets right into the installation of the ACS software.

4422c03.fm Page 57 Thursday, December 23, 2004 4:53 PM

58 Chapter 3 Configuring Cisco Secure ACS and TACACS+

EXERCISE 3.1

Cisco Secure ACS 3.0 Installation

After you bring up and test network connectivity between the Windows server and the NAS server, install the ACS on the Windows server using the following steps:

1. Once you click the Setup file, the ACS program displays the Before You Begin screen:

This screen asks you to verify that you have some basic configuration on the NAS before the ACS is installed. Be sure you don’t miss the note about the minimum IOS version on the NAS—especially if you’re studying for your SECUR exam.

2. After you’ve completed the basic configuration needed to install the ACS, click Next. The Authentication Database Configuration screen appears:

This is where you choose to use a local database on the ACS server or use the Windows server database.


3. You’re prompted to configure the ACS to talk to the NAS on the CiscoSecure ACS Network Access Server Details screen:

Look at the lower-right corner of the screen. If you click Explain, an Explanation Of CiscoSecure ACS Network Access Server Details screen appears:

This screen can be unbelievably helpful. Read this information, and you’ll learn what each field in the Details screen requires. On the CiscoSecure ACS Network Access Server Details screen, I entered the name of the NAS and the IP address of the NAS F0/0 interface. For the key, I made up a key that’s unique and extremely hard to break.


4. The next screen, Advanced Options, asks you to enter any advanced information to be displayed when using the ACS user interface:

Again, to find out why you would choose each option, click the Explain button. The Explanation Of Advanced Options Configuration screen appears:


5. The next screen, Active Service Monitoring, gives you an opportunity to configure monitoring on the ACS, as shown here:

This screen provides a great way to set up your e-mail notification in case of failure. Clicking Explain provides a description of the options, but you probably won’t need to go there because they’re self-explanatory.

6. The Network Access Server Configuration screen allows you to configure the ACS so that it configures the NAS server. This is much easier than the local authentication configuration you did in the last chapter:


Again, clicking Explain displays additional information:

7. Next you’ll see the Enable Secret Password screen. It asks you for the enable secret password of the NAS and explains what the ACS installation is trying to accomplish:

8. The next screen, Access Server Configuration, tells you that the ACS will show you how to configure the NAS, step by step:


9. Click Next to see the configuration you need to type into the NAS on the NAS Configuration screen:

10. Keep scrolling down, and you can see the entire configuration you need to configure on the NAS. The last two configuration screens appear as follows:


It can’t get much easier than that. Notice that the Setup Complete screen tells you how to get into the ACS admin screen through a browser, http://127.0.0.1:2002. The 127.0.0.1 address is considered the internal loopback or diagnostic IP address of the local machine. You use it to verify that IP is running properly on a host. In this case, the IP address 127.0.0.1 also tells the browser that you mean “this host.” The 2002 is the default port that makes a system call to the CS ACS application.

In a minute, I’ll go through the configuration of the NAS, but first let’s look at the ACS configuration. (If you want, this is a great time to take a short break and digest what you’ve just done before moving on.)
