
Table of Contents

Using CiscoSecure EasyACS
About the EasyACS Graphical User Interface Design
Reports and Activity
Online Documentation

Using CiscoSecure EasyACS


This chapter describes how to use the CiscoSecure EasyACS web-based interface to provide network security and to track activity on your network. The web-based interface lets you manage your database through the same type of web browser you use to view the internet. You can use it to perform network administrator tasks such as adding and deleting user and group profiles and assigning attributes and permissions. All changes made using the web-based interface are reflected in the database, and all changes made to the database are visible on the web interface.


Note      You must be running either Microsoft Internet Explorer 3.0 or Netscape Navigator 3.0 as your browser.


The following description and instructions for using the graphical user interface (GUI) assume that you are familiar with the operation of your web browser and that you have already installed and configured CiscoSecure EasyACS using the Quick Installation quick reference card shipped with the product and Chapter 2, "First-Time Configuration of CiscoSecure EasyACS Software."

About the EasyACS Graphical User Interface Design

The CiscoSecure EasyACS welcome screen displays a vertical navigational bar for performing network administration tasks and viewing online documentation. (See Figure 3-1.)


Figure 3-1   The CiscoSecure EasyACS Welcome Screen

The navigational bar lists the following selections:

When you choose one of the selections from the navigational bar on the CiscoSecure EasyACS welcome screen, the GUI presents a divided screen layout. While the navigational bar continues to display on the left, two windows now appear side-by-side to the right of the navigational bar. In Figure 3-2, for example, you see the User Setup window with its divided screen layout.


Figure 3-2   User Setup Window Showing CiscoSecure EasyACS GUI Divided Screen Layout

Of the five navigational bar selections, only User Setup, Group Setup, and EasyACS Configuration have input fields. In all three cases, all editing and modifying of parameters occurs in the left window. The right window displays one of two things: a Help window with specific information to assist you in performing the steps in the left window, along with a More Detailed Information button that displays relevant sections of the user documentation; or the output that results from performing the steps. Clicking the Back to Help button at the bottom of the left window returns you to the top of the right Help window.

User Setup

Select User Setup on the navigational bar to perform the following tasks:

Adding User Accounts

To add a user account, follow these steps:


Step 1   Click User Setup on the navigational bar.

The Select and Help windows appear. (See Figure 3-2.)


Note      The only CiscoSecure EasyACS account limits are as follows: usernames are 1 to 32 characters in length; passwords are 0 to 64 characters and cannot include the following characters: space . , ; : " ' ~ ^ * ? | \


Step 2   Enter the username to be added (for example, Rex) to the EasyACS database in the User field.

Step 3   Click Add/Edit.

The Edit form appears in the left window. The username being added appears at the top of the window. (See Figure 3-2.)

Step 4   Select a database for password authentication:

    (a). To authenticate users and passwords against the Windows NT User Database, click the button to the left of Use the NT Database. Go to Step 5.

    (b). To authenticate against the EasyACS User Database, enter the EasyACS user password in the appropriate field.

The next section on the form allows you to assign a group. This group refers to the TACACS+ settings for that group. To assign or modify a group's TACACS+ settings, see the section "Group Setup" later in this chapter.

Step 5   To assign this user account to a group, select a group from the "User assigned to group" pulldown list.

If the group's TACACS+ settings have not yet been specified, go to Step 7.

Step 6   If the group's TACACS+ settings have been specified, click View Group Settings... to view the group's current TACACS+ settings in the right window. (See Figure 3-3.)


Figure 3-3   The Group Settings Edit Window

The next section on the form allows you to specify account status information, which provides additional checks on the user account after the password has been verified. Here, you can set accounts to never expire, expire on a given date, expire after n unsuccessful authentications, or disable the account altogether. (For more information, see the section "Account Expiration" in the chapter "Overview of CiscoSecure EasyACS.")


Note      Disabling an account does not, however, remove the account from either the EasyACS database or the NT User Database. (For more information, see the section "Deleting A User Account" later in this chapter.)


Step 7   Enter the expiration information for this user account in the appropriate fields.

Step 8   If you are pulling the IP address for this user from an IP pool, leave the Address Pool field blank. Otherwise, enter the user's assigned IP address. (See the section, "Configuration #2: Using the Windows NT User Database for Authentication and Assigning an Individual IP Address to Each User" or "Configuration #5: Using the EasyACS User Database for Authentication and Assigning an Individual IP Address to Each User" in the chapter "First-Time Configuration of CiscoSecure EasyACS Software.")

Step 9   When you have completed this form, click Submit.

Editing A User Account

To edit a user account, follow these steps:


Step 1   Click User Setup on the navigational bar.

The Select and Help windows appear.

Step 2   Enter the full or partial name to be edited in the EasyACS Database in the User field (no wildcard such as * is needed).

Step 3   Click Add/Edit.

The Edit form appears, displaying the user account information.

Step 4   Edit the user account information, as desired.

Step 5   Click Submit.


Note      To change a username in the CiscoSecure EasyACS User Database, you must first delete the user and then add the renamed user. (See the next section, "Deleting A User Account.")


Deleting A User Account

To delete a user account from the CiscoSecure EasyACS Database, follow these steps.


Step 1   Click User Setup on the navigational bar.

The Select and Help windows appear.

Step 2   Enter the full or partial name to be deleted in the EasyACS Database in the User field (no wildcard such as * is needed).

Step 3   Click Add/Edit.

Step 4   At the bottom of the Edit window, click Delete User.

The Confirm Deletion action window appears. (See Figure 3-4.)


Figure 3-4   The Confirm Deletion Window

Step 5   Click Confirm.

The information window displays the user account as deleted from the CiscoSecure EasyACS User Database.


Note      If you are authenticating against the Windows NT User Database, you must also delete the user account from the Windows NT User Database. This prevents the username from being automatically re-added to the CiscoSecure EasyACS User Database the next time the user tries to log in.


Listing Users

In the User Setup Select window, you can start a database search for user accounts using any of three options:

If you select a user by specifying List users beginning with letter/number or List All Users, you see the account information in the window to the right for modification or deletion. (See Figure 3-5.)


Figure 3-5   Example of User Account Information.

Note      Users who are being authenticated against the Windows NT User Database will not appear on either list until they have been successfully authenticated once. Then, their username will be displayed. Removing the NT User from the list does not prevent them from authenticating again if they are still listed in the Windows NT User Database.


Group Setup

Select Group Setup on the navigational bar to perform the following tasks:

Listing a Group's Users

To list all users in a specified group, follow these steps:


Step 1   Click Group Setup on the navigational bar.

The Group Setup Select and Help windows appear. (See Figure 3-6.)


Figure 3-6   The Group Setup Select and Help Windows

Step 2   Select a group profile from the Group: pulldown list.

Step 3   Click Users in Group to get a listing of users assigned to that group.

The User List displays in the window to the right. If you select a user from this list, the User X form appears, displaying this user's account information. Use this form to view, modify settings, or delete the user from the group.

Step 4   Click Group Setup to return to the Select and Help windows.

Assigning and Editing Group Settings

To assign or edit a group's authorization settings, follow these steps:


Note      A user is assigned to the default group, NT Users, until the user has been reassigned to another group under User Setup.



Step 1   Confirm that you have the Group Setup window displayed. (If you're not sure, click the Group Setup button on the navigation bar to display the window.)

Step 2   Select a group profile from the pulldown list in the Select window.

Step 3   Click Edit Settings.

The group settings for the selected group appear in the left window. (See Figure 3-7.)


Figure 3-7   The Group Setup Edit Window

This form lists the group's network services that will be authorized during a dial-in session. Below the services is the list of commands and arguments to be permitted or denied. Commands apply only to the EXEC service, not to IP/IPX. (For a detailed description of the services, attributes, and commands, refer to the documentation that accompanied your network access server.)

Step 4   Click Permit to allow all unmatched Cisco IOS command strings, or click Deny to disallow any unmatched Cisco IOS command strings.

Step 5   To enable a particular network service, select the checkbox immediately to the left of the service listed under Grouping.

Attributes are defined for each service. Authorization attributes are designed specifically to help you modify the network environment of users when they log in. When you set these attributes, their values are returned to the network access server on successful completion of an authentication exchange. These attributes allow system-wide controls to be administered from CiscoSecure EasyACS.

For more information, refer to the documentation that came with your Cisco network access server. CiscoSecure EasyACS supports a subset of the TACACS+ attributes.

Step 6   Enter the value to the right of the attribute where appropriate; or click Enable to define the attribute for the selected service.


Note      If you leave the Address Pool field blank, the default IP pool configured on the network access server will be used. (See the section, "Configuration #2: Using the Windows NT User Database for Authentication and Assigning an Individual IP Address to Each User" or "Configuration #5: Using the EasyACS User Database for Authentication and Assigning an Individual IP Address to Each User" in the chapter "First-Time Configuration of CiscoSecure EasyACS Software.")


The list of commands that are currently authorized for this profile is displayed at the bottom of the Settings window.

Step 7   If you have finished editing the group settings, either click Submit to save these group settings or Clear to clear all values.


Note In Group Setup, clicking Submit saves any additions or changes to the network settings and the CiscoSecure EasyACS services are automatically stopped and restarted. For service status, select EasyACS Configuration from the navigational bar.


Step 8   To modify a command name and specify (or change) which arguments are permitted or denied, click Add/Edit. (The Add/Edit button is located at the very bottom of the Group Setup window. Depending on the size of your monitor, you might have to scroll down the window to view the Add/Edit button.)

The Cisco IOS Commands form appears in the active window. (See Figure 3-8.)


Figure 3-8   The Cisco IOS Commands Form

To enable the network access server to authorize Cisco IOS commands, you must first enter the following commands in the network access server:

aaa authorization commands 0 tacacs+
aaa authorization commands 15 tacacs+

The Cisco IOS debug command can also be used to provide valuable information about authentications and authorizations. Depending on your needs, you can enter the following debug commands on your network access server console:

debug aaa authentication
debug aaa authorization

(Refer to the network access server documentation for additional command information.)

Step 9   Enter the command name that you want to add, modify or delete in the group profile.

Step 10   Enter the arguments for each command in the appropriate field.

Step 11   Click to the left of each argument to specifically permit or deny its expression.

Step 12   Click Permit or Deny all unlisted arguments.

Step 13   Either click Finish Editing Commands to save additions or changes to the command list or click Delete Command; then click Submit to save the commands configured for the group.
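
The decision order that Steps 4 and 9 through 12 configure can be modeled as follows. This is an added example, not EasyACS code; the exact-match comparison of argument text, the sample group policy, and the list of sensitive commands are assumptions made for illustration.

```python
from dataclasses import dataclass, field

PERMIT, DENY = "permit", "deny"

@dataclass
class CommandRule:
    """One entry on the Cisco IOS Commands form (Steps 9 to 12)."""
    name: str
    arguments: dict = field(default_factory=dict)  # argument text -> PERMIT/DENY
    unlisted_arguments: str = DENY                 # Step 12 choice

@dataclass
class GroupPolicy:
    unmatched_commands: str = DENY                 # Step 4 choice
    commands: dict = field(default_factory=dict)   # command name -> CommandRule

    def add(self, rule):
        self.commands[rule.name.lower()] = rule

def authorize(policy, command_line):
    """Return (decision, reason) for one EXEC command line."""
    words = command_line.lower().split()
    if not words:
        return DENY, "empty command"
    name, args = words[0], " ".join(words[1:])
    rule = policy.commands.get(name)
    if rule is None:
        # Command is not listed for the group: the Step 4 default decides.
        return policy.unmatched_commands, "unmatched command default"
    for text, action in rule.arguments.items():
        # Assumption: argument text is compared as an exact, normalized string.
        if " ".join(text.lower().split()) == args:
            return action, f"argument rule '{text}'"
    return rule.unlisted_arguments, "unlisted argument default"

def audit(policy, must_be_denied):
    """List the command lines in must_be_denied that the policy would permit."""
    return [c for c in must_be_denied if authorize(policy, c)[0] == PERMIT]

def build_policy(unmatched):
    """Constructed sample group: 'show' mostly open, 'clear' mostly closed."""
    policy = GroupPolicy(unmatched_commands=unmatched)
    policy.add(CommandRule("show", {"running-config": DENY}, unlisted_arguments=PERMIT))
    policy.add(CommandRule("clear", {"line 1": PERMIT}, unlisted_arguments=DENY))
    return policy

# Constructed list of commands an administrator wants this group never to run.
SENSITIVE = ["configure terminal", "show running-config", "clear counters", "reload"]

if __name__ == "__main__":
    for default in (PERMIT, DENY):
        print("unmatched =", default, "->", audit(build_policy(default), SENSITIVE))
```

With Permit selected in Step 4, every command that has no entry of its own is authorized, so the audit reports the unlisted sensitive commands; with Deny, only what the command list explicitly allows gets through.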

Renaming a Group

To rename a group, follow these steps:


Step 1   Select a profile from the pulldown list in the Choose a Group action window.

Step 2   Click Rename Group.

Step 3   Enter the new name in the Name field.

Step 4   Click Submit to save the new group name or click Cancel to return to the Choose a Group window without saving a new group name.

CiscoSecure EasyACS Configuration

Select EasyACS Configuration from the navigational bar to edit your current CiscoSecure EasyACS configuration.


Note      When you installed CiscoSecure EasyACS, you were asked the following questions: if the service should be started, which database to use for authentication, and your network access server configuration. If you responded correctly, Remote Administration should be the only parameter left to set up.



Step 1   Click EasyACS Configuration on the navigational bar to display your current EasyACS configuration. (See Figure 3-9.)


Figure 3-9   EasyACS Select Window for Remote Administration

The configuration window allows you to set the following parameters:

Restarting or Stopping Service

To restart or stop the CiscoSecure EasyACS services, do the following:

Changing Your Database Preference

To change your database preference for authentication, follow these steps:


Step 1   To change your database preference, click the checkbox to the left of "Check the NT User Database for authentication for EVERY first time dialin user" to enable or disable the preference.

Step 2   If you are authenticating against the Windows NT User Database, click the checkbox to the left of "Verify the Grant dialin permission to user..." to enable or disable the preference.

Step 3   If you've changed your database preference, click Submit to save this change and start the services. (Clicking Submit automatically stops and restarts the services, causing the changes to take effect immediately.)

Changing Your Network Access Server Information

To change your network access server information, follow these steps:


Step 1   Click Edit at the "Network Access Server Information" table.

A form appears in the active window in which you can edit the network access server information. (See Figure 3-10.)


Figure 3-10   Network Access Server Information Window

    (a). Enter the NAS Host name.

    (b). Enter the NAS IP address.

    (c). Enter the TACACS+ key.

    (d). Click Submit to save these changes and to stop and start the appropriate services.

The EasyACS Configuration window reappears.

Enabling Remote Administration

You can administer CiscoSecure EasyACS from any workstation in the network as long as the workstation is running either Microsoft Internet Explorer 3.0 or Netscape Navigator 3.0. The address to enter in the remote administrator's browser is: http://<Windows NT Server ip-address>:2002.

To enable remote administration, follow these steps:


Step 1   Click Edit at the bottom of the Remote Administration table. (Depending on the size of your monitor, you might have to scroll down to view the Remote Administration Window.)

A form appears in the left window in which you can edit the Remote Administration settings. (See Figure 3-11.)


Figure 3-11   Remote Administration Window

Step 2   To enter a single address, enter the same address in both the Starting IP Address and the End IP Address fields.

Step 3   To set up a range of valid IP addresses to accommodate the use of IP Pools or DHCP, enter the first address in the Starting IP Address field and the last address in the End IP Address field.

Step 4   Click Submit to save these changes and stop and start the appropriate services.

The EasyACS Configuration window reappears.

Reports and Activity

Select Reports & Activity from the navigational bar to view the following information:

You can import these files into most database and spreadsheet applications.

Online Documentation

Use Online Documentation to generate a list of help topics from the CiscoSecure EasyACS User Guide.


Step 1   Click Online Documentation.

The Table of Contents appears in the left window.

Step 2   Click the topic that you want to display.

The online documentation displays in the right window.

Step 3   To print the online documentation, click the right window, then click Print on your browser's navigational bar.


Note      You can also access Online Documentation by clicking More Detailed Information in any "Quick Help..." window.



Posted: Sun Jan 19 10:46:26 PST 2003
All contents are Copyright © 1992-2002 Cisco Systems, Inc. All rights reserved.