
Table Of Contents

Tuning CiscoSecure ACS Performance and Configuration

Overview of Configurable Files in CiscoSecure ACS

AAA Server Control File (CSU.cfg)

Disabling Features in CSU.cfg to Improve Authentication Performance

Enabling and Reading AAA Server Metrics Information in the csuslog File

Tuning AAA Server-Based Timed Out Max Sessions Counts

DBServer Control File (CSConfig.ini)

Restricting Client Access to the CiscoSecure ACS Administration Tools

Managing Accounting Performance

Tuning Profile Caching

Tuning DBServer-based Timed Out Max Sessions Counts

Message Catalogs

Using Message Catalogs to Support Multiple Languages

Assigning a Message Catalog to a TACACS+-Enabled NAS

Message Catalog Format

Changing the Default TCP/IP Port Number of the Netscape FastTrack Server

Tuning Netscape Navigator Web Console Browser Performance

Increase Memory and Disk Cache

Clear Cache Memory after CiscoSecure ACS Upgrade

Netscape Virtual Memory Management

Changing the Username and Password on the Web Server


Tuning CiscoSecure ACS Performance and Configuration


This chapter describes configuration parameters and syntax in various configuration files that one can use for tuning CiscoSecure Access Control Server (ACS) performance and feedback. It includes the following sections:

Overview of Configurable Files in CiscoSecure ACS

AAA Server Control File (CSU.cfg)

DBServer Control File (CSConfig.ini)

Message Catalogs

Changing the Default TCP/IP Port Number of the Netscape FastTrack Server

Tuning Netscape Navigator Web Console Browser Performance

Overview of Configurable Files in CiscoSecure ACS

The following table lists configurable text files in the CiscoSecure ACS 2.3 for UNIX product:

Table 16-1 Configuration Files for CiscoSecure ACS 

Path and Filename
Description

$BASEDIR/config/CSU.cfg

AAA Server control file

$BASEDIR/config/CSConfig.ini

DBServer configuration file

$BASEDIR/ns-home/docs/CScgi/CSS_Config.ini

CGI configuration file

$BASEDIR/ns-home/admserv/ns-admin.conf

Netscape Admin Server configuration file

$BASEDIR/ns-home/httpd-websrvr/config/magnus.conf

where websrvr is the name displayed when you enter uname -n at the web server.

Netscape Web Server configuration file

$BASEDIR/FastAdmin/turbo.conf

Acme Web Server config file

$BASEDIR/CSU/libenigma.conf

Secure Computing SafeWord AS config file

$BASEDIR/CSU/libdb.conf

AAA Server DBClient configuration file

$BASEDIR/utils/bin/env_setup

CSdbTool/ExecSQL configuration file

$BASEDIR/utils/CSProperties.txt

CSimport/CSmigrate configuration file



Caution In addition to the configuration files mentioned above, there are also many script files that have the path to where CiscoSecure is installed hard-coded. For this reason, we never recommend moving the directory where the CiscoSecure ACS 2.3 for UNIX software is installed.

AAA Server Control File (CSU.cfg)

The AAA server control file (CSU.cfg) is the main file required to set up the AAA server module of the CiscoSecure ACS software and is located in the $BASEDIR/config directory. This file includes basic configuration parameters for each TACACS+ network access server (NAS) to be serviced and specifies the following information:

License key that enables CiscoSecure ACS software

TACACS+ NAS-specific configuration parameters:

Name of the TACACS+ NAS to which the parameters are to be applied

Encryption key shared between the CiscoSecure ACS and the selected TACACS+ NAS

Message catalog filename for the specified TACACS+ NAS

Maximum time (in seconds) after sending a response to wait for a client to continue a transaction

Maximum number of attempts to get username and password before the operation is cancelled

Maximum period of inactivity (in seconds) before an open accounting session is timed out and closed

Duration of the warning period for expiring passwords and services

List of TACACS+ NASes authorized to use SENDPASS as an authentication method

The syntax of the server control file is similar to that of C-language syntax. Each statement or grouping is terminated by a semicolon. Comments begin with the characters "/*" and end with the characters "*/". Lines can be continued on a successive line by ending them with a back-slash (\).

The variables shown in Table 16-2 are either valid in the CSU.cfg file or appear there when the CiscoSecure ACS is installed.

Table 16-2 Variables in the CSU.cfg Files 

Type
Name
Default
Description and Example

String

config_acct_filename

/var/log/CSAccountingLog

The file where accounting records are stored in case of database failure.

Example:

STRING config_acct_filename = "/spec/Acct";

Number

config_acct_fn_enable

1 (enable)

Whether to enable or disable inclusion of per user group membership information in an accounting record if a user profile has the "accounting feature" attribute added.

When this function is disabled, an accounting record for a user session will not insert group information in the accounting record.

1 = enable; 0 = disable

Example:

NUMBER config_acct_fn_enable = 0;

For details on the accounting feature attribute and group membership accounting information, see "Tuning CiscoSecure ACS Performance and Configuration."

Number

config_cache_group_timeout

5 (seconds)

Number of seconds to maintain group profile records in the ACS profile cache. Normally group profiles are maintained in the profile cache for only short periods to save system memory; however, if group profile information is frequently accessed for ACS authentication, authorization, and accounting functions, you can improve performance by extending the seconds a group profile remains in cache before timing out.

0 = no timeout

Example:

NUMBER config_cache_group_timeout = 240;

Number

config_callerid_enable

1 (enable)

Whether to enable or disable the use of the caller ID as a username when a username cannot be found. If the caller ID support feature is not required, Cisco recommends disabling it to improve authentication performance.

1 = enable; 0 = disable

Example:

NUMBER config_callerid_enable = 0;

For details on caller ID support, see the section Caller ID Profile-Sample Configuration in the chapter, "Strategies Applying Attributes" in the CiscoSecure ACS 2.3 for UNIX User Guide.

Number

config_defaultuser_enable

1 (enable)

Whether to enable or disable use of the default user profile if the user/callerID cannot be found. If the default user/caller ID support feature is not required, Cisco recommends disabling it to improve authentication performance.

1 = enable; 0 = disable

Example:

NUMBER config_defaultuser_enable = 0;

Number

config_distmaxsessions_enable

0 (disable)

Whether to enable or disable the Distributed Session Manager (DSM) features in CiscoSecure ACS 2.3 for UNIX packages with the optional DSM module.

Even if you installed CiscoSecure with the licensed DSM module, you must enable this variable after installation to enable the DSM features. The enabled setting is valid only if the optional DSM module has been licensed and installed.

Normally, this setting is enabled through the Max Sessions Enabled field in the CiscoSecure Administrator AAA>General web page.

Important: If this variable is enabled, then the config_maxsessions_enable variable, which enables limited AAA server-based max sessions control, must be disabled.

Number

config_expiry_period

60 (days)

Number of days before a (new) password changed via CHPASS expires.

Example:

NUMBER config_expiry_period = 30;

Number

config_get_names_from_dns

1 (true)

Whether the AAA server should perform IP address-to-hostname lookups.

Example:

NUMBER config_get_names_from_dns = 0;

Number

config_hex_string_support_enable

0 (disable)

Whether to enable or disable use of hex strings in the RADIUS string type. This variable can be toggled to enable ACS output of raw binary data required by certain models of U.S. Robotics NASes. If this function is enabled, you can enter any binary string by using "0x" followed by the hexadecimal representation of the bytes you wish to output. For example, "0x30313a3233" generates "01:23" (0x30, 0x31, 0x3a, 0x32 and 0x33 are the ASCII codes for '0', '1', ':', '2' and '3').

1 = enable; 0 = disable

Example:

NUMBER config_hex_string_support_enable = 1;

List

config_license_key

None

The license key used to enable the product.

Example:

LIST config_license_key = {"061db8afcf66db981f3c"};

Number

config_limit_for_idle_connection

300 (seconds)

Maximum number of seconds to hold an idle NAS connection open.

Example:

NUMBER config_limit_for_idle_connection = 300;

Number

config_logging_configuration

0x7E

Configure logging parameters.The default (0x7E) turns on all the standard logging levels. Additional details and debugging information can be configured through options in the CiscoSecure ACS AAA General web page, described in "Managing General Settings on the ACS" in the chapter "ACS and NAS Management" of the CiscoSecure ACS 2.3 for UNIX User Guide.

Example:

NUMBER config_logging_configuration = 0x7E;
NUMBER config_logging_configuration = 0xffffffff; /* allow RADIUS debug */
NUMBER config_logging_configuration = 0xffffff7f; /* no RADIUS debug */

Number

config_max_failed_authentication

10

The maximum number of failed authentications allowed before a profile is disabled. This limit reduces the chance that an online password-guessing attack against a CiscoSecure user account succeeds. Because the lockout is triggered by failed attempts alone, anyone who knows a username can also use it to lock that account out, so choose a value that balances the two risks.

This setting is normally determined by the value you specify for the Max Failed Authentications field in the CiscoSecure ACS AAA General web page.

Number

config_maxsessions_enable

0 (disable)

Whether to enable or disable the limited AAA server implementation of max sessions checking of groups or users.

1 = enable; 0 = disable

Example:

NUMBER config_maxsessions_enable = 1;

Normally, this setting is enabled through the Max Sessions Enabled field in the CiscoSecure Administrator AAA>General web page.

Note If this parameter is enabled, then the config_distmaxsessions_enable parameter, which enables full DSM-based max sessions control, must be disabled.

Number

config_maxsessions_session_timeout

1440 (minutes)

Number of minutes after which a session will be considered closed by the limited AAA max sessions counter. The purpose of this variable is to remove from the max sessions count sessions that should be timed out, but that, for some reason, have not been noted as closed or decremented by the max session counter. It does not actually enforce closure of the session in the NAS.

Example:

NUMBER config_maxsessions_session_timeout = 60;

Note This variable applies only to the limited AAA server implementation of max sessions checking. For details on this variable see the "Tuning AAA Server-Based Timed Out Max Sessions Counts" section.

Number

config_maxsessions_purge_interval

60 (minutes)

Interval in minutes between checking the possible timeout of sessions for the purpose of updating the max sessions counter.

Example:

NUMBER config_maxsessions_purge_interval = 90;

Note This variable applies only to the limited AAA server implementation of max sessions checking. For details on this variable see the "Tuning AAA Server-Based Timed Out Max Sessions Counts" section.

Number

config_metrics_enable

0 (disable)

Whether to enable or disable AAA server metrics monitoring. This feature records AAA server performance statistics (such as transactions per second, total authentications) in the csuslog file.

1 = enable; 0 = disable

Example:

NUMBER config_metrics_enable = 1;

For a description of the AAA server metrics, see "Troubleshooting "Severe SQL Error" Messages" in "Troubleshooting Information."

See the config_metrics_log_interval description for other related information.

Note AAA server metrics information can cause the csuslog file to grow extremely large. Cisco recommends enabling this feature only for short periods of time.

Number

config_metrics_log_interval

8 (seconds)

Number of seconds between the AAA metrics updates to the csuslog file. See the config_metrics_enable description in this table for related information.

Example:

NUMBER config_metrics_log_interval = 10;

NAS

config_nas_config

None

Specifies, for each TACACS+ NAS client and in this order: the NAS host name, the shared secret (encryption key), the message catalog, the number of username retries allowed, the number of password retries allowed, whether this entry is the default NAS configuration (1/0), whether the NAS is trusted for SENDPASS (1/0), and the password expiration period in days.

Example:

NAS config_nas_config = {
    { "NAS_NAMEA", "SECRET12345", "./cat_1", 1, 3, 1, 1, 30 }
    { "NAS_NAMEB", "SECRET16789", "./cat_1", 1, 3, 0, 0, 30 }
};

Number

config_nodelay_for_tcp

1 (on)

Whether to set TCP_NODELAY on TCP (Transmission Control Protocol) sockets, which turns off the Nagle algorithm. Leave this on for performance reasons.

Example:

NUMBER config_nodelay_for_tcp = 1;

Number

config_priv_level_for_own_CHPASS

1

Privilege level at which a user can change his/her own password.

Example:

NUMBER config_priv_level_for_own_CHPASS = 1;

Number

config_receive_buffer_size

16384 (16 KB)

Buffer size to allocate for receive function in each TCP connection.

Example:

NUMBER config_receive_buffer_size = 8192;

Number

config_record_write_frequency

5

This variable is no longer used.

Number

config_send_buffer_size

16384 (16 KB)

Buffer size to allocate for send function in each TCP connection.

Example:

NUMBER config_send_buffer_size = 8192;

String

config_server_ip_address

NA

The IP address of the CiscoSecure ACS. Do not change this value.

Number

config_system_logging_level

0x80

Syslog facility under which to log. The default, 0x80 (decimal 128), is the numeric value of the LOG_LOCAL0 facility.

Example:

NUMBER config_system_logging_level= 0x80;

Number

config_system_priority_level

-4

System priority to assign the CiscoSecure ACS daemon.

Example:

NUMBER config_system_priority_level = -4;

Number

config_token_cache_absolute_timeout

86400 (seconds in one day)

The absolute number of seconds that a token password will be cached for users being authenticated through the CiscoSecure ACS. This is the time out for the tokens that are using method=session. There are cases where a token can remain valid forever if the stop record was lost. This is meant to be a safeguard parameter that does not allow any token (method=session) to remain valid beyond the configured time.

This setting is normally determined by the value you specify for the Token Cache Absolute Timeout field in the CiscoSecure ACS AAA General web page.

String

config_update_log_filename

None

This variable is no longer used.

Number

config_use_keepalives

1 (on)

Determines whether SO_KEEPALIVE on TCP sockets should be set.

Example:

NUMBER config_use_keepalives = 1;

Number

config_warning_period

20 (days)

Number of days before a password expires during which the user is warned that his or her password will expire soon.

Example:

NUMBER config_warning_period = 10;



Disabling Features in CSU.cfg to Improve Authentication Performance

To improve authentication performance, you can set some of the CSU.cfg variables described in Table 16-2 to disabled status if the feature they toggle is not required for your operation. Disabling unneeded optional features improves authentication performance by stopping processes that require additional system time.

The following variables can be set to disable if you do not require the feature that they toggle on and off (for example: config_maxsessions_enable = 0):

config_metrics_enable

config_callerid_enable

config_maxsessions_enable

config_defaultuser_enable

config_acct_fn_enable

For any of these listed variables, check the description in Table 16-2 to decide whether you need the feature they enable or not.
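The following is an added example (written for this page, not Cisco's code) that reads a CSU.cfg file using the grammar described above: C-style comments, statements terminated by a semicolon, backslash line continuation, and the NUMBER, STRING, LIST and NAS value types. It also applies two of the documented rules as checks: config_maxsessions_enable and config_distmaxsessions_enable must not both be 1, and each config_nas_config entry must carry the eight positional fields in the order the table gives. The sample file, its NAS names, secrets and dummy license key are constructed; the assumption that commas between NAS entries are optional follows the layout of the example in Table 16-2.

```python
"""Reader and sanity checker for the CSU.cfg grammar described above.
Added example, not Cisco's code: it implements the documented lexical rules
(/* */ comments, ';' terminators, backslash continuation) and the NUMBER,
STRING, LIST and NAS value types. The sample, NAS names, secrets and license
key below are constructed."""
import re

SAMPLE_CSU_CFG = r'''
/* constructed excerpt; the two max sessions switches conflict on purpose */
NUMBER config_logging_configuration = 0x7E;
NUMBER config_maxsessions_enable = 1;
NUMBER config_distmaxsessions_enable = 1;
STRING config_acct_filename = "/var/log/CSAccountingLog";
LIST   config_license_key = {"0000000000000000dead"};
NAS config_nas_config = {
    { "NAS_NAMEA", "SECRET12345", "./cat_1", 1, 3, 1, 1, 30 }
    { "NAS_NAMEB", "SECRET16789", \
      "./cat_1", 1, 3, 0, 0, 30 }
};
'''

TOKEN_RE = re.compile(
    r'"(?P<str>[^"\\]*(?:\\.[^"\\]*)*)"'     # double-quoted string (escapes kept raw)
    r'|(?P<num>-?0[xX][0-9a-fA-F]+|-?\d+)'   # 0x hex or decimal, optionally negative
    r'|(?P<ident>[A-Za-z_][A-Za-z0-9_]*)'    # type keyword or variable name
    r'|(?P<punct>[{}=,;])'
    r'|(?P<ws>\s+)')
TYPES = {'NUMBER': int, 'STRING': str, 'LIST': list, 'NAS': list}
NAS_FIELDS = ('name', 'secret', 'catalog', 'user_retries', 'pass_retries',
              'default_nas', 'trusted_sendpass', 'expiry_days')  # documented order


def tokenize(text):
    """Strip comments, join backslash-continued lines, return (kind, value) pairs."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S).replace('\\\n', '')
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:
            raise ValueError(f'unexpected character {text[pos]!r} at offset {pos}')
        pos = m.end()
        if m.lastgroup != 'ws':
            val = int(m.group(), 0) if m.lastgroup == 'num' else m.group(m.lastgroup)
            tokens.append((m.lastgroup, val))
    return tokens


def parse_csu_cfg(text):
    """Return {variable: value}; each statement is TYPE name = value ;"""
    toks, cfg, pos = tokenize(text), {}, 0

    def expect(kind, value=None):
        nonlocal pos
        got = toks[pos] if pos < len(toks) else (None, None)
        if got[0] != kind or (value is not None and got[1] != value):
            raise ValueError(f'expected {value or kind}, got {got[1]!r}')
        pos += 1
        return got[1]

    def parse_value():
        nonlocal pos
        kind, val = toks[pos] if pos < len(toks) else (None, None)
        pos += 1
        if (kind, val) == ('punct', '{'):            # LIST body or NAS block
            items = []
            while pos < len(toks) and toks[pos] != ('punct', '}'):
                if toks[pos] == ('punct', ','):      # commas between NAS entries are optional
                    pos += 1
                else:
                    items.append(parse_value())
            expect('punct', '}')
            return items
        if kind in ('num', 'str'):
            return val
        raise ValueError(f'unexpected token {val!r}')

    while pos < len(toks):
        typ = expect('ident')
        if typ not in TYPES:
            raise ValueError(f'unknown type keyword {typ!r}')
        name = expect('ident')
        expect('punct', '=')
        val = parse_value()
        expect('punct', ';')
        if not isinstance(val, TYPES[typ]):
            raise ValueError(f'{name}: {typ} expected, got {val!r}')
        cfg[name] = val
    return cfg


def nas_entries(cfg):
    """Map each config_nas_config tuple onto the documented positional fields."""
    entries = []
    for entry in cfg.get('config_nas_config', []):
        if len(entry) != len(NAS_FIELDS):
            raise ValueError(f'NAS entry has {len(entry)} fields, expected {len(NAS_FIELDS)}')
        entries.append(dict(zip(NAS_FIELDS, entry)))
    return entries


def audit(cfg):
    """Findings: the documented mutual exclusion, plus NAS entries with an empty secret."""
    findings = []
    if cfg.get('config_maxsessions_enable') == 1 and cfg.get('config_distmaxsessions_enable') == 1:
        findings.append('config_maxsessions_enable and config_distmaxsessions_enable are both 1; '
                        'only one max sessions implementation may be enabled')
    for nas in nas_entries(cfg):
        if not nas['secret']:
            findings.append(f"{nas['name']}: empty TACACS+ shared secret")
    return findings
```

Run parse_csu_cfg on the text of $BASEDIR/config/CSU.cfg and pass the result to audit before restarting the AAA server; the empty-secret check is this example's own addition, not a rule the page states.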

Enabling and Reading AAA Server Metrics Information in the csuslog File

Two CSU.cfg variables enable AAA server metrics logging to the csuslog file. The metrics keep a running total of the authentication checks, and of the accounting, max sessions, and profile information requests sent to the relational database management system (RDBMS), together with the current rate of authentication checks performed per second.

To activate AAA server metrics logging, set the following parameters and values in the $BASEDIR/config/CSU.cfg file:

NUMBER config_metrics_enable = 1;
NUMBER config_metrics_log_interval = interval_seconds;

where interval_seconds is the interval, in seconds, between AAA metrics polling.

Typical AAA metric data output to a csuslog file, is shown below:

Mar 9 06:11:33 srv1 Total Authentications = 3176 APS = 0.0

Mar 9 06:11:33 srv1 TotalReqs TotalSec
Mar 9 06:11:33 srv1 Accounting 3164 901.85
Mar 9 06:11:33 srv1 MaxSessions 3176 463.81
Mar 9 06:11:34 srv1 Profile 2974 248.26

Each log entry line displays the date and time of the entry and the name of the AAA server doing the processing. Other values displayed include:

Total Authentications—Total number of authentication checks performed since the last time the CiscoSecure ACS was restarted. This number includes both successful and failed authentication attempts. It does not include authentications that are in process.

APS—Authentications per second. This value is based on additional authentication checks performed between the next-to-last and last AAA server metrics sampling as set by the CSU.cfg variable, config_metrics_log_interval. (See Table 16-2 for details on the config_metrics_log_interval variable.)

Accounting, Max Sessions, and Profile—These entries display two columns of values: the total requests, and the total number of processor seconds used to process these requests.

TotalReqs—Total requests made to a particular CiscoSecure RDBMS database (either the CiscoSecure accounting records, max sessions counters, or profile databases)

TotalSec—Total number of processor seconds used to process these requests.

Because requests can be processed in parallel, the value displayed in the TotalSec column might be higher than the actual chronological passage of time. For example, if 20 simultaneous requests are made to the Profiles database and the system simultaneously processes each request using one processor second per request, then the value in the TotalSec column would increment by 20 processor seconds even though only 1 second of chronological time might have passed.


Note The values in the TotalReqs and TotalSec columns are based on the database requests made and the processor seconds consumed since the last time the CSU.cfg variable config_metrics_enable was disabled and reenabled and the CiscoSecure ACS was reinitialized.
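The following is an added example (written for this page, not Cisco's code) that parses the metrics lines described above and derives two figures the raw log does not state directly: the average processor seconds per request for each database, and the APS recomputed from two consecutive samples the way the definition above describes. The excerpt is constructed to follow the layout of the sample output, with a second sample taken config_metrics_log_interval = 8 seconds after the first.

```python
"""Parser for the AAA server metrics that config_metrics_enable writes to the
csuslog file. Added example, not Cisco's code; the excerpt is constructed to
follow the layout shown above, with two samples 8 seconds apart."""
import re
from dataclasses import dataclass, field

SAMPLE_CSUSLOG = """\
Mar  9 06:11:33 srv1 Total Authentications = 3176 APS = 0.0
Mar  9 06:11:33 srv1 TotalReqs TotalSec
Mar  9 06:11:33 srv1 Accounting 3164 901.85
Mar  9 06:11:33 srv1 MaxSessions 3176 463.81
Mar  9 06:11:34 srv1 Profile 2974 248.26
Mar  9 06:11:41 srv1 Total Authentications = 3200 APS = 3.0
Mar  9 06:11:41 srv1 TotalReqs TotalSec
Mar  9 06:11:41 srv1 Accounting 3188 908.70
Mar  9 06:11:41 srv1 MaxSessions 3200 467.50
Mar  9 06:11:42 srv1 Profile 2998 250.30
"""

_PREFIX = r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
TOTAL_RE = re.compile(_PREFIX + r'Total Authentications = (?P<total>\d+) APS = (?P<aps>\d+(?:\.\d+)?)$')
ROW_RE = re.compile(_PREFIX + r'(?P<db>Accounting|MaxSessions|Profile) (?P<reqs>\d+) (?P<secs>\d+(?:\.\d+)?)$')


@dataclass
class Sample:
    timestamp: str
    host: str
    total_auth: int
    aps: float
    rows: dict = field(default_factory=dict)   # db name -> (TotalReqs, TotalSec)


def parse_metrics(text):
    """Group csuslog lines into Samples, one per 'Total Authentications' line."""
    samples = []
    for line in text.splitlines():
        m = TOTAL_RE.match(line)
        if m:
            samples.append(Sample(m['ts'], m['host'], int(m['total']), float(m['aps'])))
            continue
        m = ROW_RE.match(line)
        if m and samples:
            samples[-1].rows[m['db']] = (int(m['reqs']), float(m['secs']))
        # the 'TotalReqs TotalSec' header and unrelated syslog lines are ignored
    return samples


def seconds_per_request(sample):
    """Average processor seconds spent per request, by database."""
    return {db: secs / reqs for db, (reqs, secs) in sample.rows.items() if reqs}


def computed_aps(prev, cur, interval_seconds):
    """APS as defined above: authentications added between two samplings, per second."""
    return (cur.total_auth - prev.total_auth) / interval_seconds


def slowest_db(sample):
    """The database with the highest processor cost per request, or None."""
    cost = seconds_per_request(sample)
    return max(cost, key=cost.get) if cost else None
```

Because TotalSec counts processor seconds across parallel requests, seconds_per_request is a per-request cost, not latency; compare it across samples to see which database is becoming more expensive as load grows.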


Tuning AAA Server-Based Timed Out Max Sessions Counts

After AAA server-based max sessions control is enabled, the AAA server-based session counter follows default CSU.cfg file settings to carry out a maintenance routine that identifies and cleans out the records of timed out sessions from CiscoSecure users' session counts. By default the AAA server-based session counter considers sessions over 1440 minutes (24 hours) to be timed out and purges the record of such sessions from its session count every 60 minutes.

You can edit the following variables in the CSU.cfg file to adjust these parameters:

config_maxsessions_session_timeout—Specifies the maximum number of minutes that the record of a CiscoSecure session can remain open before the AAA server-based max sessions counter assumes it has timed out and decrements the max sessions count by one.


Note This setting does not actually close or time out a CiscoSecure session; rather, it is used to "clean up" the records of sessions that should have already closed or timed out but that, for some reason, have not been noted as closed by the max sessions counter and thus not decremented. To set actual time out values for your users' CiscoSecure sessions, apply the TACACS+ timeout attribute or the RADIUS session-timeout attribute to their group or user profiles.


The value you specify for config_maxsessions_session_timeout should equal or exceed, in minutes, the actual timeout that you set by applying the TACACS+ timeout attribute or the RADIUS session-timeout attribute to the group or user profile. If it is shorter, the counter decrements for sessions that are still open, and the configured max sessions limit can then be exceeded.

config_maxsessions_purge_interval—Specifies the time interval in minutes at which the max sessions counter checks for the records of timed out sessions to decrement. The shortest interval between purges that you can specify is 1 minute; however, to avoid unnecessary allocation of system resources, Cisco recommends a setting of 60 minutes or more (for example: config_maxsessions_purge_interval = 60).

DBServer Control File (CSConfig.ini)

The CSConfig.ini file tunes the performance of the DBServer module of the CiscoSecure ACS software.

Restricting Client Access to the CiscoSecure ACS Administration Tools

You can edit the CSConfig.ini file to restrict administrative access to the CiscoSecure ACS Administrator web pages and command-line interface (CLI) to a specified list of workstations to which you have assigned IDs.


Step 1 Locate the CSConfig.ini file in the $BASEDIR/config directory of the CiscoSecure ACS 2.3 installation.

Step 2 Insert or edit the following lines in the [ValidClients] section of the CSConfig.ini file:

[ValidClients]
ID_num = my_wrk_station
.
.
.
ValidateClients = {true|false}

where:

ID_num is an arbitrary number you can assign for ID purposes to the workstation from which you want to access the CiscoSecure ACS.

my_wrk_station is the FQDN or IP address of the workstation from which you want to access the CiscoSecure ACS.


Note Repeat the line ID_num = my_wrk_station to assign a unique ID number to every workstation with which you want to access the CiscoSecure ACS Administrator web pages or the CLI.


ValidateClients = {true|false} toggles on and off restricted access to the CiscoSecure ACS Administrator web pages or the CLI.

ValidateClients = true restricts access to only those workstations assigned IDs in the [ValidClients] section.

ValidateClients = false allows any workstation to access the CiscoSecure ACS Administrator web pages or CLI whether or not it is specifically listed in the [ValidClients] section.

Step 3 After editing the CSConfig.ini file, restart the CiscoSecure ACS to apply the changes.


Valid Client Feature

CiscoSecure enables the Valid Client feature in the CSConfig.ini configuration file by default in release 2.3(5) and later; in earlier releases it was disabled by default. When the feature is enabled, only the trusted hosts listed in [ValidClients] can reach the DBServer. A configuration parameter, FastAdminValidClients, was added so that the Fast Administration web-based GUI honors the same list of addresses. These changes raise the default security level of the CiscoSecure product; setting ValidateClients = false reopens administrative access from any host, so leave it at true in production.

Example CSConfig.ini [ValidClients] Settings

In the following example:

[ValidClients]
100 = ws-barrylee
120 = ws-pameagan
ValidateClients = true

two workstations, with the FQDNs of ws-barrylee and ws-pameagan, are authorized to access the CiscoSecure administration tools. The setting ValidateClients = true stops any workstation not specifically listed in the [ValidClients] section from accessing the CiscoSecure ACS web pages or CLI.

In the following example:

[ValidClients]
100 = ws-barrylee
120 = ws-pameagan
ValidateClients = false

the setting ValidateClients = false allows any workstation to access the CiscoSecure ACS web pages or the CLI, whether or not it is specifically listed in the [ValidClients] section.
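The following is an added example (written for this page, not Cisco's code) that evaluates a connecting workstation against the [ValidClients] section as the two examples above describe it, and reports the settings a reviewer would flag. It assumes that the DBServer compares the client's FQDN or IP address literally against the listed entries, case-insensitively for names; the page does not spell out the matching rule. The workstation names and the 192.0.2.25 address are constructed.

```python
"""Evaluate a workstation against the [ValidClients] section of CSConfig.ini.
Added example, not Cisco's code. Assumes literal matching of the client's
FQDN or IP address against the listed entries (the page does not state the
rule). Sample names and the 192.0.2.25 address are constructed."""
import configparser
import ipaddress

SAMPLE_CSCONFIG_INI = """\
[ValidClients]
100 = ws-barrylee
120 = ws-pameagan
130 = 192.0.2.25
ValidateClients = true
"""


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _canonical(entry):
    """Normalise for comparison: canonical IP text, or lower-cased host name."""
    entry = entry.strip()
    return str(ipaddress.ip_address(entry)) if _is_ip(entry) else entry.lower()


def load_valid_clients(ini_text):
    """Return (validate_enabled, set of canonical trusted hosts)."""
    cp = configparser.ConfigParser()
    cp.optionxform = str                     # keep key case so ValidateClients is found
    cp.read_string(ini_text)
    section = cp['ValidClients']
    validate = section.get('ValidateClients', 'false').strip().lower() == 'true'
    hosts = {_canonical(v) for k, v in section.items() if k != 'ValidateClients'}
    return validate, hosts


def client_allowed(ini_text, client):
    """True if a workstation may reach the Administrator web pages or CLI."""
    validate, hosts = load_valid_clients(ini_text)
    if not validate:
        return True                          # ValidateClients = false: anyone is accepted
    return _canonical(client) in hosts


def audit_valid_clients(ini_text):
    """Findings a reviewer would raise about the section as configured."""
    validate, hosts = load_valid_clients(ini_text)
    findings = []
    if not validate:
        findings.append('ValidateClients is false: any workstation can reach the administration tools')
    elif not hosts:
        findings.append('ValidateClients is true but no workstations are listed: all administrative access is blocked')
    names = [h for h in hosts if not _is_ip(h)]
    if validate and names:
        findings.append(f'{len(names)} entries are host names rather than IP addresses; '
                        'matching them depends on name resolution')
    return findings
```

The host-name finding is this example's own caveat: a name can only match a connecting client after some resolution step, so IP addresses are the more robust form of entry.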

Managing Accounting Performance

Parameters in the [AccountingMgr] section of the $BASEDIR/config/CSConfig.ini file configure memory buffering for ACS accounting. The parameters and default settings are listed below:

Table 16-3 Accounting Management Parameters in the CSConfig.ini File 

Parameter
Default
Description and Example

LogRawAccountingPacketToDB

enable

Enables writing of raw accounting packets to the RDBMS cs_accounting_log database table.

BufferAccountingPackets

enable

Enables buffering of account packets in memory before storing in the RDBMS. If this setting is enabled, the DBServer module creates enough buffers to match the number of database connections available minus 2 up to a maximum of 8 buffers.

Note In case of sudden termination of the DBServer module (that is, situations where the DBServer is terminated before it can issue a "DBServer has shut down" message), records in this buffer will be lost.

AccountingBufferSize

500

Specifies, in bytes, the size of each packet buffer. Permissible values range from 5 to 10000.

ProcessInMemoryMaxSessionInfo

enable

Enables in-memory processing of user max sessions information. Supports limited DBServer-based max sessions counting.

Normally, this setting is enabled or disabled through the Max Sessions Enabled field in the CiscoSecure Administrator AAA>General web page.

Note If full DSM-based max sessions counting, or limited AAA server-based max sessions counting are enabled, this parameter must be disabled.

ArchiveMaxSessionInfoToDB

enable

Enables writing of user max sessions information to the RDBMS cs__user_accounting database table. Supports limited DBServer-based max sessions counting.

Note If the BufferAccountingPackets and ProcessInMemoryMaxSessionInfo parameters are enabled, then max sessions information records will be buffered as well.

Normally, this setting is enabled or disabled through the Max Sessions Enabled field in the CiscoSecure Administrator AAA>General web page.

Note If full DSM-based max sessions counting, or limited AAA server-based max sessions counting are enabled, this parameter must be disabled.

AcctPurgeInterval

60

Specifies, in minutes, the minimum interval between the times that the system checks for accounting sessions to purge. Because this purge check interval is dependent upon internal variably-timed DBServer processes, the value set here is not accurate to the minute.

For example, the setting:

AcctPurgeInterval = 75

does not necessarily guarantee that a purge check will be performed every 75 minutes. It does guarantee that a purge check will be performed no more frequently than once every 75 minutes. The actual interval between purge checks could be anything from 75 minutes to 135 minutes.

The minimum value for this parameter is 60 minutes.

For details on this parameter see the "Tuning DBServer-based Timed Out Max Sessions Counts" section.

AcctPurgeTimeOut

1440

Specifies the maximum number of minutes that a CiscoSecure session can remain open before the system assumes it is timed out and purges it.

This value is dependent on the AcctPurgeInterval setting and is not accurate to the minute. It is not intended to be set to less than 60. For details on this parameter see the "Tuning DBServer-based Timed Out Max Sessions Counts" section.


Increasing Accounting Reliability

The buffering of accounting records in memory carries an inherent risk of record loss in the unlikely event that the DBServer terminates ungracefully or is unable to write to the RDBMS for some other reason. To minimize this risk, you can set the BufferAccountingPackets and ProcessInMemoryMaxSessionInfo parameters to disable to stop accounting record buffering; however, doing so will adversely and substantially affect accounting performance.

Tuning Profile Caching


Note The information in this section applies only to changes to the database that are not made through the CiscoSecure DBServer but through third-party utility programs or CiscoSecure user database replication operations.


You can edit the DBPollInterval parameter in the [ProfileCaching] section of the $BASEDIR/config/CSConfig.ini file to modify the CiscoSecure profile caching interval. The syntax is:

DBPollInterval=caching_interval

where caching_interval specifies the interval, in minutes, between profile cache updates from the RDBMS. For example, the default setting of every 30 minutes is specified as:

DBPollInterval=30

Seconds can be specified as fractions of minutes. For example:

Profile cache updating every 90 seconds can be specified as:

DBPollInterval=1 1/2

Profile cache updating every 15 seconds can be specified as:

DBPollInterval=15/60
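The following is an added example (written for this page, not Cisco's code) that converts a DBPollInterval value to seconds, accepting the three forms documented above: whole minutes, a fraction of a minute, and a mixed number. It uses exact rational arithmetic so that "15/60" and "1 1/2" come out as 15 and 90 seconds rather than as rounded floats, rejects values that are not a positive whole number of seconds, and falls back to the documented default of 30 minutes when the key is absent. The [ProfileCaching] excerpt is constructed.

```python
"""Convert DBPollInterval values from the [ProfileCaching] section to seconds.
Added example, not Cisco's code. Accepts the three documented forms (whole
minutes, a fraction of a minute, a mixed number) and uses the documented
default of 30 minutes when the key is absent. The excerpt is constructed."""
import configparser
from fractions import Fraction

SAMPLE_PROFILE_CACHING = """\
[ProfileCaching]
DBPollInterval=1 1/2
"""
DEFAULT_POLL_SECONDS = 30 * 60


def parse_poll_interval(value):
    """'30' -> 1800, '1 1/2' -> 90, '15/60' -> 15 (seconds)."""
    parts = value.split()
    if not 1 <= len(parts) <= 2:
        raise ValueError(f'cannot parse DBPollInterval {value!r}')
    minutes = sum((Fraction(p) for p in parts), Fraction(0))   # exact rational arithmetic
    seconds = minutes * 60
    if minutes <= 0 or seconds.denominator != 1:
        raise ValueError(f'DBPollInterval {value!r} is not a positive whole number of seconds')
    return int(seconds)


def poll_interval_seconds(ini_text):
    """Seconds between profile cache refreshes for the given CSConfig.ini text."""
    cp = configparser.ConfigParser()
    cp.optionxform = str
    cp.read_string(ini_text)
    raw = cp.get('ProfileCaching', 'DBPollInterval', fallback=None)
    return DEFAULT_POLL_SECONDS if raw is None else parse_poll_interval(raw)
```

The returned number is also the longest time a profile change made outside the DBServer (replication or a third-party tool) can go unnoticed by the cache.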

Tuning DBServer-based Timed Out Max Sessions Counts

Once DBServer-based max sessions control is enabled, the DBServer-based session counter follows default CSConfig.ini file settings to carry out a maintenance routine that identifies and cleans out the records of timed out sessions from CiscoSecure users' session counts. By default the DBServer-based session counter considers sessions of over 1440 minutes (24 hours) to be timed out and purges the record of such sessions from its session count every 60 minutes.

You can edit the following parameters in the [AccountingMgr] section of the CSConfig.ini file to modify these default settings:

AcctPurgeInterval—Specifies the minimum interval, in minutes, between the times that the max sessions counter checks for the records of timed out sessions to decrement. Because this purge check interval is dependent upon internal variably-timed DBServer processes, the value set here is not accurate to the minute.

For example, the setting:

AcctPurgeInterval = 75

does not necessarily guarantee that a purge check will be performed every 75 minutes. It does guarantee that a purge check will be performed no more frequently than once every 75 minutes. The actual interval between purge checks could be any duration from 75 minutes to 135 minutes.

The minimum value for this variable is 60 minutes.

AcctPurgeTimeOut—Specifies the maximum amount of minutes that the record of a CiscoSecure session can remain open before the max sessions counter assumes it is timed out and decrements the max sessions count by one.


Note This setting does not actually close or time out a CiscoSecure session, rather it is used to "clean up" the records of sessions that should have already closed or timed out but that, for some reason, have not been noted as closed by the max sessions counter and thus not decremented. To set actual timeout values for CiscoSecure sessions, apply the TACACS+ timeout attribute or the RADIUS session-timeout attribute to a group or user profile.


The value you specify for AcctPurgeTimeOut should equal or exceed, in minutes, the actual timeout period that you set through your profile attributes. The minimum value is 60 minutes.

Message Catalogs

Message catalogs allow system administrators to redefine the set of messages sent by the CiscoSecure ACS to the users connecting to a particular NAS. Message catalogs are editable text files containing message strings that can be customized to support particular groups of users on a per-NAS basis.

Using Message Catalogs to Support Multiple Languages

A system administrator can customize multiple message catalogs to set up specific TACACS+-enabled NASes to support users of specific language backgrounds logging in to the network.

For example, to set up a specific NAS to display Spanish language messages and prompts to the users dialing in, a system administrator can edit and rename an existing message catalog, substituting Spanish language message strings for the message strings already there. (A line in a message catalog consists of a CiscoSecure message ID and a message string. The message ID is not configurable. The message string can be whatever characters you specify.)

The system administrator can then associate that message catalog with the target NAS.

Multiple message catalogs can be set up to support multiple NASes, each NAS with a different user community based on language.

Assigning a Message Catalog to a TACACS+-Enabled NAS

Each TACACS+-enabled NAS served by a CiscoSecure ACS can have a different message catalog assigned to it if necessary.

You can assign TACACS+-enabled NASes a message catalog through the NAS Message Catalog filename field in the AAA NAS page on the CiscoSecure ACS Administrator web site (See "Managing Profiles for TACACS+-Enabled NASes" in the chapter "ACS and NAS Management" of the CiscoSecure ACS 2.3 for UNIX User Guide.)


Note You cannot assign specific message catalogs to NASes enabled for RADIUS-only.


Message Catalog Format

The format of a line in the message catalog is:

msg_ID "msg_string"

Where

msg_ID is a predefined value permanently associated with a specific CiscoSecure message or prompt.

msg_string is a message string of whatever characters you specify.

For example:

3 "Hello\040there"
2 "ok, what's your password\012"

The formatting and display of messages are determined by the NAS. By convention, however, the Return-Linefeed sequence in the message catalog is represented by a newline (\n) character. You enter other special characters using escaped octal notation: a backslash (\) followed by three octal digits representing the ASCII value of the character.

For example, a Return is represented by the value \010 and a Linefeed is represented by the value \012. Extended character sets can contain null values, which are acceptable because each message is stored with an associated length field and is not null terminated.

The following list identifies the default message IDs, message names, and message strings used by the CiscoSecure ACS software:


Note Only messages 0 through 18 can be customized by the system administrator.


0, "\nUser Access Verification\n"
1, "Username:"
2, "Password:"
3, ""
4, "Change password sequence"
5, "Error - passwords the same"
6, "Your password has expired"
7, "Too many tries for username"
8, "Too many tries for password"
9, "New password:"
10, "New password again:"
11, "The passwords are different"
12, "Bad password"
13, "You cannot change your password"
14, "Your account will expire in %d days"
15, "Your password will expire in %d days"
16, "A password must be between 6 and 13 characters long, containing at least one alphabetic and one numeric character."
17, "Unable to save your changes in the database"
18, "Your account is currently disabled."
19, "Dummy"
20, "Authentication - User not found"
21, "Authentication - Bad method for user"
22, "Authentication - Bad type"
23, "Authentication - No username specified"
24, "Authentication - Insufficient privilege"
25, "Authentication - Unexpected data"
26, "Authentication - Unexpected reserved data"
27, "Authentication - Incorrect password"
28, "Authentication - Aborted sequence"
29, "Authentication - File handling error"
30, "Authentication - Unknown password type"
31, "Authentication - User not in file"
32, "Authentication - Error in external function"
33, "Authentication - Bad service"
34, "Authentication - Bad action"
35, "Authentication - Bad password"
36, "Authentication - No token passcode received"
37, "Authentication - SENDPASS successful"
38, "Authentication - SENDPASS failed"
39, "Authentication - LOGIN successful"
40, "Authentication - ENABLE successful"
41, "Authentication - CHPASS successful"
42, "Authentication - SENDAUTH successful"
43, "Authentication - SENDAUTH failed"
44, "Authentication - Too many tries"
45, "Authentication - Cant change password"
46, "Authentication - Change password failed"
47, "Authentication - Account disabled"
48, "Authentication - Maximum session exceeded"
49, "Protocol - Username too long"
50, "Protocol - Token passcode too long"
51, "Protocol - NAS name too long"
52, "Protocol - NAS port name too long"
53, "Protocol - NAC address too long"
54, "Protocol - Invalid privilege field"
55, "Protocol - Session id in use"
56, "Protocol - No session found"
57, "Protocol - Incorrect type"
58, "Protocol - Incorrect session"
59, "Protocol - Incorrect sequence"
60, "Protocol - Incorrect version"
61, "Protocol - Garbled message"
62, "Protocol - Read timeout"
63, "Protocol - Connection closed"
64, "Protocol - Bad type"
65, "Maximum number of users exceeded"
66, "Protocol - mismatched encryption"
67, "Protocol - mismatched encryption keys"
68, "Authorization - No service specified"
69, "Authorization - Failed mandatory argument"
70, "Authorization - Failed command line"
71, "Authorization - Failed service"
72, "Authorization - Failed time qualification"
73, "Authorization - Bad argument"
74, "Authorization - No command specified"
75, "Authorization - Failed command"
76, "Authorization - No protocol"
77, "Authorization - Unknown user"
78, "Authorization - Unauthorized NAS or PORT"
79, "Authorization - Request authorized"
80, "Authorization - Maximum sessions exceeded"
81, "RADIUS"
82, "DMS"
83, "Enter your new PIN, containing %s %s\nor press Y to have system generate a new PIN:"
84, "Re-Enter PIN:"
85, "PIN - %s Accept (Y/N)? "
86, "New PIN required! - Enter your new PIN, containing %s %s,\ncharacters or press return to cancel the New PIN procedure.\n\nEnter PIN:"
87, "Cannot change SDI password for user %s remotely"
88, "Enter PASSCODE:"
89, "Please enter the next code from your token:"
90, "New PIN required; do you wish to continue (Y/N)? "
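The following parser is an added example written for this chapter, not code shipped with CiscoSecure ACS. It reads a catalog in the msg_ID "msg_string" format described above, decodes the \ooo octal escapes and the conventional \n into the raw bytes the NAS receives (null bytes included, since messages are length-prefixed rather than null terminated), and flags IDs outside the 0 through 18 range that the note says cannot be customized. The sample catalog content is constructed for illustration.

```python
import re

# Constructed sample catalog (hypothetical content, not a file shipped with CiscoSecure ACS).
SAMPLE_CATALOG = r'''
0 "\nVerificaci\363n de acceso\n"
1 "Usuario:"
3 "Hello\040there"
2 "ok, what's your password\012"
17 "No se pudo guardar\000"
25 "Authentication - Unexpected data"
'''

CUSTOMIZABLE_IDS = range(0, 19)   # only messages 0 through 18 may be edited

_LINE = re.compile(r'^\s*(\d+)\s+"(.*)"\s*$')
_ESC = re.compile(r'\\([0-7]{3}|n)')

def decode_msg_string(text):
    r"""Turn quoted catalog text into the raw bytes sent to the NAS.

    \ooo is three octal digits for one byte (\040 = space, \012 = linefeed) and
    \n is the conventional newline. Bytes, not str, because a message may carry \000.
    """
    def repl(m):
        tok = m.group(1)
        if tok == 'n':
            return '\n'
        val = int(tok, 8)
        if val > 0xFF:
            raise ValueError(f"octal escape \\{tok} does not fit in one byte")
        return chr(val)
    return _ESC.sub(repl, text).encode('latin-1')

def parse_catalog(text):
    """Parse a catalog into {msg_ID: bytes}, rejecting malformed and duplicate lines."""
    catalog = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = _LINE.match(raw)
        if not m:
            raise ValueError(f'line {lineno}: expected msg_ID "msg_string"')
        msg_id = int(m.group(1))
        if msg_id in catalog:
            raise ValueError(f"line {lineno}: duplicate message ID {msg_id}")
        catalog[msg_id] = decode_msg_string(m.group(2))
    return catalog

def non_customizable_ids(catalog):
    """IDs in the catalog that the ACS does not let an administrator override."""
    return sorted(i for i in catalog if i not in CUSTOMIZABLE_IDS)
```

Running the parser over a catalog before assigning it to a NAS catches a malformed line or an out-of-range ID before users dialing in see a garbled prompt.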

Changing the Default TCP/IP Port Number of the Netscape FastTrack Server

If you change the default value of the Netscape FastTrack Server TCP/IP port number from 80 to some other value, you must perform the following additional steps to ensure continued operation of the Java-based CiscoSecure Administrator advanced configuration program.


Step 1 On the CiscoSecure ACS server, locate the $BASE/FastAdmin/turbo.conf file and change the following line:

NS_PATH=machine_name/cs/

to

NS_PATH=machine_name:new_port_num/cs/

where:

machine_name is where the CiscoSecure ACS is installed.

new_port_num is the new port number.

For example:

NS_PATH=rtp-evergreen:8080/cs/

Step 2 Locate the $BASEDIR/ns-home/httpd-hostname/config/magnus.conf file and change the following line:

Port 80

to

Port new_port_num

where new_port_num is the new TCP/IP port value.


Tuning Netscape Navigator Web Console Browser Performance

If you use the Netscape Navigator or Netscape Communicator web browser to access the CiscoSecure ACS 2.3 for UNIX Administrator web pages, use the following procedures to increase GUI performance:

Increase Memory and Disk Cache

Clear Cache Memory after CiscoSecure ACS Upgrade

Netscape Virtual Memory Management

Increase Memory and Disk Cache


Step 1 Bring up the Netscape Navigator Cache settings:

In Netscape Navigator versions earlier than 4.x, select the Netscape Navigator Options>Network Preferences menu command and click the Cache tab.

In Netscape Navigator 4.x, select the Edit>Preferences>Advanced>Cache options path.

The Memory Cache dialog box opens.

Step 2 In the Memory Cache field, increase the number from the default (1024 kilobytes) to 8000.

Step 3 In the Disk Cache field, increase the number from the default (5000 kilobytes) to 20000.

Step 4 Click OK.

The increased memory and disk cache take effect immediately.


Clear Cache Memory after CiscoSecure ACS Upgrade


Step 1 Bring up the Netscape Navigator Cache settings.

In Netscape Navigator versions earlier than 4.x, select the Netscape Navigator Options>Network Preferences menu command and click the Cache tab.

In Netscape Navigator 4.x, select the Edit>Preferences>Advanced>Cache options path.

The Memory Cache dialog box opens.

Step 2 Click Clear Memory Cache Now.

Step 3 Click Clear Disk Cache Now.

Step 4 Click OK. The memory and disk cache are cleared immediately.


Netscape Virtual Memory Management

When running the administration GUI under Netscape Navigator, the virtual memory used by Netscape constantly increases. There are no known issues associated with this behavior.

Changing the Username and Password on the Web Server

To change the username and password on your FastTrack server:


Step 1 Log in to FastTrack as the administrator using a web browser installed on the same machine:

http://name of your CiscoSecure Server:64000

A screen displays requesting your username and password.

Step 2 Enter your administrator username and password to gain access to the Web Server Administration section.


Note The default username is "admin" and the default password is "password".


Step 3 Click the Configure Administration box.

Step 4 Click the Access Control line.

Editable fields for username and password display.

Step 5 Replace the username and password as necessary.




Posted: Wed Feb 16 10:26:27 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.