

ACS and NAS Management


This chapter contains the instructions for managing the CiscoSecure Access Control Server (ACS) and its network access server (NAS) clients through the CiscoSecure ACS web-based management interface.

This chapter covers the following topics:

Managing Profiles for TACACS+-Enabled NASes

Adding and Configuring NASes as RADIUS Clients

Managing General Settings on the ACS

Managing RADIUS Settings on the ACS

Managing RADIUS Dictionaries

Displaying a System Summary and Expired Passwords

Clearing the Failed Logins Counter

Setting Up Access to a Local or Remote Domain

Logging Off the CiscoSecure Administrator Interface

Managing Profiles for TACACS+-Enabled NASes

When you installed the CiscoSecure ACS, you either specified a single NAS as a TACACS+-enabled ACS client or you allowed any NAS with a matching secret TACACS+ key to act as an ACS client. The CiscoSecure ACS AAA NAS web page enables you to add, configure, and delete profiles of TACACS+-enabled NASes as ACS clients.

Adding and Configuring Profiles of TACACS+-Enabled NASes


Step 1 In the CiscoSecure ACS web menu bar of the web interface, click AAA and NAS to display the AAA NAS web page.

Figure 6-1 AAA NAS Page

Step 2 When the AAA NAS page appears, specify the name of the NAS client that you want to add or configure.

To add a profile for a new TACACS+-enabled NAS, click New.

To edit the profile of an existing TACACS+-enabled NAS, select the NAS name and click Edit.

The NAS configuration page appears.

Figure 6-2 NAS Configuration Page

Step 3 Fill in or edit the appropriate fields:

NAS Name—The TACACS+ NAS name. This is usually the NAS host name. It can also be the IP address of the NAS. The CiscoSecure Administrator GUI accepts a maximum of 255 characters for NAS name/IP address.


Note If you use their IP addresses to specify your NASes, use either all regular expressions (for example, 10.10.1) or all fully defined IP addresses (for example, 10.10.1.48). Do not define one of your NASes with a regular expression and other NASes with fully defined subsets of that expression.


NAS Secret—The secret TACACS+ key to be used for communication between the TACACS+-enabled NAS and ACS.

NAS Message Catalogue file name—The name of the message catalogue file containing the messages to be displayed from the specified NAS client.

UserName Retries Allowed—The number of username reentries allowed before a login attempt to the specified NAS is terminated.

Password Retries Allowed—The number of password reentries allowed before a login attempt to the specified NAS is terminated.

Step 4 Click Save and then click Re-Initialize at the top right of the page to effect the changes.
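The note under Step 3 warns against mixing regular-expression NAS names with fully defined addresses that those expressions also cover. The following Python script is an added illustration, not code from the CiscoSecure product or its documentation: it models a small profile table (the secrets are placeholders), shows that a connecting NAS address can then match two profiles at once, and flags such shadowed definitions before they reach the server. Treating a non-address name as a regular expression anchored at the start of the address is an assumed reading of the note.

```python
import ipaddress
import re

# Constructed TACACS+ NAS profile table: profile name -> NAS secret.
# Names and secrets are placeholders, not values from the documentation.
PROFILES = {
    "10.10.1": "PLACEHOLDER-SECRET-SUBNET",
    "10.10.1.48": "PLACEHOLDER-SECRET-ONE-NAS",
    "192.168.5.7": "PLACEHOLDER-SECRET-OTHER-NAS",
}


def is_fully_defined(name):
    """True when the profile name is a complete dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(name)
    except ValueError:  # "10.10.1" (three octets) and host names land here
        return False
    return True


def profile_matches(name, nas_ip):
    """Fully defined names must equal the address exactly; any other name is
    treated as a regular expression anchored at the start of the address
    (an assumed reading of the note's "regular expression" wording)."""
    if is_fully_defined(name):
        return name == nas_ip
    return re.match(name, nas_ip) is not None


def matching_profiles(profiles, nas_ip):
    """All profile names that claim the connecting NAS address. More than
    one match means there is no single obvious secret for that NAS."""
    return sorted(name for name in profiles if profile_matches(name, nas_ip))


def shadowed_profiles(profiles):
    """Pairs (fully defined name, regex name) where a regular-expression
    profile also covers a fully defined one: the mixed configuration the
    note says to avoid."""
    full = [n for n in profiles if is_fully_defined(n)]
    patterns = [n for n in profiles if not is_fully_defined(n)]
    return sorted((f, p) for f in full for p in patterns if re.match(p, f))


if __name__ == "__main__":
    for nas_ip in ("10.10.1.48", "10.10.1.5", "192.168.5.7"):
        print(nas_ip, "->", matching_profiles(PROFILES, nas_ip))
    print("shadowed definitions:", shadowed_profiles(PROFILES))
```

Running the script shows 10.10.1.48 matched by both "10.10.1" and "10.10.1.48", which is exactly the ambiguity the note describes; a profile table that `shadowed_profiles` reports as empty follows the all-regex or all-fully-defined rule.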


Deleting TACACS+ NAS Profiles

To delete an existing profile of a TACACS+-enabled NAS client, do as follows:


Step 1 In the CiscoSecure ACS web menu bar of the web interface, click AAA and NAS to display the AAA NAS web page.

Step 2 In the TACACS+ NAS Configurations list box, select the profile name of the NAS that you want to disable as a CiscoSecure ACS client and click Delete.

Step 3 Click Re-Initialize at the top right of the page to effect the change.


Adding and Configuring NASes as RADIUS Clients

The CiscoSecure Administrator advanced configuration program provides a special tabbed NASes page for adding NASes as RADIUS-enabled clients to the CiscoSecure ACS.

Managing Profiles of RADIUS-Enabled NASes

To display, add, copy, delete, edit, or unlock the NASes configured as RADIUS-enabled clients, follow these steps:


Step 1 Start the Java-based CiscoSecure Administrator advanced configuration program and click the NASes tab.

Step 2 (Optional) To update the list of NASes, click the NASes button at the top of the list of available NASes. The Administrator window will reload from the database and get the current list of available NASes. This is useful when more than one person is making changes to NAS profiles.

Step 3 Click the IP address in the left column to display NAS profile information. (See Figure 6-3.)

Figure 6-3 CiscoSecure Administrator NASes Tabbed Page

The following information displays:

NAS IP address—IP address of the NAS.

Shared Secret—Password shared between the CiscoSecure ACS and the NAS.

RADIUS Vendor—Vendor classification of the NAS. Currently there are three choices: Cisco, Ascend, and IETF. This classification lets the RADIUS/AAA server know which set of extensions to associate with this NAS.

RADIUS Dictionary—The name of the RADIUS dictionary associated with this NAS. (See the "RADIUS Attribute-Value Pairs and Dictionary Management" chapter for more information on the dictionary.)


Adding a Profile of a RADIUS-Enabled NAS

To add a NAS to the list of CiscoSecure ACS clients:


Step 1 In the NASes page of the CiscoSecure Administrator advanced configuration program, click New. You will be prompted to enter the IP address of the new NAS.

Step 2 Enter the IP address of the new NAS in the NAS IP Address field.

Step 3 If necessary, log in to the NAS and input the appropriate NAS configuration commands as described in the "Changing Profile Information for a RADIUS-Enabled NAS" section.



Timesaver To create a NAS profile with characteristics similar to one already created, just click the IP address of the similar NAS, then click Copy. You can then modify individual characteristics of the new NAS by clicking Edit.


Changing Profile Information for a RADIUS-Enabled NAS

To change the information for a RADIUS-enabled NAS client, follow these steps:


Step 1 In the NASes page of the CiscoSecure Administrator advanced configuration program, click the name of the NAS for which you want to change information.

Step 2 Click Edit.

Step 3 Click the field you want to change. The following information can be changed:

Shared Secret

RADIUS Vendor

RADIUS Dictionary. (See the chapter "RADIUS Attribute-Value Pairs and Dictionary Management" in the CiscoSecure ACS 2.3 for UNIX Reference Guide for more information.)

Step 4 Type or select the new information.

Step 5 When you have finished, click one of the following:

Done—Save the edits you just made and unlock the object

Save—Save the edits you just made and keep the object locked

Cancel—Exit without making changes and unlock the object


Deleting a NAS as a RADIUS-Enabled Client

To delete a NAS as a RADIUS-enabled client:


Step 1 In the NASes page of the CiscoSecure Administrator advanced configuration program, click the name of the NAS you want to delete.

Step 2 Click Delete. The name of the NAS will be removed from the list.


Managing General Settings on the ACS

The CiscoSecure ACS AAA General web page enables you to specify authentication methods, time zone, and logging mode options for the CiscoSecure ACS server.


Step 1 In the CiscoSecure ACS web menu bar of the web interface, click AAA and then click General to display the AAA General configuration page.

Figure 6-4 AAA General Web Page

Step 2 Check off the authentication methods that you want the ACS to support. The choices are:

S/KEY—Enables the ACS to support the one-time password system from Bellcore.

PAP—Password Authentication Protocol. Enables the ACS to support the use of passwords for PAP authentication during PPP negotiation.

CHAP—Challenge Handshake Authentication Protocol. Enables the ACS to support passwords for CHAP authentication during PPP negotiation.

ARAP—AppleTalk Remote Access Protocol. Enables the ACS to support passwords for ARAP authentication during AppleTalk Remote Access (ARA).

CryptoCard—Enables the ACS to support authentication by the CRYPTOCard token card that will be used for generating passwords.

Secure Computing—Enables the ACS to support authentication by the Secure Computing SafeWord authentication server.

Security Dynamics (ACE Server)—Enables the ACS to support authentication by Security Dynamics, Inc. ACE Server.

Step 3 In the Local Timezone field, specify the local time zone in relation to Universal Mean Time (Greenwich Mean Time). For example, Universal Mean Time is 0 (zero); United States Eastern Standard Time is -5; and United States Pacific Standard Time is -8.

Step 4 In the CiscoSecure License Key field, enter the server license key. This is the key code that you received after you accessed the CiscoSecure License web page or filled out the "CiscoSecure Fax Back Form" before installing CiscoSecure ACS 2.3.

Step 5 In the Max Sessions Enabled field, select the type of max sessions control that you want enabled for this ACS. Max sessions controls enable the administrator to limit the number of sessions that a user, or group of users can open at any one time.


Note For any Max Sessions Enabled selection to take effect, the CiscoSecure ACS must be stopped and restarted, not simply "Re-Initialized." See step 10 of this procedure.


Max Sessions Enabled selections are:

None—Disables all maximum sessions controls.

Non-Distributed AAA

Non-Distributed DBServer

Both "Non-Distributed" selections enable the administrator to use the Java-based CiscoSecure Administrator advanced configuration program to apply the Profile Attributes>server max sessions attributes option to single user profiles or group profiles, limiting the number of concurrent sessions allowed to a single user or setting the default number of concurrent sessions allowed to each user in a group.

The Non-Distributed AAA selection implements a faster max sessions control routine.

The Non-Distributed DBServer selection implements a more reliable max sessions control routine—one that maintains user open session counts even if the ACS is stopped and restarted.

AAA accounting packets must be enabled on the client NASes for either selection to take effect.

Distributed—Enables the full-featured Distributed Session Manager (DSM) maximum session control. This selection enables the administrator to use the CiscoSecure Administrator DSM web pages to limit, track, and reset concurrent sessions on a per user, per group, per VPDN, or PoP specific basis.

This selection is valid only if you have licensed the DSM module on this ACS. AAA accounting packets must be enabled on the client NASes for this selection to take effect.

Step 6 In the Max. Failed Authentications field, specify the maximum number of failed authentication attempts allowed per user. This field specifies the number of failed logins allowed each user before CiscoSecure disables that user's account. This feature minimizes the possibility of successful third party "random password generator" attacks on CiscoSecure user accounts.


Note To enable user accounts that are disabled by this feature, see the "Clearing the Failed Logins Counter" section.


Step 7 In the Token Cache Absolute Timeout field, specify, in seconds, the absolute maximum amount of time that a token password will be cached for users being authenticated through this CiscoSecure ACS. This absolute timeout setting overrides individual group or user profile token caching timeout settings that specify longer time periods. This setting does not override group or user profile token caching timeout settings that specify equal or shorter periods.

Step 8 If necessary, select additional logging options in the Logging Options pane. This specifies the types of system messages that the CiscoSecure ACS will record to a system log file that you specify through the UNIX syslog utility.


Note To implement RADIUS logging options, first open the Java-based CiscoSecure Administrator advanced configuration program, click the Servers tab, select the current server, click Edit, enable the Debugging option and click Done. Then return to the AAA General page and enable the appropriate logging options described below.



Note For details on setting up the UNIX system log file, see "UNIX Syslog Configuration" in the chapter "Troubleshooting Information" in the CiscoSecure ACS 2.3 for UNIX Reference Guide.



Caution Cisco recommends that you leave these logging options unchanged. If necessary, these options can be selected for troubleshooting purposes in communication with Cisco Technical Support.

The logging options you can enable are as follows:

LOG_DEBUG—Log debug information

LOG_INFO—Log informational messages

LOG_NOTICE—Log notices

LOG_WARNING—Log warnings

LOG_ERROR—Log error messages

LOG_ALERT—Log alerts

LOG_RADIUS_DEBUG—Log RADIUS-related debug messages

AUTHEN_OK—Log normal authentication information

AUTHEN_FAIL—Log failed authentication information

AUTHEN_ERROR—Log authentication error information

AUTHEN_OUTPUT—Log information sent to the NAS client

AUTHOR_OK—Log normal authorization information

AUTHOR_FAIL_CMD—Log authorization commands failed for bad command lines

AUTHOR_FAIL_ARG—Log authorization commands failed for bad arguments

AUTHOR_FAIL_OTHER—Log authorization commands failed for other reasons

AUTHOR_ERROR—Log authorization errors

AUTHOR_OUTPUT—Log the attributes returned to the NAS on completion of an authorization request

ACCOUNT_OK—Log normal accounting information

ACCOUNT_FAIL—Log failed accounting operations

ACCOUNT_ERROR—Log errors in accounting operations

ERRNO_INFO—Log low-level protocol and operating errors from which CiscoSecure usually recovers

SERVICE_INFO—Log major protocol operations

PROTOCOL_ERROR—Log TACACS+ protocol errors

PACKET_INFO—Log TACACS+ protocol packets

Step 9 Click Re-Initialize at the top of the page to implement the changes you have made in the AAA>General page.

Step 10 In addition, if you have made changes to the Max Sessions Enabled selection, you must also stop and restart the CiscoSecure ACS for that selection change to take effect.

a. Log in as [Root] to the SPARCStation where you installed CiscoSecure ACS. To stop the ACS enter:

# /etc/rc0.d/K80CiscoSecure

b. To restart the CiscoSecure ACS, enter:

# /etc/rc2.d/S80CiscoSecure



Caution If accounting information is still being written when the /etc/rc0.d/K80CiscoSecure script is invoked to stop the ACS, the DBServer module of the ACS will not shut down until it finishes writing all accounting information to the RDBMS. This process might take as long as 10 minutes. Do not attempt to shut down the DBServer by other means during this process. Loss of accounting data might result.

Managing RADIUS Settings on the ACS

The Servers tab in the Java-based CiscoSecure Administrator advanced configuration program enables you to carry out simple RADIUS-specific configuration of all CiscoSecure ACSes installed on the network and using the same CiscoSecure database. To configure another ACS on the network, you create a profile for that ACS and edit its parameters.

To display, add, copy, delete, edit, or unlock the available CiscoSecure ACS RADIUS settings profiles:


Step 1 Start the Java-based CiscoSecure Administrator advanced configuration program and click the Servers tab.

Step 2 (Optional) To update the list of access control servers, click Servers at the top of the list of available servers. The Administrator window will reload the current list of available access control server profiles from the database. This is useful when more than one person can make changes to the ACS profiles.

Step 3 Click a server's IP address in the left window. The CiscoSecure ACS displays information about the server. (See Figure 6-5.)

Figure 6-5 CiscoSecure ACS Servers Window


Note You can move between fields by clicking the field with the mouse or pressing the Tab key.


The following fields and information display:

Server Name (IP address)—IP address of the access control server—cannot be changed.

Authentication and Authorization—Toggles authentication and authorization between enabled and disabled for this port.

Port Number—Port on which this server will accept authentication and authorization packets.

Accounting—Accounting method; selections are:

Database—Place accounting information in a database in a modified format.

Database and File—Place accounting information in both a database and a flat file.

Database then File—Place accounting information in the database. If for any reason the CiscoSecure ACS is no longer able to place it in the database, the accounting information will be placed in a flat file.

File—Place accounting information in a flat file (text in RADIUS format).

None—Ignore accounting packets on this server.

Directory—Directory in which to store accounting information, if you have selected the File, Database and File, or Database then File options for Accounting.

Perform Profile Caching—Toggles between enabled and disabled. Disabling this option turns off the profile-caching performance feature for the CiscoSecure ACS.


Note The Perform Profile Caching field applies to both RADIUS and TACACS+ server profiles.


Directory—Directory in which to store cached profile information.

Port Number—Port on which this server will listen for and/or accept accounting packets.

Time to Live—Time interval (in seconds) at which the server checks the database for updated information for the server, NAS, and dictionary profiles. Changes to the Time to Live (TTL) will not take effect until the server's next polling cycle.


Adding a RADIUS Server Profile for an ACS

To add an access control server profile to the list:


Step 1 In the Servers page of the CiscoSecure Administrator advanced configuration program, click New. You will be prompted to enter the IP address of the new server.

Step 2 Enter the IP address for the access server in the Server Name field.

Step 3 If necessary, change the configuration as described in the "Changing RADIUS Profile Information for an ACS" section.



Timesaver To create a server profile with characteristics similar to those of an existing server profile, click the IP address of the existing server profile, then click Copy. You can then modify individual characteristics, if necessary, by clicking Edit.


Changing RADIUS Profile Information for an ACS

To change RADIUS profile information for an ACS server:


Step 1 In the Servers page of the CiscoSecure Administrator advanced configuration program, click Edit.

Step 2 Click the field for the information you want to change for your server.

Step 3 Type or select the new information. Some of the information cannot be changed. The information you can change depends on your system and desired operation of the ACS. For an explanation of the fields on this screen, see the "Managing RADIUS Settings on the ACS" section.


Note The directories mentioned in the following list should already exist.


Step 4 When you have finished, click one of the following:

Done—Save the edits you just made and unlock the server profile

Save—Save the edits you just made and keep the server profile locked

Cancel—Exit without making changes and unlock the server profile


Deleting a RADIUS Profile for an ACS

To delete an access control server profile:


Step 1 In the Servers page of the CiscoSecure Administrator advanced configuration program, click the IP address of the server profile you want to delete.

Step 2 Click Delete. The IP address of the server profile will be removed from the list.


Managing RADIUS Dictionaries

The following RADIUS dictionaries are installed when you select the RADIUS protocol during installation:

Cisco—Optimized for generic Cisco IOS support

Cisco11.1—Optimized to support Cisco IOS Release 11.1

Cisco11.2—Optimized to support Cisco IOS Release 11.2

Cisco11.3—Optimized to support Cisco IOS Release 11.3

Ascend—Optimized to support Ascend

Ascend5—Optimized to support Ascend version 5

IETF—In full compliance with the IETF RADIUS RFC 2138 and RFC 2139 specifications.


Note These dictionaries cannot be changed or deleted; however, you can create copies and change the copies.



Note You do not need to configure dictionary support for the TACACS+ protocol.


To display the RADIUS dictionaries:


Step 1 Start the CiscoSecure Administrator advanced configuration program and click the Dictionaries tab.

Step 2 (Optional) To update the list of dictionaries, click Dictionaries at the top of the list of available dictionaries. The Administrator window will reload from the database and get the current list of available dictionaries. This is useful when more than one person can make changes to the dictionary profiles.

Step 3 Click the name of the dictionary for which you want to display information.

The dictionary attributes display.

Figure 6-6 RADIUS Dictionary Page View Mode

For each attribute, a summary line is displayed containing the following information:

ID—Number ID of this attribute.

Mnemonic—Attribute name.

Type—Type of data this attribute specifies. Attribute types are listed in Table 6-1.

Table 6-1 Attribute Type Values

Attribute Type   Format
string           Displayable ASCII; length cannot exceed 253 characters
ipaddr           4 octets; octets must be in network byte order
integer          32-bit value; big endian order (high byte first)
date             32-bit value; big endian order; seconds since 00:00:00 GMT, January 1, 1970
abinary          ASCII character set; length cannot exceed 254 characters
enum             32-bit value; subset of integers


Step 4 To view the detailed information for a specific attribute, click that attribute's magnifying glass icon.

When you click the attribute's magnifying glass, its detailed information appears in an attribute editor frame at the bottom of the page. The detailed information includes:

Non-Vendor or Vendor specific status—Indicates whether the attribute is a vendor-specific RADIUS attribute.

Attribute ID—Indicates the ID number of the attribute.

Attribute name—Indicates the name of the attribute.

Attribute type—Indicates the type of value in which the attribute is expressed.

Check and/or Reply item—Indicates whether the attribute falls into the category of Check item, Reply item, both, or neither.
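To make the Table 6-1 type rules concrete, here is an added Python example (not code from CiscoSecure or its dictionaries) that encodes and decodes a single RADIUS attribute-value pair according to a small constructed dictionary. User-Name (1), NAS-IP-Address (4) and Service-Type (6) with its Login-User/Framed-User values are the RFC 2138 definitions; the "Constructed-*" attributes with IDs 200 to 202 are placeholders invented for the example. The 253/254 length limits, network byte order for ipaddr, big-endian 32-bit integers and dates, and enum as a named subset of integers follow the table.

```python
import datetime
import ipaddress
import struct

# Constructed mini-dictionary in the layout the page describes:
# mnemonic -> (attribute ID, Table 6-1 type, enum values or None).
DICTIONARY = {
    "User-Name": (1, "string", None),
    "NAS-IP-Address": (4, "ipaddr", None),
    "Service-Type": (6, "enum", {"Login-User": 1, "Framed-User": 2}),
    "Constructed-Date": (200, "date", None),      # placeholder attribute
    "Constructed-Filter": (201, "abinary", None), # placeholder attribute
    "Constructed-Count": (202, "integer", None),  # placeholder attribute
}

MAX_STRING = 253   # Table 6-1 limit for string
MAX_ABINARY = 254  # Table 6-1 limit for abinary


def encode_value(attr_type, value, enum_values=None):
    """Encode one attribute value according to its Table 6-1 type."""
    if attr_type == "string":
        data = value.encode("ascii")
        if len(data) > MAX_STRING or not all(32 <= b < 127 for b in data):
            raise ValueError("string must be displayable ASCII of at most 253 characters")
        return data
    if attr_type == "abinary":
        data = value.encode("ascii")
        if len(data) > MAX_ABINARY:
            raise ValueError("abinary length cannot exceed 254 characters")
        return data
    if attr_type == "ipaddr":
        return ipaddress.IPv4Address(value).packed  # 4 octets, network byte order
    if attr_type == "integer":
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError("integer must fit in 32 bits")
        return struct.pack("!I", value)  # big endian, high byte first
    if attr_type == "date":
        if isinstance(value, datetime.datetime):
            value = int(value.timestamp())  # seconds since 1970-01-01 00:00:00 GMT
        return struct.pack("!I", value)
    if attr_type == "enum":
        if value not in enum_values:
            raise ValueError(f"{value!r} is not a defined enum value")
        return struct.pack("!I", enum_values[value])  # named subset of integers
    raise ValueError(f"unknown attribute type {attr_type!r}")


def encode_avp(dictionary, mnemonic, value):
    """Build a RADIUS attribute-value pair: 1-byte ID, 1-byte length
    (header included), then the encoded value."""
    attr_id, attr_type, enum_values = dictionary[mnemonic]
    data = encode_value(attr_type, value, enum_values)
    length = 2 + len(data)
    if length > 255:
        raise ValueError("attribute does not fit in a one-byte length field")
    return struct.pack("!BB", attr_id, length) + data


def decode_avp(dictionary, packet):
    """Inverse of encode_avp for one AVP; returns (mnemonic, value)."""
    attr_id, length = struct.unpack("!BB", packet[:2])
    data = packet[2:length]
    by_id = {entry[0]: (name, entry) for name, entry in dictionary.items()}
    name, (_, attr_type, enum_values) = by_id[attr_id]
    if attr_type in ("string", "abinary"):
        return name, data.decode("ascii")
    if attr_type == "ipaddr":
        return name, str(ipaddress.IPv4Address(data))
    number = struct.unpack("!I", data)[0]
    if attr_type == "enum":
        return name, {v: k for k, v in enum_values.items()}[number]
    return name, number


if __name__ == "__main__":
    avp = encode_avp(DICTIONARY, "NAS-IP-Address", "10.10.1.48")
    print(avp.hex(), decode_avp(DICTIONARY, avp))
```

A dictionary edit that changes an attribute's type changes how every value for that attribute is packed on the wire, which is why the Caution later in this chapter restricts dictionary editing to experienced RADIUS administrators.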


Adding a RADIUS Dictionary

To add a dictionary to the list:


Step 1 In the Dictionaries page of the Java-based CiscoSecure Administrator advanced configuration program, click New.

Step 2 Enter the name of the dictionary to add.

Step 3 If necessary, change the configuration as described in the "Changing RADIUS Dictionary Information" section.



Timesaver To create a dictionary with characteristics similar to one already created, just click the name of the similar dictionary, then click Copy. You can then modify individual characteristics of the new dictionary by clicking Edit.


Adding New Attributes To A Newly Created Dictionary


Step 1 Select the new dictionary in the dictionary page and click Edit.

Step 2 Click New. A dialog with the prompt "Create a Dictionary Mnemonic using ID XX, or enter another, unused ID" opens.

Step 3 Enter the appropriate identification and click OK. The new attribute will be created with the ID you entered.


Changing RADIUS Dictionary Information


Caution Use caution when editing dictionaries. Changes to a dictionary will affect all users who are using that dictionary. Only experienced RADIUS system administrators should attempt to edit dictionaries.

Take the following steps to change the information for a dictionary:


Step 1 In the Dictionaries page of the Java-based CiscoSecure Administrator advanced configuration program, click the name of the dictionary for which you want to change information.


Note The Cisco11.1, Cisco11.2, Cisco11.3, Ascend, Ascend5, and IETF dictionaries cannot be changed.


Step 2 Click Edit. The magnifying glass view icons become pencil edit icons. (See Figure 6-7.)

Figure 6-7 RADIUS Dictionary Page Edit Mode

Step 3 If you want to change the vendor ID for the entire dictionary, click vendor= in the lower right corner, enter a new ID number in the Enter Vendor ID dialog box, and click OK.

Step 4 If you want to change the detailed information for a specific attribute, click that attribute's pencil icon.

You can then edit that attribute's detailed information fields in the attribute edit frame at the bottom of the page:

a. Click the pencil icon to edit the values or the paper icon to add a new value.

b. Click the checkmark icon to apply changes, the broken pencil icon to cancel changes, or the X icon to delete a value.

For details on the fields, see the "Managing RADIUS Dictionaries" section.


Note Clicking the checkmark icon applies changes to memory only. Changes are not applied to the database until you click Done or Save.


Step 5 When you have finished, click one of the following:

Done—Save the edits you just made and unlock the object

Save—Save the edits you just made and keep the object locked

Cancel—Exit without making changes and unlock the object


For more information on the Dictionaries window, see the chapter "RADIUS Attribute-Value Pairs and Dictionary Management" in the CiscoSecure ACS 2.3 for UNIX Reference Guide.

Deleting a RADIUS Dictionary

To delete a dictionary:


Step 1 In the Dictionaries page of the CiscoSecure Administrator advanced configuration program, click the name of the dictionary you want to delete.

Step 2 Click Delete. The name of the dictionary will be removed from the list.


Displaying a System Summary and Expired Passwords

To display a summary of the system's statistics, go to the Members page of the CiscoSecure advanced configuration program, and click the Display System Summary and Expired Passwords button. You can also click this button to display users with expired passwords by password type.

Figure 6-8 Display System Summary and Expired Passwords Button

The CiscoSecure Properties window opens. To view the system summary, click the Summary Statistics tab. (See Figure 6-9.)

Figure 6-9 CiscoSecure Summary Statistics Window

To view expired passwords, click the Expired Passwords tab. (See Figure 6-10.)

Figure 6-10 CiscoSecure Expired Passwords Window

Clearing the Failed Logins Counter

If the number of consecutive failed logins for a given user exceeds the number set in the Max. Failed Authentications field of the CiscoSecure ACS AAA General web page, that user's account is temporarily disabled.

To reenable a user account disabled by too many consecutive failed authentications:


Step 1 In the Members page of the CiscoSecure Administrator advanced configuration program, deselect Browse, find and click the profile of the user whose account was disabled in the Navigator pane, and click Profile in the Profile pane.

Step 2 Reset the failed logins count by locating and selecting the server-current-failed logins icon in the Profile pane. Then, do one of the following:

In the Profile pane, delete the server-current-failed logins attribute and click Apply.

In the Options menu, reset the number of failed logins to zero or to a value below the number specified for Max. Failed Authentications. Then click Apply.

The ACS increments the counter by one for each failed login attempt. If the current count for a user is below the global number and the user logs in successfully, the counter is reset to zero.

Step 3 Reenable the user profile by locating and selecting the profile status icon on the Profile pane. Then do one of the following:

In the Profile pane, delete the profile status icon and click Apply.

On the profile status window, click enabled and click Apply.

Step 4 Click Submit to confirm the user profile's enabled status.
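The counter behaviour described above (increment on each failure, reset on a success below the limit, disable when the limit is exceeded, administrative reset to zero or a lower value plus re-enable) is modelled in the following added Python example. It is not CiscoSecure code; the `UserProfile` class, the limit of 3 and the attempt sequences are constructed for illustration, and "exceeds" is read as strictly greater than the Max. Failed Authentications value.

```python
from dataclasses import dataclass

MAX_FAILED_AUTHENTICATIONS = 3  # constructed value for the AAA General setting


@dataclass
class UserProfile:
    username: str
    failed_logins: int = 0   # models the server-current-failed logins attribute
    enabled: bool = True     # models the profile status attribute


def record_login_attempt(profile, success, max_failed=MAX_FAILED_AUTHENTICATIONS):
    """Apply the counter rule to one login attempt and return the outcome:
    "accepted", "rejected" or "disabled"."""
    if not profile.enabled:
        return "disabled"          # stays disabled until an administrator clears it
    if success:
        profile.failed_logins = 0  # a success below the limit resets the counter
        return "accepted"
    profile.failed_logins += 1     # one increment per failed attempt
    if profile.failed_logins > max_failed:
        profile.enabled = False    # limit exceeded: the account is disabled
        return "disabled"
    return "rejected"


def clear_failed_logins(profile, new_count=0, max_failed=MAX_FAILED_AUTHENTICATIONS):
    """Steps 2 and 3 of the procedure: reset the counter to zero or to a value
    below the limit, then set the profile status back to enabled."""
    if not 0 <= new_count < max_failed:
        raise ValueError("new count must be zero or below Max. Failed Authentications")
    profile.failed_logins = new_count
    profile.enabled = True
    return profile


def simulate(attempts, max_failed=MAX_FAILED_AUTHENTICATIONS):
    """Run a constructed sequence of True/False attempt results for one user
    and return the list of outcomes together with the final profile state."""
    profile = UserProfile("sam")
    outcomes = [record_login_attempt(profile, ok, max_failed) for ok in attempts]
    return outcomes, profile


if __name__ == "__main__":
    outcomes, profile = simulate([False, False, False, False, True])
    print(outcomes, profile)
    clear_failed_logins(profile)
    print(record_login_attempt(profile, True), profile)
```

The fourth failure in the sample sequence disables the account, and the later successful password is still refused until `clear_failed_logins` has run, which mirrors why the procedure needs both the counter reset and the status change.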


Setting Up Access to a Local or Remote Domain

If you maintain an Internet service accessed by various customers maintaining separate virtual private dial-up networks (VPDNs), the CiscoSecure ACS Domain web page enables you to authenticate VPDN users logging in to access local domains and route VPDN users logging in to access remote domains.

You can configure the CiscoSecure ACS to recognize and authenticate users logging in with specific local domain name strings. You can also configure CiscoSecure ACS to recognize and route users logging in with specific remote domain name strings to the home gateway NAS of those domains.


Note This section provides information only on setting up the CiscoSecure ACS to support login to existing VPDNs. For background information on setting up VPDNs, see the Cisco IOS Release 11.3 Dial Solutions Configuration Guide, Cisco document number 78-4732-01.


To configure the ACS to handle user login strings with domain names:


Step 1 In the CiscoSecure ACS web menu bar of the web interface, click AAA and then click Domain to display the AAA Domain configuration page.

Figure 6-11 AAA Domain Web Page

Step 2 In the Domain Name field, enter the name of the remote domain that CiscoSecure users might want to access.

For example, in the login string "sam@zephyr.com," "zephyr.com" is the domain name.

Step 3 In the Delimiter field, select the delimiter character.

This is the character that separates the username from the domain name. For example, for the login string, "sam@zephyr.com," "@" is the delimiter.

Step 4 In the Domain Name Position field, specify the domain name position in relation to the delimiter. Select Before or After.

Step 5 In the Domain Type field, specify whether the domain is local or remote.

A local domain is a domain for which a local NAS (one that is a client of the local ACS) serves as the login host.

A remote domain is a domain for which a remote NAS (one that is not a client of the local ACS) serves as the login host.

Step 6 Click Add Domain.

The domain name string you specified is displayed either in the Local Domains or Remote Domains list box.

Step 7 Click Re-Initialize at the top of the page to effect the changes.


You can enter a local domain name in the CiscoSecure Administrator GUI in the Domain Name\User Name format.
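The Domain Name, Delimiter, Domain Name Position and Domain Type fields together define how a login string is split and where the user is sent. The following Python example is added here for illustration and is not CiscoSecure code: it applies a small constructed domain table to login strings in both the "sam@zephyr.com" form from Step 2 and the Domain Name\User Name form mentioned above. zephyr.com is the page's own example; corp.example, the case-insensitive domain comparison and the fallback for a login that matches no configured domain are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainEntry:
    name: str         # Domain Name field
    delimiter: str    # Delimiter field
    position: str     # Domain Name Position: "Before" or "After" the delimiter
    domain_type: str  # Domain Type: "local" or "remote"


# Constructed AAA Domain entries; zephyr.com is the page's example,
# corp.example with the "\" delimiter is invented for this example.
DOMAINS = [
    DomainEntry("zephyr.com", "@", "After", "remote"),
    DomainEntry("corp.example", "\\", "Before", "local"),
]


def split_login(login, delimiter, position):
    """Split a login string into (username, domain) using one entry's
    delimiter and position; None when the delimiter is absent."""
    if delimiter not in login:
        return None
    if position == "After":          # user@domain
        user, _, domain = login.rpartition(delimiter)
    elif position == "Before":       # domain\user
        domain, _, user = login.partition(delimiter)
    else:
        raise ValueError("position must be 'Before' or 'After'")
    return user, domain


def classify_login(login, domains=DOMAINS):
    """Match the login string against the configured domains and report how
    the ACS would treat it: authenticate locally, or route the user to the
    remote domain's home gateway NAS. Domain comparison is case-insensitive
    (an assumption; the page does not say)."""
    for entry in domains:
        parts = split_login(login, entry.delimiter, entry.position)
        if parts is None:
            continue
        user, domain = parts
        if domain.lower() == entry.name.lower():
            if entry.domain_type == "local":
                action = "authenticate locally"
            else:
                action = "route to home gateway NAS"
            return {"username": user, "domain": entry.name,
                    "domain_type": entry.domain_type, "action": action}
    # No configured domain matched: treat the whole string as a plain
    # username (assumed fallback; the page does not describe this case).
    return {"username": login, "domain": None, "domain_type": None,
            "action": "authenticate locally"}


if __name__ == "__main__":
    for login in ("sam@zephyr.com", "corp.example\\alice", "bob", "eve@unknown.org"):
        print(login, "->", classify_login(login))
```

Because the split depends on the delimiter and position configured per domain, an entry whose delimiter also appears inside usernames would misparse logins; the `rpartition` choice for the After position keeps a username such as "a@b" intact only when the last delimiter is the real one.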

Deleting Access to a Local or Remote Domain

To delete access to a local or remote domain:


Step 1 In the CiscoSecure ACS web menu bar of the web interface, click AAA and then click Domain to display the AAA Domain configuration page.

Step 2 In the Local Domains or Remote Domains list box, select the domain name string you want to disable, then click either Delete Local or Delete Remote, whichever is applicable.

The selected domain name string disappears from the list box.

Step 3 Click Re-Initialize at the top of the page to effect the changes.


Logging Off the CiscoSecure Administrator Interface

To exit the Administrator program, click Logoff.

If you are on any CiscoSecure ACS web page, the Logoff button is in the options bar at the top of the page.

If you are in the Java-based CiscoSecure Administrator advanced configuration program, the Logoff button is located underneath the CiscoSecure Administrator banner.


Note When you log out of the Java-based CiscoSecure Administrator advanced configuration program, the program might require several minutes to shut down.




Posted: Wed Feb 16 10:32:04 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.