

Advanced Group and User Management


This chapter contains the instructions for advanced configuration of group and user profiles.

The CiscoSecure Administrator advanced configuration program enables you to carry out more advanced and specialized operations: creating user groups and direct assignment of TACACS+ and RADIUS attributes to customize user and group session parameters in more detail than is possible in the CiscoSecure Access Control Server (ACS) web interface mode.

This chapter covers the following topics:

Starting the Advanced Configuration Program

Creating a Group Profile

Creating a User Profile in Advanced Configuration Mode

Assigning TACACS+ Attributes to a Group or User Profile

Assigning RADIUS Attributes to a Group or User Profile

Assigning Access Control Privilege Levels

Copying a Group or User Profile

Finding a Group or User

Displaying a Profile in Text Format

Displaying a System Summary and Expired Passwords

Moving a Profile

Unlocking a Profile

Deleting a Profile Attribute

Editing the unknown_user Default Profile

Logging Off the CiscoSecure Administrator Interface


Note All changes made using the Administrator program are reflected in the database, and all changes made to the database are visible in the Administrator program after you have refreshed it.


Starting the Advanced Configuration Program

You can start the Java-based CiscoSecure Administrator advanced configuration program from any of the CiscoSecure ACS Administrator web pages.

In the CiscoSecure ACS web menu bar of the CiscoSecure ACS web interface, click Advanced and then click Advanced again. The Java-based CiscoSecure Administrator advanced configuration program appears. It might require a few minutes to load.


Note For security reasons, the use of the Refresh button in Internet Explorer and the Shift + Reload feature in Netscape are not supported in the Advanced Administrator interface.


Figure 5-1 The CiscoSecure Administrator Advanced Configuration Program

Creating a Group Profile

Use the CiscoSecure Administrator advanced configuration program to create and configure group profiles. Cisco recommends creating group profiles to configure detailed authentication, authorization, and accounting requirements for large numbers of similar users. After the group profile is defined, you can use the CiscoSecure ACS Add a User web page to quickly add simple user profiles to the group profile. The advanced requirements you configured for the group will apply to each member user.

To create a group profile:


Step 1 In the CiscoSecure Administrator advanced configuration program, locate and deselect the Browse check box in the Navigator pane of the tabbed Members page. This displays the Create New Profile icon.

Step 2 In the Navigator pane, do one of the following:

If you want to create a group profile with no parent, locate and click the [Root] folder icon.

If you want to create your group profile as the child of another group profile, locate the group that you want to be the parent and click on it.

If the group that you want to be the parent is itself a child group, first click on its parent group's folder to display it.

Step 3 Click Create New Profile to display the New Profile dialog box.

Step 4 Select the Group check box, enter the name of the group you want to create, and click OK. The new group appears in the tree.

Step 5 After you create the group profile, assign specific TACACS+ or RADIUS attributes to configure specific authentication, authorization, and accounting properties, as follows:

If you want to assign TACACS+ attributes to the profile, see the "Assigning TACACS+ Attributes to a Group or User Profile" section for details.

If you want to assign RADIUS attributes to the profile, see the "Assigning RADIUS Attributes to a Group or User Profile" section for details.


Figure 5-2 Creating a Group Profile

Creating a User Profile in Advanced Configuration Mode

You can also use the CiscoSecure Administrator advanced configuration mode to create and configure a user profile. You might do this to customize the user profile's authorization- and accounting-related attributes in more detail than is possible through the Quick User Add page.

To create a user profile:


Step 1 In the CiscoSecure Administrator advanced configuration program, locate and deselect Browse in the Navigator pane of the tabbed Members page. This displays the Create New Profile icon.

Step 2 In the Navigator pane, do one of the following:

Locate and click the group to which the user will belong.

If you do not want the user to belong to a group, click the [Root] folder icon.

Step 3 Click Create Profile to display the New Profile dialog box.

Step 4 Make sure the Group check box is deselected.

Step 5 Enter the name of the user you want to create and click OK. The new user appears in the tree.

Step 6 After you create the user profile, assign specific TACACS+ or RADIUS attributes to configure specific authentication, authorization, and accounting properties, as follows:

To assign TACACS+ attributes to the user profile, see the "Assigning TACACS+ Attributes to a Group or User Profile" section for details.

To assign RADIUS attributes to the user profile, see the "Assigning RADIUS Attributes to a Group or User Profile" section for details.


Assigning TACACS+ Attributes to a Group or User Profile

To assign specific TACACS+ services and attributes to a group or user profile:


Step 1 In the CiscoSecure Administrator advanced configuration program, click the icon for the group or user profile in the tree that is displayed in the Navigator pane of the tabbed Members page.

Step 2 If necessary, in the Profile pane, click the Profile icon to expand it.

A list or dialog box that contains attributes applicable to the selected profile or service appears in the window at the bottom right of the screen. The information in this window changes depending on what you have selected in the Profile pane.

Step 3 Click the service or protocol that you want to add and click Apply.

The service is added to the profile.

Step 4 Enter or select the necessary text in the Attribute window. Valid entries are explained in "Strategies for Applying Attributes."


Note If you are assigning an attribute value at the group profile level, and the attribute you are specifying displays an Absolute check box, you can select that check box to assign the value absolute status. A value assigned absolute status cannot be overridden by any contending values assigned at subordinate group profile or user profile levels.


Step 5 Repeat Step 1 through Step 4 for each additional service or protocol to add.

Step 6 When you have finished making all your changes, click Submit.

Refer to the "Common TACACS+ Attributes" section for a list of the most frequently used TACACS+ protocols and services.


Figure 5-3 Assigning TACACS+ Attributes to a Profile

Common TACACS+ Attributes

If necessary, use Table 5-1 as a guide when assigning TACACS+ attributes to a user or group profile. Each entry gives the attribute, its definition, and the values it accepts.

Table 5-1 TACACS+ Attributes

service
  Definition: Indicates that this is an authorization request for starting a primary service.
  Value: slip, ppp, arap, shell

protocol
  Definition: Network protocol that is a subset of the service. This attribute must be specified when the service is PPP (Point-to-Point Protocol) to indicate that a protocol is being brought up as a secondary service.
  Value: lcp, ip, ipx, atalk, vines, unknown

cmd
  Definition: Indicates the command name for a shell command that is to be run.
  Value: NULL = shell itself

cmd-arg
  Definition: Indicates an argument for the shell command that is to be run. Multiple cmd-arg attributes can be specified and are order dependent.

acl (access control list)
  Definition: ASCII number representing a connection access list. Used only when service = shell and cmd = NULL.

inacl
  Definition: ASCII number for an interface input access list.

outacl
  Definition: ASCII number for an interface output access list.

zonelist
  Definition: Numeric zonelist value. Applicable to AppleTalk only.

addr
  Definition: Network address.

addr-pool
  Definition: Name of an address pool from which the NAS (network access server) should assign an address.

routing
  Definition: Specifies whether routing information is to be propagated to and accepted from this interface.
  Value: Boolean value

route
  Definition: Indicates a route that is to be applied to this interface. Values must be of the form dst_address mask routing_addr. If routing_addr is missing, the current interface will be used.

timeout
  Definition: Sets a value, in minutes, after which a session is terminated. Does not work for PPP. A value of zero indicates no timeout. This is NOT available on Cisco IOS Release 11.0, but is available on Cisco IOS Releases 11.1 and 11.2. Used for ARAP (AppleTalk Remote Access Protocol).
  Value: 0 - nn, where 0 = no timeout

idletime
  Definition: Sets a value, in minutes, after which an idle session is terminated. Does not work for PPP. A value of zero indicates no timeout. This is NOT available on Cisco IOS Release 11.0, but is available on Cisco IOS Releases 11.1 and 11.2.
  Value: 0 - nn, where 0 = no timeout

autocmd
  Definition: Auto-command to run. Used only when service = shell and cmd = NULL.

noescape
  Definition: Prevents the user from using an escape character. Used only when service = shell and cmd = NULL.
  Value: Boolean

nohangup
  Definition: Do not disconnect after an automatic command. Used only when service = shell and cmd = NULL.
  Value: Boolean

priv_lvl
  Definition: Privilege level to be assigned.
  Value: 1 - 15

callback-dialstring
  Definition: Number the NAS will call back.
  Value: NULL = dialstring

callback-line
  Definition: Line the NAS uses to call back the user.

callback-rotary
  Definition: Rotary number to use for a callback.

nocallback-verify
  Definition: Indicates a connection doesn't require authentication after callback.
  Value: 1


Assigning RADIUS Attributes to a Group or User Profile

To assign specific RADIUS attributes to a group or user profile:


Step 1 Assign a RADIUS dictionary to the group profile:

a. On the Members page of the CiscoSecure Administrator advanced configuration program, click the group or user icon, then click the Profile icon in the Profiles pane to display the Options menu in the Attributes pane.

b. In the Options menu, click the name of the RADIUS dictionary you want the group or user to use; for example, RADIUS - Cisco. Then click Apply.

Figure 5-4 Assigning a RADIUS Dictionary to a Group or User

Step 2 Add the required Check Items and Reply Attributes to the RADIUS profile:


Note Check items are the attributes required for authentication, such as user ID and password. Reply Attributes are the attributes sent to the NAS after the profile has passed the authentication procedure, such as Framed-Protocol. For lists and explanations of Check Items and Reply Attributes, see the chapter "RADIUS Attribute-Value Pairs and Dictionary Management" in the CiscoSecure ACS 2.3 for UNIX Reference Guide.


a. In the Profile window, click the RADIUS - dictionaryname folder icon. (You might need to click the profile's + symbol to expand the RADIUS folder.) The Check Items and Reply Attributes options appear in the Attribute Group window.

b. To use one or more of these attributes, click the attribute(s) you want to use, then click Apply. You can add more than one attribute at a time.

c. Click the + symbol for the RADIUS - dictionaryname to expand the folder.


Note If you select the RADIUS-Cisco11.3 option, make sure Cisco IOS Release 11.3.3(T) or later is installed on your connecting NASes and add new command lines to your NAS configurations. See the "Fully Enabling the RADIUS-Cisco11.3 Dictionary" section.


Step 3 Specify values for added Check Items and Reply Attributes:

a. Click Check Items and/or Reply Attributes. A list of applicable Check Items and Reply Attributes values appears in the lower right window. Click the + symbol to expand the folder.

b. Click the values you want to assign, then click Apply. For more information on the values, see the chapter "RADIUS Attribute-Value Pairs and Dictionary Management" in the CiscoSecure ACS 2.3 for UNIX Reference Guide.


Note If you are assigning an attribute value at the group profile level, and the attribute you are specifying displays an Absolute check box, you can select that check box to assign the value absolute status. A value assigned absolute status cannot be overridden by any contending values assigned at subordinate group profile or user profile levels.


c. When you have finished making changes, click Submit.


Caution For the RADIUS protocol, inheritance is additive rather than hierarchical as it is for TACACS+. For example, if you assign the same reply attributes to both the user and group profiles, authorization will fail because the NAS will be sent twice the number of attributes and will not be able to make sense of the reply attributes. Be careful not to assign the same check item or reply attribute to both the group and user profiles.

Figure 5-5 Assigning Check Items and Reply Attributes to a RADIUS Profile

Step 4 To use one or more of these attributes, click the attribute(s) you want to use, then click Apply. You can add more than one attribute at a time.

For more information on specific RADIUS attributes, see the "RADIUS Attributes Used in User Profiles" section.


RADIUS Attributes Used in User Profiles

Table 5-2 lists the RADIUS attributes that are most commonly used in user profiles. The list is not exhaustive: it does not cover every attribute supported by vendors such as Ascend, Cisco, and Livingston, and it does not include any accounting attributes. The table only attempts to list the standard RADIUS attributes that are meaningful for use in a user profile. It gives a description of each attribute and an explanation of how the attribute might be used in a user profile. Wherever applicable, special information is provided on Cisco's support for the attribute in current versions of Cisco IOS software.

Table 5-2 Common RADIUS Attributes (each entry gives the attribute number and mnemonic, followed by its description and use in a profile)

1 (User-Name)

Specifies the user's name. This attribute is not commonly used in a profile. It is sometimes used, however, as a Check Item in special profiles.

2 (User-Password)

Specifies the user's password. It is used to specify every password type (for example, CHAP, PAP, sdi, and so on) for RADIUS as opposed to TACACS+, which uses different password statements for different password types. Used as a Check Item in a profile.

4 (NAS-IP-Address)

Identifies the NAS that is requesting authentication of the user. It is not commonly used in a profile but can be used as a Check Item to permit or deny access based on the NAS into which the user is calling.

5 (NAS-Port)

Specifies the physical port number of the NAS that is requesting authentication of the user. It is not commonly used in a profile but can be used as a Check Item to permit or deny access based on the NAS port the user is calling in to if the NAS sends this attribute as part of the authentication request.

6 (Service-Type)

Indicates the type of service to authorize for the user. This is the main RADIUS attribute used in defining authorization with RADIUS. It often determines which additional attributes will be specified. It is most commonly used as a Reply Attribute but in some special profiles it can be used as a Check Item.

7 (Framed-Protocol)

Specifies the framing type to be used for framed access. It is used with Service-Type = Framed-User as a Reply Attribute.

8 (Framed-IP-Address)

Specifies the IP address to be assigned to the user. It is used with Service-Type = Framed-User as a Reply Attribute.

9 (Framed-IP-Netmask)

Indicates the IP subnet mask to be configured for the user when the user is a router. This attribute value results in a static route being added for Framed-IP-Address with the specified subnet mask. It is used with Service-Type = Framed-User as a Reply Attribute.

10 (Framed-Routing)

Indicates the routing method for the user when the user is a router. Cisco IOS software supports "None" and "Send and Listen" values for this attribute. It is used with Service-Type = Framed-User as a Reply Attribute.

11 (Filter-Id)

Indicates the name of the filter list for the user. It is used as a Reply Attribute in a profile.

12 (Framed-MTU)

Indicates the Maximum Transmission Unit (Packet Size) to be configured for the user on the link. It can be used when the MTU is not negotiated by some other means. Cisco IOS software does not currently support this attribute. It is used with Service-Type = Framed-User as a Reply Attribute.

13 (Framed-Compression)

Indicates the compression type to be used for the link. Cisco IOS software does not currently support this attribute for non-EXEC authorization. It is used with Service-Type = Framed-User as a Reply Attribute.

14 (Login-IP-Host)

Indicates the host to which the user will connect when the Login-Service attribute is included. It is used with Service-Type = Login-User. It is most commonly used as a Reply Attribute but in some special profiles it can be used as a Check Item.

15 (Login-Service)

Indicates the type of service that should be used to connect the user to the login host. It is used with Service-Type = Login-User as a Reply Attribute.

16 (Login-TCP-Port)

Indicates the TCP port with which the user is to be connected when the Login-Service attribute is also present. It is used with Service-Type = Login-User as a Reply Attribute.

18 (Reply-Message)

Displays text messages to the user. It can be used only when a "terminal window" is used during login. It is used as a Reply Attribute.

19 (Callback-Number)

Specifies the number to be used by the NAS to call back the user when Callback is configured. Cisco IOS software does not currently support this attribute. It is used with Service-Type = Callback-User as a Reply Attribute.

20 (Callback-Id)

Indicates the name of a place to be called back by the NAS. It is the responsibility of the NAS to be able to distinguish the meaning of the name. Cisco IOS software does not currently support this attribute. It is used with Service-Type = Callback-User as a Reply Attribute.

22 (Framed-Route)

Provides routing information to be configured for the user on the NAS. It is used with Service-Type = Framed-User. Used as a Reply Attribute in a profile.

23 (Framed-IPX-Network)

Specifies the IPX Network number to be configured for the link. It is used with Service-Type = Framed-User as a Reply Attribute.

26 (Vendor-Specific), also written vendor-Id vendor-type

Allows vendors to support their own extended attributes not suitable for general use. It is referred to as attribute 26 or vendor-Id vendor-type. Cisco has implemented a vendor-specific attribute called the cisco-avpair that has vendor type 1. Cisco's Vendor-Id is 9. See Cisco's web site for more information. This attribute is used as a Reply Attribute.

27 (Session-Timeout)

Sets the maximum number of seconds of service to be provided to the user before the session terminates. Cisco IOS software does not currently support this attribute for PPP sessions. This attribute is used as a Reply Attribute.

28 (Idle-Timeout)

Sets the maximum number of consecutive seconds of idle connection allowed to the user before the session terminates. Cisco IOS software does not currently support this attribute for PPP sessions. This attribute is used as a Reply Attribute.

32 (NAS-Identifier)

Indicates a name for the NAS requesting authentication. Cisco IOS software does not currently support this attribute. It is not commonly used in a profile, but can be used as a Check Item to permit or deny access based on the name of the NAS if the NAS sends this attribute as part of the authentication request. Attribute 4 (NAS-IP-Address) is more commonly sent by NASes than this attribute. The name specified must match exactly what is sent by the NAS.

34 (Login-LAT-Service)

Indicates the system with which the user is to be connected by LAT. It is only used with Service-Type = Login-User and Login-Service = LAT. Cisco IOS software only supports this attribute in EXEC mode. This attribute is used as a Reply Attribute.

35 (Login-LAT-Node)

Indicates the node with which the user is to be automatically connected by LAT. It is only used with Service-Type = Login-User and Login-Service = LAT. This attribute is used as a Reply Attribute.

36 (Login-LAT-Group)

Identifies the LAT group codes that this user is authorized to use. It is only used with Service-Type = Login-User and Login-Service = LAT. This attribute is used as a Reply Attribute.

61 (NAS-Port-Type)

Indicates the type of physical port the NAS is using for the user that is requesting authentication. It is not commonly used in a profile but can be used as a Check Item to permit or deny access based on the type of port the user is dialing into if the NAS sends this attribute as part of the authentication request.



Caution Care should be taken when using any attributes besides User-Password as Check Items in a user profile. Unless all Check Items match the information that is sent by the NAS exactly, authentication will fail.

Fully Enabling the RADIUS-Cisco11.3 Dictionary

The RADIUS-Cisco11.3 dictionary includes Cisco's set of vendor-proprietary extended RADIUS attributes. To take full advantage of this version, configure the associated NAS as follows:

Make sure that Cisco IOS Release 11.3.3(T) or later is installed on the NAS.

Replace the radius-server host hostname | ip-address command line with the following command line in the NAS configuration:

radius-server host hostname|ip-address non-standard

Where hostname | ip-address is the FQDN or IP address of the CiscoSecure ACS assigned to this NAS.

Add the following command line to the NAS configuration:

radius-server configurenas

For a description of the vendor-proprietary attributes themselves, see "RADIUS Vendor-Proprietary Attributes," in the appendix "RADIUS Attributes" in the document Security Configuration Guide, accessible at the Cisco documentation web site at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt6/index.htm

Assigning Access Control Privilege Levels

The superuser administrator can use the web privilege= attribute to assign a level of access control privilege to CiscoSecure users.


Step 1 In the CiscoSecure Administrator advanced configuration program, click the user whose access control privilege you want to assign, then click the Profile icon in the Profiles pane.

Step 2 In the options menu, click web privilege and select one of the following values.

0—Denies the specified user any access control privileges, even the ability to change the user's CiscoSecure password.

1—Grants the specified user access to the CSUser web page. This page allows CiscoSecure users to change their personal CiscoSecure password. For details on how they can do this, see "User-Level Functions (Changing a Password)" in "Basic User and ACS Management."

12—Grants the specified user group administrator privileges.

15—Grants the specified user system administrator privileges.


Note If you select any web privilege option other than 0, you must also specify a password. To satisfy the web privilege password requirement, a single blank space is minimally acceptable.


Step 3 Click Apply and then click Submit.


Copying a Group or User Profile

Use the Copy a Profile button to add a group or user whose profile is a duplicate of an existing username or group profile:


Step 1 In the Members tabbed page of the CiscoSecure Administrator advanced configuration program, click the group or user to be copied.

Step 2 Click the Copy a Profile button.

Figure 5-6 Copy a Profile Button

Step 3 When prompted, enter the new group name or username.

Step 4 Click OK.

Step 5 The new group name or username appears in the tree.


Finding a Group or User

To find a group or user profile:


Step 1 In the Members page of the CiscoSecure Administrator advanced configuration program, click the Find a Group or User button.

Figure 5-7 Find a Group or User Button

Step 2 Enter the name of the group or user to search for in the Group or User Name field.

The profile of the group or user you selected is placed in a temporary folder that appears at the top of the list of users. Use this folder as a "shortcut" to the groups or users to work with during this session.


Note The temporary folder appears for this session only.


Step 3 Repeat Step 2 as many times as necessary for the groups or users to work with during this session.


Displaying a Profile in Text Format

To display a group or user profile in text format, go to the Members tab of the CiscoSecure Administrator advanced configuration program, select the user or group profile whose text format you want to display, and click the Display a Profile button.

Figure 5-8 Display a Profile Button

Information similar to that shown in Figure 5-9 will display.

Figure 5-9 CiscoSecure Profile Window

The information displayed is the same information as that shown in the Profile window, but it is shown in CiscoSecure ACS 1.0 format.

Interpreting a User Profile in Text Format

The text format is a representation of the actual data that is stored in the RDBMS. Reading the text format of a user or group profile is a quick way of understanding the TACACS+ or RADIUS-based attributes of a user profile.

In the following example user profile, configured through the Java-based CiscoSecure Advanced configuration program, the text format indicates that the user ga_simpson:

Is assigned the password "sesame1" to start an EXEC session on the NAS.

If the NAS has command authorization enabled, then the only two commands that user ga_simpson can use are show version and telnet 10.6.8.11.

user = ga_simpson {
    password = clear "sesame1"
    service = shell {
        cmd = show {
            permit version
        }
        cmd = telnet {
            permit "10\.6\.8\.11"
        }
    }
}

The curly braces { } in the above expression enclose either:

Parameters specified for the attribute and value preceding them, for example:

cmd = telnet {
    permit "10\.6\.8\.11"
}

Attributes embedded within a higher level attribute, for example:

service = shell {
    cmd = show {
        permit version
    }
    cmd = telnet {
        permit "10\.6\.8\.11"
    }
}

Note For a thorough description of CiscoSecure profile syntax, consult the online document titled, CiscoSecure Syntax Guide and Sample Profiles, accessed through the Help menu option in the CiscoSecure ACS Administrator web pages.
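As an added example (not code from this chapter or from CiscoSecure itself), the following Python parses the text format shown above into a nested structure and applies the shell command authorization it encodes for ga_simpson. The rule-matching semantics used here, a regular expression matched against the whole argument string with the first matching rule deciding, are an assumption of this example, not something the chapter states.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Block:
    """One brace-delimited block of a CiscoSecure text profile."""
    key: str
    value: str
    attrs: dict = field(default_factory=dict)     # "key = value" lines (raw value text)
    rules: list = field(default_factory=list)     # ("permit" | "deny", pattern) lines
    children: list = field(default_factory=list)  # nested "key = value {" blocks

def parse_profile(text):
    """Parse the text format into a Block tree; the root's children are the top-level
    'user = name {' or 'unknown_user = {' blocks."""
    root = Block("root", "")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        opens = line.endswith("{")
        body = line[:-1].strip() if opens else line
        if "=" in body:
            key, _, value = body.partition("=")
            key, value = key.strip(), value.strip()
            if opens:
                child = Block(key, value)
                stack[-1].children.append(child)
                stack.append(child)
            else:
                stack[-1].attrs[key] = value
        elif opens:
            raise ValueError("block without a 'key = value' header: %r" % raw)
        else:  # rule lines such as 'permit version' or 'permit "10\.6\.8\.11"'
            action, _, pattern = body.partition(" ")
            stack[-1].rules.append((action, pattern.strip().strip('"')))
    if len(stack) != 1:
        raise ValueError("unclosed block: %s = %s" % (stack[-1].key, stack[-1].value))
    return root

def find_children(block, key, value=None):
    """Nested blocks with the given key (and value, if given); 'cmd = telnet' is one."""
    return [c for c in block.children
            if c.key == key and (value is None or c.value == value)]

def shell_command_permitted(user_block, command, args=""):
    """Command authorization as the chapter describes for ga_simpson: a command is allowed
    only if a 'cmd = <command>' block under 'service = shell' holds a permit rule whose
    pattern matches the arguments; everything else is denied. Assumption made here: the
    pattern is a regular expression matched against the whole argument string, and the
    first matching rule decides."""
    for shell in find_children(user_block, "service", "shell"):
        for cmd in find_children(shell, "cmd", command):
            for action, pattern in cmd.rules:
                if re.fullmatch(pattern, args):
                    return action == "permit"
    return False

# The user profile shown in the chapter.
GA_SIMPSON_PROFILE = r'''
user = ga_simpson {
  password = clear "sesame1"
  service = shell {
    cmd = show {
      permit version
    }
    cmd = telnet {
      permit "10\.6\.8\.11"
    }
  }
}
'''

if __name__ == "__main__":
    ga = parse_profile(GA_SIMPSON_PROFILE).children[0]
    print("user %s, password attribute: %s" % (ga.value, ga.attrs["password"]))
    for cmd, args in [("show", "version"), ("show", "running-config"),
                      ("telnet", "10.6.8.11"), ("telnet", "10.6.8.12"),
                      ("configure", "terminal")]:
        verdict = "permit" if shell_command_permitted(ga, cmd, args) else "deny"
        print("%s %s -> %s" % (cmd, args, verdict))
```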


Displaying a System Summary and Expired Passwords

To display a summary of the system's statistics, go to the Members tab of the CiscoSecure Administrator advanced configuration program and click the Display System Summary and Expired Passwords button. You can also click this button to display users with expired passwords by password type.

Figure 5-10 Display System Summary and Expired Passwords Button

The CiscoSecure Properties window opens. To view the system summary, click the Summary Statistics tab. (See Figure 5-11.)

Figure 5-11 CiscoSecure Summary Statistics Window

To view expired passwords, click the Expired Passwords tab. (See Figure 5-12.)

Figure 5-12 CiscoSecure Expired Passwords Window

Moving a Profile

Use the Move a Profile button to move a group or user to a different or new group. This is useful, for example, to change an employee from one department to another.

To move a profile:


Step 1 Go to the Members tab of the CiscoSecure Administrator advanced configuration program.

Step 2 Click the group or user to be moved.

Step 3 Click Move a Profile.

Figure 5-13 Move a Profile Button

Step 4 Enter the name of the destination group. The group name or user icon moves from its current group to the new one.



Note The moved group or user will inherit the attributes of the group to which it is moved.


Unlocking a Profile

Use the Unlock a Profile button to unlock a record that became locked inadvertently. When a profile is locked, a keyhole icon displays next to the group's folder icon. Profiles are locked when they are being updated; however, it is possible to have a locked record that is not in use, such as when the computer is rebooted while updating a profile.

To unlock a profile:


Step 1 Go to the Members tab of the CiscoSecure Administrator advanced configuration program.

Step 2 Click the locked profile.

Step 3 Click Unlock a Profile. The keyhole icon disappears.


Figure 5-14 Unlock a Profile Button

Deleting a Profile Attribute

To delete a profile attribute from a group or user profile:


Step 1 Go to the Members tab of the CiscoSecure Administrator advanced configuration program.

Step 2 Click the icon for the applicable group or user in the tree that is displayed in the Navigator (left) window.

Step 3 In the Profile window, click whatever services or attributes you require to expand the directory structure until you see the attribute you want to delete.

Step 4 Click the applicable attribute.

Step 5 Click the Delete a Profile Attribute (minus sign) button at the top of the Profile window.

Figure 5-15 Delete a Profile Attribute Button

Step 6 Repeat Step 2 through Step 5 for each additional attribute to delete.

Step 7 When you have finished making changes, click Submit.


Editing the unknown_user Default Profile

The CiscoSecure ACS unknown_user default profile feature enables access to users not specified (unknown) in the CiscoSecure database. The unknown_user profile can support unknown users requesting authentication via both the TACACS+ and RADIUS protocols.

When you install the CiscoSecure ACS, the unknown_user profile is empty, but you can edit it to provide a default profile for non-CiscoSecure users dialing in to a supported NAS.

Edit the unknown_user default profile as follows:


Step 1 Start the CiscoSecure Administrator advanced configuration program.

Step 2 Click the Members tab.

Step 3 Deselect Browse.

Step 4 Select the unknown_user profile in the Navigator pane and click the Profile icon in the Profile pane to view the unknown_user profile configuration.

You can edit the unknown_user profile like any other user profile. See the section "Creating a User Profile in Advanced Configuration Mode" earlier in this chapter for details on assigning attributes through the CiscoSecure Administrator advanced configuration program.


Uses of the unknown_user Profile

The effect that this unknown_user profile has on unknown users dialing in to the network varies depending on how the client NAS is configured. For example, the unknown_user profile shown in Figure 5-16 is not configured for RADIUS and therefore does not allow any access to unknown users who are communicating with CiscoSecure via NASes enabled for RADIUS protocol only.

Figure 5-16 Customized unknown_user Profile Configuration

For TACACS+ the default unknown_user profile shown in Figure 5-16 authenticates any users who are configured in the UNIX authentication system on which the ACS is running.

The concept of the Default Profile is useful if you already have a large number of users defined in another authentication system, such as the UNIX /etc/passwd and /etc/shadow files or a Security Dynamics, Inc. ACE Server.

The unknown_user profile enables you to grant users specified in these other authentication systems immediate access to the network without having to respecify them in the CiscoSecure database. For example, the following default profile might be used to authorize a shell on the NAS via RADIUS for users who are configured in an ACE Server but not yet specified in the CiscoSecure database:

unknown_user = {
    radius = Cisco {
        check_items = {
            2 = sdi
        }
        reply_attributes = {
            6 = 6
        }
    }
}

Additionally, the unknown_user profile can be used to grant guest access to the network for unknown users. The following unknown_user profile might be used to allow guests to log in without a password via TACACS+:

unknown_user = {
    password = no_password
    service = shell {
    }
}

If there is no unknown_user profile declared, then users not declared in the CiscoSecure database cannot be authenticated or authorized to use any service when dialing in to the CiscoSecure ACS client NASes.


Note The attribute values assigned to the unknown_user profile never apply to users who are already configured with a CiscoSecure user profile.


Logging Off the CiscoSecure Administrator Interface

To exit the Administrator program, click Logoff.

If you are on any CiscoSecure ACS web page, the Logoff button is in the options bar at the top of the page.

If you are in the Java-based CiscoSecure Administrator advanced configuration program, the Logoff button is located under the CiscoSecure Administrator banner.


Note If you are using Netscape and you want to log out of the Java-based CiscoSecure Administrator advanced configuration program, the program might require several minutes to shut down.




Posted: Wed Feb 16 10:24:59 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.