
Table Of Contents

Basic User and ACS Management

Starting the CiscoSecure Administrator Interface

Web Browser Requirements for the CiscoSecure Administrator

Accessing and Logging into the CiscoSecure Administrator

Changing the Superuser Password

Performing CiscoSecure Quick Operations

Creating a Quick User Profile

Editing a User Profile

Deleting a User Profile

Browsing Groups and Users

Viewing Groups and Users

User-Level Functions (Changing a Password)

Changing a Password through the Web

Logging Off the CiscoSecure Administrator Interface

Starting and Stopping the CiscoSecure ACS Software

Configuring the CiscoSecure AutoRestart Feature


Basic User and ACS Management


This chapter contains the instructions for simple management of your CiscoSecure users. Most management of the CiscoSecure Access Control Server (ACS) is done through the Administrator program.

This chapter covers the following topics:

Starting the CiscoSecure Administrator Interface

Performing CiscoSecure Quick Operations

User-Level Functions (Changing a Password)

Logging Off the CiscoSecure Administrator Interface

Starting and Stopping the CiscoSecure ACS Software


Note All changes made using the Administrator program are reflected in the database, and all changes made to the database are visible on the Administrator program, after you have refreshed it.



Note Many of the operations described in this chapter can also be carried out through the CiscoSecure command-line interface. For a description of the command-line interface, see the CiscoSecure ACS 2.3 for UNIX Reference Guide.


Starting the CiscoSecure Administrator Interface

This section describes the basic steps to log in to the CiscoSecure Administrator GUI and how to change the superuser password.

Web Browser Requirements for the CiscoSecure Administrator

To manage the CiscoSecure ACS using the Administrator program, you need a web browser that supports Java and JavaScript. The Administrator program operates on any hardware platform that supports the web browsers listed in the readme.txt file and release notes.

Accessing and Logging into the CiscoSecure Administrator

To access and log in to the CiscoSecure Administrator:


Step 1 From any workstation with a web connection to the ACS, open your web browser.

Step 2 Enter one of the following URLs for the CiscoSecure Administrator web site:

If the Secure Sockets Layer (SSL) feature on your browser is not enabled, enter:

http://your_server/cs

where your_server is the host name (or the fully qualified domain name, FQDN, if host name and FQDN differ) of the SPARCstation where you installed the CiscoSecure ACS. You can also substitute the SPARCstation's IP address for your_server.

If the Secure Sockets Layer (SSL) feature on your browser is enabled, specify "https" rather than "http" as the hypertext transmission protocol. Enter:

https://your_server/cs

where your_server is the host name (or the fully qualified domain name, FQDN, if host name and FQDN differ) of the SPARCstation where you installed the CiscoSecure ACS. You can also substitute the SPARCstation's IP address for your_server.


Note URLs and server names are case sensitive; they must be typed with uppercase and lowercase letters exactly as shown.


The CiscoSecure ACS Logon page displays.

Figure 4-1 CiscoSecure ACS Logon Page

Step 3 Enter your username and password and click Submit.


Note The initial default username is "superuser." The initial default password is "changeme." After your initial login, you should change the username and password immediately for maximum security. See the "Changing the Superuser Password" section.


After you log in, the CiscoSecure ACS main page appears, displaying the main menu options along the top.



Note CiscoSecure ACS for UNIX allows Data Encryption Standard (DES) encrypted password and SecurID ACE/Server authentication at the same time. To use both methods of authentication, do not specify the -D option when starting CiscoSecure ACS for UNIX.


CiscoSecure ACS Main Menu Page

The CiscoSecure ACS Main menu page appears only if the user provides a name and password that have an administrator privilege level. If the user provides a name and password that have only user-level privileges, a different screen appears. Refer to the "User-Level Functions (Changing a Password)" section.

Figure 4-2 The CiscoSecure ACS Web Menu Bar

Several options appear at the top of the page:

Table 4-1 CiscoSecure ACS Web Menu Buttons

Button | Description
Main | Return to the Main menu.
Member | Display the user and group related suboptions: Add, Edit, Delete, Browse, and View.
Add | Add users to existing database.
Edit | Edit privileges, passwords, access, and other parameters for a specified user.
Delete | Delete users from existing database.
Browse | Provide a means to browse a group or user hierarchy.
View | Enable the administrator to view the profile of a specified user.
AAA | Display server and NAS related suboptions: General, NAS [1], Domain, Re-Initialize.
General | Configure the current CiscoSecure ACS with TACACS+-related options.
NAS [1] | Add and configure TACACS+-enabled NASes as CiscoSecure ACS clients.
Domain | Configure the CiscoSecure ACS to authenticate or route users logging in with local or remote domain name strings.
Re-Initialize | Initialize the new CiscoSecure ACS General, NAS, or Domain settings without terminating and restarting server operations.
Help | Access instructions for a specified aspect of CiscoSecure ACS.
Advanced | Takes the user to the CiscoSecure Administrator Java-based advanced configuration program. For details on using this program, see "Starting the Advanced Configuration Program" in "Advanced Group and User Management."
Log Off | Log off CiscoSecure.

[1] NAS = network access server.



Note The CiscoSecure ACS web menu bar appears in every HTML page throughout the CiscoSecure ACS web interface, so there is no need to return to the Main menu in order to access a new function.


Changing the Superuser Password

The default administrator of the CiscoSecure ACS is "superuser," and the default password is "changeme." As a security measure, Cisco recommends that you change the password for superuser as quickly as possible after installing the CiscoSecure ACS.


Step 1 In the CiscoSecure ACS web menu bar, click Member and then click Edit.

Step 2 In the Edit a User page, enter superuser in the User Name to Edit field.

Step 3 Click Edit.

Step 4 Enter your new password string in the Password field.

Valid characters for passwords are:

Uppercase A through Z

Lowercase a through z

Numbers 0 through 9

Step 5 Verify your entry by entering the new password again in the Confirm field and clicking Save.

CiscoSecure displays a confirmation of the password change.


Performing CiscoSecure Quick Operations

The operations described in this section are carried out through the CiscoSecure ACS web pages. They are the quickest and most frequently executed of CiscoSecure operations. These operations include:

Creating, editing, and copying simple user profiles.

If applicable, assigning those profiles to existing user groups.

You can also browse and view group and user profile configurations.

Creating a Quick User Profile

To add a user to the CiscoSecure ACS database, use the Add a User web page. The Add a User web page enables you to quickly set up a user profile with basic password information.


Note To set up more complex authentication, authorization, and accounting requirements for large numbers of similar users, Cisco recommends first using the Java-based CiscoSecure Administrator advanced configuration program to configure these requirements for a group profile. After the group profile is defined, you can use the Add a User web page to quickly add simple user profiles to the group profile. The advanced requirements you configured for the group will apply to each member user. See "Creating a Group Profile" in "Advanced Group and User Management" for details.


Add a user profile:


Step 1 In the CiscoSecure ACS web menu bar, click Member and Add. The Add a User page appears.

Figure 4-3 CiscoSecure Add a User Page

Step 2 Enter the Group of which this user will be a member.

If you need to search the database for the correct group, click Browse... to the right of the field. The Browse screen will appear. For more on using the Browse function, refer to the section "Browsing Groups and Users" later in this chapter.

Step 3 Enter the name of the new user in the User Name field.

Step 4 Enter an optional password for this user in the Password field. Valid characters for passwords are:

Uppercase A through Z

Lowercase a through z

Numbers 0 through 9

An asterisk will appear in place of each letter.

Step 5 Retype the password in the Confirm field.

The Password and Confirm entries must agree. If the entry in the Password field does not agree with the entry in the Confirm field, you will be prompted to retype.

Step 6 Click any of the 3 check boxes to indicate the type of authentication methods to use with the specified password:

CHAP—Challenge Handshake Authentication Protocol. Indicates the use of the specified password for CHAP authentication during PPP negotiation.

Clear—Clear Text transmission. Indicates the transmission of the specified password in clear text for terminal-based authentication, such as with Telnet.

PAP—Password Authentication Protocol. Indicates the use of the specified password for PAP during PPP negotiation.


Note You can use Clear Text or CHAP passwords with RADIUS profiles. This allows you to use external databases with RADIUS.


Step 7 Specify the level of ACS administration this user can exercise using the Web Privilege button. Click one of the following:

None—No privileges provided.

User—Users can change their password via the CiscoSecure ACS GUI.

Group Administrator—Users can add, delete, and modify group and user profiles within their home group.

System Administrator—Users can add, delete, or modify their own and other users' profiles.


Note If you select any web privilege option other than None, you must also specify a password in the Password field. To satisfy the web privilege password requirement, a single blank space is minimally acceptable.


Step 8 Click More to access more authentication options for this user. The Add a User page changes. (See Figure 4-4.)

Figure 4-4 Expanded Add A User Page

The additional fields in the Add a User page include several new authentication methods:

Password File—If you want this user's password to be specified in a UNIX password formatted file, instead of on this web page, specify the path and filename in this field.

Password Alternate—Indicates that, instead of a password, a path to an old style (prior to Solaris) UNIX shadow-formatted file is specified that contains the password for this user.

ARAP—AppleTalk Remote Access Protocol. Indicates the use of the password for ARAP authentication during AppleTalk Remote Access (ARA).

DES—Data Encryption Standard. Standard cryptographic algorithm developed by the National Bureau of Standards. Indicates the use of the password for the DES Password type. This password type is similar to Clear except the password is stored using DES encryption.

No Password—Indicates that no password is required and does not need to be requested.

Outbound PAP—Indicates the use of the password for Outbound PAP authentication during PPP negotiation.

Crypto—Indicates that the user has a CRYPTOCard token card that will be used for generating passwords.

Enigma—Indicates that the user will use an authentication method supported by Secure Computing's (formerly Enigma Logic) SafeWord Authentication Server.


Note If you select the Enigma authentication method and save the user profile, you will be given access to the SafeWord configuration pages after you add this profile. The next time you edit the profile, an Edit Enigma Token button appears. Click this button to configure the current user as a SafeWord user also. Refer to "Configuring Users for Secure Computing Token Card Use" in "Token Server Support."


SDI—Indicates that the user will utilize an authentication method supported by Security Dynamics, Inc. ACE Server.

S/Key—Indicates that the user will use the S/Key one-time password system from Bellcore for generating passwords.

System—Indicates that the user's password is stored in the UNIX Password system.

Each of these encryption types requires custom configurations. For more information on S/Key, CRYPTOCard, Enigma, and SDI, see "Token Server Support."


Note The functionality of any password type except ARAP, CHAP, PAP, and Outbound PAP is affected by its position in the user profile. If multiple unexpired password statements appear in a user profile, the AAA server will use the first appropriate password type that appears in the profile.


Step 9 Select one or more of the check boxes if one or more of the additional password types is required.

Step 10 When you have finished, click one of the following:

Add—Confirm your selections and return to the Main menu.

Reset—Clear all information entered and begin again.


Editing a User Profile

Use the Edit a User web page to modify the configuration of an existing user profile:


Step 1 In the CiscoSecure ACS web menu bar, click Member and Edit. The initial Edit a User page appears.

Figure 4-5 Initial Edit a User Page

Step 2 In the User Name to Edit field, enter the name of the user whose password and privilege you want to edit.

If you don't know the name of the user you want to edit, click Browse at the top of the menu to access the edit menu. See the "Browsing Groups and Users" section for details.

Step 3 When the name you need appears in the User Name to Edit field, click Edit.

The full Edit a User page appears.

Figure 4-6 The Full Edit a User Page

Step 4 Specify the Group this user will be a member of, if required. If the specified user is a member of another group, this reassigns the user.


Note A user can only be a member of one group.


If you need to search the database for the correct group, click Browse... to the right of the field. The Browse screen will appear. For more information about using the Browse function, refer to the "Browsing Groups and Users" section.

Step 5 Enter an optional password for this user in the Password field. Valid characters for passwords are:

Uppercase A through Z

Lowercase a through z

Numbers 0 through 9

An asterisk will appear for each letter you type.

Step 6 Retype the password in the Confirm field.

The Password and Confirm entries must agree. If the entry in the Password field does not agree with the entry in the Confirm field, you will be prompted to retype.

Step 7 Specify the level of ACS administration this user can exercise using the Web Privilege button. Click one of the following:

None—No privileges provided.

User—Users can change their password via the CiscoSecure ACS GUI.

Group Administrator—Users can add, delete, and modify group and user profiles within their home group.

System Administrator—Users can add, delete, or modify their own and other users' profiles.


Note If you select any web privilege option other than None, you must also specify a password in the Password field. To satisfy the web privilege password requirement, a single blank space is minimally acceptable.


Step 8 If you want this user's password to be specified in a UNIX password formatted file rather than on this web page, indicate the path to that file in the Password File field.

Step 9 If required, select one or more of these check box options:

ARAP—AppleTalk Remote Access Protocol. Indicates the use of the password for ARAP authentication during AppleTalk Remote Access (ARA).

CHAP—Challenge Handshake Authentication Protocol. Indicates the use of the specified password for CHAP authentication during PPP negotiation.

Clear—Clear Text transmission. Indicates the transmission of the specified password in clear text for terminal-based authentication, such as with Telnet.

DES—Data Encryption Standard. Standard cryptographic algorithm developed by the National Bureau of Standards. Indicates the use of the password for the DES Password type. This password type is similar to Clear except the password is stored using DES encryption.

No Password—Indicates that no password is required and does not need to be requested.

Outbound PAP—Indicates the use of the password for Outbound PAP authentication during PPP negotiation.

PAP—Password Authentication Protocol. Indicates the use of the specified password for PAP during PPP negotiation.

Step 10 If required, select/deselect one or more of these check box options:

Crypto—Indicates that the user has a CRYPTOCard token card that will be used for generating passwords.

S/Key—Indicates that the user will use the S/Key one-time password system from Bellcore for generating passwords.

Enigma—Indicates that the user will use an authentication method supported by Secure Computing's (formerly Enigma Logic) SafeWord Authentication Server.


Note If you select the Enigma authentication method and save the user profile, you will be given access to the SafeWord configuration pages after you add this profile. The next time you edit the profile, an Edit Enigma Token button appears. Click this button to configure the current user as a SafeWord user also. See "Configuring Users for Secure Computing Token Card Use" in "Token Server Support."


System—Indicates that the user's password is stored in the UNIX Password system.

SDI—Indicates that the user will utilize an authentication method supported by Security Dynamics, Inc. ACE Server.


Note Each of these encryption types requires custom configuration. For more information about S/Key, CRYPTOCard, Enigma, and SDI, refer to "Token Server Support."


Step 11 When you have finished, click one of the following:

Save—To confirm your selections.

Reset—To clear all information entered and begin again.

If you select Save, a confirmation of the edit appears.

Step 12 Continue to edit users as required or click Main to return to the Main menu.


Deleting a User Profile

Use the Delete a User button to delete a user from the CiscoSecure database:


Step 1 In the CiscoSecure ACS web menu bar, click Member and click Delete. The Delete a User page appears.

Figure 4-7 Delete a User Page

Step 2 Enter the name of the current user whose profile you want to delete in the field.

If you don't know the name of the user you want to delete, click Browse at the top of the menu and delete the user through that option. For more on the Browse option, refer to the "Browsing Groups and Users" section.

Step 3 When the name you need appears in the User Name field, click Delete.

Step 4 Continue to delete users as required.

Step 5 When you are finished, click the Main button to return to the Main menu.


Browsing Groups and Users

The Browse option can be used to review the CiscoSecure ACS database for both users and groups. Through this option, you can:

Add existing users to existing groups

Edit user profiles for existing users

Delete existing users from the database

To access a user or group directly, use the View option. See the "Viewing Groups and Users" section for more information.

To browse the CiscoSecure database:


Step 1 In the CiscoSecure ACS web menu bar, click Member and Browse. The Browse page appears.

Figure 4-8 Browse Page

This screen consists of two sections:

Groups

Users

In addition to names, each section contains several icons. The names to the right of these icons serve as links to other menu options within the program.

Table 4-2 CiscoSecure ACS Administrator Icons

Icon:
Means:

A group. Click this symbol to access the Profile and member information for the specified group.

A user. Click this symbol to access the Profile information for the specified user.

Add a user to the specified group. This is another way to access the Add a User screen.

This represents one of the RADIUS dictionaries stored in the database. These include IETF, Cisco, and Ascend. The HTML-based GUI is not designed to edit these dictionaries.

This represents a NAS. All values to the right of this indicate the NAS configuration. The HTML-based GUI is not designed to edit this information.

This represents a AAA server (one type of which is a CiscoSecure ACS). All values to the right of this indicate the AAA configuration. The HTML-based GUI is not designed to edit this information.

Edit the specified user. This is another way to access the Edit a User screen.

Delete the specified user. This is another way to access the Delete a User screen.


Step 2 To view the profile for a specific group or user, click the group/username. Alternatively, click on the icon to the left of the name. The group or user profile for the selected item appears.

For more on deciphering the meaning of the terms and statistics appearing in the profiles, refer to the "Viewing Groups and Users" section.

Step 3 Click the icons indicated above to add users to a specific group, edit a specific user profile, or delete a user from the database:

a. To add a user to a specified group, click the Add User icon. The Add a User screen appears. Refer to the "Creating a Quick User Profile" section.

b. To edit a specific user, click the Pencil icon to the right of that user's name. The Edit a User screen appears with the user's information displayed. Refer to the "Editing a User Profile" section for details.

c. To delete a specific user, click the Delete User icon to the right of the user's name. The Delete a User screen appears. Refer to the "Deleting a User Profile" section for details.

Step 4 Review data and perform operations as required. To return to the Main menu, click Main.


Viewing Groups and Users

Use the View option to see the profile for a selected user or group. Depending on the complexity of the values assigned to a particular user or group, the profile can contain many different attributes, each of which is defined in this section.

To view a selected profile:


Step 1 In the CiscoSecure ACS web menu bar, select Member and View. A screen appears prompting you to specify the group or the user whose profile data you want to view.

Figure 4-9 View User or Group Identification Prompt

Step 2 Select one of the following:

If this is a user, make sure User is selected from the option list below the Name field.

If this is a group, select Group from the option list.

Step 3 Enter the user or group name in the Name field.

If you can't remember the name, click Browse to look through the entire database.

Step 4 Click Submit Query. A page appears displaying profile information for the specified group or user.

Figure 4-10 Profile Information Page—Simple Example

This provides a profile of the selected user or group. While the example profile above is relatively simple, the profile can contain a great deal of information on the attributes and values assigned to the selected user or group.

To learn more about an attribute, click on the attribute word. Each attribute word is linked to its definition.

Step 5 When you are finished inspecting the profile, select View to see another profile, or click another button to access another function.

The profile seen on the View screen can contain information on any number of attributes assigned to a selected user or group. Attributes are derived from several internetworking protocols, including TACACS+ and RADIUS.

Attributes are normally arranged by rows with greater levels of detail arranged in columns from left to right of each row. For example, the Password attribute usually follows the rows identifying the profile_id, profile_cycle, and group name. In the password row, there are a number of columns which from right to left define: the attribute name, the password type, the password value, the beginning and ending dates when this password is effective.

Table 4-3 Common Attributes and their Meanings

Attribute
Definition
Value

profile_id

ID number assigned to the profile by the database. This number is generated internally and cannot be edited by the user.

-

profile_cycle

This number starts at 1 and is incremented by one each time the profile is modified. This number is generated internally and cannot be edited by the user.

-

If this is a user profile, the group to which the user is currently assigned. Groups can also be members of other groups.

-

password

Type of password, followed by the actual password in quotation marks, followed by the beginning and ending dates during which this password is effective.

CHAP, PAP, clear, and so on

privilege

Whether this profile is web-enabled and what the privilege level is. There are three privilege levels.

Only valid when Privilege = Web.

None—No privileges
User—Users can change their password via CiscoSecure ACS GUI
Administrator—Users can add/delete/modify their own and other users' profiles


In many cases, the profile won't be more complicated than the profile shown in Figure 4-10. There are occasions, however, when profiles can be far more complex, particularly when a large number of authentication and response attributes have been assigned for a particular user or group. In such cases, the profile might look more like the example in Figure 4-11.

Figure 4-11 Profile Information Page—Complex Example

As Figure 4-11 shows, a great deal of diverse information can be contained in a profile. This includes:

Basic user information (at the top of the profile)

Service information (such as values allocated for PPP, SLIP, and so on)

Authentication information (TACACS+ and/or RADIUS) with all attributes and their values

Password information including all assigned password types (CHAP, PAP, clear, DES, and so on) with each assigned password in quotation marks


User-Level Functions (Changing a Password)

CiscoSecure users have two ways of connecting to the CiscoSecure ACS for the purpose of changing their personal passwords.

Changing a Password through the Web

CiscoSecure users to whom you assign web privilege (privilege level 1) have the ability to access the CiscoSecure CSUser web page for the purpose of changing their individual password.


Note See the "Creating a Quick User Profile" section or the "Editing a User Profile" section for details on assigning a CiscoSecure user web privilege.


CiscoSecure users with web privilege can access this web page as follows:


Step 1 Open up the web browser on any workstation with an HTTP connection to the CiscoSecure ACS.

Step 2 Enter one of the following URLs for the CiscoSecure Administrator web site:

If the Secure Sockets Layer (SSL) feature on your browser is not enabled, enter:

http://your_server/cs

where your_server is the host name (or the fully qualified domain name, FQDN, if host name and FQDN differ) of the SPARCstation where you installed the CiscoSecure ACS. You can also substitute the SPARCstation's IP address for your_server.

If the Secure Sockets Layer (SSL) feature on your browser is enabled, specify "https" rather than "http" as the hypertext transmission protocol. Enter:

https://your_server/cs

where your_server is the host name (or the fully qualified domain name, FQDN, if host name and FQDN differ) of the SPARCstation where you installed the CiscoSecure ACS. You can also substitute the SPARCstation's IP address for your_server.


Note URLs and server names are case sensitive; they must be typed with uppercase and lowercase letters exactly as shown.


The CiscoSecure ACS user logon page displays.

Figure 4-12 User-Level Screen

Step 3 Click Change Password.

A new screen appears.

Figure 4-13 User-Level Password Change

Step 4 Specify the type of password that you want to change, for example, CHAP or PAP.

Enter a new password in the Password field. Valid characters for passwords are:

Uppercase A through Z

Lowercase a through z

Numbers 0 through 9

Step 5 Verify this new password by entering the same password in the Verify field.

Step 6 Click Submit. The new password is stored in the database.

Step 7 Click Finish to exit this screen.


Changing a TACACS+ Login Password via VTY or Telnet

Users can change their own login passwords during a VTY or Telnet session if the NAS through which they are accessing the network is using the TACACS+ protocol.


Step 1 Connect to the NAS.

Step 2 Enter your username at the NAS prompt.

Step 3 Press Return at the prompt requesting you to enter a password.

Step 4 Enter yes at the prompt asking if you want to change your password.

Step 5 Enter your existing password at the prompt.

Step 6 Enter your new password at the prompt.

Step 7 Enter your new password a second time to verify that it is correct.



Note This procedure cannot be used to change an encrypted password, such as a CHAP password. Additionally, one-time passwords (OTPs), such as token server passwords, cannot be changed.


Future Passwords

If a future password is specified for a user, the user will not be able to log on with the future password until the date specified as the "from" date. After the date specified as the "until" date, the password is invalid, and the user will no longer be able to log on with it.
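The following added example (not Cisco code and not part of the original guide) models two rules stated in this chapter: the "from" and "until" dates of a future password, and the note that the AAA server uses the first appropriate unexpired password statement in a profile. The lowercase type labels, the `PasswordStatement` structure, and the reading of "appropriate" as "any login-capable type" are assumptions of this model.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Per the note in "Creating a Quick User Profile", these four types are not
# affected by position in the profile: each answers only its own protocol.
PROTOCOL_BOUND = {"arap", "chap", "pap", "outbound_pap"}

# Assumption of this model: an interactive login can be satisfied by any of
# these types, so the first one in effect, in profile order, is used.
LOGIN_TYPES = {"clear", "des", "file", "system", "skey",
               "crypto", "enigma", "sdi", "nopassword"}


@dataclass
class PasswordStatement:
    ptype: str                          # hypothetical lowercase type label
    value: str = ""
    valid_from: Optional[date] = None   # "from" date of a future password
    valid_until: Optional[date] = None  # "until" date; invalid after it

    def in_effect(self, today: date) -> bool:
        if self.valid_from is not None and today < self.valid_from:
            return False                # future password, not usable yet
        if self.valid_until is not None and today > self.valid_until:
            return False                # past its "until" date
        return True


def candidates(profile: List[PasswordStatement], request: str,
               today: date) -> List[PasswordStatement]:
    """Statements that match the request and are in effect, in profile order."""
    wanted = {request} if request in PROTOCOL_BOUND else LOGIN_TYPES
    return [s for s in profile if s.ptype in wanted and s.in_effect(today)]


def select_password(profile, request, today) -> Optional[PasswordStatement]:
    """The statement the server would use: the first usable candidate."""
    usable = candidates(profile, request, today)
    return usable[0] if usable else None


def shadowed(profile, request, today) -> List[PasswordStatement]:
    """Statements in effect today that are never consulted because an
    earlier statement wins. Worth reviewing when auditing a profile."""
    return candidates(profile, request, today)[1:]


# Constructed sample profile: a login password being rotated on 1 April 2005,
# with a UNIX system password listed last.
SAMPLE_PROFILE = [
    PasswordStatement("chap", "chap-secret"),
    PasswordStatement("clear", "old-login", valid_until=date(2005, 3, 31)),
    PasswordStatement("des", "new-login", valid_from=date(2005, 4, 1)),
    PasswordStatement("system"),
]

if __name__ == "__main__":
    for day in (date(2005, 3, 31), date(2005, 4, 1)):
        used = select_password(SAMPLE_PROFILE, "login", day)
        hidden = [s.ptype for s in shadowed(SAMPLE_PROFILE, "login", day)]
        print(day, "uses", used.ptype, "shadowed:", hidden)
```

In this model the system statement is never reached on either date, and a No Password statement placed first would win over every other login type.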

Logging Off the CiscoSecure Administrator Interface

To exit the Administrator program, click Logoff.

If you are on any CiscoSecure ACS web page, the Logoff button is in the options bar at the top of the page.

If you are in the Java-based CiscoSecure Administrator advanced configuration program, the Logoff button is located underneath the CiscoSecure Administrator banner.


Note For security reasons, the use of the Refresh button in Internet Explorer and the Shift + Reload feature in Netscape are not supported in the Advanced Administrator interface.



Note If you are using Netscape and you want to log out of the Java-based CiscoSecure Administrator advanced configuration program, the program might require several minutes to shut down.


Starting and Stopping the CiscoSecure ACS Software

Normally the CiscoSecure ACS software starts up automatically when you shut down and restart the SPARCstation where it is installed. There are times, however, when you might want to start CiscoSecure ACS manually or shut it down without shutting down the entire SPARCstation.


Step 1 Log in as [Root] to the SPARCstation where you installed CiscoSecure ACS.

Step 2 Invoke the script files to either start or stop the CiscoSecure ACS from the SPARCstation's UNIX command line.

To start the CiscoSecure ACS manually, enter:

# /etc/rc2.d/S80CiscoSecure

To stop the CiscoSecure ACS manually, enter:

# /etc/rc0.d/K80CiscoSecure


Caution If accounting information is still being written when the /etc/rc0.d/K80CiscoSecure script is invoked to stop the ACS, the DBServer module of the ACS will not shut down until it finishes writing all accounting information to the RDBMS. This process might take as long as 10 minutes. Do not attempt to shut down the DBServer by other means during this process. Loss of accounting data might result.

Configuring the CiscoSecure AutoRestart Feature

The CiscoSecure ACS startup process has been enhanced to autorestart the CiscoSecure ACS if its AAA or DBServer components abnormally abort. To provide this functionality, a new process, "CiscoAuto," is started during CiscoSecure startup. If the AAA or DBServer component aborts, CiscoAuto detects this event and performs a CiscoSecure restart. During this process, the following events occur:

1. The CiscoSecure ACS is shut down.

2. Any core files in the CSU or DBServer directories are moved to $BASEDIR/corefiles and compressed.

3. The CiscoSecure ACS is restarted.

The AutoRestart feature can be customized or disabled by specifying several command-line switches with the S80CiscoSecure startup command. The switches are as follows:

noauto

Disables AutoRestart. If used, CiscoSecure will not restart if the AAA server or DBServer aborts. The AutoRestart feature is on by default.

Example: S80CiscoSecure noauto

nosavecore

Disables the autosave of core files during restart. If used, the CiscoSecure ACS will not save the core files into the $BASEDIR/corefiles directory during restart. Any core files contained in the DBServer and CSU directories will remain in their respective directories.

Example: S80CiscoSecure nosavecore

Instructs CiscoAuto not to save the core files in the event of an abort and restart.

Example: S80CiscoSecure nosavecore 5

Instructs CiscoAuto to check the AAA server component every 5 seconds and, in the event of a shutdown and restart, not to save the core files.

sampletime

Sets the sample monitoring time. Sample time is the number of seconds between checking if the AAA server has aborted. When not supplied, the default is 30 seconds. To set the sampling time, provide a numeric value with the command-line switch.

Example: S80CiscoSecure 5

Checks that the AAA server is running every 5 seconds.

Example: S80CiscoSecure 60

Checks once a minute that the AAA server is running.
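The following added example (a model written for this page, not the S80CiscoSecure script or the CiscoAuto process) shows how the three switches combine and what one restart pass does with core files. The CSU and DBServer directories sitting directly under the base directory, the `core*` file pattern, gzip as the compression, and the archive naming are assumptions.

```python
import gzip
import shutil
import tempfile
import time
from pathlib import Path

DEFAULT_SAMPLE_SECONDS = 30            # default stated in the text above
COMPONENT_DIRS = ("CSU", "DBServer")   # assumed to sit under the base directory


def parse_switches(args):
    """Turn S80CiscoSecure-style switches into effective settings."""
    settings = {"autorestart": True, "savecore": True,
                "sample_seconds": DEFAULT_SAMPLE_SECONDS}
    for arg in args:
        if arg == "noauto":
            settings["autorestart"] = False
        elif arg == "nosavecore":
            settings["savecore"] = False
        elif arg.isdigit() and int(arg) > 0:
            settings["sample_seconds"] = int(arg)   # bare number = sample time
        else:
            raise ValueError("unrecognized switch: %r" % arg)
    return settings


def archive_core_files(basedir, stamp):
    """Move core files into <basedir>/corefiles, compressed.

    The component name and a timestamp go into the archive name so that a
    second abort does not overwrite evidence from the first.
    """
    base = Path(basedir)
    dest = base / "corefiles"
    dest.mkdir(exist_ok=True)
    archived = []
    for comp in COMPONENT_DIRS:
        comp_dir = base / comp
        if not comp_dir.is_dir():
            continue
        for core in sorted(comp_dir.glob("core*")):
            if not core.is_file():
                continue
            target = dest / ("%s.%s.%s.gz" % (comp, core.name, stamp))
            with core.open("rb") as src, gzip.open(target, "wb") as out:
                shutil.copyfileobj(src, out)
            core.unlink()
            archived.append(target.name)
    return archived


def restart_cycle(basedir, settings, stop, start, stamp=None):
    """One pass after an abort is detected: stop, save cores, start."""
    if not settings["autorestart"]:
        return []                       # noauto: leave the server down
    stamp = stamp or time.strftime("%Y%m%dT%H%M%S")
    stop()
    archived = archive_core_files(basedir, stamp) if settings["savecore"] else []
    start()
    return archived


def demo():
    """Run one restart pass against a constructed directory tree."""
    calls = []
    with tempfile.TemporaryDirectory() as base:
        for comp in COMPONENT_DIRS:
            (Path(base) / comp).mkdir()
        core = Path(base) / "DBServer" / "core"
        core.write_bytes(b"constructed core image")
        archived = restart_cycle(base, parse_switches(["5"]),
                                 stop=lambda: calls.append("stop"),
                                 start=lambda: calls.append("start"),
                                 stamp="20050216T102818")
        left_behind = core.exists()
    return calls, archived, left_behind


if __name__ == "__main__":
    print(parse_switches(["nosavecore", "5"]))
    print(demo())
```

With nosavecore set, the same pass stops and starts the server but leaves any core files where the aborted component wrote them.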



Posted: Wed Feb 16 10:28:18 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.