Before you configure the CiscoSecure ACS for the first time, you need to verify that you have the required settings for the configuration you want. This chapter outlines the necessary settings for the following eight common configurations:
Select the configuration that most closely meets your needs.
Note If you are viewing this as a link from the CiscoSecure Welcome Screen, you are now viewing the online documentation. Click Online Documentation and select Common Configurations to return to this section.
Click Online Documentation and select an item in the table of contents for additional information. Two of the selections available in the online documentation are:
Conceptual Overview: Detailed conceptual information about the CiscoSecure ACS and its interaction with the different components involved in network security.
Step-by-Step Configuration: Basic point-and-click details about the different components within the CiscoSecure ACS.
There are four components that must be configured to successfully initiate connectivity and implement the CiscoSecure ACS for Windows NT services:
Windows NT server: Computer hosting the CiscoSecure ACS 2.0 for Windows NT software and the Windows NT User Database.
CiscoSecure ACS: Software that provides centralized network security services.
Network access device: Access servers, routers, or other devices such as firewalls that provide different types of users access to specific networks.
Client: Async or ISDN dial-up users.
Dial-Up Using the Windows NT User Database with TACACS+
This is a typical configuration that would be used in a Windows NT network using only the Windows NT User Database to maintain access. This configuration is compatible with businesses with a significant investment or strategic direction based on Windows NT. This configuration makes it possible to:
Control dial-up connectivity for the NAS from the Windows NT User Manager
Support single login
Windows NT Server Configuration
This option requires the most configuration of the Windows NT server environment because of its high level of dependency on Windows NT management functions. These items are configured from the User Manager on the Windows NT server that is running the CiscoSecure ACS. Make sure:
The dial-up user exists in the Windows NT User Database on the same server as the CiscoSecure ACS.
The dial-up user belongs to a Windows NT group that includes the right "Log on Locally."
The dial-up user's profile does not have "change password at next login" or "disable account" set.
Enable "Grant dial-in permission" from the dial-in menu if you want to be able to enable or disable user login privileges from Windows NT. This is optional.
No callback number is configured.
CiscoSecure ACS Configuration
The following information represents the parameters that are configured from within the CiscoSecure ACS HTML interface.
NAS Configuration Screen
You can configure the following items from the NAS Configuration screen:
Note If the first NAS that clients will be dialing into was set up during the installation of the CiscoSecure ACS, all of the information in this section should already be complete.
Add or edit a NAS
Enter the name of the NAS
Enter the IP address of the NAS
Enter the secret shared between the NAS and the CiscoSecure ACS, called a "key"
Select TACACS+ (Cisco) as the security control protocol
Click TACACS+ (Cisco) under the Protocol Configuration Options to select the Service/Protocol to be configurable for a group
Note You must also enable PPP LCP when selecting any PPP protocol.
User Setup
Not necessary: Users successfully authenticated against the Windows NT User Database are added to the CiscoSecure ACS 2.0 User Database as members of group 0, Windows NT Users. You can reassign them to another group later.
Group Setup
You can configure the following items in Group Setup for the Windows NT Users group:
If "Time of Day Access" is to be used, enable the feature by clicking Setup Default and highlighting with green the time/days access should be granted. Leaving this disabled grants access 24 hours/day all week long.
If using ISDN, the particular ISDN Calling Line ID (CLID) for the entire group can be entered in the Rem_Addr filter field to limit a user's access to only be permitted if calling from locations with known CLIDs.
To enable group-level filtering, select the "Enable group level and Enforce User level filtering" check box.
Note If this option is checked and no group-level filter is defined, a user-level filter must be defined for every member of that group, or authentication fails for users without a valid filter.
Enable PPP-IP if the NAS is going to support dial-up clients running IP over PPP (async or ISDN) connections (configure within the NAS Configuration button if not displayed).
Enable and enter the "IP Pool" name defined on the NAS. If the default pool will be used or if the address is defined at the client, leave the field blank.
Enable PPP-IPX if the NAS is going to support dial-up clients running IPX over PPP (async or ISDN) connections (configure within the NAS Configuration button if not displayed).
Enable Shell (Exec) if Telnet sessions shall be run by the client or if the CiscoSecure ACS will also be used for router management (configure within the NAS Configuration button if not displayed).
Service Configuration
You can configure these items from Service Configuration:
The check box "Check Windows NT User Database for usernames not found in the CiscoSecure ACS" controls how the CiscoSecure ACS handles the situation when a username is not found in the CiscoSecure ACS 2.0 User Database.
If the option is not checked, then only the CiscoSecure ACS 2.0 User Database is searched for a matching username. If no matching username exists in the CiscoSecure ACS 2.0 User Database, then the authentication fails.
Check this option to ensure that all authentications without a matching username in the CiscoSecure ACS 2.0 User Database are checked against the Windows NT User Database. If this authentication succeeds, a record is automatically generated in the CiscoSecure Database for that user indicating that they are a Windows NT user and that Windows NT should be used for their password authentication. User records added to the database in this way are automatically made members of the group "Windows NT Users."
Check Grant dial-up permission to indicate whether the CiscoSecure ACS should check the user's Windows NT permissions for dial-up users.
If the option is checked, then the CiscoSecure ACS verifies that dial-up permission is granted for this user in the Windows NT User Database. Authentication for users without dial-up permission on the Windows NT server fails even if they use the correct password.
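The lookup order described under Service Configuration, as an added model (not Cisco's code): the CiscoSecure database is searched first, the Windows NT User Database is consulted only when the check box is set, a successful Windows NT authentication auto-creates a group 0 record, and "Grant dial-up permission" can reject a user whose password is correct. The class and field names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

WINDOWS_NT_USERS_GROUP = 0  # group 0, "Windows NT Users", as the text describes


@dataclass
class AcsUser:
    """Record in the CiscoSecure ACS 2.0 User Database (model)."""
    group: int
    password: Optional[str]          # None when Windows NT holds the password
    nt_authenticated: bool = False   # True for records auto-created from NT


@dataclass
class NtAccount:
    """Constructed stand-in for a Windows NT User Database account."""
    password: str
    dialin_permitted: bool           # the "Grant dial-in permission" flag


@dataclass
class ServiceConfig:
    """The two Service Configuration check boxes from the text."""
    check_nt_for_unknown_users: bool
    grant_dialup_permission: bool


@dataclass
class AcsServer:
    config: ServiceConfig
    acs_db: Dict[str, AcsUser] = field(default_factory=dict)
    nt_db: Dict[str, NtAccount] = field(default_factory=dict)

    def authenticate(self, username: str, password: str) -> Tuple[bool, str]:
        """Decide a PAP login the way the Service Configuration text describes."""
        user = self.acs_db.get(username)
        if user is None:
            # Username not in the CiscoSecure database: fall through to Windows NT
            # only when the check box is set; otherwise the authentication fails.
            if not self.config.check_nt_for_unknown_users:
                return False, "unknown user and Windows NT lookup disabled"
            return self._nt_auth(username, password, create_record=True)
        if user.nt_authenticated:
            # Record was auto-created earlier: Windows NT still checks the password.
            return self._nt_auth(username, password, create_record=False)
        if user.password != password:
            return False, "wrong password (CiscoSecure database)"
        return True, "authenticated by CiscoSecure database, group %d" % user.group

    def _nt_auth(self, username: str, password: str, create_record: bool) -> Tuple[bool, str]:
        acct = self.nt_db.get(username)
        if acct is None or acct.password != password:
            return False, "Windows NT authentication failed"
        # A correct password is not enough when "Grant dial-up permission" is checked.
        if self.config.grant_dialup_permission and not acct.dialin_permitted:
            return False, "dial-up permission not granted in Windows NT"
        if create_record:
            # Success creates a group 0 record that says "authenticate via Windows NT".
            self.acs_db[username] = AcsUser(group=WINDOWS_NT_USERS_GROUP,
                                            password=None, nt_authenticated=True)
        return True, "authenticated by Windows NT User Database"


def demo() -> Dict[str, bool]:
    """Run the four cases a reviewer would check; returns {case: accepted}."""
    cfg = ServiceConfig(check_nt_for_unknown_users=True, grant_dialup_permission=True)
    acs = AcsServer(cfg)
    acs.nt_db["jsmith"] = NtAccount(password="s3cret", dialin_permitted=True)   # constructed
    acs.nt_db["nodial"] = NtAccount(password="s3cret", dialin_permitted=False)  # constructed
    strict = AcsServer(ServiceConfig(False, False), nt_db=dict(acs.nt_db))
    return {
        "nt_user_first_login": acs.authenticate("jsmith", "s3cret")[0],
        "nt_user_second_login": acs.authenticate("jsmith", "s3cret")[0],
        "nt_user_no_dialin": acs.authenticate("nodial", "s3cret")[0],
        "nt_user_lookup_disabled": strict.authenticate("jsmith", "s3cret")[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print("%-26s %s" % (case, "accepted" if accepted else "rejected"))
```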
Token Server Configuration
None: Token Card servers are not used in this configuration.
Administration Control
None.
NAS Configuration
There are several Cisco IOS configurations for the NAS depending on many influences such as network protocols, routing, where IP addresses are defined, and which interface access control lists are defined, to name just a few. This sample configuration represents the minimum TACACS+ requirements for a Cisco 2509. Note that PAP is used because the Windows NT User Database is being utilized.
aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
tacacs-server host <ip_address>
tacacs-server key <key>
enable secret <password>
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs
Enter this command under each interface used for dial-in access:
ppp authentication pap
Client Configuration
The client can be an async or ISDN client. For an ISDN client, be sure it is configured to use PAP.
Windows 95 Client
These items are configured from the Dial-Up Networking section of Windows 95. Create and configure a connection with the dial number to the NAS. Once created, right-click on the Connection icon and select properties.
Click Server Type and select:
PPP as the "Type of Dial-Up Server"
Check "Log on to Network" under Advanced options
Do not check "require encrypted password"
Check IP and/or IPX for "allowed network protocols" under "Server Types"
If using an IP pool on the NAS (not assigning the IP address at the client), set TCP/IP settings to "server assigned IP Address" and "server assigned name server address"
Note The NAS must include the necessary configuration parameters to support IP Pools.
To set up single login functionality, under the Network Configuration, install the Client for Microsoft Networks and set the Primary Network Logon for "Windows Logon"
For single login, in the properties for Client for Microsoft Networks, don't enable "Log on to Windows NT Domain" but do enter the desired domain in the Windows NT Domain field
When making a connection, enter the same username and password being used for the user account in the Windows NT User Database
For single login, select the "save password" check box in the Connect to dialog box. If the password is not saved, you probably do not have the Windows 95 service pack installed.
Windows NT Workstation Client
Make sure:
When using Dial-up Networking with a Windows NT client, the Domain Name field must be blank before attempting to dial.
Comments
Consider the following:
All of the benefits of the Windows NT operating system such as PDC/BDC database replication and distribution can be leveraged.
This configuration requires the use of PAP as the Authentication protocol because it is not possible to store CHAP passwords in the Windows NT User Database.
Enable the right to "log on locally" for the Domain Users to allow all users to authenticate against the Windows NT User Database.
Allow the users across a trusted domain to also authenticate by configuring the right for those accounts to "log on locally" on the same Windows NT Server where the CiscoSecure ACS has been installed.
Enable the Grant dial-up permission from the dial-up menu if you want to be able to enable or disable user login privileges from Windows NT.
Note The ability to control access with the "Grant dial-in permission" right does not span across trusted domains.
Dial-Up Using the CiscoSecure ACS 2.0 User Database with TACACS+
This configuration would be used where administrators want a higher level of authentication security such as CHAP, or faster authentication/authorization processing. This method would be used by service providers when transaction speed is critical. It would also be used in corporations where the added security of one-time passwords (OTPs) with CHAP is worth giving up single login to a Windows NT domain.
Windows NT Server Configuration
None: Users do not need to exist in the Windows NT User Database unless they need to log into the Windows NT network after accessing the IP network.
CiscoSecure ACS Configuration
The following information represents the parameters that are configured from within the CiscoSecure ACS for Windows NT.
NAS Configuration
You can configure the following items from the NAS configuration window:
Note If the first NAS that clients will be dialing into was set up during the installation of the CiscoSecure ACS, all of the information in this section should already be complete.
Add or edit a NAS
Enter the name of the NAS
Enter the IP address of the NAS
Enter the secret shared between the NAS and the CiscoSecure ACS, called a "key"
Select TACACS+ (Cisco) as the security control protocol
Click TACACS+ (Cisco) under the Protocol Configuration Options to select the Service/Protocol to be configurable for a group
Note You must also enable PPP LCP when selecting any PPP protocol.
User Setup
You can configure the following from the User Setup window:
Add a user to the CiscoSecure ACS 2.0 User Database.
Select CiscoSecure Database as the method for password authentication and enter/reconfirm a password in the first set of the CiscoSecure ACS User Database password fields.
Assign the user to a group. Windows NT Users could be used, but it is recommended to use a different group such as group 1.
Note All groups can be renamed, but the CiscoSecure ACS tracks all groups by their original number.
If using ISDN, the particular ISDN Calling Line ID (CLID) can be entered in the Rem_Addr filter field to limit a user's access to only be permitted if calling from a particular location. User definitions entered here will override the Group Setup definition.
If a particular IP address is to be assigned to the user, enter it in the Static IP Address field.
If conditions for expiration should be set for the user, configure them by selecting the appropriate parameters.
Group Setup
You can configure the following from the group window:
If "Time of Day Access" is to be used, enable the feature by clicking Use as Default and highlighting with green the time/days access should be granted. Leaving this disabled grants access 24 hours/day all week long.
If using ISDN, the particular ISDN Calling Line ID (CLID) for the entire group can be entered in the Rem_Addr filter field to limit a user's access to only be permitted if calling from locations with known CLIDs.
To enable group-level filtering, select the "Enable group level and Enforce User level filtering" check box.
Note If this option is checked and no group-level filter is defined, a user-level filter must be defined for every member of that group, or authentication fails for users without a valid filter.
Enable PPP-IP if the NAS is going to support dial-up clients running IP over PPP (async or ISDN) connections (configure within the NAS Configuration button if not displayed).
Enable and enter the "IP Pool" name defined on the NAS. If the default pool will be used or if the address is defined at the client, leave the field blank.
Enable PPP-IPX if the NAS is going to support dial-up clients running IPX over PPP (async or ISDN) connections (configure within the NAS Configuration button if not displayed).
Enable Shell (Exec) if Telnet sessions shall be run by the client or if the CiscoSecure ACS will also be used for router management (configure within the NAS Configuration button if not displayed).
Service Configuration
These items are configured from Service Configuration:
Do not check the box for "Check Windows NT Database for usernames not found in CiscoSecure." This will set up the CiscoSecure ACS to deny any user permission unless they have an active account in the CiscoSecure ACS 2.0 User Database.
Do not check "Grant dial-up permission."
Token Server Configuration
None: Token Card servers are not used in this configuration.
NAS Configuration
There are several Cisco IOS configurations for the NAS depending on many influences such as network protocols, routing, where IP addresses are defined, and which interface access control lists are defined, to name just a few. This sample configuration represents the minimum TACACS+ requirements for a Cisco 2509. Note that CHAP can be used because the CiscoSecure ACS 2.0 User Database is being utilized.
aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
tacacs-server host <ip_address>
tacacs-server key <key>
enable secret <password>
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs
Enter this command under each interface used for dial-in access:
ppp authentication chap
Client Configuration
The client can be an async or ISDN client.
Windows 95 Client
These items are configured from the Dial-Up Networking section of Windows 95. Create and configure a connection with the dial number to the NAS. Once created, right-click on the Connection icon and select properties.
Click Server Type and select:
PPP as the "Type of Dial-Up Server"
Check "Log on to Network" under Advanced options
Do not check "require encrypted password"
Check IP and/or IPX for "allowed network protocols" under "Server Types"
If using an IP pool on the NAS (not assigning the IP address at the client), set TCP/IP settings to "server assigned IP Address" and "server assigned name server address"
When making a connection, enter the username and password entered in the CiscoSecure ACS 2.0 User Database
Windows NT Workstation Client
Make sure:
When using Dial-up Networking with a Windows NT client, the Domain Name field must be blank before attempting to dial.
Comments
Consider the following:
This configuration can support PAP or CHAP as the authentication protocol because it is possible to store PAP and CHAP passwords in the CiscoSecure ACS 2.0 User Database. To use PAP authentication, substitute the word PAP in place of CHAP in the NAS Configuration listed above.
Logging onto a Windows NT Network is a second step as single login cannot be achieved if CHAP is a requirement.
Dial-Up Using SDI Token Card Server with TACACS+
This configuration outlines the ability to implement the CiscoSecure ACS with the SDI Ace token card server. Administrators who want to increase and utilize the added level of security of a token card can do so with the SDI Ace server for authentication while still allowing the CiscoSecure ACS to authorize the services after a successful authentication.
Windows NT Server Configuration
The following information represents the parameters that are configured from within the Windows NT Server:
The client software for the SDI Ace Security server must be installed on the same Windows NT Server that the CiscoSecure ACS is on. The ACE Security server can be connected to the LAN or accessed remotely. The ACE Security server configuration file sdiconf.rec must reside in the \Winnt\system32 directory to correctly configure the client portion of the SDI software. Refer to the SDI Ace Security server manual for proper installation.
Users do not need to exist in the Windows NT database unless they need to log in to the Windows NT network.
CiscoSecure ACS Configuration
The following information represents the parameters that are configured from within the CiscoSecure ACS for Windows NT.
NAS Configuration
You can configure the following items from the NAS configuration screen:
Note If the first NAS that clients will be dialing into was set up during the installation of the CiscoSecure ACS, all of the information in this section should already be complete.
Add or edit a NAS
Enter the name of the NAS
Enter the IP address of the NAS
Enter the secret shared between the NAS and the CiscoSecure ACS, called a "key"
Select TACACS+ (Cisco) as the security control protocol
Click TACACS+ (Cisco) under the Protocol Configuration Options to select the Service/Protocol to be configurable for a group
Note You must also enable PPP LCP when selecting any PPP protocol.
User Setup
The following should be configured in the CiscoSecure ACS from User Setup:
Enter a Username and click Add.
Select Token Card Server as the method for password authentication.
The option to use a CHAP/ARAP password with a Token card is supported and can be entered/reconfirmed in the password fields.
Assign the user to a group. "Windows NT Users" could be used, but it is recommended to use a different group such as "Group 1."
If using ISDN, the particular ISDN Calling Line ID (CLID) can be entered in the Rem_Addr filter field to limit a user's access to only be permitted if calling from a particular location. User definitions entered here will override the Group Setup definition.
If a particular IP address is to be assigned to the user, enter it in the Static IP Address field.
If conditions for expiration should be set for the user, configure them by selecting the appropriate parameters.
Group Setup
These items should be configured in Group Setup:
If "Time of Day Access" is to be used, enable the feature by clicking Use as Default and highlighting with green the time/days access should be granted. Leaving this disabled grants access 24 hours/day all week long.
If using ISDN, the particular ISDN Calling Line ID (CLID) for the entire group can be entered in the Rem_Addr filter field to limit a user's access to only be permitted if calling from locations with known CLIDs.
To enable group-level filtering, select the "Enable group level and Enforce User level filtering" check box.
Note If this option is checked and no group-level filter is defined, a user-level filter must be defined for every member of that group, or authentication fails for users without a valid filter.
If using ISDN, enable token caching so that the CiscoSecure ACS stores the password to authenticate the second B channel when it is brought into service. There are two token caching methods to choose from. Choose Session if the second B channel will be dynamically going up and down. Choose Duration if both B channels are to be brought in and stay in service; the time entered in this field is how long the CiscoSecure ACS will cache the password.
Enable PPP-IP if the NAS is going to support dial-up clients running IP over PPP (async or ISDN) connections (configure within the NAS Configuration button if not displayed).
Enable and enter the "IP Pool" name defined on the NAS. If the default pool will be used or if the address is defined at the client, leave the field blank.
Enable PPP-IPX if the NAS is going to support dial-up clients running IPX over PPP (async or ISDN) connections (configure within the NAS Configuration button if not displayed).
Enable Shell (Exec) if Telnet sessions shall be run by the client or if the CiscoSecure ACS will also be used for router management (configure within the NAS Configuration button if not displayed).
Service Configuration
These items are configured from Service Configuration:
Do not check the box for "Check Windows NT Database for usernames not found in CiscoSecure." This will set up the CiscoSecure ACS to deny any user permission unless they have an active account in the CiscoSecure ACS 2.0 User Database.
Do not check "Grant dial-up permission."
Token Server Configuration
You can configure the following from Token Server Configuration:
Click Token Server Configuration to allow the CiscoSecure ACS to support the SDI token card.
NAS Configuration
There are several Cisco IOS configurations for the NAS depending on many influences such as network protocols, routing, where IP addresses are defined, and which interface access control lists are defined, to name just a few. This sample configuration represents the minimum TACACS+ requirements for a Cisco 2509. Note that CHAP can be used because the CiscoSecure ACS 2.0 User Database is being utilized.
aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
tacacs-server host <ip_address>
tacacs-server key <key>
enable secret <password>
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs
Enter this command under each interface used for dial-in access:
ppp authentication chap
Client Configuration
The client can be an async or ISDN client.
Windows 95 Client
These items are configured from the Dial-Up Networking section of Windows 95. Create and configure a connection with the dial number to the NAS, then, right-click on the Connection icon and select properties.
Click Server Type and select:
PPP as the "Type of Dial-Up Server"
Check "Log on to Network" under Advanced options
Do not check "require encrypted password"
Check IP and/or IPX for "allowed network protocols" under "Server Types"
If using an IP pool on the NAS (not assigning the IP address at the client), set TCP/IP settings to "server assigned IP Address" and "server assigned name server address"
When making a connection, you must enter the username and the token OTP password using the correct convention to authenticate successfully
If using PAP: In the username field enter the username and in the password field enter the token card PIN and OTP
If using CHAP: In the username field enter the username followed by an asterisk (*) and the token card PIN and OTP (for example, jsmith*1234123456), and in the password field enter the CHAP password
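The PAP and CHAP login conventions just listed, together with the Session and Duration token-caching choices from Group Setup, as one added model (not Cisco's or SDI's code). The token server here is a constructed stand-in that accepts each OTP once, and the cache, clock and function names are assumptions made for the example.

```python
import time
from typing import Callable, Dict, Optional, Tuple


def parse_token_login(protocol: str, username: str, password: str) -> Tuple[str, str, Optional[str]]:
    """Split the client's fields into (user, PIN+OTP passcode, CHAP password or None).

    PAP : username field = 'jsmith',            password field = PIN+OTP
    CHAP: username field = 'jsmith*1234123456', password field = CHAP password
    """
    if protocol == "PAP":
        if "*" in username:
            raise ValueError("PAP convention: the PIN and OTP go in the password field")
        return username, password, None
    if protocol == "CHAP":
        user, sep, passcode = username.partition("*")
        if not sep or not user or not passcode:
            raise ValueError("CHAP convention: username must be user*PINOTP")
        return user, passcode, password
    raise ValueError("unsupported protocol: %s" % protocol)


class ConstructedTokenServer:
    """Stand-in for the SDI ACE server: a passcode is accepted exactly once."""

    def __init__(self, passcodes: Dict[str, str]):
        self._valid = dict(passcodes)           # user -> currently valid PIN+OTP

    def check(self, user: str, passcode: str) -> bool:
        if self._valid.get(user) == passcode:
            del self._valid[user]               # an OTP cannot be replayed
            return True
        return False


class TokenCache:
    """Keeps a validated passcode so the second B channel does not need a fresh OTP.

    mode 'session' : entry lives until session_ended() is called.
    mode 'duration': entry lives for duration_s seconds (the Group Setup field).
    """

    def __init__(self, mode: str, duration_s: float = 0.0,
                 clock: Callable[[], float] = time.monotonic):
        if mode not in ("session", "duration"):
            raise ValueError("mode must be 'session' or 'duration'")
        self.mode, self.duration_s, self.clock = mode, duration_s, clock
        self._entries: Dict[str, Tuple[str, float]] = {}   # user -> (passcode, stored_at)

    def store(self, user: str, passcode: str) -> None:
        self._entries[user] = (passcode, self.clock())

    def matches(self, user: str, passcode: str) -> bool:
        entry = self._entries.get(user)
        if entry is None:
            return False
        cached, stored_at = entry
        if self.mode == "duration" and self.clock() - stored_at > self.duration_s:
            del self._entries[user]             # expired: a new OTP is required
            return False
        return cached == passcode

    def session_ended(self, user: str) -> None:
        if self.mode == "session":
            self._entries.pop(user, None)


def authenticate_b_channel(cache: TokenCache, server: ConstructedTokenServer,
                           protocol: str, username: str, password: str) -> str:
    """Authenticate one B channel: cached passcode first, then the token server."""
    user, passcode, _chap_password = parse_token_login(protocol, username, password)
    if cache.matches(user, passcode):
        return "accepted (cached token)"
    if server.check(user, passcode):
        cache.store(user, passcode)             # remember it for the second B channel
        return "accepted (token server)"
    return "rejected"


if __name__ == "__main__":
    cache = TokenCache("duration", duration_s=60)
    server = ConstructedTokenServer({"jsmith": "1234123456"})   # constructed sample
    for channel in ("B1", "B2"):
        print(channel, authenticate_b_channel(cache, server, "CHAP", "jsmith*1234123456", "chap-pw"))
```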
Windows NT Workstation Client
Make sure:
When using Dial-up Networking with a Windows NT client, the Domain Name field must be blank before attempting to dial.
Comments
Consider the following:
This configuration can support PAP or CHAP as the authentication protocol because it is possible to store a CHAP password in the CiscoSecure ACS for token card support. To use PAP authentication on the NAS, substitute the word PAP in place of CHAP in the NAS Configuration listed above.
Logging onto a Windows NT Network is a second step as single login cannot be achieved if token card authentication is a requirement.
Dial-Up Using the CiscoSecure ACS 2.0 User Database with RADIUS (Cisco)
This dial-up configuration would be used by administrators who want to use RADIUS authentication/authorization processing. Administrators who need to support non-Cisco equipment would probably use RADIUS. The CiscoSecure ACS supports IETF, Cisco, and Ascend RADIUS attributes.
Note RADIUS function support requires Cisco IOS Release 11.2 or higher to be running on your NAS.
Windows NT Server Configuration
None: Users do not need to exist in the Windows NT database unless they need to log in to the Windows NT network.
CiscoSecure ACS Configuration
The following information represents the parameters that are configured from within the CiscoSecure ACS HTML interface.
NAS Configuration
You can configure the following items from the NAS Configuration screen:
Note If the first NAS that clients will be dialing into was set up during the installation of CiscoSecure, all of the information in this section should already be complete.
Add or edit a NAS
Enter the name of the NAS
Enter the IP address of the NAS
Enter the secret shared between the NAS and CiscoSecure, called a "key"
Select RADIUS (Cisco) as the security control protocol
Click RADIUS (Cisco) under the Protocol Configuration Options and verify that the vendor-specific attribute (26) is selected
Click RADIUS (IETF) under the Protocol Configuration Options to select the Service/Protocol to be configurable for a group
User Setup
The following should be configured in CiscoSecure from User Setup:
Add a user to the CiscoSecure ACS 2.0 User Database.
Select CiscoSecure ACS 2.0 User Database as the method for Password authentication and enter/reconfirm a password in the first set CiscoSecure ACS 2.0 User Database password fields.
Assign the user to a group. "Windows NT Users" could be used, but it is recommended to use a different group such as "Group 1."
If conditions for expiration should be set for the user, configure them by selecting the appropriate parameters.
If a particular IP address is to be assigned to the user, enter it in the Static IP Address field.
Group Setup
These items should be configured in Group Setup for the desired group:
If "Time of Day Access" is to be used, enable the feature by clicking Use as Default and highlighting with green the time/days access should be granted. Leaving this disabled grants access 24 hours/day all week long.
Do one of the following:
Enable attribute 006 and select "Framed," and enable attribute 007 and select "PPP," for the NAS to support dial-up clients running IP over PPP (async or ISDN) connections (configure within the NAS Configuration button if not displayed).
Enable attribute 006 and select "Login" for the NAS to support dial-up clients running Shell (exec) connections (async or ISDN) (configure within the NAS Configuration button if not displayed).
Service Configuration
These items are configured from Service Configuration:
Do not check the box for "Check Windows NT Database for usernames not found in CiscoSecure." This will set up CiscoSecure to deny any user permission unless they have an active account in the CiscoSecure ACS 2.0 User Database.
Do not check "Grant dial-up permission."
Token Server Configuration
None: Token Card servers are not used in this configuration.
NAS Configuration
There are several Cisco IOS configurations for the NAS depending on many influences such as network protocols, routing, where IP addresses are defined, and which interface access control lists are defined, to name just a few. This sample configuration represents the minimum RADIUS requirements for a Cisco 2509. Note that CHAP can be used because the CiscoSecure ACS 2.0 User Database is being utilized.
aaa new-model
aaa authentication login default radius
aaa authentication ppp default radius
aaa authorization exec radius
aaa authorization network radius
aaa accounting network start-stop radius
aaa accounting exec start-stop radius
radius-server host <ip_address>
radius-server key <key>
enable secret <password>
aaa authentication login no_radius enable
line con 0
login authentication no_radius
Enter this command under each interface used for dial-in access:
ppp authentication chap
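A checker for the minimum AAA lines shown in the NAS Configuration sections (TACACS+ and RADIUS alike), with particular attention to the console fallback list (no_tacacs / no_radius) that keeps console login working when the AAA server is unreachable. This is an added example, not Cisco's code; the sample configuration embedded below is constructed from the page's snippet with placeholder values filled in, and the function names are assumptions.

```python
import re
from typing import Dict, List, Tuple

SERVER_METHODS = {"tacacs+", "radius"}
LOCAL_METHODS = {"enable", "local", "line"}   # methods that work without a AAA server

# Constructed from the page's TACACS+ snippet; address and secrets are placeholders.
SAMPLE_TACACS = """\
aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE_KEY
enable secret EXAMPLE_SECRET
aaa authentication login no_tacacs enable
line con 0
 login authentication no_tacacs
"""


def normalize(config_text: str) -> List[str]:
    """Strip indentation, blank lines and '!' comments from an IOS snippet."""
    lines = [l.strip() for l in config_text.splitlines()]
    return [l for l in lines if l and not l.startswith("!")]


def parse_method_lists(lines: List[str]) -> Dict[Tuple[str, str], List[str]]:
    """Map (service, list_name) -> methods from 'aaa authentication <svc> <list> <methods>'."""
    lists: Dict[Tuple[str, str], List[str]] = {}
    for cmd in lines:
        m = re.match(r"aaa authentication (login|ppp) (\S+) (.+)$", cmd)
        if m:
            lists[(m.group(1), m.group(2))] = m.group(3).split()
    return lists


def console_login_list(lines: List[str]) -> str:
    """Name of the login list applied to 'line con 0'; 'default' when none is set."""
    in_console = False
    for cmd in lines:
        if cmd.startswith("line "):
            in_console = cmd.startswith("line con ")
            continue
        if in_console and cmd.startswith("login authentication "):
            return cmd.split()[2]
    return "default"   # with aaa new-model, lines without a list use the default list


def check_nas_config(config_text: str) -> List[str]:
    """Return a list of findings; an empty list means the minimum lines are present."""
    lines = normalize(config_text)
    findings: List[str] = []
    if "aaa new-model" not in lines:
        findings.append("missing 'aaa new-model': the other aaa commands are not in effect")
    lists = parse_method_lists(lines)
    for svc in ("login", "ppp"):
        methods = lists.get((svc, "default"))
        if methods is None:
            findings.append("no default %s authentication list" % svc)
        elif not SERVER_METHODS & set(methods):
            findings.append("default %s list does not use a AAA server" % svc)
    # Every server method referenced needs a host and a shared key.
    for proto in {m for ms in lists.values() for m in ms} & SERVER_METHODS:
        stem = "tacacs-server" if proto == "tacacs+" else "radius-server"
        for sub in ("host", "key"):
            if not any(l.startswith("%s %s " % (stem, sub)) for l in lines):
                findings.append("%s referenced but '%s %s' is missing" % (proto, stem, sub))
    if not any(l.startswith("enable secret ") for l in lines):
        findings.append("no 'enable secret': the 'enable' fallback method has nothing to check")
    con_list = console_login_list(lines)
    con_methods = lists.get(("login", con_list), [])
    if not LOCAL_METHODS & set(con_methods):
        findings.append("console uses login list '%s' %s with no local/enable method: "
                        "console lockout if the AAA server is unreachable"
                        % (con_list, con_methods))
    return findings


if __name__ == "__main__":
    print("page sample:", check_nas_config(SAMPLE_TACACS) or "OK")
    without_fallback = "\n".join(l for l in SAMPLE_TACACS.splitlines() if "no_tacacs" not in l)
    print("without no_tacacs:", check_nas_config(without_fallback))
```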
Client Configuration
The client can be an async or ISDN client.
Windows 95 Client
These items are configured from the Dial-Up Networking section of Windows 95. Create and configure a connection with the dial number to the NAS. Once created, right-click on the Connection icon and select properties.
Click Server Type and select:
PPP as the "Type of Dial-Up Server"
Check "Log on to Network" under Advanced options
Do not check "require encrypted password"
Check IP for "allowed network protocols" under "Server Types"
If using an IP pool (not assigning the IP address at the client), set TCP/IP settings to "server assigned IP Address" and "server assigned name server address"
When making a connection, enter the username and password entered in the CiscoSecure ACS 2.0 User Database
Windows NT Workstation Client
Make sure:
When using Dial-up Networking with a Windows NT client, the Domain Name field must be blank before attempting to dial.
Comments
Consider the following:
Administrators limited by the configurability of RADIUS as compared to TACACS+ can define additional functionality by way of RADIUS (Cisco), which enables the vendor-specific attribute (VSA). The free-form text box allows administrators to configure Cisco AV pairs to add more configurability to their environment.
This configuration can support PAP or CHAP as the authentication protocol because it is possible to store PAP and CHAP passwords in the CiscoSecure ACS 2.0 User Database. To use PAP authentication, substitute the word PAP in place of CHAP in the Network Access Server Configuration listed above.
Logging onto a Windows NT Network is a second step as single login cannot be achieved if CHAP is a requirement.
Dial-Up for an ARAP Client Using the CiscoSecure ACS 2.0 User Database with TACACS+
This section outlines what requirements are necessary to configure a client using ARAP with TACACS+ and assumes that the necessary [non-AAA] ARAP configuration parameters are already configured on the NAS.
Note When you use ARAP, the NAS must be running Cisco IOS Release 11.1.
CiscoSecure ACS Configuration
The following information represents the parameters that are configured from within the CiscoSecure ACS HTML interface.
NAS Configuration
You can configure the following items from the NAS configuration screen:
Note If the first NAS that clients will be dialing into was set up during the installation of CiscoSecure, all of the information in this section should already be complete.
Add or edit a NAS
Enter the name of the NAS
Enter the IP address of the NAS
Enter the secret shared between the NAS and CiscoSecure, called a "key"
Select TACACS+ (Cisco) as the security control protocol
Click TACACS+ (Cisco) under the Protocol Configuration Options and select the ARAP Protocol
User Setup
The following should be configured in CiscoSecure from User Setup:
Add a user to the CiscoSecure ACS 2.0 User Database.
Select CiscoSecure ACS 2.0 User Database as the method for Password authentication and enter/reconfirm a password in the first set CiscoSecure ACS 2.0 User Database password fields.
Assign the user to a group. "Windows NT Users" could be used, but it is recommended to use a different group such as "Group 1."
If conditions for expiration should be set for the user, configure them here.
Group Setup
These items should be configured in Group Setup for the desired group:
If "Time of Day Access" is to be used, enable the feature by clicking Use as Default and highlighting with green the time/days access should be granted. Leaving this disabled grants access 24 hours/day all week long.
Enable ARAP to allow the NAS to support dial-up clients.
Service Configuration
The following should be configured in CiscoSecure from Service Configuration:
Do not check the box for "Check Windows NT Database for usernames not found in CiscoSecure." This will set up CiscoSecure to deny any user permission unless they have an active account in the CiscoSecure ACS 2.0 User Database.
Do not check "Grant dial-up permission."
Administration Control
These items are configured from Administration Control:
To enable the ability to configure the CiscoSecure ACS from another workstation, either on the LAN or from a dial-in client, the user must be registered as an administrator. Enter the administrator's username and password. This username and password have no association with the dial-up authentication username and password.
NAS Configuration
There are several Cisco IOS configurations for the NAS depending on many influences such as network protocols, routing, where IP addresses are defined, and which interface access control lists are defined, to name just a few. This sample configuration represents the minimum TACACS+ requirements to use ARAP for a Cisco 2509.
aaa new-model
aaa authentication arap default tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
tacacs-server host <ip_address>
tacacs-server key <key>
enable secret <password>
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs
Enter these commands under each line used for dial-in access with ARAP:
autoselect arap
arap enable
Client Configuration
The client configured in this example is a Macintosh Power PC running Mac OS 7.5.5 and using the AppleTalk Remote Access v2.1 software.
From the Remote Access Client software, create a new profile and configure the following in the "Connect As" section:
Enter the username
Enter the password
Enter the dial number
Click Connect to initiate a call
Router Management Using the CiscoSecure ACS 2.0 User Database with TACACS+
This section outlines how to enhance the security of access to the router or NAS configuration. Implementing command authorization along with administrative privilege levels can further secure access to the router's configuration. This method would be used by IS managers to control and monitor the administration activity of their routers and NASes.
Windows NT Server Configuration
None. Users do not need to exist in the Windows NT database unless they need to log in to the Windows NT network.
CiscoSecure ACS Configuration
The following information represents the parameters that are configured from within the CiscoSecure ACS HTML interface.
NAS Configuration
You can configure the following items from the NAS configuration screen:
Note If the first NAS that clients will be dialing into was set up during the installation of CiscoSecure, all of the information in this section should already be complete.
Add or edit a NAS
Enter the name of the NAS
Enter the IP address of the NAS
Enter the secret shared between the NAS and CiscoSecure, called a "key"
Select TACACS+ (Cisco) as the security control protocol
Click TACACS+ (Cisco) under the Protocol Configuration Options to select the Service/Protocol to be configurable for a group
To be able to access and configure a router or NAS remotely, the Shell (exec) Service must be checked
Note You must also enable PPP LCP when selecting any PPP protocol.
User Setup
The following should be configured in CiscoSecure from User Setup:
Add a user to the CiscoSecure ACS 2.0 User Database.
Select CiscoSecure ACS 2.0 User Database as the method for Password authentication and enter/reconfirm a password in the first set CiscoSecure ACS 2.0 User Database password fields.
Assign the user to a group. "Windows NT Users" could be used, but it is recommended to use a different group such as "Group 1."
If using ISDN, the particular ISDN Calling Line ID (CLID) can be entered in the Rem_Addr filter field to limit a user's access to only be permitted if calling from a particular location. User definitions entered here will override the Group Setup definition.
If a particular IP address is to be assigned to the user, enter it in the Static IP Address field.
If conditions for expiration should be set for the user, configure them by selecting the appropriate parameters.
Under the "Advanced Tacacs+ Settings," enabling the TACACS+ Enable Control will authenticate the user by privilege level. Enter/reconfirm a password to be used when accessing the "enable mode" on the router/NAS.
Group Setup
These items should be configured in Group Setup for the desired group:
If "Time of Day Access" is to be used, enable the feature by clicking Use as Default and highlighting with green the time/days access should be granted. Leaving this disabled grants access 24 hours/day all week long.
If using ISDN, the particular ISDN Calling Line ID (CLID) for the entire group can be entered in the Rem_Addr filter field to limit a user's access to only be permitted if calling from locations with known CLIDs.
To enable group-level filtering, select the "Enable group level and Enforce User level filtering" check box.
Note If this option is checked and no group-level filter is defined, a user-level filter must be defined for every member of that group, or authentication fails for users without a valid filter.
Enable PPP-IP if the NAS is going to support dial-up clients running IP over PPP (async or ISDN) connections (configure within the NAS Configuration button if not displayed).
Enable and enter the "IP Pool" name defined on the NAS. If the default pool will be used or if defined at the client, leave the field blank.
Enable PPP-IPX if the NAS is going to support dial-up clients running IPX over PPP (async or ISDN) connections (configure within the NAS Configuration button if not displayed).
Enable Shell (Exec) for Telnet sessions to be run by the client and allow CiscoSecure to be used for router management (configure within the NAS Configuration button if not displayed).
Authorization privilege level can be assigned for the Group in the Shell(exec) section.
In conjunction with the proper command authorization configuration on the router/NAS (see Router/NAS Configuration below), Cisco IOS commands may be permitted or denied in the Group Setup of CiscoSecure ACS.
Select the Permit/Deny radio button on the Unmatched IOS Commands section to handle the authorization of any command not specified for the group.
Click the Command box and enter the command to authorize in the field underneath. Add the argument(s) of the command to be permitted or denied. For example, for the command SHOW, the argument syntax would be:
permit running-configuration
deny ip routes
deny interface ethernet 0
Select the radio button to permit/deny all unlisted arguments for the command being configured.
To enter another command, click Submit and then click Edit Group Settings. Scroll down and configure another command for authorization until all of your commands to authorize have been entered. Click Submit and Restart for the changes to take effect.
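As an added illustration (not part of the original document and not CiscoSecure ACS code), the following Python model reproduces the decision order the Group Setup screen describes: per-command argument rules, the per-command default for unlisted arguments, and the group-wide default for unmatched IOS commands. The matching rule used here (a listed argument string matches when its words are a leading prefix of the arguments typed) is an assumption of the model, not a statement about the real ACS matching engine.

```python
"""Model of CiscoSecure ACS group-level IOS command authorization.

Added example: reproduces the decision order described in the Group
Setup section (per-command argument lists, per-command default for
unlisted arguments, group default for unmatched commands). Prefix
matching of argument words is an assumption of this model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PERMIT = "permit"
DENY = "deny"


@dataclass
class CommandRule:
    """One entry in the Group Setup 'Command' box."""
    # (action, argument words) in the order the administrator listed them
    arguments: List[Tuple[str, Tuple[str, ...]]] = field(default_factory=list)
    # Radio button: what to do with arguments not listed above
    unlisted_arguments: str = DENY


@dataclass
class ShellAuthorizationPolicy:
    """Group Setup: Shell (exec) command authorization for one group."""
    commands: Dict[str, CommandRule] = field(default_factory=dict)
    # Radio button in the 'Unmatched IOS Commands' section
    unmatched_commands: str = DENY

    def authorize(self, command_line: str) -> Tuple[str, str]:
        """Return (decision, reason) for one IOS command line.

        The NAS sends the command name and its arguments in the TACACS+
        authorization request; here they are taken from a single string.
        """
        words = command_line.lower().split()
        if not words:
            return DENY, "empty command"
        name, args = words[0], tuple(words[1:])
        rule = self.commands.get(name)
        if rule is None:
            return self.unmatched_commands, f"'{name}' not listed: unmatched-command default"
        for action, pattern in rule.arguments:
            # Assumed matching rule: a listed argument string matches when its
            # words are a leading prefix of the arguments actually typed.
            if args[: len(pattern)] == pattern:
                return action, f"'{name}' argument rule '{' '.join(pattern)}'"
        return rule.unlisted_arguments, f"'{name}' arguments not listed: per-command default"


def example_policy() -> ShellAuthorizationPolicy:
    """Policy matching the SHOW example on the page: permit running-configuration,
    deny 'ip routes' and 'interface ethernet 0', deny other SHOW arguments,
    and deny every command that is not listed at all."""
    show = CommandRule(
        arguments=[
            (PERMIT, ("running-configuration",)),
            (DENY, ("ip", "routes")),
            (DENY, ("interface", "ethernet", "0")),
        ],
        unlisted_arguments=DENY,
    )
    # 'exit' takes no arguments: an empty pattern matches anything, so it is
    # always permitted and never falls through to the unmatched-command default.
    exit_rule = CommandRule(arguments=[(PERMIT, ())])
    return ShellAuthorizationPolicy(commands={"show": show, "exit": exit_rule},
                                    unmatched_commands=DENY)


if __name__ == "__main__":
    policy = example_policy()
    for line in ("show running-configuration", "show ip routes",
                 "show interface ethernet 0", "show version",
                 "configure terminal", "exit"):
        decision, reason = policy.authorize(line)
        print(f"{line:28s} -> {decision:6s} ({reason})")
```

Setting the Unmatched IOS Commands radio button to Permit makes every command that is not explicitly listed (including configure terminal) authorized, which is why the model defaults it to deny.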
Service Configuration
These items are configured from Service Configuration:
Do not check the box for "Check Windows NT Database for usernames not found in CiscoSecure." This will set up CiscoSecure to deny any user permission unless they have an active account in the CiscoSecure ACS 2.0 User Database.
Do not check "Grant dial-up permission."
Token Server Configuration
None. Token Card servers are not used in this configuration.
Router/NAS Configuration
There are several Cisco IOS configurations for the router/NAS depending on many influences such as network protocols, routing, where IP addresses are defined, and which interface access control lists are defined, to name just a few. This sample configuration represents the minimum TACACS+ requirements for a Cisco 2509 with the ability to do authorization on NAS commands executed and privilege-level authentication. Note that CHAP can be used because the CiscoSecure ACS 2.0 User Database is being utilized.
aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authentication enable default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa authorization commands <0-15> tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
aaa accounting commands start-stop tacacs+
tacacs-server host <ip_address>
tacacs-server key <key>
enable secret <password>
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs
Enter this command under each interface used for dial-in access:
ppp authentication chap
Client Configuration
The client can be an async or ISDN client or reside on the network.
Windows 95 Client
These items are configured from the Dial-Up Networking section of Windows 95. Create and configure a connection with the dial number to the NAS, then, right-click on the Connection icon and select properties.
Click Server Type and select:
PPP as the "Type of Dial-Up Server"
Check "Log on to Network" under Advanced options
Do not check "require encrypted password"
Check IP and/or IPX for "allowed network protocols" under "Server Types"
If using an IP pool on the NAS (not assigning the IP address at the client), set TCP/IP settings to "server assigned IP Address" and "server assigned name server address"
When making a connection, enter the username and password entered in the CiscoSecure ACS 2.0 User Database
Windows NT Workstation Client
Make sure:
When using Dial-up Networking with a Windows NT client, the Domain Name field must be blank before attempting to dial.
Comments
Consider the following:
The Admin Accounting Report under the Reports & Activity button in the CiscoSecure ACS HTML interface captures the command activity and logs the information in a .CSV file.
By default, privilege levels 0 and 15 are present in IOS. Other privilege levels may be defined on the router/NAS to further control authorization.
This configuration can support PAP or CHAP as the authentication protocol because it is possible to store PAP and CHAP passwords in the CiscoSecure ACS 2.0 User Database. To use PAP authentication, substitute the word PAP in place of CHAP in the Network Access Server Configuration listed above.
Logging onto a Windows NT Network is a second step as single login cannot be achieved if CHAP is a requirement.
PIX Firewall Authentication/Authorization Using the Windows NT User Database with TACACS+
This is a typical configuration that would be used in a Windows NT network residing behind a PIX firewall using only the Windows NT User Database to maintain authentication information. This configuration is compatible with businesses with a significant investment or strategic direction based on Windows NT. This configuration makes it possible to:
Control connectivity through a PIX firewall using Windows NT for authentication and CiscoSecure for authorization
Windows NT Server Configuration
This requires the most configuration of the Windows NT server environment because of the high level of dependency on Windows NT management functions. These items are configured from the User Manager on your Windows NT server that is running CiscoSecure.
The user must exist in the Windows NT User Database on the same server as the CiscoSecure ACS.
The user must belong to a Windows NT group that includes the policy "Log on Locally."
The user's profile must not have "change password at next login" or "disable account" set.
Enable the Grant dial-up permission from the dial-up menu if you want to be able to enable or disable user access privileges from Windows NT. This is optional.
Callback number should not be configured.
CiscoSecure ACS Configuration
The following information represents the parameters that are configured from within the CiscoSecure ACS HTML interface.
NAS Configuration
You can configure the following items from the NAS configuration screen:
Note If the first PIX that clients will be using was set up during the installation of CiscoSecure, all of the information in this section should already be complete.
Add or edit a PIX (NAS)
Enter the name of the PIX (NAS)
Enter the IP address of the PIX (NAS)
Enter the secret shared between the PIX (NAS) and CiscoSecure, called a "key"
Select TACACS+ (Cisco) as the security control protocol
User Setup
Not necessary. Users successfully authenticated against the Windows NT User Database are added to the CiscoSecure ACS 2.0 User Database so they may be reassigned to groups with different authorization levels later.
Group Setup
These items should be configured in Group Setup for the Windows NT Users group:
If "Time of Day Access" is to be used, enable the feature by clicking Use as Default and highlighting with green the time/days access should be granted. Leaving this disabled grants access 24 hours/day all week long.
Enable Shell (Exec) to allow Telnet sessions to be run by the client for FTP and HTTP.
Service Configuration
These items are configured from Service Configuration:
Check the box for "Check Windows NT Database for usernames not found in CiscoSecure." This will set up CiscoSecure to make sure every authentication request is verified by Windows NT. All users assume the Group authorizations of "Windows NT Users" which is the default for users without an entry in the CiscoSecure ACS 2.0 User Database.
Check "Grant dial-up permission" if the administrator desires to maintain the ability to enable/disable the privilege of dial-up connectivity from within Windows NT. This will make it possible to prevent certain users from gaining privileges from within Windows NT as mentioned in the above Windows NT Configuration section.
Token Server Configuration
None. Token Card servers are not used in this configuration.
Note Administration through a firewall is not supported. CiscoSecure can only be managed from the same side of the firewall.
PIX Configuration
This configuration is for the PIX firewall and allows "any" inbound traffic (HTTP, FTP, Telnet) as long as the user is authenticated and authorized. Notations have been added to this configuration to allow variations to be configured to deny authentication and/or authorization. A simple diagram of the PIX network is shown below:
outside inside
Client ------ PIX firewall ------- CiscoSecure
PIX Version 4.0.3
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
no failover
names
syslog output 20.7
no syslog console
syslog host 198.92.55.241
interface ethernet outside auto
interface ethernet inside auto
ip address inside 198.92.55.46 255.255.255.0
ip address outside 200.200.201.100 255.255.255.0
arp timeout 14400
global 1 198.92.55.1-198.92.55.254
nat 0 0.0.0.0 0.0.0.0
static 198.92.55.43 198.92.55.43
static 198.92.55.44 198.92.55.44
static 198.92.55.45 198.92.55.45
static 198.92.55.241 198.92.55.241
conduit 198.92.55.43 21 tcp 0.0.0.0 0.0.0.0 <--- for user from outside ftp to inside host 198.92.55.43 >
conduit 198.92.55.43 80 tcp 0.0.0.0 0.0.0.0 <--- for user from outside http to inside host 198.92.55.43 >
conduit 198.92.55.45 23 tcp 0.0.0.0 0.0.0.0 <--- for user from outside Telnet to inside host 198.92.55.45 >
tacacs-server host 198.92.55.43 nas01 <--- Configuration for any inbound packet using TACACS+ for authentication against the AAA server at 198.92.55.43 with TACACS+ key nas01 >
aaa authentication any inbound 198.92.55.43 255.255.255.255 tacacs+ <--- Authenticate any inbound packet access to 198.92.55.43 using TACACS+. "any" could change to ftp, http, or telnet >
aaa authentication any inbound 198.92.55.45 255.255.255.255 tacacs+
aaa authorization any inbound 198.92.55.43 255.255.255.255 <--- Authorize any inbound packet access to 198.92.55.43 using TACACS+. "any" could change to ftp, http, or telnet >
http 198.92.55.0 255.255.255.0
http 194.0.20.0 255.255.255.0
http 200.200.201.0 255.255.255.0
no snmp-server location
no snmp-server contact
telnet 198.92.55.104 255.255.255.0
telnet 200.200.201.2 255.255.255.0
mtu outside 1500
mtu inside 1500
Client Configuration
None. Proxy support may need to be set up on the browser.
No other particular client configuration is necessary for this application.
Comments
Consider the following:
All of the benefits of the Windows NT operating system such as PDC/BDC database replication and distribution can be leveraged.
Enable the right to "log on locally" for the Domain Users to allow all users to authenticate against the Windows NT User Database.
Allow the users across a trusted domain to also authenticate by configuring the right for those accounts to "log on locally" on the same Windows NT Server where the CiscoSecure ACS has been installed.
Note The ability to control access with the "Grant dial-in permission" right does not span across trusted domains.
VPDN Using the CiscoSecure ACS 2.0 User Database with TACACS+
This is a typical configuration that would be used to create secure connections over a public infrastructure. The CiscoSecure ACS can be used to provide authentication, authorization, and accounting for Virtual Private Dial-Up Networking (VPDN), using the L2F tunnelling protocol. This method is likely to be used by service providers to create the service and by the corporate customers who procure it. Either way, this configuration requires an ACS at both the NAS and the Home Gateway locations.
The CiscoSecure ACS is used at the originating end of the VPDN tunnel (the site the VPDN user dials into, often called the "ISP NAS" end of the VPDN tunnel) and at the end point of the tunnel (the private network that terminates the VPDN tunnel, often called "Home Gateway" end).
Figure 2-1 VPDN and CiscoSecure
Note The terminology for VPDN commonly uses "domain" to represent the corporate home gateway; this is not associated with the Windows NT "domain" nomenclature. In this example, to avoid confusion, the VPDN "domain" is referred to as "VPDNdomain".
The concept of creating a tunnel is best broken down into two major steps after the client dials in:
Creating a tunnel
The ISP NAS uses the VPDNdomain to get information from the ACS (ISP) about where the tunnel should be built for that user (Tunnel ID and Home Gateway Address).
The ISP NAS then uses the information (Tunnel ID) to request authentication for the tunnel from the NAS/router (Home Gateway).
The NAS/router (Home Gateway) forwards the information (Tunnel ID) to the ACS (Home Gateway) to authenticate the request.
When the information (Tunnel ID) is validated, the tunnel has been created.
Client authentication and authorization
The ISP NAS requests authentication of the user by the ACS (Home Gateway).
The ACS (Home Gateway) returns authentication and authorization responses to the ISP NAS.
When validated, the client has a secure connection through the tunnel with permissions assigned by the ACS at the corporate site (Home Gateway).
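The two-stage exchange above, as an added example that is not part of the original document and does not use real ACS data formats: a Python model in which the ISP ACS resolves the VPDNdomain to a Tunnel ID and Home Gateway address, the Home Gateway ACS authenticates the tunnel, and only then the dial-in user. The names CISCO, CISCO_TUNNEL and the "cisco" tunnel password come from this section; the Home Gateway address, the user alice@CISCO and the client password are constructed placeholders.

```python
"""Model of the two-stage VPDN (L2F) AAA exchange described above.

Added example: simulates what the ISP NAS, the ISP ACS, the Home Gateway
and the Home Gateway ACS each contribute, using the names from the page
(VPDNdomain CISCO, Tunnel ID CISCO_TUNNEL, user username@CISCO). Record
layouts and result strings are assumptions of this model, not ACS formats.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class TunnelInfo:
    """What the ISP ACS returns for a VPDNdomain (Group Setup, PPP-VPDN)."""
    tunnel_id: str
    home_gateway: str  # IP address of the Home Gateway NAS/router


class IspAcs:
    """ISP-side ACS: maps VPDNdomain -> tunnel endpoint information."""

    def __init__(self, domains: Dict[str, TunnelInfo]):
        self._domains = {k.upper(): v for k, v in domains.items()}

    def lookup_domain(self, vpdn_domain: str) -> Optional[TunnelInfo]:
        # Step 1: the ISP NAS asks where to build the tunnel for this domain.
        # The password stored with the domain entry plays no role here.
        return self._domains.get(vpdn_domain.upper())


class HomeGatewayAcs:
    """Home Gateway ACS: authenticates the tunnel, then the dial-in user."""

    def __init__(self, tunnel_passwords: Dict[str, str], users: Dict[str, str]):
        self._tunnels = tunnel_passwords   # Tunnel ID -> password
        self._users = users                # username@VPDNdomain -> password

    def authenticate_tunnel(self, tunnel_id: str, password: str) -> bool:
        # Steps 2-4: validate the Tunnel ID forwarded by the Home Gateway
        return self._tunnels.get(tunnel_id) == password

    def authenticate_user(self, username: str, password: str) -> bool:
        # Steps 5-6: the full name including @VPDNdomain is what is looked up
        return self._users.get(username) == password


def split_vpdn_username(dialed_name: str) -> Tuple[str, Optional[str]]:
    """Split 'user@VPDNdomain' into (user, domain); domain is None if absent."""
    user, sep, domain = dialed_name.partition("@")
    return user, (domain if sep and domain else None)


def vpdn_session(dialed_name: str, password: str, tunnel_password: str,
                 isp_acs: IspAcs, hgw_acs: HomeGatewayAcs) -> str:
    """Run the exchange in the order the page gives and return the outcome.

    tunnel_password is the secret the ISP NAS presents for the Tunnel ID
    (the CISCO_TUNNEL entry exists on both ACSs with the same password).
    """
    _, domain = split_vpdn_username(dialed_name)
    if domain is None:
        return "rejected: no VPDNdomain suffix, no tunnel can be selected"
    info = isp_acs.lookup_domain(domain)
    if info is None:
        return f"rejected: VPDNdomain {domain} unknown at ISP ACS"
    if not hgw_acs.authenticate_tunnel(info.tunnel_id, tunnel_password):
        return f"rejected: tunnel {info.tunnel_id} to {info.home_gateway} not authenticated"
    if not hgw_acs.authenticate_user(dialed_name, password):
        return f"rejected: user {dialed_name} not authenticated by Home Gateway ACS"
    return f"connected: {dialed_name} through tunnel {info.tunnel_id} to {info.home_gateway}"


def example_setup() -> Tuple[IspAcs, HomeGatewayAcs]:
    """Constructed sample data mirroring the page's example; the Home
    Gateway address and the client password are placeholders."""
    isp = IspAcs({"CISCO": TunnelInfo("CISCO_TUNNEL", "192.0.2.1")})
    hgw = HomeGatewayAcs(tunnel_passwords={"CISCO_TUNNEL": "cisco"},
                         users={"alice@CISCO": "client-password"})
    return isp, hgw


if __name__ == "__main__":
    isp, hgw = example_setup()
    print(vpdn_session("alice@CISCO", "client-password", "cisco", isp, hgw))
    print(vpdn_session("alice", "client-password", "cisco", isp, hgw))
```

The order matters for troubleshooting: a wrong tunnel password fails before the user's credentials are ever checked, so a user-level failure reported by the Home Gateway ACS means the tunnel itself was already accepted.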
Windows NT Server Configuration (ISP)
None. Users do not need to exist in the Windows NT database unless they need to log in to the Windows NT network.
CiscoSecure ACS Configuration (ISP)
The following should be configured in the CiscoSecure ACS HTML interface for Windows NT at the ISP end of the VPDN connection.
NAS Configuration
You can configure these items in the NAS Configuration section:
Note If the first ISP NAS that clients will be dialing into was set up during the installation of the CiscoSecure ACS, all of the NAS information in this section should already be complete.
Add or edit a NAS.
Enter the name of the NAS (this is only for identification by the administrator).
Enter the IP address of the NAS.
Enter the secret shared between the NAS and CiscoSecure, called a "key".
Select TACACS+ as the security control protocol.
Under NAS Configuration, click on TACACS+ Protocol Configuration Option.
Enable the box next to PPP-VPDN and click Submit. This will display the PPP-VPDN option under Group Setup when it is time to configure that section.
User Setup
These items should be configured in User Setup:
Add a user to the CiscoSecure ACS 2.0 User Database for authentication. This username will actually be the name of the VPDNdomain, for this example use CISCO. A password is needed to submit the user but is not actually used for authentication, so enter a fictitious password. Do not configure any other parameters.
Assign the user to Group 1.
Add a second user to the CiscoSecure ACS 2.0 User Database for authentication. This username will actually be the name of the "Tunnel ID", for this example use CISCO_TUNNEL. A legitimate password is needed for this entry, enter "cisco" for this example. Do not configure any other parameters.
Assign the second user to Group 1.
Group Setup
These items should be configured in Group Setup for the group "Group 1":
Enable PPP-VPDN
Enter the Tunnel ID, which is the username CISCO_TUNNEL
Enter the IP address of the Home Gateway NAS/router
Service Configuration
These items are configured in the Service Configuration section:
Do not check the box for "Check Windows NT Database for first time dial-up clients." This will set up the CiscoSecure ACS to deny any user permission unless they have an active account in the CiscoSecure ACS 2.0 User Database.
Do not check "Grant dial-up permission."
Token Server Configuration
None.
NAS Configuration (ISP)
There are several Cisco IOS configurations for the NAS depending on many influences such as network protocols, routing, where IP addresses are defined, and which interface access control lists are defined, to name just a few. This sample configuration represents the minimum TACACS+ requirements to use VPDN for a Cisco 2509:
aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
enable vpdn
tacacs-server host <ip_address>
tacacs-server key <key>
enable secret <password>
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs
Enter this command under each interface used for dial-in access:
ppp authentication chap
Windows NT Server Configuration (Home Gateway)
None. Users do not need to exist in the Windows NT database unless they need to log in to the Windows NT network.
CiscoSecure ACS Configuration (Home Gateway)
The following should be configured in the CiscoSecure ACS HTML interface for Windows NT at the Home Gateway of the VPDN connection.
NAS Configuration
You can configure these items in the NAS Configuration section:
Note If the first Home Gateway NAS/router that clients will be dialing into was set up during the installation of CiscoSecure, all of the NAS information in this section should already be complete.
Add or edit a NAS
Enter the name of the NAS (this is only for identification by the administrator)
Enter the IP address of the NAS
Enter the secret shared between the NAS and CiscoSecure, called a "key"
Select TACACS+ as the security control protocol
User Setup
These items should be configured in User Setup:
Add a user to the CiscoSecure ACS 2.0 User Database for authentication. This username will be the one used by the client. It needs to contain the VPDNdomain as the suffix following the "@". This needs to be the same VPDNdomain name as entered at the ISP ACS (username@CISCO for this example). Enter a client password.
Assign the username@CISCO to a group. "Windows NT Users" could be used, but it is recommended to use a different group such as "Group 2."
If using ISDN, the particular ISDN Calling Line ID (CLID) can be entered in the Rem_Addr filter field to limit a user's access to only be permitted if calling from a particular location. The user definition overrides the group definition.
If a particular IP address is to be assigned to the user, enter it in the Static IP Address field.
If conditions for expiration should be set for the user, configure them here.
Add a second user to the CiscoSecure User Database for authentication. This username will actually be the same name used at the ISP as the "Tunnel ID," for this example, we will use CISCO_TUNNEL. The same legitimate password is needed for this entry. Enter cisco for this example. Do not configure any other parameters.
Assign the second user to Group 1.
Group Setup
These items should be configured in Group Setup for the Group in which the user CISCO_TUNNEL has been placed, "Group 1" for example.
No parameters need to be set for this group. CISCO_TUNNEL is only used for authentication of the tunnel.
These items should be configured in Group Setup for the Group where the user username@CISCO has been placed, "Group 2" for example.
If "Time of Day Access" is to be used, enable the feature by clicking Use as Default and highlighting with green the time/days access should be granted. Leaving this disabled grants access 24 hours/day all week long.
Enable PPP-IP if the NAS is going to support dial-up clients running IP over a PPP (async or ISDN) connections.
Enable PPP-IPX if the NAS is going to support dial-up clients running IPX over a PPP (async or ISDN) connections.
Enable and enter the "IP Pool" name defined on the NAS. If the default pool will be used or if defined at the client, leave the field blank.
If using ISDN, the particular ISDN Calling Line ID (CLID) for the entire group can be entered in the Rem_Addr filter field to limit a user's access to only be permitted if calling from locations with known CLIDs.
To enable group-level filtering, select the "Enable group level and Enforce User level filtering" check box.
Note If this option is checked and no group-level filter is defined, a user-level filter must be defined for every member of that group, or authentication fails for users without a valid filter.
Enable Shell (Exec) if Telnet sessions shall be run by the client or if the CiscoSecure ACS will also be used for router management.
Service Configuration
These items are configured in the Service Configuration section:
Do not check the box for "Check Windows NT Database for first time dial-up clients." This will set up the CiscoSecure ACS to deny any user permission unless they have an active account in the CiscoSecure ACS 2.0 User Database.
Do not check "Grant dial-up permission."
Token Server Configuration
None.
Administration Control
These items are configured in the Administration Control section:
To enable the ability to configure the CiscoSecure ACS from another workstation, either on the LAN or from a dial-in client, the user must be registered as an administrator. Enter the administrator's username and password. This username and password have no association with the dial-up authentication username and password.
NAS/Router Configuration (Home Gateway)
There are several Cisco IOS configurations for the NAS depending on many influences such as network protocols, routing, where IP addresses are defined, and which interface access control lists are defined, to name just a few. This sample configuration represents the minimum TACACS+ requirements to use VPDN for a Cisco 2509.
Enter this command under each interface used for dial-in access:
ppp authentication chap
Client Configuration
The client can be an async or ISDN client.
The client must dial into the ISP NAS with the name defined at the Home Gateway ACS, username@CISCO for this example.
Windows 95 Client
These items are configured from the Dial-Up Networking section of Windows 95. Create and configure a connection with the dial number to the NAS. Once created, right-click on the Connection icon and select properties.
Click Server Type and select:
PPP as the "Type of Dial-Up Server"
Check "Log on to Network" under Advanced options
Do not check "require encrypted password"
Check IP and/or IPX for "allowed network protocols" under "Server Types"
If using an IP pool on the NAS (not defining the IP address at the client), set TCP/IP settings to "server assigned IP Address" and "server assigned name server address"
When making a connection, enter the same username and password being used for the user account in the Windows NT User Database
Windows NT Workstation Client
Make sure:
When using Dial-up Networking with a Windows NT client, the Domain Name field must be blank before attempting to dial.
Comments
Consider the following:
This configuration (with PAP added to the Cisco IOS configuration on the NAS) can support PAP or CHAP as the authentication protocol because it is possible to store PAP and CHAP passwords in the CiscoSecure ACS 2.0 User Database.
Logging onto a Windows NT Network is a second step as single login cannot be achieved if CHAP is a requirement.