
Table of Contents

Step-by-Step Configuration for the CiscoSecure ACS
Navigation Bar
User Setup
Group Setup
Network Configuration
System Configuration
Interface Configuration
Administration Control
External User Databases
Reports and Activity
Online Documentation

Step-by-Step Configuration for the CiscoSecure ACS


This chapter describes the basic operation of each of the configuration areas of the CiscoSecure ACS 2.1 for Windows NT. It also provides additional information about each function or attribute.


Note      Your browser must be Microsoft Internet Explorer 3.02 or later or Netscape Navigator 3.0 or later, with Java and JavaScript enabled.


Before completing any of the tasks in this chapter, you must have:

Navigation Bar

The navigation bar is a column of buttons at the far left of the CiscoSecure ACS display. Each of the buttons represents a particular area or function that you can configure. Depending on your access control requirements, you might not need to configure all of the areas. This chapter has a section for each of the areas of configuration or operation with step-by-step details of the general operation. The following software features correspond to the navigation bar buttons:

The order to follow for configuration depends on your preferences and needs.

User Setup

Select User Setup to perform the following tasks:

List All Users

To view a list of all user accounts, follow these steps:


Step 1   In the navigation bar, click User Setup. The Select window opens.

Step 2   Click List All Users. A list of all existing user accounts, enabled and disabled, displays in the right window.

Step 3   (Optional) Click one user's name to view or edit the information for that individual user.

Find a User

To find a user account, follow these steps:


Step 1   In the navigation bar, click User Setup. The Select window opens.

Step 2   Enter the name in the User: field and click Find. You can use wildcard characters (*) in this field. The status (enabled or disabled) and group to which the user belongs display in the right window.

Step 3   (Optional) Click the user's name to view or edit the information for that user.

Add/Edit User Accounts

To add a user:


Step 1   In the navigation bar, click User Setup. The Select window opens.

Step 2   Enter a name in the User field.


Note Usernames must be 1 to 32 characters in length and cannot contain any of the following special characters: #~^*?,:;|"


Step 3   Click Add/Edit. The Edit window opens. The username being added or edited appears at the top of the window.

Supplementary User Information

Enter the following information for the user as applicable:


Note You must click Submit to have this action take effect.



Note This item can contain up to five user-configurable fields. See the section "Interface Configuration" for information on how to display and configure these fields.


Password Authentication

Edit or enter the following information for the user:

You can configure the NAS to offer PAP first and fall back to CHAP, so that a client that supports only PAP still authenticates. To do this, enter the following line in the NAS configuration:

ppp authentication pap chap

PAP transmits the password in cleartext over the link, whereas CHAP sends only a response derived from the challenge and the password; list pap only when some clients cannot do CHAP.

Note The Password and Confirm Password fields are required for all authentication methods except the Windows NT User Database.



Note The dial-up user must have configured software that supports callback.


User Network Access Restrictions

Network Access Restrictions lets you permit or deny a user access to a specified server or specified ports on the server. If you are using NAS access, the NAS (Telnet/Login/Exec) Access Control window displays. Select either Permitted Calling/Point of Access Locations or Denied Calling/Point of Access Locations.

If you are using dial-up, the Dial-up (PPP/ARAP) Access Control window displays. Select either Permitted Calling/Point of Access Locations or Denied Calling/Point of Access Locations.

Max Sessions

For CiscoSecure ACS purposes, a session is any type of user connection supported by RADIUS or TACACS+; for example, PPP, NAS prompt, Telnet, ARAP, and IPX/SLIP. All counts are based on user and group names only. The CiscoSecure ACS 2.1 for Windows NT does not differentiate by type of session; all sessions are counted the same. To illustrate, a user with a Max Sessions count of one who is dialed in to a NAS with a PPP session will be refused a connection if that user then tries to Telnet to a location whose access is controlled by the same ACS.


Note      Each CiscoSecure ACS server holds its own individual Max Session counts. There is no mechanism for the CiscoSecure ACS 2.1 for Windows NT to share Max Session counts across multiple servers. Thus, if two CiscoSecure ACSes are set up as a mirror pair with the workload distributed between them, they will have completely independent views of the Max Sessions totals.


If the Max Sessions area is not displayed, click Interface Configuration: Advanced Options: Max Sessions.

User Max Sessions

There are three options for User Max Sessions:

The default setting is Use Group Setting.


Note      User Max Sessions settings override Group Settings.


When the administrator sets User Max Sessions explicitly, that value is applied as is and always takes precedence over the group settings. For example, if the group Sales has a Max Sessions value of only 10, but John, a user in the group Sales, has a User Max Sessions value of Unlimited, John is still allowed an unlimited number of sessions.

Expiration

Enter the information for expiration of this user's account:

When you have finished configuring the user information, click the Cisco logo to return to the CiscoSecure ACS main menu.

Deleting User Accounts

To delete a user account from the CiscoSecure database:


Step 1   Click User Setup. The Select and Help windows of the user interface open.

Step 2   In the User field, enter the complete username to be deleted.

Step 3   Click Add/Edit.

Step 4   At the bottom of the User Setup window, click Delete.


Caution   If you are authenticating using the Unknown User policy, you must also delete the user account from the external user database. This prevents the username from being automatically re-added to the CiscoSecure user database the next time the user attempts to log in.

Advanced TACACS+ Settings

The following information applies when you have a TACACS+ NAS configured. If this field does not display, click Interface Configuration: Advanced Options: Advanced TACACS+ Settings.

TACACS+ Enable Control

Use TACACS+ Enable Control with Exec sessions to control administrative access; it is primarily used for router management. Select the maximum privilege level you want this user to have (see your NAS documentation for the meaning of privilege levels), then enter and confirm an enable control password for the user. This password is checked in addition to the regular login authentication, when the user asks the NAS for the higher privilege level.

TACACS+ Outbound Password

TACACS+ Outbound Password enables a NAS to authenticate itself to another NAS or client through outbound authentication (SENDAUTH). The outbound authentication can be PAP, CHAP, or ARAP, and it results in the CiscoSecure ACS handing a password to the NAS for that purpose. By default the user's ASCII/PAP or CHAP/ARAP password is used, which means the same secret the user logs in with is disclosed outbound. To avoid compromising the inbound password, configure a separate SENDAUTH (outbound) password. Use this feature only if you are familiar with the TACACS+ SendAuth/outbound password mechanism.

Group Setup

Click Group Setup to perform the following tasks:

List Users in Group

To list all users in a specified group:


Step 1   Click Group Setup. The Select and Help windows open.

Step 2   From the drop-down menu, select the group to list.

Step 3   Click Users in Group. The User List and the Edit windows open. You can view, modify, or delete a user by clicking on the user's name in the list.

Edit Group Settings

To assign or edit a group's authorization and authentication settings, follow these steps:


Note      Depending on the features that are enabled in the Interface Configuration: Advanced Settings window, Quick Link buttons will appear at the top of the Group Setup window. Click the applicable button to go directly to the appropriate location.



Step 1   Click Group Setup. The Select window opens.

Step 2   In the drop-down list, select the applicable group.

Step 3   Click Edit Settings. The Edit window opens.

Step 4   Complete the Group Setup section.

Before you configure Group Setup it is important to understand how this window functions. Group Setup is dynamically built depending on the configuration of your NAS and the security protocols being used. There are six basic sections to Group Setup:

1. General information that applies to both TACACS+ and all instances of RADIUS

2. Token Card Information

3. TACACS+

4. RADIUS (IETF)

5. RADIUS (Cisco Vendor Specific Attribute)

6. RADIUS (Ascend)

The General Information is always displayed. Token card information is displayed if a token card external user database is configured. The combination of TACACS+ and RADIUS sections that are displayed depends on how your access server is configured. If one NAS is configured within CiscoSecure and is running TACACS+, only the following subsections are displayed:

If a second NAS is using RADIUS (IETF), the following subsections are displayed:


Note      When RADIUS (Cisco) or RADIUS (Ascend) is selected for a NAS, RADIUS (IETF) attributes are available because they are the base set of attributes used to configure the first 74 attributes for all RADIUS vendors.


The content of these subsections is dynamic. Only the attributes selected from the Interface Configuration: TACACS+ (Cisco) or RADIUS (IETF) section are displayed. This allows you to select and display only those attributes you want. You can change what is displayed in each of the subsections by selecting a security protocol from the Protocol Configuration Options in the NAS Configuration window.

Network Access Restrictions

Network Access Restrictions provide an automated method of making access control decisions on the following:

Follow these steps to permit or deny a group access to a specified server or specified ports on the server based on a definable filter.


Step 1   From the NAS (Telnet/Login/Exec) Access Control drop-down box, select either Permitted Calling/Point of Access Locations or Denied Calling/Point of Access Locations.

Step 2   From the Dial-Up (PPP/ARAP) Access Control drop-down box, select either Permitted Calling/Point of Access Locations or Denied Calling/Point of Access Locations.

Group Max Sessions

Group Max Sessions configuration is split in two. The first section is for the group level settings:

The second is for users within the group Settings for Users of this Group:


Note      The default setting for Group Max Sessions is Infinite (disabled) for both the group and the user within the group.
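The Max Sessions precedence rules from the User Max Sessions section and the group-level settings above, as an added example (not CiscoSecure ACS code). Setting names follow the page; the class and function names, and the per-server session table, are assumptions made for this illustration:

```python
# Added example, not CiscoSecure ACS code: a model of the Max Sessions rules
# described in the User Max Sessions and Group Max Sessions sections above.
# Setting names follow the page; class and function names are assumptions.
from dataclasses import dataclass, field

UNLIMITED = None          # "Unlimited" for a user, "Infinite (disabled)" for a group
USE_GROUP = "use_group"   # the default User Max Sessions value, "Use Group Setting"


@dataclass
class GroupSessionPolicy:
    group_total: object = UNLIMITED   # sessions allowed for the whole group
    per_user: object = UNLIMITED      # "Settings for Users of this Group"


@dataclass
class SessionTable:
    """Active sessions as seen by ONE CiscoSecure ACS server. ACS 2.1 never
    shares this table, so a mirror pair keeps two independent counts."""
    by_user: dict = field(default_factory=dict)
    by_group: dict = field(default_factory=dict)

    def start(self, user, group):
        # PPP, Telnet, ARAP, ... are all counted alike, by name only.
        self.by_user[user] = self.by_user.get(user, 0) + 1
        self.by_group[group] = self.by_group.get(group, 0) + 1


def admit(user, group, user_setting, policy, table):
    """Return True if one more session may start for user in group.
    A User Max Sessions value set explicitly by the administrator overrides
    the group settings entirely, as the page's John/Sales example states."""
    active_user = table.by_user.get(user, 0)
    if user_setting != USE_GROUP:
        return user_setting is UNLIMITED or active_user < user_setting
    if policy.per_user is not UNLIMITED and active_user >= policy.per_user:
        return False
    if policy.group_total is not UNLIMITED and table.by_group.get(group, 0) >= policy.group_total:
        return False
    return True
```

Two things the model makes visible: a user whose setting is Use Group Setting is refused a Telnet session while a PPP session is up if the group allows one session per user, and a second ACS server with its own table admits the same user again, which is why a mirror pair cannot enforce a global limit.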


Token Card Information

Token Card Caching—Click this check box to allow the token to be cached. This lets a user bring up a second B channel without entering a second one-time password (OTP). You can configure token caching on a per-session basis or for a specified duration. Keep that duration as short as the multilink setup requires: for as long as the cached OTP is accepted, it is no longer one-time.

TACACS+

These parameters are displayed only if the NAS has been configured to use TACACS+. The default service-protocol settings displayed for TACACS+ are:

To display or hide additional services or protocols, click Interface Configuration: TACACS+ (Cisco).

Select the services and protocols to be authorized for the Group by checking the box next to the protocol-service. Below each service-protocol, select the attributes to further define the authorization for that protocol-service. In the case of access control lists (ACLs) and IP address pools, the name of the ACL or pool as defined on the NAS should be entered. (An ACL is a list of Cisco IOS commands used to restrict access to or from other devices and users on the network.) Leave blank if the default (as defined on the NAS) should be used. More information about attributes can be found in the appendix of this document or your NAS documentation.


Note      You can define and download an ACL. Click Interface Configuration: TACACS+ (Cisco) and click Display a Window for each service selected in which you can enter customized TACACS+ options. A box opens under each service-protocol allowing you to define an Access Control List.


When configuring Shell (Exec), you can define the Cisco IOS commands and arguments to be permitted or denied. Click the box to enable the command, enter the name of the command, define its arguments using standard permit or deny syntax, and define whether Unlisted Arguments are to be permitted or denied. You can enter any number of commands. To add fields, submit the changes for the first commands and reenter Group Setup. The submitted commands appear and additional fields become available.
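How a NAS's TACACS+ command authorization request is decided against a command set like the one configured here, as an added example (not CiscoSecure ACS or Cisco IOS code). The data layout, the first-match evaluation order and the NOC_RULESET sample are assumptions made for this example:

```python
# Added example, not CiscoSecure ACS or Cisco IOS code: evaluates a TACACS+
# shell (exec) command authorization request against a per-group command set
# laid out like the one configured above (command, permit/deny argument lines,
# Unlisted Arguments policy). The data layout, first-match evaluation order and
# the NOC_RULESET sample are assumptions made for this example.
import re
from dataclasses import dataclass, field

PERMIT, DENY = "permit", "deny"


@dataclass
class CommandRule:
    command: str                                    # IOS command, e.g. "show"
    arguments: list = field(default_factory=list)   # [(PERMIT|DENY, regex), ...]
    unlisted_arguments: str = DENY                  # arguments matching no line


def authorize_command(ruleset, cmd, args):
    """Return (decision, reason) for the command and argument string the NAS
    sends. Commands absent from the group's set are denied outright; the first
    argument line that matches decides, so place deny lines before a broad
    permit. Patterns are regexes and match anywhere unless you anchor them."""
    rule = ruleset.get(cmd)
    if rule is None:
        return DENY, f"command {cmd!r} is not in the group's command set"
    for action, pattern in rule.arguments:
        if re.search(pattern, args):
            return action, f"matched {action} {pattern!r}"
    return rule.unlisted_arguments, "no argument line matched (Unlisted Arguments)"


# Constructed sample: operators may run any show command except the running
# configuration, and may clear counters but nothing else.
NOC_RULESET = {
    "show": CommandRule("show", [(DENY, r"^running-config"), (PERMIT, r".*")], DENY),
    "clear": CommandRule("clear", [(PERMIT, r"^counters")], DENY),
}
```

Anchor the deny patterns: an unanchored deny running-config would also block show interfaces with a description containing that word, while an unanchored permit counters would let clear through for any argument string that merely contains it. IOS sends the expanded command name and arguments in the authorization request, so match the full form, not the abbreviation the operator typed.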

RADIUS (IETF)

These parameters are displayed only when the NAS has been configured to use RADIUS (IETF). Table 8-1 gives the default attribute settings for IETF RADIUS:

Table 8-1   Default Attribute Settings for IETF RADIUS

Service-Type

Framed-Protocol

Framed-IP-Address

Framed-IP-Network

Framed-Routing

Filter-Id

Framed-MTU

Framed-Compression

Login-IP-Host

Login-Service

Login-TCP-Port

Reply-Message

Callback-Number

Callback-Id

Framed-Route

Framed-IPX-Network

State

Class

Session-Timeout

Idle-Timeout

Proxy-State

Login-LAT-Service

Login-LAT-Node

Login-LAT-Group

Framed-AppleTalk-Link

Framed-AppleTalk-Network

Framed-AppleTalk-Zone

Port-Limit

Login-LAT-Port


Note      RADIUS attributes are sent as a profile for each user from the CiscoSecure ACS to the requesting NAS. To display or hide any of these attributes, see the section "TACACS+ or RADIUS Protocol Configuration Options."


Select the attributes to be authorized for the Group by checking the box next to the attribute, then define the authorization for the attribute in the field next to it. More information about attributes can be found in the appendix of this document or your NAS documentation.

RADIUS (Cisco)

The RADIUS (IETF) and RADIUS (Cisco) parameters are displayed only if a NAS has been configured to use RADIUS (Cisco). RADIUS (Cisco) represents the Cisco Vendor Specific Attribute (VSA), carried in IETF attribute number 26. Therefore, when configuring RADIUS (Cisco), both the IETF attributes and the Cisco VSA apply. The default attribute displayed for RADIUS (Cisco) is the Cisco VSA, which is packed as a RADIUS VSA (attribute number 26 with Cisco's Vendor ID of 9).


Note      To hide or display additional IETF attributes, see "TACACS+ or RADIUS Protocol Configuration Options."



Step 1   For the IETF attributes, select the attributes to be authorized for the Group by checking the box next to the attribute. Be sure to further define the authorization for the attribute in the field next to it. More information about attributes can be found in the appendix of this document, or your NAS documentation.

Step 2   For the Cisco VSA, enter the commands (such as TACACS+ commands) to be packed as a RADIUS VSA.


Note      The RADIUS (IETF) attributes are shared among the different RADIUS vendors. You must configure the first 74 RADIUS attributes using the RADIUS (IETF) dictionary.
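What "packed as a RADIUS VSA (attribute number 26 using Cisco's Vendor ID of 9)" looks like on the wire, as an added example (not CiscoSecure ACS or Cisco IOS code). That cisco-avpair is Cisco vendor type 1 comes from Cisco's published RADIUS dictionary, not from this page; the AV pair strings and the sample packets are constructed:

```python
# Added example, not CiscoSecure ACS or Cisco IOS code: packs a Cisco AV pair
# into the RADIUS Vendor-Specific attribute (IETF attribute 26, Vendor-Id 9)
# described above and parses it back with length checks. That cisco-avpair is
# Cisco vendor type 1 comes from Cisco's published RADIUS dictionary, not from
# this page; the AV pair strings in the sample are constructed.
import struct

RADIUS_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1


def pack_cisco_avpair(value: str) -> bytes:
    """One Vendor-Specific attribute carrying a single cisco-avpair string.
    Layout: Type(1) Length(1) Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) data."""
    data = value.encode("ascii")
    length = 2 + 4 + 2 + len(data)
    if length > 255:
        raise ValueError("RADIUS attribute Length is one byte; value too long")
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, length, CISCO_VENDOR_ID) + vendor_part


def parse_vsas(attrs: bytes):
    """Walk a RADIUS attribute list and return (vendor_id, vendor_type, value)
    for each sub-attribute of each Vendor-Specific attribute. Every length
    field is checked against the bytes actually present, so a truncated or
    lying packet raises ValueError instead of being misread."""
    out, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        if atype == RADIUS_VENDOR_SPECIFIC:
            if alen < 6:
                raise ValueError("VSA too short to hold a Vendor-Id")
            vendor_id = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
            sub, spos = attrs[pos + 6:pos + alen], 0
            while spos < len(sub):
                if spos + 2 > len(sub):
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = sub[spos], sub[spos + 1]
                if vlen < 2 or spos + vlen > len(sub):
                    raise ValueError("bad vendor sub-attribute length")
                out.append((vendor_id, vtype, sub[spos + 2:spos + vlen]))
                spos += vlen
        pos += alen
    return out


def cisco_avpairs(attrs: bytes):
    """The cisco-avpair strings (e.g. 'shell:priv-lvl=15') in an attribute list."""
    return [v.decode("ascii") for vid, vt, v in parse_vsas(attrs)
            if vid == CISCO_VENDOR_ID and vt == CISCO_AVPAIR]
```

The outer Length and the inner Vendor-Length are both one byte and both set by the sender, so a parser on either side must check each against the bytes actually received before slicing; the example raises on both a truncated packet and an inner length that overruns the attribute.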


RADIUS (Ascend)

The RADIUS (IETF) and RADIUS (Ascend) parameters are displayed only if a NAS has been configured to use RADIUS (Ascend). RADIUS (Ascend) represents the Ascend proprietary attributes. Therefore, when configuring RADIUS (Ascend), both IETF and Ascend apply (proprietary attributes override IETF when conflicting).

The default attribute displayed for RADIUS (Ascend) is Ascend-Remote-Addr.

To display additional IETF attributes, or to hide any of them, see "TACACS+ or RADIUS Protocol Configuration Options."


Step 1   For the IETF attributes, select which attributes should be authorized for the Group by checking the box next to the attribute. Be sure to further define the authorization for that attribute in the field next to it. More information about attributes can be found in the appendix of this document or your NAS documentation.

Step 2   For the Ascend attributes, select which attributes that should be authorized for the Group by checking the box next to the attribute. Be sure to further define the authorization for that attribute in the field next to it. More information about attributes can be found in the appendix of this document or your NAS documentation.


Note The RADIUS (IETF) attributes are shared among the different RADIUS vendors. You must configure the first 74 RADIUS attributes using the RADIUS (IETF) dictionary.


Step 3   Click Submit + Restart. The group attributes are applied and services are restarted. The Edit window opens. (Click Submit if you want to save your changes and apply them later by restarting the services.)


Note Restarting the service clears the Logged-in User Report and temporarily interrupts all of the CiscoSecure ACS services. This will affect the Max Sessions counter.


Step 4   Verify that your changes were applied: select the group, click Edit Settings, and review the settings.

Renaming a Group

To rename a group, follow these steps:


Step 1   Click Group Setup. The Select window opens.

Step 2   Select a group from the drop-down list.

Step 3   Click Rename Group.

Step 4   Enter the new name in the Group field.

Step 5   Click Rename Group. The Select window opens with the new group name selected.


Note      The group remains in the same position in the list box. The number value of the group is still associated with this group name. Some utilities, such as the database import utility, use the numeric value associated with the group.


Network Configuration

The NAS you use with the CiscoSecure ACS must be configured and active on the network. To configure the NAS, follow these steps:


Step 1   Click Network Configuration.

Step 2   Click Add New Access Server.

Step 3   Enter the Access Server Hostname.

Step 4   Enter the Access Server IP address.

Step 5   Enter the Key value (the secret shared between the NAS and CiscoSecure). It must be identical to the key configured on the NAS; use a long, random value and do not reuse it across access servers.

Step 6   Select a security protocol from the Authenticate Using drop-down list.

Step 7   Select single TCP connection to configure CiscoSecure ACS to use this feature if it is configured on the NAS.

Step 8   Click Submit + Restart.


Note Restarting the service clears the Logged-in User Report and temporarily interrupts all of the CiscoSecure ACS services. This will affect the Max Sessions counter.


You can also configure specific security protocol attributes to be used by CiscoSecure. Click the button for the specific protocol you want to configure. A list of attributes appears.

Attributes marked with an asterisk (*) are configured on the NAS and cannot be changed from the CiscoSecure user interface. Attributes with a check box to the left can be enabled by checking the box or disabled by clearing the box.


Note      You must select attributes from these lists before they are available for use in User Setup or Group Setup. The RADIUS (IETF) attributes are shared among all the RADIUS vendors. You must configure the first 74 RADIUS attributes from RADIUS (IETF).


Edit Network Configuration

To edit the configuration of a NAS that is listed in the Select window, follow these steps:


Step 1   Click Network Configuration. The Select window opens. Existing NASes are listed under Access Server Setup.

Step 2   Click the name of the NAS to edit. The Edit window opens.

Step 3   Change the following information as applicable:

Step 4   Select single TCP connection to configure CiscoSecure ACS to use this feature if it is configured on the NAS.

Step 5   To immediately apply the changes, click Submit + Restart; to restart the services and apply the changes later, click Submit.


Note Restarting the service clears the Logged-in User Report and temporarily interrupts all of the CiscoSecure ACS services. This will affect the Max Sessions counter.


For more information on Network Configuration, see the chapter "Distributed Systems."

System Configuration

To edit your current CiscoSecure configuration, click System Configuration. The Select window opens. Select one of the following:


Note      If CiscoSecure Database Replication or RDBMS Synchronization is not displayed, click Interface Configuration: Advanced Options and enable both the feature you want and Distributed System Settings.


Service Control

To restart or stop services, click Service Control. Click one of the following:

To set the files to which start/stop events are logged, click Logging.

Logging

Remote Logging allows accounting information to be sent to one central location. Click one of the following options:


Note This field does not have the same function as Send Accounting Information: Local/Remote. Click Network Configuration and add or edit a distribution table to view information on sending accounting packets to the local or remote AAA server.


CiscoSecure Database Replication

Database replication lets you enable and schedule the method and times that the CiscoSecure ACS database is replicated by sending or receiving information from another CiscoSecure ACS database.


Note If this time is set too low, replication might be incomplete; if it is set too high, replication might interfere with users' ability to authenticate if usernames are added frequently.


For more information on Database Replication, see the chapters "Database Information Management" and "Distributed Systems."

RDBMS Synchronization

You can propagate changes from user and group setup information to other databases using RDBMS Synchronization.

For more information on RDBMS Synchronization, see the chapters "Database Information Management" and "Distributed Systems."

Interface Configuration

The Interface Configuration window lets you display or hide fields in the other parts of the HTML user interface. The information for hidden fields will still be stored in the CiscoSecure ACS, but you will not be able to see them unless you check the item here. This allows you to hide unused fields and view a clearer interface. You can configure the following items from the Interface Configuration window:

User Data Configuration

You can define up to five fields to contain information that you want to view for each user. The fields you define in this section will appear in the Supplementary User Information section at the top of the User Setup window. To define the fields, click Display and enter a Field Name in each applicable box.

TACACS+ or RADIUS Protocol Configuration Options

These fields display only if you have configured a NAS with the applicable protocol. This lets you select the AV pairs you want to appear as a configurable option in the Group Setup window. Click the applicable option and click Submit. See the section "Group Setup" for more information on these fields.

Advanced Options

Click the check boxes of the items you want to have displayed in the applicable area of the GUI; clear the check boxes of the items you want to hide.

Administration Control

You can administer CiscoSecure from any workstation in the network as long as the workstation is running a compatible browser. See the section "System Requirements" in the chapter "Overview" for a list of compatible browsers. The address to enter in the remote administrator's browser is http://<Windows NT server IP address>:2002. Port 2002 is only the initial contact port; after the administrator logs in, the session is moved to a dynamically assigned port. The administration traffic is plain HTTP, so the administrator name and password cross the network unprotected; limit which hosts can reach the administration port.

Remote administrators can use a firewall-protected dial-in connection, but this is not recommended or supported. Leaving a port open for remote administration could compromise network security.


Note      You must enable the Java functions on your browser.


Adding a Remote Administrator

To enable remote administration from a workstation or remote client:


Step 1   Click Administration Control from the navigation bar.

Step 2   Click Add new administrator.

    (a). Administrator Name—User identification for the administrator to log into CiscoSecure

    (b). Password—Password used by the administrator to log in

    (c). Confirm Password—Confirmation of the administrator password


Note This password is for a remote administrator to access the CiscoSecure interface. It has no connection with the user passwords for authentication, authorization, and accounting (AAA) services.


Step 3   Click Submit to save these changes and stop and start the appropriate services.

Session Policy

An administrative login can be terminated by setting the idle timeout. This parameter applies to the browser session only. It does not apply to the dial-in session. The browser connection with CiscoSecure is terminated if there is no activity for the specified period of time.

When the Allow Automatic Local Login check box is checked, a browser that connects to the CSAdmin server from the local machine goes directly to the CiscoSecure ACS welcome screen without the administrator having to enter a valid administrator name and password.

If this check box is cleared and the form is submitted, the browser is sent a page that requires the user to log in using a valid administration name and password. The user cannot progress to the welcome screen until a valid administrator name and password pair is supplied.


Note If there are no administrator accounts defined on the CSAdmin server, the browser always goes to the welcome page, no matter what the state of the Allow Automatic Local Login check box. This prevents a situation in which the local browser is locked out of the CSAdmin server because there are no administrator accounts.


The preferred way to end a remote browser session or a local browser session where login is required (the Allow Auto Local Login check box is clear) is to click Logout at the top right corner of any of the title bars, or to go back to the welcome screen by clicking the CiscoSecure logo and then clicking Logout. This releases the administration session in the server and closes any back door left open on the session's port. When you have logged out this way, you can close the browser or leave it running, as required.

Access Policy

The following items can be configured for the Access Policy:

Edit Administrator Configuration

You can change an administrator's password or delete an existing administrator.

Changing an Administrator Password

To change a password:


Step 1   Click Administration Control. The Select window opens.

Step 2   Click an existing administrator name in the list. The Edit window opens.

Step 3   Enter a new password for the selected administrator. You must enter the password twice for confirmation.

Step 4   Click Submit to update the password now.

Deleting an Administrator

To delete an administrator:


Step 1   Click Administration Control. The Select window opens.

Step 2   Click an existing administrator name in the list. The Edit window opens.

Step 3   Click Delete. A delete confirmation window opens.

Step 4   Click OK to delete the selected administrator.

External User Databases

Click External User Databases to configure the following features:

For more information on External User Databases, see the chapter "User Databases."

Unknown User Policy

In CiscoSecure ACS, an unknown user is defined as one for whom no account has been created within the CiscoSecure ACS database.

To specify how the CiscoSecure ACS should handle users who are not in the CiscoSecure ACS database, follow these steps:


Step 1   In the navigation bar, click External User Databases.

Step 2   Click Unknown User Policy.

Step 3   In the Configure Unknown User Policy window, click one of the following:

Step 4   Click Submit.

For more information on Unknown User Policy, see the chapter "Sophisticated Unknown User Handling."

Network Access Authorization

While the Unknown User Policy allows authentication requests to be forwarded to external user databases, all responsibility for the authorization parameters provided to the NAS remains with CiscoSecure ACS. The external user database simply authenticates the user; CiscoSecure ACS then supplies the authorization information that is sent to the NAS in the RADIUS or TACACS+ response packet (see Database Group Mappings below).

Database Group Mappings

The Database Group Mappings window lets you map an authentication/authorization group profile to each external user database. Because the only data items common to the CiscoSecure ACS database and a third-party database are the username and password, external user databases can be used only for authentication.

The CiscoSecure ACS supports group-access profiles for external user database mapping so that you can specify a different access profile for each external user database. Because it is a native Windows NT application, the CiscoSecure ACS provides even finer control of group access profile mapping when Windows NT is used as an external user database. Through the Windows NT API calls, the CiscoSecure ACS can obtain a substantial amount of data about each user, including the user's Windows NT domain and, within that domain, the groups to which the user belongs. The CiscoSecure ACS therefore lets you map group access profiles to Windows NT domains or to groups within domains.

For more information on external user databases, see the chapter "Sophisticated Unknown User Handling."

OTP Database Authentication Group Mappings

To specify a token card database mapping for a group, follow these steps:


Step 1   In the navigation bar, click External User Databases.

Step 2   Click Database Group Mappings.

Step 3   Click the name of the external user database to be used:

Step 4   Click the number of the group to be authenticated using this source. For example, Group 0 (x users) where x is the number of users assigned to the group. See the section "Group Setup" for more information.

Step 5   Click Submit.

Windows NT Database Authentication Group Mappings

To map a group to the Windows NT database, follow these steps:


Step 1   In the navigation bar, click External User Databases.

Step 2   Click Database Group Mappings.

Step 3   Click Windows NT to authenticate a user from an existing entry in the Windows NT user database located on the same machine as the CiscoSecure server. There is also an entry in the CiscoSecure ACS database used for other CiscoSecure ACS services. A window with a list of domain configurations opens.

Step 4   Click New Configuration to add a domain or click the name of the domain to configure.

Step 5   If you are adding a domain configuration, do one of the following:

You can use this field to enter a domain you know is trusted, even though one has not been returned on the display. When you reboot a Windows NT server, there are a few minutes of delay during which the browser "warms up." Asking for all trusts at this time might not return the entire list correctly.

Additionally, if a trusted host is down, its name will not display, so you will not be able to add group mappings for it. The Domain field allows you to manually enter the name of an unlisted trusted domain. See your Microsoft documentation for more information on Trust Relationships.

Step 6   Click Submit. The service restarts and the Domain Configurations window opens. The name of the new configuration is listed.

Step 7   To edit an existing configuration, click its name in the Domain Configurations window. The Mappings for Domain: domainname window opens where domainname is the name of the configuration you are editing.

Step 8   Click Add Mapping. The Create New Mapping for Domain domainname window opens.

Step 9   In the CiscoSecure group scroll box, click the name of the group to which you want to map this configuration; for example, Group 0. See the section "Group Setup" for information on renaming a group.

Step 10   Click Submit.

Step 11   The Mappings for Domain: domainname window opens again, this time listing the mapping you just created.

Editing Domain Mappings

To edit the mapping for a domain, follow these steps:


Step 1   In the navigation bar, click External User Databases.

Step 2   Click Database Group Mappings.

Step 3   Click Windows NT. The Domain Configurations window opens.

Step 4   To edit a domain, click the name of the domain you want to edit. The Mappings for Domain domainname window opens. This window displays a list of the NT groups you have configured for this domain and the CiscoSecure group to which each is mapped.

    (a). To edit the mapping, click the name of the Windows NT group to be edited. The Edit mapping for Domain domainname window opens.

    (b). In the CiscoSecure group scroll box, click the name of the group to which this NT group should be mapped, then click Submit.

Step 5   To add a new mapping, click Add mapping. The Create New Mapping for Domain: domainname window opens. In the CiscoSecure group: scroll box, select the CiscoSecure group to which this Windows NT domain should be mapped; for example, Group 1. If you do not want to assign this mapping to a group, you can leave this scroll box set to the default, <No Access>.

Step 6   In the Define Windows NT group set, Windows NT Groups scroll box, click the name of the NT group you want to assign to this mapping.

Step 7   Click the -> (right arrow) button to move your selection into the Selected column.

Step 8   When you have finished selecting all the groups you want, click Submit. The Mappings for Domain domainname window opens again with the new group mapping listed.

Deleting a Domain Mapping Configuration

To delete an existing mapping configuration, follow these steps:


Step 1   In the navigation bar, click External User Databases.

Step 2   Click Database Group Mappings.

Step 3   Click Windows NT. The Domain Configurations window opens.

Step 4   Click the name of the configuration to delete. The Mappings for Domain: domainname window opens (where domainname is the name of the configuration to delete).

Step 5   Click Delete Configuration.

Step 6   Click Submit.

Database Configuration

To install CiscoSecure ACS support for any of the remote authentication sources, follow these steps:


Step 1   Click External User Databases.

Step 2   Click Database Configuration. The External User Databases window opens.

Step 3   Click one of the following types of authentication to be used:

For the CiscoSecure ACS to interact with an external user database, two components are required: a source-specific CiscoSecure ACS DLL and the third-party authentication source API with which that DLL communicates. However, for Windows NT and NDS authentication, the program interface for the external authentication is local to the CiscoSecure ACS system and is provided by the local operating system. In these cases, no further components are required. To communicate with each of the OTP servers, you must have the software components provided by the OTP vendors installed, in addition to the CiscoSecure ACS components. You must also specify in User Setup that a token card server is to be used.


Note      If you select one of the token card servers but token card support is disabled, you must restart the CSAdmin service to reload the token card DLL.


Step 4   The Database Configuration window opens. To delete a configuration, click Delete. To set up a configuration, click Configure.

CRYPTOCard Token Card Configuration

If you selected CRYPTOCard, enter the following information:

Click Submit.

Safe Word Token Card Configuration

If you selected Safe Word, enter the following information:

Click Submit.

AXENT Token Card Configuration

If you selected AXENT, enter the following information:

Click Submit.

SDI SecurID Token Card Configuration

If you selected SDI, follow these steps:


Step 1   Before you start:

Step 2   Run the Setup program of the ACE Client software (following the setup instructions). Do not restart your Windows NT server when installation is complete.

Step 3   Locate the ACE Server data directory, for example /sdi/ace/data.

Step 4   Get the file named sdconf.rec and place it in your Windows NT system directory, %SystemRoot%\system32 (for example, \winnt\system32).

Step 5   Make sure the ACE server host machine name is in the Windows NT local hosts file:

\winnt\system32\drivers\etc\hosts

Step 6   Restart your Windows NT server.

Step 7   Verify connectivity by running the Test Authentication function of your ACE client application. You can run this from the Control Panel.
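Before running Test Authentication, it is worth confirming that Steps 4 and 5 actually took effect. The following is an added example (not Cisco's or SDI's code) that checks for sdconf.rec in the system32 directory and parses the hosts file for the ACE server name, handling comments and alias columns; the directory layout, the host name aceserver and the hosts-file contents are constructed for the demo.

```python
"""Pre-flight checks for the SDI ACE client setup described above (added example)."""
import os
import tempfile

# Constructed sample hosts file; addresses are from the documentation range 192.0.2.0/24.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
192.0.2.10      aceserver   aceserver.example.test   # SDI ACE/Server (assumed name)
192.0.2.11      nas1
"""

def parse_hosts(text):
    """Return {hostname_lower: ip} from hosts-file text.

    Handles whole-line and trailing '#' comments, blank lines and several
    aliases on one line; the first address seen for a name wins."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no host name cannot satisfy Step 5
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.setdefault(name.lower(), ip)
    return entries

def check_ace_client(system32_dir, hosts_path, ace_host):
    """Report whether sdconf.rec is in place and whether ace_host resolves via hosts."""
    results = {
        "sdconf_present": os.path.isfile(os.path.join(system32_dir, "sdconf.rec")),
        "ace_host_in_hosts": False,
        "ace_host_ip": None,
    }
    if os.path.isfile(hosts_path):
        with open(hosts_path, encoding="ascii", errors="replace") as fh:
            ip = parse_hosts(fh.read()).get(ace_host.lower())
        results["ace_host_in_hosts"] = ip is not None
        results["ace_host_ip"] = ip
    return results

def demo():
    """Build a throwaway system32 tree with the sample files, then run the checks."""
    with tempfile.TemporaryDirectory() as root:
        system32 = os.path.join(root, "system32")
        os.makedirs(os.path.join(system32, "drivers", "etc"))
        open(os.path.join(system32, "sdconf.rec"), "wb").close()  # empty placeholder, not a real record
        hosts_path = os.path.join(system32, "drivers", "etc", "hosts")
        with open(hosts_path, "w") as fh:
            fh.write(SAMPLE_HOSTS)
        return check_ace_client(system32, hosts_path, "ACESERVER")

if __name__ == "__main__":
    print(demo())
```

On a real server, point check_ace_client at %SystemRoot%\system32 and %SystemRoot%\system32\drivers\etc\hosts instead of the temporary tree.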

NDS Database Authentication Configuration

If you selected NDS Server Support, follow these steps:


Step 1   See your Novell NetWare administrator to get the names and other information on the Tree, Container, and Context.

Step 2   Click NDS Server Support.

Step 3   Enter a name for the configuration. This is for information purposes only.

Step 4   Enter the Tree name.

Step 5   Enter the full Context List, separated by dots (.). You can enter more than one context list. If you do, separate them with a comma and space. For example, if your Organization is Corporation, your Organization Name is Chicago, and you want to enter two Context names, Marketing and Engineering, you would enter:

Engineering.Chicago.Corporation, Marketing.Chicago.Corporation

You do not need to add users in the Context List.

Step 6   Click Submit. Changes take effect immediately; you do not need to restart the CiscoSecure ACS.


Caution   If you click Delete, your NDS database will be deleted.

Windows NT Configuration

If you did not already do so during installation, you can enable your CiscoSecure ACS to grant dial-in permission to users. Follow these steps:


Step 1   In the navigation bar, click External User Databases.

Step 2   Click Database Configuration.

Step 3   Click Windows NT.

Step 4   Click Configure.

Step 5   Check the Grant dialin permission to user check box.

Step 6   Click Submit.


Note      Your Windows NT server must also be configured to grant dial-in permission to the user. See your Microsoft documentation for more information.


Reports and Activity

Click Reports & Activity in the navigation bar to view reports. The Reports window opens. Select one of the following types of reports to view:

When you select Logged-in Users or Disabled Accounts, a list of these users or accounts appears in the window on the right of the display. For all other types of reports, a list of applicable reports opens in the window on the right of the display. The reports are named and listed by the date on which they were created; for example, 1997-12-04.csv was created on December 4, 1997. You can import these files into most database and spreadsheet applications.

Online Documentation

The online documentation provides more detailed information about the configuration, operation, and concepts of CiscoSecure.


Step 1   Click Online Documentation.

The Table of Contents opens in the left window.

Step 2   Click the applicable topic. The online documentation window opens.

Step 3   To print the online documentation, click in the right window, then click Print in your browser's navigation bar.


Note      Click Section Information in any "Quick Help..." window to view the online user guide.



Posted: Tue Jan 21 03:47:44 PST 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.