
Table of Contents

Interface Design
CiscoSecure ACS Web-Based Interface
Interface Configuration

Interface Design


The CiscoSecure ACS interface is designed to be viewed using Microsoft Internet Explorer 3.02 or later, Netscape Navigator 3.0 or later, and Netscape Communicator. Earlier versions of Explorer and Navigator do not support the frame technology used by the CiscoSecure ACS interface.

The design primarily uses HTML with some Java functions that contribute to ease of use. These design decisions keep the responsiveness of the interface high and the interface straightforward. Because of this, it is necessary to configure the browser to support Java.

The web-based interface not only makes viewing and editing user and group information possible, it also allows you to restart the service, add remote administrators, change NAS information, and view reports from anywhere on the network. These reports track connection activity, show which users are currently logged in, and list the failed authentication and authorization attempts.

To access the CiscoSecure ACS web-based interface, enter one of the following uniform resource locators (URLs) on the address line of a browser:

From the browser at the server on which the CiscoSecure ACS is installed:

From a browser on a remote workstation:


Note      To access the interface remotely from a machine other than the local Windows NT Server, you must first configure an administrator's username and password in the Administration Control window of the CiscoSecure ACS user interface.


CiscoSecure ACS Web-Based Interface

After the CiscoSecure ACS has been installed, you configure and manage it through the web-based HTML interface. The user interface is designed using frames, so you must view it with either Microsoft Internet Explorer 3.02 or later, Netscape Navigator 3.0.1 or later, or Netscape Communicator. The user interface allows you to easily modify the authentication and authorization parameters of any user or group in the CiscoSecure ACS from any connection on your LAN or WAN.

You can configure and perform almost all functions for the CiscoSecure ACS through the user interface, including:

The user interface displays a help screen of specific information. If more extensive information is needed, click Section Information to see the related point in the online documentation.

To access the CiscoSecure ACS GUI, enter one of the following addresses on the address line of your browser:

From the Windows NT Server:

From a browser on a remote workstation connected to your network:


Note      To connect to the CiscoSecure ACS user interface from a LAN or dialup connection, you must have a username and password entered in the CiscoSecure Administration Control window.


You can configure the CiscoSecure ACS 2.1 for Windows NT user interface to display or hide the options of your choice. See the section "Interface Configuration" in the chapter "Step-by-Step Configuration for the CiscoSecure ACS" for instructions.

Screen Layout

The layout of the screens is broken down into three vertical sections.


Note      At the bottom of each section, a submit button is positioned to accept the changes defined in that area. If the submit button is not selected, the changes are not kept.


Interface Methodology

The overriding methodology of the interface is centered on ease of use. The intricate concepts of network security are presented from a user-centered perspective. This section describes implicit and explicit relationships among the different components that comprise network security.

User-to-Group Relationship

A user belongs to one group. Some parameters are configurable at the user level, such as static IP address, password, and expiration. However, most of the TACACS+ and RADIUS attributes are configured at the group level. This methodology was adopted for two reasons. First is performance. To maximize performance (transactions per second), user and group information should be cached in RAM. To prevent the product requirements of RAM from being unreasonable, storage of every possible user attribute is not optimal. Second, configuring every parameter at the user level also does not scale when there are a large number of users in the database. Therefore, the CiscoSecure ACS makes available typical user-configurable parameters at the user level, and the remainder at the group level. This balances scalability and performance with user-configurable granularity. A user who has an atypical configuration requirement can also be the sole member of a group with unique settings.

Display of TACACS+ and RADIUS Attributes in Group Setup

To maintain ease of use and robust functionality, the default configuration options under Group Setup support the most common applications of the product. Not every TACACS+ and RADIUS attribute is itemized. Within the CiscoSecure ACS, there is an option to select from a list those attributes that should be displayed (made available to configure) under the Group Setup screens; in other words, the configuration screens themselves are configurable. Therefore, if an attribute is desired but not listed under Group Setup, or there are default options under Group Setup that are not used, you can display or hide them in the Interface Configuration window of the CiscoSecure ACS user interface. See the "Interface Configuration" section of this chapter.

Selecting Protocols—TACACS+, RADIUS (IETF), RADIUS (Cisco) and RADIUS (Ascend)

The CiscoSecure ACS can simultaneously communicate with different access devices with one of four different protocol selections:

When adding or configuring a NAS, a pull-down menu with four choices appears. The CiscoSecure ACS can communicate with a NAS using any of these choices. TACACS+ and RADIUS (IETF) are the protocols with attributes defined by the IETF. RADIUS (Cisco) is the RADIUS (IETF) support plus IETF attribute 26, the Vendor-Specific Attribute (VSA) for Cisco. It is under the VSA that any TACACS+ command can be sent to an access device through RADIUS. RADIUS (Ascend) is the RADIUS (IETF) support plus the Ascend proprietary attributes. Note that some of the proprietary attributes conflict with the IETF attributes. When selected, the proprietary attributes prevail.
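To make the RADIUS (Cisco) description concrete, the following added example (not code from the CiscoSecure ACS product or this documentation) builds and parses the on-wire form of IETF attribute 26: a type byte, a length byte, a 4-byte Vendor-Id, then a vendor sub-attribute with its own type and length. The vendor ID 9 for Cisco and vendor type 1 for the av-pair string are real values; the av-pair text and the user name are constructed sample data. The parser rejects a sub-attribute whose length runs past the enclosing attribute, which is the check a RADIUS server must make before trusting the contents.

```python
import struct

RADIUS_ATTR_VENDOR_SPECIFIC = 26   # IETF attribute 26, Vendor-Specific (RFC 2865)
CISCO_VENDOR_ID = 9                # IANA enterprise number assigned to Cisco
CISCO_AVPAIR_VENDOR_TYPE = 1       # vendor sub-attribute carrying a "cisco-avpair" string


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Generic IETF attribute: type (1 byte), length (1 byte, includes header), value."""
    if not 0 <= attr_type <= 255 or len(value) > 253:
        raise ValueError("attribute type or value out of range")
    return bytes([attr_type, 2 + len(value)]) + value


def encode_cisco_avpair(avpair: str) -> bytes:
    """Attribute 26 whose payload is Vendor-Id 9 plus one cisco-avpair sub-attribute."""
    text = avpair.encode("ascii")
    sub_attr = bytes([CISCO_AVPAIR_VENDOR_TYPE, 2 + len(text)]) + text
    return encode_attribute(RADIUS_ATTR_VENDOR_SPECIFIC,
                            struct.pack("!I", CISCO_VENDOR_ID) + sub_attr)


def parse_attributes(blob: bytes) -> list:
    """Walk a RADIUS attribute list and expand attribute 26 into vendor sub-attributes.

    Returns dicts of the form {"type": t, "value": bytes} for IETF attributes and
    {"type": 26, "vendor_id": id, "vendor_type": vt, "value": bytes} for VSAs.
    """
    result = []
    i = 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = blob[i], blob[i + 1]
        if attr_len < 2 or i + attr_len > len(blob):
            raise ValueError("attribute length outside packet")
        value = blob[i + 2:i + attr_len]
        if attr_type == RADIUS_ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short for Vendor-Id and sub-attribute")
            vendor_id = struct.unpack("!I", value[:4])[0]
            j = 4
            while j < len(value):
                if len(value) - j < 2:
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = value[j], value[j + 1]
                # A vendor length that overruns the outer attribute is malformed; reject it
                # rather than read neighbouring bytes as if they were av-pair text.
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("vendor sub-attribute length outside VSA")
                result.append({"type": attr_type, "vendor_id": vendor_id,
                               "vendor_type": vtype, "value": value[j + 2:j + vlen]})
                j += vlen
        else:
            result.append({"type": attr_type, "value": value})
        i += attr_len
    return result


if __name__ == "__main__":
    # Constructed sample: User-Name (IETF attribute 1) followed by one Cisco VSA.
    packet_attrs = encode_attribute(1, b"alice") + \
        encode_cisco_avpair("ip:inacl#1=permit tcp any any")
    for attr in parse_attributes(packet_attrs):
        print(attr)
```

Note that the outer attribute length caps the whole VSA at 255 bytes, so a long av-pair list is split across several attribute 26 instances rather than one oversized one.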

Display of TACACS+ Time-of-Day Access per Service in Group Setup

In line with the selection of attributes in Group Setup, you can control the usage of each TACACS+ service by time-of-day and day-of-week. For example, Exec (Telnet) access could be restricted to business hours while PPP-IP access is permitted all week long.

The default setting for Group Setup is that time-of-day access is controlled for all services as part of authentication. However, it is possible to display a time-of-day access grid for every service and override the default. This keeps Group Setup easy to manage while making the function available for the most sophisticated environments.

This is limited to TACACS+ because it separates the processes of authentication and authorization. RADIUS time-of-day access applies to all services. If both TACACS+ and RADIUS are being used simultaneously, the default time-of-day access applies to both. This provides a common method to control access regardless of the access control protocol.
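The following added example (not the product's own code) models the policy described above: a group carries one default weekday-by-hour grid that governs every service, a TACACS+ service may carry its own grid that overrides the default, and RADIUS requests are always checked against the default grid alone. The service names, hours and dates are constructed to mirror the Exec-versus-PPP-IP example in the text.

```python
from datetime import datetime

# A grid is the set of (weekday, hour) cells that are permitted.
# weekday follows Python's convention: Monday = 0 ... Sunday = 6.
ALL_WEEK = frozenset((d, h) for d in range(7) for h in range(24))


def hours(days, start_hour, end_hour):
    """Grid cells for the given weekdays and the hour range [start_hour, end_hour)."""
    return frozenset((d, h) for d in days for h in range(start_hour, end_hour))


class GroupAccessPolicy:
    """Time-of-day policy for one group: a default grid plus optional per-service grids."""

    def __init__(self, default_grid=ALL_WEEK, per_service=None):
        self.default_grid = frozenset(default_grid)
        # Per-service overrides are only meaningful for TACACS+, whose authorization
        # step is separate from authentication and can be evaluated per service.
        self.per_service = dict(per_service or {})

    def grid_for(self, protocol, service):
        if protocol.lower() == "tacacs+":
            return self.per_service.get(service, self.default_grid)
        # RADIUS: time-of-day access applies to all services, so only the default counts.
        return self.default_grid

    def permitted(self, protocol, service, when):
        """True if the request falls in a permitted cell of the applicable grid."""
        return (when.weekday(), when.hour) in self.grid_for(protocol, service)


# Constructed sample policy: everything allowed all week by default, but TACACS+
# Exec (shell) access restricted to Monday-Friday 08:00-18:00.
BUSINESS_HOURS = hours(range(0, 5), 8, 18)
SAMPLE_POLICY = GroupAccessPolicy(default_grid=ALL_WEEK,
                                  per_service={"exec": BUSINESS_HOURS})

if __name__ == "__main__":
    saturday = datetime(2003, 1, 25, 10, 0)   # constructed timestamp, a Saturday
    print("exec on Saturday:", SAMPLE_POLICY.permitted("tacacs+", "exec", saturday))
    print("ppp-ip on Saturday:", SAMPLE_POLICY.permitted("tacacs+", "ppp-ip", saturday))
```

Because the check is made against the hour in which the request arrives, a session that begins inside the permitted window is not cut off when the window closes; enforcing session limits is a separate function from this grid.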

Displaying of Custom Commands per Service in Group Setup

The CiscoSecure ACS can also display a custom command field for each service. This free-form text field makes it possible to create specialized configurations that are downloaded for a particular service for users in a particular group; for example, the ability to define an Access Control List (ACL) at the ACS. The IP addresses to which a user of a group is limited are downloaded to the access device at the time of authentication and authorization. After a user of that group ends the session to that access device, the ACL is removed until a user of that group accesses the device again.

This feature is not limited just to ACLs; it can be used to send many TACACS+ commands to the access device for that service, provided the device supports the command and the command's syntax was entered properly. This feature is disabled by default, but can be easily enabled in the same manner as the attributes and time-of-day access.

Interface Configuration

This display lets you configure the CiscoSecure ACS user interface. Note that even if you enable a protocol, you still need to have a NAS configured with this protocol in order for the protocol information to display.

User Data Configuration

This section allows you to add or edit up to five User-Defined Fields that appear in the User Setup window. You can enter up to five fields that you want to display for each user; for example, the user's company name, department, or billing information. These fields can also be included in the Accounting logs.

Protocol Options

These sections allow you to display or hide TACACS+ or RADIUS administrative and accounting options. You can reduce the complexity of the entry screens by turning off the features that you do not use.


Note      The interface will still display any options that you have turned off on this page if that section is enabled or has a nondefault value. This stops settings that are active from being hidden from view. If you subsequently disable the setting, it will then be hidden.


Advanced Options

This feature lets you determine which advanced features will appear on the CiscoSecure ACS interface. You can reduce the complexity of the entry screens by turning off the features that you do not use. Many of these options are not displayed unless they are enabled.


Note      The interface will still display any options that you have turned off if that section is enabled or has a nondefault value. This stops settings that are active from being hidden from view. If you subsequently disable the setting, it will then be hidden.



Posted: Tue Jan 21 03:26:47 PST 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.