|
This card contains instructions for installing and configuring a separate program to allow users to change their passwords using a web-based utility. It also contains information on how to change a password using the utility.
The Secure Socket Layer (SSL) protocol provides security for remote access data transfer between the web server and browser.
The SSL protocol protects data transfers, which can include passwords, between the CiscoSecure ACS user-changeable password HTML-based interface and your web browser. Use the SSL protocol for encrypted connections to your web server. This provides a high degree of security. Users can use their own web browsers to connect to a web utility program to change their CiscoSecure ACS database passwords. Therefore, all of the data traffic is vulnerable and should be encrypted.
The CiscoSecure ACS user-changeable password HTML interface communicates with the web server (for example, Microsoft IIS); and the web server, in turn, communicates with the CiscoSecure ACS database.
SSL works by requiring the web browser to authenticate only a server that has a signed key. You must obtain a certificate from a certificate authority such as VeriSign. VeriSign will assign your keys for a fee, provided you comply with certain requirements, or you can check with the manufacturer of your web server software.
If your browser supports only basic authentication, Cisco recommends that you also use SSL. You might also want to use SSL even if you use Windows NT Challenge Response, because SSL encrypts all data in the session.
To enable SSL security on a web server, follow these steps:
Step 1 Generate a key pair file and a request file. In the Microsoft Internet Server, click Key Manager.
Step 2 From the Key menu, click Create New Key.
Step 3 In the Create New Key and Certificate Request dialog box, fill in the requested information. After you fill out the form, click OK.
Step 4 When you are prompted, retype the password you typed in the form, and click OK. When the key has been created, a screen opens containing information about the new keys and how to obtain a certificate. Click OK.
Step 5 From the Key menu in Key Manager, click Export Key and then Backup File. Click OK to the warning dialog.
Step 6 Type the key name in the File Name box, and click Save. To save the new key from the Servers menu, select Commit Changes Now. When asked if you want to commit all changes now, click OK.
Step 7 Request a certificate from a certification authority and install the certificate on your server.
Step 8 Activate SSL security on a WWW service folder. Use a web browser to connect to the server. Click Maintenance: Web Admin Preferences: Ensure use of SSL secure channel. Click OK. This sets the Registry entry SSLRequired to 1. The Registry entry SSLRequired is in the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\
Inetsrv_NTAdmin
Keep in mind the following points when enabling SSL security:
For security purposes, do not leave your workstation while logged on to an administrative account or during an administrative session. See your Microsoft documentation for more detailed information.
To set up a virtual directory on the web server, follow these steps:
Step 1 In CiscoSecure ACS, click Interface Configuration: Distributed Systems Settings.
Step 2 Click Network Configuration: Add AAA Server.
Step 3 Click AAA Server: Add Entry and enter the IP address and other applicable information for the remote web server. Restart the server.
Step 4 Make sure Microsoft IIS 2.0 or later is installed on the server. Follow the instructions in your Microsoft documentation to add the following directories:
Step 5 Set the default document for the home page to login.htm.
To install the software on the web server, follow these steps:
Step 1 Use the Windows Explorer to locate the User-Changeable Password SETUP.EXE file. Double-click the SETUP.EXE file to run it.
Step 2 In the Before You Begin window, click the check boxes for items 1, 2, 3, 4, and 5. Click Next.
Step 3 In the Choose Destination Location window, select or enter the destination directory for the HTML files. Click Next.
Step 4 In the second Choose Destination Location window, select or enter the destination directory for the CGI script files. Click Next.
Step 5 In the Enter Information window, enter the IP address with the virtual directory of the Change Password logon web page that users will access. Excluding the virtual directory allows users to directly access the page. Click Next.
Step 6 In the second Enter Information window, enter the IP address of the virtual directory to which the physical CGI script directory maps. Click Next.
Step 7 In the Connecting to CiscoSecure Server window, enter the IP address of the server where CiscoSecure ACS resides. Click Next.
Step 8 In the Setup Complete window, click Finish. The installation is now complete.
To change your password, follow these steps:
Step 1 Log in to the web page your administrator has provided:
http:// name of your web server:
Step 2 Enter your username and password and click Submit. The Change Password window opens.
Step 3 The username you entered on the previous screen is displayed in the username field. Enter the following information:
Posted: Mon Nov 4 07:16:06 PST 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.