Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

Database replication

Scheduled ACS system backup and the ability to restore from the backup file

These and other features give you totally granular control over the AAA process, putting the matter of user access in your hands. In addition, CSNT gives you the tools you need to completely monitor the CSNT server and manipulate the user database.

And there’s more! CS ACS 3.0.2 also has the following features and capabilities:

802.1x support

LEAP support

Extensible Authentication Protocol (EAP) support (EAP-MD5, EAP-TLS)

Command authorization sets

MS-CHAP version 2 support

Per-user access control lists

Shared network access restrictions (NARs)

Wildcards in NARs

Multiple devices per AAA client configuration

Multiple LDAP lookups and LDAP failover

User-defined RADIUS vendor-specific attributes (VSAs)

Installing CiscoSecure ACS 3.0

Want it short and sweet? The CS ACS installation can be condensed into the following steps:

1. Verify that the NAS and the Windows server can communicate over a LAN using TCP/IP. Ping will work just fine for this job.

2. Install ACS 3.0 on the Windows 2000 server platform. Although this supposedly works with Windows NT 4.0, it is recommended that you use a Windows 2000 server.

3. Disable IAS on the Windows 2000 server (if it’s running), or the Cisco RADIUS server will not work.

4. Bring up the web browser interface of the ACS server.

5. Configure the NAS for AAA using TACACS+ and/or RADIUS.

6. Verify the installation and operation of the NAS and ACS server.

Exercise 3.1 assumes that step 1 has been completed and gets right into the installation of the ACS software.
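
Steps 5 and 6 can be checked offline against a saved copy of the NAS configuration. The script below is an added example, not code from the book or from Cisco; the sample configuration, the address 192.0.2.10, the key placeholder and the function name audit_nas_aaa are assumptions made for illustration.

```python
import re

# Constructed sample NAS running-config excerpt; address and key are placeholders.
SAMPLE_NAS_CONFIG = """
hostname NAS1
enable secret 5 $1$constructed$placeholderhash
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
tacacs-server host 192.0.2.10
tacacs-server key <shared-key-placeholder>
"""

def audit_nas_aaa(config, acs_ip):
    """Return findings for a NAS config; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model is missing, so AAA is not enabled")
    # The ACS must be defined as a TACACS+ or RADIUS server on the NAS.
    hosts = [ln for ln in lines
             if re.match(r"(tacacs|radius)-server host %s\b" % re.escape(acs_ip), ln)]
    if not hosts:
        findings.append("no tacacs-server/radius-server host entry for " + acs_ip)
    for ln in hosts:
        proto = ln.split("-")[0]
        # The shared key can be set globally or on the host line itself.
        has_key = " key " in ln or any(l.startswith(proto + "-server key ") for l in lines)
        if not has_key:
            findings.append(proto + " shared key for the ACS is not configured")
    # Each login list that uses the ACS should name a later fallback method,
    # otherwise an unreachable ACS locks administrators out of the NAS.
    for ln in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)", ln)
        if m:
            methods = m.group(2).replace("group ", "group:").split()
            acs = [i for i, x in enumerate(methods) if x in ("group:tacacs+", "group:radius")]
            if acs and acs[-1] == len(methods) - 1:
                findings.append("login list '%s' has no fallback after the ACS" % m.group(1))
            if "none" in methods:
                findings.append("login list '%s' falls back to none" % m.group(1))
    if not any(ln.startswith("enable secret ") for ln in lines):
        findings.append("enable secret is not set")
    return findings

if __name__ == "__main__":
    print(audit_nas_aaa(SAMPLE_NAS_CONFIG, "192.0.2.10") or "all checks passed")
```
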

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

Chapter 3: Configuring CiscoSecure ACS and TACACS+

EXERCISE 3.1

CiscoSecure ACS 3.0 Installation

After you bring up and test network connectivity between the Windows server and the NAS server, install the ACS on the Windows server using the following steps:

1. Once you click the Setup file, the ACS program displays the Before You Begin screen:

This screen asks you to verify that you have some basic configuration on the NAS before the ACS is installed. Be sure you don’t miss the note about the minimum IOS version on the NAS—especially if you’re studying for your SECUR exam!

2. After you’ve completed the basic configuration needed to install the ACS, click Next and the Authentication Database Configuration screen appears:

This is where you choose to use a local database on the ACS server or use the Windows server database.

3. Next, you’ll be prompted to configure the ACS to talk to the NAS on the CiscoSecure ACS Network Access Server Details screen:

Look at the bottom right-hand corner of the screen. See that Explain button? If you click it, an Explanation of CiscoSecure ACS Network Access Server Details screen appears:

The Explanation screen can be unbelievably helpful to you. Yes! A help screen that is actually helpful—what do you know? Read through this information, and you’ll learn what each field in the Details screen requires. On the CiscoSecure ACS Network Access Server Details screen, I entered the name of the NAS and the IP address of the NAS F0/0 interface. For the key, I just made up a unique key that is extremely hard to break.

4. The next screen, Advanced Options, asks you to enter any advanced information to be displayed when using the ACS user interface:

Again, to find out why you would choose each option, click the Explain button in the bottom left-hand corner. The Explanation of Advanced Options Configuration screen appears. Believe it—this is actually another helpful help screen—really!

5. The next screen, Active Service Monitoring, gives you an opportunity to configure monitoring on the ACS as shown here:

The Active Service Monitoring screen provides a great way to set up your e-mail notification in case of failure. The Explain button in the bottom left-hand corner describes what the options are, but you probably won’t need to go there because they’re really self-explanatory.

6. The Network Access Server Configuration screen allows you to configure the ACS so that it configures the NAS server. This is so much easier than the local authentication configuration that you did in the last chapter!

Again, clicking that Explain button in the bottom right-hand corner displays additional information:

7. Next you’ll see the Enable Secret Password screen. It asks you for the enable secret password of the NAS and explains what the ACS installation is trying to accomplish:

8. This next screen, Access Server Configuration, tells you that the ACS will show you how to configure the NAS, step by step. Nice!

9. Just click Next to see the configuration you need to type into the NAS on the NAS Configuration screen:

10. Keep scrolling down and you can see the entire configuration you need to configure on the NAS. The last two configuration screens appear as follows:
