Administering and Troubleshooting Cisco Secure ACS for Windows

Once installed, Cisco Secure ACS is configured and administered using a web browser through the HTML interface, enabling easy configuration from any host on the LAN or WAN. The Cisco Secure ACS HTML interface uses HTML and some Java functions for ease of use. This program design keeps the interface straightforward and responsive. Figure 4-5 shows the Cisco Secure ACS HTML interface.

Figure 4-5: Cisco Secure ACS HTML interface

From the HTML interface, you can easily view and edit user and group information, stop and restart services, add or change remote administrators, modify AAA client information, back up the system, view reports, and more. Reports track connection activities, show users who are logged in, list any failed authentication and authorization attempts, and show a history of the recent tasks of administrators.

The HTML interface has three vertical frames:

  • Navigation bar

  • Configuration area

  • Display area

Figure 4-6 shows the three frames of the ACS HTML configuration screen.

Figure 4-6: ACS configuration screen

Navigation Bar

The navigation bar, the gray frame on the left of the browser window, contains the task buttons. Each button changes the configuration area (second panel) to a section of the Cisco Secure ACS application. This frame doesn’t change; it always contains the following buttons:

User Setup

Add and edit user profiles.

Group Setup

Configure network services and protocols for user groups.

Network Configuration

Add and edit network access devices.

System Configuration

Configure database information and accounting.

Interface Configuration

Display or hide product features and options.

Administration Control

Define and configure access policies.

External User Databases

Configure external databases for authentication.

Reports And Activity

Display various accounting and logging summaries.

Online Documentation

View the Cisco Secure ACS User Guide.

Configuration Area

The Configuration Area, the middle frame, displays web pages that belong to one of the sections represented by the buttons in the navigation bar. The configuration area is where you add, edit, or delete program setup information. For example, in Figure 4-6, it’s possible to find a particular user and change their user information.

Most configuration pages have an appropriate Submit button at the bottom that’s used to confirm your changes. Figure 4-7 shows the Submit button options. The Submit + Restart button is used for those configuration changes that require stopping and restarting the services. If you don’t click the Submit button or click the Cancel button, the changes won’t be saved.

Figure 4-7: Configuration Area Submit and Cancel buttons

Display Area

The Display Area, the right-side frame, shows one of the following, depending on the button selected in the navigation bar.

Online Help

Basic help about the page currently shown in the Configuration Area. This help isn’t intended to be in-depth information but, instead, basic information about the topic in the middle frame. For more detailed information, click Section Information at the bottom of the page to go to the applicable part of Online Documentation.

Reports Or Lists

Displays available lists or reports, including accounting summary reports. Most listings are hyperlinks to the specific configuration views, so clicking the link enables you to edit that item.

System Messages

Displays system and error messages after you submit your changes, indicating the nature of the problem. Any incorrect information remains in the Configuration Area for easy review and correction.

Accessing the HTML Interface

The HTML interface can be reached by using a web browser from anywhere on the network at either of the following URLs. The first two lines show the syntax, while the last two are examples.


If Cisco Secure ACS is installed on the local server you’re accessing with a web browser, it’s possible to use either of the following two URLs. These commands take advantage of default naming and addressing standards.


Remote administrative sessions always require a login using a valid administrator name and password, as configured in the Administration Control section.

To access the Cisco Secure ACS configuration HTML interface, follow these steps:

  1. Open a web browser.

  2. In the Address or Location bar in the web browser, type the applicable URL.

  3. If the Cisco Secure ACS for Windows 2000/NT Login page appears, follow these steps:

    1. Type a valid Cisco Secure ACS administrator name in the User name box.

    2. Type a valid administrator password in the Password box.

    3. Click the Login button.

The Cisco Secure ACS for Windows 2000/NT initial page appears, as shown earlier in Figure 4-5.

Logging Off the HTML Interface

Click the Logoff button to end the ACS session. Failing to do so might allow unauthorized access by someone using the web browser after you, or even unauthorized access through the HTTP port left open to support the administrative session. Cisco Secure ACS can time out unused administrative sessions.

Remote Administrative Session Issues

Many organizations’ security policies don’t allow remote access to resources like the Cisco Secure ACS server. For this reason, various technologies are designed to keep outsiders safely outside the network. The nature of these technologies is often inconsistent with the ACS architecture.

While this isn’t always practical, the recommendation is that remote administration sessions not have any of the following technologies between the administration browser and the Cisco Secure ACS server.

  • HTTP proxy server

  • NAT gateway

  • Firewall devices

Each of these technologies can interfere with or prevent connection between the browser and the ACS server. Because these are common technologies, particularly when accessing the ACS server from outside the network, the following explanations and suggestions might be useful.

HTTP Proxy Servers

Because of the way proxy servers work between clients and servers, a web browser configured to use a proxy server for a remote administrative session appears to the Cisco Secure ACS server to originate from the IP address of the proxy server, not from the address of the remote workstation. ACS remote administrative session tracking requires that each browser reside on a workstation with a unique IP address. ACS administrative sessions using a proxy-enabled web browser are neither tested nor supported.

Suggestion: If the web browser is configured to use a proxy server, disable HTTP proxying before attempting the remote Cisco Secure ACS administrative session.

NAT Gateway

If a remote session uses a web browser on a workstation behind a NAT gateway, the gateway substitutes a global “public” address for the workstation’s real local IP address. When ACS receives the HTTP requests, the NAT device’s public IP address conflicts with the workstation’s private IP address included in the content of the HTTP requests. Cisco Secure ACS won’t allow this.

If the Cisco Secure ACS server is behind a NAT gateway, you could try configuring the NAT gateway to forward all connections to port 2002 to the Cisco Secure ACS server, preserving port 2002. In addition, all the ports allocated with the HTTP port allocation feature must be mapped the same way. Cisco hasn’t tested this and doesn’t support this implementation.

Firewall Devices

Firewalls implementing NAT fall under the previous section. For firewalls not performing NAT, remote ACS administrative sessions conducted across the firewall require additional configuration of both the ACS software and the firewall, because ACS assigns a random HTTP port at the beginning of each remote administrative session.

The firewall must be configured to allow HTTP traffic across the range of ports ACS is configured to use. That range of TCP ports, used by Cisco Secure ACS for remote administrative HTTP sessions, is set with the HTTP port allocation feature. The firewall must also permit HTTP traffic through port 2002, because this is the port a remote web browser must reach to initiate an administrative session.

To reduce the risk of malicious discovery of an active administrative port by an unauthorized user, keep the HTTP port range as narrow as possible. Any unauthorized user would have to impersonate, or “spoof,” the IP address of the legitimate remote host to use the active administrative session HTTP port.
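The two constraints above (the browser must reach ACS with the workstation’s own address, and a non-NAT firewall must pass port 2002 plus the allocated HTTP range, kept as narrow as possible) can be turned into checks a defender runs before opening remote administration. The following Python script is an added example, not code from this book or from Cisco. The session-record format (a source address as seen on the TCP connection next to the workstation address carried in the request, as the NAT section describes), the firewall rule format, and all sample data are constructed for the example.

```python
"""Checks for the remote-administration path to a Cisco Secure ACS server.

Added example; not code from the book or from Cisco. It covers two points
from the text:

  1. A remote admin browser must appear to ACS with the workstation's own
     IP address. A NAT gateway or proxy makes the source address differ from
     the workstation address carried inside the HTTP request, and a proxy
     makes several browsers arrive from one address. Both break ACS
     per-workstation session tracking.
  2. A non-NAT firewall must pass TCP 2002 plus the TCP range set with the
     HTTP port allocation feature, and that range should be as narrow as
     possible.

The session-record format, the firewall rule format and all sample data
below are constructed for this example.
"""
from dataclasses import dataclass

ACS_INITIAL_PORT = 2002  # from the text: port a browser must reach to start a session


@dataclass(frozen=True)
class SessionAttempt:
    source_ip: str        # address ACS sees on the TCP connection
    workstation_ip: str   # address the browser reports in the request content


def check_session_paths(attempts):
    """Return a list of (attempt, reasons) where reasons is a tuple of:
       'address_mismatch' - source differs from the workstation address
                            (a NAT gateway or HTTP proxy is in the path);
       'shared_source'    - more than one workstation arrives from the same
                            source address (typical of an HTTP proxy).
    An empty tuple means the path is one ACS session tracking accepts."""
    workstations_per_source = {}
    for a in attempts:
        workstations_per_source.setdefault(a.source_ip, set()).add(a.workstation_ip)
    findings = []
    for a in attempts:
        reasons = []
        if a.source_ip != a.workstation_ip:
            reasons.append("address_mismatch")
        if len(workstations_per_source[a.source_ip]) > 1:
            reasons.append("shared_source")
        findings.append((a, tuple(reasons)))
    return findings


@dataclass(frozen=True)
class PermitRule:
    """One firewall permit: TCP destination ports first_port..last_port to ACS."""
    first_port: int
    last_port: int


def required_admin_ports(alloc_first, alloc_last):
    """Ports the firewall must pass: 2002 plus the allocated HTTP range."""
    if not 1 <= alloc_first <= alloc_last <= 65535:
        raise ValueError("invalid HTTP port allocation range")
    return {ACS_INITIAL_PORT} | set(range(alloc_first, alloc_last + 1))


def audit_firewall(rules, alloc_first, alloc_last):
    """Compare what the firewall opens with what ACS needs.
    'missing' ports will make sessions fail to start or continue;
    'excess' ports are opened beyond the narrow range the text recommends."""
    needed = required_admin_ports(alloc_first, alloc_last)
    opened = set()
    for r in rules:
        opened.update(range(r.first_port, r.last_port + 1))
    return {"missing": sorted(needed - opened), "excess": sorted(opened - needed)}


# Constructed sample records: one direct session, one from behind NAT,
# two from workstations sharing an HTTP proxy.
SAMPLE_ATTEMPTS = [
    SessionAttempt("10.1.1.20", "10.1.1.20"),
    SessionAttempt("203.0.113.5", "192.168.1.10"),
    SessionAttempt("10.1.1.250", "10.1.1.31"),
    SessionAttempt("10.1.1.250", "10.1.1.32"),
]

if __name__ == "__main__":
    for attempt, reasons in check_session_paths(SAMPLE_ATTEMPTS):
        print(attempt.workstation_ip, "via", attempt.source_ip, reasons or "ok")
    # Allocation range 3000-3009 (constructed); second rule set is far too wide.
    print(audit_firewall([PermitRule(2002, 2002), PermitRule(3000, 3009)], 3000, 3009))
    print(audit_firewall([PermitRule(2002, 2002), PermitRule(3000, 3999)], 3000, 3009))
```

Run the audit against the rule set as exported from the firewall and the range entered in the HTTP port allocation feature; a non-empty `excess` list is the concrete measure of how much wider than necessary the administrative opening is.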

Suggested Configuration Sequence

No single set of steps, or even order of steps, exists for configuring ACS. The size and topology of the network, the types of network access supported, and even the technical skills of the administrative staff are all factors. The latest CCO documentation and security alerts, as well as the ACS online documentation feature, should always be consulted before and during implementation. The following sequence is keyed to the functions represented in the navigation bar.

Configure Administrators

Configure at least one administrator (Administration Control button), or there’s no remote administrative access and all configuration activity must be done from the server. The administrative policy and security policy should dictate the number and details of administrator accounts.

Configure the ACS Web Interface

You can configure ACS HTML interface (Interface Configuration button) to show only those features and controls you plan to use. This streamlines ACS, making it less difficult to use, less intimidating, and easier to train new administrators to use. The downside, of course, is that features and controls aren’t available and are possibly unknown to the staff because they aren’t present.

Aspects of the web interface that can be configured in this section include the following:

  • User Data Configuration Options: You can add (or edit) up to five fields for recording information on each user.

  • Advanced Options: Over 20 options, ranging from User-Level Network Access Restrictions to Voice-over-IP (VoIP) Accounting options.

  • Protocol Configuration Options for TACACS+: Settings enable the display or hiding of TACACS+ administrative and accounting options.

  • Protocol Configuration Options for RADIUS: Settings enable the display or hiding of RADIUS administrative and accounting options.

Figure 4-8 shows some of the configuration options available in setting up TACACS+.

Figure 4-8: Interface configuration setting TACACS+ features

Configure System

Figure 4-9 shows some of the dozen or more features that can be configured within the System Configuration section (System Configuration button). This is where the logging options that are later used to produce reports are set. ACS comprises several Windows NT/2000 services. The Service Control page provides basic status information about these services and enables you to configure the service log files and to stop or restart the services.

Figure 4-9: ACS System Configuration options

Configure Network

Figure 4-10 shows the network configuration (Network Configuration button) used to control distributed and proxied AAA functions. This section is used to establish the identity, location, and grouping of AAA clients and servers, and to determine what authentication protocols each is to employ.

Figure 4-10: Network configuration showing the NAS router and the AAA server

Configure External User Database

The External User Databases button is used to implement an external database to establish and maintain user authentication accounts. This configuration usually is based on the existing network administration mechanisms. In addition to implementing an external user database (or databases), this section is used to define requirements for ACS database replication, backup, and synchronization.

Configure Shared Profile Components

The Shared Profile Components section enables administrators to develop and name reusable, shared sets of authorization components, which might be applied to one or more users, or groups of users, and referenced by the assigned name within their profiles. These include network access restrictions (NARs), command authorization sets, and downloadable PIX ACLs.

  • NARs enable the administrator to define additional authorization conditions that must be met before a user can gain access to the network.

  • Command authorization sets provide a central mechanism to control the authorization of each command on each network device.

  • Downloadable PIX ACLs enable an ACL to be created once, in Cisco Secure ACS, and then loaded to any number of PIX firewalls that authenticate using the Cisco IOS/PIX protocol.

These shared profile components enhance the scalability of the selective authorization feature. Shared profile components, once configured, can be applied to many users or groups, and they eliminate having to configure the authorization explicitly for each user group for each possible command on each possible device.

Configure Groups

Figure 4-11 shows some of the features that can be assigned to groups (Group Setup button), much the same way group permissions are used in the Windows authentication model. It’s always easier to deal with group privileges, permissions, or features, and then make sure the appropriate users are in the correct groups. This not only facilitates setting up a new user, it also facilitates removing all of a user’s permissions and features when they leave the organization.

Figure 4-11: Example of group setup options

Configure Users

Figure 4-12 shows a user account being defined (User Setup button). Once the groups are defined, it’s time to create the user accounts. Note that, unlike the Windows group model, a user can belong to only one user group, and user-level settings always override group-level settings.
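The Shared Profile Components, Group Setup and User Setup sections above describe three rules that are easy to get wrong when profiles are built by hand: a command authorization set is a named, reusable component referenced from a profile; a user belongs to exactly one group; and user-level settings always override group-level settings. The following Python model is an added example, not code from this book or from Cisco, and it simplifies the product: the profile structure, the argument-matching rules (exact argument match, "*" for any arguments, unlisted commands denied) and all sample users, groups and command sets are constructed for the example.

```python
"""Group-then-user profile resolution and command authorization sets.

Added example, not code from the book or from Cisco. It models three rules
stated in the text: a shared command authorization set is a named component
referenced from a profile; a user belongs to exactly one group; and
user-level settings always override group-level settings. The profile
structure, the matching rules and all sample data are constructed for this
example and simplify what the product offers.
"""
import fnmatch

# Shared Profile Components: command authorization sets by name.
# Each command maps to the argument strings it may be run with
# ("*" = any arguments; an empty list = the bare command only).
COMMAND_SETS = {
    "NetOps-ReadOnly": {"show": ["*"], "ping": ["*"]},
    "NetOps-Full": {"show": ["*"], "configure": ["terminal"], "reload": []},
}

# Group Setup: settings every member of the group inherits.
GROUPS = {
    "NetOps": {"command_set": "NetOps-ReadOnly", "max_sessions": 2, "enable_privilege": 1},
}

# User Setup: exactly one group per user, plus optional user-level overrides.
USERS = {
    "alice": {"group": "NetOps", "overrides": {}},
    "bob": {"group": "NetOps",
            "overrides": {"command_set": "NetOps-Full", "enable_privilege": 15}},
}


def validate_profiles(users=USERS, groups=GROUPS, command_sets=COMMAND_SETS):
    """Reject profiles that reference a group or command set that does not exist."""
    problems = []
    for name, user in users.items():
        if user["group"] not in groups:
            problems.append(f"{name}: unknown group {user['group']}")
        override_set = user["overrides"].get("command_set")
        if override_set is not None and override_set not in command_sets:
            problems.append(f"{name}: unknown command set {override_set}")
    for gname, group in groups.items():
        if group.get("command_set") not in command_sets:
            problems.append(f"{gname}: unknown command set {group.get('command_set')}")
    return problems


def effective_settings(username):
    """Start from the user's single group, then let user-level values win."""
    user = USERS[username]
    settings = dict(GROUPS[user["group"]])
    settings.update(user["overrides"])
    return settings


def authorize_command(username, command, args=""):
    """Decide a command against the command set the user's profile resolves to.
    Commands not in the set are denied; a listed command is allowed bare, and
    with arguments only when an argument pattern matches."""
    set_name = effective_settings(username).get("command_set")
    if set_name is None:
        return False
    permitted_args = COMMAND_SETS[set_name].get(command)
    if permitted_args is None:
        return False
    if args == "":
        return True
    return any(fnmatch.fnmatchcase(args, pattern) for pattern in permitted_args)


if __name__ == "__main__":
    print("profile problems:", validate_profiles())
    for user in USERS:
        print(user, effective_settings(user))
    print("bob configure terminal:", authorize_command("bob", "configure", "terminal"))
    print("alice configure terminal:", authorize_command("alice", "configure", "terminal"))
```

Because every permission reaches a user through the one group membership plus the user record, `effective_settings` is also the place to look when checking what a departing user still holds: deleting the user record, or moving it to a group with no command set, removes everything at once, which is the point the Group Setup section makes.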

Figure 4-12: User account entry screen

Configure Reports

The Reports And Activity section (Reports or Lists button) is used to specify the nature and scope of the logging that ACS performs, which ultimately determines the reports that can be generated.
