AAA Server Configuration

Cisco Secure ACS must be configured on a Windows 2000/NT or UNIX server to support either TACACS+ (Cisco preferred) or RADIUS authentication. The next lines demonstrate installing Cisco Secure ACS v2.6 for Windows 2000/NT, which is the latest version at press time. The example assumes a TACACS+ implementation. This information is included as representative of the process, but it’s important to make sure you have the latest instructions matching the platform and version of the Cisco Secure ACS software.

To get the latest instructions, go to the Cisco web site at and search for IOS auth-proxy, and then scan for a document referring to Implementing Authentication Proxy. While searching for Implementing Authentication Proxy could be more direct, the former also includes Command Reference listings and examples for working with other firewall features you might find useful.

The configuration steps are as follows:

  1. Open a web browser.

  2. In the address or location bar in the web browser, type the applicable URL, using the IP of a remote server, or either http://localhost:2002 or http:// if you’re working directly on the server.

  3. If the Cisco Secure ACS for Windows 2000/NT login page appears, follow these steps:

    • Type a valid Cisco Secure ACS administrator name in the User Name box.

    • Type a valid administrator password in the Password box.

    • Click the Login button.

    • The Cisco Secure ACS for Windows 2000/NT initial page appears (Figure 8-5).

      Figure 8-5: Cisco Secure ACS for Windows opening screen

  4. Click the Interface Configuration option on the left side of the opening screen. The three-column format of the screen includes links for help on the right-hand side, if necessary.

  5. From the Interface Configuration screen, select TACACS+ (Cisco IOS). Note, this is also where you could choose a RADIUS (IETF) implementation. Figure 8-6 shows the Interface Configuration screen.

    Figure 8-6: Interface Configuration screen showing the TACACS+ and RADIUS options

  6. On the resulting screen, scroll down in the center column until you can see the New Services section (Figure 8-7). Select (check) the Group option for the first blank row, and then type auth-proxy in the Service column. Leave the Protocol column blank. Do not click the Submit button yet.

    Figure 8-7: TACACS+ configuration page showing the New Services section

  7. Further down the same screen, in the Advanced Configuration Options (Figure 8-8), check the option labeled Display window for each service selected in which you can enter customized TACACS+ attributes. Look over the other choices, including the option to create a time-of-day schedule for services. Click the Submit button.

    Figure 8-8: Advanced TACACS+ configuration options

  8. Return to the button bar on the left side of the screen and click the Group Settings option. When the next screen appears, choose Edit Settings. You’ll be editing the default group settings, but you can use the drop-down list to select a particular group.

  9. Find and select the Auth-Proxy option. This is several sections down in the center panel.

  10. The authentication proxy features require a per-user downloadable user profile configuration on the AAA server. When the user uses the auth-proxy feature to access the network, the appropriate profile is downloaded and becomes a series of temporary ACL entries on the firewall router. The following is an example of what a user profile looks like on a TACACS+ server (the auth-proxy attributes sit inside their own braces under the service, and the privilege level is set to 15 as the rules below require).

    default authorization = permit
    key = test
    user = newuser1 {
    login = cleartext test
    service = auth-proxy
    {
    priv-lvl=15
    proxyacl#1="permit tcp any any eq 69"
    proxyacl#2="permit icmp any host"
    proxyacl#3="permit tcp any any eq ftp"
    proxyacl#4="permit tcp any any eq ftp-data"
    proxyacl#5="permit tcp any any eq telnet"
    proxyacl#6="permit tcp any any eq smtp"
    }
    }

  11. This profile can be created at this point using a type of access control list. Remember the following:

    • Use the proxyacl#n attribute when configuring the access lists in the profile for both RADIUS and TACACS+ attribute-value (AV) pairs.

    • Note, the proxyacl#n values are numbered sequentially.

    • The privilege level must be set to 15 for all users.

    • Each user profile access list entry can contain only the permit keyword.

    • Use the any keyword for the source address in each entry. The source address of the host making the authentication proxy request will replace the any keyword when the user profile is downloaded to the firewall.

    In the box following the auth-proxy selection, type the following lines. These lines enable new users to create ICMP, TCP, and UDP sessions.

    proxyacl#1=permit icmp any any
    proxyacl#2=permit tcp any any
    proxyacl#3=permit udp any any

  12. Figure 8-9 shows the completed entries and the various activation buttons. Click the Submit + Restart button when the entry is complete.

    Figure 8-9: Downloadable profile entries and activation buttons

    The techniques and exact commands for creating these user downloadable profiles vary with the OS platform and the version of the software. Always check the online documentation before proceeding.
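As an added example (not part of the original text and not Cisco Secure ACS code), the following Python checker applies the profile rules from step 11 to a constructed TACACS+ profile and shows the temporary entries the firewall would build once the any source keyword is replaced by the requesting host; the sample profile, user name and host address are all constructed for illustration.

```python
import re

# Constructed sample profile in the shape the steps above describe: one user
# whose auth-proxy service carries priv-lvl and proxyacl#n AV pairs.
SAMPLE_PROFILE = """
user = newuser1 {
login = cleartext test
service = auth-proxy
{
priv-lvl=15
proxyacl#1="permit icmp any any"
proxyacl#2="permit tcp any any eq ftp"
proxyacl#3="permit udp any any"
}
}
"""

# Matches either priv-lvl=N or proxyacl#N="..." (quotes optional).
AV_RE = re.compile(r'^\s*(proxyacl#(\d+)|priv-lvl)\s*=\s*"?([^"]*)"?\s*$')

def parse_profile(text):
    """Return (priv_lvl, [(n, ace), ...]) from the auth-proxy AV pairs."""
    priv_lvl, acls = None, []
    for line in text.splitlines():
        m = AV_RE.match(line)
        if not m:
            continue  # login, service and brace lines are not AV pairs
        if m.group(1) == "priv-lvl":
            priv_lvl = int(m.group(3))
        else:
            acls.append((int(m.group(2)), m.group(3).strip()))
    return priv_lvl, acls

def validate_profile(text):
    """Apply the page's rules; returns a list of problems (empty means OK)."""
    priv_lvl, acls = parse_profile(text)
    problems = []
    if priv_lvl != 15:
        problems.append("priv-lvl must be 15")
    if [n for n, _ in acls] != list(range(1, len(acls) + 1)):
        problems.append("proxyacl#n values must be numbered sequentially from 1")
    for n, ace in acls:
        words = ace.split()
        if len(words) < 4 or words[0] != "permit":
            problems.append(f"proxyacl#{n}: only 'permit' entries are allowed")
        elif words[2] != "any":
            problems.append(f"proxyacl#{n}: source must be the 'any' keyword")
    return problems

def render_temporary_acl(text, host_ip):
    """Entries the firewall installs: the 'any' source becomes the host."""
    rendered = []
    for _, ace in parse_profile(text)[1]:
        words = ace.split()
        if len(words) >= 3 and words[2] == "any":
            words[2:3] = ["host", host_ip]
        rendered.append(" ".join(words))
    return rendered
```

Run validate_profile before pushing a profile to the server; a non-empty result points at the exact proxyacl#n entry that the router would reject or that would grant more than intended.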
