Cisco Secure ACS operates on Windows 2000 Server or NT 4.0 Server as a service. Cisco Secure ACS can operate on Windows 2000 Advanced Server and Windows 2000 Datacenter Server implementations if Microsoft Clustering Services are not installed. Cisco Secure ACS can run on a domain controller or a member server.
Remembering the performance issues just covered, the Windows server computer must meet the following minimum hardware, operating system (OS), and third-party software requirements.
Intel class Pentium 550 MHz PC or compatible
256MB of RAM
250MB of free disk space, or more if you’re running your database on the same machine
Minimum resolution of 256 colors at 800 x 600 lines
The server must be running a functioning English-language version of one of the following Microsoft Windows OSs:
Windows 2000 Server with Service Pack 1 or Service Pack 2 installed
Windows 2000 Advanced Server with Service Pack 1 or Service Pack 2 installed (Microsoft Clustering Services must not be installed)
Windows 2000 Datacenter Server with Service Pack 1 or Service Pack 2 installed (Microsoft Clustering Services must not be installed)
Windows NT Server 4.0 with Service Pack 6a installed
While, technically, Windows service packs can be applied either before or after installing Cisco Secure ACS, if the service packs are installed before the Cisco Secure ACS software, the process will go more smoothly. If not, the Cisco Secure ACS installation program displays warnings that the required service pack isn’t present. If a service pack message is displayed, continue the installation, and then install the required service pack before starting user authentication with Cisco Secure ACS.
The server must have a compatible web browser installed. Both Java and JavaScript must be enabled for any web browsers to be used to administer Cisco Secure ACS. Cisco Secure ACS has been tested with the following browsers:
Microsoft Internet Explorer versions 5.0 and 5.5
Netscape Communicator version 4.76
Cisco IOS v11.1 (TACACS+)
Cisco IOS v11.2 (RADIUS)
The following network requirements should be in place before you begin to install Cisco Secure ACS:
A web browser meeting the previous third-party software requirements must be properly installed on any Windows server to be used to administer Cisco Secure ACS.
For full TACACS+ and RADIUS support on any Cisco IOS devices, make sure the AAA clients are running Cisco IOS Release 11.2 or later.
Make sure any non-Cisco IOS AAA clients can be configured with TACACS+ or RADIUS support, or both.
Make sure the Windows server can ping the AAA clients.
For Cisco Secure ACS to use the Grant Dial-In Permission To User feature when authorizing Windows network users, this option must be selected in the Windows NT User Manager or Windows 2000 Active Directory Users And Computers for the applicable user accounts.
Make sure all network cards in the server that will host the Cisco Secure ACS software are enabled. Disabled NICs will slow installation because of delays caused by Microsoft CryptoAPI.
Make sure any dial-in, VPN, or wireless clients can successfully connect to the applicable AAA clients.
As with any major change to a server, backing up the Windows server installation, including the Windows Registry, makes sense. When upgrading or reinstalling Cisco Secure ACS, note the following issues:
Back up the Cisco Secure ACS configuration and database, and then copy the backup file to a drive other than one that’s local to the Cisco Secure ACS server.
When upgrading Cisco Secure ACS, the backup created can’t be used after a successful upgrade. This backup only provides a recovery option for the previous Cisco Secure ACS installation.
The ACS Backup feature temporarily stops any Cisco Secure ACS services during the backup.
During new Cisco ACS installations, or any upgrades and reinstallations that don’t preserve the existing configuration, specific information about your Windows server and an AAA client on your network needs to be entered. Collect the applicable information before beginning the installation procedure. Upgrades or Cisco Secure ACS reinstallations intended to preserve the existing configuration and database don’t require this information.
To collect information required during the installation of Cisco Secure ACS, follow these steps:
For the first AAA client to be configured to use Cisco Secure ACS’s AAA services, determine which AAA protocols and vendor-specific attributes you want to implement.
TACACS+ (Cisco IOS)
RADIUS (Cisco Aironet)
RADIUS (Cisco BBSM)
RADIUS (Cisco IOS/PIX)
RADIUS (Cisco VPN 3000)
RADIUS (Cisco VPN 5000)
RADIUS (IETF)
RADIUS (Ascend)
RADIUS (Juniper)
RADIUS (Nortel)
Record the name of the AAA client.
Record the IP address of the AAA client.
Record the Windows 2000/NT server IP address.
Record the TACACS+ or RADIUS key (shared secret).