Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers
Cisco Secure ACS 3.0 for Windows 2000/NT Servers is easy to install and configure. This section presents a brief overview of the essential installation steps. The following discussion is based on a Point-to-Point Protocol (PPP) dialup user being authenticated against Cisco Secure ACS for Windows using the Windows NT or Windows 2000 user database, via the TACACS+ protocol.
The Cisco Secure ACS for Windows installation can be condensed to the following steps:
Step 1: Configure the Windows NT or Windows 2000 server to work with Cisco Secure ACS for Windows.
Step 2: Verify a basic network connection from the Windows NT or Windows 2000 server to the network access server using ping and Telnet.
Step 3: Install Cisco Secure ACS for Windows on the Windows NT or Windows 2000 server following the Windows NT or Windows 2000 installation shield.
Step 4: Configure Cisco Secure ACS for Windows via the web browser interface.
Step 5: Configure the network access server for AAA.
Step 6: Verify correct installation and operation.
Configuring the Server
The first step to follow when installing Cisco Secure ACS for Windows is to configure Windows NT or Windows 2000 for Cisco Secure ACS for Windows by performing the following steps:
Step 1: Determine whether the host server is a domain controller or a member server. This decision must be made based on the design of the Windows NT or Windows 2000 server architecture of your company.
Step 2: Configure Windows NT or Windows 2000 User Manager.
Step 3: Use Windows NT or Windows 2000 services to control ACS.
Cisco does not recommend that you install Cisco Secure ACS for Windows on PDCs or BDCs. These Windows authentication devices can become very busy and are frequent targets of network attacks. Placing Cisco Secure ACS for Windows on one of these devices exposes it to potential compromise and possible service delays.
Verifying Connections Between Windows Server and Other Network Devices
Verify that the NAS or router can ping the Windows NT or Windows 2000 server that will host Cisco Secure ACS for Windows. This verification will simplify installation and eliminate problems when configuring Cisco Secure ACS for Windows and devices that interface with it.
Cisco Secure ACS for Windows is easy to install from a CD-ROM. It installs like any other Windows application, using an InstallShield template. Before you begin the installation, ensure that you have the network access server information, such as host name, IP address, and TACACS+ key. Be sure that the version of Java that is identified in the installation manual is installed on the server before you begin the installation process.
NOTE
Beginning with Cisco Secure ACS for Windows version 3.1, Cisco no longer supports running Cisco Secure ACS for Windows on a Windows NT 4.0 server.
Installing Cisco Secure ACS for Windows on the Server
Follow the InstallShield template instructions as listed below:
Step 1: Select and configure the database.
Step 2: Configure Cisco Secure ACS for Windows for the NAS or router using the web browser.
Step 3: Configure the NAS or router for Cisco Secure ACS for Windows.
Configuring Cisco Secure ACS for Windows Using the Web Browser
After you successfully install Cisco Secure ACS for Windows, an ACS Admin icon appears on the Windows NT or 2000 desktop. You configure and manage Cisco Secure ACS for Windows through the web-based GUI. The GUI is designed using frames, so you must view it with a supported web browser.
Cisco Secure ACS for Windows supports only HTML; a web browser is the only way to configure it. Cisco Secure ACS for Windows supports the following browsers:
Microsoft Internet Explorer version 5.0 and above for Microsoft Windows
Netscape Communicator version 4.76 and above for Microsoft Windows
Continue the initial configuration of Cisco Secure ACS for Windows as follows:
Step 1: Select the icon to launch the browser with the address http://127.0.0.1:2002/. The forms http://<IP address>:2002/ and http://<host name>:2002/ also work.
Step 2: Perform required tasks to establish users and groups, and to configure network and system settings as outlined in the section of this chapter titled, "Administering and Troubleshooting Cisco Secure ACS for Windows."
Configuring Remaining Devices for AAA
You must configure the NAS, routers, and switches to work with Cisco Secure ACS for Windows. Router configuration is described in Chapter 6, "Cisco IOS Firewall Authentication Proxy."
You may also need to configure a token card server to work with Cisco Secure ACS for Windows to perform AAA.
The following are some of the possible configuration combinations in which Cisco Secure ACS for Windows is used to perform AAA. In each configuration, each of the devices must be configured to work with Cisco Secure ACS for Windows.
Dialup using the Windows NT or Windows 2000 user database with TACACS+
Dialup using the Cisco Secure ACS for Windows user database with TACACS+
Dialup using a token card server with TACACS+
Dialup using the Cisco Secure ACS for Windows user database with RADIUS (Cisco)
Dialup for an AppleTalk Remote Access Protocol (ARAP) client using the Cisco Secure ACS for Windows user database with TACACS+
Router management using the Cisco Secure ACS for Windows user database with TACACS+
PIX Firewall authentication/authorization using the Windows NT or Windows 2000 user database with TACACS+
Verify Correct Installation and Operation
Verification of correct installation begins by checking to see whether Cisco Secure ACS services are running or stopped by accessing the Service Control page. You can do that by following these steps:
Step 1: In the navigation bar, click System Configuration.
Step 2: Click Service Control to display the status of the Cisco Secure ACS for Windows services.
Next, you need to test authentication and authorization from one of your devices that has been configured to use the server. A good test is to use a Telnet connection to a router that has been configured for AAA on its VTY lines.
Step 1: Connect to the router through Telnet.
Step 2: Enter your username and password when prompted by the system.
Step 3: Verify that you are granted the level of access control you expected to receive based on the username you used.
Step 4: If there are any problems, verify the configuration on the router and double-check the Cisco Secure ACS for Windows settings that you established for the test user.
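The Telnet test above assumes a router whose VTY lines already use AAA against the ACS server. The following Cisco IOS fragment is an added example, not configuration from the original text, showing one way to set that up with TACACS+. The server address 192.0.2.10, the list name VTY-ACS, the account name localadmin, and the bracketed key and password are placeholders chosen for illustration.

```cisco
! Added example: router-side AAA for the VTY login test.
! 192.0.2.10, VTY-ACS, localadmin and the bracketed values are placeholders.
!
aaa new-model
!
! Local account used only as a fallback method (see the "local" keyword below),
! so the router stays manageable if the ACS server cannot be reached.
username localadmin privilege 15 secret <LOCAL-FALLBACK-PASSWORD>
!
! ACS server and shared key. The key must match the TACACS+ key entered
! for this NAS in Cisco Secure ACS for Windows.
tacacs-server host 192.0.2.10
tacacs-server key <TACACS-SHARED-KEY>
!
! Named method lists: try TACACS+ first, then the local database.
aaa authentication login VTY-ACS group tacacs+ local
aaa authorization exec VTY-ACS group tacacs+ local
aaa accounting exec VTY-ACS start-stop group tacacs+
!
! Apply the lists to the VTY lines only, leaving the console on its
! existing login method while the ACS setup is being tested.
line vty 0 4
 login authentication VTY-ACS
 authorization exec VTY-ACS
 accounting exec VTY-ACS
```

The local method is consulted only when the TACACS+ server does not respond; a user that ACS explicitly rejects is denied and is not retried against the local database. Keeping the method lists off the console line until Step 3 of the test succeeds avoids locking yourself out with a mistyped key or address.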