Installation and User Guide for Cisco Secure ACS
No other permissions are necessary. For information about creating virtual directories, see Microsoft documentation for the version of IIS you are using. We recommend that you use securecgi-bin. Step 5 If the web server runs IIS 6. If its executable files cannot run, UCP fails and users cannot change passwords. Step 3 Make sure the Distributed Systems Settings check box is selected. Step 4 Click Submit.
Step 5 Click Network Configuration. We recommend using the web server hostname; however, you can include additional useful information, such as "UCP" to readily identify the UCP web server. Use dotted decimal format. Note We recommend enabling SSL. Step 1 Obtain a certificate from a certificate authority. Step 2 After you have received your certificate from the certificate authority, install the certificate on your web server.
For information about installing a certificate, see Microsoft documentation for the version of IIS that you are using. Links that use http in the URL do not work on a secure directory. Step 1 At the web server that you want to install UCP on, log in as the local administrator. The setup program exits.
TXT file, those options occur now. For procedures, see Windows Authentication Configuration. Use this procedure to reinstall or upgrade Cisco Secure ACS if you want to preserve all existing configuration and database information. Close all applications or command windows that are accessing any directory contained in the Cisco Secure ACS directory. The installation cannot succeed if another process is using the CiscoSecure ACS directory or any of its subdirectories. If you want Cisco Secure ACS to authenticate users with a Windows domain user database, you must perform additional Windows configuration.
Note If the computer does not have a required service pack installed, a dialog box may appear. Step 7 Select the Yes, import the existing configuration check box. Step 9 If you want to change the installation location, follow these steps:. You can either type the new location in the Path box or you can use the Drives and Directories lists to select a new drive and directory.
Note The installation location must be on a drive local to the computer. Step 11 For each option you want, select the corresponding check box. The actions associated with each option occur after the setup program finishes. Step 13 Click Finish. If you did not and you want to make the HTML interface available, you can either reboot the computer or type net start csadmin at a DOS prompt. Note If you previously configured Cisco Secure ACS services to run using a specific username, that configuration was lost during the reinstallation.
Use this procedure to reinstall or upgrade Cisco Secure ACS if you do not intend to preserve the existing configuration and database information. To reinstall or upgrade Cisco Secure ACS without preserving the existing configuration or CiscoSecure user database, follow these steps:. Step 7 Clear the Yes, import the existing configuration check box. Note Be sure that the Yes, import the existing configuration check box is cleared, not checked; otherwise, the existing configuration and CiscoSecure user database are preserved.
Step 10 If you want to change the installation location, follow these steps:. If you want to allow access to users who are authenticated by a Windows domain user database only when they have dial-in permission in their Windows account, select the Yes, refer to "Grant dialin permission to user" setting check box. Step 17 For each feature you want to enable, select the corresponding check box.
The setup program uses the server's default printer to print the configuration. To telnet to the network device you specified in Step 15, click Telnet Now.
Step 24 For each option you want, select the corresponding check box. Step 26 Click Finish. If Cisco Secure ACS is to use Windows databases to authenticate users, additional configuration is required for reliable user authentication and group mapping.
Requirements vary depending upon whether you have installed Cisco Secure ACS on a domain controller or member server. When Cisco Secure ACS runs on a domain controller and you need to authenticate users with a Windows user database, the additional configuration required varies, depending upon your Windows networking configuration.
Some of the steps below are always applicable when Cisco Secure ACS runs on a domain controller; other steps are required only in certain conditions, as noted at the beginning of the step. Perform only those steps that always apply and that apply to your Windows networking configuration.
To satisfy Windows requirements for authentication requests, Cisco Secure ACS must specify the Windows workstation that the user is attempting to log into.
Because Cisco Secure ACS cannot determine this information from authentication requests sent by AAA clients, it uses a generic workstation name for all requests. In the local domain and in each trusted domain and child domain that Cisco Secure ACS will use to authenticate users, ensure both of the following:.
Step 2 Verify Server Service Status. The services list alphabetically. Note This step is required only if Cisco Secure ACS authenticates users who belong to trusted domains or child domains. For more information, see Microsoft. Step 4 Create User Account.
Tip If you have upgraded or reinstalled Cisco Secure ACS and you completed this step for the previous installation, it is required only if you want to use a different user account to run Cisco Secure ACS services.
In the domain of the domain controller running Cisco Secure ACS, you must have a domain user account that can be used to run Cisco Secure ACS services as explained in later steps of this procedure.
Do both of the following:. Create a domain user account. The user account does not require any particular group membership in the domain. If you enable audit policies, Event Viewer entries with this username will make it easier to diagnose permissions problems related to failed Cisco Secure ACS authentication attempts.
To the user account you create, grant "Read all properties" permission for all Active Directory folders containing users that Cisco Secure ACS must be able to authenticate. Granting permissions for Active Directory folders is done by accessing Active Directory using the Microsoft Management Console and configuring the security properties for the folders containing users who are to be authenticated by Cisco Secure ACS.
Tip You can access the security properties of an Active Directory folder containing users by right-clicking the folder, selecting Properties, and clicking the Security tab. Click Add to include the username. For more information, see Windows Server Active Directory.
Step 5 Configure Local Security Policies. For the user account created in the preceding step, add the user to the following local security policies:. For more information, see Configuring Local Security Policies.
Step 6 Configure Services. Configure all Cisco Secure ACS services to run as the user you added to the security policies in the preceding step. If you configure such features using hostnames rather than IP addresses and DNS does not operate correctly, those features may fail, as would authentication requests sent to Active Directory.
Note Only perform this step if, after performing the preceding steps, Windows authentication and group mapping for users who belong to trusted domains or child domains are unreliable. When Cisco Secure ACS runs on a member server and you need to authenticate users with a Windows user database, the additional configuration required varies, depending upon your Windows networking configuration.
Most of the steps below are always applicable when Cisco Secure ACS runs on a member server; other steps are required only in certain conditions, as noted at the beginning of the step. Step 1 Verify Domain Membership. One common configuration error that prevents Windows authentication is the erroneous assignment of the member server to a workgroup with the same name as the Windows domain that you want to use to authenticate users.
While this may seem obvious, we recommend that you verify that the computer running Cisco Secure ACS is a member server of the correct domain. Tip To determine domain membership of a computer, on the Windows desktop, right-click My Computer, select Properties, select the Network Identification tab, and read the information provided on that tab. Step 7 To change the installation location, enter the new path name or click the Browse button to select the drive and path where the setup program installs ACS.
The installation location must be on a drive that is local to the computer. If you specified a folder that does not exist, click Yes to confirm the creation of the folder. If you do so, installation may appear to continue properly but will fail before it ends. Step 8 Click Next. Step 9 Choose an option for authenticating users:
The Yes, refer to "Grant dial-in permission to user" setting check box becomes available. This option applies to all forms of access that ACS controls, not just dial-in access. For example, a user accessing your network through a VPN tunnel is not dialing in to a network access server; however, if you check Yes, refer to "Grant dial-in permission to user" setting, ACS applies the Windows user dial-in permissions to determine whether to grant the user access to your network.
If you want to allow access by users who are authenticated by a Windows domain user database only when they have dial-in permission in their Windows account, check Yes, refer to "Grant dial-in permission to user" setting. Note After you have installed ACS, you can configure authentication support for all external user database types in addition to Windows user databases.
Step 10 Click Next. Step 11 Choose the features that you want to enable. Note After installation, you can enable or disable advanced features on the Advanced Options page in the Interface Configuration section. Step 12 Click Next. Step 13 Choose service monitoring features:.
From the Script to execute list, select the option that you want applied in the event of authentication service failure:. This option is useful if you enable event e-mail notifications.
Note After installation, you can configure active service monitoring features on the Active Service Management page in the System Configuration section. Step 14 Click Next. Step 15 Enter a password for database encryption. The password should be at least 8 characters long and should contain characters and numbers. There are no invalid characters. You might have to reuse this password when critical problems arise and the database needs to be accessed manually.
Step 16 Click Next. Step 17 For each option that you require, check the corresponding check box. The actions that are associated with the options occur after the setup program ends: TXT in Windows Notepad. Step 18 Click Next. If you so chose, the ACS services start. Step 19 Click Finish. The setup program exits. TXT file, those options occur now. Step 20 If you did not choose the options in Step 17: Note During installation a setup log text file, acssetup.
This log records each stage of the installation process that is completed, and can be used for troubleshooting. If you want ACS to authenticate users with a Windows domain user database, after you install ACS you must perform additional Windows configuration, which is discussed in Windows Authentication Configuration, page You can reinstall ACS over the same version that is already installed.
This procedure is also known as overinstalling ACS. Step 17 If the settings appear correctly, at the Password is set successfully.
Result: The console displays a numbered list of time zones. Result: The console displays the new time zone. Step 20 At the Please note this is different from the administrator account, prompt, do one of the following: Tip You can subsequently use the ntpsync command only if you choose to use an NTP server.
Result: The console displays a confirmation message reflecting your choice. Step 21 At the it is used to encrypt the Database. Step 22 At the Password is set successfully. For details, see Establishing a Serial Console Connection. Result: When the system boots, an Enter new GUI administrator name: prompt appears on the console. Step 2 At the Enter new password: prompt, enter the new administrator name, and press Enter.
Step 3 At the Enter new password again: prompt, enter the password you created during initial configuration, and press Enter. Step 5 Verify that the information on the screen is correct. After initial installation or re-imaging, unless you specified a GUI administrator account during the initial configuration using the setup script, only one administrator account exists: the CLI administrator account. This account allows access only through a serial console log in and CLI commands.
If you specified a GUI administrator account when prompted for one by the setup script, a GUI administrator account exists. However, before the designated GUI administrator user can use this account, you must unlock it by entering the unlock guiadmin command.
Step 1 Log in as the CLI administrator. Step 2 If a GUI administrator account was specified during initial configuration using the setup script, enter the unlock guiadmin command to unlock the GUI administrator account:. Step 3 If no GUI administrator account has been set up or you want to add additional GUI administrator accounts, at the command prompt, enter:.
Step 5 At the No change to the configuration. Step 6 At the Enter new password again: prompt, enter the new password again, and press Enter. Note The new GUI administrator account is not usable until you unlock it by entering the unlock guiadmin command. Step 2 Run the autorun. For example, enter download Step 5 At the system prompt, enter upgrade , and press Enter. Step 7 After the upgrade is completed, the appliance reboots automatically.
You must restart the CSAgent after the appliance reboots. At the system prompt, enter IP Address [xx. Step 6 At the Subnet Mask [xx. Step 7 After the upgrade is complete, the appliance reboots automatically. At the system prompt, enter start csagent , and press Enter. After you have successfully performed the procedures in this guide, ACS SE is installed and initially configured.
This entry identifies the Solution Engine machine. Table Quick Reference Task. Warning To prevent bodily injury when mounting or servicing this unit in a rack, you must take special precautions to ensure that the system remains stable.
Cisco Secure ACS: [version number]. Appliance Management Software: [version number]. Appliance Base Image: [version number]. CSA build [version number]: Patch: [version number]. Status: Appliance is functioning properly. The ACS Appliance has not been configured. Initialize Appliance.