Installing Cisco Secure ACS for Windows

Understanding Your ACS System:

You can use ACS network security software to authenticate users by controlling access to an Authentication, Authorization, and Accounting (AAA) client—any one of many network devices that you can configure to defer authentication and authorization of network users to a AAA server. ACS operates as a set of Windows-based services that controls the authentication, authorization, and accounting of user access to networks.

ACS operates on Windows 2000 Server and Windows Server 2003. ACS can run on a domain controller or a member server.

Preparing to Install (System Requirements):

Hardware

Operating System

File System

Memory

Virtual Memory

Hard Drive Space

Third Party Software Requirements:

Web browsers and Java virtual machines

Novell Directory Server (NDS) clients

Token-card clients

Network and Port Requirements:

RADIUS authentication and authorization: UDP 1645, 1812

RADIUS accounting: UDP 1646, 1813

TACACS+: TCP 49

Cisco Secure Database Replication: TCP 2000

RDBMS Synchronization with synchronization partners: TCP 2000

User-Changeable Password web application: TCP 2000

Logging: TCP 2001

Administrative HTTP port for new sessions: TCP 2002

Administrative HTTP port range: TCP 1024-65535
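A quick way to verify the port table on an installed server is to compare what the host actually listens on with the list above. The script below is an added example, written for this page rather than taken from Cisco or the ACS product: it parses `netstat -an` output as Windows prints it, reports required ACS ports that have no listener, and flags listeners the table does not account for. The sample `netstat` text is constructed; the hypothetical host in it still has TCP 139 open, which is what a NetBIOS session service left enabled looks like.

```python
import re
import subprocess
from typing import Dict, List, Set, Tuple

# Fixed listeners ACS needs, taken from the port table above.  The
# administrative HTTP range (TCP 1024-65535) is a range rather than a
# fixed port, so it is handled separately below.
ACS_FIXED_PORTS: Dict[Tuple[str, int], str] = {
    ("udp", 1645): "RADIUS authentication and authorization (legacy port)",
    ("udp", 1812): "RADIUS authentication and authorization",
    ("udp", 1646): "RADIUS accounting (legacy port)",
    ("udp", 1813): "RADIUS accounting",
    ("tcp", 49): "TACACS+",
    ("tcp", 2000): "Database replication / RDBMS synchronization / UCP",
    ("tcp", 2001): "Logging",
    ("tcp", 2002): "Administrative HTTP port for new sessions",
}
ADMIN_HTTP_RANGE = (1024, 65535)  # TCP, administrative session ports

# One line of `netstat -an` output on Windows, e.g.
#   TCP    0.0.0.0:2002           0.0.0.0:0              LISTENING
#   UDP    0.0.0.0:1812           *:*
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?")


def parse_listeners(netstat_output: str) -> Set[Tuple[str, int]]:
    """Return the (protocol, port) pairs the host is listening on."""
    listeners: Set[Tuple[str, int]] = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header, blank line, or something we do not parse
        proto, _local_addr, port, state = m.groups()
        # UDP sockets carry no state; TCP sockets count only when LISTENING
        # (an ESTABLISHED admin session on 2002 is not a listener).
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.add((proto.lower(), int(port)))
    return listeners


def audit_ports(netstat_output: str) -> Dict[str, List[Tuple[str, int]]]:
    """Compare actual listeners with the ACS port requirements.

    'missing'    - required ACS ports with no listener (service not started
                   or bound elsewhere)
    'unexpected' - listeners the ACS table does not account for; worth a
                   look on a dedicated AAA server.  TCP ports inside the
                   administrative range are tolerated because ACS uses them
                   for admin sessions.
    """
    listeners = parse_listeners(netstat_output)
    missing = sorted(p for p in ACS_FIXED_PORTS if p not in listeners)
    unexpected = sorted(
        p for p in listeners
        if p not in ACS_FIXED_PORTS
        and not (p[0] == "tcp" and ADMIN_HTTP_RANGE[0] <= p[1] <= ADMIN_HTTP_RANGE[1])
    )
    return {"missing": missing, "unexpected": unexpected}


# Constructed sample of `netstat -an` output from a hypothetical ACS host.
# TCP 139 (NetBIOS session service) is included on purpose: it is not an ACS
# port and is what remains open when NetBT has not been disabled.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:49             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2001           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2002           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:2002          10.0.0.9:3315          ESTABLISHED
  UDP    0.0.0.0:1645           *:*
  UDP    0.0.0.0:1646           *:*
  UDP    0.0.0.0:1812           *:*
  UDP    0.0.0.0:1813           *:*
"""


if __name__ == "__main__":
    # On the ACS host itself, feed in live output; anywhere else, fall back
    # to the constructed sample so the script still demonstrates the check.
    try:
        live = subprocess.run(["netstat", "-an"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        live = NETSTAT_SAMPLE
    result = audit_ports(live)
    for key in ("missing", "unexpected"):
        for proto, port in result[key]:
            label = ACS_FIXED_PORTS.get((proto, port), "not an ACS port")
            print(f"{key:10s} {proto.upper()}/{port:<5d} {label}")
```

Run it on the ACS server after the services are up; an empty `missing` list confirms the listeners the table calls for, and anything in `unexpected` is a candidate for the NetBIOS and host-firewall work described later on this page.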

Backing Up Data Before Installation:

Before you install or upgrade ACS, we strongly recommend that you back up the computer on which you install ACS by using a Windows backup utility of your choice. Include the Windows registry in the backup.

If you are upgrading or reinstalling ACS, use the ACS Backup feature to back up the ACS configuration and database, and then copy the backup file to a drive that is not local to the computer on which ACS is running.

Disabling NetBIOS:

Since Windows 2000, Domain Name Service (DNS) has been the default name-resolution method for Windows-based networking. Although Windows 2000, Windows XP, and Windows Server 2003 provide the option of disabling NetBIOS over TCP/IP, many corporate networks are reluctant to do so because they still have legacy machines on their networks. ACS 4.2 supports a Windows server with NetBIOS disabled. You must disable NetBT in Windows.

Installation and Upgrade Scenarios:

ACS for Windows supports the following upgrade scenarios:

• ACS 3.x to ACS 3.3.x—You can upgrade ACS 3.2.x or 3.3.x (ACS 3.2.1, 3.2.2, 3.2.3, 3.3.1, 3.3.2) to ACS 3.3.3 or 3.3.4 on Windows.

• ACS 3.3.3 to 3.3.4—You can upgrade ACS 3.3.3 to ACS 3.3.4 on Windows.

• ACS 3.3.x to ACS 4.1.1.23 or ACS 4.1.1.24—You can upgrade from ACS 3.3.x (ACS 3.2.1, 3.2.2, 3.2.3, 3.3.1, 3.3.2, or 3.3.4) to ACS 4.1.1.23 or ACS 4.1.1.24 on Windows.

• ACS 4.0 to ACS 4.1.1.23 or ACS 4.1.1.24—You can upgrade from ACS 4.0 to ACS 4.1.1.23 or ACS 4.1.1.24 on Windows.

• ACS 4.1.1.23 or ACS 4.1.1.24 to ACS 4.1.3 or ACS 4.1.4—You can upgrade from ACS 4.1.1.23 or 4.1.1.24 to ACS 4.1.3 or 4.1.4 on Windows.

• ACS 4.1 to ACS 4.2—You can upgrade from ACS 4.1.1.23, 4.1.1.24, 4.1.2, 4.1.3 or 4.1.4 to ACS 4.2 on Windows.
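The scenarios above are single installer runs, so an older release may need more than one of them in sequence (3.3.3, for instance, is not in the list that upgrades directly to 4.1.1.x). The following added example, written for this page and not part of Cisco's documentation, encodes the scenarios as a graph and searches it for the shortest supported chain between two releases; it returns None when the list above does not connect them.

```python
from collections import deque
from typing import Dict, List, Optional


def _build_edges() -> Dict[str, List[str]]:
    """Direct upgrade edges: each source release maps to the releases that a
    single installer run can take it to, exactly as the scenarios above list
    them (ACS for Windows)."""
    edges: Dict[str, List[str]] = {}

    def add(sources: List[str], targets: List[str]) -> None:
        for src in sources:
            bucket = edges.setdefault(src, [])
            for dst in targets:
                if dst not in bucket:
                    bucket.append(dst)
                edges.setdefault(dst, [])  # every release is a node

    # ACS 3.x to ACS 3.3.x
    add(["3.2.1", "3.2.2", "3.2.3", "3.3.1", "3.3.2"], ["3.3.3", "3.3.4"])
    # ACS 3.3.3 to 3.3.4
    add(["3.3.3"], ["3.3.4"])
    # ACS 3.3.x to ACS 4.1.1.23 or ACS 4.1.1.24 (note: 3.3.3 is not listed)
    add(["3.2.1", "3.2.2", "3.2.3", "3.3.1", "3.3.2", "3.3.4"],
        ["4.1.1.23", "4.1.1.24"])
    # ACS 4.0 to ACS 4.1.1.23 or ACS 4.1.1.24
    add(["4.0"], ["4.1.1.23", "4.1.1.24"])
    # ACS 4.1.1.23 or ACS 4.1.1.24 to ACS 4.1.3 or ACS 4.1.4
    add(["4.1.1.23", "4.1.1.24"], ["4.1.3", "4.1.4"])
    # ACS 4.1 to ACS 4.2
    add(["4.1.1.23", "4.1.1.24", "4.1.2", "4.1.3", "4.1.4"], ["4.2"])
    return edges


UPGRADE_EDGES = _build_edges()


def upgrade_path(installed: str, target: str) -> Optional[List[str]]:
    """Shortest chain of supported upgrades from `installed` to `target`, or
    None if the scenarios do not connect them.  Breadth-first search, so the
    chain uses the fewest installer runs."""
    if installed not in UPGRADE_EDGES or target not in UPGRADE_EDGES:
        return None
    parent: Dict[str, Optional[str]] = {installed: None}
    queue = deque([installed])
    while queue:
        node = queue.popleft()
        if node == target:
            path: List[str] = []
            step: Optional[str] = node
            while step is not None:
                path.append(step)
                step = parent[step]
            return path[::-1]
        for nxt in UPGRADE_EDGES[node]:
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    for src in ("3.2.1", "3.3.3", "4.0", "4.1.2"):
        print(src, "->", "4.2:", upgrade_path(src, "4.2"))
```

Take a backup (see the previous section) before each hop in the chain, since every intermediate release is a full install that rewrites the database.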

Installing Cisco Secure ACS for Windows:

Step 1. Using a local administrator account, log in to the computer on which you want to install ACS.

Step 2. Insert the ACS CD into a CD-ROM drive on the computer.

If the computer does not have the minimum system requirements, a dialog box appears. You can apply these requirements before or after installing ACS. You can continue with the installation, but you must apply the minimum requirements after the installation is complete; otherwise, ACS may not function reliably.

If the CD-ROM drive supports the Windows autorun feature, the ACS for Windows dialog box appears; otherwise, run Setup.exe, which resides in the root directory of the ACS CD.

Step 3. In the Cisco Secure ACS for Windows dialog box, click Install.

If the computer does not have a required service pack installed, a dialog box appears. You can apply Windows service packs before or after installing ACS. You can continue with the installation, but you must install the required service pack after the installation is complete; otherwise, ACS may not function reliably.

The Cisco Secure ACS v4.2 Setup dialog box displays the software license agreement.

Step 4. If you read and accept the software license agreement, click ACCEPT.

The Welcome dialog box displays information about the setup program.

Step 5. Read the information in the Welcome dialog box and click Next.

The IMPORTANT NOTICE dialog box displays information about the processes running on your computer which may affect some ACS operations.

Step 6. Read the information in the IMPORTANT NOTICE dialog box and click Next.

The Before You Begin dialog box appears.

Step 7. Once you complete the items in the Before You Begin dialog box, check the corresponding check box for each item, and then click Next. For more information about these items, see Gathering Answers for the Installation Questions.

If you did not complete all items in the Before You Begin dialog box, click Cancel, and then click Exit Setup. After completing all items in the Before You Begin dialog box, restart the installation. For more information, see Preparing to Install or Upgrade ACS.

After you click Next, the Choose Destination Location dialog box appears.

Step 8. To change the installation location, enter the new path name or click the Browse button to choose the drive and path where the setup program installs ACS.

The installation must reside on a drive that is local to the computer. If you specified a folder that does not exist, click Yes to confirm the creation of the folder.

Step 9. Click Next.

The Authentication Database Configuration dialog box appears.

Step 10. Choose an option. To authenticate users with:

• The ACS internal database only, check Check the ACS Internal database only.

• A Windows Security Access Manager (SAM) user database or AD user database in addition to the ACS internal database, check Also check the Windows User Database.

The Yes, refer to “Grant dial-in permission to user” check box is enabled when you select the Also check the Windows User Database option. This option applies to all forms of access that ACS controls, not just dial-in access. For example, a user who accesses your network through a VPN tunnel is not dialing in to a network access server; however, if you check the Yes, refer to “Grant dial-in permission to user” check box, ACS applies the Windows user dial-in permissions to determine whether to grant the user access to your network.

If you want to grant access to users who are authenticated by a Windows domain user database only when they have dial-in permission in their Windows account, check the Yes, refer to “Grant dial-in permission to user” check box.

Step 11. Click Next.

The setup program installs ACS and updates its configuration.

The Advanced Options dialog box appears.

Step 12. Choose the features that you want to enable.

These features are not enabled by default; they appear in the ACS web interface only if you enable them. To view them in the web interface:

In the navigation bar, click Interface Configuration.

Click Advanced Options.

The web interface appears.

Step 13. Click Next.

The Active Service Monitoring dialog box appears.

Step 14. Choose service monitoring features:

If you want ACS to monitor user authentication services, check Enable Login Monitoring. From the Script to execute list, choose the option that you want applied in the event of authentication service failure. The options are:

– No Remedial Action—ACS does not run a script. This option is useful if you enable event e-mail notifications.

– Reboot—ACS runs a script that reboots the computer that runs ACS.

– Restart All—ACS restarts all ACS services.

– Restart RADIUS/TACACS+—ACS restarts only the RADIUS and TACACS+ services.

If you want ACS to send an e-mail message when service monitoring detects an event, check the Enable Mail Notifications check box. The SMTP mail server and Mail account to notify fields are enabled. You must enter the following information:

– SMTP mail server—Name and domain of the mail server that sends the notification.

– Mail account to notify—The e-mail address of the intended recipient.

Step 15. Click Next.

The Cisco Secure ACS Service Initiation dialog box appears.

Step 16. Enter a password for database encryption. The password should be at least 8 characters long and should contain both letters and numbers. There are no invalid characters.

The Database Encryption Password is encrypted and stored in the ACS registry. You might have to reuse this password when critical problems arise and you have to access the database manually. Keep this password in a safe, accessible place so that technical support can gain access to the database.

Step 17. Click Next.

The setup program ends and the Cisco Secure ACS Service Initiation dialog box appears.

Step 18. For each option that you require, check the corresponding check box. The actions that are associated with the options occur after the setup program ends. The check boxes are:

• Yes, I want to start the Cisco Secure ACS Service now—Starts the Windows services that ACS comprises. If you do not check this check box, the ACS web interface is not available unless you reboot the computer or start the CSAdmin service.

• Yes, I want Setup to launch the Cisco Secure ACS Administrator from my browser following installation—Opens the ACS web interface in the default web browser for the current Windows user account.

• Yes, I want to view the Readme file—Opens README.TXT in Windows Notepad.

Step 19. Click Next.

The ACS service installation starts. The Setup Complete dialog box displays information about the ACS web interface.

Step 20. Click Finish.

The setup program exits. If, in Step 17, you chose the options to view the web interface or README.TXT file, those options become effective now.

Step 21. If you did not choose the options in Step 17:

• To start the ACS services, reboot the computer or type net start csadmin at a command prompt.

• To access the ACS web interface, use the ACS Admin desktop icon, or open this URL in a supported web browser: http://127.0.0.1:2002 or http://localhost:2002

Configuring Local Security Policies:

This procedure is required only if one of the following conditions is true. ACS runs on a:

• Member server and must authenticate users with a Windows user database.

• Domain controller and must authenticate users in trusted domains or child domains.

You should have already created a user account through which you run ACS.

Configuring ACS Services:

This procedure is required only if one of the following conditions is true. ACS runs on a:

• Member server and must authenticate users with a Windows user database.

• Domain controller and must authenticate users in trusted domains or child domains.

You should have already created a user account through which you run ACS and assigned it the permissions necessary to run ACS services.

ACS 3.x to 4.2 ODBC Logging Updates:

If you used ACS 3.x ODBC logging and upgraded to ACS 4.2 while preserving your data, you must update the ODBC tables so that the Structured Query Language (SQL) tables continue to work.

In ACS 4.0 and later, changes to the SQL database present all the ODBC fields as strings rather than numbers: field types have changed from INTEGER to VARCHAR.
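The practical consequence of the INTEGER to VARCHAR change is that report queries written against the 3.x schema keep running but return wrong answers, because the database now compares and sorts the field as text. The following added example, written for this page and not part of Cisco's ACS, reproduces that with SQLite as a stand-in for the ODBC database (a VARCHAR column gets text affinity there just as it would on a real RDBMS). The table and column names are hypothetical and the rows are constructed; the real ACS schema is not shown on this page.

```python
import sqlite3
from typing import List

# Hypothetical stand-in for an ACS ODBC log table after the 4.x change:
# the formerly INTEGER field is now declared VARCHAR.  Names are constructed.
TABLE_SQL = """
CREATE TABLE acs_log_example (
    message_id INTEGER PRIMARY KEY,
    user_name  VARCHAR(64),
    bytes_in   VARCHAR(20)   -- was INTEGER in the ACS 3.x schema
)
"""

# Constructed rows; bytes_in arrives as a string once the 4.x ODBC logger
# presents every field as a string.
SAMPLE_ROWS = [
    ("alice", "50"),
    ("bob", "900"),
    ("carol", "1000"),
    ("dave", "12000"),
]


def build_sample_db() -> sqlite3.Connection:
    """In-memory database holding the constructed post-upgrade table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(TABLE_SQL)
    conn.executemany(
        "INSERT INTO acs_log_example (user_name, bytes_in) VALUES (?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def _volume_expr(cast: bool) -> str:
    # The expression is chosen from two fixed strings, never from user input,
    # so building the statement with it is safe.
    return "CAST(bytes_in AS INTEGER)" if cast else "bytes_in"


def heavy_sessions(conn: sqlite3.Connection, threshold: int, cast: bool) -> List[str]:
    """User names whose bytes_in exceeds `threshold`.

    cast=False runs the 3.x-era query unchanged: the VARCHAR column makes the
    comparison a text comparison, '1000' sorts before '900', and the large
    sessions are silently dropped.  cast=True converts the field back to an
    integer first, which is the edit each report query needs after the
    INTEGER -> VARCHAR change.
    """
    sql = (f"SELECT user_name FROM acs_log_example "
           f"WHERE {_volume_expr(cast)} > ? ORDER BY message_id")
    return [row[0] for row in conn.execute(sql, (threshold,))]


def by_volume(conn: sqlite3.Connection, cast: bool) -> List[str]:
    """User names ordered by bytes_in, largest first; same text-vs-number trap."""
    sql = f"SELECT user_name FROM acs_log_example ORDER BY {_volume_expr(cast)} DESC"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = build_sample_db()
    print("> 900 bytes, uncast:", heavy_sessions(db, 900, cast=False))
    print("> 900 bytes, cast:  ", heavy_sessions(db, 900, cast=True))
    print("ordered, uncast:    ", by_volume(db, cast=False))
    print("ordered, cast:      ", by_volume(db, cast=True))
```

The uncast filter returns nothing and the uncast ordering puts 900 ahead of 12000, with no error raised in either case. Whether you convert the columns back or wrap them in CAST, audit every stored report query and alert that compares, sorts or aggregates one of the affected fields, since this class of failure never surfaces in the database log.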

Logging In and Out of the System:

To access ACS, open a web browser and enter the uniform resource locator (URL) for the machine:

http://<IP address>:2002

http://<hostname>:2002

If ACS is configured to use SSL to protect administrative sessions, you can also access the web interface by specifying the HTTPS protocol in the URLs:

https://<IP address>:2002

https://<hostname>:2002
