White Paper

CiscoWorks LAN Management Solution Integration with Cisco Secure Access Control Server

Introduction

CiscoWorks Common Services Software provides a robust security mechanism to manage identity and access to the CiscoWorks applications and data in a multi-user environment. Because CiscoWorks has powerful network management tools for device configuration and software image management, unintended operations carried out by unauthorized users can cause disruptions to your network and in turn have a severe impact on business-critical activities.

CiscoWorks addresses this requirement by integrating with Cisco Secure Access Control Server (ACS) to provide improved access control by means of authentication, authorization, and accounting (AAA). This document explains in detail how to set up the CiscoWorks server to integrate with Cisco Secure ACS. It also gives information on the basic configuration steps to be executed on Cisco Secure ACS.

Prerequisites

Before integrating your CiscoWorks Common Services Software with Cisco Secure ACS, you must finish installing CiscoWorks Common Services Software and Cisco Secure ACS on the appropriate servers and ensure that network connectivity exists between the two. You need administrative privileges on both Cisco Secure ACS and the CiscoWorks server to perform the procedures explained in this document.

CiscoWorks Common Services Software 3.0.5 supports the following versions of Cisco Secure Access Control Server for Windows:

• Cisco Secure ACS 3.2
• Cisco Secure ACS 3.2.3
• Cisco Secure ACS 3.3.2
• Cisco Secure ACS 3.3.3 (appliance/software)
• Cisco Secure ACS 4.0(1) (appliance/software)

It is recommended that you install the Admin HTTPS PSIRT patch if you are using Cisco Secure ACS 3.2.3. To install the patch, go to http://www.cisco.com/public/sw-center/ciscosecure/cs-acs.shtml and click the Download Cisco Secure ACS Software (Windows) link. You can find the link to the Admin HTTPS PSIRT patch in the table.

All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Page 1 of 29


System Requirements for Cisco Secure ACS

The following is the minimum hardware requirement for installing Cisco Secure ACS:

• Pentium III processor, 550 MHz or faster.
• 256 MB of RAM.
• At least 250 MB of free disk space. If you are running your database on the same computer, more disk space is required.
• Minimum graphics resolution of 256 colors at 800 x 600 lines.

Operating System Requirements

On the computer running Cisco Secure ACS, use an English-language version of Windows 2000 Server with Service Pack 3 installed. Both the operating system and the applicable service pack must be English-language versions.

Network and Port Requirements

Ensure that the gateway devices between AAA clients and Cisco Secure ACS allow communication over the required ports. These ports are needed to support the applicable AAA protocol (RADIUS or TACACS+) for Cisco Secure ACS to provide AAA services to AAA clients. Table 1 provides a list of port numbers to be allowed by the gateway devices.

Table 1. Port Numbers Allowed by the Gateway Devices

Feature/Protocol                                       UDP or TCP   Ports
RADIUS authentication and authorization                UDP          1645, 1812
RADIUS accounting                                      UDP          1646, 1813
TACACS+                                                TCP          49
Cisco Secure Database Replication                      TCP          2000
RDBMS Synchronization with synchronization partners    TCP          2000
User-Changeable Password Web application               TCP          2000
Logging                                                TCP          2001
Administrative HTTP port for new sessions              TCP          2002
Administrative HTTP port range                         TCP          Configurable; default 1024 through 65535

The Cisco Secure ACS HTML interface can be accessed from a browser on a remote machine; it uses port number 2002 for new administrative sessions. Cisco Secure ACS and CiscoWorks Common Services Software cannot coexist on the same server because of port number conflicts. To find out more about how to install, maintain, and operate Cisco Secure ACS, refer to the online user guide found at http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/index.htm.

Components Used

The following applications and tools are used in the scenario explained in this document:

• CiscoWorks Common Services—Admin Module
• Cisco Secure Access Control Server (ACS)


Background Information

CiscoWorks Common Services Software supports two modes of access control for authentication, authorization, and accounting:

• ACS Mode—Provides AAA by integrating with Cisco Secure ACS.
• Non-ACS Mode—Provides only authentication services by integrating with one of the following Pluggable Authentication Modules (PAMs): CiscoWorks Local, IBM SecureWay Directory, Kerberos Login, Local UNIX System, Local NT System, MS Active Directory, Netscape Directory, RADIUS, TACACS+.

This document provides step-by-step procedures for setting up your CiscoWorks server for ACS mode. It also provides step-by-step instructions for setting up Cisco Secure ACS to integrate with the CiscoWorks server. The details for setting up the CiscoWorks server for non-ACS mode are not covered in this document. For more information, refer to the online user guide at http://cco/en/US/products/sw/cscowork/ps3996/products_user_guide_book09186a00801e8b82.html.

Fallback Option

If the chosen authentication module fails, CiscoWorks provides a fallback option to the CiscoWorks Local mode. By default the admin user is added to the fallback option.

Debugging

Logging can be enabled or disabled by choosing the true or false option on the login mode page. The logs are written to the stdout.log file under $NMSROOT/MDC/tomcat/logs. For all the non-ACS mode modules, the user needs to enter the credentials, log out, and log in again for the changes to take effect. To understand more about how to maintain and operate CiscoWorks Common Services Software, refer to the online user guide at http://cco/en/US/products/sw/cscowork/ps3996/products_user_guide_book09186a00801e8b82.html.

Integration with Cisco Secure ACS for Authentication, Accounting, and Authorization The following are the three major tasks involved in integrating CiscoWorks Common Services Software with Cisco Secure ACS for AAA:


• Cisco Secure ACS initial setup—Adding the ACS administrator user and AAA clients in Cisco Secure ACS.
• AAA mode configuration in CiscoWorks Common Services—Specifying the Cisco Secure ACS credentials in CiscoWorks Common Services.
• User configuration in Cisco Secure ACS—Adding users and defining roles in Cisco Secure ACS.

Cisco Secure ACS Initial Setup

You need to complete the following tasks in Cisco Secure ACS before you can integrate with your CiscoWorks server:

• Add a Cisco Secure ACS user with administrator privileges
• Add your CiscoWorks server as an AAA client
• Add the network devices to be managed by your CiscoWorks server as AAA clients in Cisco Secure ACS

Adding an ACS user with administrator privileges

When you log in to Cisco Secure ACS, the screen shown in Figure 1 appears.

Figure 1.

Cisco Secure ACS Home Page

You must have an administrator account configured prior to accessing Cisco Secure ACS from any remote machine.


Administrators are the only users of the Cisco Secure ACS HTML interface. To access the Cisco Secure ACS HTML interface from a browser on a remote machine, you must log in to Cisco Secure ACS using an administrator account. If Cisco Secure ACS is so configured, access to the HTML interface from the server itself may also require an administrator account. Cisco Secure ACS administrator accounts are unique to Cisco Secure ACS. They are not related to other administrator accounts, such as Windows users with administrator privileges. In the HTML interface, an administrator can configure any of the features provided in Cisco Secure ACS; however, the ability to access various parts of the HTML interface can be limited for each administrator. Cisco Secure ACS administrator accounts have no correlation with Cisco Secure ACS user accounts or username and password authentication. Cisco Secure ACS stores accounts created for authentication of network service requests and those created for Cisco Secure ACS administrative access in separate internal databases.

To add a Cisco Secure ACS administrator account, follow these steps:

Step 1. In the navigation bar, click Administration Control.
Step 2. Click Add Administrator. The Add Administrator page appears.
Step 3. Complete the boxes in the Administrator Details table:
  a. In the Administrator Name box, type the login name (up to 32 characters) for the new Cisco Secure ACS administrator account.
  b. In the Password box, type the password (up to 32 characters) for the new Cisco Secure ACS administrator account.
  c. In the Confirm Password box, type the password a second time.
Step 4. To select all privileges, including user group editing privileges for all user groups, click Grant All. All privilege options are selected, and all user groups move to the Editable groups list.
Step 5. To grant user and user group editing privileges, follow these steps:
  a. Select the desired check boxes under User & Group Setup.
  b. To move a user group to the Editable groups list, select the group in the Available groups list, and then click --> (the right arrow button). The selected group moves to the Editable groups list.
  c. To remove a user group from the Editable groups list, select the group in the Editable groups list, and then click <-- (the left arrow button). The selected group moves to the Available groups list.
  d. To move all user groups to the Editable groups list, click >>. The user groups in the Available groups list move to the Editable groups list.
  e. To remove all user groups from the Editable groups list, click <<. The user groups in the Editable groups list move to the Available groups list.


Step 6. To grant any of the remaining privilege options, in the Administrator Privileges table, select the applicable check boxes.
Step 7. Click Submit. Cisco Secure ACS saves the new administrator account. The new account appears in the list of administrator accounts on the Administration Control page.

For more information on administrative accounts and policies, refer to http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/a.htm.

Adding your CiscoWorks server as an AAA client

To add your CiscoWorks server as an AAA client in Cisco Secure ACS, use the following steps:

Step 1. In the Cisco Secure ACS navigation bar, click Network Configuration. The Network Configuration page opens (Figure 2).
Step 2. Do one of the following:
  • If you are using network device groups (NDGs), click the name of the NDG to which the AAA client is to be assigned. Then, click Add Entry below the AAA Clients table.
  • To add an AAA client when you have not enabled NDGs, click Add Entry below the AAA Clients table.
  The Add AAA Client page appears.
Step 3. In the AAA Client Hostname box, type the name of your CiscoWorks server (up to 32 characters).
Step 4. In the AAA Client IP Address box, enter the IP address of your CiscoWorks server.
Step 5. In the Key box, type the shared secret key that your CiscoWorks server and Cisco Secure ACS use to encrypt the data (up to 32 characters). For correct operation, the identical key must be configured on the AAA client and Cisco Secure ACS. Keys are case sensitive.
Step 6. If you are using NDGs, from the Network Device Group list, select the name of the NDG to which your CiscoWorks server should belong, or select Not Assigned to set your CiscoWorks server to be an independent AAA client.
Step 7. From the Authenticate Using list, select the network security protocol used by the AAA client.
Step 8. If you want a single connection from an AAA client, rather than a new one for every TACACS+ request, select the Single Connect TACACS+ AAA Client (Record stop in accounting on failure) check box.
Step 9. If you want to log watchdog packets, select the Log Update/Watchdog Packets from this AAA Client check box.
Step 10. If you want to log RADIUS tunneling accounting packets, select the Log RADIUS tunneling Packets from this AAA Client check box.
Step 11. If you want to track session state by username rather than port number, select the Replace RADIUS Port info with Username from this AAA Client check box.


If you select this option, Cisco Secure ACS cannot determine the number of user sessions for each user. Each session uses the same session identifier, the username; therefore, the Max Sessions feature is ineffective for users accessing the network through an AAA client with this feature selected.

Step 12. If you want to save your changes and apply them immediately, click Submit + Restart. Restarting the service clears the Logged-in User report and temporarily interrupts all Cisco Secure ACS services. This affects the Max Sessions counter. If you want to save your changes and apply them later, click Submit. When you are ready to implement the changes, click System Configuration, click Service Control, and then click Restart.

For more information on AAA client configuration for Cisco Secure ACS, refer to http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/n.htm.

Figure 2.

Cisco Secure ACS Network Configuration Page
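The key entered in Step 5 above (and again as the ACS Shared Key on the CiscoWorks server under AAA Mode Configuration) is the only thing protecting the TACACS+ traffic on TCP/49; the SSL mode described later in this paper does not apply to it. The following is an added example, not code from this white paper or from Cisco: it implements the TACACS+ body obfuscation of RFC 8907 section 4.5 (a chained-MD5 pseudo-pad XORed over the packet body) to build and decode the authentication START packet a TACACS+ client such as the CiscoWorks server sends to Cisco Secure ACS. The user name, port, remote address, session ID and key values are constructed sample data, and nothing is sent on the network.

```python
"""TACACS+ body obfuscation with the ACS shared key (RFC 8907, section 4.5).

Added example for the CiscoWorks/ACS integration; it is not Cisco's code and
not from the white paper. User, port, address, session id and key values are
constructed sample data.
"""
import hashlib
import struct
from typing import Optional

TAC_PLUS_MAJOR_VER = 0xC          # version byte is major << 4 | minor
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01      # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body is sent in clear text when set

# 12-byte header: version, type, seq_no, flags, session_id, body length
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream: MD5_1 = MD5(id|key|ver|seq); MD5_n = MD5(id|key|ver|seq|MD5_{n-1})."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo-pad; applying it a second time restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, port: str, rem_addr: str,
                       session_id: int, key: Optional[bytes], seq_no: int = 1) -> bytes:
    """Authentication START packet as a TACACS+ client sends it to the server."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 0  # 0xC0
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = bytes([TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                  TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), 0]) + u + p + r
    flags = 0
    if key:
        body = obfuscate(body, session_id, key, version, seq_no)
    else:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG   # an AAA client with no key does this
    return HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body)) + body


def parse_authen_start(packet: bytes, key: Optional[bytes]) -> dict:
    """Server-side decode. A wrong key yields garbage field lengths, not a clean error."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if ptype != TAC_PLUS_AUTHEN or len(body) != length or length < 8:
        raise ValueError("not a complete authentication packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        if key is None:
            raise ValueError("obfuscated body but no shared key configured for this client")
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = body[:8]
    fields, off = {}, 8
    for name, n in (("user", ulen), ("port", plen), ("rem_addr", rlen), ("data", dlen)):
        fields[name] = body[off:off + n].decode("latin-1")
        off += n
    if off != len(body):
        raise ValueError("field lengths do not match body length (shared key mismatch?)")
    return {"session_id": session_id, "seq_no": seq_no,
            "cleartext": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG), "action": action,
            "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service, **fields}


def decodes_with_key(packet: bytes, key: Optional[bytes], expected_user: str) -> bool:
    """Does the packet decode to the expected user under this key?"""
    try:
        return parse_authen_start(packet, key)["user"] == expected_user
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    sid = 0x1A2B3C4D  # constructed session id
    pkt = build_authen_start("cwadmin", "tty0", "10.0.0.5", sid, b"acs-shared-key")
    print(pkt.hex())
    print(parse_authen_start(pkt, b"acs-shared-key"))
```

Two things the bytes make visible: with no key the TAC_PLUS_UNENCRYPTED_FLAG is set and the user name travels in clear text, and with a key the body is only obfuscated, never authenticated, so a mismatched key shows up as undecodable field lengths rather than as a verification failure. Keep the key identical on the AAA client entry and on the CiscoWorks server, treat it as a secret (it is all that hides the body), and restrict TCP/49 on the gateway devices to the CiscoWorks server addresses.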

Adding your Network devices as AAA clients in Cisco Secure ACS Apart from adding your CiscoWorks server as an AAA client, you also need to add the devices to be managed by the CiscoWorks server as AAA clients to Cisco Secure ACS. When you are integrating with Cisco Secure ACS, your devices will not be visible from your CiscoWorks server if you have not added them as AAA clients in Cisco Secure ACS.


For more information on adding network device groups and AAA client configuration, refer to the “Network Configuration” section of the Cisco Secure ACS User Guide found at http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/n.htm.

AAA Mode Configuration in CiscoWorks Common Services

The next step in integrating CiscoWorks Common Services Software with Cisco Secure ACS is to change the AAA mode of the CiscoWorks Common Services server using the following steps:

Step 1. Log in to the CiscoWorks Common Services server and launch the server security configuration page as shown in Figure 3.

Figure 3.

CiscoWorks Home Page

The Common Services Security configuration page appears.

Figure 4.

CiscoWorks Server Security Setup Page

Step 2. On the Security page, select the AAA Mode Setup link from the TOC menu on the left side of the page (Figure 4).


Figure 5.

CiscoWorks AAA Mode Setup Page

Step 3. Go to the ACS mode configuration page by selecting the ACS radio button (Figure 5). The page shown in Figure 6 appears.

Figure 6.

ACS Mode Configuration Page

Step 4. Enter the following details into the fields A, B, C, and D indicated in Figure 6:


A—Server Details

Hostname: CiscoWorks Common Services Software supports up to three backup servers. When the primary Cisco Secure ACS fails, the AAA requests are redirected to the secondary or backup servers. You can have multiple backup servers for a higher level of redundancy. It is not mandatory to have all three Cisco Secure ACS servers; you can still have a single primary server. When you have multiple Cisco Secure ACS servers for backup, ensure that the configurations on all servers are synchronized. If you enter the hostname instead of the ACS server IP address on Solaris, make sure the hostname is available in the /etc/hosts table.

ACS TACACS+ Port: Port number 49 is used by Cisco Secure ACS for TACACS+ communication.

B—Login

ACS Admin Name—Enter the administrator user name that you would use to log in to Cisco Secure ACS.
ACS Admin Password—Enter the administrator password that you would use to log in to Cisco Secure ACS.
ACS Shared Key—Enter the shared secret key that you entered in Cisco Secure ACS while adding the CiscoWorks Common Services server as an AAA client.

C—Application Registration

You can choose to register all installed applications with Cisco Secure ACS by selecting the check box under Application Registration. Before registering the applications with Cisco Secure ACS, note the following. Authorization in CiscoWorks is done based on the tasks available for every application. The task definitions and the task-to-role mapping are held in three XML files per application:

• <App name>TaskDefinition.xml
• <App name>RoleDefinition.xml
• <App name>Tasks.xml

By default five predefined roles are available. However, Cisco Secure ACS provides customized roles, wherein you can create a new role or edit the privileges of the predefined roles. If an application is reregistered from Common Services, the custom roles (if any) created for that application are lost. The application registration from the AAA Mode Setup page reregisters all the installed applications with Cisco Secure ACS, which causes the custom roles (if any) to be lost. This mass application registration can be avoided by using the command-line interface (CLI) script AcsRegCli.pl.

D—ACS Communication on HTTPS

Cisco Secure ACS supports secured communication through the Secure Sockets Layer (SSL) mode.


HTTP/HTTPS mode is used for device cache initialization, application registration, and administration purposes. Select the check box under ACS Communication on HTTPS when Cisco Secure ACS is configured to work in HTTPS mode. When you select HTTPS mode, make sure that the backup servers are also in HTTPS mode. The SSL mode is not applicable to the TACACS+ or RADIUS security protocols, which are used for authentication and authorization between AAA clients and the server. Refer to Appendix A of this document for information on selecting HTTPS mode and installing security certificates on Cisco Secure ACS.

Step 5. Apply the changes after filling in the required parameters in the AAA mode page. On applying the changes, you see the window shown in Figure 7, which displays the summary of the login module changes made.

Figure 7.

CiscoWorks Login Module Change Summary Page

In Figure 7:

• A refers to the registration status of the individual CiscoWorks applications installed on the server.
• B reminds you to ensure that the System Identity User is configured in CiscoWorks Common Services and in Cisco Secure ACS (with System Administrator privileges).
• C informs you that you must restart Daemon Manager for the changes to take effect. After you restart the daemons, all authentication and authorization requests for the CiscoWorks server are handled by Cisco Secure ACS.


To configure the System Identity User:

Step 1. Go to Common Services > Server > Security > Multi-Server Trust Management > System Identity Setup. Set up a System Identity User.
Step 2. Go to Common Services > Server > Security > Single-Server Management > Local User Setup. Ensure that the System Identity User is a local user with all the roles.
Step 3. Create a superuser role in Cisco Secure ACS that has full access rights to CiscoWorks applications.
Step 4. Add the System Identity User configured in CiscoWorks Common Services to Cisco Secure ACS and ensure that the System Identity User is part of the superuser group.
Step 5. Restart Daemon Manager for the changes to take effect. After you restart the daemons, all authentication requests for the CiscoWorks server are handled by Cisco Secure ACS.

User Configuration in Cisco Secure ACS

The final step in integrating CiscoWorks Common Services Software with Cisco Secure ACS is to configure the CiscoWorks users within Cisco Secure ACS. Cisco Secure ACS allows you to define access permissions and policies for the registered CiscoWorks applications on a per user or per user group basis. Refer to the following sections of the Cisco Secure ACS User Guide for more information on managing users and user groups:

• User Group Management—http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/g.htm
• User Management—http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/u.htm

When adding the user, you can configure access policies to define what the user is authorized to do depending on the role. Table 2 lists the predefined roles provided for CiscoWorks applications when registered with Cisco Secure ACS.

Table 2.

Predefined Roles for CiscoWorks Applications in Cisco Secure ACS

Role                     Role Name
Approver                 Approver Role
Help Desk                Help Desk Role
Network Administrator    Network Administrator Role
Network Operator         Network Operator Role
System Administrator     System Administrator Role


Figure 8 shows a subset of tasks that can be allowed or disallowed to be performed by a user based on his or her role.

Figure 8.

A Subset of Tasks That Can Be Allowed or Disallowed Based on the User’s Role

The list of tasks may vary with the CiscoWorks applications registered with Cisco Secure ACS. Once you have created the user or user group, you need to set the CiscoWorks Common Services specific policies to assign the following:

• CiscoWorks Common Services role of the user
• Device or device groups that can be managed by the user or user group

Authorization per user group

Following are the steps for editing a user group to configure the authorization policies for CiscoWorks Common Services:

Step 1. Go to the Cisco Secure ACS Group Setup page, choose a user group, and click the Edit Settings button.


Figure 9.

Cisco Secure ACS Group Setup Page

Step 2. Under the TACACS+ settings, you can view all the CiscoWorks applications registered with Cisco Secure ACS and the related attributes. For each registered CiscoWorks application, you can choose any of the following three TACACS+ settings while assigning a role to the user group for the devices or device groups to be managed:

• None—No role assigned.
• Assign a <UserRole> for any Network Device—You can assign any one of the predefined (or custom created) roles to the user group for all devices. When you choose this option, the user has the privileges to perform all the tasks defined for the selected role on all devices defined as AAA clients in Cisco Secure ACS.
• Assign a <UserRole> on a per Network Device Group basis—Choose this option when you want to assign different roles to the user group for different sets of devices or device groups. For example, you can choose this option when you want to assign the administrator role to the user group for one device group and the operator role to the same user group for another device group.


Figure 9 shows an example for a user being assigned the role of System Administrator for the device group NDG1, the role of Network Operator for the device group NDG2, and the role of Help Desk for the device group NDG1.

Authorization per user

Following are the steps for editing an individual user’s settings to configure the authorization policies for CiscoWorks Common Services:

Step 1. Before you can edit the user settings, make sure that you have selected the Per-user TACACS+/RADIUS Attributes option for the CiscoWorks applications registered with Cisco Secure ACS. Go to Interface Configuration > Advanced Options, select the check box next to Per-user TACACS+/RADIUS Attributes, and click the Submit button to save the changes as shown in Figure 10.

Figure 10.

Cisco Secure ACS Interface Configuration—Advanced Options

Step 2. After selecting the Per-user TACACS+/RADIUS Attributes check box under the Advanced Options, select the user-level TACACS+ services from Interface Configuration > TACACS+ (Cisco IOS) (Figure 11).


Figure 11.

Cisco Secure ACS Interface Configuration—TACACS+ Services

Step 3. Select the check boxes under the User column for the required applications and click the Submit button to save the changes as shown in Figure 11.
Step 4. After you select the per user interface configurations, go to the User Setup page to edit the settings for the selected user and define the access policies for CiscoWorks applications registered with Cisco Secure ACS. As you see in Figure 12, the per user setup provides the same three options as the group setup for defining the role and associating the device groups that the user can manage.


Figure 12.

Cisco Secure ACS User Setup

Step 5. After assigning the roles and device groups to the user, click the Submit button to save the changes.
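To see what these group-level and per-user settings actually decide at request time, the following added example (not from this white paper and not Cisco's code) models the task-based authorization described under Application Registration together with the three TACACS+ assignment options above: roles are sets of application tasks loaded from a RoleDefinition-style XML file, each user holds a role either for any network device or per network device group (NDG), and a device that is not registered as an AAA client is not visible at all. The XML layout, the task names, the device-to-NDG mapping and the users and groups are constructed sample data; the real <App name>RoleDefinition.xml schema is not shown in this paper. The audit function at the end is the check a practitioner wants before restarting Daemon Manager: who ends up with write access to which device, and which custom roles would be lost by a mass re-registration.

```python
"""Role-per-NDG authorization as the CiscoWorks/ACS integration evaluates it.

Added example; not Cisco's code and not from the white paper. The XML layout is
a hypothetical RoleDefinition-style file and all users, groups, devices and NDG
names are constructed sample data.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical <App name>RoleDefinition.xml: the five predefined roles named in
# the paper plus one custom role. Task names are sample values.
ROLE_XML = """<roles application="CommonServices">
  <role name="Help Desk"><task>View Device Status</task></role>
  <role name="Approver"><task>Approve Job</task></role>
  <role name="Network Operator">
    <task>View Device Status</task><task>Collect Inventory</task>
  </role>
  <role name="Network Administrator">
    <task>View Device Status</task><task>Collect Inventory</task>
    <task>Edit Device Config</task><task>Schedule Job</task>
  </role>
  <role name="System Administrator">
    <task>View Device Status</task><task>Collect Inventory</task>
    <task>Edit Device Config</task><task>Schedule Job</task><task>Manage Users</task>
  </role>
  <role name="Config Auditor" custom="true">
    <task>View Device Status</task><task>Collect Inventory</task><task>Approve Job</task>
  </role>
</roles>"""

# Tasks that reach the network or change the management server itself.
WRITE_TASKS = {"Edit Device Config", "Schedule Job", "Manage Users"}

# Devices registered as AAA clients in ACS, each with its NDG (None = Not Assigned).
AAA_CLIENTS: Dict[str, Optional[str]] = {
    "sw-core-1": "NDG1", "rtr-edge-2": "NDG1", "sw-access-7": "NDG2", "fw-lab-1": None,
}

# Group-level TACACS+ setting for the application: one of the three options.
GROUP_SETTINGS = {
    "ndg-admins": {"mode": "per_ndg", "roles": {"NDG1": "System Administrator", "NDG2": "Help Desk"}},
    "netops":     {"mode": "any", "role": "Network Operator"},
    "auditors":   {"mode": "any", "role": "Config Auditor"},
    "new-hires":  {"mode": "none"},
}
USER_GROUP = {"alice": "ndg-admins", "bob": "netops", "carol": "auditors", "dave": "new-hires"}


def load_roles(xml_text: str) -> Tuple[Dict[str, Set[str]], Set[str]]:
    """Return {role: tasks} and the names of custom roles (lost on re-registration)."""
    roles, custom = {}, set()
    for r in ET.fromstring(xml_text).findall("role"):
        roles[r.get("name")] = {t.text.strip() for t in r.findall("task")}
        if r.get("custom") == "true":
            custom.add(r.get("name"))
    return roles, custom


ROLES, CUSTOM_ROLES = load_roles(ROLE_XML)


def effective_role(user: str, device: str) -> Optional[str]:
    """Role the user holds on this device, or None (no access or device not an AAA client)."""
    if device not in AAA_CLIENTS or user not in USER_GROUP:
        return None
    setting = GROUP_SETTINGS[USER_GROUP[user]]
    if setting["mode"] == "any":
        return setting["role"]
    if setting["mode"] == "per_ndg":
        ndg = AAA_CLIENTS[device]
        return setting["roles"].get(ndg) if ndg else None  # unassigned devices get nothing
    return None


def authorize(user: str, task: str, device: str) -> bool:
    """The yes/no the application gets back for one task on one device."""
    role = effective_role(user, device)
    return role is not None and task in ROLES.get(role, set())


def write_access_report() -> List[Tuple[str, str, str]]:
    """Every (user, device, role) that can run a write task: review before going live."""
    report = []
    for user in sorted(USER_GROUP):
        for device in sorted(AAA_CLIENTS):
            role = effective_role(user, device)
            if role and ROLES.get(role, set()) & WRITE_TASKS:
                report.append((user, device, role))
    return report


if __name__ == "__main__":
    for row in write_access_report():
        print("WRITE ACCESS: %s on %s as %s" % row)
    print("custom roles to export before re-registering:", sorted(CUSTOM_ROLES))
```

Run it and the report lists only alice on the two NDG1 devices: bob's Network Operator role has no write task, carol's custom role deliberately has none, and dave's group is set to None. Note that a device with no NDG assigned yields no role at all under the per-NDG option, so the "for any Network Device" option is the only way such a device becomes manageable.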


Appendix A
Generating Certificates in Cisco Secure ACS for SSL Mode

You can use the Cisco Secure ACS Certificate Setup pages to install digital certificates to support the HTTPS protocol for secure access to the Cisco Secure ACS HTML interface. HTTP/HTTPS is used for the following operations between the CiscoWorks server and Cisco Secure ACS:

• Import/export device groups
• Import/export devices
• Audit requests
• Initialize device cache (which in turn calls import devices)
• Register/unregister applications

Perform the following procedure to install a server certificate for your Cisco Secure ACS. You can perform certificate enrollment to support the HTTPS protocol for the HTML interface to Cisco Secure ACS. There are three basic options by which you can install the server certificate; you may:

• Obtain a certificate from a certificate authority (CA)
• Use an existing certificate from local machine storage
• Generate a self-signed certificate

Installing the Certificate from Local Machine Storage

Before you install the certificate, you must have a server certificate for Cisco Secure ACS. With Cisco Secure ACS, certificate files must be Base64-encoded X.509. If you do not already have a server certificate in storage, refer to the procedure in the “Generating a Certificate Signing Request” section in the Cisco Secure ACS User Guide or use another means to obtain a certificate for installation.

If you are installing a server certificate that replaces an existing server certificate, the installation could affect the certificate trust list (CTL) and certificate revocation list (CRL) settings of Cisco Secure ACS. After you have installed a replacement certificate, determine whether you need to reconfigure any CTL or CRL settings.

To install an existing certificate for use on Cisco Secure ACS, use the following steps:

Step 1. In the navigation bar, click System Configuration.
Step 2. Click ACS Certificate Setup.
Step 3. Click Install ACS Certificate. Cisco Secure ACS displays the Install ACS Certificate page (Figure 13).
Step 4. Specify whether Cisco Secure ACS reads the certificate from a specified file or uses a certificate already in storage on the local machine. Do one of the following:
  • To specify that Cisco Secure ACS reads the certificate from a file, select the Read certificate from file option, and then type the full directory path and filename of the certificate file in the Certificate file box.


  • To specify that Cisco Secure ACS uses a particular existing certificate from local machine certificate storage, select the Use certificate from storage option, and then type the certificate CN (common name/subject name) in the Certificate CN box.
Step 5. If you generated the request using Cisco Secure ACS, in the Private key file box, type the full directory path and name of the file that contains the private key.
Step 6. In the Private key password box, type the private key password.
Step 7. Click Submit.

Figure 13.

Cisco Secure ACS System Configuration—Installing New Certificate

Generating a Self-Signed Certificate

Installing a self-signed certificate is a way for administrators to meet the server certificate requirement without having to interact with a CA to obtain and install the certificate for Cisco Secure ACS. The self-signed certificate feature in Cisco Secure ACS allows the administrator to generate a self-signed digital certificate and use it for the Protected Extensible Authentication Protocol (PEAP) or for HTTPS support in the Web administration service.

To generate a self-signed certificate, use the following steps:

Step 1. In the navigation bar, click System Configuration.
Step 2. Click ACS Certificate Setup.
Step 3. Click Generate Self-Signed Certificate. Cisco Secure ACS displays the Generate Self-Signed Certificate edit page (Figure 14).
Step 4. In the Certificate subject box, type the certificate subject in the form cn=XXXX. You can enter additional information here. For information, refer to the “Self-Signed Certificate Configuration Options” section in the Cisco Secure ACS User Guide.
Step 5. In the Certificate file box, type the full path and filename for the certificate file.
Step 6. In the Private key file box, type the full path and filename for the private key file.


Step 7. In the Private key password box, type the private key password.
Step 8. In the Retype private key password box, retype the private key password.
Step 9. In the Key length box, select the key length.
Step 10. In the Digest to sign with box, select the hash digest used to sign the certificate.
Step 11. To install the self-signed certificate when you submit the page, select the Install generated certificate option.
Step 12. Click Submit.

The specified certificate and private key files are generated and stored as specified. If you also selected the Install Generated Certificate option, the certificate becomes operational only after you restart Cisco Secure ACS services.

Figure 14.

Cisco Secure ACS System Configuration—Generate Self-Signed Certificate

For more information on Cisco Secure ACS authentication and certificates, refer to the Cisco Secure ACS User Guide at http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/sau.htm#wp326973.


Appendix B CiscoWorks User Roles and Tasks

To use CiscoWorks, you must have a valid login, which is a combination of a username and a password. When you are assigned a username and password, you are also assigned to one or more of these roles:

Help Desk (default role for all users)—Can access network status information only. Can access persisted data on the system but cannot perform any action on a device or schedule a job that will reach the network.
Approver—Can approve all tasks.
Network Operator—Can perform all Help Desk tasks. Can do tasks related to network data collection but cannot perform any task that requires write access on the network.
Network Administrator—Can perform all Network Operator tasks. Can perform tasks that result in a network configuration change.
System Administrator—Can perform all CiscoWorks system administration tasks.

These roles determine which CiscoWorks applications, tools, and product features you are allowed to access. Roles are not set up hierarchically, with each role including all the privileges of the role “below” it. Instead, these roles provide access privileges based on user needs. When integrated with Cisco Secure ACS for authentication, authorization, and accounting, CiscoWorks provides the option to add new or custom roles and also to modify the predefined role definitions and tasks.

Editing CiscoWorks Predefined Roles

To modify the CiscoWorks roles and privileges on Cisco Secure ACS:

Step 1. Select Shared Profile Components > CiscoWorks Common Services and click the role that you want to modify.
Step 2. Select or deselect any of the Common Services tasks that suit your business workflow and needs.
Step 3. Click Submit.

Refer to Figure 15 (the check boxes represent the respective tasks applicable to the application). You can select or unselect the tasks to customize the default roles.


Figure 15. Shared Profile Components—Modifying CiscoWorks Common Services for Defined User Roles

Adding a New User Role

To add a new CiscoWorks user role on Cisco Secure ACS:

Step 1. Select Shared Profile Components > and click the Add button to add a new role. The new role definition page appears as shown in Figure 16.
Step 2. Select or deselect any of the Common Services tasks that suit your business workflow and the needs of the new role.
Step 3. Click Submit.


Figure 16. Shared Profile Components—Adding a New CiscoWorks Common Services User Role

Logs and Reports

Cisco Secure ACS logs a variety of user and system activities. Depending on the log, and how you have configured Cisco Secure ACS, logs can be recorded in different formats with different attributes. You can configure logging using the logging configuration options in the System Configuration page (Figure 17). Refer to the “System Configuration” section in the Cisco Secure ACS User Guide at http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/sba.htm#wp222166 for more information.


Figure 17. System Configuration—Logging

Cisco Secure ACS provides the following three logs, which can be useful when you are debugging user activities and events related to CiscoWorks:

Passed Authentications—Contains the details of passed authentications.
Failed Attempts—Contains the information for failed authentications and authorizations.
TACACS+ Administration—Audit records.

The reports and logs can be viewed from the Cisco Secure ACS Reports and Activity page (Figure 18).


Figure 18. Reports and Activity

Application Registration from CLI

You can reregister the CiscoWorks applications with Cisco Secure ACS from the AAA Mode Setup page in CiscoWorks Common Services, but doing so causes the custom roles (if any) to be lost. This mass application registration can be avoided by using the CLI script AcsRegCli.pl. CiscoWorks Common Services Software 3.0.5 provides this CLI script so that you can register individual applications. The location of the script is $NMSROOT\bin\AcsRegCli.pl.

The following parameters are available when running the script from the CLI:

AcsRegCli.pl -register <App-name>

The following are the available <App-name> options:

cwhp—Common Services
rme—Resource Management Essentials
CM—Campus Manager
dfm—Device Fault Manager
CiscoView—CiscoView
ipm—Internetwork Performance Monitor

AcsRegCli.pl -register all

This option is similar to the application registration from the GUI, where all the installed applications are registered with Cisco Secure ACS.


Appendix C FAQ on Troubleshooting CiscoWorks Common Services Integration with Cisco Secure ACS

1.

Question: I have configured my CiscoWorks server to integrate with Cisco Secure ACS for AAA. When I log in to CiscoWorks, the authentication succeeds but all the buttons are disabled/grayed-out. How do I troubleshoot this issue?

Answer:
Step 1. Check whether you have restarted the daemons using:
Windows: net stop crmdmgtd, net start crmdmgtd
Solaris: /etc/init.d/dmgtd stop, /etc/init.d/dmgtd start
Step 2. If the preceding solution doesn’t solve the problem, check the Cisco Secure ACS user configuration to see whether a role has been assigned to the user.

2.

Question: I have provided the Cisco Secure ACS credentials in my CiscoWorks Common Services AAA mode page and restarted the daemons. When I try to log in as a user in Cisco Secure ACS I get an authentication failed message. How do I troubleshoot this issue?

Answer:
Step 1. Check whether the CiscoWorks server is up and running.
Step 2. Check the Failed Attempts log in Cisco Secure ACS. If it says “Bad request from NAS”, it means the CiscoWorks server has not been added as an AAA client to Cisco Secure ACS. Please refer to the section “Adding your CiscoWorks server as an AAA client” in this document.
Step 3. If the message is “Password Mismatch”, then check whether the Cisco Secure ACS administrator password and shared secret key entered in the CiscoWorks Common Services AAA mode page are correct.

3.
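A small triage script for the Failed Attempts log that the Logs and Reports section and this answer refer to, added here as an example and not part of the Cisco document. The CSV column layout and the sample rows are constructed assumptions; the two failure texts and the checks attached to them are the ones the answer above gives.

```python
"""Triage constructed Cisco Secure ACS Failed Attempts log lines.

Added example, not part of the Cisco white paper. The CSV column layout is
an assumption modelled loosely on the Failed Attempts report export; the
failure texts "Bad request from NAS" and "Password Mismatch" and the hints
attached to them come from the FAQ in this document.
"""
import csv
import io
from collections import Counter

# Constructed sample export (assumed column layout). 192.0.2.10 is a
# documentation address standing in for the CiscoWorks server (the NAS).
SAMPLE_LOG = """\
Date,Time,Message-Type,User-Name,Group-Name,NAS-IP-Address,Authen-Failure-Code
03/12/2007,10:01:12,Authen failed,cwadmin,CiscoWorks,192.0.2.10,Bad request from NAS
03/12/2007,10:03:45,Authen failed,cwadmin,CiscoWorks,192.0.2.10,Password Mismatch
03/12/2007,10:05:02,Authen failed,netops,CiscoWorks,192.0.2.10,Password Mismatch
03/12/2007,10:06:30,Author failed,helpdesk1,CiscoWorks,192.0.2.10,
"""

# Failure text quoted in the FAQ -> the check the FAQ tells you to make.
HINTS = {
    "Bad request from NAS": "add the CiscoWorks server as an AAA client in ACS",
    "Password Mismatch": "verify the ACS admin password and shared secret "
                         "entered in the Common Services AAA mode page",
}
DEFAULT_HINT = "no FAQ hint; review the ACS Failed Attempts report"


def parse_failed_attempts(text):
    """Parse a CSV export (header row first) into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows):
    """Count failures per (NAS address, failure text) and attach a hint.

    Rows without an authentication failure code are keyed by Message-Type.
    """
    counts = Counter()
    for row in rows:
        code = row["Authen-Failure-Code"].strip() or row["Message-Type"]
        counts[(row["NAS-IP-Address"], code)] += 1
    return [
        {"nas": nas, "failure": code, "count": n,
         "hint": HINTS.get(code, DEFAULT_HINT)}
        for (nas, code), n in counts.most_common()
    ]
```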

Question: I have integrated my CiscoWorks Common Services server with Cisco Secure ACS and have assigned appropriate roles to the user. But I am not able to see the devices added in the Device Credentials Registry (DCR) at all, and the list is always empty. What do I need to do?

Answer: To view the devices added to DCR, you need to add the devices as AAA clients to Cisco Secure ACS.

4.

Question: When I perform an application registration, I am getting the error message “Application <App-name> registration: Failure on Primary ACS Server”. What could be the problem?

Answer:
Step 1. Check whether the CiscoWorks server is up and running.
Step 2. Check whether the Cisco Secure ACS administrator password specified in the CiscoWorks Common Services AAA mode page is correct.
Step 3. Check or uncheck the Connect to ACS in HTTPS mode check box in the Common Services AAA mode page depending on the HTTP/HTTPS mode of Cisco Secure ACS.


5.

Question: I see an “initdevicecache failed” message in my log. What do I infer from this error message?

Answer: This message can be caused by the following reasons:
SSL mismatch between Cisco Secure ACS and CAM
Cisco Secure ACS administrator username/password conflict
To troubleshoot this, see the preceding question.

6.

Question: How do I unregister an application? I do not see any option available from the GUI.

Answer: There is no way of unregistering an application from the front end, but you can register or unregister applications from the back end using the ACSRegCli script located at $NMSROOT\www\classpath\com\cisco\nm\cmf\security.

You can register or unregister all applications as follows:
java ACSRegCli registerAll
java ACSRegCli unregisterAll

You can register or unregister a single application as follows:
java ACSRegCli register Appname
java ACSRegCli unregister Appname

ACSRegCLI.pl is available with CiscoWorks Common Services 3.0 SP2 and later only.

7.

Question: How do I get the CAM debugging log to work?

Answer: On Windows: Run the following command from the CLI:
$NMSRoot/MDC/bin/ccraccess -updateLog Core cam DEBUG
The logs are located at $NMSRoot/MDC/log.
On Solaris: Set LD_LIBRARY_PATH to the value found in the md.properties file. The file is available at /opt/CSCOpx/lib/classpath.

8.

Question: Are there any backend script or command-line interface options to change the login module from Cisco Secure ACS to CiscoWorks Local?

Answer: ResetLoginModule.pl, located at NMSROOT/bin, can be used to reset the login module back to the CiscoWorks Common Services Local login module from Cisco Secure ACS. Make sure you first stop the daemons on your CiscoWorks server prior to executing the script.


9.

Question: I have installed several CiscoWorks applications on the CiscoWorks server. I have configured the user in Cisco Secure ACS, and I am seeing the respective roles of the user being applied in CiscoWorks. However, all the buttons are grayed out for all the applications pages.

Answer: Similar to assigning a user role to the CiscoWorks Common Services application (using either the Group or User setup), you must explicitly assign a user role to each of the other registered applications. Please refer to the section “User Configuration in Cisco Secure ACS” in this document.

10.

Question: Where do I specify the fallback user for ACS mode?

Answer: The fallback option for ACS mode can be given in the non-ACS TACACS+ mode setup page. To add the fallback users in Cisco Secure ACS, execute the following steps:
Step 1. Select non-ACS mode.
Step 2. Select TACACS+ and click Change.
Step 3. Specify the fallback users in the Login fallback options text field.
Step 4. Click OK.
Step 5. Select ACS mode.
Step 6. Enter the required values.
Step 7. Click Apply.

11.

Question: I have specified a user under the fallback option for Cisco Secure ACS, but I am not seeing the fallback option from Cisco Secure ACS to CiscoWorks Local working for the authorization request. What could be wrong?

Answer: The fallback option in Cisco Secure ACS is only for authentication, where the requests are redirected to the CiscoWorks server; there is no fallback option for the authorization requests (authorization would now be handled by the local user account on the CiscoWorks server).

12.

Question: After I integrate CiscoWorks Common Services with Cisco Secure ACS, CTMJrmServer does not come up when I restart Daemon Manager. What could be wrong?

Answer: The System Identity User may not be properly configured in CiscoWorks Common Services.
Check whether the System Identity User configured in CiscoWorks Common Services and in Cisco Secure ACS is the same.
Check whether the System Identity User configured in the CiscoWorks server has appropriate privileges. If it does not have the appropriate privileges, the error message “Authorization failed for the job browser task” appears in the daemons.log file.
Check whether the System Identity User has the Network Administrator role, and restart Daemon Manager to fix the issue.
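A model of the role-to-task authorization described in Appendix B and behind FAQ items 1 and 9, added here as an example and not code from CiscoWorks or Cisco Secure ACS. The task identifiers, the user-to-role assignments and the custom role are assumptions; the role descriptions and the application names follow the document.

```python
"""Role-based task authorization as CiscoWorks applies it under ACS.

Added example, not code from CiscoWorks or Cisco Secure ACS. Task names
and user-to-role assignments are constructed; the model illustrates
Appendix B (roles are task sets, not a hierarchy) and FAQ items 1 and 9.
"""

# Predefined roles as task sets, following the Appendix B descriptions;
# the task identifiers themselves are constructed for this example.
ROLES = {
    "Help Desk": {"view_status", "view_persisted_data"},
    "Approver": {"approve_job"},
    "Network Operator": {"view_status", "view_persisted_data", "collect_data"},
    "Network Administrator": {"view_status", "view_persisted_data",
                              "collect_data", "change_config"},
    "System Administrator": {"system_admin"},
}
# Applications registered with ACS, named as in the AcsRegCli.pl options.
REGISTERED_APPS = ("cwhp", "rme", "CM", "dfm", "CiscoView", "ipm")


def add_custom_role(roles, name, tasks):
    """Add a custom role (as ACS allows); unknown task identifiers are rejected."""
    unknown = set(tasks) - set().union(*ROLES.values())
    if unknown:
        raise ValueError(f"unknown tasks: {sorted(unknown)}")
    roles[name] = set(tasks)


def enabled_tasks(assignments, roles, user, app):
    """Tasks granted by the user's roles for one app (empty = all grayed out).

    assignments maps (user, app) -> set of role names; ACS needs a role
    assigned per registered application, not one role for all of them.
    """
    granted = set()
    for role in assignments.get((user, app), ()):
        granted |= roles.get(role, set())
    return granted


def authorize(assignments, roles, user, app, task):
    """True if the user may run task in app; no role hierarchy is implied."""
    return task in enabled_tasks(assignments, roles, user, app)


def apps_without_role(assignments, user, apps=REGISTERED_APPS):
    """Registered applications for which the user has no role at all (FAQ 9)."""
    return [app for app in apps if not assignments.get((user, app))]
```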


THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Printed in USA


C11-393030-00 03/07

