Chapter 6. Getting Familiar with CSACS

Windows Server." If you are using a Cisco Secure Solution Engine, you might have some slight differences. All in all, the HTML interface of the Cisco Secure Solution Engine and the software version of ACS for Windows Server should be close to identical.



Navigating the HTML Interface

If this is your first time using ACS, it is important to take the time to learn how to navigate the interface.

Note that the main web page of ACS is divided into frames. You access different menu items on the left-hand side of the page, perform configuration in the middle, and have access to some help on the right-hand side.

Because you use the menu a great deal in your configurations, the next sections look at each menu item and what types of configuration can be performed at each level.



User Setup

When you select the User Setup menu item, your middle frame changes to the "select" screen. Here, you can do a few things. You can add a new user, search for an existing user, find users alphabetically or numerically, or simply list all users at one time. User Setup is seen in Figure 6-1.



Figure 6-1. User Setup






To begin your configuration, add a username. To do so, follow these steps:

Step 1. Enter a username; for our example, use aaauser and select the Add/Edit button.

Step 2. Now, you can edit user attributes. Moving from top to bottom, you can disable a user account, enter supplementary information, and configure the user's passwords. Figure 6-2 displays the option for authenticating against a Windows NT/2000 database or the Cisco Secure Database.



Figure 6-2. Authentication Location Options




Step 3. Enter the password cisco for this user. Optionally, you could select the option to use the Windows database. The default is to check the Cisco Secure database. Here, you can also distinguish which group the user is a member of. By not specifying a group, the user is placed in the default group (group 0). You can have the same attributes to configure in the group setup as you have in the individual user setup; however, user configurations override those of the group of which they are a member.

Within User Setup, you can also configure callback settings, IP address assignment, and account disable properties. Some of the more advanced user attributes and configurations are discussed in Chapter 7, "Configuring User Accounts."

Step 4. Click Submit to create your first AAA user in ACS.

Because you have not selected a group, this user is placed in the default (group 0) group.



NOTE

By selecting the List All Users button after creating your user, you should see a single user entry on the right-hand side of the ACS interface. This ensures that the entry has been successfully created.



Group Setup

To begin your configuration, recap what you have configured thus far. You have a user called aaauser who has a password of cisco and is placed in the default group. This user is authenticated to the Cisco Secure database only. To examine the group that this user is in, follow these steps:

Step 1. Select the Group Setup menu item. You are given three options there. Figure 6-3 shows these options.



Figure 6-3. Group Setup




The options are Users in Group, Edit Settings, and Rename Group. Users in Group lists all of the users that are assigned to the group that is visible in the drop-down menu. A total of 500 groups numbered 0 through 499 exist.

Step 2. To view the group settings that your first AAA user is a member of (by default), simply select the 0: Default Group and then select Edit Settings. This selection changes the main window, and you are now in the Group Configuration section. This is seen in Figure 6-4.



Figure 6-4. Configuring the Default Group




You can note a few highlights while you are here. First of all, take a look at jump to at the top of the screen. This feature is a real time saver. Try it out a few times by jumping to the IP address assignment section and then back to access restrictions. Notice that in the group configuration you have the ability to configure time-of-day access restrictions. This is not available at the user level. You can also configure Callback, IP Assignment, and TACACS+ settings. Under TACACS+ Settings you can configure shell command authorizations, apply privilege levels, set auto-commands, and so on. These types of configurations are discussed in Chapter 8, "Configuring User Groups," and Chapter 10, "Configuring Shared Profile Components."



NOTE

Some of the fields might not be visible in either the Group Setup or User Setup. As you become more familiar with ACS, you will be able to enable or disable certain fields at either the group level or the user level. This capability is explained in detail in Chapter 7 and Chapter 8, so do not worry if some of the items discussed in this chapter are not visible in your ACS device.



When you make group changes, you are required to submit and restart the ACS services. Your changes do not take place until you have done so. If you are making multiple changes to a group, it is best to submit without restart after each change until you have completed all changes, and then restart the ACS services.
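The precedence rules from the User Setup and Group Setup sections (user settings override the group's, unassigned users land in group 0, groups run 0 through 499, time-of-day restrictions exist only at group level) can be modelled to audit which users diverge from their group's policy. This is an added example, not ACS code; the record layout, the attribute values and the user `fielduser` are assumptions made for illustration.

```python
GROUP_IDS = range(500)        # chapter: 500 groups, numbered 0 through 499
DEFAULT_GROUP = 0             # chapter: users with no group land in group 0
GROUP_ONLY = {"time_of_day"}  # chapter: time-of-day restrictions are group-level only


def effective_settings(user, groups):
    """Return (group_id, merged settings, overrides) for one user record."""
    gid = user.get("group", DEFAULT_GROUP)
    if gid not in GROUP_IDS:
        raise ValueError(f"{user['name']}: group {gid} is outside 0-499")
    group = groups.get(gid, {})
    merged, overrides = dict(group), {}
    for attr, value in user.get("settings", {}).items():
        if attr in GROUP_ONLY:
            raise ValueError(f"{user['name']}: {attr} is not a user-level setting")
        if attr in group and group[attr] != value:
            overrides[attr] = (group[attr], value)  # (group value, user value)
        merged[attr] = value  # the user-level value wins over the group's
    return gid, merged, overrides


def audit_overrides(users, groups):
    """Map username -> overrides for users that diverge from their group."""
    report = {}
    for user in users:
        _, _, overrides = effective_settings(user, groups)
        if overrides:
            report[user["name"]] = overrides
    return report


# Constructed sample data (hypothetical values, not an ACS export).
GROUPS = {
    0: {"callback": "disabled", "ip_assignment": "aaa-client-pool",
        "time_of_day": "Mon-Fri 08:00-18:00"},
    7: {"callback": "disabled", "ip_assignment": "aaa-client-pool"},
}
USERS = [
    {"name": "aaauser"},  # the chapter's user: no group chosen, no overrides
    {"name": "fielduser", "group": 7,
     "settings": {"callback": "user-specified number"}},
]

if __name__ == "__main__":
    for u in USERS:
        print(u["name"], effective_settings(u, GROUPS))
    print("diverging users:", audit_overrides(USERS, GROUPS))
```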



Shared Profile Components

Shared Profile Components allows you to specify Shell Command Authorization Sets and PIX Shell Command Authorization Sets. By creating these command authorization sets, you can control the commands a user can execute on a device by applying the command authorization set to the user profile in the TACACS+ settings, or at the group level. Figure 6-5 displays the Shared Profile Components configuration menu.

By default, you can select Shell Command Authorization Sets and PIX Shell Command Authorization Sets. Optionally, you can configure Downloadable ACLs or Management Center Authorization Sets. For these options to be visible, you must select them in the Interface Configuration page.



Figure 6-5. Shared Profile Components






Another benefit to the Shared Profile Components configuration page is the ability to configure Shared Network Access Restrictions.

By selecting one of these links, for example, Shell Command Authorization Sets, you are taken to the configuration page for this shared profile component. This configuration is discussed in Chapter 10. You can see what this configuration page looks like in Figure 6-6. As you can tell, at this point, none are defined.



Figure 6-6. Shell Command Authorization Sets






Network Configuration

The Network Configuration section is where you add, delete, or modify settings for AAA clients. At least one entry in this section should be placed there during install of ACS. You can see this in Figure 6-7. The AAA client is the device you added during the install. The AAA server is the Windows server, or rather the ACS server itself, that is entered here during the server installation.



Figure 6-7. Network Configuration






By selecting that entry, note that you can control the IP address of the device, key, and authentication method. You can also see a total of four check boxes in Figure 6-8. They are as follows:

Single Connect TACACS+ AAA Client (Record stop in accounting on failure): Single Connect TACACS+ AAA Client allows a single TCP connection between this AAA client and ACS. The normal operation is to establish a separate TCP connection for each request. For example, if you are using TACACS+, and you have a user that connects to the AAA client, when authentication occurs, a TCP connection is established. When another user connects, another session is established and so on. This eliminates those multiple TCP sessions. However, this is not recommended unless the connection between the TACACS+ AAA client and ACS is extremely reliable. If you decide to use this option, and the connection between the ACS and


