ACS for VPN3000 configuration example


This document describes how to set up an AAA service for the VPN3000 using the Cisco Secure ACS server:

Overview: Cisco Secure ACS is an AAA server. AAA stands for:

Authentication: When the NAS (Network Access Server) receives a user authentication request, it sends the information over UDP 1645 to the RADIUS server, and the server checks its user database to determine whether the user is authorized. If so, the result is returned to the NAS for validation. (Reference: RFC 2058)

Accounting: If required, when the user's connection ends the NAS can send information such as connection duration and traffic volume to the RADIUS server, where it is recorded as a billing reference. (Reference: RFC 2059)

Authorization: The RADIUS server can also restrict which services a user may access.

The AAA server and the NAS can also communicate using the TACACS+ protocol (TCP 49). Cisco Secure ACS (Access Control Server) supports both RADIUS and TACACS+; the Cisco VPN3030 supports only RADIUS. It is important to note that RADIUS is not fully standardized: each manufacturer has its own vendor-specific implementation, so the protocol has to be customized for each type of NAS. ACS ships with RADIUS customized for a variety of devices, such as RADIUS (IOS Devices), RADIUS (VPN3000) and RADIUS (Microsoft).

By introducing an AAA server, you can:

1. Remove the user limit: for example, the VPN3030 can only define 500 users locally, whereas with ACS many more users can be supported.

2. Bill for usage: the connection time, traffic volume and other information that ACS records can be used as billing data.

3. Enhance security: the services a user may access can be restricted, and the logs of user access can be used for security audits.

4. Simplify management: users are defined once for a whole set of devices, instead of being set up and maintained separately on each device.

I. ACS Installation:

System requirements: Pentium II 300 or faster CPU, 256 MB memory, Windows Server (English version) with no service pack installed.

Note 1: ACS v2.5 has problems running on a Windows 2000 system with a service pack installed; v3.0 is required to resolve this.

Note 2: The user self-service password change (web) interface module can be installed, but it requires IIS. Running IIS on a Windows system without a service pack has serious security issues, so this installation does not install that module or IIS.

Use the Install program on the ACS CD to complete the installation interactively. The main options are:

1. Whether to keep the existing database: answer "No" for a new installation and "Yes" for an upgrade.

2. Import configuration: answer "Yes" if you want to import a saved configuration.

3. Use only the ACS user database, or also the Windows system user database: this installation selects the ACS user database only; choose as appropriate.

4. "Authenticate Users Using" (authentication protocol): select "RADIUS (Cisco VPN 3000)".

5. "Access server name": enter "VPN3030".

6. "Access server IP Address": enter "10.1.1.18".

7. "Windows NT server IP Address" (the IP address of the ACS server): set automatically to "10.1.1.51" (the address of the local machine).

8. "TACACS+ or RADIUS Key" (the shared key): enter "Cisco".

9. Select the attributes to display: select all.

10. "Remedial action on log-in failure": Script to Exec: *restart all

After installation, ACS is administered through the web interface at http://127.0.0.1:2002 (or the real IP address); note that no login is required when administering from the ACS machine itself.

II. ACS Configuration:

Log in to the ACS web admin interface: http://10.1.1.51:2002.

Check the network configuration: select Network Configuration and click "VPN3030" to check or correct the access server definition entered during installation (see the previous section for the parameters).

Check the interface configuration: select Interface Configuration and click "RADIUS (Cisco VPN 3000)". If you need to set the VPN3000 vendor-specific attributes of a user group through ACS, check the group attribute [26] Vendor-Specific; it can then be set in the group properties. To set VPN3000 vendor-specific attributes for an individual user, you also need to select Per-user TACACS+/RADIUS Attributes under Interface Configuration / Advanced Options. In general it is more convenient, and recommended, to manage these attributes through the group property pages on the VPN3030 itself. Some attributes, such as assigning a specific IP address to a user, are not VPN3000 vendor-specific attributes and therefore do not require the Vendor-Specific attribute to be enabled.
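The RADIUS exchange described in the overview (NAS to ACS over UDP 1645 with the shared key, RFC 2058) and the attribute [26] Vendor-Specific container discussed above, as an added, self-contained example that is not part of the original page or of any Cisco software: it builds an Access-Request with the hidden User-Password, builds an Access-Accept carrying a standard Framed-IP-Address or a VSA, and shows the Response Authenticator check that lets the NAS reject a reply made without the shared key. The Cisco VPN 3000 vendor id (3076) and the vendor type number used are assumptions; the shared key and addresses are the ones from the installation section.

```python
import hashlib, hmac, os, socket, struct

SECRET = b"Cisco"          # shared RADIUS key entered in ACS install step 8
NAS_IP = "10.1.1.18"       # VPN3030 address entered in ACS install step 6
ACCESS_REQUEST, ACCESS_ACCEPT, VENDOR_SPECIFIC = 1, 2, 26
VPN3000_VENDOR_ID = 3076   # assumed Altiga/Cisco VPN 3000 vendor id; confirm against the ACS dictionary

def attr(atype, value):
    """RADIUS TLV: Type, Length (covers the 2-byte header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value
def vsa(vendor_id, vtype, value):
    """Attribute 26: 4-byte vendor id, then a vendor-private type/length/value."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + attr(vtype, value))

def hide_password(password, secret, req_auth):
    """RFC 2058 5.2: 16-byte blocks XORed with MD5(secret + previous block); the first block is keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out
def reveal_password(hidden, secret, req_auth):
    """Server side of the same chain; trailing NUL padding is stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, user, password, secret=SECRET, req_auth=None):
    """NAS -> ACS on UDP 1645: User-Name(1), hidden User-Password(2), NAS-IP-Address(4)."""
    req_auth = req_auth or os.urandom(16)
    attrs = attr(1, user) + attr(2, hide_password(password, secret, req_auth)) + attr(4, socket.inet_aton(NAS_IP))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2058 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()

def build_access_accept(ident, req_auth, attrs, secret=SECRET):
    """ACS -> NAS: user/group attributes, e.g. Framed-IP-Address(8) or a VSA, behind the Response Authenticator."""
    hdr = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return hdr + response_authenticator(ACCESS_ACCEPT, ident, attrs, req_auth, secret) + attrs

def verify_response(packet, req_auth, secret):
    """NAS-side check: a reply built without the shared key, or for a different request, fails here."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        return False
    return hmac.compare_digest(response_authenticator(code, ident, packet[20:], req_auth, secret), packet[4:20])
```

Because the password hiding is only an MD5-keyed XOR with the shared key, the strength of the key entered in step 8 is what protects credentials on the wire; a short dictionary word like the one used in this walkthrough should be replaced in production.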
