Cisco Acs 57 User Guide

							7   
Managing Users and Identity Stores
Managing External Identity Stores
ACS 5.7 stores users with passcode in a cache. User and passcode are entered into the cache after successful authentication 
with the RSA SecurID server. Upon authentication with the RSA SecurID server, ACS tries first to search for the authenticating 
user and passcode in the cache. If not found, ACS authenticates with the RSA SecurID server.
The passcode cache in ACS is available for a configurable amount of time from 1 to 300 seconds. The RSA SecurID server 
passcode entry in the cache is available for the amount of time that you configure. Within this period of time, the user can access 
the internet with the same passcode.
Creating and Editing RSA SecurID Token Servers
ACS 5.7 supports RSA SecurID Token Servers for authenticating users for the increased security that one-time passwords 
provide. RSA SecurID token servers provide two-factor authentication to ensure the authenticity of users. 
To authenticate users against an RSA identity store, you must first create an RSA SecurID Token Server in ACS and configure 
the realm, ACS instance, and advanced settings.
ACS 5.7 supports only one RSA realm. You can configure the settings for the RSA realm. A single realm can contain many ACS 
instances.
Note: You must obtain the sdconf.rec file from the RSA SecurID server administrator and store it in ACS.
To create or edit an RSA SecurID token server:
1.Choose Users and Identity Stores > External Identity Stores > RSA SecurID Token Servers.
The RSA SecurID Token Servers page appears.
2.Click Create.
You can also click the identity store name that you want to modify, or check the box next to the name and click Edit.
3.Complete the fields in the RSA Realm Settings tab as described in Table 55 on page 71.
4.Click the ACS Instance Settings tab. See Configuring ACS Instance Settings, page 72 for more information.
5.Click the Advanced tab. See Configuring Advanced Options, page 74 for more information.
6.Click Submit to create an RSA SecurID store.
Ta b l e 5 5 R S A  R e a l m  S e t t i n g s  Ta b
Option Description
General
Name Name of the RSA realm.
Description (Optional) The description of the RSA realm.
Server Connection
Server Timeout n seconds ACS waits for n seconds to connect to the RSA SecurID token server before timing out.
Reauthenticate on Change 
PINCheck this check box to reauthenticate on change PIN.
Realm Configuration File
Import new ‘sdconf.rec’ file Click Browse to select the sdconf.rec file from your machine.
Node  Secret  Status Once the user is first authenticated against RSA SecurID Token Server, the Node Secret Status 
is shown as Created. 
						

							7
Managing Users and Identity Stores
 
Managing External Identity Stores
The RSA SecurID Token Server page appears with the configured servers.
Related Topics:
RSA SecurID Server, page 69
Configuring ACS Instance Settings, page 72
Configuring Advanced Options, page 74
Configuring ACS Instance Settings
The ACS Instance Settings tab appears with the current list of ACS instances that are active in the system. You cannot add or 
delete these entries. However, you can edit the available RSA Realm settings for each of these ACS instances.
Table 56 on page 72 describes the fields in the ACS Instance Settings tab.
You can edit the settings of the ACS instances that are listed on this page. To do this:
1.Check the check box next to the ACS instance that you want to edit and click Edit.
The ACS instance settings dialog box appears. This dialog box contains the following tabs:
RSA Options File—See Editing ACS Instance Settings, page 72 for more information.
Reset Agents Files—See Editing ACS Instance Settings, page 72 for more information.
2.Click OK.
Related Topics
RSA SecurID Server, page 69
Creating and Editing RSA SecurID Token Servers, page 71
Editing ACS Instance Settings, page 72
Editing ACS Instance Settings, page 72
Configuring Advanced Options, page 74
Editing ACS Instance Settings
You can edit the ACS instance settings to:
Enable the RSA Options File, page 73
Reset Agent Files, page 73
Table 56 ACS Instance Settings Tab
Option Description
ACS Instance Name of the ACS instance.
Options File Name of the options file.
Node Secret Status Status of Node Secret. This can be one of the following:
Created
Not created 
						

							7   
Managing Users and Identity Stores
Managing External Identity Stores
Enable the RSA Options File
You can enable the RSA options file (sdopts.rec) on each ACS instance to control routing priorities for connections between the 
RSA agent and the RSA servers in the realm.
Table 57 on page 73 describes the fields in the RSA Options File tab.
Do one of the following:
Click OK to save the configuration.
Click the Reset Agent Files tab to reset the secret key information or the status of active and inactive servers in the realm.
Related Topics
RSA SecurID Server, page 69
Creating and Editing RSA SecurID Token Servers, page 71
Configuring ACS Instance Settings, page 72
Editing ACS Instance Settings, page 72
Configuring Advanced Options, page 74
Reset Agent Files
Use this page to reset the following:
Node Secret key file, to ensure that communication with the RSA servers is encrypted.
Status of the servers in the realm.
1.Choose either of the following options:
To reset node secret on the agent host, check the Remove secure id file on submit check box.
If you reset the node secret on the agent host, you must reset the agent host’s node secret in the RSA server.
To reset the status of servers in the realm, check the Remove sdstatus.12 file on submit check box.
Ta b l e 5 7 R S A  O p t i o n s  F i l e  Ta b
Option Description
The RSA options file (sdopts.rec) may be enabled on each ACS instance to control the routing priorities for connections 
between the RSA agent and the RSA servers in the realm. For detailed description of the format of the sdopts.rec, please 
refer to the RSA Documentation.
Use the Automatic Load Balancing status maintained by 
the RSA AgentChoose this option to use the automatic load balancing status 
that the RSA agent maintains.
Override the Automatic Load Balancing status with the 
sdopts.rec file selected belowChoose this option to use the automatic load balancing status 
that is specified in the sdopts.rec file.
Current File Lists the sdopts.rec file that is chosen currently.
Time stamp Time when sdopts.rec file was last modified.
File Size Size of the sdopts.rec file.
Import new ‘sdopts.rec’ file Click Browse to import the new sdopts.rec file from your hard 
drive.
Note: Changes will not take effect until the page which launched this popup is submitted. 
						

							7
Managing Users and Identity Stores
 
Managing External Identity Stores
2.Click OK.
Related Topics
RSA SecurID Server, page 69
Creating and Editing RSA SecurID Token Servers, page 71
Configuring ACS Instance Settings, page 72
Editing ACS Instance Settings, page 72
Configuring Advanced Options, page 74
Configuring Advanced Options
Use this page to do the following:
Define what an access reject from an RSA SecurID token server means to you.
Enable identity caching—Caching users in RSA is similar to caching users in RADIUS token with the logic and the purpose 
of the caching being the same. The only difference is that in RSA there is no attribute retrieval for users and therefore no 
caching of attributes. The user who is authenticated is cached, but without any attributes.
Enable passcode caching—This option stores the passcodes after the first successful authentication with an RSA secure ID 
token server and uses the cached user credentials for the subsequent authentications if they happens within the configured 
time period. 
To configure advanced options for the RSA realm:
1.Do one of the following:
Click the Treat Rejects as Authentication failed radio button—ACS interprets this as an authentication reject from an RSA 
SecurdID store and consider this as an authentication failure.
Click the Treat Rejects as User not found radio button—ACS interprets this as an authentication reject from an RSA SecurID 
store and consider this as “user not found.”
2.Check the Enable identity caching check box.
Enable identity caching to allow ACS to process requests that are not authenticated through the RSA server.
The results obtained from the last successful authentication are available in the cache for the specified time period.
3.Enter the aging time in minutes.
The identity cache stores the results of a successful login only for the time period specified here. The default value is 120 
minutes. The valid range is from 1 to 1440 minutes.
4.Check the Enable passcode caching check box.
Enable passcode caching to allow ACS to cache the passcodes and allow users to access the network with the same 
passcode for the specified time period.
5.Enter the aging time in seconds.
The passcode cache stores the results of a successful login only for the time period specified here. The default value is 30 
seconds. The valid range is from 1 to 300 seconds. 
6.Click Submit. 
						

							7   
Managing Users and Identity Stores
Managing External Identity Stores
Related Topics
RSA SecurID Server, page 69
Creating and Editing RSA SecurID Token Servers, page 71
Configuring ACS Instance Settings, page 72
Editing ACS Instance Settings, page 72
Configuring Advanced Options, page 74
RADIUS Identity Stores
RADIUS server is a third-party server that supports the RADIUS interface. RADIUS identity store, which is part of ACS, connects 
to the RADIUS server.
RADIUS servers are servers that come with a standard RADIUS interface built into them and other servers that support the 
RADUIS interface. ACS 5.7 supports any RADIUS RFC 2865-compliant server as an external identity store. ACS 5.7 supports 
multiple RADIUS token server identities.
For example, the RSA SecurID server and SafeWord server. RADIUS identity stores can work with any RADIUS Token server that 
is used to authenticate the user. RADIUS identity stores use the UDP port for authentication sessions. The same UDP port is 
used for all RADIUS communication.
Note: For ACS to successfully send RADIUS messages to a RADIUS-enabled server, you must ensure that the gateway devices 
between the RADIUS-enabled server and ACS allow communication over the UDP port. You can configure the UDP port through 
the ACS web interface.
This section contains the following topics:
Supported Authentication Protocols, page 75
Failover, page 76
Password Prompt, page 76
User Group Mapping, page 76
Groups and Attributes Mapping, page 76
RADIUS Identity Store in Identity Sequence, page 76
Authentication Failure Messages, page 77
Username Special Format with Safeword Server, page 77
User Attribute Cache, page 77
Creating, Duplicating, and Editing RADIUS Identity Servers, page 78
Supported Authentication Protocols
ACS supports the following authentication protocols for RADIUS identity stores:
RADIUS PAP
TACACS+ ASCII/PAP
PEAP with inner EAP-GTC 
						

							7
Managing Users and Identity Stores
 
Managing External Identity Stores
EAP-FAST with inner EAP-GTC
Failover
ACS 5.7 allows you to configure multiple RADIUS identity stores. Each RADIUS identity store can have primary and secondary 
RADIUS servers. When ACS is unable to connect to the primary server, it uses the secondary server.
Password Prompt
RADIUS identity stores allow you to configure the password prompt. You can configure the password prompt through the ACS 
web interface.
User Group Mapping
To provide the per-user group mapping feature available in ACS 4.x, ACS 5.7 uses the attribute retrieval and authorization 
mechanism for users that are authenticated with a RADIUS identity store.
For this, you must configure the RADIUS identity store to return authentication responses that contain the [009\
] 
cisco-av-pair attribute with the following value: 
ACS:CiscoSecure-Group-Id=N, where N can be any ACS group number from 0 through 499 that ACS assigns to the user. 
Then, this attribute is available in the policy configuration pages of the ACS web interface while creating authorization and group 
mapping rules.
Groups and Attributes Mapping
You can use the RADIUS attributes retrieved during authentication against the RADIUS identity store in ACS policy conditions 
for authorization and group mapping. You can select the attributes that you want to use in policy conditions while configuring 
the RADIUS identity store. These attributes are kept in the RADIUS identity store dedicated dictionary and can be used to define 
policy conditions.
Note: You cannot query the RADIUS server for the requested attributes. You can only configure the RADIUS identity store to 
return the requested attributes. These attributes are available in the Access-Accept response as part of the attributes list.
You can use the attribute subscription feature of ACS 5.7 to receive RADIUS identity store attributes can on the ACS response 
to the device. The following RADIUS attributes are returned:
Attributes that are listed in the RADIUS RFS
Vendor-specific attributes
The following attribute types are supported:
String
Unsigned Integer
IP Address
Enumeration
If an attribute with multiple values is returned, the value is ignored, and if a default value has been configured, that value is 
returned. However, this attribute is reported in the customer log as a problematic attribute.
RADIUS Identity Store in Identity Sequence
You can add the RADIUS identity store for authentication sequence in an identity sequence. However, you cannot add the 
RADIUS identity store for attribute retrieval sequence because you cannot query the RADIUS identity store without 
authentication. ACS cannot distinguish between different error cases while authenticating with a RADIUS server.  
						

							7   
Managing Users and Identity Stores
Managing External Identity Stores
RADIUS servers return an Access-Reject message for all error cases. For example, when a user is not found in the RADIUS 
server, instead of returning a User Unknown status, the RADIUS server returns an Access-Reject message. 
You can, however, enable the Treat Rejects as Authentication Failure or User Not Found option available in the RADIUS identity 
store pages of the ACS web interface.
Authentication Failure Messages
When a user is not found in the RADIUS server, the RADIUS server returns an Access-Reject message. ACS provides you the 
option to configure this message through the ACS web interface as either Authentication Failed or Unknown User. 
However, this option returns an Unknown User message not only for cases where the user is not known, but for all failure cases.
Table 58 on page 77 lists the different failure cases that are possible with RADIUS identity servers.
Username Special Format with Safeword Server
Safeword token server supports authentication with the following username format:
Username—Username, OTP
ACS parses the username and converts this to:
Username—Username
Safeword token servers support both the formats. ACS works with various token servers. While configuring a Safeword server, 
you must check the Safeword Server check box for ACS to parse the username and convert it to the specified format. 
This conversion is done in the RADIUS token server identity store before the request is sent to the RADIUS token server.
User Attribute Cache
RADIUS token servers, by default, do not support user lookups. However, the user lookup functionality is essential for the 
following ACS features:
Table 58 Error Handling
Cause of Authentication Failure Failure Cases
Authentication FailedUser is unknown.
User attempts to login with wrong passcode.
User logon hours expired.
Process FailedRADIUS server is configured incorrectly in 
ACS.
RADIUS server is unavailable.
RADIUS packet is detected as malformed.
Problem during sending or receiving a packet 
from the RADIUS server.
Ti m e o u t .
Unknown User Authentication failed and the 'Fail on Reject' 
option is set to false. 
						

							7
Managing Users and Identity Stores
 
Managing External Identity Stores
PEAP session resume—Happens after successful authentication during EAP session establishment
EAP/FAST fast reconnect—Happens after successful authentication during EAP session establishment
T+ Authorization—Happens after successful T+ Authentication
ACS caches the results of successful authentications to process user lookup requests for these features. For every successful 
authentication, the name of the authenticated user and the retrieved attributes are cached. Failed authentications are not written 
to the cache.
The cache is available in the memory at runtime and is not replicated between ACS nodes in a distributed deployment. You can 
configure the time to live (TTL) limit for the cache through the ACS web interface. You must enable the identity caching option 
and set the aging time in minutes. The cache is available in the memory for the specified amount of time.
Passcode Caching
Passcode caching enables the user to perform more than one authentication with an RADIUS identity server using the same 
passcode.
ACS 5.7 stores users with passcode in a cache. User and passcode are entered into the cache after successful authentication 
with the RADIUS Identity Server. Upon authentication with the RADIUS identity server, ACS tries first to search for the 
authenticating user and passcode in the cache. If not found, ACS authenticates with the RADIUS identity server.
The passcode cache in ACS is available for a configurable amount of time from 1 to 300 seconds. The RADIUS identity server 
passcode entry in the cache is available for the amount of time that you configure. Within this period of time, the user can access 
the internet with the same passcode.
Creating, Duplicating, and Editing RADIUS Identity Servers
ACS 5.7 supports the RADIUS identity server as an external identity store for the increased security that one-time passwords 
provide. RADIUS identity servers provide two-factor authentication to ensure the authenticity of the users. 
To authenticate users against a RADIUS identity store, you must first create the RADIUS identity server in ACS and configure 
the settings for the RADIUS identity store. ACS 5.7 supports the following authentication protocols:
RADIUS PAP
TACACS+ ASCII\PAP
PEAP with inner EAP-GTC
EAP-FAST with inner EAP-GTC
For a successful authentication with a RADIUS identity server, ensure that:
The gateway devices between the RADIUS identity server and ACS allow communication over the UDP port.
The shared secret that you configure for the RADIUS identity server on the ACS web interface is identical to the shared 
secret configured on the RADIUS identity server.
To create, duplicate, or edit a RADIUS Identity Server:
1.Choose Users and Identity Stores > External Identity Stores > RADIUS Identity Servers.
The RADIUS Identity Servers page appears with a list of RADIUS external identity servers.
2.Click Create. You can also:
Check the check box next to the identity store you want to duplicate, then click Duplicate.
Click the identity store name that you want to modify, or check the box next to the name and click Edit. 
						

							7   
Managing Users and Identity Stores
Managing External Identity Stores
3.Complete the fields in the General tab. See Configuring General Settings, page 79 for a description of the fields in the 
General tab.
4.Yo u  c a n :
Click Submit to save the RADIUS Identity Server.
Click the Shell Prompts tab. See Configuring Shell Prompts, page 81 for a description of the fields in the Shell Prompts tab.
Click the Directory Attributes tab. See Configuring Directory Attributes, page 82 for a description of the fields in the 
Directory Attributes tab.
Click the Advanced tab. See Configuring Advanced Options, page 83 for a description of the fields in the Advanced tab.
5.Click Submit to save the changes.
Related Topics
RADIUS Identity Stores, page 75
Creating, Duplicating, and Editing RADIUS Identity Servers, page 78
Configuring General Settings
Table 59 on page 80 describes the fields in the General tab of the RADIUS Identity Servers page. 
						

							8
Managing Users and Identity Stores
 
Managing External Identity Stores
Table 59 RADIUS Identity Server - General Tab
Option Description
Name Name of the external RADIUS identity server.
Description (Optional) A brief description of the RADIUS identity server.
SafeWord Server Check this check box to enable a two-factor authentication using a 
SafeWord server.
Server Connection
Enable Secondary Server Check this check box to use a secondary RADIUS identity server as a 
backup server in case the primary RADIUS identity server fails. 
If you enable the secondary server, you must configure the parameters for 
the secondary RADIUS identity server and must choose one of the 
following options:
Always Access Primary Server First—Select this option to ensure that 
ACS always accesses the primary RADIUS identity server first before 
the secondary server is accessed.
Failback To Primary Server After n Minutes—Select this option to set 
the number of minutes ACS can use the secondary server for 
authentication. 
After this time expires, ACS should again attempt to authenticate 
using the primary server. The default value is 5 minutes.
Primary Server
Server IP Address IP address of the primary RADIUS identity server.
Shared Secret Shared secret between ACS and the primary RADIUS identity server.
A shared secret is an expected string of text, which a user must provide 
before the network device authenticates a username and password. The 
connection is rejected until the user supplies the shared secret.
Authentication  Port Port number on which the RADIUS primary server listens. Valid options are 
from 1 to 65,535. The default value is 1812.
Server Timeout n Seconds Number of seconds, n, that ACS waits for a response from the primary 
RADIUS identity server before it determines that the connection to the 
primary server has failed. Valid options are from 1 to 300. The default 
value is 5.
Connection Attempts Specifies the number of times that ACS should attempt to reconnect 
before contacting the secondary RADIUS identity server or dropping the 
connection if no secondary server is configured. Valid options are from 1 
to 10. The default value is 3.
Secondary Server
Server IP Address IP address of the secondary RADIUS identity server.
Shared Secret Shared secret between ACS and the secondary RADIUS identity server. 
The shared secret must be identical to the shared secret that is configured 
on the RADIUS identity server.
A shared secret is an expected string of text, which a user must provide 
before the network device authenticates a username and password. The 
connection is rejected until the user supplies the shared secret.