
White Paper

CiscoWorks LAN Management Solution Integration with Cisco Secure Access Control Server

Introduction
CiscoWorks Common Services Software provides a robust security mechanism to manage identity
and access to the CiscoWorks applications and data in a multi-user environment.

Because CiscoWorks provides powerful network management tools for device configuration and
software image management, unintended operations carried out by unauthorized users can disrupt
your network and in turn have a severe impact on business-critical activities.

CiscoWorks addresses this requirement by integrating with Cisco Secure Access Control Server
(ACS) to provide improved access control by means of authentication, authorization, and
accounting (AAA).

This document explains in detail how to set up the CiscoWorks server to integrate with Cisco
Secure ACS. It also describes the basic configuration steps to be executed on Cisco Secure ACS.

Prerequisites
Before integrating your CiscoWorks Common Services Software with Cisco Secure ACS, you must
complete installing CiscoWorks Common Services Software and Cisco Secure ACS on the
appropriate servers and ensure that network connectivity exists between the two.

You need to have administrative privileges for Cisco Secure ACS and the CiscoWorks server to be
able to perform the procedures explained in this document.

CiscoWorks Common Services Software 3.0.5 supports the following versions of Cisco Secure
Access Control Server for Windows:

Cisco Secure ACS 3.2
Cisco Secure ACS 3.2.3
Cisco Secure ACS 3.3.2
Cisco Secure ACS 3.3.3 (appliance/software)
Cisco Secure ACS 4.0(1) (appliance/software)

It is recommended that you install the Admin HTTPS PSIRT patch if you are using Cisco Secure
ACS 3.2.3.

To install the patch:

Go to http://www.cisco.com/public/sw-center/ciscosecure/cs-acs.shtml.
Click the Download Cisco Secure ACS Software (Windows) link. You can find the link to the
Admin HTTPS PSIRT patch in the table.

All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 29

System Requirements for Cisco Secure ACS

The following is the minimum hardware requirement for installing Cisco Secure ACS:

Pentium III processor, 550 MHz or faster.
256 MB of RAM.
At least 250 MB of free disk space. If you are running your database on the same
computer, more disk space is required.
Minimum graphics resolution of 256 colors at 800 x 600 lines.

Operating System Requirements

On the computer running Cisco Secure ACS, use an English-language version of Windows 2000
Server with Service Pack 3 installed. Both the operating system and the applicable service pack
must be English-language versions.

Network and Port Requirements

Ensure that the gateway devices between AAA clients and Cisco Secure ACS allow
communication over the required ports. These ports are needed to support the applicable AAA
protocol (RADIUS or TACACS+) for Cisco Secure ACS to provide AAA services to AAA clients.
Table 1 provides a list of port numbers to be allowed by the gateway devices.

Table 1. Port Numbers Allowed by the Gateway Devices

Feature/Protocol                                        UDP or TCP   Ports
RADIUS authentication and authorization                 UDP          1645, 1812
RADIUS accounting                                       UDP          1646, 1813
TACACS+                                                 TCP          49
Cisco Secure Database Replication                       TCP          2000
RDBMS Synchronization with synchronization partners     TCP          2000
User-Changeable Password Web application                TCP          2000
Logging                                                 TCP          2001
Administrative HTTP port for new sessions               TCP          2002
Administrative HTTP port range                          TCP          Configurable; default 1024 through 65535

Cisco Secure ACS can be accessed from a browser on remote machines; it uses port number 2002
for this communication.

Cisco Secure ACS and CiscoWorks Common Services Software cannot coexist on the same server
because of port number conflicts.

To find out more about how to install, maintain, and operate Cisco Secure ACS, refer to the online
user guide found at
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/index.htm.

Components Used
The following applications and tools are used in the scenario explained in this document:

CiscoWorks Common Services—Admin Module
Cisco Secure Access Control Server (ACS)


Background Information
CiscoWorks Common Services Software supports two modes of access control for authentication,
authorization, and accounting:

ACS Mode—Provides AAA by integrating with Cisco Secure ACS.

Non-ACS Mode—Provides only authentication services by integrating with the following
Pluggable Authentication Modules (PAMs):
    CiscoWorks Local
    IBM Secure Way Directory
    Kerberos Login
    Local UNIX System
    Local NT System
    MS Active Directory
    Netscape Directory
    Radius
    TACACS+

This document provides step-by-step procedures for setting up your CiscoWorks server for ACS
mode. It also provides step-by-step instructions for setting up Cisco Secure ACS to integrate with
the CiscoWorks server.

The details for setting up the CiscoWorks server for non-ACS mode are not covered in this
document. For more information, refer to the online user guide at
http://cco/en/US/products/sw/cscowork/ps3996/products_user_guide_book09186a00801e8b82.html.

Fallback Option
In case of failure of the chosen authentication, CiscoWorks provides a fallback option to the
CiscoWorks Local mode. By default the admin user is added to the fallback option.

Debugging
Logging can be enabled or disabled by choosing the true or false option on the login mode page.

The logs are written into the stdout.log file under the location $NMSROOT/MDC/tomcat/logs.

For all the non-ACS mode modules, the user needs to enter the credentials, log out, and log in
again for the changes to take effect.

To understand more about how to maintain and operate CiscoWorks Common Services Software,
refer to the online user guide at
http://cco/en/US/products/sw/cscowork/ps3996/products_user_guide_book09186a00801e8b82.html.

Integration with Cisco Secure ACS for Authentication, Accounting, and Authorization

The following are the three major tasks involved in integrating CiscoWorks Common Services
Software with Cisco Secure ACS for AAA:


Cisco Secure ACS initial setup—Adding the ACS administrator user and AAA clients in
Cisco Secure ACS.

AAA mode configuration in CiscoWorks Common Services—Specifying the Cisco Secure
ACS credentials in CiscoWorks Common Services.

User configuration in Cisco Secure ACS—Adding users and defining roles in Cisco Secure
ACS.

Cisco Secure ACS Initial Setup

You need to complete the following tasks in Cisco Secure ACS before you can integrate with your
CiscoWorks server:

Add a Cisco Secure ACS user with administrator privileges
Add your CiscoWorks server as an AAA client
Add the network devices to be managed by your CiscoWorks server as AAA clients in
Cisco Secure ACS

Adding an ACS user with administrator privileges

When you log in to Cisco Secure ACS, the screen shown in Figure 1 appears.

Figure 1. Cisco Secure ACS Home Page

You must have an administrator account configured prior to accessing Cisco Secure ACS
from any remote machine.


Administrators are the only users of the Cisco Secure ACS HTML interface. To access the
Cisco Secure ACS HTML interface from a browser on a remote machine, you must log in to
Cisco Secure ACS using an administrator account.
If Cisco Secure ACS is so configured, access to the application from the server itself may
also require a browser.

Cisco Secure ACS administrator accounts are unique to Cisco Secure ACS. They are not
related to other administrator accounts, such as Windows users with administrator privileges.

In the HTML interface, an administrator can configure any of the features provided in Cisco
Secure ACS; however, the ability to access various parts of the HTML interface can be
limited by the administrative user.

Cisco Secure ACS administrator accounts have no correlation with Cisco Secure ACS user
accounts or username and password authentication. Cisco Secure ACS stores accounts
created for authentication of network service requests and those created for Cisco Secure
ACS administrative access in separate internal databases.

To add a Cisco Secure ACS administrator account, follow these steps:

Step 1. In the navigation bar, click Administration Control.

Step 2. Click Add Administrator.

The Add Administrator page appears.

Step 3. Complete the boxes in the Administrator Details table:

a. In the Administrator Name box, type the login name (up to 32 characters) for the new
Cisco Secure ACS administrator account.
b. In the Password box, type the password (up to 32 characters) for the new Cisco Secure
ACS administrator account.
c. In the Confirm Password box, type the password a second time.
Step 4. To select all privileges, including user group editing privileges for all user groups, click
Grant All.

All privilege options are selected. All user groups move to the Editable groups list.

Step 5. To grant user and user group editing privileges, follow these steps:

a. Select the desired check boxes under User & Group Setup.
b. To move a user group to the Editable groups list, select the group in the Available groups
list, and then click --> (the right arrow button).
The selected group moves to the Editable groups list.

c. To remove a user group from the Editable groups list, select the group in the Editable
groups list, and then click <-- (the left arrow button).
The selected group moves to the Available groups list.

d. To move all user groups to the Editable groups list, click >>.
The user groups in the Available groups list move to the Editable groups list.

e. To remove all user groups from the Editable groups list, click <<.
The user groups in the Editable groups list move to the Available groups list.


Step 6. To grant any of the remaining privilege options, in the Administrator Privileges table,
select the applicable check boxes.

Step 7. Click Submit.

Cisco Secure ACS saves the new administrator account. The new account appears in the list of
administrator accounts on the Administration Control page.

For more information on administrative accounts and policies, refer to
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/a.htm.

Adding your CiscoWorks server as an AAA client

To add your CiscoWorks server as an AAA client in Cisco Secure ACS, use the following steps:

Step 1. In the Cisco Secure ACS navigation bar, click Network Configuration.

The Network Configuration page opens (Figure 2).

Step 2. Do one of the following:

If you are using network device groups (NDGs), click the name of the NDG to which the
AAA client is to be assigned. Then, click Add Entry below the AAA Clients table.
To add an AAA client when you have not enabled NDGs, click Add Entry below the AAA
Clients table.

The Add AAA Client page appears.

Step 3. In the AAA Client Hostname box, type the name of your CiscoWorks server (up to 32
characters).

Step 4. In the AAA Client IP Address box, enter the IP address of your CiscoWorks server.

Step 5. In the Key box, type the shared secret key that your CiscoWorks server and Cisco Secure
ACS use to encrypt the data (up to 32 characters).

For correct operation, the identical key must be configured on the AAA client and Cisco
Secure ACS. Keys are case sensitive.

Step 6. If you are using NDGs, from the Network Device Group list, select the name of the NDG
to which your CiscoWorks server should belong, or select Not Assigned to set your
CiscoWorks server to be an independent AAA client.

Step 7. From the Authenticate Using list, select the network security protocol used by the AAA
client.

Step 8. If you want a single connection from an AAA client, rather than a new one for every
TACACS+ request, select the Single Connect TACACS+ AAA Client (Record stop in
accounting on failure) check box.

Step 9. If you want to log watchdog packets, select the Log Update/Watchdog Packets from
this AAA Client check box.

Step 10. If you want to log RADIUS tunneling accounting packets, select the Log
RADIUS tunneling Packets from this AAA Client check box.

Step 11. If you want to track session state by username rather than port number, select
the Replace RADIUS Port info with Username from this AAA check box.


If you select this option, Cisco Secure ACS cannot determine the number of user
sessions for each user. Each session uses the same session identifier, the username; therefore,
the Max Sessions feature is ineffective for users accessing the network through an AAA client with
this feature selected.

Step 12. If you want to save your changes and apply them immediately, click Submit +
Restart.

Restarting the service clears the Logged-in User report and temporarily interrupts all
Cisco Secure ACS services. This affects the Max Sessions counter.

If you want to save your changes and apply them later, click Submit. When you are ready to
implement the changes, click System Configuration, click Service Control, and then click
Restart.

For more information on AAA client configuration for Cisco Secure ACS, refer to
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/n.htm.

Figure 2. Cisco Secure ACS Network Configuration Page

Adding your Network devices as AAA clients in Cisco Secure ACS

Apart from adding your CiscoWorks server as an AAA client, you also need to add the devices to
be managed by the CiscoWorks server as AAA clients to Cisco Secure ACS.

When you are integrating with Cisco Secure ACS, your devices will not be visible from your
CiscoWorks server if you have not added them as AAA clients in Cisco Secure ACS.


For more information on adding network device groups and AAA client configuration, refer to the
“Network Configuration” section of the Cisco Secure ACS User Guide found at
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/n.htm.

AAA Mode Configuration in CiscoWorks Common Services

The next step in integrating CiscoWorks Common Services Software with Cisco Secure ACS is to
change the AAA mode of the CiscoWorks Common Services server using the following steps:

Step 1. Log in to the CiscoWorks Common Services server and launch the CiscoWorks Common
Services server security configuration page as shown in Figure 3.

Figure 3. CiscoWorks Home Page

The Common Services Security configuration page appears.

Figure 4. CiscoWorks Server Security Setup Page

Step 2. On the Security page, select the AAA Mode Setup link from the TOC menu on the left
side of the page (Figure 4).


Figure 5. CiscoWorks AAA Mode Setup Page

Step 3. Go to the ACS mode configuration page by selecting the ACS radio button (Figure 5). The
page shown in Figure 6 appears.

Figure 6. ACS Mode Configuration Page

Step 4. Enter the following details into the fields A, B, C, and D indicated in Figure 6:


A—Server Details

Hostname—CiscoWorks Common Services Software supports up to three backup servers. When the
primary Cisco Secure ACS fails, the AAA requests are redirected to the secondary or backup
servers. You can have multiple backup servers for a higher level of redundancy. It is not
mandatory to have all three Cisco Secure ACS servers; you can still have a single primary server.
When you have multiple Cisco Secure ACS servers for backup, ensure that the configurations on
all servers are synchronized.

If you enter the hostname instead of the ACS server IP address on Solaris, make sure the
hostname is available in the /etc/hosts table.

ACS TACACS+ Port—Port number 49 is used by Cisco Secure ACS for TACACS+ communication.
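The primary/backup server sequence described above and the Fallback Option described earlier, modelled together as an added example (not CiscoWorks code): servers are tried in order, and CiscoWorks Local is consulted only when every configured server is unreachable and the user is on the fallback list (admin by default). The server behaviour is injected so the logic runs offline; treating a reject from a reachable ACS as final rather than as a trigger for the local fallback is an assumption of this model.

```python
from dataclasses import dataclass, field
from typing import List, Set

MAX_BACKUP_SERVERS = 3  # CiscoWorks Common Services supports up to three backups


class AcsUnreachable(Exception):
    """Raised by the ACS probe when a server does not answer at all."""


@dataclass
class AaaConfig:
    primary: str
    backups: List[str] = field(default_factory=list)
    # Users allowed to use the CiscoWorks Local fallback; the paper says
    # the admin user is on the fallback list by default.
    fallback_users: Set[str] = field(default_factory=lambda: {"admin"})

    def __post_init__(self):
        if len(self.backups) > MAX_BACKUP_SERVERS:
            raise ValueError("at most %d backup servers" % MAX_BACKUP_SERVERS)

    def servers(self) -> List[str]:
        return [self.primary] + list(self.backups)


def authenticate(cfg, user, password, acs_auth, local_auth, log=print):
    """Return (granted, source).

    source is the ACS server that answered, "local" for the fallback, or
    None when access is denied.
      acs_auth(server, user, password) -> bool, or raises AcsUnreachable
      local_auth(user, password)       -> bool (CiscoWorks Local database)
    """
    for server in cfg.servers():
        try:
            accepted = acs_auth(server, user, password)
        except AcsUnreachable:
            log("ACS %s unreachable, trying the next server" % server)
            continue
        # Assumption: a reachable ACS is authoritative, so a reject is
        # final and does not trigger the local fallback.
        return (accepted, server if accepted else None)
    # Every configured ACS failed: only fallback users may use Local mode.
    if user in cfg.fallback_users and local_auth(user, password):
        log("all ACS servers down; %s admitted via CiscoWorks Local" % user)
        return (True, "local")
    return (False, None)


if __name__ == "__main__":
    # Constructed behaviour: the primary is down, the first backup answers.
    def demo_acs(server, user, password):
        if server == "acs-primary":
            raise AcsUnreachable(server)
        return (user, password) == ("netops", "s3cret")

    cfg = AaaConfig("acs-primary", ["acs-backup1", "acs-backup2"])
    print(authenticate(cfg, "netops", "s3cret", demo_acs, lambda u, p: False))
```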

B—Login
ACS Admin Name—Enter the administrator user name that you would use to log in to Cisco
Secure ACS.
ACS Admin Password—Enter the administrator password that you would use to log in to
Cisco Secure ACS.
ACS Shared Key—Enter the shared secret key that you entered in Cisco Secure ACS while
adding the CiscoWorks Common Services server as an AAA client.

C—Application Registration
You can choose to register all installed applications with Cisco Secure ACS by selecting the check
box under Application Registration. But you need to know the following before registering the
applications with Cisco Secure ACS:

Authorization in CiscoWorks is done based on the tasks available for every application.
The task definitions and task-to-role mappings are available in three XML files:
    <App name>TaskDefinition.xml
    <App name>RoleDefinition.xml
    <App name>Tasks.xml
By default, five predefined roles are available.
However, Cisco Secure ACS provides the feature of customized roles, wherein you can
create a new role or edit the privileges of the predefined roles.
If an application is reregistered from Common Services, the custom roles (if any) created
for that application are lost.
The application registration from the AAA Mode Setup reregisters all the installed
applications with Cisco Secure ACS, which causes the custom roles (if any) to be lost.
This mass application registration can be avoided by using the command-line interface
(CLI) script AcsRegCli.pl.

D—ACS Communication on HTTPS

Cisco Secure ACS supports secured communication through the Secure Sockets Layer
(SSL) mode.


HTTP/HTTPS mode is used for device cache initialization, application registration, and
administration purposes.
Select the check box option under ACS Communication on HTTPS when Cisco Secure
ACS is configured to work in HTTPS mode.
When you select HTTPS mode, make sure that the backup servers are also in HTTPS
mode.

The SSL mode is not applicable to the TACACS+ or RADIUS security protocols, which
are used for authentication and authorization between AAA clients and the server.

Refer to Appendix A of this document for information on selecting HTTPS mode and installing
security certificates on Cisco Secure ACS.

Step 5. Apply the changes after filling in the required parameters in the AAA mode page. On
applying the changes, you see the window shown in Figure 7, which displays the
summary of the login module changes done.

Figure 7. CiscoWorks Login Module Change Summary Page

In Figure 7, A refers to the registration status of the individual CiscoWorks applications
installed on the server; B is to remind you to ensure that the System Identity User is configured in
CiscoWorks Common Services and in Cisco Secure ACS (with System Administrator privileges);
and C informs you that you must restart Daemon Manager for the changes to take effect (after you
restart the daemons, all authentication and authorization requests for the CiscoWorks server will
be handled by Cisco Secure ACS).


To configure the System Identity User:

Step 1. Go to Common Services > Server > Security > Multi-Server Trust Management >
System Identity Setup. Set up a System Identity User.

Step 2. Go to Common Services > Server > Security > Single-Server Management > Local
User Setup. Ensure that the System Identity User is a local user with all the roles.

Step 3. Create a superuser role in Cisco Secure ACS that has full access rights to CiscoWorks
applications.

Step 4. Add the System Identity User configured in CiscoWorks Common Services to Cisco
Secure ACS and ensure that the System Identity User is part of the superuser group.

Step 5. Restart Daemon Manager for the changes to take effect.

After you restart the daemons, all authentication requests for the CiscoWorks server are handled
by Cisco Secure ACS.

User Configuration in Cisco Secure ACS

The final step in integrating CiscoWorks Common Services Software with Cisco Secure ACS is to
configure the CiscoWorks users within Cisco Secure ACS.

Cisco Secure ACS allows you to define access permissions and policies for the registered
CiscoWorks applications on a per user basis or user group basis.

Refer to the following sections of the Cisco Secure ACS User Guide for more information on
managing users and user groups:

User Group Management—
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/g.htm
User Management—
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/u.htm

When adding the user, you can configure access policies to define what the user is authorized to
do depending on the role. Table 2 lists the predefined roles provided for CiscoWorks applications
when registered with Cisco Secure ACS.

Table 2. Predefined Roles for CiscoWorks Applications in Cisco Secure ACS

Approver                   Approver Role
Help Desk                  Help Desk Role
Network Administrator      Network Administrator Role
Network Operator           Network Operator Role
System Administrator       System Administrator Role


Figure 8 shows a subset of tasks that can be allowed or disallowed to be performed by a user
based on his or her role.

Figure 8. A Subset of Tasks That Can Be Allowed or Disallowed Based on the User’s Role

The list of tasks may vary with the CiscoWorks applications registered with Cisco Secure ACS.

Once you have created the user or user group, you need to set the CiscoWorks Common Services
specific policies to assign the following:

CiscoWorks Common Services role of the user
Device or device groups that can be managed by the user or user groups

Authorization per user group

Following are the steps for editing a user group to configure the authorization policies for
CiscoWorks Common Services:

Step 1. Go to the Cisco Secure ACS Group Setup page, choose a user group, and click the Edit
Setting button.


Figure 9. Cisco Secure ACS Group Setup Page

Step 2. Under the TACACS+ setting, you can view all the CiscoWorks applications registered
with Cisco Secure ACS and the related attributes.

For each registered CiscoWorks application, you can choose any of the following three
TACACS+ settings while assigning a role to the user group for the devices or device
groups to be managed. The options are:

None—No role assigned.

Assign a <UserRole> for any Network Device—You can assign any one of the predefined
(or custom created) roles to the user group for all devices. When you choose this option,
the user will have the privileges of performing all the tasks defined for the selected role on
all devices defined as AAA clients in Cisco Secure ACS.

Assign a <UserRole> on a per Network Device Group basis—You can choose this option
when you want to assign different roles for the user group for different sets of devices or
device groups. For example, you can choose this option when you want to assign the
administrator role for the user group for one device group and assign the operator role to
the same user group for another device group.


Figure 9 shows an example of a user being assigned the role of System Administrator for the
device group NDG1, the role of Network Operator for the device group NDG2, and the role of Help
Desk for the device group NDG1.
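The three TACACS+ settings above (None, a role for any network device, a role per Network Device Group), together with the per-user settings described in the next section and the Appendix B role descriptions, modelled as an added example that is not Cisco code. Two assumptions are labelled in the code: a per-user assignment other than None overrides the group's, and the task catalogue is constructed to match the Appendix B descriptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed task catalogue, grouped the way Appendix B describes the roles.
# Approver deliberately gets only its own task: roles are not hierarchical.
HELP_DESK_TASKS = {"view network status", "view device inventory"}
OPERATOR_TASKS = HELP_DESK_TASKS | {"collect config", "collect inventory"}
ADMIN_TASKS = OPERATOR_TASKS | {"deploy config", "upgrade software image"}
ROLE_TASKS = {
    "Help Desk": HELP_DESK_TASKS,
    "Approver": {"approve job"},
    "Network Operator": OPERATOR_TASKS,
    "Network Administrator": ADMIN_TASKS,
    "System Administrator": ADMIN_TASKS | {"approve job", "manage users"},
}


@dataclass
class RoleAssignment:
    """One registered application's TACACS+ setting for a user or a group.

    mode is one of the three options on the ACS Group Setup page:
      "none"        No role assigned.
      "any_device"  The same role for every AAA client.
      "per_ndg"     A role per Network Device Group (NDG name -> role).
    """
    mode: str
    role: Optional[str] = None
    per_ndg: Dict[str, str] = field(default_factory=dict)

    def role_for(self, ndg: Optional[str]) -> Optional[str]:
        if self.mode == "none":
            return None
        if self.mode == "any_device":
            return self.role
        if self.mode == "per_ndg":
            # A device whose NDG has no entry gets no role at all.
            return self.per_ndg.get(ndg) if ndg else None
        raise ValueError("unknown TACACS+ setting %r" % self.mode)


def effective_role(user_setting, group_setting, ndg):
    """Resolve the role for one device in NDG `ndg`.

    Assumption (not stated in the paper): a per-user assignment that is
    configured as anything other than "none" overrides the group's.
    """
    if user_setting is not None and user_setting.mode != "none":
        return user_setting.role_for(ndg)
    if group_setting is not None:
        return group_setting.role_for(ndg)
    return None


def may_perform(task, user_setting, group_setting, ndg):
    """True when the resolved role's task list contains the task."""
    role = effective_role(user_setting, group_setting, ndg)
    return role is not None and task in ROLE_TASKS.get(role, set())


if __name__ == "__main__":
    # Constructed data following the first two assignments of Figure 9:
    # System Administrator on NDG1, Network Operator on NDG2.
    group = RoleAssignment("per_ndg", per_ndg={
        "NDG1": "System Administrator", "NDG2": "Network Operator"})
    for ndg in ("NDG1", "NDG2", "NDG3"):
        print(ndg, effective_role(None, group, ndg),
              "deploy config:", may_perform("deploy config", None, group, ndg))
```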

Authorization per user

Following are the steps for editing an individual user’s settings to configure the authorization
policies for CiscoWorks Common Services:

Step 1. Before you can edit the user settings, make sure that you have selected the Per-user
TACACS+/RADIUS Attributes option for the CiscoWorks applications registered with
Cisco Secure ACS.

Go to the ACS Interface Configuration > Advanced options to select the Per-user
TACACS+/RADIUS Attributes option.
Select the check box next to Per-user TACACS+/RADIUS Attributes under the
Advanced Options configuration page and click the Submit button to save the changes
as shown in Figure 10.

Figure 10. Cisco Secure ACS Interface Configuration—Advanced Options

Step 2. After selecting the Per-user TACACS+/RADIUS Attributes check box under the Advanced
Options, select the user-level TACACS+ services from Interface Configuration >
TACACS+ (Cisco IOS) (Figure 11).


Figure 11. Cisco Secure ACS Interface Configuration—TACACS+ Services

Step 3. Select the check boxes under the User column for the required applications and click the
Submit button to save changes as shown in Figure 11.

Step 4. After you select the per user interface configurations, go to the User Setup page to edit
the settings for the selected user to define the access policies for CiscoWorks applications
registered with Cisco Secure ACS.

As you see in Figure 12, the per user setup also provides the same three options as the
groups setup for defining the role and associating the device groups that the user can
manage.


Figure 12. Cisco Secure ACS User Setup

Step 5. After assigning the roles and device groups to the user, click the Submit button to save
the changes.


Appendix A

Generating Certificates in Cisco Secure ACS for SSL Mode

You can use the Cisco Secure ACS Certificate Setup pages to install digital certificates to support
the HTTPS protocol for secure access to the Cisco Secure ACS HTML interface.

HTTP/HTTPS protocol is used for the following operations between the CiscoWorks server and
Cisco Secure ACS:

Import/export device groups
Import/export devices
Audit requests
Initialize device cache (which in turn calls import devices)
Register/unregister applications

Perform the following procedure to install a server certificate for your Cisco Secure ACS. You can
perform certificate enrollment to support the HTTPS protocol for the HTML interface to Cisco
Secure ACS. There are three basic options by which you can install the server certificate; you may:

Obtain a certificate from a certificate authority (CA)
Use an existing certificate from local machine storage
Generate a self-signed certificate

Installing the Certificate from Local Machine Storage

Before you install the certificate, you must have a server certificate for Cisco Secure ACS. With
Cisco Secure ACS, certificate files must be in Base64-encoded X.509. If you do not already have a
server certificate in storage, refer to the procedure in the “Generating a Certificate Signing
Request” section in the Cisco Secure ACS User Guide or use another means to obtain a certificate
for installation.

If you are installing a server certificate that replaces an existing server certificate, the installation
could affect the configuration of the CTL and CRL settings of Cisco Secure ACS. After you have
installed a replacement certificate, you should determine whether you need to reconfigure any CTL
or CRL settings.

To install an existing certificate for use on Cisco Secure ACS, use the following steps:

Step 1. In the navigation bar, click System Configuration.

Step 2. Click ACS Certificate Setup.

Step 3. Click Install ACS Certificate.

Cisco Secure ACS displays the Install ACS Certificate page (Figure 13).

Step 4. You must specify whether Cisco Secure ACS reads the certificate from a specified file or
uses a certificate already in storage on the local machine. Do one of the following:

To specify that Cisco Secure ACS reads the certificate from a specified file, select the Read
certificate from file option, and then type the full directory path and filename of the
certificate file in the Certificate file box.


To specify that Cisco Secure ACS uses a particular existing certificate from local machine
certificate storage, select the Use certificate from storage option, and then type the
certificate CN (common name/subject name) in the Certificate CN box.

Step 5. If you generated the request using Cisco Secure ACS, in the Private key file box, type the
full directory path and name of the file that contains the private key.

Step 6. In the Private key password box, type the private key password.

Step 7. Click Submit.

Figure 13. Cisco Secure ACS System Configuration—Installing New Certificate

Generating a Self-Signed Certificate

Installing a self-signed certificate is a way for administrators to meet the HTTPS certificate
requirement without having to interact with a CA to obtain and install a certificate for Cisco
Secure ACS.

The self-signed certificate feature in Cisco Secure ACS allows the administrator to generate the
self-signed digital certificate and use it for the Protected Extensible Authentication Protocol (PEAP)
or for HTTPS support in Web administration service.

To generate a self-signed certificate, use the following steps:

Step 1. In the navigation bar, click System Configuration.

Step 2. Click ACS Certificate Setup.

Step 3. Click Generate Self-Signed Certificate.

Cisco Secure ACS displays the Generate Self-Signed Certificate edit page (Figure 14).

Step 4. In the Certificate subject box, type the certificate subject in the form cn=XXXX. You can
enter additional information here. For information, refer to the “Self-Signed Certificate
Configuration Options” section in the Cisco Secure ACS User Guide.

Step 5. In the Certificate file box, type the full path and filename for the certificate file.

Step 6. In the Private key file box, type the full path and filename for the private key file.


Step 7. In the Private key password box, type the private key password.

Step 8. In the Retype private key password box, retype the private key password.

Step 9. In the Key length box, select the key length.

Step 10. In the Digest to sign with box, select the hash digest to be used to encrypt the key.

Step 11. To install the self-signed certificate when you submit the page, select the Install
generated certificate option.

Step 12. Click Submit.

The specified certificate and private key files are generated and stored, as specified. The
certificate becomes operational, if you also selected the Install Generated Certificate option, only
after you restart Cisco Secure ACS services.

Figure 14. Cisco Secure ACS System Configuration—Generate Self-Signed Certificate
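The fields of the form above map one to one onto OpenSSL options, which makes it easy to see what each field controls and to verify the result afterwards. The following is an added Python example, not part of the original document or of Cisco Secure ACS, that generates an equivalent self-signed certificate with the openssl command-line tool (assumed to be on PATH), then reads the certificate back to confirm the signing digest, key size and subject, and flags MD5/SHA-1 signatures and RSA keys shorter than 2048 bits. The hostname acs.example.com and the password changeit are placeholders.

```python
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Policy used by check_cert_policy(): MD5 and SHA-1 signatures are deprecated,
# and RSA keys shorter than 2048 bits are below current minimums.
WEAK_SIGNATURES = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
MIN_RSA_BITS = 2048


def generate_self_signed(cert_file, key_file, subject_cn, key_bits, digest,
                         key_password, days=365):
    """Mirror the ACS 'Generate Self-Signed Certificate' form with OpenSSL.

    subject_cn   -> Certificate subject (cn=...)
    key_bits     -> Key length
    digest       -> Digest to sign with (signs the certificate; does not encrypt the key)
    key_password -> Private key password (encrypts the key file on disk)
    """
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl binary not found on PATH")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", f"rsa:{key_bits}", f"-{digest}",
         "-subj", f"/CN={subject_cn}", "-days", str(days),
         "-keyout", str(key_file), "-out", str(cert_file),
         "-passout", f"pass:{key_password}"],
        check=True, capture_output=True,
    )


def inspect_certificate(cert_file):
    """Return subject, signature algorithm and RSA key size of a PEM certificate."""
    text = subprocess.run(
        ["openssl", "x509", "-in", str(cert_file), "-noout", "-subject", "-text"],
        check=True, capture_output=True, text=True,
    ).stdout
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text).group(1)
    bits = int(re.search(r"Public-Key:\s*\((\d+) bit\)", text).group(1))
    subject = re.search(r"^subject=(.*)$", text, re.MULTILINE).group(1).strip()
    return {"subject": subject, "signature_algorithm": sig, "key_bits": bits}


def check_cert_policy(info):
    """Return a list of findings; an empty list means the certificate passes."""
    findings = []
    if info["signature_algorithm"] in WEAK_SIGNATURES:
        findings.append(f"weak signature digest: {info['signature_algorithm']}")
    if info["key_bits"] < MIN_RSA_BITS:
        findings.append(f"RSA key too short: {info['key_bits']} bits")
    return findings


def generate_and_check(subject_cn="acs.example.com", key_bits=2048, digest="sha256"):
    """Generate into a temp dir, inspect, and return (info, findings, key_encrypted)."""
    with tempfile.TemporaryDirectory() as tmp:
        cert = Path(tmp) / "acs-cert.pem"
        key = Path(tmp) / "acs-key.pem"
        generate_self_signed(cert, key, subject_cn, key_bits, digest, "changeit")
        info = inspect_certificate(cert)
        # The ACS form requires a private key password; confirm the key is encrypted.
        key_encrypted = "ENCRYPTED" in key.read_text()
    return info, check_cert_policy(info), key_encrypted


if __name__ == "__main__":
    info, findings, key_encrypted = generate_and_check()
    print(info, "findings:", findings, "key encrypted:", key_encrypted)
```

Run the same inspection against the certificate file that Cisco Secure ACS writes to the path given in Step 5: the Signature Algorithm line tells you which digest was actually used, and the Public-Key line the key length that was selected.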

For more information on Cisco Secure ACS authentication and certificates, refer to the Cisco
Secure ACS User Guide at
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/sau.htm#wp326973.


Appendix B

CiscoWorks User Roles and Tasks


To use CiscoWorks, you must have a valid login, which is a combination of a username and a
password. When you are assigned a username and password, you are also assigned to one or
more of these roles:

Help Desk (default role for all users)—Can access network status information only. Can access persisted data on the system but cannot perform any action on a device or schedule a job that will reach the network.
Approver—Can approve all tasks.
Network Operator—Can perform all Help Desk tasks. Can do tasks related to network data collection but cannot perform any task that requires write access on the network.
Network Administrator—Can perform all Network Operator tasks. Can perform tasks that result in a network configuration change.
System Administrator—Can perform all CiscoWorks system administration tasks.

These roles determine which CiscoWorks applications, tools, and product features you are allowed
to access. The roles do not form a single hierarchy in which each role includes all the privileges of
the role “below” it: Network Operator and Network Administrator do build on Help Desk, but
Approver and System Administrator are separate sets of privileges, so a System Administrator does
not automatically gain Network Administrator tasks. Assign each user exactly the roles the job
requires.

When CiscoWorks is integrated with Cisco Secure ACS for authentication, authorization, and
accounting, you can also add new custom roles and modify the predefined role definitions and
tasks.

Editing CiscoWorks Predefined Roles


To modify the CiscoWorks roles and privileges on Cisco Secure ACS:

Step 1. Select Shared Profile Components > CiscoWorks Common Services and click the
roles that you want to modify.

Step 2. Select or deselect any of the Common Services tasks that suit your business workflow
and needs.

Step 3. Click Submit.

Figure 15 shows the role definition page; each check box is a task that the selected application
exposes. Select or clear tasks to customize the default roles.


Figure 15. Shared Profile Components—Modifying CiscoWorks Common Services for Defined User Roles

Adding a New User Role


To add a new CiscoWorks user role on Cisco Secure ACS:

Step 1. Select Shared Profile Components > <CiscoWorks Application> and click the Add
button to add a new role.

The new role definition page will appear as shown in Figure 16.
Step 2. Select or deselect any of the Common Services tasks that suit your business workflow
and the needs of the new role.

Step 3. Click Submit.


Figure 16. Shared Profile Components—Adding a New CiscoWorks Common Services User Role

Logs and Reports


Cisco Secure ACS logs a variety of user and system activities. Depending on the log, and how you
have configured Cisco Secure ACS, logs can be recorded in different formats with different
attributes.

You can facilitate logging using the logging configuration options in the System Configuration page
(Figure 17). Refer to the “System Configuration” section in the Cisco Secure ACS User Guide at
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/sba.htm#w
p222166 for more information.


Figure 17. System Configuration—Logging

Cisco Secure ACS provides the following three logs, which are useful when you are debugging
user activities and events related to CiscoWorks:

Passed Authentications—Contains the details of passed authentications.
Failed Attempts—Contains the information for failed authentications and authorizations.
TACACS+ Administration—Audit records.

The reports and logs can be viewed from the Cisco Secure ACS Reports and Activity page (Figure
18).


Figure 18. Reports and Activity

Application Registration from CLI


You can reregister the CiscoWorks applications with Cisco Secure ACS from the AAA Mode Setup
page in CiscoWorks Common Services. That registers every installed application at once and
causes any custom roles you have defined to be lost. To avoid this mass registration, CiscoWorks
Common Services Software 3.0.5 provides the CLI script AcsRegCli.pl, which registers individual
applications.

The script is located at $NMSROOT\bin\AcsRegCli.pl. The following parameters are available when
running it from the CLI:

AcsRegCli.pl -register <App-name>


The following are the available <App-name> options:

cwhp—Common Services
rme—Resource Management Essentials
CM—Campus Manager
dfm—Device Fault Manager
CiscoView—CiscoView
ipm—Internetwork Performance Monitor

AcsRegCli.pl -register all
This option is equivalent to application registration from the GUI: all the installed applications
are registered with Cisco Secure ACS, with the same effect on custom roles.


Appendix C

FAQ on Troubleshooting CiscoWorks Common Services Integration with Cisco Secure ACS
1. Question: I have configured my CiscoWorks server to integrate with Cisco Secure ACS for
AAA. When I log in to CiscoWorks, the authentication succeeds but all the buttons are
disabled/grayed-out. How do I troubleshoot this issue?
Answer:

Step 1. Check whether you have restarted the daemons using:

Windows: net stop crmdmgtd, then net start crmdmgtd

Solaris: /etc/init.d/dmgtd stop, then /etc/init.d/dmgtd start

Step 2. If the preceding solution doesn’t solve the problem, then check the Cisco Secure ACS
user configuration to see whether a role has been assigned to the user.

2. Question: I have provided the Cisco Secure ACS credentials in my CiscoWorks Common
Services AAA mode page and restarted the daemons. When I try to log in as a user in Cisco
Secure ACS I get an authentication failed message. How do I troubleshoot this issue?
Answer:

Step 1. Check whether the CiscoWorks server is up and running.

Step 2. Check the Failed Attempts log in Cisco Secure ACS. If it says “Bad request from NAS”, it
means the CiscoWorks server has not been added as an AAA client to Cisco Secure
ACS. Please refer to the section “Adding your CiscoWorks server as an AAA client” in this
document.

Step 3. If the message is “Password Mismatch”, then check whether the Cisco Secure ACS
administrator password and shared secret key entered in the CiscoWorks Common
Services AAA mode page are correct.
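The Failed Attempts log described under “Logs and Reports” is where the two failure strings in this answer show up, and on a busy ACS it is worth scripting the triage rather than reading the CSV by hand. The following is an added Python example, not part of the original document or of Cisco Secure ACS. The CSV excerpt is constructed for the example and uses a simplified subset of the real export's columns; only the two Authen-Failure-Code strings this answer names (“Bad request from NAS” and “Password Mismatch”) carry specific remediation, and the remaining codes in the sample are placeholders.

```python
import csv
import io
from collections import Counter

# Constructed excerpt of a Cisco Secure ACS "Failed Attempts" CSV log. The
# column set is a simplified subset of the real export; codes marked
# "(placeholder)" are invented for the example.
SAMPLE_FAILED_ATTEMPTS = """\
Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Authen-Failure-Code,Author-Failure-Code,NAS-IP-Address
03/12/2007,10:02:11,Authen failed,cwadmin,,10.1.1.50,Bad request from NAS,,10.1.1.50
03/12/2007,10:05:43,Authen failed,cwadmin,,10.1.1.50,Password Mismatch,,10.1.1.50
03/12/2007,10:09:02,Authen failed,jdoe,,10.1.1.50,Unknown user (placeholder),,10.1.1.50
03/12/2007,10:15:30,Author failed,jdoe,NetOps,10.1.1.50,,No role for rme (placeholder),10.1.1.50
"""

# Remediation per FAQ question 2 (authentication) and questions 1 and 9 (authorization).
AUTHEN_REMEDIATION = {
    "Bad request from NAS": (
        "CiscoWorks server is not configured as an AAA client in Cisco Secure ACS",
        "Add the CiscoWorks server as an AAA client under Network Configuration; see "
        "'Adding your CiscoWorks server as an AAA client'.",
    ),
    "Password Mismatch": (
        "ACS administrator password or shared secret in the AAA Mode Setup page is wrong",
        "Re-enter the Cisco Secure ACS administrator password and the shared secret in "
        "the Common Services AAA Mode Setup page, then restart the daemons.",
    ),
}
DEFAULT_AUTHEN = (
    "authentication rejected by Cisco Secure ACS",
    "Confirm the user exists in Cisco Secure ACS and is assigned to a group.",
)
DEFAULT_AUTHOR = (
    "authorization rejected by Cisco Secure ACS",
    "Assign the user or group a role for every registered CiscoWorks application "
    "(Shared Profile Components); see FAQ questions 1 and 9.",
)


def triage_failed_attempts(csv_text):
    """Map each Failed Attempts row to a probable cause and a next action."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        authen_code = (row.get("Authen-Failure-Code") or "").strip()
        author_code = (row.get("Author-Failure-Code") or "").strip()
        if authen_code:
            cause, action = AUTHEN_REMEDIATION.get(authen_code, DEFAULT_AUTHEN)
            kind, code = "authentication", authen_code
        elif author_code:
            cause, action = DEFAULT_AUTHOR
            kind, code = "authorization", author_code
        else:
            continue  # Row carries no failure code; nothing to triage.
        findings.append({
            "when": f"{row['Date']} {row['Time']}",
            "user": row["User-Name"],
            "nas": row["NAS-IP-Address"],
            "kind": kind,
            "code": code,
            "cause": cause,
            "action": action,
        })
    return findings


def unregistered_aaa_clients(findings):
    """NAS addresses ACS rejected outright: candidates for the AAA client list."""
    return sorted({f["nas"] for f in findings if f["code"] == "Bad request from NAS"})


def cause_summary(findings):
    """Count findings per cause so the dominant misconfiguration stands out."""
    return Counter(f["cause"] for f in findings)


if __name__ == "__main__":
    results = triage_failed_attempts(SAMPLE_FAILED_ATTEMPTS)
    for f in results:
        print(f"{f['when']} {f['user']}@{f['nas']} [{f['kind']}] {f['code']}: {f['action']}")
    print("Hosts to add as AAA clients:", unregistered_aaa_clients(results))
```

Point the script at the CSV files that Cisco Secure ACS writes for the Failed Attempts log (the column names in a real export will differ from the constructed sample, so adjust the header handling to match your version) and the first two rows of the summary will usually tell you whether the problem is the AAA client entry or the shared secret before you open the GUI.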

3. Question: I have integrated my CiscoWorks Common Services server with Cisco Secure ACS
and have assigned appropriate roles to the user. But I am not able to see the devices added
in the Device Credentials Registry (DCR) at all, and the list is always empty. What do I need
to do?
Answer:

To view the devices added to DCR, you need to add the devices as AAA clients to Cisco Secure
ACS.

4. Question: When I perform an application registration, I am getting the error message
“Application <App-name> registration: Failure on Primary ACS Server”. What could be the
problem?
Answer:

Step 1. Check whether the CiscoWorks server is up and running.

Step 2. Check whether the Cisco Secure ACS administrator password specified in the
CiscoWorks Common Services AAA mode page is correct.

Step 3. Check or uncheck the Connect to ACS in HTTPS mode check box in the Common
Services AAA mode page depending on the HTTP/HTTPS mode of Cisco Secure ACS.


5. Question: I see an “initdevicecache failed” message in my log. What do I infer from this error
message?
Answer:

This message can be caused by the following reasons:

SSL mismatch between Cisco Secure ACS and CAM
Cisco Secure ACS administrator username/password conflict

To troubleshoot this, see the preceding question.

6. Question: How do I unregister an application? I do not see any option available from the GUI.
Answer:

There is no way of unregistering an application from the front end, but you can register or
unregister applications from the back end using the ACSRegCli Java class located at
$NMSROOT\www\classpath\com\cisco\nm\cmf\security. You can register or unregister all
applications as follows:

java ACSRegCli registerAll
java ACSRegCli unregisterAll

You can register or unregister a single application as follows:

java ACSRegCli register <App-name>
java ACSRegCli unregister <App-name>

The AcsRegCli.pl wrapper script described in Appendix B is available with CiscoWorks Common
Services 3.0 SP2 and later only.

7. Question: How do I get the CAM debugging log to work?
Answer:

On Windows, run the following command from the CLI:

$NMSROOT/MDC/bin/ccraccess -updateLog Core cam DEBUG

The logs are located at $NMSROOT/MDC/log.

On Solaris, set LD_LIBRARY_PATH to the value found in the md.properties file. The file is
available at /opt/CSCOpx/lib/classpath.

8. Question: Are there any backend script or command-line interface options to change the
login module from Cisco Secure ACS to CiscoWorks Local?
Answer:

ResetLoginModule.pl, located at $NMSROOT\bin, resets the login module from Cisco Secure ACS
back to the CiscoWorks Common Services Local login module. Stop the daemons on your
CiscoWorks server before executing the script.


9. Question: I have installed several CiscoWorks applications on the CiscoWorks server. I have
configured the user in Cisco Secure ACS, and I am seeing the respective roles of the user
being applied in CiscoWorks. However, all the buttons are grayed out for all the applications
pages.
Answer:

Similar to assigning a user role to the CiscoWorks Common Services application (using either the
Group or User setup), you must explicitly assign a user role to each of the other registered
applications. Please refer to the section “User Configuration in Cisco Secure ACS” in this
document.
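Questions 1 and 9 are the same failure seen from two angles: authorization in CiscoWorks is deny-by-default per registered application, and the Appendix B roles are not one hierarchy. The following is an added Python example, not part of the original document or of CiscoWorks, that models the role-to-task mapping and per-application assignment so the behaviour can be checked before users hit grayed-out buttons. The task identifiers, the user names and the assignments are constructed for the example; the real tasks are the check boxes shown under Shared Profile Components in Cisco Secure ACS.

```python
# The five predefined CiscoWorks roles from Appendix B. Task identifiers are
# constructed for this example; in Cisco Secure ACS the real tasks appear as
# check boxes under Shared Profile Components for each registered application.
HELP_DESK_TASKS = {"view_network_status", "view_persisted_data"}
NETWORK_OPERATOR_TASKS = HELP_DESK_TASKS | {"collect_network_data", "run_readonly_report"}
NETWORK_ADMINISTRATOR_TASKS = NETWORK_OPERATOR_TASKS | {"change_device_config",
                                                        "deploy_software_image"}

ROLE_TASKS = {
    "Help Desk": HELP_DESK_TASKS,
    "Network Operator": NETWORK_OPERATOR_TASKS,
    "Network Administrator": NETWORK_ADMINISTRATOR_TASKS,
    # Approver and System Administrator are not supersets of the roles above.
    "Approver": {"approve_job"},
    "System Administrator": {"manage_users", "set_aaa_mode", "backup_restore"},
}

# Assignments as Cisco Secure ACS holds them: per user, per registered
# application, a set of role names. Constructed sample data.
SAMPLE_ASSIGNMENTS = {
    "cwadmin": {"cwhp": {"System Administrator", "Network Administrator"},
                "rme": {"Network Administrator"}},
    "jdoe": {"cwhp": {"Network Operator"}},  # no role in rme at all
    "sysop": {"cwhp": {"System Administrator"}, "rme": {"System Administrator"}},
}
REGISTERED_APPS = ["cwhp", "rme"]


def effective_tasks(assignments, user, app):
    """Union of the tasks of every role the user holds for one application.

    No role for an application yields an empty set: the user authenticates but
    every button of that application is grayed out (FAQ questions 1 and 9).
    """
    tasks = set()
    for role in assignments.get(user, {}).get(app, set()):
        tasks |= ROLE_TASKS[role]
    return tasks


def is_permitted(assignments, user, app, task):
    """Deny-by-default authorization check for a single task."""
    return task in effective_tasks(assignments, user, app)


def audit_missing_roles(assignments, registered_apps):
    """Users who lack a role in at least one registered application."""
    return {user: [app for app in registered_apps if not per_app.get(app)]
            for user, per_app in assignments.items()
            if any(not per_app.get(app) for app in registered_apps)}


def audit_write_access(assignments, app):
    """Users whose roles for an application allow network configuration changes."""
    return sorted(user for user in assignments
                  if "change_device_config" in effective_tasks(assignments, user, app))


if __name__ == "__main__":
    print("jdoe tasks in rme:", effective_tasks(SAMPLE_ASSIGNMENTS, "jdoe", "rme"))
    print("missing roles:", audit_missing_roles(SAMPLE_ASSIGNMENTS, REGISTERED_APPS))
    print("can change config in rme:", audit_write_access(SAMPLE_ASSIGNMENTS, "rme"))
```

The two audit functions are the practical output: run audit_missing_roles after registering a new application (every existing user will show up until you assign roles for it), and audit_write_access before a change window to confirm that only the intended accounts hold configuration-changing roles.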

10. Question: Where do I specify the fallback user for ACS mode?
Answer:

The fallback users for ACS mode are specified on the non-ACS TACACS+ mode setup page.

To add the fallback users for ACS mode, execute the following steps in the CiscoWorks Common
Services AAA Mode Setup page:

Step 1. Select non-ACS mode.

Step 2. Select TACACS+ and click Change.

Step 3. Specify the fallback users in the Login fallback options text field.

Step 4. Click OK.

Step 5. Select ACS mode.

Step 6. Enter the required values.

Step 7. Click Apply.

11. Question: I have specified a user under the fallback option for Cisco Secure ACS, but I am
not seeing the fallback option from Cisco Secure ACS to CiscoWorks Local working for the
authorization request. What could be wrong?
Answer:

The fallback option applies to authentication only: when Cisco Secure ACS cannot be reached,
login requests for the configured fallback users are redirected to the CiscoWorks server and
authenticated locally. There is no fallback for authorization requests. Once a fallback user is
authenticated locally, authorization comes from the roles of that user's local account on the
CiscoWorks server, so roles defined only in Cisco Secure ACS do not apply; the fallback users must
therefore exist as local CiscoWorks users with appropriate roles.

12. Question: After I integrate CiscoWorks Common Services with Cisco Secure ACS,
CTMJrmServer does not come up when I restart Daemon Manager. What could be wrong?
Answer:

The System Identity User may not be properly configured in CiscoWorks Common Services:

Check whether the System Identity User configured in CiscoWorks Common Services is the same
user that is configured in Cisco Secure ACS.
Check whether the System Identity User configured in the CiscoWorks server has appropriate
privileges. If it does not, the error message “Authorization failed for the job browser task”
appears in the daemons.log file.
Assign the System Identity User the Network Administrator role, and restart Daemon Manager to
fix the issue.


THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL
ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND
RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE
PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST
TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT
ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND
ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE
SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE
FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed
by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX
operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND
SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND
THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED,
INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL,
CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST
PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE
THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.

Printed in USA C11-393030-00 03/07
