
Manual: Cisco Systems, model Servers

Manufacturer: Cisco Systems
File size: 2.7 MB
File name: user301.pdf
Language: en



Manual summary


Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide, 78-13751-01, Version 3.0
Chapter 11, Working with User Databases: Token Server User Databases

Note: If only one LEAP Proxy RADIUS Server configuration exists, the name of that configuration appears instead of the list. Proceed to the next step.

Step 6 Click Configure.

Step 7 In the following boxes, type the required information:

• Primary Server Name/IP—IP address of the primary proxy RADIUS server.
• Secondary Server Name/IP—IP address of the secondary proxy RADIUS server.
• Shared Secret—The shared secret of the proxy RADIUS server. This must be identical to the shared secret with which the proxy RADIUS server is configured.
• Authentication Port—The TCP port over which the proxy RADIUS server conducts authentication sessions. If the LEAP Proxy RADIUS server is installed on the same Windows NT/2000 server as Cisco Secure ACS, this port should not be the same port used by Cisco Secure ACS for RADIUS authentication. For more information about the ports used by Cisco Secure ACS for RADIUS, see the “RADIUS” section on page 1-6.
• Timeout (seconds)—The number of seconds Cisco Secure ACS waits before sending notification to the user that the authentication attempt has timed out.
• Retries—The number of authentication attempts Cisco Secure ACS makes before failing over to the secondary proxy RADIUS server.
• Failback Retry Delay (minutes)—The number of minutes after which Cisco Secure ACS attempts authentications using a failed primary proxy RADIUS server.

Note: If both the primary and the secondary servers fail, Cisco Secure ACS alternates between both servers until one responds.

Step 8 Click Submit.

Result: Cisco Secure ACS saves the proxy RADIUS token server database configuration you created. You can add it to your Unknown User Policy or assign specific user accounts to use this database for authentication.

For more information about the Unknown User Policy, see the “Unknown User Processing” section on page 12-1. For more information about configuring user accounts to authenticate using this database, see Chapter 7, “Setting Up and Managing User Accounts.”

Token Server User Databases

Cisco Secure ACS supports the use of token servers for the increased security provided by one-time passwords (OTPs). This section includes the following topics:

• About Token Servers and Cisco Secure ACS
• RADIUS-Enabled Token Servers
• Token Servers with Vendor-Proprietary Interfaces

About Token Servers and Cisco Secure ACS

Cisco Secure ACS provides PAP authentication using token servers. Requests from the access device are first sent to Cisco Secure ACS. If Cisco Secure ACS has been configured to authenticate against a token server and finds the username, it forwards the authentication request to the token server. If it does not find the username, Cisco Secure ACS checks the database configured to authenticate unknown users. If the request for authentication is passed, the appropriate authorizations are forwarded to the access device along with the approved authentication. Cisco Secure ACS then maintains the accounting information.

Cisco Secure ACS acts as a client to the token server. For the token servers supported, Cisco Secure ACS accomplishes this in one of two ways. The first method uses the token server’s RADIUS interface. For more information about Cisco Secure ACS support of token servers with a RADIUS interface, see the “RADIUS-Enabled Token Servers” section on page 11-49. For some token servers, Cisco Secure ACS uses the token server vendor’s proprietary API. For more information about Cisco Secure ACS support of token servers using the token server vendor’s proprietary API, see the “Token Servers with Vendor-Proprietary Interfaces” section on page 11-53.

Token Servers and ISDN

Cisco Secure ACS supports token caching for ISDN terminal adapters and routers. One inconvenience of using token cards for OTP authentication with ISDN is that each B channel requires its own OTP. Therefore, a user must enter at least 2 OTPs, plus any other login passwords, such as those for Windows NT/2000 networking. If the terminal adapter supports the ability to turn on and off the second B channel, users might have to enter many OTPs each time the second B channel comes into service.

Cisco Secure ACS caches the token to help make the OTPs easier for users. This means that if a token card is being used to authenticate a user on the first B channel, a specified period can be set during which the second B channel can come into service without requiring the user to enter another OTP. To lessen the risk of unauthorized access to the second B channel, you can limit the time the second B channel is up. Furthermore, you can configure the s...

