Installation and Configuration Guide for Cisco Secure ACS Remote Agents
OL-2891-01

CHAPTER 2

Installation of Cisco Secure ACS Remote Agent for Windows

This chapter provides information about installing Cisco Secure ACS Remote Agent for Windows. It contains the following sections:

• System Requirements

• Network Requirements

• Installing a Remote Agent for Windows

• Uninstalling Cisco Secure ACS Remote Agent for Windows

• Windows Authentication from a Member Server

System Requirements

The computer running Cisco Secure ACS Remote Agent for Windows must meet the minimum requirements detailed in the sections that follow.

Cisco Secure ACS Requirements

You must use Cisco Secure ACS Remote Agent for Windows, version 3.2, with Cisco Secure ACS Appliance, version 3.2. Other versions of Cisco Secure ACS Appliance are not supported.


Hardware Requirements

The computer running Cisco Secure ACS Remote Agent for Windows must meet the following minimum hardware requirements:

• Pentium III processor, 550 MHz or faster.

• 256 MB of RAM.

• At least 250 MB of free disk space.

Operating System Requirements

The computer running Cisco Secure ACS Remote Agent for Windows must use an English-language version of Windows 2000 Server with Service Pack 3 installed. Both the operating system and the applicable service pack must be English-language versions.

Windows service packs can be applied either before or after installing Cisco Secure ACS Remote Agent for Windows. If you do not install a required service pack before installing Cisco Secure ACS Remote Agent for Windows, the Cisco Secure ACS Remote Agent for Windows installation program warns you that the required service pack is not present on your server. If you receive a service pack message, continue the installation, and then install the required service pack before starting user authentication with Cisco Secure ACS.

For the most recent information about tested operating systems and service packs, see the Release Notes for Cisco Secure ACS Appliance. The current version of the Release Notes is posted on Cisco.com (http://www.cisco.com).

Network Requirements

Your network must meet the following requirements before you begin installing Cisco Secure ACS.

• The computer running Cisco Secure ACS Remote Agent for Windows must be able to ping the Cisco Secure ACS Appliances that it supports.

• Gateway devices must permit traffic between the computer running Cisco Secure ACS Remote Agent for Windows and the Cisco Secure ACS Appliance. Specifically, the remote agent must receive TCP communication on TCP ports you configure in CSAgent.ini. The default TCP ports, if all services are used, are 2004, 2005, 2006, and 2007. The appliance must receive TCP communication on TCP port 2003.

Note: Using the CSAgent.ini file, you can configure the ports used by the remote agent to communicate with Cisco Secure ACS. If you change the ports used, configure intervening gateway devices to permit TCP traffic on the ports that you configure the remote agent to use. For more information about changing the ports that a remote agent uses, see Configuring a Remote Agent, page 4-1.
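The following Python check is an added example, not part of the Cisco guide. It lists which of the TCP flows described above a gateway rule set would still block, including the case where the agent ports were changed. The rule format, the first-match evaluation, the sample addresses, and the assumption that each flow originates at the other party are all made up for the illustration.

```python
import ipaddress

# Ports stated in the guide: the appliance receives on TCP 2003; the remote
# agent receives on TCP 2004-2007 by default (changeable in CSAgent.ini).
APPLIANCE_PORT = 2003
DEFAULT_AGENT_PORTS = (2004, 2005, 2006, 2007)


def required_flows(agent_ip, appliance_ip, agent_ports=DEFAULT_AGENT_PORTS):
    """Return (source, destination, tcp_port) tuples the gateway must permit."""
    flows = [(agent_ip, appliance_ip, APPLIANCE_PORT)]
    flows += [(appliance_ip, agent_ip, port) for port in agent_ports]
    return flows


def first_match(rules, flow):
    """Return the first rule matching the flow, or None.

    The rule dictionaries are a hypothetical format, not a Cisco ACL syntax.
    """
    src, dst, port = flow
    for rule in rules:
        low, high = rule["ports"]
        if (ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
                and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"])
                and low <= port <= high):
            return rule
    return None


def blocked_flows(rules, agent_ip, appliance_ip, agent_ports=DEFAULT_AGENT_PORTS):
    """List required flows that are not permitted (no match counts as blocked)."""
    blocked = []
    for flow in required_flows(agent_ip, appliance_ip, agent_ports):
        rule = first_match(rules, flow)
        if rule is None or rule["action"] != "permit":
            blocked.append(flow)
    return blocked


# Constructed sample: documentation-range addresses and a rule set whose
# second rule stops at port 2006, so port 2007 falls through to the deny.
AGENT = "192.0.2.10"
APPLIANCE = "198.51.100.20"
SAMPLE_RULES = [
    {"action": "permit", "src": "192.0.2.10/32", "dst": "198.51.100.20/32",
     "ports": (2003, 2003)},
    {"action": "permit", "src": "198.51.100.20/32", "dst": "192.0.2.10/32",
     "ports": (2004, 2006)},
    {"action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
     "ports": (0, 65535)},
]

if __name__ == "__main__":
    for src, dst, port in blocked_flows(SAMPLE_RULES, AGENT, APPLIANCE):
        print(f"blocked: {src} -> {dst} tcp/{port}")
```

Passing the ports actually set in CSAgent.ini as agent_ports shows which rules need updating after a port change.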

Installing a Remote Agent for Windows

Use this procedure to install Cisco Secure ACS Remote Agent for Windows.

Before You Begin

Determine the IP address of the Cisco Secure ACS Appliance that is to be the configuration provider for this remote agent. For more information about configuration providers, see Configuration Provider, page 1-3.

If you are installing Cisco Secure ACS Remote Agent for Windows on a member server and want to authenticate users with a Windows domain user database, be aware that after you have installed the remote agent you must perform the additional Windows configuration discussed in Windows Authentication from a Member Server, page 2-7.

To install Cisco Secure ACS Remote Agent for Windows, follow these steps:

Step 1 Using the local administrator account, log in to the Microsoft Windows server on which you want to install Cisco Secure ACS.

Step 2 Insert the Cisco Secure ACS CD into a CD-ROM drive on the Microsoft Windows server.

Result: If the CD-ROM drive supports the Windows autorun feature, the Cisco Secure ACS Appliance dialog box appears.


Note: If the computer does not have a required service pack installed, a dialog box may appear. Windows service packs can be applied either before or after installing Cisco Secure ACS. You can continue with the installation, but the required service pack must be applied after the installation is complete; otherwise, Cisco Secure ACS may not function reliably.

Step 3 If the Cisco Secure ACS Appliance dialog box appears, click Cancel.

Step 4 On the Cisco Secure ACS Appliance CD, locate the Windows remote agent subdirectory.

Step 5 From the Windows remote agent subdirectory, run Setup.exe.

Result: The Welcome dialog box displays basic information about the setup program.

Step 6 After you have read the information in the Welcome dialog box, click Next >.

Result: The Choose Destination Location dialog box appears. Under Destination Folder, the installation location appears. This is the drive and path to which the setup program installs Cisco Secure ACS Remote Agent for Windows.

Step 7 If you want to change the installation location, follow these steps:

a. Click Browse.

Result: The Choose Folder dialog box appears. The Path box contains the installation location.

b. Change the installation location. You can either type the new location in the Path box or use the Drives and Directories lists to select a new drive and directory.

Note: The installation location must be on a drive local to the Windows server.

c. Click OK.

Note: If you specified a folder that does not exist, the setup program displays a dialog box to confirm the creation of the folder. To continue, click Yes.


Result: In the Choose Destination Location dialog box, the new installation location appears under Destination Folder.

Step 8 Click Next >.

Result: The Agent Services dialog box lists options supported by Cisco Secure ACS Remote Agent for Windows:

• Logging Service

• Windows Authentication Service

Step 9 Select the agent services you want to use, and then click Next >.

Result: The Configuration Provider dialog box appears.

Step 10 In the Hostname box, type the hostname or IP address of the Cisco Secure ACS Appliance that should control the configuration of this remote agent.

Note: If you type a hostname, be sure either that DNS is operating correctly or that the appliance hostname is in the local hosts file.

Step 11 Click Next >.

Result: The setup program installs Cisco Secure ACS Remote Agent for Windows.

The Setup Complete dialog box lists options for restarting the computer.

Step 12 Select the reboot option you want.

Note: Rebooting is required to complete installation successfully. If you choose not to reboot now, do so before attempting to use remote agent services.

Step 13 Click Finish.

Result: The setup program exits. If you chose to reboot the computer automatically, Windows restarts.

Step 14 If you have installed Cisco Secure ACS Remote Agent for Windows on a member server and want to authenticate users with a Windows domain user database, you must perform the additional Windows configuration discussed in Windows Authentication from a Member Server, page 2-7.


Note: If you are reinstalling the remote agent after uninstalling it, previous configuration of the remote agent service was lost during the uninstallation. For more information, see Windows Authentication from a Member Server, page 2-7.

Uninstalling Cisco Secure ACS Remote Agent for Windows

Use Windows Control Panel to uninstall Cisco Secure ACS Remote Agent for Windows. No special steps are required.

Note: If you do not intend to reinstall Cisco Secure ACS Remote Agent for Windows on this computer, remove the applicable remote agent configurations from all Cisco Secure ACS Appliances.

Upgrading Cisco Secure ACS Remote Agent for Windows

The upgrade process consists of uninstalling the old version of the remote agent and installing the new version.


To upgrade Cisco Secure ACS Remote Agent for Windows software, follow these steps:

Step 1 Remove the old version of the remote agent by performing the steps in Uninstalling Cisco Secure ACS Remote Agent for Windows, page 2-6.

Step 2 Using the version of Cisco Secure ACS Remote Agent for Windows that you want to upgrade to, perform the steps in Installing a Remote Agent for Windows, page 2-3.

Windows Authentication from a Member Server

Using Cisco Secure ACS Remote Agent for Windows, a Cisco Secure ACS Appliance can authenticate users against both types of Windows domain user databases: Security Accounts Manager (SAM) user databases and Active Directory user databases. For either type of Windows domain user database, Cisco Secure ACS forwards authentication requests to the remote agent. The remote agent submits authentication requests to the Windows operating system of the server on which the remote agent is installed. If you have installed Cisco Secure ACS Remote Agent for Windows on a member server and you plan to use a Windows domain user database to authenticate users, you must perform additional Windows configuration to ensure that Windows permits authentication to occur from the member server. To do so, complete the steps in the following procedures:

• Verifying Domain Membership

• Configuring Security for the Remote Agent Service

• Configuring Active Directory for EAP-TLS


Verifying Domain Membership

One common configuration error that prevents Windows authentication is the erroneous assignment of the member server to a workgroup with the same name as the Windows domain that you want to use to authenticate users. While this may seem obvious, we recommend that you verify that the computer running the remote agent is a member server of the correct domain.

To verify domain membership of the computer running the remote agent, follow these steps:

Step 1 From the Windows desktop of the server running the remote agent, right-click My Computer and from the shortcut menu select Properties.

Result: The System Properties panel appears.

Step 2 Select the Network Identification tab.

Step 3 Verify that the Domain box displays the name of the domain that the computer running Cisco Secure ACS should be a member of.

Note: If the Workgroup box appears instead of the Domain box, the member server is not a member of a domain.

Step 4 If the computer running the remote agent is not a member of the correct domain, change the server identification, as applicable.

Configuring Security for the Remote Agent Service

If you have installed Cisco Secure ACS Remote Agent for Windows on a member server, the member server must pass Windows authentication requests to a domain controller. For these requests to succeed, the remote agent must submit them using a user account that has certain security privileges enabled on the member server.


Note: If you use Active Directory to authenticate users, determine whether Active Directory is configured to use Pre-Windows 2000 Compatible Mode. If all Active Directory trees containing users that will be authenticated by Cisco Secure ACS are configured to use this mode, the steps in this procedure are not required.

Before You Begin

If you have upgraded or reinstalled the remote agent and you completed this procedure previously, Step 1 through Step 6 apply to you only if you want to use a different user account to run the remote agent service.

To configure the remote agent service, follow these steps:

Step 1 In the domain that the computer running Cisco Secure ACS Remote Agent for Windows is a member of, create a domain user account. This is the user account that you will use to run the remote agent service. To determine which domain the computer running the remote agent belongs to, see Verifying Domain Membership, page 2-8.

Tip: Give the user account an easily recognizable name, like “CSACS”. If you enable audit policies, Event Viewer entries with this username will make it easier to diagnose permissions problems related to failed remote agent authentication attempts.

Step 2 Using the local administrator account, log in to the computer running Cisco Secure ACS Remote Agent for Windows.

Step 3 Add the user account you created in Step 1 to the local Administrators group. To do so, follow these steps:

a. Choose Start > Settings > Control Panel > Administrative Tools > Computer Management.

Tip: If Control Panel is not expanded on the Start menu, choose Start > Settings > Control Panel, double-click Administrative Tools, and then double-click Computer Management.

Result: The Computer Management window appears.


b. Under the Tree tab, double-click Local Users and Groups, and then click Groups.

Tip: If Local Groups and Users does not appear under the Tree tab, double-click System Tools.

Result: The Name column lists the local groups available on the computer running the remote agent.

c. Double-click Administrators.

Result: The Administrators Properties dialog box appears.

d. Click Add...

Result: The Select Users or Groups dialog box appears.

e. In the box below the Add button, type the username for the user account you created in Step 1.

Note: The username must be in domain-qualified format. For example, if you created a user named “CSACS” in the “CORPORATE” domain, type “CORPORATE\CSACS”.

f. Click Check Names.

Result: The Enter Network Password dialog box appears. This is because the local administrator account of the member server running the remote agent should not have permission to access user account information on the domain controller.

g. In the Connect as box, type a domain-qualified username.

Note: The username provided must exist in the domain specified in Step e. For example, if the domain specified is “CORPORATE” and “echamberlain” is a valid user in that domain, type “CORPORATE\echamberlain”.

h. In the Password box, type the password for the user account specified in Step e.


i. Click OK.

Result: Windows verifies the existence of the username provided in Step e. The Enter Network Password dialog box closes.

j. In the Select Users or Groups dialog box, click OK.

Result: The Select Users or Groups dialog box closes.

Windows adds the username to the Members list on the Administrators Properties dialog box.

k. Click OK.

Result: The Administrators Properties dialog box closes.

l. Close the Computer Management window.

Result: The user account you created in Step 1 is assigned to the local Administrators group.

Step 4 Choose Start > Settings > Control Panel > Administrative Tools > Local Security Policy.

Tip: If Control Panel is not expanded on the Start menu, choose Start > Settings > Control Panel, double-click Administrative Tools, and then double-click Local Security Policy.

Result: The Local Security Settings window appears.

Step 5 In the Name column, double-click Local Policies, and then double-click User Rights Assignment.

Result: The Local Security Settings window displays a list of policies with their associated settings. The two policies that you must configure are:

• Act as part of the operating system

• Log on as a service

Step 6 For the Act as part of the operating system policy and again for the Log on as a service policy, follow these steps:

a. Double-click the policy name.

Result: The Local Policy Setting dialog box appears.

b. Click Add...

Result: The Select Users or Groups dialog box appears.


c. In the box below the Add button, type the username for the user account you created in Step 1.

Note: The username must be in domain-qualified format. For example, if you created a user named “CSACS” in the “CORPORATE” domain, type “CORPORATE\CSACS”.

d. Click Check Names.

Result: The Enter Network Password dialog box appears. This is because the local administrator account of the member server running the remote agent should not have permission to access user account information on the domain controller.

e. In the Connect as box, type a domain-qualified username.

Note: The username provided must exist in the domain specified in Step c. For example, if the domain specified is “CORPORATE” and “echamberlain” is a valid user in that domain, type “CORPORATE\echamberlain”.

f. In the Password box, type the password for the user account specified in Step e.

g. Click OK.

Result: Windows verifies the existence of the username provided in Step c. The Enter Network Password dialog box closes.

h. In the Select Users or Groups dialog box, click OK.

Result: The Select Users or Groups dialog box closes.

Windows adds the username to the Assign To list in the Local Policy Setting dialog box.

i. Click OK.

Result: The Local Policy Setting dialog box closes. The domain-qualified username specified in Step c appears in the settings associated with the policy you have configured.

j. Verify that the username specified in Step c appears in the Local Setting column for the policy you modified. If it does not, repeat these steps.


Tip: To see the username you added, you may have to widen the Local Setting column.

Note: The Effective Setting column does not dynamically update. This procedure includes later verification steps for ensuring that the Effective Setting column contains the required information.

Result: After you have configured both the Act as part of the operating system policy and the Log on as a service policy, the user account created in Step 1 appears in the Local Setting column for the policy you configured.

Step 7 Verify that the security policy settings you changed are in effect on the computer running the remote agent. To do so, follow these steps:

a. Close the Local Security Settings window.

Result: The window closes. This is the only way to refresh the information in the Effective Setting column.

b. Open the Local Security Settings window again. To do so, choose Start > Programs > Administrative Tools > Local Security Policy.

c. In the Name column, double-click Local Policies, and then double-click User Rights Assignment.

Result: The Local Security Settings window displays an updated list of policies with their associated settings.

d. For the Act as part of the operating system policy and again for the Log on as a service policy, verify that the username you added to the policy in Step 6 appears in the Effective Setting column.

Note: If the username you configured the policies to include in Step 6 does not appear in the Effective Setting column for both policies, there may be security policy settings on the domain controller that conflict with the local setting. Resolve the conflict by configuring security policies on the domain controller to allow the local settings to be the effective settings for these two policies. For more information about configuring security policies on the domain controller, see your Microsoft documentation.


Result: The user account created in Step 1 has the required privileges to run Cisco Secure ACS services and support Windows authentication.

Step 8 Close the Local Security Settings window.

Step 9 Continuing as the local administrator on the computer running Cisco Secure ACS, choose Start > Settings > Control Panel > Administrative Tools > Services.

Tip: If Control Panel is not expanded on the Start menu, choose Start > Settings > Control Panel, double-click Administrative Tools, and then double-click Services.

Result: The Services window displays a list of service groups and a list of all registered services for the current group. The list of service groups is labeled Tree. The registered services for the current group appear in the list to the right of the Tree list.

Step 10 In the Tree list, click Services (local).

Result: The Windows service installed to support the remote agent appears in the lists of services as CiscoSecure ACS Agent. The service name is CSAgent.

Step 11 Configure the CiscoSecure ACS Agent service. To do so, follow these steps:

a. In the list of services, right-click the CiscoSecure ACS Agent service, and from the shortcut menu, choose Properties.

Result: The Computer Browser Properties (Local Computer) dialog box appears.

b. Select the Log On tab.

c. Select the This account option.

d. In the box next to the This account option, type the username for the account created in Step 1.

Note: The username must be in domain-qualified format. For example, if you created a user named “CSACS” in the “CORPORATE” domain, type “CORPORATE\CSACS”.

e. In the Password box and in the Confirm Password box, type the password for the user account created in Step 1.


f. Click Apply.

Note: If a confirmation dialog box appears, click OK.

Result: The CiscoSecure ACS Agent service is configured to run using the privileges of the user account created in Step 1.

Step 12 Restart the CiscoSecure ACS Agent service. To do so, follow these steps:

a. On the Computer Browser Properties (Local Computer) dialog box, select the General tab.

b. Click Stop.

Result: The Service Control dialog box appears while the service is stopping.

c. Click Start.

Result: The Service Control dialog box appears while the service is starting.

Result: The remote agent service runs using the privileges of the user account created in Step 1.
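As an offline cross-check of Steps 6 and 7, the following Python example (added here, not part of the Cisco guide) parses the [Privilege Rights] section of a security-template export, the format written by secedit /export, and reports whether the service account holds both required rights. Because "Act as part of the operating system" is a highly privileged right, it also lists every other holder of it. The sample export, the svc-legacy account and any SID values are constructed.

```python
# User-right constants behind the two policies named in Step 5.
REQUIRED_RIGHTS = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeServiceLogonRight": "Log on as a service",
}

# Constructed sample export. CORPORATE\CSACS is the guide's example account;
# CORPORATE\svc-legacy is a hypothetical second holder added for the demo.
SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeServiceLogonRight = CORPORATE\CSACS
SeTcbPrivilege = corporate\csacs,CORPORATE\svc-legacy
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(export_text):
    """Map each user right in [Privilege Rights] to its list of holders."""
    rights = {}
    section = None
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [h.strip() for h in value.split(",") if h.strip()]
    return rights


def _norm(principal):
    # Account names are case-insensitive; exported SIDs carry a leading "*".
    return principal.strip().lstrip("*").casefold()


def audit_service_account(export_text, account, account_sid=None):
    """Report required rights the account lacks and other SeTcbPrivilege holders.

    account_sid is optional: exports may list a principal by SID instead of
    by name, and this offline check cannot resolve one to the other.
    """
    rights = parse_privilege_rights(export_text)
    wanted = {_norm(account)}
    if account_sid:
        wanted.add(_norm(account_sid))
    missing = [right for right in REQUIRED_RIGHTS
               if not any(_norm(h) in wanted for h in rights.get(right, []))]
    others = [h for h in rights.get("SeTcbPrivilege", [])
              if _norm(h) not in wanted]
    return {"missing": missing, "tcb_other_holders": others}


if __name__ == "__main__":
    # For a real export, read the file with the encoding it was saved in.
    report = audit_service_account(SAMPLE_EXPORT, r"CORPORATE\CSACS")
    for right in report["missing"]:
        print(f"missing: {right} ({REQUIRED_RIGHTS[right]})")
    for holder in report["tcb_other_holders"]:
        print(f"review: {holder} also holds SeTcbPrivilege")
```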

Configuring Active Directory for EAP-TLS

If Cisco Secure ACS runs on a member server and any user is to be authenticated using EAP-TLS, you must complete additional configuration in Active Directory of the domain containing Cisco Secure ACS. The username that you configured to run all Cisco Secure ACS services must also have permission to read user properties in Active Directory, else EAP-TLS authentication fails. To the username you created in Verifying Domain Membership, page 2-8, you must grant “Read all properties” permission for all Active Directory folders containing users that will authenticate with EAP-TLS. This must be the same username that you configured Cisco Secure ACS services to run as. Granting permissions for Active Directory folders is done by accessing Active Directory using the Microsoft Management Console and configuring the security properties for the folders containing users who are to be authenticated by EAP-TLS.


Tip: You can access the security properties of an Active Directory folder containing users by right-clicking the folder, selecting Properties, and clicking the Security tab. Click Add to include the username that is used to run Cisco Secure ACS services.

For more information about configuring Active Directory permissions, see Microsoft Active Directory documentation for Windows 2000 Server.
