PEAP under Unified Wireless Networks with ACS 4.0 and Windows 2003
[LEFT][CODE]http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml[/CODE][B]Cisco 4400 Series Wireless LAN Controllers[/B]
[B]Document ID: 72013[/B]
[B]Contents[/B]
[INDENT] [B] Introduction
[/B] [B] Prerequisites
Requirements
Components Used
Network Diagram
Conventions
[/B] [B] Windows Enterprise 2003 Setup with IIS, Certificate Authority, DNS, DHCP (DC_CA)
DC_CA (wirelessdemoca)
[/B] [B] Windows Standard 2003 Setup with Cisco Secure ACS 4.0
Basic Installation and Configuration
Cisco Secure ACS 4.0 Installation
[/B] [B] Cisco LWAPP Controller Configuration
Create the Necessary Configuration for WPAv2/WPA
[/B] [B] PEAP Authentication
Install the Certificate Templates Snap-in
Create the Certificate Template for the ACS Web Server
Enable the New ACS Web Server Certificate Template
[/B] [B] ACS 4.0 Certificate Setup
Configure Exportable Certificate for ACS
Install the Certificate in ACS 4.0 Software
[/B] [B] CLIENT Configuration for PEAP using Windows Zero Touch
Perform a Basic Installation and Configuration
Install the Wireless Network Adapter
Configure the Wireless Network Connection
Problem: Odyssey Client Prompts Three Times for Token Authentication Platform
PEAP Authentication Fails with ACS Server
[/B] [B] Related Information [/B] [/INDENT][B] Introduction [/B]
This document describes how to configure secure wireless access using Wireless LAN controllers, Microsoft Windows 2003 software and Cisco Secure Access Control Server (ACS) 4.0 via Protected Extensible Authentication Protocol (PEAP) with Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 2.
[B]Note: [/B]For information about the deployment of secure wireless, refer to the [URL="http://www.microsoft.com/technet/itsolutions/network/wifi/default.mspx"]Microsoft Wi-Fi web site[/URL] and [URL="http://newsroom.cisco.com/dlls/fspnisapi0b73.html"]Cisco SAFE Wireless Blueprint[/URL].
[B] Prerequisites [/B]
[B] Requirements [/B]
This document assumes that the installer is familiar with basic Windows 2003 installation and Cisco controller installation; it covers only the configuration specific to this test setup.
For initial installation and configuration information for the Cisco 4400 Series Controllers, refer to the [URL="http://www.cisco.com/en/US/docs/wireless/controller/4400/quick/guide/ctrlv32.html"]Quick Start Guide: Cisco 4400 Series Wireless LAN Controllers[/URL]. For initial installation and configuration information for the Cisco 2000 Series Controllers, refer to the [URL="http://www.cisco.com/en/US/docs/wireless/controller/2000/quick/guide/hah_20qs.html"]Quick Start Guide: Cisco 2000 Series Wireless LAN Controllers[/URL].
Microsoft Windows 2003 installation and configuration guides can be found at [URL="http://technet2.microsoft.com/WindowsServer/en/library/c68efa05-c31e-42c9-aed6-0391130ceac21033.mspx?mfr=true"]Installing Windows Server 2003 R2[/URL].
Before you begin, install the Microsoft Windows Server 2003 with SP1 operating system on each of the servers in the test lab and update all Service Packs. Install the controllers and lightweight access points (LAPs) and ensure that the latest software updates are configured.
[B]Important:[/B] At the time of this writing, SP1 is the latest Microsoft Windows Server 2003 update, and SP2 with update patches is the latest software for Microsoft Windows XP Professional.
Windows Server 2003 with SP1, Enterprise Edition, is used so that autoenrollment of user and workstation certificates for PEAP authentication can be configured. Certificate autoenrollment and autorenewal make it easier to deploy certificates and improve security by automatically expiring and renewing certificates. With PEAP/MS-CHAP v2 the user credentials are protected only by the TLS tunnel to the ACS server, so clients must trust the CA that issues the ACS server certificate and must be configured to validate that certificate; an enterprise CA in the domain lets that trust be distributed to domain members automatically.
[B] Components Used [/B]
The information in this document is based on these software and hardware versions:
[LIST][*] Cisco 2006 or 4400 Series Controller that runs 3.2.116.21[*] Cisco 1131 Lightweight Access Point Protocol (LWAPP) AP[*] Windows 2003 Enterprise with Internet Information Server (IIS), Certificate Authority (CA), DHCP, and Domain Name System (DNS) installed[*] Windows 2003 Standard with Cisco Secure Access Control Server (ACS) 4.0[*] Windows XP Professional with SP2 (and current updates) and a wireless network interface card (NIC) with CCX v3 support, or a third-party supplicant[*] Cisco 3560 Switch[/LIST]
[B] Network Diagram [/B]
This document uses this network setup:
[B]Cisco Secure Wireless Lab Topology[/B]
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-1.gif[/IMG]
The primary purpose of this document is to provide a step-by-step procedure to implement PEAP in a Cisco Unified Wireless Network with ACS 4.0 and Windows 2003 Enterprise Server. The main emphasis is on auto-enrollment, so that the client obtains its certificate from the CA automatically rather than through a manual request.
[B]Note: [/B]In order to add Wi-Fi Protected Access (WPA)/WPA2 with Temporal Key Integrity Protocol (TKIP)/Advanced Encryption Standard (AES) support to Windows XP Professional with SP2, refer to [URL="http://support.microsoft.com/default.aspx?scid=kb;en-us;893357"]WPA2/Wireless Provisioning Services Information Element (WPS IE) update for Windows XP with Service Pack 2[/URL].
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
[B] Conventions [/B]
Refer to the [URL="http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a0080121ac5.shtml"]Cisco Technical Tips Conventions[/URL] for more information on document conventions.
[B] Windows Enterprise 2003 Setup with IIS, Certificate Authority, DNS, DHCP (DC_CA) [/B]
[B] DC_CA (wirelessdemoca) [/B]
DC_CA is a computer that runs Windows Server 2003 with SP1, Enterprise Edition, and performs these roles:
[LIST][*] A domain controller for the [B]wirelessdemo.local[/B] domain that runs IIS[*] A DNS server for the [B]wirelessdemo.local[/B] DNS domain[*] A DHCP server[*] Enterprise root CA for the [B]wirelessdemo.local[/B] domain[/LIST]
Complete these steps in order to configure DC_CA for these services:
[LIST=1][*] [URL="http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml#t2"]Perform a basic installation and configuration.[/URL][*] [URL="http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml#t3"]Configure the computer as a domain controller.[/URL][*] [URL="http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml#t4"]Raise the domain functional level.[/URL][*] [URL="http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml#t5"]Install and configure DHCP.[/URL][*] [URL="http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml#t6"]Install certificate services.[/URL][*] [URL="http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml#t7"]Verify Administrator permissions for certificates.[/URL][*] [URL="http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml#t8"]Add computers to the domain.[/URL][*] [URL="http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml#t9"]Allow wireless access to computers.[/URL][*] [URL="http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml#t10"]Add users to the domain.[/URL][*] [URL="http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml#t11"]Allow wireless access to users.[/URL][*] [URL="http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml#t12"]Add groups to the domain.[/URL][*] [URL="http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml#t13"]Add users to the WirelessUsers group.[/URL][*] [URL="http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml#t14"]Add client computers to the WirelessUsers group.[/URL][/LIST]
[B] Step 1: Perform Basic Installation and Configuration [/B]
Complete these steps:
[LIST=1][*] Install Windows Server 2003 with SP1, Enterprise Edition, as a stand-alone server.[*] Configure the TCP/IP protocol with the IP address of [B]172.16.100.26[/B] and the subnet mask of [B]255.255.255.0[/B].[/LIST]
[B] Step 2: Configure the Computer as a Domain Controller [/B]
Complete these steps:
[LIST=1][*] In order to start the Active Directory Installation wizard, choose [B]Start > Run[/B], type [B]dcpromo.exe[/B], and click [B]OK[/B].[*] On the Welcome to the Active Directory Installation Wizard page, click [B]Next[/B].[*] On the Operating System Compatibility page, click [B]Next[/B].[*] On the Domain Controller Type page, select [B]Domain Controller for a new Domain[/B] and click [B]Next[/B].[*] On the Create New Domain page, select [B]Domain in a new forest[/B] and click [B]Next[/B].[*] On the Install or Configure DNS page, select [B]No, just install and configure DNS on this computer[/B] and click [B]Next[/B].[*] On the New Domain Name page, type [B]wirelessdemo.local[/B] and click [B]Next[/B].[*] On the NetBIOS Domain Name page, enter the Domain NetBIOS name as [B]wirelessdemo[/B] and click [B]Next[/B].[*] In the Database and Log Folders Locations page, accept the default Database and Log Folders directories and click [B]Next[/B].
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-2.gif[/IMG][*] In the Shared System Volume page, verify that the default folder location is correct and click [B]Next[/B].
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-3.gif[/IMG][*] On the Permissions page, verify that [B]Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems[/B] is selected and click [B]Next[/B].
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-4.gif[/IMG][*] On the Directory Services Restore Mode Administration Password page, leave the password boxes blank and click [B]Next[/B]. This is acceptable only in an isolated lab: the DSRM password is an offline administrator credential for the domain controller, so set a strong value anywhere else.[*] Review the information on the Summary page and click [B]Next[/B].
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-5.gif[/IMG][*] When you are done with the Active Directory installation, click [B]Finish[/B].[*] When prompted to restart the computer, click [B]Restart Now[/B].[/LIST]
[B] Step 3: Raise the Domain Functional Level [/B]
Complete these steps:
[LIST=1][*] Open the [B]Active Directory Domains and Trusts[/B] snap-in from the [B]Administrative Tools[/B] folder ([B]Start > Programs > Administrative Tools > Active Directory Domains and Trusts[/B]), and then right-click the domain [B]wirelessdemo.local[/B].[*] Click [B]Raise Domain Functional Level[/B], and then select [B]Windows Server 2003[/B] on the Raise Domain Functional Level page.
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-6.gif[/IMG][*] Click [B]Raise[/B], click [B]OK[/B], and then click [B]OK[/B] again.[/LIST]
[B] Step 4: Install and Configure DHCP [/B]
Complete these steps:
[LIST=1][*] Install [B]Dynamic Host Configuration Protocol (DHCP)[/B] as a [B]Networking Service[/B] component by using [B]Add or Remove Programs[/B] in the Control Panel.[*] Open the [B]DHCP[/B] snap-in from the [B]Administrative Tools[/B] folder [B](Start > Programs > Administrative Tools > DHCP)[/B], and then highlight the DHCP server, [B]DC_CA.wirelessdemo.local[/B].[*] Click [B]Action[/B], and then click [B]Authorize[/B] in order to authorize the DHCP service.[*] In the console tree, right-click [B]DC_CA.wirelessdemo.local[/B], and then click [B]New Scope[/B].[*] On the Welcome page of the New Scope wizard, click [B]Next[/B].[*] On the Scope Name page, type [B]CorpNet[/B] in the Name field.
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-7.gif[/IMG][*] Click [B]Next[/B] and fill in these parameters:
[LIST][*] Start IP address—[B]172.16.100.1[/B][*] End IP address—[B]172.16.100.254[/B][*] Length—[B]24[/B][*] Subnet mask—[B]255.255.255.0[/B][/LIST]
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-8.gif[/IMG]
[*] Click [B]Next[/B] and enter [B]172.16.100.1[/B] for the Start IP address and [B]172.16.100.100[/B] for the End IP address to be excluded. Then click [B]Next[/B]. This excludes 172.16.100.1 through 172.16.100.100 from the pool: the DHCP server never leases these addresses, which keeps them free for statically addressed infrastructure such as the default gateway at 172.16.100.1 and DC_CA at 172.16.100.26.
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-9.gif[/IMG][*] On the Lease Duration page, click [B]Next[/B].[*] On the Configure DHCP Options page, choose [B]Yes, I want to configure these options now[/B] and click [B]Next[/B].
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-10.gif[/IMG][*] On the Router (Default Gateway) page add the default router address of [B]172.16.100.1[/B] and click [B]Next[/B].
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-11.gif[/IMG][*] On the Domain Name and DNS Servers page, type [B]wirelessdemo.local[/B] in the Parent domain field, type [B] 172.16.100.26[/B] in the IP address field, and then click [B]Add[/B] and click [B]Next[/B].
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-12.gif[/IMG][*] On the WINS Servers page, click [B]Next[/B].[*] On the Activate Scope page, choose [B]Yes, I want to activate this scope now[/B] and click [B]Next[/B].
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-13.gif[/IMG][*] When you finish with the New Scope Wizard page, click [B]Finish[/B].[/LIST]
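The same CorpNet scope built from the command line with the netsh dhcp context, as an added example that is not part of the original Cisco document. It assumes the commands run in a command prompt on DC_CA itself (172.16.100.26) under an account that is a member of Enterprise Admins, which the authorization step requires; the option codes 003, 006 and 015 are the standard DHCP codes for router, DNS servers and DNS domain name. The scope comment text is an arbitrary label chosen for the example.

```batch
@echo off
rem Added example, not from the original document: build the CorpNet scope
rem from the command line on DC_CA (172.16.100.26) instead of the New Scope wizard.
set DHCPSRV=172.16.100.26

rem Authorize this server in Active Directory (equivalent of Action > Authorize).
rem An unauthorized DHCP server on a domain network refuses to lease addresses.
netsh dhcp add server DC_CA.wirelessdemo.local %DHCPSRV%

rem Scope 172.16.100.0/24 named CorpNet with the full .1-.254 range.
netsh dhcp server %DHCPSRV% add scope 172.16.100.0 255.255.255.0 CorpNet "Wireless lab"
netsh dhcp server %DHCPSRV% scope 172.16.100.0 add iprange 172.16.100.1 172.16.100.254

rem Exclude .1-.100 so the gateway (.1), DC_CA (.26) and the other static
rem infrastructure hosts are never handed out to wireless clients.
netsh dhcp server %DHCPSRV% scope 172.16.100.0 add excluderange 172.16.100.1 172.16.100.100

rem Scope options: 003 router, 006 DNS server, 015 DNS domain name.
netsh dhcp server %DHCPSRV% scope 172.16.100.0 set optionvalue 003 IPADDRESS 172.16.100.1
netsh dhcp server %DHCPSRV% scope 172.16.100.0 set optionvalue 006 IPADDRESS %DHCPSRV%
netsh dhcp server %DHCPSRV% scope 172.16.100.0 set optionvalue 015 STRING wirelessdemo.local

rem Activate the scope (state 1 = active).
netsh dhcp server %DHCPSRV% scope 172.16.100.0 set state 1

rem Verify: the exclusion must cover the static hosts, option 006 must point
rem at DC_CA (clients need the domain DNS to find the CA and the DC), and the
rem server must appear in the list of servers authorized in the directory.
netsh dhcp server %DHCPSRV% scope 172.16.100.0 show excluderange
netsh dhcp server %DHCPSRV% scope 172.16.100.0 show optionvalue
netsh dhcp show server
```

Run the script once; rerunning it reports errors for the scope and range that already exist, which is harmless. The DNS option is the one that matters for the rest of this document: a wireless client that receives a DNS server other than DC_CA cannot resolve the domain SRV records it needs for domain logon and certificate autoenrollment.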
[B] Step 5: Install Certificate Services [/B]
Complete these steps:
[B]Note: [/B]IIS must be installed before you install Certificate Services, and the account that performs the installation must be a member of the Enterprise Admins group, because an enterprise CA writes its configuration into Active Directory.
[LIST=1][*] In Control Panel, open [B]Add or Remove Programs[/B], and then click [B]Add/Remove Windows Components[/B].[*] In the Windows Components Wizard page, choose [B]Certificate Services[/B], and then click [B]Next[/B].
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-14.gif[/IMG][*] On the CA Type page, choose [B]Enterprise root CA[/B] and click [B]Next[/B].
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-15.gif[/IMG][*] In the CA Identifying Information page, type [B]wirelessdemoca[/B] in the Common name for this CA box. You can also enter the other optional details. Then click [B]Next[/B] and accept the defaults on the Certificate Database Settings page.
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-16.gif[/IMG][*] Click [B]Next[/B]. Upon completion of the installation, click [B]Finish[/B].[*] Click [B]OK[/B] after you read the warning message about installing IIS.[/LIST]
[B] Step 6: Verify Administrator Permissions for Certificates [/B]
Complete these steps:
[LIST=1][*] Choose [B]Start > Administrative Tools > Certification Authority[/B].[*] Right-click [B]wirelessdemoca CA[/B] and then click [B]Properties[/B].[*] On the Security tab, click [B]Administrators[/B] in the [B]Group or User names[/B] list.[*] In the Permissions or Administrators list, verify that these options are set to [B]Allow[/B]:
[LIST][*] Issue and Manage Certificates[*] Manage CA[*] Request Certificates[/LIST]
If any of these are set to Deny or are not selected, set the permission to [B]Allow[/B].
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-17.gif[/IMG]
[*] Click [B]OK[/B] to close the wirelessdemoca CA Properties dialog box, and then close Certification Authority.[/LIST]
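A set of certutil checks that confirm Steps 5 and 6 produced a working enterprise root CA, as an added example that is not part of the original Cisco document. It assumes it runs on DC_CA or any domain member as a domain user; the CA configuration string is the host name and the CA common name from Step 5, joined with a backslash.

```batch
@echo off
rem Added example, not from the original document: verify that the enterprise
rem root CA from Step 5 is reachable and published where PEAP clients need it.
rem CA config string = <host>\<CA common name> as entered in Step 5.
set CACONFIG=DC_CA.wirelessdemo.local\wirelessdemoca

rem Is the Certificate Services RPC/DCOM interface answering?
certutil -config "%CACONFIG%" -ping

rem Confirm the CA type (expected: Enterprise Root CA) and its name.
certutil -config "%CACONFIG%" -CAInfo type
certutil -config "%CACONFIG%" -CAInfo name

rem An enterprise root CA publishes its certificate to the forest-wide Root
rem and NTAuth stores in Active Directory. Domain members copy the Root entry
rem into their Trusted Root store through Group Policy, which is how the
rem wireless clients come to trust the ACS server certificate issued later.
certutil -enterprise -store Root
certutil -enterprise -store NTAuth

rem Templates this CA can currently issue. The ACS web server template
rem created in the PEAP Authentication section has to appear here before
rem the ACS server can enroll for its certificate.
certutil -config "%CACONFIG%" -CATemplates
```

If the ping fails, the CA service is not running or DCOM is blocked; if the wirelessdemoca certificate is missing from the enterprise Root store, clients will later reject the ACS server certificate during the PEAP TLS handshake even though ACS itself is configured correctly.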
[B] Step 7: Add Computers to the Domain [/B]
Complete these steps:
[B]Note: [/B]If the computer is already added to the domain, proceed to [URL="http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml#t10"]Add Users to the Domain[/URL].
[LIST=1][*] Open the [B]Active Directory Users and Computers[/B] snap-in.[*] In the console tree, expand [B]wirelessdemo.local[/B].[*] Right-click [B]Users[/B], click [B]New[/B], and then click [B]Computer[/B].[*] In the New Object – Computer dialog box, type the name of the computer in the Computer name field and click [B]Next[/B]. This example uses the computer name [B]Client[/B].
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-18.gif[/IMG][*] In the Managed dialog box, click [B]Next[/B].[*] In the New Object – Computer dialog box, click [B]Finish[/B].[*] Repeat steps 3 through 6 in order to create additional computer accounts.[/LIST]
[B] Step 8: Allow Wireless Access to Computers [/B]
Complete these steps:
[LIST=1][*] In the Active Directory Users and Computers console tree, open the container that holds the computer account (the [B]Users[/B] container if you created it as in Step 7, otherwise [B]Computers[/B]) and right-click the computer for which you want to allow wireless access. This example uses the computer [B]Client[/B] added in Step 7. Click [B]Properties[/B], and then go to the [B]Dial-in[/B] tab.[*] Choose [B]Allow access[/B] and click [B]OK[/B]. This sets the account's dial-in permission, which ACS consults for every access type, including wireless, when the "Grant dialin permission to user" option is enabled during the ACS installation.[/LIST]
[B] Step 9: Add Users to the Domain [/B]
Complete these steps:
[LIST=1][*] In the Active Directory Users and Computers console tree, right-click [B]Users[/B], click [B]New[/B], and then click [B]User[/B].[*] In the New Object – User dialog box, type the name of the Wireless user. This example uses the name [B]WirelessUser[/B] in the First name field, and[B] WirelessUser[/B] in the User logon name field. Click [B]Next[/B].
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-19.gif[/IMG][*] In the New Object – User dialog box, type a password of your choice in the Password and Confirm password fields. Clear the [B]User must change password at next logon[/B] check box, and click [B]Next[/B].
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-20.gif[/IMG][*] In the New Object – User dialog box, click [B]Finish[/B].[*] Repeat steps 2 through 4 in order to create additional user accounts.[/LIST]
[B] Step 10: Allow Wireless Access to Users [/B]
Complete these steps:
[LIST=1][*] In the [B]Active Directory Users and Computers[/B] console tree, click the [B]Users[/B] folder, right-click [B]WirelessUser[/B], click [B]Properties[/B], and then go to the Dial-in tab.[*] Choose [B]Allow access[/B] and click [B]OK[/B].[/LIST]
[B] Step 11: Add Groups to the Domain [/B]
Complete these steps:
[LIST=1][*] In the [B]Active Directory Users and Computers[/B] console tree, right-click [B]Users[/B], click [B]New[/B], and then click [B]Group[/B].[*] In the New Object – Group dialog box, type the name of the group in the Group name field and click [B]OK[/B]. This document uses the group name [B]WirelessUsers[/B].
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-21.gif[/IMG][/LIST]
[B] Step 12: Add Users to the WirelessUsers Group [/B]
Complete these steps:
[LIST=1][*] In the details pane of Active Directory Users and Computers, double-click on the group [B]WirelessUsers[/B].[*] Go to the Members tab and click [B]Add[/B].[*] In the Select Users, Contacts, Computers, or Groups dialog box, type the name of the users that you want to add to the group. This example shows how to add the user [B]wirelessuser[/B] to the group. Click [B]OK[/B].
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-22.gif[/IMG][*] In the Multiple Names Found dialog box, click [B]OK[/B]. The WirelessUser user account is added to the WirelessUsers group.
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-23.gif[/IMG][*] Click [B]OK[/B] in order to save changes to the WirelessUsers group.[*] Repeat this procedure to add more users to the group.[/LIST]
[B] Step 13: Add Client Computers to the WirelessUsers Group [/B]
Complete these steps:
[LIST=1][*] Repeat steps 1 and 2 in the [URL="http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml#t13"]Add Users to the WirelessUsers Group[/URL] section of this document.[*] In the Select Users, Contacts, or Computers dialog box, type the name of the computer that you want to add to the group. This example shows how to add the computer named [B]Client[/B] to the group.
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-24.gif[/IMG][*] Click [B]Object Types[/B], clear the [B]Users[/B] check box, and then check [B]Computers[/B].
[IMG]http://www.cisco.com/image/gif/paws/72013/peap-acs40-win2003-25.gif[/IMG][*] Click [B]OK[/B] twice. The CLIENT computer account is added to the WirelessUsers group.[*] Repeat the procedure to add more computers to the group.[/LIST]
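Steps 7 through 13 as one script using the directory service command-line tools (dsadd, dsmod, dsget, dsquery, ldifde) that ship with Windows Server 2003, as an added example that is not part of the original Cisco document. It assumes it runs on DC_CA under a Domain Admins account and that, as in the wizard steps above, all objects live in the default Users container; the temporary file name dialin.ldf is an arbitrary choice.

```batch
@echo off
rem Added example, not from the original document: Steps 7 through 13 with the
rem Windows Server 2003 directory service command-line tools. Run on DC_CA as a
rem Domain Admin. Objects go in the default Users container, which is where the
rem wizard in Step 7 creates them.
set BASE=CN=Users,DC=wirelessdemo,DC=local

rem Step 7: computer account for the wireless client.
dsadd computer "CN=Client,%BASE%"

rem Step 9: user account. "-pwd *" prompts for the password instead of leaving it
rem in the command history; "-mustchpwd no" matches the cleared "User must change
rem password at next logon" box (a forced change cannot be completed over PEAP).
dsadd user "CN=WirelessUser,%BASE%" -samid WirelessUser -upn WirelessUser@wirelessdemo.local -fn WirelessUser -display WirelessUser -pwd * -mustchpwd no -disabled no

rem Step 11: global security group.
dsadd group "CN=WirelessUsers,%BASE%" -secgrp yes -scope g

rem Steps 12 and 13: add the user and the computer to the group.
dsmod group "CN=WirelessUsers,%BASE%" -addmbr "CN=WirelessUser,%BASE%" "CN=Client,%BASE%"

rem Steps 8 and 10: "Allow access" on the Dial-in tab writes msNPAllowDialin=TRUE.
rem dsmod has no switch for that attribute, so apply it with an LDIF change file
rem (dialin.ldf is a temporary file created here; the name is arbitrary).
> dialin.ldf echo dn: CN=WirelessUser,%BASE%
>> dialin.ldf echo changetype: modify
>> dialin.ldf echo replace: msNPAllowDialin
>> dialin.ldf echo msNPAllowDialin: TRUE
>> dialin.ldf echo -
>> dialin.ldf echo.
>> dialin.ldf echo dn: CN=Client,%BASE%
>> dialin.ldf echo changetype: modify
>> dialin.ldf echo replace: msNPAllowDialin
>> dialin.ldf echo msNPAllowDialin: TRUE
>> dialin.ldf echo -
ldifde -i -f dialin.ldf
del dialin.ldf

rem Verify group membership and the dial-in flag that ACS reads when
rem "Grant dialin permission to user" is enabled at install time.
dsget group "CN=WirelessUsers,%BASE%" -members
dsquery * "CN=WirelessUser,%BASE%" -scope base -attr msNPAllowDialin
dsquery * "CN=Client,%BASE%" -scope base -attr msNPAllowDialin
```

The last two queries should print TRUE for both objects. If they print nothing, the Dial-in tab still shows "Control access through Remote Access Policy", and ACS will reject the account as soon as the "Grant dialin permission to user" check is enabled.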
[B] Windows Standard 2003 Setup with Cisco Secure ACS 4.0 [/B]
The ACS server is a computer that runs Windows Server 2003 with SP1, Standard Edition, and provides RADIUS authentication and authorization for the controller. Complete the procedures in this section in order to configure ACS as a RADIUS server:
[B] Basic Installation and Configuration [/B]
Complete these steps:
[LIST=1][*] Install Windows Server 2003 with SP1, Standard Edition, as a [B]member server[/B] named [B]ACS[/B] in the [B]wirelessdemo.local[/B] domain.
[B]Note: [/B]The ACS server appears under the name cisco_w2003 in the remaining configurations; treat ACS and cisco_w2003 as the same host for the rest of the lab setup.[*] For the local area connection, configure the TCP/IP protocol with a static IP address in the 172.16.100.0/24 subnet and the subnet mask of [B]255.255.255.0[/B]. The address must differ from DC_CA's [B]172.16.100.26[/B] (the original text repeats that address here, which would collide with the domain controller) and should lie in the 172.16.100.1 through 172.16.100.100 range excluded from the DHCP scope. Set the DNS server to DC_CA ([B]172.16.100.26[/B]) rather than 127.0.0.1: the member server runs no DNS service of its own, and it needs the domain's DNS SRV records to locate DC_CA for domain membership, authentication and certificate enrollment.[/LIST]
[B] Cisco Secure ACS 4.0 Installation [/B]
[B]Note: [/B]Refer to the [URL="http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/installation/guide/windows/install.html"]Installation Guide for Cisco Secure ACS 4.0 for Windows[/URL] for more information on how to configure Cisco Secure ACS 4.0 for Windows.
Complete these steps:
[LIST=1][*] Log in to the computer named ACS with a Domain Administrator account in order to install Cisco Secure ACS.
[B]Note: [/B]Only installations performed at the computer where you install Cisco Secure ACS are supported. Remote installations performed using Windows Terminal Services or products such as Virtual Network Computing (VNC) are not tested, and are not supported.[*] Insert the Cisco Secure ACS CD into a CD-ROM drive on the computer.[*] If the CD-ROM drive supports the Windows autorun feature, the Cisco Secure ACS for Windows Server dialog box appears.
[B]Note: [/B]If the computer does not have a required service pack installed, a dialog box appears. Windows service packs can be applied either before or after you install Cisco Secure ACS. You can continue with the installation, but the required service pack must be applied after the installation is complete. Otherwise, Cisco Secure ACS might not function reliably.[*] Perform one of these tasks:
[LIST][*] If the Cisco Secure ACS for Windows Server dialog box appears, click [B]Install[/B].[*] If the Cisco Secure ACS for Windows Server dialog box does not appear, run [B]setup.exe[/B], located in the root directory of the Cisco Secure ACS CD.[/LIST]
[*] The Cisco Secure ACS Setup dialog box displays the software license agreement.[*] Read the software license agreement. If you accept the software license agreement, click [B]Accept[/B].
The Welcome dialog box displays basic information about the setup program.[*] After you have read the information in the Welcome dialog box, click [B]Next[/B].[*] The Before You Begin dialog box lists items that you must complete before you continue with the installation. If you have completed all items listed in the Before You Begin dialog box, check the corresponding box for each item and click [B]Next[/B].
[B]Note: [/B]If you have not completed all items listed in the Before You Begin dialog box, click [B]Cancel[/B] and then click [B]Exit Setup[/B]. After you complete all items listed in the Before You Begin dialog box, restart the installation.[*] The Choose Destination Location dialog box appears. Under Destination Folder, the installation location appears. This is the drive and path where the setup program installs Cisco Secure ACS.[*] If you want to change the installation location, complete these steps:
[LIST=1][*] Click [B]Browse[/B]. The Choose Folder dialog box appears. The Path box contains the installation location.[*] Change the installation location. You can either type the new location in the Path box or use the Drives and Directories lists to select a new drive and directory. The installation location must be on a drive local to the computer.
[B]Note: [/B]Do not specify a path that contains a percent character, "%". If you do so, the installation might appear to continue properly but fails before it completes.[*] Click [B]OK[/B].
[B]Note: [/B]If you specified a folder that does not exist, the setup program displays a dialog box to confirm the creation of the folder. In order to continue, click [B]Yes[/B].[/LIST]
[*] In the Choose Destination Location dialog box, the new installation location appears under Destination Folder.[*] Click [B]Next[/B].[*] The Authentication Database Configuration dialog box lists options for authenticating users. You can authenticate with the Cisco Secure user database only, or also with a Windows user database.
[B]Note: [/B]After you install Cisco Secure ACS, you can configure authentication support for all external user database types in addition to Windows user databases.[*] If you want to authenticate users with the Cisco Secure user database only, choose the [B]Check the Cisco Secure ACS database only[/B] option.[*] If you want to authenticate users with a Windows Security Accounts Manager (SAM) user database or Active Directory user database in addition to the Cisco Secure user database, complete these steps:
[LIST=1][*] Choose the [B]Also check the Windows User Database[/B] option.[*] The [B]Yes, refer to "Grant dialin permission to user" setting[/B] check-box becomes available.
[B]Note: [/B]The Yes, refer to "Grant dialin permission to user" setting check-box applies to all forms of access controlled by Cisco Secure ACS, not just dial-in access. For example, a user who accesses the network through a VPN tunnel does not dial into a network access server. However, if the [B]Yes, refer to "Grant dialin permission to user"[/B] setting box is checked, Cisco Secure ACS applies the Windows user dial-in permissions in order to determine whether to grant the user access to the network.[*] If you want to allow access to users who are authenticated by a Windows domain user database only when they have dial-in permission in their Windows account, check the [B]Yes, refer to "Grant dialin permission to user" setting[/B] box.[/LIST]
[*] Click [B]Next[/B].[*] The setup program installs Cisco Secure ACS and updates the Windows registry.[*] The Advanced Options dialog box lists several features of Cisco Secure ACS that are not enabled by default. For more information about these features, refer to the [URL="http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_installation_guides_list.html"]User Guide for Cisco Secure ACS for Windows Server, version 4.0[/URL].
[B]Note: [/B]The listed features appear in the Cisco Secure ACS HTML interface only if you enable them. After installation, you can enable or disable them on the Advanced Options page in the Interface Configuration section.[*] For each feature you want to enable, check the corresponding box.[*] Click [B]Next[/B].[*] The Active Service Monitoring dialog box appears.
[B]Note: [/B]After installation, you can configure active service monitoring features on the Active Service Management page in the System Configuration section.[*] If you want Cisco Secure ACS to monitor user authentication services, check the [B]Enable Login Monitoring[/B] box. From the Script to Execute list, choose the option you want applied in the event of authentication service failure:
[LIST][*] [B]No Remedial Action[/B]—Cisco Secure ACS does not run a script.
[B]Note: [/B]This option is useful if you enable event mail notifications.[*] [B]Reboot[/B]—Cisco Secure ACS runs a script that reboots the computer that runs Cisco Secure ACS.[*] [B]Restart All[/B]—Cisco Secure ACS restarts all Cisco Secure ACS services.[*] [B]Restart RADIUS/TACACS+[/B]—Cisco Secure ACS restarts only the RADIUS and TACACS+ services.[/LIST]
[*] If you want Cisco Secure ACS to send an e-mail message when service monitoring detects an event, check the [B]Mail Notification[/B] box.[*] Click [B]Next[/B].[*] The Database Encryption Password dialog box appears.
[B]Note: [/B]The Database Encryption Password is encrypted and stored in the ACS registry. You might need it again when critical problems arise and the database needs to be accessed manually, so keep it available for Technical Support; it can be changed at each expiration period.[*] Enter a password for database encryption. The password must be at least eight characters long and must contain both letters and digits. There are no invalid characters.[*] Click [B]Next[/B].[*] The setup program finishes and the Cisco Secure ACS Service Initiation dialog box appears.[*] For each Cisco Secure ACS Services Initiation option you want, check the corresponding box. The actions associated with the options occur after the setup program finishes.
[LIST][*] [B]Yes, I want to start the Cisco Secure ACS Service now[/B]—Starts the Windows services that compose Cisco Secure ACS. If you do not select this option, the Cisco Secure ACS HTML interface is not available unless you reboot the computer or start the CSAdmin service.[*] [B]Yes, I want Setup to launch the Cisco Secure ACS Administrator from my browser following installation[/B]—Opens the Cisco Secure ACS HTML interface in the default web browser for the current Windows user account.[*] [B]Yes, I want to view the Readme File[/B]—Opens the README.TXT file in Windows Notepad.[/LIST]
[*] Click [B]Next[/B].[*] If you selected an option, the Cisco Secure ACS services start. The Setup Complete dialog box displays information about the Cisco Secure ACS HTML interface.[*] Click [B]Finish[/B].
[B]Note: [/B]The rest of the configuration is documented under the section for the EAP type that is configured.[/LIST]
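A post-installation check for the ACS host, as an added example that is not part of the original Cisco document. It assumes it runs in a command prompt on the ACS server after Setup has finished with the "start the Cisco Secure ACS Service now" option selected; the service names are the ones ACS 4.0 for Windows registers, and the listener ports are the RADIUS authentication and accounting ports (1645/1646 and 1812/1813) plus TCP 2002, the initial port of the HTML administration interface.

```batch
@echo off
rem Added example, not from the original document: confirm that the ACS 4.0
rem services started and that the RADIUS and administration listeners are up.
rem Run on the ACS host after Setup completes.

rem Every ACS component runs as its own Windows service; all must be RUNNING.
rem CSAdmin serves the HTML interface, CSAuth does the authentication work,
rem CSRadius and CSTacacs are the protocol front ends, CSLog writes the
rem reports, CSMon is the service monitor configured above, CSDBSync handles
rem database replication/synchronization.
for %%S in (CSAdmin CSAuth CSDBSync CSLog CSMon CSRadius CSTacacs) do (
    echo %%S
    sc query %%S | findstr /C:"STATE"
)

rem RADIUS listens on UDP 1645/1646 (legacy) and 1812/1813 (RFC 2865/2866).
rem If none of these appear, the controller's RADIUS requests will time out.
netstat -an -p UDP | findstr /C:":1645 " /C:":1646 " /C:":1812 " /C:":1813 "

rem The HTML administration interface accepts the first connection on TCP 2002
rem and then moves the session to a port from the range configured under
rem Administration Control, so only 2002 is expected here before any login.
netstat -an -p TCP | findstr /C:":2002 "
```

A service that shows STOPPED after installation usually means the service pack requirement from the earlier note was not met, or the database encryption step failed; check the Windows event log and the CSMon service log before retrying the installation.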
[/LEFT]