User Changeable Passwords


One issue you face when storing user information and passwords in the local ACS database is the strength of the user passwords. The longer a user keeps the same password, the weaker it becomes. Because of this weakness of long-lived passwords, you want to give users a way to change their password on a regular basis. This can be done with ACS by installing a User Changeable Password (UCP) module. This module is available on the ACS CD if you have purchased the full product, or in the folder that you extracted ACS to if you are using a trial download.

Note the following specific information regarding the UCP web page:

The UCP web page requires users to log in. The password required is the PAP password for the user account. UCP authenticates the user with CiscoSecure ACS and then allows the user to specify a new password. UCP changes both the PAP and CHAP passwords for the user to the password submitted.

Communication between UCP and CiscoSecure ACS is protected with 128-bit encryption. To further increase security, we recommend implementing SSL to protect communication between web browsers and UCP.[1]

To install and run the UCP module, the system that it is placed on must run Microsoft Internet Information Services (IIS) 5.0. It does not need to be on the same server as ACS, but it must be able to reach the ACS device on the network.

Preparing the Web Server

Before you can install the UCP module, you must prepare your web server. The web server needs to perform Secure Sockets Layer (SSL) encryption, or the users' passwords can be seen in clear text when changed.

In addition to enrolling the server and obtaining the certificates used for the encryption, you also need to prepare the server by creating two virtual directories: one called secure, which holds the HTML files for UCP, and the other named securecgi-bin, which holds the UCP executable files.

After you have prepared your web server, you need to do a little more configuration in ACS if the UCP module is not going to be installed on the same device. You also need to assign the correct permissions to the virtual directories; if the permissions are set incorrectly, the UCP module might not operate correctly.

The following steps from the Installation and User Guide for Cisco Secure ACS User-Changeable Passwords[2] guide you through the process of preparing the web server:

Step 1.

Make sure the web server uses Microsoft IIS 5.0. IIS 5.0 is included with Windows 2000.

Step 2.

In the file system directory that the web server uses as its home directory, create the following two directories:

- secure: This directory contains the HTML files used by UCP. You can use a name different from secure. You use the name you choose later in Step 3 of this procedure and twice more in "Installing the UCP Module."

- securecgi-bin: This directory contains the executable CGI files used by UCP. You can use a name different from securecgi-bin. You use the name you choose in Step 4 of this procedure and twice more in "Installing the UCP Module."

If the home directory of the web server is C:\Inetpub\wwwroot, use My Computer to add the directories to C:\Inetpub\wwwroot.

NOTE

To determine the home directory, see the properties of the default web site for Microsoft IIS.

Step 3.

In Microsoft IIS, add a virtual directory for the HTML files used by UCP. Use the following information when you create the virtual directory:

- Virtual Directory Alias: A name for the virtual directory, which corresponds to the secure directory created in Step 2. We recommend that you use secure. This alias is a component in the URL used to access UCP, so a short but descriptive alias can help users remember the URL.

- Web Site Content Directory: The directory specified must match the secure directory created in Step 2. The default directory from Step 2 is C:\Inetpub\wwwroot\secure.

- Access Permissions: Give this virtual directory read permissions. No other permissions are necessary. For information about creating virtual directories, see Microsoft IIS documentation, available at http://www.microsoft.com/windows2000/en/server/iis/.

Step 4.

Add a virtual directory for the CGI executable files used by UCP. Use the following information when you create the virtual directory:

- Virtual Directory Alias: A name for the virtual directory, which corresponds to the securecgi-bin directory created in Step 2. We recommend that you use securecgi-bin.

- Web Site Content Directory: The directory specified must match the securecgi-bin directory created in Step 2. The default directory from Step 2 is C:\Inetpub\wwwroot\securecgi-bin.

- Access Permissions: Give this virtual directory read and execute permissions. No other permissions are necessary. For information about creating virtual directories, see Microsoft IIS documentation, available at http://www.microsoft.com/windows2000/en/server/iis/.

Step 5.

If the web server runs IIS 6.0, you must configure IIS to allow unknown CGI extensions. To do so, use the Web Service Extension page in the IIS Manager window and set the status of Allow Unknown CGI Extensions to "Allowed."

Step 6.

If you use the IIS Lockdown Tool to help secure your Microsoft IIS 5.0 web server, be sure that the Lockdown Tool allows executable files to run. If the UCP executable files cannot run, UCP fails and users cannot change passwords.
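The following script is an added example and is not part of the book or of Cisco's UCP package. It performs Steps 2 through 4 above against the IIS metabase through ADSI (creating the two directories, the two virtual directories, and exactly the permissions the steps call for) and then reads the permissions back to catch the misconfiguration the text warns about. It assumes Windows PowerShell is available on the web server (IIS 6.0 or later with the metabase), that the default web site is W3SVC/1 with C:\Inetpub\wwwroot as its home directory, and that the metabase property names it uses (Path, AccessRead, AccessWrite, AccessScript, AccessExecute) apply to that site.

```powershell
# Added example, not the book's or Cisco's code. Assumes IIS metabase via ADSI on the
# local server, default web site W3SVC/1, home directory C:\Inetpub\wwwroot.
$HomeDir  = 'C:\Inetpub\wwwroot'
$SiteRoot = 'IIS://localhost/W3SVC/1/Root'

# Alias -> whether execute permission is allowed. secure holds only the HTML files
# (read), securecgi-bin holds the CGI executables (read + execute). Neither is writable.
$UcpDirs = @{
    'secure'        = $false
    'securecgi-bin' = $true
}

function Set-UcpVirtualDirectory {
    param([string]$Alias, [bool]$AllowExecute)

    $physical = Join-Path $HomeDir $Alias
    if (-not (Test-Path $physical)) {
        # Step 2: the physical directory under the web server home directory
        New-Item -ItemType Directory -Path $physical | Out-Null
    }

    # Steps 3-4: create the virtual directory if it is missing, then set its properties
    $root = New-Object System.DirectoryServices.DirectoryEntry($SiteRoot)
    $vdir = $root.psbase.Children | Where-Object { $_.psbase.Name -eq $Alias }
    if (-not $vdir) {
        $vdir = $root.psbase.Children.Add($Alias, 'IIsWebVirtualDir')
        $vdir.psbase.CommitChanges()
    }
    $props = $vdir.psbase.Properties
    $props['Path'].Value          = $physical
    $props['AccessRead'].Value    = $true
    $props['AccessWrite'].Value   = $false    # a writable CGI directory would let anyone upload executables
    $props['AccessScript'].Value  = $false
    $props['AccessExecute'].Value = $AllowExecute
    $vdir.psbase.CommitChanges()
}

function Test-UcpVirtualDirectory {
    # Reads the settings back and returns the list of deviations (empty = correct).
    param([string]$Alias, [bool]$AllowExecute)
    $props = (New-Object System.DirectoryServices.DirectoryEntry("$SiteRoot/$Alias")).psbase.Properties
    $problems = @()
    if ($props['Path'].Value -ne (Join-Path $HomeDir $Alias)) { $problems += "$Alias points at $($props['Path'].Value)" }
    if (-not [bool]$props['AccessRead'].Value)                 { $problems += "$Alias lacks read permission" }
    if ([bool]$props['AccessWrite'].Value)                     { $problems += "$Alias has write permission (remove it)" }
    if ([bool]$props['AccessExecute'].Value -ne $AllowExecute) { $problems += "$Alias execute permission is wrong" }
    return $problems
}

foreach ($alias in $UcpDirs.Keys) {
    Set-UcpVirtualDirectory  -Alias $alias -AllowExecute $UcpDirs[$alias]
    $issues = @(Test-UcpVirtualDirectory -Alias $alias -AllowExecute $UcpDirs[$alias])
    if ($issues.Count -eq 0) { Write-Host "$alias OK" } else { $issues | ForEach-Object { Write-Warning $_ } }
}
```

Run it from an administrative PowerShell session on the web server. The audit function is worth keeping separately: rerun it after the IIS Lockdown Tool or any later change, since it reports the two conditions that break UCP (execute removed from securecgi-bin) or weaken it (write granted to either directory).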

Preparing ACS for UCP

If you are placing the UCP on a different device, you need to enable ACS to accept password change requests from the server on which UCP is installed. The following steps guide you through the process[3]:

Step 1.

Log in to the HTML interface of the CiscoSecure ACS that you want UCP to send user password changes to.

NOTE

If you are using the CiscoSecure Database Replication feature, the CiscoSecure ACS that UCP sends user password changes to should be a primary CiscoSecure ACS; otherwise, if the user database is replicated, user password changes are overwritten by the older information from the primary CiscoSecure ACS.

Step 2.

Click Interface Configuration, and then click Advanced Options. Result: The Advanced Options page appears.

Step 3.

Make sure the Distributed Systems Settings check box is selected. This causes the AAA Servers table to appear in the Network Configuration section, as seen in Figure 7-4.

Figure 7-4. Selecting Distributed System Settings


Step 4.

Click Submit.

Step 5.

Click Network Configuration.

Step 6.

If Network Device Groups (NDGs) are enabled, click the NDG that you want to add the UCP web server to.

Step 7.

In the AAA Servers table, click Add Entry.

Step 8.

In the AAA Server Name box, type the name you want to give to the UCP web server. We recommend using the web server host name; however, you can include additional useful information, such as "UCP," to readily identify the UCP web server. For example, if the web server host name is wwwin, you could type UCP-wwwin in the AAA Server Name box. This page is illustrated in Figure 7-5.

Figure 7-5. Adding an AAA Server to ACS


Step 9.

In the AAA Server IP Address box, type the IP address of the UCP web server. Use dotted decimal format.

NOTE

The other settings on the Add AAA Server page are irrelevant to proper functioning of UCP.

Step 10.

Click Submit + Restart.

Result: CiscoSecure ACS is configured to recognize and respond to password change information from the web server you plan to install UCP on.

Enabling SSL on the Web Server

In the section titled "User Changeable Passwords" earlier in the chapter, SSL was briefly mentioned. For those unfamiliar with SSL, it is a means of encrypting communication between the web server and the user who is changing their password. If the users that change passwords with the UCP exist on a trusted network, it might not be necessary to encrypt this traffic. It is my general recommendation to encrypt it anyhow. To configure the SSL portion on the web server, perform the following tasks[4]:

Step 1.

Obtain a certificate from a certificate authority.

After you have received your certificate from the certificate authority, install the certificate on your web server. For information about installing a certificate, see Microsoft IIS documentation, available at http://www.microsoft.com/windows2000/en/server/iis/.

Following your Microsoft IIS documentation, activate SSL security on the web server. Keep in mind the following points when enabling SSL security:

- You can enable SSL security on the root of your web site or on one or more virtual directories.

- After SSL is enabled and properly configured, only SSL-enabled clients can communicate with the SSL-enabled WWW directories.

- URLs that point to documents on an SSL-enabled WWW folder must use https instead of http in the URL. Links that use http in the URL do not work.
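As an added example (not the book's or Cisco's code), the script below covers the last two points above once the certificate is installed and SSL is active on the site: it requires SSL on the two UCP virtual directories, then confirms that login.htm is served over https and refused over plain http. It can be rerun after the UCP installer finishes as the post-install check. It assumes the same site path and aliases as the chapter, the AccessSSL metabase property, and that ucp.example.com is a placeholder for the name on the web server's certificate; the machine running the check must trust that certificate, or the https request fails as well.

```powershell
# Added example, not the book's or Cisco's code. Assumes the IIS metabase via ADSI,
# default web site W3SVC/1, and a trusted certificate already bound to the site.
$SiteRoot = 'IIS://localhost/W3SVC/1/Root'
$UcpHost  = 'ucp.example.com'   # placeholder: the UCP web server name on its certificate

foreach ($alias in 'secure', 'securecgi-bin') {
    $vdir = New-Object System.DirectoryServices.DirectoryEntry("$SiteRoot/$alias")
    $vdir.psbase.Properties['AccessSSL'].Value = $true   # "Require secure channel (SSL)" for this directory
    $vdir.psbase.CommitChanges()
}

function Test-UcpLoginUrl {
    # Returns $true only when https serves login.htm and http is refused (IIS answers 403.4).
    param([string]$HostName)
    $ok = $true
    try {
        $response = [System.Net.WebRequest]::Create("https://$HostName/secure/login.htm").GetResponse()
        Write-Host ("https: HTTP {0}" -f [int]$response.StatusCode)
        $response.Close()
    } catch {
        Write-Warning "https request failed: $($_.Exception.Message)"
        $ok = $false
    }
    try {
        $response = [System.Net.WebRequest]::Create("http://$HostName/secure/login.htm").GetResponse()
        $response.Close()
        Write-Warning 'http served the login page: SSL is not being required'
        $ok = $false
    } catch {
        Write-Host 'http refused, as expected'
    }
    return $ok
}

Test-UcpLoginUrl -HostName $UcpHost
```

A $false result with "http served the login page" means the PAP password typed into the login form would cross the network in clear text, which is the exact condition the web-server preparation section warns about.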

Installing the UCP Module

Now it's time to install the UCP module. This section assumes that you are installing the UCP from the ACS CD-ROM or the folder that ACS was extracted to. To begin the setup of the UCP module, follow these steps:

Step 1.

Browse the ACS CD or the folder that ACS was extracted to for the folder named User Changeable Password.

Step 2.

Double-click the Setup.exe icon to begin the install of the UCP module. You must have administrative rights on this machine to install the UCP module.

Step 3.

When you begin the install, a dialog box appears to confirm your preparations. This is seen in Figure 7-6. Select all check boxes and then select Next.

Figure 7-6. Before You Begin (UCP)


Step 4.

Enter the path to the secure virtual directory that you created and select Next. This is seen in Figure 7-7.

Figure 7-7. Enter the Path to the secure Virtual Directory


Step 5.

Enter the path to the securecgi-bin virtual directory that you created and select Next. This is seen in Figure 7-8.

Figure 7-8. Enter the Path to the securecgi-bin Virtual Directory


Step 6.

Enter the URL for the HTML virtual directory. You might want to choose the default, which is the secure directory that you created. You usually do this if you are not using SSL. If you decide to use SSL, you need to change the beginning of the URL from HTTP:// to HTTPS://. This is seen in Figure 7-9.

Figure 7-9. Enter the URL for the HTML Virtual Directory


Step 7.

Select Next.

Step 8.

You are then prompted for the URL to the securecgi-bin folder. You can choose the default; however, if you are using SSL, follow Step 3 and select Next. This is seen in Figure 7-10.

Figure 7-10. Enter the URL for the securecgi-bin HTML Virtual Directory


Step 9.

You then see a dialog box that indicates "Connecting to Cisco Secure Server." Enter the IP address to the ACS device here. Select Next.

Step 10.

You then see the Setup Complete box and can select Finish to end the installation process.

Now that the UCP module is installed, you can test its functionality by creating a new user account in ACS. Then, from a web browser on the network, access the URL of the UCP server. It should look something like this:

http://10.1.1.100/secure/login.htm

This is the URL that users must access to change passwords. The users see a page that accepts a login, redirects them to a change password page, and applies the changed password. This works well; however, in a company with numerous employees, the task of getting users to change their passwords becomes difficult. It might be a good idea to use corporate e-mail as a reminder to change passwords, or even to include the change password URL on a commonly viewed intranet site.




Cisco Access Control Security: AAA Administration Services
ISBN: 1587051249
Year: 2006
Pages: 173