User Guide for Cisco Secure Access Control System 5.3 April 2014 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS
Preface xxiii
Audience xxiii
Document Conventions xxiii
Documentation Updates xxiv
Related Documentation xxiv
Obtaining Documentation and Submitting a Service Request xxv
CHAPTER 1 Introducing ACS 5.3 1-1
Overview of ACS 1-1
ACS Distributed Deployment 1-2
ACS 4.x and 5.

Policy Terminology 3-3
Simple Policies 3-4
Rule-Based Policies 3-4
Types of Policies 3-5
Access Services 3-6
Identity Policy 3-9
Group Mapping Policy 3-11
Authorization Policy for Device Administration 3-11
Processing Rules with Multiple Command Sets 3-11
Exception Authorization Policy Rules 3-12
Service Selection Policy 3-12
Simple Service Selection 3-12
Rules-Based Service Selection 3-13
Access Services and Service Selection Scenarios
First-Match Rule Tables 3-14
Policy Conditions 3-16
Policy Re

Agentless Network Access 4-12
Overview of Agentless Network Access 4-12
Host Lookup 4-13
Authentication with Call Check 4-14
Process Service-Type Call Check 4-15
PAP/EAP-MD5 Authentication 4-15
Agentless Network Access Flow 4-16
Adding a Host to an Internal Identity Store 4-17
Configuring an LDAP External Identity Store for Host Lookup 4-17
Configuring an Identity Group for Host Lookup Network Access Requests
Creating an Access Service for Host Lookup 4-18
Configuring an Identity Policy for Host L

My Account Page 5-2
Using the Web Interface 5-3
Accessing the Web Interface 5-3
Logging In 5-4
Logging Out 5-5
Understanding the Web Interface 5-5
Web Interface Design 5-6
Navigation Pane 5-7
Content Area 5-8
Importing and Exporting ACS Objects through the Web Interface 5-18
Supported ACS Objects 5-18
Creating Import Files 5-20
Downloading the Template from the Web Interface 5-21
Understanding the CSV Templates 5-21
Creating the Import File 5-22
Common Errors 5-25
Concurrency Conflict Errors 5-2

Exporting Network Devices and AAA Clients 7-7
Performing Bulk Operations for Network Resources and Users
Exporting Network Resources and Users 7-10
Creating, Duplicating, and Editing Network Devices 7-10
Configuring Network Device and AAA Clients 7-11
Displaying Network Device Properties 7-14
Deleting Network Devices 7-17
Configuring a Default Network Device 7-17
Working with External Proxy Servers 7-19
Creating, Duplicating, and Editing External Proxy Servers
Deleting External Proxy Servers 7-2

Authentication Using LDAP 8-20
Multiple LDAP Instances 8-20
Failover 8-21
LDAP Connection Management 8-21
Authenticating a User Using a Bind Connection 8-21
Group Membership Information Retrieval 8-22
Attributes Retrieval 8-23
Certificate Retrieval 8-23
Creating External LDAP Identity Stores 8-23
Configuring an External LDAP Server Connection 8-24
Configuring External LDAP Directory Organization 8-26
Deleting External LDAP Identity Stores 8-30
Configuring LDAP Groups 8-30
Viewing LDAP Attributes 8

Groups and Attributes Mapping 8-58
RADIUS Identity Store in Identity Sequence 8-59
Authentication Failure Messages 8-59
Username Special Format with Safeword Server 8-59
User Attribute Cache 8-60
Creating, Duplicating, and Editing RADIUS Identity Servers 8-60
Configuring CA Certificates 8-65
Adding a Certificate Authority 8-66
Editing a Certificate Authority and Configuring Certificate Revocation Lists
Deleting a Certificate Authority 8-68
Exporting a Certificate Authority 8-69
Configuring Certi

Deleting an Authorizations and Permissions Policy Element 9-32
Configuring Security Group Access Control Lists 9-33
CHAPTER 10 Managing Access Policies 10-1
Policy Creation Flow 10-1
Network Definition and Policy Goals 10-2
Policy Elements in the Policy Creation Flow 10-3
Access Service Policy Creation 10-4
Service Selection Policy Creation 10-4
Customizing a Policy 10-4
Configuring the Service Selection Policy 10-5
Configuring a Simple Service Selection Policy 10-6
Service Selection Poli

Deleting Policy Rules 10-39
Configuring Compound Conditions 10-40
Compound Condition Building Blocks 10-40
Types of Compound Conditions 10-41
Using the Compound Expression Builder 10-44
Security Group Access Control Pages 10-45
Egress Policy Matrix Page 10-45
Editing a Cell in the Egress Policy Matrix 10-46
Defining a Default Policy for Egress Policy Page 10-46
NDAC Policy Page 10-47
NDAC Policy Properties Page 10-48
Network Device Access EAP-FAST Settings Page 10-50
Maximum User Sessions 10-50

Understanding Alarm Schedules 12-9
Creating and Editing Alarm Schedules 12-9
Assigning Alarm Schedules to Thresholds 12-10
Deleting Alarm Schedules 12-11
Creating, Editing, and Duplicating Alarm Thresholds 12-11
Configuring General Threshold Information 12-13
Configuring Threshold Criteria 12-14
Passed Authentications 12-14
Failed Authentications 12-16
Authentication Inactivity 12-18
TACACS Command Accounting 12-19
TACACS Command Authorization 12-20
ACS Configuration Changes 12-21
ACS System Diagn

Running Catalog Reports 13-11
Deleting Catalog Reports 13-13
Running Named Reports 13-13
Understanding the Report_Name Page 13-15
Enabling RADIUS CoA Options on a Device 13-18
Changing Authorization and Disconnecting Active RADIUS Sessions 13-18
Customizing Reports 13-20
Restoring Reports 13-20
Viewing Reports 13-21
About Standard Viewer 13-21
About Interactive Viewer 13-21
About Interactive Viewer’s Context Menus 13-21
Navigating Reports 13-23
Using the Table of Contents 13-23
Exporting Report

Organizing Report Data 13-41
Displaying and Organizing Report Data 13-41
Reordering Columns in Interactive Viewer 13-42
Removing Columns 13-43
Hiding or Displaying Report Items 13-44
Hiding Columns 13-44
Displaying Hidden Columns 13-45
Merging Columns 13-45
Selecting a Column from a Merged Column 13-46
Sorting Data 13-47
Sorting a Single Column 13-47
Sorting Multiple Columns 13-47
Grouping Data 13-48
Adding Groups 13-50
Grouping Data Based on Date or Time 13-50
Removing an Inner Group 13-51
Creati

Modifying Charts 13-76
Filtering Chart Data 13-76
Changing Chart Subtype 13-77
Changing Chart Formatting 13-77
CHAPTER 14 Troubleshooting ACS with the Monitoring & Report Viewer 14-1
Available Diagnostic and Troubleshooting Tools 14-1
Connectivity Tests 14-1
ACS Support Bundle 14-1
Expert Troubleshooter 14-2
Performing Connectivity Tests 14-3
Downloading ACS Support Bundles for Diagnostic Information 14-4
Working with Expert Troubleshooter 14-5
Troubleshooting RADIUS Authentications 14-6

Configuring System Alarm Settings 15-17
Configuring Alarm Syslog Targets 15-17
Configuring Remote Database Settings 15-17
CHAPTER 16 Managing System Administrators 16-1
Understanding Administrator Roles and Accounts 16-2
Understanding Authentication 16-3
Configuring System Administrators and Accounts 16-3
Understanding Roles 16-3
Permissions 16-4
Predefined Roles 16-4
Changing Role Associations 16-5
Administrator Accounts and Role Association 16-6
Creating, Duplicating, Editing, and

Viewing and Editing a Primary Instance 17-9
Viewing and Editing a Secondary Instance 17-13
Deleting a Secondary Instance 17-13
Activating a Secondary Instance 17-14
Registering a Secondary Instance to a Primary Instance 17-14
Deregistering Secondary Instances from the Distributed System Management Page
Deregistering a Secondary Instance from the Deployment Operations Page 17-17
Promoting a Secondary Instance from the Distributed System Management Page
Promoting a Secondary Instance from the

Configuring Local Server Certificates 18-14
Adding Local Server Certificates 18-14
Importing Server Certificates and Associating Certificates to Protocols 18-15
Generating Self-Signed Certificates 18-16
Generating a Certificate Signing Request 18-17
Binding CA Signed Certificates 18-17
Editing and Renewing Certificates 18-18
Deleting Certificates 18-19
Exporting Certificates 18-20
Viewing Outstanding Signing Requests 18-20
Configuring Logs 18-21
Configuring Remote Log Targets 18-21
Deleting a

Using Log Targets 19-2
Logging Categories 19-2
Global and Per-Instance Logging Categories 19-4
Log Message Severity Levels 19-4
Local Store Target 19-5
Critical Log Target 19-7
Remote Syslog Server Target 19-8
Monitoring and Reports Server Target 19-10
Viewing Log Messages 19-10
Debug Logs 19-11
ACS 4.x Versus ACS 5.

Overview of EAP-TLS B-6
User Certificate Authentication B-6
PKI Authentication B-7
PKI Credentials B-8
PKI Usage B-8
Fixed Management Certificates B-9
Importing Trust Certificates B-9
Acquiring Local Certificates B-9
Importing the ACS Server Certificate B-10
Initial Self-Signed Certificate Generation B-10
Certificate Generation B-10
Exporting Credentials B-11
Credentials Distribution B-12
Hardware Replacement and Certificates B-12
Securing the Cryptographic Sensitive Material B-12
Private Keys and

EAP Authentication with RADIUS Key Wrap B-29
EAP-MSCHAPv2 B-30
Overview of EAP-MSCHAPv2 B-30
MSCHAPv2 for User Authentication B-30
MSCHAPv2 for Change Password B-30
Windows Machine Authentication Against AD
EAP-MSCHAPv2 Flow in ACS 5.
Preface
Revised: April 17, 2014
This guide describes how to use Cisco Secure Access Control System (ACS) 5.3.

Audience
This guide is for security administrators who use ACS, and who set up and maintain network and application security.

Document Conventions
This guide uses the convention whereby the symbol ^ represents the key labeled Control. For example, the key combination ^z means hold down the Control key while you press the z key.

Caution: Means reader be careful. You are capable of doing something that might result in equipment damage or loss of data.
Timesaver: Means the described action saves time. You can save time by performing the action described in the paragraph.
Note: Means reader take note. Notes identify important information that you should reflect upon before continuing, contain helpful suggestions, or provide references to materials not contained in the document.

Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.

Table 2 Product Documentation
Document Title: Open Source and Third Party Licenses used in Cisco Secure Access Control System, 5.3
Available Formats: http://www.cisco.com/en/US/products/ps9911/products_licensing_information_listing.html
Document Title: License and Documentation Guide for the Cisco
Available Formats: http://www.cisco.
CHAPTER 1 Introducing ACS 5.3
This section contains the following topics:
• Overview of ACS, page 1-1
• ACS Distributed Deployment, page 1-2
• ACS Management Interfaces, page 1-3

Overview of ACS
ACS is a policy-based security server that provides standards-compliant Authentication, Authorization, and Accounting (AAA) services to your network. ACS facilitates the administrative management of Cisco and non-Cisco devices and applications.

ACS provides advanced monitoring, reporting, and troubleshooting tools that help you administer and manage your ACS deployments. For more information on the monitoring, reporting, and troubleshooting capabilities of ACS, see Chapter 11, “Monitoring and Reporting in ACS.” For more information about using ACS for device administration and network access scenarios, see Chapter 4, “Common Scenarios Using ACS.

ACS 4.x did not provide incremental replication, only full replication, and there was service downtime during replication. ACS 5.3 provides incremental replication with no service downtime. You can also force a full replication to the secondary instance if configuration changes do not replicate to it.

ACS Web-based Interface
You can use the ACS web-based interface to fully configure your ACS deployment, and perform monitoring and reporting operations. The web interface provides a consistent user experience, regardless of the particular area that you are configuring. The ACS web interface is supported on HTTPS-enabled Microsoft Internet Explorer, versions 7.x, 8.x, and 9.x, and Firefox versions 3.x and 4.x.

For information about using the CLI, see the Command Line Interface Reference Guide for Cisco Secure Access Control System 5.3.
Related Topic
• ACS Web-based Interface, page 1-4

ACS Programmatic Interfaces
ACS 5.3 provides web services and command-line interface (CLI) commands that allow software developers and system integrators to programmatically access some ACS features and functions. ACS 5.
CHAPTER 2 Migrating from ACS 4.x to ACS 5.3
ACS 4.x stores policy and authentication information, such as TACACS+ command sets, in the user and user group records. In ACS 5.3, policy and authentication information are independent shared components that you use as building blocks when you configure policies. The most efficient way to make optimal use of the new policy model is to rebuild policies by using the building blocks, or policy elements, of the new policy model.

Overview of the Migration Process
The Migration utility completes the data migration process in two phases:
• Analysis and Export
• Import
In the Analysis and Export phase, you identify the objects that you want to export into 5.3. The Migration utility analyzes the objects, consolidates the data, and exports it.

Note You must install the latest patch for the supported migration versions listed here. Also, if you have any other version of ACS 4.x installed, you must upgrade to one of the supported versions and install the latest patch for that version before you can migrate to ACS 5.3.

Before You Begin
Before you migrate data from ACS 4.x to ACS 5.3, ensure that you:
• Check for database corruption issues in the ACS 4.x source machine.

Functionality Mapping from ACS 4.x to ACS 5.3
In ACS 5.3, you define authorizations, shell profiles, attributes, and other policy elements as independent, reusable objects, and not as part of the user or group definition. Table 2-1 describes where you configure identities, network resources, and policy elements in ACS 5.3. Use this table to view and modify your migrated data identities. See Chapter 3, “ACS 5.

Table 2-1 Functionality Mapping from ACS 4.x to ACS 5.3 (continued)
To configure: Command sets (command authorization sets)
In ACS 4.x, choose: One of the following:
In ACS 5.3, choose: Policy Elements > Authorization and Permissions > Device Administration > Command Set
You can add command sets as results in authorization policy rules in a device administration access service.

Table 2-1 Functionality Mapping from ACS 4.x to ACS 5.3 (continued)
To configure: Downloadable ACLs
In ACS 4.x, choose: Shared Profile Components
In ACS 5.3, choose: Policy Elements > Authorization and Permissions > Named
You can add downloadable ACLs (DACLs) to a network access authorization profile.

Migrating from ACS 3.x to ACS 5.3
If you have ACS 3.x deployed in your environment, you cannot directly migrate to ACS 5.3. You must do the following:
Step 1 Upgrade to a migration-supported version of ACS 4.x. See Supported Migration Versions, page 2-2, for a list of supported migration versions.
Step 2 Check the upgrade paths for ACS 3.x:
• For the ACS Solution Engine, see: http://www.cisco.

Step 3 Perform bulk import of data into ACS 5.3. For more information on performing bulk import of ACS objects, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/sdk/cli_imp_exp.html#wp1056244.
The data from your other AAA servers is now available in ACS 5.3.
CHAPTER 3 ACS 5.x Policy Model
ACS 5.x is a policy-based access control system. The term policy model in ACS 5.x refers to the presentation of policy elements, objects, and rules to the policy administrator. ACS 5.x uses a rule-based policy model instead of the group-based model used in the 4.x versions. This section contains the following topics:
• Overview of the ACS 5.

For example, we use the information described for the group-based model:
If identity-condition, restriction-condition then authorization-profile
In ACS 5.3, you define conditions and results as global, shared objects. You define them once and then reference them when you create rules. ACS 5.3 uses the term policy elements for these shared objects, and they are the building blocks for creating rules.

Policy Terminology
Table 3-2 describes the rule-based policy terminology.
Table 3-2 Rule-Based Policy Terminology
Term: Access service
Description: Sequential set of policies used to process access requests. ACS 5.x allows you to define multiple access services to support multiple, independent, and isolated sets of policies on a single ACS system.

Simple Policies
You can configure all of your ACS policies as rule-based policies. However, in some cases, you can choose to configure a simple policy, which selects a single result to apply to all requests without conditions. For example, you can define a rule-based authentication policy with a set of rules for different conditions; or, if you want to use the internal database for all authentications, you can define a simple policy.

Types of Policies
Table 3-3 describes the types of policies that you can configure in ACS. The policies are listed in the order of their evaluation; any attributes that a policy retrieves can be used in any policy listed subsequently. The only exception is the identity group mapping policy, which uses only attributes from identity stores.

Access Services
Access services are fundamental constructs in ACS 5.x that allow you to configure access policies for users and devices that connect to the network and for network administrators who administer network devices. In ACS 5.x, authentication and authorization requests are processed by access services.

Table 3-5 describes an example of a set of access services.
Table 3-5 Access Service List
• Access Service A for Device Administration
• Access Service B for Access to 802.1X Agentless Hosts
• Access Service C for Access from 802.

ACS accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS and TACACS+ servers in ACS for ACS to forward requests to them. You can define the timeout period and the number of connection attempts.

ACS can simultaneously act as a proxy server to multiple external RADIUS and TACACS+ servers. For ACS to act as a proxy server, you must configure a RADIUS or TACACS+ proxy service in ACS. See Configuring General Access Service Properties, page 10-13, for information on how to configure a RADIUS proxy service. For more information on proxying RADIUS and TACACS+ requests, see RADIUS and TACACS+ Proxy Requests, page 4-29.

• Identity Sequence—Sequences of the identity databases. The sequence is used for authentication and, if specified, an additional sequence is used to retrieve only attributes. You can select multiple identity methods as the result of the identity policy. You define the identity methods in an identity sequence object, and the methods included within the sequence may be of any type.

Group Mapping Policy
The identity group mapping policy is a standard policy. Conditions can be based on attributes or groups retrieved from the external attribute stores only, or from certificates, and the result is an identity group within the identity group hierarchy. If the identity policy accesses the internal user or host identity store, then the identity group is set directly from the corresponding user or host record.

Related Topics
• Policy Terminology, page 3-3
• Authorization Profiles for Network Access, page 3-16

Exception Authorization Policy Rules
A common real-world problem is that, in day-to-day operations, you often need to grant policy waivers or policy exceptions. A specific user might need special access for a short period of time; or, a user might require some additional user permissions to cover for someone else who is on vacation.

Rules-Based Service Selection
In the rules-based service selection mode, ACS decides which access service to use based on various configurable options. Some of them are:
• AAA Protocol—The protocol used for the request, TACACS+ or RADIUS.
• Request Attributes—RADIUS or TACACS+ attributes in the request.
• Date and Time—The date and time ACS receives the request.
• Network Device Group—The network device group that the AAA client belongs to.

In this example, instead of creating the network access policy for 802.1x, agentless devices, and guest access in one access service, the policy is divided into three access services.

First-Match Rule Tables
ACS 5.3 provides policy decisions by using first-match rule tables to evaluate a set of rules. Rule tables contain conditions and results. Conditions can be either simple or compound.

Column: Status
Description: You can define the status of a rule as enabled, disabled, or monitored:
• Enabled—ACS evaluates an enabled rule, and when the rule conditions match the access request, ACS applies the rule result.
• Disabled—The rule appears in the rule table, but ACS skips this rule and does not evaluate it.
• Monitor Only—ACS evaluates a monitored rule.

Policy Conditions
You can define simple conditions in rule tables based on attributes in:
• Customizable conditions—You can create custom conditions based on protocol dictionaries and identity dictionaries that ACS knows about. You define custom conditions in a policy rule page; you cannot define them as separate condition objects.

You can define multiple authorization profiles as a network access policy result. In this way, you maintain a smaller number of authorization profiles, because you can use the authorization profiles in combination as rule results, rather than maintaining all the combinations themselves in individual profiles.

Related Topics
• Managing Users and Identity Stores, page 8-1
• Policy Terminology, page 3-3
• Types of Policies, page 3-5

Policies and Network Device Groups
You can reference network device groups (NDGs) as policy conditions. When ACS receives a request for a device, the NDGs associated with that device are retrieved and compared against those in the policy table.

Figure 3-2 illustrates what this policy rule table could look like.
Figure 3-2 Sample Rule-Based Policy
Each row in the policy table represents a single rule. Each rule, except for the last Default rule, contains two conditions, ID Group and Location, and a result, Authorization Profile. ID Group is an identity-based classification and Location is a nonidentity condition.
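As an added illustration (not code from this guide or from ACS itself), the following Python evaluator walks a first-match rule table shaped like Figure 3-2: ID Group and Location conditions, an Authorization Profile result, a trailing Default rule, and the Enabled, Disabled, and Monitor Only statuses described under First-Match Rule Tables. It assumes that identity groups and network device groups are colon-separated hierarchies matched by containment, and that a Monitor Only match is recorded but its result is not applied; the rule names, group names, and profile names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Rule status values from the First-Match Rule Tables section.
ENABLED = "Enabled"
DISABLED = "Disabled"
MONITOR_ONLY = "Monitor Only"

# Assumption: identity groups ("All Groups:...") and network device groups
# ("All Locations:...") are hierarchies written as colon-separated paths, and a
# rule condition matches when the request value sits at or below the rule value.
HIERARCHICAL_ATTRS = {"ID Group", "Location"}

DEFAULT_RESULT = "Deny Access"  # result of the Default rule (constructed name)


@dataclass(frozen=True)
class Rule:
    name: str
    status: str
    # attribute name -> required value; None means the condition is "ANY"
    conditions: Dict[str, Optional[str]]
    result: str  # authorization profile name


def in_hierarchy(request_value: str, rule_value: str) -> bool:
    """True when request_value is rule_value or a descendant of it."""
    req = request_value.split(":")
    rule = rule_value.split(":")
    return req[: len(rule)] == rule


def condition_matches(attr: str, rule_value: Optional[str],
                      request: Dict[str, str]) -> bool:
    if rule_value is None:  # ANY
        return True
    actual = request.get(attr)
    if actual is None:  # attribute absent from the request: condition fails
        return False
    if attr in HIERARCHICAL_ATTRS:
        return in_hierarchy(actual, rule_value)
    return actual == rule_value


def evaluate(rules: List[Rule], default_result: str,
             request: Dict[str, str]) -> Tuple[str, str, List[str]]:
    """First-match evaluation.

    Returns (applied result, name of the rule that supplied it, names of
    Monitor Only rules that matched before it). Disabled rules are skipped
    without evaluation; a Monitor Only match is recorded and evaluation
    continues; the first Enabled match wins; otherwise the Default rule applies.
    """
    monitored_hits: List[str] = []
    for rule in rules:
        if rule.status == DISABLED:
            continue
        if not all(condition_matches(a, v, request)
                   for a, v in rule.conditions.items()):
            continue
        if rule.status == MONITOR_ONLY:
            monitored_hits.append(rule.name)
            continue
        return rule.result, rule.name, monitored_hits
    return default_result, "Default", monitored_hits


def sample_rules() -> List[Rule]:
    """Constructed rule table in the shape of Figure 3-2."""
    return [
        Rule("Rule-1", ENABLED,
             {"ID Group": "All Groups:Network Admins",
              "Location": "All Locations:HQ"}, "Full Access"),
        Rule("Rule-2", MONITOR_ONLY,
             {"ID Group": "All Groups:Contractors", "Location": None},
             "Contractor Access"),
        Rule("Rule-3", DISABLED,
             {"ID Group": "All Groups:Contractors",
              "Location": "All Locations:Branch"}, "Branch Access"),
        Rule("Rule-4", ENABLED,
             {"ID Group": "All Groups:Contractors",
              "Location": "All Locations:Branch"}, "Branch Contractor Access"),
    ]


if __name__ == "__main__":
    table = sample_rules()
    # Constructed requests: the second one shows a monitored hit being logged
    # while the later Enabled rule still supplies the applied result.
    for req in (
        {"ID Group": "All Groups:Network Admins", "Location": "All Locations:HQ:Floor-2"},
        {"ID Group": "All Groups:Contractors", "Location": "All Locations:Branch:Paris"},
        {"ID Group": "All Groups:Contractors", "Location": "All Locations:HQ"},
    ):
        result, rule_name, monitored = evaluate(table, DEFAULT_RESULT, req)
        print(f"{req} -> {result} via {rule_name}; monitored matches: {monitored}")
```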
Table 3-8
• Add users to the internal ACS identity store or add external identity stores. See Creating Internal Users, page 8-11, Managing Identity Attributes, page 8-7, or Creating External LDAP Identity Stores, page 8-26.

Related Topics
• Policy Terminology, page 3-3
• Policy Conditions, page 3-16
• Policy Results, page 3-16
• Policies and Identity Attributes, page 3-17
CH A P T E R 4 Common Scenarios Using ACS Network control refers to the process of controlling access to a network. Traditionally a username and password was used to authenticate a user to a network. Now a days with the rapid technological advancements, the traditional method of managing network access with a username and a password is no longer sufficient. The ways in which the users can access the network and what they can access have changed considerably.
Chapter 4 Common Scenarios Using ACS Overview of Device Administration Cisco Secure Access Control System (ACS) allows you to centrally manage access to your network services and resources (including devices, such as IP phones, printers, and so on). ACS 5.3 is a policy-based access control system that allows you to create complex policy conditions and helps you to comply with the various Governmental regulations.
Chapter 4 Common Scenarios Using ACS Overview of Device Administration If a command is matched to a command set, the corresponding permit or deny setting for the command is retrieved. If multiple results are found in the rules that are matched, they are consolidated and a single permit or deny result for the command is returned, as described in these conditions: • If an explicit deny-always setting exists in any command set, the command is denied.
Chapter 4 Common Scenarios Using ACS Overview of Device Administration Step 5 Configure an access service policy. See Access Service Policy Creation, page 10-4. Step 6 Configure a service selection policy. See Service Selection Policy Creation, page 10-4. Step 7 Configure an authorization policy (rule table). See Configuring a Session Authorization Policy for Network Access, page 10-29. Command Authorization This topic describes the flow for an administrator to issue a command to a network device.
Chapter 4 Common Scenarios Using ACS Password-Based Network Access TACACS+ Custom Services and Attributes This topic describes the configuration flow to define TACACS+ custom attributes and services. Step 1 Create a custom TACACS+ condition to move to TACACS+ service on request. To do this: a. Go to Policy Elements > Session Conditions > Custom and click Create. b. Create a custom TACACS+ condition. See Creating, Duplicating, and Editing a Custom Session Condition, page 9-5.
Chapter 4 Common Scenarios Using ACS Password-Based Network Access Note During password-based access (or certificate-based access), the user is not only authenticated but also authorized according to the ACS configuration. And if NAS sends accounting requests, the user is also accounted.
Chapter 4 Common Scenarios Using ACS Password-Based Network Access Password-Based Network Access Configuration Flow This topic describes the end-to-end flow for password-based network access and lists the tasks that you must perform. The information about how to configure the tasks is located in the relevant task chapters. To configure password-based network access: Step 1 Configure network devices and AAA clients. a.
Chapter 4 Common Scenarios Using ACS Password-Based Network Access Table 4-1 Network Access Authentication Protocols Protocol Action PEAP In the Allowed Protocols Page, choose PEAP. For the PEAP inner method, choose EAP-MSCHAPv2 or EAP-GTC or both. EAP-FAST 1. In the Allowed Protocols Page, choose Allow EAP-FAST to enable the EAP-FAST settings. 2. For the EAP-FAST inner method, choose EAP-MSCHAPv2 or EAP-GTC or both. 3.
Chapter 4 Common Scenarios Using ACS Certificate-Based Network Access Related Topics • Authentication in ACS 5.
Chapter 4 Common Scenarios Using ACS Certificate-Based Network Access You can configure two types of certificates in ACS: Note • Trust certificate—Also known as CA certificate. Used to form CTL trust hierarchy for verification of remote certificates. • Local certificate—Also known as local server certificate. The client uses the local certificate with various protocols to authenticate the ACS server.
Chapter 4 Common Scenarios Using ACS Certificate-Based Network Access Step 4 Configure policy elements. See Managing Policy Conditions, page 9-1, for more information. You can create custom conditions to use the certificate’s attributes as a policy condition. See Creating, Duplicating, and Editing a Custom Session Condition, page 9-5, for details. Step 5 Create an access service. See Configuring Access Services, page 10-11, for more information. Step 6 In the Allowed Protocols Page, choose EAP-TLS.
Chapter 4 Common Scenarios Using ACS Agentless Network Access Validating an LDAP Secure Authentication Connection You can define a secure authentication connection for the LDAP external identity store, by using a CA certificate to validate the connection. To validate an LDAP secure authentication connection using a certificate: Step 1 Configure an LDAP external identity store. See Creating External LDAP Identity Stores, page 8-26.
Chapter 4 Common Scenarios Using ACS Agentless Network Access Cisco provides two features to accommodate non-802.1x devices. For example, MAC Authentication Bypass (Host Lookup) and the Guest VLAN access by using web authentication. ACS 5.3 supports the Host Lookup fallback mechanism when there is no 802.1x supplicant. After 802.1x times out on a port, the port can move to an open state if Host Lookup is configured and succeeds.
Chapter 4 Common Scenarios Using ACS Agentless Network Access • Internal users • Active Directory You can access the Active Directory via the LDAP API. You can use the Internal Users identity store for Host Lookup in cases where the relevant host is already listed in the Internal Users identity store, and you prefer not to move the data to the Internal Hosts identity store. ACS uses the MAC format (XX-XX-XX-XX-XX-XX) and no other conversions are possible.
Chapter 4 Common Scenarios Using ACS Agentless Network Access Process Service-Type Call Check You may not want to copy the CallingStationID attribute value to the System UserName attribute value. When the Process Host Lookup option is checked, ACS uses the System UserName attribute that was copied from the RADIUS User-Name attribute.
Agentless Network Access Flow
This topic describes the end-to-end flow for agentless network access and lists the tasks that you must perform. The information about how to configure the tasks is located in the relevant task chapters. Perform these tasks in the order listed to configure agentless network access in ACS:
Step 1 Configure network devices and AAA clients.
Step 7 Define the service selection.
Step 8 Add the access service to your service selection policy. For more information, see Creating, Duplicating, and Editing Service Selection Rules, page 10-8.
Previous Step: Network Devices and AAA Clients, page 7-5
Next Step: Configuring an Identity Group for Host Lookup Network Access Requests, page 4-18
Related Topics
• Creating External LDAP Identity Stores, page 8-26
• Deleting External LDAP Identity Stores, page 8-33
Configuring an Identity Group for Host Lookup Network Access Requests
To configure an identity group for Host Lookup network access requests:
Step 1 Choose Users and Identi
c. Select Network Access, and check Identity and Authorization. The Group Mapping and External Policy options are optional.
d. Make sure you select Process Host Lookup.
If you want ACS to detect PAP or EAP-MD5 authentications for MAC addresses (see PAP/EAP-MD5 Authentication, page 4-15) and process them as Host Lookup requests (for example, MAB requests), complete the following steps:
e.
Configuring an Authorization Policy for Host Lookup Requests
To configure an authorization policy for Host Lookup requests:
Step 1 Choose Access Policies > Access Services > Authorization. See Configuring a Session Authorization Policy for Network Access, page 10-29, for details.
Step 2 Select Customize to customize the authorization policy conditions. A list of conditions appears.
Supported Authentication Protocols
ACS 5.3 supports the following protocols for inner authentication inside the VPN tunnel:
• RADIUS/PAP
• RADIUS/CHAP
• RADIUS/MS-CHAPv1
• RADIUS/MS-CHAPv2
With MS-CHAPv1 or MS-CHAPv2, ACS can generate the MPPE keys that are used to encrypt the tunnel that is created.
Supported VPN Network Access Servers
ACS 5.3 supports the following VPN network access servers:
• Cisco ASA 5500 Series
• Cisco VPN 3000 Series
Related Topics
• VPN Remote Network Access, page 4-20
• Supported Authentication Protocols, page 4-21
• Supported Identity Stores, page 4-21
• Supported VPN Clients, page 4-22
• Configuring VPN Remote Access Service, page 4-22
Supported VPN Clients
ACS 5.
Related Topics
• VPN Remote Network Access, page 4-20
• Supported Authentication Protocols, page 4-21
• Supported Identity Stores, page 4-21
• Supported VPN Network Access Servers, page 4-22
• Supported VPN Clients, page 4-22
• Configuring VPN Remote Access Service, page 4-22
ACS and Cisco Security Group Access
Note ACS requires an additional feature license to enable Security Group Access capabilities.
6. Configuring EAP-FAST Settings for Security Group Access.
7. Creating an Access Service for Security Group Access.
8. Creating an Endpoint Admission Control Policy.
9. Creating an Egress Policy.
10. Creating a Default Policy.
Adding Devices for Security Group Access
The RADIUS protocol requires a shared secret between the AAA client and the server.
Devices consider only the SGT value; the name and description of a security group are a management convenience and are not conveyed to the devices. Therefore, changing the name or description of the security group does not affect the generation ID of an SGT. To create a security group:
Step 1 Choose Policy Elements > Authorizations and Permissions > Network Access > Security Groups and click Create.
To configure an NDAC policy for a device:
Step 1 Choose Access Policies > Security Group Access Control > Security Group Access > Network Device Access > Authorization Policy.
Step 2 Click Customize to select which conditions to use in the NDAC policy rules. The Default Rule provides a default rule when no rules match or there are no rules defined. The default security group tag for the Default Rule result is Unknown.
Step 5 Click Next. The Access Services Properties page appears.
Step 6 In the Authentication Protocols area, check the relevant protocols for your access service.
Step 7 Click Finish.
Creating an Endpoint Admission Control Policy
After you create a service, you configure the endpoint admission control policy. The endpoint admission control policy returns an SGT to the endpoint and an authorization profile.
The first row (topmost) of the matrix contains the column headers, which display the destination SGT. The first column (far left) contains the row titles, with the source SG displayed. At the intersection of these axes lies the origin cell (top left) that contains the titles of the axes, namely, Destination and Source. All other cells are internal matrix cells that contain the defined SGACL.
To create a default policy:
Step 1 Choose Access Policies > Security Group Access Control > Egress Policy, then choose Default Policy.
Step 2 Fill in the fields as in the Default Policy for Egress Policy page.
Step 3 Click Submit.
During proxying, ACS:
1. Receives the following packets from the NAS and forwards them to the remote RADIUS server:
• Access-Request
• Accounting-Request packets
2. Receives the following packets from the remote RADIUS server and returns them to the NAS:
• Access-Accept
• Access-Reject
• Access-Challenge
• Accounting-Response
3.
The TACACS+ proxy feature in ACS supports the following authentication types:
• PAP
• ASCII
• CHAP
• MSCHAP
Related Topics
• RADIUS and TACACS+ Proxy Requests, page 4-29
• Supported RADIUS Attributes, page 4-31
• Configuring Proxy Service, page 4-32
Supported RADIUS Attributes
The following supported RADIUS attributes are encrypted:
• User-Password
• CHAP-Password
• Message-Authenticator
• MPPE-Send-Key
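The encrypted attributes listed above are why a proxy needs the shared secret of both legs: User-Password is obfuscated under the NAS shared secret and the packet's Request Authenticator (RFC 2865, section 5.2), so before forwarding the Access-Request in the proxy flow a proxy must decode it with the NAS secret and re-encode it under the remote server's secret and a fresh authenticator. The following is an added illustration, not code from the ACS guide or from Cisco; the secrets and password are constructed values.

```python
"""User-Password handling on the two legs of a RADIUS proxy (RFC 2865 section 5.2).

Added example with constructed values; not code from the ACS user guide or Cisco.
"""
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Obfuscate a cleartext password the way a NAS does before sending Access-Request.

    The password is NUL-padded to a multiple of 16 octets. Each 16-octet chunk is
    XORed with MD5(secret + previous ciphertext chunk); for the first chunk the
    "previous chunk" is the 16-octet Request Authenticator of this packet.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    if b"\x00" in password:
        raise ValueError("NUL octets cannot be represented because padding is NUL")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        chunk = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += chunk
        prev = chunk
    return bytes(out)


def decode_user_password(encoded: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Recover the cleartext; only a holder of that leg's shared secret can do this."""
    if not encoded or len(encoded) % 16:
        raise ValueError("encoded User-Password must be a non-empty multiple of 16 octets")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(encoded), 16):
        chunk = encoded[i:i + 16]
        out += _xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def proxy_rekey_user_password(encoded_from_nas: bytes, nas_secret: bytes,
                              nas_authenticator: bytes, remote_secret: bytes):
    """What a proxy must do with User-Password before forwarding an Access-Request.

    Decode with the NAS-leg secret, pick a fresh Request Authenticator for the
    outbound packet, and re-encode under the remote server's secret.
    Returns (new_request_authenticator, re_encoded_attribute_value).
    """
    cleartext = decode_user_password(encoded_from_nas, nas_secret, nas_authenticator)
    new_authenticator = os.urandom(16)
    return new_authenticator, encode_user_password(cleartext, remote_secret, new_authenticator)


# Constructed sample values (not real secrets).
NAS_SECRET = b"nas-leg-secret"
REMOTE_SECRET = b"remote-leg-secret"
SAMPLE_PASSWORD = b"correct horse battery staple"   # 28 octets -> 32 octets on the wire


def demo() -> bool:
    """Round-trip both legs and show that forwarding the NAS ciphertext unchanged fails."""
    nas_auth = os.urandom(16)
    on_nas_leg = encode_user_password(SAMPLE_PASSWORD, NAS_SECRET, nas_auth)
    new_auth, on_remote_leg = proxy_rekey_user_password(on_nas_leg, NAS_SECRET, nas_auth, REMOTE_SECRET)
    remote_ok = decode_user_password(on_remote_leg, REMOTE_SECRET, new_auth) == SAMPLE_PASSWORD
    unchanged_fails = decode_user_password(on_nas_leg, REMOTE_SECRET, nas_auth) != SAMPLE_PASSWORD
    return remote_ok and unchanged_fails


if __name__ == "__main__":
    print("proxy re-keying works:", demo())
```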
Configuring Proxy Service
To configure proxy services:
Step 1 Configure a set of remote RADIUS and TACACS+ servers. For information on how to configure remote servers, see Creating, Duplicating, and Editing External Proxy Servers, page 7-19.
Step 2 Configure an External proxy service. For information on how to configure an External proxy service, see Configuring General Access Service Properties, page 10-13.
Chapter 5 Understanding My Workspace
The Cisco Secure ACS web interface is designed to be viewed using Microsoft Internet Explorer 7.x, 8.x, and 9.x and Mozilla Firefox 3.x and 4.x. The web interface not only makes viewing and administering ACS possible, but it also allows you to monitor and report on any event in the network. These reports track connection activity, show which users are currently logged in, list the failed authentication and authorization attempts, and so on.
Table 5-1 Welcome Page (continued)
Field | Description
Policy Setup Steps | Opens the Task Guide for policy setup. This scenario guides you through the steps that are required to set up ACS policies.
New in ACS 5 | Options in this section link to topics in the ACS online help. Click an option to open the online help window, which displays information for the selected topic.
Table 5-2 My Account Page
Field | Description
General | Read-only fields that display information about the currently logged-in administrator:
• Administrator name
• Description
• E-mail address, if it is available
Change Password | Displays rules for password definition according to the password policy. To change your password:
1. In the Password field, enter your current password.
2.
Assigned Roles |
Logging In
To log in to the ACS web interface for the first time after installation:
Step 1 Enter the ACS URL in your browser, for example https://acs_host/acsadmin, where acs_host is the IP address or Domain Name System (DNS) hostname. The login page appears.
Step 2 Enter ACSAdmin in the Username field; the value is not case-sensitive.
Step 3 Enter default in the Password field; the value is case-sensitive.
Step 7 See Installing a License File, page 18-35 to install a valid license.
• If your login is successful, the main page of the ACS web interface appears.
• If your login is unsuccessful, the following error message appears: Invalid username or password specified. The Username and Password fields are cleared.
Step 8 Re-enter the valid username and password, and click Login.
Web Interface Design
Figure 5-1 shows the overall design of the ACS web interface.
Figure 5-1 ACS Web Interface
The interface contains:
• Header, page 5-6
• Navigation Pane, page 5-7
• Content Area, page 5-8
Header
Use the header to:
• Identify the current user (your username)
• Access the online help
• Log out
• Access the About information, where you can find information about which ACS web interface version is installed.
Navigation Pane
Use the navigation pane to navigate through the drawers of the web interface (see Figure 5-3).
Figure 5-3 Navigation Pane
Table 5-3 describes the function of each drawer.
Table 5-3 Navigation Pane Drawers
Drawer | Function
My Workspace | Access the Task Guide and Welcome page with shortcuts to common tasks and links to more information. See Chapter 5, “Understanding My Workspace” for more information.
The options listed beneath drawers in the navigation pane are organized in a tree structure, where appropriate. The options in the tree structure are dynamic and can change based on administrator actions. Creating, deleting, or renaming objects in the content area can change the option display in the navigation pane.
Web Interface Location
Your current location in the interface appears at the top of the content area. Figure 5-5 shows that the location is the Policy Elements drawer and the Network Devices and AAA Clients page. Using this location as an example, ACS documentation uses this convention to indicate interface locations—Policy Elements > Policy Conditions > Network Devices and AAA Clients > Location.
Table 5-4 Common Content Area Buttons and Fields for List Pages
Button or Field | Description
Rows per page | Use the drop-down list to specify the number of items to display on this page. Options:
• 10—Up to 10.
• 25—Up to 25.
• 50—Up to 50.
• 100—Up to 100.
Go | Click to display the number of items you specify in the Rows per page field.
Table 5-4 Common Content Area Buttons and Fields for List Pages (continued)
Button or Field | Description
Page num of n | Enter the number of the page you want to display in the content area of the list page, where num is the page you want to display, then click Go. Not available for tree table pages.
Direction arrows | Click the arrows on the lower right side of the content area to access the first page, previous page, next page, or last page.
Filtering
Large lists in a content area window or a secondary window (see Figure 5-9) can make it difficult to navigate to and select the data that you want. You can use the web interface to filter the data in these windows, reducing what appears in a list based on criteria and conditions that you choose. Table 5-5 describes the filtering options.
Note Not all filtering options are available in all fields.
For pages that do not have a Name or Description column, the sorting mechanism may be supported in the left-most column of the page, or the Description column. Place your cursor over a column heading to determine if sorting is available for a column. If sorting is available, the cursor turns into a hand and the text Click to sort appears.
Figure 5-9 Secondary Window
In addition to selecting and filtering data, you can create a selectable object within a secondary window.
Figure 5-10 Transfer Box
Table 5-6 Transfer Box Fields and Buttons
Field or Button | Description
Available | List of available items for selection.
Selected | Ordered list of selected items.
Right arrow (>) | Click to move one selected item from the Available list to the Selected list.
Left arrow (<) | Click to move one selected item from the Selected list to the Available list.
Schedule Boxes
Schedule boxes are a common element in content area pages (see Figure 5-10). You use them to select active times for a policy element from a grid, where each row represents a day of the week and each square in a row represents an hour in a day. Click one square to make one hour active. Table 5-7 describes the Schedule box options.
Directly above the rule table are two display options:
• Standard Policy—Click to display the standard policy rule table.
• Exception Policy—Click to display the exception policy rule table, which takes precedence over the standard policy rule table content.
Related Topic
• ACS 5.x Policy Model
Importing and Exporting ACS Objects through the Web Interface
You can use the import functionality in ACS to add, update, or delete multiple ACS objects at the same time. ACS uses a comma-separated values (CSV) file to perform these bulk operations. This .csv file is called an import file. ACS provides a separate .
Table 5-9 lists the ACS objects, their properties, and the property data types. The import template for each of the objects contains the properties described in this table.
Note The limitations given in Table 5-9 are applicable only to the internal database users and not to the external database (AD, LDAP, or RSA) users.
Table 5-9 ACS Objects – Property Names and Data Types (continued)
Property Name | Property Data Type
peerAZNTTL | (Optional) Integer.
envDataTTL | (Optional) Integer.
Session timeout | (Optional) Integer.
List of NDG names | (Optional) String.
Object Type: Identity Group
Name | (Required in create, edit, delete) String. Maximum length is 64 characters.
Description | (Optional) String.
Downloading the Template from the Web Interface
Before you can create the import file, you must download the import file templates from the ACS web interface. To download the import file templates for adding internal users:
Step 1 Log into the ACS 5.3 web interface.
Step 2 Choose Users and Identity Stores > Internal Identity Stores > Users. The Users page appears.
Step 3 Click File Operations.
For example, the internal user Add template contains the fields described in Table 5-10:
Table 5-10 Internal User Add Template
Header | Field Description
name:String(64):Required | Username of the user.
description:String(1024) | Description of the user.
enabled:Boolean (True,False):Required | Boolean field that indicates whether the user must be enabled or disabled.
Figure 5-12 Add Users – Import File
Step 4 Save the add users import file to your local disk.
Updating the Records in the ACS Internal Store
When you update the records in the ACS store, the import process overwrites the existing records in the internal store with the records from the .csv file. This operation replaces the records that exist in ACS with the records from the .csv files.
Figure 5-13 Update Users – Import File
Note The second column, Updated name, is the additional column that you can add to the Update template.
Deleting Records from the ACS Internal Store
You can use this option to delete a subset of records from the ACS internal store. The records that are present in the .csv file that you import are deleted from the ACS internal store.
Common Errors
You might encounter these common errors:
• Concurrency Conflict Errors, page 5-25
• Deletion Errors, page 5-26
• System Failure Errors, page 5-27
• Accessibility, page 5-27
Concurrency Conflict Errors
Concurrency conflict errors occur when more than one user tries to update the same object. When you click Submit and the web interface detects an error, a dialog box appears, with an error message and an OK button.
Error Message The item you are trying to Submit is referencing items that do not exist anymore.
Explanation You attempted to edit or duplicate an item that is referencing an item that another user deleted while you tried to submit your change.
Recommended Action Click OK to close the error message and display the previous page, the Create page or the Edit page. Your attempted changes are not saved, nor do they appear in the page.
System Failure Errors
System failure errors occur when a system malfunction is detected. When a system failure error is detected, a dialog box appears, with an error message and an OK button. Read the error message, click OK, and perform the recommended action. Possible error messages, explanations, and recommended actions are:
Error Message The following System Failure occurred: description. Where description describes the specific malfunction.
• Color used as an enhancement of information only, not as the only indicator. For example, required fields are associated with a red asterisk.
• Confirmation messages for important settings and actions.
• User-controllable font, size, color, and contrast of the entire web interface.
Keyboard and Mouse Features
You can interact with the ACS 5.3 web interface by using the keyboard and the mouse to accomplish actions.
Chapter 6 Post-Installation Configuration Tasks
This chapter provides a set of configuration tasks that you must perform to work with ACS.
Configuring ACS to Perform System Administration Tasks
Table 6-2 lists the set of system administration tasks that you must perform to administer ACS.
Table 6-2 System Administration Tasks
Step No. | Task | Drawer | Refer to...
Step 1 | Install ACS license. | System Administration > Configuration > Licensing | Licensing Overview, page 18-34.
Step 2 | Install system certificates.
Table 6-2 System Administration Tasks (continued)
Step No. | Task | Drawer | Refer to...
Step 8 | Add users or hosts to the internal identity store, or define external identity stores, or both. | • For internal identity stores: Users and Identity Stores > Internal Identity Stores | • For internal identity stores: – Creating Internal Users, page 8-11.
Configuring ACS to Manage Access Policies
Table 6-3 lists the set of tasks that you must perform to manage access restrictions and permissions.
Table 6-3 Managing Access Policies
Step No. | Task | Drawer | Refer to...
Step 1 | Define policy conditions. | Policy Elements > Session Conditions | Managing Policy Conditions, page 9-1.
Step 2 | Define authorization and permissions.
Table 6-4 Monitoring and Troubleshooting Configuration (continued)
Step No. | Task | Drawer | Refer to...
Step 4 | Enable system alarms and specify how you would like to receive notification. | Monitoring Configuration > System Configuration > System Alarm Settings | Configuring System Alarm Settings, page 15-17.
Step 5 | Define schedules and create threshold alarms.
Chapter 7 Managing Network Resources
The Network Resources drawer defines elements within the network that issue requests to ACS or those that ACS interacts with as part of processing a request. This includes the network devices that issue the requests and external servers, such as a RADIUS server that is used as a RADIUS proxy. This drawer allows you to configure:
• Network Device Groups—Logically groups the network devices, which you can then use in policy conditions.
Network Device Groups
In ACS, you can define network device groups (NDGs), which are sets of devices. These NDGs provide logical grouping of devices, for example, Device Location or Type, which you can use in policy conditions. When ACS receives a request for a device, the network device groups associated with that device are retrieved and compared against those in the policy table.
Table 7-1 Device Groups - General Page Field Descriptions
Field | Description
Description | (Optional) Enter a description for the NDG.
Root Node Name/Parent | Enter the name of the root node associated with the NDG. The NDG is structured as an inverted tree, and the root node is at the top of the tree. The root node name can be the same as the NDG name. The NDG name is displayed when you click an NDG in the Network Resources drawer.
Step 4 Click Submit.
Creating, Duplicating, and Editing Network Device Groups Within a Hierarchy
You can arrange the network device group node hierarchy according to your needs by choosing parent and child relationships for new, duplicated, or edited network device group nodes. You can also delete network device group nodes from a hierarchy.
Deleting Network Device Groups from a Hierarchy
To delete a network device group from within a hierarchy:
Step 1 Choose Network Resources > Network Device Groups. The Network Device Groups page appears.
Step 2 Click Location, Device Type, or another previously defined network device group in which you want to edit a network device group node. The Network Device Groups node hierarchy page appears.
You must install the Security Group Access license to enable Security Group Access options. The Security Group Access options only appear if you have installed the Security Group Access license. For more information on Security Group Access licenses, see Licensing Overview, page 18-34.
Viewing and Performing Bulk Operations for Network Devices
You can view the network devices and AAA clients.
– Device Type
In the IP address search field, you can specify a full IP address, an IP address with the wildcard “*”, or an IP address range such as [15-20]. The wildcard “*” and the IP range [15-20] option can be specified in any of the 4 octets of the IP address. When searching by IP address, only the Equals option is listed in the search condition.
Step 2 Choose the filter condition and the Match if operator, and enter the filter criterion that you are looking for in the text box.
Step 3 Click Go. A list of records that match your filter criterion appears. You can export this list to a .csv file.
Step 4 Click Export to export the records to a .csv file. A system message box appears, prompting you for an encryption password to encrypt the .csv file during file transfer.
Step 3 Click any one of the following operations if you have previously created a template-based .csv file on your local disk:
• Add—Adds the records in the .csv file to the records currently available in ACS.
• Update—Overwrites the records in ACS with the records from the .csv file.
• Delete—Removes the records in the .csv file from the list in ACS.
Step 4 Click Next to move to the next page.
Exporting Network Resources and Users
To export a list of network resources or users:
Step 1 Click Export on the Users, Network Devices, or MAC Address page of the web interface. The Network Device page appears.
Step 2 Choose the filter condition and the Match if operator, and enter the filter criterion that you are looking for in the text box.
Step 3 Click Go. A list of records that match your filter criterion appears.
The first page of the Create Network Device process appears if you are creating a new network device. The Network Device Properties page for the selected device appears if you are duplicating or editing a network device.
Step 3 Modify the fields as required. For field descriptions, see Configuring Network Device and AAA Clients, page 7-11.
Step 4 Click Submit. Your new network device configuration is saved.
Table 7-4 Creating Network Devices and AAA Clients (continued)
Option | Description
IP Range(s) By Mask | Choose to enter an IP address range. You can configure up to 40 IP addresses or subnet masks for each network device. If you use a subnet mask in this field, all IP addresses within the specified subnet mask are permitted to access the network and are associated with the network device definition.
Table 7-4 Creating Network Devices and AAA Clients (continued)
Option | Description
Single Connect Device | Check to use a single TCP connection for all TACACS+ communication with the network device. Choose one:
• Legacy TACACS+ Single Connect Support
• TACACS+ Draft Compliant Single Connect Support
If you disable this option, a new TCP connection is used for every TACACS+ request.
Table 7-4 Creating Network Devices and AAA Clients (continued)
Option | Description
Download peer authorization policy every: Weeks Days Hours Minutes Seconds | Specifies the expiry time for the peer authorization policy. ACS returns this information to the peer device in the response to a peer policy request. The default is 1 day.
Download SGACL lists | Specifies the expiry time for SGACL lists.
Table 7-5 Network Devices and AAA Clients Properties Page (continued)
Option | Description
IP Range(s) By Mask | Choose to enter an IP address range. You can configure up to 40 IP addresses or subnet masks for each network device. If you use a subnet mask in this field, all IP addresses within the specified subnet mask are permitted to access the network and are associated with the network device definition.
Table 7-5 Network Devices and AAA Clients Properties Page (continued)
Option | Description
RADIUS Shared Secret | Shared secret of the network device, if you have enabled the RADIUS protocol.
CoA Port | Used to set up the RADIUS CoA port for the session directory, for user authentication. This session directory can be launched from the Monitoring and Troubleshooting Viewer page. By default, the CoA port value is filled as 1700.
Table 7-5 Network Devices and AAA Clients Properties Page (continued)
Option | Description
Download environment data every: Weeks Days Hours Minutes Seconds | Specifies the expiry time for environment data. ACS returns this information to the device in the response to a request for environment data. The default is 1 day.
Re-authentication every: Weeks Days Hours Minutes Seconds | Specifies the dot1x (.1x) reauthentication period.
Configuring a Default Network Device
Choose Network Resources > Default Network Device to configure the default network device. The Default Network Device page appears, displaying the information described in Table 7-6.
Table 7-6 Default Network Device Page
Option | Description
Default Network Device | The default device definition can optionally be used in cases where no specific device definition is found that matches a device IP address.
Table 7-6 Default Network Device Page (continued)
Option | Description
Enable KeyWrap | Check to enable the shared secret keys for RADIUS Key Wrap in PEAP, EAP-FAST and EAP-TLS authentications. Each key must be unique and be distinct from the RADIUS shared key. You can configure these shared keys for each AAA Client.
Key Encryption Key (KEK) | Used to encrypt the Pairwise Master Key (PMK).
Step 2 Do one of the following:
• Click Create.
• Check the check box next to the external proxy server that you want to duplicate, then click Duplicate.
• Click the external proxy server name that you want to edit, or check the check box next to the name and click Edit.
The External Proxy Servers page appears.
Step 3 Edit the fields in the External Proxy Servers page as shown in Table 7-7.
Note If you want ACS to forward unknown RADIUS attributes, you have to define VSAs for proxy.
Chapter 8 Managing Users and Identity Stores
Overview
ACS manages your network devices and other ACS clients by using the ACS network resource repositories and identity stores. When a host connects to the network through ACS requesting access to a particular network resource, ACS authenticates the host and decides whether the host can communicate with the network resource. To authenticate and authorize a user or host, ACS uses the user definitions in identity stores.
Fixed components are:
• Name
• Description
• Password
• Enabled or disabled status
• Identity group to which users belong
Configurable components are:
• Enable password for TACACS+ authentication
• Sets of identity attributes that determine how the user definition is displayed and entered
Cisco recommends that you configure identity attributes before you create users.
Identity Stores with Two-Factor Authentication
You can use the RSA SecurID Token Server and RADIUS Identity Server to provide two-factor authentication. These external identity stores use an OTP that provides greater security.
Chapter 8 Managing Users and Identity Stores Managing Internal Identity Stores
Identity Sequences
You can configure a complex condition where multiple identity stores and profiles are used to process a request. You can define these identity methods in an Identity Sequence object. The identity methods within a sequence can be of any type. The identity sequence is made up of two components, one for authentication and the other for retrieving attributes.
• Authentication information
Note: ACS 5.3 supports authentication for internal users against the internal identity store only.
Identity Groups
You can assign each internal user to one identity group. Identity groups are defined within a hierarchical structure. They are logical entities that are associated with users, but do not contain data or attributes other than the name you give to them. You use identity groups within policy conditions to create logical groups of users to which the same policy results are applied.
Related Topics
• Managing Users and Identity Stores, page 8-1
• Managing Internal Identity Stores, page 8-4
• Performing Bulk Operations for Network Resources and Users, page 7-8
• Identity Groups, page 8-3
• Creating Identity Groups, page 8-6
• Deleting an Identity Group, page 8-7
Deleting an Identity Group
To delete an identity group:
Step 1 Select Users and Identity Stores > Identity Groups.
Standard Attributes
Table 8-1 describes the standard attributes in the internal user record.
Table 8-1 Standard Attributes
Username: ACS compares the username against the username in the authentication request. The comparison is case-insensitive.
Status:
• Enabled status indicates that the account is active.
• Disabled status indicates that authentications for the username will fail.
In ACS 5.3, you can configure identity attributes that are used within your policies, in this order:
1. Define an identity attribute (using the user dictionary).
2. Define custom conditions to be used in a policy.
3. Populate values for each user in the internal database.
4. Define rules based on this condition.
As you become more familiar with ACS 5.
Table 8-2 Password Complexity Tab (continued)
Password may not contain the username: Whether the password may contain the username or reverse username.
Password may not contain 'cisco': Check to specify that the password cannot contain the word cisco.
Password may not contain: Check to specify that the password does not contain the string that you enter.
Table 8-3 Advanced Tab Options
Password must be different from the previous n versions: Specifies the number of previous passwords for this user to be compared against. The number of previous passwords includes the default password as well. This option prevents users from setting a password that was recently used. Valid options are 1 to 99.
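The checks in Tables 8-2 and 8-3 as an added, runnable illustration (this is not ACS code). It assumes case-insensitive substring matching and that the history list is ordered oldest first with the default password as its first entry; a real implementation would compare password hashes, not plaintext.

```python
"""Password policy checks modelled on the ACS 5.3 Password Complexity and
Advanced tab options. Added example, not ACS code."""
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    forbid_username: bool = True      # "Password may not contain the username"
    forbid_cisco: bool = True         # "Password may not contain 'cisco'"
    forbidden_strings: tuple = ()     # "Password may not contain <string>"
    history_depth: int = 5            # "different from the previous n versions"

    def __post_init__(self):
        # Table 8-3: valid options are 1 to 99
        if not 1 <= self.history_depth <= 99:
            raise ValueError("history_depth must be between 1 and 99")


def violations(policy, username, new_password, previous_passwords):
    """Return the list of rules the candidate password breaks (empty = OK).

    Matching is case-insensitive (assumption; the guide does not say).
    previous_passwords is oldest-first and includes the default password;
    only the most recent history_depth entries are compared (assumption).
    """
    pw = new_password.lower()
    user = username.lower()
    problems = []
    if policy.forbid_username and user and (user in pw or user[::-1] in pw):
        problems.append("contains username or reversed username")
    if policy.forbid_cisco and "cisco" in pw:
        problems.append("contains 'cisco'")
    for forbidden in policy.forbidden_strings:
        if forbidden.lower() in pw:
            problems.append(f"contains forbidden string {forbidden!r}")
    recent = previous_passwords[-policy.history_depth:]
    if any(new_password == old for old in recent):
        problems.append(f"matches one of the previous {policy.history_depth} passwords")
    return problems


if __name__ == "__main__":
    # constructed sample data
    policy = PasswordPolicy(forbidden_strings=("acme",), history_depth=2)
    history = ["Default1", "Winter2013", "Spring2014"]
    print(violations(policy, "jsmith", "htimsj99!", history))
    print(violations(policy, "jsmith", "Summer2014!", history))
```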
• Click the username that you want to modify, or check the check box next to the name and click Edit.
• Check the check box next to the user whose password you want to change, then click Change Password. The Change Password page appears.
Step 3 Complete the fields as described in Table 8-4 to change the internal user password.
Table 8-5 Users and Identity Stores > Internal Identity Store > User Properties Page (continued)
Description: (Optional) Description of the user.
Identity Group: Click Select to display the Identity Groups window. Choose an identity group and click OK to configure the user with a specific identity group.
Password Information: This section of the page appears only when you create an internal user.
Table 8-5 Users and Identity Stores > Internal Identity Store > User Properties Page (continued)
Date Created: Display only. The date and time when the user's account was created, in the format Day Mon dd hh:mm:ss UTC YYYY, where:
• Day = Day of the week.
Date Modified
Step 5
Step 4 Click OK. The Internal Users page appears without the deleted users.
Creating Hosts in Identity Stores
To create, duplicate, or edit a MAC address and assign identity groups to internal hosts:
Step 1 Select Users and Identity Stores > Internal Identity Stores > Hosts. The Internal Hosts page appears, listing any configured internal hosts.
Step 2 Click Create. You can also:
• Check the check box next to the MAC address you want to duplicate, then click Duplicate.
Table 8-6 Internal Hosts Properties Page (continued)
Date Created: Display only. The date that the host account was created, in the format Day Mon dd hh:mm:ss UTC YYYY, where:
• Day = Day of the week.
Date Modified
Step 4
Deleting Internal Hosts
To delete a MAC address:
Step 1 Select Users and Identity Stores > Internal Identity Stores > Hosts. The Internal MAC List page appears, with any configured MAC addresses listed.
Step 2 Check one or more of the check boxes next to the internal hosts you want to delete.
Step 3 Click Delete. The following message appears: Are you sure you want to delete the selected item/items?
Step 4 Click OK.
• Policies and Identity Attributes, page 3-17
• Configuring an Identity Group for Host Lookup Network Access Requests, page 4-18
Management Hierarchy
Management Hierarchy enables the administrator to give access permission to internal users or internal hosts according to their level in the organization's management hierarchy.
The administrator can configure any level of hierarchy while defining management centers or AAA client locations. The syntax for the ManagementHierarchy attribute is: : :
Examples:
1. Location:All Locations:ManagementCenter1
2. Location:All Locations:ManagementCenter1:Customer 1
The administrator can configure multiple values for management hierarchy.
Related Topics
Configuring and Using HostIsInManagementHierarchy Attributes, page 8-21.
Configuring and Using HostIsInManagementHierarchy Attributes
To configure and use the HostIsInManagementHierarchy attribute, complete the following steps:
Step 1 Create ManagementHierarchy and HostIsInManagementHierarchy attributes for internal hosts. See Configuring Internal Identity Attributes, page 18-11.
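An added illustration (not ACS code) of how a HostIsInManagementHierarchy-style check can be evaluated over colon-separated ManagementHierarchy values like the two examples above. It assumes that "in the hierarchy" means the host's value sits at or below the administrator's node, compared level by level rather than as a raw string prefix, and that multiple values match if any pair matches.

```python
"""Level-wise containment check for ManagementHierarchy values.
Added example; the matching rule is an assumption, not taken from ACS."""


def parse_hierarchy(value):
    """Split 'Location:All Locations:ManagementCenter1' into its levels.

    Rejects empty levels such as 'Location::Center' so that a malformed
    attribute value can never match everything.
    """
    levels = [level.strip() for level in value.split(":")]
    if any(not level for level in levels):
        raise ValueError(f"malformed ManagementHierarchy value: {value!r}")
    return levels


def is_in_hierarchy(host_value, admin_value):
    """True when host_value is at or below admin_value in the tree.

    Comparison is level by level, so 'ManagementCenter1' does not match
    'ManagementCenter10' the way a plain string-prefix test would.
    Level names are compared case-sensitively (assumption).
    """
    host = parse_hierarchy(host_value)
    admin = parse_hierarchy(admin_value)
    return len(host) >= len(admin) and host[: len(admin)] == admin


def host_is_in_management_hierarchy(host_values, admin_values):
    """Both attributes may carry several values; any matching pair suffices."""
    return any(is_in_hierarchy(h, a) for h in host_values for a in admin_values)


if __name__ == "__main__":
    # constructed sample values modelled on the guide's two examples
    admin = ["Location:All Locations:ManagementCenter1"]
    host = ["Location:All Locations:ManagementCenter1:Customer 1"]
    print(host_is_in_management_hierarchy(host, admin))
```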
Chapter 8 Managing Users and Identity Stores Managing External Identity Stores
Managing External Identity Stores
ACS 5.3 integrates with external identity systems in a number of ways. You can leverage an external authentication service or use an external system to obtain the necessary attributes to authenticate a principal, as well as to integrate the attributes into an ACS policy.
• Configuring LDAP Groups, page 8-33
• Viewing LDAP Attributes, page 8-34
Directory Service
The directory service is a software application, or a set of applications, for storing and organizing information about a computer network's users and network resources. You can use the directory service to manage user access to these resources. The LDAP directory service is based on a client-server model.
Failover
ACS 5.3 supports failover between a primary LDAP server and a secondary LDAP server. In the context of LDAP authentication with ACS, failover applies when an authentication request fails because ACS could not connect to an LDAP server, for example, when the server is down or is otherwise unreachable by ACS. To use this feature, you must define primary and secondary LDAP servers, and you must set failover settings.
Possible reasons for an LDAP server to return bind (authentication) errors are:
– Filtering errors—A search using filter criteria fails.
– Parameter errors—Invalid parameters were entered.
– User account is restricted (disabled, locked out, expired, password expired, and so on).
The following errors are logged as external resource errors, indicating a possible problem with the LDAP server:
• A connection error occurred.
• Unsigned Integer 32
• IPv4 Address
For unsigned integers and IPv4 attributes, ACS converts the strings that it has retrieved to the corresponding data types. If conversion fails or if no values are retrieved for the attributes, ACS logs a debug message, but does not fail the authentication or the lookup process.
Step 5 Continue with Configuring an External LDAP Server Connection, page 8-27.
Note: NAC Guest Server can also be used as an external LDAP server. For the procedure to use NAC Guest Server as an external LDAP server, see: http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_sponsor.html#wp1070105.
Table 8-7 LDAP: Server Connection Page (continued)
Anonymous Access: Click to ensure that searches on the LDAP directory occur anonymously. The server does not distinguish who the client is and will allow the client read access to any data that is configured as accessible to any unauthenticated client.
Table 8-7 LDAP: Server Connection Page (continued)
Admin DN: Enter the domain name of the administrator; that is, the LDAP account which, if bound to, permits searching for all required users under the User Directory Subtree and permits searching groups.
Table 8-8 LDAP: Directory Organization Page
Schema
Subject Object class: Value of the LDAP objectClass attribute that identifies the subject. Often, subject records have several values for the objectClass attribute, some of which are unique to the subject, some of which are shared with other object types. This box should contain a value that is not shared.
Table 8-8 LDAP: Directory Organization Page (continued)
Subject Search Base: Enter the distinguished name (DN) for the subtree that contains all subjects. For example: o=corporation.com
If the tree containing subjects is the base DN, enter: o=corporation.com or dc=corporation,dc=com as applicable to your LDAP configuration. For more information, refer to your LDAP database documentation.
Table 8-8 LDAP: Directory Organization Page (continued)
Username Prefix\Suffix Stripping
Strip start of subject name up to the last occurrence of the separator: Enter the appropriate text to remove domain prefixes from usernames.
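The prefix-stripping rule above, as an added illustration that is not ACS code. Prefix stripping follows the page's wording (up to the last occurrence of the separator); the suffix rule (from the first occurrence of the separator onward) is an assumption since that row is not shown here, and the final non-empty check is an added safeguard so an all-separator input is never turned into an empty LDAP subject name.

```python
"""Username prefix/suffix stripping before the LDAP subject search.
Added example; the suffix rule and the empty-name check are assumptions."""


def strip_prefix(name, separator):
    """Strip start of subject name up to the last occurrence of the separator.

    'CORP\\jsmith' -> 'jsmith'; a name without the separator is unchanged.
    """
    if not separator:
        return name
    idx = name.rfind(separator)
    return name if idx == -1 else name[idx + len(separator):]


def strip_suffix(name, separator):
    """Strip end of subject name from the first occurrence of the separator.

    'jsmith@corp.example' -> 'jsmith' (assumed mirror of the prefix rule).
    """
    if not separator:
        return name
    idx = name.find(separator)
    return name if idx == -1 else name[:idx]


def normalize_username(name, prefix_separator=None, suffix_separator=None):
    """Apply prefix stripping, then suffix stripping, then sanity-check.

    Raises ValueError instead of returning '' so that a degenerate input
    such as 'CORP\\' cannot reach the directory as an empty subject name.
    """
    stripped = name
    if prefix_separator:
        stripped = strip_prefix(stripped, prefix_separator)
    if suffix_separator:
        stripped = strip_suffix(stripped, suffix_separator)
    if not stripped:
        raise ValueError(f"stripping left no subject name for {name!r}")
    return stripped


if __name__ == "__main__":
    # constructed sample usernames
    for raw in ("CORP\\jsmith", "jsmith@corp.example", "CORP\\jsmith@corp.example"):
        print(raw, "->", normalize_username(raw, "\\", "@"))
```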
Related Topics
• Configuring LDAP Groups, page 8-33
• Deleting External LDAP Identity Stores, page 8-33
Deleting External LDAP Identity Stores
You can delete one or more external LDAP identity stores simultaneously. To delete an external LDAP identity store:
Step 1 Select Users and Identity Stores > External Identity Stores > LDAP.
Viewing LDAP Attributes
Use this page to view the external LDAP attributes.
Step 1 Select Users and Identity Stores > External Identity Stores > LDAP.
Step 2 Check the check box next to the LDAP identity store whose attributes you want to view, click Edit, and then click the Directory Attributes tab.
This means the switch port to which these devices attach cannot authenticate them using the 802.1X exchange of device or user credentials and must revert to an authentication mechanism other than port-based authentication (typically endpoint MAC address-based) in order for them to connect to the network.
Figure 8-1 LDAP Interface Configuration in NAC Profiler
Step 5 Click Update Server.
Step 6 Click the Configuration tab and click Apply Changes. The Update NAC Profiler Modules page appears.
Step 7 Click Update Modules to enable LDAP to be used by ACS.
You must enable the endpoint profiles that you want to authenticate against the Cisco NAC Profiler.
Step 2 Choose Configuration > Endpoint Profiles > View/Edit Profiles List. A list of profiles in a table appears.
Step 3 Click on the name of a profile to edit it.
Step 4 In the Save Profile page, ensure that the LDAP option is enabled by clicking the Yes radio button next to it, if it is not already done, as shown in Figure 8-2.
Figure 8-2 Configuring Endpoint Profiles in NAC Profiler
Step 5 Click Save Profile.
To edit the NAC Profiler template in ACS:
Step 1 Choose Users and Identity Stores > External Identity Stores > LDAP.
Step 2 Click on the name of the NAC Profiler template, or check the check box next to the NAC Profiler template and click Edit. The Edit NAC Profiler definition page appears as shown in Figure 8-3.
Figure 8-3 Edit NAC Profiler Definition - General Page
Step 3 Click the Server Connection tab.
Figure 8-5 Test Bind to Server Dialog Box
For more information, see Creating External LDAP Identity Stores, page 8-26.
Note: The default password for LDAP is GBSbeacon. If you want to change this password, refer to the Cisco NAC Profiler Installation and Configuration Guide at the following location: http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/311/p_ldap31.html#wp1057155.
Step 6
• Number of Subjects: 100
• Number of Directory Groups: 6
Figure 8-7 Test Configuration Dialog Box
Number of Subjects—This value maps to the actual subject devices already profiled by the Cisco NAC Profiler (actual devices enabled for Profiler).
For more information on features like Event Delivery Method and Active Response, see the Cisco NAC Profiler Installation and Configuration Guide, Release 3.1 at the following location: http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/310/p_prof_events31.
The AD user password change using the above methods must follow the AD password policy. Check with your AD administrator for the complete AD password policy rules.
If there is a firewall between ACS and AD, certain ports need to be opened in order to allow ACS to communicate with AD. The following are the default ports to be opened:
Protocol        Port number
LDAP            389/udp
SMB             445/tcp
KDC             88/(tcp/udp)
Global catalog  3268/tcp
KPASS           464/tcp
NTP             123/udp
Note: Dial-in users are not supported by AD in ACS.
Attribute Retrieval for Authorization
You can configure ACS to retrieve user or machine AD attributes to be used in authorization and group mapping rules. The attributes are mapped to the ACS policy results and determine the authorization level for the user or machine.
Machine Access Restrictions
MAR ties the results of machine authentication to the user authentication and authorization process. The most common usage of MAR is to fail authentication of users whose host machine does not successfully authenticate. MAR is effective for all authentication protocols.
AD Group    Machine Authentication Required    …    ATZ profile
Engineers   Yes                                …    VLAN X
Managers    No                                 …    VLAN B
…           …                                  …    DENY ACCESS
The Engineers' rule is an example of a MAR rule that only allows engineers access if their machine was successfully authenticated against the Windows DB. The Managers' rule is an example of an exemption from MAR.
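The rule table above evaluated with first-match semantics, as an added illustration that is not ACS code. It assumes the last row is a catch-all default, that an Engineers user without a successful machine authentication simply fails to match the first row and falls through, and that a user in both groups is authorized by the first row that matches.

```python
"""First-match evaluation of the MAR example rule table.
Added example; rule semantics are an assumption based on the table above."""
from dataclasses import dataclass
from typing import Optional

DENY_ACCESS = "DENY ACCESS"


@dataclass(frozen=True)
class Rule:
    ad_group: Optional[str]          # None = matches any group (the "…" row)
    machine_auth_required: bool      # the "Machine Authentication Required" column
    atz_profile: str                 # the "ATZ profile" result column


# Constructed from the table in the guide; row order is significant.
RULES = [
    Rule("Engineers", True, "VLAN X"),
    Rule("Managers", False, "VLAN B"),
    Rule(None, False, DENY_ACCESS),
]


def authorize(user_groups, machine_authenticated, rules=RULES):
    """Return the ATZ profile of the first rule whose conditions all hold.

    A rule with machine_auth_required=True only matches when the host
    machine authenticated successfully; otherwise evaluation continues
    with the next row, which is how the Engineers' rule enforces MAR.
    """
    groups = set(user_groups)
    for rule in rules:
        if rule.ad_group is not None and rule.ad_group not in groups:
            continue
        if rule.machine_auth_required and not machine_authenticated:
            continue
        return rule.atz_profile
    return DENY_ACCESS   # reached only if no catch-all row is configured


if __name__ == "__main__":
    # constructed requests: (AD groups of the user, machine authenticated?)
    for groups, machine_ok in ((["Engineers"], True), (["Engineers"], False),
                               (["Managers"], False), (["Sales"], True)):
        print(groups, machine_ok, "->", authorize(groups, machine_ok))
```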
Dial-in Support Attributes
The user attributes on Active Directory are supported on the following servers:
• Windows Server 2003
• Windows Server 2003 R2
• Windows Server 2008
• Windows Server 2008 R2
ACS does not support dial-in users on Windows 2000.
Joining ACS to an AD Domain
After you configure the AD identity store in ACS through the ACS web interface, you must submit the configuration to join ACS to the AD domain. For more information on how to configure an AD identity store, see Configuring an AD Identity Store, page 8-48.
Note: The Windows AD account, which joins ACS to the AD domain, can be placed in its own organizational unit (OU).
Table 8-10 Active Directory: General Page (continued)
Username: Predefined user in AD. The AD account required for domain access in ACS should have either of the following:
• Add workstations to domain user right in the corresponding domain.
• Save Changes to save the configuration, join the ACS to the specified AD domain with the configured credentials, and start the AD agent.
• Discard Changes to discard all changes.
• If AD is already configured and you want to delete it, click Clear Configuration after you verify that:
– There are no policy rules that use custom conditions based on the AD dictionary.
The External User Groups dialog box appears, displaying a list of AD groups in the domain, as well as other trusted domains in the same forest. If you have more groups that are not displayed, use the search filter to refine your search and click Go.
Step 3 Enter the AD groups or select them from the list, then click OK. To remove an AD group from the list, click an AD group, then click Deselect.
Table 8-11 Active Directory: Attributes Page
Name of example Subject to Select Attributes: Enter the name of a user or computer found on the joined domain. You can enter the user's or the computer's CN or distinguished name. The set of attributes that are displayed belong to the subject that you specify. The set of attributes are different for a user and a computer.
• If AD is already configured and you want to delete it, click Clear Configuration after you verify that there are no policy rules that use custom conditions based on the AD dictionary.
AD Deployments with Users Belonging to Large Number of Groups
In ACS 5.3, when you move between AD domains, the user authentications show a timeout error if the user belongs to a large number of groups (more than 50 groups).
RSA SecurID Server
ACS supports the RSA SecurID server as an external database. RSA SecurID two-factor authentication consists of the user's personal identification number (PIN) and an individually registered RSA SecurID token that generates single-use token codes based on a time code algorithm. A different token code is generated at fixed intervals (usually every 30 or 60 seconds).
Override Automatic Load Balancing
RSA SecurID Agent automatically balances the requested loads on the RSA SecurID servers in the realm. However, you do have the option to manually balance the load. You can specify which server each of the agent hosts must use and assign a priority to each server so that the agent host directs authentication requests to some servers more frequently than others.
Table 8-12 RSA Realm Settings Tab
Import new 'sdconf.rec' file: Click Browse to select the sdconf.rec file from your machine.
Node Secret Status: Once the user is first authenticated against the RSA SecurID Token Server, the Node Secret Status is shown as Created.
Step 4 Click the ACS Instance Settings tab. See Configuring ACS Instance Settings, page 8-57 for more information.
Related Topics:
• RSA SecurID Server, page 8-54
• Configuring ACS Instance Settings, page 8-57
• Configuring Advanced Options, page 8-59
Configuring ACS Instance Settings
The ACS Instance Settings tab appears with the current list of ACS instances that are active in the system. You cannot add or delete these entries. However, you can edit the available RSA Realm settings for each of these ACS instances.
Enable the RSA options file
You can enable the RSA options file (sdopts.rec) on each ACS instance to control routing priorities for connections between the RSA agent and the RSA servers in the realm. Table 8-14 describes the fields in the RSA Options File tab.
Table 8-14 RSA Options File Tab
The RSA options file (sdopts.
Step 1 Choose either of the following options:
• To reset the node secret on the agent host, check the Remove securid file on submit check box. If you reset the node secret on the agent host, you must reset the agent host's node secret in the RSA server.
• To reset the status of servers in the realm, check the Remove sdstatus.12 file on submit check box.
Step 2 Click OK.
Related Topics
• RSA SecurID Server, page 8-54
• Creating and Editing RSA SecurID Token Servers, page 8-55
• Configuring ACS Instance Settings, page 8-57
• Editing ACS Instance Settings, page 8-57
RADIUS Identity Stores
A RADIUS server is a third-party server that supports the RADIUS interface. The RADIUS identity store, which is part of ACS, connects to the RADIUS server.
Failover
ACS 5.3 allows you to configure multiple RADIUS identity stores. Each RADIUS identity store can have primary and secondary RADIUS servers. When ACS is unable to connect to the primary server, it uses the secondary server.
Password Prompt
RADIUS identity stores allow you to configure the password prompt. You can configure the password prompt through the ACS web interface.
RADIUS Identity Store in Identity Sequence
You can add the RADIUS identity store for authentication sequence in an identity sequence. However, you cannot add the RADIUS identity store for attribute retrieval sequence because you cannot query the RADIUS identity store without authentication. ACS cannot distinguish between different error cases while authenticating with a RADIUS server.
Safeword token servers support both formats. ACS works with various token servers. While configuring a Safeword server, you must check the Safeword Server check box for ACS to parse the username and convert it to the specified format. This conversion is done in the RADIUS token server identity store before the request is sent to the RADIUS token server.
Step 2 Click Create. You can also:
• Check the check box next to the identity store you want to duplicate, then click Duplicate.
• Click the identity store name that you want to modify, or check the box next to the name and click Edit.
Step 3 Complete the fields in the General tab. See Configuring General Settings, page 8-64 for a description of the fields in the General tab.
Table 8-16 RADIUS Identity Server - General Tab (continued)
Server Connection
Enable Secondary Server: Check this check box to use a secondary RADIUS identity server as a backup server in case the primary RADIUS identity server fails.
Table 8-16 RADIUS Identity Server - General Tab (continued)
Server Timeout n Seconds: Number of seconds, n, that ACS waits for a response from the secondary RADIUS identity server before it determines that the connection to the secondary server has failed. Valid options are from 1 to 300. The default value is 5.
Configuring Directory Attributes
When a RADIUS identity server responds to a request, RADIUS attributes are returned along with the response. You can make use of these RADIUS attributes in policy rules. In the Directory Attributes tab, you can specify the RADIUS attributes that you use in policy rule conditions. ACS maintains a separate list of these attributes.
Chapter 8 Managing Users and Identity Stores Configuring CA Certificates
• Configuring Shell Prompts, page 8-66
• Configuring Advanced Options, page 8-68
Configuring Advanced Options
In the Advanced tab, you can do the following:
• Define what an access reject from a RADIUS identity server means to you.
• Enable identity caching.
Table 8-18 describes the fields in the Advanced tab of the RADIUS Identity Servers page.
You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and provides the means for managing a certificate trust list (CTL) and certificate revocation lists (CRLs). Digital certificates do not require the sharing of secrets or stored database credentials.
Step 4 Click Submit. The new certificate is saved. The Trust Certificate List page appears with the new certificate.
Related Topics
• User Certificate Authentication, page B-6
• Overview of EAP-TLS, page B-6
Editing a Certificate Authority and Configuring Certificate Revocation Lists
Use this page to edit a trusted CA (Certificate Authority) certificate.
Step 1 Select Users and Identity Stores > Certificate Authorities.
Table 8-20 Edit Certificate Authority Properties Page (continued)
Certificate Revocation List Configuration: Use this section to configure the CRL.
Download CRL: Check this box to download the CRL.
CRL Distribution URL: Enter the CRL distribution URL. You can specify a URL that uses HTTP.
Retrieve CRL: ACS attempts to download a CRL from the CA.
Chapter 8 Managing Users and Identity Stores Configuring Certificate Authentication Profiles
Related Topic
• Overview of EAP-TLS, page B-6
Exporting a Certificate Authority
To export a trust certificate:
Step 1 Select Users and Identity Stores > Certificate Authorities. The Trust Certificate List page appears with a list of configured certificates.
Step 2 Check the box next to the certificates that you want to export.
Step 3 Click Export.
To create, duplicate, or edit a certificate authentication profile:
Step 1 Select Users and Identity Stores > Certificate Authentication Profile. The Certificate Authentication Profile page appears.
Step 2 Do one of the following:
• Click Create.
• Check the check box next to the certificate authentication profile that you want to duplicate, then click Duplicate.
Chapter 8 Managing Users and Identity Stores Configuring Identity Store Sequences
Configuring Identity Store Sequences
An access service identity policy determines the identity sources that ACS uses for authentication and attribute retrieval. An identity source consists of a single identity store or multiple identity methods. When you use multiple identity methods, you must first define them in an identity store sequence, and then specify the identity store sequence in the identity policy.
Step 2 Do one of the following:
• Click Create.
• Check the check box next to the sequence that you want to duplicate, then click Duplicate.
• Click the sequence name that you want to modify, or check the check box next to the name and click Edit.
The Identity Store Sequence Properties page appears as described in Table 8-22.
Table 8-22 Identity Store Sequence Properties Page (continued)
Advanced Options
Break sequence: If this option is selected and an authentication attempt against the current Identity Store results in a process error, the flow breaks the Identity Stores sequence. The flow then continues to the Fail-Open option configured in the Identity Policy. The same applies to attribute retrieval.
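The authentication half of an identity store sequence with the Break sequence option, as an added illustration that is not ACS code. It assumes three outcomes per store (passed, failed, process error), that a failed authentication always moves on to the next store, that a process error moves on only when Break sequence is off, and that the identity policy's fail-open setting is supplied by the caller as an opaque action string; the three sample stores are constructed, with the unreachable LDAP store standing in for the connection error the Failover section describes.

```python
"""Identity store sequence evaluation with the Break sequence option.
Added example; outcome classification and fail-open handling are assumptions."""
from enum import Enum


class Outcome(Enum):
    PASSED = "passed"
    FAILED = "failed"                  # wrong credentials or unknown user
    PROCESS_ERROR = "process error"    # store unreachable, bind error, etc.


def run_identity_sequence(stores, credentials, break_sequence, fail_open_action):
    """Try each (name, authenticate) store in order.

    Returns (outcome, action, deciding_store, trace). On PASSED the action
    is 'continue' (proceed to authorization). On a PROCESS_ERROR with Break
    sequence enabled the sequence stops and the identity policy's fail-open
    action is returned. If every store is exhausted, the result is FAILED.
    """
    trace = []
    for name, authenticate in stores:
        outcome = authenticate(credentials)
        trace.append((name, outcome))
        if outcome is Outcome.PASSED:
            return outcome, "continue", name, trace
        if outcome is Outcome.PROCESS_ERROR and break_sequence:
            return outcome, fail_open_action, name, trace
        # FAILED, or PROCESS_ERROR with Break sequence off: try the next store
    return Outcome.FAILED, "reject", None, trace


# --- constructed sample stores (not real identity stores) -------------------
def internal_store(creds):
    users = {"alice": "constructed-pw"}         # constructed sample user
    if creds["user"] not in users:
        return Outcome.FAILED
    return Outcome.PASSED if users[creds["user"]] == creds["password"] else Outcome.FAILED


def unreachable_ldap(creds):
    # Simulates the "connection error" the guide logs as an external resource error.
    return Outcome.PROCESS_ERROR


def radius_store(creds):
    # A RADIUS identity store cannot distinguish error cases; an Access-Reject
    # is mapped to one outcome according to the Advanced tab setting.
    return Outcome.PASSED if creds["user"] == "bob" else Outcome.FAILED


SEQUENCE = [("internal", internal_store), ("ldap", unreachable_ldap),
            ("radius", radius_store)]

if __name__ == "__main__":
    creds = {"user": "bob", "password": "constructed-pw"}
    print(run_identity_sequence(SEQUENCE, creds, True, "reject"))
    print(run_identity_sequence(SEQUENCE, creds, False, "reject"))
```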
• Managing Internal Identity Stores, page 8-4
• Managing External Identity Stores, page 8-22
• Configuring Certificate Authentication Profiles, page 8-72
• Creating, Duplicating, and Editing Identity Store Sequences, page 8-74
Chapter 9 Managing Policy Elements
A policy defines the authentication and authorization processing of clients that attempt to access the ACS network. A client can be a user, a network device, or a user associated with a network device. Policies are sets of rules. Rules contain policy elements, which are sets of conditions and results that are organized in rule tables. See Chapter 3, “ACS 5.x Policy Model” for more information on policy design and how it is implemented in ACS.
Chapter 9 Managing Policy Elements Managing Policy Conditions
You can map users and hosts to identity groups by using the group mapping policy. You can include identity groups in conditions to configure common policy conditions for all users in the group. For more information about creating identity groups, see Managing Identity Attributes, page 8-7.
• Network Device Groups (NDGs)—Devices issuing requests are included in one or more of up to 12 device hierarchies.
• Deleting a Session Condition, page 9-6
• Managing Network Conditions, page 9-6
See Chapter 3, “ACS 5.x Policy Model” for information about additional conditions that you can use in policy rules, although they are not configurable.
Creating, Duplicating, and Editing a Date and Time Condition
Create date and time conditions to specify time intervals and durations. For example, you can define shifts over a specific holiday period.
Table 9-1 Date and Time Properties Page (continued)
Option Description
Duration
Start: Click one of the following options:
• Start Immediately—Specifies that the rules associated with this condition are valid, starting at the current date.
Creating, Duplicating, and Editing a Custom Session Condition
The protocol and identity dictionaries contain a large number of attributes. To use any of these attributes as a condition in a policy rule, you must first create a custom condition for the attribute. In this way, you define a smaller subset of attributes to use in policy conditions, and present a smaller, focused list from which to choose condition types for rule tables.
Step 4 Click Submit.
The new custom session condition is saved. The Custom Condition page appears with the new custom session condition. Clients that are associated with this condition are subject to it for the duration of their session.
ACS offers three types of filters:
• End Station Filter—Filters end stations, such as a laptop or printer, that initiate a connection, based on the end station’s IP address, MAC address, CLID number, or DNIS number. The end station identifier can be the IP address, MAC address, or any other string that uniquely identifies the end station.
This section contains the following topics:
• Importing Network Conditions, page 9-8
• Exporting Network Conditions, page 9-9
• Creating, Duplicating, and Editing End Station Filters, page 9-9
• Creating, Duplicating, and Editing Device Filters, page 9-12
• Creating, Duplicating, and Editing Device Port Filters, page 9-14
Importing Network Conditions
You can use the bulk import function to import the contents from the following netwo
Timesaver Instead of downloading the template and creating an import file, you can use the export file of the particular filter, update the information in that file, save it, and reuse it as your import file.
Exporting Network Conditions
ACS 5.3 offers you a bulk export function to export the filter configuration data in the form of a .csv file.
Step 5 Click Submit to save the changes.
Related Topics
• Managing Network Conditions, page 9-6
• Importing Network Conditions, page 9-8
• Creating, Duplicating, and Editing Device Filters, page 9-12
• Creating, Duplicating, and Editing Device Port Filters, page 9-14
Defining IP Address-Based End Station Filters
You can create, duplicate, and edit the IP addresses of end stations that you want to permit or deny access to.
Defining MAC Address-Based End Station Filters
You can create, duplicate, and edit the MAC addresses of end stations or destinations that you want to permit or deny access to. To do this:
Step 1 From the MAC Address tab, do one of the following:
• Click Create.
• Check the check box next to the MAC address-based end station filter that you want to duplicate, then click Duplicate.
Step 3 Check the DNIS check box to enter the DNIS number of the destination machine. You can optionally set this field to ANY to refer to any DNIS number.
Note You can use the ? and * wildcard characters to refer to any single character or to a series of one or more successive characters, respectively.
Step 4 Click OK.
Step 5 Click Submit to save the changes.
Related Topics
• Managing Network Conditions, page 9-6
• Importing Network Conditions, page 9-8
• Creating, Duplicating, and Editing End Station Filters, page 9-9
• Creating, Duplicating, and Editing Device Port Filters, page 9-14
Defining IP Address-Based Device Filters
You can create, duplicate, and edit the IP addresses of network devices that you want to permit or deny access to.
• Check the check box next to the name-based device filter that you want to edit, then click Edit.
A dialog box appears.
Step 2 Click Select to choose the network device that you want to filter.
Step 3 Click OK.
• Check the check box next to the device port filter that you want to edit, then click Edit.
• Click Export to save a list of device port filters in a .csv file. For more information, see Exporting Network Conditions, page 9-9.
• Click Replace from File to perform a bulk import of device port filters from a .csv import file. For more information, see Importing Network Conditions, page 9-8.
Step 3 Check the Port check box and enter the port number. This field is of type string and can contain numbers or characters. You can use the following wildcard characters:
• ?—match a single character
• *—match a set of characters
For example, the string “p*1*” would match any word that starts with the letter “p” and contains the number 1, such as port1, port15, and so on.
Step 4 Click OK.
Chapter 9 Managing Policy Elements Managing Authorizations and Permissions
Defining NDG-Based Device Port Filters
You can create, duplicate, and edit the network device group type and the port to which you want to permit or deny access. To do this:
Step 1 From the Network Device Group tab, do one of the following:
• Click Create.
• Check the check box next to the NDG-based device port filter that you want to duplicate, then click Duplicate.
Creating, Duplicating, and Editing Authorization Profiles for Network Access
You create authorization profiles to define how different types of users are authorized to access the network. For example, you can define that a user attempting to access the network over a VPN connection is treated more strictly than a user attempting to access the network through a wired connection.
Specifying Authorization Profiles
Use this tab to configure the name and description for a network access authorization profile.
Step 1 Select Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, then click:
• Create to create a new network access authorization definition.
• Duplicate to duplicate a network access authorization definition.
Table 9-5 Authorization Profile: Common Tasks Page
Option Description
ACLS
Downloadable ACL Name: Includes a defined downloadable ACL. See Creating, Duplicating, and Editing Downloadable ACLs, page 9-31 for information about defining a downloadable ACL.
Filter-ID ACL: Includes an ACL Filter ID.
Proxy ACL: Includes a proxy ACL.
Voice VLAN
Permission to Join: Select Static. A value for this parameter is displayed.
Specifying RADIUS Attributes in Authorization Profiles
Use this tab to configure which RADIUS attributes to include in the Access-Accept packet for an authorization profile. This tab also displays the RADIUS attribute parameters that you choose in the Common Tasks tab.
Table 9-6 Authorization Profile: RADIUS Attributes Page (continued)
Option Description
RADIUS Attribute: Name of the RADIUS attribute. Click Select to choose a RADIUS attribute from the specified dictionary. You must manually add VPN attributes to the authorization profile to authenticate VPN devices in your network.
Creating and Editing Security Groups
Use this page to view names and details of security groups and security group tags (SGTs), and to open pages to create, duplicate, and edit security groups. When you create a security group, ACS generates a unique SGT. Network devices can query ACS for SGT information.
The Common Tasks tab allows you to select and configure the frequently used attributes for the profile. The attributes that are included here are those defined by the TACACS protocol draft specification that are specifically relevant to the shell service. However, the values can be used in the authorization of requests from other services. The Custom Attributes tab allows you to configure additional attributes.
Defining General Shell Profile Properties
Use this page to define a shell profile’s general properties.
Step 1 Select Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles, then do one of the following:
• Click Create.
• Check the check box next to the shell profile that you want to duplicate and click Duplicate.
Table 9-9 Shell Profile: Common Tasks
Option Description
Privilege Level
Default Privilege: (Optional) Enables the initial privilege level assignment that you allow for a client, through shell authorization. If disabled, the setting is not interpreted in authorization and permissions. The Default Privilege Level specifies the default (initial) privilege level for the shell profile.
Table 9-9 Shell Profile: Common Tasks
Option Description
Timeout: (Optional) Choose Static to enable the timeout and specify, in minutes, the duration of the allowed timeout in the value field. The valid range is from 0 to 999. Choose Dynamic to select an attribute from the dynamic ACS dictionary as a substitute attribute.
Defining Custom Attributes
Use this tab to define custom attributes for the shell profile. This tab also displays the Common Tasks Attributes that you have chosen in the Common Tasks tab.
After you create command sets, you can use them in authorizations and permissions within rule tables. A rule can contain multiple command sets. See Creating, Duplicating, and Editing a Shell Profile for Device Administration, page 9-23.
Note Command sets support TACACS+ protocol attributes only.
Table 9-11 Command Set Properties Page
Field Description
Name: Name of the command set.
Description: (Optional) The description of the command set.
Permit any command that is not in the table: Check to allow all commands that are requested, unless they are explicitly denied in the Grant table. Uncheck to allow only commands that are explicitly allowed in the Grant table.
Related Topics
• Creating, Duplicating, and Editing Authorization Profiles for Network Access, page 9-18
• Creating, Duplicating, and Editing a Shell Profile for Device Administration, page 9-23
• Deleting an Authorizations and Permissions Policy Element, page 9-32
Creating, Duplicating, and Editing Downloadable ACLs
You can define dow
– Click Start Export to export the DACLs without any encryption.
Step 3 Enter valid configuration data in the required fields as shown in Table 9-12, and define one or more ACLs by using standard ACL syntax.
Table 9-12 Downloadable ACL Properties Page
Option Description
Name: Name of the DACL.
Description: Description of the DACL.
Downloadable ACL Content: Define the ACL content.
Configuring Security Group Access Control Lists
Security group access control lists (SGACLs) are applied at egress, based on the source and destination SGTs. Use this page to view, create, duplicate, and edit SGACLs. When you modify the name or content of an SGACL, ACS updates its generation ID. When the generation ID of an SGACL changes, the relevant Security Group Access network devices reload the content of the SGACL.
Chapter 10 Managing Access Policies
In ACS 5.3, policy drives all activities. Policies consist mainly of rules that determine the action of the policy. You create access services to define authentication and authorization policies for requests. A global service selection policy contains rules that determine which access service processes an incoming request. For a basic workflow for configuring policies and all their elements, see Flows for Configuring Services and Policies, page 3-19.
Chapter 10 Managing Access Policies Policy Creation Flow
In short, you must determine the:
• Details of your network configuration.
• Access services that implement your policies.
• Rules that define the conditions under which an access service can run.
Policy Elements in the Policy Creation Flow
The web interface provides these defaults for defining device groups and identity groups:
• All Locations
• All Device Types
• All Groups
The locations, device types, and identity groups that you create are children of these defaults.
To create the building blocks for a basic device administration policy:
Step 1 Create network resources. In the Network Resources drawer, create:
a.
Chapter 10 Managing Access Policies Customizing a Policy
Policy Creation Flow—Next Steps
• Access Service Policy Creation, page 10-4
• Service Selection Policy Creation, page 10-4
Access Service Policy Creation
After you create the basic elements, you can create an access policy that includes identity groups and privileges.
Chapter 10 Managing Access Policies Configuring the Service Selection Policy
If you have implemented Security Group Access functionality, you can also customize results for authorization policies.
Caution If you have already defined rules, be certain that a rule is not using any condition that you remove when customizing conditions. Removing a condition column removes all configured conditions that exist for that column.
Note If you create and save a simple policy, and then change to a rule-based policy, the simple policy becomes the default rule of the rule-based policy. If you have saved a rule-based policy and then change to a simple policy, you will lose all your rules except for the default rule. ACS automatically uses the default rule as the simple policy.
Table 10-2 Rule-based Service Selection Policy Page
Option Description
Policy type: Defines the type of policy to configure:
• Select one result—Results apply to all requests.
• Rule-based result selection—Configuration rules apply different results depending on the request.
Status: Current status of the rule that drives service selection. The rule statuses are:
• Enabled—The rule is active.
Creating, Duplicating, and Editing Service Selection Rules
Create service selection rules to determine which access service processes incoming requests. The Default Rule provides a default access service in cases where no rules are matched or defined. When you create rules, remember that the order of the rules is important.
• The Default Rule—You can change only the access service.
See Table 10-3 for field descriptions:
Table 10-3 Service Selection Rule Properties Page
Option Description
General
Name: Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional.
Status: Rule statuses are:
• Enabled—The rule is active.
Displaying Hit Counts
Use this page to reset and refresh the Hit Count display on the Rule-based Policy page. To display this page, click Hit Count on the Rule-based Policy page.
Table 10-4 Hit Count Page
Option Description
Hit Counts Reset
Last time hit counts were reset: Displays the date and time of the last hit count reset for this policy.
Chapter 10 Managing Access Policies Configuring Access Services Configuring Access Services Access services contain the authentication and authorization policies for requests. You can create separate access services for different use cases; for example, device administration, wireless network access, and so on. When you create an access service, you define the type of policies and policy structures that it contains; for example, policies for device administration or network access.
Table 10-5 Default Access Service - General Page (continued)
Option Description
Identity: Check to include an identity policy in the access service, to define the identity store or stores that ACS uses for authentication and attribute retrieval.
Group Mapping: Check to include a group mapping policy in the access service, to map groups and attributes that are retrieved from external identity stores to the identity groups in ACS.
Step 2 Do one of the following:
• Click Create.
• Check the check box next to the access service that you want to duplicate, then click Duplicate.
• Click the access service name that you want to modify, or check the check box next to the name and click Edit.
• Click the access service name in the left navigation tab.
The Access Service Properties General page appears.
• If you are creating a new access service:
a.
Table 10-6 Access Service Properties—General Page (continued)
Option Description
Description: Description of the access service.
Access Service Policy Structure
Based on service template: Creates an access service containing policies based on a predefined template. This option is available only for service creation.
Based on existing service: Creates an access service containing policies based on an existing access service.
Related Topics
• Configuring Access Service Allowed Protocols, page 10-15
• Configuring Access Services Templates, page 10-19
Configuring Access Service Allowed Protocols
The allowed protocols are the second part of access service creation. Access service definitions contain general and allowed protocol information. When you duplicate and edit services, the Access Service properties page contains tabs.
Table 10-7 Access Service Properties—Allowed Protocols Page (continued)
Option Description
Allow EAP-TLS: Enables the EAP-TLS authentication protocol and configures EAP-TLS settings. You can specify how ACS verifies the user identity presented in the EAP Identity response from the end-user client. The user identity is verified against information in the certificate that the end-user client presents.
Table 10-7 Access Service Properties—Allowed Protocols Page (continued)
Option Description
Allow EAP-FAST: Enables the EAP-FAST authentication protocol and EAP-FAST settings. The EAP-FAST protocol can support multiple internal protocols on the same server. The default inner method is MSCHAPv2.
Table 10-7 Access Service Properties—Allowed Protocols Page (continued)
Option Description
Allow EAP-FAST (continued)
PAC Options
• Tunnel PAC Time To Live—The Time To Live (TTL) value restricts the lifetime of the PAC. Specify the lifetime value and units. The default is one (1) day.
• Proactive PAC Update When: of PAC TTL is Left—The Update value ensures that the client has a valid PAC.
Table 10-7 Access Service Properties—Allowed Protocols Page (continued)
Option Description
Preferred EAP protocol: Select the preferred EAP protocol from the following options:
• EAP-FAST
• PEAP
• LEAP
• EAP-TLS
• EAP-MD5
This option lets ACS work with old supplicants (end devices) that are not capable of sending a No-Acknowledgement when a particular protocol is not implemented.
Table 10-8 Access Services Templates
Template Name: Device Admin Simple. Access Service Type: Device Administration. Protocols: PAP/ASCII.
Identity policy: Conditions None - Simple; Results Internal users.
Authorization policy: Conditions Identity group, NDG:Location, NDG:Device Type, Time and Date; Results Shell profile.
Template Name: Device Admin Command Auth. Access Service Type: Device Administration. Protocols: PAP/ASCII.
Identity policy: Conditions None - Simple.
Authorization policy: Identity group, NDG:Location, Command se
Chapter 10 Managing Access Policies Configuring Access Service Policies
Configuring Access Service Policies
You configure access service policies after you create the access service:
• Viewing Identity Policies, page 10-21
• Configuring Identity Policy Rule Properties, page 10-24
• Configuring a Group Mapping Policy, page 10-26
• Configuring a Session Authorization Policy for Network Access, page 10-29
• Configuring She
In the rule-based policy, each rule contains one or more conditions and a result, which is the identity source to use for authentication. You can create, duplicate, edit, and delete rules within the identity policy, and you can enable and disable them.
Caution If you switch between the simple policy and the rule-based policy pages, you will lose your previously saved policy.
Viewing Rules-Based Identity Policies
Select Access Policies > Access Services > service > Identity, where service is the name of the access service. By default, the Simple Identity Policy page appears with the fields described in Table 10-9.
• Creating Policy Rules, page 10-37
• Duplicating a Rule, page 10-38
• Editing Policy Rules, page 10-38
• Deleting Policy Rules, page 10-39
For information about configuring an identity policy for Host Lookup requests, see Configuring an Authorization Policy for Host Lookup Requests, page 4-20.
Table 10-11 Identity Rule Properties Page
Option Description
General
Rule Name: Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional.
Rule Status: Rule statuses are:
• Enabled—The rule is active.
• Disabled—ACS does not apply the results of the rule.
• Monitor—The rule is active, but ACS does not apply the results of the rule.
Configuring a Group Mapping Policy
Configure a group mapping policy to map groups and attributes that are retrieved from external identity stores to ACS identity groups. When ACS processes a request for a user or host, this policy retrieves the relevant identity group, which can then be used in authorization policy rules. If you created an access service that includes a group mapping policy, you can configure and modify this policy.
Table 10-13 Rule-based Group Mapping Policy Page
Option Description
Policy type: Defines the type of policy to configure:
• Simple—Specifies the results to apply to all requests.
• Rule-based—Configure rules to apply different results depending on the request.
Caution If you switch between policy types, you will lose your previously saved policy configuration.
Status: Current status of the rule.
• Deleting Policy Rules, page 10-39
Related Topics
• Viewing Identity Policies, page 10-21
• Configuring a Session Authorization Policy for Network Access, page 10-29
• Configuring Shell/Command Authorization Policies for Device Administration, page 10-34
Configuring Group Mapping Policy Rule Properties
Use this page to create, duplicate, or edit a
Configuring a Session Authorization Policy for Network Access
When you create an access service for network access authorization, ACS creates a Session Authorization policy. You can then add and modify rules in this policy to determine the access permissions for the client session. You can create a standalone authorization policy for an access service, which is a standard first-match rule table.
Table 10-15 Network Access Authorization Policy Page
Option Description
Status: Rule statuses are:
• Enabled—The rule is active.
• Disabled—ACS does not apply the results of the rule.
• Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only.
Configuring Network Access Authorization Rule Properties
Use this page to create, duplicate, and edit the rules that determine access permissions in a network access service.
Step 1 Select Access Policies > Access Services > service > Authorization, and click Create, Edit, or Duplicate.
Configuring Device Administration Authorization Policies
A device administration authorization policy determines the authorizations and permissions for network administrators. You create an authorization policy during access service creation. See Configuring General Access Service Properties, page 10-13 for details of the Access Service Create page.
Use this page to:
• View rules.
• Delete rules.
Configuring Device Administration Authorization Rule Properties
Use this page to create, duplicate, and edit the rules that determine authorizations and permissions in a device administration access service.
Select Access Policies > Access Services > service > Authorization, and click Create, Edit, or Duplicate. The Device Administration Authorization Rule Properties page appears as described in Table 10-18.
Table 10-19 Device Administration Authorization Exception Policy Page
Option Description
Status: Rule statuses are:
• Enabled—The rule is active.
• Disabled—ACS does not apply the results of the rule.
• Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only.
To configure rules, see:
• Creating Policy Rules, page 10-37
• Duplicating a Rule, page 10-38
• Editing Policy Rules, page 10-38
• Deleting Policy Rules, page 10-39
Configuring Authorization Exception Policies
An authorization policy can include exception policies. In general, exceptions are temporary policies; for example, to grant provisional access to visitors or to increase the level of access for specific users.
Table 10-20 Network Access Authorization Exception Policy Page
Option Description
Status: Rule statuses are:
• Enabled—The rule is active.
• Disabled—ACS does not apply the results of the rule.
• Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only.
Creating Policy Rules
When you create rules, remember that the order of the rules is important. When ACS encounters a match as it processes the request of a client that tries to access the ACS network, all further processing stops and the result associated with that match is applied. No further rules are considered after a match is found. The Default Rule provides a default policy in cases where no rules are matched or defined.
Duplicating a Rule
You can duplicate a rule if you want to create a new rule that is the same as, or very similar to, an existing rule. The duplicate rule name is based on the original rule with parentheses to indicate duplication; for example, Rule-1(1). After duplication is complete, you access each rule (original and duplicated) separately.
Note You cannot duplicate the Default rule.
Step 4 Click OK. The Policy page appears with the edited rule.
Step 5 Click Save Changes to save the new configuration.
Step 6 Click Discard Changes to cancel the edited information.
Related Topics
• Creating Policy Rules, page 10-37
• Duplicating a Rule, page 10-38
• Deleting Policy Rules, page 10-39
Deleting Policy Rules
Note You cannot delete the Default rule.
Configuring Compound Conditions

Use compound conditions to define a set of conditions based on any attributes allowed in simple policy conditions. You define compound conditions in a policy rule page; you cannot define them as separate condition objects.

Table 10-21 Supported Dynamic Attribute Mapping in Policy Compound Condition

Operand1 / Operand2 / Example
• String attribute / String attribute / (none)
• Integer attribute / Integer attribute / (none)
• Enumeration attribute / Enumeration attribute / (none)
• Boolean attribute / Boolean attribute / (none)
• IP address attribute / IP address attribute / (none)
• Hierarchical attribute / String attribute / NDG:Customer vs.

Figure 10-2 Compound Expression - Atomic Condition

Single Nested Compound Condition: Consists of a single operator followed by a set of two or more predicates. The operator is applied between each of the predicates. See Figure 10-3 for an example. The preview window displays parentheses [()] to indicate the precedence of logical operators.

Figure 10-4 Multiple Nested Compound Expression

Compound Expression with Dynamic Value: You can select a dynamic value to compare the dictionary attribute selected as the operand against another dictionary attribute instead of a fixed value. See Figure 10-5 for an example.

Figure 10-5 Compound Expression Builder with Dynamic Value
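The following is an added example, not code from the ACS guide or from Cisco, of how a nested compound condition with static and dynamic operands evaluates, together with a preview renderer that parenthesizes the expression the way the builder's preview window does. The attribute names (NDG:Customer, NDG:Location, IdentityGroup, RADIUS:Claimed-Location), the operator names and the colon-separated hierarchy paths are assumptions for the example, not ACS's dictionary. It goes one step beyond Table 10-21 by showing the hierarchical-versus-string comparison as a path test rather than a plain prefix match, which is the edge case worth checking: "All Customers:Acme-Corp" must not satisfy a condition written for "All Customers:Acme".

```python
"""Added example (not from the ACS guide): evaluator for nested compound
conditions with static and dynamic operands, plus a parenthesized preview."""
from typing import Any, Dict, Tuple, Union

Attrs = Dict[str, Any]
Predicate = Dict[str, Any]          # {"attr", "op", "value"} or {"attr", "op", "dynamic"}
Expr = Union[Predicate, Tuple]      # ("AND" | "OR", expr, expr, ...) for compound nodes


def _in_hierarchy(path: str, node: str) -> bool:
    """Hierarchical attribute test: path is the node itself or lies beneath it.
    Levels are colon-separated (assumed, e.g. "All Customers:Acme:Site-2")."""
    return path == node or path.startswith(node + ":")


OPERATORS = {
    "equals":      lambda a, b: a == b,
    "not equals":  lambda a, b: a != b,
    "contains":    lambda a, b: isinstance(a, str) and b in a,
    "starts with": lambda a, b: isinstance(a, str) and a.startswith(b),
    "<":           lambda a, b: a < b,
    ">":           lambda a, b: a > b,
    "in":          _in_hierarchy,          # hierarchical attribute vs. string
}


def eval_predicate(p: Predicate, attrs: Attrs) -> bool:
    left = attrs.get(p["attr"])
    # Dynamic value: the right-hand operand is another attribute of the same
    # request rather than a literal typed into the rule.
    right = attrs.get(p["dynamic"]) if "dynamic" in p else p["value"]
    if left is None or right is None:
        return False                       # a missing attribute never matches (fail closed)
    return OPERATORS[p["op"]](left, right)


def evaluate(expr: Expr, attrs: Attrs) -> bool:
    if isinstance(expr, dict):
        return eval_predicate(expr, attrs)
    op, *children = expr
    if len(children) < 2:
        raise ValueError("a compound node needs at least two predicates")
    results = (evaluate(c, attrs) for c in children)
    return all(results) if op == "AND" else any(results)


def render(expr: Expr) -> str:
    """Preview string with explicit parentheses showing operator precedence."""
    if isinstance(expr, dict):
        rhs = expr["dynamic"] if "dynamic" in expr else repr(expr["value"])
        return f'{expr["attr"]} {expr["op"]} {rhs}'
    op, *children = expr
    return "(" + f" {op} ".join(render(c) for c in children) + ")"


# Constructed condition: admins of devices under the Acme customer NDG, OR any
# device whose configured location equals the location the request claims
# (a dynamic value, compared attribute-to-attribute).
CONDITION = (
    "OR",
    ("AND",
     {"attr": "NDG:Customer", "op": "in", "value": "All Customers:Acme"},
     {"attr": "IdentityGroup", "op": "equals", "value": "NetAdmins"}),
    {"attr": "NDG:Location", "op": "equals", "dynamic": "RADIUS:Claimed-Location"},
)


def demo():
    acme_admin = {"NDG:Customer": "All Customers:Acme:Site-2", "IdentityGroup": "NetAdmins",
                  "NDG:Location": "All Locations:NY", "RADIUS:Claimed-Location": "All Locations:LA"}
    lookalike = {"NDG:Customer": "All Customers:Acme-Corp", "IdentityGroup": "NetAdmins",
                 "NDG:Location": "All Locations:NY", "RADIUS:Claimed-Location": "All Locations:LA"}
    local_device = {"NDG:Customer": "All Customers:Other", "IdentityGroup": "Employees",
                    "NDG:Location": "All Locations:NY", "RADIUS:Claimed-Location": "All Locations:NY"}
    return evaluate(CONDITION, acme_admin), evaluate(CONDITION, lookalike), evaluate(CONDITION, local_device)


if __name__ == "__main__":
    print(render(CONDITION))
    print(demo())
```

The "lookalike" request is the one to study: a naive string prefix test on "All Customers:Acme" would match "All Customers:Acme-Corp", while the hierarchy test requires either the node itself or a child below a separator.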
Related Topics
• Compound Condition Building Blocks, page 10-40
• Using the Compound Expression Builder, page 10-44

Using the Compound Expression Builder

You construct compound conditions by using the expression builder in Rule Properties pages. The expression builder contains two sections: a predicate builder to create primary conditions, and controls for managing the expression.

Related Topics
• Compound Condition Building Blocks, page 10-40
• Types of Compound Conditions, page 10-41

Security Group Access Control Pages

This section contains the following topics:
• Egress Policy Matrix Page, page 10-45
• Editing a Cell in the Egress Policy Matrix, page 10-46
• Defining a Default Policy for Egress Policy Page, page 10-46
• NDAC Policy Page, page 10-47
• NDAC Policy Properties Page, page 10-48
• N

Related Topic
• Creating an Egress Policy, page 4-27

Editing a Cell in the Egress Policy Matrix

Use this page to configure the policy for the selected cell. You can configure the SGACLs to apply to the corresponding source and destination security group. To display this page, choose Access Policies > Security Group Access Control > Egress Policy, select a cell, then click Edit.

NDAC Policy Page

The Network Device Admission Control (NDAC) policy determines the SGT for network devices in a Security Group Access environment. The NDAC policy handles:
• Peer authorization requests from one device about its neighbor.
• Environment requests (a device is collecting information about itself).
The policy returns the same SGT for a specific device, regardless of the request type.

Table 10-27 Rule-Based NDAC Policy Page

Option: Description
Policy type: Defines the type of policy to configure:
• Simple: Specifies the result to apply to all requests.
• Rule-based: Configure rules to apply different results depending on the request.
If you switch between policy types, you lose your previously saved policy configuration.
Status: Rule statuses are:
• Enabled: The rule is active.

Note: For endpoint admission control, you must define an access service and a session authorization policy. See Configuring Network Access Authorization Rule Properties, page 10-31 for information about creating a session authorization policy.

Table 10-28 NDAC Policy Properties Page

Option: Description
General
Name: Name of the rule.
Network Device Access EAP-FAST Settings Page

Use this page to configure parameters for the EAP-FAST protocol that the NDAC policy uses. To display this page, choose Access Policies > Security Group Access Control > Network Device Access.

Table 10-29 Network Device Access EAP-FAST Settings Page

Option: Description
EAP-FAST Settings
Tunnel PAC Time To Live: Time to live (TTL), or duration, of a PAC before it expires and must be replaced.

Maximum User Sessions

Max Session User Settings

You can configure a maximum user session value to limit the number of concurrent sessions permitted for each user. To configure maximum user sessions:
Step 1 Choose Access Policies > Max User Session Policy > Max Session User Settings.
Step 2 Specify a Max User Session Value for the maximum number of concurrent sessions permitted.
Step 3 Check the Unlimited Sessions check box if you want users to have unlimited sessions.

Table 10-30 Max User Session Global Settings Page

Option: Description
General
Name: Name of the Identity Group.
Description: Description of the Identity Group.
Max Session Group Settings
Unlimited Session: Check this check box if you want to allow the group unlimited sessions.
Max Session for Group: Specify a value for the maximum number of concurrent sessions permitted for the group. Unlimited is selected by default.

Table 10-31 Max User Session Global Settings Page

Option: Description
RADIUS Session Key Assignment
Available Session Keys: RADIUS session keys available for assignment.

The Purge User Session page appears with a list of all AAA clients.
Step 2 Select the AAA client for which you want to purge the user sessions.
Step 3 Click Get Logged-in User List. A list of all the logged-in users is displayed.
Step 4 Click Purge All Sessions to purge all the user sessions logged in to the particular AAA client.

Maximum User Session in Proxy Scenario

Authentication and accounting requests for a session must be sent to the same ACS server; otherwise the Maximum Session feature does not work as desired.
Chapter 11 Monitoring and Reporting in ACS

The Monitoring and Reports drawer appears in the primary web interface window and contains the Launch Monitoring & Report Viewer option. The Monitoring & Report Viewer provides monitoring, reporting, and troubleshooting capabilities for the ACS servers in your network. You can extract consolidated log, configuration, and diagnostic data from one or more ACS servers for advanced reporting and troubleshooting purposes.

Authentication Records and Details

• Support for non-English characters (UTF-8): You can have non-English characters in:
– Syslog messages: configurable attribute values, user names, and ACS named configuration objects
– GUI input fields
– Query pages
– Reports and Interactive Viewer
– Alarms
– Dashboard lookup
– Failure reason text

Note: In Monitoring and Reports drawer pages, you can use the page area's down arrow (v) to hide an area's content, and the right ar

Dashboard Pages

Note: These tabs are customizable, and you can modify or delete the following tabs.
• General: The General tab lists the following:
– Five most recent alarms: When you click the name of an alarm, a dialog box appears with the details and the status of the alarm. You can update the information in the Status tab of this dialog box to track the alarm. See Table 12-5 for a description of the fields in the Status tab.
– Authentication Snapshot: Provides a snapshot of authentications in graphical and tabular formats for up to the past 30 days. In the graphical representation, the field by which the records are grouped is plotted on the X-axis and the number of authentications is plotted on the Y-axis.

Working with Portlets

Figure 11-1 Portlets

Top 5 Alarms and My Favorite Reports appear in separate windows. You can edit each of these portlets separately. To edit a portlet, click the edit button at the upper-right corner of the window. The Monitoring & Report Viewer allows you to customize the information in the portlets to suit your needs. You can add, edit, and delete tabs; edit application settings in portlets; and delete portlets.

Related Topics
• Dashboard Pages, page 11-2
• Running Authentication Lookup Report, page 11-6

Running Authentication Lookup Report

When you run an Authentication Lookup report, consider the following:
• If you have provided the Username or MAC Address value in the format aa-bb-cc-dd-ee-ff, an authentication report is run for this MAC address.

Configuring Tabs in the Dashboard

Step 5 Click Add Page. A new tab of your choice is created. You can add the applications that you most frequently monitor to this tab.

Adding Applications to Tabs

To add an application to a tab:
Step 1 From the Monitoring & Report Viewer, choose Monitoring and Reports > Dashboard. The Dashboard page appears.
Step 2 Select the tab to which you want to add an application.

Changing the Dashboard Layout

You can change the look and feel of the Dashboard. ACS provides nine different built-in layouts. To choose a different layout:
Step 1 From the Monitoring & Report Viewer, choose Monitoring and Reports > Dashboard. The Dashboard page appears.
Step 2 Select the tab whose layout you wish to change.
Step 3 Click the Configure drop-down list at the upper-right corner of the Dashboard page.
Chapter 12 Managing Alarms

The Monitoring feature in ACS generates alarms to notify you of critical system conditions. The monitoring component retrieves data from ACS. You can configure thresholds and rules on this data to manage alarms. Alarm notifications are displayed in the web interface, and you can also receive notification of events through e-mail and syslog messages. ACS filters duplicate alarms by default.

Understanding Alarms

System Alarms

System alarms notify you of critical conditions encountered during the execution of the ACS Monitoring and Reporting viewer. System alarms also provide informational status of system activities, such as data purge events or failure of the log collector to populate the View database. You cannot configure system alarms, which are predefined.

Viewing and Editing Alarms in Your Inbox

Notifying Users of Events

When a threshold is reached or a system alarm is generated, the alarm appears in the Alarms Inbox of the web interface. From this page, you can view the alarm details, add a comment about the alarm, and change its status to indicate that it is Acknowledged or Closed.

Table 12-2 Alarms Page (continued)

Option: Description
Time: Display only. Indicates the time of the associated alarm generation in the format Ddd Mmm dd hh:mm:ss timezone yyyy, where:
• Ddd = Sun, Mon, Tue, Wed, Thu, Fri, Sat.
• Mmm = Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec.
• dd = A two-digit numeric representation of the day of the month, from 01 to 31.
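The following is an added example, not code from the ACS guide or from Cisco: a strict parser for the Ddd Mmm dd hh:mm:ss timezone yyyy timestamp shown in Table 12-2 (the same layout Table 13-3 uses for report modification times), producing a timezone-aware datetime that can be normalized to UTC when records from several appliances are correlated. The zone table is an assumption: ACS prints the appliance's configured zone abbreviation, and abbreviations are ambiguous (CST is used in North America, China and Cuba), so the parser only accepts abbreviations you have mapped explicitly and rejects anything else rather than guessing. It also checks the redundant weekday against the date, which is a cheap way to catch a corrupted or hand-edited record during forensic review.

```python
"""Added example (not from the ACS guide): parse the alarm/report timestamp
format "Ddd Mmm dd hh:mm:ss timezone yyyy" into an aware datetime."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict

DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# Assumed deployment-specific zone table (hours east of UTC). Extend it with
# the abbreviations your appliances are actually configured to print.
ZONES: Dict[str, int] = {"UTC": 0, "GMT": 0, "EST": -5, "EDT": -4, "PST": -8, "PDT": -7}

_TS = re.compile(
    r"^(?P<ddd>[A-Z][a-z]{2}) (?P<mmm>[A-Z][a-z]{2}) (?P<dd>\d{2}) "
    r"(?P<hh>\d{2}):(?P<mi>\d{2}):(?P<ss>\d{2}) (?P<tz>[A-Za-z]{3,5}) (?P<yyyy>\d{4})$"
)


def parse_acs_timestamp(text: str, zones: Dict[str, int] = ZONES) -> datetime:
    m = _TS.match(text.strip())
    if not m:
        raise ValueError(f"not an ACS timestamp: {text!r}")
    if m["ddd"] not in DAYS:
        raise ValueError(f"bad weekday {m['ddd']!r}")
    if m["mmm"] not in MONTHS:
        raise ValueError(f"bad month {m['mmm']!r}")
    if m["tz"] not in zones:
        raise ValueError(f"unmapped zone {m['tz']!r}; add it to the zone table")
    tz = timezone(timedelta(hours=zones[m["tz"]]), name=m["tz"])
    dt = datetime(int(m["yyyy"]), MONTHS.index(m["mmm"]) + 1, int(m["dd"]),
                  int(m["hh"]), int(m["mi"]), int(m["ss"]), tzinfo=tz)
    # datetime.weekday() is Monday=0; DAYS is Sunday-first, hence the +1.
    if DAYS[(dt.weekday() + 1) % 7] != m["ddd"]:
        raise ValueError(f"weekday {m['ddd']} does not match date {dt.date()}")
    return dt


def to_utc(text: str) -> datetime:
    """Normalize to UTC so records from appliances in different zones sort correctly."""
    return parse_acs_timestamp(text).astimezone(timezone.utc)


def is_valid(text: str) -> bool:
    try:
        parse_acs_timestamp(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(to_utc("Tue Apr 08 10:05:33 EDT 2014"))   # constructed sample value
```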
Table 12-3 System Alarms in ACS 5.3

Severity: Alarm
Warning: Configure Incremental Backup Data Repository as Remote Repository, otherwise backup will fail and Incremental backup mode will be changed to off.
Warning: Configure Remote Repository under Purge Configuration, which is used to take a backup of data before purge.
(not shown on this page): View database size exceeds the max limit of maxlimit GB.
Critical: Full Database Purge Backup failed: Exception Details
Critical: Incremental Backup Failed: Exception Details
Critical: Log Recovery: Log Message Recovery failed: Exception Details
(not shown on this page): View Compress: Database rebuild operation has started.
Critical: Failed to load backup library. Scheduled backup of ACS configuration db failed. Please check ADE.log for more details.
Critical: Symbol lookup error. Scheduled backup of ACS configuration db failed. Please check ADE.log for more details.
(not shown on this page): Failed to perform ACS backup due to internal error. Please check ADE.log for more details.

Note: ACS cannot be used as a remote syslog server, but you can use an external server as a syslog server. If you use an external syslog server, no alarms can be generated in the ACS View, because the syslog messages are sent to the external server instead. If you want alarms to be generated in the ACS View, set the logging option to localhost using the CLI.

To edit an alarm:
Step 1 Select Monitoring and Reports > Alarms > Inbox.

• Deleting Alarm Thresholds, page 12-33

Understanding Alarm Schedules

You can create alarm schedules to specify when a particular alarm threshold is run. You can create, edit, and delete alarm schedules. You can create alarm schedules to be run at different times of the day during the course of a seven-day week. By default, ACS comes with the non-stop alarm schedule. This schedule monitors events 24 hours a day, seven days a week.

Table 12-7 Alarm Schedules - Create or Edit Page

Option: Description
Identification
Name: Name of the alarm schedule. The name can be up to 64 characters in length.
Description: A brief description of the alarm schedule; can be up to 255 characters in length.
Schedule: Click a square to select or deselect that hour. Use the Shift key to select or deselect a block starting from the previous selection.

Deleting Alarm Schedules

Note: Before you delete an alarm schedule, ensure that it is not referenced by any thresholds that are defined in ACS. You cannot delete the default schedule (nonstop) or schedules that are referenced by any thresholds.

To delete an alarm schedule:
Step 1 Choose Monitoring and Reports > Alarms > Schedules. The Alarm Schedules page appears.

Creating, Editing, and Duplicating Alarm Thresholds

Table 12-8 Alarm Thresholds Page (continued)

Option: Description
Category: The alarm threshold category.

Related Topics
• Configuring General Threshold Information, page 12-13
• Configuring Threshold Criteria, page 12-14
• Configuring Threshold Notifications, page 12-32

Configuring General Threshold Information

To configure general threshold information, fill out the fields in the General tab of the Thresholds page. Table 12-9 describes the fields.

Table 12-9 General Tab

Option: Description
Name: Name of the threshold.

Configuring Threshold Criteria

ACS 5.

You can specify one or more filters to limit the passed authentications that are considered for threshold evaluation. Each filter is associated with a particular attribute in the authentication records, and only those records whose value matches the filter value that you specify are counted. If you specify multiple filters, only the records that match all the filter conditions are counted.

Table 12-10 Passed Authentications (continued)

Option: Description
Device Group: Click Select to choose a valid device group name on which to configure your threshold.
Identity Store: Click Select to choose a valid identity store name on which to configure your threshold.
Access Service: Click Select to choose a valid access service name on which to configure your threshold.

Device IP: Failed Authentication Count
i.j.k.l: 1
m.n.o.p: 1
An alarm is triggered because at least one Device IP has greater than 10 failed authentications in the past 2 hours.

Note: You can specify one or more filters to limit the failed authentications that are considered for threshold evaluation.

Table 12-11 Failed Authentications (continued)

Option: Description
ACS Instance: Click Select to choose a valid ACS instance on which to configure your threshold.
User: Click Select to choose or enter a valid username on which to configure your threshold.
Identity Group: Click Select to choose a valid identity group name on which to configure your threshold.

The aggregation job begins at 00:05 hours every day. From 23:50 hours until the time the aggregation job completes, the authentication inactivity alarms are suppressed. For example, if your aggregation job completes at 01:00 hours today, the authentication inactivity alarms are suppressed from 23:50 hours until 01:00 hours.
Table 12-13 TACACS Command Accounting

Option: Description
Command: Enter a TACACS command on which you want to configure your threshold.
Privilege: Use the drop-down list box to select the privilege level on which you want to configure your threshold. Valid options are:
• Any
• A number from 0 to 15.
Filter
User: Click Select to choose or enter a valid username on which to configure your threshold.

Table 12-14 TACACS Command Authorization

Option: Description
Authorization Result: Use the drop-down list box to select the authorization result on which you want to configure your threshold. Valid options are:
• Passed
• Failed
Filter
User: Click Select to choose or enter a valid username on which to configure your threshold.

Table 12-15 ACS Configuration Changes

Option: Description
Change: Use the drop-down list box to select the administrative change on which you want to configure your threshold. Valid options are:
• Any
• Create (includes the "duplicate" and "edit" administrative actions)
• Update
• Delete
Filter
ACS Instance: Click Select to choose a valid ACS instance on which to configure your threshold.

Table 12-16 ACS System Diagnostics

Option: Description
Severity at and above: Use the drop-down list box to choose the severity level on which you want to configure your threshold. This setting captures the indicated severity level and all higher levels within the threshold.

Table 12-17 ACS Process Status

Option: Description
Monitoring and Reporting Collector: Check the check box to have this process monitored. If this process goes down, an alarm is generated.
Monitoring and Reporting Alarm Manager: Check the check box to have this process monitored. If this process goes down, an alarm is generated.
Monitoring and Reporting Job Manager: Check the check box to have this process monitored.

Table 12-18 ACS System Health

Option: Description
Disk I/O: Enter the percentage of disk usage you want to set (greater than or equal to the specified value) for your threshold configuration. The valid range is from 1 to 100.
Disk Space Used /opt: Enter the percentage of /opt disk space usage you want to set (greater than or equal to the specified value) for your threshold configuration. The valid range is from 1 to 100.

Table 12-19 ACS AAA Health

Option: Description
Average over the past: Use the drop-down list box to select the averaging interval, in minutes, for your threshold configuration. Valid values are:
• 15
• 30
• 45
• 60
RADIUS Throughput: Enter the number of RADIUS transactions per second you want to set (less than or equal to the specified value) for your threshold configuration.

Table 12-20 RADIUS Sessions

Option: Description
More than num authenticated sessions in the past 15 minutes where an accounting start event has not been received, for a Device IP: num is a count of authenticated sessions in the past 15 minutes for which no accounting start event has been received.
Filter
ACS Instance: Click Select to choose a valid ACS instance on which to configure your threshold.

Table 12-21 Unknown NAD

Option: Description
Unknown NAD count greater than num in the past time Minutes|Hours for an object, where:
• num values can be any five-digit number greater than or equal to zero (0).
• time values can be 1 to 1440 minutes, or 1 to 24 hours.
• Minutes|Hours value can be Minutes or Hours.

You can specify one or more filters to limit the failed authentications that are considered for threshold evaluation. Each filter is associated with a particular attribute in the records, and only those records that match the filter condition are counted. If you specify multiple filter values, only the records that match all the filter conditions are counted.

If, in the past four hours, RBACL drops have occurred for two different source group tags as shown in the following table, an alarm is triggered, because at least one SGT has a count greater than 10.

SGT: Count of RBACL Drops
1: 17
3: 14

You can specify one or more filters to limit the RBACL drop records that are considered for threshold evaluation.

NAD-Reported AAA Downtime

When ACS evaluates this threshold, it examines the NAD-reported AAA down events that occurred during the specified interval, up to the previous 24 hours. The AAA down records are grouped by a particular common attribute, such as device IP address or device group, and a count of records within each of those groups is computed.

Table 12-24 NAD-Reported AAA Downtime

Option: Description
Filter
ACS Instance: Click Select to choose a valid ACS instance on which to configure your threshold.
Device IP: Click Select to choose or enter a valid device IP address on which to configure your threshold.
Device Group: Click Select to choose a valid device group name on which to configure your threshold.

Deleting Alarm Thresholds

Table 12-25 Thresholds: Notifications Page (continued)

Option: Description
Email Notification
Email Notification User List: Enter a comma-separated list of e-mail addresses, ACS administrator names, or both. Do one of the following:
• Enter the e-mail addresses.
• Click Select to enter valid ACS administrator names.

Configuring System Alarm Settings

System alarms are used to notify users of:
• Errors that are encountered by the Monitoring and Reporting services
• Information on data purging
Use this page to enable system alarms and to specify where alarm notifications are sent. When you enable system alarms, they are sent to the Alarms Inbox.

Understanding Alarm Syslog Targets

Alarm syslog targets are the destinations to which alarm syslog messages are sent. The Monitoring & Report Viewer sends alarm notifications in the form of syslog messages. You must configure a machine that runs a syslog server to receive these syslog messages. To view a list of configured alarm syslog targets, choose Monitoring Configuration > System Configuration > Alarm Syslog Targets.

Table 12-27 Alarm Syslog Targets Create or Edit Page

Option: Description
Use Advanced Syslog Options
Port: Port on which the remote syslog server listens. By default, it is set to 514. Valid options are from 1 to 65535.
Facility Code: Syslog facility code to be used for logging. Valid options are Local0 through Local7.
Step 4 Click Submit.
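The following is an added example, not code from the ACS guide or from Cisco, showing what the Facility Code and Port settings in Table 12-27 become on the wire: an RFC 3164 syslog line whose PRI field is facility * 8 + severity, with Local0 through Local7 mapped to facility numbers 16 through 23, sent by UDP to the target port. The mapping of ACS alarm severities to syslog severities, the hostname and the message body layout are assumptions for the example; ACS's own message format is not reproduced here. The parse_pri helper is the check to run on the collector side to confirm the facility you configured is the one that arrived, since a wrong facility is the usual reason an alarm is routed to the wrong file or SIEM index.

```python
"""Added example (not from the ACS guide): build and decode RFC 3164 syslog
lines for alarm notifications using the LocalN facility codes."""
import socket
from datetime import datetime
from typing import Tuple

# Facility codes: local0..local7 are 16..23 (RFC 3164 section 4.1.1).
LOCAL_FACILITIES = {f"Local{i}": 16 + i for i in range(8)}
# Assumed mapping of alarm severities to syslog severity numbers.
SEVERITIES = {"Critical": 2, "Warning": 4, "Info": 6}
MAX_PACKET = 1024      # RFC 3164 maximum total length


def pri(facility: str, severity: str) -> int:
    """<PRI> value: facility * 8 + severity."""
    return LOCAL_FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_alarm_syslog(facility: str, severity: str, hostname: str,
                       tag: str, message: str, when: datetime) -> str:
    # RFC 3164 TIMESTAMP is "Mmm dd hh:mm:ss" with a space-padded day.
    header = f"<{pri(facility, severity)}>{when:%b} {when.day:2d} {when:%H:%M:%S} {hostname}"
    body = f"{tag}: {message}".replace("\r", " ").replace("\n", " ")   # one line only
    return f"{header} {body}"[:MAX_PACKET]


def parse_pri(line: str) -> Tuple[int, int]:
    """Decode the <PRI> prefix of a received line into (facility, severity)."""
    if not line.startswith("<") or ">" not in line[:5]:
        raise ValueError("missing <PRI> prefix")
    value = int(line[1:line.index(">")])
    if not 0 <= value <= 191:
        raise ValueError(f"PRI {value} out of range")
    return value // 8, value % 8


def facility_name(facility_number: int) -> str:
    names = {v: k for k, v in LOCAL_FACILITIES.items()}
    return names.get(facility_number, f"facility{facility_number}")


def send_udp(line: str, host: str, port: int = 514) -> int:
    """Send one syslog line to the target; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    line = build_alarm_syslog("Local7", "Warning", "acs-1", "ACS Alarm",
                              "View database size exceeds the max limit of 200 GB",
                              datetime(2014, 4, 8, 14, 5, 33))   # constructed sample
    print(line)
    print(parse_pri(line), facility_name(parse_pri(line)[0]))
```

Plain UDP syslog carries no authentication or integrity protection, so the target should sit on the management network and the collector should key its routing on the facility it actually receives rather than on the sender's word.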
CH A P T E R 13 Managing Reports The Monitoring & Report Viewer component of ACS collects log and configuration data from various ACS servers in your deployment, aggregates it, and provides interactive reports that help you analyze the data. The Monitoring & Report Viewer provides you integrated monitoring, reporting, and troubleshooting capabilities to efficiently manage your network and troubleshoot network-related problems.
Chapter 13 • Managing Reports Catalog—Monitoring & Reports > Reports > Catalog > For easy access, you can add reports to your Favorites page, from which you can customize and delete reports. You can customize the reports that must be shared within your group and add them to the Shared page. The Catalog pages provide a rich set of reports on log, diagnostic, and troubleshooting data retrieved from the ACS servers in your deployment.
Chapter 13 Managing Reports Working with Favorite Reports This chapter describes in detail the following: • Working with Favorite Reports, page 13-3 • Sharing Reports, page 13-6 • Working with Catalog Reports, page 13-7 • Viewing Reports, page 13-21 • Formatting Reports in Interactive Viewer, page 13-27 • Organizing Report Data, page 13-41 • Hiding and Filtering Report Data, page 13-66 • Understanding Charts, page 13-75 Working with Favorite Reports You can add reports that you most freque
Chapter 13 Managing Reports Working with Favorite Reports Step 5 Click Add to Favorite. The report is added to your Favorites page. Related Topics • Working with Favorite Reports, page 13-3 • Viewing Favorite-Report Parameters, page 13-4 • Editing Favorite Reports, page 13-5 • Deleting Reports from Favorites, page 13-6 • Understanding the Report_Name Page, page 13-15 Viewing Favorite-Report Parameters Before you run your favorite report, you can view the parameters that are set and edit them.
Chapter 13 Managing Reports Working with Favorite Reports Editing Favorite Reports After you view the existing parameters in your favorite report, you can edit them. To edit the parameters in your favorite reports: Step 1 Choose Monitoring and Reports > Reports > Favorites. The Favorites page appears with a list of your favorite reports. Step 2 Check the check box next to the favorite report that you want to edit, then click Edit. The Edit Favorite Report page appears.
Chapter 13 Managing Reports Sharing Reports The report is generated in the page. Step 3 Click Launch Interactive Viewer for more options.
Chapter 13 Managing Reports Working with Catalog Reports Step 7 Click Save. The report is saved in your Shared folder and is available for all users. Working with Catalog Reports Catalog reports are system reports that are preconfigured in ACS.
Chapter 13 Managing Reports Working with Catalog Reports Table 13-2 Available ACS Reports (continued) Report Name Description Logging Category Access Service Authentication Summary Provides RADIUS and TACACS+ authentication summary information for a particular access service for a selected time period; along with a graphical representation.
Chapter 13 Managing Reports Working with Catalog Reports Table 13-2 Available ACS Reports (continued) Report Name Description Logging Category ACS System Diagnostics Provides system diagnostic details based on severity for a selected time period.
Chapter 13 Managing Reports Working with Catalog Reports Table 13-2 Available ACS Reports (continued) Report Name Description Logging Category Session Status Summary Provides the port sessions and status of a particular N/A network device obtained by SNMP. This report uses either the community string provided in the report or the community string configured in the web interface Monitoring And Reports -> Launch Monitoring And Report Viewer -> Monitoring Configuration -> SNMP Settings.
Chapter 13 Managing Reports Working with Catalog Reports Table 13-2 Available ACS Reports (continued) Report Name Description Logging Category RADIUS Terminated Sessions Provides all the RADIUS terminated session information for a selected time period. Passed authentications, RADIUS accounting TACACS Active Sessions Provides information on TACACS+ active sessions.
Chapter 13 Managing Reports Working with Catalog Reports Table 13-3 Page (continued) Option Description Type Type of report. Modified At Time that the associated report was last modified by an administrator, in the format Ddd Mmm dd hh:mm:ss timezone yyyy, where: • Ddd = Sun, Mon, Tue, Wed, Thu, Fri, Sat. • Mmm = Jan, Feb, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec. • dd = A two-digit numeric representation of the day of the month, from 01 to 31.
Chapter 13 Managing Reports Working with Catalog Reports Step 2 Click the radio button next to the report name you want to run, then select one of the options under Run: • Run for Today—The report you specified is run and the generated results are displayed. • Run for Yesterday—The report you specified is run using the previous day’s values and the generated results are displayed. • Query and Run—The Run Report screen appears where you can enter parameters to use when generating the report.
Chapter 13 Managing Reports Working with Catalog Reports Table 13-4 Reports > Report Types and Names AAA Protocol AAA Diagnostics Authentication Trend RADIUS Accounting RADIUS Authentication TACACS Accounting TACACS Authentication TACACS Authorization Access Service Access Service Authentication Summary Top N Authentications By Access Service ACS Instance ACS Administrator Entitlement ACS Administrator Logins ACS Configuration Audit ACS Health Summary ACS Instance Aut
Chapter 13 Managing Reports Working with Catalog Reports Table 13-4 Reports > Report Types and Names (continued) Session Directory RADIUS Active Sessions RADIUS Session History RADIUS Terminated Sessions TACACS Active Sessions TACACS Session History TACACS Terminated Sessions User Top N Authentications By User User Authentication Summary Related Topics • Working with Catalog Reports, page 13-7 • Understanding the Report_Name Page, page 13-15 Understanding the Report
Chapter 13 Managing Reports Working with Catalog Reports Table 13-5 Page (continued) Option Description Failure Reason Enter a failure reason name or click Select to enter a valid failure reason name on which to run your report. Protocol Use the drop down list box to select which protocol on which you want to run your report.
Chapter 13 Managing Reports Working with Catalog Reports Table 13-5 Option Page (continued) Description Administrator Name Enter the administrator username, or click Select to select the administrator username, for which you want to run your report. Object Type Enter a valid object type on which you want to run your report. Object Name Enter the name, or click Select to select the object name, of the object on which you want to run your report.
Enabling RADIUS CoA Options on a Device
To view all the RADIUS Active Session reports, you must enable RADIUS CoA options on the device. To configure the RADIUS CoA options:
Step 1 Configure MAB, 802.1X, and Web Authentication on the NAD against the ACS RADIUS server.
Step 2 Configure CoA as follows on the NAD that is connected to the supplicant.
Figure 13-2 RADIUS Active Session Report
Step 2 Click the CoA link from the RADIUS session that you want to reauthenticate or terminate. The Change of Authorization Request page appears.
Step 3 Select a CoA option from the CoA option drop-down list box shown in Figure 13-3. Valid options are:
• Disconnect:None—Do not terminate the session.
• Disconnect:Port Bounce—Terminate the session and restart the port.
• Shared secret mismatch
Step 5 See Troubleshooting RADIUS Authentications, page 14-6, to troubleshoot a failed change of authorization attempt. A failed dynamic CoA is listed under failed RADIUS authentications.
Step 3 Click Yes to confirm that you want to reset the System Report files to the factory default. The page is refreshed, and the reports in Catalog > report_type are reset to the factory default.
Viewing Reports
This section describes how to view the reports and perform various tasks in Standard or Interactive Viewer. In Standard Viewer or Interactive Viewer, you can navigate to the report, print the data, and export the data to another format.
Figure 13-4 Context Menu for Column Data in Interactive Viewer
Figure 13-5 shows the context menu you use to modify labels in Interactive Viewer. To display this menu, select and right-click a label. Use this menu to edit the label text or change the text alignment or font properties of the label.
Navigating Reports
When you open a report in the viewer, you see the first page of data. To view or work with data, you use tools that help you navigate the report. In the viewer, you can page through a report by using the paging tool shown in Figure 13-7. Using this tool, you can click an arrow to view the first or last page in the report, or move forward or back through the report page by page.
Figure 13-10 Table of Contents Expanded Entry
To navigate to a specific page, click the related link.
Exporting Report Data
The viewer supports exporting report data to an Excel spreadsheet as a comma-separated values (.csv) file, pipe-separated values (.psv) file, or tab-separated values (.tsv) file. You can select an option to export the column’s data type.
In Excel, you can resize columns and format the data as you would for any other spreadsheet.
Step 1 In the viewer, select Export Data. The Export Data dialog box appears, as shown in Figure 13-12.
Figure 13-12 The Export Data Dialog Box
Available Result Sets lists the tables in the report. Available Columns lists the columns you can export from the specified table.
Printing Reports
You can print a report that appears in the viewer in HTML or PDF format. Because you can modify the report in Interactive Viewer, Interactive Viewer supports printing either the original report or the report as you modified it.
Step 1 In the viewer, select Print Report. The Print dialog box appears.
Step 2 In the Format field, select HTML or PDF.
Step 3 In the Page Range field, select the pages you want to print.
Step 4 Click OK.
Step 2 Navigate to the location where you want to save the file.
Step 3 Type a file name and click Save.
Step 4 Click OK on the confirmation message that appears.
Formatting Reports in Interactive Viewer
You can use the Interactive Viewer to format reports.
Step 2 Select Change Text. The Edit Text dialog box appears.
Step 3 Modify the text as desired and click Apply.
Formatting Labels
To modify the formatting of a label:
Step 1 Click on the label and then select Style > Font. The Font dialog box appears.
Step 2 Select the formats you desire, then click Apply.
Formatting Data
There are several ways to modify how the report data is formatted. You can:
• Resize a column.
Changing Column Data Alignment
To change the alignment of data in a column, right-click the column and select Alignment from the context menu. Then, choose one of the alignment options: Left, Center, or Right.
Formatting Data in Columns
The default formatting for column data comes from the data source. Typically, you modify the formatting of column data to enhance the appearance of the report.
Formatting Data Types
In an information object, as in the relational databases on which information objects are based, all the data in a column is of the same data type, excluding the column header. The column can display numeric data, date-and-time data, or string data. Each data type has a range of unique formats. Numeric data, for example, can appear as currency, percentages, or numbers with decimal values.
Table 13-6 Data Types and Formats (continued)
Data type: String
Unformatted: String retains the default format set by the template or theme.
Uppercase: String displays in all uppercase, for example GREAT NEWS.
Lowercase: String displays in all lowercase, for example great news.
Custom: Format depends on the format code you type.
Step 7 In the Negative Numbers field, select an option for displaying negative numbers, using either a minus sign before the number or parentheses around the number.
Step 8 Click Apply.
Formatting Fixed or Scientific Numbers or Percentages
Step 1 Select a column that contains numeric data, then click Format. The Number column dialog box appears.
Step 2 In the Format Number as field, select Fixed, Scientific, or Percent.
Step 3 In the Format Code field, type a format pattern similar to those shown in Table 13-7.
Step 4 Click Apply.
Formatting String Data
Step 1 To define the format for a column that contains string data, select the column, then click Format. The String column format appears.
Step 2 Select an option from the drop-down list. See Table 13-6 for the standard string data type options.
Step 3 Click Apply.
Table 13-9 Results of Custom String Format Patterns
Format pattern (@@@) @@@-@@@@: data 6175551007 gives (617) 555-1007; data 5551007 gives ( ) 555-1007
Format pattern (&&&) &&&-&&&&: data 6175551007 gives (617) 555-1007; data 5551007 gives () 555-1007
Format pattern !(@@@) @@@-@@@@: data 6175551007 gives (617) 555-1007; data 5551007 gives (555) 100-7
Format pattern !(&&&) &&&-&&&&: data 6175551007 gives (617) 555-1007; data 5551007 gives (555) 100-7
!(@@@) @@@-@@@@ + ext 9 5551007 (555) 100-7 !(&&&) &
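As an added example (not code from the Cisco guide), the following Python interpreter reproduces the rows of Table 13-9. Its placeholder rules are inferred from the table, not stated by the page: '@' shows a data character or a space, '&' shows a data character or nothing, a leading '!' fills the placeholders left to right instead of the default right to left, and every other pattern character is copied literally.

```python
# Added example, not from the Cisco ACS guide: a small interpreter for the
# custom string format patterns shown in Table 13-9. The placeholder rules
# below are inferred from the table's rows (an assumption, not stated by the
# page):
#   '@'  placeholder that shows a character from the data, or a space
#   '&'  placeholder that shows a character from the data, or nothing
#   '!'  as the first pattern character, fill placeholders left to right;
#        the default is right to left (data is right-aligned in the slots)
#   anything else is copied literally, e.g. "(", ")", "-", " "


def format_string(pattern: str, value: str) -> str:
    """Apply a Table 13-9 style pattern to one string value."""
    left_to_right = pattern.startswith("!")
    if left_to_right:
        pattern = pattern[1:]

    slot_count = sum(1 for ch in pattern if ch in "@&")

    # Table 13-9 never shows more data characters than placeholders; for
    # that case keep the characters nearest the fill origin (assumption).
    if len(value) > slot_count:
        if left_to_right:
            value = value[:slot_count]
        else:
            value = value[len(value) - slot_count:]

    # Place the data into the placeholder slots; unfilled slots stay None.
    slots = [None] * slot_count
    start = 0 if left_to_right else slot_count - len(value)
    for offset, ch in enumerate(value):
        slots[start + offset] = ch

    out = []
    k = 0
    for ch in pattern:
        if ch == "@":
            # '@' pads with a space, which is why "( ) 555-1007" in the
            # guide really contains three spaces between the parentheses
            out.append(slots[k] if slots[k] is not None else " ")
            k += 1
        elif ch == "&":
            if slots[k] is not None:
                out.append(slots[k])
            k += 1
        else:
            out.append(ch)
    return "".join(out)


# The four complete rows of Table 13-9, run against both data values the
# table uses, so the outputs can be compared with the guide row by row.
TABLE_13_9_PATTERNS = (
    "(@@@) @@@-@@@@",
    "(&&&) &&&-&&&&",
    "!(@@@) @@@-@@@@",
    "!(&&&) &&&-&&&&",
)
TABLE_13_9_DATA = ("6175551007", "5551007")


def table_13_9_results() -> dict:
    """Map (pattern, data) to the formatted result for every table cell."""
    return {
        (pattern, data): format_string(pattern, data)
        for pattern in TABLE_13_9_PATTERNS
        for data in TABLE_13_9_DATA
    }


if __name__ == "__main__":
    for (pattern, data), result in table_13_9_results().items():
        # repr() makes the padding spaces produced by '@' visible
        print(f"{pattern!r:20} {data:>10} -> {result!r}")
```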
Table 13-6 shows the standard date-and-time data type formats.
Step 1 Select a column that contains date or time data, then click Format. The Date and Time Format window appears.
Step 2 In the Format Date or Time As field, select the desired option.
Step 3 Click Apply.
Formatting Custom Date and Time
You can set custom date formats. Use custom date formatting, however, only if your report will be viewed in a single locale.
Formatting Boolean Data
A Boolean expression evaluates to True or False. For example, you create a calculated column with the following expression:
ActualShipDate <= TargetShipDate
If the actual ship date is before or on the target ship date, the expression evaluates to True. If the actual ship date is after the target ship date, the expression evaluates to False.
Figure 13-18 Conditional Formatting in Interactive Viewer
You can affect the formatting of one column based on the value in another column. For example, if you select the CustomerName column, you can base the condition on the creditRank column so that conditional formatting applies to the customer name if the customer’s creditRank is a particular value.
b. In the next field, use the drop-down list to select the operator to apply to the column you selected. You can select Equal to, Less than, Less than or Equal to, and so on. Depending on your selection, zero, one, or two fields appear to the right. If you selected Is Null, Is Not Null, Is True, or Is False, zero fields appear to the right.
Step 4 On Conditional Formatting, choose Format, and set the formatting for the conditional text. You can set the font, font size, font color, and background color. You can also display the data in bold, italic, or underlined font style.
Step 5 You set the formatting by using the same Font dialog box used for formatting labels, as shown in Figure 13-22.
Figure 13-23 Removing a Conditional Format in Interactive Viewer
Step 4 Click Apply.
Setting and Removing Page Breaks in Detail Columns
In Interactive Viewer, you can force page breaks after a preset number of rows.
Step 1 Select and right-click a detail column.
Step 2 From the context menu, select Group > Page Break. The Page Break window appears.
Figure 13-24 Setting a Page Break
Step 3 Specify whether to set a page break before every group, or for every group except the first or last group. To delete an existing page break, select None in Before group or After group.
Step 4 Click Apply.
Organizing Report Data
You can use Interactive Viewer to organize report data.
Reordering Columns in Interactive Viewer
To reorder columns:
Step 1 Select and right-click a column.
Step 2 From the context menu, select Column > Reorder Columns. The Arrange Columns window appears.
Step 3 Select the column you want to move.
Note You can select only detail rows, not groups or sections.
Step 4 Click the up or down arrows at the right until the column is in the correct position.
Step 5 Click Apply.
Figure 13-26 Move to Group Header Dialog Box
Step 3 From the Move to Group field, select a value.
Step 4 In the Header row field, select the row number in which to move the value you selected in Step 3.
Step 5 Click Apply. The data value from the first detail row in each group appears in each group header, as shown in Figure 13-27. The Name column displays one customer name beside each country group header.
Hiding or Displaying Report Items
To hide or display report items:
Step 1 Select and right-click a column.
Step 2 Select Hide or Show Items. The Hide or Show Items dialog box appears, similar to Figure 13-28.
Figure 13-28 Hiding or Displaying Report Items
Step 3 Select any items you want to hide, or deselect any hidden items you want to display. To display all hidden items, click Clear.
Step 4 Click Apply.
Displaying Hidden Columns
To display hidden columns:
Step 1 Select and right-click a column.
Step 2 Select Column > Show Columns. The Show Columns dialog box appears.
Step 3 Select any items you want to display. Use Ctrl to select several columns.
Step 4 Click Apply.
Merging Columns
You can merge the data from two or more columns into one column.
Figure 13-30 Merged Column
To merge data in multiple columns:
Step 1 Select and right-click the columns.
Step 2 Select Column > Merge Columns.
Selecting a Column from a Merged Column
You can aggregate, filter, and group data in a column that contains data merged from multiple columns. You must first select one of the columns on which to aggregate, filter, or group data.
Sorting Data
When you place data in a report design, the data source determines the default sort order for the data rows. If the data source sorts a column in ascending order, the column is sorted in ascending order in the design. Typically, however, data appears in the data source in no particular order. A column is likely to display customer names, for example, in the order in which the customers were added to the database, rather than in alphabetical order.
Figure 13-31 Sorting Multiple Columns
If the report uses grouped data, the drop-down lists in Advanced Sort show only the detail columns in the report, not the columns you used to group the data.
Grouping Data
A report can contain a great deal of data. Consider the task of listing every item a corporation owns, along with information such as the purchase price, purchase date, inventory tag number, and the supplier for each item.
Figure 13-32 Ungrouped Data
To organize all this information into a useful inventory report, you create data groups and data sections. Data groups contain related data rows. For example, you can create a report that lists all heavy equipment in one group, all office furniture in another group, all telephony equipment in a third group, and so on.
Adding Groups
To add groups:
Step 1 Select and right-click the column you want to use to create a group.
Step 2 From the context menu, select Group > Add Group. The new group appears in the viewer. As shown in Figure 13-34, the group expands to show all the detail rows. To collapse the group, click the minus sign ( - ) beside the group name.
Step 4 To set a grouping interval, select Group every, enter a value, and select the grouping interval. For example, to create a new group for every month, type 1 and select Month from the drop-down list. The report displays monthly data groups, as shown in Figure 13-36.
Figure 13-36 Data Grouped by Month
Removing an Inner Group
To remove an inner group:
Step 1 Select and right-click the column for the group you want to remove.
Figure 13-37 Calculated Column
To create a calculation, you:
• Provide a title for the calculated column.
• Write an expression that indicates which data to use and how to display the calculated data in the report. The expression contains a function and one or more arguments. Arguments indicate the data you want to use to create the calculation.
Understanding Supported Calculation Functions
Table 13-11 provides examples of the functions you can use to create calculations.
Note The Calculation dialog box does not support uppercase TRUE and FALSE functions in expressions, nor the initial-capital forms True and False. These functions must be written in lowercase only.
Table 13-11 Examples of Functions
Table 13-11 Examples of Functions (continued)
COUNT( ): Counts the rows in a table. Example of use: COUNT( )
COUNT(groupLevel): Counts the rows at the specified group level. Example of use: COUNT(2)
COUNTDISTINCT(expr): Counts the rows that contain distinct values in a table. Examples of use: COUNTDISTINCT([CustomerID]), COUNTDISTINCT([Volume]*2)
COUNTDISTINCT(expr, groupLevel): Counts the rows that contain distinct values at the specified group level.
Table 13-11 Examples of Functions (continued)
FIRST(expr, groupLevel): Displays the first value that appears in the specified column at the specified group level. Example of use: FIRST([customerID], 3)
IF(condition, doIfTrue, doIfFalse): Displays the result of an If...Then...Else statement.
Table 13-11 Examples of Functions (continued)
ISTOPNPERCENT(expr, percent, groupLevel): Displays True if the value is within the highest n percent of values for the expression at the specified group level, and False otherwise. Example of use: ISTOPNPERCENT([SalesTotals], 5, 3)
LAST(expr): Displays the last value in a specified column.
Table 13-11 Examples of Functions (continued)
MONTH(date, option): Displays the month of a specified date-and-time value, in one of three optional formats. Example of use: MONTH([Semester], 2)
• 1 - Displays the month number, 1 through 12.
• 2 - Displays the complete month name in the user’s locale.
• 3 - Displays the abbreviated month name in the user’s locale.
Table 13-11 Examples of Functions (continued)
RANK(expr): Displays the rank of a number, string, or date-and-time value, starting at 1. Duplicate values receive identical rank, but the duplication does not affect the ranking of subsequent values. Example of use: RANK([AverageStartTime])
Table 13-11 Examples of Functions (continued)
TRIM(str): Displays a string with all leading and trailing blank characters removed. Also removes all consecutive blank characters. Leading and trailing blanks can be spaces, tabs, and so on. Example of use: TRIM([customerName])
TRIMLEFT(str): Displays a string with all leading blanks removed. Does not remove consecutive blank characters.
Understanding Supported Operators
Table 13-12 describes the mathematical and logical operators you can use in writing expressions that create calculated columns.
Using Multiple Values in Calculated Columns
To use multiple values in calculated columns:
Step 1 Select a column. In the report, the new calculated column appears to the right of the column you select.
Step 2 Select Add Calculation. The Calculation dialog box appears.
Step 3 In the Column Label field, type a header for the calculated column. The header must start with a letter and can contain only letters, numbers, underscores, and spaces.
Step 7 For the second argument, type the number of days to add. In this case, type 7.
Step 8 Validate the expression, then click Apply. The new calculated column appears in the report. For every value in the Order Date column, the calculated column displays a date seven days later than the order date.
Subtracting Date Values in a Calculated Column
You can display the difference between two date values.
Step 1 Select a column.
Figure 13-39 Aggregate Row for a Group
Table 13-13 shows the aggregate functions that you can use.
Table 13-13 Aggregate Functions
Average: Calculates the average value of a set of data values.
Count: Counts the data rows in the column.
Count Value: Counts distinct values in the column.
First: Returns the first value in the column.
Last: Returns the last value in the column.
Creating an Aggregate Data Row
To create an aggregate data row:
Step 1 Select a column, then select Aggregation. The Aggregation dialog box appears. The name of the column you selected is listed in the Selected Column field.
Step 2 From the Select Function menu, select the function you want to use.
Adding Additional Aggregate Rows
After you create a single aggregate row for a column, you can add up to two more aggregate rows for the same column. For an item total column, for example, you can create a sum of all the values, count all the values, and get the average order total.
To add an aggregate row:
Step 1 Select a calculated column that contains an aggregate row, then select Aggregation. The Aggregation window appears.
Deleting Aggregate Rows
To delete an aggregate row:
Step 1 Select the calculated column that contains the aggregation you want to remove, then select Aggregation. The Aggregation dialog box appears, displaying all the aggregations for the column.
Step 2 For the aggregation you want to remove, choose Delete Aggregation, then click Apply.
Figure 13-43 Suppressed Values
You can suppress duplicate values to make your report easier to read. You can suppress only consecutive occurrences of duplicate values. In the Location column in Figure 13-43, the Boston value is suppressed in the second, third, fourth, and fifth rows. If Boston occurs again after the listing for NYC, that occurrence of Boston is visible and subsequent consecutive occurrences are suppressed.
Figure 13-44 Group Detail Rows Displayed
Figure 13-45 shows the results of hiding the detail rows for the creditrank grouping.
Figure 13-45 Group Detail Rows Hidden
• To collapse a group or section, select and right-click a member of the group or section that you want to collapse. The context menu appears.
• To display the group members without their detail rows, select Group > Hide Detail.
Table 13-14 Conditions to Use with Filters (continued)
Bottom N: Returns the lowest n values in the column.
Bottom Percent: Returns the lowest n percent of values in the column.
Equal to: Returns values that are equal to a specified value.
Greater Than: Returns values that are greater than a specified value.
Greater Than or Equal to: Returns values that are greater than or equal to a specified value.
Table 13-15 Examples of Filter Conditions
Type of filter condition: Comparison
Description: Compares the value of one expression to the value
Examples of instructions to data source: quantity = 10 custName = 'Acme Inc.
Figure 13-46 Selecting a Filter Value in Interactive Viewer
Step 2 To search for a value, type the value in the Find Value field, then click Find. All values that match your filter text are returned. For example, if you type 40, the text box displays any values in the column that begin with 40, such as 40, 400, 4014, and 40021. When you see the value you want in the large text box, double-click the value. The value appears in the Value field.
Step 3 From the Condition pull-down menu, select a condition. Table 13-14 describes the conditions you can select.
• If you select Between or Not Between, additional Value From and Value To fields appear so that you can specify a range of values.
• If you select Is False, Is True, Is Null, or Is Not Null, no value fields appear. For all other selections, a single value field appears.
Step 4 Enter values in each of the available fields.
Figure 13-47 The Advanced Filter Dialog Box in Interactive Viewer
Advanced Filter provides a great deal of flexibility in setting the filter value. For conditions that test equality and for the Between condition, you can either set a literal value or base the value on another data column.
Step 7 Validate the filter syntax by clicking Validate. You have now created a filter with one condition. The next step is to add conditions.
Step 8 Repeat Step 3 through Step 7 to create each additional filter condition you want.
Step 9 In Filters, adjust the filter conditions to achieve the desired filtering.
Step 2 From the Filter pull-down menu, select a particular number of rows or a percentage of rows, as shown in Figure 13-48.
Step 3 Enter a value in the field next to the Filter pull-down menu to specify the number or percentage of rows to display.
Figure 13-49 Parts of a Basic Bar Chart
There are a variety of chart types. Some types of data are best depicted with a specific type of chart. Charts can be used as reports in themselves, and they can be used together with tabular data report styles.
Modifying Charts
The basic characteristics of a chart are determined in the report design editor.
Changing Chart Subtype
Charts have subtypes, which you can change as needed:
• Bar chart—Side-by-Side, Stacked, Percent Stacked
• Line chart—Overlay, Stacked, Percent Stacked
• Area chart—Overlay, Stacked, Percent Stacked
• Meter chart—Standard, Superimposed
• Stock chart—Candlestick, Bar Stick
Many chart types offer two-dimensional subtypes, in which the chart shape appears flat against the chart background.
Figure 13-50 Chart Formatting Options
You use this page to:
• Edit and format the default chart title.
• Edit and format the default title for the category, or x-, axis.
• Modify settings for the labels on the x-axis. You can:
– Indicate whether to display x-axis labels.
– Indicate whether to rotate x-axis labels and set the degree of rotation.
– Indicate whether to stagger x-axis labels.
Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer
This chapter describes the diagnostic and troubleshooting tools that the Monitoring & Report Viewer provides for the Cisco Secure Access Control System.
Support bundles typically contain the ACS database, log files, core files, and Monitoring & Report Viewer support files. You can exclude certain files from the support bundle, per ACS node. You can download the support bundle to your local computer.
Table 14-1 Expert Troubleshooter - Diagnostic Tools (continued)
Trust Sec Tools
Egress (SGACL) Policy: Compares the Egress Policy (SGACL) between a network device and ACS. See Comparing SGACL Policy Between a Network Device and ACS, page 14-11, for more information.
SXP-IP Mappings: Compares SXP mappings between a device and peers.
Related Topics
• Available Diagnostic and Troubleshooting Tools, page 14-1
• Connectivity Tests, page 14-1
• ACS Support Bundle, page 14-1
• Expert Troubleshooter, page 14-2
Downloading ACS Support Bundles for Diagnostic Information
To create and download an ACS support bundle:
Step 1 Select Monitoring and Reports > Troubleshooting > ACS Support Bundle.
• Include core files—Check this check box to include core files, then click All, or click Include files from the last and enter a value from 1 to 365 in the day(s) field.
• Include monitoring and reporting logs—Check this check box to include monitoring and reporting logs, then click All, or click Include files from the last and enter a value from 1 to 365 in the day(s) field.
• Comparing IP-SGT Pairs on a Device with ACS-Assigned SGT Records, page 14-14
• Comparing Device SGT with ACS-Assigned Device SGT, page 14-15
Related Topics
• Available Diagnostic and Troubleshooting Tools, page 14-1
• Connectivity Tests, page 14-1
• ACS Support Bundle, page 14-1
• Expert Troubleshooter, page 14-2
Troubleshooting RADIUS Authentications
Use the RADIUS Authentication diagnosti
Table 14-4 RADIUS Authentication Troubleshooter Page (continued)
Time Range: Define a time range from the Time Range drop-down list box. The Monitoring & Report Viewer fetches the RADIUS authentication records that are created during this time range.
Table 14-5 Progress Details Page - User Input Dialog Box
Specify Connection Parameters for Network Device a.b.c.d
Username: Enter the username for logging in to the network device.
Password: Enter the password.
Protocol: Choose the protocol from the Protocol drop-down list. Valid options are:
• Telnet
• SSHv2
Telnet is the default option.
Table 14-6 Results Summary Page
Diagnosis and Resolution
Diagnosis: The diagnosis for the problem is listed here.
Resolution: The steps for resolution of the problem are detailed here.
Troubleshooting Summary
Summary: A step-by-step summary of troubleshooting information is provided here. You can expand any step to view further details.
Table 14-7 Execute Show Command on a Network Device
Enter Information
Network Device IP: Enter the IP address of the network device on which you want to run the show command.
Command: Enter the show command that you want to run.
Step 3 Click Run to run the show command on the specified network device. The Progress Details page appears.
Table 14-8 Evaluate Configuration Validator
Web Authentication: Check this check box if you want to compare the web authentication configuration.
Profiler Configuration: Check this check box if you want to compare the Profiler configuration.
SGA: Check this check box if you want to compare the Security Group Access configuration.
802.
3. Compares the SGACL policy obtained from the network device with the SGACL policy obtained from ACS.
4. Displays the source SGT to destination SGT pair if there is a mismatch. It also displays the matching entries as additional information.
To compare the SGACL policy between a network device and ACS:
Step 1 Choose Monitoring and Reports > Troubleshooting > Expert Troubleshooter.
Step 4 Click SXP-IP Mappings from the list of troubleshooting tools. The Expert Troubleshooter page refreshes and shows the following field:
Network Device IP—Enter the IP address of the network device.
Step 5 Click Run. The Progress Details page appears. The Monitoring & Report Viewer prompts you for additional input.
Step 10 Click Show Results Summary to view the diagnosis and resolution steps. The Results Summary page appears with the information described in Table 14-6.
Step 6 Click Show Results Summary to view the diagnosis and resolution steps.
Table 14-11 Device SGT
Common Connection Parameters
Use Common Connection Parameters: Check this check box to use the following common connection parameters for comparison:
• Username—Enter the username of the network device.
• Password—Enter the password.
• Protocol—Choose the protocol from the Protocol drop-down list box.
Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer
This chapter describes the tasks that you must perform to configure and administer the Monitoring & Report Viewer. The Monitoring Configuration drawer allows you to:
• Manage data—The Monitoring & Report Viewer handles large volumes of data from ACS servers. Over a period of time, the performance and efficiency of the Monitoring & Report Viewer depend on how well you manage the data.

• Configure and edit failure reasons—The Monitoring & Report Viewer allows you to configure the description of each failure reason code and provide instructions to resolve the problem. See Viewing Failure Reasons, page 15-14 for more information on how to edit the failure reason description and the instructions for resolution.

• Configuring Alarm Syslog Targets, page 15-17
• Configuring Remote Database Settings, page 15-17
Configuring Data Purging and Incremental Backup
The Monitoring & Report Viewer database handles large volumes of data. When the database size becomes too large, it slows down all the processes. You do not need all the data all the time.

– If the database disk usage is greater than 83 GB, a backup is run immediately, followed by a purge until the database disk usage is below 83 GB.
– If the backup fails and the database disk usage is greater than 83 GB, the Monitoring & Report Viewer waits rather than purging data that has not been backed up.

• ACS displays an alert message when the difference between the physical and actual size of the View database is greater than 10 GB and less than 50 GB. Also, an automatic database compress operation is triggered when the size of the database exceeds 111 GB, to avoid disk space issues.
Table 15-1 Data Purging and Incremental Backup Page (continued)
• On: Click the On radio button to enable incremental backup. If incremental backup is enabled, only the delta is backed up.
• Off: Click the Off radio button to disable incremental backup.

Restoring Data from a Backup
Use this page to restore data from the View database that was backed up earlier. You can restore data from an incremental or full backup. If you choose to restore incremental backup data, ACS restores the full View data backup and then the rest of the incremental backups one at a time, in the correct sequence.

Viewing Log Collections
Note You can use the refresh symbol to refresh the contents of the page.
Table 15-3 Log Collection Page
• ACS Server: Name of the ACS server. Click to open the Log Collection Details page and view recently collected logs.
• Last Syslog Message: Display only.

Log Collection Details Page
Use this page to view the recently collected log names for an ACS server.
Step 1 From the Monitoring & Report Viewer, select Monitoring and Reports > Monitoring Configuration > Log Collection.
Step 2 Do one of the following:
• Click the name of an ACS server.

Table 15-4 Log Collection Details Page
• Log Name: Name of the log file.
• Last Syslog Message: Display only. Indicates the arrival time of the most recent syslog message, in the format Ddd Mmm dd hh:mm:ss timezone yyyy, where:
– Ddd = Sun, Mon, Tue, Wed, Thu, Fri, Sat.
– Mmm = Jan, Feb, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec.

Recovering Log Messages
The ACS server sends syslog messages to the Monitoring & Report Viewer for activities such as passed authentications, failed attempts, authorization, accounting, and so on. The syslog messages have a sequence number attached.
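As an added illustration (not code from the Cisco guide), the following Python parses the Last Syslog Message arrival time in the Ddd Mmm dd hh:mm:ss timezone yyyy format described for the Log Collection Details page, flags a collector whose newest message is older than a chosen threshold, and locates gaps in the sequence numbers attached to syslog messages, which is how an operator can tell that messages were lost before asking for recovery. The timezone abbreviation table and the sample message list are constructed for the example; the page does not describe how ACS itself performs the recovery.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed mapping of timezone abbreviations to UTC offsets (hours). Abbreviations are
# ambiguous in general; list only the zones your ACS servers actually report.
TZ_OFFSET_HOURS = {"UTC": 0, "GMT": 0, "EST": -5, "EDT": -4, "PST": -8, "PDT": -7}

MONTHS = {name: number for number, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# Ddd Mmm dd hh:mm:ss timezone yyyy, for example "Tue Apr 15 10:05:30 UTC 2014"
_TS_RE = re.compile(
    r"^(?P<ddd>Sun|Mon|Tue|Wed|Thu|Fri|Sat) "
    r"(?P<mmm>Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    r"(?P<dd>\d{1,2}) (?P<hh>\d{2}):(?P<mi>\d{2}):(?P<ss>\d{2}) "
    r"(?P<tz>[A-Z]{3,4}) (?P<yyyy>\d{4})$"
)


def parse_last_syslog_time(text: str) -> datetime:
    """Parse the Last Syslog Message field into a timezone-aware datetime, rejecting malformed input."""
    m = _TS_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not in Ddd Mmm dd hh:mm:ss timezone yyyy format: {text!r}")
    if m["tz"] not in TZ_OFFSET_HOURS:
        raise ValueError(f"unknown timezone abbreviation: {m['tz']}")
    tzinfo = timezone(timedelta(hours=TZ_OFFSET_HOURS[m["tz"]]))
    dt = datetime(int(m["yyyy"]), MONTHS[m["mmm"]], int(m["dd"]),
                  int(m["hh"]), int(m["mi"]), int(m["ss"]), tzinfo=tzinfo)
    # The weekday field is redundant with the date; a mismatch means a corrupted value.
    if dt.strftime("%a") != m["ddd"]:
        raise ValueError(f"weekday {m['ddd']} does not match date {dt.date()}")
    return dt


def is_valid_timestamp(text: str) -> bool:
    try:
        parse_last_syslog_time(text)
        return True
    except ValueError:
        return False


def collector_is_stale(last_message: str, now: datetime,
                       max_age: timedelta = timedelta(minutes=15)) -> bool:
    """True when no syslog message has arrived from the ACS server within max_age of `now`."""
    return now - parse_last_syslog_time(last_message) > max_age


def find_sequence_gaps(sequence_numbers):
    """Return (first_missing, last_missing) ranges between the lowest and highest number seen."""
    ordered = sorted(set(sequence_numbers))
    gaps = []
    for prev, cur in zip(ordered, ordered[1:]):
        if cur - prev > 1:
            gaps.append((prev + 1, cur - 1))
    return gaps


# Constructed sample of collected messages: (sequence number, message category).
SAMPLE_MESSAGES = [
    (1001, "Passed-Authentication"),
    (1002, "Failed-Attempt"),
    (1004, "Accounting"),
    (1005, "Authorization"),
    (1008, "Passed-Authentication"),
]


def gaps_in_sample():
    """Sequence-number gaps in SAMPLE_MESSAGES: [(1003, 1003), (1006, 1007)]."""
    return find_sequence_gaps(seq for seq, _ in SAMPLE_MESSAGES)


if __name__ == "__main__":
    now = parse_last_syslog_time("Tue Apr 15 10:30:00 UTC 2014")
    print(collector_is_stale("Tue Apr 15 10:05:30 UTC 2014", now))  # True: 25 minutes old
    print(gaps_in_sample())  # [(1003, 1003), (1006, 1007)]
```

Two gaps in the sample mean that the messages numbered 1003 and 1006 through 1007 never reached the collector; the stale check is the complement, catching a server that has stopped sending altogether.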
Table 15-6 Scheduler Status Page
• Name: Display only. Name of the job.
• Type: Display only. Type of the associated job; for example, Incremental Backup Utility, Session Termination, DB Aggregation Event, Database Purge Utility, and so on. This list includes both system- and user-defined jobs.
• Owner: Display only. Owner of the associated job—System.

Viewing Process Status
Use this page to view the status of processes running in your ACS environment. From the Monitoring & Report Viewer, select Monitoring Configuration > System Operations > Process Status.
Note You can click the refresh symbol to refresh the contents of the page.
Table 15-7 Process Status Page
• Process Name: Display only. Name of the process.

Viewing Data Upgrade Status
After you upgrade to ACS 5.3, ensure that the Monitoring & Report Viewer database upgrade is complete. You can do this through the ACS web interface. Refer to the Installation Guide for the Cisco Secure Access Control System 5.3 for more information on the upgrade process.

Table 15-9 Failure Reasons Editor Page
• Failure Reason: Display only. The error code and associated failure reason name.
• Description: Enter a free-text description of the failure reason to assist administrators; use the text tools as needed.

Understanding Collection Filters
You can create collection filters that filter out and drop syslog events that are not used for monitoring or troubleshooting purposes. When you configure collection filters, the Monitoring & Report Viewer does not record these events in the database, which saves much-needed disk space.

Related Topics
• Creating and Editing Collection Filters, page 15-16
• Deleting Collection Filters, page 15-17
Deleting Collection Filters
To delete a collection filter:
Step 1 Choose Monitoring Configuration > System Configuration > Collection Filters. The Collection Filters page appears.

Step 1 From the Monitoring & Report Viewer, choose Monitoring Configuration > System Configuration > Remote Database Settings. The Remote Database Settings page appears, as described in Table 15-12.
Table 15-12 Remote Database Settings Page
• Publish to Remote Database: Check the check box for ACS to export data to the remote database periodically.
Chapter 16 Managing System Administrators
System administrators are responsible for deploying, configuring, maintaining, and monitoring the ACS servers in your network. They can perform various operations in ACS through the ACS administrative interface. When you define an administrator in ACS, you assign a password and a role or set of roles that determine the access privileges the administrator has for the various operations.

• Configure administrator session setting
• Configure administrator access setting
The first time you log in to ACS 5.3, you are prompted for the predefined administrator username (ACSAdmin) and are required to change the predefined password (default). After you change the password, you can start configuring the system.

Understanding Authentication
An authentication request is the first operation for every management session. If authentication fails, the management session is terminated. If authentication passes, the management session continues until the administrator logs out or the session times out. ACS 5.3 authenticates every login operation by using user credentials (username and password).

Permissions
A permission is an access right that applies to a specific administrative task. Permissions consist of:
• A Resource—The list of ACS components that an administrator can access, such as network resources or policy elements.
• Privileges—The privileges are Create, Read, Update, Delete, and eXecute (CRUDX). Some privileges cannot apply to a given resource. For example, the user resource cannot be executed.

Table 16-1 Predefined Role Descriptions (continued)
• SecurityAdmin: This role is required in order to create, update, or delete ACS administrator accounts, to assign administrative roles, and to change the ACS password policy.

Administrator Accounts and Role Association
Administrator account definitions consist of a name, status, description, e-mail address, password, and role assignment.
Note It is recommended that you create a unique administrator account for each person. In this way, operations are clearly attributed in the audit log. Administrators are authenticated against the internal database only.

Step 2 Do any of the following:
• Click Create.
• Check the check box next to the account that you want to duplicate and click Duplicate.
• Click the account that you want to modify; or, check the check box for the Name and click Edit.
• Check the check box next to the account for which you want to change the password and click Change Password.

The new account is saved. The Administrators page appears, with the new account that you created or duplicated.
Related Topics
• Understanding Roles, page 16-3
• Administrator Accounts and Role Association, page 16-6
• Viewing Predefined Roles, page 16-8
• Configuring Authentication Settings for Administrators, page 16-9
Viewing Predefined Roles
See Table 16-1 for a description of the predefined roles included in ACS.

Related Topics
• Understanding Roles, page 16-3
• Administrator Accounts and Role Association, page 16-6
• Configuring Authentication Settings for Administrators, page 16-9
Configuring Authentication Settings for Administrators
Authentication settings are a set of rules that enhance security by forcing administrators to use strong passwords, change their passwords regularly, and so on.

Table 16-7 Advanced Tab
• Password History—Password must be different from the previous n versions: Specifies the number of previous passwords for this administrator to be compared against. This option prevents administrators from setting a password that was recently used. Valid options are 1 to 99.
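The following Python is an added example, not ACS's own implementation, of how a "different from the previous n versions" rule can be enforced without ever keeping old passwords in clear text: only salted PBKDF2 digests of the last n passwords are retained, and a candidate is compared against each of them in constant time. The depth limit of 1 to 99 is taken from the table above; treating the current password as one of the n remembered versions is an assumption the page does not state.

```python
import hashlib
import hmac
import os
from collections import deque

MAX_HISTORY = 99          # the Advanced tab accepts 1 to 99 previous passwords
PBKDF2_ITERATIONS = 50_000
SALT_BYTES = 16


def _derive(password: str, salt: bytes) -> bytes:
    # Only salted digests are retained; the history never stores a plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AdminPasswordHistory:
    """Enforces 'password must be different from the previous n versions' for one administrator.

    Assumption (not stated on the page): the current password counts as one of the n
    remembered versions, so history_depth=1 only forbids re-setting the same password.
    """

    def __init__(self, history_depth: int):
        if not 1 <= history_depth <= MAX_HISTORY:
            raise ValueError(f"history depth must be between 1 and {MAX_HISTORY}")
        self.history_depth = history_depth
        # (salt, digest) pairs, oldest first; the deque drops the oldest when full.
        self._entries = deque(maxlen=history_depth)

    def was_recently_used(self, password: str) -> bool:
        """Constant-time comparison against every remembered digest (each has its own salt)."""
        return any(hmac.compare_digest(_derive(password, salt), digest)
                   for salt, digest in self._entries)

    def try_set_password(self, password: str) -> bool:
        """Accept and remember the new password, or return False if it reuses a recent one."""
        if self.was_recently_used(password):
            return False
        salt = os.urandom(SALT_BYTES)
        self._entries.append((salt, _derive(password, salt)))
        return True


def depth_is_valid(history_depth: int) -> bool:
    try:
        AdminPasswordHistory(history_depth)
        return True
    except ValueError:
        return False


def demo_history_depth_three():
    """Walk a depth-3 history through six attempts; returns each attempt's accept/reject result."""
    hist = AdminPasswordHistory(3)
    attempts = [
        "Winter-2014!a",   # accepted (constructed sample passwords)
        "Spring-2014!b",   # accepted
        "Summer-2014!c",   # accepted; history window is now full
        "Winter-2014!a",   # rejected: still among the last 3
        "Autumn-2014!d",   # accepted; pushes Winter-2014!a out of the window
        "Winter-2014!a",   # accepted now that it is older than 3 versions
    ]
    return [hist.try_set_password(p) for p in attempts]


if __name__ == "__main__":
    print(demo_history_depth_three())  # [True, True, True, False, True, True]
```

Because each stored entry carries its own salt, a reuse check costs one PBKDF2 derivation per remembered version, which is why the history depth is bounded rather than unlimited.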
Related Topics
• Understanding Roles, page 16-3
• Administrator Accounts and Role Association, page 16-6
• Viewing Predefined Roles, page 16-8
Configuring Session Idle Timeout
A GUI session, by default, is assigned a timeout period of 30 minutes. You can configure a timeout period of anywhere from 5 to 90 minutes. To configure the timeout period:
Step 1 Choose System Administration > Administrators > Settings > Session.

Step 3 Click Create in the IP Range(s) area. A new window appears. Enter the IP address of the machine from which you want to allow remote access to ACS. Enter a subnet mask as well to allow an entire IP address range.
Step 4 Click OK. The IP Range(s) area is populated with the IP addresses. Repeat Step 3 to add other IP addresses or ranges for which you want to provide remote access.
Step 5 Click Submit.
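As an added example (not part of the Cisco guide), the Python below models the IP Range(s) list from Step 3: an entry is either a single host address or an address plus subnet mask denoting a whole range, and a web-interface connection is accepted only when its source address falls inside at least one entry. It also includes the pre-submit check an administrator should run before Step 5, namely whether the list would deny the administrator's own source address. The addresses used are constructed documentation-range samples.

```python
import ipaddress


class RemoteAccessAllowlist:
    """Models the IP Range(s) list: a bare address allows one host, address + mask allows a range."""

    def __init__(self):
        self._networks = []

    def add(self, address, subnet_mask=None):
        """Add one entry and return the normalized network so the operator can confirm it."""
        if subnet_mask is None:
            network = ipaddress.ip_network(address)  # single host: /32 (IPv4) or /128 (IPv6)
        else:
            # strict=False lets a host address plus mask (10.1.2.3 + 255.255.255.0)
            # stand for its whole subnet (10.1.2.0/24), as the dialog's wording implies.
            network = ipaddress.ip_network(f"{address}/{subnet_mask}", strict=False)
        self._networks.append(network)
        return str(network)

    def allows(self, client_address) -> bool:
        """Would a web-interface connection from client_address be accepted?"""
        client = ipaddress.ip_address(client_address)
        return any(client in network for network in self._networks)

    def would_lock_out(self, admin_address) -> bool:
        """Pre-submit check: True if the administrator's own source address would be denied."""
        return not self.allows(admin_address)


def is_well_formed(address, subnet_mask=None) -> bool:
    """Validate an entry before adding it, so a typo cannot silently allow the wrong range."""
    try:
        RemoteAccessAllowlist().add(address, subnet_mask)
        return True
    except ValueError:
        return False


def demo_allowlist():
    """Two constructed entries: one management workstation and one operations subnet."""
    acl = RemoteAccessAllowlist()
    acl.add("192.0.2.10")                 # single host
    acl.add("10.1.2.3", "255.255.255.0")  # entire 10.1.2.0/24 range
    return acl


if __name__ == "__main__":
    acl = demo_allowlist()
    print(acl.allows("10.1.2.250"), acl.allows("10.1.3.1"))  # True False
    print(acl.would_lock_out("203.0.113.5"))                 # True: review before Submit
```

The lock-out check matters because the restriction takes effect at Submit; if the address you are connecting from is not in the list, you lose web-interface access and must recover from the CLI.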
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/reference/cli_app_a.html#wp1893005.
Note You cannot reset the administrator password through the ACS web interface.
Changing the Administrator Password
ACS 5.3 introduces a new role, Change Admin Password, that entitles an administrator to change another administrator's password.

Resetting Another Administrator's Password
To reset another administrator's password:
Step 1 Choose System Administration > Administrators > Accounts. The Accounts page appears with a list of administrator accounts.
Step 2 Check the check box next to the administrator account for which you want to change the password and click Change Password.
Chapter 17 Configuring System Operations
You can configure and deploy ACS instances so that one ACS instance becomes the primary instance and the other ACS instances are registered to the primary as secondary instances. An ACS instance represents ACS software that runs on a network. An ACS deployment may consist of a single instance, or of multiple instances deployed in a distributed manner, where all instances in a system are managed centrally.

Understanding Distributed Deployment
You can configure multiple ACS servers in a deployment. Within any deployment, you designate one server as the primary server, and all the other servers are secondary servers. In general, you make configuration changes on the primary server only, and the changes are propagated to all secondary servers, which can then view the configuration data as read-only data.

Note ACS 5.3 does not support large deployments with more than ten ACS instances (one primary and nine secondaries). For more information on ACS server deployments, see: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/installation/guide/csacs_deploy.html.

• Understanding Distributed Deployment, page 17-2
Promoting a Secondary Server
Only one server can function as the primary server at a time. However, you can promote a secondary server so that it assumes the primary role for all servers in the deployment. The promotion operation is performed either on the secondary server that is to assume the primary role or on the primary server.

Understanding Full Replication
Under normal circumstances, each configuration change is propagated to all secondary instances. Unlike ACS 4.x, where full replication was performed, in ACS 5.3 only the specific changes are propagated.

• Using the Deployment Operations Page to Create a Local Mode Instance, page 17-22
Scheduled Backups
You can schedule backups to run at periodic intervals. You can schedule backups from the primary web interface or through the local CLI. The Scheduled Backups feature backs up ACS configuration data. You can back up data from an earlier version of ACS and restore it to a later version.

Step 2 Click Submit to schedule the backup.
Related Topic
Backing Up Primary and Secondary Instances, page 17-7
Backing Up Primary and Secondary Instances
ACS gives you the option to back up the primary and secondary instances at any time, apart from the regular scheduled backups.

Step 4 Click Submit to run the backup immediately.
Related Topic
Scheduled Backups, page 17-6
Synchronizing Primary and Secondary Instances After Backup and Restore
When you restore a system backup on a primary instance, the secondary instances are not updated to the newly restored database that is present on the primary instance.

The Distributed System Management page appears with two tables:
• Primary Instance table—Shows the primary instance. The primary instance is created as part of the installation process.
• Secondary Instances table—Shows a listing and the status of the secondary instances. See Viewing and Editing a Secondary Instance, page 17-12 for more information.

Table 17-4 Distributed System Management Page (continued)
• Replication Time: Time stamp of the last replication. The time stamp is in the form hh:mm dd:mm:yyyy.
• Version: Current version of the ACS software running on the secondary ACS instance. Valid values are the version string or, if a software upgrade is initiated, Upgrade in progress.
• Description: Description of the secondary instance.

Table 17-5 Distributed System Management Properties Page (continued)
• Port: Port for the Management service.
• MAC Address: MAC address for the instance.
• Description: Description of the primary or secondary instance.
• Check Secondary Every (only applies for primary): Rate at which the primary instance sends a heartbeat status request to the secondary instance. The default value is 60 seconds.

The Primary Instance table on the Distributed System Management page appears with the edited primary instance.
Related Topics
• Replicating a Secondary Instance from a Primary Instance, page 17-18
• Viewing and Editing a Secondary Instance, page 17-12
Viewing and Editing a Secondary Instance
To edit a secondary instance:
Step 1 Choose System Administration > Operations > Distributed System Management.

The following warning message appears: Are you sure you want to delete the selected item/items?
Step 5 Click OK. The Secondary Instances table on the Distributed System Management page appears without the deleted secondary instances.
Activating a Secondary Instance
To activate a secondary instance:
Step 1 Choose System Administration > Operations > Distributed System Management.

Table 17-6 System Operations: Deployment Operations Page
Instance Status
• Current Status: Identifies the instance of the node you log into as primary or secondary, and identifies whether you are running in local mode.
• Primary Instance: Hostname of the primary instance.
• Primary IP: IP address of the primary instance.

Table 17-6 System Operations: Deployment Operations Page (continued)
Deregistration
• Deregister from Primary: Deregisters the secondary from the primary instance. The secondary instance retains the database configuration from when it was deregistered. All nodes are marked as deregistered and inactive, and the secondary instance becomes the primary instance.

Deregistering Secondary Instances from the Distributed System Management Page
To deregister secondary instances from the Distributed System Management page:
Step 1 Choose System Administration > Operations > Distributed System Management. The Distributed System Management page appears.

The system displays the following warning message: This operation will deregister this server as a secondary with the primary server. ACS will be restarted. You will be required to login again. Do you wish to continue?
Step 3 Click OK.
Step 4 Log into the ACS machine.
Step 5 Choose System Administration > Operations > Local Operations > Deployment Operations.

Promoting a Secondary Instance from the Deployment Operations Page
To promote a secondary instance to a primary instance from the Deployment Operations page:
Step 1 Choose System Administration > Operations > Distributed System Management. The Deployment Operations page appears. See Table 17-6 for valid field options.
Step 2 Register the secondary instance to the primary instance.

Replicating a Secondary Instance from the Distributed System Management Page
Note All ACS appliances must be in sync with the AD domain clock.
To replicate a secondary instance:
Step 1 Choose System Administration > Operations > Distributed System Management. The Distributed System Management page appears.

The Distributed System Management page appears. In the Secondary Instances table, the Replication Status column shows UPDATED. Replication is complete on the secondary instance. Management and runtime services are current with configuration changes from the primary instance.

Failover
ACS 5.3 allows you to configure multiple ACS instances for a deployment scenario. Each deployment can have one primary and multiple secondary ACS servers.
Scenario 1: Primary ACS goes down in a distributed deployment
Consider three ACS instances, ACS1, ACS2, and ACS3. ACS1 is the primary, and ACS2 and ACS3 are secondaries.

Cleanup.......
Starting ACS....
The database on the primary server is restored successfully. Now, you can observe that all secondary servers in the distributed deployment are disconnected.
Step 3 Log into the secondary web interface, choose System Administration > Operations > Local Operations > Deployment Operations, and click Request Local Mode.

You can use the configuration information on the ACS Configuration Audit report to manually restore the configuration information for this instance.
Creating, Duplicating, Editing, and Deleting Software Repositories
To create, duplicate, edit, or delete a software repository:
Step 1 Choose System Administration > Operations > Software Repositories.

Table 17-8 Software Update Repositories Properties Page (continued)
Repository Information
• Protocol: The name of the protocol that you want to use to transfer the upgrade file. Valid options are:
– DISK—If you choose this protocol, you must provide the path.
– FTP—If you choose this protocol, you must provide the server name, path, and credentials.
• Server Name
CH A P T E R 18 Managing System Administration Configurations After you install Cisco Secure ACS, you must configure and administer it to manage your network efficiently. The ACS web interface allows you to easily configure ACS to perform various operations. For a list of post-installation configuration tasks to get started with ACS, see Chapter 6, “Post-Installation Configuration Tasks”.
Chapter 18 Managing System Administration Configurations Configuring Global System Options Table 18-1 TACACS+ Settings Option Description Port to Listen Port number on which to listen. By default, the port number is displayed as 49 and you cannot edit this field. Connection Timeout Number of minutes before the connection times out. Session Timeout Number of minutes before the session times out. Maximum Packet Size Maximum packet size (in bytes).
Chapter 18 Managing System Administration Configurations Configuring Global System Options Configuring PEAP Settings Use the PEAP Settings page to configure PEAP runtime characteristics. Select System Administration > Configuration > Global System Options > PEAP Settings.
Chapter 18 Managing System Administration Configurations Configuring RSA SecurID Prompts Generating EAP-FAST PAC Use the EAP-FAST Generate PAC page to generate a user or machine PAC. Step 1 Select System Administration > Configuration > Global System Options > EAP-FAST > Generate PAC. The Generate PAC page appears as described in Table 18-5: Table 18-5 Generate PAC Option Description Tunnel PAC Select to generate a tunnel PAC. Machine PAC Select to generate a machine PAC.
Chapter 18 Managing System Administration Configurations Managing Dictionaries Table 18-6 RSA SecurID Prompts Page Option Description Accept System PIN Prompt Text string to accept the system-generated PIN. The default value is “ARE YOU PREPARED TO ACCEPT A SYSTEM-GENERATED PIN?”. For the two PIN entry prompts below, if the prompt contains the following strings, they will be substituted as follows: • {MIN_LENGTH}- will be replaced by the minimum PIN length configured for the RSA Realm.
Chapter 18 Managing System Administration Configurations Managing Dictionaries • RADIUS (RedCreek) • RADIUS (US Robotics) • TACACS+ To view and choose attributes from a protocol dictionary, select System Administration > Configuration > Dictionaries > Protocols; then choose a dictionary. The Dictionary page appears with a list of available attributes as shown in Table 18-7: Table 18-7 Protocols Dictionary Page Option Description Attribute Name of the attribute. ID (RADIUS only) The VSA ID.
Chapter 18 Managing System Administration Configurations Managing Dictionaries Table 18-8 RADIUS VSA - Create, Duplicate, Edit Page Option Description Attribute Name of the RADIUS VSA. Description (Optional) A brief description of the RADIUS VSA. Vendor ID ID of the RADIUS vendor. Attribute Prefix (Optional) Prefix that you want to prepend to the RADIUS attribute so that all attributes for the vendor start with the same prefix.
Chapter 18 Managing System Administration Configurations Managing Dictionaries Table 18-9 Creating, Duplicating, and Editing RADIUS Subattributes Option Description General Attribute Name of the subattribute. The name must be unique. Description (Optional) A brief description of the subattribute. RADIUS Configuration Vendor Attribute ID Enter the vendor ID field for the subattribute. This value must be unique for this vendor.
Chapter 18 Managing System Administration Configurations Managing Dictionaries Table 18-9 Creating, Duplicating, and Editing RADIUS Subattributes Option Description ID-Value (Optional) For the Enumeration attribute type only. • ID—Enter a number from 0 to 999. • Value—Enter a value for the ID. • Click Add to add this ID-Value pair to the ID-Value table. To edit, replace, and delete ID-Value pairs: • Select the ID-Value pair from the ID-Value table.
Chapter 18 Managing System Administration Configurations Managing Dictionaries Related Topic Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes, page 18-6 Configuring Identity Dictionaries This section contains the following topics: • Creating, Duplicating, and Editing an Internal User Identity Attribute, page 18-10 • Deleting an Internal User Identity Attribute, page 18-12 • Creating, Duplicating, and Editing an Internal Host Identity Attribute, page 18-13 • Creating, Duplicat
Chapter 18 Managing System Administration Configurations Managing Dictionaries Configuring Internal Identity Attributes Table 18-10 describes the fields in the internal identity attributes. Table 18-10 Identity Attribute Properties Page Option Description General Attribute Name of the attribute. Description Description of the attribute. Attribute Type Attribute Type (Optional) Use the drop-down list box to choose an attribute type.
Chapter 18 Managing System Administration Configurations Managing Dictionaries Table 18-10 Identity Attribute Properties Page (continued) Option Description ID-Value (Optional) For the Enumeration attribute type only. • ID—Enter a number from 0 to 999. • Value—Enter a value for the ID. • Click Add to add this ID-Value pair to the ID-Value table. To edit, replace, and delete ID-Value pairs: • Select the ID-Value pair from the ID-Value table. • Click Edit to edit the ID and Value fields.
Creating, Duplicating, and Editing an Internal Host Identity Attribute
To create, duplicate, or edit an internal host identity attribute:
Step 1 Select System Administration > Configuration > Dictionaries > Identity > Internal Hosts. The Attributes list for the Internal Hosts page appears.
Step 2 Do one of the following:
• Click Create.
Adding a Static IP Address to Users in the Internal Identity Store
To add a static IP address to a user in the internal identity store:
Step 1 Add a static IP attribute to the internal user attribute dictionary:
Step 2 Select System Administration > Configuration > Dictionaries > Identity > Internal Users.
Step 3 Click Create.
Step 4 Add the static IP attribute.
Table 18-11 Local Certificates Page
Friendly Name: Name that is associated with the certificate.
Issued To: Entity to which the certificate is issued. The name that appears is taken from the certificate subject.
Issued By: Trusted party that issued the certificate.
Valid From: Date from which the certificate is valid.
Valid To (Expiration): Date until which the certificate is valid.
Table 18-13 Import Server Certificate Page
Certificate File: Select to browse the client machine for the local certificate file.
Private Key File: Select to browse to the location of the private key file.
Private Key Password: Enter the private key password. The value may have a minimum length of 0 and a maximum length of 256 characters.
Table 18-14 Generate Self Signed Certificate
Management Interface: Check to associate the certificate with the management interface.
Override Policy, Replace Certificate: Check to replace the content of an existing certificate with the one that you import, but retain the existing protocol selections.
Step 4 Click Finish. The new certificate is saved.
Step 1 Select System Administration > Configurations > Local Server Certificates > Local Certificates > Add.
Step 2 Select Bind CA Signed Certificate > Next.
Table 18-17 Edit Certificate Store Properties Page (continued)
Issued By: Display only. The certification authority that issued the certificate.
Valid From: Display only. The start date of the certificate’s validity. An X.509 certificate is valid only from the start date to the end date (inclusive).
Valid To (Expiration): Display only. The last date of the certificate’s validity.
Exporting Certificates
To export a certificate:
Step 1 Select System Administration > Configuration > Local Server Certificates > Local Certificates.
Step 2 Check the box next to the certificates that you want to export, then click Export. The Export Certificate dialog box appears.
Configuring Logs
Log records are generated for:
• Accounting messages
• AAA audit and diagnostics messages
• System diagnostics messages
• Administrative and operational audit messages
The messages are arranged in a tree hierarchy within the logging categories (see Configuring Logging Categories, page 18-24 for more information).
Step 3
• Remote Log Targets > Duplicate: “log_target”, where log_target is the name of the remote log target you selected in Step 2, if you are duplicating a remote log target.
• Remote Log Targets > Edit: “log_target”, where log_target is the name of the remote log target you selected in Step 2, if you are modifying a remote log target.
Deleting a Remote Log Target
To delete a remote log target:
Step 1 Select System Administration > Configuration > Log Configuration > Remote Log Targets. The Remote Log Targets page appears, with a list of configured remote log targets.
Step 2 Check one or more check boxes next to the remote log targets you want to delete.
Step 3 Click Delete.
Step 1 Select System Administration > Configuration > Log Configuration > Local Log Target. The Local Configuration page appears.
Step 2 Click Delete Logs Now to immediately delete all local log data files, except the log data in the currently active log data file. The Local Configuration page is refreshed.
Table 18-20 Global: General Page (continued)
Configure Local Setting for Category
Log to Local Target: Check to enable logging to the local target. For administrative and operational audit logging category types, logging to the local target is enabled by default and cannot be disabled.
Local Target is Critical: Usable for accounting and for AAA audit (passed authentication) logging category types only.
Table 18-22 lists a set of administrative and operational logs under various categories that are not logged to the local target.
Table 18-22 Administrative and Operational Logs Not Logged in the Local Target (continued)
Category: Software-Management, System-Management
Log and Description:
• ACS_UPGRADE—ACS upgraded
• ACS_PATCH—ACS patch installed
• UPGRADE_SCHEMA_CHANGE—ACS schema upgrade complete
• UPGRADE_DICTIONARY—ACS dictionary upgrade complete
• UPGRADE_DATA_MANIPULATION—ACS upgrade - data manipulation stage complete
• UPGRADE_AAC—ACS AAC
Viewing ADE-OS Logs
The logs listed in Table 18-22 are written to the ADE-OS logs. From the ACS CLI, you can use the following command to view the ADE-OS logs:
show logging system
This command lists all the ADE-OS logs; your output would be similar to the following example.
Sep 29 23:24:15 cd-acs5-13-179 sshd(pam_unix)[20013]: 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.77.137.
Sep 29 06:28:28 cd-acs5-13-103 MSGCAT58004/admin: ACS Stopped
Sep 29 06:31:41 cd-acs5-13-103 MSGCAT58037/admin: Installing ACS
Sep 29 09:52:35 cd-acs5-13-103 MSGCAT58007: Killing Tomcat 32729
Sep 29 09:52:46 cd-acs5-13-103 MSGCAT58004/admin: ACS Stopped
Sep 29 09:53:29 cd-acs5-13-103 MSGCAT58004/admin: ACS Starting
Sep 29 10:37:45 cd-acs5-13-103 MSGCAT58018/admin: [ACS-modify-migration-state] completed successfully - interface migra
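As an added example that is not part of the Cisco guide, the following Python parses ADE-OS lines in the layout of the show logging system output above and summarizes what an administrator auditing an ACS node looks for in them: ACS Stopped/ACS Starting transitions and repeated SSH authentication failures grouped by source host. The sample lines are constructed; the host names follow the excerpt and the rhost address 192.0.2.10 is a documentation address.

```python
"""Added example, not part of the Cisco guide: parse ADE-OS log lines in the
layout shown by 'show logging system' and summarize the events worth auditing."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the same layout as the guide's excerpt. Host names
# follow the excerpt; 192.0.2.10 is a documentation address, not a real peer.
SAMPLE_LOG = """\
Sep 29 06:28:28 cd-acs5-13-103 MSGCAT58004/admin: ACS Stopped
Sep 29 06:31:41 cd-acs5-13-103 MSGCAT58037/admin: Installing ACS
Sep 29 09:52:35 cd-acs5-13-103 MSGCAT58007: Killing Tomcat 32729
Sep 29 09:53:29 cd-acs5-13-103 MSGCAT58004/admin: ACS Starting
Sep 29 23:24:15 cd-acs5-13-179 sshd(pam_unix)[20013]: 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
Sep 29 23:24:20 cd-acs5-13-179 sshd(pam_unix)[20015]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=admin
not a log line
"""

# "Mon DD hh:mm:ss host source: message" -- the source is either an ACS
# MSGCAT code (optionally "/user") or a program name with PID, as in sshd lines.
_LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<source>[^:]+): (?P<message>.*)$"
)
_MSGCAT_RE = re.compile(r"^MSGCAT(?P<code>\d+)(?:/(?P<user>\w+))?$")
_RHOST_RE = re.compile(r"rhost=(\S+)")


@dataclass
class AdeOsEvent:
    timestamp: str
    host: str
    source: str
    msgcat: Optional[str]   # e.g. "58004" on the ACS Stopped / ACS Starting lines
    user: Optional[str]     # the "/admin" suffix, when present
    message: str


def parse_line(line: str) -> Optional[AdeOsEvent]:
    """Parse one ADE-OS line; return None for lines that do not fit the layout."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    source = m.group("source")
    mc = _MSGCAT_RE.match(source)
    return AdeOsEvent(
        timestamp=f"{m.group('month')} {m.group('day')} {m.group('time')}",
        host=m.group("host"),
        source=source,
        msgcat=mc.group("code") if mc else None,
        user=mc.group("user") if mc else None,
        message=m.group("message"),
    )


def summarize(log_text: str) -> Dict[str, object]:
    """Count sshd authentication failures per remote host and collect ACS
    lifecycle transitions (ACS Stopped / ACS Starting). Lines that do not parse
    are counted rather than silently dropped."""
    ssh_failures: Counter = Counter()
    lifecycle: List[Tuple[str, str, str]] = []
    unparsed = 0
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            unparsed += 1
            continue
        if ev.source.startswith("sshd") and "authentication failure" in ev.message:
            rm = _RHOST_RE.search(ev.message)
            ssh_failures[rm.group(1) if rm else "unknown"] += 1
        if ev.message in ("ACS Stopped", "ACS Starting"):
            lifecycle.append((ev.timestamp, ev.host, ev.message))
    return {"ssh_failures": dict(ssh_failures), "lifecycle": lifecycle,
            "unparsed": unparsed}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```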
Configuring Per-Instance Security and Log Settings
You can configure the severity level and local log settings in a logging category configuration for a specific overridden or custom ACS instance. Use this page to:
• View a tree of configured logging categories for a specific ACS instance.
• Open a page to configure a logging category’s severity level, log target, and logged attributes for a specific ACS instance.
Table 18-24 Per-Instance: General Page
Configure Log Category
Log Severity: Use the list box to select the severity level for diagnostic logging categories. (For audit and accounting categories, there is only one severity, NOTICE, which cannot be modified.) Valid options are:
• FATAL—Emergency. ACS is not usable and you must take action immediately.
• ERROR—Critical or error condition.
Table 18-25 Per-Instance: Remote Syslog Targets Page
Configure Syslog Targets
Available targets: List of available targets. You can select a target from this list and move it to the Selected Targets list.
Selected targets: List of selected targets. You can select a target from this list and move it to the Available Targets list to remove it from your configuration.
Configuring the Log Collector
Use the Log Collector page to select a log data collector and to suspend or resume log data transmission.
Step 1 Select System Administration > Configuration > Log Configuration > Log Collector. The Log Collector page appears.
Licensing Overview
To operate ACS, you must install a valid license. ACS prompts you to install a valid base license when you first access the web interface. Each ACS instance (primary or secondary) in a distributed deployment requires a unique base license.
Note Each server requires a unique base license in a distributed deployment.
Types of Licenses
Table 18-29 shows the ACS 5.3 license support:
Related Topics
• Licensing Overview, page 18-34
• Installing a License File, page 18-35
• Viewing the Base License, page 18-36
• Adding Deployment License Files, page 18-39
• Deleting Deployment License Files, page 18-40
Installing a License File
You can obtain a valid license file using the Product Activation Key (PAK) supplied with the product. To install a license file:
Step 1 Log into the ACS web interface.
Viewing the Base License
To upgrade the base license:
Step 1 Select System Administration > Configuration > Licensing > Base Server License. The Base Server License page appears with a description of the ACS deployment configuration and a list of the available deployment licenses. See Types of Licenses for a list of deployment licenses. Table 18-30 describes the fields in the Base Server License page.
Related Topic
• Upgrading the Base Server License, page 18-37
Upgrading the Base Server License
You can upgrade the base server license.
Step 1 Select System Administration > Configuration > Licensing > Base Server License. The Base Server License page appears with a description of the ACS deployment configuration and a list of the available deployment licenses. See Types of Licenses for a list of deployment licenses.
Viewing License Feature Options
You can add, upgrade, or delete existing deployment licenses. The configuration pane at the top of the page shows the deployment information. Select System Administration > Configuration > Licensing > Feature Options.
Adding Deployment License Files
To add a new base deployment license file:
Step 1 Select System Administration > Configuration > Licensing > Feature Options. The Feature Options page appears with a description of the ACS deployment configuration and a list of the available deployment licenses and their configurations. See Add-on Licenses in Types of Licenses for a list of deployment licenses.
Related Topics
• Licensing Overview, page 18-34
• Types of Licenses, page 18-34
• Installing a License File, page 18-35
• Viewing the Base License, page 18-36
• Deleting Deployment License Files, page 18-40
Deleting Deployment License Files
To delete deployment license files:
Step 1 Select System Administration > Configuration > Licensing > Feature Options.
Downloading Migration Utility Files
To download migration application files and the migration guide for ACS 5.3:
Step 1 Choose System Administration > Downloads > Migration Utility. The Migration from 4.x page appears.
Step 2 Click Migration application files to download the application file you want to use to run the migration utility.
To download these sample scripts:
Step 1 Choose System Administration > Downloads > Sample Python Scripts. The Sample Python Scripts page appears.
Step 2 Click one of the following:
• Python Script for Using the User Change Password Web Service—To download the sample script for the UCP web service.
CHAPTER 19 Understanding Logging
This chapter describes logging functionality in ACS 5.3. Administrators and users use the various management interfaces of ACS to perform different tasks. Using the administrative access control feature, you can assign permissions to administrators and users to perform different tasks. Apart from this, you also need a way to track the various actions performed by the administrators and users.
Using Log Targets
You can send log information to multiple consumers, or Log Targets, and specify whether the log messages are stored locally in text format or forwarded to syslog servers. By default, a single predefined local Log Target called Local Store stores data in text format on an ACS server and contains log messages from the local ACS server only. You can view records stored in the Local Store from the CLI.
Note For complex configuration items or attributes, such as policy or DACL contents, the new attribute value is reported as "New/Updated" and the audit does not contain the actual attribute value or values.
– ACS administrator access—Logs all events that occur from the moment an administrator accesses the system until the administrator logs out. It logs whether the administrator exits ACS with an explicit request or because the session has timed out.
Each log message contains the following information:
• Event code—A unique message code.
• Logging category—Identifies the category to which a log message belongs.
• Severity level—Identifies the level of severity for diagnostics. See Log Message Severity Levels, page 19-4 for more information.
• Message class—Identifies groups of messages of similar context, for example, RADIUS, policy, or EAP-related context.
Table 19-1 Log Message Severity Levels (ACS severity level: description; syslog severity level)
FATAL: Emergency. ACS is not usable and you must take action immediately. Syslog severity 1 (highest).
ERROR: Critical or error conditions. Syslog severity 3.
WARN: Normal, but significant condition. Syslog severity 4.
NOTICE: Audit and accounting messages. Messages of severity NOTICE are always sent to the configured log targets and are not filtered, regardless of the specified severity threshold.
Table 19-2 Local Store and Syslog Message Format
timestamp: Date of the message generation, according to the local clock of the originating ACS, in the format YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm. Possible values are:
• YYYY = Numeric representation of the year.
• MM = Numeric representation of the month. For single-digit months (1 to 9) a zero precedes the number.
• DD = Numeric representation of the day of the month.
You can use the web interface to configure the number of days to retain local store log files; however, the default setting is to purge data when it exceeds 5 MB or each day, whichever limit is reached first. If you configure more than one day of retention for local store files and the combined size of the files reaches 95000Mb, a FATAL message is sent to the system diagnostic log, and all logging to the local store is stopped until data is purged.
• When you configure a critical log target, and a message is sent to that critical log target, the message is also sent to the configured noncritical log target on a best-effort basis.
• When you configure a critical log target, and a message does not log to that critical log target, the message is also not sent to the configured noncritical log target.
Table 19-3 Remote Syslog Message Header Format
pri_num: Priority value of the message; a combination of the facility value and the severity value of the message. Priority value = (facility value * 8) + severity value.
The syslog message data or payload is the same as the Local Store Message Format, which is described in Table 19-2. The remote syslog server targets are identified by the facility code names LOCAL0 to LOCAL7 (LOCAL6 is the default logging location). Log messages that you assign to the remote syslog server are sent to the default location for Linux syslog (/var/log/messages); however, you can configure a different location on the server.
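As an added example, not code from the guide or from ACS, the following Python computes and decodes the pri_num value of Table 19-3 from the LOCAL0 to LOCAL7 facilities named above and the syslog severity numbers of Table 19-1, and parses the YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm timestamp of Table 19-2. The numeric code 16 for LOCAL0 comes from the syslog standard rather than the guide, and the sample line and the layout of its fields after the PRI are constructed.

```python
"""Added example, not from the Cisco guide: compute and decode the syslog
pri_num of Table 19-3 and parse the timestamp format of Table 19-2."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# ACS severity names and the syslog severity numbers Table 19-1 assigns them.
ACS_SEVERITY_TO_SYSLOG: Dict[str, int] = {"FATAL": 1, "ERROR": 3, "WARN": 4}
# Remote targets are LOCAL0..LOCAL7 (LOCAL6 by default). The numeric code of
# LOCAL0 (16) is from the syslog standard, not from the guide.
LOCAL_FACILITY_BASE = 16


def facility_code(name: str) -> int:
    """Map 'LOCAL0'..'LOCAL7' to the numeric syslog facility value."""
    m = re.fullmatch(r"LOCAL([0-7])", name.upper())
    if not m:
        raise ValueError(f"not a LOCALn facility: {name}")
    return LOCAL_FACILITY_BASE + int(m.group(1))


def pri_num(facility: int, severity: int) -> int:
    """Priority value = (facility value * 8) + severity value (Table 19-3)."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def split_pri(pri: int) -> Tuple[int, int]:
    """Inverse of pri_num: recover (facility, severity) from a PRI value."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


# YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm, with a colon (not a dot) before the
# millisecond field, exactly as Table 19-2 spells it out.
_TS_RE = re.compile(
    r"(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2}):(\d{3}) ([+-])(\d{2}):(\d{2})"
)


def parse_acs_timestamp(text: str) -> datetime:
    """Parse an ACS local-store/syslog timestamp into a timezone-aware datetime."""
    m = _TS_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"timestamp does not match Table 19-2 format: {text!r}")
    y, mo, d, h, mi, s, ms, sign, zh, zm = m.groups()
    offset = timedelta(hours=int(zh), minutes=int(zm))
    if sign == "-":
        offset = -offset
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s),
                    int(ms) * 1000, tzinfo=timezone(offset))


def decode_header(line: str) -> Dict[str, object]:
    """Decode a constructed line '<PRI>YYYY-MM-DD hh:mm:ss:xxx +zh:zm payload'.
    Only the PRI and timestamp fields, which the guide defines, are
    interpreted; the remainder is returned untouched as 'payload'."""
    m = re.match(r"<(\d{1,3})>(\S+ \S+ [+-]\d{2}:\d{2}) ?(.*)", line)
    if not m:
        raise ValueError("no <PRI> header found")
    facility, severity = split_pri(int(m.group(1)))
    when = parse_acs_timestamp(m.group(2))
    facility_name: Optional[str] = None
    if LOCAL_FACILITY_BASE <= facility <= LOCAL_FACILITY_BASE + 7:
        facility_name = f"LOCAL{facility - LOCAL_FACILITY_BASE}"
    acs_name = next((k for k, v in ACS_SEVERITY_TO_SYSLOG.items() if v == severity), None)
    return {
        "facility": facility,
        "facility_name": facility_name,
        "severity": severity,
        "acs_severity": acs_name,
        "timestamp_utc": when.astimezone(timezone.utc).isoformat(),
        "payload": m.group(3),
    }


if __name__ == "__main__":
    # Constructed sample: a FATAL diagnostic sent to the default LOCAL6 target,
    # so PRI = 22 * 8 + 1 = 177.
    print(decode_header("<177>2014-04-01 10:15:30:250 +05:30 constructed ACS payload"))
```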
The Monitoring & Report Viewer has two drawer options:
• Monitoring and Reports—Use this drawer to view and configure alarms, view log reports, and perform troubleshooting tasks.
• Monitoring Configuration—Use this drawer to view and configure logging operations and system settings.
ACS 4.x Versus ACS 5.3 Logging
If you are familiar with the logging functionality in ACS 4.x, ensure that you familiarize yourself with the logging functionality of ACS 5.3, which is considerably different. Table 19-4 describes the differences between the logging functionality of ACS 4.x and ACS 5.3.
Table 19-4 ACS 4.x vs. ACS 5.3 Logging Functionality
Columns: This logging function… / is handled this way in ACS 4.x… / and this way in ACS 5.3…
Log Types
Table 19-4 ACS 4.x vs. ACS 5.3 Logging Functionality (continued)
Configuration:
In ACS 4.x: Use the System Configuration > Logging page to define:
• Loggers and individual logs
• Critical loggers
• Remote logging
• CSV log file
• Syslog log
• ODBC log
In ACS 5.3: See Configuring Logs, page 18-21 and the CLI Reference Guide for the Cisco Secure Access Control System 5.3.
APPENDIX A AAA Protocols
This section contains the following topics:
• Typical Use Cases, page A-1
• Access Protocols—TACACS+ and RADIUS, page A-5
• Overview of TACACS+, page A-5
• Overview of RADIUS, page A-6
Typical Use Cases
This section contains the following topics:
• Device Administration (TACACS+), page A-1
• Network Access (RADIUS With and Without EAP), page A-2
Device Administration (TACACS+)
Figure A-1 shows the flows associated with device administration.
Session Access Requests (Device Administration [TACACS+])
Note The numbers refer to Figure A-1 on page A-1.
For a session request:
1. An administrator logs into a network device.
2. The network device sends a TACACS+ access request to ACS.
3. ACS uses an identity store to validate the user's credentials.
4. ACS sends a TACACS+ response to the network device, which applies the decision.
– EAP protocols that involve a TLS handshake and in which the client uses the ACS server certificate to perform server authentication:
PEAP, using one of the following inner methods: PEAP/EAP-MSCHAPv2 and PEAP/EAP-GTC
EAP-FAST, using one of the following inner methods: EAP-FAST/EAP-MSCHAPv2 and EAP-FAST/EAP-GTC
– EAP protocols that are fully certificate-based, in which the TLS handshake uses certificates for both server and client authentication: EAP-TLS
For mo
– EAP-FAST/EAP-MSCHAPv2
– EAP-FAST/EAP-GTC
• EAP methods that use certificates for both server and client authentication
– EAP-TLS
Whenever EAP is involved in the authentication process, it is preceded by an EAP negotiation phase to determine which specific EAP method (and inner method, if applicable) should be used. For all EAP authentications:
1. A host connects to a network device.
2. The network device sends an EAP Request to the host.
3.
Access Protocols—TACACS+ and RADIUS
This section contains the following topics:
• Overview of TACACS+, page A-5
• Overview of RADIUS, page A-6
ACS 5.3 can use the TACACS+ and RADIUS access protocols. Table A-1 compares the two protocols.
Table A-1 TACACS+ and RADIUS Protocol Comparison (point of comparison: TACACS+; RADIUS)
Transmission Protocol: TACACS+ uses TCP—Connection-oriented transport-layer protocol, reliable full-duplex data transmission.
Overview of RADIUS
This section contains the following topics:
• RADIUS VSAs, page A-6
• ACS 5.3 as the AAA Server, page A-7
• RADIUS Attribute Support in ACS 5.3, page A-8
• RADIUS Access Requests, page A-9
RADIUS is a client/server protocol through which remote access servers communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service.
ACS 5.3 as the AAA Server
A AAA server is a server program that handles user requests for access to computer resources and, for an enterprise, provides AAA services. The AAA server typically interacts with network access and gateway servers, and with databases and directories that contain user information. The current standard by which devices or applications communicate with an AAA server is RADIUS. ACS 5.
RADIUS Attribute Support in ACS 5.3
ACS 5.3 supports the RADIUS protocol as RFC 2865 describes. ACS 5.3 supports the following types of RADIUS attributes:
• IETF RADIUS attributes
• Generic and Cisco VSAs
• Other vendors’ attributes
ACS 5.3 also supports attributes defined in the following extensions to RADIUS:
Note
• Accounting-related attributes, as defined in RFC 2866.
• Support for Tunnel Protocol, as defined in RFCs 2867 and 2868.
Authentication
ACS supports various authentication protocols transported over RADIUS. The supported protocols that do not include EAP are:
• PAP
• CHAP
• MSCHAPv1
• MSCHAPv2
In addition, various EAP-based protocols can be transported over RADIUS, encapsulated within the RADIUS EAP-Message attribute. These can be further categorized by whether, and to what extent, they make use of certificates.
In RADIUS, authentication and authorization are coupled. If the RADIUS server finds that the username and password are correct, it returns an access-accept response that includes a list of attribute-value pairs describing the parameters to use for this session. This list of parameters sets the authorization rights for the user.
APPENDIX B Authentication in ACS 5.3
Authentication verifies user information to confirm the user's identity. Traditional authentication uses a name and a fixed password. More secure methods use cryptographic techniques, such as those used inside the Challenge Handshake Authentication Protocol (CHAP), OTP, and advanced EAP-based protocols. ACS supports a variety of these authentication methods. A fundamental implicit relationship exists between authentication and authorization.
This appendix describes the following:
• RADIUS-based authentication that does not include EAP:
– PAP, page B-2
– CHAP, page B-31
– MSCHAPv1
– EAP-MSCHAPv2, page B-30
• EAP family of protocols transported over RADIUS, which can be further classified as:
– Simple EAP protocols that do not use certificates:
EAP-MD5—For more information, see EAP-MD5, page B-5.
LEAP—For more information, see LEAP, page B-31.
RADIUS PAP Authentication
You can use different levels of security concurrently with ACS for different requirements. PAP applies a two-way handshaking procedure. If authentication succeeds, ACS returns an acknowledgement; otherwise, ACS terminates the connection or gives the originator another chance. The originator is in total control of the frequency and timing of the attempts.
In ACS 5.3, EAP is encapsulated in the RADIUS protocol. Incoming and outgoing EAP messages are stored in the RADIUS EAP-Message attribute (79). A single RADIUS packet can contain multiple EAP-Message attributes when the size of a particular EAP message is greater than the maximum RADIUS attribute data size (253 bytes). The RADIUS State attribute (24) stores the current EAP session reference information, and ACS stores the actual EAP session data.
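As an added example, not code from the Cisco guide or from ACS, this Python fragments an EAP packet across RADIUS EAP-Message (79) attributes of at most 253 data bytes, carries the State (24) attribute beside them, and reassembles the EAP packet while checking every attribute length and the EAP Length field, so a lost fragment is detected rather than passed on. The packet contents are constructed; the EAP type 13 used for the sample is the assigned EAP-TLS type, which the guide does not list.

```python
"""Added example (not from the Cisco guide): EAP over RADIUS fragmentation.
An EAP packet larger than 253 bytes is split across several EAP-Message (79)
attributes in one RADIUS packet; the State (24) attribute rides alongside."""
import struct
from typing import List, Tuple

EAP_MESSAGE = 79
STATE = 24
# A RADIUS attribute is Type(1) Length(1) Value; Length covers the header and
# is one byte, so at most 255 - 2 = 253 bytes of data fit in one attribute.
MAX_ATTR_DATA = 253


def encode_attr(attr_type: int, data: bytes) -> bytes:
    """Encode one RADIUS attribute TLV, refusing data that cannot fit."""
    if not 0 <= attr_type <= 255:
        raise ValueError("attribute type must fit in one byte")
    if len(data) > MAX_ATTR_DATA:
        raise ValueError("attribute data exceeds 253 bytes; fragment it first")
    return struct.pack("!BB", attr_type, len(data) + 2) + data


def fragment_eap(eap_packet: bytes, state: bytes = b"") -> bytes:
    """Build the attribute section of a RADIUS packet that carries one EAP
    packet, splitting it into consecutive EAP-Message attributes in order."""
    out = bytearray()
    for offset in range(0, len(eap_packet), MAX_ATTR_DATA):
        out += encode_attr(EAP_MESSAGE, eap_packet[offset:offset + MAX_ATTR_DATA])
    if state:
        out += encode_attr(STATE, state)
    return bytes(out)


def parse_attrs(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute section, rejecting truncated or malformed lengths."""
    attrs: List[Tuple[int, bytes]] = []
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError(f"bad attribute length {length} at offset {pos}")
        attrs.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return attrs


def reassemble_eap(blob: bytes) -> Tuple[bytes, bytes]:
    """Concatenate EAP-Message fragments in the order received and return
    (eap_packet, state). The EAP header's Length field must equal the total
    reassembled size, which catches a missing fragment."""
    eap = bytearray()
    state = b""
    for attr_type, data in parse_attrs(blob):
        if attr_type == EAP_MESSAGE:
            eap += data
        elif attr_type == STATE:
            state = data
    if len(eap) < 4:
        raise ValueError("EAP header incomplete")
    _code, _ident, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_len != len(eap):
        raise ValueError(f"EAP Length {eap_len} != {len(eap)} bytes reassembled")
    return bytes(eap), state


def build_eap_packet(code: int, ident: int, eap_type: int, type_data: bytes) -> bytes:
    """Construct an EAP Request/Response: Code, Identifier, Length, Type, data."""
    return struct.pack("!BBHB", code, ident, 5 + len(type_data), eap_type) + type_data


if __name__ == "__main__":
    # Constructed EAP-Request (code 1), type 13 (EAP-TLS), 601-byte type data:
    # 606 bytes in all, which needs three EAP-Message attributes.
    pkt = build_eap_packet(1, 7, 13, b"\x80" + b"A" * 600)
    blob = fragment_eap(pkt, state=b"\x01\x02\x03")
    print([(t, len(d)) for t, d in parse_attrs(blob)])  # [(79, 253), (79, 253), (79, 100), (24, 3)]
    assert reassemble_eap(blob) == (pkt, b"\x01\x02\x03")
```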
ACS supports the full EAP infrastructure, including EAP type negotiation, message sequencing, and message retransmission. All protocols support fragmentation of large messages. In ACS 5.3, you configure EAP methods for authentication as part of access service configuration. For more information about access services, see Chapter 3, “ACS 5.x Policy Model.”
EAP-MD5
This section contains the following topics:
• Overview of EAP-MD5, page B-5
• EAP-MD5 Flow in ACS 5.
Overview of EAP-TLS
EAP-TLS is one of the methods in the EAP authentication framework, and is based on the 802.1x and EAP architecture. The components involved in the 802.1x and EAP authentication process are:
• Host—The end entity, or end user’s machine.
• AAA client—The network access point.
• Authentication server—ACS.
• Using a third-party signature, usually from a CA, that verifies the information in a certificate. This third-party binding is similar to the real-world equivalent of the stamp on a passport. You trust the passport because you trust the preparation and identity-checking that the particular country’s passport office performed when creating that passport. You trust digital certificates by installing the root certificate of the signing CA.
An anonymous Diffie-Hellman tunnel is a completely anonymous tunnel between a client and a server for cases where neither peer authenticates itself. The ACS runtime supports anonymous Diffie-Hellman tunnels for EAP-FAST with a predefined prime and a predefined generator of two. No server authentication is conducted within anonymous Diffie-Hellman tunnel cipher suites.
Fixed Management Certificates
ACS generates and uses self-signed certificates to identify various management protocols such as the Web browser, HTTPS, ActiveMQ, SSH, and SFTP. Self-signed certificates are generated when ACS is installed and are maintained locally in files outside of the ACS database. You cannot modify or export these certificates. You can, however, assign imported certificates to management interfaces.
Importing the ACS Server Certificate
When you manually import an ACS server certificate, you must supply the certificate file, the private key file, and the private key password used to decrypt the PKCS#12 private key. The certificate, along with its private key and private-key password, is added to the Local Certificate store. For unencrypted private keys, the user-supplied password may be ignored. ACS supports PEM- or DER-formatted X.509 certificate files.
There are two types of certificate generation:
• Self-signed certificate generation—ACS supports generation of an X.509 certificate and a PKCS#12 private key. ACS automatically generates a strong passphrase to encrypt the private key in the PKCS#12 file, and the private key is hidden in the local certificate store.
Credentials Distribution
All certificates are kept in the ACS database, which is distributed and shared between all ACS nodes. ACS server certificates are associated with and designated for a specific node, which uses that specific certificate. Public certificates are distributed along with the private keys and the protected private-key passwords by using the ACS distribution mechanism.
Private Keys and Passwords Backup
The entire ACS database is distributed and backed up on the primary ACS, along with all the certificates, private keys, and the encrypted private-key passwords. The private-key-password key of the primary server is also backed up with the primary's backup. The private-key-password keys of secondary ACS servers are not backed up. Backups are encrypted and can therefore be moved in and out of ACS servers with relative safety.
Note All communication between the host and ACS goes through the network device.
EAP-TLS authentication fails if the:
• Server fails to verify the client’s certificate, and rejects EAP-TLS authentication.
• Client fails to verify the server’s certificate, and rejects EAP-TLS authentication.
Certificate validation fails if the:
– Certificate has expired.
– Server or client cannot find the certificate issuer.
– Signature check fails.
Overview of PEAP
PEAP is a client-server security architecture that you use to encrypt EAP transactions, thereby protecting the contents of EAP authentications. PEAP uses server-side public key certificates to authenticate the server. It then creates an encrypted SSL/TLS tunnel between the client and the authentication server.
Server Authenticated and Unauthenticated Tunnel Establishment Modes
Tunnel establishment helps prevent an attacker from injecting packets between the client and the network access server (NAS), or from forcing negotiation of a less secure EAP method. The encrypted TLS channel also helps prevent denial of service attacks against ACS.
PEAP Flow in ACS 5.3
The PEAP protocol allows authentication between ACS and the peer by using PKI-based secure tunnel establishment and the EAP-MSCHAPv2 protocol as the inner method inside the tunnel. The local certificate can be validated by the peer (server-authenticated mode) or not validated (server-unauthenticated mode).
Authenticating with MSCHAPv2
After the TLS tunnel is created, follow these steps to authenticate the wireless client credentials with MSCHAPv2:
1. ACS sends an EAP-Request/Identity message.
2.
3. ACS sends an EAP-Request/EAP-MSCHAPv2 challenge message that contains a challenge string.
4.
EAP-FAST is a client-server security architecture that encrypts EAP transactions with a TLS tunnel. While similar to PEAP in this respect, it differs significantly in that EAP-FAST tunnel establishment is based on strong secrets that are unique to users. These secrets are called Protected Access Credentials (PACs), which ACS generates by using a master key known only to ACS.
EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase one depends on the end-user client. If the end-user client does not send the real username in phase one, the username is protected. After phase one of EAP-FAST, all data is encrypted, including username information that is usually sent in clear text.
• ACS-Supported Features for PACs, page B-24
• Master Key Generation and PAC TTLs, page B-26
• EAP-FAST for Allow TLS Renegotiation, page B-26
About Master-Keys
EAP-FAST master-keys are strong secrets that ACS automatically generates and of which only ACS is aware. Master-keys are never sent to an end-user client. EAP-FAST requires master-keys for two purposes:
• PAC generation—ACS generates PACs by using the active master-key.
Provisioning Modes
ACS supports out-of-band and in-band provisioning modes. The in-band provisioning mode operates inside a TLS tunnel established with Anonymous DH, Authenticated DH, or RSA as the key agreement algorithm. To minimize the risk of exposing the user’s credentials, a clear-text password should not be used outside of the protected tunnel. Therefore, EAP-MSCHAPv2 or EAP-GTC is used to authenticate the user's credentials within the protected tunnel.
The various means by which an end-user client can receive PACs are:
• PAC provisioning—Required when an end-user client has no PAC. For more information about how master-key and PAC states determine whether PAC provisioning is required, see Master Key Generation and PAC TTLs, page B-26. The two supported means of PAC provisioning are:
– Automatic In-Band PAC Provisioning—Sends a PAC by using a secure network connection.
To control whether ACS performs Automatic In-Band PAC Provisioning, use the options on the Global System Options pages in the System Administration drawer. For more information, see EAP-FAST, page B-18.

Manual PAC Provisioning

Manual PAC provisioning requires an ACS administrator to generate PAC files, which must then be distributed to the applicable network users. Users must configure their end-user clients with their PAC files.
The proactive PAC update time is configured for the ACS server on the Allowed Protocols page. This mechanism ensures that the client always holds a valid PAC.

Note: There is no proactive PAC update for Machine and Authorization PACs.

Accept Peer on Authenticated Provisioning

The peer may be authenticated during the provisioning phase.
Master Key Generation and PAC TTLs

The values for master key generation and PAC TTLs determine their states, as described in About Master-Keys, page B-21 and Types of PACs, page B-22. Master key and PAC states determine whether someone requesting network access with EAP-FAST requires PAC provisioning or PAC refreshing.
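The interaction between master-key state, PAC TTL and the proactive PAC update window (described above and in the preceding section) can be illustrated with a small decision model. The following Python is an added example written for this page, not ACS code: the state names (active, retired, expired), the precedence of the checks, the `evaluate_pac` function and the rule that only tunnel PACs receive a proactive update are assumptions for illustration, not the table on page B-26, and the key identifiers and sample PACs are constructed.

```python
# Added illustration (not ACS code): a model of how master-key and PAC states
# could decide between accepting a PAC, refreshing it, and requiring PAC
# provisioning. State names, precedence and the proactive-update rule are
# assumptions for this example, not the table on page B-26 of the guide.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional


class MasterKeyState(Enum):
    ACTIVE = "active"    # the key the server currently uses to generate new PACs
    RETIRED = "retired"  # issues no new PACs, but existing PACs can still be unwrapped
    EXPIRED = "expired"  # forgotten by the server; PACs under it cannot be unwrapped


class Decision(Enum):
    ACCEPT = "accept"        # PAC is valid, no action needed
    REFRESH = "refresh"      # PAC still usable; issue a new one under the active key
    PROVISION = "provision"  # PAC unusable; in-band or manual provisioning required


@dataclass(frozen=True)
class MasterKey:
    key_id: bytes
    state: MasterKeyState


@dataclass(frozen=True)
class Pac:
    master_key_id: bytes      # identifies the master key that wrapped this PAC
    issued: datetime
    ttl: timedelta
    pac_type: str = "tunnel"  # "tunnel", "machine" or "authorization"


def evaluate_pac(pac: Pac,
                 known_keys: Dict[bytes, MasterKey],
                 now: datetime,
                 proactive_update: timedelta) -> Decision:
    """Return what the server should do with a presented PAC.

    Assumed precedence (hypothetical, for illustration):
      1. A PAC wrapped under an unknown or expired master key cannot be
         unwrapped, so the client is treated as having no PAC: provisioning.
      2. A PAC that unwraps but is past its TTL, or was issued under a retired
         key, is refreshed (a new PAC is issued under the active key).
      3. A tunnel PAC inside the proactive-update window is refreshed early so
         the client never reaches expiry; machine and authorization PACs are not.
    """
    key: Optional[MasterKey] = known_keys.get(pac.master_key_id)
    if key is None or key.state is MasterKeyState.EXPIRED:
        return Decision.PROVISION
    expires_at = pac.issued + pac.ttl
    if now >= expires_at or key.state is MasterKeyState.RETIRED:
        return Decision.REFRESH
    if pac.pac_type == "tunnel" and expires_at - now <= proactive_update:
        return Decision.REFRESH
    return Decision.ACCEPT


# Constructed sample data for the demonstration (key ids are placeholders).
NOW = datetime(2014, 4, 1, 12, 0, tzinfo=timezone.utc)
KEYS = {
    b"mk-active": MasterKey(b"mk-active", MasterKeyState.ACTIVE),
    b"mk-retired": MasterKey(b"mk-retired", MasterKeyState.RETIRED),
    b"mk-expired": MasterKey(b"mk-expired", MasterKeyState.EXPIRED),
}
PROACTIVE = timedelta(days=3)
WEEK = timedelta(days=7)

SAMPLE_PACS = {
    "fresh tunnel PAC": Pac(b"mk-active", NOW - timedelta(days=1), WEEK),
    "tunnel PAC near expiry": Pac(b"mk-active", NOW - timedelta(days=5), WEEK),
    "machine PAC near expiry": Pac(b"mk-active", NOW - timedelta(days=5), WEEK, "machine"),
    "PAC past its TTL": Pac(b"mk-active", NOW - timedelta(days=10), WEEK),
    "PAC under retired key": Pac(b"mk-retired", NOW - timedelta(days=1), WEEK),
    "PAC under expired key": Pac(b"mk-expired", NOW - timedelta(days=1), WEEK),
    "PAC from unknown key": Pac(b"mk-unknown", NOW - timedelta(days=1), WEEK),
}


def evaluate_samples() -> Dict[str, str]:
    """Evaluate every constructed sample PAC; returns sample name -> decision."""
    return {name: evaluate_pac(pac, KEYS, NOW, PROACTIVE).value
            for name, pac in SAMPLE_PACS.items()}


if __name__ == "__main__":
    for name, decision in evaluate_samples().items():
        print(f"{name:26s} -> {decision}")
```

The point the model makes explicit is that the master-key state is checked before the PAC TTL: a PAC that the server can no longer unwrap is indistinguishable from no PAC at all, so only provisioning can recover the client, whereas a PAC that still unwraps can be refreshed inside the existing authentication.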
To enable ACS to perform EAP-FAST authentication:
Step 1 Configure an identity store that supports EAP-FAST authentication. To determine which identity stores support EAP-FAST authentication, see Authentication Protocol and Identity Store Compatibility, page B-35. For information about configuring identity stores, see Chapter 8, “Managing Users and Identity Stores.”
Step 2 Determine master key generation and PAC TTL values.
This scheme improves security by reducing the amount of cryptographically sensitive material that is transmitted.
This section contains the following topics:
• Key Distribution Algorithm, page B-28
• EAP-FAST PAC-Opaque Packing and Unpacking, page B-28
• Revocation Method, page B-28
• PAC Migration from ACS 4.
PAC Migration from ACS 4.x

Although the configuration can be migrated from 4.x, the PACs themselves, which are stored only on supplicants, may have been issued by versions as far back as ACS 3.x. ACS 5.3 accepts PACs of all types according to migrated master-keys from versions 4.x onwards, and re-issues a new 5.0 PAC, similar to the proactive PAC update for EAP-FAST 5.0. When ACS 5.3 accepts a PAC from either ACS 3.x or 4.
EAP-MSCHAPv2

Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAP v2) provides two-way authentication, also known as mutual authentication. The remote access client receives verification that the remote access server it is dialing in to has access to the user's password.
This section contains the following topics:
• Overview of EAP-MSCHAPv2, page B-30
• EAP-MSCHAPv2 Flow in ACS 5.
Windows Machine Authentication Against AD

EAP-MSCHAPv2 can be used for machine authentication. EAP-MSCHAPv2 Windows machine authentication is the same as user authentication. The difference is that you must use the Active Directory of a Windows domain, because the machine password is generated automatically on both the machine and in AD as a function of time and other parameters. The password generated cannot be stored in other types of credential databases.
Rules Relating to Textual Attributes

ACS collects client certificate textual attributes and places them in the ACS context dictionary. ACS can apply any rule-based policy to these attributes, as it can to any other rule attributes in ACS.
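The mechanism described above, textual certificate attributes collected into a dictionary and then matched by rules, is illustrated below in an added Python example written for this page; it is not ACS code and does not reproduce the ACS context dictionary or its policy syntax. The attribute names come from the certificate subject, the operators (`equals`, `contains`, `starts_with`, `matches`) and the first-match rule table are assumptions for the example, and the sample subjects and outcomes are constructed.

```python
# Added illustration (not ACS code): parse the textual attributes of a client
# certificate subject into a dictionary and evaluate a first-match rule table
# over them. Operators, rule format and sample data are assumptions for this
# example, not ACS's context dictionary or policy syntax.
import re
from dataclasses import dataclass
from typing import Dict, List


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Split an RFC 4514-style DN string into attribute type -> list of values.

    Handles backslash-escaped commas and plus signs inside values, multi-valued
    RDNs (cn=a+uid=1) and repeated attribute types (several OU components).
    Types are upper-cased so that 'cn=' and 'CN=' compare equal.
    """
    attrs: Dict[str, List[str]] = {}
    for rdn in re.split(r"(?<!\\),", dn):
        for component in re.split(r"(?<!\\)\+", rdn):
            if "=" not in component:
                continue
            attr_type, value = component.split("=", 1)
            value = value.strip().replace("\\,", ",").replace("\\+", "+")
            attrs.setdefault(attr_type.strip().upper(), []).append(value)
    return attrs


@dataclass(frozen=True)
class Rule:
    attr: str       # certificate attribute type, e.g. "OU"
    operator: str   # "equals", "contains", "starts_with" or "matches" (regex)
    value: str
    result: str     # authorization outcome returned when the rule matches


def rule_matches(rule: Rule, attrs: Dict[str, List[str]]) -> bool:
    """A rule matches if any value of the named attribute satisfies the operator."""
    for v in attrs.get(rule.attr.upper(), []):
        if rule.operator == "equals" and v == rule.value:
            return True
        if rule.operator == "contains" and rule.value in v:
            return True
        if rule.operator == "starts_with" and v.startswith(rule.value):
            return True
        if rule.operator == "matches" and re.fullmatch(rule.value, v):
            return True
    return False


def evaluate_rules(subject_dn: str, rules: List[Rule], default: str = "Deny") -> str:
    """First-match evaluation: the first rule whose condition holds decides."""
    attrs = parse_dn(subject_dn)
    for rule in rules:
        if rule_matches(rule, attrs):
            return rule.result
    return default


# Constructed rule table and sample subjects (hypothetical names and outcomes).
RULES = [
    Rule("OU", "equals", "Contractors", "Restricted-Access"),
    Rule("OU", "contains", "Engineering", "Engineering-Access"),
    Rule("CN", "matches", r"[a-z0-9-]+\.corp\.example", "Device-Access"),
]

SAMPLE_SUBJECTS = {
    "engineer": "CN=alice,OU=Engineering,O=Example\\, Inc.,C=US",
    "contractor in engineering": "CN=bob,OU=Contractors,OU=Engineering,O=Example\\, Inc.,C=US",
    "device": "CN=switch-01.corp.example,O=Example\\, Inc.,C=US",
    "unknown": "CN=mallory,O=Other Org,C=US",
}


def evaluate_subjects() -> Dict[str, str]:
    """Evaluate every constructed sample subject; returns name -> outcome."""
    return {name: evaluate_rules(dn, RULES) for name, dn in SAMPLE_SUBJECTS.items()}


if __name__ == "__main__":
    for name, outcome in evaluate_subjects().items():
        print(f"{name:26s} -> {outcome}")
```

Two details matter for a rule table of this kind: attribute values can carry escaped delimiters and repeated types, so the parser must not split on a bare comma, and because evaluation stops at the first match, the more restrictive rule (the contractor rule here) has to come before the broader one or it never fires.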
• For automatic downloading, you define how long before the CRL file expires ACS should download it. The CRL expiration time is taken from the CRL nextUpdate field.
For both modes, if the download fails, you can define the amount of time that ACS waits before trying to download the CRL file again.
Note: Microsoft PEAP clients may also initiate machine authentication whenever a user logs off. This feature prepares the network connection for the next user login. Microsoft PEAP clients may also initiate machine authentication when a user shuts down or restarts the computer rather than just logging off.
ACS supports EAP-TLS, EAP-FAST, PEAP (EAP-MSCHAPv2), and PEAP (EAP-GTC) for machine authentication.
Authentication Protocol and Identity Store Compatibility

Table B-5 specifies EAP authentication protocol support.
APPENDIX C Open Source License Acknowledgments

See http://www.cisco.com/en/US/products/ps9911/products_licensing_information_listing.html for all the Open Source and Third Party Licenses used in Cisco Secure Access Control System, 5.3.

Notices

The following notices pertain to this software license.

OpenSSL/Open SSL Project

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.
6.

4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson (tjh@cryptsoft.com)”.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
GLOSSARY

A

AAA: Authentication, authorization, and accounting (AAA) is a framework for controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security. In IP-based networking, a system to control what computer resources users have access to and to keep track of the activity of users over a network.

accounting: The capability of ACS to record user sessions in a log file.

ACS System Administrators: Administrators with different access privileges defined under the System Configuration section of the ACS web interface. They administer and manage ACS deployments in your network.

ARP: Address Resolution Protocol. A protocol for mapping an Internet Protocol address to a physical machine address that is recognized in the local network.

authenticity: The validity and conformance of the original information.

authorization: The approval, permission, or empowerment for someone or something to do something.

authorization profile: The basic "permissions container" for a RADIUS-based network access service. The authorization profile is where you define all permissions to be granted for a network access request.

certificate-based authentication: The use of Secure Sockets Layer (SSL) and certificates to authenticate and encrypt HTTP traffic.

certificate: Digital representation of user or device attributes, including a public key, that is signed with an authoritative private key.

CGI: Common Gateway Interface. This mechanism is used by HTTP servers (web servers) to pass parameters to executable scripts in order to generate responses dynamically.

CHAP: Challenge-Handshake Authentication Protocol.

configuration management: The process of establishing a known baseline condition and managing it.

cookie: Data exchanged between an HTTP server and a browser (a client of the server) to store state information on the client side and retrieve it later for server use. An HTTP server, when sending data to a client, may send along a cookie, which the client retains after the HTTP connection closes.

D

daemon: A program that is often started when the system boots and runs continuously without intervention from any of the users on the system. The daemon program forwards requests to other programs (or processes) as appropriate. The term daemon is a Unix term, though many other operating systems provide support for daemons under other names; Windows, for example, refers to daemons as System Agents and services.

DES: Data Encryption Standard.

digital envelope: An encrypted message with the encrypted session key.

digital signature: A hash of a message that uniquely identifies the sender of the message and proves the message has not changed since transmission.

DSA: Digital Signature Algorithm. An asymmetric cryptographic algorithm that produces a digital signature in the form of a pair of large numbers.

dumpsec: A security tool that dumps a variety of information about a system's users, file system, registry, permissions, password policy, and services.

DLL: Dynamic Link Library. A collection of small programs, any of which can be called when needed by a larger program that is running in the computer. The small program that lets the larger program communicate with a specific device such as a printer or scanner is often packaged as a DLL program (usually referred to as a DLL file).

E

EAP: Extensible Authentication Protocol. A protocol for wireless networks that expands on the authentication methods used by PPP (Point-to-Point Protocol), a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication.

EAP-MD5: Extensible Authentication Protocol-Message Digest 5.

G

gateway: A network point that acts as an entrance to another network.

global system options: Configuring TACACS+, EAP-TTLS, PEAP, and EAP-FAST runtime characteristics and generating EAP-FAST PACs.

H

hash functions: Used to generate a one-way "checksum" for a larger text, which is not trivially reversed. The result of this hash function can be used to validate whether a larger file has been altered, without having to compare the larger files to each other.

I

I18N: Internationalization and localization are means of adapting software for non-native environments, especially other nations and cultures. Internationalization is the adaptation of products for potential use virtually everywhere, while localization is the addition of special features for use in a specific locale.

identity: Who someone or what something is; for example, the name by which something is known.

ISO: International Organization for Standardization, a voluntary, non-treaty, non-government organization, established in 1947, with voting members that are designated standards bodies of participating nations and non-voting observer organizations.

ISP: Internet Service Provider. A business or organization that provides consumers with access to the Internet and related services. In the past, most ISPs were run by the phone companies.

J

Java Runtime Environment.

M

MAC Address: A physical address; a numeric value that uniquely identifies a network device from every other device on the planet.

matchingRule (LDAP): The method by which an attribute is compared in a search operation. A matchingRule is an ASN.1 definition that usually contains an OID, a name (for example, caseIgnoreMatch [OID = 2.5.23.2]), and the data type it operates on (for example, DirectoryString).

MD5: A one-way cryptographic hash function.

P

PI (Programmatic Interface): The ACS PI is a programmatic interface that provides external applications the ability to communicate with ACS in order to configure and operate it; this includes performing the following operations on ACS objects: create, update, delete, and read.

policy condition: Rule-based single conditions that are based on policies, which are sets of rules used to evaluate an access request and return a decision.

R

RDN (LDAP): The Relative Distinguished Name (frequently but incorrectly written as Relatively Distinguished Name). The name given to an attribute (or attributes) that is unique at its level in the hierarchy. RDNs may be single-valued or multi-valued, in which case two or more attributes are combined using '+' (plus) to create the RDN, e.g. cn+uid.

S

Schema (LDAP): A package of attributes and object classes that are sometimes (nominally) related. The schema(s) in which the object classes and attributes that the application will use (reference) are packaged are identified to the LDAP server so that it can read and parse all that wonderful ASN.1 stuff. In OpenLDAP this is done using the slapd.conf file.

search (LDAP): An operation that is carried out by defining a base directory name (DN), a scope, and a search filter.

SOAP (Simple Object Access Protocol): A lightweight XML-based protocol for exchange of information in a decentralized, distributed environment. SOAP consists of three parts: an envelope that defines a framework for describing what is in a message and how to process it, a set of encoding rules for expressing instances of application-defined datatypes, and a convention for representing remote procedure calls and responses.

U

UDP: User Datagram Protocol. A communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP).

URL: Uniform Resource Locator. The unique address for a file that is accessible on the Internet.

user and identity store: A repository of users, user attributes, and user authentication options.

user authentication option: An option to enable or disable TACACS+ password authentication.

X

X.509: A standard for public key infrastructure. X.509 specifies, amongst other things, standard formats for public key certificates and a certification path validation algorithm.

XML (eXtensible Markup Language): XML is a flexible way to create common information formats and share both the format and the data on the World Wide Web, intranets, and elsewhere.