User Guide for Cisco Secure Access Control System 5.4
November 2013
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Contents Preface xxiii Audience xxiii Document Conventions xxiii Documentation Updates xxiv Related Documentation xxiv Obtaining Documentation and Submitting a Service Request xxv CHAPTER 1 Introducing ACS 5.4 1-1 Overview of ACS 1-1 ACS Distributed Deployment 1-2 ACS 4.x and 5.
Policy Terminology 3-3 Simple Policies 3-4 Rule-Based Policies 3-4 Types of Policies 3-5 Access Services 3-6 Identity Policy 3-9 Group Mapping Policy 3-11 Authorization Policy for Device Administration 3-11 Processing Rules with Multiple Command Sets 3-11 Exception Authorization Policy Rules 3-12 Service Selection Policy 3-12 Simple Service Selection 3-12 Rules-Based Service Selection 3-13 Access Services and Service Selection Scenarios First-Match Rule Tables 3-14 Policy Conditions 3-16 Policy Re
Agentless Network Access 4-12 Overview of Agentless Network Access 4-12 Host Lookup 4-13 Authentication with Call Check 4-14 Process Service-Type Call Check 4-15 PAP/EAP-MD5 Authentication 4-15 Agentless Network Access Flow 4-16 Adding a Host to an Internal Identity Store 4-17 Configuring an LDAP External Identity Store for Host Lookup 4-17 Configuring an Identity Group for Host Lookup Network Access Requests Creating an Access Service for Host Lookup 4-18 Configuring an Identity Policy for Host L
My Account Page 5-2 Login Banner 5-3 Using the Web Interface 5-3 Accessing the Web Interface 5-4 Logging In 5-4 Logging Out 5-5 Understanding the Web Interface 5-5 Web Interface Design 5-6 Navigation Pane 5-7 Content Area 5-8 Importing and Exporting ACS Objects through the Web Interface 5-18 Supported ACS Objects 5-18 Creating Import Files 5-21 Downloading the Template from the Web Interface 5-21 Understanding the CSV Templates 5-22 Creating the Import File 5-22 Common Errors 5-25 Concurrency C
Viewing and Performing Bulk Operations for Network Devices Exporting Network Devices and AAA Clients 7-7 Performing Bulk Operations for Network Resources and Users Exporting Network Resources and Users 7-10 Creating, Duplicating, and Editing Network Devices 7-10 Configuring Network Device and AAA Clients 7-11 Displaying Network Device Properties 7-14 Deleting Network Devices 7-17 Configuring a Default Network Device Working with OCSP Services 7-21 Creating, Duplicating, and Editing OCSP Servers D
Viewing and Performing Bulk Operations for Internal Identity Store Hosts 8-18 Management Hierarchy 8-19 Attributes of Management Hierarchy 8-19 Configuring AAA Devices for Management Hierarchy 8-19 Configuring Users or Hosts for Management Hierarchy 8-20 Configuring and Using UserIsInManagement Hierarchy Attribute 8-20 Configuring and Using HostIsInManagement Hierarchy Attributes 8-21 Managing External Identity Stores 8-22 LDAP Overview 8-22 Directory Service 8-23 Authentication Using LDAP 8-23 Mu
Configuring an AD Identity Store 8-49 Selecting an AD Group 8-53 Configuring AD Attributes 8-54 Configuring Machine Access Restrictions 8-56 RSA SecurID Server 8-57 Configuring RSA SecurID Agents 8-58 Creating and Editing RSA SecurID Token Servers 8-59 RADIUS Identity Stores 8-63 Supported Authentication Protocols 8-63 Failover 8-64 Password Prompt 8-64 User Group Mapping 8-64 Groups and Attributes Mapping 8-64 RADIUS Identity Store in Identity Sequence 8-65 Authentication Failure Messages 8-65 Us
Managing Authorizations and Permissions 9-17 Creating, Duplicating, and Editing Authorization Profiles for Network Access 9-18 Specifying Authorization Profiles 9-19 Specifying Common Attributes in Authorization Profiles 9-19 Specifying RADIUS Attributes in Authorization Profiles 9-22 Creating and Editing Security Groups 9-24 Creating, Duplicating, and Editing a Shell Profile for Device Administration 9-24 Defining General Shell Profile Properties 9-26 Defining Common Tasks 9-26 Defining Custom At
Configuring a Group Mapping Policy 10-27 Configuring Group Mapping Policy Rule Properties 10-29 Configuring a Session Authorization Policy for Network Access 10-30 Configuring Network Access Authorization Rule Properties 10-32 Configuring Device Administration Authorization Policies 10-33 Configuring Device Administration Authorization Rule Properties 10-34 Configuring Device Administration Authorization Exception Policies 10-34 Configuring Shell/Command Authorization Policies for Device Administr
Adding Tabs to the Dashboard 11-6 Adding Applications to Tabs 11-7 Renaming Tabs in the Dashboard 11-7 Changing the Dashboard Layout 11-8 Deleting Tabs from the Dashboard 11-8 CHAPTER 12 Managing Alarms 12-1 Understanding Alarms 12-1 Evaluating Alarm Thresholds 12-2 Notifying Users of Events 12-3 Viewing and Editing Alarms in Your Inbox 12-3 Understanding Alarm Schedules 12-9 Creating and Editing Alarm Schedules 12-9 Assigning Alarm Schedules to Thresholds 12-10 Deleting Alarm Schedules 12-
CHAPTER 13 Managing Reports 13-1 Working with Favorite Reports 13-3 Adding Reports to Your Favorites Page 13-3 Viewing Favorite-Report Parameters 13-4 Editing Favorite Reports 13-5 Running Favorite Reports 13-5 Deleting Reports from Favorites 13-6 Sharing Reports 13-6 Working with Catalog Reports 13-7 Available Reports in the Catalog 13-7 Running Catalog Reports 13-11 Deleting Catalog Reports 13-12 Running Named Reports 13-13 Understanding the Report_Name Page 13-14 Enabling RADIUS CoA Optio
Formatting String Data 13-33 Formatting Custom String Data 13-33 Formatting Date and Time 13-35 Formatting Custom Date and Time 13-35 Formatting Boolean Data 13-36 Applying Conditional Formats 13-37 Setting Conditional Formatting for Columns 13-38 Deleting Conditional Formatting 13-40 Setting and Removing Page Breaks in Detail Columns 13-40 Setting and Removing Page Breaks in a Group Column 13-41 Organizing Report Data 13-41 Displaying and Organizing Report Data 13-42 Reordering Columns in Interac
Hiding or Displaying Detail Rows in Groups or Sections 13-68 Working with Filters 13-69 Types of Filter Conditions 13-70 Setting Filter Values 13-71 Creating Filters 13-72 Modifying or Clearing a Filter 13-73 Creating a Filter with Multiple Conditions 13-73 Deleting One Filter Condition in a Filter that Contains Multiple Conditions 13-75 Filtering Highest or Lowest Values in Columns 13-75 Understanding Charts 13-76 Modifying Charts 13-77 Filtering Chart Data 13-77 Changing Chart Subtype 13-78 Ch
Viewing Scheduled Jobs 15-12 Viewing Process Status 15-14 Viewing Data Upgrade Status 15-15 Viewing Failure Reasons 15-15 Editing Failure Reasons 15-15 Specifying E-Mail Settings 15-16 Configuring SNMP Preferences 15-16 Understanding Collection Filters 15-17 Creating and Editing Collection Filters 15-17 Deleting Collection Filters 15-18 Configuring System Alarm Settings 15-18 Configuring Alarm Syslog Targets 15-18 Configuring Remote Database Settings 15-18 Changing the Port Number
Configuring Identity Policy Rule Properties 16-18 Administrator Authorization Policy 16-19 Configuring Administrator Authorization Policies 16-19 Configuring Administrator Authorization Rule Properties 16-20 Administrator Login Process 16-21 Resetting the Administrator Password 16-22 Changing the Administrator Password 16-22 Changing Your Own Administrator Password 16-22 Resetting Another Administrator’s Password 16-23 CHAPTER 17 Configuring System Operations 17-1 Understanding Distribute
Creating, Duplicating, Editing, and Deleting Software Repositories 17-24 Managing Software Repositories from the Web Interface and CLI 17-25 CHAPTER 18 Managing System Administration Configurations 18-1 Configuring Global System Options 18-1 Configuring TACACS+ Settings 18-1 Configuring EAP-TLS Settings 18-2 Configuring PEAP Settings 18-3 Configuring EAP-FAST Settings 18-3 Generating EAP-FAST PAC 18-4 Configuring RSA SecurID Prompts 18-4 Managing Dictionaries 18-5 Viewing RADIUS and TACACS+
Configuring Global Logging Categories 18-25 Configuring Per-Instance Logging Categories 18-29 Configuring Per-Instance Security and Log Settings 18-30 Configuring Per-Instance Remote Syslog Targets 18-31 Displaying Logging Categories 18-32 Configuring the Log Collector 18-33 Viewing the Log Message Catalog 18-33 Licensing Overview 18-34 Types of Licenses 18-34 Installing a License File 18-35 Viewing the Base License 18-36 Upgrading the Base Server License Viewing License Feature Options 18-38 Ad
Session Access Requests (Device Administration [TACACS+]) A-2 Command Authorization Requests A-2 Network Access (RADIUS With and Without EAP) A-2 RADIUS-Based Flow Without EAP Authentication A-3 RADIUS-Based Flows with EAP Authentication A-3 Access Protocols—TACACS+ and RADIUS A-5 Overview of TACACS+ A-5 Overview of RADIUS A-6 RADIUS VSAs A-6 ACS 5.4 as the AAA Server A-7 RADIUS Attribute Support in ACS 5.
Private Keys and Passwords Backup B-13 EAP-TLS Flow in ACS 5.4 B-13 PEAPv0/1 B-14 Overview of PEAP B-15 Supported PEAP Features B-15 PEAP Flow in ACS 5.4 B-17 Creating the TLS Tunnel B-18 Authenticating with MSCHAPv2 B-19 EAP-FAST B-19 Overview of EAP-FAST B-19 EAP-FAST Benefits B-21 EAP-FAST in ACS 5.
Authentication Protocol and Identity Store Compatibility B-36 APPENDIX C Open Source License Acknowledgements Notices C-1 OpenSSL/Open SSL Project License Issues C-1 C-1 C-1 C-3 GLOSSARY INDEX
Preface

Revised: November 13, 2013

This guide describes how to use Cisco Secure Access Control System (ACS) 5.4.

Audience

This guide is for security administrators who use ACS, and who set up and maintain network and application security.

Document Conventions

This guide uses the convention whereby the symbol ^ represents the key labeled Control. For example, the key combination ^z means hold down the Control key while you press the z key.
Caution: Means reader be careful. You are capable of doing something that might result in equipment damage or loss of data.

Timesaver: Means the described action saves time. You can save time by performing the action described in the paragraph.

Note: Means reader take note. Notes identify important information that you should reflect upon before continuing, contain helpful suggestions, or provide references to materials not contained in the document.
Table 2 Product Documentation

Document Title / Available Formats

Cisco Secure Access Control System In-Box Documentation and China ROHS Pointer Card: http://www.cisco.com/en/US/products/ps9911/products_licensing_information_listing.html

License and Documentation Guide for Cisco Secure Access Control System 5.4: http://www.cisco.com/en/US/products/ps9911/products_documentation_roadmaps_list.html

Release Notes for Cisco Secure Access Control System 5.4: http://www.cisco.
Chapter 1 Introducing ACS 5.4

This section contains the following topics:
• Overview of ACS, page 1-1
• ACS Distributed Deployment, page 1-2
• ACS Management Interfaces, page 1-3

Overview of ACS

ACS is a policy-based security server that provides standards-compliant Authentication, Authorization, and Accounting (AAA) services to your network. ACS facilitates the administrative management of Cisco and non-Cisco devices and applications.
ACS provides advanced monitoring, reporting, and troubleshooting tools that help you administer and manage your ACS deployments. For more information on the monitoring, reporting, and troubleshooting capabilities of ACS, see Chapter 11, “Monitoring and Reporting in ACS.” For more information about using ACS for device administration and network access scenarios, see Chapter 4, “Common Scenarios Using ACS.
ACS 4.x did not provide incremental replication, only full replication, and there was service downtime for replication. ACS 5.4 provides incremental replication with no service downtime. You can also force a full replication to the secondary instance if configuration changes do not replicate.
ACS Management Interfaces

• ACS Web-based Interface, page 1-4
• ACS Command Line Interface, page 1-4
• ACS Programmatic Interfaces, page 1-5

ACS Web-based Interface

You can use the ACS web-based interface to fully configure your ACS deployment, and perform monitoring and reporting operations. The web interface provides a consistent user experience, regardless of the particular area that you are configuring.
• Configuration—Use these commands to perform additional configuration tasks for the appliance server in an ADE-OS environment.

Note The CLI includes an option to reset the configuration that, when issued, resets all ACS configuration information, but retains the appliance settings such as network configuration.

For information about using the CLI, see the Command Line Interface Reference Guide for Cisco Secure Access Control System 5.4.
Chapter 2 Migrating from ACS 4.x to ACS 5.4

ACS 4.x stores policy and authentication information, such as TACACS+ command sets, in the user and user group records. In ACS 5.4, policy and authentication information are independent shared components that you use as building blocks when you configure policies. The most efficient way to make optimal use of the new policy model is to rebuild policies by using the building blocks, or policy elements, of the new policy model.
Overview of the Migration Process

The Migration utility completes the data migration process in two phases:
• Analysis and Export
• Import

In the Analysis and Export phase, you identify the objects that you want to export into 5.4. The Migration utility analyses the objects, consolidates the data, and exports it.
Note You must install the latest patch for the supported migration versions listed here. Also, if you have any other version of ACS 4.x installed, you must upgrade to one of the supported versions and install the latest patch for that version before you can migrate to ACS 5.4.

Before You Begin

Before you migrate data from ACS 4.x to ACS 5.4, ensure that you:
• Check for database corruption issues in the ACS 4.x source machine.
Functionality Mapping from ACS 4.x to ACS 5.4

In ACS 5.4, you define authorizations, shell profiles, attributes, and other policy elements as independent, reusable objects, and not as part of the user or group definition. Table 2-1 describes where you configure identities, network resources, and policy elements in ACS 5.4. Use this table to view and modify your migrated data identities. See Chapter 3, “ACS 5.
Table 2-1 Functionality Mapping from ACS 4.x to ACS 5.4 (continued)

To configure: Downloadable ACLs
In ACS 4.x, choose: Shared Profile Components
In ACS 5.4, choose: Policy Elements > Authorization and Permissions > Named Permission Objects > Downloadable ACLs
Additional information for 5.4: You can add downloadable ACLs (DACLs) to a network access authorization profile.
Migrating from ACS 3.x to ACS 5.4

If you have ACS 3.x deployed in your environment, you cannot directly migrate to ACS 5.4. You must do the following:

Step 1 Upgrade to a migration-supported version of ACS 4.x. See Supported Migration Versions, page 2-2 for a list of supported migration versions.

Step 2 Check the upgrade paths for ACS 3.x:
• For the ACS Solution Engine, see: http://www.cisco.
Step 3 Perform bulk import of data into ACS 5.4. For more information on performing bulk import of ACS objects, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/sdk/cli_imp_exp.html#wp1056244.

The data from your other AAA servers is now available in ACS 5.4.
Chapter 3 ACS 5.x Policy Model

ACS 5.x is a policy-based access control system. The term policy model in ACS 5.x refers to the presentation of policy elements, objects, and rules to the policy administrator. ACS 5.x uses a rule-based policy model instead of the group-based model used in the 4.x versions.

This section contains the following topics:
• Overview of the ACS 5.
For example, we use the information described for the group-based model:

If identity-condition, restriction-condition then authorization-profile

In ACS 5.4, you define conditions and results as global, shared objects. You define them once and then reference them when you create rules. ACS 5.4 uses the term policy elements for these shared objects, and they are the building blocks for creating rules.
Policy Terminology

Table 3-2 describes the rule-based policy terminology.

Table 3-2 Rule-Based Policy Terminology

Term: Access service
Description: Sequential set of policies used to process access requests. ACS 5.x allows you to define multiple access services to support multiple, independent, and isolated sets of policies on a single ACS system.
Simple Policies

You can configure all of your ACS policies as rule-based policies. However, in some cases, you can choose to configure a simple policy, which selects a single result to apply to all requests without conditions. For example, you can define a rule-based authentication policy with a set of rules for different conditions; or, if you want to use the internal database for all authentications, you can define a simple policy.
Types of Policies

Table 3-3 describes the types of policies that you can configure in ACS. The policies are listed in the order of their evaluation; any attributes that a policy retrieves can be used in any policy listed subsequently. The only exception is the identity group mapping policy, which uses only attributes from identity stores.
Access Services

Access services are fundamental constructs in ACS 5.x that allow you to configure access policies for users and devices that connect to the network and for network administrators who administer network devices. In ACS 5.x, authentication and authorization requests are processed by access services.
Table 3-5 describes an example of a set of access services.

Table 3-5 Access Service List
• Access Service A for Device Administration
• Access Service B for Access to 802.1X Agentless Hosts
• Access Service C for Access from 802.
ACS accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS and TACACS+ servers in ACS for ACS to forward requests to them. You can define the timeout period and the number of connection attempts.
ACS can simultaneously act as a proxy server to multiple external RADIUS and TACACS+ servers. For ACS to act as a proxy server, you must configure a RADIUS or TACACS+ proxy service in ACS. See Configuring General Access Service Properties, page 10-13 for information on how to configure a RADIUS proxy service. For more information on proxying RADIUS and TACACS+ requests, see RADIUS and TACACS+ Proxy Requests, page 4-29.
• Identity Sequence—Sequences of the identity databases. The sequence is used for authentication and, if specified, an additional sequence is used to retrieve only attributes. You can select multiple identity methods as the result of the identity policy. You define the identity methods in an identity sequence object, and the methods included within the sequence may be of any type.
Group Mapping Policy

The identity group mapping policy is a standard policy. Conditions can be based on attributes or groups retrieved from the external attribute stores only, or from certificates, and the result is an identity group within the identity group hierarchy. If the identity policy accesses the internal user or host identity store, then the identity group is set directly from the corresponding user or host record.
Related Topics
• Policy Terminology, page 3-3
• Authorization Profiles for Network Access, page 3-16

Exception Authorization Policy Rules

A common real-world problem is that, in day-to-day operations, you often need to grant policy waivers or policy exceptions. A specific user might need special access for a short period of time; or, a user might require some additional user permissions to cover for someone else who is on vacation.
Rules-Based Service Selection

In the rules-based service selection mode, ACS decides which access service to use based on various configurable options. Some of them are:
• AAA Protocol—The protocol used for the request, TACACS+ or RADIUS.
• Request Attributes—RADIUS or TACACS+ attributes in the request.
• Date and Time—The date and time ACS receives the request.
• Network Device Group—The network device group that the AAA client belongs to.
In this example, instead of creating the network access policy for 802.1x, agentless devices, and guest access in one access service, the policy is divided into three access services.

First-Match Rule Tables

ACS 5.4 provides policy decisions by using first-match rule tables to evaluate a set of rules. Rule tables contain conditions and results. Conditions can be either simple or compound.
Column: Status
Description: You can define the status of a rule as enabled, disabled, or monitored:
• Enabled—ACS evaluates an enabled rule, and when the rule conditions match the access request, ACS applies the rule result.
• Disabled—The rule appears in the rule table, but ACS skips this rule and does not evaluate it.
• Monitor Only—ACS evaluates a monitored rule.
Policy Conditions

You can define simple conditions in rule tables based on attributes in:
• Customizable conditions—You can create custom conditions based on protocol dictionaries and identity dictionaries that ACS knows about. You define custom conditions in a policy rule page; you cannot define them as separate condition objects.
You can define multiple authorization profiles as a network access policy result. In this way, you maintain a smaller number of authorization profiles, because you can use the authorization profiles in combination as rule results, rather than maintaining all the combinations themselves in individual profiles.
Related Topics
• Managing Users and Identity Stores, page 8-1
• Policy Terminology, page 3-3
• Types of Policies, page 3-5

Policies and Network Device Groups

You can reference network device groups (NDGs) as policy conditions. When ACS receives a request for a device, the NDGs associated with that device are retrieved and compared against those in the policy table.
Figure 3-2 illustrates what this policy rule table could look like.

Figure 3-2 Sample Rule-Based Policy

Each row in the policy table represents a single rule. Each rule, except for the last Default rule, contains two conditions, ID Group and Location, and a result, Authorization Profile. ID Group is an identity-based classification and Location is a nonidentity condition.
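The first-match evaluation and the Enabled / Disabled / Monitor Only statuses described under First-Match Rule Tables, applied to a table shaped like Figure 3-2 (ID Group and Location conditions, an Authorization Profile result, a trailing Default rule). This is an added example written for this page, not ACS code; the `-ANY-` wildcard, the rule and profile names, and the Monitor Only semantics (hit counted, result not applied, evaluation continues) are assumptions not stated on the page.

```python
"""First-match rule-table evaluation modelled on the ACS 5.x policy model.

Assumptions (not on the page): a Monitor Only rule that matches is counted as
a hit but neither returns its result nor stops evaluation, and a condition
value of -ANY- matches every request.
"""
from dataclasses import dataclass

ANY = "-ANY-"


@dataclass
class Rule:
    name: str
    status: str        # "Enabled", "Disabled" or "Monitor Only"
    conditions: dict   # e.g. {"ID Group": "Employees", "Location": "HQ"}
    result: str        # Authorization Profile name
    hit_count: int = 0


@dataclass
class RuleTable:
    rules: list
    default_result: str   # result of the trailing Default rule
    default_hits: int = 0

    def matches(self, rule: Rule, request: dict) -> bool:
        """Simple conditions: every condition must equal the request attribute
        (or be -ANY-)."""
        return all(v == ANY or request.get(k) == v
                   for k, v in rule.conditions.items())

    def evaluate(self, request: dict) -> tuple:
        """Return (result, rule_name) for the first matching Enabled rule,
        or the Default rule's result when nothing matches."""
        for rule in self.rules:
            if rule.status == "Disabled":
                continue            # listed in the table, never evaluated
            if not self.matches(rule, request):
                continue
            rule.hit_count += 1     # Enabled and Monitor Only rules both count hits
            if rule.status == "Monitor Only":
                continue            # result is not applied (assumption, see docstring)
            return rule.result, rule.name
        self.default_hits += 1
        return self.default_result, "Default"


def sample_table() -> RuleTable:
    """Constructed table in the shape of Figure 3-2 (names are made up)."""
    return RuleTable(
        rules=[
            Rule("Rule-1", "Enabled", {"ID Group": "Contractors", "Location": "HQ"}, "Contractor-HQ"),
            # Disabled: would match every employee, but is skipped entirely.
            Rule("Rule-2", "Disabled", {"ID Group": "Employees", "Location": ANY}, "Legacy-Full"),
            # Monitor Only: lets an operator see how often a new rule would fire.
            Rule("Rule-3", "Monitor Only", {"ID Group": "Employees", "Location": "Branch"}, "Employee-Branch-New"),
            Rule("Rule-4", "Enabled", {"ID Group": "Employees", "Location": ANY}, "Employee-Default"),
        ],
        default_result="DenyAccess",
    )


if __name__ == "__main__":
    table = sample_table()
    for req in ({"ID Group": "Contractors", "Location": "HQ"},
                {"ID Group": "Employees", "Location": "Branch"},
                {"ID Group": "Guests", "Location": "HQ"}):
        print(req, "->", table.evaluate(req))
    print("monitored rule hits:", table.rules[2].hit_count)
```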
Table 3-8
• Add users to the internal ACS identity store or add external identity stores. See Creating Internal Users, page 8-11, Managing Identity Attributes, page 8-7, or Creating External LDAP Identity Stores, page 8-26.
Related Topics
• Policy Terminology, page 3-3
• Policy Conditions, page 3-16
• Policy Results, page 3-16
• Policies and Identity Attributes, page 3-17
Chapter 4 Common Scenarios Using ACS

Network control refers to the process of controlling access to a network. Traditionally, a username and password were used to authenticate a user to a network. Nowadays, with rapid technological advancements, the traditional method of managing network access with a username and a password is no longer sufficient. The ways in which users can access the network and what they can access have changed considerably.
ACS organizes a sequence of independent policies into an access service, which is used to process an access request. You can create multiple access services to process different kinds of access requests; for example, for device administration or network access.
If a command is matched to a command set, the corresponding permit or deny setting for the command is retrieved. If multiple results are found in the rules that are matched, they are consolidated and a single permit or deny result for the command is returned, as described in these conditions:
• If an explicit deny-always setting exists in any command set, the command is denied.
Step 5 Configure an access service policy. See Access Service Policy Creation, page 10-4.

Step 6 Configure a service selection policy. See Service Selection Policy Creation, page 10-4.

Step 7 Configure an authorization policy (rule table). See Configuring a Session Authorization Policy for Network Access, page 10-30.

Command Authorization

This topic describes the flow for an administrator to issue a command to a network device.
TACACS+ Custom Services and Attributes

This topic describes the configuration flow to define TACACS+ custom attributes and services.

Step 1 Create a custom TACACS+ condition to move to TACACS+ service on request. To do this:
a. Go to Policy Elements > Session Conditions > Custom and click Create.
b. Create a custom TACACS+ condition. See Creating, Duplicating, and Editing a Custom Session Condition, page 9-5.
Note During password-based access (or certificate-based access), the user is not only authenticated but also authorized according to the ACS configuration. If the NAS sends accounting requests, the user is also accounted.
Password-Based Network Access Configuration Flow

This topic describes the end-to-end flow for password-based network access and lists the tasks that you must perform. The information about how to configure the tasks is located in the relevant task chapters.

To configure password-based network access:

Step 1 Configure network devices and AAA clients.
a.
Table 4-1 Network Access Authentication Protocols

Protocol: PEAP
Action: In the Allowed Protocols Page, choose PEAP. For the PEAP inner method, choose EAP-MSCHAPv2 or EAP-GTC or both.

Protocol: EAP-FAST
Action:
1. In the Allowed Protocols Page, choose Allow EAP-FAST to enable the EAP-FAST settings.
2. For the EAP-FAST inner method, choose EAP-MSCHAPv2 or EAP-GTC or both.
3.
Related Topics
• Authentication in ACS 5.
You can configure two types of certificates in ACS:
• Trust certificate—Also known as CA certificate. Used to form CTL trust hierarchy for verification of remote certificates.
• Local certificate—Also known as local server certificate. The client uses the local certificate with various protocols to authenticate the ACS server.
You can create custom conditions to use the certificate’s attributes as a policy condition. See Creating, Duplicating, and Editing a Custom Session Condition, page 9-5, for details.

Step 5 Create an access service. See Configuring Access Services, page 10-11, for more information.

Step 6 In the Allowed Protocols Page, choose EAP-TLS, or PEAP with EAP-TLS as the inner method.
A default Local Server Certificate is installed on ACS so that you can connect to ACS with your browser. The default certificate is a self-signed certificate and cannot be modified during installation.
The default security policy says that 802.1x authentication must succeed before access to the network is granted. Therefore, by default, non-802.1x-capable devices cannot get access to an 802.1x-protected network. Although many devices increasingly support 802.1x, there will always be devices that require network connectivity, but do not, or cannot, support 802.1x.
ACS supports host lookup for the following identity stores:
• Internal hosts
• External LDAP
• Internal users
• Active Directory

You can access the Active Directory via the LDAP API. You can use the Internal Users identity store for Host Lookup in cases where the relevant host is already listed in the Internal Users identity store, and you prefer not to move the data to the Internal Hosts identity store.
• Twelve consecutive hexadecimal digits without any separators—0123456789AB

If the Calling-Station-ID attribute is one of the four supported MAC address formats above, ACS copies it to the User-Name attribute with the format of XX-XX-XX-XX-XX-XX. If the MAC address is in a format other than one of the four above, ACS copies the string as is.
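The Calling-Station-ID to User-Name handling just described, as an added example in Python that is not ACS code. It goes beyond what survives on this page: only the twelve-digit form is listed here, so the hyphen-, colon- and dot-separated forms, the upper-casing of the result, and the constructed sample requests are assumptions.

```python
"""Derive the User-Name ACS uses for a host lookup from Calling-Station-ID.

Recognised MAC address formats are rewritten as XX-XX-XX-XX-XX-XX; any other
string is copied unchanged and reaches the identity store as-is.
The page lists only the twelve-digit form; the other three are assumed.
"""
import re

_HEX2 = r"[0-9A-Fa-f]{2}"
_HEX4 = r"[0-9A-Fa-f]{4}"
_MAC_FORMATS = [
    re.compile(r"^[0-9A-Fa-f]{12}$"),            # 0123456789AB      (on the page)
    re.compile(rf"^({_HEX2}-){{5}}{_HEX2}$"),     # 01-23-45-67-89-AB (assumed)
    re.compile(rf"^({_HEX2}:){{5}}{_HEX2}$"),     # 01:23:45:67:89:AB (assumed)
    re.compile(rf"^({_HEX4}\.){{2}}{_HEX4}$"),    # 0123.4567.89AB    (assumed)
]


def is_supported_mac(value: str) -> bool:
    """True when the string is in one of the supported MAC address formats."""
    return any(p.match(value) for p in _MAC_FORMATS)


def derive_user_name(calling_station_id: str) -> str:
    """Return the User-Name value for a host lookup request."""
    if is_supported_mac(calling_station_id):
        digits = re.sub(r"[-:.]", "", calling_station_id).upper()  # upper-casing assumed
        return "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    return calling_station_id  # unrecognised format: copied as is


# Constructed RADIUS requests, not captured traffic.
SAMPLE_REQUESTS = [
    {"Calling-Station-ID": "0123456789AB"},
    {"Calling-Station-ID": "01:23:45:67:89:ab"},
    {"Calling-Station-ID": "printer-7"},        # not a MAC: passes through unchanged
]


def normalize_requests(requests):
    """Annotate each request with the derived User-Name and whether it was
    recognised as a MAC address (useful when reviewing host lookup logs)."""
    rows = []
    for req in requests:
        csid = req["Calling-Station-ID"]
        rows.append({
            "Calling-Station-ID": csid,
            "User-Name": derive_user_name(csid),
            "normalized": is_supported_mac(csid),
        })
    return rows


if __name__ == "__main__":
    for row in normalize_requests(SAMPLE_REQUESTS):
        print(row)
```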
Agentless Network Access Flow

This topic describes the end-to-end flow for agentless network access and lists the tasks that you must perform. The information about how to configure the tasks is located in the relevant task chapters.

Perform these tasks in the order listed to configure agentless network access in ACS:

Step 1 Configure network devices and AAA clients.
Chapter 4 Common Scenarios Using ACS Agentless Network Access Step 7 Define the service selection. Step 8 Add the access service to your service selection policy. For more information, see Creating, Duplicating, and Editing Service Selection Rules, page 10-8.
Chapter 4 Common Scenarios Using ACS Agentless Network Access Previous Step: Network Devices and AAA Clients, page 7-5 Next Step: Configuring an Identity Group for Host Lookup Network Access Requests, page 4-18 Related Topics • Creating External LDAP Identity Stores, page 8-26 • Deleting External LDAP Identity Stores, page 8-33 Configuring an Identity Group for Host Lookup Network Access Requests To configure an identity group for Host Lookup network access requests: Step 1 Choose Users and Identi
c. Select Network Access, and check Identity and Authorization. The group mapping and External Policy options are optional. d. Make sure you select Process Host Lookup. If you want ACS to detect PAP or EAP-MD5 authentications for MAC addresses (see PAP/EAP-MD5 Authentication, page 4-15) and process them as Host Lookup requests (for example, MAB requests), complete the following steps: e.
Configuring an Authorization Policy for Host Lookup Requests To configure an authorization policy for Host Lookup requests: Step 1 Choose Access Policies > Access Services > Authorization. See Configuring a Session Authorization Policy for Network Access, page 10-30, for details. Step 2 Select Customize to customize the authorization policy conditions. A list of conditions appears.
Supported Authentication Protocols ACS 5.4 supports the following protocols for inner authentication inside the VPN tunnel: • RADIUS/PAP • RADIUS/CHAP • RADIUS/MS-CHAPv1 • RADIUS/MS-CHAPv2 With MS-CHAPv1 or MS-CHAPv2, ACS can generate the MPPE keys that are used to encrypt the tunnel that is created.
Supported VPN Network Access Servers ACS 5.4 supports the following VPN network access servers: • Cisco ASA 5500 Series • Cisco VPN 3000 Series Related Topics • VPN Remote Network Access, page 4-20 • Supported Authentication Protocols, page 4-21 • Supported Identity Stores, page 4-21 • Supported VPN Clients, page 4-22 • Configuring VPN Remote Access Service, page 4-22 Supported VPN Clients ACS 5.
Related Topics • VPN Remote Network Access, page 4-20 • Supported Authentication Protocols, page 4-21 • Supported Identity Stores, page 4-21 • Supported VPN Network Access Servers, page 4-22 • Supported VPN Clients, page 4-22 • Configuring VPN Remote Access Service, page 4-22 ACS and Cisco Security Group Access Note ACS requires an additional feature license to enable Security Group Access capabilities.
6. Configuring EAP-FAST Settings for Security Group Access. 7. Creating an Access Service for Security Group Access. 8. Creating an Endpoint Admission Control Policy. 9. Creating an Egress Policy. 10. Creating a Default Policy. Adding Devices for Security Group Access The RADIUS protocol requires a shared secret between the AAA client and the server.
Devices consider only the SGT value; the name and description of a security group are a management convenience and are not conveyed to the devices. Therefore, changing the name or description of the security group does not affect the generation ID of an SGT. To create a security group: Step 1 Choose Policy Elements > Authorizations and Permissions > Network Access > Security Groups and click Create.
To configure an NDAC policy for a device: Step 1 Choose Access Policies > Security Group Access Control > Security Group Access > Network Device Access > Authorization Policy. Step 2 Click Customize to select which conditions to use in the NDAC policy rules. The Default Rule provides a default rule when no rules match or there are no rules defined. The default security group tag for the Default Rule result is Unknown.
Step 7 Click Finish. Creating an Endpoint Admission Control Policy After you create a service, you configure the endpoint admission control policy. The endpoint admission control policy returns an SGT to the endpoint and an authorization profile. You can create multiple policies and configure the Default Rule policy. The defaults are Deny Access and the Unknown security group.
Initially, the matrix contains the cell for the unknown source and unknown destination SG. Unknown refers to the preconfigured SG, which is not modifiable. When you add an SG, ACS adds a new row and new column to the matrix with empty content for the newly added cell. To add an Egress policy and populate the Egress matrix: Step 1 Choose Access Policies > Security Group Access Control > Egress Policy. The Egress matrix is visible.
RADIUS and TACACS+ Proxy Requests You can use ACS to act as a proxy server that receives authentication RADIUS requests and authentication and authorization TACACS+ requests from a network access server (NAS) and forwards them to a remote server. ACS then receives the replies for each forwarded request from the remote RADIUS or TACACS+ server and sends them back to the client.
• TAC_PLUS_AUTHOR • TAC_PLUS_AUTHEN 4. Receives the following packets from the remote TACACS+ server and returns them back to the NAS: • TAC_PLUS_ACCT This behavior is configurable. An unresponsive external RADIUS server holds the request for about timeout × number of retries seconds before ACS fails over to the next server in the list. There can be several unresponsive servers in the list before the first responsive server is reached, so the delay the NAS sees is the sum of those per-server waits; size the NAS-side RADIUS timeout accordingly.
• Supported RADIUS Attributes, page 4-31 • Configuring Proxy Service, page 4-32 Supported RADIUS Attributes The following supported RADIUS attributes are encrypted: • User-Password • CHAP-Password • Message-Authenticator • MPPE-Send-Key and MPPE-Recv-Key • Tunnel-Password • LEAP Session Key Cisco AV-Pair TACACS+ Body Encryption When ACS receives a packet from NAS with encrypted body (flag TAC_PLUS_UNENCRYPTED_FLAG is 0x0
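Worked example, added here and not taken from the ACS guide or ACS itself: why the attributes listed above need special handling in a proxy. The User-Password is hidden with the NAS shared secret (RFC 2865 section 5.2) and the TACACS+ body is obfuscated with the NAS key (RFC 8907 section 4.5), so a proxy cannot forward either as-is; it must undo the NAS-side transform and reapply it with the remote server's secret. The secrets, authenticators and packet bytes below are constructed sample values; only the Python standard library is used.

```python
import hashlib
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- RADIUS User-Password hiding (RFC 2865, section 5.2) ----

def radius_password_hide(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Hide a cleartext User-Password under a shared secret and a 16-byte Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)      # NUL-pad to a 16-byte multiple
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        b_i = hashlib.md5(secret + prev).digest()               # b1 = MD5(S+RA), b_n = MD5(S+c_{n-1})
        prev = _xor(padded[i:i + 16], b_i)                      # c_n = p_n XOR b_n
        out += prev
    return bytes(out)


def radius_password_reveal(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of radius_password_hide; strips the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        b_i = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]                                 # next block is keyed by this ciphertext
        out += _xor(prev, b_i)
    return bytes(out).rstrip(b"\x00")


def radius_proxy_rekey_password(hidden, nas_secret, nas_authenticator, remote_secret, remote_authenticator):
    """Proxy step: unhide with the NAS secret, re-hide with the remote secret and the fresh
    Request Authenticator the proxy places in the forwarded Access-Request."""
    clear = radius_password_reveal(hidden, nas_secret, nas_authenticator)
    return radius_password_hide(clear, remote_secret, remote_authenticator)


# ---- TACACS+ body obfuscation (RFC 8907, section 4.5) ----

TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TACACS_HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def tacacs_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(..., MD5_{n-1}); concatenated."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_body_xor(header: bytes, body: bytes, key: bytes) -> bytes:
    """Obfuscate or de-obfuscate a body under key; XOR makes the operation its own inverse."""
    version, _ptype, seq_no, flags, session_id, length = TACACS_HEADER.unpack(header)
    if length != len(body):
        raise ValueError("header length field does not match body")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body                    # cleartext body: nothing to undo or apply
    return _xor(body, tacacs_pad(key, session_id, version, seq_no, length))


def tacacs_proxy_rekey_body(header: bytes, body: bytes, nas_key: bytes, remote_key: bytes) -> bytes:
    """Proxy step: strip the NAS pad, apply the remote server's pad; the header is forwarded unchanged."""
    return tacacs_body_xor(header, tacacs_body_xor(header, body, nas_key), remote_key)
```

The forwarded RADIUS packet also needs a fresh Request Authenticator and, where present, a Message-Authenticator recomputed with the remote secret; Tunnel-Password and the MPPE keys use salted variants of the same MD5 chain and are re-keyed the same way. On the TACACS+ side the header stays cleartext, which is why a proxy can re-key the body without parsing it.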
Configuring Proxy Service To configure proxy services: Step 1 Configure a set of remote RADIUS and TACACS+ servers. For information on how to configure remote servers, see Creating, Duplicating, and Editing External Proxy Servers, page 7-19. Step 2 Configure an External proxy service. For information on how to configure an External proxy service, see Configuring General Access Service Properties, page 10-13.
CH A P T E R 5 Understanding My Workspace The Cisco Secure ACS web interface is designed to be viewed using Microsoft Internet Explorer versions 6.x to 9.x and Mozilla Firefox versions 3.x to 10.x. The web interface not only makes viewing and administering ACS possible, but it also allows you to monitor and report on any event in the network. These reports track connection activity, show which users are currently logged in, list the failed authentication and authorization attempts, and so on.
Table 5-1 Welcome Page (continued) Field Description Initial System Setup Opens the Task Guide for initial system setup. This scenario guides you through the steps that are required to set up ACS for operation as needed; many steps are optional. Policy Setup Steps Opens the Task Guide for policy setup. This scenario guides you through the steps that are required to set up ACS policies.
Table 5-2 My Account Page Field Description General Read-only fields that display information about the currently logged-in administrator: • Administrator name • Description • E-mail address, if it is available Change Password Displays rules for password definition according to the password policy. To change your password: 1. In the Password field, enter your current password. 2. Assigned Roles
• Common Errors, page 5-25 • Accessibility, page 5-27 Accessing the Web Interface The ACS web interface is supported on HTTPS-enabled Microsoft Internet Explorer versions 6.x to 9.x and Mozilla Firefox versions 3.x to 10.x.
Note The license page only appears the first time that you log in to ACS. See Installing a License File, page 18-35 to install a valid license. Step 7 • If your login is successful, the main page of the ACS web interface appears. • If your login is unsuccessful, the following error message appears: Access Denied. Please contact your Security Administrator for assistance. The Username and Password fields are cleared.
Web Interface Design Figure 5-1 shows the overall design of the ACS web interface. Figure 5-1 ACS Web Interface The interface contains: • Header, page 5-6 • Navigation Pane, page 5-7 • Content Area, page 5-8 Header Use the header to: • Identify the current user (your username) • Access the online help • Log out • Access the About information, where you can find information about which ACS web interface version is installed.
Navigation Pane Use the navigation pane to navigate through the drawers of the web interface (see Figure 5-3). Figure 5-3 Navigation Pane Table 5-4 describes the function of each drawer. Table 5-4 Navigation Pane Drawers Drawer Function My Workspace Access the Task Guide and Welcome page with shortcuts to common tasks and links to more information. See Chapter 5, “Understanding My Workspace” for more information.
To hide the navigation pane and expand the content area, click the collapse arrow, which is centered vertically between the navigation pane and content area. Click the collapse arrow again to reveal the navigation pane. The options listed beneath drawers in the navigation pane are organized in a tree structure, where appropriate. The options in the tree structure are dynamic and can change based on administrator actions.
• Secondary Windows, page 5-13 • Rule Table Pages, page 5-16 Web Interface Location Your current location in the interface appears at the top of the content area. Figure 5-5 shows that the location is the Policy Elements drawer and the Network Devices and AAA Clients page.
Table 5-5 Common Content Area Buttons and Fields for List Pages Button or Field Description Rows per page Use the drop-down list to specify the number of items to display on this page. Options: • 10—Up to 10. • 25—Up to 25. • 50—Up to 50. • 100—Up to 100. Go Click to display the number of items you specify in the Rows per page field.
Table 5-5 Common Content Area Buttons and Fields for List Pages (continued) Button or Field Description Page num of n Enter the number of the page you want to display in the content area of the list page, where num is the page you want to display, then click Go. Not available for tree table pages. Direction arrows Click the arrows on the lower right side of the content area to access the first page, previous page, next page, or last page.
Filtering Large lists in a content area window or a secondary window (see Figure 5-9) can be difficult to navigate through and select the data that you want. You can use the web interface to filter data in these windows to reduce the data that appears in a list, based on criteria and conditions that you choose. Table 5-6 describes the filtering options. Note Not all filtering options are available in all fields.
For pages that do not have a Name or Description column, the sorting mechanism may be supported in the left-most column of the page, or the Description column. Place your cursor over a column heading to determine if sorting is available for a column. If sorting is available, the cursor turns into a hand and the text Click to sort appears.
Figure 5-9 Secondary Window In addition to selecting and filtering data, you can create a selectable object within a secondary window.
Figure 5-10 Transfer Box Table 5-7 Transfer Box Fields and Buttons Field or Button Description Available List of available items for selection. Selected Ordered list of selected items. Right arrow (>) Click to move one selected item from the Available list to the Selected list. Left arrow (<) Click to move one selected item from the Selected list to the Available list.
Schedule Boxes Schedule boxes are a common element in content area pages (see Figure 5-10). You use them to select active times for a policy element from a grid, where each row represents a day of the week and each square in a row represents an hour in a day. Click one square to make one hour active. Table 5-8 describes the Schedule box options.
Directly above the rule table are two display options: • Standard Policy—Click to display the standard policy rule table. • Exception Policy—Click to display the exception policy rule table, which takes precedence over the standard policy rule table content.
Related Topic • ACS 5.x Policy Model Importing and Exporting ACS Objects through the Web Interface You can use the import functionality in ACS to add, update, or delete multiple ACS objects at the same time. ACS uses a comma-separated values (CSV) file to perform these bulk operations. This .csv file is called an import file. ACS provides a separate .
Table 5-10 lists the ACS objects, their properties, and the property data types. The import template for each of the objects contains the properties described in this table. Note The limitations given in Table 5-10 apply only to internal database users and do not apply to external database (AD, LDAP, or RSA) users.
Table 5-10 ACS Objects – Property Names and Data Types (continued) Property Name Property Data Type KeywrapDisplayInHex (Optional) Boolean. Support TACACS (Required in create) Boolean. TACACS secret (Optional) String. Maximum length is 32 characters. Single connect (Optional) Boolean. Legacy TACACS (Optional) Boolean. Support SGA (Required in create) Boolean. SGA Identity (Optional) String.
For example, when fields that are related to a hierarchy are left blank, ACS assigns the value of the root node in the hierarchy. For network devices, if Security Group Access is enabled, all the related configuration fields are set to default values. Creating Import Files This section describes how to create the .csv file for performing bulk operations on ACS objects.
• NDG – Location—Network Resources > Network Device Groups > Location – Device Type—Network Resources > Network Device Groups > Device Type • Downloadable ACLs—Policy Elements > Authorization and Permissions > Named Permission Objects > Downloadable ACLs • Command Set—Policy Elements > Authorization and Permissions > Device Administration > Command Sets Follow the procedure described in this section t
Adding Records to the ACS Internal Store When you add records to the ACS internal store, you add the records to the existing list. This is an append operation, in which the records in the .csv file are added to the list that exists in ACS. To add internal user records to the Add template: Step 1 Download the internal user Add template.
Figure 5-13 Update Users–Import File Note The second column, Updated name, is the additional column that you can add to the Update template. Deleting Records from the ACS Internal Store You can use this option to delete a subset of records from the ACS internal store. The records that are present in the .csv file that you import are deleted from the ACS internal store.
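Worked example, added here and not part of the ACS guide: a pre-upload check for an Add, Update or Delete import file that enforces the constraints this section states for network devices (the "Required in create" Booleans, Boolean values, the 32-character TACACS secret limit, and the extra Updated name column an Update template carries). The column names are assumed for illustration; take the real ones from the template downloaded from the web interface. The CSV text is constructed sample input.

```python
import csv
import io

# Column names are assumed for illustration; use the headers from the downloaded template.
NAME_COLUMN = "Name"
UPDATE_EXTRA_COLUMN = "Updated name"          # present only in the Update template
REQUIRED_IN_CREATE = ("Support TACACS", "Support SGA")
BOOLEAN_COLUMNS = ("KeywrapDisplayInHex", "Support TACACS", "Single connect",
                   "Legacy TACACS", "Support SGA")
MAX_TACACS_SECRET = 32                        # Table 5-10: maximum length of TACACS secret


def validate_import(csv_text: str, operation: str) -> list:
    """Check an import file before uploading it. Returns a list of 'row N: problem' strings."""
    if operation not in ("add", "update", "delete"):
        raise ValueError("operation must be add, update or delete")
    reader = csv.DictReader(io.StringIO(csv_text))
    fields = reader.fieldnames or []
    problems = []
    if NAME_COLUMN not in fields:
        problems.append(f"header: missing {NAME_COLUMN!r} column")
        return problems
    if operation == "update" and UPDATE_EXTRA_COLUMN not in fields:
        problems.append(f"header: Update template needs the {UPDATE_EXTRA_COLUMN!r} column")
    for n, row in enumerate(reader, start=2):          # row 1 is the header line
        name = (row.get(NAME_COLUMN) or "").strip()
        if not name:
            problems.append(f"row {n}: {NAME_COLUMN} is empty")
        if operation == "delete":
            continue                                    # Delete removes every listed record; other columns unused
        for col in BOOLEAN_COLUMNS:
            val = (row.get(col) or "").strip().lower()
            if operation == "add" and col in REQUIRED_IN_CREATE and not val:
                problems.append(f"row {n}: {col} is required in create")
            elif val and val not in ("true", "false"):
                problems.append(f"row {n}: {col} must be true or false, got {val!r}")
        secret = row.get("TACACS secret") or ""
        if len(secret) > MAX_TACACS_SECRET:
            problems.append(f"row {n}: TACACS secret is {len(secret)} characters; maximum is {MAX_TACACS_SECRET}")
    return problems


# Constructed sample Add file: row 3 omits a required Boolean, row 4 has a non-Boolean
# value and a 34-character secret.
ADD_CSV = """Name,Description,Support TACACS,TACACS secret,Single connect,Legacy TACACS,Support SGA
sw-edge-1,Edge switch,true,tacacs-key-1,false,false,false
sw-edge-2,Edge switch,,,false,false,false
sw-edge-3,Edge switch,yes,0123456789012345678901234567890123,false,false,false
"""
```

Running the check locally is cheaper than discovering the same defects one at a time from the import error report, and the Delete branch makes the append-versus-delete semantics explicit: a Delete file is a list of keys, so every name in it is removed.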
Common Errors You might encounter these common errors: • Concurrency Conflict Errors, page 5-25 • Deletion Errors, page 5-26 • System Failure Errors, page 5-27 • Accessibility, page 5-27 Concurrency Conflict Errors Concurrency conflict errors occur when more than one user tries to update the same object. When you click Submit and the web interface detects an error, a dialog box appears, with an error message and an OK button.
Error Message The item you are trying to Submit is referencing items that do not exist anymore. Explanation You attempted to edit or duplicate an item that is referencing an item that another user deleted while you tried to submit your change. Recommended Action Click OK to close the error message and display the previous page, the Create page or the Edit page. Your attempted changes are not saved, nor do they appear in the page.
System Failure Errors System failure errors occur when a system malfunction is detected. When a system failure error is detected, a dialog box appears, with an error message and an OK button. Read the error message, click OK, and perform the recommended action. Possible error messages, explanations, and recommended actions are: Error Message The following System Failure occurred: description. Where description describes the specific malfunction.
• Color used as an enhancement of information only, not as the only indicator. For example, required fields are associated with a red asterisk. • Confirmation messages for important settings and actions. • User-controllable font, size, color, and contrast of the entire web interface. Keyboard and Mouse Features You can interact with the ACS 5.4 web interface by using the keyboard and the mouse to accomplish actions.
CH A P T E R 6 Post-Installation Configuration Tasks This chapter provides a set of configuration tasks that you must perform to work with ACS.
Configuring ACS to Perform System Administration Tasks Table 6-2 lists the set of system administration tasks that you must perform to administer ACS. Table 6-2 System Administration Tasks Step No. Task Drawer Refer to... Step 1 Install ACS license. System Administration > Configuration > Licensing Licensing Overview, page 18-34. Step 2 Install system certificates.
Table 6-2 System Administration Tasks (continued) Step No. Task Drawer Refer to... Step 8 Add users or hosts to the internal identity store, or define external identity stores, or both. Drawer: • For internal identity stores: Users and Identity Stores > Internal Identity Stores Refer to: • For internal identity stores: – Creating Internal Users, page 8-11.
Configuring ACS to Manage Access Policies Table 6-3 lists the set of tasks that you must perform to manage access restrictions and permissions. Table 6-3 Managing Access Policies Step No. Task Drawer Refer to... Step 1 Define policy conditions. Policy Elements > Session Conditions Managing Policy Conditions, page 9-1. Step 2 Define authorization and permissions.
Table 6-4 Monitoring and Troubleshooting Configuration (continued) Step No. Task Drawer Refer to... Step 4 Enable system alarms and specify how you would like to receive notification. Monitoring Configuration > System Configuration > System Alarm Settings Configuring System Alarm Settings, page 15-18. Step 5 Define schedules and create threshold alarms.
CH A P T E R 7 Managing Network Resources The Network Resources drawer defines elements within the network that issue requests to ACS or those that ACS interacts with as part of processing a request. This includes the network devices that issue the requests and external servers, such as a RADIUS server that is used as a RADIUS proxy. This drawer allows you to configure: • Network device groups—Logically groups the network devices, which you can then use in policy conditions.
Network Device Groups In ACS, you can define network device groups (NDGs), which are sets of devices. These NDGs provide logical grouping of devices, for example, Device Location or Type, which you can use in policy conditions. When ACS receives a request from a device, the network device groups associated with that device are retrieved and compared against those in the policy table.
Table 7-1 Device Groups - General Page Field Descriptions Description (Optional) Enter a description for the NDG. Root Node Name/Parent Enter the name of the root node associated with the NDG. The NDG is structured as an inverted tree, and the root node is at the top of the tree. The root node name can be the same as the NDG name. The NDG name is displayed when you click an NDG in the Network Resources drawer. Step 4 Click Submit.
Creating, Duplicating, and Editing Network Device Groups Within a Hierarchy You can arrange the network device group node hierarchy according to your needs by choosing parent and child relationships for new, duplicated, or edited network device group nodes. You can also delete network device group nodes from a hierarchy.
Deleting Network Device Groups from a Hierarchy To delete a network device group from within a hierarchy: Step 1 Choose Network Resources > Network Device Groups. The Network Device Groups page appears. Step 2 Click Location, Device Type, or another previously defined network device group in which you want to edit a network device group node. The Network Device Groups node hierarchy page appears.
You must install the Security Group Access license to enable the Security Group Access options; these options appear in the web interface only after the license is installed. For more information on Security Group Access licenses, see Licensing Overview, page 18-34. Viewing and Performing Bulk Operations for Network Devices You can view the network devices and AAA clients.
– Description – NDG Location – Device Type In the IP address search field, you can specify a full IP address, an IP address containing the wildcard “*”, or an IP address containing an octet range such as [15-20]. The wildcard “*” and a range such as [15-20] can be used in any of the four octets of the IP address. When you search by IP address, Equals is the only option listed in the search condition.
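Worked example, added here and not part of the ACS guide: a matcher for the IP address search syntax just described (full address, "*" wildcard, or an [lo-hi] range in any octet, compared with Equals only). The pattern grammar beyond what the page states, in particular that a range must satisfy lo ≤ hi within 0 to 255, is an assumption; the device inventory is constructed sample data.

```python
import ipaddress
import re

# One octet of a search pattern: '*', a decimal number, or '[lo-hi]'.
_OCTET = re.compile(r"^(?:\*|(\d{1,3})|\[(\d{1,3})-(\d{1,3})\])$")


def parse_ip_filter(pattern: str) -> list:
    """Turn '10.1.*.[15-20]' into four (low, high) octet ranges; reject malformed patterns."""
    parts = pattern.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"{pattern!r}: expected four dotted octets")
    ranges = []
    for part in parts:
        m = _OCTET.match(part)
        if not m:
            raise ValueError(f"{pattern!r}: bad octet {part!r}")
        if part == "*":
            lo, hi = 0, 255
        elif m.group(1) is not None:
            lo = hi = int(m.group(1))
        else:
            lo, hi = int(m.group(2)), int(m.group(3))
        if not 0 <= lo <= hi <= 255:           # assumed rule: ordered range inside one octet
            raise ValueError(f"{pattern!r}: range {part!r} is out of order or outside 0-255")
        ranges.append((lo, hi))
    return ranges


def ip_matches_filter(ip: str, pattern: str) -> bool:
    """Equals semantics: every octet of ip must fall inside the corresponding pattern octet."""
    octets = ipaddress.IPv4Address(ip).packed
    return all(lo <= o <= hi for o, (lo, hi) in zip(octets, parse_ip_filter(pattern)))


def filter_devices(devices: list, pattern: str) -> list:
    """Names of the devices whose IP satisfies the pattern, in inventory order."""
    return [d["name"] for d in devices if ip_matches_filter(d["ip"], pattern)]


# Constructed sample inventory (not from the guide).
SAMPLE_DEVICES = [
    {"name": "sw-edge-15", "ip": "10.1.7.15"},
    {"name": "sw-edge-20", "ip": "10.1.200.20"},
    {"name": "sw-edge-21", "ip": "10.1.7.21"},
    {"name": "rtr-branch", "ip": "10.2.7.15"},
]
```

Validating the pattern before matching matters because a silently accepted malformed pattern (for example a reversed range) would return an empty result that looks like "no such device" rather than "bad query", which is the wrong signal when you are auditing which devices hold a shared secret.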
Step 1 Choose Network Resources > Network Devices and AAA Clients. The Network Device page appears. Step 2 Choose the filter condition and the Match if operator, and enter the filter criterion that you are looking for in the text box. Step 3 Click Go. A list of records that match your filter criterion appears. You can export this list to a .csv file. Step 4 Click Export to export the records to a .csv file.
The Operation dialog box appears. Step 2 Click Next to download the .csv file template if you do not have it. Step 3 Click any one of the following operations if you have previously created a template-based .csv file on your local disk: • Add—Adds the records in the .csv file to the records currently available in ACS. • Update—Overwrites the records in ACS with the records from the .csv file. • Delete—Removes the records in the .
Exporting Network Resources and Users To export a list of network resources or users: Step 1 Click Export on the Users, Network Devices, or MAC Address page of the web interface. The Network Device page appears. Step 2 Choose the filter condition and the Match if operator, and enter the filter criterion that you are looking for in the text box. Step 3 Click Go. A list of records that match your filter criterion appears.
The first page of the Create Network Device process appears if you are creating a new network device. The Network Device Properties page for the selected device appears if you are duplicating or editing a network device. Step 3 Modify the fields as required. For field descriptions, see Configuring Network Device and AAA Clients, page 7-11. Step 4 Click Submit. Your new network device configuration is saved.
Table 7-4 Creating Network Devices and AAA Clients (continued) Option Description IP Range(s) By Mask Choose to enter an IP address range. You can configure up to 40 IP addresses or subnet masks for each network device. If you use a subnet mask in this field, all IP addresses within the specified subnet mask are permitted to access the network and are associated with the network device definition.
Table 7-4 Creating Network Devices and AAA Clients (continued) Option Description Single Connect Device Check to use a single TCP connection for all TACACS+ communication with the network device. Choose one: • Legacy TACACS+ Single Connect Support • TACACS+ Draft Compliant Single Connect Support If you disable this option, a new TCP connection is used for every TACACS+ request.
Table 7-4 Creating Network Devices and AAA Clients (continued) Option Description Download peer authorization policy every: Weeks Days Hours Minutes Seconds Specifies the expiry time for the peer authorization policy. ACS returns this information to the peer device in the response to a peer policy request. The default is 1 day. Download SGACL lists Specifies the expiry time for SGACL lists.
Table 7-5 Network Devices and AAA Clients Properties Page (continued) Option Description IP Range(s) By Mask Choose to enter an IP address range. You can configure up to 40 IP addresses or subnet masks for each network device. If you use a subnet mask in this field, all IP addresses within the specified subnet mask are permitted to access the network and are associated with the network device definition.
Table 7-5 Network Devices and AAA Clients Properties Page (continued) Option Description RADIUS Shared Secret Shared secret of the network device, if you have enabled the RADIUS protocol. CoA Port Sets the RADIUS Change of Authorization (CoA) port on this device that the session directory uses when it sends CoA requests for user sessions. The session directory can be launched from the Monitoring and Troubleshooting Viewer page. The default CoA port is 1700.
Table 7-5 Network Devices and AAA Clients Properties Page (continued) Option Description Download environment data every: Weeks Days Hours Minutes Seconds Specifies the expiry time for environment data. ACS returns this information to the device in the response to a request for environment data. The default is 1 day. Re-authentication every: Weeks Days Hours Minutes Seconds Specifies the dot1x (.1x) reauthentication period.
Choose Network Resources > Default Network Device to configure the default network device. The Default Network Device page appears, displaying the information described in Table 7-6. Table 7-6 Default Network Device Page Option Description Default Network Device The default device definition can optionally be used in cases where no specific device definition is found that matches a device IP address.
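Worked example, added here and not part of the ACS guide or ACS itself: how a request's source address is resolved to a network device definition, and therefore to the shared secret used to validate it, with the default network device as the fallback when no definition matches. It enforces the 40-entry limit from Tables 7-4 and 7-5. The most-specific-prefix tie-break for overlapping definitions is an assumption of this example; the inventory and secrets are constructed.

```python
import ipaddress

MAX_ENTRIES_PER_DEVICE = 40   # Tables 7-4/7-5: up to 40 IP addresses or subnet masks per device


class NetworkDevice:
    """A device definition: name, up to 40 IP entries (single IPs or CIDR subnets), protocol secrets."""

    def __init__(self, name, ip_entries=(), radius_secret=None, tacacs_secret=None):
        # strict=False lets '10.0.7.0/24' and a single '10.0.8.1' both become networks.
        self.networks = [ipaddress.ip_network(e, strict=False) for e in ip_entries]
        if len(self.networks) > MAX_ENTRIES_PER_DEVICE:
            raise ValueError(f"{name}: {len(self.networks)} IP entries exceeds {MAX_ENTRIES_PER_DEVICE}")
        self.name = name
        self.radius_secret = radius_secret
        self.tacacs_secret = tacacs_secret


def lookup_device(devices, src_ip, default_device=None):
    """Return the definition covering src_ip, else the default device (None if none is configured).

    When several definitions cover the address the most specific prefix wins; that tie-break is an
    assumption of this example, not something the guide states.
    """
    ip = ipaddress.ip_address(src_ip)
    best, best_len = None, -1
    for dev in devices:
        for net in dev.networks:
            if ip in net and net.prefixlen > best_len:
                best, best_len = dev, net.prefixlen
    return best if best is not None else default_device


def shared_secret_for(devices, src_ip, protocol, default_device=None):
    """Secret used to validate a request from src_ip; None means no definition (or no secret) applies."""
    dev = lookup_device(devices, src_ip, default_device)
    if dev is None:
        return None
    return {"radius": dev.radius_secret, "tacacs": dev.tacacs_secret}[protocol]


# Constructed inventory for illustration (not from the guide).
DEVICES = [
    NetworkDevice("sw-campus", ["10.0.0.0/16"], radius_secret="campus-radius"),
    NetworkDevice("sw-edge-7", ["10.0.7.0/24", "10.0.8.1"],
                  radius_secret="edge7-radius", tacacs_secret="edge7-tacacs"),
]
DEFAULT_DEVICE = NetworkDevice("default-device", radius_secret="default-radius")
```

A default network device is convenient, but it means any host that can reach the RADIUS port and knows the default secret is treated as a trusted AAA client; leave it unconfigured unless the environment needs it, and give it a secret distinct from every explicit definition.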
Table 7-6 Default Network Device Page (continued) Option Description Enable KeyWrap Check to enable the shared secret keys for RADIUS Key Wrap in PEAP, EAP-FAST and EAP-TLS authentications. Each key must be unique and be distinct from the RADIUS shared key. You can configure these shared keys for each AAA Client. Key Encryption Key (KEK) Used to encrypt the Pairwise Master Key (PMK).
Step 2 Do one of the following: • Click Create. • Check the check box next to the external proxy server that you want to duplicate, then click Duplicate. • Click the external proxy server name that you want to edit, or check the check box next to the name and click Edit. The External Proxy Servers page appears. Step 3 Edit fields in the External Proxy Servers page as shown in Table 7-7.
Note If you want ACS to forward unknown RADIUS attributes, you must define VSAs for the proxy. Related Topics • RADIUS and TACACS+ Proxy Services, page 3-7 • RADIUS and TACACS+ Proxy Requests, page 4-29 • Configuring General Access Service Properties, page 10-13 • Deleting External Proxy Servers, page 7-21 Deleting External Proxy Servers To delete an external proxy server: Step 1 Choose Network Resources > External Proxy Servers.
• Unknown—The certificate status is unknown. The status is unknown if the OCSP service is not configured to handle the CA that issued the certificate. In this case, the certificate is handled as an unknown certificate; that is, the validation process checks the Reject the request if no status flag.
Table 7-8 OCSP Servers Page Option Description Failback To Primary Server Enable this option to use the secondary server for the given amount of time when the primary is completely down. The time range is 1 to 999 minutes. Primary Server URL Enter the URL or the IP address of the primary server. Enable Nonce Extension Support Check this check box to use a nonce in the OCSP request. The nonce binds the response to this request, so a previously captured "good" response cannot be replayed to ACS after the certificate is revoked.
Table 7-8 OCSP Servers Page (continued)
Cache Entry Time To Live: Defines the interval after which a new OCSP request should be made. Enter the value in minutes. The default value is 300 minutes.
Clear Cache: Clears the cache of the selected OCSP service for all the associated Certificate Authorities.
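As an added example (not Cisco's code), the following model shows how the OCSP status handling and cache rules above fit together: Good and Revoked are definitive, Unknown is decided by the "Reject the request if no status" flag, and results are cached for the Cache Entry Time To Live (default 300 minutes). The class and method names, and caching of Unknown results, are assumptions.

```python
"""Added example (not Cisco's code): a model of the OCSP status decision and the
cache options in Table 7-8. Class and method names are assumptions."""
from enum import Enum


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # responder is not configured for the certificate's CA


DEFAULT_TTL_MINUTES = 300   # default Cache Entry Time To Live quoted in Table 7-8


class OcspValidator:
    def __init__(self, reject_if_no_status, cache_ttl_minutes=DEFAULT_TTL_MINUTES):
        self.reject_if_no_status = reject_if_no_status
        self.ttl_seconds = cache_ttl_minutes * 60
        # (issuer, serial) -> (status, time fetched). Unknown results are cached too (assumption).
        self._cache = {}

    def cached_status(self, issuer, serial, now):
        """Return the cached status if the entry is younger than the TTL, else None."""
        entry = self._cache.get((issuer, serial))
        if entry is not None and now - entry[1] < self.ttl_seconds:
            return entry[0]
        return None

    def lookup(self, issuer, serial, query_responder, now):
        """Ask the responder only when the cache holds no live entry.
        query_responder(issuer, serial) -> OcspStatus stands in for the real OCSP exchange."""
        status = self.cached_status(issuer, serial, now)
        if status is None:
            status = query_responder(issuer, serial)
            self._cache[(issuer, serial)] = (status, now)
        return status

    def accept(self, status):
        """Apply the rule from the status list: Unknown is rejected only when the flag is set."""
        if status is OcspStatus.GOOD:
            return True
        if status is OcspStatus.REVOKED:
            return False
        return not self.reject_if_no_status

    def validate(self, issuer, serial, query_responder, now):
        """Full decision for one certificate: cached or fresh status, then accept/reject."""
        return self.accept(self.lookup(issuer, serial, query_responder, now))

    def clear_cache(self):
        """Equivalent of the Clear Cache action: drop the entries for all CAs."""
        self._cache.clear()
```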
Chapter 8 Managing Users and Identity Stores
Overview
ACS manages your network devices and other ACS clients by using the ACS network resource repositories and identity stores. When a host connects to the network through ACS requesting access to a particular network resource, ACS authenticates the host and decides whether the host can communicate with the network resource. To authenticate and authorize a user or host, ACS uses the user definitions in identity stores.
Fixed components are:
• Name
• Description
• Password
• Enabled or disabled status
• Identity group to which users belong
Configurable components are:
• Enable password for TACACS+ authentication
• Sets of identity attributes that determine how the user definition is displayed and entered
Cisco recommends that you configure identity attributes before you create users.
Identity Stores with Two-Factor Authentication
You can use the RSA SecurID Token Server and RADIUS Identity Server to provide two-factor authentication. These external identity stores use a one-time password (OTP), which provides greater security.
Identity Sequences
You can configure a complex condition where multiple identity stores and profiles are used to process a request. You can define these identity methods in an Identity Sequence object. The identity methods within a sequence can be of any type. The identity sequence is made up of two components, one for authentication and the other for retrieving attributes.
• Authentication information
Note: ACS 5.4 supports authentication for internal users against the internal identity store only.
Identity Groups
You can assign each internal user to one identity group. Identity groups are defined within a hierarchical structure. They are logical entities that are associated with users, but do not contain data or attributes other than the name you give to them. You use identity groups within policy conditions to create logical groups of users to which the same policy results are applied.
Related Topics
• Managing Users and Identity Stores, page 8-1
• Managing Internal Identity Stores, page 8-4
• Performing Bulk Operations for Network Resources and Users, page 7-8
• Identity Groups, page 8-3
• Creating Identity Groups, page 8-6
• Deleting an Identity Group, page 8-7
Deleting an Identity Group
To delete an identity group:
Step 1 Select Users and Identity Stores > Identity Groups.
Standard Attributes
Table 8-1 describes the standard attributes in the internal user record.
Table 8-1 Standard Attributes
Username: ACS compares the username against the username in the authentication request. The comparison is case-insensitive.
Status:
• Enabled status indicates that the account is active.
• Disabled status indicates that authentications for the username will fail.
In ACS 5.4, you can configure identity attributes that are used within your policies, in this order:
1. Define an identity attribute (using the user dictionary).
2. Define custom conditions to be used in a policy.
3. Populate values for each user in the internal database.
4. Define rules based on this condition.
As you become more familiar with ACS 5.
Table 8-2 Password Complexity Tab (continued)
Password may not contain the username: Whether the password may contain the username or the reversed username.
Password may not contain ‘cisco’: Check to specify that the password cannot contain the word cisco.
Password may not contain: Check to specify that the password cannot contain the string that you enter.
Table 8-3 Advanced Tab
Password must be different from the previous n versions: Specifies the number of previous passwords for this user to be compared against. The number of previous passwords includes the default password as well. This option prevents users from setting a password that was recently used. Valid options are 1 to 99.
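As an added example (not Cisco's code), the following checker applies the rules from Tables 8-2 and 8-3 above to a candidate password. PasswordPolicy, check_password and the sample history are hypothetical, and the rules are applied case-insensitively here, which is an assumption.

```python
"""Added example (not Cisco's code): a checker for the internal-user password rules
in Tables 8-2 and 8-3. Names are hypothetical; case-insensitive matching is assumed."""
import hashlib
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    forbid_username: bool = True      # "Password may not contain the username" (also reversed)
    forbid_cisco: bool = True         # "Password may not contain 'cisco'"
    forbidden_string: str = ""        # "Password may not contain" free-text string; "" = off
    history_depth: int = 0            # "different from the previous n versions", 1 to 99; 0 = off


def _digest(password: str) -> str:
    """The history keeps only digests of earlier passwords, never the passwords themselves."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample history, oldest first: the default password counts as a previous version.
SAMPLE_HISTORY = [_digest(p) for p in ("Welcome1!", "Winter2012!", "Spring2013!")]


def check_password(password, username, policy, history):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    violations = []
    lowered = password.lower()

    if policy.forbid_username and username:
        user = username.lower()
        if user in lowered or user[::-1] in lowered:
            violations.append("contains the username or the reversed username")

    if policy.forbid_cisco and "cisco" in lowered:
        violations.append("contains 'cisco'")

    if policy.forbidden_string and policy.forbidden_string.lower() in lowered:
        violations.append(f"contains forbidden string {policy.forbidden_string!r}")

    if policy.history_depth:
        if not 1 <= policy.history_depth <= 99:
            raise ValueError("history depth must be between 1 and 99")
        # Compare against only the most recent n versions, as the option describes.
        if _digest(password) in history[-policy.history_depth:]:
            violations.append(f"matches one of the previous {policy.history_depth} passwords")

    return violations
```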
The Change Password page appears.
Step 3 Complete the fields as described in Table 8-4 to change the internal user password.
Table 8-4 Internal User - Change Password Page
Password Information
Password Type: Displays all configured external identity store names, along with Internal Users, which is the default password type. You can choose any one identity store from the list.
Table 8-5 Users and Identity Stores > Internal Identity Store > User Properties Page
General
Name: Username.
Status: Use the drop-down list box to select the status for the user:
• Enabled—Authentication requests for this user are allowed.
• Disabled—Authentication requests for this user fail.
Description: (Optional) Description of the user.
Table 8-5 Users and Identity Stores > Internal Identity Store > User Properties Page (continued)
User Information: If defined, this section displays additional identity attributes defined for user records.
ManagementHierarchy: The user’s assigned access level in the hierarchy. Enter the hierarchical level of the network devices that the user can access.
Deleting Users from Internal Identity Stores
To delete a user from an internal identity store:
Step 1 Select Users and Identity Stores > Internal Identity Store > Users.
The Internal Users page appears.
Step 2 Check one or more check boxes next to the users you want to delete.
Step 3 Click Delete.
The following message appears: Are you sure you want to delete the selected item/items?
Step 4 Click OK.
– Delete—Choose this option to delete the internal users listed in the import file from ACS. See Performing Bulk Operations for Network Resources and Users, page 7-8 for a detailed description of the bulk operations.
Table 8-6 Internal Hosts Properties Page (continued)
Identity Group: Enter an identity group with which to associate the MAC address, or click Select to display the Identity Groups window. Choose an identity group with which to associate the MAC address, then click OK.
MAC Host Information: Display only. Contains MAC host identity attribute information.
• Viewing and Performing Bulk Operations for Internal Identity Store Hosts, page 8-18
• Policies and Identity Attributes, page 3-17
• Configuring an Identity Group for Host Lookup Network Access Requests, page 4-18
Deleting Internal Hosts
To delete a MAC address:
Step 1 Select Users and Identity Stores > Internal Identity Stores > Hosts.
The Internal MAC List page appears, with any configured MAC addresses listed.
Related Topics
• Host Lookup, page 4-13
• Creating Hosts in Identity Stores, page 8-16
• Deleting Internal Hosts, page 8-18
• Policies and Identity Attributes, page 3-17
• Configuring an Identity Group for Host Lookup Network Access Requests, page 4-18
Management Hierarchy
Management Hierarchy enables the administrator to give access permission to the internal users or internal hosts according to their level of hierar
Configuring Users or Hosts for Management Hierarchy
A specific level of access is defined to represent the top-most node in the Management Hierarchy assigned to each user or host. This level is defined in the user’s “ManagementHierarchy” attribute. The total value length is limited to 256 characters. The administrator can configure any level of hierarchy while defining management centers or AAA client locations.
Step 8 After successfully creating the policy, try authenticating the user using the created policy. The user is authenticated only if the hierarchy defined for the user equals, or is contained in, the AAA client's hierarchy. You can view the logs to analyze the authentication results.
Related Topics
Configuring and Using HostIsInManagementHierarchy Attributes, page 8-21.
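As an added example (not Cisco's code), the following shows the Management Hierarchy check described above: a user or host may authenticate through an AAA client only if the level in its ManagementHierarchy attribute equals, or is an ancestor of, the client's location. The colon separator, case-insensitive node comparison and the function names are assumptions, and the sample clients are constructed.

```python
"""Added example (not Cisco's code) of the Management Hierarchy containment test.
Separator, case handling, function names and sample data are assumptions."""

MAX_VALUE_LENGTH = 256   # total value length limit quoted on the page
SEPARATOR = ":"          # assumed node separator, e.g. "All Locations:Europe:Paris"


def parse_hierarchy(value):
    """Split a hierarchy value into its nodes, rejecting over-long values and empty nodes."""
    if len(value) > MAX_VALUE_LENGTH:
        raise ValueError("hierarchy value exceeds 256 characters")
    nodes = [node.strip() for node in value.split(SEPARATOR)]
    if any(not node for node in nodes):
        raise ValueError("empty node in hierarchy value")
    return nodes


def is_in_management_hierarchy(subject_level, client_location):
    """Model of the UserIsInManagementHierarchy / HostIsInManagementHierarchy test:
    true when the subject's level equals the client's location or is a prefix of it.
    Whole nodes are compared, so "Eur" does not match "Europe"."""
    subject = [n.lower() for n in parse_hierarchy(subject_level)]
    client = [n.lower() for n in parse_hierarchy(client_location)]
    return subject == client[:len(subject)]


# Constructed sample AAA client locations (not from the page).
SAMPLE_CLIENTS = {
    "paris-sw1": "All Locations:Europe:Paris",
    "berlin-sw1": "All Locations:Europe:Berlin",
    "nyc-rtr1": "All Locations:Americas:New York",
}


def accessible_clients(subject_level, clients=SAMPLE_CLIENTS):
    """Names of the clients through which a subject at the given level may authenticate."""
    return sorted(name for name, location in clients.items()
                  if is_in_management_hierarchy(subject_level, location))
```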
Managing External Identity Stores
ACS 5.4 integrates with external identity systems in a number of ways. You can leverage an external authentication service, or use an external system to obtain the attributes needed to authenticate a principal, as well as to integrate those attributes into an ACS policy.
• Configuring LDAP Groups, page 8-33
• Viewing LDAP Attributes, page 8-34
Directory Service
The directory service is a software application, or a set of applications, for storing and organizing information about a computer network's users and network resources. You can use the directory service to manage user access to these resources. The LDAP directory service is based on a client-server model.
Failover
ACS 5.4 supports failover between a primary LDAP server and a secondary LDAP server. In the context of LDAP authentication with ACS, failover applies when an authentication request fails because ACS could not connect to an LDAP server; for example, when the server is down or is otherwise unreachable by ACS. To use this feature, you must define primary and secondary LDAP servers, and you must set failover settings.
Possible reasons for an LDAP server to return bind (authentication) errors are:
– Filtering errors—A search using filter criteria fails.
– Parameter errors—Invalid parameters were entered.
– User account is restricted (disabled, locked out, expired, password expired, and so on).
The following errors are logged as external resource errors, indicating a possible problem with the LDAP server:
• A connection error occurred.
• String
• Unsigned Integer 32
• IP Address—This can be either an IP version 4 (IPv4) or IP version 6 (IPv6) address.
For unsigned integer and IP address attributes, ACS converts the strings that it has retrieved to the corresponding data types. If conversion fails, or if no values are retrieved for the attributes, ACS logs a debug message but does not fail the authentication or the lookup process.
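As an added example (not Cisco's code), the following converts retrieved LDAP attribute strings to the three attribute types listed above, and handles conversion failures and missing values the way the paragraph describes: a debug log entry, and the lookup continues. The logger name, function names and the sample directory data are assumptions.

```python
"""Added example (not Cisco's code): converting LDAP attribute strings to the ACS
types String, Unsigned Integer 32 and IP Address. Names and sample data are assumptions."""
import ipaddress
import logging

log = logging.getLogger("ldap-attrs")   # hypothetical logger name

UINT32_MAX = 2 ** 32 - 1


def convert_value(type_name, raw):
    """Convert one retrieved string to the ACS type; raise ValueError on failure."""
    if type_name == "String":
        return raw
    if type_name == "Unsigned Integer 32":
        number = int(raw.strip(), 10)
        if not 0 <= number <= UINT32_MAX:
            raise ValueError(f"{number} is outside the unsigned 32-bit range")
        return number
    if type_name == "IP Address":
        return ipaddress.ip_address(raw.strip())   # accepts IPv4 or IPv6
    raise ValueError(f"unknown attribute type {type_name!r}")


def convert_attributes(schema, retrieved):
    """schema: {attribute: type name}; retrieved: {attribute: [string, ...]} from the directory.
    Returns {attribute: [converted values]}. A failed conversion or a missing value is logged
    at debug level and the attribute is left out; the lookup itself never fails."""
    result = {}
    for attr, type_name in schema.items():
        values = retrieved.get(attr) or []
        if not values:
            log.debug("no values retrieved for attribute %s", attr)
            continue
        converted = []
        for raw in values:
            try:
                converted.append(convert_value(type_name, raw))
            except ValueError as exc:
                log.debug("cannot convert %s=%r to %s: %s", attr, raw, type_name, exc)
        if converted:
            result[attr] = converted
    return result


# Constructed sample directory data (not from the page).
SAMPLE_SCHEMA = {
    "department": "String",
    "uidNumber": "Unsigned Integer 32",
    "vlanId": "Unsigned Integer 32",
    "mgmtAddress": "IP Address",
    "title": "String",
}
SAMPLE_RETRIEVED = {
    "department": ["Engineering"],
    "uidNumber": ["1001"],
    "vlanId": ["-5"],                       # conversion fails: negative
    "mgmtAddress": ["10.1.2.3", "fe80::1", "not-an-ip"],
    # "title" is absent: no values retrieved
}
```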
Step 4 Check the Enable Password Change option to modify the password, to detect password expiration, and to reset the password.
Step 5 Click Next.
Step 6 Continue with Configuring an External LDAP Server Connection, page 8-27.
Note: The NAC Guest Server can also be used as an external LDAP server. For the procedure to use the NAC Guest Server as an external LDAP server, see: http://www.cisco.
Table 8-7 LDAP: Server Connection Page (continued)
Anonymous Access: Click to ensure that searches on the LDAP directory occur anonymously. The server does not distinguish who the client is and allows the client read access to any data that is configured to be accessible to any unauthenticated client.
Table 8-7 LDAP: Server Connection Page (continued)
Admin DN: Enter the domain name of the administrator; that is, the LDAP account which, if bound to, permits searching for all required users under the User Directory Subtree and permits searching groups.
Table 8-8 LDAP: Directory Organization Page
Schema
Subject Object class: Value of the LDAP objectClass attribute that identifies the subject. Often, subject records have several values for the objectClass attribute, some of which are unique to the subject and some of which are shared with other object types. This box should contain a value that is not shared.
Table 8-8 LDAP: Directory Organization Page (continued)
Subjects In Groups Are Stored In Member Attribute As: Use the drop-down list box to indicate whether the subjects in groups are stored in member attributes as either:
• Username
• Distinguished name
Directory Structure
Subject Search Base: Enter the distinguished name (DN) for the subtree that contains all subjects. For example: o=corporation.
Table 8-8 LDAP: Directory Organization Page (continued)
Username Prefix\Suffix Stripping
Strip start of subject name up to the last occurrence of the separator: Enter the appropriate text to remove domain prefixes from usernames.
Related Topics
• Configuring LDAP Groups, page 8-33
• Deleting External LDAP Identity Stores, page 8-33
Deleting External LDAP Identity Stores
You can delete one or more external LDAP identity stores simultaneously.
To delete an external LDAP identity store:
Step 1 Select Users and Identity Stores > External Identity Stores > LDAP.
Viewing LDAP Attributes
Use this page to view the external LDAP attributes.
Step 1 Select Users and Identity Stores > External Identity Stores > LDAP.
Step 2 Check the check box next to the LDAP identity store whose attributes you want to view, click Edit, and then click the Directory Attributes tab.
This means the switch port to which these devices attach cannot authenticate them using the 802.1X exchange of device or user credentials and must revert to an authentication mechanism other than port-based authentication (typically endpoint MAC address-based) in order for them to connect to the network.
Figure 8-1 LDAP Interface Configuration in NAC Profiler
Step 5 Click Update Server.
Step 6 Click the Configuration tab and click Apply Changes.
The Update NAC Profiler Modules page appears.
Step 7 Click Update Modules to enable LDAP to be used by ACS.
You must enable the endpoint profiles that you want to authenticate against the Cisco NAC Profiler.
Step 2 Choose Configuration > Endpoint Profiles > View/Edit Profiles List.
A list of profiles appears in a table.
Step 3 Click the name of a profile to edit it.
Step 4 In the Save Profile page, ensure that the LDAP option is enabled by clicking the Yes radio button next to it, if it is not already enabled, as shown in Figure 8-2.
Figure 8-2 Configuring Endpoint Profiles in NAC Profiler
Step 5 Click Save Profile.
To edit the NAC Profiler template in ACS:
Step 1 Choose Users and Identity Stores > External Identity Stores > LDAP.
Step 2 Click the name of the NAC Profiler template, or check the check box next to the NAC Profiler template and click Edit.
The Edit NAC Profiler definition page appears as shown in Figure 8-3.
Figure 8-3 Edit NAC Profiler Definition - General Page
Step 3 Click the Server Connection tab.
Figure 8-5 Test Bind to Server Dialog Box
For more information, see Creating External LDAP Identity Stores, page 8-26.
Note: The default password for LDAP is GBSbeacon. If you want to change this password, refer to the Cisco NAC Profiler Installation and Configuration Guide at the following location: http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/311/p_ldap31.html#wp1057155.
Step 6
Figure 8-7 Test Configuration Dialog Box
Number of Subjects—This value maps to the actual subject devices already profiled by the Cisco NAC Profiler (actual devices enabled for Profiler). After the Profiler receives initial SNMP trap information from the switch, Profiler can poll the switch using SNMP to gather MIB (Management Information Base) information about the switch as well as the connecting endpoint.
Troubleshooting MAB Authentication with Profiler Integration
To troubleshoot MAB authentication while integrating with NAC Profiler, and to verify that the endpoint is successfully authenticated, complete the following steps:
Step 1 Run the following command on the switch that is connected to the endpoint devices:
ACCESS-Switch# show authentication sessions
The following output is displayed:
Interface Fa1/0/1 MAC Address Met
• Maximum password age is N days.
• Minimum password age is N days.
• Minimum password length is N characters.
• Password must meet complexity requirements.
AD uses the “Maximum password age is N days” rule to detect password expiry. All other rules are used during attempts to change a password.
Note: To prevent ACS from using outdated mappings, you should create new AD groups instead of changing or moving the existing ones. If you change or move the existing groups, you have to wait 24 hours and restart the ACS services to refresh all the cached data.
ACS 5.4 supports certificate authorization.
Machine authentication happens while a computer starts up or while a user logs in to a computer. Supplicants, such as Funk Odyssey, perform machine authentication periodically while the supplicant is running. If you enable machine authentication, ACS authenticates the computer before a user authentication request comes in. ACS checks the credentials provided by the computer against the Windows user database.
If the user has one of these limitations, the AD1::IdentityAccessRestricted attribute in the AD dedicated dictionary is set to indicate that the user has restricted access. You can use this attribute in group mapping and authorization rules.
Machine Access Restrictions
MAR helps tie the results of machine authentication to the user authentication and authorization process.
AD Group | Machine Authentication Required | … | ATZ profile
Engineers | Yes | … | VLAN X
Managers | No | … | VLAN B
… | … | … | DENY ACCESS
The Engineers' rule is an example of a MAR rule that allows engineers access only if their machine was successfully authenticated against the Windows DB. The Managers' rule is an example of an exemption from MAR.
Distributed MAR Cache
ACS 5.
The distributed search is performed based on the cache entry query attempts and cache entry query timeouts that are configured in the ACS web interface. The MAR entry search is also delayed until the first successful response from any of the queried ACS nodes, up to the maximum of the configured cache entry query timeout period.
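As an added example (not Cisco's code), the following evaluates the MAR rule table shown above as a first-match authorization policy against a machine-authentication cache, so the Engineers rule falls through to the default deny when the endpoint's machine was not authenticated, while the Managers rule is exempt. Keying the cache by endpoint MAC, the aging time and the function names are assumptions.

```python
"""Added example (not Cisco's code): first-match evaluation of the MAR rule table above
against a cache of successful machine authentications. Cache key and aging are assumptions."""
import time

DENY_ACCESS = "DENY ACCESS"


class MarCache:
    """Records successful machine authentications per endpoint MAC, with an aging time."""

    def __init__(self, aging_seconds):
        self.aging = aging_seconds
        self._entries = {}   # mac -> time of the machine authentication

    def record_machine_auth(self, mac, now=None):
        self._entries[mac.lower()] = time.time() if now is None else now

    def machine_authenticated(self, mac, now=None):
        """True while a cache entry for the MAC exists and has not aged out."""
        now = time.time() if now is None else now
        stamp = self._entries.get(mac.lower())
        return stamp is not None and now - stamp <= self.aging


# Rule table from the page: (AD group, machine authentication required, authorization profile).
RULES = [
    ("Engineers", True, "VLAN X"),
    ("Managers", False, "VLAN B"),
]


def authorize(user_groups, mac, cache, rules=RULES, now=None):
    """Return the authorization profile for the first matching rule, or DENY ACCESS.
    A rule with machine authentication required matches only when the endpoint passed
    machine authentication; otherwise evaluation continues with the next rule."""
    for group, mar_required, profile in rules:
        if group not in user_groups:
            continue
        if mar_required and not cache.machine_authenticated(mac, now):
            continue   # engineer on an unauthenticated machine: this rule does not match
        return profile
    return DENY_ACCESS
```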
Callback Options for Dial-In Users
If the callback option is enabled, the server calls the caller back during the connection process. The phone number that is used by the server is set either by the caller or by the network administrator. The possible callback options are:
• No callback
• Set by Caller (routing and remote access service only).
The callback number value is also returned in the RADIUS response, using the RADIUS attribute CallbackNumber (#19).
• If the callback option is Set by Caller, the RADIUS response contains the following attributes with no value:
– cisco-av-pair=lcp:callback-dialstring=
– cisco-av-pair=Shell:callback-dialstring=
– cisco-av-pair=Slip:callback-dialstring=
– cisco-av-pair=Arap:callback-dialstring=
Joining ACS to an AD Domain
In ACS 5.
Note: When you upgrade ACS to ACS 5.4 using the Reimaging and Upgrading an ACS Server method, if you restore a configuration in which AD is defined, you need to join ACS manually to the AD domain. See the Installation and Upgrade Guide for Cisco Secure Access Control System for more information on upgrade methods.
Note: When you upgrade ACS to ACS 5.
• Save Changes to save the configuration.
• Discard Changes to discard all changes.
• If AD is already configured and you want to delete it, click Clear Configuration after you verify the following:
– There are no policy rules that use custom conditions based on the AD dictionary.
– AD is not chosen as the identity source in any of the available access services.
– There are no identity store sequences with AD.
Table 8-11 Join/Test Connection Page
Active Directory Domain Name: Name of the AD domain to which you want to join ACS.
Username: Enter the username of a predefined AD user. An AD account, which is required for domain access in ACS, should have either of the following:
• Add workstations to the domain user in the corresponding domain.
Table 8-12 Leave Connection Page
Username: Enter the username of a predefined AD user. An AD account, which is required for domain access in ACS, should have either of the following:
• Add workstations to the domain user in the corresponding domain.
The Groups page appears. The Selected Directory Groups field lists the AD groups you selected and saved. The AD groups you selected in the External User Groups page are listed and can be available as options in group mapping conditions in rule tables. If you have more groups in other trusted domains or forests that are not displayed, you can use the search filter to narrow down your search results.
Table 8-13 Active Directory: Attributes Page
Name of example Subject to Select Attributes: Enter the name of a user or computer found on the joined domain. You can enter the user’s or the computer’s CN or distinguished name. The set of attributes that are displayed belong to the subject that you specify. The set of attributes is different for a user and a computer.
• If AD is already configured and you want to delete it, click Clear Configuration after you verify that there are no policy rules that use custom conditions based on the AD dictionary.
AD Deployments with Users Belonging to a Large Number of Groups
In ACS 5.3, when you move between AD domains, user authentications show a timeout error if the user belongs to a large number of groups (more than 50 groups). However, subsequent authentications of the same user, or of another user who belongs to the same group, work properly. This is due to the adclient.get.builtin.membership parameter in the ACS AD agent configuration.
Thus, when a correct token code is supplied together with a PIN, there is a high degree of certainty that the person is a valid user. Therefore, RSA SecurID servers provide a more reliable authentication mechanism than conventional reusable passwords.
Manually Intervene to Remove a Down RSA SecurID Server
When an RSA SecurID server is down, the automatic exclusion mechanism does not always work quickly. To speed up this process, you can remove the sdstatus.12 file from ACS.
Creating and Editing RSA SecurID Token Servers
ACS 5.4 supports RSA SecurID Token Servers for authenticating users, for the increased security that one-time passwords provide.
Step 5 Click the Advanced tab. See Configuring Advanced Options, page 8-62 for more information.
Step 6 Click Submit to create an RSA SecurID store.
The RSA SecurID Token Server page appears with the configured servers.
Editing ACS Instance Settings
You can edit the ACS instance settings to:
• Enable the RSA options file, page 8-61
• Reset Agent Files, page 8-61
Enable the RSA options file
You can enable the RSA options file (sdopts.rec) on each ACS instance to control routing priorities for connections between the RSA agent and the RSA servers in the realm. Table 8-17 describes the fields in the RSA Options File tab.
Step 1 Choose either of the following options:
• To reset the node secret on the agent host, check the Remove securid file on submit check box. If you reset the node secret on the agent host, you must also reset the agent host’s node secret in the RSA server.
• To reset the status of servers in the realm, check the Remove sdstatus.12 file on submit check box.
Step 2 Click OK.
• Creating and Editing RSA SecurID Token Servers, page 8-59
• Configuring ACS Instance Settings, page 8-60
• Editing ACS Instance Settings, page 8-61
RADIUS Identity Stores
A RADIUS server is a third-party server that supports the RADIUS interface. The RADIUS identity store, which is part of ACS, connects to the RADIUS server.
Failover
ACS 5.4 allows you to configure multiple RADIUS identity stores. Each RADIUS identity store can have primary and secondary RADIUS servers. When ACS is unable to connect to the primary server, it uses the secondary server.
Password Prompt
RADIUS identity stores allow you to configure the password prompt. You can configure the password prompt through the ACS web interface.
RADIUS Identity Store in Identity Sequence
You can add the RADIUS identity store to the authentication sequence in an identity sequence. However, you cannot add the RADIUS identity store to the attribute retrieval sequence, because you cannot query the RADIUS identity store without authentication. ACS cannot distinguish between different error cases while authenticating with a RADIUS server.
Safeword token servers support both formats. ACS works with various token servers. While configuring a Safeword server, you must check the Safeword Server check box for ACS to parse the username and convert it to the specified format. This conversion is done in the RADIUS token server identity store before the request is sent to the RADIUS token server.
• Check the check box next to the identity store you want to duplicate, then click Duplicate.
• Click the identity store name that you want to modify, or check the box next to the name and click Edit.
Step 3 Complete the fields in the General tab. See Configuring General Settings, page 8-67 for a description of the fields in the General tab.
Step 4 You can:
• Click Submit to save the RADIUS Identity Server.
Step 5
Table 8-19 RADIUS Identity Server - General Tab (continued)
Primary Server
Server IP Address: IP address of the primary RADIUS identity server.
Shared Secret: Shared secret between ACS and the primary RADIUS identity server. A shared secret is an expected string of text, which a user must provide before the network device authenticates a username and password.
Configuring Shell Prompts
For TACACS+ ASCII authentication, ACS must return the password prompt to the user. The RADIUS identity server supports this functionality through the password prompt option. ACS can use the prompt that you configure in the Shell Prompts page of the ACS web interface. If the prompt is empty, the user receives the default prompt that is configured under TACACS+ global settings.
Table 8-20 RADIUS Identity Servers - Directory Attributes Tab
RADIUS Attribute: Name of the RADIUS attribute. Click Select to choose the RADIUS attribute. This name is composed of two parts: the attribute name and an extension to support AV-pairs if the attribute selected is a Cisco AV-Pair. For example, for an attribute cisco-av-pair with an AV-pair name some-avpair, ACS displays cisco-av-pair.
Table 8-21 RADIUS Identity Server - Advanced Tab
This identity store does not differentiate between 'authentication failed' and 'user not found' when an authentication attempt is rejected. From the options below, select how such an authentication reject from the identity store should be interpreted by ACS for identity policy processing and reporting.
Note: ACS builds a certificate chain with the CA certificates that you add to it and uses this chain during TLS negotiations. You must add the certificate that signed the server certificate to the CA. You must ensure that the chain is signed correctly and that all the certificates are valid.
Editing a Certificate Authority and Configuring Certificate Revocation Lists
Use this page to edit a trusted CA (Certificate Authority) certificate.
Step 1 Select Users and Identity Stores > Certificate Authorities.
The Trust Certificate page appears with a list of configured certificates.
Step 2 Click the name that you want to modify, or check the check box for the Name, and click Edit.
Chapter 8 Managing Users and Identity Stores Configuring CA Certificates Table 8-23 Edit Certificate Authority Properties Page (continued) Option Description CRL Distribution URL Enter the CRL distribution URL. You can specify a URL that uses HTTP. Retrieve CRL ACS attempts to download a CRL from the CA. Toggle the time settings for ACS to retrieve a new CRL from the CA. • Automatically —Obtain the next update time from the CRL file.
Chapter 8 Managing Users and Identity Stores Configuring Certificate Authentication Profiles The Trust Certificate page appears without the deleted certificate(s). Related Topic • Overview of EAP-TLS, page B-6 Exporting a Certificate Authority To export a trust certificate: Step 1 Select Users and Identity Stores > Certificate Authorities. The Trust Certificate List page appears with a list of configured certificates. Step 2 Check the box next to the certificates that you want to export.
Chapter 8 Managing Users and Identity Stores Configuring Certificate Authentication Profiles When ACS processes a certificate-based request for authentication, one of two things happens: the username from the certificate is compared to the username in ACS that is processing the request, or ACS uses the information that is defined in the selected LDAP or AD identity store to validate the certificate information.
Chapter 8 Managing Users and Identity Stores Configuring Identity Store Sequences Table 8-24 Certificate Authentication Profile Properties Page (continued) Option Description Principal Username X509 Attribute Available set of principal username attributes for x509 authentication.
Chapter 8 Managing Users and Identity Stores Configuring Identity Store Sequences Attribute Retrieval Sequence You can optionally define a list of databases from which to retrieve additional attributes. These databases can be accessed regardless of whether you use password or certificate-based authentication. When you use certificate-based authentication, ACS populates the username field from a certificate attribute and then uses the username to retrieve attributes.
Chapter 8 Managing Users and Identity Stores Configuring Identity Store Sequences Table 8-25 Identity Store Sequence Properties Page (continued) Option Description Password Based Check this check box to use the password-based authentication method. If you choose this option, you must choose the set of identity stores that ACS will access one after another until a match is found.
Chapter 8 Managing Users and Identity Stores Configuring Identity Store Sequences Table 8-25 Identity Store Sequence Properties Page (continued) Option Description Advanced Options Break sequence If this option is selected and if an authentication attempt against current Identity Store results in process error, the flow breaks the Identity Stores sequence. The flow then continues to the Fail-Open option configured in the Identity Policy. The same applies to attribute retrieval.
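The sequence walk that Table 8-25 and the Advanced tab setting in Table 8-21 describe, as an added example that is not Cisco's code: stores are tried one after another, a store that cannot tell 'authentication failed' from 'user not found' has its reject interpreted according to the Advanced tab setting, and a process error either moves on to the next store or, with Break sequence checked, hands the request to the identity policy's Fail-Open option. It assumes that a store reporting 'authentication failed' ends the sequence because the user was found there; the store stubs, names and credentials are constructed for the demo.

```python
# Added example (not Cisco's code): models an ACS identity store sequence walk.
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional


class Outcome(Enum):
    PASS = "pass"
    AUTH_FAILED = "authentication failed"
    USER_NOT_FOUND = "user not found"
    PROCESS_ERROR = "process error"     # store unreachable, timeout, bind failure
    REJECT = "reject"                   # undifferentiated reject (Table 8-21 case)


@dataclass
class IdentityStore:
    name: str
    # Constructed stub standing in for the real store query; returns an Outcome.
    authenticate: Callable[[str, str], Outcome]
    # Advanced-tab setting: how an undifferentiated reject is interpreted for
    # identity policy processing. Only consulted when the stub returns REJECT.
    reject_as: Outcome = Outcome.AUTH_FAILED


@dataclass
class SequenceResult:
    outcome: Outcome
    matched_store: Optional[str] = None
    fail_open_invoked: bool = False     # True when Break sequence handed off to Fail-Open
    trace: List[str] = field(default_factory=list)


def run_sequence(stores: List[IdentityStore], user: str, password: str,
                 break_sequence: bool) -> SequenceResult:
    """Walk the stores in order until a match is found (Table 8-25, Password Based)."""
    result = SequenceResult(Outcome.USER_NOT_FOUND)
    for store in stores:
        outcome = store.authenticate(user, password)
        if outcome is Outcome.REJECT:
            outcome = store.reject_as          # apply the Table 8-21 interpretation
        result.trace.append(f"{store.name}: {outcome.value}")
        if outcome in (Outcome.PASS, Outcome.AUTH_FAILED):
            # Assumption: the user was found in this store, so the sequence ends
            # here whether or not the password was right.
            result.outcome = outcome
            result.matched_store = store.name
            return result
        if outcome is Outcome.PROCESS_ERROR and break_sequence:
            # Break sequence: stop walking and continue to the Fail-Open option
            # configured in the identity policy.
            result.outcome = outcome
            result.fail_open_invoked = True
            return result
        # USER_NOT_FOUND, or PROCESS_ERROR without Break sequence: try the next store
    return result


def build_demo_stores(radius_reject_as: Outcome, ldap_reachable: bool) -> List[IdentityStore]:
    """Constructed demo sequence: internal users, then a RADIUS identity server, then LDAP."""
    internal_users: Dict[str, str] = {"alice": "s3cret-demo"}   # constructed credentials

    def internal(user: str, password: str) -> Outcome:
        if user not in internal_users:
            return Outcome.USER_NOT_FOUND
        return Outcome.PASS if internal_users[user] == password else Outcome.AUTH_FAILED

    def radius(user: str, password: str) -> Outcome:
        # A RADIUS identity server only sees Access-Accept or Access-Reject, so it
        # cannot distinguish a wrong password from an unknown user.
        return Outcome.PASS if (user, password) == ("bob", "radius-demo") else Outcome.REJECT

    def ldap(user: str, password: str) -> Outcome:
        if not ldap_reachable:
            return Outcome.PROCESS_ERROR
        return Outcome.PASS if (user, password) == ("carol", "ldap-demo") else Outcome.USER_NOT_FOUND

    return [
        IdentityStore("Internal Users", internal),
        IdentityStore("RADIUS Identity Server", radius, reject_as=radius_reject_as),
        IdentityStore("LDAP", ldap),
    ]


if __name__ == "__main__":
    stores = build_demo_stores(Outcome.USER_NOT_FOUND, ldap_reachable=False)
    for user, pwd, brk in [("alice", "s3cret-demo", False), ("carol", "ldap-demo", False),
                           ("carol", "ldap-demo", True)]:
        r = run_sequence(stores, user, pwd, break_sequence=brk)
        print(user, "break" if brk else "no-break", r.outcome.value, r.fail_open_invoked, r.trace)
```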
• Managing Internal Identity Stores, page 8-4
• Managing External Identity Stores, page 8-22
• Configuring Certificate Authentication Profiles, page 8-75
• Creating, Duplicating, and Editing Identity Store Sequences, page 8-78
Chapter 9 Managing Policy Elements

A policy defines the authentication and authorization processing of clients that attempt to access the ACS network. A client can be a user, a network device, or a user associated with a network device. Policies are sets of rules. Rules contain policy elements, which are sets of conditions and results that are organized in rule tables. See Chapter 3, “ACS 5.x Policy Model” for more information on policy design and how it is implemented in ACS.

Managing Policy Conditions

You can map users and hosts to identity groups by using the group mapping policy. You can include identity groups in conditions to configure common policy conditions for all users in the group. For more information about creating identity groups, see Managing Identity Attributes, page 8-7.
• Network Device Groups (NDGs)—Devices issuing requests are included in one or more of up to 12 device hierarchies.

• Creating, Duplicating, and Editing a Date and Time Condition, page 9-3
• Creating, Duplicating, and Editing a Custom Session Condition, page 9-5
• Deleting a Session Condition, page 9-6
• Managing Network Conditions, page 9-6

See Chapter 3, “ACS 5.x Policy Model” for information about additional conditions that you can use in policy rules, although they are not configurable.

Table 9-1 Date and Time Properties Page (continued)
Option | Description
Duration Start | Click one of the following options:
• Start Immediately—Specifies that the rules associated with this condition are valid, starting at the current date.

Related Topics
• Creating, Duplicating, and Editing a Custom Session Condition, page 9-5
• Deleting a Session Condition, page 9-6
• Configuring Access Service Policies, page 10-22

Creating, Duplicating, and Editing a Custom Session Condition

The protocol and identity dictionaries contain a large number of attributes. To use any of these attributes as a condition in a policy rule, you must first create a custom condition for the attribute.

To add custom conditions to a policy, you must first customize the rule table. See Customizing a Policy, page 10-4.

Step 4 Click Submit. The new custom session condition is saved. The Custom Condition page appears with the new custom session condition. Clients that are associated with this condition are subject to it for the duration of their session.

Note The filters in ACS 5.4 are similar to the NARs in ACS 4.x. In ACS 4.x, the NARs were based on either the user or the user group. In 5.4, the filters are independent conditions that you can reuse across various rules and policies.

ACS offers three types of filters:
• End Station Filter—Filters end stations, such as a laptop or printer, that initiate a connection, based on the end station’s IP address, MAC address, CLID number, or DNIS number.

The device dictionary (the NDG dictionary) contains network device group attributes such as Location, Device Type, or other dynamically created attributes that represent NDGs. These attributes, in turn, contain the groups that the current device is related to. You can create, duplicate, and edit these filters. You can also do a bulk import of the contents of a filter from a .csv file and export the filters from ACS to a .csv file.

Step 5 Click Close to close the Import Progress window.

You can submit only one .csv file to the system at one time. If an import is under way, an additional import cannot succeed until the original import is complete.

Timesaver Instead of downloading the template and creating an import file, you can use the export file of the particular filter, update the information in that file, save it, and reuse it as your import file.

Note To configure a filter, at a minimum, you must enter filter criteria in at least one of the three tabs.

Step 5 Click Submit to save the changes.

• Defining MAC Address-Based End Station Filters, page 9-11
• Defining CLI or DNIS-Based End Station Filters, page 9-11

Defining MAC Address-Based End Station Filters

You can create, duplicate, and edit the MAC addresses of end stations or destinations that you want to permit or deny access to. To do this:

Step 1 From the MAC Address tab, do one of the following:
• Click Create.

Step 2 Check the CLI check box to enter the CLI number of the end station. You can optionally set this field to ANY to refer to any CLI number.
Step 3 Check the DNIS check box to enter the DNIS number of the destination machine. You can optionally set this field to ANY to refer to any DNIS number.

Note To configure a filter, at a minimum, you must enter filter criteria in at least one of the three tabs.

Step 5 Click Submit to save the changes.

Defining Name-Based Device Filters

You can create, duplicate, and edit the name of the network device that you want to permit or deny access to. To do this:

Step 1 From the Device Name tab, do one of the following:
• Click Create.
• Check the check box next to the name-based device filter that you want to duplicate, then click Duplicate.
• Check the check box next to the name-based device filter that you want to edit, then click Edit.

Creating, Duplicating, and Editing Device Port Filters

Use the Device Port Filters page to create, duplicate, and edit device port filters. To do this:

Step 1 Choose Policy Elements > Session Conditions > Network Conditions > Device Port Filters. The Device Port Filters page appears with a list of device port filters that you have configured.
Step 2 Click Create.

• Check the check box next to the IP-based device port filter that you want to duplicate, then click Duplicate.
• Check the check box next to the IP-based device port filter that you want to edit, then click Edit.
A dialog box appears.

Step 2 Choose either of the following:
• Single IP Address—If you choose this option, you must enter a valid address, as follows:
– IPv4 address in the format x.x.x.

Managing Authorizations and Permissions

Step 3 Check the Port check box and enter the port number.
Step 4 Click OK.

• Security groups and security group ACLs for Cisco Security Group Access. See ACS and Cisco Security Group Access, page 4-23, for information on configuring these policy elements.

• Click the name that you want to modify; or, check the check box next to the name that you want to modify and click Edit.
The Authorization Profile Properties page appears.

Step 3 Enter valid configuration data in the required fields in each tab.

Step 1 Select Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, then click:
• Create to create a new network access authorization definition, then click the Common Tasks tab.
• Duplicate to duplicate a network access authorization definition, then click the Common Tasks tab.
• Edit to edit a network access authorization definition, then click the Common Tasks tab.

Table 9-5 Authorization Profile: Common Tasks Page
Option | Description
ACLS
Downloadable ACL Name | Includes a defined downloadable ACL. See Creating, Duplicating, and Editing Downloadable ACLs, page 9-32 for information about defining a downloadable ACL.
Filter-ID ACL | Includes an ACL Filter ID.
Proxy ACL | Includes a proxy ACL.
Voice VLAN
Permission to Join | Select Static. A value for this parameter is displayed.

Specifying RADIUS Attributes in Authorization Profiles

Use this tab to configure which RADIUS attributes to include in the Access-Accept packet for an authorization profile. This tab also displays the RADIUS attribute parameters that you choose in the Common Tasks tab.

Table 9-6 Authorization Profile: RADIUS Attributes Page (continued)
Option | Description
RADIUS Attribute | Name of the RADIUS attribute. Click Select to choose a RADIUS attribute from the specified dictionary. You must manually add VPN attributes to the authorization profile to authenticate VPN devices in your network.

Creating and Editing Security Groups

Use this page to view names and details of security groups and security group tags (SGTs), and to open pages to create, duplicate, and edit security groups. When you create a security group, ACS generates a unique SGT. Network devices can query ACS for SGT information.

The Common Tasks tab allows you to select and configure the frequently used attributes for the profile. The attributes that are included here are those defined by the TACACS protocol draft specification that are specifically relevant to the shell service. However, the values can be used in the authorization of requests from other services. The Custom Attributes tab allows you to configure additional attributes.

Defining General Shell Profile Properties

Use this page to define a shell profile’s general properties.

Step 1 Select Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles, then do one of the following:
• Click Create.
• Check the check box next to the shell profile that you want to duplicate and click Duplicate.

Table 9-9 Shell Profile: Common Tasks
Option | Description
Privilege Level
Default Privilege | (Optional) Enables the initial privilege level assignment that you allow for a client, through shell authorization. If disabled, the setting is not interpreted in authorization and permissions. The Default Privilege Level specifies the default (initial) privilege level for the shell profile.
Timeout | (Optional) Choose Static to enable the timeout and specify its duration, in minutes, in the value field. The valid range is from 0 to 999. Choose Dynamic to select an attribute from the dynamic ACS dictionary as a substitute attribute.

Defining Custom Attributes

Use this tab to define custom attributes for the shell profile. This tab also displays the Common Tasks Attributes that you have chosen in the Common Tasks tab.

After you create command sets, you can use them in authorizations and permissions within rule tables. A rule can contain multiple command sets. See Creating, Duplicating, and Editing a Shell Profile for Device Administration, page 9-24.

Note Command sets support TACACS+ protocol attributes only.

Table 9-11 Command Set Properties Page
Field | Description
Name | Name of the command set.
Description | (Optional) The description of the command set.
Permit any command that is not in the Grant table | Check to allow all commands that are requested, unless they are explicitly denied in the Grant table. Uncheck to allow only commands that are explicitly allowed in the Grant table.
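The two settings in Table 9-11 in working form, as an added example that is not Cisco's code: a Grant table of Permit and Deny rows plus the "Permit any command that is not in the Grant table" check box decide whether a requested command is authorized, giving either an explicit allow-list or a deny-list with everything else permitted. The row layout (grant, command keyword, argument pattern), first-match evaluation within the Grant table, and the two sample command sets are assumptions made for the demo.

```python
# Added example (not Cisco's code): command set evaluation as Table 9-11 describes it.
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class GrantRow:
    grant: str        # "Permit" or "Deny"
    command: str      # command keyword, e.g. "show"
    arguments: str    # regular expression matched against the rest of the line (assumption)


@dataclass
class CommandSet:
    name: str
    # The "Permit any command that is not in the Grant table" check box.
    permit_unmatched: bool
    rows: List[GrantRow]


def split_command(command_line: str) -> Tuple[str, str]:
    """Split 'show running-config | include aaa' into ('show', 'running-config | include aaa')."""
    parts = command_line.strip().split(maxsplit=1)
    if not parts:
        raise ValueError("empty command line")
    return parts[0], parts[1] if len(parts) > 1 else ""


def authorize(command_set: CommandSet, command_line: str) -> Tuple[bool, str]:
    """Return (permitted, reason). Assumption: the first matching Grant row decides."""
    command, args = split_command(command_line)
    for row in command_set.rows:
        if row.command == command and re.fullmatch(row.arguments, args):
            return row.grant == "Permit", f"{row.grant} row '{row.command} {row.arguments}'"
    if command_set.permit_unmatched:
        return True, "no Grant row matched; 'Permit any command that is not in the Grant table' is checked"
    return False, "no Grant row matched; only explicitly permitted commands are allowed"


# Constructed sample sets. Deny rows for sensitive arguments come before the broad
# Permit row because evaluation is first-match in this model.
HELPDESK = CommandSet(
    name="Helpdesk-ReadOnly",
    permit_unmatched=False,          # explicit allow-list
    rows=[
        GrantRow("Deny", "show", r"running-config.*"),
        GrantRow("Deny", "show", r"startup-config.*"),
        GrantRow("Permit", "show", r".*"),
        GrantRow("Permit", "ping", r".*"),
    ],
)

NETADMIN = CommandSet(
    name="NetAdmin-DenyList",
    permit_unmatched=True,           # everything allowed unless explicitly denied
    rows=[
        GrantRow("Deny", "reload", r".*"),
        GrantRow("Deny", "write", r"erase.*"),
    ],
)


if __name__ == "__main__":
    for cs in (HELPDESK, NETADMIN):
        for line in ("show version", "show running-config | include aaa", "configure terminal", "reload"):
            ok, why = authorize(cs, line)
            print(f"{cs.name:18} {line!r:38} {'PERMIT' if ok else 'DENY':6} ({why})")
```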
Related Topics
• Creating, Duplicating, and Editing Authorization Profiles for Network Access, page 9-18
• Creating, Duplicating, and Editing a Shell Profile for Device Administration, page 9-24
• Deleting an Authorizations and Permissions Policy Element, page 9-33

Creating, Duplicating, and Editing Downloadable ACLs

You can define do

– Click Start Export to export the DACLs without any encryption.

Step 3 Enter valid configuration data in the required fields as shown in Table 9-12, and define one or more ACLs by using standard ACL syntax.

Table 9-12 Downloadable ACL Properties Page
Option | Description
Name | Name of the DACL.
Description | Description of the DACL.
Downloadable ACL Content | Define the ACL content.

Configuring Security Group Access Control Lists

Security group access control lists (SGACLs) are applied at egress, based on the source and destination SGTs. Use this page to view, create, duplicate, and edit SGACLs. When you modify the name or content of an SGACL, ACS updates its generation ID. When the generation ID of an SGACL changes, the relevant Security Group Access network devices reload the content of the SGACL.
CH A P T E R 10 Managing Access Policies In ACS 5.4, policy drives all activities. Policies consist mainly of rules that determine the action of the policy. You create access services to define authentication and authorization policies for requests. A global service selection policy contains rules that determine which access service processes an incoming request. For a basic workflow for configuring policies and all their elements, see Flows for Configuring Services and Policies, page 3-19.
Chapter 10 Managing Access Policies Policy Creation Flow In short, you must determine the: • Details of your network configuration. • Access services that implement your policies. • Rules that define the conditions under which an access service can run.
Chapter 10 Managing Access Policies Policy Creation Flow Policy Elements in the Policy Creation Flow The web interface provides these defaults for defining device groups and identity groups: • All Locations • All Device Types • All Groups The locations, device types, and identity groups that you create are children of these defaults. To create the building blocks for a basic device administration policy: Step 1 Step 2 Step 3 Create network resources. In the Network Resources drawer, create: a.
Chapter 10 Managing Access Policies Customizing a Policy Policy Creation Flow—Next Steps • Access Service Policy Creation, page 10-4 • Service Selection Policy Creation, page 10-4 Access Service Policy Creation After you create the basic elements, you can create an access policy that includes identity groups and privileges.
Chapter 10 Managing Access Policies Configuring the Service Selection Policy If you have implemented Security Group Access functionality, you can also customize results for authorization policies. Caution If you have already defined rules, be certain that a rule is not using any condition that you remove when customizing conditions. Removing a condition column removes all configured conditions that exist for that column.
Chapter 10 Managing Access Policies Configuring the Service Selection Policy Note If you create and save a simple policy, and then change to a rule-based policy, the simple policy becomes the default rule of the rule-based policy. If you have saved a rule-based policy and then change to a simple policy, you will lose all your rules except for the default rule. ACS automatically uses the default rule as the simple policy.
Chapter 10 Managing Access Policies Configuring the Service Selection Policy Table 10-2 Rule-based Service Selection Policy Page Option Description Policy type Defines the type of policy to configure: Status • Select one result—Results apply to all requests. • Rule-based result selection—Configuration rules apply different results depending on the request. Current status of the rule that drives service selection. The rule statuses are: • Enabled—The rule is active.
Chapter 10 Managing Access Policies Configuring the Service Selection Policy Creating, Duplicating, and Editing Service Selection Rules Create service selection rules to determine which access service processes incoming requests. The Default Rule provides a default access service in cases where no rules are matched or defined. When you create rules, remember that the order of the rules is important.
Chapter 10 Managing Access Policies Configuring the Service Selection Policy • The Default Rule—You can change only the access service. See Table 10-3 for field descriptions: Table 10-3 Service Selection Rule Properties Page Option Description General Name Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional. Status Rule statuses are: • Enabled—The rule is active.
Chapter 10 Managing Access Policies Configuring the Service Selection Policy Displaying Hit Counts Use this page to reset and refresh the Hit Count display on the Rule-based Policy page. To display this page, click Hit Count on the Rule-based Policy page. Table 10-4 Hit Count Page Option Description Hit Counts Reset Last time hit counts were Displays the date and time of the last hit count reset for this policy.
Chapter 10 Managing Access Policies Configuring Access Services Configuring Access Services Access services contain the authentication and authorization policies for requests. You can create separate access services for different use cases; for example, device administration, wireless network access, and so on. When you create an access service, you define the type of policies and policy structures that it contains; for example, policies for device administration or network access.
Chapter 10 Managing Access Policies Configuring Access Services Table 10-5 Default Access Service - General Page (continued) Option Description Identity Check to include an identity policy in the access service, to define the identity store or stores that ACS uses for authentication and attribute retrieval. Group Mapping Check to include a group mapping policy in the access service, to map groups and attributes that are retrieved from external identity stores to the identity groups in ACS.
Chapter 10 Managing Access Policies Configuring Access Services Step 2 Do one of the following: • Click Create. • Check the check box next to the access service that you want to duplicate; then click Duplicate. • Click the access service name that you want to modify; or, check the check box next to the name and click Edit. • Click the access service name in the left navigation tab. The Access Service Properties General page appears. • If you are creating a new access service: a.
Chapter 10 Managing Access Policies Configuring Access Services Table 10-6 Access Service Properties—General Page (continued) Option Description Description Description of the access service. Access Service Policy Structure Based on service template Creates an access service containing policies based on a predefined template. This option is available only for service creation. Based on existing service Creates an access service containing policies based on an existing access service.
Chapter 10 Managing Access Policies Configuring Access Services Table 10-6 Access Service Properties—General Page (continued) Option Description Edit To edit the listed RADIUS attribute, select the attribute in the list and click Edit. The attribute properties appear in the fields. Modify the properties as required, then click Replace. Replace Click Replace to replace the selected RADIUS attribute with the one that is currently defined in the RADIUS fields.
Chapter 10 Managing Access Policies Configuring Access Services Configuring Access Service Allowed Protocols The allowed protocols are the second part of access service creation. Access service definitions contain general and allowed protocol information. When you duplicate and edit services, the Access Service properties page contains tabs.
Chapter 10 Managing Access Policies Configuring Access Services Table 10-7 Access Service Properties—Allowed Protocols Page (continued) Option Description Allow EAP-TLS Enables the EAP-TLS Authentication protocol and configures EAP-TLS settings. You can specify how ACS verifies user identity as presented in the EAP Identity response from the end-user client. User identity is verified against information in the certificate that the end-user client presents.
Chapter 10 Managing Access Policies Configuring Access Services Table 10-7 Access Service Properties—Allowed Protocols Page (continued) Option Description Allow EAP-FAST Enables the EAP-FAST authentication protocol and EAP-FAST settings. The EAP-FAST protocol can support multiple internal protocols on the same server. The default inner method is MSCHAPv2.
Chapter 10 Managing Access Policies Configuring Access Services Table 10-7 Access Service Properties—Allowed Protocols Page (continued) Option Description Allow EAP-FAST (continued) PAC Options • Tunnel PAC Time To Live—The Time To Live (TTL) value restricts the lifetime of the PAC. Specify the lifetime value and units. The default is one (1) day. • Proactive PAC Update When: of PAC TTL is Left—The Update value ensures that the client has a valid PAC.
Chapter 10 Managing Access Policies Configuring Access Services Table 10-7 Access Service Properties—Allowed Protocols Page (continued) Option Description Preferred EAP protocol Select the preferred EAP protocol from the following options available: • EAP-FAST • PEAP • LEAP • EAP-TLS • EAP-MD5 This option helps ACS to be flexible to work with old supplicants (end devices) which are not capable of sending No-Acknowledgement, when a particular protocol is not implemented.
Chapter 10 Managing Access Policies Configuring Access Services Table 10-8 Access Services Templates Template Name Access Service Type Device Admin Simple Device Admin Command Auth Protocols Policies Conditions Results Device Administration PAP/ASCII Identity None - Simple Internal users Authorization Identity group, NDG:Location, Shell profile NDG:Device Type, Time and Date Device Administration PAP/ASCII Identity None - Simple Authorization Identity group, NDG:Location, Command set
Chapter 10 Managing Access Policies Configuring Access Service Policies Configuring Access Service Policies You configure access service policies after you create the access service: • Viewing Identity Policies, page 10-22 • Configuring Identity Policy Rule Properties, page 10-25 • Configuring a Group Mapping Policy, page 10-27 • Configuring a Session Authorization Policy for Network Access, page 10-30 • Configuring a Session Authorization Policy for Network Access, page 10-30 • Configuring Sh
Chapter 10 Managing Access Policies Configuring Access Service Policies In the rule-based policy, each rule contains one or more conditions and a result, which is the identity source to use for authentication. You can create, duplicate, edit, and delete rules within the identity policy; and you can enable and disable them. Caution If you switch between the simple policy and the rule-based policy pages, you will lose your previously saved policy.
Chapter 10 Managing Access Policies Configuring Access Service Policies Viewing Rules-Based Identity Policies Select Access Policies > Access Services > service > Identity, where is the name of the access service. By default, the Simple Identity Policy page appears with the fields described in Table 10-9.
Chapter 10 Managing Access Policies Configuring Access Service Policies • Creating Policy Rules, page 10-38 • Duplicating a Rule, page 10-39 • Editing Policy Rules, page 10-39 • Deleting Policy Rules, page 10-40 For information about configuring an identity policy for Host Lookup requests, see Configuring an Authorization Policy for Host Lookup Requests, page 4-20.
Chapter 10 Managing Access Policies Configuring Access Service Policies Table 10-11 Identity Rule Properties Page Option Description General Rule Name Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional. Rule Status Rule statuses are: • Enabled—The rule is active. • Disabled—ACS does not apply the results of the rule. • Monitor—The rule is active, but ACS does not apply the results of the rule.
Chapter 10 Managing Access Policies Configuring Access Service Policies Configuring a Group Mapping Policy Configure a group mapping policy to map groups and attributes that are retrieved from external identity stores to ACS identity groups. When ACS processes a request for a user or host, this policy retrieves the relevant identity group which can be used in authorization policy rules. If you created an access service that includes a group mapping policy, you can configure and modify this policy.
Chapter 10 Managing Access Policies Configuring Access Service Policies Table 10-13 Rule-based Group Mapping Policy Page Option Description Policy type Defines the type of policy to configure: • Simple—Specifies the results to apply to all requests. • Rule-based—Configure rules to apply different results depending on the request. Caution Status If you switch between policy types, you will lose your previously saved policy configuration. Current status of the rule.
Chapter 10 Managing Access Policies Configuring Access Service Policies • Deleting Policy Rules, page 10-40 Related Topics • Viewing Identity Policies, page 10-22 • Configuring a Session Authorization Policy for Network Access, page 10-30 • Configuring a Session Authorization Policy for Network Access, page 10-30 • Configuring Shell/Command Authorization Policies for Device Administration, page 10-35 Configuring Group Mapping Policy Rule Properties Use this page to create, duplicate, or edit a g
Chapter 10 Managing Access Policies Configuring Access Service Policies Configuring a Session Authorization Policy for Network Access When you create an access service for network access authorization, it creates a Session Authorization policy. You can then add and modify rules to this policy to determine the access permissions for the client session. You can create a standalone authorization policy for an access service, which is a standard first-match rule table.
Chapter 10 Managing Access Policies Configuring Access Service Policies Table 10-15 Network Access Authorization Policy Page Option Description Status Rule statuses are: Name • Enabled—The rule is active. • Disabled—ACS does not apply the results of the rule. • Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only.
Chapter 10 Managing Access Policies Configuring Access Service Policies Configuring Network Access Authorization Rule Properties Use this page to create, duplicate, and edit the rules to determine access permissions in a network access service. Step 1 Select Access Policies > Access Services > > Authorization, and click Create, Edit, or Duplicate.
Configuring Device Administration Authorization Policies

A device administration authorization policy determines the authorizations and permissions for network administrators. You create an authorization policy during access service creation. See Configuring General Access Service Properties, page 10-13 for details of the Access Service Create page. Use this page to:
• View rules.
• Delete rules.

Configuring Device Administration Authorization Rule Properties

Use this page to create, duplicate, and edit the rules that determine authorizations and permissions in a device administration access service. Select Access Policies > Access Services > service > Authorization, and click Create, Edit, or Duplicate. The Device Administration Authorization Rule Properties page appears as described in Table 10-18.

Table 10-19 Device Administration Authorization Exception Policy Page

Option: Description
Status: Rule statuses are:
• Enabled—The rule is active.
• Disabled—ACS does not apply the results of the rule.
• Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only.
Name: Name of the rule.

To configure rules, see:
• Creating Policy Rules, page 10-38
• Duplicating a Rule, page 10-39
• Editing Policy Rules, page 10-39
• Deleting Policy Rules, page 10-40

Configuring Authorization Exception Policies

An authorization policy can include exception policies. In general, exceptions are temporary policies; for example, to grant provisional access to visitors or to increase the level of access for specific users. Because an exception widens access and is intended to be temporary, review the exception policies regularly and remove rules that are no longer needed.

Table 10-20 Network Access Authorization Exception Policy Page

Option: Description
Status: Rule statuses are:
• Enabled—The rule is active.
• Disabled—ACS does not apply the results of the rule.
• Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only.
Name: Name of the rule.
Creating Policy Rules

When you create rules, remember that the order of the rules is important. ACS evaluates the rules from top to bottom; when it encounters a match while processing the request of a client that tries to access the ACS network, all further processing stops and the result associated with that rule is applied. No further rules are considered after a match is found, so a broad rule placed above a more specific one prevents the specific rule from ever matching. The Default Rule provides a default policy in cases where no rules are matched or defined.
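The first-match walk described above, including how the Enabled, Disabled, and Monitor statuses from the policy page tables affect it, as an added example (not code from the Cisco ACS guide). The attribute names (identity_group, nas_type) and result names (GuestVLAN, CorpVLAN, DenyAccess) are illustrative assumptions, not ACS objects.

```python
"""Added example (not code from the Cisco ACS guide): a minimal first-match
rule table with the Enabled / Disabled / Monitor rule statuses and a
Default rule.  Attribute names (identity_group, nas_type) and result names
(GuestVLAN, CorpVLAN, DenyAccess) are illustrative assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Rule:
    name: str
    conditions: Dict[str, str]   # attribute -> required value; empty dict matches every request
    result: str                  # authorization result returned when the rule matches
    status: str = "Enabled"      # "Enabled", "Disabled" or "Monitor"


@dataclass
class Evaluation:
    result: str
    matched_rule: str
    log: List[str] = field(default_factory=list)


def rule_matches(rule: Rule, request: Dict[str, str]) -> bool:
    return all(request.get(attr) == value for attr, value in rule.conditions.items())


def evaluate(rules: List[Rule], default_result: str, request: Dict[str, str]) -> Evaluation:
    """Walk the table top to bottom.  The first matching Enabled rule wins and
    processing stops.  Disabled rules are skipped.  Monitor rules are matched
    and logged, but their result is not applied, so the walk continues."""
    log: List[str] = []
    for rule in rules:
        if rule.status == "Disabled":
            continue
        if not rule_matches(rule, request):
            continue
        if rule.status == "Monitor":
            log.append(f"hit {rule.name} (monitor only; result {rule.result} not applied)")
            continue
        log.append(f"hit {rule.name} -> {rule.result}")
        return Evaluation(rule.result, rule.name, log)
    log.append(f"no rule matched -> Default ({default_result})")
    return Evaluation(default_result, "Default", log)


# A staged deny rule in Monitor status, a broad contractor rule, and a
# disabled rule that would otherwise shadow the employee rule below it.
RULES = [
    Rule("Rule-1", {"identity_group": "Contractors", "nas_type": "wireless"}, "DenyAccess", status="Monitor"),
    Rule("Rule-2", {"identity_group": "Contractors"}, "GuestVLAN"),
    Rule("Rule-3", {"identity_group": "Employees"}, "FullAccess", status="Disabled"),
    Rule("Rule-4", {"identity_group": "Employees"}, "CorpVLAN"),
]

if __name__ == "__main__":
    ev = evaluate(RULES, "DenyAccess", {"identity_group": "Contractors", "nas_type": "wireless"})
    print(ev.result, "via", ev.matched_rule)
    for line in ev.log:
        print("  ", line)
```

Monitor status is the safe way to stage a restrictive rule: Rule-1 records a hit for wireless contractors without denying them, so you can confirm from the hit counts that the rule matches only the traffic you expect before switching it to Enabled.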
Duplicating a Rule

You can duplicate a rule if you want to create a new rule that is the same as, or very similar to, an existing rule. The duplicate rule name is based on the original rule name with a parenthesized number to indicate duplication; for example, Rule-1(1). After duplication is complete, you access each rule (original and duplicate) separately.

Note You cannot duplicate the Default rule.

Step 4 Click OK. The Policy page appears with the edited rule.
Step 5 Click Save Changes to save the new configuration.
Step 6 Click Discard Changes to cancel the edited information.

Related Topics
• Creating Policy Rules, page 10-38
• Duplicating a Rule, page 10-39
• Deleting Policy Rules, page 10-40

Deleting Policy Rules

Note You cannot delete the Default rule.
Configuring Compound Conditions

Use compound conditions to define a set of conditions based on any attributes allowed in simple policy conditions. You define compound conditions in a policy rule page; you cannot define them as separate condition objects.

Table 10-21 Supported Dynamic Attribute Mapping in Policy Compound Condition

Operand1 | Operand2 | Example
String attribute | String attribute | —
Integer attribute | Integer attribute | —
Enumeration attribute | Enumeration attribute | —
Boolean attribute | Boolean attribute | —
IP address attribute | IP address attribute | —
Hierarchical attribute | String attribute | NDG:Customer vs.

Figure 10-2 Compound Expression - Atomic Condition

Single Nested Compound Condition: Consists of a single operator followed by a set of two or more predicates. The operator is applied between each of the predicates. See Figure 10-3 for an example. The preview window displays parentheses [()] to indicate the precedence of logical operators.

Figure 10-4 Multiple Nested Compound Expression

Compound Expression with Dynamic Value: Select Dynamic Value to compare the dictionary attribute selected as the operand against another dictionary attribute instead of a static value. See Figure 10-5 for an example.

Figure 10-5 Compound Expression Builder with Dynamic Value

Related Topics
• Compound Condition Building Blocks, page 10-41
• Using the Compound Expression Builder, page 10-45

Using the Compound Expression Builder

You construct compound conditions by using the expression builder in Rule Properties pages. The expression builder contains two sections: a predicate builder to create primary conditions, and controls for managing the expression.
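An evaluator for the three compound-condition shapes described above (atomic condition, single nested compound, multiple nested compound) plus a dynamic-value operand, as an added example that is not code from the Cisco ACS guide. The attribute keys (System:UserName, NDG:Location, Radius:NAS-IP-Address, AD:Department, NDG:Department) and the operator names are illustrative assumptions, not ACS dictionary definitions.

```python
"""Added example (not from the Cisco ACS guide): evaluates compound
conditions built from predicates and And/Or operators.  A dynamic value
makes operand2 a reference to another attribute instead of a literal.
Attribute keys and operator names are illustrative assumptions."""
import ipaddress
import operator
from dataclasses import dataclass
from typing import Dict, List, Union

Value = Union[str, int, bool]
_NUMERIC = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}


@dataclass(frozen=True)
class Dynamic:
    """Marks operand2 as a reference to another attribute (dynamic value)."""
    attribute: str


@dataclass
class Predicate:
    attribute: str
    op: str
    operand: Union[Value, Dynamic]

    def evaluate(self, attrs: Dict[str, Value]) -> bool:
        left = attrs.get(self.attribute)
        right = attrs.get(self.operand.attribute) if isinstance(self.operand, Dynamic) else self.operand
        if left is None or right is None:
            return False  # a missing attribute never satisfies a predicate
        if self.op == "equals":
            return left == right
        if self.op == "not equals":
            return left != right
        if self.op == "starts with":      # hierarchical attribute against a string prefix
            return str(left).startswith(str(right))
        if self.op == "in subnet":        # IP address attribute against a CIDR literal
            return ipaddress.ip_address(str(left)) in ipaddress.ip_network(str(right), strict=False)
        if self.op in _NUMERIC:
            return _NUMERIC[self.op](int(left), int(right))
        raise ValueError(f"unsupported operator {self.op!r}")

    def preview(self) -> str:
        rhs = self.operand.attribute if isinstance(self.operand, Dynamic) else repr(self.operand)
        return f"{self.attribute} {self.op} {rhs}"


@dataclass
class Compound:
    op: str                                          # "And" or "Or"
    predicates: List[Union["Compound", Predicate]]   # two or more, possibly nested

    def __post_init__(self) -> None:
        if self.op not in ("And", "Or") or len(self.predicates) < 2:
            raise ValueError("a compound needs And/Or and at least two predicates")

    def evaluate(self, attrs: Dict[str, Value]) -> bool:
        results = (p.evaluate(attrs) for p in self.predicates)
        return all(results) if self.op == "And" else any(results)

    def preview(self) -> str:
        """Parenthesised rendering, like the expression builder's preview window."""
        return "(" + f" {self.op} ".join(p.preview() for p in self.predicates) + ")"


# Multiple nested compound: a top-level And over a predicate, an Or compound
# and a dynamic-value predicate comparing two attributes.
CONDITION = Compound("And", [
    Predicate("System:UserName", "not equals", "guest"),
    Compound("Or", [
        Predicate("NDG:Location", "starts with", "All Locations:HQ"),
        Predicate("Radius:NAS-IP-Address", "in subnet", "10.10.0.0/16"),
    ]),
    Predicate("AD:Department", "equals", Dynamic("NDG:Department")),
])

# Constructed request attributes, not real ACS data.
HQ_USER = {"System:UserName": "alice", "NDG:Location": "All Locations:HQ:Floor2",
           "Radius:NAS-IP-Address": "192.0.2.10", "AD:Department": "Finance",
           "NDG:Department": "Finance"}
BRANCH_USER = {**HQ_USER, "NDG:Location": "All Locations:Branch", "Radius:NAS-IP-Address": "10.10.5.1"}
WRONG_DEPT = {**HQ_USER, "AD:Department": "Sales"}

if __name__ == "__main__":
    print(CONDITION.preview())
    for label, req in (("hq", HQ_USER), ("branch", BRANCH_USER), ("wrong-dept", WRONG_DEPT)):
        print(label, CONDITION.evaluate(req))
```

Note that a missing attribute evaluates to false rather than raising, so a "not equals" predicate on an attribute the request never carried does not silently pass; this is the safer default when a compound is used to gate access.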
Related Topics
• Compound Condition Building Blocks, page 10-41
• Types of Compound Conditions, page 10-42

Security Group Access Control Pages

This section contains the following topics:
• Egress Policy Matrix Page, page 10-46
• Editing a Cell in the Egress Policy Matrix, page 10-47
• Defining a Default Policy for Egress Policy Page, page 10-47
• NDAC Policy Page, page 10-48
• NDAC Policy Properties Page, page 10-49

Related Topic
• Creating an Egress Policy, page 4-27

Editing a Cell in the Egress Policy Matrix

Use this page to configure the policy for the selected cell. You can configure the SGACLs to apply to the corresponding source and destination security group. To display this page, choose Access Policies > Security Group Access Control > Egress Policy, select a cell, then click Edit.

NDAC Policy Page

The Network Device Admission Control (NDAC) policy determines the SGT for network devices in a Security Group Access environment. The NDAC policy handles:
• Peer authorization requests from one device about its neighbor.
• Environment requests (a device is collecting information about itself).
The policy returns the same SGT for a specific device, regardless of the request type.

Table 10-27 Rule-Based NDAC Policy Page

Option: Description
Policy type: Defines the type of policy to configure:
• Simple—Specifies the result to apply to all requests.
• Rule-based—Configure rules to apply different results depending on the request.
If you switch between policy types, you will lose your previously saved policy configuration.
Status: Rule statuses are:
• Enabled—The rule is active.
Name

Note For endpoint admission control, you must define an access service and session authorization policy. See Configuring Network Access Authorization Rule Properties, page 10-32 for information about creating a session authorization policy.

Table 10-28 NDAC Policy Properties Page

Option: Description
General
Name: Name of the rule.

Network Device Access EAP-FAST Settings Page

Use this page to configure parameters for the EAP-FAST protocol that the NDAC policy uses. To display this page, choose Access Policies > Security Group Access Control > Network Device Access.

Table 10-29 Network Device Access EAP-FAST Settings Page

Option: Description
EAP-FAST Settings
Tunnel PAC Time To Live: Time to live (TTL), or duration, of a PAC before it expires and requires replacing. A PAC is a credential; a shorter TTL bounds how long a PAC copied from a device remains usable, at the cost of more frequent PAC provisioning.
Max Session User Settings

You can configure a maximum user session value to limit the number of concurrent sessions permitted for each user. To configure maximum user sessions:

Step 1 Choose Access Policies > Max User Session Policy > Max Session User Settings.
Step 2 Specify a Max User Session Value, the maximum number of concurrent sessions permitted.
Step 3 Check the Unlimited Sessions check box if you want users to have unlimited sessions.

Table 10-30 Max User Session Global Settings Page

Option: Description
General
Name: Name of the Identity Group.
Description: Description of the Identity Group.
Max Session Group Settings
Unlimited Session: Check this check box if you want to allow the group unlimited sessions. Unlimited is selected by default.
Max Session for Group: Specify a value for the maximum number of concurrent sessions permitted for the group.

Table 10-31 Max User Session Global Settings Page

Option: Description
RADIUS Session Key Assignment
Available Session Keys: RADIUS session keys available for assignment.

The Purge User Session page appears with a list of all AAA clients.
Step 2 Select the AAA client for which you want to purge the user sessions.
Step 3 Click Get Logged-in User List. A list of all the logged-in users is displayed.
Step 4 Click Purge All Sessions to purge all user sessions logged in to the selected AAA client.

Maximum User Session in Proxy Scenario

In a proxy deployment, the authentication and accounting requests for a session must be sent to the same ACS server; otherwise the Maximum User Sessions feature does not work as intended, because the server that enforces the limit never sees the accounting messages that tell it when sessions start and stop.
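How a per-user concurrent-session limit behaves when accounting reaches the same server that authenticates, versus when a proxy sends accounting to a different server, as an added example (not code from the Cisco ACS guide). The message shapes, the session identifiers and the limit of two are constructed for illustration.

```python
"""Added example, not from the Cisco ACS guide: a per-user concurrent-session
limiter fed by RADIUS-style accounting Start/Stop events, replayed in the
correct and in the proxied (broken) scenario.  All inputs are constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple


class SessionLimiter:
    """Counts live sessions per user from accounting and enforces a maximum."""

    def __init__(self, max_sessions: int, unlimited: bool = False):
        self.max_sessions = max_sessions
        self.unlimited = unlimited
        self.active: Dict[str, Set[str]] = defaultdict(set)   # user -> live session ids

    def authenticate(self, user: str) -> bool:
        """Access-Request: reject when the user already holds max_sessions."""
        if self.unlimited:
            return True
        return len(self.active[user]) < self.max_sessions

    def accounting(self, user: str, session_id: str, status: str) -> None:
        """Accounting-Request: Start registers a session, Stop releases it."""
        if status == "Start":
            self.active[user].add(session_id)
        elif status == "Stop":
            self.active[user].discard(session_id)

    def count(self, user: str) -> int:
        return len(self.active[user])


def run_scenario(accounting_to_same_server: bool) -> Tuple[List[bool], int]:
    """Replay a constructed sequence with a limit of 2: user 'bob' logs in
    twice, ends the first session, then attempts two more logins.
    Returns the authentication outcomes and the live count the enforcing
    server believes it has."""
    acs1 = SessionLimiter(max_sessions=2)   # authenticates and enforces the limit
    acs2 = SessionLimiter(max_sessions=2)   # a second ACS that a proxy may send accounting to
    acct = acs1 if accounting_to_same_server else acs2
    outcomes: List[bool] = []
    for sid in ("s1", "s2"):
        outcomes.append(acs1.authenticate("bob"))
        acct.accounting("bob", sid, "Start")
    acct.accounting("bob", "s1", "Stop")
    outcomes.append(acs1.authenticate("bob"))    # allowed: only s2 is live
    acct.accounting("bob", "s3", "Start")
    outcomes.append(acs1.authenticate("bob"))    # refused: s2 and s3 are live
    return outcomes, acs1.count("bob")


if __name__ == "__main__":
    print("same server :", run_scenario(True))
    print("proxied     :", run_scenario(False))
```

In the proxied case the enforcing server's count stays at zero, so every login is accepted and the limit is silently never applied; there is no error to alert you, which is why the accounting path has to be checked when the feature is deployed behind a proxy.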
CHAPTER 11 Monitoring and Reporting in ACS

The Monitoring and Reports drawer appears in the primary web interface window and contains the Launch Monitoring and Report Viewer option. The Monitoring and Report Viewer provides monitoring, reporting, and troubleshooting capabilities for the ACS servers in your network. You can extract consolidated log, configuration, and diagnostic data from one or more ACS servers for advanced reporting and troubleshooting purposes.

• Support for non-English characters (UTF-8)—You can have non-English characters in:
– Syslog messages—Configurable attribute value, user name, and ACS named configuration objects
– GUI input fields
– Query pages
– Reports and Interactive Viewer
– Alarms
– Dashboard lookup
– Failure reason text

Note In Monitoring and Reports drawer pages, you can use the page area's down arrow (v) to hide an area's content, and the right ar

Note These tabs are customizable, and you can modify or delete the following tabs.
• General—The General tab lists the following:
– Five most recent alarms—When you click the name of the alarm, a dialog box appears with the details and the status of the alarm. You can update the information in the Status tab of this dialog box to track the alarm. See Table 12-5 for a description of the fields in the Status tab.
– Authentication Snapshot—Provides a snapshot of authentications in graphical and tabular formats for up to the past 30 days. In the graphical representation, the field by which the records are grouped is plotted on the X-axis and the number of authentications on the Y-axis.

Figure 11-1 Portlets

Top 5 Alarms and My Favorite Reports appear in separate windows. You can edit each of these portlets separately. To edit a portlet, click the edit button at the upper-right corner of the window. The Monitoring and Report Viewer allows you to customize the information in the portlets to suit your needs. You can add, edit, and delete tabs; edit application settings in portlets; and delete portlets.

Related Topics
• Dashboard Pages, page 11-2
• Running Authentication Lookup Report, page 11-6

Running Authentication Lookup Report

When you run an Authentication Lookup report, consider the following:
• If you provide the Username or MAC Address value in the format aa-bb-cc-dd-ee-ff, an authentication report is run for this MAC address.

Step 5 Click Add Page. A new tab of your choice is created. You can add the applications that you most frequently monitor to this tab.

Adding Applications to Tabs

To add an application to a tab:
Step 1 From the Monitoring and Report Viewer, choose Monitoring and Reports > Dashboard. The Dashboard page appears.
Step 2 Select the tab to which you want to add an application.

Changing the Dashboard Layout

You can change the look and feel of the Dashboard. ACS provides nine different built-in layouts. To choose a different layout:
Step 1 From the Monitoring and Report Viewer, choose Monitoring and Reports > Dashboard. The Dashboard page appears.
Step 2 Select the tab whose layout you want to change.
CHAPTER 12 Managing Alarms

The Monitoring feature in ACS generates alarms to notify you of critical system conditions. The monitoring component retrieves data from ACS. You can configure thresholds and rules on this data to manage alarms. Alarm notifications are displayed in the web interface, and you can receive notification of events through e-mail and syslog messages. ACS filters duplicate alarms by default.

System Alarms

System alarms notify you of critical conditions encountered during the execution of the ACS Monitoring and Reporting viewer. System alarms also provide informational status of system activities, such as data purge events or failure of the log collector to populate the View database. You cannot configure system alarms, which are predefined.

Notifying Users of Events

When a threshold is reached or a system alarm is generated, the alarm appears in the Alarms Inbox of the web interface. From this page, you can view the alarm details, add a comment about the alarm, and change its status to indicate that it is Acknowledged or Closed.

Table 12-2 Alarms Page (continued)

Option: Description
Time: Display only. Indicates the time of the associated alarm generation in the format Ddd Mmm dd hh:mm:ss timezone yyyy, where:
• Ddd = Sun, Mon, Tue, Wed, Thu, Fri, Sat.
• Mmm = Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec.
• dd = A two-digit numeric representation of the day of the month, from 01 to 31.

Table 12-3 System Alarms in ACS 5.4 (continued)

Alarm (Severity)
• Configure Incremental Backup Data Repository as Remote Repository otherwise backup will fail and Incremental backup mode will be changed to off. (Warning)
• Configure Remote Repository under Purge Configuration which is used to take a backup of data before purge. (Warning)
• View database size exceeds the max limit of maxlimit GB.
• Full Database Purge Backup failed: Exception Details (Critical)
• Incremental Backup Failed: Exception Details (Critical)
• Log Recovery Log Message Recovery failed: Exception Details (Critical)
• View Compress Database rebuild operation has started.
• Failed to load backup library. Scheduled backup of ACS configuration db failed. Please check ADE.log for more details. (Critical)
• Symbol lookup error. Scheduled backup of ACS configuration db failed. Please check ADE.log for more details. (Critical)
• Failed to perform ACS backup due to internal error. Please check ADE.log for more details.

Note ACS cannot be used as a remote syslog server, but you can use an external server as a syslog server. If you do, no alarms can be generated in the ACS view, because the syslog messages are sent to the external syslog server instead. If you want alarms to be generated in the ACS view, set the logging option to localhost by using the CLI.

To edit an alarm:
Step 1 Select Monitoring and Reports > Alarms > Inbox.

Related Topics
• Creating, Editing, and Duplicating Alarm Thresholds, page 12-11
• Deleting Alarm Thresholds, page 12-33

Understanding Alarm Schedules

You can create alarm schedules to specify when a particular alarm threshold is run. You can create, edit, and delete alarm schedules, and set them to run at different times of the day over the course of a seven-day week.

Table 12-7 Alarm Schedules - Create or Edit Page

Option: Description
Identification
Name: Name of the alarm schedule. The name can be up to 64 characters in length.
Description: A brief description of the alarm schedule; can be up to 255 characters in length.
Schedule: Click a square to select or deselect that hour. Use the Shift key to select or deselect a block starting from the previous selection.

Deleting Alarm Schedules

Note Before you delete an alarm schedule, ensure that it is not referenced by any thresholds that are defined in ACS. You cannot delete the default schedule (nonstop) or schedules that are referenced by any thresholds.

To delete an alarm schedule:
Step 1 Choose Monitoring and Reports > Alarms > Schedules. The Alarm Schedules page appears.
Table 12-8 Alarm Thresholds Page (continued)

Option: Description
Category: The alarm threshold category.

Related Topics
• Configuring General Threshold Information, page 12-13
• Configuring Threshold Criteria, page 12-14
• Configuring Threshold Notifications, page 12-32

Configuring General Threshold Information

To configure general threshold information, fill out the fields in the General tab of the Thresholds page. Table 12-9 describes the fields.

Table 12-9 General Tab

Option: Description
Name: Name of the threshold.

Configuring Threshold Criteria ACS 5.

You can specify one or more filters to limit the passed authentications that are considered for threshold evaluation. Each filter is associated with a particular attribute in the authentication records, and only those records whose filter value matches the value that you specify are counted. If you specify multiple filters, only the records that match all the filter conditions are counted.

Table 12-10 Passed Authentications (continued)

Option: Description
Device Group: Click Select to choose a valid device group name on which to configure your threshold.
Identity Store: Click Select to choose a valid identity store name on which to configure your threshold.
Access Service: Click Select to choose a valid access service name on which to configure your threshold.

Device IP | Failed Authentication Count
i.j.k.l | 1
m.n.o.p | 1

An alarm is triggered because at least one Device IP has greater than 10 failed authentications in the past 2 hours.

Note You can specify one or more filters to limit the failed authentications that are considered for threshold evaluation.

Table 12-11 Failed Authentications (continued)

Option: Description
ACS Instance: Click Select to choose a valid ACS instance on which to configure your threshold.
User: Click Select to choose or enter a valid username on which to configure your threshold.
Identity Group: Click Select to choose a valid identity group name on which to configure your threshold.

The aggregation job begins at 00:05 hours every day. From 23:50 hours until the time the aggregation job completes, the authentication inactivity alarms are suppressed. For example, if your aggregation job completes at 01:00 hours today, the authentication inactivity alarms are suppressed from 23:50 hours until 01:00 hours.
Table 12-13 TACACS Command Accounting

Option: Description
Command: Enter a TACACS command on which you want to configure your threshold.
Privilege: Use the drop-down list box to select the privilege level on which you want to configure your threshold. Valid options are:
• Any
• A number from 0 to 15.
Filter
User: Click Select to choose or enter a valid username on which to configure your threshold.

Table 12-14 TACACS Command Authorization

Option: Description
Authorization Result: Use the drop-down list box to select the authorization result on which you want to configure your threshold. Valid options are:
• Passed
• Failed
Filter
User: Click Select to choose or enter a valid username on which to configure your threshold.

Table 12-15 ACS Configuration Changes

Option: Description
Change: Use the drop-down list box to select the administrative change on which you want to configure your threshold. Valid options are:
• Any
• Create—Includes "duplicate" and "edit" administrative actions.
• Update
• Delete
Filter
ACS Instance: Click Select to choose a valid ACS instance on which to configure your threshold.

Table 12-16 ACS System Diagnostics

Option: Description
Severity at and above: Use the drop-down list box to choose the severity level on which you want to configure your threshold. This setting captures the indicated severity level and those that are higher within the threshold.

Table 12-17 ACS Process Status

Option: Description
Monitoring and Reporting Collector: Check the check box to have this process monitored. If this process goes down, an alarm is generated.
Monitoring and Reporting Alarm Manager: Check the check box to have this process monitored. If this process goes down, an alarm is generated.
Monitoring and Reporting Job Manager: Check the check box to have this process monitored.

Table 12-18 ACS System Health

Option: Description
Disk I/O: Enter the percentage of disk usage you want to set (greater than or equal to the specified value) for your threshold configuration. The valid range is from 1 to 100.
Disk Space Used /opt: Enter the percentage of /opt disk space usage you want to set (greater than or equal to the specified value) for your threshold configuration. The valid range is from 1 to 100.

Table 12-19 ACS AAA Health

Option: Description
Average over the past: Use the drop-down list box to select the averaging period, in minutes, for your threshold. Valid values are:
• 15
• 30
• 45
• 60
RADIUS Throughput: Enter the number of RADIUS transactions per second you want to set (less than or equal to the specified value) for your threshold configuration.

Table 12-20 RADIUS Sessions

Option: Description
More than num authenticated sessions in the past 15 minutes, where an accounting start event has not been received, for a Device IP: num—A count of authenticated sessions in the past 15 minutes for which no accounting start event has been received.
Filter
ACS Instance: Click Select to choose a valid ACS instance on which to configure your threshold.

Table 12-21 Unknown NAD

Option: Description
Unknown NAD count greater than num in the past time Minutes|Hours for an object, where:
• num values can be any five-digit number greater than or equal to zero (0).
• time values can be 1 to 1440 minutes, or 1 to 24 hours.
• Minutes|Hours value can be Minutes or Hours.
You can specify one or more filters to limit the failed authentications that are considered for threshold evaluation. Each filter is associated with a particular attribute in the records, and only those records that match the filter condition are counted. If you specify multiple filter values, only the records that match all the filter conditions are counted.

If, in the past four hours, RBACL drops have occurred for two different source group tags as shown in the following table, an alarm is triggered, because at least one SGT has a count greater than 10.

SGT | Count of RBACL Drops
1 | 17
3 | 14

You can specify one or more filters to limit the RBACL drop records that are considered for threshold evaluation.

NAD-Reported AAA Downtime

When ACS evaluates this threshold, it examines the NAD-reported AAA down events that occurred during the specified interval, up to the previous 24 hours. The AAA down records are grouped by a common attribute, such as device IP address or device group, and a count of records within each of those groups is computed.
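The evaluation pattern that the threshold descriptions above share (failed authentications grouped by Device IP, RBACL drops grouped by SGT, NAD-reported AAA downtime grouped by a common attribute), combined with the alarm-schedule check from Understanding Alarm Schedules, as an added example that is not code from the Cisco ACS guide. Records inside the time window are filtered (every filter must match), grouped, counted, and the threshold fires if any group's count exceeds the configured number. All records are constructed sample data and the field names (device_ip, identity_group, sgt) are assumptions, not ACS log fields.

```python
"""Added example, not from the Cisco ACS guide: group-by-count threshold
evaluation over a time window with filters, gated by a 7 x 24 alarm
schedule.  All records below are constructed sample data."""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple

Record = Dict[str, str]


class Schedule:
    """A 7 x 24 grid of hours during which a threshold may run (Mon=0)."""

    def __init__(self, hours: Dict[int, Set[int]]):
        self.hours = hours

    @classmethod
    def nonstop(cls) -> "Schedule":
        return cls({d: set(range(24)) for d in range(7)})

    def active_at(self, when: datetime) -> bool:
        return when.hour in self.hours.get(when.weekday(), set())


def evaluate_threshold(records: Iterable[Record], now: datetime, window: timedelta,
                       group_by: str, greater_than: int,
                       filters: Optional[Dict[str, str]] = None,
                       schedule: Optional[Schedule] = None) -> Tuple[bool, Dict[str, int]]:
    """Return (fired, {group: count}) for groups whose count exceeds greater_than.
    Outside the schedule nothing is evaluated and the threshold cannot fire."""
    if schedule is not None and not schedule.active_at(now):
        return False, {}
    filters = filters or {}
    start = now - window
    counts: Counter = Counter()
    for rec in records:
        ts = datetime.fromisoformat(rec["time"])
        if not start <= ts <= now:
            continue                      # outside the evaluation window
        if any(rec.get(k) != v for k, v in filters.items()):
            continue                      # every filter must match to be counted
        counts[rec[group_by]] += 1
    offenders = {g: n for g, n in counts.items() if n > greater_than}
    return bool(offenders), offenders


# Constructed sample data; the evaluation time is fixed so results are stable.
NOW = datetime(2013, 11, 5, 12, 0)   # a Tuesday


def _rec(minutes_ago: int, **fields: str) -> Record:
    return {"time": (NOW - timedelta(minutes=minutes_ago)).isoformat(), **fields}


# 12 recent failures from one NAD, 3 from another, and 5 older ones that
# fall outside a two-hour window.
FAILED_AUTHS: List[Record] = (
    [_rec(5 * i, device_ip="192.0.2.10", identity_group="Contractors") for i in range(12)]
    + [_rec(10 * i, device_ip="192.0.2.20", identity_group="Employees") for i in range(3)]
    + [_rec(150 + 5 * i, device_ip="192.0.2.10", identity_group="Contractors") for i in range(5)]
)
# RBACL drops matching the SGT table above: 17 for SGT 1, 14 for SGT 3.
RBACL_DROPS: List[Record] = (
    [_rec(10 * i, sgt="1") for i in range(17)] + [_rec(10 * i, sgt="3") for i in range(14)]
)
BUSINESS_HOURS = Schedule({d: set(range(8, 18)) for d in range(5)})   # Mon-Fri 08:00-17:59

if __name__ == "__main__":
    print(evaluate_threshold(FAILED_AUTHS, NOW, timedelta(hours=2), "device_ip", 10))
    print(evaluate_threshold(RBACL_DROPS, NOW, timedelta(hours=4), "sgt", 10, schedule=BUSINESS_HOURS))
```

The filter behaves as an intersection: narrowing the failed-authentication threshold to identity group Employees leaves only the three records from the second NAD, and the threshold no longer fires. Keep that in mind when adding filters to reduce noise, because each filter also removes records an attacker's traffic may fall into.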
Table 12-24 NAD-Reported AAA Downtime

Option: Description
Filter
ACS Instance: Click Select to choose a valid ACS instance on which to configure your threshold.
Device IP: Click Select to choose or enter a valid device IP address on which to configure your threshold.
Device Group: Click Select to choose a valid device group name on which to configure your threshold.

Table 12-25 Thresholds: Notifications Page (continued)

Option: Description
Email Notification
Email Notification User List: Enter a comma-separated list of e-mail addresses or ACS administrator names or both. Do one of the following:
• Enter the e-mail addresses.
• Click Select to enter valid ACS administrator names.

Configuring System Alarm Settings

System alarms are used to notify users of:
• Errors that are encountered by the Monitoring and Reporting services
• Information on data purging
Use this page to enable system alarms and to specify where alarm notifications are sent. When you enable system alarms, they are sent to the Alarms Inbox.

Understanding Alarm Syslog Targets

Alarm syslog targets are the destinations where alarm syslog messages are sent. The Monitoring and Report Viewer sends alarm notifications in the form of syslog messages. You must configure a machine that runs a syslog server to receive these syslog messages. Syslog messages carry user names and device addresses in clear text, so send them only to a trusted collector on a protected network segment. To view a list of configured alarm syslog targets, choose Monitoring Configuration > System Configuration > Alarm Syslog Targets.

Table 12-27 Alarm Syslog Targets Create or Edit Page

Option: Description
Use Advanced Syslog Options
Port: Port on which the remote syslog server listens. By default, it is set to 514. Valid options are from 1 to 65535.
Facility Code: Syslog facility code to be used for logging. Valid options are Local0 through Local7.

Step 4 Click Submit.
CH A P T E R 13 Managing Reports The Monitoring and Report Viewer component of ACS collects log and configuration data from various ACS servers in your deployment, aggregates it, and provides interactive reports that help you analyze the data. The Monitoring and Report Viewer provides you integrated monitoring, reporting, and troubleshooting capabilities to efficiently manage your network and troubleshoot network-related problems.
Chapter 13 • Managing Reports Catalog—Monitoring and Reports > Reports > Catalog > For easy access, you can add reports to your Favorites page, from which you can customize and delete reports. You can customize the reports that must be shared within your group and add them to the Shared page. The Catalog pages provide a rich set of reports on log, diagnostic, and troubleshooting data retrieved from the ACS servers in your deployment.
Chapter 13 Managing Reports Working with Favorite Reports This chapter describes in detail the following: • Working with Favorite Reports, page 13-3 • Sharing Reports, page 13-6 • Working with Catalog Reports, page 13-7 • Viewing Reports, page 13-20 • Formatting Reports in Interactive Viewer, page 13-27 • Organizing Report Data, page 13-41 • Hiding and Filtering Report Data, page 13-67 • Understanding Charts, page 13-76 Working with Favorite Reports You can add reports that you most freque
Chapter 13 Managing Reports Working with Favorite Reports Step 5 Click Add to Favorite. The report is added to your Favorites page. Related Topics • Working with Favorite Reports, page 13-3 • Viewing Favorite-Report Parameters, page 13-4 • Editing Favorite Reports, page 13-5 • Deleting Reports from Favorites, page 13-6 • Understanding the Report_Name Page, page 13-14 Viewing Favorite-Report Parameters Before you run your favorite report, you can view the parameters that are set and edit them.
Chapter 13 Managing Reports Working with Favorite Reports Editing Favorite Reports After you view the existing parameters in your favorite report, you can edit them. To edit the parameters in your favorite reports: Step 1 Choose Monitoring and Reports > Reports > Favorites. The Favorites page appears with a list of your favorite reports. Step 2 Check the check box next to the favorite report that you want to edit, then click Edit. The Edit Favorite Report page appears.
Chapter 13 Managing Reports Sharing Reports The report is generated in the page. Step 3 Click Launch Interactive Viewer for more options.
Chapter 13 Managing Reports Working with Catalog Reports Step 7 Click Save. The report is saved in your Shared folder and is available for all users. Note The shared reports that were created in older versions of ACS do not work after you upgrade an older version of ACS to ACS 5.4 or install a fresh version of ACS 5.4. Therefore, you need to remove the existing shared reports and add them in ACS 5.4. Working with Catalog Reports Catalog reports are system reports that are preconfigured in ACS.
Chapter 13 Managing Reports Working with Catalog Reports Table 13-2 Available ACS Reports (continued) Report Name Description Logging Category TACACS Authentication Provides TACACS+ authentication details for a selected time period. Passed authentications, failed attempts TACACS Authorization Provides TACACS+ authorization details for a selected time period.
Chapter 13 Managing Reports Working with Catalog Reports Table 13-2 Available ACS Reports (continued) Report Name Description Logging Category ACS Log Information Provides ACS log information for a particular log All log categories category and ACS server for a selected time period. ACS Operations Audit Provides all the operational changes done in ACS by the administrator for a selected time period.
Chapter 13 Managing Reports Working with Catalog Reports Table 13-2 Available ACS Reports (continued) Report Name Description Logging Category Network Device Authentication Summary Provides the RADIUS and TACACS+ authentication summary information for a particular network device for a selected time period, along with the graphical representation.
Table 13-2 Available ACS Reports (continued)
Report Name | Description | Logging Category
RADIUS Active Sessions | Provides information on RADIUS authenticated, authorized, and started sessions. | Passed authentications, RADIUS accounting
ACS 5.4 introduces the Change of Authorization (CoA) feature through the RADIUS Active Sessions report, which allows you to dynamically control active RADIUS sessions.
The available reports for the report type you selected are displayed with the information shown in Table 13-3.
Table 13-3 Page
Option | Description
Report Name | Available reports based on the report type you selected.
Type | Type of report.
Modified At | Time that the associated report was last modified by an administrator, in the format Ddd Mmm dd hh:mm:ss timezone yyyy, where: • Ddd = Sun, Mon, Tue, Wed, Thu, Fri, Sat.
Step 2
Note You cannot delete system reports from the Reports > Catalog pages; you can delete customized reports only. Step 2 Check one or more check boxes next to the reports you want to delete, and click Delete. Step 3 Click OK to confirm that you want to delete the selected report(s). The Catalog listing page appears without the deleted report. Running Named Reports Use this page to run reports on specific named reports.
Table 13-4 Reports > Report Types and Names (continued)
Report Type | Report Names
Failure Reason | Authentication Failure Code Lookup; Failure Reason Authentication Summary; Top N Authentications By Failure Reason
Network Device | AAA Down Summary; Network Device Authentication Summary; Network Device Log Messages; Session Status Summary; Top N AAA Down By Network Device; Top N Authentications By Network Device
Security Group Access | RBACL Drop Summ
Table 13-5 Page (continued)
Option | Description
Identity Group | Enter an identity group name or click Select to enter a valid identity group name on which to run your report.
Device Name | Enter a device name or click Select to enter a valid device name on which to run your report.
Device IP | Enter a device IP address or click Select to enter a valid device IP address on which to run your report.
Table 13-5 Page (continued)
Option | Description
Command Accounting Only | Check the check box to enable your report to run for command accounting.
Top | Use the drop-down list box to select the number of top (most frequent) authentications by access service on which you want to run your report.
Table 13-5 Page (continued)
Option | Description
End Time | Enter the end time you want to use to run the report.
Day | Enter a date, or click the date selector icon to enter the end date for which you want to run your report.
Clear | Click to delete the contents of the associated text box.
Export | Click to export the records in the form of a .csv file.
Changing Authorization and Disconnecting Active RADIUS Sessions Note Some of the NADs in your deployment do not send an Accounting Stop or Accounting Off packet after a reload. As a result, you might find two sessions in the Session Directory reports, one of which has expired.
Figure 13-3 CoA Options Step 4 Click Run to reauthenticate or disconnect the RADIUS session. If your change of authorization fails, it might be because of any of the following reasons: • Device does not support CoA • Changes to the identity or authorization policy • Shared secret mismatch Step 5 See Troubleshooting RADIUS Authentications, page 14-6, to troubleshoot a failed change of authorization attempt.
Chapter 13 Managing Reports Viewing Reports If you save the customized report with the same name as the original system report (overwriting the original system report), you cannot delete it. To restore a customized report to the default, preconfigured system report settings, see Restoring Reports, page 13-20. Note The customized report is saved to your specified location.
About Standard Viewer From Standard Viewer, you can open a table of contents, navigate the report, export data to spreadsheet format, and print the report. You can click Launch Interactive Viewer to close Standard Viewer and view the report in Interactive Viewer. See About Interactive Viewer, page 13-21.
Figure 13-5 Context Menu for Labels in Interactive Viewer If the report contains a chart, you can use the context menu for charts, shown in Figure 13-6, to modify the chart's formatting, subtype, and other properties. Figure 13-6 Context Menu for Charts in Interactive Viewer In each context menu, selecting an entry with a right arrow provides access to related context menu choices.
Using the Table of Contents In the viewer, you can open a table of contents to view the report structure and navigate the report. To open the table of contents, choose the table of contents button in the toolbar. Figure 13-9 shows a report in Standard Viewer with the table of contents open. Figure 13-9 Using the Table of Contents to Navigate Each entry in the table of contents is a link to a page in the report.
Exporting Report Data The viewer supports the ability to export report data to an Excel spreadsheet as a comma-separated values (.csv) file, pipe-separated values (.psv) file, or tab-separated values (.tsv) file. You can select an option to export the column's data type. The spreadsheet data is formatted like the data in the information object or the template.
Figure 13-12 The Export Data Dialog Box Available Result Sets lists the tables in the report. Available Columns lists the columns you can export from the specified table. You can export any of the data the report uses, including the data in aggregate rows and calculated columns. If the report uses more than one data source, you can export data from each data source separately.
Printing Reports You can print a report that appears in the viewer in HTML or PDF format. Because you can modify the report in Interactive Viewer, Interactive Viewer supports printing either the original report or the report as you modified it. Step 1 In the viewer, select Print Report. The Print dialog box appears. Step 2 In the Format field, select HTML or PDF. Step 3 In the Page Range field, select the pages you want to print. Step 4 Click OK.
Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Figure 13-13 Save Dialog Box Step 2 Navigate to the location where you want to save the file. Step 3 Type a file name and click Save. Step 4 Click OK in the confirmation message that appears. Formatting Reports in Interactive Viewer You can use the Interactive Viewer to format reports.
The text of a column header comes from the data source. If the data source displays column headers in capital letters with no spaces between words, the report design displays column header names in the same way. You can change the content of the column header by using a context menu. The formatting of the column header comes from the report template or from the theme.
• Modify the font, color, style, and other properties of the text. • Specify that the column displays uppercase or lowercase. • Modify the default formatting of the data value in an aggregate row. • Format the data type. For example, if the column displays numbers, you can format the data as currency, percentages, or scientific notation.
Formatting Data in Aggregate Rows An aggregate row displays a total, average, or other summary data for a column. You learn how to create an aggregate row in a later chapter. Figure 13-15 shows an aggregate row at the end of a report. Typically, the default formatting of the aggregate row comes from the template or the theme.
Table 13-6 Data Types and Formats
Data type | Option | Description
Date and Time | Unformatted | Data retains the default format set by the template or theme.
Date and Time | General Date | June 5, 2006 12:00:00 AM GMT +00:00
Date and Time | Long Date | June 5, 2006
Date and Time | Medium Date | Jun 5, 2006
Date and Time | Short Date | 6/5/06
Date and Time | Long Time | 12:00:00 AM GMT +00:00
Date and Time | Medium Time | 12:00:00 AM
Date and Time | Short Time | 12:00
Date and Time | Custom | Format depends on a format code you type.
The data type of a column is determined by the data source. Keep in mind that a text or string data type can contain numeric digits. A telephone number, for example, is frequently string data in the data source. The title of the formatting dialog box tells you what data type the column contains. Step 1 Select a column that contains numeric data, then select Format. The Number column format dialog box appears.
Formatting Custom Numeric Data To define a custom format, you use special symbols to construct a format pattern. A format pattern shows where to place currency symbols, thousands separators, decimal points, or commas. Table 13-7 shows examples of custom format patterns and their effects on numeric data.
Table 13-7 Results of Custom Number Format Patterns
Format pattern | Data in the data set | Result of formatting
0000.00 | 12. |
Step 1
415-555-2121 You can create custom formats for string data. Table 13-8 describes the symbols you can use to define custom string formats.
Table 13-8 Symbols for Defining Custom String Formats
Symbol | Description
@ | Character placeholder. Each @ character displays a character in the string. If the string has fewer characters than the number of @ symbols that appear in the format pattern, spaces appear.
Step 4 Click Apply. Formatting Date and Time The appearance of date and time data depends on the locale in which you are working. For example, the following date and time are correct for the U.S.
Table 13-10 Results of Custom Date Formats
Format | Result of formatting
MM-dd-yy | 04-15-06
E, M/d/yyyy | Fri, 4/15/2006
MMM d | Apr 15
MMMM | April
yyyy | 2006
W | 3 (the week in the month)
w | 14 (the week in the year)
D | 105 (the day in the year)
To create a custom date or time format: Step 1 Select a date-and-time column, then click Format. The Date or Time column format window appears.
Figure 13-17 Specifying Display Values for True and False Applying Conditional Formats Conditional formatting changes the formatting of data when a certain condition is true. For example, in a report that shows customers' past-due invoices, you can highlight in red any customer name that has an invoice 90 days or more past due. Then, you can highlight in blue any customer name that has an invoice 60 days or more past due.
After you create the condition, you set the format in which to display data that meets the condition. The format applies to the column in Select Column, not to the column you use to set the condition. Setting Conditional Formatting for Columns You can set conditional formatting or modify conditional formatting for a column. Step 1 Right-click the column in which you want to display the conditional formatting. The context menu appears.
Figure 13-20 Two Comparison Value Fields Appear for the Between Operator The values for the comparison can be typed in directly or derived from the specified report column. Select Change Value to display the Value dialog, as shown in Figure 13-21. Figure 13-21 Specifying Literal or Column Values A literal value can be directly typed or chosen from a list of values in the specified column.
To add additional conditional formatting rules, select Add Rule and repeat steps 3 and 4 for each new rule. Step 6 Click Apply. The report design appears with the specified conditional formatting applied. Deleting Conditional Formatting To remove conditional formatting for a column: Step 1 Select and right-click the column. Step 2 Select Style > Conditional Formatting.
Chapter 13 Managing Reports Organizing Report Data Step 4 Click Apply. Setting and Removing Page Breaks in a Group Column In Interactive Viewer, if your report design has grouped data, you can set page breaks before or after the grouped data. Step 1 Select and right-click a grouped column. Step 2 From the context menu, choose Group > Page Break. The Page Break window appears, as shown in Figure 13-24.
Displaying and Organizing Report Data After you access a data source and select the data set to use, you determine the best way to display the data in a report. There are several ways to organize data sets: • Sort a data column in ascending or descending order. • Organize data into groups. A group displays all the information about a type of item in one place.
Figure 13-25 Report Displaying Customers Grouped by Country Step 2 Select Column > Move to Group Header. The Move to Group Header window appears, as shown in Figure 13-26. Figure 13-26 Move to Group Header Dialog Box Step 3 From the Move to Group field, select a value. Step 4 In the Header row field, select the row number in which to move the value you selected in Step 3. Step 5 Click Apply.
Figure 13-27 Report Displaying Customer Name in Each Group Header Removing Columns To remove a column, select the column and click Delete. When you remove a column from the report, you are not deleting the column from the information object or other data source. To remove multiple columns, press Ctrl and select the columns to remove. Then, click Delete.
Step 3 Select any items you want to hide, or deselect any hidden items you want to display. To display all hidden items, click Clear. Step 4 Click Apply. Hiding Columns To hide or display columns: Step 1 Select and right-click a column. Step 2 Select Column > Hide Column. Interactive Viewer displays the report without the hidden column. Displaying Hidden Columns To display hidden columns: Step 1 Select and right-click a column.
Figure 13-29 Separate Columns In Figure 13-30, the data from these two columns is merged into one column. Figure 13-30 Merged Column To merge data in multiple columns: Step 1 Select and right-click the columns. Step 2 Select Column > Merge Columns. User Guide for Cisco Secure Access Control System 5.
Selecting a Column from a Merged Column You can aggregate, filter, and group data in a column that contains data that is merged from multiple columns. You must first select one of the columns on which to aggregate, filter, or group data. To select one column from a merged column: Step 1 Select and right-click the merged column, then select a command to apply from the context menu, such as Aggregation, Filter > Filter, or Group > Add Group.
When you sort multiple columns, it is important to understand the order of precedence for the sort. In Advanced Sort, the first column you select is the primary sorting column. Report data is sorted first by this column. If the primary column is Customer and the order is Ascending, for example, the report displays customers in alphabetical order.
Grouping Data A report can contain a great deal of data. Consider the task of listing every item a corporation owns, along with information such as the purchase price, purchase date, inventory tag number, and the supplier for each item. If a report presents all these items in an unorganized list, there is no way to determine how much the corporation spends for heavy equipment because heavy equipment items are scattered throughout the report.
Figure 13-33 Grouped Data You can group data in the report design editor or in Interactive Viewer. The changes you make in the viewer do not affect the report design. If you work in Enterprise mode, you can save report output that reflects your changes. You can add or remove data groups in Interactive Viewer if the report design does not contain the grouping desired during that use of Interactive Viewer.
Step 2 From the context menu, select Group > Add Group. The Group Detail dialog box appears, as shown in Figure 13-35. Figure 13-35 Grouping Date or Time Data Step 3 To show every date or time value, leave the default setting, Group using individual values. Step 4 To set a grouping interval, select Group every, enter a value, and select the grouping interval.
Step 2 From the context menu, select Group > Delete Inner Group. Creating Report Calculations Most reports require some sort of calculations to track sales, finances, inventory, and other critical business activities. You might want to keep a simple count of items in a warehouse or you might need to provide more complex financial data such as tracking stock portfolio performance over time.
Figure 13-38 Selecting a Function Understanding Supported Calculation Functions Table 13-11 provides examples of the functions you can use to create calculations. Note The Calculation dialog box does not support the use of uppercase TRUE and FALSE functions in expressions. Calculation also does not support the use of initial capital letters for True and False. These functions must be expressed in lowercase only. Table 13-11 Examples of Functions
Table 13-11 Examples of Functions (continued)
Function | Description | Example of use
AND | Combines two conditions and returns records that match both conditions. For example, you can request records from customers who spend more than $50,000 a year and also have a credit rank of A. | This function is used to connect clauses in an expression and does not take arguments.
AVERAGE(expr) | Displays an average value for the column. |
Table 13-11 Examples of Functions (continued)
Function | Description | Example of use
False | The Boolean False. This function is used in expressions to indicate that an argument is false. | In the following example, False indicates that the second argument, ascending, is false and therefore the values should be returned in descending order. RANK([Score], false)
FIND(strToFind, str) | Displays the index of the first occurrence of specified text. |
Table 13-11 Examples of Functions (continued)
Function | Description | Example of use
ISBOTTOMN(expr, n) | Displays True if the value is within the lowest n values for the expression, and False otherwise. | ISBOTTOMN([OrderTotals], 50)
ISBOTTOMN(expr, n, groupLevel) | Displays True if the value is within the lowest n values for the expression at the specified group level, and False otherwise. |
Table 13-11 Examples of Functions (continued)
Function | Description | Example of use
LIKE(str) | Displays True if the values match, and False otherwise. Use SQL syntax to specify the string pattern. The following rules apply: • Literal pattern characters must match exactly. LIKE is case-sensitive. • A percent character (%) matches zero or more characters. | LIKE([customerName], "D%") LIKE([quantityOrdered], "2_")
Table 13-11 Examples of Functions (continued)
Function | Description | Example of use
OR | The logical OR operator. | This function is used to connect clauses in an expression and does not take arguments.
PERCENTILE(expr, pct) | Displays a percentile value, a value on a scale of 100 that indicates the percent of a distribution that is equal to or below the specified value. Valid pct argument ranges are 0 to 1. | PERCENTILE([Rank], 1)
Table 13-11 Examples of Functions (continued)
Function | Description | Example of use
ROUNDDOWN(num) | Rounds a number down. | ROUNDDOWN([StockPrice])
ROUNDDOWN(num, dec) | Rounds a number down, away from 0, to the specified number of digits. The default value for dec is 0. | ROUNDDOWN([StockPrice], 2)
ROUNDUP(num) | Rounds a number up. | ROUNDUP([TotalValue])
ROUNDUP(num, dec) | Rounds a number up, away from 0, to the specified number of digits. |
Table 13-11 Examples of Functions (continued)
Function | Description | Example of use
WEEKDAY(date, option) | Displays the day of the week in one of the following format options: • 1 - Returns the day number, from 1 (Sunday) through 7 (Saturday). 1 is the default option. • 2 - Returns the day number, from 1 (Monday) through 7 (Sunday). • 3 - Returns the day number, from 0 (Monday) through 6 (Sunday). | WEEKDAY([DateSold], 4)
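The LIKE rules listed in Table 13-11 (literal characters match exactly, LIKE is case-sensitive, % matches zero or more characters), worked through as an added example that is not code from the Cisco guide or from the report viewer: a small Python matcher applied to constructed report rows. The single-character wildcard _ used in the "2_" example is given its standard SQL meaning here, which is an assumption since the page does not spell that rule out.

```python
import re


def like_to_regex(pattern: str) -> str:
    """Translate a SQL LIKE pattern into a regular expression.

    Rules from Table 13-11: literal characters must match exactly and the
    match is case-sensitive; % matches zero or more characters.  The _ in
    the page's "2_" example is assumed to be the standard SQL single-
    character wildcard.  Every other character is escaped so that regex
    metacharacters such as '.' or '*' stay literal.
    """
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def like(value, pattern: str) -> bool:
    """LIKE(str) as described in Table 13-11: True if value matches pattern.

    Non-string column values (for example the numeric quantityOrdered
    column) are compared by their text form, matching how the page applies
    LIKE([quantityOrdered], "2_") to a numeric column.  A missing (None)
    value never matches.
    """
    if value is None:
        return False
    # fullmatch: the whole value must match; DOTALL lets % span newlines.
    return re.fullmatch(like_to_regex(pattern), str(value), flags=re.DOTALL) is not None


def has_wildcards(text: str) -> bool:
    """The two rules on the page define no escape character, so a value
    containing % or _ cannot be matched literally; flag such values so a
    report author knows the pattern will behave as a wildcard."""
    return "%" in text or "_" in text


# Constructed sample rows (not from the page) in the shape of the
# customerName / quantityOrdered columns used in the Table 13-11 examples.
ROWS = [
    {"customerName": "Dunkin Donuts", "quantityOrdered": 25},
    {"customerName": "dollar store", "quantityOrdered": 2},
    {"customerName": "Acme Inc.", "quantityOrdered": 250},
    {"customerName": "D", "quantityOrdered": 21},
]


def filter_rows(rows, column: str, pattern: str):
    """Keep only the rows whose column value satisfies LIKE(pattern)."""
    return [row for row in rows if like(row.get(column), pattern)]


if __name__ == "__main__":
    # LIKE([customerName], "D%"): names beginning with an uppercase D only.
    print([r["customerName"] for r in filter_rows(ROWS, "customerName", "D%")])
    # LIKE([quantityOrdered], "2_"): two-digit quantities beginning with 2.
    print([r["quantityOrdered"] for r in filter_rows(ROWS, "quantityOrdered", "2_")])
    print(has_wildcards("100%"))
```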
Understanding Supported Operators Table 13-12 describes the mathematical and logical operators you can use in writing expressions that create calculated columns.
Using Multiply Values in Calculated Columns To use multiply values in calculated columns: Step 1 Select a column. In the report, the new calculated column appears to the right of the column you select. Step 2 Select Add Calculation. The Calculation dialog box appears. Step 3 In the Column Label field, type a header for the calculated column. The header must start with a letter and can contain only letters, numbers, underscores, and spaces.
Step 7 For the second argument, type the number of days to add. In this case, type 7. Step 8 Validate the expression, then click Apply. The new calculated column appears in the report. For every value in the Order Date column, the calculated column displays a date seven days later than the order date. Subtracting Date Values in a Calculated Column You can display the difference between two date values. Step 1 Select a column.
Figure 13-39 Aggregate Row for a Group Table 13-13 shows the aggregate functions that you can use.
Table 13-13 Aggregate Functions
Aggregate function | Description
Average | Calculates the average value of a set of data values.
Count | Counts the data rows in the column.
Count Value | Counts distinct values in the column.
First | Returns the first value in the column.
Last | Returns the last value in the column.
Creating an Aggregate Data Row To create an aggregate data row: Step 1 Select a column, then select Aggregation. The Aggregation dialog box appears. The name of the column you selected is listed in the Selected Column field. Step 2 From the Select Function menu, select the function you want to use.
Adding Additional Aggregate Rows After you create a single aggregate row for a column, you can add up to two more aggregate rows for the same column. For an item total column, for example, you can create a sum of all the values, count all the values, and get the average order total. To add an aggregate row: Step 1 Select a calculated column that contains an aggregate row, then select Aggregation. The Aggregation window appears.
Chapter 13 Managing Reports Hiding and Filtering Report Data Deleting Aggregate Rows To delete an aggregate row: Step 1 Select the calculated column that contains the aggregation you want to remove, then select Aggregation. The Aggregation dialog box appears, displaying all the aggregations for the column. Step 2 For the aggregation you want to remove, choose Delete Aggregation, then click Apply.
Figure 13-43 Suppressed Values You can suppress duplicate values to make your report easier to read. You can suppress only consecutive occurrences of duplicate values. In the Location column in Figure 13-43, the Boston value is suppressed in the second, third, fourth, and fifth rows. If Boston occurs again after the listing for NYC, that occurrence of Boston is visible and subsequent consecutive occurrences are suppressed.
Figure 13-44 Group Detail Rows Displayed Figure 13-45 shows the results of hiding the detail rows for the creditrank grouping. Figure 13-45 Group Detail Rows Hidden • To collapse a group or section, select and right-click a member of the group or section that you want to collapse. The context menu appears. • To display the group members without their detail rows, select Group > Hide Detail.
Table 13-14 Conditions to Use with Filters (continued)
Condition | Description
Bottom N | Returns the lowest n values in the column.
Bottom Percent | Returns the lowest n percent of values in the column.
Equal to | Returns values that are equal to a specified value.
Greater Than | Returns values that are greater than a specified value.
Greater Than or Equal to | Returns values that are greater than or equal to a specified value.
Table 13-15 Examples of Filter Conditions
Type of filter condition | Description | Examples of instructions to data source
Comparison | Compares the value of one expression to the value of another expression using: | quantity = 10 custName = 'Acme Inc.
Figure 13-46 Selecting a Filter Value in Interactive Viewer Step 2 To search for a value, type the value in the Find Value field, then click Find. All values that match your filter text are returned. For example, if you type 40, the text box displays any values in the column that begin with 40, such as 40, 400, 4014, and 40021. When you see the value you want in the large text box, double-click the value. The value appears in the Value field.
Step 3 From the Condition pull-down menu, select a condition. Table 13-14 describes the conditions you can select. • If you select Between or Not Between, the additional fields Value From and Value To appear to hold a range of values. • If you select Is False, Is True, Is Null, or Is Not Null, no value fields appear. For all other selections, a single value field appears. Step 4 Enter values in each of the available fields.
Figure 13-47 The Advanced Filter Dialog Box in Interactive Viewer Advanced Filter provides a great deal of flexibility in setting the filter value. For conditions that test equality and for the Between condition, you can either set a literal value or you can base the value on another data column.
Step 7 Validate the filter syntax by clicking Validate. You have now created a filter with one condition. The next step is to add conditions. Step 8 Follow Step 3 through Step 7 to create each additional filter condition. Step 9 In Filters, adjust the filter conditions to achieve the desired filtering.
Chapter 13 Managing Reports Understanding Charts Step 2 From the Filter pulldown menu, select a particular number of rows or a percentage of rows, as shown in Figure 13-48. Step 3 Enter a value in the field next to the Filter pulldown menu to specify the number or percentage of rows to display.
Figure 13-49 Parts of a Basic Bar Chart There are a variety of chart types. Some types of data are best depicted with a specific type of chart. Charts can be used as reports in themselves and they can be used together with tabular data report styles. Modifying Charts The basic characteristics of a chart are determined in the report design editor.
Changing Chart Subtype Charts have subtypes, which you can change as needed: • Bar chart: Side-by-Side, Stacked, Percent Stacked • Line chart: Overlay, Stacked, Percent Stacked • Area chart: Overlay, Stacked, Percent Stacked • Meter chart: Standard, Superimposed • Stock chart: Candlestick, Bar Stick Many chart types offer two-dimensional subtypes, in which the chart shape appears flat against the chart background.
Figure 13-50 Chart Formatting Options You use this page to: • Edit and format the default chart title. • Edit and format the default title for the category, or x-, axis. • Modify settings for the labels on the x-axis. You can: – Indicate whether to display x-axis labels. – Indicate whether to rotate x-axis labels and set the degree of rotation. – Indicate whether to stagger x-axis labels.
Chapter 14 Troubleshooting ACS with the Monitoring and Report Viewer This chapter describes the diagnostic and troubleshooting tools that the Monitoring and Report Viewer provides for the Cisco Secure Access Control System.
Chapter 14 Troubleshooting ACS with the Monitoring and Report Viewer Available Diagnostic and Troubleshooting Tools Support bundles typically contain the ACS database, log files, core files, and Monitoring and Report Viewer support files. You can exclude certain files from the support bundle, per ACS node. You can download the support bundle to your local computer.
Chapter 14 Troubleshooting ACS with the Monitoring and Report Viewer Performing Connectivity Tests
Table 14-1 Expert Troubleshooter - Diagnostic Tools (continued)
Diagnostic Tool | Description
TrustSec Tools |
Egress (SGACL) Policy | Compares the Egress Policy (SGACL) between a network device and ACS. See Comparing SGACL Policy Between a Network Device and ACS, page 14-12 for more information.
SXP-IP Mappings | Compares SXP mappings between a device and peers.
Chapter 14 Troubleshooting ACS with the Monitoring and Report Viewer Downloading ACS Support Bundles for Diagnostic Information Related Topics • Available Diagnostic and Troubleshooting Tools, page 14-1 • Connectivity Tests, page 14-1 • ACS Support Bundle, page 14-1 • Expert Troubleshooter, page 14-2 Downloading ACS Support Bundles for Diagnostic Information To create and download an ACS support bundle: Step 1 Select Monitoring and Reports > Troubleshooting > ACS Support Bundle.
• Include local logs—Check this check box to include local logs, then click All, or click Recent and enter a value from 1 to 999 in the file(s) field to specify which debug logs to include. • Include core files—Check this check box to include core files, then click All or click Include files from the last and enter a value from 1 to 365 in the day(s) field.
Working with Expert Troubleshooter

The following sections describe how to use the Expert Troubleshooter diagnostic tools:
• Troubleshooting RADIUS Authentications, page 14-6
• Executing the Show Command on a Network Device, page 14-10
• Evaluating the Configuration of a Network Device, page 14-10
• Comparing SGACL Policy Between a Network Device and ACS, page 14-12
• Comparing the SXP-IP Mappings
Table 14-4 RADIUS Authentication Troubleshooter Page (continued)

Option: Description
• NAS Port: Enter the NAS port number, or click Select to choose a NAS port number from a list. Click Clear to clear the NAS port number.
• Authentication Status: Choose the status of your RADIUS authentication from the Authentication Status drop-down list box.
The Expert Troubleshooter begins to troubleshoot your RADIUS authentication. The Monitoring and Report Viewer prompts you for additional input if required. For example, if the Expert Troubleshooter must connect to a network device, it prompts you for connection parameters and login credentials.
Table 14-5 Progress Details Page - User Input Dialog Box (continued)

Option: Description
• Prompt Expect String: Enter the prompt that the network device uses; for example, #, >, or @.
• Authentication Failure Expect String: Enter the string that the network device returns when authentication fails; for example, Incorrect password, Login invalid, and so on.
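The following is an added example, not code from the Cisco guide or from the Expert Troubleshooter itself, of how an expect-style login check of the kind the User Input dialog configures can be implemented. The prompt expect string is applied only to the tail of the output received so far, so that prompt-like characters in a login banner do not count as the exec prompt, and an authentication-failure expect string seen anywhere in the output takes precedence. The transcripts are constructed and the default expect strings are this example's assumptions, not the tool's defaults.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ExpectStrings:
    """Expect strings as the User Input dialog asks for them (defaults assumed here)."""
    # Prompt: a hostname-like token ending in > or #, anchored to the end of the
    # pending output. "-->" in a banner does not match because it has no word char.
    prompt: str = r"\w[\w.-]*[>#]\s*$"
    # Failure strings are plain substrings, as they would be typed into the dialog.
    auth_failure: tuple = ("Incorrect password", "Login invalid", "% Bad passwords")


class LoginMatcher:
    """Consumes device output chunk by chunk and decides whether login succeeded."""

    def __init__(self, expect: ExpectStrings) -> None:
        self.expect = expect
        self.buf = ""
        self.result: Optional[str] = None

    def feed(self, chunk: str) -> Optional[str]:
        if self.result is not None:
            return self.result
        self.buf += chunk
        # A failure string anywhere in the output wins. Devices usually redisplay
        # "Username:" after a failed login, so waiting for the prompt alone would
        # hang or, with a loose pattern, misreport success.
        if any(s in self.buf for s in self.expect.auth_failure):
            self.result = "auth_failed"
            return self.result
        # Only the text after the last newline may match the prompt. Matching the
        # whole buffer would let a banner line satisfy the pattern and cause the
        # tool to send commands before authentication has completed.
        tail = self.buf.rsplit("\n", 1)[-1]
        if re.search(self.expect.prompt, tail):
            self.result = "logged_in"
        return self.result


def classify_session(chunks: List[str], expect: Optional[ExpectStrings] = None) -> Optional[str]:
    """Return "logged_in", "auth_failed" or None (undecided) for a sequence of output chunks."""
    matcher = LoginMatcher(expect or ExpectStrings())
    for chunk in chunks:
        if matcher.feed(chunk) is not None:
            break
    return matcher.result


# Constructed transcripts, split into chunks the way a socket would deliver them.
SESSION_OK = [
    "User Access Verification\r\n",
    "Username: ",
    "acs-diag\r\nPassword: \r\n",
    "\r\nswitch01>",
]
SESSION_FAIL = [
    "User Access Verification\r\nUsername: acs-diag\r\nPassword: \r\n",
    "% Login invalid\r\n",
    "Username: ",
]
# A banner whose last characters look like a prompt, arriving before the newline.
SESSION_BANNER_ONLY = [
    "--> Unauthorized use is prohibited -->",
    "\r\nUsername: ",
]

if __name__ == "__main__":
    for name, chunks in [("ok", SESSION_OK), ("fail", SESSION_FAIL), ("banner", SESSION_BANNER_ONLY)]:
        print(name, classify_session(chunks))
```

With the default pattern the banner session stays undecided, which is the correct outcome; with a prompt expect string as loose as a bare `>`, the same banner is reported as a successful login, which is the failure mode to watch for when filling in the dialog.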
Executing the Show Command on a Network Device

The Execute Network Device Command diagnostic tool allows you to run any show command on a network device from the ACS web interface. The output of the show command is exactly what you would see on the device console and can be used to identify problems in the device configuration. Because the tool logs in to the device with the credentials you supply and can run any show command, it exposes whatever the device will show that account; grant access to it only to administrators who are entitled to read the device configuration.
Table 14-8 Evaluate Configuration Validator

Option: Description
Enter Information
• Network Device IP: Enter the IPv4 or IPv6 address of the network device whose configuration you want to evaluate.
Select the configuration items below that you want to compare against the recommended template.
• AAA: Checked by default.
• RADIUS: Checked by default.
• Device Discovery: Checked by default.
Comparing SGACL Policy Between a Network Device and ACS

For Security Group Access-enabled devices, ACS assigns an SGACL for every source SGT-destination SGT pair based on the Egress policy matrix that you configure in ACS. The Egress policy diagnostic tool does the following:
1. Connects to the device whose IP address you provide and obtains the ACLs for each source SGT-destination SGT pair.
2.
Use this diagnostic tool to compare the SXP-IP mappings between a device and its peers. To do this:

Step 1 Choose Monitoring and Reports > Troubleshooting > Expert Troubleshooter.
Step 2 Select SXP-IP Mappings from the list of troubleshooting tools. The Expert Troubleshooter page is refreshed and shows the Network Device IP field.
Step 3 Enter the IP address of the network device.
Step 4 Click SXP-IP Mappings in the list of troubleshooting tools. The Expert Troubleshooter page refreshes and shows the following field:
• Network Device IP: Enter the IP address of the network device.
Step 5 Click Run. The Progress Details page appears. The Monitoring and Report Viewer prompts you for additional input.
Step 10 Click Show Results Summary to view the diagnosis and resolution steps. The Results Summary page appears with the information described in Table 14-6.
Step 6 Click Show Results Summary to view the diagnosis and resolution steps.
Table 14-11 Device SGT

Option: Description
Common Connection Parameters
• Use Common Connection Parameters: Check this check box to use the following common connection parameters for the comparison:
  • Username: Enter the username for the network device.
  • Password: Enter the password.
  • Protocol: Choose the protocol from the Protocol drop-down list box.
CHAPTER 15 Managing System Operations and Configuration in the Monitoring and Report Viewer

This chapter describes the tasks that you must perform to configure and administer the Monitoring and Report Viewer. The Monitoring Configuration drawer allows you to:
• Manage data: The Monitoring and Report Viewer handles large volumes of data from ACS servers. Over time, the performance and efficiency of the Monitoring and Report Viewer depend on how well you manage that data.
• Configure and edit failure reasons: The Monitoring and Report Viewer allows you to configure the description of each failure reason code and provide instructions for resolving the problem. See Viewing Failure Reasons, page 15-15 for more information on how to edit the failure reason description and the instructions for resolution.
• Configuring System Alarm Settings, page 15-18
• Configuring Alarm Syslog Targets, page 15-18
• Configuring Remote Database Settings, page 15-18

Configuring Data Purging and Incremental Backup

The Monitoring and Report Viewer database handles large volumes of data. When the database grows too large, it slows down all processes.
If you enable incremental backup, data is purged daily at 4:00 a.m. in the local time zone of the ACS instance that runs the View process. In ACS 5.4, the View database is sized from the opt partition: the ACS View database is allocated 42 percent of the opt partition size.
only the log collector services during the compress operation, and they are up and running again after the compress operation is completed. You need to enable the log recovery feature to recover the log messages that are received during the database compress operation. In ACS 5.4, the database compress operation is automated.
From the Monitoring and Report Viewer, select Monitoring Configuration > System Operations > Data Management > Removal and Backup.

Table 15-1 Data Purging and Incremental Backup Page

Option: Description
Data Purging
• Data Repository: Use the drop-down list box to select the data repository (backup location) to be used during data purging.
Restoring Data from a Backup

Table 15-1 Data Purging and Incremental Backup Page (continued)

Option: Description
• Schedule: Use the drop-down list boxes to select the time of day when you want the full View database backup to run.
• Frequency: Use the drop-down list box to choose how often you want the full View database backup to run.
Viewing Log Collections

Table 15-2 Incremental Backup Restore Page

Column: Description
• Skip View Database backup before Restore: Check this check box to skip the Monitoring and Report Viewer database backup before restoring data from a backup. Checking this option speeds up the restore, at the cost of not having a copy of the current database to return to.
• Name: Name of the backup file.
Table 15-3 Log Collection Page

Option: Description
• ACS Server: Name of the ACS server. Click the name to open the Log Collection Details page and view recently collected logs.
• Last Syslog Message: Display only. Indicates the arrival time of the most recent syslog message, in the format Ddd Mmm dd hh:mm:ss timezone yyyy, where:
  • Ddd = Sun, Mon, Tue, Wed, Thu, Fri, Sat.
Log Collection Details Page

Use this page to view the names of the recently collected logs for an ACS server.

Step 1 From the Monitoring and Report Viewer, select Monitoring Configuration > System Operations > Log Collection.
Step 2 Do one of the following:
• Click the name of an ACS server.
Table 15-4 Log Collection Details Page

Option: Description
• Log Name: Name of the log file.
• Last Syslog Message: Display only. Indicates the arrival time of the most recent syslog message, in the format Ddd Mmm dd hh:mm:ss timezone yyyy, where:
  • Ddd = Sun, Mon, Tue, Wed, Thu, Fri, Sat.
  • Mmm = Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec.
Recovering Log Messages

The ACS server sends syslog messages to the Monitoring and Report Viewer for activities such as passed authentications, failed attempts, authorization, accounting, and so on. Each syslog message carries a sequence number.
Viewing Scheduled Jobs

Table 15-6 Scheduler Status Page

Option: Description
• Name: Display only. Name of the job.
• Type: Display only. Type of the associated job; for example, Incremental Backup Utility, Session Termination, DB Aggregation Event, Database Purge Utility, and so on. This list includes both system- and user-defined jobs.
• Owner: Display only. Owner of the associated job (System).
Viewing Process Status

Use this page to view the status of the processes running in your ACS environment. From the Monitoring and Report Viewer, select Monitoring Configuration > System Operations > Process Status.

Note: You can click the refresh symbol to refresh the contents of the page.

Table 15-7 Process Status Page

Option: Description
• Process Name: Display only. Name of the process.
Viewing Data Upgrade Status

After you upgrade to ACS 5.4, ensure that the Monitoring and Report Viewer database upgrade is complete. You can do this through the ACS web interface. Refer to the Installation Guide for Cisco Secure Access Control System 5.4 for more information on the upgrade process.
Specifying E-Mail Settings

Table 15-9 Failure Reasons Editor Page

Option: Description
• Failure Reason: Display only. The error code and associated failure reason name.
• Description: Enter a free-text description of the failure reason to assist administrators; use the text tools as needed.
Understanding Collection Filters

You can create collection filters to filter out and drop syslog events that are not used for monitoring or troubleshooting. When you configure collection filters, the Monitoring and Report Viewer does not record the matching events in the database and so saves much-needed disk space.

Note: ACS 5.
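The following added example, which is not code from the Cisco guide or from ACS, ties together the two collection-side mechanisms described above: the sequence numbers that log recovery uses to find messages that never arrived (Recovering Log Messages) and the collection filters that drop unwanted events before they are stored. It parses constructed messages in a simplified line format assumed for the example (the arrival timestamp is written in the Ddd Mmm dd hh:mm:ss timezone yyyy form the Log Collection pages display; the rest of the layout, the category names, the seq= field and the filter tuple shape are this example's own and not the ACS syslog wire format), reports the per-server sequence gaps, and then applies the filters. The order matters: a filtered message was received, so gap detection has to run on the raw stream or log recovery would re-request messages that were deliberately dropped.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample messages in the simplified format assumed for this example.
SAMPLE_LINES = [
    "Wed Nov 13 10:15:01 UTC 2013 acs01 CSCOacs_Passed_Authentications seq=1001 UserName=alice NASIP=10.1.1.5",
    "Wed Nov 13 10:15:02 UTC 2013 acs01 CSCOacs_Failed_Attempts seq=1002 UserName=bob NASIP=10.1.1.5",
    "Wed Nov 13 10:15:04 UTC 2013 acs01 CSCOacs_Passed_Authentications seq=1004 UserName=svc-monitor NASIP=10.1.1.9",
    "Wed Nov 13 10:15:05 UTC 2013 acs01 CSCOacs_Accounting seq=1005 UserName=alice NASIP=10.1.1.5",
    "Wed Nov 13 10:15:05 UTC 2013 acs02 CSCOacs_Passed_Authentications seq=7 UserName=svc-monitor NASIP=10.1.1.9",
    "Wed Nov 13 10:15:06 UTC 2013 acs02 CSCOacs_Passed_Authentications seq=8 UserName=carol NASIP=10.1.1.7",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \w+ \d{4}) "
    r"(?P<server>\S+) CSCOacs_(?P<category>\S+) seq=(?P<seq>\d+)(?P<attrs>(?: \S+=\S+)*)$"
)
# strptime pattern for the Ddd Mmm dd hh:mm:ss timezone yyyy display format.
TS_FORMAT = "%a %b %d %H:%M:%S %Z %Y"


def parse_line(line: str) -> Optional[dict]:
    """Parse one line into an event dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    attrs = dict(kv.split("=", 1) for kv in m.group("attrs").split())
    return {
        "arrived": datetime.strptime(m.group("ts"), TS_FORMAT),
        "server": m.group("server"),
        "category": m.group("category"),
        "seq": int(m.group("seq")),
        "attrs": attrs,
    }


def find_sequence_gaps(events: List[dict]) -> Dict[str, List[int]]:
    """Missing sequence numbers per sending server: the messages log recovery must fetch."""
    seen: Dict[str, set] = {}
    for e in events:
        seen.setdefault(e["server"], set()).add(e["seq"])
    gaps: Dict[str, List[int]] = {}
    for server, seqs in seen.items():
        missing = sorted(set(range(min(seqs), max(seqs) + 1)) - seqs)
        if missing:
            gaps[server] = missing
    return gaps


# A collection filter: (category or None for any category, attribute, value).
# Matching events are dropped before they reach the database.
Filter = Tuple[Optional[str], str, str]


def apply_collection_filters(events: List[dict], filters: List[Filter]) -> List[dict]:
    def dropped(e: dict) -> bool:
        return any(
            cat in (None, e["category"]) and e["attrs"].get(attr) == value
            for cat, attr, value in filters
        )
    return [e for e in events if not dropped(e)]


def collect(lines: List[str], filters: List[Filter]) -> Tuple[Dict[str, List[int]], List[dict]]:
    """Parse, check sequence continuity on the raw stream, then filter."""
    events = [e for e in (parse_line(line) for line in lines) if e is not None]
    # Gaps are computed before filtering so that a dropped message is not
    # mistaken for a lost one and re-requested by log recovery.
    return find_sequence_gaps(events), apply_collection_filters(events, filters)


if __name__ == "__main__":
    gaps, kept = collect(SAMPLE_LINES, [("Passed_Authentications", "UserName", "svc-monitor")])
    print("gaps to recover:", gaps)
    print("events stored:", [(e["server"], e["seq"]) for e in kept])
```

With the sample input, acs01 is missing sequence number 1003 and nothing else; running the same gap check after the filter instead would also report 1004, which the collector received and intentionally discarded.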
Configuring System Alarm Settings

Step 3 Click Submit.

Related Topics
• Creating and Editing Collection Filters, page 15-17
• Deleting Collection Filters, page 15-18

Deleting Collection Filters

To delete a collection filter:

Step 1 Choose Monitoring Configuration > System Configuration > Collection Filters. The Collection Filters page appears.
Configuring Remote Database Settings

Note: ACS does not support a remote database in a cluster setup.

To configure a remote database:

Step 1 From the Monitoring and Report Viewer, choose Monitoring Configuration > System Configuration > Remote Database Settings. The Remote Database Settings page appears, as described in Table 15-12.
Note: You can view the status of your export job in the Scheduler. See Viewing Scheduled Jobs, page 15-12 for more information.

Note: If two log collector servers have been configured to export data to a remote database, only one log collector server can export data to the remote database at a time.
CHAPTER 16 Managing System Administrators

System administrators are responsible for deploying, configuring, maintaining, and monitoring the ACS servers in your network. They perform these operations through the ACS administrative interface. When you define an administrator in ACS, you assign a password and a role or set of roles that determine the access privileges the administrator has for the various operations.
Understanding Administrator Roles and Accounts

• Configure administrator session settings
• Configure administrator access settings

The first time you log in to ACS 5.4, you are prompted for the predefined administrator username (ACSAdmin) and are required to change the predefined password (default). After you change the password, you can start configuring the system.
Configuring System Administrators and Accounts

When these steps are completed, the defined administrators can log in and start working in the system.

Understanding Authentication

An authentication request is the first operation of every management session. If authentication fails, the management session is terminated. If authentication passes, the management session continues until the administrator logs out or the session times out. ACS 5.
Understanding Roles

• Dynamic role assignment: Roles are assigned based on the rules in the AAC (Administrative Access Control) authorization policy.

Assigning Static Roles

ACS 5.4 allows you to assign administrator roles statically to an internal administrator account. This applies only to internal administrator accounts. If you choose the static option, you must select the administrator roles for each internal administrator account manually.
Predefined Roles

Table 16-1 shows the predefined roles included in ACS:

Table 16-1 Predefined Role Descriptions

Role: Privileges
• ChangeAdminPassword: This role is intended for ACS administrators who manage other administrator accounts. It entitles the administrator to change the passwords of other administrators.
• ChangeUserPassword: This role is intended for ACS administrators who manage internal user accounts.
Table 16-1 Predefined Role Descriptions (continued)

Role: Privileges
• SystemAdmin: This role is intended for administrators responsible for ACS system configuration and operations.
Creating, Duplicating, Editing, and Deleting Administrator Accounts

Only administrators with the appropriate role can configure identities and certificates. The identities configured in the System Administration drawer are available in the Users and Identity Stores drawer, but they cannot be modified there. When you create a new administrator, you can choose the type of identity store to use as the password type.
Table 16-2 Accounts Page

Option: Description
• Status: Current status of this administrator:
  • Enabled: This administrator is active.
  • Disabled: This administrator is not active. You cannot log in to ACS with a disabled admin account.
• Name: Name of the administrator.
• Role(s): Roles assigned to the administrator.
• Description: Description of this administrator.
Viewing Predefined Roles

Table 16-3 Administrator Accounts Properties Page (continued)

Option: Description
• Account never disabled: Check to ensure that this account is never disabled.
Configuring Authentication Settings for Administrators

Choose System Administration > Administrators > Roles. The Roles page appears with a list of predefined roles. Table 16-4 describes the fields on the Roles page.

Table 16-4 Roles Page

Field: Description
• Name: List of all configured roles. See Predefined Roles, page 16-5 for a list of the predefined roles.
• Description: Description of each role.
The Password Policies page appears with the Password Complexity and Advanced tabs.

Step 2 In the Password Complexity tab, check each check box for the rules you want to apply to administrator passwords. Table 16-6 describes the fields in the Password Complexity tab.
Configuring Session Idle Timeout

Table 16-7 Advanced Tab

Option: Description
• Disable administrator account after n days if password is not changed: Specifies that the administrator account must be disabled after n days if the password is not changed; valid values are 1 to 365. ACS does not allow you to configure this option without also configuring the Display reminder after n days option.
Configuring Administrator Access Settings

Step 1 Choose System Administration > Administrators > Settings > Session. The GUI Session page appears.
Step 2 Enter the Session Idle Timeout value in minutes. Valid values are 5 to 90 minutes.
Step 3 Click Submit.

Note: The CLI client interface has a default session timeout of 6 hours. You cannot configure the session timeout period for the CLI client interface.
Working with Administrative Access Control

Step 1 Choose System Administration > Administrators > Settings > Access. The IP Addresses Filtering page appears.
Step 2 Click the Reject connections from listed IP addresses radio button. The IP Range(s) area appears.
Step 3 Click Create in the IP Range(s) area. A new window appears.
Step 4 Enter the IP address of the machine that you do not want to be able to access ACS remotely.
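The following is an added example, not code from the Cisco guide or from ACS, of the decision the IP Addresses Filtering page makes for each administrative connection: a reject list refuses the listed ranges and allows everything else, while an allow list does the opposite. The mode names, the CIDR notation for ranges, and the lockout guard at the end are this example's own assumptions. The guard exists because a filter that does not admit the address of the administrator who submits it leaves nobody able to reach ACS, which is the situation the Resetting the Administrator Password section then has to recover from.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class AdminAccessFilter:
    """Source-address filter for the administrative interface.

    mode is "allow_listed" (only listed ranges may connect) or "reject_listed"
    (listed ranges are refused, everything else is allowed). Both names are
    assumptions made for this example.
    """

    MODES = ("allow_listed", "reject_listed")

    def __init__(self, mode: str, ranges: Iterable[str]) -> None:
        if mode not in self.MODES:
            raise ValueError(f"mode must be one of {self.MODES}")
        self.mode = mode
        # strict=False accepts "10.1.2.3/24" and normalises it to 10.1.2.0/24,
        # which is how a host address plus mask is usually typed into a form.
        self.ranges: List[Network] = [ipaddress.ip_network(r, strict=False) for r in ranges]

    def is_listed(self, source: str) -> bool:
        addr = ipaddress.ip_address(source)
        # An IPv6 client is never inside an IPv4 range and vice versa; compare
        # only ranges of the same address family.
        return any(addr in net for net in self.ranges if net.version == addr.version)

    def permits(self, source: str) -> bool:
        listed = self.is_listed(source)
        return listed if self.mode == "allow_listed" else not listed


def safe_to_apply(new_filter: AdminAccessFilter, current_admin_source: str) -> bool:
    """Lockout guard: refuse a filter that would block the administrator applying it."""
    return new_filter.permits(current_admin_source)


if __name__ == "__main__":
    reject = AdminAccessFilter("reject_listed", ["203.0.113.0/24"])
    allow = AdminAccessFilter("allow_listed", ["10.0.0.0/8", "2001:db8::/32"])
    for flt, src in [(reject, "203.0.113.7"), (reject, "10.4.4.4"),
                     (allow, "192.0.2.10"), (allow, "2001:db8::1")]:
        print(flt.mode, src, "permitted" if flt.permits(src) else "refused")
    print("safe to apply allow list from 192.0.2.10:", safe_to_apply(allow, "192.0.2.10"))
```

Note that the allow-list mode is the one that can lock everyone out: an empty or wrong allow list refuses every source, whereas an empty reject list refuses nobody.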
The AAC service processes these two policies in sequence. You need to configure both the Administrator identity policy and the Administrator authorization policy. The defaults for the two policies are:
• Identity policy: The default is Internal Identity Store.
• Authorization policy: The default is Deny Access.
The AAC service supports only the PAP authentication type.
When Deny Access is selected as the result, the administrator is denied access. In a rule-based policy, each rule contains one or more conditions and a result; for the identity policy, the result is the identity source to use for authentication.
Table 16-9 Rule-Based Identity Policy Page

Option: Description
• Policy type: Defines the type of policy to configure:
  • Simple: Specifies the result to apply to all requests.
  • Rule-based: Configures rules that apply different results depending on the request.
  Caution: If you switch between policy types, you lose your previously saved policy configuration.
• Status: The current status of the rule.
Configuring Identity Policy Rule Properties

You can create, duplicate, or edit an identity policy rule to determine the identity databases that are used to authenticate the administrator and to retrieve attributes for the administrator. Attributes can be retrieved only if you use an external database.
Administrator Authorization Policy

The authorization policy in Administrative Access Control is used to assign roles to administrators dynamically at login. The administrator's role is set according to the rules defined in the policy. A rule's conditions can include attributes and groups when the administrator is authenticated against an external database.
Table 16-11 Administrators Authorization Policy Page

Option: Description
• Status: Rule statuses are:
  • Enabled: The rule is active.
  • Disabled: ACS does not apply the results of the rule.
  • Monitor: The rule is active, but ACS does not apply the results of the rule. Results such as the hit count are written to the log, and the log entry includes an identification that the rule is monitor-only.
Table 16-12 Administrators Authorization Rule Properties Page

Option: Description
General
• Name: Name of the rule. If you are duplicating a rule, you must enter a unique name as the minimum configuration; all other fields are optional.
• Status: Rule statuses are as follows:
  • Enabled: The rule is active.
  • Disabled: ACS does not apply the results of the rule.
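The following added example, not code from the Cisco guide or from ACS, shows how the three rule statuses in Tables 16-11 and 16-12 play out in a first-match evaluation of the Administrator authorization policy, with Deny Access as the default result when no enabled rule matches. Disabled rules are skipped outright; Monitor rules have their hit counted and logged as monitor-only but contribute no result, and evaluation is assumed to continue to the next rule because the page says only that the result is not applied. The group names and rule names are constructed; the role names are the ones listed in Table 16-1.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Union

DENY_ACCESS = "Deny Access"
Value = Union[str, Set[str]]


@dataclass
class Rule:
    name: str
    status: str                      # "Enabled", "Disabled" or "Monitor"
    conditions: Dict[str, Set[str]]  # attribute -> acceptable values; every attribute must match
    roles: List[str]                 # result; an empty list stands for Deny Access


@dataclass
class AuthorizationPolicy:
    rules: List[Rule]
    default_roles: List[str] = field(default_factory=list)  # empty = Deny Access, the page's default
    hits: Dict[str, int] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def evaluate(self, attrs: Dict[str, Value]) -> List[str]:
        """First-match evaluation of the rules in order; returns the roles to assign."""
        for rule in self.rules:
            if rule.status == "Disabled":
                continue                      # never evaluated, never logged
            if not _matches(rule, attrs):
                continue
            self.hits[rule.name] = self.hits.get(rule.name, 0) + 1
            if rule.status == "Monitor":
                # Hit counted and logged as monitor-only; result not applied.
                self.log.append(f"{rule.name}: hit (monitor-only, result not applied)")
                continue
            self.log.append(f"{rule.name}: hit, roles {rule.roles or [DENY_ACCESS]}")
            return list(rule.roles) or [DENY_ACCESS]
        self.log.append("no enabled rule matched, default result applied")
        return list(self.default_roles) or [DENY_ACCESS]


def _matches(rule: Rule, attrs: Dict[str, Value]) -> bool:
    for attr, wanted in rule.conditions.items():
        actual = attrs.get(attr)
        if actual is None:
            return False
        # Group membership retrieved from an external store is a set of groups;
        # any group in common satisfies the condition.
        if isinstance(actual, (set, frozenset, list, tuple)):
            if not wanted.intersection(actual):
                return False
        elif actual not in wanted:
            return False
    return True


def build_sample_policy() -> AuthorizationPolicy:
    """Constructed policy: group names are made up, role names come from Table 16-1."""
    return AuthorizationPolicy(rules=[
        Rule("netops-trial", "Monitor", {"groups": {"NetOps"}}, ["SystemAdmin"]),
        Rule("security-admins", "Enabled", {"groups": {"SecAdmins"}}, ["SystemAdmin"]),
        Rule("helpdesk", "Enabled", {"groups": {"Helpdesk"}}, ["ChangeUserPassword"]),
        Rule("legacy-helpdesk", "Disabled", {"groups": {"Helpdesk"}}, ["SystemAdmin"]),
    ])


if __name__ == "__main__":
    policy = build_sample_policy()
    for groups in ({"Helpdesk"}, {"NetOps"}, {"NetOps", "SecAdmins"}, {"Guests"}):
        print(sorted(groups), "->", policy.evaluate({"groups": groups}))
    print("\n".join(policy.log))
```

An administrator who is only in NetOps ends up with Deny Access even though the first rule matched, which is exactly what a Monitor rule is for: the hit shows up in the log so the rule can be validated before it is switched to Enabled and starts granting SystemAdmin.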
Note: If the administrator password on the AD or LDAP server has expired or been reset, ACS denies the administrator access to the web interface.

Resetting the Administrator Password

While configuring administrator access settings, it is possible for all administrator accounts to get locked out, with none of the administrators able to access ACS from any IP address in your enterprise.
Changing the Administrator Password

The administrator password is created. You can also use the acs reset-password command to reset your ACSAdmin account password. For more information on this command, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/command/reference/cli_app_a.html#wp1887660.
CHAPTER 17 Configuring System Operations

You can configure and deploy ACS instances so that one ACS instance becomes the primary instance and the other ACS instances are registered to the primary as secondary instances. An ACS instance represents ACS software that runs on a network. An ACS deployment may consist of a single instance, or of multiple instances deployed in a distributed manner, where all instances in the system are managed centrally.
• Using the Deployment Operations Page to Create a Local Mode Instance, page 17-23

Understanding Distributed Deployment

You can configure multiple ACS servers in a deployment. Within any deployment, you designate one server as the primary server; all other servers are secondary servers.
ACS 5.4 supports one primary and twenty secondary servers in a large ACS deployment. A medium ACS deployment consists of one primary and twelve secondary servers. All ACS 5.4 deployments support 100,000 AAA clients, 10,000 network device groups, and 150,000 hosts. ACS 5.
Removing Secondary Servers

To permanently remove a secondary server from a deployment, you must first deregister the secondary server and then delete it from the primary. You can make the deregistration request either from the secondary server to be deregistered or from the primary server.
When the connection to the primary server resumes, you can reconnect the disconnected secondary instance in Local Mode to the primary server. From the secondary instance in Local Mode, you specify the Admin username and password to reconnect to the primary instance. All configuration changes made while the secondary server was in Local Mode are lost.
Scheduled Backups

Step 3 You must activate the secondary server on the primary, either automatically or by issuing a manual request.
Table 17-2 Scheduled Backups Page

Option: Description
Backup Data
The filename created by a backup consists of the prefix you enter with a time stamp and file type information appended.
• Filename Prefix: Enter a filename prefix to which ACS appends the backup time stamp. For example, if you enter ACSBackup as the filename prefix and the backup runs on June 05, 2009 at 20:37 hours, ACS creates the backup file ACSBackup-090506-2037.tar.gpg.
Backing Up Primary and Secondary Instances

ACS gives you the option to back up the primary and secondary instances at any time, apart from the regular scheduled backups. For a primary instance, you can back up the following:
• ACS configuration data only
• ACS configuration data and ADE-OS configuration data

Note: For secondary instances, ACS backs up only the ADE-OS configuration data.
Synchronizing Primary and Secondary Instances After Backup and Restore

When you restore a system backup on a primary instance, the secondary instances are not updated to the newly restored database that is present on the primary instance.
Editing Instances

Table 17-4 Distributed System Management Page

Option: Description
Primary Instance
• Name: Hostname of the primary instance.
• IP Address: IP address of the primary instance.
• Online Status: Indicates whether the primary instance is online or offline. A check mark indicates that the primary instance is online; an x indicates that it is offline.
Table 17-4 Distributed System Management Page (continued)

Option: Description
• Activate: If the option to auto-activate a newly registered secondary instance is disabled, the secondary is initially placed in the inactive state. Click Activate to activate these inactive secondary instances.
• Deregister (1): Disconnects the secondary instance from the primary instance.
Table 17-5 Distributed System Management Properties Page (continued)

Option: Description
• Statistics Polling Period (applies only to the primary instance): Rate at which the primary instance polls the secondary instances for statistical and logging information. During each polling period, the primary server does not send a query to the secondary servers; instead, all ACS servers send their health information to the log collector server.
Viewing and Editing a Secondary Instance

To edit a secondary instance:

Step 1 Choose System Administration > Operations > Distributed System Management. The Distributed System Management page appears with two tables:
• Primary Instance table: Shows the primary instance.
• Secondary Instances table: Shows a listing and the status of the secondary instances registered to the primary instance. See Table 17-4 for the column definitions.
Activating a Secondary Instance

To activate a secondary instance:

Step 1 Choose System Administration > Operations > Distributed System Management. The Distributed System Management page appears with two tables:
• Primary Instance table: Shows the primary instance.
• Secondary Instances table: Shows a listing and the status of the secondary instances registered to the primary instance.
Registering a Secondary Instance to a Primary Instance

Table 17-6 System Operations: Deployment Operations Page

Option: Description
Instance Status
• Current Status: Identifies the node you are logged in to as primary or secondary, and whether it is running in local mode.
• Primary Instance: Hostname of the primary instance.
• Primary IP: IP address of the primary instance.
Table 17-6 System Operations: Deployment Operations Page (continued)

Option: Description
Deregistration
• Deregister from Primary: Deregisters the secondary from the primary instance. The secondary instance retains the database configuration from the time it was deregistered. All nodes are marked as deregistered and inactive, and the secondary instance becomes the primary instance.
Deregistering Secondary Instances from the Distributed System Management Page

To deregister secondary instances from the Distributed System Management page:

Step 1 Choose System Administration > Operations > Distributed System Management. The Distributed System Management page appears.
Promoting a Secondary Instance from the Distributed System Management Page

The system displays the following warning message:

    This operation will deregister this server as a secondary with the primary server. ACS will be restarted. You will be required to login again. Do you wish to continue?

Step 3 Click OK.
Step 4 Log in to the ACS machine.
Step 5 Choose System Administration > Operations > Local Operations > Deployment Operations.
Promoting a Secondary Instance from the Deployment Operations Page

To promote a secondary instance to a primary instance from the Deployment Operations page:

Step 1 Choose System Administration > Operations > Local Operations > Deployment Operations. The Deployment Operations page appears. See Table 17-6 for the valid field options.
Step 2 Register the secondary instance to the primary instance.
Replicating a Secondary Instance from the Distributed System Management Page

Note: All ACS appliances must be in sync with the AD domain clock.

To replicate a secondary instance:

Step 1 Choose System Administration > Operations > Distributed System Management. The Distributed System Management page appears.
Chapter 17 Configuring System Operations Replicating a Secondary Instance from a Primary Instance The Distributed System Management page appears. On the Secondary Instance table, the Replication Status column shows UPDATED. Replication is complete on the secondary instance. Management and runtime services are current with configuration changes from the primary instance.
Failover ACS 5.4 allows you to configure multiple ACS instances for a deployment scenario. Each deployment can have one primary and multiple secondary ACS servers. Scenario 1: Primary ACS goes down in a distributed deployment Consider a deployment with three ACS instances, ACS1, ACS2, and ACS3. ACS1 is the primary, and ACS2 and ACS3 are secondaries.
Chapter 17 Configuring System Operations Using the Deployment Operations Page to Create a Local Mode Instance Cleanup....... Starting ACS.... The database on the primary server is restored successfully. Now, you can observe that all secondary servers in the distributed deployment are disconnected. Step 3 Log into the secondary web interface, choose System Administration > Operations > Local Operations > Deployment Operations, and click Request Local Mode.
Chapter 17 Configuring System Operations Using the Deployment Operations Page to Create a Local Mode Instance You can use the configuration information on the ACS Configuration Audit report to manually restore the configuration information for this instance. Creating, Duplicating, Editing, and Deleting Software Repositories To create, duplicate, edit, or delete a software repository: Step 1 Choose System Administration > Operations > Software Repositories.
Table 17-8 Software Update Repositories Properties Page (continued) Option Description Repository Information Protocol The name of the protocol that you want to use to transfer the upgrade file. Valid options are: • DISK—If you choose this protocol, you must provide the path. • FTP—If you choose this protocol, you must provide the server name, path, and credentials. Server Name Note
CH A P T E R 18 Managing System Administration Configurations After you install Cisco Secure ACS, you must configure and administer it to manage your network efficiently. The ACS web interface allows you to easily configure ACS to perform various operations. For a list of post-installation configuration tasks to get started with ACS, see Chapter 6, “Post-Installation Configuration Tasks”.
Chapter 18 Managing System Administration Configurations Configuring Global System Options Table 18-1 TACACS+ Settings Option Description Port to Listen Port number on which to listen. By default, the port number is displayed as 49 and you cannot edit this field. Connection Timeout Number of minutes before the connection times out. Session Timeout Number of minutes before the session times out. Maximum Packet Size Maximum packet size (in bytes).
Chapter 18 Managing System Administration Configurations Configuring Global System Options Table 18-2 EAP-TLS Settings (continued) Option Description Master Key Generation Period The value is used to regenerate the master key after the specified period of time. The default is one week. Revoke Click Revoke to cancel all previous master keys. This operation should be used with caution. If the ACS node is a secondary node, the Revoke option is disabled.
Table 18-4 EAP-FAST Settings (continued) Option Description Master Key Generation Period The value is used to encrypt or decrypt and sign or authenticate PACs. The default is one week. Revoke Click Revoke to revoke all previous master keys and PACs. This operation should be used with caution. If the ACS node is a secondary node, the Revoke option is disabled.
Chapter 18 Managing System Administration Configurations Managing Dictionaries Table 18-6 RSA SecurID Prompts Page Option Description Passcode Prompt Text string to request for the passcode. The default value is “Enter PASSCODE:”. Next Token Prompt Text string to request for the next token. The default value is “Enter Next TOKENCODE:”. Choose PIN Type Prompt Text string to request the PIN type. The default value is “Do you want to enter your own pin?”.
Chapter 18 Managing System Administration Configurations Managing Dictionaries • RADIUS (Cisco BBSM) • RADIUS (Cisco VPN 3000) • RADIUS (Cisco VPN 5000) • RADIUS (Juniper) • RADIUS (Nortel [Bay Networks]) • RADIUS (RedCreek) • RADIUS (US Robotics) • TACACS+ To view and choose attributes from a protocol dictionary, select System Administration > Configuration > Dictionaries > Protocols; then choose a dictionary.
Chapter 18 Managing System Administration Configurations Managing Dictionaries • Click Create. • Check the check box next to the RADIUS VSA that you want to duplicate, then click Duplicate. • Check the check box next to the RADIUS VSA that you want to edit, then click Edit. The Create RADIUS VSA page appears. Modify the fields as described in Table 18-8. Table 18-8 RADIUS VSA - Create, Duplicate, Edit Page Option Description Attribute Name of the RADIUS VSA.
Chapter 18 Managing System Administration Configurations Managing Dictionaries Table 18-9 Creating, Duplicating, and Editing RADIUS Subattributes Option Description General Attribute Name of the subattribute. The name must be unique. Description (Optional) A brief description of the subattribute. RADIUS Configuration Vendor Attribute ID Enter the vendor ID field for the subattribute. This value must be unique for this vendor.
Chapter 18 Managing System Administration Configurations Managing Dictionaries Table 18-9 Creating, Duplicating, and Editing RADIUS Subattributes Option Description ID-Value (Optional) For the Enumeration attribute type only. • ID—Enter a number from 0 to 999. • Value—Enter a value for the ID. • Click Add to add this ID-Value pair to the ID-Value table. To edit, replace, and delete ID-Value pairs: • Select the ID-Value pair from the ID-Value table.
Chapter 18 Managing System Administration Configurations Managing Dictionaries Related Topic Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes, page 18-6 Configuring Identity Dictionaries This section contains the following topics: • Creating, Duplicating, and Editing an Internal User Identity Attribute, page 18-10 • Deleting an Internal User Identity Attribute, page 18-12 • Creating, Duplicating, and Editing an Internal Host Identity Attribute, page 18-13 • Creating, Duplicat
Chapter 18 Managing System Administration Configurations Managing Dictionaries Configuring Internal Identity Attributes Table 18-10 describes the fields in the internal identity attributes. Table 18-10 Identity Attribute Properties Page Option Description General Attribute Name of the attribute. Description Description of the attribute. Attribute Type Attribute Type (Optional) Use the drop-down list box to choose an attribute type.
Chapter 18 Managing System Administration Configurations Managing Dictionaries Table 18-10 Identity Attribute Properties Page (continued) Option Description ID-Value (Optional) For the Enumeration attribute type only. • ID—Enter a number from 0 to 999. • Value—Enter a value for the ID. • Click Add to add this ID-Value pair to the ID-Value table. To edit, replace, and delete ID-Value pairs: • Select the ID-Value pair from the ID-Value table. • Click Edit to edit the ID and Value fields.
Chapter 18 Managing System Administration Configurations Managing Dictionaries Creating, Duplicating, and Editing an Internal Host Identity Attribute To create, duplicate, and edit an internal host identity attribute: Step 1 Select System Administration > Configuration > Dictionaries > Identity > Internal Hosts. The Attributes list for the Internal Hosts page appears. Step 2 Do one of the following: • Click Create.
Adding a Static IP Address to Users in the Internal Identity Store To add a static IP address to a user in the Internal Identity Store: Step 1 Add a static IP attribute to the internal user attribute dictionary: Step 2 Select System Administration > Configuration > Dictionaries > Identity > Internal Users. Step 3 Click Create. Step 4 Add the static IP attribute.
Chapter 18 Managing System Administration Configurations Adding Local Server Certificates Table 18-11 Local Certificates Page Option Description Friendly Name Name that is associated with the certificate. Issued To Entity to which the certificate is issued. The name that appears is from the certificate subject. Issued By Trusted party that issued the certificate. Valid From Date the certificate is valid from. Valid To (Expiration) Date the certificate is valid to.
Table 18-13 Import Server Certificate Page Option Description Certificate File Select to browse the client machine for the local certificate file. Private Key File Select to browse to the location of the private key. Private Key Password Enter the private key password. The password may be from 0 to 256 characters long.
Table 18-14 Generate Self Signed Certificate Step 2 Option Description Management Interface Check to associate the certificate with the management interface. Allow Duplicate Certificates Allows you to add a certificate with the same CN and the same SKI but a different Valid From date, Valid To date, and serial number.
Chapter 18 Managing System Administration Configurations Adding Local Server Certificates Binding CA Signed Certificates Use this page to bind a CA signed certificate to the request that was used to obtain the certificate from the CA. Step 1 Select System Administration > Configurations > Local Server Certificates > Local Certificates > Add. Step 2 Select Bind CA Signed Certificate > Next.
Chapter 18 Managing System Administration Configurations Adding Local Server Certificates Table 18-17 Edit Certificate Store Properties Page Option Description Issuer Friendly Name Name that is associated with the certificate. Description Description of the certificate. Issued To Display only. The entity to which the certificate is issued. The name that appears is from the certificate subject. Issued By Display only. The certification authority that issued the certificate.
Chapter 18 Managing System Administration Configurations Adding Local Server Certificates The Certificate Store page appears without the deleted certificate(s). Related Topic • Configuring Local Server Certificates, page 18-14 Exporting Certificates To export a certificate: Step 1 Select System Administration > Configuration > Local Server Certificates > Local Certificates. Step 2 Check the box next to the certificates that you want to export, then click Export.
Table 18-18 Step 2 Certificate Signing Request Page (continued) Option Description Key Length Key length entered during generation of this request. Values may be 512, 1024, 2048, or 4096. Timestamp Date the certificate was created. Friendly Name Name that is associated with the certificate. Click Export to export the local certificate to a client machine.
Chapter 18 Managing System Administration Configurations Configuring Logs Step 1 Select System Administration > Configuration > Log Configuration > Remote Log Targets. The Remote Log Targets page appears. Step 2 Do one of the following: • Click Create. • Check the check box next to the remote log target that you want to duplicate and click Duplicate.
Chapter 18 Managing System Administration Configurations Configuring Logs Table 18-19 Remote Log Targets Configuration Page (continued) Option Description Facility Code Facility code. Valid options are: • LOCAL0 (Code = 16) • LOCAL1 (Code = 17) • LOCAL2 (Code = 18) • LOCAL3 (Code = 19) • LOCAL4 (Code = 20) • LOCAL5 (Code = 21) • LOCAL6 (Code = 22; default) • LOCAL7 (Code = 23) This option is only visible if you click Use Advanced Syslog Options.
Chapter 18 Managing System Administration Configurations Configuring Logs Configuring the Local Log Use the Local Configuration page to configure the maximum days to retain your local log data. Step 1 Select System Administration > Configuration > Log Configuration > Local Log Target. The Local Configuration page appears. Step 2 In the Maximum log retention period box, enter the number of days for which you want to store local log message files, where is the number of days you enter.
Chapter 18 Managing System Administration Configurations Configuring Logs Configuring Global Logging Categories To view and configure global logging categories: Step 1 Select System Administration > Configuration > Log Configuration > Logging Categories > Global. The Logging Categories page appears; from here, you can view the logging categories.
Chapter 18 Managing System Administration Configurations Configuring Logs Table 18-21 Global: Remote Syslog Target Page Option Description Configure Syslog Targets Step 6 Available targets List of available targets. You can select a target from this list and move it to the Selected Targets list. Selected targets List of selected targets. You can select a target from this list and move it to the Available Targets list to remove it from your configuration. Click Submit.
Chapter 18 Managing System Administration Configurations Configuring Logs Table 18-22 Administrative and Operational Logs Not Logged in the Local Target (continued) Category Log and Description File-Management Software-Management System-Management • ACS_DELETE_CORE—ACS core files deleted • ACS_DELETE_LOG—ACS log files deleted • ACS_UPGRADE—ACS upgraded • ACS_PATCH—ACS patch installed • UPGRADE_SCHEMA_CHANGE—ACS schema upgrade complete • UPGRADE_DICTIONARY—ACS dictionary upgrade complete
Chapter 18 Managing System Administration Configurations Configuring Logs Viewing ADE-OS Logs The logs listed in Table 18-22 are written to the ADE-OS logs. From the ACS CLI, you can use the following command to view the ADE-OS logs: show logging system This command lists all the ADE-OS logs and your output would be similar to the following example. Sep 29 23:24:15 cd-acs5-13-179 sshd(pam_unix)[20013]: 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.77.137.
Chapter 18 Managing System Administration Configurations Configuring Logs Sep 29 06:28:28 cd-acs5-13-103 MSGCAT58004/admin: ACS Stopped Sep 29 06:31:41 cd-acs5-13-103 MSGCAT58037/admin: Installing ACS Sep 29 09:52:35 cd-acs5-13-103 MSGCAT58007: Killing Tomcat 32729 Sep 29 09:52:46 cd-acs5-13-103 MSGCAT58004/admin: ACS Stopped Sep 29 09:53:29 cd-acs5-13-103 MSGCAT58004/admin: ACS Starting Sep 29 10:37:45 cd-acs5-13-103 MSGCAT58018/admin: [ACS-modify-migration-state] completed successfully - interface migra
Chapter 18 Managing System Administration Configurations Configuring Logs Configuring Per-Instance Security and Log Settings You can configure the severity level and local log settings in a logging category configuration for a specific overridden or custom ACS instance. Use this page to: Step 1 • View a tree of configured logging categories for a specific ACS instance. • Open a page to configure a logging category’s severity level, log target, and logged attributes for a specific ACS instance.
Chapter 18 Managing System Administration Configurations Configuring Logs Table 18-24 Per-Instance: General Page Option Description Configure Log Category Log Severity Use the list box to select the severity level for diagnostic logging categories. (For audit and accounting categories, there is only one severity, NOTICE, which cannot be modified.) Valid options are: • FATAL—Emergency. The ACS is not usable and you must take action immediately. • ERROR—Critical or error condition.
Chapter 18 Managing System Administration Configurations Configuring Logs Table 18-25 Per-Instance: Remote Syslog Targets Page Option Description Configure Syslog Targets Available targets List of available targets. You can select a target from this list and move it to the Selected Targets list. Selected targets List of selected targets. You can select a target from this list and move it to the Available Targets list to remove it from your configuration.
Chapter 18 Managing System Administration Configurations Configuring Logs Configuring the Log Collector Use the Log Collector page to select a log data collector and suspend or resume log data transmission. Step 1 Select System Administration > Configuration > Log Configuration > Log Collector. The Log Collector page appears.
Licensing Overview To operate ACS, you must install a valid license. ACS prompts you to install a valid base license when you first access the web interface. Each ACS instance (primary or secondary) in a distributed deployment requires a unique base license. Note Each server requires a unique base license in a distributed deployment. Types of Licenses Table 18-29 shows the ACS 5.4 license support.
Chapter 18 Managing System Administration Configurations Installing a License File Related Topics • Licensing Overview, page 18-34 • Installing a License File, page 18-35 • Viewing the Base License, page 18-36 • Adding Deployment License Files, page 18-39 • Deleting Deployment License Files, page 18-40 Installing a License File You can obtain a valid license file using the Product Activation Key (PAK) supplied with the product. To install a license file: Step 1 Log into the ACS web interface.
Chapter 18 Managing System Administration Configurations Installing a License File Viewing the Base License To upgrade the base license: Step 1 Select System Administration > Configuration > Licensing > Base Server License. The Base Server License page appears with a description of the ACS deployment configuration and a list of the available deployment licenses. See Types of Licenses for a list of deployment licenses. Table 18-30 describes the fields in the Base Server License page.
Chapter 18 Managing System Administration Configurations Installing a License File Related Topic • Upgrading the Base Server License, page 18-37 Upgrading the Base Server License You can upgrade the base server license. Step 1 Select System Administration > Configuration > Licensing > Base Server License. The Base Server License page appears with a description of the ACS deployment configuration and a list of the available deployment licenses. See Types of Licenses for a list of deployment licenses.
Chapter 18 Managing System Administration Configurations Viewing License Feature Options Viewing License Feature Options You can add, upgrade, or delete existing deployment licenses. The configuration pane at the top of the page shows the deployment information. Select System Administration > Configuration > Licensing > Feature Options.
Chapter 18 Managing System Administration Configurations Adding Deployment License Files Adding Deployment License Files To add a new base deployment license file: Step 1 Select System Administration > Configuration > Licensing > Feature Options. The Feature Options page appears with a description of the ACS deployment configuration and a list of the available deployment licenses and their configurations. See Add-on Licenses in Types of Licenses for a list of deployment licenses.
Chapter 18 Managing System Administration Configurations Deleting Deployment License Files Related Topics • Licensing Overview, page 18-34 • Types of Licenses, page 18-34 • Installing a License File, page 18-35 • Viewing the Base License, page 18-36 • Deleting Deployment License Files, page 18-40 Deleting Deployment License Files To delete deployment license files: Step 1 Select System Administration > Configuration > Licensing > Feature Options.
Chapter 18 Managing System Administration Configurations Available Downloads Downloading Migration Utility Files To download migration application files and the migration guide for ACS 5.4: Step 1 Choose System Administration > Downloads > Migration Utility. The Migration from 4.x page appears. Step 2 Click Migration application files, to download the application file you want to use to run the migration utility.
Chapter 18 Managing System Administration Configurations Available Downloads To download these sample scripts: Step 1 Choose System Administration > Downloads > Sample Python Scripts. The Sample Python Scripts page appears. Step 2 Step 3 Click one of the following: • Python Script for Using the User Change Password Web Service—To download the sample script for the UCP web service.
CH A P T E R 19 Understanding Logging This chapter describes logging functionality in ACS 5.4. Administrators and users use the various management interfaces of ACS to perform different tasks. Using the administrative access control feature, you can assign permissions to administrators and users to perform different tasks. Apart from this, you also need an option to track the various actions performed by the administrators and users.
Chapter 19 Understanding Logging About Logging Using Log Targets You can specify to send customer log information to multiple consumers or Log Targets and specify whether the log messages are stored locally in text format or forwarded to syslog servers. By default, a single predefined local Log Target called Local Store stores data in text format on an ACS server and contains log messages from the local ACS server only. You can view records stored in the Local Store from the CLI.
Note For complex configuration items or attributes, such as policy or DACL contents, the new attribute value is reported as "New/Updated" and the audit does not contain the actual attribute value or values. – ACS administrator access—Logs all events that occur from the time an administrator accesses the system until the administrator logs out. It logs whether the administrator exits ACS with an explicit request or if the session has timed out.
Chapter 19 Understanding Logging About Logging Each log message contains the following information: • Event code—A unique message code. • Logging category—Identifies the category to which a log message belongs. • Severity level—Identifies the level of severity for diagnostics. See Log Message Severity Levels, page 19-4 for more information. • Message class—Identifies groups of messages of similar context, for example, RADIUS, policy, or EAP-related context.
Table 19-1 Log Message Severity Levels (ACS Severity Level, Syslog Severity Level, Description)
FATAL, syslog 1 (highest): Emergency. ACS is not usable and you must take action immediately.
ERROR, syslog 3: Critical or error conditions.
WARN, syslog 4: Normal, but significant condition.
NOTICE, syslog 5: Audit and accounting messages. Messages of severity NOTICE are always sent to the configured log targets and are not filtered, regardless of the specified severity threshold.
Chapter 19 Understanding Logging About Logging Table 19-2 Local Store and Syslog Message Format Field Description timestamp Date of the message generation, according to the local clock of the originating ACS, in the format YYYY- MM-DD hh:mm:ss:xxx +/-zh:zm. Possible values are: • YYYY = Numeric representation of the year. • MM = Numeric representation of the month. For single-digit months (1 to 9) a zero precedes the number. • DD = Numeric representation of the day of the month.
Chapter 19 Understanding Logging About Logging You can use the web interface to configure the number of days to retain local store log files; however, the default setting is to purge data when it exceeds 5 MB or each day, whichever limit is first attained. If you do configure more than one day to retain local store files and the data size of the combined files reaches 95000Mb, a FATAL message is sent to the system diagnostic log, and all logging to the local store is stopped until data is purged.
• When you configure a critical log target, and a message is sent to that critical log target, the message is also sent to the configured noncritical log target on a best-effort basis. • When you configure a critical log target, and a message does not log to that critical log target, the message is also not sent to the configured noncritical log.
Table 19-3 Remote Syslog Message Header Format Field Description pri_num Priority value of the message; a combination of the facility value and the severity value of the message. Priority value = (facility value × 8) + severity value.
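The pri_num computation above, together with the LOCAL0 to LOCAL7 facility codes from Table 18-19 and the ACS-to-syslog severity mapping from Table 19-1, worked through as an added example (not Cisco code). It assumes the standard `<PRI>` framing for the header prefix; the INFO (6) and DEBUG (7) rows are assumed from standard syslog severities because that part of the table is cut off here.

```python
"""Compute and decode the syslog PRI value carried in ACS remote syslog headers.

Added example, not Cisco code. Facility codes follow Table 18-19 (LOCAL6 = 22 is
the ACS default) and the ACS severity mapping follows Table 19-1; INFO and DEBUG
are assumed from the standard syslog severity values.
"""
from __future__ import annotations

import re

FACILITY_CODES = {f"LOCAL{i}": 16 + i for i in range(8)}
FACILITY_NAME = {code: name for name, code in FACILITY_CODES.items()}
DEFAULT_FACILITY = "LOCAL6"  # Code 22, the ACS default

# ACS severity name -> syslog severity value (Table 19-1; INFO/DEBUG assumed).
ACS_SEVERITY = {"FATAL": 1, "ERROR": 3, "WARN": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7}
SEVERITY_NAME = {value: name for name, value in ACS_SEVERITY.items()}


def pri_value(acs_severity: str, facility: str = DEFAULT_FACILITY) -> int:
    """Priority value = (facility value * 8) + severity value."""
    return FACILITY_CODES[facility] * 8 + ACS_SEVERITY[acs_severity]


def decode_pri(pri: int) -> tuple[str, str]:
    """Split a PRI back into (facility name, ACS severity name).

    Rejects values outside the LOCALn facilities or outside the severities
    ACS emits, which would indicate a message that did not come from ACS.
    """
    facility_code, severity = divmod(pri, 8)
    facility = FACILITY_NAME.get(facility_code)
    name = SEVERITY_NAME.get(severity)
    if facility is None or name is None:
        raise ValueError(f"PRI {pri} is not an ACS LOCALn facility/severity pair")
    return facility, name


def is_forwarded(acs_severity: str, threshold: str) -> bool:
    """Apply a logging category's severity threshold.

    NOTICE (audit and accounting) is never filtered. A diagnostic message is
    forwarded only when it is at least as severe as the threshold; a lower
    syslog value means a more severe message.
    """
    if acs_severity == "NOTICE":
        return True
    return ACS_SEVERITY[acs_severity] <= ACS_SEVERITY[threshold]


_PRI_PREFIX = re.compile(r"^<(?P<pri>\d{1,3})>")


def parse_header_pri(line: str) -> tuple[str, str]:
    """Read the <PRI> prefix of a remote syslog line and decode it."""
    match = _PRI_PREFIX.match(line)
    if not match:
        raise ValueError("line has no <PRI> prefix")
    return decode_pri(int(match.group("pri")))


# Constructed sample line: LOCAL6 facility, WARN severity -> PRI 22*8 + 4 = 180.
SAMPLE_LINE = "<180>Sep 29 23:24:15 cd-acs5-13-179 CSCOacs_Internal_Operations_Diagnostics"
```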
The syslog message data or payload is the same as the Local Store Message Format, which is described in Table 19-2. The remote syslog server targets are identified by the facility code names LOCAL0 to LOCAL7 (LOCAL6 is the default logging location). Log messages that you assign to the remote syslog server are sent to the default location for Linux syslog (/var/log/messages); however, you can configure a different location on the server.
Chapter 19 Understanding Logging About Logging The Monitoring and Report Viewer has two drawer options: • Monitoring and Reports—Use this drawer to view and configure alarms, view log reports, and perform troubleshooting tasks. • Monitoring Configuration—Use this drawer to view and configure logging operations and system settings.
Chapter 19 Understanding Logging ACS 4.x Versus ACS 5.4 Logging ACS 4.x Versus ACS 5.4 Logging If you are familiar with the logging functionality in ACS 4.x, ensure that you familiarize yourself with the logging functionality of ACS 5.4, which is considerably different. Table 19-4 describes the differences between the logging functionality of ACS 4.x and ACS 5.4. Table 19-4 ACS 4.x vs. ACS 5.4 Logging Functionality This logging function… Log Types is handled this way in ACS 4.
Table 19-4 ACS 4.x vs. ACS 5.4 Logging Functionality (continued) This logging function… Configuration. Is handled this way in ACS 4.x… Use the System Configuration > Logging page to define: • Loggers and individual logs • Critical loggers • Remote logging • CSV log file • Syslog log • ODBC log. And this way in ACS 5.4… See Configuring Logs, page 18-21 and the CLI Reference Guide for Cisco Secure Access Control System 5.4.
A P P E N D I X A AAA Protocols This section contains the following topics: • Typical Use Cases, page A-1 • Access Protocols—TACACS+ and RADIUS, page A-5 • Overview of TACACS+, page A-5 • Overview of RADIUS, page A-6 Typical Use Cases This section contains the following topics: • Device Administration (TACACS+), page A-1 • Network Access (RADIUS With and Without EAP), page A-2 Device Administration (TACACS+) Figure A-1 shows the flows associated with device administration.
Appendix A AAA Protocols Typical Use Cases Session Access Requests (Device Administration [TACACS+]) Note The numbers refer to Figure A-1 on page A-1. For session request: 1. An administrator logs into a network device. 2. The network device sends a TACACS+ access request to ACS. 3. ACS uses an identity store to validate the user's credentials. 4. ACS sends a TACACS+ response to the network device that applies the decision.
Appendix A AAA Protocols Typical Use Cases – EAP protocols that involve a TLS handshake and in which the client uses the ACS server certificate to perform server authentication: PEAP, using one of the following inner methods: PEAP/EAP-MSCHAPv2 and PEAP/EAP-GTC EAP-FAST, using one of the following inner methods: EAP-FAST/EAP-MSCHAPv2 and EAP-FAST/EAP-GTC – EAP protocols that are fully certificate-based, in which the TLS handshake uses certificates for both server and client authentication: EAP-TLS PEAP w
Appendix A AAA Protocols Typical Use Cases – EAP-FAST/EAP-MSCHAPv2 – EAP-FAST/EAP-GTC • EAP methods that use certificates for both server and client authentication – EAP-TLS – PEAP/EAP-TLS Whenever EAP is involved in the authentication process, it is preceded by an EAP negotiation phase to determine which specific EAP method (and inner method, if applicable) should be used. For all EAP authentications: 1. A host connects to a network device. 2. The network device sends an EAP Request to the host.
Appendix A AAA Protocols Access Protocols—TACACS+ and RADIUS Access Protocols—TACACS+ and RADIUS This section contains the following topics: • Overview of TACACS+, page A-5 • Overview of RADIUS, page A-6 ACS 5.4 can use the TACACS+ and RADIUS access protocols. Table A-1 compares the two protocols. Table A-1 TACACS+ and RADIUS Protocol Comparison Point of Comparison TACACS+ RADIUS Transmission Protocol TCP—Connection-oriented transport-layer protocol, reliable full-duplex data transmission.
Appendix A AAA Protocols Overview of RADIUS Overview of RADIUS This section contains the following topics: • RADIUS VSAs, page A-6 • ACS 5.4 as the AAA Server, page A-7 • RADIUS Attribute Support in ACS 5.4, page A-8 • RADIUS Access Requests, page A-11 RADIUS is a client/server protocol through which remote access servers communicate with a central server to authenticate dial-in users, and authorize their access to the requested system or service.
Appendix A AAA Protocols Overview of RADIUS ACS 5.4 as the AAA Server A AAA server is a server program that handles user requests for access to computer resources, and for an enterprise, provides AAA services. The AAA server typically interacts with network access and gateway servers, and databases and directories that contain user information. The current standard by which devices or applications communicate with an AAA server is RADIUS. ACS 5.
Appendix A AAA Protocols Overview of RADIUS RADIUS Attribute Support in ACS 5.4 ACS 5.4 supports the RADIUS protocol as RFC 2865 describes. ACS 5.4 supports the following types of RADIUS attributes: • IETF RADIUS attributes • Generic and Cisco VSAs • Other vendors’ attributes ACS 5.4 also supports attributes defined in the following extensions to RADIUS: Note • Accounting-related attributes, as defined in RFC 2866. • Support for Tunnel Protocol, as defined in RFCs 2867 and 2868.
Appendix A AAA Protocols Overview of RADIUS Authentication ACS supports various authentication protocols transported over RADIUS. The supported protocols that do not include EAP are: • PAP • CHAP • MSCHAPv1 • MSCHAPv2 In addition, various EAP-based protocols can be transported over RADIUS, encapsulated within the RADIUS EAP-Message attribute. These can be further categorized with respect to whether or not, and to what extent, they make use of certificates.
An administrator can configure the attribute operation clause for a specific proxy access service. When this service is selected, ACS performs the operation on the access request and forwards the updated access request to the external server. ACS 5.4 does not support conditioning on the existing value.
• If multiple attributes are allowed, the update operation removes all occurrences of this attribute and adds one attribute with the new value.
Example: Login-IP-Host attribute, Multiple allowed
On the Access Request:
Login-IP-Host=10.56.21.190
Login-IP-Host=10.56.1.1
Attribute Operation statement:
Login-IP-Host UPDATE 10.12.12.12
Result of the attribute operation on the request forwarded to the server:
Login-IP-Host=10.12.12.
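The UPDATE semantics just described, applied to the guide's Login-IP-Host example, as an added example (not Cisco code). It goes slightly beyond the text: the ADD and DELETE operations, UPDATE adding the attribute when it is absent, and ADD replacing the value of a single-valued attribute are assumptions of this example, and the User-Name attribute in the sample request is constructed.

```python
"""Apply proxy access service attribute-operation statements to a RADIUS
access request before it is forwarded to an external server.

Added example, not Cisco code. The request is an ordered list of
(attribute, value) pairs so that repeated attributes survive. UPDATE on a
multi-valued attribute follows the text: every occurrence is removed and one
attribute with the new value is added, without inspecting the existing values
(ACS 5.4 does not condition on them). ADD and DELETE, UPDATE on an absent
attribute, and ADD on a single-valued attribute are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

Request = list[tuple[str, str]]


@dataclass(frozen=True)
class AttributeOperation:
    attribute: str
    operation: str                # UPDATE from the text; ADD and DELETE assumed
    value: str | None = None

    @classmethod
    def parse(cls, statement: str) -> "AttributeOperation":
        """Parse a statement such as 'Login-IP-Host UPDATE 10.12.12.12'."""
        parts = statement.split()
        if len(parts) == 2 and parts[1].upper() == "DELETE":
            return cls(parts[0], "DELETE")
        if len(parts) == 3 and parts[1].upper() in ("ADD", "UPDATE"):
            return cls(parts[0], parts[1].upper(), parts[2])
        raise ValueError(f"malformed attribute operation: {statement!r}")


def apply_operation(request: Request, op: AttributeOperation,
                    multiple_allowed: bool) -> Request:
    """Return a new request with one operation applied."""
    others = [(a, v) for a, v in request if a != op.attribute]
    if op.operation == "DELETE":
        return others
    if op.operation == "UPDATE" or not multiple_allowed:
        # Every occurrence removed, exactly one attribute with the new value added.
        return others + [(op.attribute, op.value)]
    # ADD on a multi-valued attribute keeps the existing occurrences (assumed).
    return request + [(op.attribute, op.value)]


def forward_request(request: Request, statements: list[str],
                    multiple_allowed: dict[str, bool]) -> Request:
    """Apply the service's statements in order.

    Attributes not listed in multiple_allowed are treated as single-valued.
    """
    for statement in statements:
        op = AttributeOperation.parse(statement)
        request = apply_operation(request, op, multiple_allowed.get(op.attribute, False))
    return request


def render(request: Request) -> list[str]:
    """Format the request as the guide lists it: one 'Attribute=value' per line."""
    return [f"{a}={v}" for a, v in request]


# The guide's example as constructed input (User-Name added for realism).
INCOMING_REQUEST: Request = [
    ("User-Name", "alice"),
    ("Login-IP-Host", "10.56.21.190"),
    ("Login-IP-Host", "10.56.1.1"),
]
MULTIPLE_ALLOWED = {"Login-IP-Host": True}
```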
When the RADIUS server receives the Access-Request from the NAD, it searches a database for the username. Depending on the result of the database query, an Access-Accept or an Access-Reject is sent. A text message can accompany the Access-Reject message to indicate the reason for the refusal. In RADIUS, authentication and authorization are coupled: the same Access-Accept that confirms the identity also carries the authorization attributes for the session.
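The Access-Request/Access-Accept exchange above, worked through in Python as an added example (this is not ACS code or any Cisco implementation): the NAD hides the PAP User-Password as RFC 2865 section 5.2 specifies, the server recovers it, looks the user up and answers with an Accept or a Reject carrying a Reply-Message, and the NAD checks the Response Authenticator (RFC 2865 section 3) before trusting the answer. The shared secret, the user database and the fixed Request Authenticator used in the test are constructed sample values.

```python
import hashlib
import os
import secrets
import struct

# RADIUS codes and attribute numbers from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18
HEADER_LEN = 20   # Code, Identifier, Length, 16-byte Authenticator


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + authenticator + attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad with NULs to a multiple
    of 16, then XOR each block with MD5(secret + previous ciphertext block),
    the first block keyed with the Request Authenticator. This is obfuscation,
    not encryption: anyone holding the shared secret and a capture inverts it,
    which is why PAP over RADIUS belongs only on trusted links."""
    if not 0 < len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: invert hide_password and strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def build_access_request(ident, username, password, secret, request_auth=None):
    """NAD side: a fresh random Request Authenticator per request."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_handle(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Look up the user, compare the recovered password, and answer with
    Access-Accept or Access-Reject (carrying a Reply-Message text). The
    Accept is where a real server also adds the authorization attributes."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:HEADER_LEN], request[HEADER_LEN:length]
    fields, pos = {}, 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        fields[atype] = attrs[pos + 2:pos + alen]
        pos += alen
    if code != ACCESS_REQUEST or USER_PASSWORD not in fields:
        raise ValueError("expected an Access-Request with User-Password")
    username = fields.get(USER_NAME, b"")
    supplied = reveal_password(fields[USER_PASSWORD], secret, request_auth)
    if username in user_db and secrets.compare_digest(supplied, user_db[username]):
        out_code, out_attrs = ACCESS_ACCEPT, b""
    else:
        out_code, out_attrs = ACCESS_REJECT, attr(REPLY_MESSAGE, b"Invalid username or password")
    auth = response_authenticator(out_code, ident, out_attrs, request_auth, secret)
    return packet(out_code, ident, auth, out_attrs)


def client_verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAD side: recompute the Response Authenticator, so an Access-Accept
    forged by someone without the shared secret is not trusted."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, ident, response[HEADER_LEN:length], request[4:HEADER_LEN], secret)
    return secrets.compare_digest(expected, response[4:HEADER_LEN])


# Constructed sample: one user in the server's database.
USER_DB = {b"alice": b"correct horse battery"}

if __name__ == "__main__":
    shared = b"radius-shared-secret"
    req = build_access_request(1, b"alice", b"correct horse battery", shared)
    resp = server_handle(req, shared, USER_DB)
    print("code", resp[0], "authentic", client_verify_response(resp, req, shared))
```

The Response Authenticator is what stops a rogue host from answering a NAD's request with a fabricated Access-Accept: it is keyed with the shared secret and bound to the Request Authenticator of that particular request, so the forgery in the test below fails verification.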
Appendix B Authentication in ACS 5.4

Authentication verifies user information to confirm the user's identity. Traditional authentication uses a name and a fixed password. More secure methods use cryptographic techniques, such as those used inside the Challenge-Handshake Authentication Protocol (CHAP), one-time passwords (OTP), and advanced EAP-based protocols. ACS supports a variety of these authentication methods. A fundamental implicit relationship exists between authentication and authorization.
This appendix describes the following:
• RADIUS-based authentication that does not include EAP:
  – PAP, page B-2
  – CHAP, page B-32
  – MSCHAPv1
  – EAP-MSCHAPv2, page B-30
• EAP family of protocols transported over RADIUS, which can be further classified as:
  – Simple EAP protocols that do not use certificates:
    EAP-MD5—For more information, see EAP-MD5, page B-5.
    LEAP—For more information, see LEAP, page B-32.
RADIUS PAP Authentication

You can use different levels of security concurrently with ACS for different requirements. PAP applies a two-way handshaking procedure. If authentication succeeds, ACS returns an acknowledgement; otherwise, ACS terminates the connection or gives the originator another chance. The originator is in total control of the frequency and timing of the attempts. Because PAP transmits the password itself, protected only by the RADIUS User-Password hiding under the shared secret, use it only where the link between the NAD and ACS is trusted, and prefer a challenge-response or EAP method elsewhere.
EAP

In ACS 5.4, EAP is encapsulated in the RADIUS protocol. Incoming and outgoing EAP messages are stored in the RADIUS EAP-Message attribute (79). A single RADIUS packet can contain multiple EAP-Message attributes when the size of a particular EAP message is greater than the maximum RADIUS attribute data size (253 bytes). The RADIUS State attribute (24) stores the current EAP session reference information, and ACS stores the actual EAP session data.
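The encapsulation above, shown as an added example (not ACS or Cisco code): an EAP packet larger than 253 bytes is split across consecutive EAP-Message (79) attributes, the State (24) handle rides alongside it, and the receiver reassembles the EAP packet and checks its own Length field. It also computes and verifies the Message-Authenticator (80) that RFC 3579 requires on any RADIUS packet carrying EAP-Message, which the guide does not mention but which is what keeps the EAP payload from being altered in transit. The EAP-TLS payload, the State value and the shared secret are constructed samples.

```python
import hashlib
import hmac
import struct

# RADIUS attribute numbers (RFC 2865 / RFC 3579) and EAP codes (RFC 3748).
EAP_MESSAGE, STATE, MESSAGE_AUTHENTICATOR = 79, 24, 80
ACCESS_CHALLENGE = 11
EAP_REQUEST, EAP_RESPONSE = 1, 2
MAX_ATTR_VALUE = 253   # one-byte Length minus the two header bytes
HEADER_LEN = 20


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_eap_packet(code: int, ident: int, eap_type: int, data: bytes) -> bytes:
    """EAP header (RFC 3748): Code, Identifier, Length (whole packet), Type."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data


def fragment_eap(eap_packet: bytes) -> list:
    """Split one EAP packet into 253-byte pieces, one per EAP-Message attribute."""
    return [eap_packet[i:i + MAX_ATTR_VALUE] for i in range(0, len(eap_packet), MAX_ATTR_VALUE)]


def build_eap_radius(code, ident, request_auth, eap_packet, state, secret):
    """Carry an EAP packet in a RADIUS packet: consecutive EAP-Message
    attributes, the State handle the peer must echo back, and a
    Message-Authenticator (RFC 3579 section 3.2): HMAC-MD5 over the whole
    RADIUS packet with the Message-Authenticator value zeroed, keyed with
    the shared secret. Without it the EAP payload could be altered in
    transit, since the Request Authenticator is unkeyed."""
    attrs = b"".join(attr(EAP_MESSAGE, piece) for piece in fragment_eap(eap_packet))
    if state:
        attrs += attr(STATE, state)
    attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac   # Message-Authenticator is the last attribute


def parse_eap_radius(pkt: bytes, secret: bytes):
    """Reassemble the EAP packet from a RADIUS packet after checking the
    Message-Authenticator and that the EAP Length field matches the
    reassembled size. Returns (radius_code, radius_id, eap_packet, state)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < HEADER_LEN:
        raise ValueError("bad RADIUS length")
    fragments, state, ma_pos, pos = [], None, None, HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = pkt[pos + 2:pos + alen]
        if atype == EAP_MESSAGE:
            fragments.append(value)
        elif atype == STATE:
            state = value
        elif atype == MESSAGE_AUTHENTICATOR:
            ma_pos = pos + 2
        pos += alen
    if ma_pos is None:
        raise ValueError("EAP-Message without Message-Authenticator (RFC 3579)")
    zeroed = pkt[:ma_pos] + b"\x00" * 16 + pkt[ma_pos + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, pkt[ma_pos:ma_pos + 16]):
        raise ValueError("Message-Authenticator mismatch")
    eap = b"".join(fragments)
    if len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise ValueError("EAP Length field does not match reassembled data")
    return code, ident, eap, state


# Constructed sample: a 597-byte EAP-Request of type 13 (EAP-TLS), which
# needs three EAP-Message attributes (253 + 253 + 91 bytes).
SAMPLE_EAP = build_eap_packet(EAP_REQUEST, 5, 13, bytes(range(256)) * 2 + b"tail" * 20)
SAMPLE_STATE = b"acs-session-0001"

if __name__ == "__main__":
    pkt = build_eap_radius(ACCESS_CHALLENGE, 9, bytes(16), SAMPLE_EAP, SAMPLE_STATE, b"shared")
    print(len(fragment_eap(SAMPLE_EAP)), "EAP-Message attributes;", len(pkt), "byte RADIUS packet")
    print(parse_eap_radius(pkt, b"shared")[2] == SAMPLE_EAP)
```

Fragmentation here is at the RADIUS layer only; EAP-TLS additionally fragments at the EAP layer, with its own length and more-fragments flags, which this example does not model.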
ACS supports the full EAP infrastructure, including EAP type negotiation, message sequencing and message retransmission. All protocols support fragmentation of big messages. In ACS 5.4, you configure EAP methods for authentication as part of access service configuration. For more information about access services, see Chapter 3, "ACS 5.x Policy Model."

EAP-MD5

This section contains the following topics:
• Overview of EAP-MD5, page B-5
• EAP-MD5 Flow in ACS 5.
Overview of EAP-TLS

EAP-TLS is one of the methods in the EAP authentication framework, and is based on the 802.1x and EAP architecture. Components involved in the 802.1x and EAP authentication process are the:
• Host—The end entity, or end user's machine.
• AAA client—The network access point.
• Authentication server—ACS.
• Using a third-party signature, usually from a CA, that verifies the information in a certificate. This third-party binding is similar to the real-world equivalent of the stamp on a passport. You trust the passport because you trust the preparation and identity-checking that the particular country's passport office made when creating that passport. You trust digital certificates by installing the root certificate of the issuing CA; any certificate that chains to a root you did not install should be rejected, not silently accepted.
You can configure the timeout for each session in the cache, for each protocol individually. The lifetime of a session is measured from the beginning of the conversation and is determined when the TLS session is created. ACS supports establishment of a tunnel from a commonly shared key known to the client and the server for the EAP-FAST protocol.
For HTTPS, SFTP, SSH and ActiveMQ, auto-generated self-signed certificates can be used as the means for server authentication. A self-signed certificate gives a connecting client nothing to anchor trust to, so an administrator's browser cannot distinguish the real ACS from an impostor unless the certificate fingerprint is checked out of band or the certificate is replaced with one issued by a CA the client trusts.

Fixed Management Certificates

ACS generates and uses self-signed certificates to identify various management protocols such as the web browser (HTTPS), ActiveMQ, SSH, and SFTP. Self-signed certificates are generated when ACS is installed and are maintained locally in files outside of the ACS database.
• Initial Self-Signed Certificate Generation, page B-10
• Certificate Generation, page B-10

Importing the ACS Server Certificate

When you manually import an ACS server certificate, you must supply the certificate file, the private key file, and the private key password used to decrypt the PKCS#12 private key. The certificate, along with its private key and private-key password, is added to the Local Certificate store.
There are two types of certificate generation:
• Self-signed certificate generation—ACS supports generation of an X.509 certificate and a PKCS#12 private key. ACS automatically generates a strong passphrase to encrypt the private key in the PKCS#12, and the private key is hidden in the local certificate store. You can select the newly generated certificate for immediate use for the HTTPS management protocol, for TLS-related EAP protocols, or both.
Credentials Distribution

All certificates are kept in the ACS database, which is distributed and shared between all ACS nodes. The ACS server certificates are associated with and designated for a specific node, which uses that specific certificate. Public certificates are distributed along with the private keys and the protected private-key passwords by using the ACS distributed mechanism.
Private Keys and Passwords Backup

The entire ACS database is distributed and backed up on the primary ACS along with all the certificates, private keys and the encrypted private-key passwords. The private-key-password key of the primary server is also backed up with the primary's backup. The private-key-password keys of secondary ACS servers are not backed up. Backups are encrypted and can therefore be moved in and out of the ACS servers with reasonable safety.
Note: All communication between the host and ACS goes through the network device.

EAP-TLS authentication fails if the:
• Server fails to verify the client's certificate, and rejects EAP-TLS authentication.
• Client fails to verify the server's certificate, and rejects EAP-TLS authentication.

Certificate validation fails if the:
– Certificate has expired.
– Server or client cannot find the certificate issuer.
– Signature check failed.
• Cisco AC 3.x
• Funk Odyssey Access Client 4.0.2 and 5.x
• Intel Supplicant 12.4.x

Overview of PEAP

PEAP is a client-server security architecture that you use to encrypt EAP transactions, thereby protecting the contents of EAP authentications. PEAP uses server-side public key certificates to authenticate the server. It then creates an encrypted SSL/TLS tunnel between the client and the authentication server. This protection depends on the supplicant actually validating the server certificate; a client configured to skip that check hands its inner credentials to any rogue access point that presents a certificate.
• Fast Reconnect, page B-16
• Session Resume, page B-16
• Protected Exchange of Arbitrary Parameters, page B-17
• Cryptobinding TLV Extension, page B-17

Server Authenticated and Unauthenticated Tunnel Establishment Modes

Tunnel establishment helps prevent an attacker from injecting packets between the client and the network access server (NAS), or from negotiating a less secure EAP method.
Protected Exchange of Arbitrary Parameters

TLV tuples provide a way to exchange arbitrary information between the peer and ACS within a secure channel.

Cryptobinding TLV Extension

The cryptobinding TLV extension in MS PEAP authentication is used to ensure that both the EAP peer (client) and the EAP server (ACS) are participating in the inner and outer EAP authentications of the PEAP authentication. Without this binding, an attacker who terminates the outer TLS tunnel can relay a victim's inner EAP exchange through it; cryptobinding ties the inner and outer keys together so that such a relayed exchange fails.
Figure B-3 PEAP Processing Flow

Phase 1: The client authenticates the server certificate and a TLS tunnel is created.
Phase 2: User authentication credentials are sent through the TLS tunnel, again using EAP; the RADIUS server authenticates against the user repository; the client gets network access and the AP gets encryption keys.
Authenticating with MSCHAPv2

After the TLS tunnel is created, follow these steps to authenticate the wireless client credentials with MSCHAPv2:
1. ACS sends an EAP-Request/Identity message.
2. The client replies with an EAP-Response/Identity message.
3. ACS sends an EAP-Request/EAP-MSCHAPv2 challenge message that contains a challenge string.
EAP-FAST is a client-server security architecture that encrypts EAP transactions with a TLS tunnel. While similar to PEAP in this respect, it differs significantly in that EAP-FAST tunnel establishment is based on strong secrets that are unique to users. These secrets are called Protected Access Credentials (PACs), which ACS generates by using a master key known only to ACS.
EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase one depends on the end-user client. If the end-user client does not send the real username in phase one, the username is protected. After phase one of EAP-FAST, all data is encrypted, including username information that is usually sent in clear text.
• ACS-Supported Features for PACs, page B-25
• Master Key Generation and PAC TTLs, page B-27
• EAP-FAST for Allow TLS Renegotiation, page B-27

About Master-Keys

EAP-FAST master-keys are strong secrets that ACS automatically generates and of which only ACS is aware. Master-keys are never sent to an end-user client. EAP-FAST requires master-keys for two purposes:
• PAC generation—ACS generates PACs by using the active master-key.
Provisioning Modes

ACS supports out-of-band and in-band provisioning modes. The in-band provisioning mode operates inside a TLS tunnel established by Anonymous DH, Authenticated DH, or RSA key agreement. To minimize the risk of exposing the user's credentials, a cleartext password should not be used outside of the protected tunnel. Therefore, EAP-MSCHAPv2 or EAP-GTC is used to authenticate the user's credentials within the protected tunnel. With Anonymous DH the client cannot verify who is at the other end of that tunnel, so a rogue server can run the same exchange and collect the MSCHAPv2 response; where clients can validate a server certificate, prefer authenticated provisioning.
The various means by which an end-user client can receive PACs are:
• PAC provisioning—Required when an end-user client has no PAC. For more information about how master-key and PAC states determine whether PAC provisioning is required, see Master Key Generation and PAC TTLs, page B-27. The two supported means of PAC provisioning are:
  – Automatic In-Band PAC Provisioning—Sends a PAC by using a secure network connection.
To control whether ACS performs Automatic In-Band PAC Provisioning, use the options on the Global System Options pages in the System Administration drawer. For more information, see EAP-FAST, page B-19.

Manual PAC Provisioning

Manual PAC provisioning requires an ACS administrator to generate PAC files, which must then be distributed to the applicable network users. Users must configure end-user clients with their PAC files. A PAC file is a credential: distribute it over a channel that protects it from copying, as you would a password.
The proactive PAC update time is configured for the ACS server in the Allowed Protocols page. This mechanism allows the client to be always updated with a valid PAC.

Note: There is no proactive PAC update for Machine and Authorization PACs.

Accept Peer on Authenticated Provisioning

The peer may be authenticated during the provisioning phase.
Master Key Generation and PAC TTLs

The values for master key generation and PAC TTLs determine their states, as described in About Master-Keys, page B-22 and Types of PACs, page B-23. Master key and PAC states determine whether someone requesting network access with EAP-FAST requires PAC provisioning or PAC refreshing.
For information about how master key generation and PAC TTL values determine whether PAC provisioning or PAC refreshing is required, see Master Key Generation and PAC TTLs, page B-27.

Step 3 Determine whether you want to use automatic or manual PAC provisioning. For more information about the two means of PAC provisioning, see Automatic In-Band PAC Provisioning, page B-24, and Manual PAC Provisioning, page B-25.
• PAC Migration from ACS 4.x, page B-29

Key Distribution Algorithm

The common seed-key is a relatively large and completely random buffer that is generated by the primary ACS server. The seed-key is generated only once, during installation, or it can be manually regenerated by an administrator. The seed-key should rarely be replaced, because if you change the seed-key, all of the previous master-keys and PACs are automatically deactivated, and every EAP-FAST client then needs a new PAC.
• A list of retired ACS 4.x master-keys. The list is taken from the ACS 4.x configuration and placed in a new table in ACS 5.4. Each migrated master-key is associated with its expected time of expiration. The table is migrated along with the master-key identifier (index) and the PAC cipher assigned to each key.
EAP-MSCHAPv2

Overview of EAP-MSCHAPv2

Some of the specific members of the EAP family of authentication protocols, specifically EAP-FAST and PEAP, support the notion of an "EAP inner method." This means that another EAP-based protocol performs additional authentication within the context of the first protocol, which is known as the "EAP outer method."
EAP-MSCHAPv2 Flow in ACS 5.4

Components involved in the 802.1x and MSCHAPv2 authentication process are the:
• Host—The end entity, or end user's machine.
• AAA client—The network access point.
• Authentication server—ACS.

The MSCHAPv2 protocol is described in RFC 2759.

Related Topic
• Authentication Protocol and Identity Store Compatibility, page B-36

CHAP

CHAP uses a challenge-response mechanism in which the response is a one-way hash (MD5, per RFC 1994) over the challenge and the password, so the password itself is never sent. Because ACS must recompute that hash, CHAP can only be verified against an identity store that gives ACS the cleartext password.
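The CHAP exchange above, as an added example rather than ACS code: the response is MD5(Ident || password || challenge) per RFC 1994, carried in the RADIUS CHAP-Password attribute as the Ident byte followed by the 16-byte hash; the server verifies it against a freshly generated challenge, and the same function shows why a store holding only a one-way hash of the password cannot serve CHAP at all. The user records and passwords are constructed samples.

```python
import hashlib
import os
import secrets

CHAP_PASSWORD, CHAP_CHALLENGE = 3, 60   # RADIUS attribute numbers, RFC 2865


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || challenge). The
    password never crosses the wire, only this one-way hash of it."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def new_challenge() -> bytes:
    """Server side: a fresh unpredictable challenge per attempt, so a captured
    response cannot be replayed against a later challenge."""
    return os.urandom(16)


def chap_password_value(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Value of the RADIUS CHAP-Password attribute: the CHAP Ident byte
    followed by the 16-byte response. The challenge travels in CHAP-Challenge
    (or, when that attribute is absent, in the Request Authenticator)."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap(chap_password: bytes, challenge: bytes, stored_cleartext) -> bool:
    """ACS side. The hash covers the cleartext password, so the identity store
    must hand ACS that cleartext; a record that only carries a one-way hash
    (stored_cleartext is None) cannot be verified and is rejected."""
    if len(chap_password) != 17:
        raise ValueError("CHAP-Password must be Ident + 16-byte response")
    if stored_cleartext is None:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, stored_cleartext, challenge)
    return secrets.compare_digest(expected, response)


# Constructed sample store: alice's record exposes the cleartext password,
# bob's record holds only a one-way hash, which is useless for CHAP.
STORE = {
    b"alice": {"cleartext": b"correct horse battery"},
    b"bob": {"cleartext": None,
             "sha256": hashlib.sha256(b"bob-password").hexdigest()},
}


def authenticate(username: bytes, chap_password: bytes, challenge: bytes) -> bool:
    record = STORE.get(username)
    return record is not None and verify_chap(chap_password, challenge, record["cleartext"])


if __name__ == "__main__":
    ch = new_challenge()
    print(authenticate(b"alice", chap_password_value(42, b"correct horse battery", ch), ch))
    print(authenticate(b"bob", chap_password_value(42, b"bob-password", ch), ch))
```

The second call prints False even with the right password: the store cannot produce the cleartext the hash needs. This is the reason the compatibility table later in this appendix lists CHAP against only some identity stores.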
• Subject's ST attribute (State Province)
• Subject's E attribute (eMail)
• Subject's SN attribute (Subject Serial Number)
• Issuer I attribute
• SAN (Subject Alternative Name)

You can define a policy to set the principal username to use in the TLS conversation, as an attribute that is taken from the received certificate.
• Subject's ST attribute (State Province)
• Subject's E attribute (eMail)
• Subject's SN attribute (Subject Serial Number)
• Issuer I attribute
• SAN (Subject Alternative Name)
• Subject
• SAN—Email
• SAN—DNS
• SAN—otherName

Certificate Revocation

Every client certificate that ACS receives is verified against a Certificate Revocation List (CRL) according to a policy that is defined.
The configuration of URLs and their association to CAs is distributed to the entire ACS domain. The downloaded CRLs are not distributed and are autonomously populated in parallel in each ACS server, so every node needs its own reachability to the CRL distribution points.

Machine Authentication

ACS supports the authentication of computers that are running the Microsoft Windows operating systems that support EAP computer authentication.
Related Topics
• Microsoft AD, page 8-41
• Managing External Identity Stores, page 8-22

Authentication Protocol and Identity Store Compatibility

ACS supports various authentication protocols to authenticate against the supported identity stores. Table B-4 specifies non-EAP authentication protocol support.
Appendix C Open Source License Acknowledgements

See http://www.cisco.com/en/US/products/ps9911/products_licensing_information_listing.html for all the Open Source and Third Party Licenses used in Cisco Secure Access Control System, 5.4.

Notices

The following notices pertain to this software license.

OpenSSL/Open SSL Project

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)".

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Glossary

A

AAA
Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security. A system in IP-based networking to control what computer resources users have access to and to keep track of the activity of users over a network.
accounting
The capability of ACS to record user sessions in a log file.

ACS System Administrators
Administrators with different access privileges defined under the System Configuration section of the ACS web interface. They administer and manage ACS deployments in your network.

ARP
Address Resolution Protocol. A protocol for mapping an Internet Protocol address to a physical machine address that is recognized in the local network.
authenticity
The validity and conformance of the original information.

authorization
The approval, permission, or empowerment for someone or something to do something.

authorization profile
The basic "permissions container" for a RADIUS-based network access service. The authorization profile is where you define all permissions to be granted for a network access request.
certificate-based authentication
Proving identity with an X.509 certificate and possession of the matching private key, as a client does in EAP-TLS or a server does in TLS/HTTPS; the TLS session that results also encrypts the traffic.

certificate
Digital representation of user or device attributes, including a public key, that is signed with an authoritative private key.

CGI
Common Gateway Interface. This mechanism is used by HTTP servers (web servers) to pass parameters to executable scripts in order to generate responses dynamically.

CHAP
Challenge-Handshake Authentication Protocol.
configuration management
The process of establishing a known baseline condition and managing it.

cookie
Data exchanged between an HTTP server and a browser (a client of the server) to store state information on the client side and retrieve it later for server use. An HTTP server, when sending data to a client, may send along a cookie, which the client retains after the HTTP connection closes.
D

daemon
A program which is often started at the time the system boots and runs continuously without intervention from any of the users on the system. The daemon program forwards the requests to other programs (or processes) as appropriate. The term daemon is a Unix term, though many other operating systems provide support for daemons, though they're sometimes called other names. Windows, for example, refers to daemons as System Agents and services.

DES
Data Encryption Standard.
digital envelope
An encrypted message with the encrypted session key.

digital signature
A value computed over the hash of a message with the sender's private key, which identifies the sender and proves the message has not changed since it was signed.

DSA
Digital Signature Algorithm. An asymmetric cryptographic algorithm that produces a digital signature in the form of a pair of large numbers.
dumpsec
A security tool that dumps a variety of information about a system's users, file system, registry, permissions, password policy, and services.

DLL
Dynamic Link Library. A collection of small programs, any of which can be called when needed by a larger program that is running in the computer. The small program that lets the larger program communicate with a specific device such as a printer or scanner is often packaged as a DLL program (usually referred to as a DLL file).
EAP
Extensible Authentication Protocol. An authentication framework, originally defined to extend the authentication methods of PPP (Point-to-Point Protocol) and now used mainly with 802.1X on wired and wireless networks. EAP can carry multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key authentication.

EAP-MD5
Extensible Authentication Protocol-Message Digest 5.
G

gateway
A network point that acts as an entrance to another network.

global system options
Configuring TACACS+, EAP-TTLS, PEAP, and EAP-FAST runtime characteristics and generating EAP-FAST PAC.

H

hash functions
Used to generate a one-way "check sum" for a larger text, which is not trivially reversed. The result of this hash function can be used to validate if a larger file has been altered, without having to compare the larger files to each other.
I

I18N
Internationalization and localization are means of adapting software for non-native environments, especially other nations and cultures. Internationalization is the adaptation of products for potential use virtually everywhere, while localization is the addition of special features for use in a specific locale.

identity
Who someone or what something is, for example, the name by which something is known.
ISO
International Organization for Standardization, a voluntary, non-treaty, non-government organization, established in 1947, with voting members that are designated standards bodies of participating nations and non-voting observer organizations.

ISP
Internet Service Provider. A business or organization that provides to consumers access to the Internet and related services. In the past, most ISPs were run by the phone companies.

J

Java Runtime Environment.
M

MAC Address
A hardware address: a numeric value intended to identify a network interface uniquely among all others. It is trivially changed by the device's owner, so it identifies a device but does not authenticate it; host lookup by MAC address should be treated accordingly.

matchingRule (LDAP)
The method by which an attribute is compared in a search operation. A matchingRule is an ASN.1 definition that usually contains an OID, a name (for example, caseIgnoreMatch [OID = 2.5.23.2]), and the data type it operates on (for example, DirectoryString).

MD5
A one-way cryptographic hash function, no longer considered collision resistant.
PI (Programmatic Interface)
The ACS PI is a programmatic interface that provides external applications the ability to communicate with ACS to configure and operate ACS; this includes performing the following operations on ACS objects: create, update, delete and read.

policy condition
Rule-based single conditions that are based on policies, which are sets of rules used to evaluate an access request and return a decision.
R

RDN (LDAP)
The Relative Distinguished Name (frequently but incorrectly written as Relatively Distinguished Name). The name given to an attribute (or attributes) that is unique at its level in the hierarchy. RDNs may be single valued or multi-valued, in which case two or more attributes are combined using '+' (plus) to create the RDN, e.g. cn+uid.
Schema (LDAP)
A package of attributes and object classes that are sometimes (nominally) related. The schema(s) in which the object classes and attributes that the application will use (reference) are packaged are identified to the LDAP server so that it can read and parse all that wonderful ASN.1 stuff. In OpenLDAP this is done using the slapd.conf file.

search (LDAP)
An operation that is carried out by defining a base directory name (DN), a scope, and a search filter.
SOAP (Simple Object Access Protocol)
A lightweight XML-based protocol for exchange of information in a decentralized, distributed environment. SOAP consists of three parts: an envelope that defines a framework for describing what is in a message and how to process it, a set of encoding rules for expressing instances of application-defined datatypes, and a convention for representing remote procedure calls and responses.
U

UDP
User Datagram Protocol. A connectionless communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP).

URL
Uniform Resource Locator. The unique address for a file that is accessible on the Internet.

user and identity store
A repository of users, user attributes, and user authentication options.

user authentication option
An option to enable or disable TACACS+ password authentication.
X

X.509
A standard for public key infrastructure. X.509 specifies, amongst other things, standard formats for public key certificates and a certification path validation algorithm.

XML (eXtensible Markup Language)
XML is a flexible way to create common information formats and share both the format and the data on the World Wide Web, intranets, and elsewhere.