Manual Cisco Systems OL-24201-01

650 pages 8.49 mb

Download

Go to site of 650

Prev Next

Summary

Cisco Systems OL-24201-01 - page 1

Americas Headquarters Cisco Systems, In c. 170 West Tasman Drive San Jose, CA 951 34-1706 USA http://www.ci sco.com Tel: 408 526-4000 800 553-NETS (638 7) Fax: 408 527-0883 User Guide f or Cisco S ecure A ccess Contr ol S ystem 5.3 April 20 1 4 Text Part Number: OL -24201-01 ...
Cisco Systems OL-24201-01 - page 2

THE SPECIFICATION S AND INFORMATION REGARDING TH E PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITH OUT NOTICE. ALL STATEMENTS , INFORMATION, AND RECOMMENDATI ONS IN THI S MANUAL ARE BE LIEVED TO BE A CCURATE BUT ARE PRESENTED WI THOUT WARRANTY OF ANY KIND, EX PRESS OR IMPLIED. USERS MUST TAKE FULL RESPO NSIBILITY FOR THEIR APPLICATION OF ANY PRO ...
Cisco Systems OL-24201-01 - page 3

iii User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 CONTENTS Preface xxiii Audience xxiii Document Conventions xxiii Documentation Updates xxiv Related Documentation xxiv Obtaining Documentation and Submitting a Serv ice Request xxv CHAPTER 1 Introducing ACS 5.3 1-1 Overview of ACS 1-1 ACS Distributed Deployment 1-2 ACS 4.x and 5. ...
Cisco Systems OL-24201-01 - page 4

Contents iv User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Policy Terminology 3-3 Simple Polici es 3-4 Rule-Based Policies 3-4 Types of Policies 3-5 Access Services 3-6 Identity Policy 3-9 Group Mapping Policy 3-11 Authorization Policy for Device Administration 3-11 Processing Rules with Multiple Command Sets 3-11 Exception Auth ...
Cisco Systems OL-24201-01 - page 5

Contents v User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Agentless Network Access 4-12 Overview of Agentless Network Access 4-12 Host Lookup 4-13 Authentication with Call Check 4-14 Process Service-Type Call Check 4-15 PAP/EAP-MD5 Authentication 4-15 Agentless Network Access Flo w 4-16 Adding a Host to an Internal Identity Store ...
Cisco Systems OL-24201-01 - page 6

Contents vi User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 My Account Page 5-2 Using the Web Interface 5-3 Accessing the Web Interface 5-3 Logging In 5-4 Logging Out 5-5 Understanding th e Web Interface 5-5 Web Interface Design 5-6 Navigation Pane 5-7 Content Area 5-8 Importing and Exporting ACS Objects through the Web Interface ...
Cisco Systems OL-24201-01 - page 7

Contents vii User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Exporting Network Devices and AAA Clients 7-7 Performing Bulk Operation s for Network Resources and Users 7-8 Exporting Network Resources and Us ers 7-10 Creating, Duplicating, and Editin g Network Devices 7-10 Configuring Network Device and AAA Clients 7-11 Displaying N ...
Cisco Systems OL-24201-01 - page 8

Contents viii User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Authentication Using LDAP 8-20 Multiple LDAP Instances 8-20 Failover 8-21 LDAP Connection Management 8-21 Authenticating a User Us ing a Bind Connection 8-21 Group Membership Information Retrieval 8-22 Attributes Retrieval 8-23 Certificate Retrieval 8-23 Creating Exter ...
Cisco Systems OL-24201-01 - page 9

Contents ix User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Groups and Attributes Mapping 8-58 RADIUS Identity Store in Identity Sequence 8-59 Authentication Failure Messages 8-59 Username Special Format with Safeword Server 8-59 User Attribute Cache 8-6 0 Creating, Duplicating, and Editing RADIUS Id entity Servers 8-60 Configurin ...
Cisco Systems OL-24201-01 - page 10

Contents x User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Deleting an Authorizations and Permis sions Policy Element 9-32 Configuring Security Group Access Control Lists 9-33 CHAPTER 10 Managing Acce ss Policies 10-1 Policy Creation Flow 10-1 Network Definition and Po licy Goals 10 -2 Policy Elements in the Policy Creation F low ...
Cisco Systems OL-24201-01 - page 11

Contents xi User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Deleting Policy Rules 10-39 Configuring Compound Conditions 10-40 Compound Condition Building Blocks 10-40 Types of Compound Conditions 10-41 Using the Compound Expression Builder 10-44 Security Group Access Control Pa ges 10-45 Egress Policy Matrix Page 10-45 Editing a C ...
Cisco Systems OL-24201-01 - page 12

Contents xii User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Understanding Alarm Schedules 12-9 Creating and E diting Alarm Schedule s 12-9 Assigning Alarm Schedules to Thresh olds 12-10 Deleting Alarm Schedules 12 -11 Creating, Editing, and Duplic ating Alarm Threshold s 12-11 Configuring General Threshold Info rmation 12-13 Con ...
Cisco Systems OL-24201-01 - page 13

Contents xiii User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Running Catalog Reports 13-11 Deleting Catalog Reports 13-13 Running Named Re ports 13-13 Understanding the Report_Na me Page 13-15 Enabling RADIUS CoA Options on a Device 13-18 Changing Authorization and Disconne cting Active RADIUS Sessions 13-18 Customizing Reports 1 ...
Cisco Systems OL-24201-01 - page 14

Contents xiv User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Organizing Report Data 13-4 1 Displaying and Organizing Re port Data 13-41 Reordering Columns in Interactive Viewer 13-42 Removing Columns 13-43 Hiding or Disp laying Report Item s 13-44 Hiding Co lumns 13-44 Displaying Hidden Columns 13-45 Merging Colu mns 13-45 Select ...
Cisco Systems OL-24201-01 - page 15

Contents xv User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Modifying Cha rts 13-76 Filtering Ch art Data 13-76 Changing Chart Subtype 13-77 Changing Cha rt Formatting 13-77 CHAPTER 14 Troubleshooting ACS with the Monitoring & Report Viewer 14-1 Available Diagnostic and Trouble shooting Tools 14-1 Connectivity Tests 14-1 ACS S ...
Cisco Systems OL-24201-01 - page 16

Contents xvi User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Configuring System Alarm Settings 15 -17 Configuring Alarm Syslog T argets 15 -17 Configuring Remote Database Settings 15-17 CHAPTER 16 Managing Syst em Administrators 16-1 Understanding Ad ministrator Roles and Accounts 16-2 Understanding Au thentication 16-3 Configuri ...
Cisco Systems OL-24201-01 - page 17

Contents xvii User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Viewing and Editing a Primary Instance 17-9 Viewing and Editing a Secondary Instan ce 17-1 3 Deleting a Secondary Instanc e 17-13 Activating a Secondary Instan ce 17-14 Registering a Secondary Instance to a Primary In stance 17-14 Deregistering Secondary Instances from ...
Cisco Systems OL-24201-01 - page 18

Contents xviii User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Configuring Local Server Certifica tes 18-14 Adding Local Server Certificates 18-14 Importing Server Certificates and Associating Certificates to Proto cols 18-15 Generating Self-Signed Certificates 18-16 Generating a Certificate Sign ing Request 18-17 Binding CA Sign ...
Cisco Systems OL-24201-01 - page 19

Contents xix User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Using Log Targets 19-2 Logging Categories 19-2 Global and Per-Instance Logg ing Categories 19-4 Log Message Severity Levels 19-4 Local Store Target 19-5 Critical Log Target 19-7 Remote Syslog Server Target 19-8 Monitoring and Reports Server Ta rget 19-10 Viewing Log Mess ...
Cisco Systems OL-24201-01 - page 20

Contents xx User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Overview of EAP-TLS B-6 User Certificate Authentication B-6 PKI Authentication B-7 PKI Credentials B-8 PKI Usage B-8 Fixed Management Certificates B-9 Importing Trust Certificates B-9 Acquiring Local Certificates B-9 Importing the ACS Server Certificate B-10 Initial Self ...
Cisco Systems OL-24201-01 - page 21

Contents xxi User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 EAP Authentication wi th RADIUS Key Wrap B-29 EAP-MSCHAPv2 B-30 Overview of EAP-MSCHAPv2 B-30 MSCHAPv2 for User Authentication B-30 MSCHAPv2 for Change Password B-30 Windows Machine Authentication Against AD B-31 EAP- MSCHAPv2 Flow in ACS 5.3 B-31 CHAP B-31 LEAP B-31 Cer ...
Cisco Systems OL-24201-01 - page 22

Contents xxii User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 ...
Cisco Systems OL-24201-01 - page 23

1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Preface Revised: April 17, 201 4 This guide describes ho w to use Cisco Secure Access Control System (A CS) 5.3. Audience This guide is for securit y administrators who us e A CS, and who set up and maint ain network an d application security . Document Conventions This guide uses ...
Cisco Systems OL-24201-01 - page 24

2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Preface Caution Means rea d e r b e c a re f u l . Y ou are capable of doing something that might result in equipment damage or loss of data . T imesaver Me ans the described action saves time . Y ou can s av e time by perfo rming the acti on described in the paragraph. Note Means ...
Cisco Systems OL-24201-01 - page 25

3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Preface Note W e sometimes update th e printed an d electroni c documentation after original publication. Therefo re, you should also re view the documentati on on Cisco.com for any u pdates. Obtaining Documentation and Submitting a Service Request For info rmation on obtaining doc ...
Cisco Systems OL-24201-01 - page 26

4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Preface ...
Cisco Systems OL-24201-01 - page 27

CH A P T E R 1-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 1 Introducing ACS 5.3 This section contains the following topics: • Overvie w of A CS, page 1-1 • A CS Distributed Depl oyment, page 1-2 • A CS Management Interfaces, page 1-3 Overview of ACS A CS is a policy-based security server that provides standards-co mp ...
Cisco Systems OL-24201-01 - page 28

1-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 1 Intro ducing ACS 5 .3 ACS Distributed Depl oyment A CS provides adv anced monitoring, reportin g, and troubleshooting to ols that help you administer and manage your A CS deployments. For more in formatio n on the monito ring, reporting, and troublesh ooting capabiliti ...
Cisco Systems OL-24201-01 - page 29

1-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 1 Introducing ACS 5.3 ACS Licensing Model A CS 4.x did not provide incremental repl ication, on ly full r eplication, and there was service do wntime for replication. A CS 5.3 provides incrementa l replicati ons with no service do wntime. Y ou can also for ce a full repl ...
Cisco Systems OL-24201-01 - page 30

1-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 1 Intro ducing ACS 5 .3 ACS Management Interfa ces ACS Web-based Interface Y ou can use the A CS web-based interface to fully co nfig ure your A CS deplo yment, and perform monitoring and reporting operati ons. The web interface provides a consistent user e xperience, re ...
Cisco Systems OL-24201-01 - page 31

1-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 1 Introducing ACS 5.3 Hardware Models Supported b y ACS For informati on about using the CLI, see the Command Line Interface Refer ence Guide for Cisco Secur e Access Contr ol System 5.3 . Related Topic • A CS W eb-based Interface, page 1-4 ACS Programmatic Interfaces ...
Cisco Systems OL-24201-01 - page 32

1-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 1 Intro ducing ACS 5 .3 Hardware Mode ls Supported by ACS ...
Cisco Systems OL-24201-01 - page 33

CH A P T E R 2-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 2 Migrating from ACS 4.x to ACS 5.3 A CS 4.x stores polic y and authentication information , such as T A CA CS+ command sets, in the user and user group records. In A CS 5.3, polic y and authentication information are independent shared components that you use as b ...
Cisco Systems OL-24201-01 - page 34

2-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 2 M igrating from ACS 4.x to ACS 5.3 Overview of the Migration Process Overview of the Migration Process The Migration utili ty completes the data migration pro cess in two phases: • Analysis and Export • Import In the Analysis and Export phase, you identify the obje ...
Cisco Systems OL-24201-01 - page 35

2-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 2 Migratin g from ACS 4.x to ACS 5.3 Before You Begin Note Y ou must install the latest patch for the su pported migration v ersions listed here. Also, if you ha ve any other versio n of A C S 4.x installed, you must u pgrade to one of the supported v e rsions and in sta ...
Cisco Systems OL-24201-01 - page 36

2-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 2 M igrating from ACS 4.x to ACS 5.3 Migrating from ACS 4.x to ACS 5.3 • User-Def ined Fields (from the Interface Configuration se ction) • User Groups • Shared Shell Command Auth orization Sets • User T ACA CS+ Shell Exec Attributes (migrated to user attributes) ...
Cisco Systems OL-24201-01 - page 37

2-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 2 Migratin g from ACS 4.x to ACS 5.3 Functionality Mapping from ACS 4.x to ACS 5.3 Functionality Mapping from ACS 4.x to ACS 5.3 In A CS 5.3, you define authorizati ons, shell prof iles, attributes, and other polic y elements as independent, reusable objects, and no t as ...
Cisco Systems OL-24201-01 - page 38

2-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 2 M igrating from ACS 4.x to ACS 5.3 Functionality Ma pping from ACS 4.x to ACS 5.3 Command sets (command authorization sets) One of the follo wing: • Shared Prof ile Components > Command Authoriz ation Set • User Setup page • Group Setup page Policy Elements &g ...
Cisco Systems OL-24201-01 - page 39

2-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 2 Migratin g from ACS 4.x to ACS 5.3 Common Scenarios in Migration Common Scenarios in Migration The follo wing are some of the commo n scenarios that you encounter while migrating to A CS 5.3: • Migrating from ACS 4.2 on CSA CS 11 20 to A CS 5.3, page 2-7 • Migratin ...
Cisco Systems OL-24201-01 - page 40

2-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 2 M igrating from ACS 4.x to ACS 5.3 Common Scenarios in Migration Migrating from ACS 3.x to ACS 5.3 If you ha ve A CS 3.x deployed in your en vironment, you cannot directly migrate to A CS 5.3. Y ou must do the follo wing: Step 1 Upgrade to a migr ation-supported v ersi ...
Cisco Systems OL-24201-01 - page 41

2-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 2 Migratin g from ACS 4.x to ACS 5.3 Common Scenarios in Migration Step 3 Perform b ulk import of data into A CS 5.3. For more inf ormation on performing b ulk import of A CS objects, see http://www .ci sco.com/en/US/docs/n et_mgmt/cis co_sec ure_access_ control_sys tem/ ...
Cisco Systems OL-24201-01 - page 42

2-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 2 M igrating from ACS 4.x to ACS 5.3 Common Scenarios in Migration ...
Cisco Systems OL-24201-01 - page 43

CH A P T E R 3-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 3 ACS 5.x Policy Model A CS 5.x is a policy-based access contr ol system. The term po licy model in A CS 5.x refers to the presentation of poli cy elemen ts, objects, and rules to the polic y administrator . A CS 5.x uses a rule-based policy mo del instead of the gr ...
Cisco Systems OL-24201-01 - page 44

3-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Overview of the ACS 5.x Policy Model For e xample, we use the informati on described for the grou p-based model: If identity-conditio n, r estriction-condi tion then authorization-p r of ile In A CS 5.3, you define conditi ons and results as glob a ...
Cisco Systems OL-24201-01 - page 45

3-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Overview of the ACS 5. x Policy Model Policy Terminology Ta b l e 3 - 2 describes the rule-based polic y terminology . T a ble 3-2 Rule-Based Po licy T er minology T erm Description Access service Sequential set of policies used to process access r ...
Cisco Systems OL-24201-01 - page 46

3-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Overview of the ACS 5.x Policy Model Simple Policies Y ou can conf igure all of you r A CS policies as rule-b ased policies. Howe ver , in some cases, you can choose to conf igure a simple polic y , which select s a si ngle result to apply to all r ...
Cisco Systems OL-24201-01 - page 47

3-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Overview of the ACS 5. x Policy Model Types of Policies Ta b l e 3 - 3 describes the types of policies that y ou can configur e in A CS. The policies are listed in the order of their e valuation; any at tributes t hat a polic y retrie ves can be us ...
Cisco Systems OL-24201-01 - page 48

3-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Access Services Access Services Access services are fundamental constructs in A CS 5.x that allo w you to conf igure access policies for users and de vices that connect t o the network and for n etwork administrat ors who administer network devices ...
Cisco Systems OL-24201-01 - page 49

3-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Access Services Ta b l e 3 - 5 describes an example of a set of access services. Ta b l e 3 - 6 describes a service selection poli cy . If A CS 5.3 receiv es a T ACA CS+ access request, it applies Ac cess Service A, which authentica tes the request ...
Cisco Systems OL-24201-01 - page 50

3-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Access Services A CS accepts the results of the requests and returns them to the N AS. Y ou must configure the external RADIUS and T ACA CS+ servers in A CS for A CS to forw ard requests to them. Y ou can def ine the timeout period and the numb er ...
Cisco Systems OL-24201-01 - page 51

3-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Access Services A CS can simultaneously act as a proxy server to mu ltiple e xternal RADIUS and T A CA C S+ servers. For A CS to act as a proxy serv er , you must configure a RAD IUS or T ACA CS+ proxy service in A CS. See Config uring General Acce ...
Cisco Systems OL-24201-01 - page 52

3-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Access Services • Identity Sequ ence—Sequences o f the identity databases. The se quence is used for authentica tion and, if specified, an additional sequence is used to retrie ve only attrib utes. Y ou can select mult iple identity methods as ...
Cisco Systems OL-24201-01 - page 53

3-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Access Services Group Mapping Policy The identity grou p mapping polic y is a standard polic y . Conditions can be based on attrib utes or groups retrie ved from the e xternal attrib ute stores only , o r from certif icates, and the result is an i ...
Cisco Systems OL-24201-01 - page 54

3-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Service Selection Policy Related Topics • Policy T erminology , page 3- 3 • Authorization Prof iles for Network Access, page 3-16 Exception Authorization Policy Rules A common real-w orld problem is that, in day-to-day operations, you often ne ...
Cisco Systems OL-24201-01 - page 55

3-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Service Selection Policy Rules-Based Service Selection In the rules-based service selection mode, A CS d ecides which access service to use based on various configurable options. Some of them are: • AAA Protocol—The prot ocol used for the requ ...
Cisco Systems OL-24201-01 - page 56

3-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Service Selection Policy In this example, instead of creating the network access policy for 802.1x, ag entless devices, and guest access in one access service, the policy is di vided into three access services. First-Match Rule Tables A CS 5.3 pro ...
Cisco Systems OL-24201-01 - page 57

3-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Service Selection Policy The default ru le specifies the po licy result that A CS uses when no other rules exist, or when the at tribute v alues in the access request do not match any rules. A CS ev aluates a set of rules in the f irst-match rule ...
Cisco Systems OL-24201-01 - page 58

3-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Authorization Pro files for Network Access Policy Conditions Y ou can define simple conditions in rule tables b ased on attributes in: • Customizable conditions—Y ou can create custom con ditions based on protocol dictionaries and identity dic ...
Cisco Systems OL-24201-01 - page 59

3-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Policies and Identity Attributes Y ou can define multiple authorization prof iles as a network access policy result. In this way , you maintain a smaller number of aut horization prof iles , because you can use the authorizatio n profiles in combi ...
Cisco Systems OL-24201-01 - page 60

3-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Policies and Networ k Device Groups Related Topics • Managing Users an d Identity Stores, pa ge 8-1 • Policy T erminology , page 3- 3 • T ypes of Policies, page 3-5 Policies and Network Device Groups Y ou can referenc e Network de vice group ...
Cisco Systems OL-24201-01 - page 61

3-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Flows for Config uring Services and Policies Figure 3-2 illu strates what this polic y rule table could look like. Figur e 3-2 Sample Rule-Based P olicy Each ro w in the polic y table represents a single rule. Each rule, except f or the last Defau ...
Cisco Systems OL-24201-01 - page 62

3-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Flows for Configuring Services and Policies • Added users to the internal A CS identity store or add ex ternal identity st ores. See Creating Internal Users, page 8-11 , Managing Identity Attribu tes, page 8-7 , or Creating External LD AP Identi ...
Cisco Systems OL-24201-01 - page 63

3-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Flows for Config uring Services and Policies Related Topics • Policy T erminology , page 3- 3 • Policy Conditions, page 3-16 • Policy Resul ts, page 3-16 • Policies and Identity Attr ibutes, p age 3-17 ...
Cisco Systems OL-24201-01 - page 64

3-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Flows for Configuring Services and Policies ...
Cisco Systems OL-24201-01 - page 65

CH A P T E R 4-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 4 Common Scenarios Using ACS Network contr ol refers to the process of controlli ng access to a network. T raditionally a username and password w as used to authenticate a user to a net work. No w a days with the rapid t echnological adv ancements, the traditiona l ...
Cisco Systems OL-24201-01 - page 66

4-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS Overview of Device Administration Cisco Secure Access Control System (A CS) allow s you to centrally manage access to your network services and resources (including d evices, such as IP phones, pr inters, and so on). A CS 5.3 is a policy-b a ...
Cisco Systems OL-24201-01 - page 67

4-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Overview of Device Administration If a command is matched to a command set, the corr espon ding permit or deny setting for the command is retrie ved. If mul tiple results are found in the rules that are matched, they are consolidated and a si ...
Cisco Systems OL-24201-01 - page 68

4-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS Overview of Device Administration Step 5 Configure an access service polic y . See Access Service Policy Creation, page 10-4 . Step 6 Configure a service selection policy . See Service Selection Polic y Creation, page 10-4 . Step 7 Config ur ...
Cisco Systems OL-24201-01 - page 69

4-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Password-Based Network Access TACACS+ Custom Services and Attributes This topic describes the co nfigur ation flo w to defin e T ACA CS+ custom attrib utes and services. Step 1 Create a custom T A CACS+ condi tion to mo ve to T A CA CS+ servi ...
Cisco Systems OL-24201-01 - page 70

4-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS Password-Bas ed Network Ac cess Note During password-based access (or certificate-based acce ss), the user is not only authenticated b ut also authorized according to the A CS configuration. An d if N AS sends accounting requests, the user i ...
Cisco Systems OL-24201-01 - page 71

4-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Password-Based Network Access Password-Based Network Access Configuration Flow This topic describes the end-to -end flo w for passwor d-based network access and lists the tasks that you must perform. The info rmation about ho w to conf igure ...
Cisco Systems OL-24201-01 - page 72

4-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS Password-Bas ed Network Ac cess For RADIUS, non- EAP authentication method s (RADIUS/P AP , RADIUS/CHAP , RADIUS/MS-CHAPv1, RADIUS/ MSCHAPv2), and simple EAP methods ( EAP-MD5 and LEAP), you need to configure onl y the protocol in the Allowe ...
Cisco Systems OL-24201-01 - page 73

4-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Certificate-Based Network Access Related Topics • Authentication i n A CS 5.3, page B-1 • Network De vices and AAA Clients, page 7-5 • Managing Access Policies, page 10-1 • Creating, Duplicating , and Editing Access Services, page 10- ...
Cisco Systems OL-24201-01 - page 74

4-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS Certificate-Based Network Access Y ou can conf igure two t ypes of certif icates in A CS: • T rust cert if icate—Also kno wn as CA certif icate. Us ed to form CTL trust hierarchy for verif ication of remote certificates. • Local certi ...
Cisco Systems OL-24201-01 - page 75

4-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Certificate-Based Network Access Step 4 Configure polic y elements. See Managing Polic y Conditions, page 9-1 , for more informat ion. Y ou can create custom conditions to use the certi ficate’ s attrib utes as a polic y condition. See Cre ...
Cisco Systems OL-24201-01 - page 76

4-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS Agentless Networ k Access Validating an LDAP Secure Authentication Connection Y ou can define a secure authenticati on connection for the LDAP e xtern al identity store, by using a CA certificate to vali date the connection. T o v alidate a ...
Cisco Systems OL-24201-01 - page 77

4-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Agentless Network Access Cisco provid es two features to accommodate no n-802.1x de vices. For e xample, MA C Authentication Bypass (Host Look up) and the Guest V LAN access by using web authentication. A CS 5.3 supports the Host Lookup fall ...
Cisco Systems OL-24201-01 - page 78

4-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS Agentless Networ k Access • Internal users • Activ e Directory Y ou can access the Active Directory via the LD AP API. Y ou can use the Internal Users identity store for Host Lookup in cases where the rele vant host is already listed in ...
Cisco Systems OL-24201-01 - page 79

4-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Agentless Network Access Process Service-Type Call Check Y ou may not want to copy the CallingSt ationID attrib ute v alue to the System UserName attrib ute v alue. When the Process Host Lookup o ption is checke d, A C S uses the System User ...
Cisco Systems OL-24201-01 - page 80

4-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS Agentless Networ k Access Agentless Network Access Flow This topic describes the end-to-end flo w for agentl ess network access and lis ts the tasks that you must perform. The information abo ut how to conf igure the tasks is located in the ...
Cisco Systems OL-24201-01 - page 81

4-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Agentless Network Access Step 7 Define the service selection. Step 8 Add the access service to your service sel ection policy . For more information, see Creating, Duplicating , and Editing Service Selection Ru les, page 10-8 . Related Topic ...
Cisco Systems OL-24201-01 - page 82

4-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS Agentless Networ k Access Previous Step: Network De vices and AAA Clients, page 7-5 Next Step: Config uring an Identity Group f or Host Lookup Network Access Requests, page 4-18 Related Topics • Creating External LD AP Identity Stores, pa ...
Cisco Systems OL-24201-01 - page 83

4-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Agentless Network Access c. Select Network Access , and check Identity and A uthorization . The group mapping an d External Policy options are optional . d. Make sure you select Process Host Lookup. If you want A CS to detect P AP or EAP-MD5 ...
Cisco Systems OL-24201-01 - page 84

4-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS VPN Remote Network Access Configuring an Authorization Policy for Host Lookup Requests T o conf igure an authorization polic y for Host Lookup requests: Step 1 Choose Access Policies > Access Services > <access_servicename> A ut ...
Cisco Systems OL-24201-01 - page 85

4-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS VPN Remote Network Access Supported Authentication Protocols A CS 5.3 supports the follo wing protocols for inner aut hentication inside the VPN tunn el: • RADIUS/P AP • RADIUS/CHAP • RADIUS/MS-CHAPv1 • RADIUS/MS-CHAPv2 W ith the use ...
Cisco Systems OL-24201-01 - page 86

4-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS VPN Remote Network Access Supported VPN Networ k Access Servers A CS 5.3 supports the followi ng VPN network access serv ers: • Cisco ASA 5500 Series • Cisco VPN 3000 Series Related Topics • VPN Remote Network A ccess, page 4-20 • S ...
Cisco Systems OL-24201-01 - page 87

4-23 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS ACS and Cisco Security Group Access Related Topics • VPN Remote Network A ccess, page 4-20 • Supported Authenticati on Protocols, page 4-21 • Supported Identity Stores, pag e 4-21 • Supported VPN Netw ork Access Servers, page 4-22 ? ...
Cisco Systems OL-24201-01 - page 88

4-24 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS ACS and Cisco Security Group Access 6. Config uring EAP-F AST Setti ngs for Security Group Access . 7. Creating an Access Service for Security Group Acces s . 8. Creating an Endpoint A dmission Control Po licy . 9. Creating an Egress Policy ...
Cisco Systems OL-24201-01 - page 89

4-25 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS ACS and Cisco Security Group Access Devices co nsider only the SGT v alue; the name and descr iption of a security group are a management con venience and are not con veyed to the de vices. Therefore, changing the name or description of the ...
Cisco Systems OL-24201-01 - page 90

4-26 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS ACS and Cisco Security Group Access T o conf igure an ND A C polic y for a de vice: Step 1 Choose Access Policies > Security Gr oup Access Control > Security Group Access > Network Device Access > A uthorization Policy . Step 2 ...
Cisco Systems OL-24201-01 - page 91

4-27 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS ACS and Cisco Security Group Access Step 5 Click Next . The Access Services Properties page appears. Step 6 In the Authenticati on Protocols area, check the relev ant protoc ols for your access service. Step 7 Click Finish . Creating an Endp ...
Cisco Systems OL-24201-01 - page 92

4-28 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS ACS and Cisco Security Group Access The first r ow (topmost) of t he matr ix contains the column headers, which display the destination SGT . The first co lumn (far left) contain s the row t itles, with the source SG displayed. At t he inte ...
Cisco Systems OL-24201-01 - page 93

4-29 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS RADIUS and TACACS+ Pro xy Requests T o cr eate a default polic y: Step 1 Choose Access Policies > Security Gr oup Acc ess Control > Egress P olicy then choose Default Policy . Step 2 Fill in the f ields as in the Default Po licy for Eg ...
Cisco Systems OL-24201-01 - page 94

4-30 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS RADIUS and TACACS+ Proxy Requests During proxying, ACS: 1. Receiv es the following packets from the N AS and forwards them to the remote RADIUS server: • Access-Request • Accounting-Request packets 2. Receiv es the follo wing packets fr ...
Cisco Systems OL-24201-01 - page 95

4-31 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS RADIUS and TACACS+ Pro xy Requests The T ACA CS+ proxy feature in A CS supports the follo wing protocols: • PA P • ASCII • CHAP • MSCHAP authentications types Related Topics • RADIUS and T A CACS+ Proxy Requests, page 4-29 • Supp ...
Cisco Systems OL-24201-01 - page 96

4-32 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS RADIUS and TACACS+ Proxy Requests Configuring Proxy Service T o conf igure proxy services: Step 1 Config ure a set of remote RADIUS and T ACA CS+ servers. For informatio n on how to configure remote servers, see Creating , Duplicating, and ...
Cisco Systems OL-24201-01 - page 97

CH A P T E R 5-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 5 Understanding My Workspace The Cisco Secure A CS web interface is designed to be vie wed using Microsoft Internet Explor er 7.x, 8.x, and 9.x and Mozi lla Firefox 3.x and 4.x. The web interface not only makes vie wing and administering A CS possible, but i t also ...
Cisco Systems OL-24201-01 - page 98

5-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Task Guides Task Guides From the My W orkspace dra wer , you can access T asks Guides. When you click an y of the tasks, it opens a frame on the right side of the we b interface. This frame contains step -by-step instruc tions as well as lin ...
Cisco Systems OL-24201-01 - page 99

5-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Using the Web In terface Related Topics • Config uring Authentication Settings for Administrato rs, page 16-9 • Changing the Ad ministrator Password, page 16-13 Using the Web Interface Y ou can conf igure and administer A CS through the ...
Cisco Systems OL-24201-01 - page 100

5-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Using the Web Interface Logging In T o log in to the A CS web interf ace for the f irst time after installation: Step 1 Enter the A CS URL in your browser , for example https:// acs_host /acsadmin , where /acs_ho st is the IP address or Doma ...
Cisco Systems OL-24201-01 - page 101

5-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Using the Web In terface Step 7 See Installing a License File, page 18 -35 to install a v alid license. • If your login is successful, the main page of the ACS web interface appears. • If your login is unsuccessful , the follo wing error ...
Cisco Systems OL-24201-01 - page 102

5-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Using the Web Interface Web Interface Design Figure 5-1 sho ws the overall design of the A CS w eb interface. Figure 5-1 ACS W eb Interf ace The interface contains: • Header , page 5-6 • Navig ation Pane, pag e 5-7 • Content Area, page ...
Cisco Systems OL-24201-01 - page 103

5-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Using the Web In terface Navigation Pane Use the navigation pane to navigate through the drawers of the we b interface (see Figure 5-3 ). Figure 5-3 Navig ation P ane Ta b l e 5 - 3 describes the function o f each drawer . T o open a drawer ...
Cisco Systems OL-24201-01 - page 104

5-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Using the Web Interface The options listed beneath dra wers in the na vigation pane are or ganized in a tree structure, where appropriate. The options in the tr ee structure are dynamic and can chan ge based on administrator actions. Creatin ...
Cisco Systems OL-24201-01 - page 105

5-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Using the Web In terface Web Interface Location Y our current location in the interface ap pears at the top of the content a rea. Figure 5-5 sho ws that the location is the Poli cy Elements drawer and t he Network De vices and AAA Clients pa ...
Cisco Systems OL-24201-01 - page 106

5-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Using the Web Interface T able 5-4 Common Cont ent Ar ea Butt o ns and Fields for List P ages Button or Field Description Rows per page Use the drop-down list to specify the num ber of items to disp lay on this page. Options: • 10—Up to ...
Cisco Systems OL-24201-01 - page 107

5-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Using the Web In terface T ree table pages are a v ariation of list pages (see Figure 5-6 ). Y ou can perform the same operations on tree table pages that you can on l ist pages, except for paging. In addition, with tree tabl e pages: • A ...
Cisco Systems OL-24201-01 - page 108

5-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Using the Web Interface Filtering Large lists in a content area windo w or a secondary window (see Figure 5-9 ) can be dif ficult to navigate through and select the data that you w ant. Y ou can us e the web interface to f ilter data in the ...
Cisco Systems OL-24201-01 - page 109

5-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Using the Web In terface For pages that do not ha ve a Name or Description column, the sorting mechan ism may be supported in the left-most column of the pa ge, or the Descript ion column. Place your curs or ov er a column heading to determ ...
Cisco Systems OL-24201-01 - page 110

5-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Using the Web Interface Figur e 5-9 Secondary Windo w In addition to selectin g and filt ering data, you can cr eate a selectable object within a secondary windo w . For ex ample, if you attempt to cr eate a us ers internal identity store, ...
Cisco Systems OL-24201-01 - page 111

5-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Using the Web In terface Figur e 5-1 0 T ransf er Box T able 5-6 T ransf er Box Fields and But tons Field or Button Description A v ailable List of av ailable items for selection. Selected Ordered list of selected items. Right arrow (>) ...
Cisco Systems OL-24201-01 - page 112

5-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Using the Web Interface Schedule Boxes Schedule boxes are a common element in content area pages (see Figure 5-10 ). Y ou use them to select activ e times for a policy element from a grid, where each ro w represents a day of the week and ea ...
Cisco Systems OL-24201-01 - page 113

5-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Using the Web In terface Directly above the rule ta ble are two displa y options: • Standard Polic y—Click to display the stand ard policy rule tabl e. • Exception Po licy—Click to di splay the exceptio n policy rule tab le, which t ...
Cisco Systems OL-24201-01 - page 114

5-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Importing and Ex porting ACS Objects through the Web In terface Related Topic • A CS 5.x Polic y Model Importing and Exporting ACS Objects through the Web Interface Y ou can use the import functionality in A CS to add, up date, or delete ...
Cisco Systems OL-24201-01 - page 115

5-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Importing and Exporting ACS Ob jects throug h the Web Interface Ta b l e 5 - 9 lists the A CS objects, their properties, and the property data types. The imp ort template for each of the objects contain s the properties described in this ta ...
Cisco Systems OL-24201-01 - page 116

5-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Importing and Ex porting ACS Objects through the Web In terface Fields that ar e optional can be left empt y and A C S substitutes the def ault v alues for those f ields. For e xample, whe n fie lds that are rela ted to a hierar chy are lef ...
Cisco Systems OL-24201-01 - page 117

5-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Importing and Exporting ACS Ob jects throug h the Web Interface Downloading the Template from the Web Interface Before you can create the import file, you must downlo ad the import f ile templates from the A CS web interface. T o do wnload ...
Cisco Systems OL-24201-01 - page 118

5-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Importing and Ex porting ACS Objects through the Web In terface For e xample, the internal user Add temp late contains the fields described in Ta b l e 5 - 1 0 : Each ro w of the .csv f ile corresponds to one internal user re cord . Y ou mu ...
Cisco Systems OL-24201-01 - page 119

5-23 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Importing and Exporting ACS Ob jects throug h the Web Interface Figure 5-12 Add Users – Import File Step 4 Sav e the add users import file to your local disk. Updating the Records in the ACS Internal Store When you update the records in t ...
Cisco Systems OL-24201-01 - page 120

5-24 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Importing and Ex porting ACS Objects through the Web In terface Figur e 5-13 Update Users–Import File Note The second column, Updated name, is the addi tional column that you can add to the Update template. Deleting Records from the ACS I ...
Cisco Systems OL-24201-01 - page 121

5-25 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Common Errors Common Errors Y ou might encounter these common errors: • Concurrency Co nflict Errors, page 5-25 • Deletion Errors, page 5-26 • System F ailure Errors, page 5-27 • Accessibility , page 5- 27 Concurrency Conflict Error ...
Cisco Systems OL-24201-01 - page 122

5-26 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Common Errors Error Message The item you are trying to Submit i s referencing items that do not exist anymore. Explanation Y ou attempted to edit or duplicate an it em that is referencing an item th at another user deleted while yo u tried ...
Cisco Systems OL-24201-01 - page 123

5-27 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Accessibility System Failure Errors System failure errors occur when a system malfunc tion is detect ed. When a sys tem failur e error is detected, a dialog box appears, with an error messa ge and OK b utton. Read the error message, click O ...
Cisco Systems OL-24201-01 - page 124

5-28 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Accessibility • Color used as an enhan cement of information only , not as the only indicator . F or example, required fields are associated with a red asterisk. • Confir mation messages for important setti ngs and actions. • User-con ...
Cisco Systems OL-24201-01 - page 125

CH A P T E R 6-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 6 Post-Installation Configuration Tasks This chapter pro vides a set of conf iguration tasks that you must perform to work with A CS. This chapter contains the follo wing sections: • Config uring Minimal System Setup, page 6-1 • Config uring A CS to Perform Syst ...
Cisco Systems OL-24201-01 - page 126

6-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 6 Post-In stallation Configuration Tasks Configuring ACS to Perfor m System Administration Tasks Configuring ACS to Perform System Administration Tasks Ta b l e 6 - 2 lists the set of syst em administration tasks that you must perform to admini ster A CS. Ta b l e 6 - 2 ...
Cisco Systems OL-24201-01 - page 127

6-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 6 Post-Ins tallation Configuration Tasks Configuring ACS to Perfor m System Administration Tasks Step 8 Add users or hosts to the internal identity sto re, or define external identity stores, or both. • For internal i dentity stores: Users and Identity Stores > Inte ...
Cisco Systems OL-24201-01 - page 128

6-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 6 Post-In stallation Configuration Tasks Configuring ACS to Manage Access Polic ies Configuring ACS to Manage Access Policies Ta b l e 6 - 3 lists the set of tasks that you must perform to manage access restrictions and permissi ons. Configuring ACS to Monitor and Troubl ...
Cisco Systems OL-24201-01 - page 129

6-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 6 Post-Ins tallation Configuration Tasks Configuring ACS to Monitor and Troubleshoot Problems in the Network Step 4 Enable sys tem alarms an d specify ho w you wou ld like to recei ve notif ication. Monitoring Conf iguration > System Config uration > System Alarm S ...
Cisco Systems OL-24201-01 - page 130

6-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 6 Post-In stallation Configuration Tasks Configuring ACS to Mo nitor and Troublesho ot Problems in the Network ...
Cisco Systems OL-24201-01 - page 131

CH A P T E R 7-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 7 Managing Network Resources The Network Resource s drawer defines elements within the networ k that issue requests to A CS or those that A CS interacts with as part of processing a requ est. This includes the network devices that issue the requests and external ser ...
Cisco Systems OL-24201-01 - page 132

7-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Network Device Groups Network Device Groups In A CS, you can de fine network de vice groups (ND Gs ), which are sets of de vices. These NDGs pro vide logical groupin g of devi ces, for examp le, Devi ce Location or T ype, which you can use i ...
Cisco Systems OL-24201-01 - page 133

7-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Network Device Groups Step 4 Click Submit . The network de vice group conf iguration is sa ved. The Network De vice Groups page appears with the ne w network de vice group configurat ion. Related Topics • Network De vice Groups, page 7-2 ...
Cisco Systems OL-24201-01 - page 134

7-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Network Device Groups Creating, Duplicating, and Editing Network Device Groups Within a Hierarchy Y ou can arrange the netw ork de vice group node hierarchy accord ing to your needs by choo sing parent and child relationships fo r new , d up ...
Cisco Systems OL-24201-01 - page 135

7-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Network Devices and AAA Clients Deleting Network Device Groups from a Hierarchy T o delete a netw ork dev ice group from within a hierarch y: Step 1 Choose Network Resour ces > Network Device Gr oups . The Network De vice Groups page app ...
Cisco Systems OL-24201-01 - page 136

7-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Network Devices and A AA Clients Y ou must install Security Group Access license to enable Security Group A ccess options. The Security Group Access options only appear if y ou hav e installed the Secur ity Group Access license. F or more in ...
Cisco Systems OL-24201-01 - page 137

7-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Network Devices and AAA Clients – Device T y pe Y ou can specify full IP ad dress, or IP address with wildcard “* ” or , with IP address range, such as [15-20] in the IP address search field. The wi ldcard “*” and the IP rang e [1 ...
Cisco Systems OL-24201-01 - page 138

7-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Network Devices and A AA Clients Step 2 Choose the filter condition and the Match if operator , and enter the f ilter criterion that you are looking for in the te xt box. Step 3 Click Go . A list of recor ds that match y our filter criterion ...
Cisco Systems OL-24201-01 - page 139

7-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Network Devices and AAA Clients Step 3 Click any one of the follo wing operations if you hav e pre viously created a template-based .csv f ile on your local disk: • Add—Adds the records in th e .csv file to the records currently a v ail ...
Cisco Systems OL-24201-01 - page 140

7-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Network Devices and A AA Clients Exporting Network Resources and Users T o e xport a list of network resources or u sers: Step 1 Click Export on the Users, Network De vices, or MA C Address page of the web interface. The Network De vice pag ...
Cisco Systems OL-24201-01 - page 141

7-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Network Devices and AAA Clients The first page of the Create Network De vice process appears if you are creating a ne w network d evice. The Network Device Properties page for the selected device appears if you are duplicating o r editing ...
Cisco Systems OL-24201-01 - page 142

7-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Network Devices and A AA Clients IP Range(s) By Mask Choose to enter an IP address range. Y ou can configure up to 40 IP addresses or sub net masks for each network device. If you use a subnet ma sk in th is field, all IP addresses within t ...
Cisco Systems OL-24201-01 - page 143

7-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Network Devices and AAA Clients Single Connect Device Check to use a single TCP connection for all T ACA CS+ communication wit h the network de vice. Choose one: • Legac y T A CA CS+ Single Conn ect Support • T A CA CS+ Draft Complian ...
Cisco Systems OL-24201-01 - page 144

7-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Network Devices and A AA Clients Displaying Network Device Properties Choose Network Resour ces > Network De vices and AAA Clients , then click a de vice name or check the check box ne xt to a de vice name, and click Edit or Duplicate . ...
Cisco Systems OL-24201-01 - page 145

7-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Network Devices and AAA Clients IP Range(s) By Mask Choose to enter an IP addre ss range. Y ou can configure up to 40 IP addresses or subnet masks for each network de vice. If you use a subn et mask in this f iel d, all IP addresses within ...
Cisco Systems OL-24201-01 - page 146

7-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Network Devices and A AA Clients RADIUS Shared Secret Shared secret of the network d evice, if y ou hav e enabled the RA DIUS protocol. A shared secret is an expected string of te xt, which a user must pro vide before the netwo rk device au ...
Cisco Systems OL-24201-01 - page 147

7-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Configuring a Default Network Device Related Topics: • V ie wing and Performing Bulk Operations fo r Network De vices, page 7-6 • Creating, Duplicati ng, and Editing Netw ork De vice Groups, page 7- 2 Deleting Network Devices T o delet ...
Cisco Systems OL-24201-01 - page 148

7-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Configuring a Default Network Device Choose Network Resour ces > Default Network De vice to conf igure the default network de vice. The Default Netw ork De vice page appears, di splaying the informat ion described in Ta b l e 7 - 6 . T a ...
Cisco Systems OL-24201-01 - page 149

7-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Working with Extern al Proxy Servers Related Topics • Network De vice Groups, page 7-2 • Network De vices and AAA Clients, page 7-5 • Creating, Duplicati ng, and Editing Netw ork De vice Groups, page 7- 2 Working with External Proxy ...
Cisco Systems OL-24201-01 - page 150

7-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Working with Exte rnal Proxy Servers Step 2 Do one of the foll ow ing: • Click Crea te . • Check the check box next to the external proxy server that you want to duplicate, then click Duplicate . • Click the exte rnal proxy server nam ...
Cisco Systems OL-24201-01 - page 151

7-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Working with Extern al Proxy Servers Note If you want A CS to forward un known RADIUS attrib utes you ha ve to define VSAs f or proxy . Related Topics • RADIUS and T A CA CS+ Proxy Services, page 3-7 • RADIUS and T A CACS+ Proxy Reques ...
Cisco Systems OL-24201-01 - page 152

7-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Working with Exte rnal Proxy Servers ...
Cisco Systems OL-24201-01 - page 153

CH A P T E R 8-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 8 Managing Users and Identity Stores Overview A CS manages your network de vices and other A C S clients by using the A CS network resource repositories and identity stores. When a host conn ects to the network through ACS requesting access to a particular network r ...
Cisco Systems OL-24201-01 - page 154

8-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Overview Fixed components are: • Name • Description • Password • Enabled or disabled status • Identity grou p to which users belong Config urable components are: • Enable password f or T ACA CS+ authentication • Sets of ...
Cisco Systems OL-24201-01 - page 155

8-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Overview Identity Stores with Tw o-Factor Authentication Y ou can use t he RSA SecurID T oken Serv er and RA DIUS Ident ity Server t o provide two-facto r authentication. These extern al identity stores use an O TP that pr ovides g re ...
Cisco Systems OL-24201-01 - page 156

8-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Intern al Identity Stores Identity Sequences Y ou can configure a complex condition where multiple identity stores an d prof iles are used to process a request. Y ou can define these identity met hods in an Identity Sequence ...
Cisco Systems OL-24201-01 - page 157

8-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Id entity Stores • Authentication informatio n Note A CS 5.3 supports authent ication for internal users against th e internal identity sto re only . This section contains the following topics: • Authentication I ...
Cisco Systems OL-24201-01 - page 158

8-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Intern al Identity Stores Identity Groups Y ou can assign each i nternal user to one identit y group. Iden tity groups are def ined within a hi erarchical structure. Th ey are lo gical entities t hat are associ ated with use ...
Cisco Systems OL-24201-01 - page 159

8-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Id entity Stores Related Topics • Managing Users an d Identity Stores, pa ge 8-1 • Managing Intern al Identity Sto res, page 8-4 • Performing Bulk Operation s for Network Resources and Users, page 7-8 • Ident ...
Cisco Systems OL-24201-01 - page 160

8-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Intern al Identity Stores Standard Attributes Ta b l e 8 - 1 describes the standard attributes in the internal us er record. User Attributes Administrators can create and ad d user-d efined attribut es from the set of identi ...
Cisco Systems OL-24201-01 - page 161

8-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Id entity Stores In A CS 5.3, you can configure i dentity attrib utes that are used within your policies, in th is order: 1. Define an identity attribute (using t he user dictionary). 2. Define custom conditions t o ...
Cisco Systems OL-24201-01 - page 162

8-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Intern al Identity Stores Step 3 In the Advanced tab, enter the values for the criter ia th at you want to configure for your user authentication process. Ta b l e 8 - 3 describe s the fields in the Advanced tab . Passwor d ...
Cisco Systems OL-24201-01 - page 163

8-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Id entity Stores Step 4 Click Submit . The user password is configured with the de fined criteria. These criteria will apply only for future lo gins. Note A CS supports an y character as passw ords and shar ed secre ...
Cisco Systems OL-24201-01 - page 164

8-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Intern al Identity Stores • Click the username that you want to modify , or check the check box next to the name and click Edit . • Check the check box next to the user whos e password you w ant to change, then click Ch ...
Cisco Systems OL-24201-01 - page 165

8-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Id entity Stores Description (Optional) Descrip tion of the user . Identity Group Click Select to display the Id entity Groups windo w . Choose an identity group and click OK to configure the user wi th a specif ic ...
Cisco Systems OL-24201-01 - page 166

8-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Intern al Identity Stores Step 5 Click Submit . The user configuration is saved. The Internal Users pa ge appears with the new configuration. Related Topics • Config uring Authentication Settings for Users, page 8-9 • V ...
Cisco Systems OL-24201-01 - page 167

8-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Id entity Stores Step 4 Click OK . The Internal Users page appears without the deleted users. Related Topics • V iewing and Perform ing Bulk Operations for Internal Identity Store Users, page 8-15 • Creating Int ...
Cisco Systems OL-24201-01 - page 168

8-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Intern al Identity Stores Creating Hosts in Identity Stores T o create, d uplicate, or edit a MA C address and assign identity groups to in ternal hosts: Step 1 Select Users and Identity Stores > Inter nal Identity Stor ...
Cisco Systems OL-24201-01 - page 169

8-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Id entity Stores Step 4 Click Submit to sav e changes. The MA C address configuration is sa ved. The Internal MA C list page appears with the new configuration. Note Hosts with wildcards (suppor ted formats) for MA ...
Cisco Systems OL-24201-01 - page 170

8-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Intern al Identity Stores Deleting Internal Hosts T o delete a MA C address: Step 1 Select Users and Identity Stores > Inter nal Identity Stor es > Hosts . The Internal MA C List page appears, w ith any configured MA ...
Cisco Systems OL-24201-01 - page 171

8-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Id entity Stores • Policies and Identity Attr ibutes, p age 3-17 • Config uring an Identity Group f or Host Lookup Network Access Requ ests, page 4-18 Management Hierarchy Management Hierarch y enables the admin ...
Cisco Systems OL-24201-01 - page 172

8-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Intern al Identity Stores The administrator can conf igure an y le vel of hi erarchy while def ining management centers or AAA client locations. Th e syntax for ManagementHierarchy attrib ute is: <Hierar chyName>: < ...
Cisco Systems OL-24201-01 - page 173

8-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Id entity Stores Related Topics Config uring and Using HostI sInManagement Hierar chy Attrib utes, page 8-21 . Configuring and Using HostIsInM anagement Hierarchy Attributes T o configure and use HostIsInMana gement ...
Cisco Systems OL-24201-01 - page 174

8-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Managing External Identity Stores A CS 5.3 integrates with e xternal identity sy stems in a number of w ays. Y ou can le verage an e xternal authentication service or use an ex ternal system to obt ...
Cisco Systems OL-24201-01 - page 175

8-23 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores • Config uring LD AP Groups, page 8-33 • V ie wing LD AP Attrib utes, page 8-34 Directory Service The directory service is a software application, or a set of applications, for storin g and organ ...
Cisco Systems OL-24201-01 - page 176

8-24 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Failover A CS 5.3 supports failo ver between a primary LD AP se rver and secondary LD AP server . In the context of LD AP authent ication with A CS , failover applie s when an authentication reques ...
Cisco Systems OL-24201-01 - page 177

8-25 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Possible reasons for an LD AP server to return bind (authentication) errors are: – Filtering errors—A search using f ilter criteria fails. – Parameter errors—In valid parameters were entered. ...
Cisco Systems OL-24201-01 - page 178

8-26 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores • Unsigned Integer 32 • IPv4 Address For unsig ned integers and IPv 4 attrib utes, A CS conv erts the strings that it has retrie ved to the corresponding data types. If con version f ails or if ...
Cisco Systems OL-24201-01 - page 179

8-27 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Step 5 Continue with Conf iguring an External LD AP Server Connection, page 8-27 . Note N A C guest Server can also be used as an External LD AP Server . For proced ure to use NA C guest server as an ...
Cisco Systems OL-24201-01 - page 180

8-28 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Anonymous Access Click to ensure that searches on the LDAP directory occur anonym ously . The server does not distinguish who th e client is and will allo w the cl ient read access to any data that ...
Cisco Systems OL-24201-01 - page 181

8-29 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Step 2 Click Next . Step 3 Continue with Conf iguring External LD AP Directory Or ganization, page 8-29 . Configuring External LDAP Directory Organization Use this page to configure an external LD AP ...
Cisco Systems OL-24201-01 - page 182

8-30 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores T able 8-8 LD AP: Dir ect ory Or ganization P age Option Description Schema Subject Object class V alue of the LD AP objectClass attribute that id entifies th e subject. Often, subject records hav ...
Cisco Systems OL-24201-01 - page 183

8-31 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Subject Search B ase Enter the distinguishe d name (DN ) fo r the subtree that contains all subjects. For example: o=corporati on.com If the tree containing subjects is the base DN, enter: o=corporat ...
Cisco Systems OL-24201-01 - page 184

8-32 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Step 2 Click Finis h . The external identity st ore you created is sav ed. Username PrefixS uffix Stripping Strip start of subject name up to the last occurrence of the separator Enter the appropr ...
Cisco Systems OL-24201-01 - page 185

8-33 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Related Topics • Config uring LD AP Groups, page 8-33 • Deleting External LD AP Identity Stores, page 8 -33 Deleting External LDAP Identity Stores Y ou can delete one or more e xternal LD AP iden ...
Cisco Systems OL-24201-01 - page 186

8-34 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Viewing LDAP Attributes Use this page to view the external LD A P attributes. Step 1 Select Users and Identity Stores > Exter nal Identity Stor es > LD AP . Step 2 Check the check box next to ...
Cisco Systems OL-24201-01 - page 187

8-35 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores This means th e switch port to wh ich these de vices attach cannot authenticate them using the 802.1X exch ange of de vice or user creden tials and must re vert to an authenticati on mechanism other ...
Cisco Systems OL-24201-01 - page 188

8-36 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Figur e 8-1 LD AP Int erf ace Configur ation in NAC Pr ofiler Step 5 Click Update Serv er . Step 6 Click the Conf iguration tab and click A pply Changes . The Update N A C Profiler Modules pa ge ap ...
Cisco Systems OL-24201-01 - page 189

8-37 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Step 2 Choose Conf iguration > Endpoint Pr of iles > V i ew/Edit Prof iles List . A list of prof iles in a table appears. Step 3 Click on the name of a prof ile to edit it. Step 4 In the Sa ve ...
Cisco Systems OL-24201-01 - page 190

8-38 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores T o edit the N A C Prof iler template in A CS: Step 1 Choose Users and Identity Stor es > External Identity Stor es > LD AP . Step 2 Click on the name of the N AC Prof iler template or ch eck ...
Cisco Systems OL-24201-01 - page 191

8-39 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Figur e 8-5 T est Bind to Server Dialog Bo x For more information, see Cr eating External LD AP Identity Stores, page 8-26 . Note The default password for LD AP is GBSbeacon . If you w ant to change ...
Cisco Systems OL-24201-01 - page 192

8-40 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores • Number of Subjects: 100 • Number of Director y Groups: 6 Figur e 8-7 T est Configuration Dialog Bo x Number of Subjects —This v alue maps to the actual subj ect de vices already prof iled b ...
Cisco Systems OL-24201-01 - page 193

8-41 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores For more information on features like Ev ent Deli very Method and Activ e Response, see the Cisco N AC Pr ofiler Installation and Conf iguration Gu ide, Release 3.1 at the follo wing location: http:/ ...
Cisco Systems OL-24201-01 - page 194

8-42 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores The AD user password change using the abo ve met hods must fo llo w the AD passwor d policy . Y ou must check with your AD administrator to kno w the complete AD password pol icy rule. AD passw ord ...
Cisco Systems OL-24201-01 - page 195

8-43 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores If there is a fi rew all between A CS and AD, certain ports need to be opened in order t o allow A CS to communicate with AD. The foll owing are the default por ts to be opened: Note Dial-in users ar ...
Cisco Systems OL-24201-01 - page 196

8-44 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Attribute Retrieval for Authorization Y ou can configure A CS to retriev e user or machine AD attributes to be use d in authori zation and g roup mapping rules. The attrib utes are mapped to the A ...
Cisco Systems OL-24201-01 - page 197

8-45 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Machine Access Restrictions MAR helps tying the results of machin e authentication to user authentication an d authori zation process. The most common usage of MAR is to fail authen tication of users ...
Cisco Systems OL-24201-01 - page 198

8-46 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores The Engineers' rule is an example of MAR rule that only allows e ngineers access if their machine was successfully authenticated against windows DB. The Managers' rule is an exam ple of a ...
Cisco Systems OL-24201-01 - page 199

8-47 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Dial-in Support Attributes The user attributes on Activ e Director y are supported on the follo wing serv ers: • W indo ws server 2003 • W indo ws server 2003 R2 • W indo ws server 2008 • W i ...
Cisco Systems OL-24201-01 - page 200

8-48 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Joining ACS to an AD Domain After you conf igure the AD identity store in A CS th rough the A CS web interface, you must submi t the confi guration to join A CS to the AD domain. F or more informat ...
Cisco Systems OL-24201-01 - page 201

8-49 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Step 3 Click: Username Predefined user in AD. AD account require d for doma in access in A CS should have either of the follo wing: • Add workstations t o domain user right in correspo nding domain ...
Cisco Systems OL-24201-01 - page 202

8-50 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores • Sa ve Changes to sav e the conf iguration, join the A CS to the specified AD domain with the configured credentials, and start the AD agent. • Discard Changes to discard all changes. • If A ...
Cisco Systems OL-24201-01 - page 203

8-51 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores The External User Groups dialog box appears displaying a list of AD grou ps in the domain, as well as other trusted domains in the same forest. If you ha ve more group s that are not displayed, use t ...
Cisco Systems OL-24201-01 - page 204

8-52 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Step 3 Click: • Sa ve Changes to sav e the configuration. • Discard Changes to discard all changes. T able 8-1 1 Activ e Direct ory: A t tr ibutes P age Option Description Name of ex ample Subj ...
Cisco Systems OL-24201-01 - page 205

8-53 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores • If AD is already con figured an d you want to del ete it, click Clear Conf iguration after you v erify that there are no policy rules that use cu stom conditions based on the AD dictionary . AD D ...
Cisco Systems OL-24201-01 - page 206

8-54 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores RSA SecurID Server A CS supports the RSA SecurID server as an extern al database. RSA SecurID two-factor authentication consists of the user’ s personal identif ication number (PIN) and an indi v ...
Cisco Systems OL-24201-01 - page 207

8-55 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Override Automatic Load Balancing RSA SecurID Agent automatically balances the re quested loads on the RSA Sec urID servers in the realm. Ho we ver , you do hav e the option to manu ally balance the ...
Cisco Systems OL-24201-01 - page 208

8-56 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Step 4 Click the A CS Instance Settings tab . See Configuring A CS Instance Settings, page 8-57 for more inform ation. Step 5 Click the Advanced tab . See Configuring A dvan ced Options, page 8-59 ...
Cisco Systems OL-24201-01 - page 209

8-57 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Related Topics: • RSA SecurID Server , pa ge 8-54 • Config uring A CS Instance Settings, page 8-57 • Config uring Adv anced Optio ns, page 8-59 Configuring ACS Instance Settings The A CS Instan ...
Cisco Systems OL-24201-01 - page 210

8-58 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Enable the RSA options file Y ou can enable the RSA options file ( sdopts.r ec ) on each ACS instance to control routing priorities for connections between the RSA agent and the RSA servers in the ...
Cisco Systems OL-24201-01 - page 211

8-59 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Step 1 Choose either of the follo wing options: • T o reset node secret on the agent host, check the Remove securid f ile on submit check box. If you reset the node secret on t he agent host, you m ...
Cisco Systems OL-24201-01 - page 212

8-60 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Related Topics • RSA SecurID Server , pa ge 8-54 • Creating and Editing RSA SecurI D T ok en Servers, pa ge 8-55 • Config uring A CS Instance Settings, page 8-57 • Editing A CS Instance Set ...
Cisco Systems OL-24201-01 - page 213

8-61 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Failover A CS 5.3 allows you to configure mul tiple RADIUS identity stores. Each RADIUS i dentity store can hav e primary and secondary RADIUS servers. When AC S is unable to c onnect to t he primar ...
Cisco Systems OL-24201-01 - page 214

8-62 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores RADIUS Identity Store in Identity Sequence Y ou can add the RADIUS identity store for authentica tion sequence in an iden tity sequence. Howe ver , you cannot add th e RADIUS identity store fo r at ...
Cisco Systems OL-24201-01 - page 215

8-63 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Safew ord token servers support bo th the formats. A CS works with v arious token servers. While configuring a Safe word server , yo u must check the Safew ord Server check box for A CS to parse the ...
Cisco Systems OL-24201-01 - page 216

8-64 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Step 2 Click Cr eate . Y ou can also: • Check the check box ne xt to the identi ty store you want to d uplicate, then click Duplicate . • Click the iden tity store name that yo u want to modi f ...
Cisco Systems OL-24201-01 - page 217

8-65 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Server Connection Enable Secondary Server Check this check box to use a secondary RADIUS identity server as a backup server in case the pr imary RADIUS identity server f ails. If you enable the secon ...
Cisco Systems OL-24201-01 - page 218

8-66 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Related Topics • RADIUS Identity St ores, page 8-60 • Creating, Duplicating , and Editing RADIUS Identi ty Servers, page 8-63 • Config uring Shell Prompts, page 8-6 6 • Config uring Directo ...
Cisco Systems OL-24201-01 - page 219

8-67 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Configuring Directory Attributes When a RADIUS identity server responds to a reques t, RADIUS attributes are return ed along with the response. Y ou can make use of these RADI US attrib utes in polic ...
Cisco Systems OL-24201-01 - page 220

8-68 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Configuring CA Certificates • Config uring Shell Prompts, page 8-6 6 • Config uring Adv anced Optio ns, page 8-68 Configuring Advanced Options In the Adv anced tab, you can do the follo wing: • Define what an access reject fro ...
Cisco Systems OL-24201-01 - page 221

8-69 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Configuring CA Certificates Y ou use the CA options to install digital certif icate s to support EAP-TLS authentication. A CS uses the X.509 v3 digital certificate standard. A CS also supports manual certificate acquisition and pro v ...
Cisco Systems OL-24201-01 - page 222

8-70 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Configuring CA Certificates Step 4 Click Submit . The new cert ificat e is sav ed. The T rust Certif i cate List page appears with the new certif icate. Related Topics • User Certificate Auth entication, page B-6 • Overvie w of ...
Cisco Systems OL-24201-01 - page 223

8-71 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Configuring CA Certificates Step 3 Click Submit . The T rust Certificate page appe ars with the edited certificate. Related Topics • User Certificate Auth entication, page B-6 • Overvie w of EAP-TLS, page B-6 Deleting a Certifica ...
Cisco Systems OL-24201-01 - page 224

8-72 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Configuring Certificat e Authentication Profiles Related Topic • Overvie w of EAP-TLS, page B-6 Exporting a Certificate Authority T o e xport a t rust certif icate: Step 1 Select Users and Identity Stores > Certif icate A uthor ...
Cisco Systems OL-24201-01 - page 225

8-73 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Configuring Certificat e Authen tication Profiles T o cr eate, duplicate , or edit a certif icate authentication profile: Step 1 Select Users and Identity Stores > Cert ificate A uthe nticatio n Profile . The Certificate Authentic ...
Cisco Systems OL-24201-01 - page 226

8-74 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Configuring Identity Store Sequences Configuring Identity Store Sequences An access service identity polic y determines the iden tity sources that A CS uses for authentication and attrib ute retrie v al. An identity source consi sts ...
Cisco Systems OL-24201-01 - page 227

8-75 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Configuring Identity Store Sequences Step 2 Do one of the foll ow ing: • Click Cr eate . • Check the check box ne xt to the sequence that you want to duplicat e, then click Duplicate . • Click the sequence name that you want to ...
Cisco Systems OL-24201-01 - page 228

8-76 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Configuring Identity Store Sequences Step 3 Click Submit . The Identity Store Sequen ces page reappears. Related Topics • Performing Bulk Operation s for Network Resources and Users, page 7-8 • V ie wing Identity Polici es, page ...
Cisco Systems OL-24201-01 - page 229

8-77 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Configuring Identity Store Sequences • Managing Intern al Identity Sto res, page 8-4 • Managing External Iden tity Stores, page 8-22 • Config uring Certif icate Authentication Prof iles, page 8-72 • Creating, Duplicating , an ...
Cisco Systems OL-24201-01 - page 230

8-78 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Configuring Identity Store Sequences ...
Cisco Systems OL-24201-01 - page 231

CH A P T E R 9-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 9 Managing Policy Elements A policy def ines the authenti cation and authorizat ion processing of cl ients that attempt to access the A CS network. A clien t can be a user , a network de vice, or a user associated with a netw ork de vice. Policies are sets of rules. ...
Cisco Systems OL-24201-01 - page 232

9-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Policy Conditions Y ou can map users and hosts to identity grou ps by using the group mapping polic y . Y ou can include identity groups in cond itions to conf igure common policy co nditions for all users in the group. F or more info ...
Cisco Systems OL-24201-01 - page 233

9-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Policy Con ditions • Deleting a Session Condition , page 9-6 • Managing Netw ork Conditions, page 9 -6 See Chapter 3, “ ACS 5.x Polic y Model” for informati on about additional condit ions that you can use in policy ru les, alt ...
Cisco Systems OL-24201-01 - page 234

9-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Policy Conditions T o add date and ti me conditions to a policy , you must first customize the rule table. See Customizing a Polic y , page 10-4 . Step 4 Click Submit . The date and time condition is sa ve d. The Date and T ime Condit ...
Cisco Systems OL-24201-01 - page 235

9-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Policy Con ditions Creating, Duplicating, and Editing a Custom Session Condition The protocol and i dentity dictionaries co ntain a larg e number of at tribu tes. T o u se any of these attri bute s as a condition in a p olicy rule, you ...
Cisco Systems OL-24201-01 - page 236

9-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Policy Conditions Step 4 Click Submit . The new custom session condi tion is saved. The Custom Condition p age appears with th e new custom session conditio n. Clients that are associated with this con dition are subject to it f or th ...
Cisco Systems OL-24201-01 - page 237

9-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Policy Con ditions A CS of fers three types of filters: • End Station Filt er—Filters end statio ns, such as a laptop or print er that initiates a connection based on the end station’ s IP address, MA C ad dress, CLID number , or ...
Cisco Systems OL-24201-01 - page 238

9-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Policy Conditions This section contains the following topics: • Importing Netwo rk Conditions, page 9-8 • Exporting Netwo rk Conditions, page 9-9 • Creating, Duplicati ng, and Editing End Stati on Filters, page 9-9 • Creating, ...
Cisco Systems OL-24201-01 - page 239

9-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Policy Con ditions T imesaver Instead of download ing the template and creati ng an import f ile, you can use the e xport fi le of the particular f ilter , update the information in that f ile, sa ve it, and reu se it as your import f ...
Cisco Systems OL-24201-01 - page 240

9-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Policy Conditions Step 5 Click Submit to sav e the changes. Related Topics • Managing Netw ork Conditions, page 9-6 • Importing Netwo rk Conditions, page 9-8 • Creating, Duplicating , and Editing De vice Filters, page 9-12 • ...
Cisco Systems OL-24201-01 - page 241

9-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Policy Con ditions Defining MAC Address-Based End Station Filters Y ou can create, duplicate, and edit the MA C addresses of end stati ons or destinations that you w ant to permit or deny access to . T o do this: Step 1 From the MA C ...
Cisco Systems OL-24201-01 - page 242

9-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Policy Conditions Step 3 Check the DNIS check box to enter the DNIS numb er of the destination machine. Y ou can optionally set this f ield to ANY to refer to an y DNIS number . Note Y ou can use ? and * wildcard charact ers to refer ...
Cisco Systems OL-24201-01 - page 243

9-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Policy Con ditions Step 5 Click Submit to sav e the changes. Related Topics • Managing Netw ork Conditions, page 9 -6 • Importing Network Co nditions, page 9-8 • Creating, Duplicati ng, and Editing End Stati on Filters, pa ge 9- ...
Cisco Systems OL-24201-01 - page 244

9-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Policy Conditions • Check the check box next to the name-based de vice filter that you want to edi t, then click Edit . A dialog box appears. Step 2 Click Select to choose the netwo rk de vice that you want t o filt er . Step 3 Cli ...
Cisco Systems OL-24201-01 - page 245

9-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Policy Con ditions • Check the check box next to th e de vice port filter that yo u w ant to edit, then cli ck Edit . • Click Expor t to sav e a list of de vice port filters in a .csv file. F or more information, see Exporting Net ...
Cisco Systems OL-24201-01 - page 246

9-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Policy Conditions Step 3 Check the Por t check box and enter t he port number . This f ield is of type string and can contain numbers or characters. Y ou ca n use the following wildcard characters: • ?—match a single character ? ...
Cisco Systems OL-24201-01 - page 247

9-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Authoriza tions and Permissions Defining NDG-Based Device Port Filters Y ou can create, duplicate, and ed it the network de vice group type and the port to which you want t o permit or deny access. T o do this: Step 1 From the Netw or ...
Cisco Systems OL-24201-01 - page 248

9-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Authorizations and Permissions Creating, Duplicating, and Editing Aut horization Profiles for Network Access Y ou creat e authoriza tion profiles to de fine ho w di fferent types of users are authorized to access the network. F or ex ...
Cisco Systems OL-24201-01 - page 249

9-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Authoriza tions and Permissions Specifying Authorization Profiles Use this tab to conf igure the name and descripti on for a network access authori zation profil e. Step 1 Select Policy Elements > A uthorization and P ermissions &g ...
Cisco Systems OL-24201-01 - page 250

9-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Authorizations and Permissions T able 9 -5 A uthorization Profile: Common T asks Page Option Description ACLS Downloadable A CL Name Includes a defined downloadable ACL. See Creating, Duplicat ing, and Editing Do wnloadable A CLs, pa ...
Cisco Systems OL-24201-01 - page 251

9-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Authoriza tions and Permissions Specifying RADIUS Attributes in Authorization Profiles Use this tab to conf igure which RADIUS attri butes to include in the Acce ss-Accept packet for an authorization pro file. This tab also displays t ...
Cisco Systems OL-24201-01 - page 252

9-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Authorizations and Permissions Step 3 T o co nfigure: • Basic information o f an authorization prof ile; see Specifying Authorization Prof iles, page 9-19 . • Common tasks for an authorizat ion profi le; see Specifying Common At ...
Cisco Systems OL-24201-01 - page 253

9-23 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Authoriza tions and Permissions Creating and Editing Security Groups Use this page to vie w names and details of security groups and securi ty group tags (SGTs), and to open pages to create, duplicate, and edit security gr oups. When ...
Cisco Systems OL-24201-01 - page 254

9-24 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Authorizations and Permissions The Common T asks tab al lows you to select and conf igure the frequent ly used attrib utes for the prof ile. The attributes that are in cluded he re are tho se defined by the T A CACS prot ocol draft s ...
Cisco Systems OL-24201-01 - page 255

9-25 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Authoriza tions and Permissions Defining General Shel l Profile Properties Use this page to def ine a shell profil e’ s general properties. Step 1 Select P olicy Elements > A uthorization and Permissions > Device Admini strati ...
Cisco Systems OL-24201-01 - page 256

9-26 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Authorizations and Permissions T able 9-9 Shell Pr ofile: Common T asks Option Description Privilege Level Default Pri vilege (Optional) En ables the initial pri vilege le vel assi gnment that you allo w for a client, through shell a ...
Cisco Systems OL-24201-01 - page 257

9-27 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Authoriza tions and Permissions Step 3 Click: • Submit to sa ve your chan ges and return to the Shell Prof iles page. • The General tab to conf igure the name and d escription for the authorizatio n profile; see Defi ning General ...
Cisco Systems OL-24201-01 - page 258

9-28 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Authorizations and Permissions Defining Custom Attributes Use this tab to def ine custom attrib utes for the shell prof ile. This tab also displays the Commo n T asks Attrib utes that you ha ve chosen i n the Common T asks tab . Step ...
Cisco Systems OL-24201-01 - page 259

9-29 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Authoriza tions and Permissions After you create command sets, you can use them in autho rizations and permissions within rule tables. A rule can contain multiple command sets. See Creating, Duplicating, and Editing a Shel l Profi le ...
Cisco Systems OL-24201-01 - page 260

9-30 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Authorizations and Permissions Step 4 Click Submit . The command set is sav ed. The Command Sets page appears with the command set that you created or duplicat ed. T able 9-1 1 Command Set Pr operties P age Field Description Name Nam ...
Cisco Systems OL-24201-01 - page 261

9-31 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Authoriza tions and Permissions Related Topics • Creating, Duplicating , and Editing Authorization Profiles for Netw ork Access, page 9-18 • Creating, Duplicating , and Editing a Shell Prof ile for Device Admi nistration, page 9-2 ...
Cisco Systems OL-24201-01 - page 262

9-32 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Authorizations and Permissions – Click Start Export to e xport the D A CLs without any encryption. Step 3 Enter v alid conf iguration data in the required f ields as shown in Ta b l e 9 - 1 2 , and define one o r more A CLs by usin ...
Cisco Systems OL-24201-01 - page 263

9-33 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Authoriza tions and Permissions Configuring Security Group Access Control Lists Security group access control lists (SG A CLs) are applied at Egress, based on the source and destination SGTs. Use this page to vie w , create, duplicate ...
Cisco Systems OL-24201-01 - page 264

9-34 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Authorizations and Permissions ...
Cisco Systems OL-24201-01 - page 265

CH A P T E R 10-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 10 Managing Access Policies In A CS 5.3, policy dri ves all acti vities. Polici es cons ist mainly of rules that determi ne the action of the policy . Y ou c reate access services to define authen tication and authorizat ion policies for requests. A global service ...
Cisco Systems OL-24201-01 - page 266

10-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Policy Creation Flow In short, you must determi ne the: • Details of your netw ork conf iguration. • Access services that implement your policies. • Rules that def ine the conditions un der which an access service can run. This section ...
Cisco Systems OL-24201-01 - page 267

10-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Policy Creatio n Flow Policy Elements in the Policy Creation Flow The web interf ace provides these def aults for def ining de vice groups and i dentity groups: • All Locations • All De vice T ypes • All Groups The locations, de vice ty ...
Cisco Systems OL-24201-01 - page 268

10-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Customizing a Policy Policy Creation Flow—Next Steps • Access Service Policy Creation, page 10-4 • Service Selection Polic y Creation, page 10-4 Access Service Policy Creation After you create the basic elements, you can create an acce ...
Cisco Systems OL-24201-01 - page 269

10-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring the Servic e Selection Policy If you ha ve imp lemented Security Group Access function ality , you can also customize results for authorization po licies. Caution If you ha ve already defined rules, be certain that a rule is not u ...
Cisco Systems OL-24201-01 - page 270

10-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring the Service Selection Policy Note If you create and sav e a simple policy , and then change to a rule-based polic y , the simple policy beco mes the default rule of the rule-based policy . If you have saved a rule-based polic y a ...
Cisco Systems OL-24201-01 - page 271

10-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring the Servic e Selection Policy T o conf igure a rule-based service selection policy , see these topics: • Creating, Duplicating , and Editing Service Selection Rul es, page 10-8 • Deleting Service Selection Rules, page 10 -10 A ...
Cisco Systems OL-24201-01 - page 272

10-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring the Service Selection Policy Creating, Duplicating, and Editing Service Selection Rules Create service selection rules to determin e whic h access service processes incoming requests. The Default Rule pro vides a default access s ...
Cisco Systems OL-24201-01 - page 273

10-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring the Servic e Selection Policy • The Default Rule—Y ou can change only the access service. See T able 10-3 for field descri ptions: Step 4 Click OK. The Service Selection Polic y page appears with the rule that you conf igured. ...
Cisco Systems OL-24201-01 - page 274

10-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring the Service Selection Policy Displaying Hit Counts Use this page to reset and refresh the Hit Count displ ay on the Rule-based Polic y page. T o di splay this page, click Hit Count on the Rule-based Polic y page. Deleting Servic ...
Cisco Systems OL-24201-01 - page 275

10-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Services Configuring Access Services Access services contain the authentication and au thorization policies for requests. Y ou c an create separate access services for different use cases; fo r example, de vice administrat ...
Cisco Systems OL-24201-01 - page 276

10-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Services Step 3 Edit the fields in the Allowed Protocols tab as d escribed in T able 10-7 . Step 4 Click Submit to sav e the changes you hav e made to the default access service. Creating, Duplicating, and Editing Access ...
Cisco Systems OL-24201-01 - page 277

10-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Services Step 2 Do one of the foll ow ing: • Click Cr eate . • Check the check box next to the access servic e that you want to du plicate; then click Duplicate . • Click the access service name that you w ant to mod ...
Cisco Systems OL-24201-01 - page 278

10-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Services Step 3 Click Next to conf igure the allowed pr otocols. See Configuring Access Servic e Allowed Protocols, page 10-15 . Description Description of the access service. Access Service Policy Structure Based on serv ...
Cisco Systems OL-24201-01 - page 279

10-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Services Related Topic • Config uring Access Service Allo wed Protocols, page 10-15 • Config uring Access Services T empl ates, page 10-19 Configuring Access Serv ice Allowed Protocols The allowed protocols are the sec ...
Cisco Systems OL-24201-01 - page 280

10-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Services Allow EAP-TLS Enables the EAP-TLS Authenticat ion protocol and configures EAP-TLS settin gs. Y ou can specify ho w A CS verif ies user identity as pre sented in the EAP Identity response from the end-user client. ...
Cisco Systems OL-24201-01 - page 281

10-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Services Allo w EAP-F AST Enable s the EAP-F AST authentication protocol an d EAP-F AST settings. Th e EAP-F AST protocol can support multiple int ernal protocols on the same server . The defa ult inner method is MSCHAPv2. ...
Cisco Systems OL-24201-01 - page 282

10-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Services Allo w EAP-F AST (continued) PA C O p t i o n s • T unnel P A C T ime T o Li ve—The T ime T o Live ( TTL) v alue restricts the lifetime of the P A C. Specify the lifetime value and unit s. The default is one ...
Cisco Systems OL-24201-01 - page 283

10-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Services Step 3 Click Finish to sav e your changes to the access service. T o enable an access service, you must add it to the service sel ection polic y . Configuring Access Services Templates Use a service template to de ...
Cisco Systems OL-24201-01 - page 284

10-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Services Deleting an Access Service T o delete an access service: Step 1 Select Access Policies > Access Services . The Access Services page appea rs with a list of configured services. Step 2 Check one or more check b ...
Cisco Systems OL-24201-01 - page 285

10-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Service Poli cies Configuring Access Service Policies Y ou configure access service policies after you c reate the access service: • V ie wing Identity Polici es, page 10-21 • Config uring Identity Polic y Rule Propert ...
Cisco Systems OL-24201-01 - page 286

10-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Service Policies In the rule-based policy , each rule contains one or more conditions an d a result, which is the identity source to use for authentication. Y ou can create, dupl icate, edit, and delete rules within the i ...
Cisco Systems OL-24201-01 - page 287

10-23 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Service Poli cies Viewing Rules-Based Identity Policies Select Access Policies > Access Services > service > Identity , w here <servi ce> is the name of the access service. By default, th e Simple Identity P ...
Cisco Systems OL-24201-01 - page 288

10-24 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Service Policies • Creating Polic y Rules, page 10-37 • Duplicating a Ru le, page 10-38 • Editing Polic y Rules, page 10-38 • Deleting Poli cy Rules, p age 10-39 For info rmation about confi guring an identit y po ...
Cisco Systems OL-24201-01 - page 289

10-25 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Service Poli cies T able 1 0-1 1 Identity Rule Proper ties P age Option Description General Rule Name Name of th e rule. If you are duplicat ing a rule, you must enter a unique name as a minimum conf iguration; all other f ...
Cisco Systems OL-24201-01 - page 290

10-26 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Service Policies Configuring a Group Mapping Policy Config ure a group mapping polic y to map groups and attrib utes that are retrie ve d from external iden tity stores to A CS identity groups. When A CS processes a reque ...
Cisco Systems OL-24201-01 - page 291

10-27 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Service Poli cies Step 2 Select an identity group. Step 3 Click Sav e Changes to sa ve th e polic y . T o conf igure a rule-ba sed policy , see these topics: • Creating Polic y Rules, page 10-37 • Duplicating a Ru le, ...
Cisco Systems OL-24201-01 - page 292

10-28 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Service Policies • Deleting Poli cy Rules, p age 10-39 Related Topics • V ie wing Identity Polici es, page 10-21 • Config uring a Session Authorization Po licy for Netw ork Access, page 10-29 • Config uring a Sess ...
Cisco Systems OL-24201-01 - page 293

10-29 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Service Poli cies Configuring a Session Authorization Policy for Network Access When you create an access service for ne twork access authorization, it create s a Session Authorization policy . Y ou can then add and modify ...
Cisco Systems OL-24201-01 - page 294

10-30 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Service Policies T able 1 0-15 Networ k Access A uthorization P olicy P age Option Description Status Rule statuses are: • Enabled—The r ule is active. • Disabled—A CS does not apply the results of the rule. • M ...
Cisco Systems OL-24201-01 - page 295

10-31 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Service Poli cies Configuring Network Access Au thorization Rule Properties Use this page to create, duplicate, and edit the ru les to determine acce ss permissions in a network access service. Step 1 Select Access Policie ...
Cisco Systems OL-24201-01 - page 296

10-32 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Service Policies Configuring Device Administration Authorization Policies A dev ice administration authorization polic y determines the authorizations an d permissions for network administrators. Y ou create an authorizat ...
Cisco Systems OL-24201-01 - page 297

10-33 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Service Poli cies Configuring Device Administration Authorization Rule Properties Use this page to create , duplicate, and edit the r ules to det ermine author izations an d permissio ns in a device administration access s ...
Cisco Systems OL-24201-01 - page 298

10-34 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Service Policies Configuring Shell/Command Authoriza tion Policies for Device Administration When you create an access se rvice and select a service policy st ructure for Device Administration, A CS automatically creates ...
Cisco Systems OL-24201-01 - page 299

10-35 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Service Poli cies T o conf igure rules, see: • Creating Polic y Rules, page 10-37 • Duplicating a Ru le, page 10-38 • Editing Polic y Rules, page 10-38 • Deleting Poli cy Rules, p age 10-39 Configuring Authorizatio ...
Cisco Systems OL-24201-01 - page 300

10-36 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Service Policies T o conf igure rules, see: • Creating Polic y Rules, page 10-37 • Duplicating a Ru le, page 10-38 • Editing Polic y Rules, page 10-38 • Deleting Poli cy Rules, p age 10-39 Related Topics • Confi ...
Cisco Systems OL-24201-01 - page 301

10-37 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Service Poli cies Creating Policy Rules When you create rules, remember that the order of the rules is important. When A C S encounters a match as it processes the request of a client that tries to access the ACS network, ...
Cisco Systems OL-24201-01 - page 302

10-38 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Service Policies Duplicating a Rule Y ou can duplicate a rul e if you want to create a ne w rule that is the same, or very similar t o, an existing rule. The duplicat e rule name is based on the original rule with parenth ...
Cisco Systems OL-24201-01 - page 303

10-39 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Service Poli cies Step 4 Click OK . The Policy page appears with the edited rule. Step 5 Click Sav e Changes to sa ve th e ne w config uration. Step 6 Click Discard Changes to cancel t he edited information. Related Topics ...
Cisco Systems OL-24201-01 - page 304

10-40 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Compound Conditions Configuring Compound Conditions Use compound condi tions to def ine a set of conditions based on any attrib utes allowed in simple pol icy conditions. Y ou def ine com pound conditi ons in a policy rule page; ...
Cisco Systems OL-24201-01 - page 305

10-41 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Compoun d Conditions Note Dynamic attribut e mapping is not applicable for Exte rnalGroups attribute of T ype "String Enum" and "T ime And Date" attrib ute of type "Date T ime Period". For hierarchic ...
Cisco Systems OL-24201-01 - page 306

10-42 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Compound Conditions Figur e 1 0-2 Compound Expr ession - At omic Condition Single Nested Compound Condition Consists of a single operator followed by a set of pr edicates (>=2). The operator is applied between each of the pre ...
Cisco Systems OL-24201-01 - page 307

10-43 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Compoun d Conditions Figur e 1 0-4 Multiple Nest ed Compound Expr ession Compound Expression with Dynamic value Y ou can select dynamic value to select another dict ionary attrib ute to compare agai nst the dict ionary attribute ...
Cisco Systems OL-24201-01 - page 308

10-44 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Compound Conditions Related Topics • Compound Condition Building Blocks, page 10-4 0 • Using the Co mpound Expre ssion Builder, page 10-44 Using the Compound Expression Builder Y ou construct compoun d conditions by using th ...
Cisco Systems OL-24201-01 - page 309

10-45 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Security Group Access Control Pages Related Topics • Compound Condition Building Blocks, page 10-4 0 • T ypes of Compoun d Conditions, page 10-41 Security Group Access Control Pages This section contains the following topics: • Egress ...
Cisco Systems OL-24201-01 - page 310

10-46 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Security Group Acce ss Control Pages Related Topic • Creating an Egress Polic y , page 4-27 Editing a Cell in the Egress Policy Matrix Use this page to config ure the policy for the selected cell. Y ou can configure the SGA CLs to apply t ...
Cisco Systems OL-24201-01 - page 311

10-47 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Security Group Access Control Pages NDAC Policy Page The Network Device Admission Con trol (ND A C) policy determines the SG T for network devices in a Security Group Access en vironmen t. The ND A C policy handles: • Peer authorization re ...
Cisco Systems OL-24201-01 - page 312

10-48 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Security Group Acce ss Control Pages Related Topics: • Config uring an ND AC Policy , page 4-25 • ND AC Polic y Properties Page, page 10-48 NDAC Policy Properties Page Use this page to create , duplicate, and edit rules to determine the ...
Cisco Systems OL-24201-01 - page 313

10-49 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Security Group Access Control Pages Note For endpoint admissi on control, you must def ine an access service and session authori zation policy . See Configuring Netw ork Access Authoriz ation Rule Properties, page 10-31 for information about ...
Cisco Systems OL-24201-01 - page 314

10-50 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Maximum User Sessions Network Device Access EAP-FAST Settings Page Use this page to conf igure parameters for the EAP-F AST protocol that the ND AC po licy uses. T o disp lay this page, choose Access Policies > Security Gr oup Access Con ...
Cisco Systems OL-24201-01 - page 315

10-51 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Maximum User Sessions Max Session User Settings Y ou can confi gure maximum user session t o impose maximum session v alue for each users. T o conf igure maximum user sessions: Step 1 Choose Access Policies > Max User Session Policy > ...
Cisco Systems OL-24201-01 - page 316

10-52 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Maximum User Sessions Unlimited is selected by def ault. Group le vel sessi on is applied based on the hierarchy . F or example: The group hierarch y is America:US:W est:CA and the maximum sessions are as follows: • America: 100 max sessi ...
Cisco Systems OL-24201-01 - page 317

10-53 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Maximum User Sessions Related topics • Maximum User Sessions, page 10- 50 • Max Session Use r Settings, page 10-51 • Max Session Group Sett ings, page 10-51 • Purgin g User Sessions, page 10-53 • Maximum User Session in Distri bute ...
Cisco Systems OL-24201-01 - page 318

10-54 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Maximum User Sessions The Purge User Session page appears with a list of all AAA clients. Step 2 Select the AAA client for which you want to pur ge the user sessions. Step 3 Click Get Logged-in User List. A list of all the logged in users i ...
Cisco Systems OL-24201-01 - page 319

10-55 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Maximum User Sessions Maximum User Session in Proxy Scenario Authentication and accou nting requests should be sent to the same A CS server , else the Maximum Session feature will not work as desired. Related topics • Maximum User Sessions ...
Cisco Systems OL-24201-01 - page 320

10-56 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Maximum User Sessions ...
Cisco Systems OL-24201-01 - page 321

CH A P T E R 11-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 11 Monitoring and Reporting in ACS The Monitoring and Reports dra wer appears in th e primary web interf ace windo w and contains th e Launch Monitori ng & Report V ie wer option. The Monitoring & Re port V iewer provides monitoring, report ing, and troubl ...
Cisco Systems OL-24201-01 - page 322

11-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 11 Monitoring an d Reporting in ACS Authentication Records and Details • Support for non-Engli sh characters (UTF-8)—Y ou can hav e non-English characters in: – Syslog messages—Conf igurable attribute v alu e, user name, and ACS named configuration objects – G ...
Cisco Systems OL-24201-01 - page 323

11-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 11 Monitoring and Re porting in ACS Dashboard Pages Note These tabs are customizable, and you can modify or delete the follo wing tabs. • General—The General tab lists the follo wing: – Fi ve most recent alar ms—When you click the name of the alarm, a dial og bo ...
Cisco Systems OL-24201-01 - page 324

11-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 11 Monitoring an d Reporting in ACS Working with Portlets – Authentication Snap shot—Provides a sn apshot of authenticatio ns in the graphical and tab ular formats for up to the past 30 days. In the graphical represen tation, the field based on which the records are ...
Cisco Systems OL-24201-01 - page 325

11-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 11 Monitoring and Re porting in ACS Working with Portlets Figure 1 1 -1 P ortlets T op 5 Alarms an d My Fa vorit e Reports appear in sepa rate windo ws. Y ou can edit each of these portlets separately . T o edit a portlet, click the edit b utton ( ) at the upper -right ...
Cisco Systems OL-24201-01 - page 326

11-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 11 Monitoring an d Reporting in ACS Configuring Tab s in the Dash board Related Topic • Dashboard Pages, page 11 -2 • Running Authentication Loo kup Report, page 11-6 Running Authenticat ion Lookup Report When you run an Authenti cation Lookup rep ort, consider the ...
Cisco Systems OL-24201-01 - page 327

11-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 11 Monitoring and Re porting in ACS Configuring Tabs in the Dashbo ard Step 5 Click Add Page . A ne w tab of your choice is creat ed. Y ou can add the applications that you mo st frequently monitor in this tab Adding Applications to Tabs T o add an application to a tab: ...
Cisco Systems OL-24201-01 - page 328

11-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 11 Monitoring an d Reporting in ACS Configuring Tab s in the Dash board Changing the Dashboard Layout Y ou can change the look an d feel of the Dashboard. A CS provides you with nine di fferent in- built layouts. T o choose a dif ferent layout: Step 1 From the Monitorin ...
Cisco Systems OL-24201-01 - page 329

CH A P T E R 12-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 12 Managing Alarms The Monitoring feature in A CS generates alarms to notify you of critical system conditions. The monitoring component retrie ves data from A CS. Y ou can configure thresho lds and rules on this data to manage alarms. Alarm notif ications are disp ...
Cisco Systems OL-24201-01 - page 330

12-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Understanding Ala rms System Alarms System alarms notify you of cri ti cal conditions encountered durin g th e ex ecution of the A CS Monitoring and Reporting viewer . System alarms also pro vide informational status of system activities, such as data ...
Cisco Systems OL-24201-01 - page 331

12-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Viewing and Editing Ala rms in Your Inbox Notifying Users of Events When a threshold is reached or a system ala rm is ge nerated, the alarm appears in the Alarms Inbox of the web interface. From this page, you can vie w th e alarm details, add a comme ...
Cisco Systems OL-24201-01 - page 332

12-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Viewing and Editing Alarms in Your Inbox T ime Display o nly . Indicates the time of the associat ed alarm generation in the format Ddd Mmm d d hh:mm:ss timezone yyyy , where: • Ddd = Sun, Mon, T ue, W ed, Thu, Fri , Sat. • Mmm = Jan, Feb, Mar , A ...
Cisco Systems OL-24201-01 - page 333

12-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Viewing and Editing Ala rms in Your Inbox Conf igure Incremental Backup Data Repository as Remote Reposit ory otherwise backup will fa il and Incremental backup mode will be changed to of f. Wa r n i n g Conf igure Remote Repository und er Purge Conf ...
Cisco Systems OL-24201-01 - page 334

12-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Viewing and Editing Alarms in Your Inbox Full Database Purg e Backup failed: Exceptio n Details Critical Incremental Backup Failed: Exception Details Critical Log Recovery Log Message Recov ery fail ed: Exception Details Critical Vie w C o mp re ss Da ...
Cisco Systems OL-24201-01 - page 335

12-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Viewing and Editing Ala rms in Your Inbox Failed to load backup library . Scheduled backup of A CS conf iguration db fail ed. Please check ADE.log for more details. Critical Symbol lookup er ror . Scheduled backup of A CS configurati on db failed. Ple ...
Cisco Systems OL-24201-01 - page 336

12-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Viewing and Editing Alarms in Your Inbox Note A CS cannot be used as a remote sysl og se rver . But, you can use an external server as a syslog server . If you use an external server as a syslog server , no al arms can be generated in the A CS view as ...
Cisco Systems OL-24201-01 - page 337

12-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Understanding Alarm Schedule s • Deleting Alarm Thresholds, page 12-33 Understanding Alarm Schedules Y ou can create alarm schedules to spec ify when a particular alarm thres hol d is run. Y ou can create, edit, and delete alarm schedules. Y ou can ...
Cisco Systems OL-24201-01 - page 338

12-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Understanding Ala rm Schedules Step 3 Click Submit to sav e the alarm schedule. The schedule that you create is added to the Schedu le list box in the Threshold pages. Assigning Alarm Schedules to Thresholds When you create an alarm threshold, you mu ...
Cisco Systems OL-24201-01 - page 339

12-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Dup licating Alarm Thresholds Deleting Alarm Schedules Note Before you del ete an alarm schedul e, ensure that it is not reference d by any thresholds that are defined in A CS. Y o u cannot delete the default schedule (n onstop ...
Cisco Systems OL-24201-01 - page 340

12-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Du plicating Alarm Thresholds Step 2 Do one of the foll ow ing: • Click Crea te . • Check the check box next to the alarm th at you w ant to duplicate, then cl ick Duplicate . • Click the alarm name that you w ant to modi ...
Cisco Systems OL-24201-01 - page 341

12-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Dup licating Alarm Thresholds Related Topics • Config uring General Threshold Informatio n, page 12-13 • Config uring Threshold Criteri a, page 12-14 • Config uring Threshold Notif ications, page 12-32 Configuring General ...
Cisco Systems OL-24201-01 - page 342

12-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Du plicating Alarm Thresholds Configuring Threshold Criteria A CS 5.3 provides the follo wing threshold categor ies to defin e diff erent threshold crit eria: • Passed Authen tications, page 12-14 • Failed Auth entications, ...
Cisco Systems OL-24201-01 - page 343

12-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Dup licating Alarm Thresholds Note Y ou can specify one or more f ilters to limit the passed au thentications that are considered for threshold e val uation. Each fi lter is associated with a particular attrib ute in the authen ...
Cisco Systems OL-24201-01 - page 344

12-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Du plicating Alarm Thresholds Related Topics • Creating, Editing, and Dup licating Alarm Thresholds, page 12-11 • Config uring General Threshold Informatio n, page 12-13 • Config uring Threshold Notif ications, page 12-32 ...
Cisco Systems OL-24201-01 - page 345

12-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Dup licating Alarm Thresholds An alarm is triggered because at le a st one Device IP has greater than 10 failed authentications in the past 2 hours. Note Y ou can specify one or more f ilters to limit the f ailed authentication ...
Cisco Systems OL-24201-01 - page 346

12-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Du plicating Alarm Thresholds Related Topics • Creating, Editing, and Dup licating Alarm Thresholds, page 12-11 • Config uring General Threshold Informatio n, page 12-13 • Config uring Threshold Notif ications, page 12-32 ...
Cisco Systems OL-24201-01 - page 347

12-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Dup licating Alarm Thresholds The aggregation job begins at 00:05 ho urs e very day . From 23:50 ho urs, up until the time the aggregation job completes, the authenticat ion inacti vity alarms are suppressed. For example, if yo ...
Cisco Systems OL-24201-01 - page 348

12-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Du plicating Alarm Thresholds Related Topics • Creating, Editing, and Dup licating Alarm Thresholds, page 12-11 • Config uring General Threshold Informatio n, page 12-13 • Config uring Threshold Notif ications, page 12-32 ...
Cisco Systems OL-24201-01 - page 349

12-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Dup licating Alarm Thresholds Related Topics • Creating, Editing, and Dup licating Alarm Thresholds, page 12-11 • Config uring General Threshold Informatio n, page 12-13 • Config uring Threshold Notif ications, page 12-32 ...
Cisco Systems OL-24201-01 - page 350

12-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Du plicating Alarm Thresholds Related Topics • Creating, Editing, and Dup licating Alarm Thresholds, page 12-11 • Config uring General Threshold Informatio n, page 12-13 • Config uring Threshold Notif ications, page 12-32 ...
Cisco Systems OL-24201-01 - page 351

12-23 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Dup licating Alarm Thresholds Related Topics • Creating, Editing, and Dup licating Alarm Thresholds, page 12-11 • Config uring General Threshold Informatio n, page 12-13 • Config uring Threshold Notif ications, page 12-32 ...
Cisco Systems OL-24201-01 - page 352

12-24 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Du plicating Alarm Thresholds Related Topics • Creating, Editing, and Dup licating Alarm Thresholds, page 12-11 • Config uring General Threshold Informatio n, page 12-13 • Config uring Threshold Notif ications, page 12-32 ...
Cisco Systems OL-24201-01 - page 353

12-25 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Dup licating Alarm Thresholds Related Topics • Creating, Editing, and Dup licating Alarm Thresholds, page 12-11 • Config uring General Threshold Informatio n, page 12-13 • Config uring Threshold Notif ications, page 12-32 ...
Cisco Systems OL-24201-01 - page 354

12-26 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Du plicating Alarm Thresholds Related Topics • Creating, Editing, and Dup licating Alarm Thresholds, page 12-11 • Config uring General Threshold Informatio n, page 12-13 • Config uring Threshold Notif ications, page 12-32 ...
Cisco Systems OL-24201-01 - page 355

12-27 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Dup licating Alarm Thresholds Unknown NAD When A CS ev aluates thi s threshold, it examines the RADIUS or T ACA CS+ failed authent ications that hav e occurred durin g the specif ied time interv al up to the pre vious 24 hours. ...
Cisco Systems OL-24201-01 - page 356

12-28 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Du plicating Alarm Thresholds Related Topics • Creating, Editing, and Dup licating Alarm Thresholds, page 12-11 • Config uring General Threshold Informatio n, page 12-13 • Config uring Threshold Notif ications, page 12-32 ...
Cisco Systems OL-24201-01 - page 357

12-29 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Dup licating Alarm Thresholds Y ou can specify one or more f ilters to limit t he failed authentications t hat are considered for threshold e v aluation. Each f ilter is ass ociated with a particular attrib ute in the records a ...
Cisco Systems OL-24201-01 - page 358

12-30 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Du plicating Alarm Thresholds If, in the past four hour s, RB A C L drops ha ve occurred fo r two dif ferent source grou p tags as sho wn in the follo wing table, an alarm is trigg ered, beca use at least one SGT has a count gr ...
Cisco Systems OL-24201-01 - page 359

12-31 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Dup licating Alarm Thresholds NAD-Reported AAA Downtime When A CS ev aluates thi s threshold, it examines the N AD-reported AAA do wn e vents that occurre d during the spec ified interval up to the pre vious 24 h ours. The AAA ...
Cisco Systems OL-24201-01 - page 360

12-32 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Du plicating Alarm Thresholds Related Topics • Creating, Editing, and Dup licating Alarm Thresholds, page 12-11 • Config uring General Threshold Informatio n, page 12-13 • Config uring Threshold Notif ications, page 12-32 ...
Cisco Systems OL-24201-01 - page 361

12-33 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Deleting Al arm Threshol ds Related Topics • V ie wing and Editing Alar ms in Y our Inbox, page 12-3 • Creating, Editing, and Dup licating Alarm Thresholds, page 12-11 • Deleting Alarm Thresholds, page 12-33 Deleting Alarm Thresholds T o delete ...
Cisco Systems OL-24201-01 - page 362

12-34 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Configuring System Alarm Settin gs Configuring System Alarm Settings System alar ms are used to noti fy users of: • Errors that ar e encounter ed by the Monitor ing and Report ing services • Information on data purging Use this page to enable sys ...
Cisco Systems OL-24201-01 - page 363

12-35 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Understanding Alarm Syslog Targets Understanding Alarm Syslog Targets Alarm syslo g targ ets are th e destinatio ns where alarm syslog messages are sent. The Monitori ng & Report V ie wer sends alarm notifi cation in the form of syslog messages. ...
Cisco Systems OL-24201-01 - page 364

12-36 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Understanding Ala rm Syslog Targets Step 4 Click Submit . Related Topics • Understanding Alar m Syslog T ar gets, page 12-35 • Deleting Alarm Syslog T ar gets, page 12- 36 Deleting Alarm Syslog Targets Note Y ou cannot delete the def ault nonstop ...
Cisco Systems OL-24201-01 - page 365

CH A P T E R 13-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 13 Managing Reports The Monitoring & Report V ie wer component of A CS collects log and conf iguration data from v arious A CS servers in your deployment, aggregates it, and provides interactive report s that help you analyze the data. The Monitoring & Repo ...
Cisco Systems OL-24201-01 - page 366

13-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports • Catalog— Monitoring & Reports > Reports > Catalog > < r eport_type > For easy access, you can add reports to your F av o ri tes pa ge, from which you can customi ze and delete reports. Y ou can customize the reports that mus ...
Cisco Systems OL-24201-01 - page 367

13-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Working with Favorite Reports This chapter describes in d etail the fo llowing: • W orking with F av orite Reports, page 13-3 • Sharing Reports, p age 13-6 • W orkin g with Catalog Reports, page 13-7 • V ie wing Reports, page 13-21 • Format ...
Cisco Systems OL-24201-01 - page 368

13-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Working with Favorite Reports Step 5 Click Add to F av orite . The report is added to yo ur Fa vori tes page. Related Topics • W orking with F av orite Reports, page 13-3 • V ie wing Fa v orite-Report P arameters, page 13-4 • Editing F av o ri ...
Cisco Systems OL-24201-01 - page 369

13-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Working with Favorite Reports Editing Favorite Reports After you vie w the e xisting parameters in your fa vori te report, you can ed it them. T o edit t he parameters in your fa vorite reports: Step 1 Choose Monitoring and Reports > Reports > ...
Cisco Systems OL-24201-01 - page 370

13-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Sharing Reports The report is generated in the page . Step 3 Click Launch Interactive V iew er for more options. Related Topics • Adding Reports to Y our Fa vorites P age, page 13-3 • V ie wing Fa v orite-Report P arameters, page 13-4 • Runnin ...
Cisco Systems OL-24201-01 - page 371

13-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Workin g with Ca talog Rep orts Step 7 Click Sav e . The report is sa ved in your Shared folder and is a v ailable for all users. Working with Catalog Reports Catalog reports ar e system reports that are preco nfigured in A C S. This section contai n ...
Cisco Systems OL-24201-01 - page 372

13-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Working with Catalog Reports Access Service Authentication Summar y Provid es RADIUS and T ACA CS+ authentication summary informat ion for a particular access service for a selected time peri od; along with a graphical represen tation. Passed au the ...
Cisco Systems OL-24201-01 - page 373

13-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Workin g with Ca talog Rep orts A CS System Diagnostics Provides syst e m diagnostic details b ased on se verity for a selected time period. Internal Operations Diagnostics, distrib uted management, administrator authentication and autho rization T o ...
Cisco Systems OL-24201-01 - page 374

13-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Working with Catalog Reports Session Status Summary Pro vides the port sessions and status of a particular network de vice obtained by SNMP . This report uses either the commu nity string provid ed in the report or the community string configured i ...
Cisco Systems OL-24201-01 - page 375

13-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Workin g with Ca talog Rep orts Running Catalog Reports T o run a r eport that is in the Catalog: Step 1 Select Monitoring & Reports > Reports > Catalog > r eport_type , where r eport_typ e is the type of report you want to run. The av ...
Cisco Systems OL-24201-01 - page 376

13-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Working with Catalog Reports Ty p e Ty p e o f r e p o r t . Modified At Time that the associated report w as la st modified by an admini st rator , in the format Ddd Mmm dd hh:mm:ss timezone yyyy , where: • Ddd = Sun, Mon, T ue, W ed, Thu, Fri , ...
Cisco Systems OL-24201-01 - page 377

13-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Workin g with Ca talog Rep orts Step 2 Click the radio b utton next to th e report name you w ant to run, t hen select one of the options under Run : • Run for T oday —The repo rt you specified is run a nd the generated results are displayed. ? ...
Cisco Systems OL-24201-01 - page 378

13-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Working with Catalog Reports T able 13-4 Repor ts > Report T ypes and Names <report_type> <report_name> AAA Protocol AAA Diagnosti cs Authentication T rend RADIUS Accoun ting RADIUS Authentication T ACA CS Accounting T ACA CS Authent ...
Cisco Systems OL-24201-01 - page 379

13-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Workin g with Ca talog Rep orts Related Topics • W orkin g with Catalog Reports, page 13-7 • Understanding the Report_N ame Page, page 13-15 Understanding the Report_Name Page Note Not all options listed in Ta b l e 1 3 - 5 are used in selecting ...
Cisco Systems OL-24201-01 - page 380

13-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Working with Catalog Reports Failure Reason Enter a f ailure reason name or click Select to en ter a vali d failure reason name on w hich to run your report. Protocol Use the drop do wn list box to select which protocol on which you w ant to run yo ...
Cisco Systems OL-24201-01 - page 381

13-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Workin g with Ca talog Rep orts Related Topics • W orkin g with Catalog Reports, page 13-7 • W orking with F av orite Reports, page 13-3 • A v ailable Repo rts in the C atalog, page 13-7 • Running Catalog Reports, page 13-11 Administrator Na ...
Cisco Systems OL-24201-01 - page 382

13-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Working with Catalog Reports Enabling RADIUS CoA Options on a Device T o vi ew all t he RADIUS Acti ve Session repo rts you ha ve to enable RADI US CoA options on the de vice. T o co nfigure th e RADIUS CoA options: Step 1 Config ure MAB, 802.1X an ...
Cisco Systems OL-24201-01 - page 383

13-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Workin g with Ca talog Rep orts Figure 13-2 RADIUS Active Session Report Step 2 Click the CoA link from the RADIUS session that y ou want to reauthenticate or termin ate. The Change of Aut horization Requ est page appear s. Step 3 Select a CoA optio ...
Cisco Systems OL-24201-01 - page 384

13-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Working with Catalog Reports • Shared secret mismatch Step 5 See the T roubleshoot ing RADIUS Authenticat ions, page 14-6 to troub leshoot a failed change of authorization attempt . A failed dynamic CoA will be li sted under failed RADIUS authent ...
Cisco Systems OL-24201-01 - page 385

13-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Viewing Reports Step 3 Click Ye s to conf irm that you want to reset the System Report f iles to the fact ory default. The page is refreshed, and the reports in Catalog > report_type are reset to the factory default. Viewing Reports This section ...
Cisco Systems OL-24201-01 - page 386

13-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Viewing Reports Figur e 13-4 Context Menu for Colu m n Data in Int er active V iewer Figure 13-5 sh ows the con text menu you use to modi fy labels in Interacti ve V ie wer . T o disp lay this menu, select and right-cl ick a label. Use this menu t ...
Cisco Systems OL-24201-01 - page 387

13-23 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Viewing Reports Navigating Reports When you open a report in the vie wer , you see the first page of data. T o vi ew or w ork with data, you use tools that hel p you navig ate the report. I n the vie wer , you can page through a report by using t he ...
Cisco Systems OL-24201-01 - page 388

13-24 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Viewing Reports Figur e 13-1 0 T able of Cont ents Expanded Entry T o na vigate to a specific page, cli ck the related link. Exporting Report Data The vie wer supports the ability t o export report d a ta to an Exc el spreadsh eet a s a comma-separ ...
Cisco Systems OL-24201-01 - page 389

13-25 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Viewing Reports In Excel, you can resize columns and format the data as you would do for an y other spreadsheet. Step 1 In the viewer , sele ct Export Data. The Export Data dialog box appears, as sho wn in Figure 13-12 . Figure 13-12 The Export Dat ...
Cisco Systems OL-24201-01 - page 390

13-26 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Viewing Reports Printing Reports Y ou can print a repo rt that appears in the vie wer in HTML or PDF format. Because you can modify the report in Interacti ve V iewer , Interactiv e V ie wer supports printing either the original report or the repor ...
Cisco Systems OL-24201-01 - page 391

13-27 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Step 2 Navig ate to the location where you want to sa ve the file. Step 3 T ype a f ile name and click Sa ve . Step 4 Click OK on the conf irmation message that appears. Formatting Reports in Interactive View ...
Cisco Systems OL-24201-01 - page 392

13-28 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Formatting Reports in Interactive Viewer Step 2 Select Change T ext . The Edit T e xt dialog box appears. Step 3 Modify the tex t as desired and click A pply . Formatting Labels T o modify the formatting of a label: Step 1 Click on the label and th ...
Cisco Systems OL-24201-01 - page 393

13-29 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Changing Column Data Alignment T o ch ange the alignment o f data in a co lumn, right-click t he column and select Alignment from the context menu. Then, choose one of the alignment options: Left, Center , or ...
Cisco Systems OL-24201-01 - page 394

13-30 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Formatting Reports in Interactive Viewer Formatting Data Types In an information obj ect, as in the relational databases on w hich information objects are based, all the data in a column is of the same data type, e x cluding the column header . The ...
Cisco Systems OL-24201-01 - page 395

13-31 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Formatting Numeric Data Numeric data can take se veral f orms. A column of postal codes requires dif ferent formatting from a column of sales figures. Figure 13-16 sho ws the numeric formats you can use. Figu ...
Cisco Systems OL-24201-01 - page 396

13-32 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Formatting Reports in Interactive Viewer Step 7 In Neg ativ e Numbers, select an opt ion for displaying ne gati ve numbers, b y using either a minus sign before the number or parentheses around the nu mber . Step 8 Click A pply . Formatting Fixed o ...
Cisco Systems OL-24201-01 - page 397

13-33 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Step 3 In Format Code f ield, type a format pattern similar to those sho wn in T able 13-7 . Step 4 Click Apply . Formatting String Data Step 1 T o def ine the format fo r a column that contai ns string data, ...
Cisco Systems OL-24201-01 - page 398

13-34 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Formatting Reports in Interactive Viewer Step 1 Select a string data column, th en click For m a t . The String column form at windo w appears. Step 2 In Format String as f ield, select Custom. A second field, F ormat Code, appears. Step 3 In the F ...
Cisco Systems OL-24201-01 - page 399

13-35 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer T abl e 13-6 sho ws the standard date-and-time data ty pe formats. Step 1 Select a column that contains date o r time data, then click For m at . The Date and T ime Format windo w appears. Step 2 In Format Da ...
Cisco Systems OL-24201-01 - page 400

13-36 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Formatting Reports in Interactive Viewer Formatting Boolean Data A Boolean e xpression e v aluates to T rue or False. Fo r example, you create a calculated column with the follo wing e xpression: ActualShipDate <= TargetShipDate If the actual sh ...
Cisco Systems OL-24201-01 - page 401

13-37 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Figur e 13-18 Conditional For mat ting in Int eractiv e View er Y ou can affect the formatting of one column based on the v alue in another column. F or example, if you select the CustomerName column, yo u ca ...
Cisco Systems OL-24201-01 - page 402

13-38 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Formatting Reports in Interactive Viewer b. In the next field, use the d rop-do wn list to select the operator to apply to the column you selected. Y ou can select Equal to, Less than, Le ss t han or Equal to, and so on. Depending on your selection ...
Cisco Systems OL-24201-01 - page 403

13-39 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Step 4 On Conditional F ormatting, cho ose Format, and set the for matting for the condi tional text . Y ou can set the font, font size, fo nt color , and background color . Y ou also can specifyi ng displayi ...
Cisco Systems OL-24201-01 - page 404

13-40 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Formatting Reports in Interactive Viewer Figur e 13-23 Removing a Conditiona l F or mat in Int eractiv e Viewer Step 4 Click A pply . Setting and Removing Page Breaks in Detail Columns In Interactiv e V iewer , you can force page breaks after a pre ...
Cisco Systems OL-24201-01 - page 405

13-41 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Figur e 13-24 Setting a P age Br ea k Step 3 Specify whether to set a page break before e very group, or for e very group except the f irst or last groups. T o delete an e xisting page break, select No ne in Before group or Af ...
Cisco Systems OL-24201-01 - page 406

13-42 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Organizing Report Data Reordering Columns in Interactive Viewer T o reorder columns: Step 1 Select and right-click a column. Step 2 From the conte xt menu, select Column > Reorder Columns . The Arrange Columns windo w appears Step 3 Select the c ...
Cisco Systems OL-24201-01 - page 407

13-43 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Figure 13-26 Mov e to Gr ou p Header Dialog Box Step 3 From the Mov e to Group field, select a v alue. Step 4 In the Header row f ield, select the row number in which t o mov e the v alue you selected in Step 3. Step 5 Click A ...
Cisco Systems OL-24201-01 - page 408

13-44 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Organizing Report Data Hiding or Displaying Report Items T o hide or d isplay report items: Step 1 Select and right-click a column. Step 2 Select Hide or Show Items. The Hide or Sho w Items dialog box appears, similar to Figure 13-28 . Figure 13-28 ...
Cisco Systems OL-24201-01 - page 409

13-45 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Displaying Hidden Columns TO displ ay hidden columns: Step 1 Select and right-click a column. Step 2 Select Column > Show Col umns . The Show Columns dialog box appears. Step 3 Select any item s you want to di splay . Use C ...
Cisco Systems OL-24201-01 - page 410

13-46 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Organizing Report Data Figure 13-30 Merg ed Column T o mer ge data in multiple columns: Step 1 Select and right-click the columns Step 2 Select Column > Merge Columns . Selecting a Column from a Merged Column Y ou can aggreg ate, f ilter , and g ...
Cisco Systems OL-24201-01 - page 411

13-47 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Sorting Data When you place data in a report design, the data sour ce determines the default sort order for the data ro ws. If the data source sorts a column in ascending order , the column is sorted in ascending order in the ...
Cisco Systems OL-24201-01 - page 412

13-48 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Organizing Report Data Figur e 13-31 Sorting Multip le Columns If the report uses group ed data, the drop-do wn lists in Adv a nced Sort sho w only the detail columns in the report, not the column s you used to group the data. Grouping Data A repor ...
Cisco Systems OL-24201-01 - page 413

13-49 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Figure 13-32 Ungrouped D ata T o or ganize all thi s information into a u seful in vent ory report, you create data gr oups and data sections. Data groups contain relat ed data rows. For e xample, you can create a report that ...
Cisco Systems OL-24201-01 - page 414

13-50 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Organizing Report Data Adding Groups T o ad d groups: Step 1 Select and right-click the column you want to use to create a group . Step 2 From the Conte xt menu, select Gr oup > Add Group . The ne w group appears in the vie wer . As shown in Fig ...
Cisco Systems OL-24201-01 - page 415

13-51 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Step 4 T o set a grouping interv al, select Group ev ery and enter a value and select the grouping interv al. For e xample, to create a ne w group for e very month, type 1 and select Month f rom the drop-do wn list. The report ...
Cisco Systems OL-24201-01 - page 416

13-52 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Organizing Report Data Figur e 13-37 Calculated Column T o create a calculation, you • Provide a ti tle for the calculated column. • Write an expression th at indicates which data to use and ho w to display the calculated data in the report. Th ...
Cisco Systems OL-24201-01 - page 417

13-53 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Understanding Supported Calculation Functions T abl e 13-11 provides e xamples of the functions you can use to create calcula tions. Note The Calculation dialog box does not support the use of uppercase TR UE and F ALSE functi ...
Cisco Systems OL-24201-01 - page 418

13-54 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Organizing Report Data COUNT( ) Counts the ro ws in a table. COUNT( ) COUNT(groupLe vel) Counts the ro ws at the specif ied group le vel. COUNT(2) COUNTDISTINCT(expr) Counts the rows th at contain distinct v alues in a table. COUNTDISTINCT([Custome ...
Cisco Systems OL-24201-01 - page 419

13-55 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data FIRST(expr , groupLev el) Displays the firs t value that appears in the specif ied column at the specified grou p lev el. FIRST([customerID], 3) IF(condition, doIfT rue, doIfFalse) Displays the result of an If...Then...Else st ...
Cisco Systems OL-24201-01 - page 420

13-56 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Organizing Report Data ISTOPNPERCENT(e xpr , percent, groupLe vel ) Displays T rue if the value is within the hi ghest n percentage v alues for the expression at the specified group le vel , and Fal se otherwise. ISTOPNPERCENT([SalesTotals], 5, 3) ...
Cisco Systems OL-24201-01 - page 421

13-57 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data MONTH(date, option) Displays the m onth of a sp ecified d ate-and-time valu e, in one of three optional formats: • 1 - Displays the month number of 1 through 12. • 2 - Displays the complete month name i n the user’ s loc ...
Cisco Systems OL-24201-01 - page 422

13-58 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Organizing Report Data RANK(exp r) Displays the rank of a numb er , string, or date-and-time value, starting at 1. Duplicate v alues recei ve identical ran k but the d uplication does not af fect the ranking of subsequent v alues. RANK([AverageStar ...
Cisco Systems OL-24201-01 - page 423

13-59 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data TRIM(str) Display s a string with all leading and trailing blank ch ar ac te r s re m oved . A ls o r e move s a ll co ns ec u tive blank characters. Leading and trailing blanks can be spaces, tabs, and so on. TRIM([customerNa ...
Cisco Systems OL-24201-01 - page 424

13-60 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Organizing Report Data Understanding Supported Operators T abl e 13-12 describes the mathematical an d logical operators you can use in writing expressions th at create calculated columns. Using Numbers and Da tes in an Expression When you create a ...
Cisco Systems OL-24201-01 - page 425

13-61 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Using Multiply Values in Calculated Columns T o use multip ly va lues in calculated columns: Step 1 Select a column. In the report, the ne w calculated column appears to the right of the column you select. Step 2 Select Add Ca ...
Cisco Systems OL-24201-01 - page 426

13-62 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Organizing Report Data Step 7 For the second ar gument, type the number of days to add. In this case, type 7. Step 8 V alidate the ex pression, then click A pply . The new calculated column appears in the report. F or e very v a lue in the Order Da ...
Cisco Systems OL-24201-01 - page 427

13-63 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Figure 13-39 A ggreg ate Ro w for a Group T abl e 13-13 sho ws the aggregate funct ions that you can use. T able 13-13 Aggr egate Functions Aggregate functions Description A verage Calculates the av erage va lue of a set of da ...
Cisco Systems OL-24201-01 - page 428

13-64 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Organizing Report Data Creating an Aggregate Data Row T o create an aggregate data ro w: Step 1 Select a column, then select Aggr egation . The Aggreg ation dialog box appears. The name of th e column you selected is listed in the Selected Column f ...
Cisco Systems OL-24201-01 - page 429

13-65 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Adding Additional Aggregate Rows After you create a single aggregate ro w for a column, you can add up to tw o more aggregate ro ws for the same column. F or an item total column, for e xample, you can create a sum of all the ...
Cisco Systems OL-24201-01 - page 430

13-66 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Hiding and Filtering Report Data Deleting Aggregate Rows T o delete an aggre gate ro w: Step 1 Select the calculated column th at contains the aggre gation you w ant to remo ve, th en select Aggr egation . The Aggre gation dialog box appears, disp ...
Cisco Systems OL-24201-01 - page 431

13-67 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Hiding and Filtering Repor t Data Figure 13-43 Suppressed V alues Y ou can suppress duplicate v alues to make your repo rt easier to read. Y ou can suppress only conse cuti ve occurrences of dupl icate v alues. In the Locati on column in Figur e 13- ...
Cisco Systems OL-24201-01 - page 432

13-68 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Hiding and Filtering Report Data Figur e 13-44 Group Detail Rows Displa yed Figure 13-45 sho ws the results of hiding the detail r ows for t he creditrank gr ouping. Figure 13-45 Gr oup Detail Rows Hidden • T o collapse a group or section, sel ec ...
Cisco Systems OL-24201-01 - page 433

13-69 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Hiding and Filtering Repor t Data Types of Filter Conditions T abl e 13-15 describes the types of f ilter conditions and pr ovides e xamples of how f ilter conditions are translated into instructi ons to the data source. Bottom N Returns the lo west ...
Cisco Systems OL-24201-01 - page 434

13-70 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Hiding and Filtering Report Data Setting Filter Values After you choose a condition, you set a f ilter value. Step 1 T o vie w all the v alues for the selected column, select Select V alues . Additional f ields appear in the Filter dialog bo x as s ...
Cisco Systems OL-24201-01 - page 435

13-71 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Hiding and Filtering Repor t Data Figur e 13-46 Selecting a Filter V alue in Interactiv e Viewer Step 2 T o search for a v alue, type the value in the Find V alue field, then click Find . All v alues that match your f ilter text are returned. For e ...
Cisco Systems OL-24201-01 - page 436

13-72 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Hiding and Filtering Report Data Step 3 From the Condition pu lldow n menu, select a condition. T able 13-14 describes the conditions you can select. • If you select Between or Not Between , Va l u e F r o m and Va l u e To , additional field s a ...
Cisco Systems OL-24201-01 - page 437

13-73 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Hiding and Filtering Repor t Data Figur e 13-47 The Adv anced Filter Di alog Bo x in Intera ctive View er Adva nced Filter provi des a great deal of fle xibility in setti ng the filter v alue. For conditions that test equality and for the Between co ...
Cisco Systems OL-24201-01 - page 438

13-74 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Hiding and Filtering Report Data Step 7 V alidate the f ilter syntax by clicking Va l i d a t e . Y ou hav e now created a filter with one cond ition . The next step is to ad d conditions. Step 8 Follo w steps Step 3 to Step 7 to create each additi ...
Cisco Systems OL-24201-01 - page 439

13-75 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Understanding Charts Step 2 From the Filter pulldo wn menu, select a particular nu mber of rows or a percentage of ro ws, as shown in Figure 13-48 . Step 3 Enter a v alue in t he field n ext to the Fil ter pulldo wn menu to specify the nu mber or pe ...
Cisco Systems OL-24201-01 - page 440

13-76 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Understanding Char ts Figure 13-49 P arts of a Basic Bar Char t There are a variety of chart types. So me types of data are best depicted with a specific ty pe of chart. Charts can be used as reports in th emselves and they can be used togeth er wi ...
Cisco Systems OL-24201-01 - page 441

13-77 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Understanding Charts Changing Chart Subtype charts hav e subtypes, which you can change as needed: • Bar chart—Side-by-Side, Stack ed, Percent Stacked • Line chart—Overlay , Stacked, Percent Stacked • Area chart—Overlay , Stacked, Percen ...
Cisco Systems OL-24201-01 - page 442

13-78 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Understanding Char ts Figure 13-50 Chart F o r matting Options Y ou use this page to: • Edit and format the default chart titl e. • Edit and format the def ault title for the category , or x-, axis. • Modify settings for the labels o n the x- ...
Cisco Systems OL-24201-01 - page 443

CH A P T E R 14-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 14 Troubleshooting ACS with the Monitoring & Report Viewer This chapter describes the di agnostic and troublesho oting tools that the Monitor ing & Report V ie wer provides for the Cisco Secure Access Control Syste m. This chapter contains the following sec ...
Cisco Systems OL-24201-01 - page 444

14-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 14 Trouble shooting ACS with the Monitoring & Report View er Available Diag nostic and Troub leshooting Tools Support b undles typically contain t he A CS database, log f iles, core f iles, and Monitoring & Repo rt V iewer sup port files. Y ou can exclude certai ...
Cisco Systems OL-24201-01 - page 445

14-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 14 Troub leshooting ACS w ith the Monitoring & Report Viewer Performing Connectivity Tests Performing Connectivity Tests Y ou can test your con nectiv ity to a network devi ce with the de vice’ s hostname or IP address. For exam ple, you can verify you r connectio ...
Cisco Systems OL-24201-01 - page 446

14-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 14 Trouble shooting ACS with the Monitoring & Report View er Downloading ACS Su pport Bund les for Diagnostic Information Related Topics • A v ailable Diagno stic and T roubleshooting T ools, p age 14-1 • Connecti vity T ests, page 14-1 • A CS Support Bundle, ...
Cisco Systems OL-24201-01 - page 447

14-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 14 Troub leshooting ACS w ith the Monitoring & Report Viewer Working with Expert Troub leshooter • Include core files—Check this check box to include core f iles, then click All or click Include f iles from t he last and enter a value from 1 to 36 5 in the day(s ...
Cisco Systems OL-24201-01 - page 448

14-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 14 Trouble shooting ACS with the Monitoring & Report View er Working with Exper t Troubleshooter • Comparing IP-SGT P airs on a De vice with A CS-Assigned SGT Records, page 14-14 • Comparing Device SGT with ACS-Assigned Device SGT , page 14-15 Related Topics • ...
Cisco Systems OL-24201-01 - page 449

14-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 14 Troub leshooting ACS w ith the Monitoring & Report Viewer Working with Expert Troub leshooter Step 4 Click Search to display the RADIUS authentications that match your search criteria. The Search Result table is po pulated with the results of your search. The fol ...
Cisco Systems OL-24201-01 - page 450

14-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 14 Trouble shooting ACS with the Monitoring & Report View er Working with Exper t Troubleshooter Step 8 Click Done to return to th e Expert T roubleshoot er . The Progress Details page refreshes periodically to display the tasks that are performed as troubleshooting ...
Cisco Systems OL-24201-01 - page 451

14-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 14 Troub leshooting ACS w ith the Monitoring & Report Viewer Working with Expert Troub leshooter Step 10 Click Done to return to the Expert T roubleshooter . The Monitoring & Report V ie wer pro vides you the diagnosis, steps to resolv e the problem, and trouble ...
Cisco Systems OL-24201-01 - page 452

14-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 14 Trouble shooting ACS with the Monitoring & Report View er Working with Exper t Troubleshooter Step 3 Click Run to run the sho w command on the specif ied network de vice. The Progress Details pag e appears. The Monitoring & Report V iewer prompts you for ad ...
Cisco Systems OL-24201-01 - page 453

14-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 14 Troub leshooting ACS w ith the Monitoring & Report Viewer Working with Expert Troub leshooter Step 3 Click Run . The Progress Details pag e appears. The Monitoring & Report V ie wer prompts you for additional i nput. Step 4 Click the User Input Required b u ...
Cisco Systems OL-24201-01 - page 454

14-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 14 Trouble shooting ACS with the Monitoring & Report View er Working with Exper t Troubleshooter 3. Compares the SGA CL policy obt ained from the netw ork de vice with the SGA CL policy obt ained from A CS. 4. Displays the source SGT —destinat ion SGT pair if the ...
Cisco Systems OL-24201-01 - page 455

14-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 14 Troub leshooting ACS w ith the Monitoring & Report Viewer Working with Expert Troub leshooter Step 4 Click S XP-IP Mappings from the list of troublesho oting tools. The Expert T roubleshooter page refreshes and sho ws the following f ield: Network De vice IP—E ...
Cisco Systems OL-24201-01 - page 456

14-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 14 Trouble shooting ACS with the Monitoring & Report View er Working with Exper t Troubleshooter Step 10 Click Show Results Summary to vie w the diagnosis and resolution steps. The Results Summary page appears with the informatio n described in T able 14-6 . Relate ...
Cisco Systems OL-24201-01 - page 457

14-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 14 Troub leshooting ACS w ith the Monitoring & Report Viewer Working with Expert Troub leshooter Step 6 Click Show Results Summary to vie w the diagnosis and resolution steps. Related Topics • A v ailable Diagno stic and T roubleshooting T ools, p age 14-1 • Co ...
Cisco Systems OL-24201-01 - page 458

14-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 14 Trouble shooting ACS with the Monitoring & Report View er Working with Exper t Troubleshooter Step 3 Click Run . The Progress Details page appears with a summary . Step 4 Click Show Results Summary to vie w the results of devi ce SGT comparison. The Results Summ ...
Cisco Systems OL-24201-01 - page 459

CH A P T E R 15-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 15 Managing System Operati ons and Configuration in the Monitoring & Report Viewer This chapter describes the tasks th at you must perform to co nfigure an d administer the Monitor ing & Report V ie wer . The Monitoring Co nfigu ration dra wer allows y ou t ...
Cisco Systems OL-24201-01 - page 460

15-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Op erations a nd Configuration in the Mo nitoring & Report View er • Config ure and edit fail ure reasons—The Monitoring & Report V ie wer allows you to co nfigu re the description of the fail ure reason code and pro vide instructions to r ...
Cisco Systems OL-24201-01 - page 461

15-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitori ng & Report Viewer Configuring Data Purging and Incremental Backup • Config uring Alarm Syslog T argets, page 15-17 • Config uring Remote Database Settings, page 15-17 Configuring Data Purgin g and ...
Cisco Systems OL-24201-01 - page 462

15-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Op erations a nd Configuration in the Mo nitoring & Report View er Configuring Data Purg ing and Increm ental Backu p – If the database disk usage is greater than 8 3 GB, a backup is run immediately follo wed by a purge u ntil the database disk ...
Cisco Systems OL-24201-01 - page 463

15-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitori ng & Report Viewer Configuring Data Purging and Incremental Backup • A CS displays an alert message when the dif ference between the physical and a ctual size of the view database i s greater tha n 10 ...
Cisco Systems OL-24201-01 - page 464

15-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Op erations a nd Configuration in the Mo nitoring & Report View er Configuring Data Purg ing and Increm ental Backu p Configuring NFS stagging If the ut ilization of /opt exceeds 30%, then it is req uired to use NFS staging with a remote repositor ...
Cisco Systems OL-24201-01 - page 465

15-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitori ng & Report Viewer Restoring Data from a Backup Restoring Data from a Backup Use this page to restore data from t he V iew database that was backed up ea rlier . Y ou can restore data from an incrementa ...
Cisco Systems OL-24201-01 - page 466

15-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Op erations a nd Configuration in the Mo nitoring & Report View er Viewing Lo g Collections Note Y ou can use the refresh symbol to refresh the cont ents of the page. Related Topic Log Collection Deta ils Page, page 15- 9 T able 15-3 Log Co llecti ...
Cisco Systems OL-24201-01 - page 467

15-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitori ng & Report Viewer Viewing Log Collections Log Collection Details Page Use this page to view the recently co llected log names for an ACS serv er . Step 1 From the Monitoring & Rep ort V iewer , sel ...
Cisco Systems OL-24201-01 - page 468

15-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Op erations a nd Configuration in the Mo nitoring & Report View er Viewing Lo g Collections Related Topic • V ie wing Log Collections, p age 15-7 T able 15-4 Log Collection Details P age Option Description Log Name Name of the log file. Last Sy ...
Cisco Systems OL-24201-01 - page 469

15-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitori ng & Report Viewer Recovering Log Message s Recovering Log Messages A CS server sends syslog messages to the Monitoring and Report V iewer fo r the acti vities such as passed authentication, failed at ...
Cisco Systems OL-24201-01 - page 470

15-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Op erations a nd Configuration in the Mo nitoring & Report View er Viewing Scheduled J obs Note When you change any schedule through the ACS web in terface, for th e ne w schedule to take ef fect, you must manually restart the Job Manager p roces ...
Cisco Systems OL-24201-01 - page 471

15-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitori ng & Report Viewer Viewing Process Sta tus Viewing Process Status Use this page to vie w the status of processes running in your A CS en vironment. From the Monitoring & Report V ie wer, select Mon ...
Cisco Systems OL-24201-01 - page 472

15-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Op erations a nd Configuration in the Mo nitoring & Report View er Viewing Data Upgr ade Status Viewing Data Upgrade Status After you upgrad e to A CS 5.3, ensure that the Monitoring & Report V iewer database upgrade is complete. Y ou can do ...
Cisco Systems OL-24201-01 - page 473

15-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitori ng & Report Viewer Specifying E-Mail Settings Related Topic V iewing Failure Reasons, page 15-14 Specifying E-Mail Settings Use this page to specify the e-mail server and administrator e-mail address. ...
Cisco Systems OL-24201-01 - page 474

15-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Op erations a nd Configuration in the Mo nitoring & Report View er Understanding Collection Filters Understanding Collection Filters Y ou can create collection f ilters that allo w you to filt er and drop syslog ev ents that are n ot used for mon ...
Cisco Systems OL-24201-01 - page 475

15-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitori ng & Report Viewer Configuring System Alarm Settings Related Topics • Creating and Editing Collect ion Filters, page 15-16 • Deleting C ollection Filt ers, page 15-17 Deleting Collection Filters T ...
Cisco Systems OL-24201-01 - page 476

15-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Op erations a nd Configuration in the Mo nitoring & Report View er Configuring Remo te Database Settings Step 1 From the Monitoring & Report V ie wer , choose Monitoring Conf iguration > System Conf iguration > Remote Database Settings ...
Cisco Systems OL-24201-01 - page 477

CH A P T E R 16-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 16 Managing System Administrators System administrators ar e responsible for depl oying, conf iguring, maintain ing, and monitoring the A CS servers in your network. The y can perform v arious operations in A CS through the A CS administrati ve interface. When you ...
Cisco Systems OL-24201-01 - page 478

16-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 16 Mana gi ng System Administrators Understanding Administra tor Roles and Accounts • Config ure administrator session setting • Config ure administrator access setting The first t ime you log in to A CS 5.3, you are prompted for the predef ined administrator userna ...
Cisco Systems OL-24201-01 - page 479

16-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Configuring System Ad ministrators and Accou nts Understanding Authentication An authentication requ est is the fi rst operation for e v ery management session. If authenticati on fails, the management session is terminated. But if auth ...
Cisco Systems OL-24201-01 - page 480

16-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 16 Mana gi ng System Administrators Understanding Roles Permissions A permission is an access right that applies to a specif ic admini strati v e task . Permissions consist of: • A Resource – The list of A CS components that an administrator can acce ss, such as net ...
Cisco Systems OL-24201-01 - page 481

16-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Understanding Role s Note At first logi n, only the Super Admin is assigned t o a specific admini strator . Related Topics • Administrator Accounts and Role Association • Creating, Dup licating, Edi ting, and Dele ting Admin istrato ...
Cisco Systems OL-24201-01 - page 482

16-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 16 Mana gi ng System Administrators Creating, Dup licating, Editing, and Deleti ng Administrator Accounts Administrator Accounts and Role Association Administrator account def initions consist of a name, status, description, e-mail ad dress, password, and role assignmen ...
Cisco Systems OL-24201-01 - page 483

16-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Creating, Duplicatin g, Editing, and D eleting Administrator Accounts Step 2 Do any of the follo wing: • Click Cr eate . • Check the check box next to the account that you want t o duplicate an d click Duplicate . • Click the acco ...
Cisco Systems OL-24201-01 - page 484

16-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 16 Mana gi ng System Administrators Viewing Predefined Role s The new account is sa ved. The Administrators page appears, with the new account that you created or duplicat ed. Related Topics • Understanding Roles, page 16-3 • Administrator Accounts and Ro le Associa ...
Cisco Systems OL-24201-01 - page 485

16-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Configuring Auth entication Settings for Administrators Related Topics • Understanding Roles, page 16-3 • Administrator Accounts and Role Associati on, page 16-6 • Config uring Authentication Settings for Administrato rs, page 16- ...
Cisco Systems OL-24201-01 - page 486

16-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 16 Mana gi ng System Administrators Configuring Authenticatio n Settings for Administrators Note A CS automatically deactiv ates or disable s your account based on your last login, last password change, or number of lo gin retries. The CLI and PI use r accounts are blo ...
Cisco Systems OL-24201-01 - page 487

16-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Configuring Session Idle Timeou t Related Topics • Understanding Roles, page 16-3 • Administrator Accounts and Role Associati on, page 16-6 • V ie wing Predef ined Roles, page 16-8 Configuring Session Idle Timeout A GUI session, ...
Cisco Systems OL-24201-01 - page 488

16-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 16 Mana gi ng System Administrators Resetting the Admi nistrator Password Step 3 Click Cr eate in the IP Range(s) area. A ne w window appears. Enter the IP address of the machine from which you want to allow remote access to A CS. Enter a subnet mask for an entire IP a ...
Cisco Systems OL-24201-01 - page 489

16-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Changing the Admini strator Password http://www .ci sco.com/en/US/docs/net _mgmt/cisco_secure_access_ control_system/5.3/comman d/ reference/cli_app_a.html#wp189 3005 . Note Y ou cannot reset the administrat or password through the A C ...
Cisco Systems OL-24201-01 - page 490

16-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 16 Mana gi ng System Administrators Changing the Admi nistrator Password Resetting Another Administrator’s Password T o reset another administrator’ s password: Step 1 Choose System Administration > Administrators > Accounts . The Accounts page appears wi th ...
Cisco Systems OL-24201-01 - page 491

CH A P T E R 17-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 17 Configuring System Operations Y ou can confi gure and deploy A CS instance s so that one A CS instance becomes the primary instance and the other A CS instances can be registered to the primary as secondary instances . An A CS instance represents A CS software t ...
Cisco Systems OL-24201-01 - page 492

17-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Understanding Distr ibuted Deployment Understanding Distributed Deployment Y ou can confi gure multiple A CS servers in a deployment. W ithin any deplo yment, you designate one server as the primary server and all the other servers are ...
Cisco Systems OL-24201-01 - page 493

17-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Understanding Distributed Deployment Note A CS 5.3 does not support the large deplo yment with more than ten A CS instances (one primary and nine secondaries). F or more informat ion on A CS server deployments, see: http://www .ci sco.co ...
Cisco Systems OL-24201-01 - page 494

17-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Understanding Distr ibuted Deployment • Understanding Distrib uted Deplo yment, page 17-2 Promoting a Secondary Server There can be one server only that is functio ning as the prim ary se rver . Howe ver , you can promote a secondary ...
Cisco Systems OL-24201-01 - page 495

17-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Understanding Distributed Deployment Understanding Full Replication Under normal circumstances, each co nfiguration chan ge is propagate d to all secondary instances. Unlike A CS 4.x where full replic ation was performe d, in A CS 5.3, o ...
Cisco Systems OL-24201-01 - page 496

17-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Scheduled Backup s • Using the Deployment Operations Pa ge to Create a Local Mode Instanc e, page 17-22 Scheduled Backups Y ou can schedu le backups to be ru n at periodic in tervals. Y ou can schedule backups from the primar y web in ...
Cisco Systems OL-24201-01 - page 497

17-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Backing Up Primary and Seconda ry Instances Step 2 Click Submit to schedule t he backup. Related Topic Backing Up Primary and Secondary Instances, page 17-7 Backing Up Primary and Secondary Instances A CS provides you the option to back ...
Cisco Systems OL-24201-01 - page 498

17-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Synchronizing Primary and Secondary Instan ces After Backup and Restore Step 4 Click Submit to run the backup i mmediately . Related Topic Scheduled Backups, page 17-6 Synchronizing Primary and Secondary Instances After Backup and Resto ...
Cisco Systems OL-24201-01 - page 499

17-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Editing Instances The Distribu ted System Management page appears with two t ables: • Primary Instance table — Shows the primary instance. The primary instance is created as part of the installatio n process. • Secondary Instances ...
Cisco Systems OL-24201-01 - page 500

17-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Editing Instances Step 2 From the Primary Instance table, click the pr imary instance that you want to modify , or check the Name check box and click Edit . Step 3 Complete the fields in the Di stributed System Management Properties pa ...
Cisco Systems OL-24201-01 - page 501

17-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Editing Instances Step 4 Click Submit . Port Port for Management service. MA C Address MAC address for the instance. Description Description of the primary or secondary instance. Check Secondary Every (only applies for primary instance) ...
Cisco Systems OL-24201-01 - page 502

17-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Editing Instances The Primary Instance table on the Distrib uted System Management page app ears with the edited primary instance. Related Topics • Replicating a Secondary Instance fr o m a Primary Instance , page 17-18 • V iewing ...
Cisco Systems OL-24201-01 - page 503

17-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Activating a Secondary Instance The follo wing warning message appears: Are you sure you want to delete the sel ected item/it ems? Step 5 Click OK . The Secondary Instances table on th e Distrib uted System Management page appears witho ...
Cisco Systems OL-24201-01 - page 504

17-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Registering a Seconda ry Instance to a Prima ry Instance . T able 17 -6 S ystem Oper ations: Deployment Operations P age Option Description Instance Status Current Status Identifies the instance of the node you log in to as primary or ...
Cisco Systems OL-24201-01 - page 505

17-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Registering a Secondary Instance to a Primary Instance Step 3 Specify the appropriate v alues in the Registration Section. Step 4 Click Register to Primary . The follo wing warnin g message is displayed. This operati on will regis ter t ...
Cisco Systems OL-24201-01 - page 506

17-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Deregistering Secondary Instanc es from the Distr ibuted System Management Page Deregistering Secondary Instance s from the Distributed System Management Page T o deregister secondary instances from t he Distributed System Manageme nt ...
Cisco Systems OL-24201-01 - page 507

17-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Promoting a Secondary Instance from the Distributed System Mana gement Page The system displays the follo wing warning message: This operati on will dereg ister this ser ver as a seco ndary with the p rimary server . ACS will be rest ar ...
Cisco Systems OL-24201-01 - page 508

17-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Promoting a Secondar y Instance from the Dep loyment Operations Pag e Promoting a Secondary Instance from the Deployment Operations Page T o promot e a secondary instance to a pri mary instance from the Deplo yment Operations page: Ste ...
Cisco Systems OL-24201-01 - page 509

17-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Replicating a Secondary Instanc e from a Primary Insta nce Replicating a Secondary Instance from the Distributed System Management Page Note All A CS appliances must be in sync with the AD d omain clock. T o re plicate a seco ndary inst ...
Cisco Systems OL-24201-01 - page 510

17-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Replicating a Secondary Instanc e from a Primary Instance The Distribu ted System Management page appears. On the Secondary Instance table, the Replication Status column sho ws UPD A TE D . Replication is complete on the secondary in s ...
Cisco Systems OL-24201-01 - page 511

17-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Replicating a Secondary Instanc e from a Primary Insta nce Failover A CS 5.3 allows you to configure mul tiple A C S instances for a dep loyment scenario. Each deplo yment can hav e one primary and multiple secondar y A CS server . Scen ...
Cisco Systems OL-24201-01 - page 512

17-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Using the Deploym ent Operation s Page to Create a Local Mode Instance Cleanup..... .. Starting ACS... . The database on the primary se rver is restored successfully . Now , you can observe that all se condary servers in the distribute ...
Cisco Systems OL-24201-01 - page 513

17-23 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Using the Deployment Operations Page to Create a Local Mode Insta nce Y ou can use the conf iguration information on the A C S Config uration Audit report to manually restore the conf iguration infor mation for this inst ance. Creating, ...
Cisco Systems OL-24201-01 - page 514

17-24 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Using the Deploym ent Operation s Page to Create a Local Mode Instance Step 4 Click Submit . The new software repository is sa ved. The Soft ware Repository page appears, with the ne w software repository that you created, dupl icated, ...
Cisco Systems OL-24201-01 - page 515

CH A P T E R 18-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 18 Managing System Administration Configurations After you install Ci sco Secure A CS, you must conf igure and administer it t o manage your network eff iciently . The ACS web interface allo ws you to ea sily configure A CS to perform v arious operations. For a lis ...
Cisco Systems OL-24201-01 - page 516

18-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Global System Options Configuring EAP-TLS Settings Use the EAP-TLS Settings page to configure EAP-TLS runtime characteristics. Select System Administration > Conf iguration > Global System Options > E ...
Cisco Systems OL-24201-01 - page 517

18-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Global System Op tions Configuring PEAP Settings Use the PEAP Settings page to conf igure PEAP ru ntim e characteristics. Select System Administration > Conf iguration > Global System Options > PEAP S ...
Cisco Systems OL-24201-01 - page 518

18-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring RSA SecurID Prom pts Generating EAP-FAST PAC Use the EAP-F AST Generate P AC pag e to generate a user or machine P AC. Step 1 Select System Admini stration > Confi guration > Global System Options > E ...
Cisco Systems OL-24201-01 - page 519

18-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Dictiona ries Step 3 Click Submit to conf igure the RSA SecurID Prompt s. Managing Dictionaries The follo wing tasks ar e av ailable when you select System Administration > Conf iguration > Dictionaries : ? ...
Cisco Systems OL-24201-01 - page 520

18-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Diction aries • RADIUS (RedCreek) • RADIUS (US Robotics) • TA C A C S + T o vie w and choose attributes from a p rotocol dictionary , select System Administ ration > Confi guration > Dictionaries > ...
Cisco Systems OL-24201-01 - page 521

18-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Dictiona ries Step 3 Click Submit to sav e the changes. Related Topics V iewi ng RADIUS and T ACA CS+ Attrib utes, page 18-5 Creating, Duplicating, and Editing RADIUS Vendor-Specific Subattributes T o create, dup ...
Cisco Systems OL-24201-01 - page 522

18-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Diction aries T able 18-9 Cr eating, Duplicating, and Ed iting RADIUS Subat tr ibutes Option Description General Attrib ute Name of the subattribut e. The name must be unique. Description (Optional) A brief descr ...
Cisco Systems OL-24201-01 - page 523

18-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Dictiona ries Step 4 Click Submit to sav e the suba ttribute. Viewing RADIUS Vendor-Specific Subattributes T o vi ew the att ribut es that are supported by a par ticular RADIUS v endor: Step 1 Choose Syst em Admi ...
Cisco Systems OL-24201-01 - page 524

18-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Diction aries Related Topic Creating, Duplicating , and Editing RADIUS V endor-Specif ic Attrib utes, page 18-6 Configuring Identity Dictionaries This section contains the following topics: • Creating, Duplica ...
Cisco Systems OL-24201-01 - page 525

18-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Dictiona ries Configuring Internal Identity Attributes T abl e 18-10 describes the f ields in the internal < users | hosts > identit y attrib utes. T able 18-1 0 Identity Attr ibute Pr operties P age Optio ...
Cisco Systems OL-24201-01 - page 526

18-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Diction aries Deleting an Internal User Identity Attribute T o delete an internal user identity attrib ute: Step 1 Select System Administration > Conf iguration > Di ctionaries > Identity > Internal ...
Cisco Systems OL-24201-01 - page 527

18-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Dictiona ries Creating, Duplicating, and Editing an Internal Host Identity Attribute T o cr eate, duplicate, and edit an internal h ost identity attrib ute: Step 1 Select System Administration > Conf iguratio ...
Cisco Systems OL-24201-01 - page 528

18-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Local Server Certificates Adding Static IP address to Users in Internal Identity Store T o add stat ic IP address to a user in I nternal Identity Store: Step 1 Add a static IP attribute to inte rnal user attr ...
Cisco Systems OL-24201-01 - page 529

18-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Adding Local Serve r Certificates Step 2 Click Add . Step 3 Enter the informatio n in the Local Certif icate Store Properties page as described i n T able 1 8-12 : Importing Server Certificates and As sociating Certifica ...
Cisco Systems OL-24201-01 - page 530

18-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Adding Local Server Certificates Step 4 Click Finish . The new certif icate is sav ed. The Local Certific ate Store page appears with the new certificate. Generating Self-Signed Certificates Step 1 Select System Administ ...
Cisco Systems OL-24201-01 - page 531

18-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Adding Local Serve r Certificates Step 4 Click Finish . The new certif icate is sav ed. The Local Certific ate Store page appears with the new certificate. Generating a Certificate Signing Request Step 1 Select System Ad ...
Cisco Systems OL-24201-01 - page 532

18-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Adding Local Server Certificates Step 1 Select System Administration > Conf igurations > Loca l Server Certif icates > Local Certificates > Add. Step 2 Select Bind CA Signed Certif icate > Next . Step 3 En ...
Cisco Systems OL-24201-01 - page 533

18-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Adding Local Serve r Certificates Step 4 Click Submit to ex tend the existing certif icate’ s v alidity . The Local Certificate Store page ap pears with the edited certificate. Related Topic • Config uring Local Serv ...
Cisco Systems OL-24201-01 - page 534

18-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Adding Local Server Certificates Exporting Certificates T o e xport a certi fica te: Step 1 Select System Administration > Conf iguration > Loca l Server Certif icates > Local Certificates . Step 2 Check the box ...
Cisco Systems OL-24201-01 - page 535

18-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuri ng Logs Configuring Logs Log records are generated for: • Accounting messages • AAA audit and di agnostics messages • System diagnostics messages • Administrati ve and operatio nal audit messages The me ...
Cisco Systems OL-24201-01 - page 536

18-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs • Remote Log T argets > Duplicate: “ lo g_tar get” , where log_tar get is the name of the remote log tar get you selected in Step 2 , if you are duplicat ing a remote log targ et. • Remote Log ...
Cisco Systems OL-24201-01 - page 537

18-23 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuri ng Logs Deleting a Remote Log Target T o delete a remote log t arget: Step 1 Select System Administration > Conf iguration > Log Conf iguration > Remote Log T argets . The Remote Log T a rgets page app ...
Cisco Systems OL-24201-01 - page 538

18-24 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs Step 1 Select System Administration > Conf iguration > Log Conf iguration > Local Log T arget . The Local Configurat ion page appears. Step 2 Click De lete Logs Now to immediately delete all loc ...
Cisco Systems OL-24201-01 - page 539

18-25 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuri ng Logs If you ha ve compl eted your conf iguration, proceed to Step 6 . Step 4 T o conf igure a remote syslog target, click the Remot e Syslog T arget and proceed to Step 5 . Step 5 Complete the Remote Syslog ...
Cisco Systems OL-24201-01 - page 540

18-26 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs T abl e 18-22 lists a set of adminis trativ e and operational logs under v arious categories that are no t logged to the local t arget. T able 18-22 Administr ative and Oper ationa l Logs Not Logged in t ...
Cisco Systems OL-24201-01 - page 541

18-27 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuri ng Logs Related Topic • Config uring Per -Instance Logging Cate gories, page 18-29 • V iewi ng ADE-OS Logs, page 18-28 Software-Management • A CS_UPGRADE—A CS upgraded • AC S _ P A T C H — AC S p a ...
Cisco Systems OL-24201-01 - page 542

18-28 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs Viewing ADE-OS Logs The logs listed in T abl e 18-22 are written to the ADE-OS logs. From the AC S CLI, you can use the follo wing command t o vie w the ADE-OS logs: show logging system This command list ...
Cisco Systems OL-24201-01 - page 543

18-29 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuri ng Logs Sep 29 06:28:28 cd-acs5-13-103 MSGCAT58004/admin: ACS Stopped Sep 29 06:31:41 cd-acs5-13-103 MSGCAT58037/admin: Installing ACS Sep 29 09:52:35 cd-acs5-13-103 MSGCAT58007: Killing Tomcat 32729 Sep 29 09: ...
Cisco Systems OL-24201-01 - page 544

18-30 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs Configuring Per-Instance Security and Log Settings Y ou can conf igure the se verity lev e l and local lo g settings in a logging cate gory conf iguration for a specific o verridden or custom A C S insta ...
Cisco Systems OL-24201-01 - page 545

18-31 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuri ng Logs Configuring Per-Instance Remote Syslog Targets Use this page to configure remote sy slog targets for logging cate gories. Step 1 Select System Administration > Conf iguration > Log Conf iguration ...
Cisco Systems OL-24201-01 - page 546

18-32 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs Displaying Logging Categories Y ou can vie w a tree of conf igured logging cat egories for a specif ic ACS inst ance. In addition, you can confi gure a logging cate gory’ s sev erity le ve l, log targe ...
Cisco Systems OL-24201-01 - page 547

18-33 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuri ng Logs Configuring the Log Collector Use the Log Collector pa ge to sel ect a log data collecto r and suspend or resume log data transmission. Step 1 Select System Administration > Conf iguration > Log C ...
Cisco Systems OL-24201-01 - page 548

18-34 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Licensing Overview Licensing Overview T o operate A CS, you must install a va lid license. A CS prompts you to install a v alid base license when you first access the web interface. Each A CS instance (p rimary or second ...
Cisco Systems OL-24201-01 - page 549

18-35 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Installing a License File Related Topics • Licensing Overview , page 18-34 • Installing a License File, page 18-35 • V iewing the Base License , page 18-36 • Adding Deplo yment License Files, page 18-39 • Delet ...
Cisco Systems OL-24201-01 - page 550

18-36 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Installing a License File Viewing the Base License T o upgrade the base license: Step 1 Select System Administration > Conf iguration > Licensing > Base Server Li cense . The Base Server License page appears wit ...
Cisco Systems OL-24201-01 - page 551

18-37 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Installing a License File Related Topic • Upgrading the Base Serv er License, page 18-37 Upgrading the Base Server License Y ou can upgrade the base server license. Step 1 Select System Administration > Conf igurati ...
Cisco Systems OL-24201-01 - page 552

18-38 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Viewing License Fe ature Options Viewing License Feature Options Y ou can add, upgrade, or delete e xisting deploy ment licenses. The config uration pane at the top o f the page sho ws the deployment information. Select ...
Cisco Systems OL-24201-01 - page 553

18-39 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Adding Deployment License File s Adding Deployment License Files T o add a new base deployment license file: Step 1 Select System Administration > Conf iguration > Licensing > F eature Options . The Feature Opti ...
Cisco Systems OL-24201-01 - page 554

18-40 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Deleting Deployment License Files Related Topics • Licensing Overview , page 18-34 • T ypes of Licenses, page 18-34 • Installing a License File, page 18-35 • V iewing the Base License , page 18-36 • Deleting De ...
Cisco Systems OL-24201-01 - page 555

18-41 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Availabl e Downloa ds Downloading Migration Utility Files T o do wnload migration application files an d the migration gui de for A C S 5.3: Step 1 Choose System Administra tion > Download s > Migration Util ity . ...
Cisco Systems OL-24201-01 - page 556

18-42 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Available Do wnloads T o do wnload these sample scripts: Step 1 Choose System Administration > Downl oads > Sample Python Scripts . The Sample Python Scripts pag e appears. Step 2 Click one of the follo wing: • P ...
Cisco Systems OL-24201-01 - page 557

CH A P T E R 19-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 19 Understanding Logging This chapter describes logg ing functionality in A C S 5.3. Administrator s and users use the v arious management interfaces of A CS to perform dif feren t tasks. Using the administrati ve access control feature, you can assign permissi ons ...
Cisco Systems OL-24201-01 - page 558

19-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 19 Understa nding Logging About Logging Using Log Targets Y ou can specify to send cust omer log information to multiple consumers or Lo g T arg ets and specify whether the log messages are stored locally in te xt form at or forw arded to syslog servers. By default, a s ...
Cisco Systems OL-24201-01 - page 559

19-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging About Logging Note For comple x conf iguration items or attrib utes, such as policy or D A CL contents, the ne w attrib ute v alue is reported as "Ne w/Updated" and the audit does not contai n the actual at trib ute va l u e o r va l u ...
Cisco Systems OL-24201-01 - page 560

19-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 19 Understa nding Logging About Logging Each log message contains the follo wing information: • Event code—A un ique message code. • Logging category—Identif i es the catego ry to which a log message belongs. • Se verity le vel—Identifies th e lev e l of se ...
Cisco Systems OL-24201-01 - page 561

19-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging About Logging Local Store Target Log messages in the local stor e are text f iles that are sent to one log f ile, located at /opt/CSCOacs/lo gs/localStor e/ , regardless of which l ogging category they belo ng to. The local store can only contai ...
Cisco Systems OL-24201-01 - page 562

19-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 19 Understa nding Logging About Logging T able 19-2 Local St or e and Syslog Message F or mat Field Description timestamp Date of the message generat ion, according to the local clock of the originating A CS, in the format YYYY - MM-DD hh:mm:ss:xxx +/-zh: zm . Possible ...
Cisco Systems OL-24201-01 - page 563

19-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging About Logging Y ou can use the web in terface to configure the n umber of da ys to retain local store log files; howe ver , the default setting is to purge data when it exceeds 5 MB or each d ay , whiche ver limit is f irst attained. If you do c ...
Cisco Systems OL-24201-01 - page 564

19-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 19 Understa nding Logging About Logging When you configure a critical log target, and a message is sent to that critical log tar get, the message is also sent to the configured noncriti cal log target on a best-effort basis. • When you configure a critical log tar get ...
Cisco Systems OL-24201-01 - page 565

19-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging About Logging T able 19-3 Remote Syslog Messag e Header For mat Field Description pri_num Priority v alue of the message; a comb ination of the facility value an d the sev erity v alue of the message. Priority v alue = (facility valu e* 8) + se ...
Cisco Systems OL-24201-01 - page 566

19-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 19 Understa nding Logging About Logging The syslog messa ge data or pay load is the same as the Local Store Message Format, which is described in T able 19-2 . The remote syslog server tar gets are id entified by the f acility code names LOCAL0 to LOCAL7 ( LOCAL6 is th ...
Cisco Systems OL-24201-01 - page 567

19-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging About Logging The Monitoring & Report V ie wer has two dra wer options: • Monitoring and Reports—Use this dra wer to view and con figur e alarms, vie w log reports, an d perform troubleshooti ng tasks. • Monitoring Conf iguration—Us ...
Cisco Systems OL-24201-01 - page 568

19-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 19 Understa nding Logging ACS 4.x Versus ACS 5.3 Logging ACS 4.x Versus ACS 5.3 Logging If you are fa miliar with the loggin g functionality in A CS 4.x, ensure that you familiarize yo urself with the logging functionali ty of A CS 5.3, which is con siderably dif feren ...
Cisco Systems OL-24201-01 - page 569

19-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging ACS 4.x Versus ACS 5.3 Logging Conf iguration Use the System Confi guration > Logging page to defi ne: • Loggers and indi vidual logs • Critical loggers • Remote logging • CSV log fi le • Syslog log • ODBC log See Config uring Lo ...
Cisco Systems OL-24201-01 - page 570

19-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 19 Understa nding Logging ACS 4.x Versus ACS 5.3 Logging ...
Cisco Systems OL-24201-01 - page 571

A-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 APPENDIX A AAA Protocols This section contains the following topics: • T ypical Use Cases, page A-1 • Access Protocols—T A CACS+ and RADI US, page A-5 • Overvie w of T A CACS+, page A-5 • Overvie w of RADIUS, page A-6 Typical Use Cases This section contains the followin ...
Cisco Systems OL-24201-01 - page 572

A-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix A AAA Pro tocols Typical Use Case s Session Access Requests (Dev ice Administration [TACACS+]) Note The numbers refer to Figure A-1 on page A-1 . For session request: 1. An administrator l ogs into a networ k dev ice. 2. The network de vice sends a T A CA CS+ access req ...
Cisco Systems OL-24201-01 - page 573

A-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix A AAA Protocols Typical Us e Cases – EAP protocols that in volv e a TLS handshake a nd in which the client uses the A CS server certificate to perform se rv er authentication: PEAP , using one of the follo wing inner methods: PEAP/EAP-MSCHAPv2 and PEAP/EAP-GTC EAP-F AS ...
Cisco Systems OL-24201-01 - page 574

A-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix A AAA Pro tocols Typical Use Case s – EAP-F AST/EAP-MSCHAPv2 – EAP-F AST/EAP-GTC • EAP methods that use certi ficates for bo th server and client authentication – EAP-TLS Whene ver EAP is in volved in the au thenticat ion process, it is p receded by an EAP ne go ...
Cisco Systems OL-24201-01 - page 575

A-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix A AAA Protocols Access Protocols—TACACS+ and RADIUS Access Protocols—TACACS+ and RADIUS This section contains the following topics: • Overvie w of T A CACS+, page A-5 • Overvie w of RADIUS, page A-6 A CS 5.3 can use the T A CA CS+ and RADIUS access prot ocols. Ta ...
Cisco Systems OL-24201-01 - page 576

A-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix A AAA Pro tocols Overview of RADIUS Overview of RADIUS This section contains the following topics: • RADIUS VSAs, page A-6 • A CS 5.3 as the AAA Server , page A-7 • RADIUS Attribute Support in A CS 5.3, page A-8 • RADIUS Access Req uests, page A-9 RADIUS is a cl ...
Cisco Systems OL-24201-01 - page 577

A-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix A AAA Protocols Overview of RADIUS ACS 5.3 as the AAA Server A AAA server is a server program that handles user requests for access to compu ter resources, and for an enterprise, provides AAA services. The AAA se rver typically interacts with network access and gate way ...
Cisco Systems OL-24201-01 - page 578

A-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix A AAA Pro tocols Overview of RADIUS RADIUS Attribute Support in ACS 5.3 A CS 5.3 supports the RADIUS protocol as RFC 2865 descri bes. A CS 5.3 supports the follo wing types of RADIUS at tributes: • IETF RADIUS attributes • Generic and Cisco VSAs • Other vend ors? ...
Cisco Systems OL-24201-01 - page 579

A-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix A AAA Protocols Overview of RADIUS Authentication A CS supports various aut hentication protocols transpo rted ov er RADIUS. The support ed protocols that do not includ e EAP are: • PA P • CHAP • MSCHAPv1 • MSCHAPv2 In addition, v arious EAP-based protocols can b ...
Cisco Systems OL-24201-01 - page 580

A-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix A AAA Pro tocols Overview of RADIUS In RADIUS, authentication and authorization are coupl ed. If the RADIUS serv er finds the username and the password is correct, the RADIUS server retu rns an access-accept respon se, including a list of attrib ute-v alue pairs that d ...
Cisco Systems OL-24201-01 - page 581

B-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 APPENDIX B Authentication in ACS 5.3 Authentication v erif ies user information to conf irm the user's identity . T raditional authentication uses a name and a f ixed passw ord. More secure methods use cry ptographic techniques, such as those used inside the Challeng e Authe ...
Cisco Systems OL-24201-01 - page 582

B-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 PAP This appendix describes the fo llowi ng: • RADIUS-based authen tica tion that d oes not inclu de EAP: – PA P, p a g e B - 2 – CHAP , page B-31 – MSCHAPv1 – EAP-MSCHAPv2, page B-3 0 • EAP family of protocol s transported over R ...
Cisco Systems OL-24201-01 - page 583

B-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP RADIUS PAP Authentication Y ou can use dif ferent le vels of secur ity concurrently wi th A CS for dif ferent requirements. P AP applies a two-w ay handshaking procedure. If auth entication succeeds, A CS returns an ackno wledgement; other ...
Cisco Systems OL-24201-01 - page 584

B-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP In A CS 5.3, EAP is encapsulated in the RADIUS protocol. Incoming and outgoing EAP messages are stored in a RADIUS EAP-Message attribute (79). A single RADIUS packet can contain multiple EAP-Message attributes when the size of a partic ul ...
Cisco Systems OL-24201-01 - page 585

B-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-MD5 A CS supports full EAP infrastructure, including EAP typ e negotiation, message sequencing and message retransmission. All prot ocols support fragmentation of big messages. In A CS 5.3, you configure EAP method s for authentication as ...
Cisco Systems OL-24201-01 - page 586

B-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-TLS Overview of EAP-TLS EAP-TLS is one of th e methods in the EAP authenti cation frame work, and i s based on the 802.1x and EAP architecture. Componen ts in v olved in the 80 2.1x and EAP authentication p rocess are the: • Host—The ...
Cisco Systems OL-24201-01 - page 587

B-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-TLS • Using a third- party signature, usually fr om a CA, th at verif ies the informatio n in a certif icate. This third-party binding is similar to the real-world eq ui valent of t he stamp on a passport. Y ou trust the passport be caus ...
Cisco Systems OL-24201-01 - page 588

B-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-TLS An anony mous Dif fie-Hel lman tunnel relates to the establi shment of a completely anon ymous tunnel between a client and a serv er for cases where none of the peers authenticates itself. A CS runtime supports anon ymous Dif fie-Hell ...
Cisco Systems OL-24201-01 - page 589

B-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-TLS Fixed Management Certificates A CS generates and use s self-signe d certificates to identi fy various management protocols such as the W eb bro wser , HTTPS, Activ eMQ SSH, and SFTP . Self-signed certif icates are generated when ACS is ...
Cisco Systems OL-24201-01 - page 590

B-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-TLS Importing the ACS Se rver Certificate When you manually import and A CS server cer tificate yo u must supply the certif icate file, the pri v ate key file, and the pri vate ke y password used to decr ypt the PKCS#12 pri vate ke y . T ...
Cisco Systems OL-24201-01 - page 591

B-11 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-TLS There are two types of cert ificate generation: • Self signing certif icate generation — A CS supp orts generation of an X.5 09 certifi cate and a PKCS#12 priv ate key . The passphrase used to encr ypt the pri v ate ke y in the PK ...
Cisco Systems OL-24201-01 - page 592

B-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-TLS Credentials Distribution All certifi cates are kept in the A CS database which is distributed and shared between all A CS nodes. The A CS server certif icates are associated and designat ed for a specific node, which uses that specif ...
Cisco Systems OL-24201-01 - page 593

B-13 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-TLS Private Keys and Passwords Backup The entire A CS database is distributed and backed-up on the primary A CS along with all the certif icates, priv ate-keys and the encrypted pri v ate-key-passwor d s. The pri vate-k ey-passw ord-ke y ...
Cisco Systems OL-24201-01 - page 594

B-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 PEAPv0/1 Note All communication between t he host and A CS goes through the network de vice. EAP-TLS authenticatio n fails if th e: • Server f ails to verify the client’ s certif icate, and rejects EAP-TLS authentication. • Client fail ...
Cisco Systems OL-24201-01 - page 595

B-15 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 PEAPv0/1 Overview of PEAP PEAP is a client-server security architecture that yo u use to encrypt EAP transactions, thereby protecting the contents of EAP authenticatio ns. PEAP uses server -side public ke y certificat es to authenticate the s ...
Cisco Systems OL-24201-01 - page 596

B-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 PEAPv0/1 Server Authenticated and Unau thenticated Tunnel Establishmen t Modes T unnel esta blishment helps prev ent an attacker from in jecting pac kets betw een the client and the network access serv er (N AS) or , to allo w ne gotiatio n ...
Cisco Systems OL-24201-01 - page 597

B-17 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 PEAPv0/1 PEAP Flow in ACS 5.3 The PEAP protocol allo ws authentication between A CS and the peer by usin g the PKI-based secure tunnel establishment and the EAP-MSCHAPv2 pro tocol as the inner method i nside the tunnel. The local certificate ...
Cisco Systems OL-24201-01 - page 598

B-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST Authenticating with MSCHAPv2 After the TLS tunnel is created, follow these steps to authenticate the wireles s client credentials with MSCHAPv2: At the end of this mutu al authentication e xchange, the wireless client has prov ided ...
Cisco Systems OL-24201-01 - page 599

B-19 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST EAP-F AST is a client-server security architecture that encrypts EA P transactions with a TLS tunn el. While similar to PEAP in this respect, it differs sign ifican tly in that EAP-F AST tunnel establishment is based on strong secret ...
Cisco Systems OL-24201-01 - page 600

B-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST EAP-F AST can protect t he username in all EAP-F AST transaction s. A CS does not perform user authentication based on a username that is presented in phase one, howe ver , whether the username is protected during phase one depends ...
Cisco Systems OL-24201-01 - page 601

B-21 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST • A CS-Supported Features for P A Cs, page B-24 • Master Key Generation and P A C TTLs, page B -26 • EAP-F AST for Allo w TLS Renegotiation, page B-26 About Master-Keys EAP-F AST master-ke ys are strong secrets that A CS automa ...
Cisco Systems OL-24201-01 - page 602

B-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST Provisioning Modes A CS supports out-of-band and in-band pro visioning modes. The in- band provision ing mode operates inside a TLS tunnel raised by Anonymou s DH or Authenticated DH or RSA algorithm for k ey agreement. T o minimize ...
Cisco Systems OL-24201-01 - page 603

B-23 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST The v arious means by which an end- user client can rece i ve P ACs are: • P A C pro visioning —Requi red when an end-user client has no P A C. For mor e information about ho w master-k ey and P AC states determine whet her P A C ...
Cisco Systems OL-24201-01 - page 604

B-24 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST T o cont rol whether A CS performs Automatic In-Band P A C Provision ing, use the options on the Global System Options pages in the Syst em Administration dra wer . For more information, see EAP-F AST , page B-18 . Manual PAC Provis ...
Cisco Systems OL-24201-01 - page 605

B-25 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST The proacti ve P A C update time is conf igured for the A CS server in the Allo wed Protocols Page. Thi s mechanism allows the client to be alw ays updated with a valid P A C. Note There is no proacti ve P A C update for Machine and ...
Cisco Systems OL-24201-01 - page 606

B-26 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST Master Key Generation and PAC TTLs The v alues for master ke y generation and P AC TTLs determine their states, as described in About Master-K eys, page B-21 and T ypes of P ACs, page B-22 . Master k ey and P AC states determine whe ...
Cisco Systems OL-24201-01 - page 607

B-27 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST T o enable A CS to perform EAP-F AST authentication: Step 1 Config ure an identity store that supp orts EAP-F AST authen tication. T o determine which i dentity stores support EAP-F AST authent ication, see Authentication Pro tocol a ...
Cisco Systems OL-24201-01 - page 608

B-28 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST This scheme impro ves the secu rity by reducing the amount of cry ptographic sensiti ve material that is transmitted. This section contains the following topics: • Ke y Distribution Algorith m, page B-28 • EAP-F AST P A C-Opaque ...
Cisco Systems OL-24201-01 - page 609

B-29 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP Authentication with RA DIUS Key Wrap PAC Migration from ACS 4.x Although the conf iguration can be migrated from 4.x, the P A Cs themselves, as being stored only in supplicants, m ay still be issued from versions a s far back as A CS 3.x. ...
Cisco Systems OL-24201-01 - page 610

B-30 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-MSCHAPv2 EAP-MSCHAPv2 Microsoft Challenge Handshak e Authentication Prot ocol (MSCHAP v2) provi des two-way authentica tion, also known as mutu al authentication. The remote access client re ceiv es verif ication that the remote access s ...
Cisco Systems OL-24201-01 - page 611

B-31 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 CHAP Windows Machine Authentication Against AD EAP-MSCHAPv2 can be used for ma chine auth entication. EAP-MSCHAPv2 W indows machine authentication is the same as u ser authentication. The dif ference is that you must use the Acti ve Directory ...
Cisco Systems OL-24201-01 - page 612

B-32 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 Certificate Attributes Certificate Attributes A CS parses the follo wing client certifi cate’ s attributes: • Certif icate serial-number (in binary format) • Encoded certificate (in binary DER format) • Subject’ s CN attribute • ...
Cisco Systems OL-24201-01 - page 613

B-33 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 Certificate Attributes Rules Relating to Textual Attributes A CS collects client certificate te xtual attributes and places them in the A CS context dictionary . A CS can apply any r ule based policy on these attr ibutes as with an y rule att ...
Cisco Systems OL-24201-01 - page 614

B-34 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 Machine Au thentication • For auto matic do wnloading, you def ine the amount of time before the CRL f ile expires, should A CS do wnload it. The CRL e xpiration time is tak en from the CRL ne xtUpdate fie l d . For both modes, if the do w ...
Cisco Systems OL-24201-01 - page 615

B-35 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 Authentication Protocol an d Identity Store Compatibility Note Microsoft PEAP clients may also ini tiate machine authen tication whene ver a user logs of f. This feature prepares the netwo rk connection for the ne xt user login. Mi crosoft PE ...
Cisco Systems OL-24201-01 - page 616

B-36 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 Authentication Protocol and Identity Store Compatibility Ta b l e B - 5 specifies EAP authenti cation protoc ol support. T able B-5 EAP A uthentication Pr otocol and User D atabase Compatibility Identity Store E AP-MD5 EAP-TLS 1 1. In EAP-TL ...
Cisco Systems OL-24201-01 - page 617

C-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 APPENDIX C Open Source License Acknowledgments See http://www .cisco.com/en/US/produ cts/ps9911 /produ cts_licensing_infor mation_listing.html for all the Open Source and Third Party Licenses used in Cisco Secure Access Control System, 5.3. Notices The follo wing notices pertain ...
Cisco Systems OL-24201-01 - page 618

C-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix C Op en Source License Ackn owledgments Notices 4. The names “OpenSSL T oolkit” and “OpenSSL Projec t” must no t be used to endorse or promote products deri ved from this softw are without prior written permi ssion. F or written permission, please contact openss ...
Cisco Systems OL-24201-01 - page 619

C-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix C Open Source License Acknowledgmen ts 4. If you include an y W indows specif ic code (or a deri vati ve ther eof) from the apps dir ectory (application code) you must include an ackno wle dgement: “Thi s product includes sof tware written by T im Hudson (tjh@cryptsoft ...
Cisco Systems OL-24201-01 - page 620

C-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix C Op en Source License Ackn owledgments ...
Cisco Systems OL-24201-01 - page 621

GL-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 GLOSSARY A AAA Authentication, autho rization, and accounting (AAA ) is a term for a frame work for intelligently controlling access to computer re sources, enforcing policies, auditin g usage, and providi ng the information necessary t o bill fo r services. These combined proce ...
Cisco Systems OL-24201-01 - page 622

Glossary GL-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 accounts The capability of A CS to record user sessions in a log f ile. ACS System Administrators Ad m i ni s t ra t or s w it h di ff e re n t access privile ges define d under the System Conf iguratio n section of the A CS web interface. The y administer and manage A ...
Cisco Systems OL-24201-01 - page 623

Glossar y GL-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 authenticity The v alidity and conformance of the or iginal information. authorization The approv al, permission, or empowermen t for someone or something to do so mething. authorization profile The basic "permissions container" for a RADIUS -based network ac ...
Cisco Systems OL-24201-01 - page 624

Glossary GL-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 certificate-based authentication The use of Secure Sockets Layer (SSL) and certifi cates to authenticate and encrypt HTTP traf fic. certificate Digital representation of user or de vice attrib utes, including a public k ey , that is sig ned with an authoritati ve pri v ...
Cisco Systems OL-24201-01 - page 625

Glossar y GL-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 configuration management The process of es tablishing a k nown baseline condition and managin g it. cookie Data exchanged between an HTTP server and a browser ( a client of the server) to store state information on the client side an d retrie ve it later for serv er us ...
Cisco Systems OL-24201-01 - page 626

Glossary GL-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 D daemon A program which is often started at the time the system boots and runs continuo usly without interventi on from any of the u sers on the system. The daemon program forwards the requ ests to other programs (or processes) as appropri ate. The term da emon is a U ...
Cisco Systems OL-24201-01 - page 627

Glossar y GL-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 digital envelope An en crypted message with the encr ypted session key . digital sign ature A hash of a message that uniquely identifies the se nder of the messag e and prov es the message hasn't changed since transmission. DSA digital signature algorithm. An asym ...
Cisco Systems OL-24201-01 - page 628

Glossary GL-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 dumpsec A security tool that du mps a variet y of informati on about a system's users, file system, re gistry , permissions, password policy , and services. DLL Dynamic Link Library . A collection of small programs , an y of which can be called when needed by a la ...
Cisco Systems OL-24201-01 - page 629

Glossar y GL-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 EAP Extensible Authenticatio n Protocol. A protocol for wireless netw orks that expands on Au thentication methods used by the PPP (Point-to-Point Protocol), a protocol oft en used when connecting a computer to the Internet. EAP can support multiple auth entication mec ...
Cisco Systems OL-24201-01 - page 630

Glossary GL-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 G gateway A network point that acts as an entrance to another netw ork. global system options Configuring T ACA CS+, EAP-TTLS, PEAP , and EAP- F AST runtime character istics and generating EAP-F AST P A C. H hash func tions Used to generate a one way "check sum&q ...
Cisco Systems OL-24201-01 - page 631

Glossar y GL-11 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 I I18N Intern ationaliza tion and loca liza tion are means of adapting softwa re for non-nati ve en vironments, especially other nations and culture s. Internationalizati on is the adaptation of products fo r potential use virtually ev erywhere, while localization is ...
Cisco Systems OL-24201-01 - page 632

Glossary GL-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 ISO International Or ganization for Stand ardization, a volun tary , non-treaty , non-go vernmen t organizat ion, established in 1947 , with vo ting members that ar e de signated standards bodies of participatin g nations and non-v oting observ er org anizations. ISP ...
Cisco Systems OL-24201-01 - page 633

Glossar y GL-13 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 M MAC Address A physical address; a numeric v alue that uniquely identif ies that netw ork de vice from e very ot her de vice on the planet. matchingRul e (LDAP) The method by which an attrib ute is compared in a search operation. A matchingRule i s an ASN.1 defini ti ...
Cisco Systems OL-24201-01 - page 634

Glossary GL-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 PI (Programm atic Interface) The A CS PI is a programmatic interf ace that provides e xternal applic ations the ability to communicate with A CS to configure and operate A CS; this includes performing the follo wing operations on A CS objects: create, update, delete a ...
Cisco Systems OL-24201-01 - page 635

Glossar y GL-15 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 R RDN (LDAP) Th e Relative Distinguished Name (fre quently but incorrectly written as Relati vely Distinguished Name). The name gi ven to an attri bute(s) that is unique at its le vel in the hierarch y . RDNs may be single v alued or multi-v alued in which case two or ...
Cisco Systems OL-24201-01 - page 636

Glossary GL-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Schema (LDAP) A package of attr ibut es and object classes that a r e sometimes (nominally) related. The sch ema(s) in which the object classes and attributes that the applic ation will u se (ref erence) are packaged are identif ied to the LD AP server so that it can ...
Cisco Systems OL-24201-01 - page 637

Glossar y GL-17 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 SOAP (Simple Object Access Protocol) A lightweight XML-based pr otocol for ex change of information in a decentrali zed, distrib uted en vironment. SOAP consists of three parts: an env elope tha t defines a framework for describing what is in a message and ho w to pro ...
Cisco Systems OL-24201-01 - page 638

Glossary GL-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 U UDP User Datagram Protocol. A communicati ons protocol that of fers a limited amount of service when messages are exchanged between computers in a ne twork that uses the Internet Protocol (IP) URL Uniform Resource Locator . The un ique address for a file that is acc ...
Cisco Systems OL-24201-01 - page 639

Glossar y GL-19 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 X X.509 A standard for pub lic ke y infrastructure. X.509 spec if ies, amongst other things, standard formats for public ke y certif icates and a certificatio n path v alidation algorith m. XML (eXtensi ble Markup Language) XML is a flexib le way to create common info ...
Cisco Systems OL-24201-01 - page 640

Glossary GL-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 ...
Cisco Systems OL-24201-01 - page 641

IN-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 INDEX Symbols ! formatting symbol 13-33 % operator 13-60 & formatting symbol 13-33 & operator 13-60 * operator 13-60 + operat or 13-60 / operator 13-60 <= operator 13-60 <> operator 13-60 < formatting symbol 13-33 < operat or 13-60 = operat or 13-60 >= ...
Cisco Systems OL-24201-01 - page 642

Index IN-2 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Arrange Columns dialog 13-42 ascending sort order 13-47 AVERAGE function 13-53 Average function 13-63 averages 13-53, 13-57, 13-59, 13-63 B background colors 13-39 Between condition 13-68, 13-73 BETWEEN function 13-53 Between operator 13-38 blank characters 13-59 Boolean ...
Cisco Systems OL-24201-01 - page 643

Index IN-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 formatting data and 13-36 context menus 13-21 conversions 13-33 COUNT_DISTINCT func tion 13-54 COUNT function 13-54 Count function 13-63 Count Value function 13-63 creating aggregate rows 13-64, 13-65 calculated columns 13-51, 13-60 data filter s 13-68, 13-70, 13-71, 13-72 ...
Cisco Systems OL-24201-01 - page 644

Index IN-4 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 downloads 18-40 duplicate values 13-66, 13-67 E EAP-FAST enabling B-26 identity protection B-20 logging B-19 master keys definition B-21 PAC automatic provisio ning B-23 definition B-21 manual provisi oning B-24 refresh B-26 phases B-19 EAP-FAST settings configuring 18-3 ...
Cisco Systems OL-24201-01 - page 645

Index IN-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 G General Date format op tion 13-30 General N umber fo rmat opti on 13-30 Go to page pick li st 13-23 Greater Than conditi on 13-69 greater than operator 13-60 Greater Than or Eq ual to condition 13-69 greater than or equal to operator 13-60 Group Detail dial og 13-50 grou ...
Cisco Systems OL-24201-01 - page 646

Index IN-6 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 locales creating charts and 13-77 customizing formats for 13-30, 13-31, 13-35 locating text valu es 13-54, 13-58 logical operators 13-60 Long Date fo rmat option 13-30 Long Time format option 13-30 lowercase characters 13-56 Lowercase format option 13-31 LOWER function 13 ...
Cisco Systems OL-24201-01 - page 647

Index IN-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 numeric data types 13-30 numeric expression s 13-60, 13-61 numeric values 13-24, 13-32 O opening exported data files 13-25 Interactive Viewer 13-21 operators 13-38, 13-60 OR operator 13-60, 13-74 P PAC automatic provisio ning B-23 definition B-21 manual provisi oning B-24 ...
Cisco Systems OL-24201-01 - page 648

Index IN-8 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 report viewers 13-21 resizing columns 13-25, 13-28 RIGHT function 13-58 ROUNDDOWN func tion 13-58 ROUND function 13-58 rounding 13-53, 13-58 ROUNDUP func tion 13-58 row-by-row comparisons 13-54 rows 13-66, 13-67 RUNNINGSUM function 13-58 running total s 13-58 S Save As di ...
Cisco Systems OL-24201-01 - page 649

Index IN-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 time data types 13-30 time formats 13-30, 13-34 timesaver, descript ion of ii-xxiv time stamps 13-57, 13-58 time values 13-34, 13-50 TODAY function 13-58 Top N condition 13-69 Top Percent condition 13-69 totals 13-37, 13-58, 13-63 trailing characters 13-59 TRIM function 13 ...
Cisco Systems OL-24201-01 - page 650

Index IN-10 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 X x-axis values 13-75 Y y-axis values 13-75 YEAR function 13-59 ...

Manufacturer Cisco Systems Category Camera Accessories

Documents that we receive from a manufacturer of a Cisco Systems OL-24201-01 can be divided into several groups. They are, among others:
- Cisco Systems technical drawings
- OL-24201-01 manuals
- Cisco Systems product data sheets
- information booklets
- or energy labels Cisco Systems OL-24201-01
All of them are important, but the most important information from the point of view of use of the device are in the user manual Cisco Systems OL-24201-01.

A group of documents referred to as user manuals is also divided into more specific types, such as: Installation manuals Cisco Systems OL-24201-01, service manual, brief instructions and user manuals Cisco Systems OL-24201-01. Depending on your needs, you should look for the document you need. In our website you can view the most popular manual of the product Cisco Systems OL-24201-01.

Similar manuals

A complete manual for the device Cisco Systems OL-24201-01, how should it look like?
A manual, also referred to as a user manual, or simply "instructions" is a technical document designed to assist in the use Cisco Systems OL-24201-01 by users. Manuals are usually written by a technical writer, but in a language understandable to all users of Cisco Systems OL-24201-01.

A complete Cisco Systems manual, should contain several basic components. Some of them are less important, such as: cover / title page or copyright page. However, the remaining part should provide us with information that is important from the point of view of the user.

1. Preface and tips on how to use the manual Cisco Systems OL-24201-01 - At the beginning of each manual we should find clues about how to use the guidelines. It should include information about the location of the Contents of the Cisco Systems OL-24201-01, FAQ or common problems, i.e. places that are most often searched by users in each manual
2. Contents - index of all tips concerning the Cisco Systems OL-24201-01, that we can find in the current document
3. Tips how to use the basic functions of the device Cisco Systems OL-24201-01 - which should help us in our first steps of using Cisco Systems OL-24201-01
4. Troubleshooting - systematic sequence of activities that will help us diagnose and subsequently solve the most important problems with Cisco Systems OL-24201-01
5. FAQ - Frequently Asked Questions
6. Contact detailsInformation about where to look for contact to the manufacturer/service of Cisco Systems OL-24201-01 in a specific country, if it was not possible to solve the problem on our own.

Do you have a question concerning Cisco Systems OL-24201-01?

Use the form below

If you did not solve your problem by using a manual Cisco Systems OL-24201-01, ask a question using the form below. If a user had a similar problem with Cisco Systems OL-24201-01 it is likely that he will want to share the way to solve it.

Manual Cisco Systems OL-24201-01

Summary

Cisco Systems OL-24201-01 - page 1

Cisco Systems OL-24201-01 - page 2

Cisco Systems OL-24201-01 - page 3

Cisco Systems OL-24201-01 - page 4

Cisco Systems OL-24201-01 - page 5

Cisco Systems OL-24201-01 - page 6

Cisco Systems OL-24201-01 - page 7

Cisco Systems OL-24201-01 - page 8

Cisco Systems OL-24201-01 - page 9

Cisco Systems OL-24201-01 - page 10

Cisco Systems OL-24201-01 - page 11

Cisco Systems OL-24201-01 - page 12

Cisco Systems OL-24201-01 - page 13

Cisco Systems OL-24201-01 - page 14

Cisco Systems OL-24201-01 - page 15

Cisco Systems OL-24201-01 - page 16

Cisco Systems OL-24201-01 - page 17

Cisco Systems OL-24201-01 - page 18

Cisco Systems OL-24201-01 - page 19

Cisco Systems OL-24201-01 - page 20

Cisco Systems OL-24201-01 - page 21

Cisco Systems OL-24201-01 - page 22

Cisco Systems OL-24201-01 - page 23

Cisco Systems OL-24201-01 - page 24

Cisco Systems OL-24201-01 - page 25

Cisco Systems OL-24201-01 - page 26

Cisco Systems OL-24201-01 - page 27

Cisco Systems OL-24201-01 - page 28

Cisco Systems OL-24201-01 - page 29

Cisco Systems OL-24201-01 - page 30

Cisco Systems OL-24201-01 - page 31

Cisco Systems OL-24201-01 - page 32

Cisco Systems OL-24201-01 - page 33

Cisco Systems OL-24201-01 - page 34

Cisco Systems OL-24201-01 - page 35

Cisco Systems OL-24201-01 - page 36

Cisco Systems OL-24201-01 - page 37

Cisco Systems OL-24201-01 - page 38

Cisco Systems OL-24201-01 - page 39

Cisco Systems OL-24201-01 - page 40

Cisco Systems OL-24201-01 - page 41

Cisco Systems OL-24201-01 - page 42

Cisco Systems OL-24201-01 - page 43

Cisco Systems OL-24201-01 - page 44

Cisco Systems OL-24201-01 - page 45

Cisco Systems OL-24201-01 - page 46

Cisco Systems OL-24201-01 - page 47

Cisco Systems OL-24201-01 - page 48

Cisco Systems OL-24201-01 - page 49

Cisco Systems OL-24201-01 - page 50

Cisco Systems OL-24201-01 - page 51

Cisco Systems OL-24201-01 - page 52

Cisco Systems OL-24201-01 - page 53

Cisco Systems OL-24201-01 - page 54

Cisco Systems OL-24201-01 - page 55

Cisco Systems OL-24201-01 - page 56

Cisco Systems OL-24201-01 - page 57

Cisco Systems OL-24201-01 - page 58

Cisco Systems OL-24201-01 - page 59

Cisco Systems OL-24201-01 - page 60

Cisco Systems OL-24201-01 - page 61

Cisco Systems OL-24201-01 - page 62

Cisco Systems OL-24201-01 - page 63

Cisco Systems OL-24201-01 - page 64

Cisco Systems OL-24201-01 - page 65

Cisco Systems OL-24201-01 - page 66

Cisco Systems OL-24201-01 - page 67

Cisco Systems OL-24201-01 - page 68

Cisco Systems OL-24201-01 - page 69

Cisco Systems OL-24201-01 - page 70

Cisco Systems OL-24201-01 - page 71

Cisco Systems OL-24201-01 - page 72

Cisco Systems OL-24201-01 - page 73

Cisco Systems OL-24201-01 - page 74

Cisco Systems OL-24201-01 - page 75

Cisco Systems OL-24201-01 - page 76

Cisco Systems OL-24201-01 - page 77

Cisco Systems OL-24201-01 - page 78