Manual Cisco Systems CSACS3415K9

678 pages 9.08 mb

Summary
  • Cisco Systems CSACS3415K9 - page 1

    Americas Hea dquarters Cisc o Syst ems , Inc . 170 West Ta sman Driv e San Jos e, CA 95 134-1706 USA http://www.ci sco.com Tel: 408 526-4000 800 553- NETS (638 7) Fax: 408 527-0883 User Guide f or Cisco S ecure Access Contr ol S ystem 5.4 No vember 20 1 3 Text Pa rt Numbe r: OL -26225-0 1 ...

  • Cisco Systems CSACS3415K9 - page 2

    THE SPECIFICATIONS AND INFORMATION REGARDING TH E PRODUCTS IN THIS MANUAL ARE SUBJE CT TO CHANGE WITHOUT NO TICE. ALL STATEMENT S, INFORMATI O N, AND RECOMME NDATIONS IN T HIS MANUAL ARE BELI EVED TO BE A CCURATE BUT ARE P RESENTED W ITHOUT WARRANTY OF ANY KIND, EXPRE SS OR IMPLIED. USERS MUST TA KE FULL RESPONSIBILITY FOR THEIR AP PLICATION OF ANY ...

  • Cisco Systems CSACS3415K9 - page 3

    iii User Guide f or Cisco Se cure Access C ontrol System 5.4 OL-26225-01 CONTENTS Preface xx iii Audienc e xxiii Document Conventions xxiii Document ation Update s xxiv Relat ed D ocum ent atio n xxiv Obtain ing Documentat ion and Sub m itti ng a Serv ice Reque st xxv CHAPTER 1 Introdu cing ACS 5.4 1-1 Overvi ew of ACS 1-1 ACS Di stri bute d De plo ...

  • Cisco Systems CSACS3415K9 - page 4

    Cont ents iv User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Polic y Terminol ogy 3-3 Simp le P olici es 3-4 Rule- Based Po licies 3-4 Types of Poli cies 3-5 Acce ss Se rvic es 3-6 Ident ity P olicy 3-9 Group Map pin g Poli cy 3-11 Authori zation Poli cy for Devi ce Administrat i on 3-11 Proce ssing Rules with Multip le Co mman ...

  • Cisco Systems CSACS3415K9 - page 5

    Content s v User Guide f or Cisco Se cure Access C ontrol System 5.4 OL-26225-01 Agentl ess Netwo rk Access 4-12 Overvi ew of Agentl ess Network Access 4-12 Host L ookup 4-1 3 Authe nti cati on wi th C all Ch eck 4-14 Proces s Service-Type Ca ll Check 4-15 PAP/E AP-MD5 Authen tication 4-15 Agentl ess Ne twork Ac cess Flow 4-16 Adding a Hos t to an ...

  • Cisco Systems CSACS3415K9 - page 6

    Cont ents vi User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 My A ccoun t Pa ge 5-2 Login Ba nner 5-3 Usin g the Web In terface 5-3 Acce ssin g the We b Interf ace 5-4 Logg ing In 5-4 Loggin g Out 5-5 Underst anding the Web Int erface 5-5 Web In terf ace Des ign 5-6 Navigat ion Pane 5-7 Content Area 5-8 Impo rting and Export in ...

  • Cisco Systems CSACS3415K9 - page 7

    Content s vii User Guide f or Cisco Se cure Access C ontrol System 5.4 OL-26225-01 Viewing and Perfor ming Bulk Operati ons fo r Network Dev ices 7-6 Export ing Network Device s and AAA Clients 7-7 Perfor ming Bulk Operati ons fo r Network Res ources and Users 7-8 Export ing Network Res ources and Users 7-10 Creati ng, Duplicati ng, and Edi ting Ne ...

  • Cisco Systems CSACS3415K9 - page 8

    Cont ents viii User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Viewing and Perf orming Bul k Opera tions fo r Intern al Identity St ore Hosts 8-18 Mana geme nt H ier arch y 8-19 Attri butes o f Management Hi erarchy 8-19 Config uring AAA Devices fo r Management Hierar chy 8-19 Config uring Users or Host s for Management Hie r a ...

  • Cisco Systems CSACS3415K9 - page 9

    Content s ix User Guide f or Cisco Se cure Access C ontrol System 5.4 OL-26225-01 Config uring an AD Identi ty Store 8-49 Select ing an AD Group 8-53 Config uring AD Attribu tes 8-54 Config uring Machine Access Re strict ions 8-56 RSA Secu rID Server 8-57 Config uring RSA SecurID Ag ents 8-58 Creati ng and Editing RSA Se curID Token Serve rs 8-59 R ...

  • Cisco Systems CSACS3415K9 - page 10

    Cont ents x User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Managing Author izatio ns and Permiss ions 9-17 Creati ng, Duplicati ng, and Edi ting Authori zation Pr ofile s for Network Acce ss 9-18 Spec ifyin g Aut hor izatio n Pr ofile s 9-19 Specif ying Common Attrib utes in Aut horization Prof iles 9-19 Spec ifyin g RADI US A ...

  • Cisco Systems CSACS3415K9 - page 11

    Content s xi User Guide f or Cisco Se cure Access C ontrol System 5.4 OL-26225-01 Config uring a Group Mapp ing Po licy 10-27 Config uring Group Mapp ing Po licy Rul e Propertie s 10-29 Confi guri ng a Sess ion Auth oriz atio n Poli cy f or N etwo rk A cces s 10-30 Config uring Network Access Au thoriz ation Rule Prope rties 10-32 Confi guri ng De ...

  • Cisco Systems CSACS3415K9 - page 12

    Cont ents xii User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Adding Ta bs to the Dashboard 11-6 Adding App l icati ons to Tabs 11-7 Renaming Tabs in t he Dashboard 11- 7 Changin g the Dashboar d Layout 11-8 Deleti ng Tabs f rom t he Dash board 11 -8 CHAPTER 12 Managing A larms 12-1 Underst anding Al arms 12-1 Evalua ting Alarm ...

  • Cisco Systems CSACS3415K9 - page 13

    Content s xiii User Guide f or Cisco Se cure Access C ontrol System 5.4 OL-26225-01 CHAPTER 13 Managin g Reports 13-1 Work ing wit h Favo rite Report s 13-3 Adding Re ports to Your Favo rites Page 13-3 View ing Fa vorite -Re por t Param eters 13-4 Editi ng Favorite Reports 13-5 Runn ing F avori te R epo rts 13-5 Deleti ng Reports from Fav orites 13 ...

  • Cisco Systems CSACS3415K9 - page 14

    Cont ents xiv User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Formatt ing String Data 13-33 Form attin g C ustom St ring Data 13-33 Formatt ing Date an d Time 13-35 Form attin g Cust om D ate an d Time 13 -35 Form attin g B ool ean D ata 13 -36 Applyi ng Condit i onal For mats 13-37 Settin g C ondit iona l Form att ing for Co l ...

  • Cisco Systems CSACS3415K9 - page 15

    Content s xv User Guide f or Cisco Se cure Access C ontrol System 5.4 OL-26225-01 Hiding or Di splaying Det ail Ro ws in Groups or Section s 13-68 Work ing wit h Filte rs 13-69 Type s of Filt er Condit ions 13-70 Settin g Filt er V alues 13-71 Creati ng Filters 13-72 Modify ing or Cle arin g a F ilter 13-7 3 Creati ng a Filt er with Mult iple Cond ...

  • Cisco Systems CSACS3415K9 - page 16

    Cont ents xvi User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 View ing Sc hedu led Jo bs 15-12 Viewing Proces s Status 15-14 Viewing Data Upgr ade Sta tus 15-15 Viewing Fail ure Reasons 15-15 Editin g Fa ilur e R eason s 15-15 Specif ying E-Mail Sett ings 15-16 Config uring SNMP Prefere nces 15-1 6 Underst anding Collec tion Fi ...

  • Cisco Systems CSACS3415K9 - page 17

    Content s xvii User Guide f or Cisco Se cure Access C ontrol System 5.4 OL-26225-01 Config uring Ident ity Pol icy Rule Pr operties 16-1 8 Adminis trator Auth orizat ion Policy 16-19 Config uring Administ rator Authori zation Po licies 16-19 Config uring Administ rator Authori z ation Ru le Properties 16-20 Adminis t rator Login Process 16-21 Rese ...

  • Cisco Systems CSACS3415K9 - page 18

    Cont ents xviii User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Creati ng, Duplicati ng, Editing, and Del eting Sof tware Reposit ories 17-2 4 Managing Softwar e Reposit ories fr om the Web Interf ace and C LI 17-2 5 CHAPTER 18 Managing System Administ ration Conf igurations 18-1 Config uring Global Sys tem Options 18-1 Config ...

  • Cisco Systems CSACS3415K9 - page 19

    Content s xix User Guide f or Cisco Se cure Access C ontrol System 5.4 OL-26225-01 Config uring Global Lo gging Categor ies 18-2 5 Config uring Per-Ins tance Loggi ng Categ ories 18-29 Config uring Per-I nstance Securi ty and Log Settin gs 18-30 Config uring Per-Ins tance Remote Sys log Targets 18-31 Displa ying Logging Cat egories 18-32 Config uri ...

  • Cisco Systems CSACS3415K9 - page 20

    Cont ents xx User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Sessio n Access Request s (Device Adminis trati on [TACACS+] ) A-2 Command Au thorizatio n Requests A-2 Netw ork Acc ess ( RAD IUS Wit h an d W ith out EAP) A-2 RADIUS -Based F low Without EAP Auth entication A-3 RADIUS -Based Fl ows with EAP Authenti cation A-3 Acce ...

  • Cisco Systems CSACS3415K9 - page 21

    Content s xxi User Guide f or Cisco Se cure Access C ontrol System 5.4 OL-26225-01 Privat e Keys an d Passwords Backup B-13 EAP-T LS Flow in A CS 5 .4 B-13 PEAP v0/1 B- 14 Overvi ew of PEAP B-15 Support ed PEAP Fe atures B-15 PEAP Flow in ACS 5. 4 B-17 Creati ng the TLS Tunnel B-18 Authe nti cati ng wi th MS CH APv2 B-19 EAP-F AS T B-19 Overvi ew o ...

  • Cisco Systems CSACS3415K9 - page 22

    Cont ents xxii User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Authent ication Pr otocol an d Identity Stor e Compatibil ity B-36 APPENDI X C Open Source Li cense Ackno wledgements C-1 Notice s C- 1 OpenSSL/ Open SSL Pr oject C-1 Licens e Issues C-1 C-3 G LOS SARY I NDEX ...

  • Cisco Systems CSACS3415K9 - page 23

    xxiii User Guide f or Cisco Se cure Access C ontrol System 5.4 OL-26225-01 Preface Revised: November 13, 2013 This gu ide de scribes h ow to use C isco Secur e Acce ss Contro l Syste m (ACS) 5.4. Audience This guid e is for secu rity adm inistra tors who use ACS, and who set up and ma intain ne twork and application security . Document Co nventions ...

  • Cisco Systems CSACS3415K9 - page 24

    xxiv User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Preface Cautio n Means re a d e r b e c a re f u l . Y ou are cap able of doing something tha t might result in equipment dam age or loss of data. T imesaver Means t he d escri bed act ion saves tim e . Y ou can s ave time b y perform ing the actio n describ ed in the paragr ...

  • Cisco Systems CSACS3415K9 - page 25

    xxv User Guide f or Cisco Se cure Access C ontrol System 5.4 OL-26225-01 Pre face Obtaining Do cumentation and Submitting a Service Reque st For informat ion on obtai ning docu menta tion, sub mittin g a service re quest, an d gathering additiona l inform ati on, see th e month ly What’ s New in Cisco Pr oduct Documenta tion , which also lists al ...

  • Cisco Systems CSACS3415K9 - page 26

    xxvi User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Preface ...

  • Cisco Systems CSACS3415K9 - page 27

    CH A P T E R 1-1 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 1 Introducing ACS 5.4 This section con tains the follo wing topics: • Overview of A CS, pa ge 1-1 • A CS Di stributed Deploymen t, page 1-2 • A CS Mana gement Inte rfac es, page 1-3 Overview of ACS A CS is a policy- b ased secur ity serve r that pro vides st ...

  • Cisco Systems CSACS3415K9 - page 28

    1-2 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 1 Introducing A CS 5.4 ACS Distrib uted Deploy ment A CS pr ovides advanced monito ring, repor ting, an d troubl eshooting t ools that hel p you admini ster an d manage your ACS deploymen ts. For more inform ation on t he mon itori ng, rep orting , an d troub leshooti ...

  • Cisco Systems CSACS3415K9 - page 29

    1-3 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 Introducing A CS 5.4 ACS Licensi ng Model A CS 4.x did not prov ide increm ental repli cation, only full replicatio n, and ther e was service d o wntime for replicati o n. A CS 5.4 provides incr emental replications with no service do wntime. Y ou c an also for ce a ...

  • Cisco Systems CSACS3415K9 - page 30

    1-4 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 1 Introducing A CS 5.4 ACS Managem ent Interf aces • A CS W eb-b ased In terfa ce, pa ge 1-4 • A CS Command Lin e Interf ace, page 1- 4 • A CS Prog ram mati c Inter faces, page 1-5 ACS Web-ba sed Inte rface Y o u can use the ACS w eb-ba sed interfac e to fully c ...

  • Cisco Systems CSACS3415K9 - page 31

    1-5 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 Introducing A CS 5.4 Hardware Models Supported by ACS • Conf iguration—Use th ese commands to perform additional conf iguration tasks for the appliance serv er in an A DE-OS en vironme nt. Note The CLI includes an option to reset the conf iguration that, when iss ...

  • Cisco Systems CSACS3415K9 - page 32

    1-6 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 1 Introducing A CS 5.4 Har dware Models Suppor ted by ACS ...

  • Cisco Systems CSACS3415K9 - page 33

    CH A P T E R 2-1 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 2 Migrating from ACS 4. x to ACS 5.4 A CS 4.x store s polic y and authenticatio n information , such as T A CAC S+ comman d sets, in the user and user gr o up recor d s. In A C S 5.4, polic y and authentica tion infor mation ar e inde pendent sha red comp onents t ...

  • Cisco Systems CSACS3415K9 - page 34

    2-2 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 2 Migrating fro m ACS 4.x to ACS 5.4 Overvi ew of the Migr ation Proce ss Overview of the Migration Pro cess The Migration uti lity completes the data migr ation process in two phases: • Analys is and Expor t • Import In the Analy sis an d Expo rt ph ase, you iden ...

  • Cisco Systems CSACS3415K9 - page 35

    2-3 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 2 Mig rating from ACS 4.x to ACS 5.4 Before You Begin Note Y o u must install the la test patch for the supported migratio n version s listed here. Also , if you ha ve any other version of A CS 4.x inst alled, you must upgrade to one of the suppor ted versions and i ns ...

  • Cisco Systems CSACS3415K9 - page 36

    2-4 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 2 Migrating fro m ACS 4.x to ACS 5.4 Migrating fr om ACS 4.x to ACS 5 .4 • User -Defi n ed Fields (from the Interf ace Conf igurati o n secti on) • User Groups • Shared Shell Com mand Author ization Sets • User T A C A CS+ Shell Ex ec Att ribut es (migrat ed to ...

  • Cisco Systems CSACS3415K9 - page 37

    2-5 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 2 Mig rating from ACS 4.x to ACS 5.4 Functionality Mapping from ACS 4.x to ACS 5.4 Functionality Mapping from ACS 4.x to ACS 5.4 In A CS 5.4, you define au thoriza tions, shell profiles, a ttributes, a nd othe r poli cy elem ents a s independe nt, r eusab le obj ects, ...

  • Cisco Systems CSACS3415K9 - page 38

    2-6 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 2 Migrating fro m ACS 4.x to ACS 5.4 Funct io nalit y Ma ppin g fro m AC S 4.x to AC S 5.4 Comm and sets (c ommand authorizatio n sets) One of the follo wing: • Shared P rofile Compon ents > Command Authori zation Set • User Se tup pa ge • Group Set up page Po ...

  • Cisco Systems CSACS3415K9 - page 39

    2-7 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 2 Mig rating from ACS 4.x to ACS 5.4 Common Sc enarios in Mig ration Common Scenarios in Migration The following a re some of th e co mmon scena rios t hat y ou en counte r wh ile mi grating to ACS 5.4: • Migr ati ng from A CS 4.2 on CSA CS 11 20 to A CS 5.4, pa ge 2 ...

  • Cisco Systems CSACS3415K9 - page 40

    2-8 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 2 Migrating fro m ACS 4.x to ACS 5.4 Common Scen arios in M igration Migr ating from AC S 3.x t o ACS 5.4 If you have A CS 3.x deployed in your environment , you cannot d irectl y migrate to A C S 5.4. Y ou mu st do the follo wing: Step 1 Upgrad e to a migrat ion-sup p ...

  • Cisco Systems CSACS3415K9 - page 41

    2-9 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 2 Mig rating from ACS 4.x to ACS 5.4 Common Sc enarios in Mig ration Step 3 Perform bu lk import of data into A CS 5.4. For more inform ation on p erformi ng bulk i mport o f A CS obje cts, se e http://www .cisco.com /en/US/docs/net_m gmt/cisco_secure _access_contro l_ ...

  • Cisco Systems CSACS3415K9 - page 42

    2-10 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 2 Migrating fro m ACS 4.x to ACS 5.4 Common Scen arios in M igration ...

  • Cisco Systems CSACS3415K9 - page 43

    CH A P T E R 3-1 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 3 ACS 5.x Policy Model A CS 5.x i s a poli cy-based ac cess contro l syst em. The ter m policy model in A CS 5.x re fers t o the presenta tion of p olicy elem ents, obje cts, an d rules to t he policy adm inistrato r . A CS 5 .x uses a rule-ba sed policy mode l in ...

  • Cisco Systems CSACS3415K9 - page 44

    3-2 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 3 ACS 5. x Policy Mode l Overview of the ACS 5.x Po licy Mode l For example, we u se t he inf ormat ion de scribe d for the group- based model : If identity-condition , r estriction-condition then authorization- pr o file In ACS 5.4, you define cond itions a nd resu lt ...

  • Cisco Systems CSACS3415K9 - page 45

    3-3 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 3 ACS 5.x Policy Model Overview o f the ACS 5.x Policy Model Poli cy Terminolo gy Ta b l e 3 - 2 descri bes the ru le-base d policy termin ology . T able 3-2 Rule-Based P olicy T er minology T erm Descript ion Access service Sequential set of polic ies used to process ...

  • Cisco Systems CSACS3415K9 - page 46

    3-4 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 3 ACS 5. x Policy Mode l Overview of the ACS 5.x Po licy Mode l Simple Policies Y o u can configure al l of your ACS policies as rule-base d polici es. Howe ver , in some cases, you can choose to configu re a sim ple po licy , whic h selec ts a sing le re sult to appl ...

  • Cisco Systems CSACS3415K9 - page 47

    3-5 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 3 ACS 5.x Policy Model Overview o f the ACS 5.x Policy Model Types of P olicie s Ta b l e 3 - 3 descri bes the type s of policies that you can configure in A CS. The policies ar e listed in the order of their e valuation; an y attribute s that a polic y retrie ves can ...

  • Cisco Systems CSACS3415K9 - page 48

    3-6 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 3 ACS 5. x Policy Mode l Access Se rvice s Access Services Access services are fundamental con structs i n AC S 5.x that al low yo u to con fig ure acce ss policies f or users and devices that connect to the network an d for network adm inistra tors who ad ministe r ne ...

  • Cisco Systems CSACS3415K9 - page 49

    3-7 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 3 ACS 5.x Policy Model Access Servi ces Ta b l e 3 - 5 desc ribes an example of a set o f access se rvices. Ta b l e 3 - 6 describes a service selection policy . If A CS 5.4 recei ves a T ACA C S+ acces s request, it app lies Access Service A, which authenticate s the ...

  • Cisco Systems CSACS3415K9 - page 50

    3-8 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 3 ACS 5. x Policy Mode l Access Se rvice s A CS accepts th e results o f the requ ests and re turns them to the N A S. Y ou must conf igure the e xternal RADIUS and T A CA CS+ serv ers in A CS for A CS to forw ard reque sts to them. Y ou can defi ne the timeo ut period ...

  • Cisco Systems CSACS3415K9 - page 51

    3-9 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 3 ACS 5.x Policy Model Access Servi ces A CS can simultaneously act as a proxy serv er to multiple e xternal RADIUS and T A CA CS+ serv ers. F or A CS to ac t as a proxy server, you must configure a RADIUS or T A CACS+ proxy serv ice in A C S. See Configuring Ge neral ...

  • Cisco Systems CSACS3415K9 - page 52

    3-10 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 3 ACS 5. x Policy Mode l Access Se rvice s • Identity Sequen ce—Sequ ences of the identity data bases. The seque nce is used for authen tication and, if specif ied, an additional sequen ce is used to retrie ve only attrib utes. Y ou can selec t multiple identity m ...

  • Cisco Systems CSACS3415K9 - page 53

    3-11 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 3 ACS 5.x Policy Model Access Servi ces Group Mapp ing Polic y The id entity group mapping policy i s a standa rd po licy . Condi tions ca n be ba sed on attr ibutes or group s retrie ved from the e xternal attrib ute stores only , or from certif icates, and the r e s ...

  • Cisco Systems CSACS3415K9 - page 54

    3-12 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 3 ACS 5. x Policy Mode l Service Select ion Policy Related Topics • Poli c y T erm inol ogy , p age 3-3 • Authori zation Profiles for N etwork A ccess, page 3-1 6 Exception Authorization Policy Ru les A commo n real -world pro blem i s that, i n day-t o-day operat ...

  • Cisco Systems CSACS3415K9 - page 55

    3-13 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 3 ACS 5.x Policy Model Service Selection Policy Rules-Base d Service Selection In the rules-based servic e selection mode, A CS decides which access servic e to use based on var ious configurab le opt ions. So me o f th em are : • AAA Proto col—The prot ocol used ...

  • Cisco Systems CSACS3415K9 - page 56

    3-14 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 3 ACS 5. x Policy Mode l Service Select ion Policy In this e xample, inst ead of cr eating the netwo rk acces s poli cy for 802.1 x, agentles s de vices, and gu est acces s in one access servic e, the polic y is divi ded into three acc ess serv ices. First-Match Rule ...

  • Cisco Systems CSACS3415K9 - page 57

    3-15 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 3 ACS 5.x Policy Model Service Selection Policy The default ru le specif ies the policy result that A CS uses when no other rules exist, or when the attrib ute values in the acces s request do not mat ch any rules. A CS ev aluates a set of rules in the first- m atch r ...

  • Cisco Systems CSACS3415K9 - page 58

    3-16 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 3 ACS 5. x Policy Mode l Authori zation Pro files for Ne twork Ac cess Policy Conditions Y o u can define simple conditio ns in rule tab les based on attributes in: • Customiza ble con ditio ns—Y ou can create c ustom c ondit ions ba sed on protoc ol dict ionar ie ...

  • Cisco Systems CSACS3415K9 - page 59

    3-17 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 3 ACS 5.x Policy Model Policies and Identity Attributes Y ou can def ine multiple au thorization prof iles as a network access p olic y result. I n this way , you mainta in a smalle r number of au thoriz ation profiles , because you can use the au thoriz ation p rofil ...

  • Cisco Systems CSACS3415K9 - page 60

    3-18 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 3 ACS 5. x Policy Mode l Policies and Network D evice Gr oups Related Topics • Managing Users and Identity S to res, pag e 8-1 • Poli c y T erm inol ogy , p age 3-3 • T ypes of Pol icies, page 3 -5 Policies and Netwo rk Device Groups Y o u can refe rence Net wor ...

  • Cisco Systems CSACS3415K9 - page 61

    3-19 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 3 ACS 5.x Policy Model Flows for Configuring Services and Policies Figure 3-2 illustrates what this policy rule table could look like . Figur e 3-2 Sample Rule -Based P olicy Each ro w in the polic y table rep resents a single rule. Each ru le, e xcept for the l ast D ...

  • Cisco Systems CSACS3415K9 - page 62

    3-20 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 3 ACS 5. x Policy Mode l Flows for Con figur ing Servic es and Polic ies • Added users to the inte r nal A CS identity store or add e xternal iden tity stores. See Creating Internal Users, pa ge 8-11 , Ma naging Iden tity A ttributes, page 8-7 , or Creating External ...

  • Cisco Systems CSACS3415K9 - page 63

    3-21 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 3 ACS 5.x Policy Model Flows for Configuring Services and Policies Related Topics • Poli c y T erm inol ogy , p age 3-3 • Policy Conditions, page 3-16 • Policy Results, page 3 -16 • Policies and Identi ty Attrib u tes, page 3-17 ...

  • Cisco Systems CSACS3415K9 - page 64

    3-22 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 3 ACS 5. x Policy Mode l Flows for Con figur ing Servic es and Polic ies ...

  • Cisco Systems CSACS3415K9 - page 65

    CH A P T E R 4-1 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 4 Common Scenarios Using ACS Network co ntrol refe rs to the pro cess of contro lling access to a networ k. T r aditio nally a user name and password was used to authe nticat e a user to a net work. Now a days with the rapid technolog ical advancemen ts, the t rad ...

  • Cisco Systems CSACS3415K9 - page 66

    4-2 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 4 Co mmon S cenarios Using ACS Overvi ew of Dev ice Ad ministr ation A CS organize s a sequenc e of independ ent policies into an access serv ice, which is used to proc ess an access reques t. Y ou can create multiple access servi ces to process dif ferent kinds of acc ...

  • Cisco Systems CSACS3415K9 - page 67

    4-3 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 4 Com mon Scena rios Using ACS Over view of D evi ce Ad min istr atio n If a c ommand is m atched to a comm and se t, the corre spondi ng perm it or deny set ting for the c omma nd is retrie ved. If multiple results are found in the rules that are matched, they are con ...

  • Cisco Systems CSACS3415K9 - page 68

    4-4 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 4 Co mmon S cenarios Using ACS Overvi ew of Dev ice Ad ministr ation Step 5 Conf igure an acce ss service p o lic y . See Acce ss Service Policy Creation, pa ge 10-4 . Step 6 Conf igure a service selec tion policy . See Serv ice Selection Pol icy Creation, page 10-4 . ...

  • Cisco Systems CSACS3415K9 - page 69

    4-5 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 4 Com mon Scena rios Using ACS Password-Based Network Access TACACS+ Cu stom Servic es an d Attributes This top ic describe s the conf iguration flo w to def ine T A CA CS+ cus tom attrib utes and s ervices. Step 1 Create a cu stom T ACA CS+ condi tion to move to T A C ...

  • Cisco Systems CSACS3415K9 - page 70

    4-6 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 4 Co mmon S cenarios Using ACS Password-B ased Netw ork Acces s Note During pas swor d-base d access (or certi ficate-b ased access), t he user is not o nly authen ticated but also authorized accordin g to the ACS conf iguration . And if NAS sends accounti ng requests ...

  • Cisco Systems CSACS3415K9 - page 71

    4-7 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 4 Com mon Scena rios Using ACS Password-Based Network Access Passwo rd-Based Network A ccess Configura tion Flow This t opic de scribe s the end-to- end flow for passwo rd-based network access and lists t he tasks tha t you must perform . The inform ation about ho w to ...

  • Cisco Systems CSACS3415K9 - page 72

    4-8 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 4 Co mmon S cenarios Using ACS Password-B ased Netw ork Acces s For RADIUS, non -EAP aut hentica tion met hods (RADI US/P AP , RADIUS/ CHAP , RADIUS/ MS-CHAP v1, RADIU S/MSCHAP v2), an d simple E AP met hods (E AP-MD5 an d LEAP ), you need to co nfigure only the protoc ...

  • Cisco Systems CSACS3415K9 - page 73

    4-9 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 4 Com mon Scena rios Using ACS Certificate-Based Network Access Related Topics • Authentic ation in A CS 5.4, page B-1 • Network Devices and AAA Clients, page 7-5 • Managin g Access Poli cies, page 10 -1 • Creatin g, Duplic ating, an d Editing A ccess Service s ...

  • Cisco Systems CSACS3415K9 - page 74

    4-10 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 4 Co mmon S cenarios Using ACS Certificate -Based Ne twork Ac cess Y o u can configure two types of cert ificates in A CS: • T rust certi fica te—Also kno wn as CA certif icate. Us ed to form CTL trus t hierar chy f or v erif ication of remote certif icates. • L ...

  • Cisco Systems CSACS3415K9 - page 75

    4-11 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 4 Com mon Scena rios Using ACS Certificate-Based Network Access Y ou can create custom con ditions to use the certif icate’ s attrib utes as a polic y condition. See Creating, Duplicat ing, a nd Edi ting a Custom Se ssion Co ndition, pag e 9-5 , for details. Step 5 ...

  • Cisco Systems CSACS3415K9 - page 76

    4-12 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 4 Co mmon S cenarios Using ACS Agentle ss Net work Acc ess A default L ocal Server Certificate is install ed on ACS so that you c an conne ct to ACS with your browser . The de fault ce rtificate is a se lf-sig ned cert ificate and cannot be m odified du ring instal la ...

  • Cisco Systems CSACS3415K9 - page 77

    4-13 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 4 Com mon Scena rios Using ACS Agentless Network Access The defau lt securit y policy say s that 802.1x au thenticatio n must succee d before access to the networ k is grante d. The refore , by default , non- 802.1x-c apab le devices ca nnot get ac cess to an 802 .1x- ...

  • Cisco Systems CSACS3415K9 - page 78

    4-14 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 4 Co mmon S cenarios Using ACS Agentle ss Net work Acc ess A CS supports host lo okup for the follo wing identity stores: • Intern al hosts • Exte rnal LDAP • Intern al users • Acti ve Directory Y ou can a ccess th e Act i ve Direct ory via the LD AP API. Y ou ...

  • Cisco Systems CSACS3415K9 - page 79

    4-15 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 4 Com mon Scena rios Using ACS Agentless Network Access • T wel ve consec utive hexadecima l di gits wi thout any separa tors —0123456 789AB If the C alling-Sta tion-ID attribute is one of the four suppor ted MAC address form ats above, A C S copies it to the User ...

  • Cisco Systems CSACS3415K9 - page 80

    4-16 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 4 Co mmon S cenarios Using ACS Agentle ss Net work Acc ess Agentless N etwork Acce ss Flow This topic describes the end -to-end flow for agentless netwo rk access and lists the tasks that you must perform. The inf ormation a bout ho w to conf igure the task s is locat ...

  • Cisco Systems CSACS3415K9 - page 81

    4-17 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 4 Com mon Scena rios Using ACS Agentless Network Access Step 7 Def ine the se r vice selec tion. Step 8 Add the ac cess service to you r service selectio n polic y . For more informatio n, see Creating, Dupli cating, and Editing Serv ice Selection Rule s, page 10-8 . ...

  • Cisco Systems CSACS3415K9 - page 82

    4-18 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 4 Co mmon S cenarios Using ACS Agentle ss Net work Acc ess Previ ous St ep: Network Devices and AAA Clients, page 7-5 Next Step : Conf iguring an Identity G r oup for Ho st Lookup Netwo rk Access Req uests, page 4-18 Related Topics • Creating External LD AP Identity ...

  • Cisco Systems CSACS3415K9 - page 83

    4-19 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 4 Com mon Scena rios Using ACS Agentless Network Access c. Select Ne twork Access , and chec k Identity an d A ut horizati on . The group ma pping an d Externa l Policy opti ons are optio nal. d. Make sure you select Process Host Loo kup. If you want A CS t o detect P ...

  • Cisco Systems CSACS3415K9 - page 84

    4-20 Chapter 4 Common Scenarios Using ACS, VPN Remote Network Access: Configuring an Authorization Policy for Host Lookup Requests To configure an authorization policy for Host Lookup requests: Step 1 Choose Access Policies > Access Services > <access_servicena ...

  • Cisco Systems CSACS3415K9 - page 85

    4-21 Chapter 4 Common Scenarios Using ACS, VPN Remote Network Access: Supported Authentication Protocols ACS 5.4 supports the following protocols for inner authentication inside the VPN tunnel: • RADIUS/PAP • RADIUS/CHAP • RADIUS/MS-CHAPv1 • RADIUS/MS-CHAPv2 W ...

  • Cisco Systems CSACS3415K9 - page 86

    4-22 Chapter 4 Common Scenarios Using ACS, VPN Remote Network Access: Supported VPN Network Access Servers ACS 5.4 supports the following VPN network access servers: • Cisco ASA 5500 Series • Cisco VPN 3000 Series Related Topics • VPN Remote Network Access, page ...

  • Cisco Systems CSACS3415K9 - page 87

    4-23 Chapter 4 Common Scenarios Using ACS, ACS and Cisco Security Group Access: Related Topics • VPN Remote Network Access, page 4-20 • Supported Authentication Protocols, page 4-21 • Supported Identity Stores, page 4-21 • Supported VPN Network Access Servers, pa ...

  • Cisco Systems CSACS3415K9 - page 88

    4-24 Chapter 4 Common Scenarios Using ACS, ACS and Cisco Security Group Access: 6. Configuring EAP-FAST Settings for Security Group Access. 7. Creating an Access Service for Security Group Access. 8. Creating an Endpoint Admission Control Policy. 9. Creating a ...

  • Cisco Systems CSACS3415K9 - page 89

    4-25 Chapter 4 Common Scenarios Using ACS, ACS and Cisco Security Group Access: Devices consider only the SGT value; the name and description of a security group are a management convenience and are not conveyed to the devices. Therefore, changing the name o ...

  • Cisco Systems CSACS3415K9 - page 90

    4-26 Chapter 4 Common Scenarios Using ACS, ACS and Cisco Security Group Access: To configure an NDAC policy for a device: Step 1 Choose Access Policies > Security Group Access Control > Security Group Access > Network Device Access > Authorization Policy. ...

  • Cisco Systems CSACS3415K9 - page 91

    4-27 Chapter 4 Common Scenarios Using ACS, ACS and Cisco Security Group Access: Step 7 Click Finish. Creating an Endpoint Admission Control Policy After you create a service, you configure the endpoint admission control policy. The endpoint admission control poli ...

  • Cisco Systems CSACS3415K9 - page 92

    4-28 Chapter 4 Common Scenarios Using ACS, ACS and Cisco Security Group Access: Initially, the matrix contains the cell for the unknown source and unknown destination SG. Unknown refers to the preconfigured SG, which is not modifiable. When you add an SG, ACS adds a ...

  • Cisco Systems CSACS3415K9 - page 93

    4-29 Chapter 4 Common Scenarios Using ACS, RADIUS and TACACS+ Proxy Requests: RADIUS and TACACS+ Proxy Requests You can use ACS to act as a proxy server that receives authentication RADIUS requests and authentication and authorization TACACS+ requests from a ne ...

  • Cisco Systems CSACS3415K9 - page 94

    4-30 Chapter 4 Common Scenarios Using ACS, RADIUS and TACACS+ Proxy Requests: • TAC_PLUS_AUTHOR • TAC_PLUS_AUTHEN 4. Receives the following packets from the remote TACACS+ server and returns them back to the NAS: This behavior is configurable. • TAC_PLU ...

  • Cisco Systems CSACS3415K9 - page 95

    4-31 Chapter 4 Common Scenarios Using ACS, RADIUS and TACACS+ Proxy Requests: • Supported RADIUS Attributes, page 4-31 • Configuring Proxy Service, page 4-32 Supported RADIUS Attributes The following supported RADIUS attributes are encrypted: • User-Passwor ...

  • Cisco Systems CSACS3415K9 - page 96

    4-32 Chapter 4 Common Scenarios Using ACS, RADIUS and TACACS+ Proxy Requests: Configuring Proxy Service To configure proxy services: Step 1 Configure a set of remote RADIUS and TACACS+ servers. For information on how to configure remote servers, see Creating, Duplic ...

  • Cisco Systems CSACS3415K9 - page 97

    5-1 Chapter 5 Understanding My Workspace: The Cisco Secure ACS web interface is designed to be viewed using Microsoft Internet Explorer versions 6.x to 9.x and Mozilla Firefox versions 3.x to 10.x. The web interface not only makes viewing and administering ...

  • Cisco Systems CSACS3415K9 - page 98

    5-2 Chapter 5 Understanding My Workspace, Task Guides: In ACS 5.4, you can also see a banner in the welcome page. You can customize this After Login banner text from the Login Banner page. Task Guides From the My Workspace drawer, you can access Tasks Guides. Wh ...

  • Cisco Systems CSACS3415K9 - page 99

    5-3 Chapter 5 Understanding My Workspace, Login Banner: Related Topics • Configuring Authentication Settings for Administrators, page 16-10 • Changing the Administrator Password, page 16-22 Login Banner ACS 5.4 supports customizing of the login banner texts. You ...

  • Cisco Systems CSACS3415K9 - page 100

    5-4 Chapter 5 Understanding My Workspace, Using the Web Interface: • Common Errors, page 5-25 • Accessibility, page 5-27 Accessing the Web Interface The ACS web interface is supported on HTTPS-enabled Microsoft Internet Explorer versions 6.x to 9.x and Mozilla Fi ...

  • Cisco Systems CSACS3415K9 - page 101

    5-5 Chapter 5 Understanding My Workspace, Using the Web Interface: Note The license page only appears the first time that you log in to ACS. Step 7 See Installing a License File, page 18-35 to install a valid license. • If your login is successful, the main page of the A ...

  • Cisco Systems CSACS3415K9 - page 102

    5-6 Chapter 5 Understanding My Workspace, Using the Web Interface: Web Interface Design Figure 5-1 shows the overall design of the ACS web interface. Figure 5-1 ACS Web Interface The interface contains: • Header, page 5-6 • Navigation Pane, page 5-7 • Cont ...

  • Cisco Systems CSACS3415K9 - page 103

    5-7 Chapter 5 Understanding My Workspace, Using the Web Interface: Navigation Pane Use the navigation pane to navigate through the drawers of the web interface (see Figure 5-3). Figure 5-3 Navigation Pane Table 5-4 describes the function of each drawer. To open ...

  • Cisco Systems CSACS3415K9 - page 104

    5-8 Chapter 5 Understanding My Workspace, Using the Web Interface: To hide the navigation pane and expand the content area, click the collapse arrow, which is centered vertically between the navigation pane and content area. Click the collapse arrow again to ...

  • Cisco Systems CSACS3415K9 - page 105

    5-9 Chapter 5 Understanding My Workspace, Using the Web Interface: • Secondary Windows, page 5-13 • Rule Table Pages, page 5-16 Web Interface Location Your current location in the interface appears at the top of the content area. Figure 5-5 shows that the locati ...

  • Cisco Systems CSACS3415K9 - page 106

    5-10 Chapter 5 Understanding My Workspace, Using the Web Interface: Table 5-5 Common Content Area Buttons and Fields for List Pages Button or Field Description Rows per page Use the drop-down list to specify the number of items to display on this page. Options: ? ...

  • Cisco Systems CSACS3415K9 - page 107

    5-11 Chapter 5 Understanding My Workspace, Using the Web Interface: Tree table pages are a variation of list pages (see Figure 5-6). You can perform the same operations on tree table pages that you can on list pages, except for paging. In addition, with tree table ...

  • Cisco Systems CSACS3415K9 - page 108

    5-12 Chapter 5 Understanding My Workspace, Using the Web Interface: Filtering Large lists in a content area window or a secondary window (see Figure 5-9) can be difficult to navigate through and select the data that you want. You can use the web interface to filter ...

  • Cisco Systems CSACS3415K9 - page 109

    5-13 Chapter 5 Understanding My Workspace, Using the Web Interface: For pages that do not have a Name or Description column, the sorting mechanism may be supported in the left-most column of the page, or the Description column. Place your cursor over a column h ...

  • Cisco Systems CSACS3415K9 - page 110

    5-14 Chapter 5 Understanding My Workspace, Using the Web Interface: Figure 5-9 Secondary Window In addition to selecting and filtering data, you can create a selectable object within a secondary window. For example, if you attempt to create a users internal identity ...

  • Cisco Systems CSACS3415K9 - page 111

    5-15 Chapter 5 Understanding My Workspace, Using the Web Interface: Figure 5-10 Transfer Box Table 5-7 Transfer Box Fields and Buttons Field or Button Description Available List of available items for selection. Selected Ordered list of selected items. Right a ...

  • Cisco Systems CSACS3415K9 - page 112

    5-16 Chapter 5 Understanding My Workspace, Using the Web Interface: Schedule Boxes Schedule boxes are a common element in content area pages (see Figure 5-10). You use them to select active times for a policy element from a grid, where each row represents a day o ...

  • Cisco Systems CSACS3415K9 - page 113

    5-17 Chapter 5 Understanding My Workspace, Using the Web Interface: Directly above the rule table are two display options: • Standard Policy—Click to display the standard policy rule table. • Exception Policy—Click to display the exception policy rule table, whic ...

  • Cisco Systems CSACS3415K9 - page 114

    5-18 Chapter 5 Understanding My Workspace, Importing and Exporting ACS Objects through the Web Interface: Related Topic • ACS 5.x Policy Model Importing and Exporting ACS Objects through the Web Interface You can use the import functionality in ACS to add, update, or d ...

  • Cisco Systems CSACS3415K9 - page 115

    5-19 Chapter 5 Understanding My Workspace, Importing and Exporting ACS Objects through the Web Interface: Table 5-10 lists the ACS objects, their properties, and the property data types. The import template for each of the objects contains the properties described ...

  • Cisco Systems CSACS3415K9 - page 116

    5-20 Chapter 5 Understanding My Workspace, Importing and Exporting ACS Objects through the Web Interface: Fields that are optional can be left empty and ACS substitutes the default values for those fields. KeywrapDisplayInHex (Optional) Boolean. Support TACACS (Req ...

  • Cisco Systems CSACS3415K9 - page 117

    5-21 Chapter 5 Understanding My Workspace, Importing and Exporting ACS Objects through the Web Interface: For example, when fields that are related to a hierarchy are left blank, ACS assigns the value of the root node in the hierarchy. For network devices, if Security G ...

  • Cisco Systems CSACS3415K9 - page 118

    5-22 Chapter 5 Understanding My Workspace, Importing and Exporting ACS Objects through the Web Interface: • NDG – Location—Network Resources > Network Device Groups > Location – Device Type—Network Resources > Network Device Groups > Device Type ...

  • Cisco Systems CSACS3415K9 - page 119

    5-23 Chapter 5 Understanding My Workspace, Importing and Exporting ACS Objects through the Web Interface: Adding Records to the ACS Internal Store When you add records to the ACS internal store, you add the records to the existing list. This is an append operation, in whi ...

  • Cisco Systems CSACS3415K9 - page 120

    5-24 Chapter 5 Understanding My Workspace, Importing and Exporting ACS Objects through the Web Interface: Figure 5-13 Update Users–Import File Note The second column, Updated name, is the additional column that you can add to the Update template. Deleting Records from ...

  • Cisco Systems CSACS3415K9 - page 121

    5-25 Chapter 5 Understanding My Workspace, Common Errors: Common Errors You might encounter these common errors: • Concurrency Conflict Errors, page 5-25 • Deletion Errors, page 5-26 • System Failure Errors, page 5-27 • Accessibility, page 5-27 Concurren ...

  • Cisco Systems CSACS3415K9 - page 122

    5-26 Chapter 5 Understanding My Workspace, Common Errors: Error Message The item you are trying to Submit is referencing items that do not exist anymore. Explanation You attempted to edit or duplicate an item that is referencing an item that another user deleted while you tr ...

  • Cisco Systems CSACS3415K9 - page 123

    5-27 Chapter 5 Understanding My Workspace, Accessibility: System Failure Errors System failure errors occur when a system malfunction is detected. When a system failure error is detected, a dialog box appears, with an error message and OK button. Read the error mess ...

  • Cisco Systems CSACS3415K9 - page 124

    5-28 Chapter 5 Understanding My Workspace, Accessibility: • Color used as an enhancement of information only, not as the only indicator. For example, required fields are associated with a red asterisk. • Confirmation messages for important settings and actions. ...

  • Cisco Systems CSACS3415K9 - page 125

    6-1 Chapter 6 Post-Installation Configuration Tasks: This chapter provides a set of configuration tasks that you must perform to work with ACS. This chapter contains the following sections: • Configuring Minimal System Setup, page 6-1 • Configuring ACS to Per ...

  • Cisco Systems CSACS3415K9 - page 126

    6-2 Chapter 6 Post-Installation Configuration Tasks, Configuring ACS to Perform System Administration Tasks: Configuring ACS to Perform System Administration Tasks Table 6-2 lists the set of system administration tasks that you must perform to administer ACS. Table 6-2 S ...

  • Cisco Systems CSACS3415K9 - page 127

    6-3 Chapter 6 Post-Installation Configuration Tasks, Configuring ACS to Perform System Administration Tasks: Step 8 Add users or hosts to the internal identity store, or define external identity stores, or both. • For internal identity stores: Users and Identity Store ...

  • Cisco Systems CSACS3415K9 - page 128

    6-4 Chapter 6 Post-Installation Configuration Tasks, Configuring ACS to Manage Access Policies: Configuring ACS to Manage Access Policies Table 6-3 lists the set of tasks that you must perform to manage access restrictions and permissions. Configuring ACS to Monitor ...

  • Cisco Systems CSACS3415K9 - page 129

    6-5 Chapter 6 Post-Installation Configuration Tasks, Configuring ACS to Monitor and Troubleshoot Problems in the Network: Step 4 Enable system alarms and specify how you would like to receive notification. Monitoring Configuration > System Configuration > System A ...

  • Cisco Systems CSACS3415K9 - page 130

    6-6 Chapter 6 Post-Installation Configuration Tasks, Configuring ACS to Monitor and Troubleshoot Problems in the Network ...

  • Cisco Systems CSACS3415K9 - page 131

    7-1 Chapter 7 Managing Network Resources: The Network Resources drawer defines elements within the network that issue requests to ACS or those that ACS interacts with as part of processing a request. This includes the network devices that issue the requests an ...

  • Cisco Systems CSACS3415K9 - page 132

    7-2 Chapter 7 Managing Network Resources, Network Device Groups: Network Device Groups In ACS, you can define network device groups (NDGs), which are sets of devices. These NDGs provide logical grouping of devices, for example, Device Location or Type, which y ...

  • Cisco Systems CSACS3415K9 - page 133

    7-3 Chapter 7 Managing Network Resources, Network Device Groups: Step 4 Click Submit. The network device group configuration is saved. The Network Device Groups page appears with the new network device group configuration. Related Topics • Network Device Groups, page 7- ...

  • Cisco Systems CSACS3415K9 - page 134

    7-4 Chapter 7 Managing Network Resources, Network Device Groups: Creating, Duplicating, and Editing Network Device Groups Within a Hierarchy You can arrange the network device group node hierarchy according to your needs by choosing parent and child relationships fo ...

  • Cisco Systems CSACS3415K9 - page 135

    7-5 Chapter 7 Managing Network Resources, Network Devices and AAA Clients: Deleting Network Device Groups from a Hierarchy To delete a network device group from within a hierarchy: Step 1 Choose Network Resources > Network Device Groups. The Network Device Groups ...

  • Cisco Systems CSACS3415K9 - page 136

    7-6 Chapter 7 Managing Network Resources, Network Devices and AAA Clients: You must install the Security Group Access license to enable Security Group Access options. The Security Group Access options only appear if you have installed the Security Group Access license ...

  • Cisco Systems CSACS3415K9 - page 137

    7-7 Chapter 7 Managing Network Resources, Network Devices and AAA Clients: – Description – NDG Location – Device Type You can specify full IP address, or IP address with wildcard “*” or, with IP address range, such as [15-20] in the IP address search fiel ...

  • Cisco Systems CSACS3415K9 - page 138

    7-8 Chapter 7 Managing Network Resources, Network Devices and AAA Clients: Step 1 Choose Network Resources > Network Devices and AAA Clients. The Network Device page appears. Step 2 Choose the filter condition and the Match if operator, and enter the filter criterio ...

  • Cisco Systems CSACS3415K9 - page 139

    7-9 Chapter 7 Managing Network Resources, Network Devices and AAA Clients: The Operation dialog box appears. Step 2 Click Next to download the .csv file template if you do not have it. Step 3 Click any one of the following operations if you have previously created a tem ...

  • Cisco Systems CSACS3415K9 - page 140

    7-10 Chapter 7 Managing Network Resources, Network Devices and AAA Clients: Exporting Network Resources and Users To export a list of network resources or users: Step 1 Click Export on the Users, Network Devices, or MAC Address page of the web interface. The Network Devic ...

  • Cisco Systems CSACS3415K9 - page 141

    7-11 Chapter 7 Managing Network Resources, Network Devices and AAA Clients: The first page of the Create Network Device process appears if you are creating a new network device. The Network Device Properties page for the selected device appears if you are duplicating ...

  • Cisco Systems CSACS3415K9 - page 142

    7-12 Chapter 7 Managing Network Resources, Network Devices and AAA Clients: IP Range(s) By Mask Choose to enter an IP address range. You can configure up to 40 IP addresses or subnet masks for each network device. If you use a subnet mask in this field, all IP addre ...

  • Cisco Systems CSACS3415K9 - page 143

    7-13 Chapter 7 Managing Network Resources, Network Devices and AAA Clients: Single Connect Device Check to use a single TCP connection for all TACACS+ communication with the network device. Choose one: • Legacy TACACS+ Single Connect Support • TACACS+ Draft ...

  • Cisco Systems CSACS3415K9 - page 144

    7-14 Chapter 7 Managing Network Resources, Network Devices and AAA Clients: Displaying Network Device Properties Choose Network Resources > Network Devices and AAA Clients, then click a device name or check the check box next to a device name, and click Edit or ...

  • Cisco Systems CSACS3415K9 - page 145

    7-15 Chapter 7 Managing Network Resources, Network Devices and AAA Clients: IP Range(s) By Mask Choose to enter an IP address range. You can configure up to 40 IP addresses or subnet masks for each network device. If you use a subnet mask in this field, all IP addresse ...

  • Cisco Systems CSACS3415K9 - page 146

    7-16 Chapter 7 Managing Network Resources, Network Devices and AAA Clients: RADIUS Shared Secret Shared secret of the network device, if you have enabled the RADIUS protocol. A shared secret is an expected string of text, which a user must provide before the network devic ...

  • Cisco Systems CSACS3415K9 - page 147

    7-17 Chapter 7 Managing Network Resources, Configuring a Default Network Device: Related Topics: • Viewing and Performing Bulk Operations for Network Devices, page 7-6 • Creating, Duplicating, and Editing Network Device Groups, page 7-2 Deleting Network Devices T ...

  • Cisco Systems CSACS3415K9 - page 148

    7-18 Chapter 7 Managing Network Resources, Configuring a Default Network Device: Choose Network Resources > Default Network Device to configure the default network device. The Default Network Device page appears, displaying the information described in Table ...

  • Cisco Systems CSACS3415K9 - page 149

    7-19 Chapter 7 Managing Network Resources, Working with External Proxy Servers: Related Topics • Network Device Groups, page 7-2 • Network Devices and AAA Clients, page 7-5 • Creating, Duplicating, and Editing Network Device Groups, page 7-2 Working with External Pro ...

  • Cisco Systems CSACS3415K9 - page 150

    7-20 Chapter 7 Managing Network Resources, Working with External Proxy Servers: Step 2 Do one of the following: • Click Create. • Check the check box next to the external proxy server that you want to duplicate, then click Duplicate. • Click the external proxy serv ...

  • Cisco Systems CSACS3415K9 - page 151

    7-21 Chapter 7 Managing Network Resources, Working with OCSP Services: Note If you want ACS to forward unknown RADIUS attributes you have to define VSAs for proxy. Related Topics • RADIUS and TACACS+ Proxy Services, page 3-7 • RADIUS and TACACS+ Proxy Requests ...

  • Cisco Systems CSACS3415K9 - page 152

    7-22 Chapter 7 Managing Network Resources, Working with OCSP Services: • Unknown—The certificate status is unknown. The status of the certificate is unknown if the OCSP is not configured to handle the given certificate CA. In this case, the certificate is handl ...

  • Cisco Systems CSACS3415K9 - page 153

    7-23 Chapter 7 Managing Network Resources, Working with OCSP Services: Fail back To Primary Server Enable this option to use the secondary server for the given amount of time when the primary is completely down. The time range is 1 to 999 minutes. Primary Server URL Ent ...

  • Cisco Systems CSACS3415K9 - page 154

    7-24 Chapter 7 Managing Network Resources, Working with OCSP Services: Step 4 Click Submit to save your changes. The OCSP Server configuration is saved. The OCSP Server page appears with the new configuration. Related Topics • Deleting OCSP Servers, page 7-24 Del ...

  • Cisco Systems CSACS3415K9 - page 155

    8-1 Chapter 8 Managing Users and Identity Stores: Overview ACS manages your network devices and other ACS clients by using the ACS network resource repositories and identity stores. When a host connects to the network through ACS requesting access to a particular ...

  • Cisco Systems CSACS3415K9 - page 156

    8-2 Chapter 8 Managing Users and Identity Stores, Overview: Fixed components are: • Name • Description • Password • Enabled or disabled status • Identity group to which users belong Configurable components are: • Enable password for TACACS+ authenticatio ...

  • Cisco Systems CSACS3415K9 - page 157

    8-3 Chapter 8 Managing Users and Identity Stores, Overview: Identity Stores with Two-Factor Authentication You can use the RSA SecurID Token Server and RADIUS Identity Server to provide two-factor authentication. These external identity stores use an OTP that prov ...

  • Cisco Systems CSACS3415K9 - page 158

    8-4 Chapter 8 Managing Users and Identity Stores, Managing Internal Identity Stores: Identity Sequences You can configure a complex condition where multiple identity stores and profiles are used to process a request. You can define these identity methods in an Ident ...

  • Cisco Systems CSACS3415K9 - page 159

    8-5 Chapter 8 Managing Users and Identity Stores, Managing Internal Identity Stores: • Authentication information Note ACS 5.4 supports authentication for internal users against the internal identity store only. This section contains the following topics: • Authen ...

  • Cisco Systems CSACS3415K9 - page 160

    8-6 Chapter 8 Managing Users and Identity Stores, Managing Internal Identity Stores: Identity Groups You can assign each internal user to one identity group. Identity groups are defined within a hierarchical structure. They are logical entities that are associated with ...

  • Cisco Systems CSACS3415K9 - page 161

    8-7 Chapter 8 Managing Users and Identity Stores, Managing Internal Identity Stores: Related Topics • Managing Users and Identity Stores, page 8-1 • Managing Internal Identity Stores, page 8-4 • Performing Bulk Operations for Network Resources and Users, page ...

  • Cisco Systems CSACS3415K9 - page 162

    8-8 Chapter 8 Managing Users and Identity Stores, Managing Internal Identity Stores: Standard Attributes Table 8-1 describes the standard attributes in the internal user record. User Attributes Administrators can create and add user-defined attributes from the set o ...

  • Cisco Systems CSACS3415K9 - page 163

    8-9 Chapter 8 Managing Users and Identity Stores, Managing Internal Identity Stores: In ACS 5.4, you can configure identity attributes that are used within your policies, in this order: 1. Define an identity attribute (using the user dictionary). 2. Define custom con ...

  • Cisco Systems CSACS3415K9 - page 164

    8-10 Chapter 8 Managing Users and Identity Stores, Managing Internal Identity Stores: Step 3 In the Advanced tab, enter the values for the criteria that you want to configure for your user authentication process. Table 8-3 describes the fields in the Advanced tab. ...

  • Cisco Systems CSACS3415K9 - page 165

    8-11 Managing Internal Identity Stores Step 4 Click Submit. The user password is configured with the defined criteria. These criteria will apply only for future logins. Note If one of the users gets disabled, the faile ...

  • Cisco Systems CSACS3415K9 - page 166

    8-12 Managing Internal Identity Stores The Change Password page appears. Step 3 Complete the fields as described in Table 8-4 to change the internal user password. • Click File Operations to: – Add—Adds internal ...

  • Cisco Systems CSACS3415K9 - page 167

    8-13 Managing Internal Identity Stores Table 8-5 Users and Identity Stores > Internal Identity Store > User Properties Page Option Description General Name Username. Status Use the drop-down list box to select the ...

  • Cisco Systems CSACS3415K9 - page 168

    8-14 Managing Internal Identity Stores Step 5 Click Submit. The user configuration is saved. The Internal Users page appears with the new configuration. Related Topics • Configuring Authentication Settings for Users, pag ...

  • Cisco Systems CSACS3415K9 - page 169

    8-15 Managing Internal Identity Stores Deleting Users from Internal Identity Stores To delete a user from an internal identity store: Step 1 Select Users and Identity Stores > Internal Identity Store > Users. The Interna ...

  • Cisco Systems CSACS3415K9 - page 170

    8-16 Managing Internal Identity Stores – Delete—Choose this option to delete the internal users listed in the import file from ACS. See Performing Bulk Operations for Network Resources and Users, page 7-8 for a detai ...

  • Cisco Systems CSACS3415K9 - page 171

    8-17 Managing Internal Identity Stores Step 4 Click Submit to save changes. The MAC address configuration is saved. The Internal MAC list page appears with the new configuration. Note Hosts with wildcards (supported forma ...

  • Cisco Systems CSACS3415K9 - page 172

    8-18 Managing Internal Identity Stores • Viewing and Performing Bulk Operations for Internal Identity Store Hosts, page 8-18 • Policies and Identity Attributes, page 3-17 • Configuring an Identity Group for Hos ...

  • Cisco Systems CSACS3415K9 - page 173

    8-19 Managing Internal Identity Stores Related Topics • Host Lookup, page 4-13 • Creating Hosts in Identity Stores, page 8-16 • Deleting Internal Hosts, page 8-18 • Policies and Identity Attributes, page 3-17 • ...

  • Cisco Systems CSACS3415K9 - page 174

    8-20 Managing Internal Identity Stores Configuring Users or Hosts for Management Hierarchy A specific level of access is defined to represent the top-most node in the Management Hierarchy assigned for each user or a host ...

  • Cisco Systems CSACS3415K9 - page 175

    8-21 Managing Internal Identity Stores Step 8 After successfully creating the policy, try authenticating the user using the created policy. The user will be authenticated only if the hierarchy defined for the user equals ...

  • Cisco Systems CSACS3415K9 - page 176

    8-22 Managing External Identity Stores ACS 5.4 integrates with external identity systems in a number of ways. You can leverage an external authentication service or use an external syste ...

  • Cisco Systems CSACS3415K9 - page 177

    8-23 Managing External Identity Stores • Configuring LDAP Groups, page 8-33 • Viewing LDAP Attributes, page 8-34 Directory Service The directory service is a software application, or a set of applications, for stori ...

  • Cisco Systems CSACS3415K9 - page 178

    8-24 Managing External Identity Stores Failover ACS 5.4 supports failover between a primary LDAP server and secondary LDAP server. In the context of LDAP authentication with ACS, failover applies when an authentication ...

  • Cisco Systems CSACS3415K9 - page 179

    8-25 Managing External Identity Stores Possible reasons for an LDAP server to return bind (authentication) errors are: – Filtering errors—A search using filter criteria fails. – Parameter errors—Invalid parame ...

  • Cisco Systems CSACS3415K9 - page 180

    8-26 Managing External Identity Stores • String • Unsigned Integer 32 • IP Address—This can be either an IP version 4 (IPv4) or IP version 6 (IPv6) address. For unsigned integers and IP address attributes, ACS conver ...

  • Cisco Systems CSACS3415K9 - page 181

    8-27 Managing External Identity Stores Step 4 Check the Enable Password Change option to modify the password, to detect the password expiration, and to reset the password. Step 5 Click Next. Step 6 Continue with Configur ...

  • Cisco Systems CSACS3415K9 - page 182

    8-28 Managing External Identity Stores Anonymous Access Click to ensure that searches on the LDAP directory occur anonymously. The server does not distinguish who the client is and will allow the client read access to an ...

  • Cisco Systems CSACS3415K9 - page 183

    8-29 Managing External Identity Stores Step 2 Click Next. Step 3 Continue with Configuring External LDAP Directory Organization, page 8-29. Configuring External LDAP Directory Organization Use this page to configure an exter ...

  • Cisco Systems CSACS3415K9 - page 184

    8-30 Managing External Identity Stores Table 8-8 LDAP: Directory Organization Page Option Description Schema Subject Object class Value of the LDAP objectClass attribute that identifies the subject. Often, subject reco ...

  • Cisco Systems CSACS3415K9 - page 185

    8-31 Managing External Identity Stores Subjects In Groups Are Stored In Member Attribute As Use the drop-down list box to indicate if the subjects in groups are stored in member attributes as either: • Username • Distingu ...

  • Cisco Systems CSACS3415K9 - page 186

    8-32 Managing External Identity Stores Step 2 Click Finish. The external identity store that you created is saved. Username Prefix\Suffix Stripping Strip start of subject name up to the last occurrence of the separato ...

  • Cisco Systems CSACS3415K9 - page 187

    8-33 Managing External Identity Stores Related Topics • Configuring LDAP Groups, page 8-33 • Deleting External LDAP Identity Stores, page 8-33 Deleting External LDAP Identity Stores You can delete one or more external ...

  • Cisco Systems CSACS3415K9 - page 188

    8-34 Managing External Identity Stores Viewing LDAP Attributes Use this page to view the external LDAP attributes. Step 1 Select Users and Identity Stores > External Identity Stores > LDAP. Step 2 Check the check box ...

  • Cisco Systems CSACS3415K9 - page 189

    8-35 Managing External Identity Stores This means the switch port to which these devices attach cannot authenticate them using the 802.1X exchange of device or user credentials and must revert to an authentication mechani ...

  • Cisco Systems CSACS3415K9 - page 190

    8-36 Managing External Identity Stores Figure 8-1 LDAP Interface Configuration in NAC Profiler Step 5 Click Update Server. Step 6 Click the Configuration tab and click Apply Changes. The Update NAC Profiler Modules page ...

  • Cisco Systems CSACS3415K9 - page 191

    8-37 Managing External Identity Stores Step 2 Choose Configuration > Endpoint Profiles > View/Edit Profiles List. A list of profiles in a table appears. Step 3 Click on the name of a profile to edit it. Step 4 In the Save ...

  • Cisco Systems CSACS3415K9 - page 192

    8-38 Managing External Identity Stores To edit the NAC Profiler template in ACS: Step 1 Choose Users and Identity Stores > External Identity Stores > LDAP. Step 2 Click on the name of the NAC Profiler template o ...

  • Cisco Systems CSACS3415K9 - page 193

    8-39 Managing External Identity Stores Figure 8-5 Test Bind to Server Dialog Box For more information, see Creating External LDAP Identity Stores, page 8-26. Note The default password for LDAP is GBSbeacon. If you want ...

  • Cisco Systems CSACS3415K9 - page 194

    8-40 Managing External Identity Stores Figure 8-7 Test Configuration Dialog Box Number of Subjects—This value maps to the actual subject devices already profiled by the Cisco NAC Profiler (actual devices enabled for P ...

  • Cisco Systems CSACS3415K9 - page 195

    8-41 Managing External Identity Stores Troubleshooting MAB Authentication with Profiler Integration To troubleshoot MAB authentication while integrating with NAC Profiler and to verify that the endpoint is successfully aut ...

  • Cisco Systems CSACS3415K9 - page 196

    8-42 Managing External Identity Stores • Maximum password age is N days. • Minimum password age is N days. • Minimum password length is N characters. • Password must meet complexity requirements. AD uses the “ ...

  • Cisco Systems CSACS3415K9 - page 197

    8-43 Managing External Identity Stores Note To prevent ACS from using the outdated mappings, you should create new AD groups instead of changing or moving the existing ones. If you change or move the existing groups, you ha ...

  • Cisco Systems CSACS3415K9 - page 198

    8-44 Managing External Identity Stores Machine authentication happens while starting up a computer or while logging in to a computer. Supplicants, such as Funk Odyssey, perform machine authentication periodically while the ...

  • Cisco Systems CSACS3415K9 - page 199

    8-45 Managing External Identity Stores If the user has one of these limitations, the AD1::IdentityAccessRestricted attribute on the AD dedicated dictionary is set to indicate that the user has restricted access. You c ...

  • Cisco Systems CSACS3415K9 - page 200

    8-46 Managing External Identity Stores The Engineers' rule is an example of a MAR rule that only allows engineers access if their machine was successfully authenticated against the Windows DB. The Managers' rule i ...

  • Cisco Systems CSACS3415K9 - page 201

    8-47 Managing External Identity Stores The distributed search is performed based on the cache entry query attempts and cache entry query timeouts that are configured in the ACS web interface. The MAR entry search is also del ...

  • Cisco Systems CSACS3415K9 - page 202

    8-48 Managing External Identity Stores Callback Options for Dial-In Users If the callback option is enabled, the server calls the caller back during the connection process. The phone number that is used by the server is set ...

  • Cisco Systems CSACS3415K9 - page 203

    8-49 Managing External Identity Stores The callback number value is also returned on the RADIUS response, using the RADIUS attribute Callback Number (#19). • If the callback option is Set by Caller, the RADIUS response co ...

  • Cisco Systems CSACS3415K9 - page 204

    8-50 Managing External Identity Stores Note When you upgrade ACS to the ACS 5.4 version using the Reimaging and Upgrading an ACS Server method, if you restore a configuration in which the AD is defined, you need to join AC ...

  • Cisco Systems CSACS3415K9 - page 205

    8-51 Managing External Identity Stores • Save Changes to save the configuration. • Discard Changes to discard all changes. • If AD is already configured and you want to delete it, click Clear Configuration after you ...

  • Cisco Systems CSACS3415K9 - page 206

    8-52 Managing External Identity Stores Step 4 Click: • Join to join the selected nodes to the AD domain. The status of the nodes is changed according to the join results. • Test Connection to test the connection to en ...

  • Cisco Systems CSACS3415K9 - page 207

    8-53 Managing External Identity Stores Step 4 Click: • Leave to disconnect the selected nodes from the AD domain. • Cancel to cancel the operation. Note Administrators can perform operations like join, leave, or test conn ...

  • Cisco Systems CSACS3415K9 - page 208

    8-54 Managing External Identity Stores The Groups page appears. The Selected Directory Groups field lists the AD groups you selected and saved. The AD groups you selected in the External User Groups page are listed and c ...

  • Cisco Systems CSACS3415K9 - page 209

    8-55 Managing External Identity Stores Step 3 Click: • Save Changes to save the configuration. • Discard Changes to discard all changes. Table 8-13 Active Directory: Attributes Page Option Description Name of example ...

  • Cisco Systems CSACS3415K9 - page 210

    8-56 Managing External Identity Stores • If AD is already configured and you want to delete it, click Clear Configuration after you verify that there are no policy rules that use custom conditions based on the AD dicti ...

  • Cisco Systems CSACS3415K9 - page 211

    8-57 Managing External Identity Stores AD Deployments with Users Belonging to a Large Number of Groups In ACS 5.3, when you move between AD domains, the user authentications show a timeout error if the user belongs to a large ...

  • Cisco Systems CSACS3415K9 - page 212

    8-58 Managing External Identity Stores Thus, when a correct token code is supplied together with a PIN, there is a high degree of certainty that the person is a valid user. Therefore, RSA SecurID servers provide a mo ...

  • Cisco Systems CSACS3415K9 - page 213

    8-59 Managing External Identity Stores Manually Intervene to Remove a Down RSA SecurID Server When an RSA SecurID server is down, the automatic exclusion mechanism does not always work quickly. To speed up this process, ...

  • Cisco Systems CSACS3415K9 - page 214

    8-60 Managing External Identity Stores Step 5 Click the Advanced tab. See Configuring Advanced Options, page 8-62 for more information. Step 6 Click Submit to create an RSA SecurID store. The RSA SecurID Token Server p ...

  • Cisco Systems CSACS3415K9 - page 215

    8-61 Managing External Identity Stores Editing ACS Instance Settings You can edit the ACS instance settings to: • Enable the RSA options file, page 8-61 • Reset Agent Files, page 8-61 Enable the RSA options file You can enab ...

  • Cisco Systems CSACS3415K9 - page 216

    8-62 Managing External Identity Stores Step 1 Choose either of the following options: • To reset the node secret on the agent host, check the Remove securid file on submit check box. If you reset the node secret on the ag ...

  • Cisco Systems CSACS3415K9 - page 217

    8-63 Managing External Identity Stores • Creating and Editing RSA SecurID Token Servers, page 8-59 • Configuring ACS Instance Settings, page 8-60 • Editing ACS Instance Settings, page 8-61 • Editing ACS Instance ...

  • Cisco Systems CSACS3415K9 - page 218

    8-64 Managing External Identity Stores Failover ACS 5.4 allows you to configure multiple RADIUS identity stores. Each RADIUS identity store can have primary and secondary RADIUS servers. When ACS is unable to conne ...

  • Cisco Systems CSACS3415K9 - page 219

    8-65 Managing External Identity Stores RADIUS Identity Store in Identity Sequence You can add the RADIUS identity store for the authentication sequence in an identity sequence. However, you cannot add the RADIUS identity ...

  • Cisco Systems CSACS3415K9 - page 220

    8-66 Managing External Identity Stores Safeword token servers support both formats. ACS works with various token servers. While configuring a Safeword server, you must check the Safeword Server check box for ACS to parse ...

  • Cisco Systems CSACS3415K9 - page 221

    8-67 Managing External Identity Stores • Check the check box next to the identity store you want to duplicate, then click Duplicate. • Click the identity store name that you want to modify, or check the box next to the name a ...

  • Cisco Systems CSACS3415K9 - page 222

    8-68 Managing External Identity Stores Related Topics • RADIUS Identity Stores, page 8-63 • Creating, Duplicating, and Editing RADIUS Identity Servers, page 8-66 • Configuring Shell Prompts, page 8-69 • Configuring ...

  • Cisco Systems CSACS3415K9 - page 223

    8-69 Managing External Identity Stores Configuring Shell Prompts For TACACS+ ASCII authentication, ACS must return the password prompt to the user. The RADIUS identity server supports this functionality by the password prompt ...

  • Cisco Systems CSACS3415K9 - page 224

    8-70 Managing External Identity Stores Step 2 Do either of the following: • Click Submit to save your changes and return to the RADIUS Identity Servers page. • Click the Advanced tab to configure failure message han ...

  • Cisco Systems CSACS3415K9 - page 225

    8-71 Configuring CA Certificates Click Submit to save the RADIUS Identity Server. Related Topics • RADIUS Identity Stores, page 8-63 • Creating, Duplicating, and Editing RADIUS Identity Servers, page 8-66 Configuring CA ...

  • Cisco Systems CSACS3415K9 - page 226

    8-72 Configuring CA Certificates Note ACS builds a certificate chain with the CA certificates that you add to it and uses this chain during TLS negotiations. You must add the certificate that signed the server certificat ...

  • Cisco Systems CSACS3415K9 - page 227

    8-73 Configuring CA Certificates Editing a Certificate Authority and Configuring Certificate Revocation Lists Use this page to edit a trusted CA (Certificate Authority) certificate. Step 1 Select Users and Identity Stores > C ...

  • Cisco Systems CSACS3415K9 - page 228

    8-74 Configuring CA Certificates Step 3 Click Submit. The Trust Certificate page appears with the edited certificate. The administrator has the rights to configure CRL and OCSP verification. If both CRL and OCSP verific ...

  • Cisco Systems CSACS3415K9 - page 229

    8-75 Configuring Certificate Authentication Profiles The Trust Certificate page appears without the deleted certificate(s). Related Topic • Overview of EAP-TLS, page B-6 Exporting a Certificate Authority To export a trust ...

  • Cisco Systems CSACS3415K9 - page 230

    8-76 Configuring Certificate Authentication Profiles When ACS processes a certificate-based request for authentication, one of two things happens: the username from the certificate is compared to the username in ACS t ...

  • Cisco Systems CSACS3415K9 - page 231

    8-77 Configuring Identity Store Sequences Step 4 Click Submit. The Certificate Authentication Profile page reappears. Related Topics • Viewing Identity Policies, page 10-22 • Configuring Identity Store Sequences, p ...

  • Cisco Systems CSACS3415K9 - page 232

    8-78 Configuring Identity Store Sequences Attribute Retrieval Sequence You can optionally define a list of databases from which to retrieve additional attributes. These databases can be accessed regardless of whether yo ...

  • Cisco Systems CSACS3415K9 - page 233

    8-79 Configuring Identity Store Sequences Password Based Check this check box to use the password-based authentication method. If you choose this option, you must choose the set of identity stores that ACS will access on ...

  • Cisco Systems CSACS3415K9 - page 234

    8-80 Configuring Identity Store Sequences Step 3 Click Submit. The Identity Store Sequences page reappears. Related Topics • Performing Bulk Operations for Network Resources and Users, page 7-8 • Viewing Identity ...

  • Cisco Systems CSACS3415K9 - page 235

    8-81 Configuring Identity Store Sequences • Managing Internal Identity Stores, page 8-4 • Managing External Identity Stores, page 8-22 • Configuring Certificate Authentication Profiles, page 8-75 • Creating, Du ...

  • Cisco Systems CSACS3415K9 - page 236

    8-82 Configuring Identity Store Sequences ...

  • Cisco Systems CSACS3415K9 - page 237

    9-1 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 9 Managing Policy Elements A policy defines the authentication and authorization processing of clients that attempt to access the ACS network. A client can be a user, a network device, or a user associated with a network device. Policies are sets of ru ...

  • Cisco Systems CSACS3415K9 - page 238

    9-2 Managing Policy Conditions You can map users and hosts to identity groups by using the group mapping policy. You can include identity groups in conditions to configure common policy conditions for all users in the grou ...

  • Cisco Systems CSACS3415K9 - page 239

    9-3 Managing Policy Conditions • Creating, Duplicating, and Editing a Date and Time Condition, page 9-3 • Creating, Duplicating, and Editing a Custom Session Condition, page 9-5 • Deleting a Session Condition, page 9-6 ...

  • Cisco Systems CSACS3415K9 - page 240

    9-4 Managing Policy Conditions To add date and time conditions to a policy, you must first customize the rule table. See Customizing a Policy, page 10-4. Step 4 Click Submit. The date and time condition is saved. The Date and T ...

  • Cisco Systems CSACS3415K9 - page 241

    9-5 Managing Policy Conditions Related Topics • Creating, Duplicating, and Editing a Custom Session Condition, page 9-5 • Deleting a Session Condition, page 9-6 • Configuring Access Service Policies, page 10-22 Creating, Dupli ...

  • Cisco Systems CSACS3415K9 - page 242

    9-6 Managing Policy Conditions To add custom conditions to a policy, you must first customize the rule table. See Customizing a Policy, page 10-4. Step 4 Click Submit. The new custom session condition is saved. The Custom Condi ...

  • Cisco Systems CSACS3415K9 - page 243

    9-7 Managing Policy Conditions Note The filters in ACS 5.4 are similar to the NARs in ACS 4.x. In ACS 4.x, the NARs were based on either the user or user group. In 5.4, the filters are independent conditions that you can re ...

  • Cisco Systems CSACS3415K9 - page 244

    9-8 Managing Policy Conditions The device dictionary (the NDG dictionary) contains network device group attributes such as Location, Device Type, or other dynamically created attributes that represent NDGs. These attributes, in turn ...

  • Cisco Systems CSACS3415K9 - page 245

    9-9 Managing Policy Conditions Step 5 Click Close to close the Import Progress window. You can submit only one .csv file to the system at one time. If an import is under way, an additional import cannot succeed until the ori ...

  • Cisco Systems CSACS3415K9 - page 246

    9-10 Note To configure a filter, at a minimum, you must enter filter criteria in at least one of the three tabs. Step 5 Click Submit to save the changes. Related Topics • Managing Network Conditions, pag ...

  • Cisco Systems CSACS3415K9 - page 247

    9-11 • Defining MAC Address-Based End Station Filters, page 9-11 • Defining CLI or DNIS-Based End Station Filters, page 9-11 Defining MAC Address-Based End Station Filters You can create, duplicat ...

  • Cisco Systems CSACS3415K9 - page 248

    9-12 Step 2 Check the CLI check box to enter the CLI number of the end station. You can optionally set this field to ANY to refer to any CLI number. Step 3 Check the DNIS check box to enter the DNIS nu ...

  • Cisco Systems CSACS3415K9 - page 249

    9-13 Note To configure a filter, at a minimum, you must enter filter criteria in at least one of the three tabs. Step 5 Click Submit to save the changes. Related Topics • Managing Network Conditions, ...

  • Cisco Systems CSACS3415K9 - page 250

    9-14 Defining Name-Based Device Filters You can create, duplicate, and edit the name of the network device that you want to permit or deny access to. To do this: Step 1 From the Device Name tab, do ...

  • Cisco Systems CSACS3415K9 - page 251

    9-15 Creating, Duplicating, and Editing Device Port Filters Use the Device Port Filters page to create, duplicate, and edit device port filters. To do this: Step 1 Choose Policy Elements > Session Condi ...

  • Cisco Systems CSACS3415K9 - page 252

    9-16 • Check the check box next to the IP-based device port filter that you want to duplicate, then click Duplicate. • Check the check box next to the IP-based device port filter that you want to edit, t ...

  • Cisco Systems CSACS3415K9 - page 253

    9-17 Step 3 Check the Port check box and enter the port number. Step 4 Click OK. Related Topics • Managing Network Conditions, page 9-6 • Creating, Duplicating, and Editing Device Por ...

  • Cisco Systems CSACS3415K9 - page 254

    9-18 • Security groups and security group ACLs for Cisco Security Group Access. See ACS and Cisco Security Group Access, page 4-23, for information on configuring these policy elements. These to ...

  • Cisco Systems CSACS3415K9 - page 255

    9-19 • Click the name that you want to modify; or, check the check box next to the name that you want to modify and click Edit. The Authorization Profile Properties page appears. S ...

  • Cisco Systems CSACS3415K9 - page 256

    9-20 Step 1 Select Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, then click: • Create to create a new network access authorization de ...

  • Cisco Systems CSACS3415K9 - page 257

    9-21 Table 9-5 Authorization Profile: Common Tasks Page Option Description ACLS Downloadable ACL Name Includes a defined downloadable ACL. See Creating, Duplicating, and Editing Downlo ...

  • Cisco Systems CSACS3415K9 - page 258

    9-22 Specifying RADIUS Attributes in Authorization Profiles Use this tab to configure which RADIUS attributes to include in the Access-Accept packet for an authorization profile. This tab also ...

  • Cisco Systems CSACS3415K9 - page 259

    9-23 Step 3 To configure: • Basic information of an authorization profile; see Specifying Authorization Profiles, page 9-19. • Common tasks for an authorization profile; see Specifyin ...

  • Cisco Systems CSACS3415K9 - page 260

    9-24 Creating and Editing Security Groups Use this page to view names and details of security groups and security group tags (SGTs), and to open pages to create, duplicate, and edit security ...

  • Cisco Systems CSACS3415K9 - page 261

    9-25 The Common Tasks tab allows you to select and configure the frequently used attributes for the profile. The attributes that are included here are those defined by the TACACS protocol ...

  • Cisco Systems CSACS3415K9 - page 262

    9-26 Defining General Shell Profile Properties Use this page to define a shell profile's general properties. Step 1 Select Policy Elements > Authorization and Permissions > Device Administr ...

  • Cisco Systems CSACS3415K9 - page 263

    9-27 Table 9-9 Shell Profile: Common Tasks Option Description Privilege Level Default Privilege (Optional) Enables the initial privilege level assignment that you allow for a client, thr ...

  • Cisco Systems CSACS3415K9 - page 264

    9-28 Step 3 Click: • Submit to save your changes and return to the Shell Profiles page. • The General tab to configure the name and description for the authorization profile; see Defining ...

  • Cisco Systems CSACS3415K9 - page 265

    9-29 Defining Custom Attributes Use this tab to define custom attributes for the shell profile. This tab also displays the Common Tasks Attributes that you have chosen in the Common Tasks tab ...

  • Cisco Systems CSACS3415K9 - page 266

    9-30 After you create command sets, you can use them in authorizations and permissions within rule tables. A rule can contain multiple command sets. See Creating, Duplicating, and Editing ...

  • Cisco Systems CSACS3415K9 - page 267

    9-31 Step 4 Click Submit. The command set is saved. The Command Sets page appears with the command set that you created or duplicated. Table 9-11 Command Set Properties Page Field Des ...

  • Cisco Systems CSACS3415K9 - page 268

    9-32 Related Topics • Creating, Duplicating, and Editing Authorization Profiles for Network Access, page 9-18 • Creating, Duplicating, and Editing a Shell Profile for Device Administrati ...

  • Cisco Systems CSACS3415K9 - page 269

    9-33 – Click Start Export to export the DACLs without any encryption. Step 3 Enter valid configuration data in the required fields as shown in Table 9-12, and define one or more ...

  • Cisco Systems CSACS3415K9 - page 270

    9-34 Configuring Security Group Access Control Lists Security group access control lists (SGACLs) are applied at Egress, based on the source and destination SGTs. Use this page to view, cre ...

  • Cisco Systems CSACS3415K9 - page 271

    10-1 CHAPTER 10 Managing Access Policies In ACS 5.4, policy drives all activities. Policies consist mainly of rules that determine the action of the policy. You create access services to define authentication and authorization policies for requests. A global s ...

  • Cisco Systems CSACS3415K9 - page 272

    10-2 In short, you must determine the: • Details of your network configuration. • Access services that implement your policies. • Rules that define the conditions under which an access service can run. ...

  • Cisco Systems CSACS3415K9 - page 273

    10-3 Policy Elements in the Policy Creation Flow The web interface provides these defaults for defining device groups and identity groups: • All Locations • All Device Types • All Groups The locations, de ...

  • Cisco Systems CSACS3415K9 - page 274

    10-4 Policy Creation Flow—Next Steps • Access Service Policy Creation, page 10-4 • Service Selection Policy Creation, page 10-4 Access Service Policy Creation After you create the basic elements, you can create ...

  • Cisco Systems CSACS3415K9 - page 275

    10-5 If you have implemented Security Group Access functionality, you can also customize results for authorization policies. Caution If you have already defined rules, be certain that a rul ...

  • Cisco Systems CSACS3415K9 - page 276

    10-6 Note If you create and save a simple policy, and then change to a rule-based policy, the simple policy becomes the default rule of the rule-based policy. If you have saved a rule-bas ...

  • Cisco Systems CSACS3415K9 - page 277

    10-7 To configure a rule-based service selection policy, see these topics: • Creating, Duplicating, and Editing Service Selection Rules, page 10-8 • Deleting Service Selection Rules, p ...

  • Cisco Systems CSACS3415K9 - page 278

    10-8 Creating, Duplicating, and Editing Service Selection Rules Create service selection rules to determine which access service processes incoming requests. The Default Rule provides a def ...

  • Cisco Systems CSACS3415K9 - page 279

    10-9 • The Default Rule—You can change only the access service. See Table 10-3 for field descriptions: Step 4 Click OK. The Service Selection Policy page appears with the rule that ...

  • Cisco Systems CSACS3415K9 - page 280

    10-10 Displaying Hit Counts Use this page to reset and refresh the Hit Count display on the Rule-based Policy page. To display this page, click Hit Count on the Rule-based Policy page. Deleting Serv ...

  • Cisco Systems CSACS3415K9 - page 281

    10-11 Configuring Access Services Access services contain the authentication and authorization policies for requests. You can create separate access services for different use cases; for example, de ...

  • Cisco Systems CSACS3415K9 - page 282

    10-12 Step 3 Edit the fields in the Allowed Protocols tab as described in Table 10-7. Step 4 Click Submit to save the changes you have made to the default access service. Creating, Duplicating, a ...

  • Cisco Systems CSACS3415K9 - page 283

    10-13 Step 2 Do one of the following: • Click Create. • Check the check box next to the access service that you want to duplicate; then click Duplicate. • Click the access service name that you w ...

  • Cisco Systems CSACS3415K9 - page 284

    10-14 Description Description of the access service. Access Service Policy Structure Based on service template Creates an access service containing policies based on a predefined template. This option is av ...

  • Cisco Systems CSACS3415K9 - page 285

    10-15 Step 3 Click Next to configure the allowed protocols. See Configuring Access Service Allowed Protocols, page 10-16. Related Topic • Configuring Access Service Allowed Protocols, page 10-16 • Conf ...

  • Cisco Systems CSACS3415K9 - page 286

    10-16 Configuring Access Service Allowed Protocols The allowed protocols are the second part of access service creation. Access service definitions contain general and allowed protocol information ...

  • Cisco Systems CSACS3415K9 - page 287

    10-17 Allow EAP-TLS Enables the EAP-TLS Authentication protocol and configures EAP-TLS settings. You can specify how ACS verifies user identity as presented in the EAP Identity response from the en ...

  • Cisco Systems CSACS3415K9 - page 288

    10-18 Allow EAP-FAST Enables the EAP-FAST authentication protocol and EAP-FAST settings. The EAP-FAST protocol can support multiple internal protocols on the same server. The default inner method i ...

  • Cisco Systems CSACS3415K9 - page 289

    10-19 Allow EAP-FAST (continued) PAC Options • Tunnel PAC Time To Live—The Time To Live (TTL) value restricts the lifetime of the PAC. Specify the lifetime value and units. The defaul ...

  • Cisco Systems CSACS3415K9 - page 290

    10-20 Step 3 Click Finish to save your changes to the access service. To enable an access service, you must add it to the service selection policy. Configuring Access Services Templates Use a service tem ...

  • Cisco Systems CSACS3415K9 - page 291

    10-21 Deleting an Access Service To delete an access service: Step 1 Select Access Policies > Access Services. The Access Services page appears with a list of configured services. Step 2 Check one or mo ...

  • Cisco Systems CSACS3415K9 - page 292

    10-22 Configuring Access Service Policies You configure access service policies after you create the access service: • Viewing Identity Policies, page 10-22 • Configuring Identity Policy Ru ...

  • Cisco Systems CSACS3415K9 - page 293

    10-23 In the rule-based policy, each rule contains one or more conditions and a result, which is the identity source to use for authentication. You can create, duplicate, edit, and delete rules wi ...

  • Cisco Systems CSACS3415K9 - page 294

    10-24 Viewing Rules-Based Identity Policies Select Access Policies > Access Services > service > Identity, where <service> is the name of the access service. By default, the Simple I ...

  • Cisco Systems CSACS3415K9 - page 295

    10-25 • Creating Policy Rules, page 10-38 • Duplicating a Rule, page 10-39 • Editing Policy Rules, page 10-39 • Deleting Policy Rules, page 10-40 For information about configuring an id ...

  • Cisco Systems CSACS3415K9 - page 296

    10-26 Table 10-11 Identity Rule Properties Page Option Description General Rule Name Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration ...

  • Cisco Systems CSACS3415K9 - page 297

    10-27 Configuring a Group Mapping Policy Configure a group mapping policy to map groups and attributes that are retrieved from external identity stores to ACS identity groups. When ACS processes a r ...

  • Cisco Systems CSACS3415K9 - page 298

    10-28 Step 2 Select an identity group. Step 3 Click Save Changes to save the policy. To configure a rule-based policy, see these topics: • Creating Policy Rules, page 10-38 • Duplicating a ...

  • Cisco Systems CSACS3415K9 - page 299

    10-29 • Deleting Policy Rules, page 10-40 Related Topics • Viewing Identity Policies, page 10-22 • Configuring a Session Authorization Policy for Network Access, page 10-30 • Configuring a ...

  • Cisco Systems CSACS3415K9 - page 300

    10-30 Configuring a Session Authorization Policy for Network Access When you create an access service for network access authorization, it creates a Session Authorization policy. You can then ...

  • Cisco Systems CSACS3415K9 - page 301

    10-31 Table 10-15 Network Access Authorization Policy Page Option Description Status Rule statuses are: • Enabled—The rule is active. • Disabled—ACS does not apply the results of the ru ...

  • Cisco Systems CSACS3415K9 - page 302

    10-32 Configuring Network Access Authorization Rule Properties Use this page to create, duplicate, and edit the rules to determine access permissions in a network access service. Step 1 Select Ac ...

  • Cisco Systems CSACS3415K9 - page 303

    10-33 Configuring Device Administration Authorization Policies A device administration authorization policy determines the authorizations and permissions for network administrators. You create ...

  • Cisco Systems CSACS3415K9 - page 304

    10-34 Configuring Device Administration Authorization Rule Properties Use this page to create, duplicate, and edit the rules to determine authorizations and permissions in a device administration ac ...

  • Cisco Systems CSACS3415K9 - page 305

    10-35 Configuring Shell/Command Authorization Policies for Device Administration When you create an access service and select a service policy structure for Device Administration, ACS automatic ...

  • Cisco Systems CSACS3415K9 - page 306

    10-36 To configure rules, see: • Creating Policy Rules, page 10-38 • Duplicating a Rule, page 10-39 • Editing Policy Rules, page 10-39 • Deleting Policy Rules, page 10-40 Configuring Au ...

  • Cisco Systems CSACS3415K9 - page 307

    10-37 To configure rules, see: • Creating Policy Rules, page 10-38 • Duplicating a Rule, page 10-39 • Editing Policy Rules, page 10-39 • Deleting Policy Rules, page 10-40 Related Topics ...

  • Cisco Systems CSACS3415K9 - page 308

    10-38 Creating Policy Rules When you create rules, remember that the order of the rules is important. When ACS encounters a match as it processes the request of a client that tries to access the ACS ...

  • Cisco Systems CSACS3415K9 - page 309

    10-39 Duplicating a Rule You can duplicate a rule if you want to create a new rule that is the same, or very similar to, an existing rule. The duplicate rule name is based on the original rule wi ...

  • Cisco Systems CSACS3415K9 - page 310

    10-40 Step 4 Click OK. The Policy page appears with the edited rule. Step 5 Click Save Changes to save the new configuration. Step 6 Click Discard Changes to cancel the edited information. Related ...

  • Cisco Systems CSACS3415K9 - page 311

    10-41 Configuring Compound Conditions Use compound conditions to define a set of conditions based on any attributes allowed in simple policy conditions. You define compound conditions in a policy ...

  • Cisco Systems CSACS3415K9 - page 312

    10-42 Note Dynamic attribute mapping is not applicable for ExternalGroups attribute of Type "String Enum" and "Time And Date" attribute of type "Date Time Period". ...

  • Cisco Systems CSACS3415K9 - page 313

    10-43 Figure 10-2 Compound Expression - Atomic Condition Single Nested Compound Condition Consists of a single operator followed by a set of predicates (>=2). The operator is applied betwe ...

  • Cisco Systems CSACS3415K9 - page 314

    10-44 Figure 10-4 Multiple Nested Compound Expression Compound Expression with Dynamic value You can select dynamic value to select another dictionary attribute to compare against the dictiona ...

  • Cisco Systems CSACS3415K9 - page 315

    10-45 Related Topics • Compound Condition Building Blocks, page 10-41 • Using the Compound Expression Builder, page 10-45 Using the Compound Expression Builder You construct compound conditions ...

  • Cisco Systems CSACS3415K9 - page 316

    10-46 Related Topics • Compound Condition Building Blocks, page 10-41 • Types of Compound Conditions, page 10-42 Security Group Access Control Pages This section contains the following topics: ...

  • Cisco Systems CSACS3415K9 - page 317

    10-47 Related Topic • Creating an Egress Policy, page 4-27 Editing a Cell in the Egress Policy Matrix Use this page to configure the policy for the selected cell. You can configure the SGA ...

  • Cisco Systems CSACS3415K9 - page 318

    10-48 NDAC Policy Page The Network Device Admission Control (NDAC) policy determines the SGT for network devices in a Security Group Access environment. The NDAC policy handles: • Peer aut ...

  • Cisco Systems CSACS3415K9 - page 319

    10-49 Related Topics: • Configuring an NDAC Policy, page 4-25 • NDAC Policy Properties Page, page 10-49 NDAC Policy Properties Page Use this page to create, duplicate, and edit rules to ...

  • Cisco Systems CSACS3415K9 - page 320

    10-50 Note For endpoint admission control, you must define an access service and session authorization policy. See Configuring Network Access Authorization Rule Properties, page 10-32 for infor ...

  • Cisco Systems CSACS3415K9 - page 321

    10-51 Network Device Access EAP-FAST Settings Page Use this page to configure parameters for the EAP-FAST protocol that the NDAC policy uses. To display this page, choose Access Policies > Security ...

  • Cisco Systems CSACS3415K9 - page 322

    10-52 Max Session User Settings You can configure maximum user sessions to impose a maximum session value for each user. To configure maximum user sessions: Step 1 Choose Access Policies > Max User Session Po ...

  • Cisco Systems CSACS3415K9 - page 323

    10-53 Unlimited is selected by default. Group level session is applied based on the hierarchy. For example: The group hierarchy is America:US:West:CA and the maximum sessions are as follows: • Amer ...

  • Cisco Systems CSACS3415K9 - page 324

    10-54 Related topics • Maximum User Sessions, page 10-51 • Max Session User Settings, page 10-52 • Max Session Group Settings, page 10-52 • Purging User Sessions, page 10-54 • Maximum User Session in ...

  • Cisco Systems CSACS3415K9 - page 325

    10-55 The Purge User Session page appears with a list of all AAA clients. Step 2 Select the AAA client for which you want to purge the user sessions. Step 3 Click Get Logged-in User List. A list of all the logged ...

  • Cisco Systems CSACS3415K9 - page 326

    10-56 Maximum User Session in Proxy Scenario Authentication and accounting requests should be sent to the same ACS server, else the Maximum Session feature will not work as desired. Related topics • Maximum Us ...

11-1 CHAPTER 11 Monitoring and Reporting in ACS The Monitoring and Reports drawer appears in the primary web interface window and contains the Launch Monitoring and Report Viewer option. The Monitoring and Report Viewer provides monitoring, reporting, and ...

11-2 Authentication Records and Details • Support for non-English characters (UTF-8)—You can have non-English characters in: – Syslog messages—Configurable attribute value, user name, and ACS named co ...

11-3 Dashboard Pages Note These tabs are customizable, and you can modify or delete the following tabs. • General—The General tab lists the following: – Five most recent alarms—When you click the name of the alar ...

11-4 Working with Portlets – Authentication Snapshot—Provides a snapshot of authentications in the graphical and tabular formats for up to the past 30 days. In the graphical representation, the field based on ...

11-5 Working with Portlets Figure 11-1 Portlets Top 5 Alarms and My Favorite Reports appear in separate windows. You can edit each of these portlets separately. To edit a portlet, click the edit button ( ) at the upp ...

11-6 Configuring Tabs in the Dashboard Related Topic • Dashboard Pages, page 11-2 • Running Authentication Lookup Report, page 11-6 Running Authentication Lookup Report When you run an Authentication Lookup report, ...

11-7 Configuring Tabs in the Dashboard Step 5 Click Add Page. A new tab of your choice is created. You can add the applications that you most frequently monitor in this tab. Adding Applications to Tabs To add an application t ...

11-8 Configuring Tabs in the Dashboard Changing the Dashboard Layout You can change the look and feel of the Dashboard. ACS provides you with nine different in-built layouts. To choose a different layout: Step 1 From ...

12-1 CHAPTER 12 Managing Alarms The Monitoring feature in ACS generates alarms to notify you of critical system conditions. The monitoring component retrieves data from ACS. You can configure thresholds and rules on this data to manage alarms. Alarm notifi ...

12-2 Understanding Alarms System Alarms System alarms notify you of critical conditions encountered during the execution of the ACS Monitoring and Reporting viewer. System alarms also provide informational status of system activities, such as ...

12-3 Viewing and Editing Alarms in Your Inbox Notifying Users of Events When a threshold is reached or a system alarm is generated, the alarm appears in the Alarms Inbox of the web interface. From this page, you can view the alarm de ...

12-4 Viewing and Editing Alarms in Your Inbox Time Display only. Indicates the time of the associated alarm generation in the format Ddd Mmm dd hh:mm:ss timezone yyyy, where: • Ddd = Sun, Mon, Tue, Wed, Thu, Fri, Sat. • Mmm = Jan, ...

12-5 Viewing and Editing Alarms in Your Inbox Configure the Incremental Backup data repository as a remote repository; otherwise the backup will fail and the incremental backup mode will be changed to off. Warning Configure Remote Repository ...

12-6 Viewing and Editing Alarms in Your Inbox Full Database Purge Backup failed: Exception Details Critical Incremental Backup Failed: Exception Details Critical Log Recovery Log Message Recovery failed: Exception Details Critical View Comp ...

12-7 Viewing and Editing Alarms in Your Inbox Note The Alarm for ACS database exceeding the quota is sent only when the total size of the ACS database exceeds the quota. Total size of ACS database = acs*.log + acs.db where acs*.log is ...

12-8 Viewing and Editing Alarms in Your Inbox Note ACS cannot be used as a remote syslog server. But you can use an external server as a syslog server. If you use an external server as a syslog server, no alarms can be generated in the ...

12-9 Understanding Alarm Schedules Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Deleting Alarm Thresholds, page 12-33 Understanding Alarm Schedules You can create alarm schedules to specify when a ...

12-10 Understanding Alarm Schedules Step 3 Click Submit to save the alarm schedule. The schedule that you create is added to the Schedule list box in the Threshold pages. Assigning Alarm Schedules to Thresholds When you create an alarm thres ...

12-11 Creating, Editing, and Duplicating Alarm Thresholds Deleting Alarm Schedules Note Before you delete an alarm schedule, ensure that it is not referenced by any thresholds that are defined in ACS. You cannot delete the default schedule ...

12-12 Creating, Editing, and Duplicating Alarm Thresholds Step 2 Do one of the following: • Click Create. • Check the check box next to the alarm that you want to duplicate, then click Duplicate. • Click the alarm name that you want ...

12-13 Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Configuring General Threshold Information, page 12-13 • Configuring Threshold Criteria, page 12-14 • Configuring Threshold Notifications, page 12-32 Config ...

12-14 Creating, Editing, and Duplicating Alarm Thresholds Configuring Threshold Criteria ACS 5.4 provides the following threshold categories to define different threshold criteria: • Passed Authentications, page 12-14 • Failed Authenticatio ...

12-15 Creating, Editing, and Duplicating Alarm Thresholds Note You can specify one or more filters to limit the passed authentications that are considered for threshold evaluation. Each filter is associated with a particular attribute in th ...

12-16 Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications ...

12-17 Creating, Editing, and Duplicating Alarm Thresholds An alarm is triggered because at least one Device IP has greater than 10 failed authentications in the past 2 hours. Note You can specify one or more filters to limit the failed ...

12-18 Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications ...

12-19 Creating, Editing, and Duplicating Alarm Thresholds The aggregation job begins at 00:05 hours every day. From 23:50 hours, up until the time the aggregation job completes, the authentication inactivity alarms are suppressed. ...

12-20 Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications ...

12-21 Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications ...

12-22 Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications ...

12-23 Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications ...

12-24 Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications ...

12-25 Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications ...

12-26 Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications ...

12-27 Creating, Editing, and Duplicating Alarm Thresholds Unknown NAD When ACS evaluates this threshold, it examines the RADIUS or TACACS+ failed authentications that have occurred during the specified time interval up to the previo ...

12-28 Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications ...

12-29 Creating, Editing, and Duplicating Alarm Thresholds You can specify one or more filters to limit the failed authentications that are considered for threshold evaluation. Each filter is associated with a particular attribute in ...

12-30 Creating, Editing, and Duplicating Alarm Thresholds If, in the past four hours, RBACL drops have occurred for two different source group tags as shown in the following table, an alarm is triggered, because at least one SGT has a ...

12-31 Creating, Editing, and Duplicating Alarm Thresholds NAD-Reported AAA Downtime When ACS evaluates this threshold, it examines the NAD-reported AAA down events that occurred during the specified interval up to the previous 24 hours. Th ...

12-32 Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications ...

12-33 Deleting Alarm Thresholds Related Topics • Viewing and Editing Alarms in Your Inbox, page 12-3 • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Deleting Alarm Thresholds, page 12-33 Deleting Alarm Thresho ...

12-34 Configuring System Alarm Settings Configuring System Alarm Settings System alarms are used to notify users of: • Errors that are encountered by the Monitoring and Reporting services • Information on data purging Use this page t ...

12-35 Understanding Alarm Syslog Targets Understanding Alarm Syslog Targets Alarm syslog targets are the destinations where alarm syslog messages are sent. The Monitoring and Report Viewer sends alarm notifications in the form of syslog message ...

12-36 Understanding Alarm Syslog Targets Step 4 Click Submit. Related Topics • Understanding Alarm Syslog Targets, page 12-35 • Deleting Alarm Syslog Targets, page 12-36 Deleting Alarm Syslog Targets Note You cannot delete the defa ...

13-1 CHAPTER 13 Managing Reports The Monitoring and Report Viewer component of ACS collects log and configuration data from various ACS servers in your deployment, aggregates it, and provides interactive reports that help you analyze the data. The Monitori ...

13-2 • Catalog—Monitoring and Reports > Reports > Catalog > <report_type> For easy access, you can add reports to your Favorites page, from which you can customize and delete reports. You can customize the re ...

13-3 Working with Favorite Reports This chapter describes in detail the following: • Working with Favorite Reports, page 13-3 • Sharing Reports, page 13-6 • Working with Catalog Reports, page 13-7 • Viewing Reports, page 13-20 ...

13-4 Working with Favorite Reports Step 5 Click Add to Favorite. The report is added to your Favorites page. Related Topics • Working with Favorite Reports, page 13-3 • Viewing Favorite-Report Parameters, page 13-4 • Editing ...

13-5 Working with Favorite Reports Editing Favorite Reports After you view the existing parameters in your favorite report, you can edit them. To edit the parameters in your favorite reports: Step 1 Choose Monitoring and Reports > Reports ...

13-6 Sharing Reports The report is generated in the page. Step 3 Click Launch Interactive Viewer for more options. Related Topics • Adding Reports to Your Favorites Page, page 13-3 • Viewing Favorite-Report Parameters, page 13- ...

13-7 Working with Catalog Reports Step 7 Click Save. The report is saved in your Shared folder and is available for all users. Note The shared reports that were created in older versions of ACS do not work after you upgrade an older ve ...

13-8 Working with Catalog Reports TACACS Authentication Provides TACACS+ authentication details for a selected time period. Passed authentications, failed attempts TACACS Authorization Provides TACACS+ authorization details for a ...

13-9 Working with Catalog Reports ACS Log Information Provides ACS log information for a particular log category and ACS server for a selected time period. All log categories ACS Operations Audit Provides all the operational changes d ...

13-10 Working with Catalog Reports Network Device Authentication Summary Provides the RADIUS and TACACS+ authentication summary information for a particular network device for a selected time period, along with the graphi ...

13-11 Working with Catalog Reports Running Catalog Reports To run a report that is in the Catalog: Step 1 Select Monitoring and Reports > Reports > Catalog > report_type, where report_type is the type of report you want ...

13-12 Working with Catalog Reports The available reports for the report type you selected are displayed with the information shown in Table 13-3. Step 2 Click the radio button next to the report name you want to run, then select one of th ...

13-13 Working with Catalog Reports Note You cannot delete system reports from the Reports > Catalog pages; you can delete customized reports only. Step 2 Check one or more check boxes next to the reports you want to delete, and click Del ...

13-14 Working with Catalog Reports Related Topics • Working with Catalog Reports, page 13-7 • Understanding the Report_Name Page, page 13-14 Understanding the Report_Name Page Note Not all options listed in Table 13-5 are used in se ...

13-15 Working with Catalog Reports Identity Group Enter an identity group name or click Select to enter a valid identity group name on which to run your report. Device Name Enter a device name or click Select to enter a valid device name on ...

13-16 Working with Catalog Reports Command Accounting Only Check the check box to enable your report to run for command accounting. Top Use the drop-down list box to select the number of top (most frequent) authentications by acce ...

13-17 Working with Catalog Reports Related Topics • Working with Catalog Reports, page 13-7 • Working with Favorite Reports, page 13-3 • Available Reports in the Catalog, page 13-7 • Running Catalog Reports, page 13-11 Enablin ...

13-18 Working with Catalog Reports Changing Authorization and Disconnecting Active RADIUS Sessions Note Some of the NADs in your deployment do not send an Accounting Stop or Accounting Off packet after a reload. As a result of this ...

13-19 Working with Catalog Reports Figure 13-3 CoA Options Step 4 Click Run to reauthenticate or disconnect the RADIUS session. If your change of authorization fails, it might be because of any of the following reasons: • Device does ...

13-20 Viewing Reports Note If you save the customized report with the same name as the original system report (overwriting the original system report), you cannot delete it. To restore a customized report to the default, preconfig ...

13-21 Viewing Reports About Standard Viewer From Standard Viewer, you can open a table of contents, navigate the report, export data to spreadsheet format, and print the report. You can click Launch Interactive Viewer to close Standa ...

13-22 Viewing Reports Figure 13-5 Context Menu for Labels in Interactive Viewer If the report contains a chart, you can use the context menu for charts, shown in Figure 13-6, to modify the chart's formatting, subtype, and other prop ...

13-23 Viewing Reports Using the Table of Contents In the viewer, you can open a table of contents to view the report structure and navigate the report. To open the table of contents, choose the table of contents button in the toolbar. ...

13-24 Viewing Reports Exporting Report Data The viewer supports the ability to export report data to an Excel spreadsheet as a comma-separated values (.csv) file, pipe-separated values (.psv) file, or a tab-separated values (.tsv) fi ...

13-25 Viewing Reports Figure 13-12 The Export Data Dialog Box Available Result Sets lists the tables in the report. Available Columns lists the columns you can export from the specified table. You can export any of the data the report us ...

13-26 Viewing Reports Printing Reports You can print a report that appears in the viewer in HTML or PDF format. Because you can modify the report in Interactive Viewer, Interactive Viewer supports printing either the original repo ...

13-27 Formatting Reports in Interactive Viewer Figure 13-13 Save Dialog Box Step 2 Navigate to the location where you want to save the file. Step 3 Type a file name and click Save. Step 4 Click OK in the confirmation message that appea ...

13-28 Formatting Reports in Interactive Viewer The text of a column header comes from the data source. If the data source displays column headers in capital letters with no spaces between words, the report design displays column hea ...

13-29 Formatting Reports in Interactive Viewer • Modify the font, color, style, and other properties of the text. • Specify that the column displays uppercase or lowercase. • Modify the default formatting of the data value in an agg ...

13-30 Formatting Reports in Interactive Viewer Formatting Data in Aggregate Rows An aggregate row displays a total, average, or other summary data for a column. You learn how to create an aggregate row in a later chapter. Figure 13- ...

13-31 Formatting Reports in Interactive Viewer Formatting Numeric Data Numeric data can take several forms. A column of postal codes requires different formatting from a column of sales figures. Figure 13-16 shows the numeric formats ...

13-32 Formatting Reports in Interactive Viewer The data type of a column is determined by the data source. Keep in mind that a text or string data type can contain numeric digits. A telephone number, for example, is frequently string ...

13-33 Formatting Reports in Interactive Viewer Formatting Custom Numeric Data To define a custom format, you use special symbols to construct a format pattern. A format pattern shows where to place currency symbols, thousands separators, ...

13-34 Formatting Reports in Interactive Viewer 415-555-2121 You can create custom formats for string data. Table 13-8 describes the symbols you can use to define custom string formats. Table 13-9 shows examples of custom string ...

13-35 Formatting Reports in Interactive Viewer Step 4 Click Apply. Formatting Date and Time The appearance of date and time data depends on the locale in which you are working. For example, the following date and time are correct for the U.S ...

13-36 Formatting Reports in Interactive Viewer To create a custom date or time format: Step 1 Select a date-and-time column, then click Format. The Date or Time column format window appears. Step 2 In Format Date or Time As ...

13-37 Formatting Reports in Interactive Viewer Figure 13-17 Specifying Display Values for True and False Applying Conditional Formats Conditional formatting changes the formatting of data when a certain condition is true. For example ...

  • Cisco Systems CSACS3415K9 - page 408

    13-38 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer After you create the condition, you set the format in which to display data that meets the condition. The format applies to the column in Select Column, not to the column you use to set the ...

  • Cisco Systems CSACS3415K9 - page 409

    13-39 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Figure 13-20 Two Comparison Value Fields Appear for the Between Operator The values for the comparison can be typed in directly or derived from the specified report column. Select Chang ...

  • Cisco Systems CSACS3415K9 - page 410

    13-40 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer To add additional conditional formatting rules, select Add Rule and repeat steps 3 and 4 for each new rule. Step 6 Click Apply. The report design appears with the specified conditional for ...

  • Cisco Systems CSACS3415K9 - page 411

    13-41 Chapter 13 Managing Reports Organizing Report Data Step 4 Click Apply. Setting and Removing Page Breaks in a Group Column In Interactive Viewer, if your report design has grouped data, you can set page breaks before or after the grouped data. Step 1 Selec ...

  • Cisco Systems CSACS3415K9 - page 412

    13-42 Chapter 13 Managing Reports Organizing Report Data Displaying and Organizing Report Data After you access a data source and select the data set to use, you determine the best way to display the data in a report. There are several ways to organize data sets: ...

  • Cisco Systems CSACS3415K9 - page 413

    13-43 Chapter 13 Managing Reports Organizing Report Data Figure 13-25 Report Displaying Customers Grouped by Country Step 2 Select Column > Move to Group Header. The Move to Group Header window appears, as shown in Figure 13-26. Figure 13-26 Move to Group Head ...

  • Cisco Systems CSACS3415K9 - page 414

    13-44 Chapter 13 Managing Reports Organizing Report Data Figure 13-27 Report Displaying Customer Name in Each Group Header Removing Columns To remove a column, select the column and click Delete. When you remove a column from the report, you are not deleting th ...

  • Cisco Systems CSACS3415K9 - page 415

    13-45 Chapter 13 Managing Reports Organizing Report Data Step 3 Select any items you want to hide or deselect any hidden items you want to display. To display all hidden items, click Clear. Step 4 Click Apply. Hiding Columns To hide or display columns: Step 1 Select ...

  • Cisco Systems CSACS3415K9 - page 416

    13-46 Chapter 13 Managing Reports Organizing Report Data Figure 13-29 Separate Columns In Figure 13-30, the data from these two columns is merged into one column. Figure 13-30 Merged Column To merge data in multiple columns: Step 1 Select and right-click the co ...

  • Cisco Systems CSACS3415K9 - page 417

    13-47 Chapter 13 Managing Reports Organizing Report Data Selecting a Column from a Merged Column You can aggregate, filter, and group data in a column that contains data that is merged from multiple columns. You must first select one of the columns on which to aggre ...

  • Cisco Systems CSACS3415K9 - page 418

    13-48 Chapter 13 Managing Reports Organizing Report Data When you sort multiple columns, it is important to understand the order of precedence for the sort. In Advanced Sort, the first column you select is the primary sorting column. Report data is sorted first by ...

  • Cisco Systems CSACS3415K9 - page 419

    13-49 Chapter 13 Managing Reports Organizing Report Data Grouping Data A report can contain a great deal of data. Consider the task of listing every item a corporation owns, along with information such as the purchase price, purchase date, inventory tag number, an ...

  • Cisco Systems CSACS3415K9 - page 420

    13-50 Chapter 13 Managing Reports Organizing Report Data Figure 13-33 Grouped Data You can group data in the report design editor or in Interactive Viewer. The changes you make in the viewer do not affect the report design. If you work in Enterprise mode, yo ...

  • Cisco Systems CSACS3415K9 - page 421

    13-51 Chapter 13 Managing Reports Organizing Report Data Step 2 From the context menu, select Group > Add Group. The Group Detail dialog box appears, as shown in Figure 13-35. Figure 13-35 Grouping Date or Time Data Step 3 To show every date or time value, l ...

  • Cisco Systems CSACS3415K9 - page 422

    13-52 Chapter 13 Managing Reports Organizing Report Data Step 2 From the context menu, select Group > Delete Inner Group. Creating Report Calculations Most reports require some sort of calculations to track sales, finances, inventory, and other critical busin ...

  • Cisco Systems CSACS3415K9 - page 423

    13-53 Chapter 13 Managing Reports Organizing Report Data Figure 13-38 Selecting a Function Understanding Supported Calculation Functions Table 13-11 provides examples of the functions you can use to create calculations. Note The Calculation dialog box does not suppor ...

  • Cisco Systems CSACS3415K9 - page 424

    13-54 Chapter 13 Managing Reports Organizing Report Data AND Combines two conditions and returns records that match both conditions. For example, you can request records from customers who spend more than $50,000 a year and also have a credit rank of A. This f ...

  • Cisco Systems CSACS3415K9 - page 425

    13-55 Chapter 13 Managing Reports Organizing Report Data False The Boolean False. This function is used in expressions to indicate that an argument is false. In the following example, False indicates that the second argument, ascending, is false and therefore th ...

  • Cisco Systems CSACS3415K9 - page 426

    13-56 Chapter 13 Managing Reports Organizing Report Data ISBOTTOMN(expr, n) Displays True if the value is within the lowest n values for the expression, and False otherwise. ISBOTTOMN([OrderTotals], 50) ISBOTTOMN(expr, n, groupLevel) Displays True if the val ...

  • Cisco Systems CSACS3415K9 - page 427

    13-57 Chapter 13 Managing Reports Organizing Report Data LIKE(str) Displays True if the values match, and False otherwise. Use SQL syntax to specify the string pattern. The following rules apply: • Literal pattern characters must match exactly. LIKE is case-sensitive ...

  • Cisco Systems CSACS3415K9 - page 428

    13-58 Chapter 13 Managing Reports Organizing Report Data OR The logical OR operator. This function is used to connect clauses in an expression and does not take arguments. PERCENTILE(expr, pct) Displays a percentile value, a value on a scale of 100 that indicates ...

  • Cisco Systems CSACS3415K9 - page 429

    13-59 Chapter 13 Managing Reports Organizing Report Data ROUNDDOWN(num) Rounds a number down. ROUNDDOWN([StockPrice]) ROUNDDOWN(num, dec) Rounds a number down, away from 0, to the specified number of digits. The default value for dec is 0. ROUNDDOWN([StockPrice], ...

  • Cisco Systems CSACS3415K9 - page 430

    13-60 Chapter 13 Managing Reports Organizing Report Data WEEKDAY(date, option) Displays the day of the week in one of the following format options: • 1 - Returns the day number, from 1 (Sunday) through 7 (Saturday). 1 is the default option. • 2 - Returns th ...

  • Cisco Systems CSACS3415K9 - page 431

    13-61 Chapter 13 Managing Reports Organizing Report Data Understanding Supported Operators Table 13-12 describes the mathematical and logical operators you can use in writing expressions that create calculated columns. Using Numbers and Dates in an Expression Wh ...

  • Cisco Systems CSACS3415K9 - page 432

    13-62 Chapter 13 Managing Reports Organizing Report Data Using Multiply Values in Calculated Columns To use multiply values in calculated columns: Step 1 Select a column. In the report, the new calculated column appears to the right of the column you select. Step ...

  • Cisco Systems CSACS3415K9 - page 433

    13-63 Chapter 13 Managing Reports Organizing Report Data Step 7 For the second argument, type the number of days to add. In this case, type 7. Step 8 Validate the expression, then click Apply. The new calculated column appears in the report. For every value ...

  • Cisco Systems CSACS3415K9 - page 434

    13-64 Chapter 13 Managing Reports Organizing Report Data Figure 13-39 Aggregate Row for a Group Table 13-13 shows the aggregate functions that you can use. Table 13-13 Aggregate Functions Aggregate functions Description Average Calculates the average ...

  • Cisco Systems CSACS3415K9 - page 435

    13-65 Chapter 13 Managing Reports Organizing Report Data Creating an Aggregate Data Row To create an aggregate data row: Step 1 Select a column, then select Aggregation. The Aggregation dialog box appears. The name of the column you selected is listed in the Selecte ...

  • Cisco Systems CSACS3415K9 - page 436

    13-66 Chapter 13 Managing Reports Organizing Report Data Adding Additional Aggregate Rows After you create a single aggregate row for a column, you can add up to two more aggregate rows for the same column. For an item total column, for example, you can create a ...

  • Cisco Systems CSACS3415K9 - page 437

    13-67 Chapter 13 Managing Reports Hiding and Filtering Report Data Deleting Aggregate Rows To delete an aggregate row: Step 1 Select the calculated column that contains the aggregation you want to remove, then select Aggregation. The Aggregation dialog box ...

  • Cisco Systems CSACS3415K9 - page 438

    13-68 Chapter 13 Managing Reports Hiding and Filtering Report Data Figure 13-43 Suppressed Values You can suppress duplicate values to make your report easier to read. You can suppress only consecutive occurrences of duplicate values. In the Location col ...

  • Cisco Systems CSACS3415K9 - page 439

    13-69 Chapter 13 Managing Reports Hiding and Filtering Report Data Figure 13-44 Group Detail Rows Displayed Figure 13-45 shows the results of hiding the detail rows for the creditrank grouping. Figure 13-45 Group Detail Rows Hidden • To collapse a group or sec ...

  • Cisco Systems CSACS3415K9 - page 440

    13-70 Chapter 13 Managing Reports Hiding and Filtering Report Data Types of Filter Conditions Table 13-15 describes the types of filter conditions and provides examples of how filter conditions are translated into instructions to the data source. Bottom N Returns ...

  • Cisco Systems CSACS3415K9 - page 441

    13-71 Chapter 13 Managing Reports Hiding and Filtering Report Data Setting Filter Values After you choose a condition, you set a filter value. Step 1 To view all the values for the selected column, select Select Values. Additional fields appear in the Filter dial ...

  • Cisco Systems CSACS3415K9 - page 442

    13-72 Chapter 13 Managing Reports Hiding and Filtering Report Data Figure 13-46 Selecting a Filter Value in Interactive Viewer Step 2 To search for a value, type the value in the Find Value field, then click Find. All values that match your filter text ...

  • Cisco Systems CSACS3415K9 - page 443

    13-73 Chapter 13 Managing Reports Hiding and Filtering Report Data Step 3 From the Condition pulldown menu, select a condition. Table 13-14 describes the conditions you can select. • If you select Between or Not Between, Value From and Value To, ...

  • Cisco Systems CSACS3415K9 - page 444

    13-74 Chapter 13 Managing Reports Hiding and Filtering Report Data Figure 13-47 The Advanced Filter Dialog Box in Interactive Viewer Advanced Filter provides a great deal of flexibility in setting the filter value. For conditions that test equality and for t ...

  • Cisco Systems CSACS3415K9 - page 445

    13-75 Chapter 13 Managing Reports Hiding and Filtering Report Data Step 7 Validate the filter syntax by clicking Validate. You have now created a filter with one condition. The next step is to add conditions. Step 8 Follow steps Step 3 to Step 7 to create each ...

  • Cisco Systems CSACS3415K9 - page 446

    13-76 Chapter 13 Managing Reports Understanding Charts Step 2 From the Filter pulldown menu, select a particular number of rows or a percentage of rows, as shown in Figure 13-48. Step 3 Enter a value in the field next to the Filter pulldown menu to specify the ...

  • Cisco Systems CSACS3415K9 - page 447

    13-77 Chapter 13 Managing Reports Understanding Charts Figure 13-49 Parts of a Basic Bar Chart There are a variety of chart types. Some types of data are best depicted with a specific type of chart. Charts can be used as reports in themselves and they can be used ...

  • Cisco Systems CSACS3415K9 - page 448

    13-78 Chapter 13 Managing Reports Understanding Charts Changing Chart Subtype charts have subtypes, which you can change as needed: • Bar chart—Side-by-Side, Stacked, Percent Stacked • Line chart—Overlay, Stacked, Percent Stacked • Area chart—Overl ...

  • Cisco Systems CSACS3415K9 - page 449

    13-79 Chapter 13 Managing Reports Understanding Charts Figure 13-50 Chart Formatting Options You use this page to: • Edit and format the default chart title. • Edit and format the default title for the category, or x-, axis. • Modify settings for the label ...

  • Cisco Systems CSACS3415K9 - page 450

    13-80 Chapter 13 Managing Reports Understanding Charts ...

  • Cisco Systems CSACS3415K9 - page 451

    14-1 CHAPTER 14 Troubleshooting ACS with the Monitoring and Report Viewer This chapter describes the diagnostic and troubleshooting tools that the Monitoring and Report Viewer provides for the Cisco Secure Access Control System. This chapter contains the foll ...

  • Cisco Systems CSACS3415K9 - page 452

    14-2 Chapter 14 Troubleshooting ACS with the Monitoring and Report Viewer Available Diagnostic and Troubleshooting Tools Support bundles typically contain the ACS database, log files, core files, and Monitoring and Report Viewer support files. You can exclude cert ...

  • Cisco Systems CSACS3415K9 - page 453

    14-3 Chapter 14 Troubleshooting ACS with the Monitoring and Report Viewer Performing Connectivity Tests Performing Connectivity Tests You can test your connectivity to a network device with the device's hostname or IP address. For example, you can verify your conn ...

  • Cisco Systems CSACS3415K9 - page 454

    14-4 Chapter 14 Troubleshooting ACS with the Monitoring and Report Viewer Downloading ACS Support Bundles for Diagnostic Information Related Topics • Available Diagnostic and Troubleshooting Tools, page 14-1 • Connectivity Tests, page 14-1 • ACS Support Bu ...

  • Cisco Systems CSACS3415K9 - page 455

    14-5 Chapter 14 Troubleshooting ACS with the Monitoring and Report Viewer Downloading ACS Support Bundles for Diagnostic Information • Include local logs—Check this check box to include local logs, then click All, or click Recent and enter a value from 1 to 999 in t ...

  • Cisco Systems CSACS3415K9 - page 456

    14-6 Chapter 14 Troubleshooting ACS with the Monitoring and Report Viewer Working with Expert Troubleshooter Working with Expert Troubleshooter The following sections describe how to use the Expert Troubleshooter diagnostic tools: • Troubleshooting RADIUS Authen ...

  • Cisco Systems CSACS3415K9 - page 457

    14-7 Chapter 14 Troubleshooting ACS with the Monitoring and Report Viewer Working with Expert Troubleshooter Step 4 Click Search to display the RADIUS authentications that match your search criteria. The Search Result table is populated with the results of your search ...

  • Cisco Systems CSACS3415K9 - page 458

    14-8 Chapter 14 Troubleshooting ACS with the Monitoring and Report Viewer Working with Expert Troubleshooter The Expert Troubleshooter begins to troubleshoot your RADIUS authentication. The Monitoring and Report Viewer prompts you for additional input, if requir ...

  • Cisco Systems CSACS3415K9 - page 459

    14-9 Chapter 14 Troubleshooting ACS with the Monitoring and Report Viewer Working with Expert Troubleshooter Step 8 Click Done to return to the Expert Troubleshooter. The Progress Details page refreshes periodically to display the tasks that are performed as troubleshootin ...

  • Cisco Systems CSACS3415K9 - page 460

    14-10 Chapter 14 Troubleshooting ACS with the Monitoring and Report Viewer Working with Expert Troubleshooter Executing the Show Command on a Network Device The Execute Network Device Command diagnostic tool allows you to run any show command on a network device from t ...

  • Cisco Systems CSACS3415K9 - page 461

    14-11 Chapter 14 Troubleshooting ACS with the Monitoring and Report Viewer Working with Expert Troubleshooter Step 3 Click Run. The Progress Details page appears. The Monitoring and Report Viewer prompts you for additional input. Step 4 Click the User Input Required butt ...

  • Cisco Systems CSACS3415K9 - page 462

    14-12 Chapter 14 Troubleshooting ACS with the Monitoring and Report Viewer Working with Expert Troubleshooter Comparing SGACL Policy Between a Network Device and ACS For Security Group Access-enabled devices, ACS assigns an SGACL for every source SGT-destination SGT pa ...

  • Cisco Systems CSACS3415K9 - page 463

    14-13 Chapter 14 Troubleshooting ACS with the Monitoring and Report Viewer Working with Expert Troubleshooter Use this diagnostic tool to compare the SXP-IP mappings between a device and its peers. To do this: Step 1 Choose Monitoring and Reports > Troubleshooting > ...

  • Cisco Systems CSACS3415K9 - page 464

    14-14 Chapter 14 Troubleshooting ACS with the Monitoring and Report Viewer Working with Expert Troubleshooter Step 4 Click SXP-IP Mappings from the list of troubleshooting tools. The Expert Troubleshooter page refreshes and shows the following field: Network Device IP ...

  • Cisco Systems CSACS3415K9 - page 465

    14-15 Chapter 14 Troubleshooting ACS with the Monitoring and Report Viewer Working with Expert Troubleshooter Step 10 Click Show Results Summary to view the diagnosis and resolution steps. The Results Summary page appears with the information described in Table 14- ...

  • Cisco Systems CSACS3415K9 - page 466

    14-16 Chapter 14 Troubleshooting ACS with the Monitoring and Report Viewer Working with Expert Troubleshooter Step 6 Click Show Results Summary to view the diagnosis and resolution steps. Related Topics • Available Diagnostic and Troubleshooting Tools, page 14-1 • ...

  • Cisco Systems CSACS3415K9 - page 467

    14-17 Chapter 14 Troubleshooting ACS with the Monitoring and Report Viewer Working with Expert Troubleshooter Step 3 Click Run. The Progress Details page appears with a summary. Step 4 Click Show Results Summary to view the results of device SGT comparison. The Resu ...

  • Cisco Systems CSACS3415K9 - page 468

    14-18 Chapter 14 Troubleshooting ACS with the Monitoring and Report Viewer Working with Expert Troubleshooter ...

  • Cisco Systems CSACS3415K9 - page 469

    15-1 CHAPTER 15 Managing System Operations and Configuration in the Monitoring and Report Viewer This chapter describes the tasks that you must perform to configure and administer the Monitoring and Report Viewer. The Monitoring Configuration drawer allows you ...

  • Cisco Systems CSACS3415K9 - page 470

    15-2 Chapter 15 Managing System Operations and Configuration in the Monitoring and Report Viewer • Configure and edit failure reasons—The Monitoring and Report Viewer allows you to configure the description of the failure reason code and provide instruction ...

  • Cisco Systems CSACS3415K9 - page 471

    15-3 Chapter 15 Managing System Operations and Configuration in the Monitoring and Report Viewer Configuring Data Purging and Incremental Backup • Configuring System Alarm Settings, page 15-18 • Configuring Alarm Syslog Targets, page 15-18 • Configuring Re ...

  • Cisco Systems CSACS3415K9 - page 472

    15-4 Chapter 15 Managing System Operations and Configuration in the Monitoring and Report Viewer Configuring Data Purging and Incremental Backup If you enable incremental backup, data is purged daily at 4:00 a.m. at the local time zone where the ACS instance t ...

  • Cisco Systems CSACS3415K9 - page 473

    15-5 Chapter 15 Managing System Operations and Configuration in the Monitoring and Report Viewer Configuring Data Purging and Incremental Backup only the log collector services during compress operation and will be up and running after the compress operatio ...

  • Cisco Systems CSACS3415K9 - page 474

    15-6 Chapter 15 Managing System Operations and Configuration in the Monitoring and Report Viewer Configuring Data Purging and Incremental Backup From the Monitoring and Report Viewer, select Monitoring Configuration > System Operations > Data Management > ...

  • Cisco Systems CSACS3415K9 - page 475

    15-7 Chapter 15 Managing System Operations and Configuration in the Monitoring and Report Viewer Restoring Data from a Backup Configuring NFS Staging If the utilization of /opt exceeds 30 percent, then you are required to use NFS staging with a remote repository in or ...

  • Cisco Systems CSACS3415K9 - page 476

    15-8 Chapter 15 Managing System Operations and Configuration in the Monitoring and Report Viewer Viewing Log Collections Step 2 Choose a backup file that you want to restore. Note If you choose an incremental backup file to restore, ACS restores all previously as ...

  • Cisco Systems CSACS3415K9 - page 477

    15-9 Chapter 15 Managing System Operations and Configuration in the Monitoring and Report Viewer Viewing Log Collections Related Topic Log Collection Details Page, page 15-10 Table 15-3 Log Collection Page Option Description ACS Server Name of the ACS server. Clic ...

  • Cisco Systems CSACS3415K9 - page 478

    15-10 Chapter 15 Managing System Operations and Configuration in the Monitoring and Report Viewer Viewing Log Collections Log Collection Details Page Use this page to view the recently collected log names for an ACS server. Step 1 From the Monitoring and Report Vie ...

  • Cisco Systems CSACS3415K9 - page 479

    15-11 Chapter 15 Managing System Operations and Configuration in the Monitoring and Report Viewer Viewing Log Collections Related Topic • Viewing Log Collections, page 15-8 Table 15-4 Log Collection Details Page Option Description Log Name Name of the log file. La ...

  • Cisco Systems CSACS3415K9 - page 480

    15-12 Chapter 15 Managing System Operations and Configuration in the Monitoring and Report Viewer Recovering Log Messages Recovering Log Messages ACS server sends syslog messages to the Monitoring and Report Viewer for the activities such as passed authentication, ...

  • Cisco Systems CSACS3415K9 - page 481

    15-13 Chapter 15 Managing System Operations and Configuration in the Monitoring and Report Viewer Viewing Scheduled Jobs Note When you change any schedule through the ACS web interface, for the new schedule to take effect, you must manually restart the Job Mana ...

  • Cisco Systems CSACS3415K9 - page 482

    15-14 Chapter 15 Managing System Operations and Configuration in the Monitoring and Report Viewer Viewing Process Status Viewing Process Status Use this page to view the status of processes running in your ACS environment. From the Monitoring and Report Viewer, se ...

  • Cisco Systems CSACS3415K9 - page 483

    15-15 Chapter 15 Managing System Operations and Configuration in the Monitoring and Report Viewer Viewing Data Upgrade Status Viewing Data Upgrade Status After you upgrade to ACS 5.4, ensure that the Monitoring and Report Viewer database upgrade is complete. Y ...

  • Cisco Systems CSACS3415K9 - page 484

    15-16 Chapter 15 Managing System Operations and Configuration in the Monitoring and Report Viewer Specifying E-Mail Settings Related Topic Viewing Failure Reasons, page 15-15 Specifying E-Mail Settings Use this page to specify the e-mail server and administrator e ...

  • Cisco Systems CSACS3415K9 - page 485

    15-17 Chapter 15 Managing System Operations and Configuration in the Monitoring and Report Viewer Understanding Collection Filters Understanding Collection Filters You can create collection filters that allow you to filter and drop syslog events that are not used for ...

  • Cisco Systems CSACS3415K9 - page 486

    15-18 Chapter 15 Managing System Operations and Configuration in the Monitoring and Report Viewer Configuring System Alarm Settings Step 3 Click Submit. Related Topics • Creating and Editing Collection Filters, page 15-17 • Deleting Collection Filters, page 15-1 ...

  • Cisco Systems CSACS3415K9 - page 487

    15-19 Chapter 15 Managing System Operations and Configuration in the Monitoring and Report Viewer Configuring Remote Database Settings Note ACS does not support remote database with cluster setup. To configure a remote database: Step 1 From the Monitoring and Rep ...

  • Cisco Systems CSACS3415K9 - page 488

    15-20 Chapter 15 Managing System Operations and Configuration in the Monitoring and Report Viewer Configuring Remote Database Settings Note You can view the status of your export job in the Scheduler. See Viewing Scheduled Jobs, page 15-12 for more informati ...

  • Cisco Systems CSACS3415K9 - page 489

    16-1 CHAPTER 16 Managing System Administrators System administrators are responsible for deploying, configuring, maintaining, and monitoring the ACS servers in your network. They can perform various operations in ACS through the ACS administrative interface. ...

  • Cisco Systems CSACS3415K9 - page 490

    16-2 Understanding Administrator Roles and Accounts • Configure administrator session setting • Configure administrator access setting The first time you log in to ACS 5.4, you are prompted for the predefined adminis ...

  • Cisco Systems CSACS3415K9 - page 491

    16-3 Configuring System Administrators and Accounts When these steps are completed, defined administrators can log in and start working in the system. Understanding Authentication An authentication request is the first ope ...

  • Cisco Systems CSACS3415K9 - page 492

    16-4 Understanding Roles • Dynamic Role assignment—Roles are assigned based on the rules in the AAC authorization policy. Assigning Static Roles ACS 5.4 allows you to assign the administrator roles statically to an inter ...

  • Cisco Systems CSACS3415K9 - page 493

    16-5 Understanding Roles Predefined Roles Table 16-1 shows the predefined roles included in ACS: Table 16-1 Predefined Role Descriptions Role Privileges Change Admin Password This role is intended for ACS administrators w ...

  • Cisco Systems CSACS3415K9 - page 494

    16-6 Understanding Roles Note At first login, only the Super Admin is assigned to a specific administrator. Related Topics • Administrator Accounts and Role Association • Creating, Duplicating, Editing, and Deleting Adminis ...

  • Cisco Systems CSACS3415K9 - page 495

    16-7 Creating, Duplicating, Editing, and Deleting Administrator Accounts Only appropriate administrators can configure identities and certificates. The identities configured in the System Administration drawer are available ...

  • Cisco Systems CSACS3415K9 - page 496

    16-8 Creating, Duplicating, Editing, and Deleting Administrator Accounts Step 2 Do any of the following: • Click Create. • Check the check box next to the account that you want to duplicate and click Duplicate. • C ...

  • Cisco Systems CSACS3415K9 - page 497

    16-9 Viewing Predefined Roles Step 4 Click Submit. The new account is saved. The Administrators page appears, with the new account that you created or duplicated. Related Topics • Understanding Roles, page 16-3 • Admin ...

  • Cisco Systems CSACS3415K9 - page 498

    16-10 Configuring Authentication Settings for Administrators Choose System Administration > Administrators > Roles. The Roles page appears with a list of predefined roles. Table 16-4 describes the Roles page fields. ...

  • Cisco Systems CSACS3415K9 - page 499

    16-11 Configuring Authentication Settings for Administrators The Password Policies page appears with the Password Complexity and Advanced tabs. Step 2 In the Password Complexity tab, check each check box that you want ...

  • Cisco Systems CSACS3415K9 - page 500

    16-12 Configuring Session Idle Timeout Note ACS automatically deactivates or disables your account based on your last login, last password change, or number of login retries. The CLI and PI user accounts are block ...

  • Cisco Systems CSACS3415K9 - page 501

    16-13 Configuring Administrator Access Settings Step 1 Choose System Administration > Administrators > Settings > Session. The GUI Session page appears. Step 2 Enter the Session Idle Timeout value in minutes. Valid valu ...

  • Cisco Systems CSACS3415K9 - page 502

    16-14 Working with Administrative Access Control Step 1 Choose System Administration > Administrators > Settings > Access. The IP Addresses Filtering page appears. Step 2 Click Reject connections from listed IP addresses ra ...

  • Cisco Systems CSACS3415K9 - page 503

    16-15 Working with Administrative Access Control The AAC service processes these two policies in a sequence. You need to configure both the Administrator identity policy and the Administrator authorization policy. The de ...

  • Cisco Systems CSACS3415K9 - page 504

    16-16 Working with Administrative Access Control In cases where Deny Access is selected as the result, the access of the administrator is denied. In a rule-based policy, each rule contains one or more conditions and a result, ...

  • Cisco Systems CSACS3415K9 - page 505

    16-17 Working with Administrative Access Control To configure a rule-based policy, see these topics: • Creating Policy Rules, page 10-38 • Duplicating a Rule, page 10-39 • Editing Policy Rules, page 10-39 • Deleti ...

  • Cisco Systems CSACS3415K9 - page 506

    16-18 Working with Administrative Access Control Configuring Identity Policy Rule Properties You can create, duplicate, or edit an identity policy rule to determine the identity databases that are used to authenticate the admin ...

  • Cisco Systems CSACS3415K9 - page 507

    16-19 Working with Administrative Access Control Administrator Authorization Policy The authorization policy in the Administrative Access Control is used for dynamically assigning roles to administrators upon login. The role ...

  • Cisco Systems CSACS3415K9 - page 508

    16-20 Working with Administrative Access Control Configuring Administrator Authorization Rule Properties Use this page to create, duplicate, and edit the rules to determine administrator roles in the AAC access service. Select Sy ...

  • Cisco Systems CSACS3415K9 - page 509

    16-21 Working with Administrative Access Control Administrator Login Process When an administrator logs in to the ACS web interface, ACS 5.4 performs the authentication as given below. If an administrator account is con ...

  • Cisco Systems CSACS3415K9 - page 510

    16-22 Resetting the Administrator Password Note If the administrator password on the AD or LDAP server is expired or reset, then ACS denies the administrator access to the web interface. Resetting the Administrator Passwo ...

  • Cisco Systems CSACS3415K9 - page 511

    16-23 Changing the Administrator Password The administrator password is created. You can also use the acs reset-password command to reset your ACSAdmin account password. For more information on this command, refer to http:// ...

  • Cisco Systems CSACS3415K9 - page 512

    16-24 Changing the Administrator Password ...

  • Cisco Systems CSACS3415K9 - page 513

    17-1 CHAPTER 17 Configuring System Operations You can configure and deploy ACS instances so that one ACS instance becomes the primary instance and the other ACS instances can be registered to the primary as secondary instances. An ACS instance represents A ...

  • Cisco Systems CSACS3415K9 - page 514

    17-2 • Using the Deployment Operations Page to Create a Local Mode Instance, page 17-23 Understanding Distributed Deployment You can configure multiple ACS servers in a deployment. Wi ...

  • Cisco Systems CSACS3415K9 - page 515

    17-3 Understanding Distributed Deployment ACS 5.4 supports one primary and twenty secondary servers in a large ACS deployment. The medium ACS deployment consists of one primary and twelve secondary servers. Also, all ACS ...

  • Cisco Systems CSACS3415K9 - page 516

    17-4 Understanding Distributed Deployment Removing Secondary Servers To permanently remove a secondary server from a deployment, you must first deregister the secondary server and then delete it from the primary. You ...

  • Cisco Systems CSACS3415K9 - page 517

    17-5 Understanding Distributed Deployment When the connection to the primary server resumes, you can reconnect the disconnected secondary instance in Local Mode to the primary server. From the secondary instance in Lo ...

  • Cisco Systems CSACS3415K9 - page 518

    17-6 Scheduled Backups Step 3 You must activate the secondary server on the primary, either automatically or by issuing a manual request. Related Topics • Viewing and Editing a Primary Instance, page 17-9 • Viewing and E ...

  • Cisco Systems CSACS3415K9 - page 519

    17-7 Scheduled Backups Step 2 Click Submit to schedule the backup. Related Topic Backing Up Primary and Secondary Instances, page 17-8 Table 17-2 Scheduled Backups Page Option Description Backup Data Filename created by b ...

  • Cisco Systems CSACS3415K9 - page 520

    17-8 Backing Up Primary and Secondary Instances ACS provides you the option to back up the primary and secondary instances at any time apart from the regular scheduled backups. For a ...

  • Cisco Systems CSACS3415K9 - page 521

    17-9 Synchronizing Primary and Secondary Instances After Backup and Restore When you specify that a system backup is restored on a primary instance, t ...

  • Cisco Systems CSACS3415K9 - page 522

    17-10 Editing Instances Table 17-4 Distributed System Management Page Option Description Primary Instance Name Hostname of the primary instance. IP Address IP address of the primary instance. Online Status Indicates if ...

  • Cisco Systems CSACS3415K9 - page 523

    17-11 Editing Instances Step 2 From the Primary Instance table, click the primary instance that you want to modify, or check the Name check box and click Edit. Step 3 Complete the fields in the Distributed System Management ...

  • Cisco Systems CSACS3415K9 - page 524

    17-12 Editing Instances Step 4 Click Submit. The Primary Instance table on the Distributed System Management page appears with the edited primary instance. Related Topics • Replicating a Secondary Instance from a Primary I ...

  • Cisco Systems CSACS3415K9 - page 525

    17-13 Editing Instances Viewing and Editing a Secondary Instance To edit a secondary instance: Step 1 Choose System Administration > Operations > Distributed System Management. The Distributed System Management page app ...

  • Cisco Systems CSACS3415K9 - page 526

    17-14 Activating a Secondary Instance To activate a secondary instance: Step 1 Choose System Administration > Operations > Distributed System Management. The Distributed System Managemen ...

  • Cisco Systems CSACS3415K9 - page 527

    17-15 Registering a Secondary Instance to a Primary Instance. Table 17-6 System Operations: Deployment Operations Page Option Description Instance Status Current Status Identifies the instance of the node you log into ...

  • Cisco Systems CSACS3415K9 - page 528

    17-16 Registering a Secondary Instance to a Primary Instance Step 3 Specify the appropriate values in the Registration Section. Step 4 Click Register to Primary. The following warning message is displayed. This operation ...

  • Cisco Systems CSACS3415K9 - page 529

    17-17 Deregistering Secondary Instances from the Distributed System Management Page To deregister secondary instances from the Distributed System Mana ...

  • Cisco Systems CSACS3415K9 - page 530

    17-18 Promoting a Secondary Instance from the Distributed System Management Page The system displays the following warning message: This operation will deregister this server as a secondary with the primary server. ACS wi ...

  • Cisco Systems CSACS3415K9 - page 531

    17-19 Promoting a Secondary Instance from the Deployment Operations Page To promote a secondary instance to a primary instance from the Deployment Operati ...

  • Cisco Systems CSACS3415K9 - page 532

    17-20 Replicating a Secondary Instance from a Primary Instance Replicating a Secondary Instance from the Distributed System Management Page Note All ACS appliances must be in sync with the AD domain clock. To replicate a s ...

  • Cisco Systems CSACS3415K9 - page 533

    17-21 Replicating a Secondary Instance from a Primary Instance The Distributed System Management page appears. On the Secondary Instance table, the Replication Status column shows UPDATED. Replication is complete on the sec ...

  • Cisco Systems CSACS3415K9 - page 534

    17-22 Replicating a Secondary Instance from a Primary Instance Failover ACS 5.4 allows you to configure multiple ACS instances for a deployment scenario. Each deployment can have one primary and multiple secondary ACS se ...

  • Cisco Systems CSACS3415K9 - page 535

    17-23 Using the Deployment Operations Page to Create a Local Mode Instance Cleanup.. ..... Starting ACS .... The database on the primary server is restored successfully. Now, you can observe that all secondary servers in the d ...

  • Cisco Systems CSACS3415K9 - page 536

    17-24 Using the Deployment Operations Page to Create a Local Mode Instance You can use the configuration information on the ACS Configuration Audit report to manually restore the configuration information for this instance. ...

  • Cisco Systems CSACS3415K9 - page 537

    17-25 Using the Deployment Operations Page to Create a Local Mode Instance Step 4 Click Submit. The new software repository is saved. The Software Repository page appears, with the new software repository that you ...

  • Cisco Systems CSACS3415K9 - page 538

    17-26 Using the Deployment Operations Page to Create a Local Mode Instance ...

  • Cisco Systems CSACS3415K9 - page 539

    18-1 CHAPTER 18 Managing System Administration Configurations After you install Cisco Secure ACS, you must configure and administer it to manage your network efficiently. The ACS web interface allows you to easily configure ACS to perform various operations. F ...

  • Cisco Systems CSACS3415K9 - page 540

    18-2 Configuring Global System Options Configuring EAP-TLS Settings Use the EAP-TLS Settings page to configure EAP-TLS runtime characteristics. Select System Administration > Configuration > Global Syst ...

  • Cisco Systems CSACS3415K9 - page 541

    18-3 Configuring Global System Options Configuring PEAP Settings Use the PEAP Settings page to configure PEAP runtime characteristics. Select System Administration > Configuration > Global System Options > ...

  • Cisco Systems CSACS3415K9 - page 542

    18-4 Configuring RSA SecurID Prompts Generating EAP-FAST PAC Use the EAP-FAST Generate PAC page to generate a user or machine PAC. Step 1 Select System Administration > Configuration > Global System ...

  • Cisco Systems CSACS3415K9 - page 543

    18-5 Managing Dictionaries Step 3 Click Submit to configure the RSA SecurID Prompts. Managing Dictionaries The following tasks are available when you select System Administration > Configuration > Dicti ...

  • Cisco Systems CSACS3415K9 - page 544

    18-6 Managing Dictionaries • RADIUS (Cisco BBSM) • RADIUS (Cisco VPN 3000) • RADIUS (Cisco VPN 5000) • RADIUS (Juniper) • RADIUS (Nortel [Bay Networks]) • RADIUS (Red Creek) • RADIUS (US Roboti ...

  • Cisco Systems CSACS3415K9 - page 545

    18-7 Managing Dictionaries • Click Create. • Check the check box next to the RADIUS VSA that you want to duplicate, then click Duplicate. • Check the check box next to the RADIUS VSA that you want ...

  • Cisco Systems CSACS3415K9 - page 546

    18-8 Managing Dictionaries Table 18-9 Creating, Duplicating, and Editing RADIUS Subattributes Option Description General Attribute Name of the subattribute. The name must be unique. Description (Option ...

  • Cisco Systems CSACS3415K9 - page 547

    18-9 Managing Dictionaries Step 4 Click Submit to save the subattribute. Viewing RADIUS Vendor-Specific Subattributes To view the attributes that are supported by a particular RADIUS vendor: Step 1 Choose Sys ...

  • Cisco Systems CSACS3415K9 - page 548

    18-10 Managing Dictionaries Related Topic Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes, page 18-6 Configuring Identity Dictionaries This section contains the following topics: ...

  • Cisco Systems CSACS3415K9 - page 549

    18-11 Managing Dictionaries Configuring Internal Identity Attributes Table 18-10 describes the fields in the internal < users | hosts > identity attributes. Table 18-10 Identity Attribute Properties Pag ...

  • Cisco Systems CSACS3415K9 - page 550

    18-12 Managing Dictionaries Deleting an Internal User Identity Attribute To delete an internal user identity attribute: Step 1 Select System Administration > Configuration > Dictionaries > Identit ...

  • Cisco Systems CSACS3415K9 - page 551

    18-13 Managing Dictionaries Creating, Duplicating, and Editing an Internal Host Identity Attribute To create, duplicate, and edit an internal host identity attribute: Step 1 Select System Administration > Con ...

  • Cisco Systems CSACS3415K9 - page 552

    18-14 Configuring Local Server Certificates Adding Static IP address to Users in Internal Identity Store To add static IP address to a user in Internal Identity Store: Step 1 Add a static IP attribute to intern ...

  • Cisco Systems CSACS3415K9 - page 553

    18-15 Adding Local Server Certificates Step 2 Click Add. Step 3 Enter the information in the Local Certificate Store Properties page as described in Table 18-12: Importing Server Certificates and Associating Ce ...

  • Cisco Systems CSACS3415K9 - page 554

    18-16 Adding Local Server Certificates Step 4 Click Finish. The new certificate is saved. The Local Certificate Store page appears with the new certificate. Generating Self-Signed Certificates Step 1 ...

  • Cisco Systems CSACS3415K9 - page 555

    18-17 Adding Local Server Certificates Step 4 Click Finish. The new certificate is saved. The Local Certificate Store page appears with the new certificate. Generating a Certificate Signing Request Step 1 Sel ...

  • Cisco Systems CSACS3415K9 - page 556

    18-18 Adding Local Server Certificates Binding CA Signed Certificates Use this page to bind a CA signed certificate to the request that was used to obtain the certificate from the CA. Step 1 Select System ...

  • Cisco Systems CSACS3415K9 - page 557

    18-19 Adding Local Server Certificates Step 4 Click Submit to extend the existing certificate's validity. The Local Certificate Store page appears with the edited certificate. Related Topic • Configuring Loc ...

  • Cisco Systems CSACS3415K9 - page 558

    18-20 Adding Local Server Certificates The Certificate Store page appears without the deleted certificate(s). Related Topic • Configuring Local Server Certificates, page 18-14 Exporting Certificates To ...

  • Cisco Systems CSACS3415K9 - page 559

    18-21 Configuring Logs Step 2 Click Export to export the local certificate to a client machine. Configuring Logs Log records are generated for: • Accounting messages • AAA audit and diagnostics messages ...

  • Cisco Systems CSACS3415K9 - page 560

    18-22 Configuring Logs Step 1 Select System Administration > Configuration > Log Configuration > Remote Log Targets. The Remote Log Targets page appears. Step 2 Do one of the following: • Clic ...

  • Cisco Systems CSACS3415K9 - page 561

    18-23 Configuring Logs Step 4 Click Submit. The remote log target configuration is saved. The Remote Log Targets page appears with the new remote log target configuration. Related Topic • Deleting a Remote ...

  • Cisco Systems CSACS3415K9 - page 562

    18-24 Configuring Logs Configuring the Local Log Use the Local Configuration page to configure the maximum days to retain your local log data. Step 1 Select System Administration > Configuration > Log ...

  • Cisco Systems CSACS3415K9 - page 563

    18-25 Configuring Logs Configuring Global Logging Categories To view and configure global logging categories: Step 1 Select System Administration > Configuration > Log Configuration > Logging Categori ...

  • Cisco Systems CSACS3415K9 - page 564

    18-26 Configuring Logs Step 6 Click Submit. The Logging Categories page appears, with your configured logging category. Administrative and operational audit messages include audit messages of the ...

  • Cisco Systems CSACS3415K9 - page 565

    18-27 Configuring Logs Related Topic • Configuring Per-Instance Logging Categories, page 18-29 • Viewing ADE-OS Logs, page 18-28 File-Management • ACS_DELETE_CORE—ACS core files deleted • ACS_D ...

  • Cisco Systems CSACS3415K9 - page 566

    18-28 Configuring Logs Viewing ADE-OS Logs The logs listed in Table 18-22 are written to the ADE-OS logs. From the ACS CLI, you can use the following command to view the ADE-OS logs: show logging syste ...

  • Cisco Systems CSACS3415K9 - page 567

    18-29 Configuring Logs Sep 29 06:28:28 cd-acs5-13-103 MSGCAT58004/admin: ACS Stopped Sep 29 06:31:41 cd-acs5-13-103 MSGCAT58037/admin: Installing ACS Sep 29 09:52:35 cd-acs5-13-103 MSGCAT58007: Killing Tomcat 32729 Sep ...

  • Cisco Systems CSACS3415K9 - page 568

    18-30 Configuring Logs Configuring Per-Instance Security and Log Settings You can configure the severity level and local log settings in a logging category configuration for a specific overridden or custo ...

  • Cisco Systems CSACS3415K9 - page 569

    18-31 Configuring Logs Configuring Per-Instance Remote Syslog Targets Use this page to configure remote syslog targets for logging categories. Step 1 Select System Administration > Configuration > Log Config ...

  • Cisco Systems CSACS3415K9 - page 570

    18-32 Configuring Logs Displaying Logging Categories You can view a tree of configured logging categories for a specific ACS instance. In addition, you can configure a logging category’s severity le ...

  • Cisco Systems CSACS3415K9 - page 571

    18-33 Configuring Logs Configuring the Log Collector Use the Log Collector page to select a log data collector and suspend or resume log data transmission. Step 1 Select System Administration > Configuration ...

  • Cisco Systems CSACS3415K9 - page 572

    18-34 Licensing Overview To operate ACS, you must install a valid license. ACS prompts you to install a valid base license when you first access the web interface. Each ACS insta ...

  • Cisco Systems CSACS3415K9 - page 573

    18-35 Installing a License File Related Topics • Licensing Overview, page 18-34 • Installing a License File, page 18-35 • Viewing the Base License, page 18-36 • Adding Deployment License Files, page 1 ...

  • Cisco Systems CSACS3415K9 - page 574

    18-36 Installing a License File Viewing the Base License To upgrade the base license: Step 1 Select System Administration > Configuration > Licensing > Base Server License. The Base Serve ...

  • Cisco Systems CSACS3415K9 - page 575

    18-37 Installing a License File Related Topic • Upgrading the Base Server License, page 18-37 Upgrading the Base Server License You can upgrade the base server license. Step 1 Select System Administration ...

  • Cisco Systems CSACS3415K9 - page 576

    18-38 Viewing License Feature Options You can add, upgrade, or delete existing deployment licenses. The configuration pane at the top of the page shows the deployment ...

  • Cisco Systems CSACS3415K9 - page 577

    18-39 Adding Deployment License Files To add a new base deployment license file: Step 1 Select System Administration > Configuration > Licensing > Feature Options. The F ...

  • Cisco Systems CSACS3415K9 - page 578

    18-40 Deleting Deployment License Files Related Topics • Licensing Overview, page 18-34 • Types of Licenses, page 18-34 • Installing a License File, page 18-35 • Viewing the Base License, page 1 ...

  • Cisco Systems CSACS3415K9 - page 579

    18-41 Available Downloads Downloading Migration Utility Files To download migration application files and the migration guide for ACS 5.4: Step 1 Choose System Administration > Downloads > Migration Utilit ...

  • Cisco Systems CSACS3415K9 - page 580

    18-42 Available Downloads To download these sample scripts: Step 1 Choose System Administration > Downloads > Sample Python Scripts. The Sample Python Scripts page appears. Step 2 Click one of t ...

  • Cisco Systems CSACS3415K9 - page 581

    19-1 CHAPTER 19 Understanding Logging This chapter describes logging functionality in ACS 5.4. Administrators and users use the various management interfaces of ACS to perform different tasks. Using the administrative access control feature, you can a ...

  • Cisco Systems CSACS3415K9 - page 582

    19-2 About Logging Using Log Targets You can specify to send customer log information to multiple consumers or Log Targets and specify whether the log messages are stored locally in text format or forwarded to syslog servers. ...

  • Cisco Systems CSACS3415K9 - page 583

    19-3 About Logging Note For complex configuration items or attributes, such as policy or DACL contents, the new attribute value is reported as "New/Updated" and the audit does not contain the actual attribute value or ...

  • Cisco Systems CSACS3415K9 - page 584

    19-4 About Logging Each log message contains the following information: • Event code—A unique message code. • Logging category—Identifies the category to which a log message belongs. • Severity level—Identifies the le ...

  • Cisco Systems CSACS3415K9 - page 585

    19-5 About Logging Local Store Target Log messages in the local store are text files that are sent to one log file, located at /opt/CSCOacs/logs/localStore/, regardless of which logging category they belong to. The local store can ...

  • Cisco Systems CSACS3415K9 - page 586

    19-6 About Logging Table 19-2 Local Store and Syslog Message Format Field Description timestamp Date of the message generation, according to the local clock of the originating ACS, in the format YYYY-MM-DD hh:mm:ss:xxx +/-zh ...

  • Cisco Systems CSACS3415K9 - page 587

    19-7 About Logging You can use the web interface to configure the number of days to retain local store log files; however, the default setting is to purge data when it exceeds 5 MB or each day, whichever limit is first attained. ...

  • Cisco Systems CSACS3415K9 - page 588

    19-8 About Logging When you configure a critical log target, and a message is sent to that critical log target, the message is also sent to the configured noncritical log target on a best-effort basis. • When you configure a critica ...

  • Cisco Systems CSACS3415K9 - page 589

    19-9 About Logging Table 19-3 Remote Syslog Message Header Format Field Description pri_num Priority value of the message; a combination of the facility value and the severity value of the message. Priority value = (facility valu ...

  • Cisco Systems CSACS3415K9 - page 590

    19-10 About Logging The syslog message data or payload is the same as the Local Store Message Format, which is described in Table 19-2. The remote syslog server targets are identified by the facility code names LOCAL0 to LOCAL7 ...

  • Cisco Systems CSACS3415K9 - page 591

    19-11 About Logging The Monitoring and Report Viewer has two drawer options: • Monitoring and Reports—Use this drawer to view and configure alarms, view log reports, and perform troubleshooting tasks. • Monitoring Con ...

  • Cisco Systems CSACS3415K9 - page 592

    19-12 ACS 4.x Versus ACS 5.4 Logging If you are familiar with the logging functionality in ACS 4.x, ensure that you familiarize yourself with the logging functionality of ACS 5.4, which is considerably ...

  • Cisco Systems CSACS3415K9 - page 593

    19-13 ACS 4.x Versus ACS 5.4 Logging Configuration Use the System Configuration > Logging page to define: • Loggers and individual logs • Critical loggers • Remote logging • CSV log file • Syslog log • ODBC log See Config ...

  • Cisco Systems CSACS3415K9 - page 594

    19-14 ACS 4.x Versus ACS 5.4 Logging ...

  • Cisco Systems CSACS3415K9 - page 595

    A-1 APPENDIX A AAA Protocols This section contains the following topics: • Typical Use Cases, page A-1 • Access Protocols—TACACS+ and RADIUS, page A-5 • Overview of TACACS+, page A-5 • Overview of RADIUS, page A-6 Typical Use Cases This section conta ...

  • Cisco Systems CSACS3415K9 - page 596

    A-2 Typical Use Cases Session Access Requests (Device Administration [TACACS+]) Note The numbers refer to Figure A-1 on page A-1. For session request: 1. An administrator logs into a network device. 2. The network device sends a TACACS+ acces ...

  • Cisco Systems CSACS3415K9 - page 597

    A-3 Typical Use Cases – EAP protocols that involve a TLS handshake and in which the client uses the ACS server certificate to perform server authentication: PEAP, using one of the following inner methods: PEAP/EAP-MSCHAPv2 and PEAP/EAP ...

  • Cisco Systems CSACS3415K9 - page 598

    A-4 Typical Use Cases – EAP-FAST/EAP-MSCHAPv2 – EAP-FAST/EAP-GTC • EAP methods that use certificates for both server and client authentication – EAP-TLS – PEAP/EAP-TLS Whenever EAP is involved in the authentication process, i ...

  • Cisco Systems CSACS3415K9 - page 599

    A-5 Access Protocols—TACACS+ and RADIUS This section contains the following topics: • Overview of TACACS+, page A-5 • Overview of RADIUS, page A-6 ACS 5.4 can use the TACACS+ and RADIUS access pr ...

  • Cisco Systems CSACS3415K9 - page 600

    A-6 Overview of RADIUS This section contains the following topics: • RADIUS VSAs, page A-6 • ACS 5.4 as the AAA Server, page A-7 • RADIUS Attribute Support in ACS 5.4, page A-8 • RADIUS Access Requests, page A-11 RAD ...

  • Cisco Systems CSACS3415K9 - page 601

    A-7 Overview of RADIUS ACS 5.4 as the AAA Server A AAA server is a server program that handles user requests for access to computer resources, and for an enterprise, provides AAA services. The AAA server typically interacts with network acc ...

  • Cisco Systems CSACS3415K9 - page 602

    A-8 Overview of RADIUS RADIUS Attribute Support in ACS 5.4 ACS 5.4 supports the RADIUS protocol as RFC 2865 describes. ACS 5.4 supports the following types of RADIUS attributes: • IETF RADIUS attributes • Generic and Cisco VSAs • Oth ...

  • Cisco Systems CSACS3415K9 - page 603

    A-9 Overview of RADIUS Authentication ACS supports various authentication protocols transported over RADIUS. The supported protocols that do not include EAP are: • PAP • CHAP • MSCHAPv1 • MSCHAPv2 In addition, various EAP-based pro ...

  • Cisco Systems CSACS3415K9 - page 604

    A-10 Overview of RADIUS Administrator can configure the attribute operation clause for a specific proxy access service. When this service is selected, ACS performs the operation on the access request and forwards the updated access r ...

  • Cisco Systems CSACS3415K9 - page 605

    A-11 Overview of RADIUS • If the Multiple attributes are allowed, then the update operation removes all the occurrences of this attribute and adds one attribute with a new value. Example: Login-IP-Host – attribute Multiple allowed: On t ...

  • Cisco Systems CSACS3415K9 - page 606

    A-12 Overview of RADIUS When the RADIUS server receives the access-request from the NAD, it searches a database for the user name. Depending on the result of the database query, an accept or reject is sent. A text message can ac ...

  • Cisco Systems CSACS3415K9 - page 607

    B-1 APPENDIX B Authentication in ACS 5.4 Authentication verifies user information to confirm the user's identity. Traditional authentication uses a name and a fixed password. More secure methods use cryptographic techniques, such as those used ...

  • Cisco Systems CSACS3415K9 - page 608

    B-2 PAP This appendix describes the following: • RADIUS-based authentication that does not include EAP: – PAP, page B-2 – CHAP, page B-32 – MSCHAPv1 – EAP-MSCHAPv2, page B-30 • EAP family of protocols transported ...

  • Cisco Systems CSACS3415K9 - page 609

    B-3 EAP RADIUS PAP Authentication You can use different levels of security concurrently with ACS for different requirements. PAP applies a two-way handshaking procedure. If authentication succeeds, ACS returns an acknowledge ...

  • Cisco Systems CSACS3415K9 - page 610

    B-4 EAP In ACS 5.4, EAP is encapsulated in the RADIUS protocol. Incoming and outgoing EAP messages are stored in a RADIUS EAP-Message attribute (79). A single RADIUS packet can contain multiple EAP-Message attributes when th ...

  • Cisco Systems CSACS3415K9 - page 611

    B-5 EAP-MD5 ACS supports full EAP infrastructure, including EAP type negotiation, message sequencing and message retransmission. All protocols support fragmentation of big messages. In ACS 5.4, you configure EAP methods fo ...

  • Cisco Systems CSACS3415K9 - page 612

    B-6 EAP-TLS Overview of EAP-TLS EAP-TLS is one of the methods in the EAP authentication framework, and is based on the 802.1x and EAP architecture. Components involved in the 802.1x and EAP authentication process are the: • Ho ...

  • Cisco Systems CSACS3415K9 - page 613

    B-7 EAP-TLS • Using a third-party signature, usually from a CA, that verifies the information in a certificate. This third-party binding is similar to the real-world equivalent of the stamp on a passport. You trust the passport b ...

  • Cisco Systems CSACS3415K9 - page 614

    B-8 EAP-TLS You can configure the timeout for each session in the cache, for each protocol individually. The lifetime of a session is measured from the beginning of the conversation and is determined when the TLS session ...

  • Cisco Systems CSACS3415K9 - page 615

    B-9 EAP-TLS For HTTPS, SFTP, SSH and ActiveMQ, auto-generated self-signed certificates can be used as the means for server authentication. Fixed Management Certificates ACS generates and uses self-signed certificates to ide ...

  • Cisco Systems CSACS3415K9 - page 616

    B-10 EAP-TLS • Initial Self-Signed Certificate Generation, page B-10 • Certificate Generation, page B-10 Importing the ACS Server Certificate When you manually import an ACS server certificate you must supply the certificate f ...

  • Cisco Systems CSACS3415K9 - page 617

    B-11 EAP-TLS There are two types of certificate generation: • Self-signing certificate generation—ACS supports generation of an X.509 certificate and a PKCS#12 private key. The pass phrase used to encrypt the priv ...

  • Cisco Systems CSACS3415K9 - page 618

    B-12 EAP-TLS Credentials Distribution All certificates are kept in the ACS database which is distributed and shared between all ACS nodes. The ACS server certificates are associated and designated for a specific node, which uses ...

  • Cisco Systems CSACS3415K9 - page 619

    B-13 EAP-TLS Private Keys and Passwords Backup The entire ACS database is distributed and backed-up on the primary ACS along with all the certificates, private-keys and the encrypted private-key-passwords. The private-key-pa ...

  • Cisco Systems CSACS3415K9 - page 620

    B-14 PEAPv0/1 Note All communication between the host and ACS goes through the network device. EAP-TLS authentication fails if the: • Server fails to verify the client’s certificate, and rejects EAP-TLS authentication. • ...

  • Cisco Systems CSACS3415K9 - page 621

    B-15 PEAPv0/1 • Cisco AC 3.x • Funk Odyssey Access Client 4.0.2 and 5.x • Intel Supplicant 12.4.x Overview of PEAP PEAP is a client-server security architecture that you use to encrypt EAP transactions, thereby protec ...

  • Cisco Systems CSACS3415K9 - page 622

    B-16 PEAPv0/1 • Fast Reconnect, page B-16 • Session Resume, page B-16 • Protected Exchange of Arbitrary Parameters, page B-17 • Cryptobinding TLV Extension, page B-17 Server Authenticated and Unauthenticated Tunnel Estab ...

  • Cisco Systems CSACS3415K9 - page 623

    B-17 PEAPv0/1 Protected Exchange of Arbitrary Parameters TLV tuples provide a way to exchange arbitrary information between the peer and ACS within a secure channel. Cryptobinding TLV Extension The cryptobinding TLV extensio ...

  • Cisco Systems CSACS3415K9 - page 624

    B-18 PEAPv0/1 Figure B-3 PEAP Processing Flow (figure: Phase 1, Phase 2; user authentication credentials are sent through the TLS tunnel again using EAP) Creating the TLS Tunnel The following describes the process for creating the TLS tunnel: ...

  • Cisco Systems CSACS3415K9 - page 625

    B-19 EAP-FAST Authenticating with MSCHAPv2 After the TLS tunnel is created, follow these steps to authenticate the wireless client credentials with MSCHAPv2: At the end of this mutual authentication exchange, the wireless client h ...

  • Cisco Systems CSACS3415K9 - page 626

    B-20 EAP-FAST EAP-FAST is a client-server security architecture that encrypts EAP transactions with a TLS tunnel. While similar to PEAP in this respect, it differs significantly in that EAP-FAST tunnel establishment is based on stro ...

  • Cisco Systems CSACS3415K9 - page 627

    B-21 EAP-FAST EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a user name that is presented in phase one, however, whether the user name is protected during phase ...

  • Cisco Systems CSACS3415K9 - page 628

    B-22 EAP-FAST • ACS-Supported Features for PACs, page B-25 • Master Key Generation and PAC TTLs, page B-27 • EAP-FAST for Allow TLS Renegotiation, page B-27 About Master-Keys EAP-FAST master-keys are strong secrets tha ...

  • Cisco Systems CSACS3415K9 - page 629

    B-23 EAP-FAST Provisioning Modes ACS supports out-of-band and in-band provisioning modes. The in-band provisioning mode operates inside a TLS tunnel raised by Anonymous DH or Authenticated DH or RSA algorithm for key agreement. ...

  • Cisco Systems CSACS3415K9 - page 630

    B-24 EAP-FAST The various means by which an end-user client can receive PACs are: • PAC provisioning—Required when an end-user client has no PAC. For more information about how master-key and PAC states determine wh ...

  • Cisco Systems CSACS3415K9 - page 631

    B-25 EAP-FAST To control whether ACS performs Automatic In-Band PAC Provisioning, use the options on the Global System Options pages in the System Administration drawer. For more information, see EAP-FAST, page B-19. Manual ...

  • Cisco Systems CSACS3415K9 - page 632

    B-26 EAP-FAST The proactive PAC update time is configured for the ACS server in the Allowed Protocols Page. This mechanism allows the client to be always updated with a valid PAC. Note There is no proactive PAC update for Machi ...

  • Cisco Systems CSACS3415K9 - page 633

    B-27 EAP-FAST Master Key Generation and PAC TTLs The values for master key generation and PAC TTLs determine their states, as described in About Master-Keys, page B-22 and Types of PACs, page B-23. Master key and PAC states det ...

  • Cisco Systems CSACS3415K9 - page 634

    B-28 EAP-FAST For information about how master key generation and PAC TTL values determine whether PAC provisioning or PAC refreshing is required, see Master Key Generation and PAC TTLs, page B-27. Step 3 Determine whet ...

  • Cisco Systems CSACS3415K9 - page 635

    B-29 EAP-FAST • PAC Migration from ACS 4.x, page B-29 Key Distribution Algorithm The common seed-key is a relatively large and a completely random buffer that is generated by the primary ACS server. The seed-key is ...

  • Cisco Systems CSACS3415K9 - page 636

    B-30 EAP Authentication with RADIUS Key Wrap • A list of retired ACS 4.x master-keys. The list is taken from the ACS 4.x configuration and placed in a new table in ACS 5.4. Each migrated master-key is associated with its expe ...

  • Cisco Systems CSACS3415K9 - page 637

    B-31 EAP-MSCHAPv2 Overview of EAP-MSCHAPv2 Some of the specific members of the EAP family of authentication protocols, specifically EAP-FAST and PEAP, support the notion of an “EAP inner method.” This means that another EAP-ba ...

  • Cisco Systems CSACS3415K9 - page 638

    B-32 CHAP EAP-MSCHAPv2 Flow in ACS 5.4 Components involved in the 802.1x and MSCHAPv2 authentication process are the: • Host—The end entity, or end user’s machine. • AAA client—The network access point. • Authenticati ...

  • Cisco Systems CSACS3415K9 - page 639

    B-33 Certificate Attributes • Subject’s ST attribute (State Province) • Subject’s E attribute (eMail) • Subject’s SN attribute (Subject Serial Number) • Issuer I attribute • SAN (Subject Alternative Name) Y ...

  • Cisco Systems CSACS3415K9 - page 640

    B-34 Certificate Attributes • Subject's ST attribute (State Province) • Subject's E attribute (eMail) • Subject's SN attribute (Subject Serial Number) • Issuer I attribute • SAN (Subject Alternative N ...

  • Cisco Systems CSACS3415K9 - page 641

    B-35 Machine Authentication The configuration of URLs and their association to CA's is distributed to the entire ACS domain. The downloaded CRLs are not distributed and are autonomously populated in parallel in each ACS server. ...

  • Cisco Systems CSACS3415K9 - page 642

    B-36 Authentication Protocol and Identity Store Compatibility Related Topics • Microsoft AD, page 8-41 • Managing External Identity Stores, page 8-22 Authentication Protocol and Identity Store Compatibility ACS supports va ...

  • Cisco Systems CSACS3415K9 - page 643

    B-37 Authentication Protocol and Identity Store Compatibility ...

  • Cisco Systems CSACS3415K9 - page 644

    B-38 Authentication Protocol and Identity Store Compatibility ...

  • Cisco Systems CSACS3415K9 - page 645

    C-1 APPENDIX C Open Source License Acknowledgements See http://www.cisco.com/en/US/products/ps9911/products_licensing_information_listing.html for all the Open Source and Third Party Licenses used in Cisco Secure Access Control System, 5.4. Notices The ...

  • Cisco Systems CSACS3415K9 - page 646

    C-2 Notices 4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contac ...

  • Cisco Systems CSACS3415K9 - page 647

    C-3 Open Source License Acknowledgements 4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson ( ...

  • Cisco Systems CSACS3415K9 - page 648

    C-4 Open Source License Acknowledgements ...

  • Cisco Systems CSACS3415K9 - page 649

    GL-1 GLOSSARY A AAA Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These c ...

  • Cisco Systems CSACS3415K9 - page 650

    GL-2 Glossary accounts The capability of ACS to record user sessions in a log file. ACS System Administrators Administrators with different access privileges defined under the System Configuration section of the ACS web interface. They administer and man ...

  • Cisco Systems CSACS3415K9 - page 651

    GL-3 Glossary authenticity The validity and conformance of the original information. authorization The approval, permission, or empowerment for someone or something to do something. authorization profile The basic "permissions container" for a RADIUS-ba ...

  • Cisco Systems CSACS3415K9 - page 652

    GL-4 Glossary certificate-based authentication The use of Secure Sockets Layer (SSL) and certificates to authenticate and encrypt HTTP traffic. certificate Digital representation of user or device attributes, including a public key, that is signed with an authori ...

  • Cisco Systems CSACS3415K9 - page 653

    Glossary GL-5 configuration management The process of establishing a known baseline condition and managing it. cookie Data exchanged between an HTTP server and a browser (a client of the server) to store state information on the client side and retrieve it lat ...

  • Cisco Systems CSACS3415K9 - page 654

    Glossary GL-6 D daemon A program which is often started at the time the system boots and runs continuously without intervention from any of the users on the system. The daemon program forwards the requests to other programs (or processes) as appropriate. The te ...

  • Cisco Systems CSACS3415K9 - page 655

    Glossary GL-7 digital envelope An encrypted message with the encrypted session key. digital signature A hash of a message that uniquely identifies the sender of the message and proves the message hasn't changed since transmission. DSA digital signature algori ...

  • Cisco Systems CSACS3415K9 - page 656

    Glossary GL-8 dumpsec A security tool that dumps a variety of information about a system's users, file system, registry, permissions, password policy, and services. DLL Dynamic Link Library. A collection of small programs, any of which can be called when needed ...

  • Cisco Systems CSACS3415K9 - page 657

    Glossary GL-9 EAP Extensible Authentication Protocol. A protocol for wireless networks that expands on authentication methods used by the PPP (Point-to-Point Protocol), a protocol often used when connecting a computer to the Internet. EAP can support multiple authen ...

  • Cisco Systems CSACS3415K9 - page 658

    Glossary GL-10 G gateway A network point that acts as an entrance to another network. global system options Configuring TACACS+, EAP-TTLS, PEAP, and EAP-FAST runtime characteristics and generating EAP-FAST PAC. H hash functions Used to generate a one way " ...

  • Cisco Systems CSACS3415K9 - page 659

    Glossary GL-11 I I18N Internationalization and localization are means of adapting software for non-native environments, especially other nations and cultures. Internationalization is the adaptation of products for potential use virtually everywhere, while loc ...

  • Cisco Systems CSACS3415K9 - page 660

    Glossary GL-12 ISO International Organization for Standardization, a voluntary, non-treaty, non-government organization, established in 1947, with voting members that are designated standards bodies of participating nations and non-voting observer organizations ...

  • Cisco Systems CSACS3415K9 - page 661

    Glossary GL-13 M MAC Address A physical address; a numeric value that uniquely identifies that network device from every other device on the planet. matchingRule (LDAP) The method by which an attribute is compared in a search operation. A matchingRule is an ASN.1 ...

  • Cisco Systems CSACS3415K9 - page 662

    Glossary GL-14 PI (Programmatic Interface) The ACS PI is a programmatic interface that provides external applications the ability to communicate with ACS to configure and operate ACS; this includes performing the following operations on ACS objects: create, upda ...

  • Cisco Systems CSACS3415K9 - page 663

    Glossary GL-15 R RDN (LDAP) The Relative Distinguished Name (frequently but incorrectly written as Relatively Distinguished Name). The name given to an attribute(s) that is unique at its level in the hierarchy. RDNs may be single valued or multi-valued in which case t ...

  • Cisco Systems CSACS3415K9 - page 664

    Glossary GL-16 Schema (LDAP) A package of attributes and object classes that are sometimes (nominally) related. The schema(s) in which the object classes and attributes that the application will use (reference) are packaged are identified to the LDAP server ...

  • Cisco Systems CSACS3415K9 - page 665

    Glossary GL-17 SOAP (Simple Object Access Protocol) A lightweight XML-based protocol for exchange of information in a decentralized, distributed environment. SOAP consists of three parts: an envelope that defines a framework for describing what is in a m ...

  • Cisco Systems CSACS3415K9 - page 666

    Glossary GL-18 U UDP User Datagram Protocol. A communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP) URL Uniform Resource Locator. The unique address ...

  • Cisco Systems CSACS3415K9 - page 667

    Glossary GL-19 X X.509 A standard for public key infrastructure. X.509 specifies, amongst other things, standard formats for public key certificates and a certification path validation algorithm. XML (eXtensible Markup Language) XML is a flexible way to create commo ...

  • Cisco Systems CSACS3415K9 - page 668

    Glossary GL-20 ...

  • Cisco Systems CSACS3415K9 - page 669

    IN-1 INDEX Symbols ! formatting symbol 13-34 % operator 13-61 & formatting symbol 13-34 & operator 13-61 * operator 13-61 + operator 13-61 / operator 13-61 <= operator 13-61 <> operator 13-61 < formatting symbol 13-34 < operator 13-61 = operator ...

  • Cisco Systems CSACS3415K9 - page 670

    Index IN-2 Arrange Columns dialog 13-42 ascending sort order 13-47 AVERAGE function 13-54 Average function 13-64 averages 13-54, 13-57, 13-60, 13-64 B background colors 13-39 Between condition 13-69, 13-74 BETWEEN function 13-54 Between operator 13-38 blank charact ...

  • Cisco Systems CSACS3415K9 - page 671

    Index IN-3 formatting data and 13-37 context menus 13-21 conversions 13-34 COUNT_DISTINCT function 13-54 COUNT function 13-54 Count function 13-64 Count Value function 13-64 creating aggregate rows 13-65, 13-66 calculated columns 13-52, 13-61 data filters 13-69, 13-7 ...

  • Cisco Systems CSACS3415K9 - page 672

    Index IN-4 downloads 18-40 duplicate values 13-67, 13-68 E EAP-FAST enabling B-27 identity protection B-21 logging B-20 master keys definition B-22 PAC automatic provisioning B-24 definition B-22 manual provisioning B-25 refresh B-27 phases B-20 EAP-FAST settings c ...

  • Cisco Systems CSACS3415K9 - page 673

    Index IN-5 G General Date format option 13-31 General Number format option 13-31 Go to page pick list 13-22 Greater Than condition 13-70 greater than operator 13-61 Greater Than or Equal to condition 13-70 greater than or equal to operator 13-61 Group Detail dialo ...

  • Cisco Systems CSACS3415K9 - page 674

    Index IN-6 locales creating charts and 13-78 customizing formats for 13-30, 13-32, 13-35 locating text values 13-55, 13-59 logical operators 13-61 Long Date format option 13-31 Long Time format option 13-31 lowercase characters 13-57 Lowercase format option 13-31 L ...

  • Cisco Systems CSACS3415K9 - page 675

    Index IN-7 numeric data types 13-31 numeric expressions 13-61, 13-62 numeric values 13-24, 13-33 O opening exported data files 13-25 Interactive Viewer 13-21 operators 13-38, 13-61 OR operator 13-61, 13-75 P PAC automatic provisioning B-24 definition B-22 manual provisi ...

  • Cisco Systems CSACS3415K9 - page 676

    Index IN-8 report viewers 13-21 resizing columns 13-24, 13-29 RIGHT function 13-58 ROUNDDOWN function 13-59 ROUND function 13-58 rounding 13-54, 13-58 ROUNDUP function 13-59 row-by-row comparisons 13-55 rows 13-67, 13-68 RUNNING SUM function 13-59 running totals 13 ...

  • Cisco Systems CSACS3415K9 - page 677

    Index IN-9 time data types 13-31 time formats 13-31, 13-35 timesaver, description of ii-xxiv time stamps 13-57, 13-59 time values 13-35, 13-50 TODAY function 13-59 Top N condition 13-70 Top Percent condition 13-70 totals 13-37, 13-59, 13-64 trailing characters 13-59 TRIM ...

  • Cisco Systems CSACS3415K9 - page 678

    Index IN-10 X x-axis values 13-76 Y y-axis values 13-76 YEAR function 13-60 ...
