Cisco Acs 57 User Guide
Managing Access Policies
Maximum Login Failed Attempts Policy

ACS 5.7 allows the administrator to disable a user account after n successive failed attempts. You can configure the maximum login failed attempts count from the ACS web interface. This feature is applicable only to internal users. You can configure it at the user level, at the identity group level, and globally. ACS 5.7 introduces the maximum login failed attempts count configuration at the user level and the identity group level; the global maximum login failed attempts count configuration was already available in ACS.

Note: ACS counts the failed attempts until the maximum failed attempts count is reached or a login attempt succeeds. ACS does not apply a time window (such as within 15 minutes, 30 minutes, or 1 hour) when calculating the consecutive failed attempts count.

Note: If a user is configured with a lower maximum login failed attempts count than the identity group the user belongs to, ACS applies the user-level count even though it is lower.

When a user enters incorrect login credentials, ACS executes the following maximum login failed attempts policy algorithm:

1. If the maximum login failed attempts count is configured at the user level:
   ACS disables the user account if the maximum login failed attempts count is reached.
   ACS allows the user to enter the credentials and try logging in again if the maximum login failed attempts count is not reached.
   If the maximum login failed attempts count is not configured at the user level, ACS proceeds to the identity group level check.
2. If the maximum login failed attempts count is configured at the identity group that is associated with the user:
   ACS disables the user account if the maximum login failed attempts count is reached.
   ACS allows the user to enter the credentials and try logging in again if the maximum login failed attempts count is not reached.
   If the maximum login failed attempts count is not configured at the immediate group that is associated with the user, ACS proceeds to the parent identity group level.
3. If the maximum login failed attempts count is configured at the parent identity group:
   ACS disables the user account if the maximum login failed attempts count is reached.
   ACS allows the user to enter the credentials and try logging in again if the maximum login failed attempts count is not reached.
   If the maximum login failed attempts count is not configured at the parent group, ACS proceeds to the next level in the hierarchy until it reaches the root of the hierarchical groups. If the maximum login failed attempts count is not configured at any group, including the root, ACS proceeds to the global maximum login failed attempts count check.
4. If the maximum login failed attempts count is configured globally:
   ACS disables the user account if the maximum login failed attempts count is reached.
   ACS allows the user to enter the credentials and try logging in again if the maximum login failed attempts count is not reached.
   If no global maximum login failed attempts count is configured, ACS never disables the user account and allows the user to enter the login credentials and try logging in again indefinitely.
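The lookup order above (user, then the user's group and its parents up to the root, then the global setting, with no time window and a reset on success) as an added Python model; this is not code from the Cisco guide or from ACS, and the group names, user names and limits are constructed sample data.

```python
# Added example (not from the Cisco ACS guide): a model of the ACS 5.7
# maximum login failed attempts lookup order. All names and limits below
# are constructed sample data.
from dataclasses import dataclass
from typing import Optional


@dataclass
class IdentityGroup:
    name: str
    parent: Optional["IdentityGroup"] = None
    max_failed: Optional[int] = None   # None: not configured at this level


@dataclass
class InternalUser:
    name: str
    group: IdentityGroup
    max_failed: Optional[int] = None   # user-level "Disable account after n" setting
    failed_count: int = 0              # successive failures; no time window applies
    disabled: bool = False


def effective_limit(user: InternalUser, global_limit: Optional[int]) -> tuple:
    """Return (limit, source): user level first, then each group up to the
    root, then global. The first configured level wins, even when it is
    lower than a level above it (the user-versus-group note in the guide)."""
    if user.max_failed is not None:
        return user.max_failed, "user"
    group = user.group
    while group is not None:
        if group.max_failed is not None:
            return group.max_failed, "group:" + group.name
        group = group.parent
    if global_limit is not None:
        return global_limit, "global"
    return None, "none"   # nothing configured: the account is never disabled


def record_login_attempt(user: InternalUser, success: bool,
                         global_limit: Optional[int]) -> str:
    """Apply one login attempt and return 'ok', 'retry' or 'disabled'."""
    if user.disabled:
        return "disabled"
    if success:
        user.failed_count = 0          # a successful login resets the counter
        return "ok"
    user.failed_count += 1
    limit, _ = effective_limit(user, global_limit)
    if limit is not None and user.failed_count >= limit:
        user.disabled = True           # count reached: account disabled
        return "disabled"
    return "retry"


def demo_users() -> dict:
    """Constructed hierarchy: root -> Engineering(5) -> Ops(unset); Contractors(unset)."""
    root = IdentityGroup("All Groups")
    eng = IdentityGroup("Engineering", parent=root, max_failed=5)
    ops = IdentityGroup("Ops", parent=eng)
    contractors = IdentityGroup("Contractors", parent=root)
    return {
        "alice": InternalUser("alice", ops, max_failed=3),  # user level beats group 5
        "bob": InternalUser("bob", ops),                     # inherits 5 from Engineering
        "carol": InternalUser("carol", contractors),         # falls through to global
    }
```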
This section describes the following:
Configuring Maximum Login Failed Attempts Count for Users, page 56
Configuring Maximum Login Failed Attempts Count for Identity Groups, page 56
Configuring Maximum Login Failed Attempts Count for Users Globally, page 56

Configuring Maximum Login Failed Attempts Count for Users

To configure the maximum login failed attempts count for internal users:
1. Choose Users and Identity Stores > Internal Identity Store > Users.
   The Internal Users page appears.
2. Perform one of the following actions:
   Click Create.
   Click the username for which you want to configure the maximum login failed attempts count, or check the check box next to the name and click Edit.
3. Check the Disable account after n successive failed attempts check box and enter the maximum login failed attempts count in the text box provided.
4. Click Submit.
   The maximum login failed attempts count for the selected user is configured. The Internal Users page appears with the new configuration.

Configuring Maximum Login Failed Attempts Count for Identity Groups

To configure the failed attempts count for identity groups:
1. Choose Access Policies > Max Login Failed Attempts Policy > Max Login Failed Attempts Group Settings.
   All the configured identity groups are listed.
2. Check the check box next to the group name for which you want to configure the maximum login failed attempts count.
3. Click Edit.
   The Edit Identity Groups page appears with the identity group name and description.
4. Check the Disable account after n successive failed attempts check box and enter the failed attempts count in the text box provided in the Max Login Failed Attempts Group Settings area.
5. Click Submit.
   The maximum login failed attempts count for the selected identity group is configured.

Configuring Maximum Login Failed Attempts Count for Users Globally

To configure the failed attempts count for users globally:
1. Choose System Administration > Users > Authentication Settings > Advanced.
   The User Authentication Settings page appears with the Advanced tab.
2. Check the Disable account if check box.
3. Check the Failed Attempts Exceed check box and enter the maximum login failed attempts count in the text box provided.
4. Click Submit.
   The maximum login failed attempts count for internal users is configured globally.

Note: If the authentication points of the primary and secondary instances are in different geographical locations, you can expect a delay in the Distributed Deployment update across the Wide Area Network, which delays the update from the secondary instance to the primary instance. In this case, if you authenticate a user against a secondary instance that is in a different geographical location from the primary instance, the “Disable User after N failed attempt count” feature does not work properly.
Cisco Systems, Inc. www.cisco.com

Monitoring and Reporting in ACS

The Monitoring and Reports drawer appears in the primary web interface window and contains the Launch Monitoring and Report Viewer option. The Monitoring and Report Viewer provides monitoring, reporting, and troubleshooting capabilities for the ACS servers in your network. You can extract consolidated log, configuration, and diagnostic data from one or more ACS servers for advanced reporting and troubleshooting purposes.

You can configure the network access devices (NADs) in your network to send syslog messages to the Monitoring and Report Viewer. To do this, you must configure the logging port on the NAD to UDP 20514. For example, to enable a NAD in your network to send syslog messages to the Monitoring and Report Viewer, enter the following commands on the NAD in CLI configuration mode:
1. logging monitor informational
2. logging origin-id ip
3. logging host ip transport udp port 20514 (where ip is the IP address of the Log Collector in your network)
4. epm logging

Click Launch Monitoring and Report Viewer to open the Monitoring and Report Viewer in a secondary web interface window, which contains these drawers:
Monitoring and Reports
Monitoring Configuration (See Managing System Operations and Configuration in the Monitoring and Report Viewer, page 1.)

The Monitoring and Reports drawer provides the following functionality:
Dashboard—Provides a high-level summary, updated in real time, of the ACS servers in the deployment, the authentication activity, and a summary of authentications against each identity store. See Dashboard Pages, page 2.
Alarms—You can define thresholds to represent acceptable system performance. Measurements are taken on an ongoing basis and compared against these thresholds. If the thresholds are exceeded, alarms are generated. See Understanding Alarms, page 1.
Reports—A rich set of reports is available. See Managing Reports, page 1.
Troubleshooting—Provides tools to assist in troubleshooting the ACS system, including tests for system connectivity and a tool to download support bundles. See Troubleshooting ACS with the Monitoring and Report Viewer, page 1.
Support for non-English characters (UTF-8)—You can use non-English characters in:
—Syslog messages—Configurable attribute values, user names, and ACS named configuration objects
—GUI input fields
—Query pages
—Reports
—Alarms
—Dashboard lookup
—Failure reason text

Note: In Monitoring and Reports drawer pages, you can use the page area’s down arrow (v) to hide an area’s content, and the right arrow (>) to show its content.

Related Topic
Authentication Records and Details, page 2

Authentication Records and Details

A primary source of information for reports is the authentication records. Reports are provided that analyze these records according to multiple categories, such as the Access Service used for the request, the user or host referenced in the request, the device making the request, and so on. ACS provides summaries of the authentications per instance in each category, and administrators can get additional details. Within each authentication record there is an option to view the details of the authentication record. The details contain the following information:
Authentication Details—Full details of the authentication, which include details from the request, the service, the policies and rules selected for the request, and the results returned in the response.
Authentication Result—The contents of the result response.
Steps—Lists the sequence of steps performed when processing the request.

The authentication details information is very helpful when trying to understand why a specific successful response was returned, or to track the steps performed when a failed response was returned.

Dashboard Pages

When you launch the Monitoring and Report Viewer, the Dashboard appears in a secondary web interface window. ACS 5.7 provides a new customizable dashboard that contains tabs and portlets, where the Monitoring and Report Viewer consolidates your favorite queries, recent alarms and reports, and the health status of ACS instances. Each of these tabs can have multiple portlets, with each portlet containing an application of your choice. You can select an application from the list of available applications.
By default, the Monitoring and Report Viewer provides the following tabs and applications in the Dashboard:

Note: These tabs are customizable, and you can modify or delete any of the following tabs.

General—The General tab lists the following:
—Five most recent alarms—When you click the name of an alarm, a dialog box appears with the details and status of the alarm. You can update the information in the Status tab of this dialog box to track the alarm. See Table 115 on page 7 for a description of the fields in the Status tab.
—Favorite reports—The favorite reports are displayed in alphabetical order. To view a report, click its name. You can view this report in the Interactive Viewer. You can customize this list to include your favorite reports and quickly launch them from the dashboard.

Troubleshooting—The Troubleshooting tab contains the following panes:
—Live Authentications—View live authentications for the day. You can filter the records that appear in this pane.
—My Links—You can add your favorite links to this pane.
—NAD Show Command—You can run any show command on any NAD device from this pane. To run a NAD show command, you must:
a. Enter either the IPv4 or IPv6 address of the NAD (Required).
b. Enter the username and password for the NAD.
c. Choose the protocol, Telnet or SSHv2 (Required).
d. Enter the port number. The default is 23 (Required).
e. Enter the enable password.
f. Check the Use Console Server check box if you want to use the console server.
g. Enter either the IPv4 or IPv6 address of the console server. This field is required if you check the Use Console Server check box.
h. Enter the show command that you want to run on the NAD (Required).
When the Monitoring and Report Viewer executes the NAD show command, it might prompt you for additional details. See Table 5 on page 8 for a description of the fields in the Progress Details page. After you click Done, you can click Show Results Summary to view the result as shown in Table 6 on page 9.
—Authentication Lookup—You can use this portlet to run an authentication report with default parameters, find authentication records for a user or MAC address, and run a user or endpoint summary report for a user or endpoint respectively. For more information on the Authentication Lookup Portlet, see Working with the Authentication Lookup Portlet, page 4.

Authentication Trends—The Authentication Trends tab contains the following panes:
—Authentication Trend—Provides a graphical and tabular representation of the authentication trend for up to the past 30 days. In the graphical representation, time is plotted on the X-axis and authentications on the Y-axis. The tabular representation provides the number of passed, failed, and dropped authentications for each day. The button at the lower-right corner of the chart allows you to toggle between the two views.
—Top Authentications—Provides a graphical representation of the top authentications. Time is plotted on the X-axis and authentications on the Y-axis.
—Authentication Snapshot—Provides a snapshot of authentications in graphical and tabular formats for up to the past 30 days. In the graphical representation, the field by which the records are grouped is plotted on the X-axis and the authentications on the Y-axis. The tabular representation provides the Category; Pass Count; Daily, Weekly, or Monthly Pass Count; Fail Count; and Daily, Weekly, or Monthly Fail Count. The button at the lower-right corner of the chart allows you to toggle between the two views.

ACS Health—The ACS Health tab provides the system and AAA health of ACS instances. This information is available in a tabular format.
—System status is determined by the following parameters: CPU utilization, memory utilization, disk input/output utilization, and disk usage for the /opt and /local disks.
—AAA status is determined by RADIUS and TACACS+ latency.
Hovering the mouse over the legend (Critical, Warning, Healthy) shows the criteria that determine the status of the ACS instance. For a detailed graphical representation of the ACS instance health, click the name of the ACS instance. The ACS health summary report appears. You can view this report in the Interactive Viewer.
You can configure the tabs in the Dashboard to suit your needs. See Configuring Tabs in the Dashboard, page 5 for more information on how to configure tabs in the Dashboard and add applications to the tabs.

Related Topics
Working with Portlets, page 4
Configuring Tabs in the Dashboard, page 5
Adding Applications to Tabs, page 6

Working with Portlets

A portlet is a small, self-contained window within a dashboard that displays information in the form of real-time charts, tabular reports, and so on. Each tab in the Dashboard consists of one or more portlets. Figure 29 on page 4 shows two portlets from the General tab.

Figure 29 Portlets

Top 5 Alarms and My Favorite Reports appear in separate windows. You can edit each of these portlets separately. To edit a portlet, click the edit button at the upper-right corner of the window. The Monitoring and Report Viewer allows you to customize the information in the portlets to suit your needs. You can add, edit, and delete tabs; edit application settings in portlets; and delete portlets.

Working with the Authentication Lookup Portlet

You can add the Authentication Lookup Portlet to the Dashboard. To add it, see Adding Applications to Tabs, page 6. The Authentication Lookup Portlet contains the following fields:
Username/MAC Address—(Required for summary reports) Username of the user or the MAC address in aa-bb-cc-dd-ee-ff format. The Monitoring and Report Viewer does not accept a MAC address in any other format.
View—Choose Authentication to run an authentication report or Summary for a summary report.
Time Range—The Time Range drop-down list is populated depending on the View option that you choose. Choose the time range for which you want to generate the report.
Start Date—(Enabled when you choose the Custom time range option) Choose the start date.
End Date—(Enabled when you choose the Custom time range option) Choose the end date.
Protocol—Choose either RADIUS or TACACS+ from the Protocol drop-down list. The protocol is not taken into account for endpoint summary reports.

Related Topics
Dashboard Pages, page 2
Running the Authentication Lookup Report, page 5

Running the Authentication Lookup Report

When you run an Authentication Lookup report, consider the following:
If you have provided the username or MAC address value in the format aa-bb-cc-dd-ee-ff, an authentication report is run for this MAC address.
If you have provided the username or MAC address value in any other format, the value is treated as a username and an authentication report is run for that user.
If the Username or MAC address field is empty, an authentication report with default parameters is run for the chosen protocol and time range (similar to running a RADIUS or TACACS Authentication report in the catalog pages).
If you provide a valid MAC address value for the Username or MAC address field and choose the Summary View option, an endpoint summary report is run. Irrespective of the protocol that you choose, an endpoint summary report is always run for the RADIUS protocol.
If the MAC address value that you provide is not in the prescribed format, it is treated as a username and a user authentication summary report is run for the chosen time range and protocol.

Configuring Tabs in the Dashboard

This section describes how to configure tabs in the Dashboard and add applications to them. This section contains:
Adding Tabs to the Dashboard, page 5
Renaming Tabs in the Dashboard, page 6
Changing the Dashboard Layout, page 7
Deleting Tabs from the Dashboard, page 7

Adding Tabs to the Dashboard

The Monitoring and Report Viewer Dashboard allows you to customize the tabs in the dashboard and the applications that are available from them. To add tabs to the Dashboard:
1. From the Monitoring and Report Viewer, choose Monitoring and Reports > Dashboard.
   The Dashboard page appears.
2. Click the Configure drop-down list at the upper-right corner of the Dashboard page.
3. Click Add New Page. Enter the name of the tab that you want to create in the Add New Page text box.
4. Click Add Page.
   A new tab of your choice is created. You can add the applications that you most frequently monitor to this tab.

Adding Applications to Tabs

To add an application to a tab:
1. From the Monitoring and Report Viewer, choose Monitoring and Reports > Dashboard.
   The Dashboard page appears.
2. Select the tab to which you want to add an application. If you want to add applications to a new tab, you must add the new tab to the Dashboard before you can add applications to it.
3. Click the Configure drop-down list at the upper-right corner of the Dashboard page.
4. Click Add Application.
   An Add Application window appears.
5. Click View Dashboard to see the list of applications that you can add to the Dashboard. Alternatively, you can enter the name of the application in the Search Content text box. A list of applications appears.
6. Click the Add link for the application that you want to add.
   The application of your choice is added to the tab. You can edit the parameters in this tab.

Renaming Tabs in the Dashboard

To rename existing tabs in the Dashboard:
1. From the Monitoring and Report Viewer, choose Monitoring and Reports > Dashboard.
   The Dashboard page appears.
2. Select the tab that you want to rename.
3. Click the Configure drop-down list at the upper-right corner of the Dashboard page.
4. Click Rename Page.
5. Enter the new name in the Rename Page text box.
6. Click Update.
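The input-handling rules of the Authentication Lookup portlet (see Running the Authentication Lookup Report above: only the dashed aa-bb-cc-dd-ee-ff form counts as a MAC address, anything else is a username, and an endpoint summary ignores the chosen protocol) as an added Python example; this is not code from the Cisco guide or from ACS, and the report labels and the case-insensitive hex match are assumptions.

```python
# Added example (not from the Cisco ACS guide): which report the Authentication
# Lookup portlet runs for a given input. Report labels are constructed names.
import re

# ACS accepts only the aa-bb-cc-dd-ee-ff form. Accepting upper-case hex digits
# is an assumption; the guide only specifies the dashed layout.
MAC_FORMAT = re.compile(r"^[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}$")


def is_lookup_mac(value: str) -> bool:
    """True only for the dashed format the portlet recognises as a MAC address."""
    return MAC_FORMAT.match(value) is not None


def select_report(value: str, view: str, protocol: str) -> dict:
    """Return the report, subject and protocol the portlet would use.
    view is 'Authentication' or 'Summary'; protocol is 'RADIUS' or 'TACACS+'."""
    if view not in ("Authentication", "Summary"):
        raise ValueError("view must be Authentication or Summary")
    if protocol not in ("RADIUS", "TACACS+"):
        raise ValueError("protocol must be RADIUS or TACACS+")
    if value == "":
        if view == "Summary":
            # Username/MAC Address is required for summary reports
            raise ValueError("Username/MAC Address is required for a summary report")
        # default authentication report for the chosen protocol and time range
        return {"report": "Authentication", "subject": None, "protocol": protocol}
    if is_lookup_mac(value):
        if view == "Summary":
            # endpoint summary always runs for RADIUS, whatever protocol was chosen
            return {"report": "Endpoint Summary", "subject": ("mac", value),
                    "protocol": "RADIUS"}
        return {"report": "Authentication", "subject": ("mac", value),
                "protocol": protocol}
    # any other format (including colon- or dot-separated MACs) is a username
    if view == "Summary":
        return {"report": "User Summary", "subject": ("user", value),
                "protocol": protocol}
    return {"report": "Authentication", "subject": ("user", value),
            "protocol": protocol}
```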