Cisco Secure ACS 5.7 User Guide
Managing Reports

Available Filters

Table 3 Available Filters

Option                    Description
User                      Enter a valid username on which to run your report.
MAC Address               Enter a valid MAC address on which to run your report.
Identity Group            Enter a valid identity group name on which to run your report.
Device Name               Enter a valid device name on which to run your report.
Device IP                 Enter a valid device IP address on which to run your report.
SNMP Community            Configure SNMP preferences to authenticate access to MIB objects. For more information,
                          see Configuring SNMP Preferences, page 17. This community string is used by ACS to query
                          information on the AAA client using SNMP; it cannot be used by an SNMP manager to query
                          MIB information on ACS.
Device Group              Enter a valid device group name on which to run your report.
Access Service            Enter a valid access service name on which to run your report.
Identity Store            Enter a valid identity store name on which to run your report.
ACS Instance              Enter a valid ACS instance name on which to run your report.
Failure Reason            Enter a valid failure reason name on which to run your report.
Protocol                  Use the drop-down list box to select the protocol on which you want to run your report.
                          Valid options are: RADIUS, TACACS+.
Authentication Status     Use the drop-down list box to select the authentication status on which you want to run
                          your report. Valid options are: Pass Or Fail, Pass, Fail.
RADIUS Audit Session ID   Enter the RADIUS audit session ID on which you want to run a report.
ACS Session ID            Enter the ACS session ID on which you want to run a report.
Severity                  Use the drop-down list box to select the severity level on which you want to run a report.
                          The report includes messages at the selected severity and at all higher severities. Valid
                          options, from highest to lowest, are: Fatal, Error, Warning, Info, Debug.
End Point IP Address      Enter the end point IP address on which you want to run a report.
Command Accounting Only   Check the check box to run your report for command accounting only.
Top                       Use the drop-down list box to select the number of top (most frequent) authentications
                          by access service on which you want to run your report. Valid options are: 10, 50, 100,
                          500, 1000, 5000.
By                        Use the drop-down list box to select the type of authentications on which you want to run
                          your report. Valid options are: Passed Authentications, Failed Authentications, Total
                          Authentications.
Administrator Name        Enter the administrator username for which you want to run your report.
Object Type               Enter a valid object type on which you want to run your report.
Object Name               Enter the name of the object on which you want to run your report.
Authorization Status      Use the drop-down list box to select the authorization status on which you want to run
                          your report. Valid options are: Pass Or Fail, Pass, Fail.
Time Range                Use the drop-down list box to select the time range on which you want to run your report.
                          Valid options are:
                          Last 30 Minutes (AAA Protocol reports and ACS Health Summary report only)
                          Last Hour (AAA Protocol reports and ACS Health Summary report only)
                          Last 12 Hours (AAA Protocol reports and ACS Health Summary report only)
                          Today
                          Yesterday
                          Last 7 Days
                          Last 30 Days
                          Custom (you must configure a Start Date and End Date, or a Day)
                          Note: Some options are not valid for some Time Range entries of the various reports.
Start Date                Enter a date, or click the date selector icon, to set the start date for which you want
                          to run your report.
End Date                  Enter a date, or click the date selector icon, to set the end date for which you want to
                          run your report.
Start Time                Enter the start time for which you want to run the report.
End Time                  Enter the end time for which you want to run the report.
Day                       Enter a date, or click the date selector icon, to set the single day for which you want
                          to run your report.
Run                       Click to run the report with the selections you have made.

Related Topics
ACS Reports, page 2
Favorite Reports, page 13
Available Reports, page 14
Running Reports, page 3

Changing Authorization for RADIUS Active Sessions Dynamically

ACS provides the Dynamic Change of Authorization (CoA) feature through a report, the RADIUS Active Sessions report, which lets you control active RADIUS sessions dynamically. With this feature, you can send a reauthenticate or disconnect request to a NAD to:

Troubleshoot authentication issues. Use the Disconnect:None option and then follow up with a reauthentication attempt. Do not use the disconnect options to restrict access; to restrict access, use the shutdown (Disconnect:Port Disable) option.

Block a problematic host. Use the Disconnect:Port Disable option to block an infected host that sends a lot of traffic over the network. The RADIUS protocol currently does not support a method for re-enabling a port that is shut down, so the port has to be re-enabled on the device itself.

Force endpoints to reacquire IP addresses. Use the Disconnect:Port Bounce option for endpoints that have no supplicant or client to generate a DHCP request after a VLAN change.

Push an updated authorization policy to an endpoint. Use the Re-Auth option to enforce an updated policy configuration, such as a change in the authorization policy, on existing sessions at the administrator's discretion. For example, if posture validation is enabled, an endpoint is usually quarantined when it first gains access. After the endpoint's identity and posture are known, you can send the CoA Re-Auth command so that the endpoint acquires the actual authorization policy based on its posture.

Legacy NAS devices do not support the CoA feature. Cisco plans to support CoA in all its devices as part of the NPF program.

Note: For the CoA commands to be understood correctly by the device, you must configure the options appropriately.

For the CoA feature to work, you must configure in ACS the shared secret of each device for which you want to change authorization dynamically. ACS uses the same shared secret both for authenticating access requests from the device and for issuing CoA commands to it. A device that receives a CoA or disconnect request signed with a different secret discards the request without replying, so a shared-secret mismatch is visible only as a failed CoA.

This section contains the following topics:
Enabling RADIUS CoA Options on a Device, page 22
Changing Authorization and Disconnecting Active RADIUS Sessions, page 22
Enabling RADIUS CoA Options on a Device

To view all the RADIUS Active Session reports, you must enable the RADIUS CoA options on the device.

To configure the RADIUS CoA options:

1. Configure MAB, 802.1X, and Web Authentication on the NAD against the ACS RADIUS server.

2. Configure CoA on the NAD that is connected to the supplicant, as follows (Cisco IOS syntax):

    aaa server radius dynamic-author
     client {hostname | ip-address} [vrf vrf-id] [server-key [0 | 7] string]
     server-key [0 | 7] string
     port port-number
     auth-type {any | all | session-key}
     ignore session-key
     ignore server-key

   The client entry identifies ACS as a permitted CoA client. The server-key is the shared secret the NAD uses to validate CoA and disconnect requests; it must match the shared secret configured for this device in ACS. The port is the UDP port on which the NAD listens for CoA requests (the Cisco IOS default is 1700). The auth-type determines how strictly the session-identification attributes in a request must match an active session on the NAD.

3. Configure the authentication order.
Changing Authorization and Disconnecting Active RADIUS Sessions

Note: Some of the NADs in your deployment do not send an Accounting Stop or Accounting Off packet after a reload. As a result, you might find two sessions in the Session Directory reports, one of which has expired. When you want to dynamically change the authorization of an active RADIUS session, or disconnect it, always choose the most recent session.

To change authorization or disconnect an active RADIUS session:

1. Run the RADIUS Active Sessions report under Session Directory. See Running Reports, page 3 for information on how to run a RADIUS Active Sessions report. A report similar to the one shown in Figure 7 on page 22 appears.

Figure 7 RADIUS Active Session Report

2. Click the CoA link for the RADIUS session that you want to reauthenticate or terminate. The Change of Authorization Request page appears.
3. Select a CoA option from the CoA option drop-down list box shown in Figure 8 on page 23. Valid options are:
   Disconnect:None: Do not terminate the session.
   Disconnect:Port Bounce: Terminate the session and restart the port.
   Disconnect:Port Disable: Terminate the session and shut down the port.
   Re-Auth: Reauthenticate the user.

Figure 8 CoA Options

4. Click Run to reauthenticate or disconnect the RADIUS session. If the change of authorization fails, it might be for any of the following reasons:
   The device does not support CoA.
   The identity or authorization policy has changed.
   The shared secret configured in ACS does not match the one configured on the device.

5. See Troubleshooting RADIUS Authentications, page 6 to troubleshoot a failed change of authorization attempt. A failed dynamic CoA is listed under failed RADIUS authentications.
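The shared-secret requirement and the "shared secret mismatch" failure reason above are easier to reason about with the RFC 5176 packet exchange in front of you. The following Python script is an added example, not ACS or Cisco code: it builds a Disconnect-Request the way a CoA client does, has a simulated NAD check the Request Authenticator and Message-Authenticator against its own configured server-key, and returns a Disconnect-ACK, a Disconnect-NAK with Error-Cause 503 (Session Context Not Found) for a session the NAD no longer has, or nothing at all when the two secrets differ. The secret, usernames and Acct-Session-Id values are constructed for the example, and the NAD is an in-memory function rather than a UDP listener on the dynamic-author port.

```python
"""RADIUS Disconnect-Request / Disconnect-ACK / Disconnect-NAK exchange (RFC 5176).

Added example, not ACS or Cisco code. The "NAD" is an in-memory function
rather than a UDP listener, and the secret, user and Acct-Session-Id values
are constructed for the example.
"""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_ACCT_SESSION_ID = 1, 44
ATTR_MESSAGE_AUTHENTICATOR, ATTR_ERROR_CAUSE = 80, 101
ERR_SESSION_CONTEXT_NOT_FOUND = 503  # RFC 5176 Error-Cause value


def encode_attrs(attrs):
    """Encode [(type, value_bytes)] as RADIUS type/length/value triples."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_request(code, ident, attrs, secret):
    """CoA/Disconnect-Request with Message-Authenticator and Request Authenticator."""
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Message-Authenticator: HMAC-MD5 keyed with the shared secret over the
    # packet, with the authenticator field and the attribute value zeroed.
    mac = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
    body = body[:-16] + mac
    # Request Authenticator (RFC 5176): MD5(Code+ID+Length+16 zero octets+attrs+secret)
    req_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + req_auth + body


def build_response(code, ident, req_auth, attrs, secret):
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator: MD5(Code+ID+Length+RequestAuth+attrs+secret)
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def nad_handle(packet, nad_secret, active_sessions):
    """Simulated NAD. Returns None when the request is silently discarded,
    which is what a shared-secret mismatch looks like from the ACS side."""
    header, req_auth = packet[:4], packet[4:20]
    body = packet[20:struct.unpack("!H", header[2:4])[0]]
    if hashlib.md5(header + bytes(16) + body + nad_secret).digest() != req_auth:
        return None
    attrs = decode_attrs(body)
    zeroed = encode_attrs([(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                           for t, v in attrs])
    expected = hmac.new(nad_secret, header + bytes(16) + zeroed, hashlib.md5).digest()
    got = dict(attrs).get(ATTR_MESSAGE_AUTHENTICATOR)
    if got is None or not hmac.compare_digest(got, expected):
        return None
    session = dict(attrs).get(ATTR_ACCT_SESSION_ID, b"").decode()
    if session in active_sessions:
        active_sessions.discard(session)
        return build_response(DISCONNECT_ACK, header[1], req_auth, [], nad_secret)
    cause = [(ATTR_ERROR_CAUSE, struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND))]
    return build_response(DISCONNECT_NAK, header[1], req_auth, cause, nad_secret)


def verify_response(response, request, secret):
    """Return (code, error_cause) if the Response Authenticator verifies, else None."""
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    if header[1] != request[1]:
        return None
    if hashlib.md5(header + request[4:20] + body + secret).digest() != resp_auth:
        return None
    causes = [struct.unpack("!I", v)[0] for t, v in decode_attrs(body) if t == ATTR_ERROR_CAUSE]
    return header[0], (causes[0] if causes else None)


def disconnect(session_id, user, acs_secret, nad_secret, active_sessions, ident=1):
    """One ACS -> NAD disconnect exchange. Returns 'ack', 'nak:<cause>' or 'no response'."""
    request = build_request(DISCONNECT_REQUEST, ident,
                            [(ATTR_USER_NAME, user.encode()),
                             (ATTR_ACCT_SESSION_ID, session_id.encode())], acs_secret)
    response = nad_handle(request, nad_secret, active_sessions)
    if response is None:
        return "no response"
    verified = verify_response(response, request, acs_secret)
    if verified is None:
        return "bad response authenticator"
    code, cause = verified
    return "ack" if code == DISCONNECT_ACK else f"nak:{cause}"


if __name__ == "__main__":
    sessions = {"0000001A", "0000001B"}      # constructed Acct-Session-Id values
    secret = b"constructed-shared-secret"
    print(disconnect("0000001A", "alice", secret, secret, sessions))         # ack
    print(disconnect("0000001A", "alice", secret, secret, sessions))         # nak:503
    print(disconnect("0000001B", "bob", b"wrong-secret", secret, sessions))  # no response
```

Two points from this exchange matter for the troubleshooting step above. A device whose server-key differs from the secret in ACS does not reply at all, so ACS can only report a failed CoA and the cause has to be confirmed on the device side. A Disconnect-NAK with Error-Cause 503 is what you get after selecting the expired duplicate session mentioned in the note above, because the NAD no longer holds that session context; that is why the most recent session must be chosen.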
Understanding Charts

A chart is a graphical representation of data or of the relationships among data sets. Charts display complex data in an easy-to-assimilate format. In ACS 5.7, you cannot customize the charts from the Reports web interface.

Figure 9 on page 24 shows the parts of a basic bar chart. A chart displays data as one or more sets of points. The chart organizes data points into sets of values called series. The two types of series are:

Category series: The category series typically determines what text, numbers, or dates you see on the x-axis.
Value series: The value series typically determines the text, numbers, or dates on the y-axis.

In Figure 9 on page 24, the category series contains a set of regions, and the value series contains a set of sales figure values.
    Figure 9 Parts of a Basic Bar Chart
    There are a variety of chart types. Some types of data are best depicted with a specific type of chart. Charts can be used as 
    reports in themselves and they can be used together with tabular data report styles.  
Cisco Systems, Inc. www.cisco.com

Troubleshooting ACS with the Monitoring and Report Viewer
    This chapter describes the diagnostic and troubleshooting tools that the Monitoring and Report Viewer provides for the 
    Cisco Secure Access Control System.
    This chapter contains the following sections:
    Available Diagnostic and Troubleshooting Tools, page 1
    Performing Connectivity Tests, page 3
    Downloading ACS Support Bundles for Diagnostic Information, page 4
    Working with Expert Troubleshooter, page 5
    Available Diagnostic and Troubleshooting Tools
    The Monitoring and Report Viewer provides the following:
    Connectivity Tests, page 1
    ACS Support Bundle, page 1
    Expert Troubleshooter, page 2
    Connectivity Tests
    When you have authentication problems, you can perform a connectivity test to check for connectivity issues. You can 
    enter the hostname or the IP address of the network device that you are trying to connect with and execute the following 
    commands from the web interface: ping, traceroute, and nslookup. 
    The Monitoring and Report Viewer displays the output of these commands. See Performing Connectivity Tests, page 3 
    for detailed instructions on how to perform the connectivity tests.
    ACS Support Bundle
    You can use the ACS support bundle to prepare diagnostic information for TAC to troubleshoot problems with ACS.
    Support bundles typically contain the ACS database, log files, core files, and Monitoring and Report Viewer support files. 
    You can exclude certain files from the support bundle, per ACS node. You can download the support bundle to your local 
    computer. The browser (depending on its configuration) displays the progress of the download and prompts you to save 
    the support bundle to an appropriate location.
    If the ACS server is a primary instance, the support bundle includes an export of the ACS configuration. 
    If the ACS server is a secondary instance, the ACS database is not included. 
    If the ACS server is a log collector, the support bundle includes an export of the monitoring and report configuration 
    and collected AAA audit and diagnostic logs. 
    If the ACS server is not the log collector, the monitoring and reporting configuration is not included in the support 
    bundle. See Downloading ACS Support Bundles for Diagnostic Information, page 4 for detailed instructions on how 
    to download ACS support bundles.
    Expert Troubleshooter
    Expert Troubleshooter is an easy-to-use, web-based troubleshooting utility that helps you diagnose and troubleshoot 
    problems in ACS deployments. It reduces the time that you take to diagnose the problem and provides you detailed 
    instructions on how to resolve the problem.
    You can use Expert Troubleshooter to diagnose and troubleshoot passed and failed authentications. For example, if a 
    user is unable to gain access to the network, you can use the Expert Troubleshooter to diagnose the cause of this 
    problem.
Expert Troubleshooter also lets you run show commands on any network device from the ACS web interface. The output of the show command is returned to you exactly as it appears on the device console.

You can use Expert Troubleshooter to evaluate the configuration of any network device and find discrepancies that cause the problem. ACS 5.7 supports evaluating communication with network devices over IPv6 as well as IPv4.

In addition, Expert Troubleshooter provides four diagnostic tools for troubleshooting Security Group Access (TrustSec) device-related problems.
    The Expert Troubleshooter identifies the cause of the problem and lists an appropriate course of action that you can take 
    to resolve the problem. See Working with Expert Troubleshooter, page 5 for more information on the various tools that 
    Expert Troubleshooter offers.
Table 1 on page 2 describes the diagnostic tools that ACS 5.7 offers:

Table 1 Expert Troubleshooter - Diagnostic Tools

Diagnostic Tool                         Description
RADIUS Authentication Troubleshooting   Troubleshoots a RADIUS authentication. See Troubleshooting RADIUS
                                        Authentications, page 6 for more information.
Execute Network Device Command          Executes any show command on a network device. See Executing the Show
                                        Command on a Network Device, page 9 for more information.
Evaluate Configuration Validator        Evaluates the configuration of a network device. See Evaluating the
                                        Configuration of a Network Device, page 10 for more information.
Trust Sec Tools
Egress (SGACL) Policy                   Compares the Egress Policy (SGACL) between a network device and ACS. See
                                        Comparing SGACL Policy Between a Network Device and ACS, page 11 for more
                                        information.
SXP-IP Mappings                         Compares SXP mappings between a device and its peers. See Comparing the
                                        SXP-IP Mappings Between a Device and its Peers, page 12 for more information.
IP User SGT                             Compares IP-SGTs on a device with ACS authentication-assigned User-IP-SGT
                                        records. See Comparing IP-SGT Pairs on a Device with ACS-Assigned SGT
                                        Records, page 14 for more information.
Device SGT                              Compares the device SGT with the ACS-assigned SGT. See Comparing Device SGT
                                        with ACS-Assigned Device SGT, page 15 for more information.

Performing Connectivity Tests

You can test your connectivity to a network device using the device's hostname or IP address. For example, you can verify your connection to an identity store by performing a connectivity test. In ACS 5.7, you can also test the connectivity of remote machines.

To test connectivity between your ACS and a device's hostname or IP address:

1. Select Monitoring and Reports > Troubleshooting > Connectivity Tests. The Connectivity Tests page appears.
2. Click the IPv4 or IPv6 radio button to select the appropriate IP address type.
3. Modify the fields in the Connectivity Tests page as described in Table 2 on page 3.
4. Click ping, traceroute, or nslookup, depending on your test. The output of the ping, traceroute, or nslookup command appears.

Table 2 Connectivity Tests

Option                  Description
Hostname or IP Address  Enter the hostname or IP address of the connection you want to test. Click Clear to clear
                        the hostname or IP address that you have entered.
ping                    Click to see the ping command output, where you can view the packets sent and received,
                        packet loss (if any), and the time for the test to complete.
traceroute              Click to see the traceroute command output, where you can view the intermediate IP
                        addresses (hops) between your ACS and the tested hostname or IP address, and the time for
                        each hop to complete.
nslookup                Click to see the nslookup command output, where you can see the server and IP address of
                        your tested domain name server hostname or IP address.

Related Topics
Available Diagnostic and Troubleshooting Tools, page 1
Connectivity Tests, page 1
ACS Support Bundle, page 1
Expert Troubleshooter, page 2
Downloading ACS Support Bundles for Diagnostic Information

To create and download an ACS support bundle:

1. Select Monitoring and Reports > Troubleshooting > ACS Support Bundle. The ACS Support Bundle page appears with the fields described in Table 3 on page 4.

2. Choose a server and click Get Support Bundle. The Download Parameters for the Server page appears. You can create and download an ACS support bundle for the associated ACS node instance.
   Note: ACS 5.7 allows you to download the support bundle to an IPv6 URL-specified destination.

3. Select the download options you want to include in your ACS support.tar.gz file. Downloading a support bundle can be slow if the file is extremely large. For faster downloads, do not include core files and View support files in the support bundle. The options are:

Encrypt Support Bundle: Check this box to encrypt the support bundle. Specify the decryption passphrase in Passphrase and confirm it in Confirm Passphrase. Because the bundle can contain the configuration database and password material, encrypt it whenever it will be transferred off the appliance.

Include full configuration database: Check this box to include the whole database in the support bundle. If this option is not checked, only a subset of the database is included. Click Include sensitive information or Exclude sensitive information to include or exclude sensitive information in the logs. Sensitive information consists of passwords in encrypted format, ACS configuration data, and so on.

Include debug logs: Check this check box to include debug logs, then click All, or click Recent and enter a value from 1 to 999 in the file(s) field to specify which debug logs to include.

Include local logs: Check this check box to include local logs, then click All, or click Recent and enter a value from 1 to 999 in the file(s) field to specify which local logs to include.

Include core files: Check this check box to include core files, then click All, or click Include files from the last and enter a value from 1 to 365 in the day(s) field.

Include monitoring and reporting logs: Check this check box to include monitoring and reporting logs, then click All, or click Include files from the last and enter a value from 1 to 365 in the day(s) field. Specify which monitoring and reporting logs to include:

Table 3 ACS Support Bundle Page

Option            Description
Server            Name of an ACS node instance. Click to display the Download Parameters for the Server page, to
                  create and download an ACS support bundle for the ACS node instance.
IP Address        Display only. Indicates the IP address of the associated ACS node.
Node Designation  Display only. Indicates whether the associated ACS node is the primary or a secondary instance.