Cisco ACS 5.7 User Guide
Managing System Administration Configurations
Configuring Local Server Certificates

4. Click Submit to extend the existing certificate's validity.
   The Local Certificate Store page appears with the edited certificate.

Related Topic
Configuring Local Server Certificates, page 16

Deleting Certificates

To delete a certificate:

1. Select System Administration > Configuration > Local Server Certificates > Local Certificates.
2. Check the check boxes next to the certificates that you want to delete.
3. Click Delete.
4. To confirm, click Yes or Cancel.
   The Certificate Store page appears without the deleted certificate(s).

Table 19 Edit Certificate Store Properties Page

Option: Description

Issuer
  Friendly Name: Name that is associated with the certificate.
  Description: Description of the certificate.
  Issued To: Display only. The entity to which the certificate is issued. The name that appears is taken from the certificate subject.
  Issued By: Display only. The certification authority that issued the certificate.
  Valid From: Display only. The start date of the certificate's validity. An X.509 certificate is valid only from the start date to the end date (inclusive).
  Valid To (Expiration): Display only. The last date of the certificate's validity.
  Serial Number: Display only. The serial number of the certificate.

Protocol
  EAP: Check for ACS to use the local certificate with EAP protocols that use SSL/TLS tunneling: EAP-TLS, EAP-FAST, and PEAP.
  Management Interface: Check for ACS to use the local certificate for SSL client authentication.

Renew Self Signed Certificate
  Certificate Expires On: Display only. Date the certificate expires.
  Renew Self Signed Certificate: Check to allow the renewal of a self-signed certificate that has expired.
  Expiration TTL: The number of days, weeks, months, or years by which you want to extend the existing certificate. Valid options are: one day, one week, one month, and one year. At a maximum, you can extend the certificate for a period of one year.
Related Topic
Configuring Local Server Certificates, page 16

Exporting Certificates

To export a certificate:

1. Select System Administration > Configuration > Local Server Certificates > Local Certificates.
2. Check the check box next to the certificate that you want to export, then click Export.
   The Export Certificate dialog box appears.
3. Select one of the following options:
   - Export Certificate Only
   - Export Certificate and Private Key
4. Enter your private key password in the Private Key Password field.
5. Enter the same password in the Confirm Password field.
   Note: Exporting the private key is not a secure operation and could lead to exposure of the private key. Anyone who obtains the exported file together with its password can present this certificate as ACS does (for EAP tunnels and the management interface, depending on the Protocol settings in Table 19). Export the key only when you must, protect the file and password in transit and at rest, and delete the exported copy once it has been imported where it is needed.
6. Click OK or Cancel.

Related Topic
Configuring Local Server Certificates, page 16

Viewing Outstanding Signing Requests

1. Select System Administration > Configuration > Local Server Certificates > Outstanding Signing Request.
   The Certificate Signing Request page appears, displaying the information described in Table 20 on page 22.
2. Click Export to export the local certificate to a client machine.

Table 20 Certificate Signing Request Page

Option: Description
  Name: Name of the certificate.
  Certificate Subject: Certificate subject entered during generation of this request. The Certificate Subject field may contain alphanumeric characters. The maximum number of characters is 1024. This field is automatically prefixed with "cn=".
  Key Length: Key length entered during generation of this request. Values may be 512, 1024, 2048, or 4096. Keys of 512 and 1024 bits are below current minimum RSA key sizes; use 2048 or 4096 for new requests.
  Timestamp: Date the certificate request was created.
  Friendly Name: Name that is associated with the certificate.
Configuring Local and Remote Log Storage

Log records are generated for:
- Accounting messages
- AAA audit and diagnostics messages
- System diagnostics messages
- Administrative and operational audit messages

The messages are arranged in a tree hierarchy within the logging categories (see Configuring Logging Categories, page 27, for more information). You can store log messages locally or remotely, based on the logging categories and the available disk space.

This section contains the following topics:
- Configuring Remote Log Targets, page 23
- Configuring the Local Log, page 27
- Configuring Logging Categories, page 27
- Configuring Global Logging Categories, page 27
- Configuring Per-Instance Logging Categories, page 32
- Displaying Logging Categories, page 34
- Configuring the Log Collector, page 34
- Viewing the Log Message Catalog, page 35

See Understanding Logging, page 1, for a description of the preconfigured global ACS logging categories and the messages that each contains.

Configuring Remote Log Targets

You can configure specific remote log targets (on a syslog server only) to receive the logging messages for a specific logging category. See Understanding Logging, page 1, for more information on remote log targets. See Configuring Logging Categories, page 27, for more information on the preconfigured ACS logging categories.

ACS 5.7 allows you to send secure syslog messages to a remote log target. If you choose the secure syslog option, ACS logs the following messages in the System Diagnostic reports:
- Remote syslog target is unavailable.
- Remote syslog target connection is resumed.
- Remote syslog target buffer is cleared.

To create a new remote log target:

1. Choose System Administration > Configuration > Log Configuration > Remote Log Targets.
   The Remote Log Targets page appears.
2. Do one of the following:
   - Click Create.
   - Check the check box next to the remote log target that you want to duplicate and click Duplicate.
   - Click the name of the remote log target that you want to modify; or check the check box next to the name of the remote log target that you want to modify and click Edit.
   One of these pages appears:
   - Remote Log Targets > Create, if you are creating a new remote log target.
   - Remote Log Targets > Duplicate: "log_target", where log_target is the name of the remote log target that you selected in step 2, if you are duplicating a remote log target.
   - Remote Log Targets > Edit: "log_target", where log_target is the name of the remote log target that you selected in step 2, if you are modifying a remote log target.
3. Complete the required fields as described in Table 21 on page 24.

Table 21 Remote Log Targets Configuration Page

Option: Description

General
  Name: Name of the remote log target. Maximum name length is 32 characters.
  Description: Description of the remote log target. Maximum description length is 1024 characters.
  Type: Type of remote log target. Syslog is the only option.

Target Configuration
  IP Address: IP address of the remote log target, in the format x.x.x.x.
  Target Type: Select the syslog target type. By default it is set to UDP Syslog. The available target types are:
    - UDP Syslog: The log messages are sent to the remote syslog target over UDP. UDP syslog is neither authenticated nor encrypted, and lost datagrams are not retransmitted, so anyone on the path can read, alter, or spoof the messages and gaps in the audit trail go unnoticed.
    - TCP Syslog: The log messages are sent to the remote syslog target over a TCP connection. This gives delivery ordering and the buffering described below, but still no confidentiality or server authentication.
    - Secure TCP Syslog: The log messages are sent to the remote syslog target over a TLS-protected TCP connection. The administrator has to configure CA and server certificates in both ACS and the remote syslog target. ACS verifies the server certificate from the remote syslog server and, if the certificate is valid, establishes a secure TCP connection between ACS and the remote syslog target to send the log messages.
  Use Advanced Syslog Options: Click to enable the advanced syslog options: port number, facility code, maximum length, buffer messages when server down, buffer size, reconnect timeout, select certificate authority, and accept any syslog server. ACS displays the Advanced Syslog Options according to the selected target type.
  Port: Port number of the remote log target used as the communication channel between ACS and the remote log target. The default port number for UDP Syslog is 514. The default port number for TCP Syslog is 1468. The default port number for Secure TCP Syslog is 6514.
  Facility Code: Facility code. Valid options are:
    - LOCAL0 (Code = 16)
    - LOCAL1 (Code = 17)
    - LOCAL2 (Code = 18)
    - LOCAL3 (Code = 19)
    - LOCAL4 (Code = 20)
    - LOCAL5 (Code = 21)
    - LOCAL6 (Code = 22; default)
    - LOCAL7 (Code = 23)
  Maximum Length: Maximum length of the remote log target messages. Valid options are from 200 to 8192. The default value is 1024.
  Buffer Messages When Server Down: Check this check box if you want ACS to buffer the syslog messages when the TCP syslog or Secure TCP syslog target is unavailable. ACS retries sending the messages to the target when the connection is re-established. After the connection is re-established, messages are sent in order from oldest to newest, and buffered messages are always sent before new messages. If the buffer is full, old messages are discarded.
  Buffer Size: (Required only when you check the Buffer Messages When Server Down check box.) Maximum size (in MB) of the buffered messages that can be stored in ACS when the remote syslog server is down. By default, it is set to 100 MB. The valid range is from 10 to 100 MB. Changing the buffer size clears the buffer, and all existing buffered messages for the specific target are lost. These buffered messages are also cleared when you edit some of the other options in the Remote Log Targets page. See the notes below for more details.
  Reconnect Timeout: (Applicable only for TCP Syslog and Secure TCP Syslog targets.) The time interval at which ACS tries to reconnect to the remote syslog server when the remote syslog server is down and disconnected from ACS. The valid range is from 30 to 120 seconds. The default value is 30 seconds.
  Select Certificate Authority: (Required only for Secure TCP Syslog targets.) The administrator has to choose one of the installed CA certificates in the CTL to be used for Secure Syslog. ACS uses the first valid local certificate that was signed by the selected CA for the TLS negotiation with the syslog server; the administrator cannot choose a specific certificate. If ACS cannot find a valid installed local certificate, it uses the management certificate.
  Accept Any Syslog Server: (Applicable only for Secure TCP Syslog targets.) Check this check box if you want ACS to ignore server certificate validation and accept any syslog server. By default, this option is unchecked. Leave it unchecked in production: with validation disabled, any host that answers on the configured IP address and port receives the audit and accounting logs, and an on-path attacker can terminate the TLS session and read or drop them.

4. Click Submit.
   The remote log target configuration is saved. The Remote Log Targets page appears with the new remote log target configuration.
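The Table 21 options fit together as a small sender state machine: the facility code and severity form the syslog PRI, Maximum Length caps the line, Buffer Messages When Server Down queues lines oldest-first and drains the queue before any new line, and Select Certificate Authority versus Accept Any SysLog Server decides whether the server certificate is checked at all. The following Python model is an added example, not code from the Cisco guide. It assumes a `<PRI>text` framing, a numeric severity for each Table 22 log level, that a full buffer discards the oldest message first, and an in-memory stub in place of the socket so it runs offline; the names `BufferedTarget`, `tls_context`, `format_message` and `demo` are the example's own.

```python
"""Model of the Remote Log Targets options in Table 21.

Added example, not code from the Cisco ACS guide. Assumed here (not stated
by the guide): the '<PRI>text' message framing, the numeric syslog
severities for the Table 22 log levels, that a full buffer discards the
oldest message first, and an in-memory stub in place of the socket.
"""
import ssl
from collections import deque

# Facility codes exactly as listed in Table 21 (LOCAL6 is the ACS default).
FACILITY = {"LOCAL0": 16, "LOCAL1": 17, "LOCAL2": 18, "LOCAL3": 19,
            "LOCAL4": 20, "LOCAL5": 21, "LOCAL6": 22, "LOCAL7": 23}

# Assumed mapping of the Table 22 levels onto RFC 5424 severities
# (0 = emergency ... 7 = debug); the guide does not give one.
SEVERITY = {"FATAL": 0, "ERROR": 3, "WARN": 4, "INFO": 6, "DEBUG": 7}

# Default ports from Table 21.
DEFAULT_PORT = {"UDP": 514, "TCP": 1468, "SECURE_TCP": 6514}


def pri(facility, severity):
    """Syslog PRI value: facility code * 8 + severity (RFC 3164 / RFC 5424)."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def format_message(facility, severity, text, max_length=1024):
    """Frame one message and enforce the Maximum Length option (200..8192)."""
    if not 200 <= max_length <= 8192:
        raise ValueError("Maximum Length must be between 200 and 8192")
    return f"<{pri(facility, severity)}>{text}"[:max_length]


def tls_context(ca_file=None, accept_any_server=False):
    """TLS settings for a Secure TCP Syslog target.

    accept_any_server=True mirrors the 'Accept Any SysLog Server' check box:
    server certificate validation is switched off. The default keeps
    validation on; ca_file plays the role of 'Select Certificate Authority'.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if accept_any_server:
        ctx.check_hostname = False   # weak setting, kept only for contrast
        ctx.verify_mode = ssl.CERT_NONE
    elif ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


class BufferedTarget:
    """TCP / Secure TCP target with 'Buffer Messages When Server Down'.

    send(line) must return True when the server accepted the line and
    False while the server is down; it stands in for the real socket.
    """

    def __init__(self, send, buffer_bytes=100 * 1024 * 1024):
        self.send = send
        self.buffer = deque()
        self.buffered_bytes = 0
        self.limit = buffer_bytes    # Buffer Size, here in bytes rather than MB
        self.dropped = 0

    def _enqueue(self, line):
        size = len(line.encode())
        # Assumption: when the buffer is full the oldest message goes first.
        while self.buffer and self.buffered_bytes + size > self.limit:
            self.buffered_bytes -= len(self.buffer.popleft().encode())
            self.dropped += 1
        self.buffer.append(line)
        self.buffered_bytes += size

    def flush(self):
        """Resend buffered lines oldest first; stop at the first failure."""
        while self.buffer:
            if not self.send(self.buffer[0]):
                return False
            self.buffered_bytes -= len(self.buffer.popleft().encode())
        return True

    def log(self, line):
        """Buffered messages always go out before a new one."""
        if self.flush() and self.send(line):
            return True
        self._enqueue(line)
        return False


def demo():
    """Server down for three messages, then back; a tiny buffer shows eviction."""
    delivered = []
    server_up = [False]

    def send(line):
        if server_up[0]:
            delivered.append(line)
        return server_up[0]

    target = BufferedTarget(send, buffer_bytes=40)   # room for two 16-byte lines
    msgs = [format_message("LOCAL6", "INFO", f"ACS_EVENT_{i}") for i in range(4)]
    for m in msgs[:3]:
        target.log(m)            # all three buffered; the oldest is evicted
    server_up[0] = True
    target.log(msgs[3])          # reconnect: buffer drains, then the new line
    return delivered, target.dropped
```

`demo()` returns the lines the stub server saw and the number of evicted messages: with a buffer sized for two lines and three logged while the server is down, ACS_EVENT_0 is lost, and after reconnection ACS_EVENT_1 and ACS_EVENT_2 arrive before ACS_EVENT_3. That loss is silent to the sender, which is why the Buffer Size should be set to cover the longest outage you expect on the collector, not left at whatever the defaults happen to be.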
Note: When you edit the IP Address, Target Type, Buffer Size, Maximum Length, or Port field of a remote log target, ACS displays the following message in a pop-up window: "Your changes will delete all not sent messages in buffer. Do you want to continue?" Click OK to delete the buffered messages and save the changes made in the fields. Click Cancel if you do not want to delete the buffered messages.

Note: When you use multiple remote log targets for an ACS instance and edit the IP Address, Target Type, Buffer Size, Maximum Length, or Port field of one remote log target, only the buffered messages specific to the edited remote log target are deleted. This operation does not affect the buffered messages that are associated with the other, unedited remote log targets.

Note: When a remote log target of an ACS deployment goes down, ACS stores the log messages in the buffer of the instance that generated them. For example, if the log message is created in the primary instance, ACS stores the message in the primary instance's buffer. If the log message is created in a secondary instance, ACS stores the message in that secondary instance's buffer.

Note: In an ACS deployment, the server certificate issued by the remote log target's CA should be installed in all ACS instances.

Note: When you select Secure TCP as the target type for a remote log target, the log collector acts as both the syslog server and the client (internal communication is through SSL). In this case, the root CA that issued the log collector's management certificate must be installed in the CA trust list for the SSL handshake to succeed.

Note: If the management certificate of the log collector has Key Usage (KU), Extended Key Usage (EKU), and Netscape certificate type fields, then both the server and client authentication details must be set in these fields, whereas the other ACS instances in the deployment need only the client authentication details. Check this on the certificate itself before enabling Secure TCP (for example, with OpenSSL 1.1.1 or later: openssl x509 -noout -ext keyUsage,extendedKeyUsage -in collector.pem); if an EKU is present but lacks the server authentication purpose, the other instances reject the collector's certificate during the handshake.

Note: To send all CARS related log messages to the remote syslog server, execute the logging command from the ACS CLI. After executing this command, ACS does not send CARS related messages to the log collector server.

Related Topic
Deleting a Remote Log Target, page 26

Deleting a Remote Log Target

To delete a remote log target:

1. Select System Administration > Configuration > Log Configuration > Remote Log Targets.
   The Remote Log Targets page appears, with a list of the configured remote log targets.
2. Check one or more check boxes next to the remote log targets that you want to delete.
3. Click Delete.
   The following confirmation message appears: "Are you sure you want to delete the selected item/items?"
4. Click OK.
   The Remote Log Targets page appears without the deleted remote log targets.

Related Topic
Configuring Remote Log Targets, page 23
Configuring the Local Log

Use the Local Configuration page to configure the maximum number of days to retain your local log data.

1. Select System Administration > Configuration > Log Configuration > Local Log Target.
   The Local Configuration page appears.
2. In the Maximum log retention period box, enter the number of days for which you want to store local log message files. Valid options are 1 to 365. (Default = 7.)
   Note: If you reduce the number of days for which to store the local log message files, the log message files older than the number of days you specify are deleted automatically. You can click Delete Logs Now to delete the local logs, including all non-active log files, immediately. See Deleting Local Log Data, page 27, for more information on deleting log data.
3. Click Submit to save your changes.
   Your configuration is saved and the Local Configuration page is refreshed.

Deleting Local Log Data

Use the Local Configuration page to manually delete your local log data. You can use this option to free up space when the local store is full. See Local Store Target, page 4, for more information about the local store. Deleting local logs is itself an audited action (ACS_DELETE_LOG in Table 24 on page 29), and the deleted records cannot be recovered from ACS, so confirm that a remote log target already holds a copy before you delete.

1. Select System Administration > Configuration > Log Configuration > Local Log Target.
   The Local Configuration page appears.
2. Click Delete Logs Now to immediately delete all local log data files, except the log data in the currently active log data file.
   The Local Configuration page is refreshed.

Configuring Logging Categories

This section contains the following topics:
- Configuring Global Logging Categories, page 27
- Configuring Per-Instance Logging Categories, page 32

All configuration performed for a parent logging category affects the children within the logging category. You can select a child of a parent logging category to configure it separately; doing so does not affect the parent logging category or the other children.

Configuring Global Logging Categories

To view and configure global logging categories:

1. Select System Administration > Configuration > Log Configuration > Logging Categories > Global.
   The Logging Categories page appears; from here, you can view the logging categories.
2. Click the name of the logging category that you want to configure; or, click the radio button next to the name of the logging category that you want to configure and click Edit.
3. Complete the fields as described in Table 22 on page 28. If you have completed your configuration, proceed to step 6.
4. To configure a remote syslog target, click Remote Syslog Target and proceed to step 5.
5. Complete the Remote Syslog Target fields as described in Table 23 on page 28.
6. Click Submit.
   The Logging Categories page appears, with your configured logging category.

Table 22 Global: General Page

Option: Description

Configure Log Category
  Log Severity: For diagnostic logging categories, use the drop-down list box to select the severity level. (For audit and accounting categories, there is only one severity, NOTICE, which cannot be modified.) Valid options are:
    - FATAL: Emergency. ACS is not usable and you must take action immediately.
    - ERROR: Critical or error condition.
    - WARN: Normal, but significant condition. (Default)
    - INFO: Informational message.
    - DEBUG: Diagnostic debug message.

Configure Local Setting for Category
  Log to Local Target: Check to enable logging to the local target. For administrative and operational audit logging category types, logging to the local target is enabled by default and cannot be disabled.
  Local Target is Critical: Usable for accounting and for AAA audit (passed authentication) logging category types only. Check the check box to make this local target the critical target. For administrative and operational audit logging category types, the check box is checked by default and cannot be unchecked; the local target is the critical target.
  Configure Logged Attributes: Display only. All attributes are logged to the local target.

Table 23 Global: Remote Syslog Target Page

Option: Description

Configure Syslog Targets
  Available targets: List of available targets. You can select a target from this list and move it to the Selected Targets list.
  Selected targets: List of selected targets. You can select a target from this list and move it to the Available Targets list to remove it from your configuration.
Administrative and operational audit messages include audit messages of the following types:
- Configuration changes
- Internal user change password
- Administrator access
- Operational audit

Some of the operational audit messages are not logged in the local log target. See Table 24 on page 29 for a list of administrative and operational logs that are not logged in the local target. See Viewing ADE-OS Logs, page 31, for information on how you can view these logs from the ACS CLI. Because these events never reach the local log target, a remote syslog target for the administrative and operational audit category (or the ADE-OS CLI) is the only place where they can be reviewed, and several of them (clock, NTP, IP address, and name server changes; log deletion; database reset; administrator password reset) are the kind of events an attacker generates while covering tracks.

Table 24 on page 29 lists the administrative and operational logs, grouped by category, that are not logged to the local target.

Table 24 Administrative and Operational Logs Not Logged in the Local Target

Category: Log and Description

Process-Management
  ACS_START_PROCESS: ACS process started
  ACS_STOP_PROCESS: ACS process stopped
  ACS_START: All ACS processes started
  ACS_STOP: All ACS processes stopped
  WD_RESTART_PROCESS: ACS process restarted by watchdog
  WD_CONFIG_CHANGE: Watchdog configuration reloaded
  ACS_START_STOP_ERROR: ACS process reported start/stop error

DB-Management
  CARS_BACKUP: CARS backup complete
  CARS_RESTORE: CARS restore complete
  ACS_BACKUP: ACS DB backup complete
  ACS_RESTORE: ACS DB restore complete
  ACS_SUPPORT: ACS support bundle collected
  ACS_RESET: ACS DB reset

File-Management
  ACS_DELETE_CORE: ACS core files deleted
  ACS_DELETE_LOG: ACS log files deleted

Software-Management
  ACS_UPGRADE: ACS upgraded
  ACS_PATCH: ACS patch installed
  UPGRADE_SCHEMA_CHANGE: ACS schema upgrade complete
  UPGRADE_DICTIONARY: ACS dictionary upgrade complete
  UPGRADE_DATA_MANIPULATION: ACS upgrade, data manipulation stage complete
  UPGRADE_AAC: ACS AAC upgrade complete
  UPGRADE_PKI: ACS PKI upgrade complete
  UPGRADE_VIEW: ACS View upgrade complete
  CLI_ACS_UPGRADE: ACS upgrade started
  CLI_ACS_INSTALL: ACS install started

System-Management
  ACS_MIGRATION_INTERFACE: ACS migration interface enabled/disabled
  ACS_ADMIN_PSWD_RESET: ACS administrator password reset
  CLI_CLOCK_SET: Clock set
  CLI_TZ_SET: Time zone set
  CLI_NTP_SET: NTP server set
  CLI_HOSTNAME_SET: Hostname set
  CLI_IPADDRESS_SET: IP address set
  CLI_IPADDRESS_STATE: IP address state
  CLI_DEFAULT_GATEWAY: Default gateway set
  CLI_NAME_SERVER: Name server set
  ADEOS_XFER_LIBERROR: ADE OS Xfer library error
  ADEOS_INSTALL_LIBERROR: ADE OS install library error
  AD_JOIN_ERROR: AD agent failed to join AD domain
  AD_JOIN_DOMAIN: AD agent joined AD domain
  AD_LEAVE_DOMAIN: AD agent left AD domain
  IMPORT_EXPORT_PROCESS_ABORTED: Import/Export process aborted
  IMPORT_EXPORT_PROCESS_STARTED: Import/Export process started
  IMPORT_EXPORT_PROCESS_COMPLETED: Import/Export process completed
  IMPORT_EXPORT_PROCESS_ERROR: Error during Import/Export process
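Since the Table 24 events are only available on the remote syslog target, the collector side is where they have to be watched. The following Python detection logic is an added example, not code from the Cisco guide: it parses a syslog feed, raises an alert for the Table 24 events that alter the audit trail or the trust boundary, and flags the sequence of a clock or NTP change followed by log deletion on the same host. The `<PRI>timestamp host app: CODE detail` line layout, the `ACS-Audit` application name and the `SAMPLE` lines are constructed for this example; real ACS syslog output carries more fields, so `LINE_RE` must be adapted to what your collector actually receives.

```python
"""Detection over a syslog feed for the Table 24 events.

Added example, not code from the Cisco ACS guide. The guide lists these
administrative/operational messages as never written to the local log
target, so the remote syslog target (or the ADE-OS CLI) is the only place
to catch them. The line layout and the SAMPLE feed are constructed for
this example; adjust LINE_RE to the format your collector receives.
"""
import re

# Table 24 events that alter the audit trail or the trust boundary.
HIGH_RISK = {
    "ACS_ADMIN_PSWD_RESET": "ACS administrator password reset",
    "ACS_DELETE_LOG": "ACS log files deleted",
    "ACS_RESET": "ACS DB reset",
    "ACS_MIGRATION_INTERFACE": "ACS migration interface enabled/disabled",
    "AD_LEAVE_DOMAIN": "AD agent left AD domain",
    "CLI_CLOCK_SET": "Clock set",
    "CLI_NTP_SET": "NTP server set",
    "CLI_IPADDRESS_SET": "IP address set",
    "CLI_NAME_SERVER": "Name server set",
}

# Assumed layout: <PRI>Mon DD HH:MM:SS host app: CODE optional detail
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\S+ +\d+ [\d:]+) (?P<host>\S+) "
    r"(?P<app>\S+): (?P<code>[A-Z][A-Z_]*)(?: (?P<detail>.*))?$"
)

# Constructed sample feed (not real ACS output).
SAMPLE = [
    "<182>Jan 14 10:02:11 acs-primary ACS-Audit: ACS_START All ACS processes started",
    "<182>Jan 14 10:05:40 acs-primary ACS-Audit: CLI_CLOCK_SET admin=opsuser",
    "<182>Jan 14 10:06:02 acs-primary ACS-Audit: ACS_DELETE_LOG admin=opsuser",
    "<182>Jan 14 10:30:15 acs-secondary ACS-Audit: AD_JOIN_DOMAIN domain=corp.example",
    "<181>Jan 14 11:00:00 acs-secondary ACS-Audit: ACS_ADMIN_PSWD_RESET admin=acsadmin",
    "garbage line without syslog framing",
]


def parse(line):
    """Split one line into facility, severity, host, code and detail."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8, "host": m["host"],
            "code": m["code"], "detail": m["detail"] or ""}


def detect(lines):
    """One alert per high-risk event. Unparsable lines are surfaced as well,
    because a collector silently dropping lines is itself a finding."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            alerts.append(("UNPARSED", None, line))
        elif rec["code"] in HIGH_RISK:
            alerts.append((rec["code"], rec["host"], HIGH_RISK[rec["code"]]))
    return alerts


def tamper_sequences(lines):
    """Hosts where a clock or NTP change precedes log deletion in feed order,
    the usual pattern for backdating or hiding activity."""
    clock_changed, flagged = set(), []
    for rec in filter(None, map(parse, lines)):
        if rec["code"] in ("CLI_CLOCK_SET", "CLI_NTP_SET"):
            clock_changed.add(rec["host"])
        elif rec["code"] == "ACS_DELETE_LOG" and rec["host"] in clock_changed:
            flagged.append(rec["host"])
    return flagged
```

On the sample feed `detect` returns three event alerts plus one UNPARSED entry, and `tamper_sequences` returns `acs-primary`, where the clock was set a few seconds before the logs were deleted. The facility recovered from the PRI (22, LOCAL6) should match the Facility Code configured in Table 21; a mismatch means the line did not come from the ACS target you think it did.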