# Cisco ACS 5.7 User Guide
## Managing System Administration Configurations

### Configuring Local and Remote Log Storage

Related Topics

- Configuring Per-Instance Logging Categories, page 32
- Viewing ADE-OS Logs, page 31

#### Viewing ADE-OS Logs

The logs listed in Table 24 on page 29 are written to the ADE-OS logs. From the ACS CLI, you can use the following command to view the ADE-OS logs:

```
show logging system ade/ADE.log
```

This command lists all the ADE-OS logs, and your output would be similar to the following example:

```
Sep 29 23:24:15 cd-acs5-13-179 sshd(pam_unix)[20013]: 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.77.137.95 user=admin
Sep 29 23:24:34 cd-acs5-13-179 sshd(pam_unix)[20017]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.77.137.95 user=admin
Sep 29 23:24:36 cd-acs5-13-179 sshd[20017]: Failed password for admin from 10.77.137.95 port 3635 ssh2
Sep 30 00:47:44 cd-acs5-13-179 sshd(pam_unix)[20946]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.77.137.95 user=admin
Sep 30 00:47:46 cd-acs5-13-179 sshd[20946]: Failed password for admin from 10.77.137.95 port 3953 ssh2
Sep 30 00:54:59 cd-acs5-13-179 sshd(pam_unix)[21028]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.77.137.95 user=admin
Sep 30 00:55:01 cd-acs5-13-179 sshd[21028]: Failed password for admin from 10.77.137.95 port 3962 ssh2
Sep 30 00:55:35 cd-acs5-13-179 last message repeated 5 times
Sep 30 00:55:39 cd-acs5-13-179 sshd[21028]: Accepted password for admin from 10.77.137.95 port 3962 ssh2
Sep 30 00:55:39 cd-acs5-13-179 sshd(pam_unix)[21038]: session opened for user admin by (uid=0)
Sep 30 00:55:40 cd-acs5-13-179 debugd[2597]: hangup signal caught, configuration read
Sep 30 00:55:40 cd-acs5-13-179 debugd[2597]: successfully loaded debug config
Sep 30 00:55:40 cd-acs5-13-179 debugd[2597]: [21043]: utils: cars_shellcfg.c[118] [admin]: Invoked carsGetConsoleConfig
Sep 30 00:55:40 cd-acs5-13-179 debugd[2597]: [21043]: utils: cars_shellcfg.c[135] [admin]: No Config file, returning defaults
Sep 30 01:22:20 cd-acs5-13-179 sshd[21038]: Received disconnect from 10.77.137.95: 11: Connection discarded by broker
Sep 30 01:22:20 cd-acs5-13-179 sshd(pam_unix)[21038]: session closed for user admin
Sep 30 01:22:22 cd-acs5-13-179 debugd[2597]: hangup signal caught, configuration read
Sep 30 01:22:22 cd-acs5-13-179 debugd[2597]: successfully loaded debug config
Sep 30 02:48:54 cd-acs5-13-179 sshd[22500]: Accepted password for admin from 10.77.137.58 port 4527 ssh2
Sep 30 02:48:54 cd-acs5-13-179 sshd(pam_unix)[22504]: session opened for user admin by (uid=0)
Sep 30 02:48:55 cd-acs5-13-179 debugd[2597]: hangup signal caught, configuration read
Sep 30 02:48:55 cd-acs5-13-179 debugd[2597]: successfully loaded debug config
```

You can view the logs grouped by the module that they belong to. For example, the monitoring and troubleshooting logs contain the string MSGCAT and the debug logs contain the string debug. From the ACS CLI, you can enter the following two commands to view the monitoring and troubleshooting logs and the administrative logs respectively:

```
show logging system | include MSGCAT
show logging system | include debug
```

The output of `show logging system | include MSGCAT` would be similar to:
```
Sep 27 13:00:02 cd-acs5-13-103 MSGCAT58010/root: info:[ACS backup] ACS backup completed
Sep 28 13:00:03 cd-acs5-13-103 MSGCAT58010/root: info:[ACS backup] ACS backup completed
Sep 29 06:28:17 cd-acs5-13-103 MSGCAT58007: Killing Tomcat 8363
Sep 29 06:28:28 cd-acs5-13-103 MSGCAT58004/admin: ACS Stopped
Sep 29 06:31:41 cd-acs5-13-103 MSGCAT58037/admin: Installing ACS
Sep 29 09:52:35 cd-acs5-13-103 MSGCAT58007: Killing Tomcat 32729
Sep 29 09:52:46 cd-acs5-13-103 MSGCAT58004/admin: ACS Stopped
Sep 29 09:53:29 cd-acs5-13-103 MSGCAT58004/admin: ACS Starting
Sep 29 10:37:45 cd-acs5-13-103 MSGCAT58018/admin: [ACS-modify-migration-state] completed successfully - interface migration enable
Sep 29 13:00:02 cd-acs5-13-103 MSGCAT58010/root: info:[ACS backup] ACS backup completed
Sep 29 13:56:36 cd-acs5-13-103 MSGCAT58018/admin: [ACS-modify-migration-state] completed successfully - interface migration disable
Sep 29 13:57:02 cd-acs5-13-103 MSGCAT58018/admin: [ACS-modify-migration-state] completed successfully - interface migration disable
Sep 29 13:57:25 cd-acs5-13-103 MSGCAT58018/admin: [ACS-modify-migration-state] completed successfully - interface migration enable
Sep 30 10:57:10 cd-acs5-13-103 MSGCAT58010/admin: info:[ACS backup] ACS backup completed
```

For more information on the show logging command, refer to the CLI Reference Guide for Cisco Secure Access Control System 5.7.

#### Configuring Per-Instance Logging Categories

You can define a custom logging category configuration for specific, overridden ACS instances, or return all instances to the default global logging category configuration.

To view and configure per-instance logging categories:

1. Select System Administration > Configuration > Log Configuration > Logging Categories > Per-Instance.

   The Per-Instance page appears; from here, you can view the individual ACS instances of your deployment.

2. Click the radio button associated with the name of the ACS instance you want to configure, and choose one of these options:

   - Click Override to override the current logging category configuration for selected ACS instances.
   - Click Configure to display the Logging Categories page associated with the ACS instance. You can then edit the logging categories for the ACS instance. See Displaying Logging Categories, page 34 for field descriptions.
   - Click Restore to Global to restore selected ACS instances to the default global logging category configuration.

   Your configuration is saved and the Per-Instance page is refreshed.

Related Topic

- Configuring Per-Instance Security and Log Settings, page 32

#### Configuring Per-Instance Security and Log Settings

You can configure the severity level and local log settings in a logging category configuration for a specific overridden or custom ACS instance. Use this page to:

- View a tree of configured logging categories for a specific ACS instance.
- Open a page to configure a logging category's severity level, log target, and logged attributes for a specific ACS instance.

1. Select System Administration > Configuration > Log Configuration > Logging Categories > Per-Instance, then click Configure.
   The Per-Instance: Configuration page appears as described in Table 25 on page 33.

2. Do one of the following:

   - Click the name of the logging category you want to configure.
   - Select the radio button associated with the name of the logging category you want to configure, and click Edit.

   The Per-Instance: General page appears. From here, you can configure the severity level and local log settings in a logging category configuration for a specific ACS instance. See Table 26 on page 33.

Table 25 Per-Instance: Configuration Page

| Option | Description |
|---|---|
| Name | Expandable tree structure of AAA service logging categories. |
| Edit | Click to display a selected Logging Categories > Edit: "lc_name" page, where lc_name is the name of the logging category. |

Table 26 Per-Instance: General Page

| Option | Description |
|---|---|
| Configure Log Category | |
| Log Severity | Use the list box to select the severity level for diagnostic logging categories. (For audit and accounting categories, there is only one severity, NOTICE, which cannot be modified.) Valid options are: FATAL: Emergency; the ACS is not usable and you must take action immediately. ERROR: Critical or error condition. WARN: Normal, but significant condition (default). INFO: Informational message. DEBUG: Diagnostic bug message. |
| Configure Local Setting for Category | |
| Log to Local Target | Check to enable logging to the local target. For administrative and operational audit logging category types, logging to local target is enabled by default and cannot be disabled. |
| Local Target is Critical | Usable for accounting and for passed authentication logging category types only. Check the check box to make this local target the critical target. For administrative and operational audit logging category types, the check box is checked by default and cannot be unchecked; the local target is the critical target. |
| Configure Logged Attributes | Display only. All attributes are logged to the local target. |
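As an added example (not from the Cisco guide), a small Python parser for the ADE.log and MSGCAT lines shown under Viewing ADE-OS Logs above: it counts failed and accepted SSH password logins per source and user, folds in syslog's "last message repeated N times" lines (which refer to the line immediately before them, so the repeat count belongs to that line), flags a login that succeeded only after a run of failures, and lists the ACS Stopped/Starting/Installing lifecycle events. The sample lines are constructed in the excerpt's format and the failure threshold is an assumed tuning value.

```python
import re
from collections import Counter
from pprint import pprint

# Sample lines constructed in the format of the ADE.log and MSGCAT excerpts above
# (hostnames, addresses and times are illustrative, not from a real system).
SAMPLE_LOG = """\
Sep 30 00:47:46 cd-acs5-13-179 sshd[20946]: Failed password for admin from 10.77.137.95 port 3953 ssh2
Sep 30 00:55:01 cd-acs5-13-179 sshd[21028]: Failed password for admin from 10.77.137.95 port 3962 ssh2
Sep 30 00:55:35 cd-acs5-13-179 last message repeated 5 times
Sep 30 00:55:39 cd-acs5-13-179 sshd[21028]: Accepted password for admin from 10.77.137.95 port 3962 ssh2
Sep 30 00:55:40 cd-acs5-13-179 debugd[2597]: successfully loaded debug config
Sep 30 02:48:54 cd-acs5-13-179 sshd[22500]: Accepted password for admin from 10.77.137.58 port 4527 ssh2
Sep 29 06:28:28 cd-acs5-13-103 MSGCAT58004/admin: ACS Stopped
Sep 29 09:53:29 cd-acs5-13-103 MSGCAT58004/admin: ACS Starting
"""

TS = r"\w{3} +\d+ \d\d:\d\d:\d\d"  # syslog timestamp, e.g. "Sep 30 00:55:39"
AUTH_RE = re.compile(
    rf"^(?P<ts>{TS}) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
# syslog collapses identical consecutive lines; the count applies to the line before it
REPEAT_RE = re.compile(rf"^{TS} \S+ last message repeated (?P<n>\d+) times$")
MSGCAT_RE = re.compile(rf"^(?P<ts>{TS}) \S+ (?P<code>MSGCAT\d+)(?:/\S+)?: (?P<text>.*)$")
LIFECYCLE = ("ACS Stopped", "ACS Starting", "Installing ACS")


def summarize_logs(text, fail_threshold=5):
    """Count failed/accepted SSH password logins per (source, user), flag a login
    that succeeded only after fail_threshold or more failures from that pair, and
    collect MSGCAT lifecycle events. fail_threshold is an assumed tuning value."""
    failed, accepted = Counter(), Counter()
    findings, lifecycle = [], []
    last = None  # (result, key) of the latest sshd auth line, for repeat lines
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            key = (m["src"], m["user"])
            if m["result"] == "Failed":
                failed[key] += 1
            else:
                accepted[key] += 1
                if failed[key] >= fail_threshold:
                    findings.append(f"{m['ts']}: {m['user']} from {m['src']} accepted "
                                    f"after {failed[key]} failures")
            last = (m["result"], key)
            continue
        m = REPEAT_RE.match(line)
        if m and last is not None:
            result, key = last
            (failed if result == "Failed" else accepted)[key] += int(m["n"])
            continue
        m = MSGCAT_RE.match(line)
        if m and m["text"].startswith(LIFECYCLE):
            lifecycle.append((m["ts"], m["code"], m["text"]))
        last = None  # any other line breaks the repeat chain
    return {"failed": dict(failed), "accepted": dict(accepted),
            "findings": findings, "lifecycle": lifecycle}


if __name__ == "__main__":
    pprint(summarize_logs(SAMPLE_LOG))
```

Feed it the output of `show logging system ade/ADE.log` to spot password-guessing against the CLI admin account and restarts that were not planned.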
#### Configuring Per-Instance Remote Syslog Targets

Use this page to configure remote syslog targets for logging categories.

1. Select System Administration > Configuration > Log Configuration > Logging Categories > Per-Instance, then click Configure.

   The Per-Instance: Configuration page appears as described in Table 25 on page 33.

2. Do one of the following actions:

   - Click the name of the logging category you want to configure.
   - Select the radio button associated with the name of the logging category you want to configure, and click Edit.

3. Click the Remote Syslog Target tab.

   The Per-Instance: Remote Syslog Targets page appears as described in Table 27 on page 34.

Table 27 Per-Instance: Remote Syslog Targets Page

| Option | Description |
|---|---|
| Configure Syslog Targets | |
| Available targets | List of available targets. You can select a target from this list and move it to the Selected Targets list. |
| Selected targets | List of selected targets. You can select a target from this list and move it to the Available Targets list to remove it from your configuration. |

#### Displaying Logging Categories

You can view a tree of configured logging categories for a specific ACS instance. In addition, you can configure a logging category's severity level, log target, and logged attributes for a specific ACS instance.

1. Select System Administration > Configuration > Log Configuration > Logging Categories > Per-Instance, then click Configure.
2. Complete the fields as described in Table 28 on page 34.

Table 28 Per-Instance: Configuration Page

| Option | Description |
|---|---|
| Name | Expandable tree structure of AAA services logging categories. |
| Edit | Click to display a selected Logging Categories > Edit: "lc_name" page, where lc_name is the name of the logging category. |

#### Configuring the Log Collector

Use the Log Collector page to select a log data collector and suspend or resume log data transmission.

1. Select System Administration > Configuration > Log Configuration > Log Collector.

   The Log Collector page appears.
2. Complete the Log Collector fields as described in Table 29 on page 35.
3. Do one of the following:

   - Click Suspend to suspend the log data transmission to the configured log collector.
   - Click Resume to resume the log data transmission to the configured log collector.

   Your configuration is saved and the Log Collector page is refreshed.

Table 29 Log Collector Page

| Option | Description |
|---|---|
| Log Data Collector | |
| Current Log Collector | Display only. Identifies the machine on which the local log messages are sent. |
| Select Log Collector | Use the drop-down list box to select the machine on which you want local log messages sent. |
| Set Log Collector | Click to configure the log collector according to the selection you make in the Select Log Collector option. |

#### Viewing the Log Message Catalog

Use the Log Message Catalog page to view all possible log messages.

Choose System Administration > Configuration > Log Configuration > Log Message Catalog. The Log Message Catalog page appears, with the fields described in Table 30 on page 35, from which you can view all possible log messages that can appear in your log files.

Table 30 Log Messages Page

| Option | Description |
|---|---|
| Message Code | Display only. A unique message code identification number associated with a message. |
| Severity | Display only. The severity level associated with a message. |
| Category | Display only. The logging category to which a message belongs. |
| Message Class | Display only. The group to which a message belongs. |
| Message Text | Display only. English language message text (name of the message). |
| Description | Display only. English language text that describes the associated message. |

#### Exporting Messages from the Log Message Catalog

ACS 5.7 provides the option to download syslog messages with message codes and descriptions in the form of a CSV file. When you export the syslog messages, the filtering option does not work: ACS exports all syslog messages that are available in the Log Message Catalog page. The progress bar is not displayed during the export operation. If the export operation fails, ACS does not prompt you to save the .csv file, or the file can be empty.

Use the Log Message Catalog page to export log messages.

1. Choose System Administration > Configuration > Log Configuration > Log Message Catalog.

   The Log Message Catalog page appears, with the fields described in Table 30 on page 35, from which you can view all possible log messages that can appear in your log files.

2. Click Export.

   ACS exports all syslog messages that are available in the Log Message Catalog page as a .csv file.

3. Specify a location and click Save.

   The .csv file is saved in the specified location.

### Licensing Overview

To operate ACS, you must install a valid license. ACS prompts you to install a valid base license when you first access the web interface. Each ACS instance (primary or secondary) in a distributed deployment requires a unique base license.

Note: Each server requires a unique base license in a distributed deployment.
#### Types of Licenses

Table 31 on page 37 shows the ACS 5.7 license support.

Related Topics

- Licensing Overview, page 36
- Installing a License File, page 38
- Viewing and Upgrading the Base Server License, page 38
- Adding Deployment License Files, page 41
- Deleting Deployment License Files, page 42

Table 31 ACS License Support

| License | Description |
|---|---|
| Base License | Required for all software instances deployed, as well as for all appliances. The base license enables you to use all the ACS functionality except license controlled features, and it enables all reporting features. The base license is: required for each ACS instance, primary and secondary; required for all appliances; supports deployments with up to 500 network devices (AAA clients). Base licenses are of two types: Permanent, which supports up to 500 network devices (AAA clients), and Eval, which supports up to 50 network devices and expires in 90 days. The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses and hence the number of devices is 256. If your evaluation license expires or is about to expire, you cannot use another evaluation license or extend your current license. Before your evaluation license expires, you must upgrade to a Permanent license. |
| Add-on Licenses | Supports an unlimited number of managed devices. Requires an existing ACS permanent base license. There are also evaluation-type licenses for add-on licenses. The Security Group Access feature licenses are of three types: Permanent, Eval, and NFR. However, the permanent Security Group Access feature license can be used only with a permanent base license. Also, the large deployment license can be used only with a permanent base license. |
| Evaluation License (standard) | Enables standard centralized reporting features. Cannot be reused on the same platform. You can only install one evaluation license per platform. You cannot install additional evaluation licenses. Supports 50 managed devices. Expires 90 days from the time the license is installed. |
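An added example (not from the Cisco guide) of the device-count rule in Table 31: every address covered by a network device's subnet mask counts against the license, so a /24 consumes 256 of the 500 (permanent) or 50 (eval) allowed. The sample entries are constructed, and treating overlapping entries as one set of unique addresses is an assumption read from the phrase "unique IP addresses" in the table.

```python
import ipaddress

# Limits from Table 31: Base (permanent) license 500 device IPs, Eval license 50.
# The Large Deployment add-on lifts the limit entirely (None = unlimited).
LICENSE_LIMITS = {"permanent": 500, "eval": 50, "large": None}

# Constructed Network Devices entries ("ip/mask" or a single ip); not from a real deployment.
SAMPLE_DEVICES = [
    "10.1.1.0/255.255.255.0",     # a /24 counts as 256 addresses, as the guide states
    "10.1.1.10",                  # already inside the /24 above, so not counted again
    "192.0.2.0/255.255.255.192",  # a /26: 64 addresses
]


def licensed_ip_count(network_devices):
    """Count the IPv4 addresses a list of network device entries consumes against
    the license: every address covered by an entry's subnet mask counts, and
    (assumption for this example, read from 'unique IP addresses' in Table 31)
    overlapping entries are counted once."""
    nets = [ipaddress.ip_network(d, strict=False) for d in network_devices]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


def license_check(network_devices, license_type="permanent"):
    """Return the consumed count, the limit for license_type and whether it fits."""
    limit = LICENSE_LIMITS[license_type]
    used = licensed_ip_count(network_devices)
    return {"used": used, "limit": limit, "within_limit": limit is None or used <= limit}


if __name__ == "__main__":
    for lic in ("permanent", "eval", "large"):
        print(lic, license_check(SAMPLE_DEVICES, lic))
```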
### Installing a License File

You can obtain a valid license file using the Product Activation Key (PAK) supplied with the product. To install a license file:

1. Log into the ACS web interface.

   The Initial Licenses page appears when you log in to the ACS machine for the first time.

2. Click Cisco Secure ACS License Registration.

   This link directs you to Cisco.com to purchase a valid license file from a Cisco representative.

3. Click Install to install the license file that you purchased.

   The ACS web interface login page reappears. You can now work with the ACS application.

Related Topics

- Licensing Overview, page 36
- Viewing and Upgrading the Base Server License, page 38
- Adding Deployment License Files, page 41
- Deleting Deployment License Files, page 42

#### Viewing and Upgrading the Base Server License

ACS 5.7 allows you to upgrade or modify a base license without performing the reset config operation. To view and upgrade the base license:

1. Select System Administration > Configuration > Licensing > Base Server License.

   The Base Server License page appears with a description of the ACS deployment configuration and a list of the available deployment licenses. See Types of Licenses, page 37 for a list of deployment licenses. Table 32 on page 38 describes the fields in the Base Server License page.

2. Select the radio button for the instance whose license you want to upgrade and click Upgrade/Modify.

   The Base Server License Edit page appears. The administrator can upgrade or modify a base license from the ACS 5.7 web interface without resetting the configuration.

3. Complete the fields as described in Table 33 on page 39.
4. Click Submit.

Table 32 Base Server License Page

| Option | Description |
|---|---|
| ACS Deployment Configuration | |
| Primary ACS Instance | Name of the primary instance created when you logged into the ACS 5.7 web interface. |
| Number of Instances | Current number of ACS instances (primary or secondary) in the ACS database. |
| Current Number of Configured IP Addresses in Network Devices | Total number of IP addresses in all the subnetworks that you have configured as part of network device configuration. The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses and hence the number of devices is 256. |
| Maximum Number of IP Addresses in Network Devices | Maximum number of IP addresses that your license supports. Base License: supports 500 IP addresses. The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses and hence the number of devices is 256. Large Deployment: supports an unlimited number of IP addresses. |
| Use this link to obtain a valid License File | Directs you to Cisco.com to generate a valid license file using the Product Activation Key (PAK). |
| Base License Configuration | |
| ACS Instance | Name of the ACS instance, either primary or secondary. |
| Identifier | Name of the base license. |
| License Type | Specifies the base license type (permanent, evaluation). |
| Expiration | Specifies the expiration date for evaluation licenses. For permanent licenses, the expiration field indicates permanent. |
| Licensed to | Name of the company that this product is licensed to. |
| PAK | Name of the Product Activation Key (PAK) received from Cisco. |
| Version | Current version of the ACS software. |

Table 33 Base Server License Edit Page

| Option | Description |
|---|---|
| ACS Instance License Configuration | |
| Version | Displays the current version of the ACS software. |
| ACS Instance | Displays the name of the ACS instance, either primary or secondary. |
| License Type | Specifies the license type. |
| Use this link to obtain a valid License File | Directs you to Cisco.com to purchase a valid license file from a Cisco representative. |
| License Location | |
| License File | Click Browse to navigate to the directory that contains the license file and select it. |
Related Topics

- Licensing Overview, page 36
- Types of Licenses, page 37
- Installing a License File, page 38
- Adding Deployment License Files, page 41
- Deleting Deployment License Files, page 42

### Viewing License Feature Options

You can add, upgrade, or delete existing deployment licenses. The configuration pane at the top of the page shows the deployment information.

Select System Administration > Configuration > Licensing > Feature Options. The Feature Options page appears as described in Table 34 on page 40.

Table 34 Feature Options Page

| Option | Description |
|---|---|
| ACS Deployment Configuration | |
| Primary ACS Instance | Name of the primary instance created when you log in to the ACS 5.7 web interface. |
| Number of Instances | Current number of ACS instances (primary or secondary) in the ACS database. |
| Current Number of Configured IP Addresses in Network Devices | Total number of IP addresses in all the subnetworks that you have configured as part of network device configuration. The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses and hence the number of devices is 256. |
| Maximum Number of IP Addresses in Network Devices | Maximum number of IP addresses that your license supports. Base License: supports 500 IP addresses. The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses and hence the number of devices is 256. Large Deployment: supports an unlimited number of IP addresses. |
| Use this link to obtain a valid License File | Directs you to Cisco.com to purchase a valid license file from a Cisco representative. |
| Installed Deployment License Options | |
| Feature | Large Deployment: supports an unlimited number of managed devices. Security Group Access Control: enables Cisco Trusted Server (SGA) management functionality. This requires an existing ACS base license. |
| Licensed to | Name of the company that this product is licensed to. |
| License Type | Specifies the license type (permanent, evaluation). |