Cisco Acs 5x User Guide
Contents
User Guide for Cisco Secure Access Control System 5.3, OL-24201-01

Deleting Policy Rules
Configuring Compound Conditions
Compound Condition Building Blocks
Types of Compound Conditions
Using the Compound Expression Builder
Security Group Access Control Pages
Egress Policy Matrix Page
Editing a Cell in the Egress Policy Matrix
Defining a Default Policy for Egress Policy Page
NDAC Policy Page
NDAC Policy Properties Page
Network Device Access EAP-FAST Settings Page
Maximum User Sessions
Max Session User Settings
Max Session Group Settings
Max Session Global Setting
Purging User Sessions
Maximum User Session in Distributed Environment
Maximum User Session in Proxy Scenario

CHAPTER 11 Monitoring and Reporting in ACS
Authentication Records and Details
Dashboard Pages
Working with Portlets
Working with Authentication Lookup Portlet
Running Authentication Lookup Report
Configuring Tabs in the Dashboard
Adding Tabs to the Dashboard
Adding Applications to Tabs
Renaming Tabs in the Dashboard
Changing the Dashboard Layout
Deleting Tabs from the Dashboard

CHAPTER 12 Managing Alarms
Understanding Alarms
Evaluating Alarm Thresholds
Notifying Users of Events
Viewing and Editing Alarms in Your Inbox
Understanding Alarm Schedules
Creating and Editing Alarm Schedules
Assigning Alarm Schedules to Thresholds
Deleting Alarm Schedules
Creating, Editing, and Duplicating Alarm Thresholds
Configuring General Threshold Information
Configuring Threshold Criteria
Passed Authentications
Failed Authentications
Authentication Inactivity
TACACS Command Accounting
TACACS Command Authorization
ACS Configuration Changes
ACS System Diagnostics
ACS Process Status
ACS System Health
ACS AAA Health
RADIUS Sessions
Unknown NAD
External DB Unavailable
RBACL Drops
NAD-Reported AAA Downtime
Configuring Threshold Notifications
Deleting Alarm Thresholds
Configuring System Alarm Settings
Understanding Alarm Syslog Targets
Creating and Editing Alarm Syslog Targets
Deleting Alarm Syslog Targets

CHAPTER 13 Managing Reports
Working with Favorite Reports
Adding Reports to Your Favorites Page
Viewing Favorite-Report Parameters
Editing Favorite Reports
Running Favorite Reports
Deleting Reports from Favorites
Sharing Reports
Working with Catalog Reports
Available Reports in the Catalog
Running Catalog Reports
Deleting Catalog Reports
Running Named Reports
Understanding the Report_Name Page
Enabling RADIUS CoA Options on a Device
Changing Authorization and Disconnecting Active RADIUS Sessions
Customizing Reports
Restoring Reports
Viewing Reports
About Standard Viewer
About Interactive Viewer
About Interactive Viewer’s Context Menus
Navigating Reports
Using the Table of Contents
Exporting Report Data
Printing Reports
Saving Report Designs in Interactive Viewer
Formatting Reports in Interactive Viewer
Editing Labels
Formatting Labels
Formatting Data
Resizing Columns
Changing Column Data Alignment
Formatting Data in Columns
Formatting Data in Aggregate Rows
Formatting Data Types
Formatting Numeric Data
Formatting Fixed or Scientific Numbers or Percentages
Formatting Custom Numeric Data
Formatting String Data
Formatting Custom String Data
Formatting Date and Time
Formatting Custom Date and Time
Formatting Boolean Data
Applying Conditional Formats
Setting Conditional Formatting for Columns
Deleting Conditional Formatting
Setting and Removing Page Breaks in Detail Columns
Setting and Removing Page Breaks in a Group Column
Organizing Report Data
Displaying and Organizing Report Data
Reordering Columns in Interactive Viewer
Removing Columns
Hiding or Displaying Report Items
Hiding Columns
Displaying Hidden Columns
Merging Columns
Selecting a Column from a Merged Column
Sorting Data
Sorting a Single Column
Sorting Multiple Columns
Grouping Data
Adding Groups
Grouping Data Based on Date or Time
Removing an Inner Group
Creating Report Calculations
Understanding Supported Calculation Functions
Understanding Supported Operators
Using Numbers and Dates in an Expression
Using Multiply Values in Calculated Columns
Adding Days to an Existing Date Value
Subtracting Date Values in a Calculated Column
Working with Aggregate Data
Creating an Aggregate Data Row
Adding Additional Aggregate Rows
Deleting Aggregate Rows
Hiding and Filtering Report Data
Hiding or Displaying Column Data
Displaying Repeated Values
Hiding or Displaying Detail Rows in Groups or Sections
Working with Filters
Types of Filter Conditions
Setting Filter Values
Creating Filters
Modifying or Clearing a Filter
Creating a Filter with Multiple Conditions
Deleting One Filter Condition in a Filter that Contains Multiple Conditions
Filtering Highest or Lowest Values in Columns
Understanding Charts
Modifying Charts
Filtering Chart Data
Changing Chart Subtype
Changing Chart Formatting

CHAPTER 14 Troubleshooting ACS with the Monitoring & Report Viewer
Available Diagnostic and Troubleshooting Tools
Connectivity Tests
ACS Support Bundle
Expert Troubleshooter
Performing Connectivity Tests
Downloading ACS Support Bundles for Diagnostic Information
Working with Expert Troubleshooter
Troubleshooting RADIUS Authentications
Executing the Show Command on a Network Device
Evaluating the Configuration of a Network Device
Comparing SGACL Policy Between a Network Device and ACS
Comparing the SXP-IP Mappings Between a Device and its Peers
Comparing IP-SGT Pairs on a Device with ACS-Assigned SGT Records
Comparing Device SGT with ACS-Assigned Device SGT

CHAPTER 15 Managing System Operations and Configuration in the Monitoring & Report Viewer
Configuring Data Purging and Incremental Backup
Configuring NFS Staging
Restoring Data from a Backup
Viewing Log Collections
Log Collection Details Page
Recovering Log Messages
Viewing Scheduled Jobs
Viewing Process Status
Viewing Data Upgrade Status
Viewing Failure Reasons
Editing Failure Reasons
Specifying E-Mail Settings
Configuring SNMP Preferences
Understanding Collection Filters
Creating and Editing Collection Filters
Deleting Collection Filters
Configuring System Alarm Settings
Configuring Alarm Syslog Targets
Configuring Remote Database Settings

CHAPTER 16 Managing System Administrators
Understanding Administrator Roles and Accounts
Understanding Authentication
Configuring System Administrators and Accounts
Understanding Roles
Permissions
Predefined Roles
Changing Role Associations
Administrator Accounts and Role Association
Creating, Duplicating, Editing, and Deleting Administrator Accounts
Viewing Predefined Roles
Viewing Role Properties
Configuring Authentication Settings for Administrators
Configuring Session Idle Timeout
Configuring Administrator Access Settings
Resetting the Administrator Password
Changing the Administrator Password
Changing Your Own Administrator Password
Resetting Another Administrator’s Password

CHAPTER 17 Configuring System Operations
Understanding Distributed Deployment
Activating Secondary Servers
Removing Secondary Servers
Promoting a Secondary Server
Understanding Local Mode
Understanding Full Replication
Specifying a Hardware Replacement
Scheduled Backups
Creating, Duplicating, and Editing Scheduled Backups
Backing Up Primary and Secondary Instances
Synchronizing Primary and Secondary Instances After Backup and Restore
Editing Instances
Viewing and Editing a Primary Instance
Viewing and Editing a Secondary Instance
Deleting a Secondary Instance
Activating a Secondary Instance
Registering a Secondary Instance to a Primary Instance
Deregistering Secondary Instances from the Distributed System Management Page
Deregistering a Secondary Instance from the Deployment Operations Page
Promoting a Secondary Instance from the Distributed System Management Page
Promoting a Secondary Instance from the Deployment Operations Page
Replicating a Secondary Instance from a Primary Instance
Replicating a Secondary Instance from the Distributed System Management Page
Replicating a Secondary Instance from the Deployment Operations Page
Changing the IP address of a Primary Instance from the Primary Server
Failover
Using the Deployment Operations Page to Create a Local Mode Instance
Creating, Duplicating, Editing, and Deleting Software Repositories
Managing Software Repositories from the Web Interface and CLI

CHAPTER 18 Managing System Administration Configurations
Configuring Global System Options
Configuring TACACS+ Settings
Configuring EAP-TLS Settings
Configuring PEAP Settings
Configuring EAP-FAST Settings
Generating EAP-FAST PAC
Configuring RSA SecurID Prompts
Managing Dictionaries
Viewing RADIUS and TACACS+ Attributes
Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes
Creating, Duplicating, and Editing RADIUS Vendor-Specific Subattributes
Viewing RADIUS Vendor-Specific Subattributes
Configuring Identity Dictionaries
Creating, Duplicating, and Editing an Internal User Identity Attribute
Configuring Internal Identity Attributes
Deleting an Internal User Identity Attribute
Creating, Duplicating, and Editing an Internal Host Identity Attribute
Deleting an Internal Host Identity Attribute
Adding Static IP address to Users in Internal Identity Store
Configuring Local Server Certificates
Adding Local Server Certificates
Importing Server Certificates and Associating Certificates to Protocols
Generating Self-Signed Certificates
Generating a Certificate Signing Request
Binding CA Signed Certificates
Editing and Renewing Certificates
Deleting Certificates
Exporting Certificates
Viewing Outstanding Signing Requests
Configuring Logs
Configuring Remote Log Targets
Deleting a Remote Log Target
Configuring the Local Log
Deleting Local Log Data
Configuring Logging Categories
Configuring Global Logging Categories
Configuring Per-Instance Logging Categories
Configuring Per-Instance Security and Log Settings
Configuring Per-Instance Remote Syslog Targets
Displaying Logging Categories
Configuring the Log Collector
Viewing the Log Message Catalog
Licensing Overview
Types of Licenses
Installing a License File
Viewing the Base License
Upgrading the Base Server License
Viewing License Feature Options
Adding Deployment License Files
Deleting Deployment License Files
Available Downloads
Downloading Migration Utility Files
Downloading UCP Web Service Files
Downloading Sample Python Scripts
Downloading Rest Services

CHAPTER 19 Understanding Logging
About Logging
Using Log Targets
Logging Categories
Global and Per-Instance Logging Categories
Log Message Severity Levels
Local Store Target
Critical Log Target
Remote Syslog Server Target
Monitoring and Reports Server Target
Viewing Log Messages
Debug Logs
ACS 4.x Versus ACS 5.3 Logging

APPENDIX A AAA Protocols
Typical Use Cases
Device Administration (TACACS+)
Session Access Requests (Device Administration [TACACS+])
Command Authorization Requests
Network Access (RADIUS With and Without EAP)
RADIUS-Based Flow Without EAP Authentication
RADIUS-Based Flows with EAP Authentication
Access Protocols—TACACS+ and RADIUS
Overview of TACACS+
Overview of RADIUS
RADIUS VSAs
ACS 5.3 as the AAA Server
RADIUS Attribute Support in ACS 5.3
RADIUS Access Requests

APPENDIX B Authentication in ACS 5.3
Authentication Considerations
Authentication and User Databases
PAP
RADIUS PAP Authentication
EAP
EAP-MD5
Overview of EAP-MD5
EAP-MD5 Flow in ACS 5.3
EAP-TLS
Overview of EAP-TLS
User Certificate Authentication
PKI Authentication
PKI Credentials
PKI Usage
Fixed Management Certificates
Importing Trust Certificates
Acquiring Local Certificates
Importing the ACS Server Certificate
Initial Self-Signed Certificate Generation
Certificate Generation
Exporting Credentials
Credentials Distribution
Hardware Replacement and Certificates
Securing the Cryptographic Sensitive Material
Private Keys and Passwords Backup
EAP-TLS Flow in ACS 5.3
PEAPv0/1
Overview of PEAP
Supported PEAP Features
PEAP Flow in ACS 5.3
Creating the TLS Tunnel
Authenticating with MSCHAPv2
EAP-FAST
Overview of EAP-FAST
EAP-FAST Benefits
EAP-FAST in ACS 5.3
About Master-Keys
About PACs
Provisioning Modes
Types of PACs
ACS-Supported Features for PACs
Master Key Generation and PAC TTLs
EAP-FAST for Allow TLS Renegotiation
EAP-FAST Flow in ACS 5.3
EAP-FAST PAC Management
Key Distribution Algorithm
EAP-FAST PAC-Opaque Packing and Unpacking
Revocation Method
PAC Migration from ACS 4.x