Cisco Acs 5x User Guide

    User Guide for Cisco Secure Access Control System 5.3
    OL-24201-01
    Chapter 12      Managing Alarms
      Creating, Editing, and Duplicating Alarm Thresholds

    Table 12-16 ACS System Diagnostics
    Option                  Description
    Severity at and above   Use the drop-down list box to choose the severity level on which you want to configure your threshold. This setting captures the indicated severity level and those that are higher within the threshold. Valid options are:
                            - Fatal
                            - Error
                            - Warning
                            - Info
                            - Debug
    Message Text            Enter the message text on which you want to configure your threshold. Maximum character limit is 1024.
    Filter
    ACS Instance            Click Select to choose a valid ACS instance on which to configure your threshold.

    Related Topics
    Creating, Editing, and Duplicating Alarm Thresholds, page 12-11
    Configuring General Threshold Information, page 12-13
    Configuring Threshold Notifications, page 12-32

    ACS Process Status
    When ACS evaluates this threshold, it examines the accounting records that it received during the interval between the previous and current alarm evaluation cycle.
    If one or more accounting records match, it calculates the time that has lapsed since the previous alarm evaluation cycle. When it reaches two, three, or five minutes depending on the number of active thresholds, ACS determines whether any ACS process has failed during that time.
    If ACS detects one or more failures, an alarm is triggered. You can limit the check to particular processes or a particular ACS instance or both.
    Choose this category to define threshold criteria based on ACS process status. Modify the fields in the Criteria tab as described in Table 12-17.

    Table 12-17 ACS Process Status
    Option                                   Description
    Monitor Processes
    ACS Database                             Check the check box to add the ACS database to your threshold configuration.
    ACS Management                           Check the check box to add the ACS management to your threshold configuration.
    ACS Runtime                              Check the check box to add the ACS runtime to your threshold configuration.
    Monitoring and Reporting Database        Check the check box to have this process monitored. If this process goes down, an alarm is generated.
    						
    Table 12-17 ACS Process Status (continued)
    Option                                   Description
    Monitoring and Reporting Collector       Check the check box to have this process monitored. If this process goes down, an alarm is generated.
    Monitoring and Reporting Alarm Manager   Check the check box to have this process monitored. If this process goes down, an alarm is generated.
    Monitoring and Reporting Job Manager     Check the check box to have this process monitored. If this process goes down, an alarm is generated.
    Monitoring and Reporting Log Processor   Check the check box to have this process monitored. If this process goes down, an alarm is generated.
    Filter
    ACS Instance                             Click Select to choose a valid ACS instance on which to configure your threshold.

    Related Topics
    Creating, Editing, and Duplicating Alarm Thresholds, page 12-11
    Configuring General Threshold Information, page 12-13
    Configuring Threshold Notifications, page 12-32

    ACS System Health
    When ACS evaluates this threshold, it examines whether any system health parameters have exceeded the specified threshold in the specified time interval up to the previous 60 minutes. These health parameters include percentage of CPU utilization, percentage of memory consumption, and so on.
    If any of the parameters exceed the specified threshold, an alarm is triggered. By default, the threshold applies to all ACS instances in your deployment. If you want, you can limit the check to just a single ACS instance.
    Choose this category to define threshold criteria based on the system health of ACS. Modify the fields in the Criteria tab as described in Table 12-18.

    Table 12-18 ACS System Health
    Option                       Description
    Average over the past        Use the drop-down list box to select the amount of time you want to configure for your configuration, where  is minutes and can be:
                                 - 15
                                 - 30
                                 - 45
                                 - 60
    CPU                          Enter the percentage of CPU usage you want to set for your threshold configuration. The valid range is from 1 to 100.
    Memory                       Enter the percentage of memory usage (greater than or equal to the specified value) for your threshold configuration. The valid range is from 1 to 100.
    						
    Table 12-18 ACS System Health (continued)
    Option                       Description
    Disk I/O                     Enter the percentage of disk usage you want to set (greater than or equal to the specified value) for your threshold configuration. The valid range is from 1 to 100.
    Disk Space Used/opt          Enter the percentage of /opt disk space usage you want to set (greater than or equal to the specified value) for your threshold configuration. The valid range is from 1 to 100.
    Disk Space Used/local disk   Enter the percentage of local disk space usage you want to set (greater than or equal to the specified value) for your threshold configuration. The valid range is from 1 to 100.
    Disk Space Used/             Enter the percentage of the / disk space usage you want to set (greater than or equal to the specified value) for your threshold configuration. The valid range is from 1 to 100.
    Disk Space Used/tmp          Enter the percentage of temporary disk space usage you want to set (greater than or equal to the specified value) for your threshold configuration. The valid range is from 1 to 100.
    Filter
    ACS Instance                 Click Select to choose a valid ACS instance on which to configure your threshold.

    Related Topics
    Creating, Editing, and Duplicating Alarm Thresholds, page 12-11
    Configuring General Threshold Information, page 12-13
    Configuring Threshold Notifications, page 12-32

    ACS AAA Health
    When ACS evaluates this threshold, it examines whether any ACS health parameters have exceeded the specified threshold in the specified time interval up to the previous 60 minutes. ACS monitors the following parameters:
        - RADIUS Throughput
        - TACACS Throughput
        - RADIUS Latency
        - TACACS Latency
    If any of the parameters exceed the specified threshold, an alarm is triggered. By default, the threshold applies to all monitored ACS instances in your deployment. If you want, you can limit the check to just a single ACS instance.
    Modify the fields in the Criteria tab as described in Table 12-19.
    						
    Table 12-19 ACS AAA Health
    Option                  Description
    Average over the past   Use the drop-down list box to select the amount of time you want to configure for your configuration, where  is minutes and can be:
                            - 15
                            - 30
                            - 45
                            - 60
    RADIUS Throughput       Enter the number of RADIUS transactions per second you want to set (less than or equal to the specified value) for your threshold configuration. The valid range is from 1 to 999999.
    TACACS Throughput       Enter the number of TACACS+ transactions per second you want to set (less than or equal to the specified value) for your threshold configuration. The valid range is from 1 to 999999.
    RADIUS Latency          Enter the number in milliseconds you want to set for RADIUS latency (greater than or equal to the specified value) for your threshold configuration. The valid range is from 1 to 999999.
    TACACS Latency          Enter the number in milliseconds you want to set for TACACS+ latency (greater than or equal to the specified value) for your threshold configuration. The valid range is from 1 to 999999.
    Filter
    ACS Instance            Click Select to choose a valid ACS instance on which to configure your threshold.

    Related Topics
    Creating, Editing, and Duplicating Alarm Thresholds, page 12-11
    Configuring General Threshold Information, page 12-13
    Configuring Threshold Notifications, page 12-32

    RADIUS Sessions
    When ACS evaluates this threshold, it determines whether any authenticated RADIUS sessions have occurred in the past 15 minutes where an accounting start event has not been received for the session. These events are grouped by device IP address, and if the count of occurrences for any device IP exceeds the specified threshold, an alarm is triggered. You can set a filter to limit the evaluation to a single device IP.
    Choose this category to define threshold criteria based on RADIUS sessions. Modify the fields in the Criteria tab as described in Table 12-20.
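
The RADIUS Sessions check described above, as an added Python example (not Cisco code and not ACS output). It assumes a session is matched to its accounting start event by device IP and session ID, which the guide does not specify; the function name, field names and sample records are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # this threshold always looks at the past 15 minutes


def sessions_missing_acct_start(auth_events, acct_starts, now, num, device_ip=None):
    """Return {device_ip: count} for devices with more than `num` authenticated
    sessions in the past 15 minutes that have no accounting start event.

    Assumption: a session is identified by (device_ip, session_id).
    device_ip, if given, limits the evaluation to that single device.
    """
    started = {(a["device_ip"], a["session_id"]) for a in acct_starts}
    counts = Counter()
    for ev in auth_events:
        if not ev["passed"]:
            continue                      # failed authentication, not a session
        if not now - WINDOW <= ev["time"] <= now:
            continue                      # outside the 15-minute window
        if device_ip is not None and ev["device_ip"] != device_ip:
            continue                      # Device IP filter
        if (ev["device_ip"], ev["session_id"]) in started:
            continue                      # accounting start was received
        counts[ev["device_ip"]] += 1
    # "exceeds the specified threshold": strictly greater than num
    return {ip: n for ip, n in counts.items() if n > num}


# Constructed sample data; addresses are from the documentation range.
NOW = datetime(2024, 1, 1, 12, 0, 0)


def auth(minutes_ago, device_ip, session_id, passed=True):
    return {"time": NOW - timedelta(minutes=minutes_ago), "device_ip": device_ip,
            "session_id": session_id, "passed": passed}


AUTH_EVENTS = [
    auth(1, "192.0.2.10", "s1"), auth(4, "192.0.2.10", "s2"),
    auth(8, "192.0.2.10", "s3"), auth(14, "192.0.2.10", "s4"),
    auth(3, "192.0.2.20", "s1"), auth(6, "192.0.2.20", "s2"),
    auth(20, "192.0.2.30", "s1"),                 # older than 15 minutes
    auth(2, "192.0.2.30", "s2", passed=False),    # authentication failed
]
# Session IDs repeat across devices, so the device IP is part of the key.
ACCT_STARTS = [
    {"device_ip": "192.0.2.10", "session_id": "s1"},
    {"device_ip": "192.0.2.20", "session_id": "s1"},
    {"device_ip": "192.0.2.20", "session_id": "s2"},
]

if __name__ == "__main__":
    # "More than 2 authenticated sessions ... for a Device IP"
    print(sessions_missing_acct_start(AUTH_EVENTS, ACCT_STARTS, NOW, 2))
```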
    						
    Table 12-20 RADIUS Sessions
    Option         Description
    More than num authenticated sessions in the past 15 minutes, where accounting start event has not been received for a Device IP
                   num: A count of authenticated sessions in the past 15 minutes.
    Filter
    ACS Instance   Click Select to choose a valid ACS instance on which to configure your threshold.
    Device IP      Click Select to choose or enter a valid device IP address on which to configure your threshold.

    Unknown NAD
    When ACS evaluates this threshold, it examines the RADIUS or TACACS+ failed authentications that have occurred during the specified time interval up to the previous 24 hours. From these failed authentications, ACS identifies those with the failure reason Unknown NAD.
    The unknown network access device (NAD) authentication records are grouped by a common attribute, such as ACS instance, user, and so on, and a count of the records within each of those groups is computed. If the count of records for any group exceeds the specified threshold, an alarm is triggered. This can happen if, for example, you configure a threshold as follows:
        Unknown NAD count greater than 5 in the past 1 hour for a Device IP
    If in the past hour, failed authentications with an unknown NAD failure reason have occurred for two different device IP addresses as shown in the following table, an alarm is triggered, because at least one device IP address has a count greater than 5.
    Device IP   Count of Unknown NAD Authentication Records
    a.b.c.d     6
    e.f.g.h     1
    You can specify one or more filters to limit the failed authentications that are considered for threshold evaluation. Each filter is associated with a particular attribute in the records and only those records that match the filter condition are counted. If you specify multiple filter values, only the records that match all the filter conditions are counted.
    Choose this category to define threshold criteria based on authentications that have failed because of an unknown NAD. Modify the fields in the Criteria tab as described in Table 12-21.
    						
    Table 12-21 Unknown NAD
    Option         Description
    Unknown NAD count greater than num in the past time Minutes|Hours for a object, where:
        - num values can be any five-digit number greater than or equal to zero (0).
        - time values can be 1 to 1440 minutes, or 1 to 24 hours.
        - Minutes|Hours value can be Minutes or Hours.
        - object values can be:
            - ACS Instance
            - Device IP
    Filter
    ACS Instance   Click Select to choose a valid ACS instance on which to configure your threshold.
    Device IP      Click Select to choose or enter a valid device IP address on which to configure your threshold.
    Protocol       Use the drop-down list box to configure the protocol that you want to use for your threshold. Valid options are:
                   - RADIUS
                   - TACACS+

    Related Topics
    Creating, Editing, and Duplicating Alarm Thresholds, page 12-11
    Configuring General Threshold Information, page 12-13
    Configuring Threshold Notifications, page 12-32

    External DB Unavailable
    When ACS evaluates this threshold, it examines the RADIUS or TACACS+ failed authentications that have occurred during the specified interval up to the previous 24 hours.
    From these failed authentications, ACS identifies those with the failure reason, External DB unavailable. Authentication records with this failure reason are grouped by a common attribute, such as ACS instance, user, and so on, and a count of the records within each of those groups is computed.
    If the count of records for any group exceeds the specified threshold, an alarm is triggered. This can happen if, for example, you configure a threshold as follows:
        External DB Unavailable count greater than 5 in the past one hour for a Device IP
    If in the past hour, failed authentications with an External DB Unavailable failure reason have occurred for two different device IP addresses as shown in the following table, an alarm is triggered, because at least one device IP address has a count greater than 5.
    Device IP   Count of External DB Unavailable Authentication Records
    a.b.c.d     6
    e.f.g.h     1
    						
    You can specify one or more filters to limit the failed authentications that are considered for threshold evaluation. Each filter is associated with a particular attribute in the records and only those records that match the filter condition are counted. If you specify multiple filter values, only the records that match all the filter conditions are counted.
    Choose this category to define threshold criteria based on an external database that ACS is unable to connect to. Modify the fields in the Criteria tab as described in Table 12-22.

    Table 12-22 External DB Unavailable
    Option           Description
    External DB Unavailable percent|count greater than num in the past time Minutes|Hours for a object, where:
        - Percent|Count value can be Percent or Count.
        - num values can be any one of the following:
            - 0 to 99 for percent
            - 0 to 99999 for count
        - time values can be 1 to 1440 minutes, or 1 to 24 hours.
        - Minutes|Hours value can be Minutes or Hours.
        - object values can be:
            - ACS Instance
            - Identity Store
    Filter
    ACS Instance     Click Select to choose a valid ACS instance on which to configure your threshold.
    Identity Group   Click Select to choose a valid identity group name on which to configure your threshold.
    Identity Store   Click Select to choose a valid identity store name on which to configure your threshold.
    Access Service   Click Select to choose a valid access service name on which to configure your threshold.
    Protocol         Use the drop-down list box to configure the protocol that you want to use for your threshold. Valid options are:
                     - RADIUS
                     - TACACS+

    Related Topics
    Creating, Editing, and Duplicating Alarm Thresholds, page 12-11
    Configuring General Threshold Information, page 12-13
    Configuring Threshold Notifications, page 12-32

    RBACL Drops
    When ACS evaluates this threshold, it examines Cisco Security Group Access RBACL drops that occurred during the specified interval up to the previous 24 hours. The RBACL drop records are grouped by a particular common attribute, such as NAD, SGT, and so on.
    A count of such records within each of those groups is computed. If the count for any group exceeds the specified threshold, an alarm is triggered. For example, consider the following threshold configuration:
        RBACL Drops greater than 10 in the past 4 hours by a SGT.
    						
    If, in the past four hours, RBACL drops have occurred for two different source group tags as shown in the following table, an alarm is triggered, because at least one SGT has a count greater than 10.
    SGT Count of RBACL Drops
    117
    314
    You can specify one or more filters to limit the RBACL drop records that are considered for threshold evaluation. Each filter is associated with a particular attribute in the RBACL drop records and only those records that match the filter condition are counted. If you specify multiple filter values, only the records that match all the filter conditions are counted.
    Modify the fields in the Criteria tab as described in Table 12-23.

    Table 12-23 RBACL Drops
    Option           Description
    RBACL drops greater than num in the past time Minutes|Hours by a object, where:
        - num values can be any five-digit number greater than or equal to zero (0).
        - time values can be 1 to 1440 minutes, or 1 to 24 hours.
        - Minutes|Hours value can be Minutes or Hours.
        - object values can be:
            - NAD
            - SGT
            - DGT
            - DST_IP
    Filter
    Device IP        Click Select to choose or enter a valid device IP address on which to configure your threshold.
    SGT              Click Select to choose or enter a valid source group tag on which to configure your threshold.
    DGT              Click Select to choose or enter a valid destination group tag on which to configure your threshold.
    Destination IP   Click Select to choose or enter a valid destination IP address on which to configure your threshold.

    Related Topics
    Creating, Editing, and Duplicating Alarm Thresholds, page 12-11
    Configuring General Threshold Information, page 12-13
    Configuring Threshold Notifications, page 12-32
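
The grouped-count evaluation described above for the Unknown NAD, External DB Unavailable and RBACL Drops thresholds, written out in Python. This is an added example, not Cisco code or ACS output; the function name, the record field names (time, device_ip, failure_reason, protocol) and the sample addresses are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta


def evaluate_count_threshold(records, now, window, group_by, num,
                             failure_reason=None, filters=None):
    """Return {group: count} for each group whose count is greater than num.

    records        iterable of dicts with a 'time' key (datetime) plus attributes
    window         look-back period ending at `now` (1 minute to 24 hours)
    group_by       attribute used to group the records, e.g. 'device_ip'
    failure_reason keep only records with this failure reason, if given
    filters        {attribute: value}; a record must match all of them
    """
    if not timedelta(minutes=1) <= window <= timedelta(hours=24):
        raise ValueError("time must be 1 to 1440 minutes (1 to 24 hours)")
    if not 0 <= num <= 99999:
        raise ValueError("num must be between 0 and 99999")
    filters = filters or {}
    start = now - window
    counts = Counter()
    for rec in records:
        if not start <= rec["time"] <= now:
            continue                      # outside the evaluation window
        if failure_reason is not None and rec.get("failure_reason") != failure_reason:
            continue                      # a different failure reason
        if any(rec.get(attr) != value for attr, value in filters.items()):
            continue                      # multiple filters are ANDed together
        if rec.get(group_by) is not None:
            counts[rec[group_by]] += 1
    # "exceeds the specified threshold": strictly greater than num
    return {group: n for group, n in counts.items() if n > num}


# Constructed sample data (not real ACS records).
NOW = datetime(2024, 1, 1, 12, 0, 0)


def make_record(minutes_ago, device_ip, reason="Unknown NAD", protocol="RADIUS"):
    return {"time": NOW - timedelta(minutes=minutes_ago), "device_ip": device_ip,
            "failure_reason": reason, "protocol": protocol}


SAMPLE = (
    [make_record(m, "192.0.2.10") for m in (2, 9, 15, 27, 41, 55)]  # 6 in the past hour
    + [make_record(30, "192.0.2.20")]                               # 1 in the past hour
    + [make_record(75, "192.0.2.20")]                               # older than 1 hour
    + [make_record(5, "192.0.2.20", reason="External DB unavailable")]
    + [make_record(m, "192.0.2.30", protocol="TACACS+") for m in range(1, 8)]  # 7 records
)

if __name__ == "__main__":
    hour = timedelta(hours=1)
    # "Unknown NAD count greater than 5 in the past 1 hour for a Device IP"
    print(evaluate_count_threshold(SAMPLE, NOW, hour, "device_ip", 5, "Unknown NAD"))
    # Same threshold with a Protocol filter: only RADIUS records are counted
    print(evaluate_count_threshold(SAMPLE, NOW, hour, "device_ip", 5, "Unknown NAD",
                                   {"protocol": "RADIUS"}))
```

A count equal to the configured number does not raise the alarm: with the RADIUS filter and a threshold of 6, the device with exactly six records is not reported.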
    						
    NAD-Reported AAA Downtime
    When ACS evaluates this threshold, it examines the NAD-reported AAA down events that occurred during the specified interval up to the previous 24 hours. The AAA down records are grouped by a particular common attribute, such as device IP address or device group, and a count of records within each of those groups is computed.
    If the count for any group exceeds the specified threshold, an alarm is triggered. For example, consider the following threshold configuration:
        AAA Down count greater than 10 in the past 4 hours by a Device IP
    If, in the past four hours, NAD-reported AAA down events have occurred for three different device IP addresses as shown in the following table, an alarm is triggered, because at least one device IP address has a count greater than 10.
    Device IP   Count of NAD-Reported AAA Down Events
    a.b.c.d     15
    e.f.g.h     3
    i.j.k.l     9
    You can specify one or more filters to limit the AAA down records that are considered for threshold evaluation. Each filter is associated with a particular attribute in the AAA down records and only those records that match the filter condition are counted. If you specify multiple filter values, only the records that match all the filter conditions are counted.
    Choose this category to define threshold criteria based on the AAA downtime that a network access device reports. Modify the fields in the Criteria tab as described in Table 12-24.

    Table 12-24 NAD-Reported AAA Downtime
    Option         Description
    AAA down greater than num in the past time Minutes|Hours by a object, where:
        - num values can be any five-digit number greater than or equal to zero (0).
        - time values can be 1 to 1440 minutes, or 1 to 24 hours.
        - Minutes|Hours value can be Minutes or Hours.
        - object values can be:
            - Device IP
            - Device Group
    						
    Table 12-24 NAD-Reported AAA Downtime (continued)
    Option         Description
    Filter
    ACS Instance   Click Select to choose a valid ACS instance on which to configure your threshold.
    Device IP      Click Select to choose or enter a valid device IP address on which to configure your threshold.
    Device Group   Click Select to choose a valid device group name on which to configure your threshold.

    Related Topics
    Creating, Editing, and Duplicating Alarm Thresholds, page 12-11
    Configuring General Threshold Information, page 12-13
    Configuring Threshold Notifications, page 12-32

    Configuring Threshold Notifications
    Use this page to configure alarm threshold notifications.
    Step 1 Select Monitoring and Reports > Alarms > Thresholds, then do one of the following:
        - Click Create to create a new alarm threshold.
        - Click the name of an alarm threshold, or check the check box next to an existing alarm threshold and click Edit to edit a selected alarm threshold.
        - Click the name of an alarm threshold, or check the check box next to an existing alarm threshold and click Duplicate to duplicate a selected alarm threshold.
    Step 2 Click the Notifications tab.
    The Thresholds: Notifications page appears as described in Table 12-25:

    Table 12-25 Thresholds: Notifications Page
    Option                         Description
    Severity                       Use the drop-down list box to select the severity level for your alarm threshold. Valid options are:
                                   - Critical
                                   - Warning
                                   - Info
    Send Duplicate Notifications   Check the check box to be notified of duplicate alarms. An alarm is considered a duplicate if a previously generated alarm for the same threshold occurred within the time window specified for the current alarm.
    						