Cisco ACS 5.x User Guide
User Guide for Cisco Secure Access Control System 5.3, OL-24201-01
Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer
Working with Expert Troubleshooter

Step 10  Click Done to return to the Expert Troubleshooter.

The Monitoring & Report Viewer provides you with the diagnosis, the steps to resolve the problem, and a troubleshooting summary to help you resolve the problem.

Note  You can also launch the RADIUS authentication troubleshooter from the RADIUS authentication report pages. You must drill down to the details page of a particular RADIUS authentication to launch this diagnostic tool.

Table 14-6 Results Summary Page

  Diagnosis and Resolution
    Diagnosis      The diagnosis for the problem is listed here.
    Resolution     The steps for resolution of the problem are detailed here.
  Troubleshooting Summary
    Summary        A step-by-step summary of troubleshooting information is provided here. You can expand any step to view further details. Any configuration errors are indicated by red text.

Related Topics
  Available Diagnostic and Troubleshooting Tools, page 14-1
  Connectivity Tests, page 14-1
  ACS Support Bundle, page 14-1
  Expert Troubleshooter, page 14-2

Executing the Show Command on a Network Device

The Execute Network Device Command diagnostic tool allows you to run any show command on a network device from the ACS web interface. The result of the show command is precisely what you would see on a console and can be used to identify problems in the device configuration.

To run a show command on any network device:

Step 1  Choose Monitoring and Reports > Troubleshooting > Expert Troubleshooter.
Step 2  Select Execute Network Device Command from the list of troubleshooting tools.
        The Expert Troubleshooter page is refreshed and lists the fields described in Table 14-7.

Table 14-7 Execute Show Command on a Network Device

  Enter Information
    Network Device IP   Enter the IP address of the network device on which you want to run the show command.
    Command             Enter the show command that you want to run.

Step 3  Click Run to run the show command on the specified network device.
        The Progress Details page appears. The Monitoring & Report Viewer prompts you for additional input.
Step 4  Click the User Input Required button and modify the fields as described in Table 14-5.
Step 5  Click Submit to run the show command on the network device and view the output.

Related Topics
  Available Diagnostic and Troubleshooting Tools, page 14-1
  Connectivity Tests, page 14-1
  ACS Support Bundle, page 14-1
  Expert Troubleshooter, page 14-2

Evaluating the Configuration of a Network Device

You can use this diagnostic tool to evaluate the configuration of a network device and identify any missing or incorrect configuration. The Expert Troubleshooter compares the configuration on the device with the standard configuration.

To do this:

Step 1  Choose Monitoring and Reports > Troubleshooting > Expert Troubleshooter.
Step 2  Click Evaluate Configuration Validator from the list of troubleshooting tools.
        The Expert Troubleshooter page is refreshed and lists the fields described in Table 14-8.

Table 14-8 Evaluate Configuration Validator

  Enter Information
    Network Device IP        Enter the IP address of the network device whose configuration you want to evaluate.
    Select the configuration items below that you want to compare against the recommended template.
    AAA                      Checked by default.
    RADIUS                   Checked by default.
    Device Discovery         Checked by default.
    Logging                  Checked by default.
    Web Authentication       Check this check box if you want to compare the web authentication configuration.
    Profiler Configuration   Check this check box if you want to compare the Profiler configuration.
    SGA                      Check this check box if you want to compare the Security Group Access configuration.
    802.1X                   Check this check box if you want to compare the 802.1X configuration, and choose one of the following options:
                               Open Mode
                               Low Impact Mode (Open Mode + ACL)
                               High Security Mode (Closed Mode)

Step 3  Click Run.
        The Progress Details page appears. The Monitoring & Report Viewer prompts you for additional input.
Step 4  Click the User Input Required button and modify the fields as described in Table 14-5.
        The Troubleshooting Progress Details page appears. The Expert Troubleshooter retrieves the CLI response from the network device. A new window appears and prompts you to select the interfaces whose configuration you want to analyze.
Step 5  Check the check boxes next to the interfaces that you want to analyze, and click Submit to evaluate the configuration of the interfaces.
        The Progress Details page appears with a summary.
Step 6  Click Show Results Summary to view the troubleshooting summary.
        The Results Summary page appears with the information described in Table 14-6. The missing configurations appear in red.

Related Topics
  Available Diagnostic and Troubleshooting Tools, page 14-1
  Connectivity Tests, page 14-1
  ACS Support Bundle, page 14-1
  Expert Troubleshooter, page 14-2

Comparing SGACL Policy Between a Network Device and ACS

For Security Group Access-enabled devices, ACS assigns an SGACL for every source SGT-destination SGT pair based on the Egress policy matrix that you configure in ACS. The Egress policy diagnostic tool does the following:

1. Connects to the device whose IP address you provide and obtains the ACLs for each source SGT-destination SGT pair.
2. Checks the Egress policy that is configured in ACS and obtains the ACLs for each source SGT-destination SGT pair.
3. Compares the SGACL policy obtained from the network device with the SGACL policy obtained from ACS.
4. Displays the source SGT-destination SGT pair if there is a mismatch. The matching entries are also displayed as additional information.

To compare the SGACL policy between a network device and ACS:

Step 1  Choose Monitoring and Reports > Troubleshooting > Expert Troubleshooter.
Step 2  Select Egress (SGACL) Policy from the list of troubleshooting tools.
        The Expert Troubleshooter page is refreshed and shows the Network Device IP field.
Step 3  Enter the IP address of the Security Group Access device whose SGACL policy you want to compare with ACS.
Step 4  Click Run to compare the SGACL policy between ACS and the network device.
        The Progress Details page appears. The Monitoring & Report Viewer prompts you for additional input.
Step 5  Click the User Input Required button and modify the fields as described in Table 14-5.
Step 6  Click Submit.
        The Progress Details page appears with a brief summary of the results.
Step 7  Click Show Results Summary to view the diagnosis and resolution steps.
        The Results Summary page appears with the information described in Table 14-6.

Related Topics
  Available Diagnostic and Troubleshooting Tools, page 14-1
  Connectivity Tests, page 14-1
  ACS Support Bundle, page 14-1
  Expert Troubleshooter, page 14-2

Comparing the SXP-IP Mappings Between a Device and its Peers

Security Group Access devices communicate with their peers and learn their SGT values. The Security Exchange Protocol (SXP)-IP Mappings diagnostic tool connects to the device whose IP address you provide and lists the peer devices' IP addresses and SGT values. You must select one or more of the device's peers. This tool connects to each of the peers that you select and obtains their SGT values to verify that these values are the same as the values that it learned earlier.

Use this diagnostic tool to compare the SXP-IP mappings between a device and its peers. To do this:

Step 1  Choose Monitoring and Reports > Troubleshooting > Expert Troubleshooter.
Step 2  Select SXP-IP Mappings from the list of troubleshooting tools.
        The Expert Troubleshooter page is refreshed and shows the Network Device IP field.
Step 3  Enter the IP address of the network device.
Step 4  Click SXP-IP Mappings from the list of troubleshooting tools.
        The Expert Troubleshooter page refreshes and shows the following field:
        Network Device IP: Enter the IP address of the network device.
Step 5  Click Run.
        The Progress Details page appears. The Monitoring & Report Viewer prompts you for additional input.
Step 6  Click the User Input Required button and modify the fields as described in Table 14-5.
        The Troubleshooting Progress Details page appears. The Expert Troubleshooter retrieves the SGA SXP connections from the network device and again prompts you to select the peer SXP devices.
Step 7  Click the User Input Required button.
        A new window appears with the fields described in Table 14-9.
Step 8  Check the check box of each peer SXP device for which you want to compare the SXP mappings, and enter the Common Connection Parameters as described in Table 14-9.
Step 9  Click Submit.
        The Progress Details page appears with a brief summary of the results.

Table 14-9 Peer SXP Devices

  Peer SXP Devices
    Peer IP Address     IP address of the peer SXP device.
    VRF                 VRF instance of the peer device.
    Peer SXP Mode       SXP mode of the peer device; for example, whether it is a speaker or a listener.
    Self SXP Mode       SXP mode of the network device; for example, whether it is a speaker or a listener.
    Connection State    Status of the connection.
  Common Connection Parameters
    Use Common Connection Parameters   Check this check box to enable common connection parameters for all the peer SXP devices. If the common connection parameters are not specified, or if they do not work for some reason, the Expert Troubleshooter again prompts you for connection parameters for that particular peer device.
    Username            Enter the username of the peer SXP device.
    Password            Enter the password to gain access to the peer device.
    Protocol            Choose the protocol from the Protocol drop-down list box. Valid options are:
                          - Telnet
                          - SSHv2
                        Telnet is the default option. If you choose SSHv2, you must ensure that SSH connections are enabled on the network device.
    Port                Enter the port number. The default port number for Telnet is 23 and for SSH is 22.
    Enable Password     Enter the enable password if it is different from your login password.
    Same as login password   Check this check box if your enable password is the same as your login password.
Step 10  Click Show Results Summary to view the diagnosis and resolution steps.
         The Results Summary page appears with the information described in Table 14-6.

Related Topics
  Available Diagnostic and Troubleshooting Tools, page 14-1
  Connectivity Tests, page 14-1
  ACS Support Bundle, page 14-1
  Expert Troubleshooter, page 14-2

Comparing IP-SGT Pairs on a Device with ACS-Assigned SGT Records

For Security Group Access-enabled devices, ACS assigns each user an SGT value through RADIUS authentication. The IP User SGT diagnostic tool connects to the network device whose IP address you provide and does the following:

1. Obtains a list of all IP-SGT assignments on the network device.
2. Checks the RADIUS authentication and accounting records for each IP-SGT pair to find the IP-SGT-User value that ACS has assigned to it most recently.
3. Displays the IP-SGT pairs in a tabular format and identifies whether the SGT values most recently assigned by ACS and those on the device are the same or different.

Use this diagnostic tool to compare the IP-SGT values on a device with the ACS-assigned SGT. To do this:

Step 1  Choose Monitoring and Reports > Troubleshooting > Expert Troubleshooter.
Step 2  Click IP User SGT from the list of troubleshooting tools.
        The Expert Troubleshooter page refreshes and lists the fields described in Table 14-10.

Table 14-10 IP User SGT

  Enter Information
    Network Device IP   Enter the IP address of the network device.
  Filter Results
    Username            Enter the username of the user whose records you want to troubleshoot.
    User IP Address     Enter the IP address of the user whose records you want to troubleshoot.
    SGT                 Enter the user SGT value.

Step 3  Click Run.
        The Progress Details page appears. The Monitoring & Report Viewer prompts you for additional input.
Step 4  Click the User Input Required button and modify the fields as described in Table 14-5.
Step 5  Click Submit.
        The Progress Details page appears with a brief summary of the results.
Step 6  Click Show Results Summary to view the diagnosis and resolution steps.

Related Topics
  Available Diagnostic and Troubleshooting Tools, page 14-1
  Connectivity Tests, page 14-1
  ACS Support Bundle, page 14-1
  Expert Troubleshooter, page 14-2

Comparing Device SGT with ACS-Assigned Device SGT

For Security Group Access-enabled devices, ACS assigns each network device an SGT value through RADIUS authentication. The Device SGT diagnostic tool connects to the network device whose IP address you provide and does the following:

1. Obtains the network device's SGT value.
2. Checks the RADIUS authentication records to determine the SGT value that ACS most recently assigned to it.
3. Displays the Device-SGT pairs in a tabular format and identifies whether the SGT values are the same or different.

Use this diagnostic tool to compare the device SGT with the ACS-assigned device SGT. To do this:

Step 1  Choose Monitoring and Reports > Troubleshooting > Expert Troubleshooter.
        The Expert Troubleshooter page appears.
Step 2  Click Device SGT from the list of troubleshooting tools.
        The Expert Troubleshooter page is refreshed and lists the fields described in Table 14-11.

Table 14-11 Device SGT

  Enter Information
    Network Device IPs (comma-separated list)   Enter the IP addresses of the network devices whose device SGT you want to compare with the ACS-assigned device SGT, separated by commas.
  Common Connection Parameters
    Use Common Connection Parameters   Check this check box to use the following common connection parameters for the comparison:
      Username: Enter the username of the network device.
      Password: Enter the password.
      Protocol: Choose the protocol from the Protocol drop-down list box. Valid options are:
        - Telnet
        - SSHv2
        Telnet is the default option. If you choose SSHv2, you must ensure that SSH connections are enabled on the network device.
      Port: Enter the port number. The default port number for Telnet is 23 and for SSH is 22.
    Enable Password     Enter the enable password if it is different from your login password.
    Same as login password   Check this check box if your enable password is the same as your login password.

Step 3  Click Run.
        The Progress Details page appears with a summary.
Step 4  Click Show Results Summary to view the results of the device SGT comparison.
        The Results Summary page appears with the diagnosis, resolution, and troubleshooting summary.

Related Topics
  Available Diagnostic and Troubleshooting Tools, page 14-1
  Connectivity Tests, page 14-1
  ACS Support Bundle, page 14-1
  Expert Troubleshooter, page 14-2
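The IP User SGT comparison described above (steps 1 to 3 of the tool, with the Filter Results fields of Table 14-10), modelled offline as an added example that is not Cisco's code: the device bindings and RADIUS records are constructed sample data, and matching the SGT filter against either the device value or the ACS value is an assumption.

```python
"""Offline model of the IP User SGT comparison (added example, not Cisco's code).
Walks the IP-SGT bindings a device reports, finds the most recent ACS RADIUS
record per IP, and reports SAME / DIFFERENT / NO ACS RECORD for each binding.
All device bindings and RADIUS records below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RadiusRecord:
    timestamp: datetime   # when ACS logged the authentication/accounting event
    username: str         # user ACS authenticated
    framed_ip: str        # IP address of that user's session
    sgt: int              # SGT value ACS assigned in this record


# Constructed sample: IP-to-SGT bindings as a device would report them.
DEVICE_IP_SGT = {"10.1.1.10": 5, "10.1.1.11": 7, "10.1.1.12": 3}

# Constructed sample ACS records. bob re-authenticated and received a new SGT
# that the device has not applied yet; carol's IP is not bound on the device.
ACS_RECORDS = [
    RadiusRecord(datetime(2012, 3, 1, 9, 0), "alice", "10.1.1.10", 5),
    RadiusRecord(datetime(2012, 3, 1, 9, 5), "bob", "10.1.1.11", 7),
    RadiusRecord(datetime(2012, 3, 1, 9, 30), "bob", "10.1.1.11", 9),
    RadiusRecord(datetime(2012, 3, 1, 8, 0), "carol", "10.1.1.13", 4),
]


def latest_record_per_ip(records: List[RadiusRecord]) -> Dict[str, RadiusRecord]:
    """Step 2 of the tool: keep only the most recent ACS record for each IP."""
    latest: Dict[str, RadiusRecord] = {}
    for rec in records:
        current = latest.get(rec.framed_ip)
        if current is None or rec.timestamp > current.timestamp:
            latest[rec.framed_ip] = rec
    return latest


def compare_ip_sgt(device_bindings: Dict[str, int], records: List[RadiusRecord],
                   username: Optional[str] = None, user_ip: Optional[str] = None,
                   sgt: Optional[int] = None) -> list:
    """Step 3 of the tool: one (ip, device_sgt, acs_sgt, user, status) row per
    device binding. The optional filters mirror the Filter Results fields of
    Table 14-10; treating the SGT filter as matching either side is an assumption."""
    latest = latest_record_per_ip(records)
    rows = []
    for ip, dev_sgt in sorted(device_bindings.items()):
        rec = latest.get(ip)
        acs_sgt = rec.sgt if rec else None
        user = rec.username if rec else None
        if rec is None:
            status = "NO ACS RECORD"  # binding on the device with no ACS assignment behind it
        elif acs_sgt == dev_sgt:
            status = "SAME"
        else:
            status = "DIFFERENT"      # device still holds an older SGT than ACS assigned
        if (username is not None and user != username) or \
           (user_ip is not None and ip != user_ip) or \
           (sgt is not None and sgt not in (dev_sgt, acs_sgt)):
            continue
        rows.append((ip, dev_sgt, acs_sgt, user, status))
    return rows


if __name__ == "__main__":
    for row in compare_ip_sgt(DEVICE_IP_SGT, ACS_RECORDS):
        print("{:<12} device={:<3} acs={!s:<5} user={!s:<6} {}".format(*row))
```

A binding that ACS never assigned (the NO ACS RECORD row) is the case worth investigating first, since it is an SGT the device holds without a matching authentication behind it.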
Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer

This chapter describes the tasks that you must perform to configure and administer the Monitoring & Report Viewer. The Monitoring Configuration drawer allows you to:

  Manage data: The Monitoring & Report Viewer handles large volumes of data from ACS servers. Over a period of time, the performance and efficiency of the Monitoring & Report Viewer depend on how well you manage the data. To do so efficiently, you must back up the data and transfer it to a remote repository on a periodic basis. You can automate this task by scheduling jobs to run periodically. See Configuring Data Purging and Incremental Backup, page 15-3, for more information on data backup.

  View log collections: The Monitoring & Report Viewer collects log and configuration data from ACS servers in your deployment, stores the data in the Monitoring & Report Viewer server, and processes it to generate reports and alarms. You can view the details of the logs collected from any of the servers in your deployment. See Viewing Log Collections, page 15-7, for more information.

  Recover log messages: The Monitoring & Report Viewer recovers the logging entries that are missed during log collection. Log messages are missed when the Monitoring & Report Viewer server is down or the connectivity between the Monitoring & Report Viewer and the ACS server is broken. When connectivity is regained, the Monitoring & Report Viewer discovers the entries that were missed and notifies the ACS server. When the ACS server receives this notification, it resends the entries to the Monitoring & Report Viewer. See Recovering Log Messages, page 15-11, for more information.

  View scheduled jobs: The Monitoring & Report Viewer allows you to schedule tasks that you must perform periodically. For example, you can schedule an incremental or full backup to be run at regular intervals. You can use the Scheduler to view the details of these tasks. See Viewing Scheduled Jobs, page 15-11, for more information on the Scheduler.

  View process status: You can view the status of the various processes that run in the Monitoring & Report Viewer. See Viewing Process Status, page 15-13, for more information on the various processes that run in the Monitoring & Report Viewer.

  View data upgrade status: After you upgrade from ACS 5.2 to ACS 5.3 through the CLI, you must ensure that the Monitoring & Report Viewer data upgrade is complete. You can view the Monitoring & Report Viewer data upgrade status through the web interface and switch the Monitoring & Report Viewer database if the upgrade is complete. See Viewing Data Upgrade Status, page 15-14, for more information.

  Configure and edit failure reasons: The Monitoring & Report Viewer allows you to configure the description of the failure reason code and provide instructions to resolve the problem. See Viewing Failure Reasons, page 15-14, for more information on how to edit the failure reason description and instructions for resolution.

  Configure e-mail settings: You can configure the e-mail server and administrator e-mail address. See Specifying E-Mail Settings, page 15-15, for more information.

  Configure collection filters: The Monitoring & Report Viewer provides you with the option to filter data that is not used for monitoring or troubleshooting purposes. The data that is filtered is not stored in the database and hence saves much needed disk space. See Understanding Collection Filters, page 15-16, for more information on how to configure collection filters.

  Configure system alarms: System alarms notify you of critical conditions encountered during the execution of the ACS Monitoring and Reporting viewer. You can configure if and how you would like to receive notification of system alarms. See Configuring System Alarm Settings, page 15-17, for more information.

  Configure Syslog targets: If you have configured the Monitoring & Report Viewer to send system alarm notifications as Syslog messages, then you must configure a Syslog target to receive the notification. See Configuring Alarm Syslog Targets, page 15-17, for more information.

  Export Monitoring & Report Viewer data: You can configure a remote database, which could be either an Oracle SID or Microsoft AD, to which you can export the Monitoring & Report Viewer data. You can create and run custom reporting applications using the data in your remote database. See Configuring Remote Database Settings, page 15-17, for more information on how to configure a remote database with the Monitoring & Report Viewer.

ACS provides you with the option to schedule jobs in the Monitoring & Report Viewer. By scheduling jobs, you can automate the monitoring tasks to be run at specified intervals. You can view the status of the scheduled jobs, control events, and intervene whenever necessary. You can schedule the following jobs:

  Data Purge
  Backup
  Event notification (system and threshold alarms)
  Export of Monitoring & Report Viewer data to a remote database

This chapter contains the following sections:

  Configuring Data Purging and Incremental Backup, page 15-3
  Restoring Data from a Backup, page 15-7
  Viewing Log Collections, page 15-7
  Recovering Log Messages, page 15-11
  Viewing Scheduled Jobs, page 15-11
  Viewing Process Status, page 15-13
  Viewing Data Upgrade Status, page 15-14
  Viewing Failure Reasons, page 15-14
  Editing Failure Reasons, page 15-14
  Specifying E-Mail Settings, page 15-15
  Configuring SNMP Preferences, page 15-15
  Understanding Collection Filters, page 15-16
  Configuring System Alarm Settings, page 15-17