Cisco ACS 5.x User Guide
User Guide for Cisco Secure Access Control System 5.3, OL-24201-01
Chapter 15: Managing System Operations and Configuration in the Monitoring & Report Viewer

Viewing Process Status

Use this page to view the status of the processes running in your ACS environment. From the Monitoring & Report Viewer, select Monitoring Configuration > System Operations > Process Status.

Note: You can click the refresh symbol to refresh the contents of the page.

Table 15-7 Process Status Page

  Process Name: Display only. Name of the process. Options can be:
    - Database Management (ACS management subsystem)
    - Runtime (ACS runtime subsystem)
    - View-alertmanager
    - View-collector
    - View-database
    - View-jobmanager
    - View-logprocessor
  Status: Display only. Indicates the status of the associated process.
  CPU Utilization: Display only. Indicates the CPU utilization of the associated process.
  Memory Utilization: Display only. Indicates the memory utilization of the associated process.
  Uptime: Display only. Indicates the time at which the process was started successfully, in the format Ddd Mmm dd hh:mm:ss timezone yyyy, where:
    Ddd = Sun, Mon, Tue, Wed, Thu, Fri, Sat.
    Mmm = Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec.
    dd = A two-digit numeric representation of the day of the month, from 01 to 31.
    hh = A two-digit numeric representation of the hour of the day, from 00 to 23.
    mm = A two-digit numeric representation of the minute of the hour, from 00 to 59.
    ss = A two-digit numeric representation of the second of the minute, from 00 to 59.
    timezone = The time zone.
    yyyy = A four-digit representation of the year.
Viewing Data Upgrade Status

After you upgrade to ACS 5.3, ensure that the Monitoring & Report Viewer database upgrade is complete. You can do this through the ACS web interface. Refer to the Installation Guide for the Cisco Secure Access Control System 5.3 for more information on the upgrade process.

To view the status of the Monitoring & Report Viewer data upgrade:

Step 1  From the Monitoring & Report Viewer, select Monitoring Configuration > System Operations > Data Upgrade Status.
Step 2  The Data Upgrade Status page appears with the following information:
        Status—Indicates whether or not the Monitoring & Report Viewer data upgrade is complete.

Viewing Failure Reasons

Use this page to view failure reasons. From the Monitoring & Report Viewer, select Monitoring Configuration > System Configuration > Failure Reasons Editor. Table 15-8 lists the field in the Failure Reasons page.

Table 15-8 Failure Reasons Page
  Failure Reasons: Description of the possible failure reasons. Click a failure reason name to open the Failure Reasons Editor page.

Related Topic
  Editing Failure Reasons, page 15-14

Editing Failure Reasons

Use this page to edit failure reasons and include possible resolution steps to assist administrators when they encounter failures.

Step 1  From the Monitoring & Report Viewer, select Monitoring Configuration > System Configuration > Failure Reasons Editor.
Step 2  Click either:
        - The name of the failure reason you want to edit, or
        - The radio button associated with the failure reason you want to edit, then click Edit.
        The Failure Reason Editor page appears, as described in Table 15-9.

Table 15-9 Failure Reasons Editor Page
  Failure Reason: Display only. The error code and associated failure reason name.
  Description: Enter a free-text description of the failure reason to assist administrators; use the text tools as needed.
  Resolution Steps: Enter a free-text description of possible resolution steps for the failure reason to assist administrators; use the text tools as needed.

Related Topic
  Viewing Failure Reasons, page 15-14

Specifying E-Mail Settings

Use this page to specify the e-mail server and administrator e-mail address. From the Monitoring & Report Viewer, select Monitoring Configuration > System Configuration > Email Settings.

Table 15-10 Email Settings Page
  Mail Server: Enter a valid e-mail host server.
  Mail From: Enter the e-mail address that you want users to see as the sender when they receive e-mail from the system.

Configuring SNMP Preferences

You can configure SNMP preferences to authenticate access to MIB objects. The text string that you enter for the SNMP preference functions as an embedded password.

To configure SNMP preferences:

Step 1  From the Monitoring & Report Viewer, choose Monitoring Configuration > System Configuration > SNMP Settings. The SNMP Preferences page appears.
Step 2  Enter a password in the SNMP V2 Read Community String field to authenticate access to MIB objects.
Step 3  Click Submit.
Understanding Collection Filters

You can create collection filters that allow you to filter and drop syslog events that are not used for monitoring or troubleshooting purposes. When you configure collection filters, the Monitoring & Report Viewer does not record these events in the database, which saves much-needed disk space.

This section contains the following topics:
  Creating and Editing Collection Filters, page 15-16
  Deleting Collection Filters, page 15-17

Creating and Editing Collection Filters

Use this page to create or edit collection filters. To do this:

Step 1  From the Monitoring & Report Viewer, choose Monitoring Configuration > System Configuration > Collection Filters. The Collection Filters page appears.
Step 2  In the Filters area, do one of the following:
        - Click Create to create a collection filter.
        - Check the check box of the syslog attribute that you want to edit, then click Edit.
        - Check the check box of the syslog attribute that you want to delete, then click Delete.
        The Add or Edit Collection Filters page, described in Table 15-11, appears.
Step 3  Click Submit.

Table 15-11 Add or Edit Collection Filters Page
  Syslog Attribute: In the Add Filter page, choose any one of the following syslog attributes:
    - NAS IP Address
    - Access Service
    - MAC Address
    - User
    In the Edit Filter page, this field is display only.
  Value: Enter the value of the syslog attribute:
    NAS IP Address—Enter the IP address of the NAS that you want to filter.
    Access Service—Enter the name of the access service that you want to filter.
    MAC Address—Enter the MAC address of the machine that you want to filter.
    User—Enter the username of the user that you want to filter.
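The following Python is an added illustration (not ACS code) of how the four collection-filter attributes above are evaluated against syslog events, and of the check a defender wants before enabling one: which dropped events were failed attempts, since a filter added to save disk space also removes records an investigation may later need. The key=value event layout, field names, sample events and filter values are all constructed assumptions.

```python
# Collection filter evaluation modelled on the four syslog attributes this
# section lists (NAS IP Address, Access Service, MAC Address, User).
# Added illustration, not ACS code; the event layout is a constructed key=value form.
from collections import Counter
from ipaddress import ip_address

# Constructed sample events; field names are assumptions, not the ACS schema.
SAMPLE_EVENTS = """\
status=passed nas_ip=10.1.1.5 service=Default_Network_Access mac=00-11-22-33-44-55 user=alice
status=failed nas_ip=10.1.1.5 service=Default_Network_Access mac=00-11-22-33-44-66 user=bob
status=passed nas_ip=10.1.2.9 service=Monitoring_Probe mac=AA-BB-CC-DD-EE-FF user=probe
status=failed nas_ip=10.1.2.9 service=Default_Device_Admin mac= user=admin
status=passed nas_ip=10.1.3.1 service=Default_Device_Admin mac=00-11-22-33-44-55 user=alice
""".splitlines()

# Constructed filters in the (Syslog Attribute, Value) form of Table 15-11.
FILTERS = [("MAC Address", "aa:bb:cc:dd:ee:ff"), ("NAS IP Address", "10.1.1.5")]

ATTRIBUTE_FIELD = {"NAS IP Address": "nas_ip", "Access Service": "service",
                   "MAC Address": "mac", "User": "user"}

def parse_event(line):
    return dict(part.split("=", 1) for part in line.split())

def normalize(attribute, value):
    """Compare IPs numerically and MACs case- and separator-insensitively."""
    if attribute == "NAS IP Address":
        return ip_address(value)
    if attribute == "MAC Address":
        return value.upper().replace("-", "").replace(":", "")
    return value

def matches(event, attribute, value):
    field = event.get(ATTRIBUTE_FIELD[attribute], "")
    try:
        return normalize(attribute, field) == normalize(attribute, value)
    except ValueError:          # empty or malformed NAS IP never matches
        return False

def apply_filters(lines, filters):
    """Return (kept, dropped); dropped holds (event, filter that matched)."""
    kept, dropped = [], []
    for line in lines:
        event = parse_event(line)
        hit = next((f for f in filters if matches(event, *f)), None)
        if hit:
            dropped.append((event, hit))
        else:
            kept.append(event)
    return kept, dropped

def dropped_failures(dropped):
    """Count dropped failed-attempt events per filter: a filter meant to silence
    a noisy source must not also hide that source's failures from the reports."""
    return Counter(f for e, f in dropped if e.get("status") == "failed")
```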
Related Topics
  Creating and Editing Collection Filters, page 15-16
  Deleting Collection Filters, page 15-17

Deleting Collection Filters

To delete a collection filter:

Step 1  Choose Monitoring Configuration > System Configuration > Collection Filters. The Collection Filters page appears.
Step 2  Check the check box of the collection filter or filters that you want to delete, then click Delete. The following message appears: Are you sure you want to delete the selected item(s)?
Step 3  Click Yes. The Collection Filters page appears without the deleted collection filter.

Configuring System Alarm Settings

See Configuring System Alarm Settings, page 12-34 for a description of how to configure system alarm settings.

Configuring Alarm Syslog Targets

See Understanding Alarm Syslog Targets, page 12-35 for a description of how to configure the syslog targets.

Configuring Remote Database Settings

Use this page to configure a remote database to which you can export the Monitoring & Report Viewer data. ACS exports data to this remote database at specified intervals. You can schedule the export job to run once every 1, 2, 4, 6, 8, 12, or 24 hours. You can create custom reporting applications that interact with this remote database.

ACS supports the following databases:
  - Oracle SQL Developer
  - Microsoft SQL Server 2005

Note: ACS does not support a remote database in a cluster setup.

To configure a remote database:

Step 1  From the Monitoring & Report Viewer, choose Monitoring Configuration > System Configuration > Remote Database Settings. The Remote Database Settings page appears, as described in Table 15-12.
Step 2  Click Submit to configure the remote database.

Note: You can view the status of your export job in the Scheduler. See Viewing Scheduled Jobs, page 15-11 for more information.

Note: If two log collector servers have been configured to export data to a remote database, only one log collector server can export data to the remote database at a time. If a second log collector is pointed to the same remote database, it can cause issues such as overwriting of existing entries in the tables.

Table 15-12 Remote Database Settings Page
  Publish to Remote Database: Check the check box for ACS to export data to the remote database periodically. By default, ACS exports data to the remote database every 4 hours.
  Server: Enter the DNS name or the IP address of the remote database.
  Port: Enter the port number of the remote database.
  Username: Enter the username for remote database access.
  Password: Enter the password for remote database access.
  Publish data every n hours: Choose a time interval from the drop-down list box; ACS exports data at the specified interval. Valid options are 1, 2, 4, 6, 8, 12, and 24 hours. The default interval is 4 hours.
  Database Type: The type of remote database that you want to configure:
    - Click the Microsoft Database radio button to configure a Microsoft database, and enter the name of the remote database.
    - Click the Oracle SID radio button to configure an Oracle database, and enter the system identifier for the Oracle database.
  Download Remote Database schema files: Click this link to download the remote database schema files. The following two schema files are downloaded:
    - acsview_microsoft_schema.sql
    - acsview_oracle_schema.sql
Chapter 16: Managing System Administrators

System administrators are responsible for deploying, configuring, maintaining, and monitoring the ACS servers in your network. They can perform various operations in ACS through the ACS administrative interface.

When you define an administrator in ACS, you assign a password and a role or set of roles that determine the access privileges the administrator has for the various operations. When you create an administrator account, you initially assign a password, which the administrator can subsequently change through the ACS web interface. Irrespective of the roles that are assigned, administrators can change their own passwords.

ACS provides the following configurable options to manage administrator passwords:
  Password Complexity—Required length and character types for passwords.
  Password History—Prevents repeated use of the same passwords.
  Password Lifetime—Forces administrators to change passwords after a specified time period.
  Account Inactivity—Disables the administrator account if it has not been in use for a specified time period.
  Password Failures—Disables the administrator account after a specified number of consecutive failed login attempts.

In addition, ACS provides configurable options that determine the IP addresses from which administrators can access the ACS administrative web interface, and the session duration after which idle sessions are logged out of the system.

You can use the Monitoring & Report Viewer to monitor administrator access to the system. The Administrator Access report is used to monitor the administrators who are currently accessing or attempting to access the system. You can view the Administrator Entitlement report to see the access privileges that administrators have, the configuration changes made by administrators, and the administrator access details. In addition, you can use the Configuration Change and Operational Audit reports to view details of the specific operations that each administrator performs.

The System Administrator section of the ACS web interface allows you to:
  - Create, edit, duplicate, or delete administrator accounts
  - Change the password of other administrators
  - View predefined roles
  - Associate roles with administrators
  - Configure authentication settings that include password complexity, account lifetime, and account inactivity
  - Configure administrator session settings
  - Configure administrator access settings

The first time you log in to ACS 5.3, you are prompted for the predefined administrator username (ACSAdmin) and required to change the predefined password (default). After you change the password, you can start configuring the system. The predefined administrator has super administrator permissions—Create, Read, Update, Delete, and eXecute (CRUDX)—to all ACS resources.

When you register a secondary instance to a primary instance, you can use any account created on the primary instance. The credentials that you create on the primary instance apply to the secondary instance.

Note: After installation, the first time you log in to ACS, you must do so through the ACS web interface and install the licenses. You cannot log in to ACS through the CLI immediately after installation.

This section contains the following topics:
  Understanding Administrator Roles and Accounts, page 16-2
  Configuring System Administrators and Accounts, page 16-3
  Understanding Roles, page 16-3
  Creating, Duplicating, Editing, and Deleting Administrator Accounts, page 16-6
  Viewing Predefined Roles, page 16-8
  Configuring Authentication Settings for Administrators, page 16-9
  Configuring Session Idle Timeout, page 16-11
  Configuring Administrator Access Settings, page 16-11
  Resetting the Administrator Password, page 16-12
  Changing the Administrator Password, page 16-13

Understanding Administrator Roles and Accounts

The first time you log in to ACS 5.3, you are prompted for the predefined administrator username (ACSAdmin) and required to change the predefined password (default).

Note: You cannot rename, disable, or delete the ACSAdmin account.

After you change the password, you can start configuring the system. The predefined administrator has super administrator permissions—Create, Read, Update, Delete, and eXecute (CRUDX)—to all ACS resources. If you do not need granular access control, the Super Admin role is most convenient, and this is the role assigned to the predefined ACSAdmin account.

To create further granularity in your access control, follow these steps:

1. Define administrators. See Configuring System Administrators and Accounts, page 16-3.
2. Associate roles with administrators. See Understanding Roles, page 16-3.

When these steps are completed, the defined administrators can log in and start working in the system.
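As an added example (not ACS code), the following Python models the five administrator password options listed at the start of this chapter (complexity, history, lifetime, account inactivity, password failures) as one account-state machine, so the interaction between them, such as a lockout persisting across later correct logins, can be exercised. Every threshold, the PBKDF2 hashing and the status strings are assumptions, not ACS defaults.

```python
# Administrator password and account policy checks modelled on the options this
# chapter lists: complexity, history, lifetime, inactivity and failed-login
# lockout. Added illustration, not ACS code; every threshold is an assumption.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib, hmac, os, re

@dataclass
class AdminPolicy:
    min_length: int = 8        # assumed complexity rules
    min_classes: int = 3       # of: lower, upper, digit, special
    history_depth: int = 5     # recent passwords that may not be reused
    lifetime_days: int = 90    # forces a change after this period
    inactivity_days: int = 30  # disables the account after this idle period
    max_failures: int = 3      # consecutive bad logins before disabling

@dataclass
class AdminAccount:
    username: str
    last_login: datetime                         # creation time until first login
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)  # PBKDF2 hashes, newest last
    changed_at: datetime = datetime.min
    failures: int = 0
    disabled: bool = False

def _hash(acct, pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), acct.salt, 100_000)

def complexity_errors(pw, policy=AdminPolicy()):
    """Return the complexity rules a candidate password violates (empty = ok)."""
    errors = []
    if len(pw) < policy.min_length:
        errors.append(f"shorter than {policy.min_length}")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"\W"))
    if classes < policy.min_classes:
        errors.append(f"fewer than {policy.min_classes} character classes")
    return errors

def set_password(acct, pw, now, policy=AdminPolicy()):
    """Apply the complexity and history rules, then record the new password."""
    if errors := complexity_errors(pw, policy):
        raise ValueError("; ".join(errors))
    digest = _hash(acct, pw)
    if any(hmac.compare_digest(digest, h) for h in acct.history[-policy.history_depth:]):
        raise ValueError("password reused")
    acct.history.append(digest)
    acct.changed_at = now

def login(acct, pw, now, policy=AdminPolicy()):
    if acct.disabled:
        return "disabled"
    if now - acct.last_login > timedelta(days=policy.inactivity_days):
        acct.disabled = True                     # account inactivity rule
        return "disabled-inactive"
    if not (acct.history and hmac.compare_digest(_hash(acct, pw), acct.history[-1])):
        acct.failures += 1
        if acct.failures >= policy.max_failures:
            acct.disabled = True                 # password failures rule
            return "disabled-failures"
        return "bad-password"
    acct.failures, acct.last_login = 0, now      # counter resets on success
    if now - acct.changed_at > timedelta(days=policy.lifetime_days):
        return "password-expired"                # lifetime rule: change required
    return "ok"
```

A disabled account stays disabled until an administrator with the appropriate role re-enables it; the model deliberately has no self-service path out of that state.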
Understanding Authentication

An authentication request is the first operation for every management session. If authentication fails, the management session is terminated. If authentication passes, the management session continues until the administrator logs out or the session times out.

ACS 5.3 authenticates every login operation by using user credentials (username and password). Then, by using the administrator and role definitions, ACS fetches the appropriate permissions and answers subsequent authorization requests. The ACS user interface displays only the functions and options for which you have the necessary administrator privileges.

Note: Allow a few seconds before logging back in so that changes in the system have time to propagate.

Related Topics
  Understanding Administrator Roles and Accounts, page 16-2
  Configuring System Administrators and Accounts, page 16-3

Configuring System Administrators and Accounts

This section contains the following topics:
  Understanding Roles
  Administrator Accounts and Role Association
  Creating, Duplicating, Editing, and Deleting Administrator Accounts
  Viewing Role Properties

Understanding Roles

Roles consist of typical administrator tasks, each with an associated set of permissions. Each administrator can have more than one predefined role, and a role can apply to multiple administrators. As a result, you can configure multiple tasks for a single administrator and multiple administrators for a single task. You use the Administrator Accounts page to assign roles. In general, a precise definition of roles is the recommended starting point. Refer to Creating, Duplicating, Editing, and Deleting Administrator Accounts, page 16-6 for more information.

Note: The ACS web interface displays only the functions for which you have privileges. For example, if your role is Network Device Admin, the System Administration drawer does not appear, because you do not have permissions for the functions in that drawer.
Permissions

A permission is an access right that applies to a specific administrative task. Permissions consist of:
  - A resource: the list of ACS components that an administrator can access, such as network resources or policy elements.
  - Privileges: Create, Read, Update, Delete, and eXecute (CRUDX). Some privileges cannot apply to a given resource; for example, the user resource cannot be executed.

A resource given to an administrator without any privileges means that the administrator has no access to that resource. In addition, the permissions are discrete: if only the create, update, and delete privileges apply to a resource, the read privilege is not available. If no permission is defined for an object, the administrator cannot access this object, not even for reading.

Note: You cannot make permission changes.

Predefined Roles

Table 16-1 shows the predefined roles included in ACS:

Table 16-1 Predefined Role Descriptions
  ChangeAdminPassword: This role is intended for ACS administrators who manage other administrator accounts. It entitles the administrator to change the password of other administrators.
  ChangeUserPassword: This role is intended for ACS administrators who manage internal user accounts. It entitles the administrator to change the password of internal users.
  NetworkDeviceAdmin: This role is intended for ACS administrators who need to manage only the ACS network device repository, such as adding, updating, or deleting devices. This role has the following permissions:
    - Read and write permissions on network devices
    - Read and write permissions on NDGs and all object types in the Network Resources drawer
  PolicyAdmin: This role is intended for the ACS policy administrator responsible for creating and managing ACS access services and access policy rules, and the policy elements referenced by the policy rules. This role has the following permissions:
    - Read and write permissions on all the elements used in policies, such as authorization profiles, NDGs, IDGs, conditions, and so on
    - Read and write permissions on services policy
  ReadOnlyAdmin: This role is intended for ACS administrators who need read-only access to all parts of the ACS user interface. This role has read-only access to all resources.
  ReportAdmin: This role is intended for administrators who need access to the ACS Monitoring & Report Viewer only, to generate and view reports or monitoring data. This role has read-only access on logs.
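The permission model described under Permissions and the roles of Table 16-1, as an added Python example that is not ACS code: privileges are discrete (C, U or D never imply R), an administrator's roles combine by union, and a resource that no role names is inaccessible even for reading, which is also why the Network Device Admin of the earlier note never sees the System Administration drawer. The resource names, the privileges each resource supports, the drawer mapping, and the reading of "read and write" as R plus C, U, D are assumptions.

```python
# Role-to-permission model following this section: discrete CRUDX privileges
# per resource, several roles per administrator combined by union, and no
# access at all to a resource that none of the administrator's roles names.
# Added illustration, not ACS code. Role contents are a reading of Table 16-1
# ("read and write" taken as R plus C, U, D); resource names, the privileges
# each resource supports, and the drawer mapping are assumptions.
READ, WRITE = frozenset("R"), frozenset("CUD")
NO_EXECUTE = frozenset("CRUD")

# Privileges that can apply to each resource (users cannot be executed).
RESOURCE_PRIVS = {
    "network_devices": frozenset("CRUDX"), "ndgs": frozenset("CRUDX"),
    "policy_elements": frozenset("CRUDX"), "access_services": frozenset("CRUDX"),
    "users": NO_EXECUTE, "administrators": NO_EXECUTE, "logs": READ,
}
# Assumed drawer membership; a drawer is shown only when the administrator
# holds at least one privilege on some resource inside it.
DRAWERS = {
    "Network Resources": {"network_devices", "ndgs"},
    "Users and Identity Stores": {"users"},
    "Policy Elements": {"policy_elements"},
    "Access Policies": {"access_services"},
    "Monitoring and Reports": {"logs"},
    "System Administration": {"administrators"},
}
ROLES = {
    "ChangeAdminPassword": {"administrators": frozenset("U")},
    "ChangeUserPassword": {"users": frozenset("U")},
    "NetworkDeviceAdmin": {"network_devices": READ | WRITE, "ndgs": READ | WRITE},
    "PolicyAdmin": {"policy_elements": READ | WRITE, "ndgs": READ | WRITE,
                    "access_services": READ | WRITE},
    "ReadOnlyAdmin": {resource: READ for resource in RESOURCE_PRIVS},
    "ReportAdmin": {"logs": READ},
}

def effective_permissions(roles):
    """Union of the privileges each role grants, clipped to what the resource
    supports. Resources that no role names are absent: no access, not even R."""
    perms = {}
    for role in roles:
        for resource, privs in ROLES[role].items():
            granted = privs & RESOURCE_PRIVS[resource]
            perms[resource] = perms.get(resource, frozenset()) | granted
    return perms

def is_authorized(roles, privilege, resource):
    """Discrete check: only the exact privilege counts; C, U or D never imply R."""
    return privilege in effective_permissions(roles).get(resource, frozenset())

def visible_drawers(roles):
    """Drawers the web interface would show this administrator."""
    perms = effective_permissions(roles)
    return sorted(name for name, members in DRAWERS.items()
                  if any(perms.get(r) for r in members))

def unsupported_grants(role):
    """Privileges a role definition lists that its resource cannot have."""
    return {r: p - RESOURCE_PRIVS[r] for r, p in ROLES[role].items() if p - RESOURCE_PRIVS[r]}
```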