User Guide for Cisco Secure Access Control System 5.3, OL-24201-01
Chapter 18  Managing System Administration Configurations
Adding Local Server Certificates (page 18-17, continued)

Step 4  Click Finish.
The new certificate is saved. The Local Certificate Store page appears with the new certificate.

Table 18-14  Generate Self Signed Certificate Step 2 (continued)
  Management Interface: Check to associate the certificate with the management interface.
  Override Policy
    Replace Certificate: Check to replace the content of an existing certificate with the one that you import, but retain the existing protocol selections.

Generating a Certificate Signing Request

Step 1  Select System Administration > Configurations > Local Server Certificates > Local Certificates > Add.
Step 2  Select Generate Certificate Signing Request > Next.
Step 3  Enter the information in the ACS Import Server Certificate page as described in Table 18-15.
Step 4  Click Finish.
The following message is displayed: A server certificate signing request has been generated and can be viewed in the "Outstanding Signing Requests" list.
The request is saved and listed under Outstanding Signing Requests; no certificate exists until you bind the CA's response to it (see Binding CA Signed Certificates).

Table 18-15  Generate Signing Requests Step 2
  Certificate Subject: Certificate subject entered during generation of this request. The field may contain alphanumeric characters, up to 1024 characters, and is prefixed with "cn=".
  Key Length: Key length entered during generation of this request. Values may be 512, 1024, 2048, or 4096. Choose 2048 or 4096: 512- and 1024-bit RSA keys are below current minimums and public CAs no longer sign them.
  Digest to Sign with: Select SHA1 or SHA256 from the drop-down list. Choose SHA256: SHA1 certificate signatures are deprecated and rejected by current browsers and TLS clients.

Binding CA Signed Certificates

Use this page to bind a CA signed certificate to the request that was used to obtain the certificate from the CA.
Step 1  Select System Administration > Configurations > Local Server Certificates > Local Certificates > Add.
Step 2  Select Bind CA Signed Certificate > Next.
Step 3  Enter the information in the ACS Import Server Certificate page as described in Table 18-16.
Step 4  Click Finish.
The new certificate is saved. The Local Certificate Store page appears with the new certificate.

Table 18-16  Bind CA Signed Certificate Step 2
  Certificate File: Browse to the client machine and select the certificate file to be imported. It must be the certificate the CA issued for one of the outstanding signing requests, because binding pairs it with that request's private key.
  Protocol
    EAP: Check to associate the certificate with EAP protocols that use SSL/TLS tunneling: EAP-TLS, EAP-FAST, and PEAP.
    Management Interface: Check to associate the certificate with the management interface.
  Override Policy
    Replace Certificate: Check to replace the content of an existing certificate with the one that you import, but retain the existing protocol selections.

Related Topics
  Configuring Local Server Certificates, page 18-14
  Certificate-Based Network Access for EAP-TLS, page 4-10

Editing and Renewing Certificates

You can renew an existing self-signed certificate without removing it and adding a new certificate, so any service that uses the local certificate continues without interruption. To renew or extend a local server certificate:

Step 1  Select System Administration > Configuration > Local Server Certificates > Local Certificates.
Step 2  Click the name of the certificate that you want to modify; or, check the check box for the Name, and click Edit.
Step 3  Enter the certificate properties as described in Table 18-17.
Step 4  Click Submit to extend the existing certificate's validity.
The Local Certificate Store page appears with the edited certificate.

Table 18-17  Edit Certificate Store Properties Page
  Issuer
    Friendly Name: Name that is associated with the certificate.
    Description: Description of the certificate.
    Issued To: Display only. The entity to which the certificate is issued. The name that appears is from the certificate subject.
    Issued By: Display only. The certification authority that issued the certificate.
    Valid From: Display only. The start date of the certificate's validity. An X.509 certificate is valid only from the start date to the end date (inclusive).
    Valid To (Expiration): Display only. The last date of the certificate's validity.
    Serial Number: Display only. The serial number of the certificate.
  Protocol
    EAP: Check for ACS to use the local certificate with EAP protocols that use SSL/TLS tunneling: EAP-TLS, EAP-FAST, and PEAP.
    Management Interface: Check for ACS to use the local certificate for SSL on the management interface.
  Renew Self Signed Certificate
    Certificate Expires On: Display only. Date the certificate expires.
    Renew Self Signed Certificate: Check to allow the renewal of a self signed certificate that has expired.
    Expiration TTL: The number of days, weeks, months, or years by which you want to extend the existing certificate. Valid options are one day, one week, one month, and one year. At a maximum, you can extend the certificate for a period of one year.

Related Topic
  Configuring Local Server Certificates, page 18-14

Deleting Certificates

To delete a certificate:

Step 1  Select System Administration > Configuration > Local Server Certificates > Local Certificates.
Step 2  Check one or more check boxes next to the certificates that you want to delete.
Step 3  Click Delete.
Step 4  For confirmation, click Yes or Cancel.
The Certificate Store page appears without the deleted certificate(s).

Related Topic
  Configuring Local Server Certificates, page 18-14
Exporting Certificates

To export a certificate:

Step 1  Select System Administration > Configuration > Local Server Certificates > Local Certificates.
Step 2  Check the box next to the certificates that you want to export, then click Export.
The Export Certificate dialog box appears.
Step 3  Select one of the following options:
  Export Certificate Only
  Export Certificate and Private Key
Step 4  Enter your private key password in the Private Key Password field.
Step 5  Enter the same password in the Confirm Password field.
Note  Exporting the private key is not a secure operation and could lead to exposure of the private key. Whoever holds the exported file and its password can present this certificate as the ACS server to EAP supplicants and to management clients, so export the key only when you must move it, transfer the file over a protected channel, and delete every copy once it has been imported at its destination.
Step 6  Click OK or Cancel.

Related Topic
  Configuring Local Server Certificates, page 18-14

Viewing Outstanding Signing Requests

Step 1  Select System Administration > Configurations > Local Server Certificates > Outstanding Signing Request.
The Certificate Signing Request page appears, displaying the information described in Table 18-18.
Step 2  Click Export to export the selected signing request to a client machine, from which you submit it to your CA.

Table 18-18  Certificate Signing Request Page
  Name: Name of the certificate.
  Certificate Subject: Certificate subject entered during generation of this request. The field may contain alphanumeric characters, up to 1024 characters, and is automatically prefixed with "cn=".
  Key Length: Key length entered during generation of this request. Values may be 512, 1024, 2048, or 4096.
  Timestamp: Date the request was created.
  Friendly Name: Name that is associated with the certificate.
Configuring Logs

Log records are generated for:
  Accounting messages
  AAA audit and diagnostics messages
  System diagnostics messages
  Administrative and operational audit messages

The messages are arranged in a tree hierarchy within the logging categories (see Configuring Logging Categories, page 18-24). You can store log messages locally or remotely, based on the logging categories and maintenance parameters.

This section contains the following topics:
  Configuring Remote Log Targets, page 18-21
  Configuring the Local Log, page 18-23
  Configuring Logging Categories, page 18-24
  Configuring Global Logging Categories, page 18-24
  Configuring Per-Instance Logging Categories, page 18-29
  Displaying Logging Categories, page 18-32
  Configuring the Log Collector, page 18-33
  Viewing the Log Message Catalog, page 18-33

See Chapter 19, "Understanding Logging" for a description of the preconfigured global ACS logging categories and the messages that each contains.

Configuring Remote Log Targets

You can configure specific remote log targets (on a syslog server only) to receive the logging messages for a specific logging category. See Chapter 19, "Understanding Logging" for more information on remote log targets, and Configuring Logging Categories, page 18-24 for the preconfigured ACS logging categories. The transport is plain syslog, with no encryption and no authentication of the collector, so keep the path between ACS and the syslog server inside the management network.

To create a new remote log target:

Step 1  Select System Administration > Configuration > Log Configuration > Remote Log Targets.
The Remote Log Targets page appears.
Step 2  Do one of the following:
  Click Create.
  Check the check box next to the remote log target that you want to duplicate and click Duplicate.
  Click the name of the remote log target that you want to modify; or check the check box next to its name and click Edit.
One of these pages appears:
  Remote Log Targets > Create, if you are creating a new remote log target.
  Remote Log Targets > Duplicate: "log_target", where log_target is the name of the remote log target you selected in Step 2, if you are duplicating a remote log target.
  Remote Log Targets > Edit: "log_target", where log_target is the name of the remote log target you selected in Step 2, if you are modifying a remote log target.
Step 3  Complete the required fields as described in Table 18-19.
Step 4  Click Submit.
The remote log target configuration is saved. The Remote Log Targets page appears with the new remote log target configuration.

Related Topic
  Deleting a Remote Log Target, page 18-23

Table 18-19  Remote Log Targets Configuration Page
  General
    Name: Name of the remote log target. Maximum name length is 32 characters.
    Description: Description of the remote log target. Maximum description length is 1024 characters.
    Type: Type of remote log target. Syslog is the only option.
  Target Configuration
    IP Address: IP address of the remote log target, in the format x.x.x.x.
    Use Advanced Syslog Options: Click to enable the advanced syslog options: port number, facility code, and maximum length.
    Port: Port number of the remote log target used as the communication channel between ACS and the remote log target (default = 514). This option is only visible if you click Use Advanced Syslog Options.
    Facility Code: Facility code. Valid options are LOCAL0 (code 16), LOCAL1 (17), LOCAL2 (18), LOCAL3 (19), LOCAL4 (20), LOCAL5 (21), LOCAL6 (22; default), and LOCAL7 (23). This option is only visible if you click Use Advanced Syslog Options.
    Maximum Length: Maximum length of the remote log target messages. Valid options are from 200 to 1024. This option is only visible if you click Use Advanced Syslog Options.
Deleting a Remote Log Target

To delete a remote log target:

Step 1  Select System Administration > Configuration > Log Configuration > Remote Log Targets.
The Remote Log Targets page appears, with a list of configured remote log targets.
Step 2  Check one or more check boxes next to the remote log targets you want to delete.
Step 3  Click Delete.
The following confirmation message appears: Are you sure you want to delete the selected item/items?
Step 4  Click OK.
The Remote Log Targets page appears without the deleted remote log targets.

Related Topic
  Configuring Remote Log Targets, page 18-21

Configuring the Local Log

Use the Local Configuration page to configure the maximum number of days to retain your local log data.

Step 1  Select System Administration > Configuration > Log Configuration > Local Log Target.
The Local Configuration page appears.
Step 2  In the Maximum log retention period box, enter the number of days for which you want to store local log message files. Valid options are 1 to 365. (Default = 7.)
Note  If you reduce the number of days for which to store the local log message files, the log message files older than the number of days you specify are deleted automatically. You can click Delete Logs Now to delete the local logs, including all non-active log files, immediately. See Deleting Local Log Data, page 18-23 for more information. With the default of 7 days, a remote syslog target is the only durable copy of the logs, and the deletion itself is recorded only at the remote target (ACS_DELETE_LOG, Table 18-22), not in the local log.
Step 3  Click Submit to save your changes.
Your configuration is saved and the Local Configuration page is refreshed.

Deleting Local Log Data

Use the Local Configuration page to manually delete your local log data. You can use this option to free up space when the local store is full. See Local Store Target, page 19-5 for more information about the local store.
Step 1  Select System Administration > Configuration > Log Configuration > Local Log Target.
The Local Configuration page appears.
Step 2  Click Delete Logs Now to immediately delete all local log data files, except the log data in the currently active log data file.
The Local Configuration page is refreshed.

Configuring Logging Categories

This section contains the following topics:
  Configuring Global Logging Categories, page 18-24
  Configuring Per-Instance Logging Categories, page 18-29

All configuration performed for a parent logging category affects the children within the logging category. You can select a child of a parent logging category to configure it separately; this does not affect the parent logging category or the other children.

Configuring Global Logging Categories

To view and configure global logging categories:

Step 1  Select System Administration > Configuration > Log Configuration > Logging Categories > Global.
The Logging Categories page appears; from here, you can view the logging categories.
Step 2  Click the name of the logging category you want to configure; or, click the radio button next to its name and click Edit.
Step 3  Complete the fields as described in Table 18-20.
If you have completed your configuration, proceed to Step 6.
Step 4  To configure a remote syslog target, click Remote Syslog Target and proceed to Step 5.
Step 5  Complete the Remote Syslog Target fields as described in Table 18-21.
Step 6  Click Submit.
The Logging Categories page appears, with your configured logging category.

Table 18-20  Global: General Page
  Configure Log Category
    Log Severity: For diagnostic logging categories, use the drop-down list box to select the severity level. (For audit and accounting categories there is only one severity, NOTICE, which cannot be modified.) Valid options are:
      FATAL: Emergency. ACS is not usable and you must take action immediately.
      ERROR: Critical or error condition.
      WARN: Normal, but significant condition. (Default)
      INFO: Informational message.
      DEBUG: Diagnostic debug message.
  Configure Local Setting for Category
    Log to Local Target: Check to enable logging to the local target. For administrative and operational audit logging category types, logging to the local target is enabled by default and cannot be disabled.
    Local Target is Critical: Usable for accounting and for AAA audit (passed authentication) logging category types only. Check the check box to make the local target the critical target. For administrative and operational audit logging category types, the check box is checked by default and cannot be unchecked; the local target is the critical target. If the local target is the critical target and the logging operation fails, ACS rejects the authentication request and does not send an accounting response to the device. This is fail-closed behavior: a full or failing local store then stops authentication for the category, so pair the setting with the local retention period and disk monitoring rather than enabling it on its own.
  Configure Logged Attributes: Display only. All attributes are logged to the local target.

Table 18-21  Global: Remote Syslog Target Page
  Configure Syslog Targets
    Available targets: List of available targets. You can select a target from this list and move it to the Selected Targets list.
    Selected targets: List of selected targets. You can select a target from this list and move it to the Available Targets list to remove it from your configuration.

Administrative and operational audit messages include audit messages of the following types:
  Configuration changes
  Internal user change password
  Administrator access
  Operational audit

Some of the operational audit messages are not logged in the local log target. See Table 18-22 for a list of administrative and operational logs that are not logged in the local target, and Viewing ADE-OS Logs, page 18-28 for how to view these logs from the ACS CLI.
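The following is an added example, not code from the Cisco guide or from ACS itself. It models how a logging category configured as described above hands one message to its targets: diagnostic categories filter by Log Severity while audit and accounting categories are fixed at NOTICE, each selected remote syslog target gets an RFC 3164 PRI built from its Facility Code and is cut to its Maximum Length, and a failed write to a critical local target rejects the request. The LOCAL0 to LOCAL7 codes, the LOCAL6 and 514 defaults, the 200 to 1024 length range and the critical-target rule are from Tables 18-19 to 18-21; the numeric syslog severities, the category names and the message text are assumptions made for the example.

```python
"""Model of ACS 5.3 logging-category dispatch (added example, not Cisco code)."""

from dataclasses import dataclass, field
from typing import Callable, List

# Table 18-20 severity names.  The numeric syslog values (RFC 5424 section
# 6.2.1) are an assumption: the guide lists names only.  Lower = more severe.
SEVERITY = {"FATAL": 0, "ERROR": 3, "WARN": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7}

# Table 18-19: LOCAL0..LOCAL7 are facility codes 16..23; LOCAL6 is the default.
FACILITY = {f"LOCAL{i}": 16 + i for i in range(8)}
DEFAULT_FACILITY, DEFAULT_PORT = "LOCAL6", 514


@dataclass
class RemoteTarget:
    """One Remote Log Target (syslog is the only type), with Table 18-19 limits."""
    name: str
    ip: str
    port: int = DEFAULT_PORT
    facility: str = DEFAULT_FACILITY
    max_length: int = 1024

    def __post_init__(self) -> None:
        if not 1 <= len(self.name) <= 32:
            raise ValueError("name must be 1-32 characters")
        octets = self.ip.split(".")
        if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
            raise ValueError("IP address must be in the format x.x.x.x")
        if self.facility not in FACILITY:
            raise ValueError("facility must be LOCAL0..LOCAL7")
        if not 200 <= self.max_length <= 1024:
            raise ValueError("maximum length must be 200-1024")


def syslog_pri(facility_code: int, severity: int) -> int:
    """RFC 3164 PRI value: facility * 8 + severity (LOCAL6/NOTICE -> 181)."""
    return facility_code * 8 + severity


def format_syslog(target: RemoteTarget, severity_name: str, text: str) -> str:
    """Build the line sent to one target, truncated to its Maximum Length."""
    pri = syslog_pri(FACILITY[target.facility], SEVERITY[severity_name])
    return f"<{pri}>{text}"[: target.max_length]


@dataclass
class Category:
    """A logging category; kind is 'diagnostic', 'accounting', 'aaa_audit'
    or 'admin_audit' (administrative and operational audit)."""
    name: str
    kind: str
    severity: str = "WARN"                 # Table 18-20 default
    log_to_local: bool = True
    local_is_critical: bool = False
    remote_targets: List[RemoteTarget] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.kind != "diagnostic":
            self.severity = "NOTICE"       # audit/accounting: single fixed severity
        if self.kind == "admin_audit":     # local logging forced on and critical
            self.log_to_local = True
            self.local_is_critical = True
        elif self.local_is_critical and self.kind not in ("accounting", "aaa_audit"):
            raise ValueError("Local Target is Critical is only for accounting/AAA audit")

    def accepts(self, severity_name: str) -> bool:
        """Diagnostic categories keep messages at or above the configured level."""
        if self.kind != "diagnostic":
            return severity_name == "NOTICE"
        return SEVERITY[severity_name] <= SEVERITY[self.severity]


@dataclass
class Outcome:
    request_accepted: bool   # False: AAA request rejected, no accounting response
    local_written: bool
    remote_lines: List[str]


def dispatch(cat: Category, severity_name: str, text: str,
             local_write: Callable[[str], bool]) -> Outcome:
    """Deliver one message; local_write returns False when the local store fails."""
    if not cat.accepts(severity_name):
        return Outcome(True, False, [])
    local_ok = local_write(text) if cat.log_to_local else False
    # Fail-closed rule: a failed write to a critical local target rejects the request.
    accepted = not (cat.log_to_local and cat.local_is_critical and not local_ok)
    remote = [format_syslog(t, severity_name, text) for t in cat.remote_targets]
    return Outcome(accepted, local_ok, remote)


if __name__ == "__main__":
    collector = RemoteTarget("soc-syslog", "192.0.2.10", max_length=200)  # constructed
    passed = Category("Passed Authentications", "aaa_audit",
                      local_is_critical=True, remote_targets=[collector])
    out = dispatch(passed, "NOTICE", "Passed-Authentication user=alice",
                   local_write=lambda _: False)   # simulate a full local store
    print("request accepted:", out.request_accepted, out.remote_lines)
```

Running the module shows the fail-closed case: with Local Target is Critical set and the local write failing, the request is rejected even though the syslog line was still produced for the remote target.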
Table 18-22 lists administrative and operational logs, under various categories, that are not logged to the local target. Because they include database restores, database resets and log deletion, the remote syslog target (or the ADE-OS logs) is the only place these events can be reviewed; configure a remote log target before relying on ACS logging for audit.

Table 18-22  Administrative and Operational Logs Not Logged in the Local Target
  Process-Management
    ACS_START_PROCESS: ACS process started
    ACS_STOP_PROCESS: ACS process stopped
    ACS_START: All ACS processes started
    ACS_STOP: All ACS processes stopped
    WD_RESTART_PROCESS: ACS process restarted by watchdog
    WD_CONFIG_CHANGE: Watchdog configuration reloaded
    ACS_START_STOP_ERROR: ACS process reported start/stop error
  DB-Management
    CARS_BACKUP: CARS backup complete
    CARS_RESTORE: CARS restore complete
    ACS_BACKUP: ACS DB backup complete
    ACS_RESTORE: ACS DB restore complete
    ACS_SUPPORT: ACS support bundle collected
    ACS_RESET: ACS DB reset
  File-Management
    ACS_DELETE_CORE: ACS core files deleted
    ACS_DELETE_LOG: ACS log files deleted
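The following is an added example, not code from the Cisco guide: a collector-side check for the Table 18-22 events, which ACS does not write to its local log, so the remote syslog target is where they have to be alerted on. Only the message codes come from the table. The syslog line layout, the host name acs01, the admin= fields and the choice of which codes to treat as high priority are constructed for this example and are not a documented ACS format.

```python
"""Flag Table 18-22 administrative/operational events arriving over syslog
(added example, not Cisco code; line layout is constructed)."""

import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Table 18-22 codes, grouped as the guide groups them.
NOT_LOGGED_LOCALLY: Dict[str, Set[str]] = {
    "Process-Management": {
        "ACS_START_PROCESS", "ACS_STOP_PROCESS", "ACS_START", "ACS_STOP",
        "WD_RESTART_PROCESS", "WD_CONFIG_CHANGE", "ACS_START_STOP_ERROR",
    },
    "DB-Management": {
        "CARS_BACKUP", "CARS_RESTORE", "ACS_BACKUP", "ACS_RESTORE",
        "ACS_SUPPORT", "ACS_RESET",
    },
    "File-Management": {"ACS_DELETE_CORE", "ACS_DELETE_LOG"},
}

# Events that replace or destroy state an investigator relies on.  Which codes
# to page on is this example's choice, not the guide's.
HIGH_PRIORITY: Set[str] = {"ACS_RESTORE", "ACS_RESET", "ACS_DELETE_LOG", "ACS_DELETE_CORE"}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
CODE_RE = re.compile(r"\b[A-Z]+(?:_[A-Z]+)+\b")   # tokens shaped like ACS_DELETE_LOG


def decode_pri(pri: int) -> Tuple[int, int]:
    """Split an RFC 3164 PRI into (facility, severity); 181 -> (22, 5), LOCAL6/NOTICE."""
    return divmod(pri, 8)


def classify(line: str) -> Optional[dict]:
    """Return a finding for a line carrying a Table 18-22 code, else None."""
    m = PRI_RE.match(line)
    if not m:
        return None                      # no PRI: not a syslog line we expect
    facility, severity = decode_pri(int(m.group(1)))
    for code in CODE_RE.findall(m.group(2)):
        for category, codes in NOT_LOGGED_LOCALLY.items():
            if code in codes:
                return {
                    "code": code,
                    "category": category,
                    "facility": facility,
                    "severity": severity,
                    "priority": "high" if code in HIGH_PRIORITY else "info",
                    "line": line,
                }
    return None


def scan(lines: Iterable[str]) -> List[dict]:
    """Run classify() over a stream of syslog lines and keep the findings."""
    return [hit for hit in map(classify, lines) if hit is not None]


# Constructed sample input: four lines as a collector might receive them from
# an ACS remote log target using the default LOCAL6 facility (PRI 181 = NOTICE,
# PRI 180 = WARN).  Not a documented ACS message format.
SAMPLE_LINES = [
    "<181>Jul  9 10:22:01 acs01 ACS_BACKUP ACS DB backup complete admin=backupsvc",
    "<181>Jul  9 10:22:05 acs01 5200 NOTICE Passed-Authentication user=alice",
    "<181>Jul  9 10:23:40 acs01 ACS_DELETE_LOG ACS log files deleted admin=contractor7",
    "<180>Jul  9 10:24:02 acs01 WD_RESTART_PROCESS ACS process restarted by watchdog",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(f'{hit["priority"]:4} {hit["category"]:18} {hit["code"]}')
```

The regular expression matches any upper-case underscore-joined token, so the lookup against NOT_LOGGED_LOCALLY is what decides whether a line is reported; add codes from your own message catalog to the sets rather than widening the pattern.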