User Guide for Cisco Secure Access Control System 5.3, OL-24201-01
Chapter 18  Managing System Administration Configurations

Installing a License File

Related Topic
Upgrading the Base Server License, page 18-37

Upgrading the Base Server License

You can upgrade the base server license.

Step 1  Select System Administration > Configuration > Licensing > Base Server License.
        The Base Server License page appears with a description of the ACS deployment configuration and a list of the available deployment licenses. See Types of Licenses for a list of deployment licenses.
Step 2  Select a license, then click Upgrade.
        The Base Server License Edit page appears.
Step 3  Complete the fields as described in Table 18-31.
Step 4  Click Submit.

Related Topics
Licensing Overview, page 18-34
Types of Licenses, page 18-34
Installing a License File, page 18-35
Adding Deployment License Files, page 18-39
Deleting Deployment License Files, page 18-40

Table 18-31  Base Server License Edit Page

ACS Instance License Configuration
  Version
    Displays the current version of the ACS software.
  ACS Instance
    Displays the name of the ACS instance, either primary or secondary.
  License Type
    Specifies the license type.
  Use this link to obtain a valid License File
    Directs you to Cisco.com to purchase a valid license file from a Cisco representative.
License Location
  License File
    Click Browse to navigate to the directory that contains the license file and select it.
Viewing License Feature Options

You can add, upgrade, or delete existing deployment licenses. The configuration pane at the top of the page shows the deployment information.

Select System Administration > Configuration > Licensing > Feature Options. The Feature Options page appears as described in Table 18-32.

Table 18-32  Feature Options Page

ACS Deployment Configuration
  Primary ACS Instance
    Name of the primary instance created when you log in to the ACS 5.3 web interface.
  Number of Instances
    Current number of ACS instances (primary or secondary) in the ACS database.
  Current Number of Configured IP Addresses in Network Devices
    Total number of IP addresses in all the subnetworks that you have configured as part of network device configuration. The number of devices is determined by the number of unique IP addresses that you configure, including the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses, so the number of devices is 256.
  Maximum Number of IP Addresses in Network Devices
    Maximum number of IP addresses that your license supports:
    Base License—Supports 500 IP addresses. The number of devices is determined by the number of unique IP addresses that you configure, including the subnet masks that you configure (a 255.255.255.0 mask implies 256 addresses).
    Large Deployment—Supports an unlimited number of IP addresses.
  Use this link to obtain a valid License File
    Directs you to Cisco.com to purchase a valid license file from a Cisco representative.
Installed Deployment License Options
  Feature
    Large Deployment—Supports an unlimited number of managed devices.
    Security Group Access Control—Enables Cisco Security Group Access (SGA) management functionality. This requires an existing ACS base license.
  Licensed to
    Name of the company that this product is licensed to.
  License Type
    Specifies the license type (permanent or evaluation).
  Expiration
    Expiration date for the following features: Large Deployment, SGA.
  Add/Upgrade
    Click Add/Upgrade to add a license file (see Adding Deployment License Files, page 18-39).
  Delete
    Select the radio button next to the license feature you want to delete and click Delete.
Adding Deployment License Files

To add a new deployment license file:

Step 1  Select System Administration > Configuration > Licensing > Feature Options.
        The Feature Options page appears with a description of the ACS deployment configuration and a list of the available deployment licenses and their configurations. See Add-on Licenses in Types of Licenses for a list of deployment licenses. See Viewing License Feature Options, page 18-38 for field descriptions.
Step 2  Click Add.
        The Feature Options Create page appears.
Step 3  Complete the fields as described in Table 18-33 to add a license.
Step 4  Click Submit. The license file is uploaded and the Feature Options page appears with the additional license.

Table 18-33  Feature Options Create Page

ACS Deployment Configuration
  Primary ACS Instance
    Name of the primary instance created when you log in to the ACS 5.3 web interface.
  Number of Instances
    Current number of ACS instances (primary or secondary) in the ACS database.
  Current Number of Configured IP Addresses in Network Devices
    Total number of IP addresses in all the subnetworks that you have configured as part of network device configuration. The number of devices is determined by the number of unique IP addresses that you configure, including the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses, so the number of devices is 256.
  Maximum Number of IP Addresses in Network Devices
    Maximum number of IP addresses that your license supports:
    Base License—Supports 500 IP addresses. The number of devices is determined by the number of unique IP addresses that you configure, including the subnet masks that you configure (a 255.255.255.0 mask implies 256 addresses).
    Large Deployment—Supports an unlimited number of IP addresses.
  Use this link to obtain a valid License File
    Directs you to Cisco.com to purchase a valid license file from a Cisco representative.
License Location
  License File
    Click Browse to browse to the location of the purchased license file you want to install and select it.
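Because the Base License counts unique IP addresses across every subnet mask you configure (Tables 18-32 and 18-33), a subnet nested inside a larger one adds nothing, while a single /24 already consumes 256 of the 500 addresses. The following is an added example, not ACS code and not part of this guide, that reproduces that count from a constructed set of network device definitions so you can check a deployment against the 500-address limit before the web interface refuses new devices. The device names, addresses and the "IP/dotted-mask" entry format are assumptions for the example.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Limit stated on this page for the Base License; Large Deployment is unlimited.
BASE_LICENSE_MAX_IPS = 500

# Constructed sample of network device definitions: (device name, [IP/mask, ...]).
# Masks are written as dotted netmasks, the way ACS presents them. A
# 255.255.255.255 mask is a single device; 255.255.255.0 is a whole /24 and
# counts as 256 addresses, as the table above states.
SAMPLE_DEVICES: List[Tuple[str, List[str]]] = [
    ("core-sw1",       ["10.0.1.10/255.255.255.255"]),
    ("branch-routers", ["10.0.2.0/255.255.255.0"]),
    ("lab-switches",   ["10.0.2.128/255.255.255.128"]),  # lies inside branch-routers
    ("dc-firewalls",   ["192.168.10.0/255.255.255.0"]),
]


def _networks(devices: Iterable[Tuple[str, List[str]]]) -> List[ipaddress.IPv4Network]:
    """Parse every configured entry into an IPv4Network (host bits are allowed)."""
    return [
        ipaddress.ip_network(entry, strict=False)
        for _name, entries in devices
        for entry in entries
    ]


def naive_ip_count(devices: Iterable[Tuple[str, List[str]]]) -> int:
    """Sum of every subnet's size; overlapping ranges are counted twice.
    This is the wrong number to compare against the license limit."""
    return sum(net.num_addresses for net in _networks(devices))


def unique_ip_count(devices: Iterable[Tuple[str, List[str]]]) -> int:
    """Number of distinct IPv4 addresses covered by all configured subnets.

    ACS counts unique IP addresses, so a subnet nested inside another one must
    not be counted again. collapse_addresses() merges overlapping and adjacent
    networks before the sizes are summed.
    """
    return sum(net.num_addresses for net in ipaddress.collapse_addresses(_networks(devices)))


def license_report(devices: Iterable[Tuple[str, List[str]]],
                   max_ips: int = BASE_LICENSE_MAX_IPS) -> dict:
    """Compare the unique address count against the licensed maximum."""
    devices = list(devices)  # iterated more than once below
    unique = unique_ip_count(devices)
    return {
        "naive": naive_ip_count(devices),
        "unique": unique,
        "max": max_ips,
        "within_license": unique <= max_ips,
    }


if __name__ == "__main__":
    # For the sample: naive sum is 641, unique count is 513, over the 500 limit.
    print(license_report(SAMPLE_DEVICES))
```

The sample deliberately nests a /25 inside a /24: the naive sum says 641 addresses, the unique count ACS actually uses says 513, and both exceed the Base License, so the fix is to narrow the /24 definitions rather than to remove the overlapping entry.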
Related Topics
Licensing Overview, page 18-34
Types of Licenses, page 18-34
Installing a License File, page 18-35
Viewing the Base License, page 18-36
Deleting Deployment License Files, page 18-40

Deleting Deployment License Files

To delete deployment license files:

Step 1  Select System Administration > Configuration > Licensing > Feature Options.
        The Feature Options page appears with a description of the ACS deployment configuration and a list of the available deployment licenses and their configurations. See Add-on Licenses in Types of Licenses for a list of deployment licenses. See Table 18-32 for field descriptions.
Step 2  Select the radio button next to the deployment license you want to delete.
Step 3  Click Delete to delete the license file.

Related Topics
Licensing Overview, page 18-34
Types of Licenses, page 18-34
Installing a License File, page 18-35
Viewing the Base License, page 18-36
Adding Deployment License Files, page 18-39

Available Downloads

This section describes the utilities and files that are available for download from the ACS web interface:
Downloading Migration Utility Files, page 18-41
Downloading UCP Web Service Files, page 18-41
Downloading Sample Python Scripts, page 18-41
Downloading Rest Services, page 18-42
Downloading Migration Utility Files

To download the migration application files and the migration guide for ACS 5.3:

Step 1  Choose System Administration > Downloads > Migration Utility.
        The Migration from 4.x page appears.
Step 2  Click Migration application files to download the application file you want to use to run the migration utility.
Step 3  Click Migration Guide to download the Migration Guide for the Cisco Secure Access Control System 5.3.

Downloading UCP Web Service Files

You can download the WSDL file from this page to integrate ACS with your in-house portals and allow ACS users configured in the ACS internal identity store to change their own passwords. The UCP web service allows users to change only their own passwords, and they can do so on the primary or a secondary ACS server. The UCP web service compares the new password with the password policy configured in ACS for users; if the new password conforms to the defined criteria, it takes effect. After a password is changed on the primary ACS server, ACS replicates it to all the secondary ACS servers.

To download the UCP WSDL files:

Step 1  Choose System Administration > Downloads > User Change Password.
        The User Change Password (UCP) web service page appears.
Step 2  Click one of the following:
        UCP WSDL to download the WSDL file.
        UCP Web application example to download the application file.
        Python Script for Using the User Change Password Web Service to download a sample Python script.

For more information on how to use the UCP web service, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/sdk/ucp.html.

Downloading Sample Python Scripts

The Scripts page contains sample Python scripts for:
Using the UCP web service.
Automating the bulk import and export operations.
To download these sample scripts:

Step 1  Choose System Administration > Downloads > Sample Python Scripts.
        The Sample Python Scripts page appears.
Step 2  Click one of the following:
        Python Script for Using the User Change Password Web Service—To download the sample script for the UCP web service.
        Python Script for Performing CRUD Operations on ACS Objects—To download the sample script for the import and export process.
Step 3  Save the script to your local hard drive.

The scripts come with installation instructions. For more information on how to use the scripts, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/sdk/acs_sdk.html.

Note  The Cisco Technical Assistance Center (TAC) supports only the default Python scripts. TAC does not offer support for modified scripts.

Downloading Rest Services

The ACS Rest Service allows you to create, update, delete, and retrieve objects in the ACS database.

Note  You must enable the Rest Service from the command line before the WADL files can be read.

To download the ACS Rest Service WADL files:

Step 1  Choose System Administration > Downloads > Rest Service.
        The Rest Service page appears.
Step 2  Click one of the following:
        Common or Identity—To download the XSD files that describe the structure of the objects supported on ACS 5.3 Rest interfaces.
        Schema files—To download the schema files.
        SDK Samples—To download the SDK samples.

For more information on how to use the Rest Services, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/sdk/rest.html.
Chapter 19  Understanding Logging

This chapter describes logging functionality in ACS 5.3. Administrators and users use the various management interfaces of ACS to perform different tasks. Using the administrative access control feature, you can assign permissions to administrators and users to perform different tasks. You also need a way to track the actions that administrators and users perform, and ACS offers several logs that you can use to track these actions and events.

This chapter contains the following sections:
About Logging, page 19-1
ACS 4.x Versus ACS 5.3 Logging, page 19-12

About Logging

You can gather the following logs in ACS:
Customer logs—For auditing and troubleshooting your ACS, including logs that record daily operations, such as accounting, auditing, and system-level diagnostics.
Debug logs—Low-level text messages that you can export to Cisco technical support for evaluation and troubleshooting. You enable ACS debug logs and configure their severity levels from the command line interface. See the Command Line Interface Reference Guide for Cisco Secure Access Control System 5.3 for more information.
Platform logs—Log files generated by the ACS appliance operating system.

Debug and platform logs are stored locally on each ACS server. Customer logs can be viewed centrally for all servers in a deployment.

You can use the following ACS interfaces for logging:
Web interface—This is the primary logging interface. You can configure which messages to log and where to log them.
Command line interface (CLI)—Allows you to display and download logs, debug logs, and debug backup logs to the local target. The CLI also allows you to display and download platform logs. See the Command Line Interface Reference Guide for Cisco Secure Access Control System 5.3 for more information.
Using Log Targets

You can send customer log information to multiple consumers, or log targets, and specify whether the log messages are stored locally in text format or forwarded to syslog servers.

By default, a single predefined local log target called Local Store stores data in text format on an ACS server and contains log messages from the local ACS server only. You can view records stored in the Local Store from the CLI.

In addition, you can forward logs to a syslog server. ACS uses syslog transport to forward logs to the Monitoring and Reports component, and you can define additional syslog servers to receive ACS log messages. For each additional syslog server, you must define a remote log target.

In a distributed deployment, designate one of the secondary ACS servers as the Monitoring and Reports server and configure it to receive the logs from all servers in the deployment. By default, a log target called LogCollector identifies the Monitoring and Reports server; the Log Collector option in the web interface designates which server collects the log information.

This section contains the following topics:
Logging Categories, page 19-2
Log Message Severity Levels, page 19-4
Local Store Target, page 19-5
Viewing Log Messages, page 19-10
Debug Logs, page 19-11

Logging Categories

Each log message carries a message code, and message codes are bundled into logging categories according to message content. A logging category is a bundle of message codes that describe a function of ACS, a flow, or a use case; the category name describes the content of the messages it contains.
The categories are arranged in a hierarchical structure and used for logging configuration. Each category has:
Name—A descriptive name
Type—Audit, Accounting, or Diagnostics
Attribute list—A list of attributes that may be logged with messages associated with the category, if applicable

ACS provides these preconfigured global logging categories, to which you can assign log targets (see Local Store Target, page 19-5):

Administrative and Operational Audit, which can include:
–ACS configuration changes—Logs all configuration changes made to ACS. When an item is added or edited, the configuration change event also includes the attributes that were changed and their new values. If an edit request results in no attributes having new values, no configuration audit record is created.

Note  For complex configuration items or attributes, such as policy or DACL contents, the new attribute value is reported as New/Updated; the audit record does not contain the actual attribute value or values.

–ACS administrator access—Logs all events from the time an administrator accesses the system until the administrator logs out, including whether the administrator exited ACS with an explicit request or the session timed out. This log also includes login attempts that fail because of account inactivity. Login failures are logged along with the failure reason.
–ACS operational changes—Logs all operations requested by administrators, including promoting an ACS in your deployment to primary, requesting a full replication, performing software downloads, doing a backup or restore, generating and restoring PACs, and so on.
–Internal user password change—Logs all changes made to internal user passwords across all management interfaces.
Administrative and operational audit messages must be logged to the local store. You can optionally log them to remote log targets as well (see Local Store Target, page 19-5).

AAA Audit, which can include RADIUS and TACACS+ successful or failed authentications, command-access passed or failed authentications, password changes, and RADIUS request responses.

AAA Diagnostics, which can include authentication, authorization, and accounting information for RADIUS and TACACS+ diagnostic requests and RADIUS attribute requests, and identity store and authentication flow information. Logging these messages is optional.

System Diagnostics, which can include system startup and shutdown and logging-related diagnostic messages:
–Administration diagnostic messages related to the CLI and web interface
–External server-related messages
–Local database messages
–Local services messages
–Certificate-related messages
Logging these messages is optional.

System Statistics, which contains information on system performance and resource utilization, such as CPU and memory usage, process health, and latency for handling requests.

Accounting, which can contain TACACS+ network access session start, stop, and update messages, as well as messages related to command accounting. You can also log these messages to the local store. Logging these messages is optional.

Log messages can belong to the logging categories described in this topic or to their logging subcategories. You can configure each logging subcategory separately; its configuration does not affect the parent category. In the ACS web interface, choose System Administration > Configuration > Logging Categories > Global to view the hierarchical structure of the logging categories and subcategories. Choose Monitoring and Reports > Catalog to run reports based on your configured logging categories.
Each log message contains the following information:
Event code—A unique message code.
Logging category—Identifies the category to which the log message belongs.
Severity level—Identifies the level of severity for diagnostics. See Log Message Severity Levels, page 19-4 for more information.
Message class—Identifies groups of messages of similar context, for example, RADIUS, policy, or EAP-related context.
Message text—Brief English-language explanatory text.
Description—English-language text that describes log message reasons, troubleshooting information (if applicable), and external links for more information.
Failure reason (optional)—Indicates whether the log message is associated with a failure reason.

Passwords are not logged, whether encrypted or not.

Global and Per-Instance Logging Categories

By default, a single log category configuration applies to all servers in a deployment. For each log category it defines the threshold severity of messages to be logged, whether messages are logged to the local target, and the remote syslog targets to which messages are sent. The log categories are organized hierarchically, so any configuration change you make to a parent category is applied to all of its child categories.

An administrator can, however, apply a different configuration to an individual server in a deployment; for example, you can apply more intensive diagnostic logging on one server. The per-instance logging category configuration lists all servers in the deployment and indicates whether each uses the global logging configuration or its own custom configuration. To define a custom configuration for a server, first select the Override option, then configure the specific log category definitions for that server.

You can use the Log Message Catalog to display all possible log messages that can be generated, each with its corresponding category and severity. This information is useful when you configure the logging category definitions.

Log Message Severity Levels

You can configure logs of a given severity level and higher to be logged for a specific logging category, and use this as a configuration element to limit or expand the number of messages that you save, view, and export. For example, if you configure logs of severity level WARNING for a logging category, messages of severity WARNING and of higher priority (ERROR and FATAL) in that category are sent to all configured locations. Table 19-1 describes the severity levels and their associated priority levels.
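The three rules above interact: a subcategory without its own definition inherits its parent's, a server with Override selected uses its own set of definitions instead of the global one, and the threshold passes a message only at the configured severity or a higher priority, while administrative and operational audit messages reach the local store regardless. The following is an added example, not ACS code and not part of this guide, that models that resolution so you can predict which log targets a given message reaches on a given server. The ordered severity list (INFO and DEBUG below WARNING), the two subcategory names, the instance names and the "soc-syslog" target are assumptions for the example; the top-level category names and the Local Store and LogCollector targets are the page's.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Severity levels, highest priority first. The page names WARNING, ERROR and
# FATAL; INFO and DEBUG as the levels below WARNING are an assumption here.
SEVERITY_ORDER = ["FATAL", "ERROR", "WARNING", "INFO", "DEBUG"]


def meets_threshold(severity: str, threshold: str) -> bool:
    """True when `severity` is the configured threshold or a higher-priority level."""
    return SEVERITY_ORDER.index(severity) <= SEVERITY_ORDER.index(threshold)


@dataclass
class CategoryConfig:
    threshold: str                                            # lowest severity still logged
    local_store: bool                                         # write to the Local Store target
    remote_targets: List[str] = field(default_factory=list)  # remote syslog log targets


# Category tree as child -> parent; top-level categories map to None.
# Top-level names are the page's; the two subcategories are assumed.
PARENT: Dict[str, Optional[str]] = {
    "Administrative and Operational Audit": None,
    "AAA Audit": None,
    "AAA Diagnostics": None,
    "System Diagnostics": None,
    "RADIUS Diagnostics": "AAA Diagnostics",
    "Identity Store Diagnostics": "AAA Diagnostics",
}

# Per the page, administrative and operational audit messages must always be
# written to the local store, whatever the category definition says.
MANDATORY_LOCAL = {"Administrative and Operational Audit"}

# Global configuration: one definition per top-level category. Subcategories
# without an entry inherit their parent's. LogCollector is the predefined
# target for the Monitoring and Reports server.
GLOBAL_CONFIG: Dict[str, CategoryConfig] = {
    "Administrative and Operational Audit": CategoryConfig("INFO", True, ["LogCollector"]),
    "AAA Audit": CategoryConfig("INFO", True, ["LogCollector"]),
    "AAA Diagnostics": CategoryConfig("WARNING", False, ["LogCollector"]),
    "System Diagnostics": CategoryConfig("WARNING", True, []),
}

# Per-instance override: a server listed here uses its own full set of
# definitions instead of the global one. One secondary gets heavier RADIUS
# diagnostics plus an extra syslog target ("soc-syslog" is an assumed name).
PER_INSTANCE_CONFIG: Dict[str, Dict[str, CategoryConfig]] = {
    "acs-secondary-2": {
        **GLOBAL_CONFIG,
        "RADIUS Diagnostics": CategoryConfig("DEBUG", True, ["LogCollector", "soc-syslog"]),
    },
}


def effective_config(instance: str, category: str) -> CategoryConfig:
    """Definition that applies to `category` on `instance`: the instance's
    override set if it has one, else the global set, walking up the tree
    until a category with an explicit definition is found."""
    config_set = PER_INSTANCE_CONFIG.get(instance, GLOBAL_CONFIG)
    cat: Optional[str] = category
    while cat is not None:
        if cat in config_set:
            return config_set[cat]
        cat = PARENT[cat]
    raise KeyError(f"no logging definition for category {category!r}")


def top_level(category: str) -> str:
    """Root category of a (sub)category."""
    while PARENT[category] is not None:
        category = PARENT[category]
    return category


def targets_for(instance: str, category: str, severity: str) -> List[str]:
    """Log targets a message of `severity` in `category` reaches on `instance`.
    An empty list means the threshold drops the message."""
    cfg = effective_config(instance, category)
    targets: List[str] = []
    if top_level(category) in MANDATORY_LOCAL:
        targets.append("Local Store")          # mandatory, independent of the definition
    if not meets_threshold(severity, cfg.threshold):
        return targets
    if cfg.local_store and "Local Store" not in targets:
        targets.append("Local Store")
    targets.extend(cfg.remote_targets)
    return targets


if __name__ == "__main__":
    for instance, cat, sev in [
        ("acs-primary", "RADIUS Diagnostics", "INFO"),      # inherits WARNING: dropped
        ("acs-secondary-2", "RADIUS Diagnostics", "INFO"),  # override DEBUG: three targets
        ("acs-primary", "Administrative and Operational Audit", "DEBUG"),  # local store only
    ]:
        print(f"{instance:16} {cat:40} {sev:8} -> {targets_for(instance, cat, sev)}")
```

The instructive case is the first pair: the same INFO-level RADIUS diagnostic message is dropped on the primary, where the subcategory inherits the global WARNING threshold, but reaches Local Store, LogCollector and the extra syslog target on the overridden secondary. When you raise diagnostic logging on one server for troubleshooting, this is also the server whose Local Store fills fastest.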