Cisco Systems CSACS3415K9 manual

A good user manual

The law requires the seller to provide the buyer, together with the product, the Cisco Systems CSACS3415K9 user manual. The absence of the manual, or providing incorrect information to the consumer, constitutes grounds for a claim that the product does not conform to the contract. According to the law, a manual may be supplied in a form other than paper, which has lately become quite common, and manufacturers provide us with a graphical manual, its electronic version for Cisco Systems CSACS3415K9, or instructional videos for users. The condition is that it be in a legible and understandable form.

What is a user manual?

The name comes from the Latin word "instructio", that is, to arrange. Therefore, in a Cisco Systems CSACS3415K9 manual one can find a description of the steps to take. The purpose of a manual is to teach, to make it easier to switch on or use a device, or to carry out specific actions. A user manual is also a source of information about an object or a service; it is a guide.

Unfortunately, few users take the time to read Cisco Systems CSACS3415K9 manuals; however, a good manual lets us not only learn about a number of additional features of the purchased device, but also avoid most faults.

So what should the perfect user manual contain?

Above all, a Cisco Systems CSACS3415K9 user manual should contain:
- information about the technical specifications of the Cisco Systems CSACS3415K9 device
- the manufacturer's name and the year of manufacture of the Cisco Systems CSACS3415K9 device
- conditions of use, configuration and maintenance of the Cisco Systems CSACS3415K9 device
- safety markings and certificates confirming compliance with specific standards

Why don't we read user manuals?

Usually it is due to a lack of time and of confidence about the specific features of the purchased devices. Unfortunately, connecting and switching on the Cisco Systems CSACS3415K9 is not enough. The user manual always contains a series of instructions about specific features, safety rules, maintenance advice (including which products to use), possible faults of the Cisco Systems CSACS3415K9 and ways to solve problems that may occur during its use. Finally, a manual contains the Cisco Systems technical support details in case the proposed solutions have not worked. Nowadays, user manuals in the form of engaging animations or video manuals are popular, reaching the user much better than a leaflet. This type of manual helps the user watch the whole video without skipping the specifications and the complicated technical descriptions of the Cisco Systems CSACS3415K9, as one usually does with a paper version.

Why is it worth reading user manuals?

Above all, it is in them that we find the answers about the construction and capabilities of the Cisco Systems CSACS3415K9 device, the use of specific accessories and a series of details that let us take full advantage of its features and conveniences.

After a successful purchase of equipment or a device, it is worth taking a moment to become familiar with every part of the Cisco Systems CSACS3415K9 manual. Nowadays they are prepared and translated with care, so that they are not only understandable to users but also fulfil their basic function of informing and helping.

Index of user manuals

  • Página 1

    Americas Hea dquarters Cisc o Syst ems , Inc . 170 West Ta sman Driv e San Jos e, CA 95 134-1706 USA http://www.ci sco.com Tel: 408 526-4000 800 553- NETS (638 7) Fax: 408 527-0883 User Guide f or Cisco S ecure Access Contr ol S ystem 5.4 No vember 20 1 3 Text Pa rt Numbe r: OL -26225-0 1[...]

  • Página 2

    THE SPECIFICATIONS AND INFORMATION REGARDING TH E PRODUCTS IN THIS MANUAL ARE SUBJE CT TO CHANGE WITHOUT NO TICE. ALL STATEMENT S, INFORMATI O N, AND RECOMME NDATIONS IN T HIS MANUAL ARE BELI EVED TO BE A CCURATE BUT ARE P RESENTED W ITHOUT WARRANTY OF ANY KIND, EXPRE SS OR IMPLIED. USERS MUST TA KE FULL RESPONSIBILITY FOR THEIR AP PLICATION OF ANY[...]

  • Página 3

    iii User Guide f or Cisco Se cure Access C ontrol System 5.4 OL-26225-01 CONTENTS Preface xx iii Audienc e xxiii Document Conventions xxiii Document ation Update s xxiv Relat ed D ocum ent atio n xxiv Obtain ing Documentat ion and Sub m itti ng a Serv ice Reque st xxv CHAPTER 1 Introdu cing ACS 5.4 1-1 Overvi ew of ACS 1-1 ACS Di stri bute d De plo[...]

  • Página 4

    Cont ents iv User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Polic y Terminol ogy 3-3 Simp le P olici es 3-4 Rule- Based Po licies 3-4 Types of Poli cies 3-5 Acce ss Se rvic es 3-6 Ident ity P olicy 3-9 Group Map pin g Poli cy 3-11 Authori zation Poli cy for Devi ce Administrat i on 3-11 Proce ssing Rules with Multip le Co mman[...]

  • Página 5

    Content s v User Guide f or Cisco Se cure Access C ontrol System 5.4 OL-26225-01 Agentl ess Netwo rk Access 4-12 Overvi ew of Agentl ess Network Access 4-12 Host L ookup 4-1 3 Authe nti cati on wi th C all Ch eck 4-14 Proces s Service-Type Ca ll Check 4-15 PAP/E AP-MD5 Authen tication 4-15 Agentl ess Ne twork Ac cess Flow 4-16 Adding a Hos t to an [...]

  • Página 6

    Cont ents vi User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 My A ccoun t Pa ge 5-2 Login Ba nner 5-3 Usin g the Web In terface 5-3 Acce ssin g the We b Interf ace 5-4 Logg ing In 5-4 Loggin g Out 5-5 Underst anding the Web Int erface 5-5 Web In terf ace Des ign 5-6 Navigat ion Pane 5-7 Content Area 5-8 Impo rting and Export in[...]

  • Página 7

    Content s vii User Guide f or Cisco Se cure Access C ontrol System 5.4 OL-26225-01 Viewing and Perfor ming Bulk Operati ons fo r Network Dev ices 7-6 Export ing Network Device s and AAA Clients 7-7 Perfor ming Bulk Operati ons fo r Network Res ources and Users 7-8 Export ing Network Res ources and Users 7-10 Creati ng, Duplicati ng, and Edi ting Ne[...]

  • Página 8

    Cont ents viii User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Viewing and Perf orming Bul k Opera tions fo r Intern al Identity St ore Hosts 8-18 Mana geme nt H ier arch y 8-19 Attri butes o f Management Hi erarchy 8-19 Config uring AAA Devices fo r Management Hierar chy 8-19 Config uring Users or Host s for Management Hie r a[...]

  • Página 9

    Content s ix User Guide f or Cisco Se cure Access C ontrol System 5.4 OL-26225-01 Config uring an AD Identi ty Store 8-49 Select ing an AD Group 8-53 Config uring AD Attribu tes 8-54 Config uring Machine Access Re strict ions 8-56 RSA Secu rID Server 8-57 Config uring RSA SecurID Ag ents 8-58 Creati ng and Editing RSA Se curID Token Serve rs 8-59 R[...]

  • Página 10

    Cont ents x User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Managing Author izatio ns and Permiss ions 9-17 Creati ng, Duplicati ng, and Edi ting Authori zation Pr ofile s for Network Acce ss 9-18 Spec ifyin g Aut hor izatio n Pr ofile s 9-19 Specif ying Common Attrib utes in Aut horization Prof iles 9-19 Spec ifyin g RADI US A[...]

  • Página 11

    Content s xi User Guide f or Cisco Se cure Access C ontrol System 5.4 OL-26225-01 Config uring a Group Mapp ing Po licy 10-27 Config uring Group Mapp ing Po licy Rul e Propertie s 10-29 Confi guri ng a Sess ion Auth oriz atio n Poli cy f or N etwo rk A cces s 10-30 Config uring Network Access Au thoriz ation Rule Prope rties 10-32 Confi guri ng De [...]

  • Página 12

    Cont ents xii User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Adding Ta bs to the Dashboard 11-6 Adding App l icati ons to Tabs 11-7 Renaming Tabs in t he Dashboard 11- 7 Changin g the Dashboar d Layout 11-8 Deleti ng Tabs f rom t he Dash board 11 -8 CHAPTER 12 Managing A larms 12-1 Underst anding Al arms 12-1 Evalua ting Alarm[...]

  • Página 13

    Content s xiii User Guide f or Cisco Se cure Access C ontrol System 5.4 OL-26225-01 CHAPTER 13 Managin g Reports 13-1 Work ing wit h Favo rite Report s 13-3 Adding Re ports to Your Favo rites Page 13-3 View ing Fa vorite -Re por t Param eters 13-4 Editi ng Favorite Reports 13-5 Runn ing F avori te R epo rts 13-5 Deleti ng Reports from Fav orites 13[...]

  • Página 14

    Cont ents xiv User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Formatt ing String Data 13-33 Form attin g C ustom St ring Data 13-33 Formatt ing Date an d Time 13-35 Form attin g Cust om D ate an d Time 13 -35 Form attin g B ool ean D ata 13 -36 Applyi ng Condit i onal For mats 13-37 Settin g C ondit iona l Form att ing for Co l[...]

  • Página 15

    Content s xv User Guide f or Cisco Se cure Access C ontrol System 5.4 OL-26225-01 Hiding or Di splaying Det ail Ro ws in Groups or Section s 13-68 Work ing wit h Filte rs 13-69 Type s of Filt er Condit ions 13-70 Settin g Filt er V alues 13-71 Creati ng Filters 13-72 Modify ing or Cle arin g a F ilter 13-7 3 Creati ng a Filt er with Mult iple Cond [...]

  • Página 16

    Cont ents xvi User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 View ing Sc hedu led Jo bs 15-12 Viewing Proces s Status 15-14 Viewing Data Upgr ade Sta tus 15-15 Viewing Fail ure Reasons 15-15 Editin g Fa ilur e R eason s 15-15 Specif ying E-Mail Sett ings 15-16 Config uring SNMP Prefere nces 15-1 6 Underst anding Collec tion Fi[...]

  • Página 17

    Content s xvii User Guide f or Cisco Se cure Access C ontrol System 5.4 OL-26225-01 Config uring Ident ity Pol icy Rule Pr operties 16-1 8 Adminis trator Auth orizat ion Policy 16-19 Config uring Administ rator Authori zation Po licies 16-19 Config uring Administ rator Authori z ation Ru le Properties 16-20 Adminis t rator Login Process 16-21 Rese [...]

  • Página 18

    Cont ents xviii User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Creati ng, Duplicati ng, Editing, and Del eting Sof tware Reposit ories 17-2 4 Managing Softwar e Reposit ories fr om the Web Interf ace and C LI 17-2 5 CHAPTER 18 Managing System Administ ration Conf igurations 18-1 Config uring Global Sys tem Options 18-1 Config [...]

  • Página 19

    Content s xix User Guide f or Cisco Se cure Access C ontrol System 5.4 OL-26225-01 Config uring Global Lo gging Categor ies 18-2 5 Config uring Per-Ins tance Loggi ng Categ ories 18-29 Config uring Per-I nstance Securi ty and Log Settin gs 18-30 Config uring Per-Ins tance Remote Sys log Targets 18-31 Displa ying Logging Cat egories 18-32 Config uri[...]

  • Página 20

    Cont ents xx User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Sessio n Access Request s (Device Adminis trati on [TACACS+] ) A-2 Command Au thorizatio n Requests A-2 Netw ork Acc ess ( RAD IUS Wit h an d W ith out EAP) A-2 RADIUS -Based F low Without EAP Auth entication A-3 RADIUS -Based Fl ows with EAP Authenti cation A-3 Acce [...]

  • Página 21

    Content s xxi User Guide f or Cisco Se cure Access C ontrol System 5.4 OL-26225-01 Privat e Keys an d Passwords Backup B-13 EAP-T LS Flow in A CS 5 .4 B-13 PEAP v0/1 B- 14 Overvi ew of PEAP B-15 Support ed PEAP Fe atures B-15 PEAP Flow in ACS 5. 4 B-17 Creati ng the TLS Tunnel B-18 Authe nti cati ng wi th MS CH APv2 B-19 EAP-F AS T B-19 Overvi ew o[...]

  • Página 22

    Cont ents xxii User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Authent ication Pr otocol an d Identity Stor e Compatibil ity B-36 APPENDI X C Open Source Li cense Ackno wledgements C-1 Notice s C- 1 OpenSSL/ Open SSL Pr oject C-1 Licens e Issues C-1 C-3 G LOS SARY I NDEX[...]

  • Página 23

    xxiii User Guide f or Cisco Se cure Access C ontrol System 5.4 OL-26225-01 Preface Revised: November 13, 2013 This gu ide de scribes h ow to use C isco Secur e Acce ss Contro l Syste m (ACS) 5.4. Audience This guid e is for secu rity adm inistra tors who use ACS, and who set up and ma intain ne twork and application security . Document Co nventions[...]

  • Página 24

    xxiv User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Preface Cautio n Means re a d e r b e c a re f u l . Y ou are cap able of doing something tha t might result in equipment dam age or loss of data. T imesaver Means t he d escri bed act ion saves tim e . Y ou can s ave time b y perform ing the actio n describ ed in the paragr [...]

  • Página 25

    xxv User Guide f or Cisco Se cure Access C ontrol System 5.4 OL-26225-01 Pre face Obtaining Do cumentation and Submitting a Service Reque st For informat ion on obtai ning docu menta tion, sub mittin g a service re quest, an d gathering additiona l inform ati on, see th e month ly What’ s New in Cisco Pr oduct Documenta tion , which also lists al[...]

  • Página 26

    xxvi User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Preface[...]

  • Página 27

    CH A P T E R 1-1 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 1 Introducing ACS 5.4 This section con tains the follo wing topics: • Overview of A CS, pa ge 1-1 • A CS Di stributed Deploymen t, page 1-2 • A CS Mana gement Inte rfac es, page 1-3 Overview of ACS A CS is a policy- b ased secur ity serve r that pro vides st[...]

  • Página 28

    1-2 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 1 Introducing A CS 5.4 ACS Distrib uted Deploy ment A CS pr ovides advanced monito ring, repor ting, an d troubl eshooting t ools that hel p you admini ster an d manage your ACS deploymen ts. For more inform ation on t he mon itori ng, rep orting , an d troub leshooti [...]

  • Página 29

    1-3 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 Introducing A CS 5.4 ACS Licensi ng Model A CS 4.x did not prov ide increm ental repli cation, only full replicatio n, and ther e was service d o wntime for replicati o n. A CS 5.4 provides incr emental replications with no service do wntime. Y ou c an also for ce a [...]

  • Página 30

    1-4 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 1 Introducing A CS 5.4 ACS Managem ent Interf aces • A CS W eb-b ased In terfa ce, pa ge 1-4 • A CS Command Lin e Interf ace, page 1- 4 • A CS Prog ram mati c Inter faces, page 1-5 ACS Web-ba sed Inte rface Y o u can use the ACS w eb-ba sed interfac e to fully c [...]

  • Página 31

    1-5 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 Introducing A CS 5.4 Hardware Models Supported by ACS • Conf iguration—Use th ese commands to perform additional conf iguration tasks for the appliance serv er in an A DE-OS en vironme nt. Note The CLI includes an option to reset the conf iguration that, when iss[...]

  • Página 32

    1-6 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 1 Introducing A CS 5.4 Har dware Models Suppor ted by ACS[...]

  • Página 33

    CH A P T E R 2-1 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 2 Migrating from ACS 4. x to ACS 5.4 A CS 4.x store s polic y and authenticatio n information , such as T A CAC S+ comman d sets, in the user and user gr o up recor d s. In A C S 5.4, polic y and authentica tion infor mation ar e inde pendent sha red comp onents t[...]

  • Página 34

    2-2 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 2 Migrating fro m ACS 4.x to ACS 5.4 Overvi ew of the Migr ation Proce ss Overview of the Migration Pro cess The Migration uti lity completes the data migr ation process in two phases: • Analys is and Expor t • Import In the Analy sis an d Expo rt ph ase, you iden [...]

  • Página 35

    2-3 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 2 Mig rating from ACS 4.x to ACS 5.4 Before You Begin Note Y o u must install the la test patch for the supported migratio n version s listed here. Also , if you ha ve any other version of A CS 4.x inst alled, you must upgrade to one of the suppor ted versions and i ns[...]

  • Página 36

    2-4 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 2 Migrating fro m ACS 4.x to ACS 5.4 Migrating fr om ACS 4.x to ACS 5 .4 • User -Defi n ed Fields (from the Interf ace Conf igurati o n secti on) • User Groups • Shared Shell Com mand Author ization Sets • User T A C A CS+ Shell Ex ec Att ribut es (migrat ed to[...]

  • Página 37

    2-5 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 2 Mig rating from ACS 4.x to ACS 5.4 Functionality Mapping from ACS 4.x to ACS 5.4 Functionality Mapping from ACS 4.x to ACS 5.4 In A CS 5.4, you define au thoriza tions, shell profiles, a ttributes, a nd othe r poli cy elem ents a s independe nt, r eusab le obj ects, [...]

  • Página 38

    2-6 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 2 Migrating fro m ACS 4.x to ACS 5.4 Funct io nalit y Ma ppin g fro m AC S 4.x to AC S 5.4 Comm and sets (c ommand authorizatio n sets) One of the follo wing: • Shared P rofile Compon ents > Command Authori zation Set • User Se tup pa ge • Group Set up page Po[...]

  • Página 39

    2-7 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 2 Mig rating from ACS 4.x to ACS 5.4 Common Sc enarios in Mig ration Common Scenarios in Migration The following a re some of th e co mmon scena rios t hat y ou en counte r wh ile mi grating to ACS 5.4: • Migr ati ng from A CS 4.2 on CSA CS 11 20 to A CS 5.4, pa ge 2[...]

  • Página 40

    2-8 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 2 Migrating fro m ACS 4.x to ACS 5.4 Common Scen arios in M igration Migr ating from AC S 3.x t o ACS 5.4 If you have A CS 3.x deployed in your environment , you cannot d irectl y migrate to A C S 5.4. Y ou mu st do the follo wing: Step 1 Upgrad e to a migrat ion-sup p[...]

  • Página 41

    2-9 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 2 Mig rating from ACS 4.x to ACS 5.4 Common Sc enarios in Mig ration Step 3 Perform bu lk import of data into A CS 5.4. For more inform ation on p erformi ng bulk i mport o f A CS obje cts, se e http://www .cisco.com /en/US/docs/net_m gmt/cisco_secure _access_contro l_[...]

  • Página 42

    2-10 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 2 Migrating fro m ACS 4.x to ACS 5.4 Common Scen arios in M igration[...]

  • Página 43

    CH A P T E R 3-1 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 3 ACS 5.x Policy Model A CS 5.x i s a poli cy-based ac cess contro l syst em. The ter m policy model in A CS 5.x re fers t o the presenta tion of p olicy elem ents, obje cts, an d rules to t he policy adm inistrato r . A CS 5 .x uses a rule-ba sed policy mode l in[...]

  • Página 44

    3-2 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 3 ACS 5. x Policy Mode l Overview of the ACS 5.x Po licy Mode l For example, we u se t he inf ormat ion de scribe d for the group- based model : If identity-condition , r estriction-condition then authorization- pr o file In ACS 5.4, you define cond itions a nd resu lt[...]

  • Página 45

    3-3 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 3 ACS 5.x Policy Model Overview o f the ACS 5.x Policy Model Poli cy Terminolo gy Ta b l e 3 - 2 descri bes the ru le-base d policy termin ology . T able 3-2 Rule-Based P olicy T er minology T erm Descript ion Access service Sequential set of polic ies used to process [...]

  • Página 46

    3-4 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 3 ACS 5. x Policy Mode l Overview of the ACS 5.x Po licy Mode l Simple Policies Y o u can configure al l of your ACS policies as rule-base d polici es. Howe ver , in some cases, you can choose to configu re a sim ple po licy , whic h selec ts a sing le re sult to appl [...]

  • Página 47

    3-5 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 3 ACS 5.x Policy Model Overview o f the ACS 5.x Policy Model Types of P olicie s Ta b l e 3 - 3 descri bes the type s of policies that you can configure in A CS. The policies ar e listed in the order of their e valuation; an y attribute s that a polic y retrie ves can [...]

  • Página 48

    3-6 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 3 ACS 5. x Policy Mode l Access Se rvice s Access Services Access services are fundamental con structs i n AC S 5.x that al low yo u to con fig ure acce ss policies f or users and devices that connect to the network an d for network adm inistra tors who ad ministe r ne[...]

  • Página 49

    3-7 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 3 ACS 5.x Policy Model Access Servi ces Ta b l e 3 - 5 desc ribes an example of a set o f access se rvices. Ta b l e 3 - 6 describes a service selection policy . If A CS 5.4 recei ves a T ACA C S+ acces s request, it app lies Access Service A, which authenticate s the [...]

  • Página 50

    3-8 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 3 ACS 5. x Policy Mode l Access Se rvice s A CS accepts th e results o f the requ ests and re turns them to the N A S. Y ou must conf igure the e xternal RADIUS and T A CA CS+ serv ers in A CS for A CS to forw ard reque sts to them. Y ou can defi ne the timeo ut period[...]

  • Página 51

    3-9 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 3 ACS 5.x Policy Model Access Servi ces A CS can simultaneously act as a proxy serv er to multiple e xternal RADIUS and T A CA CS+ serv ers. F or A CS to ac t as a proxy server, you must configure a RADIUS or T A CACS+ proxy serv ice in A C S. See Configuring Ge neral [...]

  • Página 52

    3-10 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 3 ACS 5. x Policy Mode l Access Se rvice s • Identity Sequen ce—Sequ ences of the identity data bases. The seque nce is used for authen tication and, if specif ied, an additional sequen ce is used to retrie ve only attrib utes. Y ou can selec t multiple identity m[...]

  • Página 53

    3-11 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 3 ACS 5.x Policy Model Access Servi ces Group Mapp ing Polic y The id entity group mapping policy i s a standa rd po licy . Condi tions ca n be ba sed on attr ibutes or group s retrie ved from the e xternal attrib ute stores only , or from certif icates, and the r e s[...]

  • Página 54

    3-12 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 3 ACS 5. x Policy Mode l Service Select ion Policy Related Topics • Poli c y T erm inol ogy , p age 3-3 • Authori zation Profiles for N etwork A ccess, page 3-1 6 Exception Authorization Policy Ru les A commo n real -world pro blem i s that, i n day-t o-day operat[...]

  • Página 55

    3-13 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 3 ACS 5.x Policy Model Service Selection Policy Rules-Base d Service Selection In the rules-based servic e selection mode, A CS decides which access servic e to use based on var ious configurab le opt ions. So me o f th em are : • AAA Proto col—The prot ocol used [...]

  • Página 56

    3-14 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 3 ACS 5. x Policy Mode l Service Select ion Policy In this e xample, inst ead of cr eating the netwo rk acces s poli cy for 802.1 x, agentles s de vices, and gu est acces s in one access servic e, the polic y is divi ded into three acc ess serv ices. First-Match Rule [...]

  • Página 57

    3-15 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 3 ACS 5.x Policy Model Service Selection Policy The default ru le specif ies the policy result that A CS uses when no other rules exist, or when the attrib ute values in the acces s request do not mat ch any rules. A CS ev aluates a set of rules in the first- m atch r[...]

  • Página 58

    3-16 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 3 ACS 5. x Policy Mode l Authori zation Pro files for Ne twork Ac cess Policy Conditions Y o u can define simple conditio ns in rule tab les based on attributes in: • Customiza ble con ditio ns—Y ou can create c ustom c ondit ions ba sed on protoc ol dict ionar ie[...]

  • Página 59

    3-17 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 3 ACS 5.x Policy Model Policies and Identity Attributes Y ou can def ine multiple au thorization prof iles as a network access p olic y result. I n this way , you mainta in a smalle r number of au thoriz ation profiles , because you can use the au thoriz ation p rofil[...]

  • Página 60

    3-18 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 3 ACS 5. x Policy Mode l Policies and Network D evice Gr oups Related Topics • Managing Users and Identity S to res, pag e 8-1 • Poli c y T erm inol ogy , p age 3-3 • T ypes of Pol icies, page 3 -5 Policies and Netwo rk Device Groups Y o u can refe rence Net wor[...]

  • Página 61

    3-19 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 3 ACS 5.x Policy Model Flows for Configuring Services and Policies Figure 3-2 illustrates what this policy rule table could look like . Figur e 3-2 Sample Rule -Based P olicy Each ro w in the polic y table rep resents a single rule. Each ru le, e xcept for the l ast D[...]

  • Página 62

    3-20 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 3 ACS 5. x Policy Mode l Flows for Con figur ing Servic es and Polic ies • Added users to the inte r nal A CS identity store or add e xternal iden tity stores. See Creating Internal Users, pa ge 8-11 , Ma naging Iden tity A ttributes, page 8-7 , or Creating External[...]

  • Página 63

    3-21 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 3 ACS 5.x Policy Model Flows for Configuring Services and Policies Related Topics • Poli c y T erm inol ogy , p age 3-3 • Policy Conditions, page 3-16 • Policy Results, page 3 -16 • Policies and Identi ty Attrib u tes, page 3-17[...]

  • Página 64

    3-22 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 3 ACS 5. x Policy Mode l Flows for Con figur ing Servic es and Polic ies[...]

  • Página 65

    CH A P T E R 4-1 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 4 Common Scenarios Using ACS Network co ntrol refe rs to the pro cess of contro lling access to a networ k. T r aditio nally a user name and password was used to authe nticat e a user to a net work. Now a days with the rapid technolog ical advancemen ts, the t rad[...]

  • Página 66

    4-2 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 4 Co mmon S cenarios Using ACS Overvi ew of Dev ice Ad ministr ation A CS organize s a sequenc e of independ ent policies into an access serv ice, which is used to proc ess an access reques t. Y ou can create multiple access servi ces to process dif ferent kinds of acc[...]

  • Página 67

    4-3 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 4 Common Scenarios Using ACS Overview of Device Administration If a command is matched to a command set, the corresponding permit or deny setting for the command is retrieved. If multiple results are found in the rules that are matched, they are con[...]

  • Page 68

    4-4 Overview of Device Administration Step 5 Configure an access service policy. See Access Service Policy Creation, page 10-4. Step 6 Configure a service selection policy. See Service Selection Policy Creation, page 10-4. [...]

  • Page 69

    4-5 Password-Based Network Access TACACS+ Custom Services and Attributes This topic describes the configuration flow to define TACACS+ custom attributes and services. Step 1 Create a custom TACACS+ condition to move to TAC[...]

  • Page 70

    4-6 Password-Based Network Access Note During password-based access (or certificate-based access), the user is not only authenticated but also authorized according to the ACS configuration. And if NAS sends accounting requests [...]

  • Page 71

    4-7 Password-Based Network Access Password-Based Network Access Configuration Flow This topic describes the end-to-end flow for password-based network access and lists the tasks that you must perform. The information about how to[...]

  • Page 72

    4-8 Password-Based Network Access For RADIUS, non-EAP authentication methods (RADIUS/PAP, RADIUS/CHAP, RADIUS/MS-CHAPv1, RADIUS/MSCHAPv2), and simple EAP methods (EAP-MD5 and LEAP), you need to configure only the protoc[...]

  • Page 73

    4-9 Certificate-Based Network Access Related Topics • Authentication in ACS 5.4, page B-1 • Network Devices and AAA Clients, page 7-5 • Managing Access Policies, page 10-1 • Creating, Duplicating, and Editing Access Services[...]

  • Page 74

    4-10 Certificate-Based Network Access You can configure two types of certificates in ACS: • Trust certificate—Also known as CA certificate. Used to form CTL trust hierarchy for verification of remote certificates. • L[...]

  • Page 75

    4-11 Certificate-Based Network Access You can create custom conditions to use the certificate's attributes as a policy condition. See Creating, Duplicating, and Editing a Custom Session Condition, page 9-5, for details. Step 5 [...]

  • Page 76

    4-12 Agentless Network Access A default Local Server Certificate is installed on ACS so that you can connect to ACS with your browser. The default certificate is a self-signed certificate and cannot be modified during installa[...]

  • Page 77

    4-13 Agentless Network Access The default security policy says that 802.1x authentication must succeed before access to the network is granted. Therefore, by default, non-802.1x-capable devices cannot get access to an 802.1x-[...]

  • Page 78

    4-14 Agentless Network Access ACS supports host lookup for the following identity stores: • Internal hosts • External LDAP • Internal users • Active Directory You can access the Active Directory via the LDAP API. You[...]

  • Page 79

    4-15 Agentless Network Access • Twelve consecutive hexadecimal digits without any separators—0123456789AB If the Calling-Station-ID attribute is one of the four supported MAC address formats above, ACS copies it to the User[...]

  • Page 80

    4-16 Agentless Network Access Agentless Network Access Flow This topic describes the end-to-end flow for agentless network access and lists the tasks that you must perform. The information about how to configure the tasks is locat[...]

  • Page 81

    4-17 Agentless Network Access Step 7 Define the service selection. Step 8 Add the access service to your service selection policy. For more information, see Creating, Duplicating, and Editing Service Selection Rules, page 10-8. [...]

  • Page 82

    4-18 Agentless Network Access Previous Step: Network Devices and AAA Clients, page 7-5 Next Step: Configuring an Identity Group for Host Lookup Network Access Requests, page 4-18 Related Topics • Creating External LDAP Identity[...]

  • Page 83

    4-19 Agentless Network Access c. Select Network Access, and check Identity and Authorization. The group mapping and External Policy options are optional. d. Make sure you select Process Host Lookup. If you want ACS to detect P[...]

  • Page 84

    4-20 VPN Remote Network Access Configuring an Authorization Policy for Host Lookup Requests To configure an authorization policy for Host Lookup requests: Step 1 Choose Access Policies > Access Services > <access_servicena[...]

  • Page 85

    4-21 VPN Remote Network Access Supported Authentication Protocols ACS 5.4 supports the following protocols for inner authentication inside the VPN tunnel: • RADIUS/PAP • RADIUS/CHAP • RADIUS/MS-CHAPv1 • RADIUS/MS-CHAPv2 W[...]

  • Page 86

    4-22 VPN Remote Network Access Supported VPN Network Access Servers ACS 5.4 supports the following VPN network access servers: • Cisco ASA 5500 Series • Cisco VPN 3000 Series Related Topics • VPN Remote Network Access, page[...]

  • Page 87

    4-23 ACS and Cisco Security Group Access Related Topics • VPN Remote Network Access, page 4-20 • Supported Authentication Protocols, page 4-21 • Supported Identity Stores, page 4-21 • Supported VPN Network Access Servers, pa[...]

  • Page 88

    4-24 ACS and Cisco Security Group Access 6. Configuring EAP-FAST Settings for Security Group Access. 7. Creating an Access Service for Security Group Access. 8. Creating an Endpoint Admission Control Policy. 9. Creating a[...]

  • Page 89

    4-25 ACS and Cisco Security Group Access Devices consider only the SGT value; the name and description of a security group are a management convenience and are not conveyed to the devices. Therefore, changing the name o[...]

  • Page 90

    4-26 ACS and Cisco Security Group Access To configure an NDAC policy for a device: Step 1 Choose Access Policies > Security Group Access Control > Security Group Access > Network Device Access > Authorization Policy.[...]

  • Page 91

    4-27 ACS and Cisco Security Group Access Step 7 Click Finish. Creating an Endpoint Admission Control Policy After you create a service, you configure the endpoint admission control policy. The endpoint admission control poli[...]

  • Page 92

    4-28 ACS and Cisco Security Group Access Initially, the matrix contains the cell for the unknown source and unknown destination SG. Unknown refers to the preconfigured SG, which is not modifiable. When you add an SG, ACS adds a [...]

  • Page 93

    4-29 RADIUS and TACACS+ Proxy Requests RADIUS and TACACS+ Proxy Requests You can use ACS to act as a proxy server that receives authentication RADIUS requests and authentication and authorization TACACS+ requests from a ne[...]

  • Page 94

    4-30 RADIUS and TACACS+ Proxy Requests • TAC_PLUS_AUTHOR • TAC_PLUS_AUTHEN 4. Receives the following packets from the remote TACACS+ server and returns them back to the NAS: This behavior is configurable. • TAC_PLU[...]

  • Page 95

    4-31 RADIUS and TACACS+ Proxy Requests • Supported RADIUS Attributes, page 4-31 • Configuring Proxy Service, page 4-32 Supported RADIUS Attributes The following supported RADIUS attributes are encrypted: • User-Passwor[...]

  • Page 96

    4-32 RADIUS and TACACS+ Proxy Requests Configuring Proxy Service To configure proxy services: Step 1 Configure a set of remote RADIUS and TACACS+ servers. For information on how to configure remote servers, see Creating, Duplic[...]

  • Page 97

    5-1 Chapter 5 Understanding My Workspace The Cisco Secure ACS web interface is designed to be viewed using Microsoft Internet Explorer versions 6.x to 9.x and Mozilla Firefox versions 3.x to 10.x. The web interface not only makes viewing and administering[...]

  • Page 98

    5-2 Task Guides In ACS 5.4, you can also see a banner in the welcome page. You can customize this After Login banner text from the Login Banner page. Task Guides From the My Workspace drawer, you can access Tasks Guides. Wh[...]

  • Page 99

    5-3 Login Banner Related Topics • Configuring Authentication Settings for Administrators, page 16-10 • Changing the Administrator Password, page 16-22 Login Banner ACS 5.4 supports customizing of the login banner texts. You[...]

  • Page 100

    5-4 Using the Web Interface • Common Errors, page 5-25 • Accessibility, page 5-27 Accessing the Web Interface The ACS web interface is supported on HTTPS-enabled Microsoft Internet Explorer versions 6.x to 9.x and Mozilla Fi[...]

  • Page 101

    5-5 Using the Web Interface Note The license page only appears the first time that you log in to ACS. Step 7 See Installing a License File, page 18-35 to install a valid license. • If your login is successful, the main page of the A[...]

  • Page 102

    5-6 Using the Web Interface Web Interface Design Figure 5-1 shows the overall design of the ACS web interface. Figure 5-1 ACS Web Interface The interface contains: • Header, page 5-6 • Navigation Pane, page 5-7 • Cont[...]

  • Page 103

    5-7 Using the Web Interface Navigation Pane Use the navigation pane to navigate through the drawers of the web interface (see Figure 5-3). Figure 5-3 Navigation Pane Table 5-4 describes the function of each drawer. To open [...]

  • Page 104

    5-8 Using the Web Interface To hide the navigation pane and expand the content area, click the collapse arrow, which is centered vertically between the navigation pane and content area. Click the collapse arrow again to [...]

  • Page 105

    5-9 Using the Web Interface • Secondary Windows, page 5-13 • Rule Table Pages, page 5-16 Web Interface Location Your current location in the interface appears at the top of the content area. Figure 5-5 shows that the locati[...]

  • Page 106

    5-10 Using the Web Interface Table 5-5 Common Content Area Buttons and Fields for List Pages Button or Field Description Rows per page Use the drop-down list to specify the number of items to display on this page. Options: ?[...]

  • Page 107

    5-11 Using the Web Interface Tree table pages are a variation of list pages (see Figure 5-6). You can perform the same operations on tree table pages that you can on list pages, except for paging. In addition, with tree table[...]

  • Page 108

    5-12 Using the Web Interface Filtering Large lists in a content area window or a secondary window (see Figure 5-9) can be difficult to navigate through and select the data that you want. You can use the web interface to filter [...]

  • Page 109

    5-13 Using the Web Interface For pages that do not have a Name or Description column, the sorting mechanism may be supported in the left-most column of the page, or the Description column. Place your cursor over a column h[...]

  • Page 110

    5-14 Using the Web Interface Figure 5-9 Secondary Window In addition to selecting and filtering data, you can create a selectable object within a secondary window. For example, if you attempt to create a users internal identity[...]

  • Page 111

    5-15 Using the Web Interface Figure 5-10 Transfer Box Table 5-7 Transfer Box Fields and Buttons Field or Button Description Available List of available items for selection. Selected Ordered list of selected items. Right a[...]

  • Page 112

    5-16 Using the Web Interface Schedule Boxes Schedule boxes are a common element in content area pages (see Figure 5-10). You use them to select active times for a policy element from a grid, where each row represents a day o[...]

  • Page 113

    5-17 Using the Web Interface Directly above the rule table are two display options: • Standard Policy—Click to display the standard policy rule table. • Exception Policy—Click to display the exception policy rule table, whic[...]

  • Page 114

    5-18 Importing and Exporting ACS Objects through the Web Interface Related Topic • ACS 5.x Policy Model Importing and Exporting ACS Objects through the Web Interface You can use the import functionality in ACS to add, update, or d[...]

  • Page 115

    5-19 Importing and Exporting ACS Objects through the Web Interface Table 5-10 lists the ACS objects, their properties, and the property data types. The import template for each of the objects contains the properties described[...]

  • Page 116

    5-20 Importing and Exporting ACS Objects through the Web Interface Fields that are optional can be left empty and ACS substitutes the default values for those fields. KeywrapDisplayInHex (Optional) Boolean. Support TACACS (Req[...]

  • Page 117

    5-21 Importing and Exporting ACS Objects through the Web Interface For example, when fields that are related to a hierarchy are left blank, ACS assigns the value of the root node in the hierarchy. For network devices, if Security G[...]

  • Page 118

    5-22 Importing and Exporting ACS Objects through the Web Interface • NDG – Location—Network Resources > Network Device Groups > Location – Device Type—Network Resources > Network Device Groups > Device Type[...]

  • Page 119

    5-23 Importing and Exporting ACS Objects through the Web Interface Adding Records to the ACS Internal Store When you add records to the ACS internal store, you add the records to the existing list. This is an append operation, in whi[...]

  • Page 120

    5-24 Importing and Exporting ACS Objects through the Web Interface Figure 5-13 Update Users–Import File Note The second column, Updated name, is the additional column that you can add to the Update template. Deleting Records from [...]

  • Page 121

    5-25 Common Errors Common Errors You might encounter these common errors: • Concurrency Conflict Errors, page 5-25 • Deletion Errors, page 5-26 • System Failure Errors, page 5-27 • Accessibility, page 5-27 Concurren[...]

  • Page 122

    5-26 Common Errors Error Message The item you are trying to Submit is referencing items that do not exist anymore. Explanation You attempted to edit or duplicate an item that is referencing an item that another user deleted while you tr[...]

  • Page 123

    5-27 Accessibility System Failure Errors System failure errors occur when a system malfunction is detected. When a system failure error is detected, a dialog box appears, with an error message and OK button. Read the error mess[...]

  • Page 124

    5-28 Accessibility • Color used as an enhancement of information only, not as the only indicator. For example, required fields are associated with a red asterisk. • Confirmation messages for important settings and actions.[...]

  • Page 125

    6-1 Chapter 6 Post-Installation Configuration Tasks This chapter provides a set of configuration tasks that you must perform to work with ACS. This chapter contains the following sections: • Configuring Minimal System Setup, page 6-1 • Configuring ACS to Per[...]

  • Page 126

    6-2 Configuring ACS to Perform System Administration Tasks Configuring ACS to Perform System Administration Tasks Table 6-2 lists the set of system administration tasks that you must perform to administer ACS. Table 6-2 S [...]

  • Page 127

    6-3 Configuring ACS to Perform System Administration Tasks Step 8 Add users or hosts to the internal identity store, or define external identity stores, or both. • For internal identity stores: Users and Identity Store[...]

  • Page 128

    6-4 Configuring ACS to Manage Access Policies Configuring ACS to Manage Access Policies Table 6-3 lists the set of tasks that you must perform to manage access restrictions and permissions. Configuring ACS to Monitor[...]

  • Page 129

    6-5 Configuring ACS to Monitor and Troubleshoot Problems in the Network Step 4 Enable system alarms and specify how you would like to receive notification. Monitoring Configuration > System Configuration > System A[...]

  • Page 130

    6-6 Configuring ACS to Monitor and Troubleshoot Problems in the Network[...]

  • Page 131

    7-1 Chapter 7 Managing Network Resources The Network Resources drawer defines elements within the network that issue requests to ACS or those that ACS interacts with as part of processing a request. This includes the network devices that issue the requests an[...]

  • Page 132

    7-2 Network Device Groups Network Device Groups In ACS, you can define network device groups (NDGs), which are sets of devices. These NDGs provide logical grouping of devices, for example, Device Location or Type, which y[...]

  • Page 133

    7-3 Network Device Groups Step 4 Click Submit. The network device group configuration is saved. The Network Device Groups page appears with the new network device group configuration. Related Topics • Network Device Groups, page 7-[...]

  • Page 134

    7-4 Network Device Groups Creating, Duplicating, and Editing Network Device Groups Within a Hierarchy You can arrange the network device group node hierarchy according to your needs by choosing parent and child relationships fo[...]

  • Page 135

    7-5 Network Devices and AAA Clients Deleting Network Device Groups from a Hierarchy To delete a network device group from within a hierarchy: Step 1 Choose Network Resources > Network Device Groups. The Network Device Groups [...]

  • Page 136

    7-6 Network Devices and AAA Clients You must install Security Group Access license to enable Security Group Access options. The Security Group Access options only appear if you have installed the Security Group Access license[...]

  • Page 137

    7-7 Network Devices and AAA Clients – Description – NDG Location – Device Type You can specify full IP address, or IP address with wildcard “*” or, with IP address range, such as [15-20] in the IP address search fiel[...]

  • Page 138

    7-8 Network Devices and AAA Clients Step 1 Choose Network Resources > Network Devices and AAA Clients. The Network Device page appears. Step 2 Choose the filter condition and the Match if operator, and enter the filter criterio[...]

  • Page 139

    7-9 Network Devices and AAA Clients The Operation dialog box appears. Step 2 Click Next to download the .csv file template if you do not have it. Step 3 Click any one of the following operations if you have previously created a tem[...]

  • Page 140

    7-10 Network Devices and AAA Clients Exporting Network Resources and Users To export a list of network resources or users: Step 1 Click Export on the Users, Network Devices, or MAC Address page of the web interface. The Network Devic[...]

  • Page 141

    7-11 Network Devices and AAA Clients The first page of the Create Network Device process appears if you are creating a new network device. The Network Device Properties page for the selected device appears if you are duplicating[...]

  • Page 142

    7-12 Network Devices and AAA Clients IP Range(s) By Mask Choose to enter an IP address range. You can configure up to 40 IP addresses or subnet masks for each network device. If you use a subnet mask in this field, all IP addre[...]

  • Page 143

    7-13 Network Devices and AAA Clients Single Connect Device Check to use a single TCP connection for all TACACS+ communication with the network device. Choose one: • Legacy TACACS+ Single Connect Support • TACACS+ Draft[...]

  • Page 144

    7-14 Network Devices and AAA Clients Displaying Network Device Properties Choose Network Resources > Network Devices and AAA Clients, then click a device name or check the check box next to a device name, and click Edit or [...]

  • Page 145

    7-15 Network Devices and AAA Clients IP Range(s) By Mask Choose to enter an IP address range. You can configure up to 40 IP addresses or subnet masks for each network device. If you use a subnet mask in this field, all IP addresse[...]

  • Page 146

    7-16 Network Devices and AAA Clients RADIUS Shared Secret Shared secret of the network device, if you have enabled the RADIUS protocol. A shared secret is an expected string of text, which a user must provide before the network devic[...]

  • Page 147

    7-17 Configuring a Default Network Device Related Topics: • Viewing and Performing Bulk Operations for Network Devices, page 7-6 • Creating, Duplicating, and Editing Network Device Groups, page 7-2 Deleting Network Devices T[...]

  • Page 148

    7-18 Configuring a Default Network Device Choose Network Resources > Default Network Device to configure the default network device. The Default Network Device page appears, displaying the information described in Table [...]

  • Page 149

    7-19 Working with External Proxy Servers Related Topics • Network Device Groups, page 7-2 • Network Devices and AAA Clients, page 7-5 • Creating, Duplicating, and Editing Network Device Groups, page 7-2 Working with External Pro[...]

  • Page 150

    7-20 Working with External Proxy Servers Step 2 Do one of the following: • Click Create. • Check the check box next to the external proxy server that you want to duplicate, then click Duplicate. • Click the external proxy serv[...]

  • Page 151

    7-21 Working with OCSP Services Note If you want ACS to forward unknown RADIUS attributes you have to define VSAs for proxy. Related Topics • RADIUS and TACACS+ Proxy Services, page 3-7 • RADIUS and TACACS+ Proxy Requests[...]

  • Page 152

    7-22 Working with OCSP Services • Unknown—The certificate status is unknown. The status of the certificate is unknown if the OCSP is not configured to handle the given certificate CA. In this case, the certificate is handl[...]

  • Page 153

    7-23 Working with OCSP Services Fail back To Primary Server Enable this option to use the secondary server for the given amount of time when the primary is completely down. The time range is 1 to 999 minutes. Primary Server URL Ent[...]

  • Page 154

    7-24 Working with OCSP Services Step 4 Click Submit to save your changes. The OCSP Server configuration is saved. The OCSP Server page appears with the new configuration. Related Topics • Deleting OCSP Servers, page 7-24 Del[...]

  • Page 155

    8-1 Chapter 8 Managing Users and Identity Stores Overview ACS manages your network devices and other ACS clients by using the ACS network resource repositories and identity stores. When a host connects to the network through ACS requesting access to a particular [...]

  • Page 156

    8-2 Overview Fixed components are: • Name • Description • Password • Enabled or disabled status • Identity group to which users belong Configurable components are: • Enable password for TACACS+ authenticatio[...]

  • Página 157

    8-3 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 8 Managing U sers and Iden tity Stores Over view Identity Stores with Two-Factor A uthentication Y ou can use the RSA SecurID T oken Serv er an d RADIUS Id entity S erver to pro vide two-f a ctor authenti cation. These e xternal ident ity stores u se an O TP that pro v[...]

  • Página 158

8-4 Identity Sequences. You can configure a complex condition where multiple identity stores and profiles are used to process a request. You can define these identity methods in an Ident[...]

8-5 • Authentication information. Note ACS 5.4 supports authentication for internal users against the internal identity store only. This section contains the following topics: • Authen[...]

8-6 Identity Groups. You can assign each internal user to one identity group. Identity groups are defined within a hierarchical structure. They are logical entities that are associated with [...]

8-7 Related Topics • Managing Users and Identity Stores, page 8-1 • Managing Internal Identity Stores, page 8-4 • Performing Bulk Operations for Network Resources and Users, page [...]

8-8 Standard Attributes. Table 8-1 describes the standard attributes in the internal user record. User Attributes. Administrators can create and add user-defined attributes from the set o[...]

8-9 In ACS 5.4, you can configure identity attributes that are used within your policies, in this order: 1. Define an identity attribute (using the user dictionary). 2. Define custom con[...]

8-10 Step 3 In the Advanced tab, enter the values for the criteria that you want to configure for your user authentication process. Table 8-3 describes the fields in the Advanced tab. [...]

8-11 Step 4 Click Submit. The user password is configured with the defined criteria. These criteria will apply only for future logins. Note If one of the users gets disabled, the faile[...]

8-12 The Change Password page appears. Step 3 Complete the fields as described in Table 8-4 to change the internal user password. • Click File Operations to: – Add—Adds internal [...]

8-13 Table 8-5 Users and Identity Stores > Internal Identity Store > User Properties Page. Option / Description: General. Name: Username. Status: Use the drop-down list box to select the[...]

8-14 Step 5 Click Submit. The user configuration is saved. The Internal Users page appears with the new configuration. Related Topics • Configuring Authentication Settings for Users, pag[...]

8-15 Deleting Users from Internal Identity Stores. To delete a user from an internal identity store: Step 1 Select Users and Identity Stores > Internal Identity Store > Users. The Interna[...]

8-16 – Delete—Choose this option to delete the internal users listed in the import file from ACS. See Performing Bulk Operations for Network Resources and Users, page 7-8 for a detai[...]

8-17 Step 4 Click Submit to save changes. The MAC address configuration is saved. The Internal MAC list page appears with the new configuration. Note Hosts with wildcards (supported forma[...]

8-18 • Viewing and Performing Bulk Operations for Internal Identity Store Hosts, page 8-18 • Policies and Identity Attributes, page 3-17 • Configuring an Identity Group for Hos[...]

8-19 Related Topics • Host Lookup, page 4-13 • Creating Hosts in Identity Stores, page 8-16 • Deleting Internal Hosts, page 8-18 • Policies and Identity Attributes, page 3-17 •[...]

8-20 Configuring Users or Hosts for Management Hierarchy. A specific level of access is defined to represent the top-most node in the Management Hierarchy assigned for each user or a host[...]

8-21 Step 8 After successfully creating the policy, try authenticating the user using the created policy. The user will be authenticated only if the hierarchy defined for the user equals [...]

8-22 Managing External Identity Stores. ACS 5.4 integrates with external identity systems in a number of ways. You can leverage an external authentication service or use an external syste[...]

8-23 • Configuring LDAP Groups, page 8-33 • Viewing LDAP Attributes, page 8-34. Directory Service. The directory service is a software application, or a set of applications, for stori[...]

8-24 Failover. ACS 5.4 supports failover between a primary LDAP server and secondary LDAP server. In the context of LDAP authentication with ACS, failover applies when an authentication [...]

8-25 Possible reasons for an LDAP server to return bind (authentication) errors are: – Filtering errors—A search using filter criteria fails. – Parameter errors—Invalid parame[...]

8-26 • String • Unsigned Integer 32 • IP Address—This can be either an IP version 4 (IPv4) or IP version 6 (IPv6) address. For unsigned integers and IP address attributes, ACS conver[...]

8-27 Step 4 Check the Enable Password Change option to modify the password, to detect the password expiration, and to reset the password. Step 5 Click Next. Step 6 Continue with Configur[...]

8-28 Anonymous Access: Click to ensure that searches on the LDAP directory occur anonymously. The server does not distinguish who the client is and will allow the client read access to an[...]

8-29 Step 2 Click Next. Step 3 Continue with Configuring External LDAP Directory Organization, page 8-29. Configuring External LDAP Directory Organization. Use this page to configure an exter[...]

8-30 Table 8-8 LDAP: Directory Organization Page. Option / Description: Schema. Subject Object class: Value of the LDAP objectClass attribute that identifies the subject. Often, subject reco[...]

8-31 Subjects In Groups Are Stored In Member Attribute As: Use the drop-down list box to indicate if the subjects in groups are stored in member attributes as either: • Username • Distingu[...]

8-32 Step 2 Click Finish. The external identity store that you created is saved. Username Prefix\Suffix Stripping: Strip start of subject name up to the last occurrence of the separato[...]

8-33 Related Topics • Configuring LDAP Groups, page 8-33 • Deleting External LDAP Identity Stores, page 8-33. Deleting External LDAP Identity Stores. You can delete one or more external [...]

8-34 Viewing LDAP Attributes. Use this page to view the external LDAP attributes. Step 1 Select Users and Identity Stores > External Identity Stores > LDAP. Step 2 Check the check box[...]

8-35 This means the switch port to which these devices attach cannot authenticate them using the 802.1X exchange of device or user credentials and must revert to an authentication mechani[...]

8-36 Figure 8-1 LDAP Interface Configuration in NAC Profiler. Step 5 Click Update Server. Step 6 Click the Configuration tab and click Apply Changes. The Update NAC Profiler Modules page [...]

8-37 Step 2 Choose Configuration > Endpoint Profiles > View/Edit Profiles List. A list of profiles in a table appears. Step 3 Click on the name of a profile to edit it. Step 4 In the Save[...]

8-38 To edit the NAC Profiler template in ACS: Step 1 Choose Users and Identity Stores > External Identity Stores > LDAP. Step 2 Click on the name of the NAC Profiler template o[...]

8-39 Figure 8-5 Test Bind to Server Dialog Box. For more information, see Creating External LDAP Identity Stores, page 8-26. Note The default password for LDAP is GBSbeacon. If you want[...]

8-40 Figure 8-7 Test Configuration Dialog Box. Number of Subjects—This value maps to the actual subject devices already profiled by the Cisco NAC Profiler (actual devices enabled for P[...]

8-41 Troubleshooting MAB Authentication with Profiler Integration. To troubleshoot MAB authentication while integrating with NAC Profiler and to verify that the endpoint is successfully aut[...]

8-42 • Maximum password age is N days. • Minimum password age is N days. • Minimum password length is N characters. • Password must meet complexity requirements. AD uses the “[...]

8-43 Note To prevent ACS from using the outdated mappings, you should create new AD groups instead of changing or moving the existing ones. If you change or move the existing groups, you ha[...]

8-44 Machine authentication happens while starting up a computer or while logging in to a computer. Supplicants, such as Funk Odyssey, perform machine authentication periodically while the [...]

8-45 If the user has one of these limitations, the AD1::IdentityAccessRestricted attribute on the AD dedicated dictionary is set to indicate that the user has restricted access. You c[...]

8-46 The Engineers' rule is an example of a MAR rule that only allows engineers access if their machine was successfully authenticated against the Windows DB. The Managers' rule i[...]

8-47 The distributed search is performed based on the cache entry query attempts and cache entry query timeouts that are configured in the ACS web interface. The MAR entry search is also del[...]

8-48 Callback Options for Dial-In Users. If the callback option is enabled, the server calls the caller back during the connection process. The phone number that is used by the server is set[...]

8-49 The callback number value is also returned in the RADIUS response, using the RADIUS attribute Callback Number (#19). • If the callback option is Set by Caller, the RADIUS response co[...]

8-50 Note When you upgrade ACS to ACS 5.4 using the Reimaging and Upgrading an ACS Server method, if you restore a configuration in which the AD is defined, you need to join AC[...]

8-51 • Save Changes to save the configuration. • Discard Changes to discard all changes. • If AD is already configured and you want to delete it, click Clear Configuration after you [...]

8-52 Step 4 Click: • Join to join the selected nodes to the AD domain. The status of the nodes is changed according to the join results. • Test Connection to test the connection to en[...]

8-53 Step 4 Click: • Leave to disconnect the selected nodes from the AD domain. • Cancel to cancel the operation. Note Administrators can perform operations like join, leave, or test conn[...]

8-54 The Groups page appears. The Selected Directory Groups field lists the AD groups you selected and saved. The AD groups you selected in the External User Groups page are listed and c[...]

8-55 Step 3 Click: • Save Changes to save the configuration. • Discard Changes to discard all changes. Table 8-13 Active Directory: Attributes Page. Option / Description: Name of example [...]

8-56 • If AD is already configured and you want to delete it, click Clear Configuration after you verify that there are no policy rules that use custom conditions based on the AD dicti[...]

8-57 AD Deployments with Users Belonging to a Large Number of Groups. In ACS 5.3, when you move between AD domains, the user authentications show a timeout error if the user belongs to a large[...]

8-58 Thus, when a correct token code is supplied together with a PIN, there is a high degree of certainty that the person is a valid user. Therefore, RSA SecurID servers provide a mo[...]

8-59 Manually Intervene to Remove a Down RSA SecurID Server. When an RSA SecurID server is down, the automatic exclusion mechanism does not always work quickly. To speed up this process, [...]

8-60 Step 5 Click the Advanced tab. See Configuring Advanced Options, page 8-62 for more information. Step 6 Click Submit to create an RSA SecurID store. The RSA SecurID Token Server p[...]

8-61 Editing ACS Instance Settings. You can edit the ACS instance settings to: • Enable the RSA options file, page 8-61 • Reset Agent Files, page 8-61. Enable the RSA options file. You can enab[...]

8-62 Step 1 Choose either of the following options: • To reset the node secret on the agent host, check the Remove securid file on submit check box. If you reset the node secret on the ag[...]

8-63 • Creating and Editing RSA SecurID Token Servers, page 8-59 • Configuring ACS Instance Settings, page 8-60 • Editing ACS Instance Settings, page 8-61 • Editing ACS Instance[...]

8-64 Failover. ACS 5.4 allows you to configure multiple RADIUS identity stores. Each RADIUS identity store can have primary and secondary RADIUS servers. When ACS is unable to conne[...]

8-65 RADIUS Identity Store in Identity Sequence. You can add the RADIUS identity store for the authentication sequence in an identity sequence. However, you cannot add the RADIUS identity [...]

8-66 Safeword token servers support both formats. ACS works with various token servers. While configuring a Safeword server, you must check the Safeword Server check box for ACS to parse [...]

8-67 • Check the check box next to the identity store you want to duplicate, then click Duplicate. • Click the identity store name that you want to modify, or check the box next to the name a[...]

8-68 Related Topics • RADIUS Identity Stores, page 8-63 • Creating, Duplicating, and Editing RADIUS Identity Servers, page 8-66 • Configuring Shell Prompts, page 8-69 • Configuring[...]

8-69 Configuring Shell Prompts. For TACACS+ ASCII authentication, ACS must return the password prompt to the user. The RADIUS identity server supports this functionality by the password prompt[...]

8-70 Step 2 Do either of the following: • Click Submit to save your changes and return to the RADIUS Identity Servers page. • Click the Advanced tab to configure failure message han[...]

8-71 Click Submit to save the RADIUS Identity Server. Related Topics • RADIUS Identity Stores, page 8-63 • Creating, Duplicating, and Editing RADIUS Identity Servers, page 8-66. Configuring CA[...]

8-72 Note ACS builds a certificate chain with the CA certificates that you add to it and uses this chain during TLS negotiations. You must add the certificate that signed the server certificat[...]

8-73 Editing a Certificate Authority and Configuring Certificate Revocation Lists. Use this page to edit a trusted CA (Certificate Authority) certificate. Step 1 Select Users and Identity Stores > C[...]

8-74 Step 3 Click Submit. The Trust Certificate page appears with the edited certificate. The administrator has the rights to configure CRL and OCSP verification. If both CRL and OCSP verific[...]

8-75 The Trust Certificate page appears without the deleted certificate(s). Related Topic • Overview of EAP-TLS, page B-6. Exporting a Certificate Authority. To export a trust[...]

8-76 When ACS processes a certificate-based request for authentication, one of two things happens: the username from the certificate is compared to the username in ACS t[...]

8-77 Step 4 Click Submit. The Certificate Authentication Profile page reappears. Related Topics • Viewing Identity Policies, page 10-22 • Configuring Identity Store Sequences, p[...]

8-78 Attribute Retrieval Sequence. You can optionally define a list of databases from which to retrieve additional attributes. These databases can be accessed regardless of whether yo[...]

8-79 Password Based: Check this check box to use the password-based authentication method. If you choose this option, you must choose the set of identity stores that ACS will access on[...]

8-80 Step 3 Click Submit. The Identity Store Sequences page reappears. Related Topics • Performing Bulk Operations for Network Resources and Users, page 7-8 • Viewing Identity[...]

8-81 • Managing Internal Identity Stores, page 8-4 • Managing External Identity Stores, page 8-22 • Configuring Certificate Authentication Profiles, page 8-75 • Creating, Du[...]


9-1 CHAPTER 9 Managing Policy Elements. A policy defines the authentication and authorization processing of clients that attempt to access the ACS network. A client can be a user, a network device, or a user associated with a network device. Policies are sets of ru[...]

9-2 You can map users and hosts to identity groups by using the group mapping policy. You can include identity groups in conditions to configure common policy conditions for all users in the grou[...]

9-3 • Creating, Duplicating, and Editing a Date and Time Condition, page 9-3 • Creating, Duplicating, and Editing a Custom Session Condition, page 9-5 • Deleting a Session Condition, page 9-6 [...]

9-4 To add date and time conditions to a policy, you must first customize the rule table. See Customizing a Policy, page 10-4. Step 4 Click Submit. The date and time condition is saved. The Date and T[...]

9-5 Related Topics • Creating, Duplicating, and Editing a Custom Session Condition, page 9-5 • Deleting a Session Condition, page 9-6 • Configuring Access Service Policies, page 10-22. Creating, Dupli[...]

9-6 To add custom conditions to a policy, you must first customize the rule table. See Customizing a Policy, page 10-4. Step 4 Click Submit. The new custom session condition is saved. The Custom Condi[...]

9-7 Note The filters in ACS 5.4 are similar to the NARs in ACS 4.x. In ACS 4.x, the NARs were based on either the user or user group. In 5.4, the filters are independent conditions that you can re[...]

9-8 The device dictionary (the NDG dictionary) contains network device group attributes such as Location, Device Type, or other dynamically created attributes that represent NDGs. These attributes, in turn[...]

    9-9 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 9 Managing Po licy Elem ents Mana gi ng Pol icy C ond ition s Step 5 Click Close to close the I mport Pr ogress window . Y o u can submi t only one .csv file to the system at on e t ime. If an i mpor t is u nder way , an addit ional import cann ot succeed until the ori[...]

  • Página 246

    9-10 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 9 Managing P olicy Elemen ts Managing Policy Condit ions Note T o conf igure a f ilter , at a minimum, you must enter f ilter criteria in at least one of the three ta bs. Step 5 Click Submit to sa ve th e changes. Related Topics • Managin g Network Conditi ons, pag [...]

  • Página 247

    9-11 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 9 Managing Po licy Elem ents Mana gi ng Pol icy C ond ition s • Def ining MA C Address-Based End Station Filte rs, page 9-11 • Defining CLI or DNIS-B ased End Statio n Filters, page 9-1 1 Defining MAC Address-Based E nd Station Filters Y o u can crea te, dupli cat[...]

  • Página 248

    9-12 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 9 Managing P olicy Elemen ts Managing Policy Condit ions Step 2 Check the CL I check box t o enter the CL I numbe r of the end stat ion. Y ou can optiona lly set t his fi eld to A NY to re fer to a ny CLI number . Step 3 Check the DNI S check box to enter the D NIS nu[...]

  • Página 249

    9-13 Chapter 9 Managing Policy Elements Managing Policy Conditions Note To configure a filter, at a minimum, you must enter filter criteria in at least one of the three tabs. Step 5 Click Submit to save the changes. Related Topics • Managing Network Conditions,[...]

  • Page 250

    9-14 Chapter 9 Managing Policy Elements Managing Policy Conditions Defining Name-Based Device Filters You can create, duplicate, and edit the name of the network device that you want to permit or deny access to. To do this: Step 1 From the Device Name tab, do [...]

  • Page 251

    9-15 Chapter 9 Managing Policy Elements Managing Policy Conditions Creating, Duplicating, and Editing Device Port Filters Use the Device Port Filters page to create, duplicate, and edit device port filters. To do this: Step 1 Choose Policy Elements > Session Condi[...]

  • Page 252

    9-16 Chapter 9 Managing Policy Elements Managing Policy Conditions • Check the check box next to the IP-based device port filter that you want to duplicate, then click Duplicate. • Check the check box next to the IP-based device port filter that you want to edit, t[...]

  • Page 253

    9-17 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Step 3 Check the Port check box and enter the port number. Step 4 Click OK. Related Topics • Managing Network Conditions, page 9-6 • Creating, Duplicating, and Editing Device Por[...]

  • Page 254

    9-18 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions • Security groups and security group ACLs for Cisco Security Group Access. See ACS and Cisco Security Group Access, page 4-23, for information on configuring these policy elements. These to[...]

  • Page 255

    9-19 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions • Click the name that you want to modify; or, check the check box next to the name that you want to modify and click Edit. The Authorization Profile Properties page appears. S[...]

  • Page 256

    9-20 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Step 1 Select Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, then click: • Create to create a new network access authorization de[...]

  • Page 257

    9-21 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Table 9-5 Authorization Profile: Common Tasks Page Option Description ACLS Downloadable ACL Name Includes a defined downloadable ACL. See Creating, Duplicating, and Editing Downlo[...]

  • Page 258

    9-22 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Specifying RADIUS Attributes in Authorization Profiles Use this tab to configure which RADIUS attributes to include in the Access-Accept packet for an authorization profile. This tab also[...]

  • Page 259

    9-23 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Step 3 To configure: • Basic information of an authorization profile; see Specifying Authorization Profiles, page 9-19. • Common tasks for an authorization profile; see Specifyin[...]

  • Page 260

    9-24 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Creating and Editing Security Groups Use this page to view names and details of security groups and security group tags (SGTs), and to open pages to create, duplicate, and edit security[...]

  • Page 261

    9-25 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions The Common Tasks tab allows you to select and configure the frequently used attributes for the profile. The attributes that are included here are those defined by the TACACS protocol[...]

  • Page 262

    9-26 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Defining General Shell Profile Properties Use this page to define a shell profile's general properties. Step 1 Select Policy Elements > Authorization and Permissions > Device Administr[...]

  • Page 263

    9-27 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Table 9-9 Shell Profile: Common Tasks Option Description Privilege Level Default Privilege (Optional) Enables the initial privilege level assignment that you allow for a client, thr[...]

  • Page 264

    9-28 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Step 3 Click: • Submit to save your changes and return to the Shell Profiles page. • The General tab to configure the name and description for the authorization profile; see Defining[...]

  • Page 265

    9-29 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Defining Custom Attributes Use this tab to define custom attributes for the shell profile. This tab also displays the Common Tasks Attributes that you have chosen in the Common Tasks tab [...]

  • Page 266

    9-30 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions After you create command sets, you can use them in authorizations and permissions within rule tables. A rule can contain multiple command sets. See Creating, Duplicating, and Editing [...]

  • Page 267

    9-31 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Step 4 Click Submit. The command set is saved. The Command Sets page appears with the command set that you created or duplicated. Table 9-11 Command Set Properties Page Field Des[...]

  • Page 268

    9-32 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Related Topics • Creating, Duplicating, and Editing Authorization Profiles for Network Access, page 9-18 • Creating, Duplicating, and Editing a Shell Profile for Device Administrati[...]

  • Page 269

    9-33 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions – Click Start Export to export the DACLs without any encryption. Step 3 Enter valid configuration data in the required fields as shown in Table 9-12, and define one or more[...]

  • Page 270

    9-34 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Configuring Security Group Access Control Lists Security group access control lists (SGACLs) are applied at Egress, based on the source and destination SGTs. Use this page to view, cre[...]

  • Page 271

    10-1 CHAPTER 10 Managing Access Policies In ACS 5.4, policy drives all activities. Policies consist mainly of rules that determine the action of the policy. You create access services to define authentication and authorization policies for requests. A global s[...]

  • Page 272

    10-2 Chapter 10 Managing Access Policies Policy Creation Flow In short, you must determine the: • Details of your network configuration. • Access services that implement your policies. • Rules that define the conditions under which an access service can run. [...]

  • Page 273

    10-3 Chapter 10 Managing Access Policies Policy Creation Flow Policy Elements in the Policy Creation Flow The web interface provides these defaults for defining device groups and identity groups: • All Locations • All Device Types • All Groups The locations, de[...]

  • Page 274

    10-4 Chapter 10 Managing Access Policies Customizing a Policy Policy Creation Flow—Next Steps • Access Service Policy Creation, page 10-4 • Service Selection Policy Creation, page 10-4 Access Service Policy Creation After you create the basic elements, you can create[...]

  • Page 275

    10-5 Chapter 10 Managing Access Policies Configuring the Service Selection Policy If you have implemented Security Group Access functionality, you can also customize results for authorization policies. Caution If you have already defined rules, be certain that a rul[...]

  • Page 276

    10-6 Chapter 10 Managing Access Policies Configuring the Service Selection Policy Note If you create and save a simple policy, and then change to a rule-based policy, the simple policy becomes the default rule of the rule-based policy. If you have saved a rule-bas[...]

  • Page 277

    10-7 Chapter 10 Managing Access Policies Configuring the Service Selection Policy To configure a rule-based service selection policy, see these topics: • Creating, Duplicating, and Editing Service Selection Rules, page 10-8 • Deleting Service Selection Rules, p[...]

  • Page 278

    10-8 Chapter 10 Managing Access Policies Configuring the Service Selection Policy Creating, Duplicating, and Editing Service Selection Rules Create service selection rules to determine which access service processes incoming requests. The Default Rule provides a def[...]

  • Page 279

    10-9 Chapter 10 Managing Access Policies Configuring the Service Selection Policy • The Default Rule—You can change only the access service. See Table 10-3 for field descriptions: Step 4 Click OK. The Service Selection Policy page appears with the rule that[...]

  • Page 280

    10-10 Chapter 10 Managing Access Policies Configuring the Service Selection Policy Displaying Hit Counts Use this page to reset and refresh the Hit Count display on the Rule-based Policy page. To display this page, click Hit Count on the Rule-based Policy page. Deleting Serv[...]

  • Page 281

    10-11 Chapter 10 Managing Access Policies Configuring Access Services Configuring Access Services Access services contain the authentication and authorization policies for requests. You can create separate access services for different use cases; for example, de[...]

  • Page 282

    10-12 Chapter 10 Managing Access Policies Configuring Access Services Step 3 Edit the fields in the Allowed Protocols tab as described in Table 10-7. Step 4 Click Submit to save the changes you have made to the default access service. Creating, Duplicating, a[...]

  • Page 283

    10-13 Chapter 10 Managing Access Policies Configuring Access Services Step 2 Do one of the following: • Click Create. • Check the check box next to the access service that you want to duplicate; then click Duplicate. • Click the access service name that you w[...]

  • Page 284

    10-14 Chapter 10 Managing Access Policies Configuring Access Services Description Description of the access service. Access Service Policy Structure Based on service template Creates an access service containing policies based on a predefined template. This option is av[...]

  • Page 285

    10-15 Chapter 10 Managing Access Policies Configuring Access Services Step 3 Click Next to configure the allowed protocols. See Configuring Access Service Allowed Protocols, page 10-16. Related Topic • Configuring Access Service Allowed Protocols, page 10-16 • Conf[...]

  • Page 286

    10-16 Chapter 10 Managing Access Policies Configuring Access Services Configuring Access Service Allowed Protocols The allowed protocols are the second part of access service creation. Access service definitions contain general and allowed protocol information [...]

  • Page 287

    10-17 Chapter 10 Managing Access Policies Configuring Access Services Allow EAP-TLS Enables the EAP-TLS Authentication protocol and configures EAP-TLS settings. You can specify how ACS verifies user identity as presented in the EAP Identity response from the en[...]

  • Page 288

    10-18 Chapter 10 Managing Access Policies Configuring Access Services Allow EAP-FAST Enables the EAP-FAST authentication protocol and EAP-FAST settings. The EAP-FAST protocol can support multiple internal protocols on the same server. The default inner method i[...]

  • Page 289

    10-19 Chapter 10 Managing Access Policies Configuring Access Services Allow EAP-FAST (continued) PAC Options • Tunnel PAC Time To Live—The Time To Live (TTL) value restricts the lifetime of the PAC. Specify the lifetime value and units. The defaul[...]

  • Page 290

    10-20 Chapter 10 Managing Access Policies Configuring Access Services Step 3 Click Finish to save your changes to the access service. To enable an access service, you must add it to the service selection policy. Configuring Access Services Templates Use a service tem[...]

  • Page 291

    10-21 Chapter 10 Managing Access Policies Configuring Access Services Deleting an Access Service To delete an access service: Step 1 Select Access Policies > Access Services. The Access Services page appears with a list of configured services. Step 2 Check one or mo[...]

  • Page 292

    10-22 Chapter 10 Managing Access Policies Configuring Access Service Policies Configuring Access Service Policies You configure access service policies after you create the access service: • Viewing Identity Policies, page 10-22 • Configuring Identity Policy Ru[...]

  • Page 293

    10-23 Chapter 10 Managing Access Policies Configuring Access Service Policies In the rule-based policy, each rule contains one or more conditions and a result, which is the identity source to use for authentication. You can create, duplicate, edit, and delete rules wi[...]

  • Page 294

    10-24 Chapter 10 Managing Access Policies Configuring Access Service Policies Viewing Rules-Based Identity Policies Select Access Policies > Access Services > service > Identity, where <service> is the name of the access service. By default, the Simple I[...]

  • Page 295

    10-25 Chapter 10 Managing Access Policies Configuring Access Service Policies • Creating Policy Rules, page 10-38 • Duplicating a Rule, page 10-39 • Editing Policy Rules, page 10-39 • Deleting Policy Rules, page 10-40 For information about configuring an id[...]

  • Page 296

    10-26 Chapter 10 Managing Access Policies Configuring Access Service Policies Table 10-11 Identity Rule Properties Page Option Description General Rule Name Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration[...]

  • Page 297

    10-27 Chapter 10 Managing Access Policies Configuring Access Service Policies Configuring a Group Mapping Policy Configure a group mapping policy to map groups and attributes that are retrieved from external identity stores to ACS identity groups. When ACS processes a r[...]

  • Page 298

    10-28 Chapter 10 Managing Access Policies Configuring Access Service Policies Step 2 Select an identity group. Step 3 Click Save Changes to save the policy. To configure a rule-based policy, see these topics: • Creating Policy Rules, page 10-38 • Duplicating a[...]

  • Page 299

    10-29 Chapter 10 Managing Access Policies Configuring Access Service Policies • Deleting Policy Rules, page 10-40 Related Topics • Viewing Identity Policies, page 10-22 • Configuring a Session Authorization Policy for Network Access, page 10-30 • Configuring a [...]

  • Page 300

    10-30 Chapter 10 Managing Access Policies Configuring Access Service Policies Configuring a Session Authorization Policy for Network Access When you create an access service for network access authorization, it creates a Session Authorization policy. You can then[...]

  • Page 301

    10-31 Chapter 10 Managing Access Policies Configuring Access Service Policies Table 10-15 Network Access Authorization Policy Page Option Description Status Rule statuses are: • Enabled—The rule is active. • Disabled—ACS does not apply the results of the ru[...]

  • Page 302

    10-32 Chapter 10 Managing Access Policies Configuring Access Service Policies Configuring Network Access Authorization Rule Properties Use this page to create, duplicate, and edit the rules to determine access permissions in a network access service. Step 1 Select Ac[...]

  • Page 303

    10-33 Chapter 10 Managing Access Policies Configuring Access Service Policies Configuring Device Administration Authorization Policies A device administration authorization policy determines the authorizations and permissions for network administrators. You create [...]

  • Page 304

    10-34 Chapter 10 Managing Access Policies Configuring Access Service Policies Configuring Device Administration Authorization Rule Properties Use this page to create, duplicate, and edit the rules to determine authorizations and permissions in a device administration ac[...]

  • Page 305

    10-35 Chapter 10 Managing Access Policies Configuring Access Service Policies Configuring Shell/Command Authorization Policies for Device Administration When you create an access service and select a service policy structure for Device Administration, ACS automatic[...]

  • Page 306

    10-36 Chapter 10 Managing Access Policies Configuring Access Service Policies To configure rules, see: • Creating Policy Rules, page 10-38 • Duplicating a Rule, page 10-39 • Editing Policy Rules, page 10-39 • Deleting Policy Rules, page 10-40 Configuring Au[...]

  • Page 307

    10-37 Chapter 10 Managing Access Policies Configuring Access Service Policies To configure rules, see: • Creating Policy Rules, page 10-38 • Duplicating a Rule, page 10-39 • Editing Policy Rules, page 10-39 • Deleting Policy Rules, page 10-40 Related Topics [...]

  • Page 308

    10-38 Chapter 10 Managing Access Policies Configuring Access Service Policies Creating Policy Rules When you create rules, remember that the order of the rules is important. When ACS encounters a match as it processes the request of a client that tries to access the ACS [...]

  • Page 309

    10-39 Chapter 10 Managing Access Policies Configuring Access Service Policies Duplicating a Rule You can duplicate a rule if you want to create a new rule that is the same, or very similar to, an existing rule. The duplicate rule name is based on the original rule wi[...]

  • Page 310

    10-40 Chapter 10 Managing Access Policies Configuring Access Service Policies Step 4 Click OK. The Policy page appears with the edited rule. Step 5 Click Save Changes to save the new configuration. Step 6 Click Discard Changes to cancel the edited information. Related[...]

  • Page 311

    10-41 Chapter 10 Managing Access Policies Configuring Compound Conditions Configuring Compound Conditions Use compound conditions to define a set of conditions based on any attributes allowed in simple policy conditions. You define compound conditions in a policy[...]

  • Page 312

    10-42 Chapter 10 Managing Access Policies Configuring Compound Conditions Note Dynamic attribute mapping is not applicable for the ExternalGroups attribute of type "String Enum" and the "Time And Date" attribute of type "Date Time Period". [...]

  • Page 313

    10-43 Chapter 10 Managing Access Policies Configuring Compound Conditions Figure 10-2 Compound Expression - Atomic Condition Single Nested Compound Condition Consists of a single operator followed by a set of predicates (>=2). The operator is applied betwe[...]

  • Page 314

    10-44 Chapter 10 Managing Access Policies Configuring Compound Conditions Figure 10-4 Multiple Nested Compound Expression Compound Expression with Dynamic Value You can select dynamic value to select another dictionary attribute to compare against the dictiona[...]

  • Page 315

    10-45 Chapter 10 Managing Access Policies Configuring Compound Conditions Related Topics • Compound Condition Building Blocks, page 10-41 • Using the Compound Expression Builder, page 10-45 Using the Compound Expression Builder You construct compound conditions[...]

  • Page 316

    10-46 Chapter 10 Managing Access Policies Security Group Access Control Pages Related Topics • Compound Condition Building Blocks, page 10-41 • Types of Compound Conditions, page 10-42 Security Group Access Control Pages This section contains the following topics: [...]

  • Page 317

    10-47 Chapter 10 Managing Access Policies Security Group Access Control Pages Related Topic • Creating an Egress Policy, page 4-27 Editing a Cell in the Egress Policy Matrix Use this page to configure the policy for the selected cell. You can configure the SGA[...]

  • Page 318

    10-48 Chapter 10 Managing Access Policies Security Group Access Control Pages NDAC Policy Page The Network Device Admission Control (NDAC) policy determines the SGT for network devices in a Security Group Access environment. The NDAC policy handles: • Peer aut[...]

  • Page 319

    10-49 Chapter 10 Managing Access Policies Security Group Access Control Pages Related Topics: • Configuring an NDAC Policy, page 4-25 • NDAC Policy Properties Page, page 10-49 NDAC Policy Properties Page Use this page to create, duplicate, and edit rules to[...]

  • Page 320

    10-50 Chapter 10 Managing Access Policies Security Group Access Control Pages Note For endpoint admission control, you must define an access service and session authorization policy. See Configuring Network Access Authorization Rule Properties, page 10-32 for infor[...]

  • Page 321

    10-51 Chapter 10 Managing Access Policies Maximum User Sessions Network Device Access EAP-FAST Settings Page Use this page to configure parameters for the EAP-FAST protocol that the NDAC policy uses. To display this page, choose Access Policies > Security [...]

  • Page 322

    10-52 Chapter 10 Managing Access Policies Maximum User Sessions Max Session User Settings You can configure the maximum user sessions setting to impose a maximum session value for each user. To configure maximum user sessions: Step 1 Choose Access Policies > Max User Session Po[...]

  • Page 323

    10-53 Chapter 10 Managing Access Policies Maximum User Sessions Unlimited is selected by default. The group-level session limit is applied based on the hierarchy. For example: The group hierarchy is America:US:West:CA and the maximum sessions are as follows: • Amer[...]

  • Page 324

    10-54 Chapter 10 Managing Access Policies Maximum User Sessions Related topics • Maximum User Sessions, page 10-51 • Max Session User Settings, page 10-52 • Max Session Group Settings, page 10-52 • Purging User Sessions, page 10-54 • Maximum User Session in[...]

  • Page 325

    10-55 Chapter 10 Managing Access Policies Maximum User Sessions The Purge User Session page appears with a list of all AAA clients. Step 2 Select the AAA client for which you want to purge the user sessions. Step 3 Click Get Logged-in User List. A list of all the logged [...]

  • Page 326

    10-56 Chapter 10 Managing Access Policies Maximum User Sessions Maximum User Session in Proxy Scenario Authentication and accounting requests should be sent to the same ACS server; otherwise, the Maximum Session feature will not work as desired. Related topics • Maximum Us[...]

  • Page 327

    11-1 CHAPTER 11 Monitoring and Reporting in ACS The Monitoring and Reports drawer appears in the primary web interface window and contains the Launch Monitoring and Report Viewer option. The Monitoring and Report Viewer provides monitoring, reporting, and [...]

  • Page 328

    11-2 Chapter 11 Monitoring and Reporting in ACS Authentication Records and Details • Support for non-English characters (UTF-8)—You can have non-English characters in: – Syslog messages—Configurable attribute value, user name, and ACS named co[...]

  • Page 329

    11-3 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 1 Monitoring and Reporting in ACS Dashbo ard Pa ges Note Th ese tabs ar e custom izable , and you ca n modify or delete th e following tabs. • General—Th e General tab lists the follo wing: – Fiv e most rece nt alarm s—Whe n you clic k the nam e of the a lar[...]

  • Página 330

    11-4 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapte r 11 Monit o ring an d Reporti ng in ACS Work ing wit h Port lets – Authentic ation Snapsh ot—Prov ides a snap shot of au thenticatio ns in t he graphic al and ta bular format s for up to the p ast 30 days. In th e grap hica l rep resen tation, t he f ield based on[...]

11-5 Chapter 11 Monitoring and Reporting in ACS: Working with Portlets. Figure 11-1 Portlets. Top 5 Alarms and My Favorite Reports appear in separate windows. You can edit each of these portlets separately. To edit a portlet, click the edit button ( ) at the upp[...]

11-6 Chapter 11 Monitoring and Reporting in ACS: Configuring Tabs in the Dashboard. Related Topic • Dashboard Pages, page 11-2 • Running Authentication Lookup Report, page 11-6. Running Authentication Lookup Report. When you run an Authentication Lookup report, [...]

11-7 Chapter 11 Monitoring and Reporting in ACS: Configuring Tabs in the Dashboard. Step 5 Click Add Page. A new tab of your choice is created. You can add the applications that you most frequently monitor in this tab. Adding Applications to Tabs. To add an application t[...]

11-8 Chapter 11 Monitoring and Reporting in ACS: Configuring Tabs in the Dashboard. Changing the Dashboard Layout. You can change the look and feel of the Dashboard. ACS provides you with nine different in-built layouts. To choose a different layout: Step 1 From[...]

12-1 Chapter 12 Managing Alarms. The Monitoring feature in ACS generates alarms to notify you of critical system conditions. The monitoring component retrieves data from ACS. You can configure thresholds and rules on this data to manage alarms. Alarm notifi[...]

12-2 Chapter 12 Managing Alarms: Understanding Alarms. System Alarms. System alarms notify you of critical conditions encountered during the execution of the ACS Monitoring and Reporting viewer. System alarms also provide informational status of system activities, such as[...]

12-3 Chapter 12 Managing Alarms: Viewing and Editing Alarms in Your Inbox. Notifying Users of Events. When a threshold is reached or a system alarm is generated, the alarm appears in the Alarms Inbox of the web interface. From this page, you can view the alarm de[...]

12-4 Chapter 12 Managing Alarms: Viewing and Editing Alarms in Your Inbox. Time: Display only. Indicates the time of the associated alarm generation in the format Ddd Mmm dd hh:mm:ss timezone yyyy, where: • Ddd = Sun, Mon, Tue, Wed, Thu, Fri, Sat. • Mmm = Jan,[...]
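The Time field layout above is easy to mis-handle when alarms from nodes in different zones are pulled into one timeline. The following is an added example, not part of the Cisco guide or of ACS, that parses the Ddd Mmm dd hh:mm:ss timezone yyyy form into a timezone-aware value, rejects malformed or internally inconsistent records (wrong weekday for the date, unknown zone, out-of-range fields), and orders alarms by the instant they denote rather than by their local wall-clock text. The timezone abbreviation table and the sample timestamps are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Layout of the alarm "Time" column: Ddd Mmm dd hh:mm:ss timezone yyyy
DAY_NAMES = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
MONTH_NAMES = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
               "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# Assumed table: zone abbreviations the appliance may print, mapped to fixed UTC
# offsets. Abbreviations are ambiguous in general, so keep this table restricted
# to the zones your ACS nodes actually run in rather than accepting anything.
TZ_OFFSET_HOURS = {"UTC": 0, "GMT": 0, "EST": -5, "EDT": -4, "PST": -8, "PDT": -7}

_ALARM_TIME = re.compile(
    r"^(?P<ddd>[A-Za-z]{3}) (?P<mmm>[A-Za-z]{3}) (?P<dd>\d{2}) "
    r"(?P<hh>\d{2}):(?P<mi>\d{2}):(?P<ss>\d{2}) (?P<tz>[A-Z]{3,5}) (?P<yyyy>\d{4})$"
)


def parse_alarm_time(text: str) -> datetime:
    """Parse an alarm timestamp into an aware datetime, rejecting bad input."""
    m = _ALARM_TIME.match(text.strip())
    if m is None:
        raise ValueError(f"not in Ddd Mmm dd hh:mm:ss timezone yyyy form: {text!r}")
    if m["ddd"] not in DAY_NAMES or m["mmm"] not in MONTH_NAMES:
        raise ValueError(f"unknown day or month name in {text!r}")
    if m["tz"] not in TZ_OFFSET_HOURS:
        raise ValueError(f"unrecognised timezone abbreviation {m['tz']!r}")
    tz = timezone(timedelta(hours=TZ_OFFSET_HOURS[m["tz"]]))
    # datetime() itself rejects out-of-range fields such as hour 25 or Feb 30.
    parsed = datetime(int(m["yyyy"]), MONTH_NAMES.index(m["mmm"]) + 1, int(m["dd"]),
                      int(m["hh"]), int(m["mi"]), int(m["ss"]), tzinfo=tz)
    # Cross-check the printed weekday against the calendar; a mismatch means the
    # record was edited or mis-parsed. weekday() counts Monday as 0, DAY_NAMES
    # starts at Sunday, hence the +1 rotation.
    if DAY_NAMES[(parsed.weekday() + 1) % 7] != m["ddd"]:
        raise ValueError(f"weekday {m['ddd']} does not match the date in {text!r}")
    return parsed


def is_valid_alarm_time(text: str) -> bool:
    try:
        parse_alarm_time(text)
        return True
    except ValueError:
        return False


def sort_alarms_by_utc(texts):
    """Order alarm timestamps by the instant they denote, not by local text."""
    return sorted(texts, key=lambda t: parse_alarm_time(t).astimezone(timezone.utc))


# Constructed sample values (not taken from a real ACS inbox).
SAMPLE_ALARM_TIMES = [
    "Wed Mar 06 09:00:00 PST 2013",   # 17:00 UTC
    "Wed Mar 06 10:00:00 EST 2013",   # 15:00 UTC, earlier than the PST entry
    "Tue Mar 05 14:32:10 UTC 2013",
]

if __name__ == "__main__":
    for t in sort_alarms_by_utc(SAMPLE_ALARM_TIMES):
        print(parse_alarm_time(t).astimezone(timezone.utc).isoformat(), "<-", t)
```

Note that the two Wednesday entries sort in the opposite order from their printed hours once the zone offsets are applied; a timeline built by string comparison would place them the wrong way round.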

12-5 Chapter 12 Managing Alarms: Viewing and Editing Alarms in Your Inbox. Configure Incremental Backup Data Repository as Remote Repository; otherwise backup will fail and Incremental backup mode will be changed to off. Warning Configure Remote Repository [...]

12-6 Chapter 12 Managing Alarms: Viewing and Editing Alarms in Your Inbox. Full Database Purge Backup failed: Exception Details (Critical). Incremental Backup Failed: Exception Details (Critical). Log Recovery: Log Message Recovery failed: Exception Details (Critical). View Comp[...]

12-7 Chapter 12 Managing Alarms: Viewing and Editing Alarms in Your Inbox. Note The alarm for the ACS database exceeding the quota is sent only when the total size of the ACS database exceeds the quota. Total size of ACS database = acs*.log + acs.db, where acs*.log is[...]

12-8 Chapter 12 Managing Alarms: Viewing and Editing Alarms in Your Inbox. Note ACS cannot be used as a remote syslog server. However, you can use an external server as a syslog server. If you use an external server as a syslog server, no alarms can be generated in the [...]

12-9 Chapter 12 Managing Alarms: Understanding Alarm Schedules. Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Deleting Alarm Thresholds, page 12-33. Understanding Alarm Schedules. You can create alarm schedules to specify when a[...]

12-10 Chapter 12 Managing Alarms: Understanding Alarm Schedules. Step 3 Click Submit to save the alarm schedule. The schedule that you create is added to the Schedule list box in the Threshold pages. Assigning Alarm Schedules to Thresholds. When you create an alarm thres[...]

12-11 Chapter 12 Managing Alarms: Creating, Editing, and Duplicating Alarm Thresholds. Deleting Alarm Schedules. Note Before you delete an alarm schedule, ensure that it is not referenced by any thresholds that are defined in ACS. You cannot delete the default schedule[...]

12-12 Chapter 12 Managing Alarms: Creating, Editing, and Duplicating Alarm Thresholds. Step 2 Do one of the following: • Click Create. • Check the check box next to the alarm that you want to duplicate, then click Duplicate. • Click the alarm name that you want[...]

12-13 Chapter 12 Managing Alarms: Creating, Editing, and Duplicating Alarm Thresholds. Related Topics • Configuring General Threshold Information, page 12-13 • Configuring Threshold Criteria, page 12-14 • Configuring Threshold Notifications, page 12-32. Config[...]

12-14 Chapter 12 Managing Alarms: Creating, Editing, and Duplicating Alarm Thresholds. Configuring Threshold Criteria. ACS 5.4 provides the following threshold categories to define different threshold criteria: • Passed Authentications, page 12-14 • Failed Authenticatio[...]

12-15 Chapter 12 Managing Alarms: Creating, Editing, and Duplicating Alarm Thresholds. Note You can specify one or more filters to limit the passed authentications that are considered for threshold evaluation. Each filter is associated with a particular attribute in th[...]

12-16 Chapter 12 Managing Alarms: Creating, Editing, and Duplicating Alarm Thresholds. Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications[...]

12-17 Chapter 12 Managing Alarms: Creating, Editing, and Duplicating Alarm Thresholds. An alarm is triggered because at least one Device IP has greater than 10 failed authentications in the past 2 hours. Note You can specify one or more filters to limit the failed [...]

12-18 Chapter 12 Managing Alarms: Creating, Editing, and Duplicating Alarm Thresholds. Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications[...]

12-19 Chapter 12 Managing Alarms: Creating, Editing, and Duplicating Alarm Thresholds. The aggregation job begins at 00:05 hours every day. From 23:50 hours, up until the time the aggregation job completes, the authentication inactivity alarms are suppressed. [...]
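The suppression window described above spans midnight, which is exactly where a naive comparison of clock times goes wrong. The following is an added example, not Cisco's code, that gates an inactivity check on that window: suppressed from 23:50 until the day's aggregation job, which starts at 00:05, has completed. The inactivity rule itself (a device that has produced no authentication for longer than a configured period) and the sample data are assumptions made for the example; the guide's own definition of the threshold is cut off above.

```python
from datetime import datetime, time, timedelta
from typing import Dict, List, Optional

SUPPRESSION_START = time(23, 50)    # from the text: suppression begins at 23:50
AGGREGATION_START = time(0, 5)      # from the text: the aggregation job begins at 00:05


def inactivity_alarms_suppressed(now: datetime,
                                 last_aggregation_completed: Optional[datetime]) -> bool:
    """True from 23:50 until the aggregation job that starts at 00:05 has finished.

    The window crosses midnight, so it is evaluated as two legs. The evening leg
    is a plain time-of-day comparison. The morning leg asks whether today's job
    has already completed; "not yet started" and "still running" both leave the
    window open, because in both cases today's completion time does not exist.
    """
    if now.time() >= SUPPRESSION_START:
        return True
    todays_job_start = datetime.combine(now.date(), AGGREGATION_START)
    return last_aggregation_completed is None or last_aggregation_completed < todays_job_start


def inactive_devices(last_seen: Dict[str, datetime], now: datetime,
                     inactive_for: timedelta) -> List[str]:
    """Assumed inactivity rule: flag a device with no authentication for longer
    than `inactive_for`. Sorted so results are deterministic."""
    return sorted(ip for ip, seen in last_seen.items() if now - seen > inactive_for)


def evaluate_inactivity_threshold(last_seen, now, inactive_for, last_aggregation_completed):
    """Apply the suppression window before reporting anything at all."""
    if inactivity_alarms_suppressed(now, last_aggregation_completed):
        return []
    return inactive_devices(last_seen, now, inactive_for)


# Constructed sample: the last authentication seen from each network device.
LAST_SEEN = {
    "10.0.0.5": datetime(2013, 3, 5, 22, 0),
    "10.0.0.7": datetime(2013, 3, 5, 8, 0),    # silent since the morning
}
INACTIVE_FOR = timedelta(hours=12)


def scenarios():
    """Moments around the window, as {label: devices that would be alarmed}."""
    yesterday_job = datetime(2013, 3, 5, 0, 21)   # job completed on 5 March at 00:21
    today_job = datetime(2013, 3, 6, 0, 22)       # job completed on 6 March at 00:22
    return {
        "23:49, just before the window":
            evaluate_inactivity_threshold(LAST_SEEN, datetime(2013, 3, 5, 23, 49), INACTIVE_FOR, yesterday_job),
        "23:55, evening leg":
            evaluate_inactivity_threshold(LAST_SEEN, datetime(2013, 3, 5, 23, 55), INACTIVE_FOR, yesterday_job),
        "00:10, job not yet finished":
            evaluate_inactivity_threshold(LAST_SEEN, datetime(2013, 3, 6, 0, 10), INACTIVE_FOR, yesterday_job),
        "00:30, job finished 00:22":
            evaluate_inactivity_threshold(LAST_SEEN, datetime(2013, 3, 6, 0, 30), INACTIVE_FOR, today_job),
        "12:00 same day":
            evaluate_inactivity_threshold(LAST_SEEN, datetime(2013, 3, 6, 12, 0), INACTIVE_FOR, today_job),
    }


if __name__ == "__main__":
    for label, flagged in scenarios().items():
        print(f"{label:32} -> {flagged}")
```

The practical consequence for a detection team: an inactivity alarm that "should" have fired at 00:10 is not lost, it is only deferred until the job finishes, so correlation rules downstream should not treat the quiet period after midnight as evidence that the devices are healthy.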

12-20 Chapter 12 Managing Alarms: Creating, Editing, and Duplicating Alarm Thresholds. Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications[...]

12-21 Chapter 12 Managing Alarms: Creating, Editing, and Duplicating Alarm Thresholds. Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications[...]

12-22 Chapter 12 Managing Alarms: Creating, Editing, and Duplicating Alarm Thresholds. Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications[...]

12-23 Chapter 12 Managing Alarms: Creating, Editing, and Duplicating Alarm Thresholds. Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications[...]

12-24 Chapter 12 Managing Alarms: Creating, Editing, and Duplicating Alarm Thresholds. Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications[...]

12-25 Chapter 12 Managing Alarms: Creating, Editing, and Duplicating Alarm Thresholds. Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications[...]

12-26 Chapter 12 Managing Alarms: Creating, Editing, and Duplicating Alarm Thresholds. Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications[...]

12-27 Chapter 12 Managing Alarms: Creating, Editing, and Duplicating Alarm Thresholds. Unknown NAD. When ACS evaluates this threshold, it examines the RADIUS or TACACS+ failed authentications that have occurred during the specified time interval up to the previo[...]

12-28 Chapter 12 Managing Alarms: Creating, Editing, and Duplicating Alarm Thresholds. Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications[...]

12-29 Chapter 12 Managing Alarms: Creating, Editing, and Duplicating Alarm Thresholds. You can specify one or more filters to limit the failed authentications that are considered for threshold evaluation. Each filter is associated with a particular attribute in [...]

12-30 Chapter 12 Managing Alarms: Creating, Editing, and Duplicating Alarm Thresholds. If, in the past four hours, RBACL drops have occurred for two different source group tags as shown in the following table, an alarm is triggered, because at least one SGT has a[...]
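The two worked cases in this section, more than 10 failed authentications per Device IP in 2 hours (page 12-17) and RBACL drops per source group tag in 4 hours (above), are the same evaluation: keep only the records that pass the filters, bucket them by one attribute over the interval, and alarm on any bucket above the limit. The following is an added example, not ACS code, that implements that evaluation, including the per-attribute filters described on pages 12-15 and 12-29 and the 24-hour cap on the interval that the Unknown NAD and NAD-Reported AAA Downtime descriptions mention. The log records are constructed, and the RBACL drop limit is an assumption because the guide's own value is cut off above.

```python
from collections import Counter
from datetime import datetime, timedelta

MAX_LOOKBACK = timedelta(hours=24)   # intervals are evaluated "up to the previous 24 hours"


def evaluate_count_threshold(records, now, interval, group_by, more_than, filters=None):
    """Return {group value: count} for every group whose matching records within
    the last `interval` number more than `more_than`.

    `filters` maps attribute name -> required value; a record must match every
    entry to be considered at all (the per-attribute filters in the text).
    """
    interval = min(interval, MAX_LOOKBACK)
    start = now - interval
    counts = Counter()
    for rec in records:
        if not (start <= rec["time"] <= now):
            continue                                   # outside the evaluation window
        if filters and any(rec.get(k) != v for k, v in filters.items()):
            continue                                   # excluded by a filter
        counts[rec[group_by]] += 1
    return {group: n for group, n in counts.items() if n > more_than}


# Constructed sample data, not real ACS logs.
NOW = datetime(2013, 3, 5, 14, 0, 0)

FAILED_AUTHS = (
    # 12 RADIUS failures from one device inside the last hour: must alarm (> 10)
    [{"time": NOW - timedelta(minutes=5 * i), "device_ip": "10.0.0.5",
      "protocol": "RADIUS", "user": f"user{i}"} for i in range(12)]
    # 3 TACACS+ failures from another device: below the bar
    + [{"time": NOW - timedelta(minutes=7 * i), "device_ip": "10.0.0.6",
        "protocol": "TACACS+", "user": "admin"} for i in range(3)]
    # 5 older failures from the first device, more than 2 hours ago: ignored
    + [{"time": NOW - timedelta(hours=3, minutes=i), "device_ip": "10.0.0.5",
        "protocol": "RADIUS", "user": "user0"} for i in range(5)]
)

RBACL_DROPS = (
    [{"time": NOW - timedelta(minutes=30 * i), "sgt": 10} for i in range(7)]   # 7 drops for SGT 10
    + [{"time": NOW - timedelta(minutes=45 * i), "sgt": 20} for i in range(2)] # 2 drops for SGT 20
)


def failed_authentications_by_device(now=NOW, filters=None):
    """Page 12-17 case: more than 10 failed authentications per Device IP in 2 hours."""
    return evaluate_count_threshold(FAILED_AUTHS, now, timedelta(hours=2),
                                    "device_ip", 10, filters)


def rbacl_drops_by_sgt(now=NOW, more_than=5):
    """Page 12-30 case: RBACL drops per source group tag in 4 hours. The limit of
    5 is an assumption; the guide's own number is truncated on the page."""
    return evaluate_count_threshold(RBACL_DROPS, now, timedelta(hours=4), "sgt", more_than)


if __name__ == "__main__":
    print("failed auths, no filter:    ", failed_authentications_by_device())
    print("failed auths, TACACS+ only: ", failed_authentications_by_device(filters={"protocol": "TACACS+"}))
    print("RBACL drops per SGT:        ", rbacl_drops_by_sgt())
```

The same device produces 17 failures in the sample, but only the 12 inside the 2-hour interval count; a filter on protocol or user narrows the set before counting, so a filter that is too specific can make a noisy device disappear from the alarm entirely. Size filters to the attack you want to see, not to the attribute that happens to be convenient.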

12-31 Chapter 12 Managing Alarms: Creating, Editing, and Duplicating Alarm Thresholds. NAD-Reported AAA Downtime. When ACS evaluates this threshold, it examines the NAD-reported AAA down events that occurred during the specified interval up to the previous 24 hours. Th[...]

12-32 Chapter 12 Managing Alarms: Creating, Editing, and Duplicating Alarm Thresholds. Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications[...]

12-33 Chapter 12 Managing Alarms: Deleting Alarm Thresholds. Related Topics • Viewing and Editing Alarms in Your Inbox, page 12-3 • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Deleting Alarm Thresholds, page 12-33. Deleting Alarm Thresho[...]

12-34 Chapter 12 Managing Alarms: Configuring System Alarm Settings. Configuring System Alarm Settings. System alarms are used to notify users of: • Errors that are encountered by the Monitoring and Reporting services • Information on data purging. Use this page t[...]

12-35 Chapter 12 Managing Alarms: Understanding Alarm Syslog Targets. Understanding Alarm Syslog Targets. Alarm syslog targets are the destinations where alarm syslog messages are sent. The Monitoring and Report Viewer sends alarm notification in the form of syslog message[...]

12-36 Chapter 12 Managing Alarms: Understanding Alarm Syslog Targets. Step 4 Click Submit. Related Topics • Understanding Alarm Syslog Targets, page 12-35 • Deleting Alarm Syslog Targets, page 12-36. Deleting Alarm Syslog Targets. Note You cannot delete the defa[...]

13-1 Chapter 13 Managing Reports. The Monitoring and Report Viewer component of ACS collects log and configuration data from various ACS servers in your deployment, aggregates it, and provides interactive reports that help you analyze the data. The Monitori[...]

13-2 Chapter 13 Managing Reports. • Catalog—Monitoring and Reports > Reports > Catalog > <report_type>. For easy access, you can add reports to your Favorites page, from which you can customize and delete reports. You can customize the re[...]

13-3 Chapter 13 Managing Reports: Working with Favorite Reports. This chapter describes in detail the following: • Working with Favorite Reports, page 13-3 • Sharing Reports, page 13-6 • Working with Catalog Reports, page 13-7 • Viewing Reports, page 13-20[...]

13-4 Chapter 13 Managing Reports: Working with Favorite Reports. Step 5 Click Add to Favorite. The report is added to your Favorites page. Related Topics • Working with Favorite Reports, page 13-3 • Viewing Favorite-Report Parameters, page 13-4 • Editing[...]

13-5 Chapter 13 Managing Reports: Working with Favorite Reports. Editing Favorite Reports. After you view the existing parameters in your favorite report, you can edit them. To edit the parameters in your favorite reports: Step 1 Choose Monitoring and Reports > Reports [...]

13-6 Chapter 13 Managing Reports: Sharing Reports. The report is generated in the page. Step 3 Click Launch Interactive Viewer for more options. Related Topics • Adding Reports to Your Favorites Page, page 13-3 • Viewing Favorite-Report Parameters, page 13-[...]

13-7 Chapter 13 Managing Reports: Working with Catalog Reports. Step 7 Click Save. The report is saved in your Shared folder and is available for all users. Note The shared reports that were created in older versions of ACS do not work after you upgrade an older ve[...]

13-8 Chapter 13 Managing Reports: Working with Catalog Reports. TACACS Authentication: Provides TACACS+ authentication details for a selected time period. Passed authentications, failed attempts. TACACS Authorization: Provides TACACS+ authorization details for a[...]

13-9 Chapter 13 Managing Reports: Working with Catalog Reports. ACS Log Information: Provides ACS log information for a particular log category and ACS server for a selected time period. All log categories. ACS Operations Audit: Provides all the operational changes d[...]

13-10 Chapter 13 Managing Reports: Working with Catalog Reports. Network Device Authentication Summary: Provides the RADIUS and TACACS+ authentication summary information for a particular network device for a selected time period, along with the graphi[...]

13-11 Chapter 13 Managing Reports: Working with Catalog Reports. Running Catalog Reports. To run a report that is in the Catalog: Step 1 Select Monitoring and Reports > Reports > Catalog > report_type, where report_type is the type of report you want[...]

13-12 Chapter 13 Managing Reports: Working with Catalog Reports. The available reports for the report type you selected are displayed with the information shown in Table 13-3. Step 2 Click the radio button next to the report name you want to run, then select one of th[...]

13-13 Chapter 13 Managing Reports: Working with Catalog Reports. Note You cannot delete system reports from the Reports > Catalog pages; you can delete customized reports only. Step 2 Check one or more check boxes next to the reports you want to delete, and click Del[...]

13-14 Chapter 13 Managing Reports: Working with Catalog Reports. Related Topics • Working with Catalog Reports, page 13-7 • Understanding the Report_Name Page, page 13-14. Understanding the Report_Name Page. Note Not all options listed in Table 13-5 are used in se[...]

13-15 Chapter 13 Managing Reports: Working with Catalog Reports. Identity Group: Enter an identity group name or click Select to enter a valid identity group name on which to run your report. Device Name: Enter a device name or click Select to enter a valid device name on [...]

13-16 Chapter 13 Managing Reports: Working with Catalog Reports. Command Accounting Only: Check the check box to enable your report to run for command accounting. Top: Use the drop down list box to select the number of top (most frequent) authentications by acce[...]

13-17 Chapter 13 Managing Reports: Working with Catalog Reports. Related Topics • Working with Catalog Reports, page 13-7 • Working with Favorite Reports, page 13-3 • Available Reports in the Catalog, page 13-7 • Running Catalog Reports, page 13-11. Enablin[...]

13-18 Chapter 13 Managing Reports: Working with Catalog Reports. Changing Authorization and Disconnecting Active RADIUS Sessions. Note Some of the NADs in your deployment do not send an Accounting Stop or Accounting Off packet after a reload. As a result of this[...]

13-19 Chapter 13 Managing Reports: Working with Catalog Reports. Figure 13-3 CoA Options. Step 4 Click Run to reauthenticate or disconnect the RADIUS session. If your change of authorization fails, it might be because of any of the following reasons: • Device does [...]
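When you click Run, the reauthenticate or disconnect action reaches the network device as a RADIUS Disconnect-Request or CoA-Request as defined in RFC 5176, and the device acts on it only if the packet's Request Authenticator verifies under the shared secret it has configured for the ACS node. The following is an added example, not ACS code, that builds a Disconnect-Request identifying the session, performs the check a device makes before honouring it, and produces and verifies the ACK or NAK that comes back. The secret, user name, session ID and NAS address are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes from RFC 5176 (Dynamic Authorization Extensions).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types used to identify the session (RFC 2865 / RFC 2866).
USER_NAME, NAS_IP_ADDRESS, ACCT_SESSION_ID = 1, 4, 44


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets too."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _header(code: int, identifier: int, attrs: bytes) -> bytes:
    """Code, Identifier and total Length (20-octet fixed header plus attributes)."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs))


def build_disconnect_request(identifier: int, secret: bytes, user_name: str,
                             acct_session_id: str, nas_ip: str) -> bytes:
    attrs = (encode_attribute(USER_NAME, user_name.encode())
             + encode_attribute(ACCT_SESSION_ID, acct_session_id.encode())
             + encode_attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = _header(DISCONNECT_REQUEST, identifier, attrs)
    # RFC 5176 section 2.3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def request_authenticator_valid(packet: bytes, secret: bytes) -> bool:
    """The check a NAD performs before acting on a Disconnect/CoA-Request."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False                           # declared Length must match the datagram
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """ACK or NAK from the NAD; the Response Authenticator binds it to the request."""
    header = _header(code, request[1], attrs)
    # RFC 5176 section 2.3: Response Authenticator =
    #   MD5(Code + Identifier + Length + Request Authenticator + Attributes + Secret)
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def response_valid(response: bytes, request: bytes, secret: bytes) -> bool:
    """What the sender (here, the ACS side) checks on the returned ACK/NAK."""
    header, auth, attrs = response[:4], response[4:20], response[20:]
    if response[1] != request[1]:
        return False                           # Identifier must echo the request
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


# Constructed values for illustration; no real secret, user or session.
SECRET = b"example-shared-secret"
REQUEST = build_disconnect_request(7, SECRET, "alice", "0000ABCD", "192.0.2.10")

if __name__ == "__main__":
    ack = build_response(DISCONNECT_ACK, REQUEST, SECRET)
    print("Disconnect-Request:", REQUEST.hex())
    print("request verifies:", request_authenticator_valid(REQUEST, SECRET),
          " ack verifies:", response_valid(ack, REQUEST, SECRET))
```

The only thing authenticating a Disconnect-Request is this MD5 over the packet and the shared secret, so the secret's strength, and the device's list of hosts it accepts dynamic authorization from, are what stand between anyone who can reach the device's CoA port and a forged disconnect (denial of service) or a forged CoA (an authorization change). RFC 5176 also recommends including a Message-Authenticator attribute; a device configured with a different secret than ACS, or one that has no dynamic-authorization client entry for the ACS node, will silently discard the request, which is one way the change of authorization described above can fail.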

13-20 Chapter 13 Managing Reports: Viewing Reports. Note If you save the customized report with the same name as the original system report (overwriting the original system report), you cannot delete it. To restore a customized report to the default, preconfig[...]

13-21 Chapter 13 Managing Reports: Viewing Reports. About Standard Viewer. From Standard Viewer, you can open a table of contents, navigate the report, export data to spreadsheet format, and print the report. You can click Launch Interactive Viewer to close Standa[...]

13-22 Chapter 13 Managing Reports: Viewing Reports. Figure 13-5 Context Menu for Labels in Interactive Viewer. If the report contains a chart, you can use the context menu for charts, shown in Figure 13-6, to modify the chart's formatting, subtype, and other prop[...]

13-23 Chapter 13 Managing Reports: Viewing Reports. Using the Table of Contents. In the viewer, you can open a table of contents to view the report structure and navigate the report. To open the table of contents, choose the table of contents button in the toolbar.[...]

13-24 Chapter 13 Managing Reports: Viewing Reports. Exporting Report Data. The viewer supports the ability to export report data to an Excel spreadsheet as a comma-separated values (.csv) file, pipe-separated values (.psv) file, or a tab-separated values (.tsv) fi[...]

13-25 Chapter 13 Managing Reports: Viewing Reports. Figure 13-12 The Export Data Dialog Box. Available Result Sets lists the tables in the report. Available Columns lists the columns you can export from the specified table. You can export any of the data the report us[...]

13-26 Chapter 13 Managing Reports: Viewing Reports. Printing Reports. You can print a report that appears in the viewer in HTML or PDF format. Because you can modify the report in Interactive Viewer, Interactive Viewer supports printing either the original repo[...]

13-27 Chapter 13 Managing Reports: Formatting Reports in Interactive Viewer. Figure 13-13 Save Dialog Box. Step 2 Navigate to the location where you want to save the file. Step 3 Type a file name and click Save. Step 4 Click OK in the confirmation message that appea[...]

13-28 Chapter 13 Managing Reports: Formatting Reports in Interactive Viewer. The text of a column header comes from the data source. If the data source displays column headers in capital letters with no spaces between words, the report design displays column hea[...]

13-29 Chapter 13 Managing Reports: Formatting Reports in Interactive Viewer. • Modify the font, color, style, and other properties of the text. • Specify that the column displays uppercase or lowercase. • Modify the default formatting of the data value in an agg[...]

13-30 Chapter 13 Managing Reports: Formatting Reports in Interactive Viewer. Formatting Data in Aggregate Rows. An aggregate row displays a total, average, or other summary data for a column. You learn how to create an aggregate row in a later chapter. Figure 13-[...]

13-31 Chapter 13 Managing Reports: Formatting Reports in Interactive Viewer. Formatting Numeric Data. Numeric data can take several forms. A column of postal codes requires different formatting from a column of sales figures. Figure 13-16 shows the numeric formats [...]

13-32 Chapter 13 Managing Reports: Formatting Reports in Interactive Viewer. The data type of a column is determined by the data source. Keep in mind that a text or string data type can contain numeric digits. A telephone number, for example, is frequently string[...]

13-33 Chapter 13 Managing Reports: Formatting Reports in Interactive Viewer. Formatting Custom Numeric Data. To define a custom format, you use special symbols to construct a format pattern. A format pattern shows where to place currency symbols, thousands separators,[...]

13-34 Chapter 13 Managing Reports: Formatting Reports in Interactive Viewer. 415-555-2121. You can create custom formats for string data. Table 13-8 describes the symbols you can use to define custom string formats. Table 13-9 shows examples of custom string [...]

13-35 Chapter 13 Managing Reports: Formatting Reports in Interactive Viewer. Step 4 Click Apply. Formatting Date and Time. The appearance of date and time data depends on the locale in which you are working. For example, the following date and time are correct for the U.S[...]

13-36 Chapter 13 Managing Reports: Formatting Reports in Interactive Viewer. To create a custom date or time format: Step 1 Select a date-and-time column, then click Format. The Date or Time column format window appears. Step 2 In Format Date or Time As [...]

13-37 Chapter 13 Managing Reports: Formatting Reports in Interactive Viewer. Figure 13-17 Specifying Display Values for True and False. Applying Conditional Formats. Conditional formatting changes the formatting of data when a certain condition is true. For example[...]

13-38 Chapter 13 Managing Reports: Formatting Reports in Interactive Viewer. After you create the condition, you set the format in which to display data that meets the condition. The format applies to the column in Select Column, not to the column you use to set the[...]

13-39 Chapter 13 Managing Reports: Formatting Reports in Interactive Viewer. Figure 13-20 Two Comparison Value Fields Appear for the Between Operator. The values for the comparison can be typed in directly or derived from the specified report column. Select Chang[...]

13-40 Chapter 13 Managing Reports: Formatting Reports in Interactive Viewer. To add additional conditional formatting rules, select Add Rule and repeat steps 3 and 4 for each new rule. Step 6 Click Apply. The report design appears with the specified conditional for[...]

13-41 Chapter 13 Managing Reports: Organizing Report Data. Step 4 Click Apply. Setting and Removing Page Breaks in a Group Column. In Interactive Viewer, if your report design has grouped data, you can set page breaks before or after the grouped data. Step 1 Selec[...]

13-42 Chapter 13 Managing Reports: Organizing Report Data. Displaying and Organizing Report Data. After you access a data source and select the data set to use, you determine the best way to display the data in a report. There are several ways to organize data sets: [...]

13-43 Chapter 13 Managing Reports: Organizing Report Data. Figure 13-25 Report Displaying Customers Grouped by Country. Step 2 Select Column > Move to Group Header. The Move to Group Header window appears, as shown in Figure 13-26. Figure 13-26 Move to Group Head[...]

13-44 Chapter 13 Managing Reports: Organizing Report Data. Figure 13-27 Report Displaying Customer Name in Each Group Header. Removing Columns. To remove a column, select the column and click Delete. When you remove a column from the report, you are not deleting th[...]

13-45 Chapter 13 Managing Reports: Organizing Report Data. Step 3 Select any items you want to hide or deselect any hidden items you want to display. To display all hidden items, click Clear. Step 4 Click Apply. Hiding Columns. To hide or display columns: Step 1 Select [...]

13-46 Chapter 13 Managing Reports: Organizing Report Data. Figure 13-29 Separate Columns. In Figure 13-30, the data from these two columns is merged into one column. Figure 13-30 Merged Column. To merge data in multiple columns: Step 1 Select and right-click the co[...]

  • Página 417

    13-47 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 3 Managing Reports Or ganizing Report Data Selectin g a Colu mn from a Merged C olumn Y ou can aggrega te, filter , and group data in a colu mn that contain s data that is mer ged from multiple column s. Y o u must first select one of the colum ns on which to aggre[...]

  • Página 418

    13-48 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapt er 13 Ma nagin g Re ports Organizin g Report Data When you sort multiple columns, it is important t o unders tand the order of precedence for the sort. I n Adv anced Sort, the fi rst column y ou select is the pri mary sorting col umn. Report data is sor ted f irst b y [...]

  • Página 419

    13-49 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 3 Managing Reports Or ganizing Report Data Grouping Data A report can conta in a great deal of data. Consider the task of listing e very item a corporation o wns, along w ith infor mation suc h as the pur chas e price, pu rchase da te, inve ntory ta g numbe r , a n[...]

  • Página 420

    13-50 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapt er 13 Ma nagin g Re ports Organizin g Report Data Figur e 13-33 Groupe d D ata Y o u can group da ta in the re port desi gn editor or i n Intera ctive V iewer . The chan ges you ma ke in the viewer do not affect the report design . If you work in En terpri se mode, yo [...]

  • Página 421

    13-51 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 3 Managing Reports Or ganizing Report Data Step 2 From the co ntext menu , select Group > A dd Group . The Grou p Detail dialog box appe ars, as shown in Figure 13- 35 . Figur e 13-35 Groupi ng D at e or Time D ata Step 3 T o sho w ev ery date or tim e v alue, l[...]

  • Página 422

    13-52 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapt er 13 Ma nagin g Re ports Organizin g Report Data Step 2 From the co ntext menu , select Group > Delete Inner Group . Creating Rep ort Calculation s Most report s requir e some sort of calc ulation s to track sales, finances, inv entory , an d other cr itical b usin[...]

  • Página 423

    13-53 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 3 Managing Reports Or ganizing Report Data Figur e 13-38 Selecting a F unction Understanding Supported C alculation Functions T able 13- 11 provides examples of the functi ons you ca n use to create calcula tions. Note Th e Calcula tion dialo g box does not supp or[...]

  • Página 424

    13-54 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapt er 13 Ma nagin g Re ports Organizin g Report Data AND Combines tw o condition s and retur n s records that match bot h cond itions . For example, you ca n reque st records from cus tomers w ho spend more than $50,0 00 a year and al so have a cre dit r ank o f A. This f[...]

  • Página 425

    13-55 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 3 Managing Reports Or ganizing Report Data False The B oolean False. Thi s funct ion i s used in expression s to in dicate that an argumen t is f a lse. In the follo wing exampl e, False ind icates that the se cond argume nt, asc ending, is false and th erefor e th[...]

  • Página 426

    13-56 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapt er 13 Ma nagin g Re ports Organizin g Report Data ISBO TTOMN(e xpr, n) Displays T rue if the value is withi n the lo west n va lues for th e e xpress ion, and Fals e ot herwi s e. ISBOTTOMN([OrderTotals], 50) ISBO TTOMN(expr, n, groupL ev e l) Displays T rue if the val[...]

  • Página 427

    13-57 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 3 Managing Reports Or ganizing Report Data LIKE(str ) Displays T rue if the va lues match, and F alse otherwise. Use SQL syntax to specify the string pattern. The foll owing rules apply: • Literal patt ern charac ters must match e xactly . LIKE is case-sensiti ve[...]

  • Página 428

    13-58 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapt er 13 Ma nagin g Re ports Organizin g Report Data OR The logical OR operator . This functio n is used to connect cl auses in an expression and do es not take arguments. PERCENTIL E(expr , pc t) Displays a per centile v alue, a v alue on a sc ale of 100 that i ndica tes[...]

  • Página 429

    13-59 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 3 Managing Reports Or ganizing Report Data R OUNDDO W N(num) Rounds a nu mber do wn. ROUNDDOWN([StockPrice]) R OUNDDO W N(num, dec) Rounds a number do wn, awa y from 0, to the spe cified numbe r of digi ts. Th e defa ult value for dec is 0. ROUNDDOWN([StockPrice], [...]

  • Página 430

    13-60 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapt er 13 Ma nagin g Re ports Organizin g Report Data WEEKD A Y(date, option) Displays the day of the week in one of the follo wing format opti ons: • 1 - Re tur ns the day n umber, from 1 ( Sund ay) throu gh 7 (Saturda y). 1 is the defau lt option . • 2 - Re turns t h[...]

  • Página 431

    13-61 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 3 Managing Reports Or ganizing Report Data Understanding Supported Operat ors T able 13- 12 descr ibes t he ma themat ical and l ogica l op erators you c an u se in w riting expressi ons tha t create ca lculat ed columns. Using Numbers and Dates in an Expression Wh[...]

  • Página 432

    13-62 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapt er 13 Ma nagin g Re ports Organizin g Report Data Using Multiply Values i n Calculated Columns T o use multiply v alues in calculated columns: Step 1 Selec t a col umn. In t he repo rt, the new calc ulate d co lumn appears to the right of the column yo u select . Step [...]

  • Página 433

    13-63 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 3 Managing Reports Or ganizing Report Data Step 7 For the second argume nt, typ e the numbe r of days to ad d. In this ca se, type 7. Step 8 V alidate t he e xpressi on, the n click A pply . The ne w calculat ed column ap pears i n the r eport . Fo r e very v alue [...]

  • Página 434

    13-64 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapt er 13 Ma nagin g Re ports Organizin g Report Data Figur e 13-39 Aggr egat e Row f or a Gr oup T able 13- 13 shows the aggregate functions that you ca n use. T a bl e 1 3-1 3 A ggregate Func ti ons Aggr egat e fun ctio ns Desc rip tion A verage C alculat es the av erage[...]

  • Página 435

    13-65 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 3 Managing Reports Or ganizing Report Data Creating an Ag gregate Data Row T o create an aggre gate data r ow: Step 1 Select a column , then selec t Aggregation . The Aggre gation di alog box appe ars. The name of the co lumn you selected is lis ted in the Selec te[...]

  • Página 436

    13-66 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapt er 13 Ma nagin g Re ports Organizin g Report Data Adding Addi tional Aggregate Rows After y ou cr eat e a si ngle a ggregate row for a colu mn, y ou can add u p to two mor e ag gregate r ows for the same column. For an item total co lumn, for e xample, you can create a[...]

  • Página 437

    13-67 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 3 Managing Reports Hiding and F ilteri ng Re port Da ta Deleting A ggregate Ro ws T o delete an aggre gate row : Step 1 Select the calcul ated co lumn that contains the agg reg ation y ou wa nt to re mov e, then sel ect Aggregati on . The Aggregatio n dial og bo x [...]

  • Página 438

    13-68 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapt er 13 Ma nagin g Re ports Hiding an d Filter ing Report D ata Figur e 13-43 Suppr essed V alues Y o u can sup press d uplicat e values to ma ke your report easier t o read . Y ou can su ppress only co nsecu tiv e occurre nces of dup licate v alues. In the Locatio n col[...]

  • Página 439

    13-69 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 3 Managing Reports Hiding and F ilteri ng Re port Da ta Figur e 13-44 Gr oup D etail Row s Display ed Figure 13-45 shows the results of hidin g the detail rows for the creditra nk groupin g. Figur e 13-45 Gr oup D etail Rows Hidden • T o col lapse a group or sec [...]

  • Página 440

    13-70 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapt er 13 Ma nagin g Re ports Hiding an d Filter ing Report D ata Types of Filter Conditions T able 13- 15 describes the types of filt er conditions and provides e xamples of how f ilter conditions are translat ed into i n structions to the d ata sourc e. Bottom N Returns [...]

  • Página 441

    13-71 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 3 Managing Reports Hiding and F ilteri ng Re port Da ta Setting Filter Values After y ou choose a co nditi on, you set a filte r value. Step 1 T o vie w all the v alues for th e selected column, se lect Select V alues . Additiona l fields appear in the Filte r dial[...]

  • Página 442

    13-72 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapt er 13 Ma nagin g Re ports Hiding an d Filter ing Report D ata Figur e 13-46 Selecting a Fil ter V alue in In ter active V iewer Step 2 T o sear ch for a valu e, type the v alue in the Fin d V alue f ield, t hen clic k Fi nd . All v alues that match you r f ilter te xt [...]

  • Página 443

    13-73 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 3 Managing Reports Hiding and F ilteri ng Re port Da ta Step 3 From the Conditi o n pulldo wn menu, select a c o ndition. T able 1 3-14 descri bes t he cond itions you ca n select . • If yo u sele ct Be tween or No t Betwee n , Va l u e F r o m and Va l u e To , [...]

  • Página 444

    13-74 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapt er 13 Ma nagin g Re ports Hiding an d Filter ing Report D ata Figur e 13-47 The A dvance d Filter D ialog Bo x in Inte rac tiv e V iewe r Adv anced Filter provides a great d eal of flex ibility in settin g the filte r valu e. For conditions that test equality and for t[...]

  • Página 445

    13-75 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 3 Managing Reports Hiding and F ilteri ng Re port Da ta Step 7 V alidate the fi lter syntax b y clic king V alidate . Y ou hav e no w created a filte r with one conditi on. The nex t step is to add conditi o ns. Step 8 Foll ow steps Step 3 to Step 7 to create ea ch[...]

  • Página 446

    13-76 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapt er 13 Ma nagin g Re ports Underst anding Chart s Step 2 From the Fi lter pul ldown menu, se lect a pa rticular numbe r of rows or a p ercenta ge of rows, a s shown in Figure 13-48 . Step 3 Enter a v alue in the f ield next t o the Filter pu lldow n menu to specif y the[...]

  • Página 447

    13-77 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 3 Managing Reports Unde rsta ndin g Ch arts Figu re 13-49 Parts of a Basi c Bar Chart Ther e are a variety of ch art types. Some typ es of data are best depic ted wit h a specific type of ch art . Charts can be use d as reports in them selves a nd they can be used [...]

  • Página 448

    13-78 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapt er 13 Ma nagin g Re ports Underst anding Chart s Changing Chart Subtype char ts have subtyp es, w hich you ca n cha nge as nee ded: • Bar char t—Side-by-Side , Stacked, Per cent Stacked • Line c hart—Ov erlay , Stack ed, Percent Stacked • Area c hart—Ov erl[...]

  • Página 449

    13-79 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 3 Managing Reports Unde rsta ndin g Ch arts Figu re 13-50 Ch art For matting Opti ons Y o u use this page to: • Edit a nd format the default chart title. • Edit an d format the defaul t title for the categor y , or x-, axis. • Modify settin gs for t he la bel[...]

  • Página 450

    13-80 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapt er 13 Ma nagin g Re ports Underst anding Chart s[...]

  • Página 451

    14-1 Chapter 14 Troubleshooting ACS with the Monitoring and Report Viewer This chapter describes the diagnostic and troubleshooting tools that the Monitoring and Report Viewer provides for the Cisco Secure Access Control System. This chapter contains the foll[...]

  • Page 452

    14-2 Support bundles typically contain the ACS database, log files, core files, and Monitoring and Report Viewer support files. You can exclude cert[...]

  • Page 453

    14-3 Performing Connectivity Tests You can test your connectivity to a network device with the device's hostname or IP address. For example, you can verify your conn[...]

  • Page 454

    14-4 Related Topics • Available Diagnostic and Troubleshooting Tools, page 14-1 • Connectivity Tests, page 14-1 • ACS Support Bu[...]

  • Page 455

    14-5 • Include local logs—Check this check box to include local logs, then click All, or click Recent and enter a value from 1 to 999 in t[...]

  • Page 456

    14-6 Working with Expert Troubleshooter The following sections describe how to use the Expert Troubleshooter diagnostic tools: • Troubleshooting RADIUS Authen[...]

  • Page 457

    14-7 Step 4 Click Search to display the RADIUS authentications that match your search criteria. The Search Result table is populated with the results of your search[...]

  • Page 458

    14-8 The Expert Troubleshooter begins to troubleshoot your RADIUS authentication. The Monitoring and Report Viewer prompts you for additional input, if requir[...]

  • Page 459

    14-9 Step 8 Click Done to return to the Expert Troubleshooter. The Progress Details page refreshes periodically to display the tasks that are performed as troubleshootin[...]

  • Page 460

    14-10 Executing the Show Command on a Network Device The Execute Network Device Command diagnostic tool allows you to run any show command on a network device from t[...]

  • Page 461

    14-11 Step 3 Click Run. The Progress Details page appears. The Monitoring and Report Viewer prompts you for additional input. Step 4 Click the User Input Required butt[...]

  • Page 462

    14-12 Comparing SGACL Policy Between a Network Device and ACS For Security Group Access-enabled devices, ACS assigns an SGACL for every source SGT-destination SGT pa[...]

  • Page 463

    14-13 Use this diagnostic tool to compare the SXP-IP mappings between a device and its peers. To do this: Step 1 Choose Monitoring and Reports > Troubleshooting >[...]

  • Page 464

    14-14 Step 4 Click SXP-IP Mappings from the list of troubleshooting tools. The Expert Troubleshooter page refreshes and shows the following field: Network Device IP[...]

  • Page 465

    14-15 Step 10 Click Show Results Summary to view the diagnosis and resolution steps. The Results Summary page appears with the information described in Table 14-[...]

  • Page 466

    14-16 Step 6 Click Show Results Summary to view the diagnosis and resolution steps. Related Topics • Available Diagnostic and Troubleshooting Tools, page 14-1 •[...]

  • Page 467

    14-17 Step 3 Click Run. The Progress Details page appears with a summary. Step 4 Click Show Results Summary to view the results of device SGT comparison. The Resu[...]

  • Page 468

    14-18 [...]

  • Page 469

    15-1 Chapter 15 Managing System Operations and Configuration in the Monitoring and Report Viewer This chapter describes the tasks that you must perform to configure and administer the Monitoring and Report Viewer. The Monitoring Configuration drawer allows you[...]

  • Page 470

    15-2 • Configure and edit failure reasons—The Monitoring and Report Viewer allows you to configure the description of the failure reason code and provide instruction[...]

  • Page 471

    15-3 • Configuring System Alarm Settings, page 15-18 • Configuring Alarm Syslog Targets, page 15-18 • Configuring Re[...]

  • Page 472

    15-4 If you enable incremental backup, data is purged daily at 4:00 a.m. at the local time zone where the ACS instance t[...]

  • Page 473

    15-5 only the log collector services during compress operation and will be up and running after the compress operatio[...]

  • Page 474

    15-6 From the Monitoring and Report Viewer, select Monitoring Configuration > System Operations > Data Management > [...]

  • Page 475

    15-7 Configuring NFS Staging If the utilization of /opt exceeds 30 percent, then you are required to use NFS staging with a remote repository in or[...]

  • Page 476

    15-8 Step 2 Choose a backup file that you want to restore. Note If you choose an incremental backup file to restore, ACS restores all previously as[...]

  • Page 477

    15-9 Related Topic Log Collection Details Page, page 15-10 Table 15-3 Log Collection Page Option Description ACS Server Name of the ACS server. Clic[...]

  • Page 478

    15-10 Log Collection Details Page Use this page to view the recently collected log names for an ACS server. Step 1 From the Monitoring and Report Vie[...]

  • Page 479

    15-11 Related Topic • Viewing Log Collections, page 15-8 Table 15-4 Log Collection Details Page Option Description Log Name Name of the log file. La[...]

  • Page 480

    15-12 Recovering Log Messages ACS server sends syslog messages to the Monitoring and Report Viewer for the activities such as passed authentication, [...]

  • Page 481

    15-13 Note When you change any schedule through the ACS web interface, for the new schedule to take effect, you must manually restart the Job Mana[...]

  • Page 482

    15-14 Viewing Process Status Use this page to view the status of processes running in your ACS environment. From the Monitoring and Report Viewer, se[...]

  • Page 483

    15-15 Viewing Data Upgrade Status After you upgrade to ACS 5.4, ensure that the Monitoring and Report Viewer database upgrade is complete. Y[...]

  • Page 484

    15-16 Related Topic Viewing Failure Reasons, page 15-15 Specifying E-Mail Settings Use this page to specify the e-mail server and administrator e[...]

  • Page 485

    15-17 Understanding Collection Filters You can create collection filters that allow you to filter and drop syslog events that are not used for [...]

  • Page 486

    15-18 Step 3 Click Submit. Related Topics • Creating and Editing Collection Filters, page 15-17 • Deleting Collection Filters, page 15-1[...]

  • Page 487

    15-19 Note ACS does not support remote database with cluster setup. To configure a remote database: Step 1 From the Monitoring and Rep[...]

  • Page 488

    15-20 Note You can view the status of your export job in the Scheduler. See Viewing Scheduled Jobs, page 15-12 for more informati[...]

  • Page 489

    CH A P T E R 16-1 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 16 Managing System Administrators System adm inistra tors ar e respon sible for depl oying, c onfiguring, m aintaini ng, and monitori ng the A C S servers in your network. Th ey can perform va rious opera tions in ACS through the A CS administra tiv e interface. [...]

  • Página 490

    16-2 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 16 Managing Sy stem Administr ators Underst anding Adminis trator Roles and Ac count s • Conf igure administrator session setting • Conf igure ad ministr ator a ccess settin g The first time y ou log in to A C S 5.4, you ar e promp ted for th e predefined adm inis[...]

  • Página 491

    16-3 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 6 Managing Sys tem Ad ministrato rs Config uring Syst em Admini strator s and Accounts When these steps are co mpleted , def ined administr ators can lo g in and star t working in the syste m. Understanding Authentication An authenti cation request is the f irst ope[...]

  • Página 492

    16-4 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 16 Managing Sy stem Administr ators Underst anding Role s • Dynamic Role assign ment—Rol es are a ssigned ba sed on the rul es in the A A C authoriz ation policy . Assigning Static Roles A CS 5.4 allows you to assign the administrator roles static ally to an inter[...]

  • Página 493

    16-5 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 6 Managing Sys tem Ad ministrato rs Underst anding Ro les Predefined Roles T able 16- 1 shows the pred efin ed roles included in A CS: T able 16-1 Pr edefined Role Descr iptions Role Privileges Change Admin Password This role is in tended for A CS ad ministr ators w[...]

  • Página 494

    16-6 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 16 Managing Sy stem Administr ators Underst anding Role s Note At first logi n, only the Su per Ad min is assigne d to a spec ific admini strator . Related Topics • Administrator Accounts an d Role Association • Creating, Duplicating, Editing, and Deleting Adminis[...]

  • Página 495

    16-7 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 6 Managing Sys tem Ad ministrato rs Creating, Duplicating, Editing, and Deleting Administrator Accounts Only appr opriate a dministrators can conf igure ident ities and certif icates. The iden tities co nfi gured in t he System Administr ation dra wer are av ailable[...]

  • Página 496

    16-8 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 16 Managing Sy stem Administr ators Creating, Du plica ting, Edit ing, and Del eting Ad minis trator Ac counts Step 2 Do any of the f ollowing: • Click Cr eate . • Check t he check box next to the a ccount that you want to du plicat e an d cli ck Duplicate . • C[...]

  • Página 497

    16-9 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 6 Managing Sys tem Ad ministrato rs Viewing Predefined Roles Step 4 Click Submit . The new account is sav ed. The Admi nistrat ors page app ear s, with the new account th at you cre ated or duplicat ed. Related Topics • Understa nding R oles, p age 16- 3 • Admin[...]

  • Página 498

    16-10 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 16 Managing Sy stem Administr ators Configuring A uthenti cation Set tings for Ad ministra tors Choose System Administratio n > Administrators > Roles . The Rol es pag e ap pears with a li st of pr edefine d role s. T able 16-4 describes the Roles page fields. [...]

  • Página 499

    16-11 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 6 Managing Sys tem Ad ministrato rs Configuring Authentication Settings for Administrators The Pa ssword Polic ies page a ppears with t he Passw ord Comple xity and Ad v anced tabs. Step 2 In the Pas sw ord C omp lexi ty tab, c heck each check box th at y ou w ant [...]

  • Página 500

    16-12 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 16 Managing Sy stem Administr ators Configuring Se ssion Idl e Timeout Note A CS auto matical ly deact iv ates o r disable s your a ccount ba sed on yo ur last l ogin, la st password chan ge, or numbe r of login retrie s. Th e CL I and PI us er a ccount s are b loc k[...]

  • Página 501

    16-13 User Guide for C isco Secur e Access Cont rol System 5.4 OL-26225-01 Chapter 1 6 Managing Sys tem Ad ministrato rs Configuring Administrator Access Settings Step 1 Choose System Administration > Administrators > Settings > Session . The GUI Session pa ge appears. Step 2 Enter the Session Idle T imeout v alue in minutes. V a lid v alu[...]

  • Página 502

    16-14 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapter 16 Managing Sy stem Administr ators Working with Administrative Access Control Step 1 Choose System Administration > Administrators > Settings > Access . The IP A ddresses Filter ing page appears. Step 2 Click Reject connections from liste d IP a ddresses ra[...]

  • Page 503

    16-15 Chapter 16 Managing System Administrators. Working with Administrative Access Control. The AAC service processes these two policies in a sequence. You need to configure both the Administrator identity policy and the Administrator authorization policy. The de[...]

  • Page 504

    16-16 Chapter 16 Managing System Administrators. Working with Administrative Access Control. In cases where Deny Access is selected as the result, the access of the administrator is denied. In a rule-based policy, each rule contains one or more conditions and a result, [...]

  • Page 505

    16-17 Chapter 16 Managing System Administrators. Working with Administrative Access Control. To configure a rule-based policy, see these topics: • Creating Policy Rules, page 10-38 • Duplicating a Rule, page 10-39 • Editing Policy Rules, page 10-39 • Deleti[...]

  • Page 506

    16-18 Chapter 16 Managing System Administrators. Working with Administrative Access Control. Configuring Identity Policy Rule Properties. You can create, duplicate, or edit an identity policy rule to determine the identity databases that are used to authenticate the admin[...]

  • Page 507

    16-19 Chapter 16 Managing System Administrators. Working with Administrative Access Control. Administrator Authorization Policy. The authorization policy in the Administrative Access Control is used for dynamically assigning roles to administrators upon login. The role [...]

  • Page 508

    16-20 Chapter 16 Managing System Administrators. Working with Administrative Access Control. Configuring Administrator Authorization Rule Properties. Use this page to create, duplicate, and edit the rules to determine administrator roles in the AAC access service. Select Sy[...]

  • Page 509

    16-21 Chapter 16 Managing System Administrators. Working with Administrative Access Control. Administrator Login Process. When an administrator logs in to the ACS web interface, ACS 5.4 performs the authentication as given below. If an administrator account is con[...]
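
The identity policy, the authorization policy and the login sequence described on pages 16-15 through 16-21 above, modelled as one added Python example (not ACS code and not from the guide): rules are evaluated first-match, each rule is a set of conditions plus a result, a result of Deny Access stops the login, and the identity store chosen by the first policy is the one whose result feeds the second. The identity stores, the attribute names used in conditions and the plaintext credential check are constructed for the example only.

```python
"""First-match evaluation of the two Administrative Access Control (AAC)
policies the guide describes: the identity policy chooses the identity
store that authenticates the administrator, and the authorization policy
maps the login to roles.  Added example, not ACS code; the condition
attributes, store contents and credential check are constructed here."""
import hmac

DENY = "Deny Access"


class Rule:
    """One policy rule: every condition must hold for the rule to match."""

    def __init__(self, name, conditions, result):
        self.name = name
        self.conditions = conditions   # {attribute: value or set of allowed values}
        self.result = result           # store name, set of roles, or DENY

    def matches(self, attrs):
        for key, want in self.conditions.items():
            have = attrs.get(key)
            if isinstance(want, (set, frozenset)):
                if have not in want:
                    return False
            elif have != want:
                return False
        return True


def evaluate(rules, attrs, default):
    """Return (rule_name, result) for the first matching rule, else the default."""
    for rule in rules:
        if rule.matches(attrs):
            return rule.name, rule.result
    return "default", default


def admin_login(username, password, attrs, stores, identity_rules, authz_rules,
                identity_default=DENY, authz_default=DENY):
    """Identity policy -> authenticate against the chosen store -> authorization policy."""
    _, store_name = evaluate(identity_rules, attrs, identity_default)
    if store_name == DENY:
        return {"allowed": False, "reason": "identity policy denied"}
    record = stores.get(store_name, {}).get(username)
    if record is None:
        return {"allowed": False, "reason": "user not found in %s" % store_name}
    if not hmac.compare_digest(record["password"], password):
        return {"allowed": False, "reason": "bad password"}
    # authorization conditions may use attributes the store returned (e.g. group)
    authz_attrs = dict(attrs, **record.get("attributes", {}))
    _, roles = evaluate(authz_rules, authz_attrs, authz_default)
    if roles == DENY:
        return {"allowed": False, "reason": "authorization policy denied"}
    return {"allowed": True, "roles": sorted(roles)}


# Constructed stores and rules for the example (plaintext passwords only because
# this models the decision flow, not a credential store).
STORES = {
    "Internal Users": {"acsadmin": {"password": "pw1", "attributes": {"group": "NetOps"}}},
    "AD1": {"jdoe": {"password": "pw2", "attributes": {"group": "Helpdesk"}},
            "guest": {"password": "pw3", "attributes": {"group": "Contractors"}}},
}
IDENTITY_RULES = [Rule("corp-users-via-AD", {"client_domain": "corp"}, "AD1")]
AUTHZ_RULES = [
    Rule("netops-superadmin", {"group": "NetOps"}, {"SuperAdmin"}),
    Rule("helpdesk-readonly", {"group": {"Helpdesk", "ServiceDesk"}}, {"ReadOnlyAdmin"}),
]


def login(username, password, client_domain):
    return admin_login(username, password, {"client_domain": client_domain}, STORES,
                       IDENTITY_RULES, AUTHZ_RULES, identity_default="Internal Users")
```

The two defaults are the security-relevant knobs: the identity default decides which store an unmatched administrator is authenticated against, and the authorization default of Deny Access means an authenticated user who matches no role rule still gets no access, which is the safe setting for a rule table that will grow over time.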

  • Page 510

    16-22 Chapter 16 Managing System Administrators. Resetting the Administrator Password. Note: If the administrator password on the AD or LDAP server is expired or reset, then ACS denies the administrator access to the web interface. Resetting the Administrator Passwo[...]

  • Page 511

    16-23 Chapter 16 Managing System Administrators. Changing the Administrator Password. The administrator password is created. You can also use the acs reset-password command to reset your ACSAdmin account password. For more information on this command, refer to http://[...]

  • Page 512

    16-24 Chapter 16 Managing System Administrators. Changing the Administrator Password[...]

  • Page 513

    17-1 CHAPTER 17 Configuring System Operations. You can configure and deploy ACS instances so that one ACS instance becomes the primary instance and the other ACS instances can be registered to the primary as secondary instances. An ACS instance represents A[...]

  • Page 514

    17-2 Chapter 17 Configuring System Operations. Understanding Distributed Deployment. • Using the Deployment Operations Page to Create a Local Mode Instance, page 17-23. Understanding Distributed Deployment. You can configure multiple ACS servers in a deployment. Wi[...]

  • Page 515

    17-3 Chapter 17 Configuring System Operations. Understanding Distributed Deployment. ACS 5.4 supports one primary and twenty secondary servers in a large ACS deployment. The medium ACS deployment consists of one primary and twelve secondary servers. Also, all ACS [...]

  • Page 516

    17-4 Chapter 17 Configuring System Operations. Understanding Distributed Deployment. Removing Secondary Servers. To permanently remove a secondary server from a deployment, you must first deregister the secondary server and then delete it from the primary. You [...]

  • Page 517

    17-5 Chapter 17 Configuring System Operations. Understanding Distributed Deployment. When the connection to the primary server resumes, you can reconnect the disconnected secondary instance in Local Mode to the primary server. From the secondary instance in Lo[...]

  • Page 518

    17-6 Chapter 17 Configuring System Operations. Scheduled Backups. Step 3 You must activate the secondary server on the primary, either automatically or by issuing a manual request. Related Topics • Viewing and Editing a Primary Instance, page 17-9 • Viewing and E[...]

  • Page 519

    17-7 Chapter 17 Configuring System Operations. Scheduled Backups. Step 2 Click Submit to schedule the backup. Related Topic: Backing Up Primary and Secondary Instances, page 17-8. Table 17-2 Scheduled Backups Page. Option / Description: Backup Data: Filename created by b[...]

  • Page 520

    17-8 Chapter 17 Configuring System Operations. Backing Up Primary and Secondary Instances. ACS provides you the option to back up the primary and secondary instances at any time apart from the regular scheduled backups. For a[...]

  • Page 521

    17-9 Chapter 17 Configuring System Operations. Synchronizing Primary and Secondary Instances After Backup and Restore. When you specify that a system backup is restored on a primary instance, t[...]

  • Page 522

    17-10 Chapter 17 Configuring System Operations. Editing Instances. Table 17-4 Distributed System Management Page. Option / Description: Primary Instance Name: Hostname of the primary instance. IP Address: IP address of the primary instance. Online Status: Indicates if [...]

  • Page 523

    17-11 Chapter 17 Configuring System Operations. Editing Instances. Step 2 From the Primary Instance table, click the primary instance that you want to modify, or check the Name check box and click Edit. Step 3 Complete the fields in the Distributed System Management[...]

  • Page 524

    17-12 Chapter 17 Configuring System Operations. Editing Instances. Step 4 Click Submit. The Primary Instance table on the Distributed System Management page appears with the edited primary instance. Related Topics • Replicating a Secondary Instance from a Primary I[...]

  • Page 525

    17-13 Chapter 17 Configuring System Operations. Editing Instances. Viewing and Editing a Secondary Instance. To edit a secondary instance: Step 1 Choose System Administration > Operations > Distributed System Management. The Distributed System Management page app[...]

  • Page 526

    17-14 Chapter 17 Configuring System Operations. Activating a Secondary Instance. To activate a secondary instance: Step 1 Choose System Administration > Operations > Distributed System Management. The Distributed System Managemen[...]

  • Page 527

    17-15 Chapter 17 Configuring System Operations. Registering a Secondary Instance to a Primary Instance. Table 17-6 System Operations: Deployment Operations Page. Option / Description: Instance Status, Current Status: Identifies the instance of the node you log into [...]

  • Page 528

    17-16 Chapter 17 Configuring System Operations. Registering a Secondary Instance to a Primary Instance. Step 3 Specify the appropriate values in the Registration section. Step 4 Click Register to Primary. The following warning message is displayed: This operation [...]

  • Page 529

    17-17 Chapter 17 Configuring System Operations. Deregistering Secondary Instances from the Distributed System Management Page. To deregister secondary instances from the Distributed System Mana[...]

  • Page 530

    17-18 Chapter 17 Configuring System Operations. Promoting a Secondary Instance from the Distributed System Management Page. The system displays the following warning message: This operation will deregister this server as a secondary with the primary server. ACS wi[...]

  • Page 531

    17-19 Chapter 17 Configuring System Operations. Promoting a Secondary Instance from the Deployment Operations Page. To promote a secondary instance to a primary instance from the Deployment Operati[...]

  • Page 532

    17-20 Chapter 17 Configuring System Operations. Replicating a Secondary Instance from a Primary Instance. Replicating a Secondary Instance from the Distributed System Management Page. Note: All ACS appliances must be in sync with the AD domain clock. To replicate a s[...]

  • Page 533

    17-21 Chapter 17 Configuring System Operations. Replicating a Secondary Instance from a Primary Instance. The Distributed System Management page appears. On the Secondary Instance table, the Replication Status column shows UPDATED. Replication is complete on the sec[...]

  • Page 534

    17-22 Chapter 17 Configuring System Operations. Replicating a Secondary Instance from a Primary Instance. Failover. ACS 5.4 allows you to configure multiple ACS instances for a deployment scenario. Each deployment can have one primary and multiple secondary ACS se[...]

  • Page 535

    17-23 Chapter 17 Configuring System Operations. Using the Deployment Operations Page to Create a Local Mode Instance. Cleanup..... Starting ACS.... The database on the primary server is restored successfully. Now, you can observe that all secondary servers in the d[...]

  • Page 536

    17-24 Chapter 17 Configuring System Operations. Using the Deployment Operations Page to Create a Local Mode Instance. You can use the configuration information on the ACS Configuration Audit report to manually restore the configuration information for this instance. [...]

  • Page 537

    17-25 Chapter 17 Configuring System Operations. Using the Deployment Operations Page to Create a Local Mode Instance. Step 4 Click Submit. The new software repository is saved. The Software Repository page appears, with the new software repository that you [...]

  • Page 538

    17-26 Chapter 17 Configuring System Operations. Using the Deployment Operations Page to Create a Local Mode Instance[...]

  • Page 539

    18-1 CHAPTER 18 Managing System Administration Configurations. After you install Cisco Secure ACS, you must configure and administer it to manage your network efficiently. The ACS web interface allows you to easily configure ACS to perform various operations. F[...]

  • Page 540

    18-2 Chapter 18 Managing System Administration Configurations. Configuring Global System Options. Configuring EAP-TLS Settings. Use the EAP-TLS Settings page to configure EAP-TLS runtime characteristics. Select System Administration > Configuration > Global Syst[...]

  • Page 541

    18-3 Chapter 18 Managing System Administration Configurations. Configuring Global System Options. Configuring PEAP Settings. Use the PEAP Settings page to configure PEAP runtime characteristics. Select System Administration > Configuration > Global System Options > [...]

  • Page 542

    18-4 Chapter 18 Managing System Administration Configurations. Configuring RSA SecurID Prompts. Generating EAP-FAST PAC. Use the EAP-FAST Generate PAC page to generate a user or machine PAC. Step 1 Select System Administration > Configuration > Global System[...]

  • Page 543

    18-5 Chapter 18 Managing System Administration Configurations. Managing Dictionaries. Step 3 Click Submit to configure the RSA SecurID Prompts. Managing Dictionaries. The following tasks are available when you select System Administration > Configuration > Dicti[...]

  • Page 544

    18-6 Chapter 18 Managing System Administration Configurations. Managing Dictionaries. • RADIUS (Cisco BBSM) • RADIUS (Cisco VPN 3000) • RADIUS (Cisco VPN 5000) • RADIUS (Juniper) • RADIUS (Nortel [Bay Networks]) • RADIUS (Red Creek) • RADIUS (US Roboti[...]

  • Page 545

    18-7 Chapter 18 Managing System Administration Configurations. Managing Dictionaries. • Click Create. • Check the check box next to the RADIUS VSA that you want to duplicate, then click Duplicate. • Check the check box next to the RADIUS VSA that you want[...]

  • Page 546

    18-8 Chapter 18 Managing System Administration Configurations. Managing Dictionaries. Table 18-9 Creating, Duplicating, and Editing RADIUS Subattributes. Option / Description: General. Attribute: Name of the subattribute. The name must be unique. Description: (Option[...]

  • Page 547

    18-9 Chapter 18 Managing System Administration Configurations. Managing Dictionaries. Step 4 Click Submit to save the subattribute. Viewing RADIUS Vendor-Specific Subattributes. To view the attributes that are supported by a particular RADIUS vendor: Step 1 Choose Sys[...]
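
A dictionary VSA entry (pages 18-6 through 18-9 above) describes a vendor ID and the subattributes that travel inside it. The following added Python example, which is not ACS code and not from the guide, encodes and decodes the RFC 2865 Vendor-Specific attribute (type 26) those entries describe, with the length checks a parser should make before trusting a packet. Cisco's enterprise number 9 and vendor type 1 for cisco-avpair are the standard values; the AV-pair strings are constructed.

```python
"""Encode and decode the RADIUS Vendor-Specific Attribute (type 26) that a
dictionary VSA entry describes: a 4-byte Vendor-Id followed by one or more
subattributes laid out as vendor-type, vendor-length, value (RFC 2865,
section 5.26).  Added example, not ACS code.  Cisco's enterprise number is 9
and cisco-avpair is vendor type 1; the AV-pair strings are constructed."""
import struct

VENDOR_SPECIFIC = 26
CISCO = 9
CISCO_AVPAIR = 1


def encode_vsa(vendor_id, subattrs):
    """subattrs: list of (vendor_type, value_bytes).  Returns the whole attribute."""
    payload = b""
    for vtype, value in subattrs:
        if not 0 <= vtype <= 255 or len(value) > 253:
            raise ValueError("subattribute type or value out of range")
        payload += struct.pack("!BB", vtype, len(value) + 2) + value
    if vendor_id >> 24:
        raise ValueError("high byte of Vendor-Id must be zero")
    body = struct.pack("!I", vendor_id) + payload
    if len(body) + 2 > 255:
        raise ValueError("too long for one attribute; emit several VSAs")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def decode_vsa(attr):
    """Return (vendor_id, [(vendor_type, value_bytes), ...]), refusing any
    length field that does not agree with the bytes actually present."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute")
    length = attr[1]
    if length != len(attr):
        raise ValueError("attribute length does not match data")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    if vendor_id >> 24:
        raise ValueError("high byte of Vendor-Id must be zero")
    subattrs, pos = [], 6
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated subattribute header")
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 2 or pos + vlen > length:
            raise ValueError("bad subattribute length")
        subattrs.append((vtype, bytes(attr[pos + 2:pos + vlen])))
        pos += vlen
    return vendor_id, subattrs


def is_well_formed(attr):
    """True when decode_vsa accepts the bytes, False on any length inconsistency."""
    try:
        decode_vsa(attr)
        return True
    except ValueError:
        return False


def cisco_avpairs(pairs):
    """One Cisco VSA carrying several cisco-avpair strings."""
    return encode_vsa(CISCO, [(CISCO_AVPAIR, p.encode()) for p in pairs])
```

The decoder checks every length field against the bytes it actually has before slicing; a subattribute whose vendor-length runs past the end of the attribute is the classic malformed input that a lazy parser either reads out of bounds on or silently truncates, and a RADIUS server should drop it rather than guess.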

  • Page 548

    18-10 Chapter 18 Managing System Administration Configurations. Managing Dictionaries. Related Topic: Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes, page 18-6. Configuring Identity Dictionaries. This section contains the following topics: • [...]

  • Page 549

    18-11 Chapter 18 Managing System Administration Configurations. Managing Dictionaries. Configuring Internal Identity Attributes. Table 18-10 describes the fields in the internal <users | hosts> identity attributes. Table 18-10 Identity Attribute Properties Pag[...]

  • Page 550

    18-12 Chapter 18 Managing System Administration Configurations. Managing Dictionaries. Deleting an Internal User Identity Attribute. To delete an internal user identity attribute: Step 1 Select System Administration > Configuration > Dictionaries > Identit[...]

  • Page 551

    18-13 Chapter 18 Managing System Administration Configurations. Managing Dictionaries. Creating, Duplicating, and Editing an Internal Host Identity Attribute. To create, duplicate, and edit an internal host identity attribute: Step 1 Select System Administration > Con[...]

  • Page 552

    18-14 Chapter 18 Managing System Administration Configurations. Configuring Local Server Certificates. Adding Static IP Address to Users in Internal Identity Store. To add a static IP address to a user in the Internal Identity Store: Step 1 Add a static IP attribute to intern[...]

  • Page 553

    18-15 Chapter 18 Managing System Administration Configurations. Adding Local Server Certificates. Step 2 Click Add. Step 3 Enter the information in the Local Certificate Store Properties page as described in Table 18-12: Importing Server Certificates and Associating Ce[...]

  • Page 554

    18-16 Chapter 18 Managing System Administration Configurations. Adding Local Server Certificates. Step 4 Click Finish. The new certificate is saved. The Local Certificate Store page appears with the new certificate. Generating Self-Signed Certificates. Step 1 [...]

  • Page 555

    18-17 Chapter 18 Managing System Administration Configurations. Adding Local Server Certificates. Step 4 Click Finish. The new certificate is saved. The Local Certificate Store page appears with the new certificate. Generating a Certificate Signing Request. Step 1 Sel[...]

  • Page 556

    18-18 Chapter 18 Managing System Administration Configurations. Adding Local Server Certificates. Binding CA Signed Certificates. Use this page to bind a CA signed certificate to the request that was used to obtain the certificate from the CA. Step 1 Select System[...]

  • Page 557

    18-19 Chapter 18 Managing System Administration Configurations. Adding Local Server Certificates. Step 4 Click Submit to extend the existing certificate's validity. The Local Certificate Store page appears with the edited certificate. Related Topic • Configuring Loc[...]

  • Page 558

    18-20 Chapter 18 Managing System Administration Configurations. Adding Local Server Certificates. The Certificate Store page appears without the deleted certificate(s). Related Topic • Configuring Local Server Certificates, page 18-14. Exporting Certificates. To[...]

  • Page 559

    18-21 Chapter 18 Managing System Administration Configurations. Configuring Logs. Step 2 Click Export to export the local certificate to a client machine. Configuring Logs. Log records are generated for: • Accounting messages • AAA audit and diagnostics messages[...]

  • Page 560

    18-22 Chapter 18 Managing System Administration Configurations. Configuring Logs. Step 1 Select System Administration > Configuration > Log Configuration > Remote Log Targets. The Remote Log Targets page appears. Step 2 Do one of the following: • Clic[...]

  • Page 561

    18-23 Chapter 18 Managing System Administration Configurations. Configuring Logs. Step 4 Click Submit. The remote log target configuration is saved. The Remote Log Targets page appears with the new remote log target configuration. Related Topic • Deleting a Remote[...]

  • Page 562

    18-24 Chapter 18 Managing System Administration Configurations. Configuring Logs. Configuring the Local Log. Use the Local Configuration page to configure the maximum days to retain your local log data. Step 1 Select System Administration > Configuration > Log[...]

  • Page 563

    18-25 Chapter 18 Managing System Administration Configurations. Configuring Logs. Configuring Global Logging Categories. To view and configure global logging categories: Step 1 Select System Administration > Configuration > Log Configuration > Logging Categori[...]

  • Page 564

    18-26 Chapter 18 Managing System Administration Configurations. Configuring Logs. Step 6 Click Submit. The Logging Categories page appears, with your configured logging category. Administrative and operational audit messages include audit messages of the [...]

  • Page 565

    18-27 Chapter 18 Managing System Administration Configurations. Configuring Logs. Related Topic • Configuring Per-Instance Logging Categories, page 18-29 • Viewing ADE-OS Logs, page 18-28. File-Management: • ACS_DELETE_CORE—ACS core files deleted • ACS_D[...]

  • Page 566

    18-28 Chapter 18 Managing System Administration Configurations. Configuring Logs. Viewing ADE-OS Logs. The logs listed in Table 18-22 are written to the ADE-OS logs. From the ACS CLI, you can use the following command to view the ADE-OS logs: show logging syste[...]

  • Page 567

    18-29 Chapter 18 Managing System Administration Configurations. Configuring Logs.
    Sep 29 06:28:28 cd-acs5-13-103 MSGCAT58004/admin: ACS Stopped
    Sep 29 06:31:41 cd-acs5-13-103 MSGCAT58037/admin: Installing ACS
    Sep 29 09:52:35 cd-acs5-13-103 MSGCAT58007: Killing Tomcat 32729
    Sep [...]
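
The ADE-OS lines above record the kind of platform events (service stopped, the Tomcat process killed, a reinstall) that a detection pipeline should raise when they occur outside an approved change window, since each of them interrupts or replaces the AAA service. The following parser and filter is an added Python example, not ACS code; its sample input reuses the three lines from the page plus one constructed malformed line to show that unparseable input is skipped rather than trusted.

```python
"""Parse ADE-OS platform log lines of the form
'Mon DD HH:MM:SS host MSGCATnnnnn[/user]: text' and flag the entries that
change ACS availability.  Added example, not ACS code.  SAMPLE_LINES reuses
the three entries shown on the page; the fourth line is constructed junk
to show that unparseable input is skipped rather than trusted."""
import re
from collections import namedtuple

AdeRecord = namedtuple("AdeRecord", "month day time host code user text")

ADE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) MSGCAT(?P<code>\d+)(?:/(?P<user>[^:\s]+))?: (?P<text>.*)$")

# Message text prefixes worth an alert when no change window is open.
WATCH = {
    "ACS Stopped": "service stopped",
    "Killing Tomcat": "web interface process killed",
    "Installing ACS": "software (re)install",
}

SAMPLE_LINES = [
    "Sep 29 06:28:28 cd-acs5-13-103 MSGCAT58004/admin: ACS Stopped",
    "Sep 29 06:31:41 cd-acs5-13-103 MSGCAT58037/admin: Installing ACS",
    "Sep 29 09:52:35 cd-acs5-13-103 MSGCAT58007: Killing Tomcat 32729",
    "this line is constructed garbage and must be ignored",
]


def parse_ade_line(line):
    """Return an AdeRecord, or None when the line does not fit the format."""
    m = ADE_RE.match(line.rstrip())
    if not m:
        return None
    return AdeRecord(m["month"], int(m["day"]), m["time"], m["host"],
                     int(m["code"]), m["user"], m["text"])


def service_state_events(lines):
    """(host, user, label, text) for every entry whose text starts with a WATCH key."""
    events = []
    for line in lines:
        rec = parse_ade_line(line)
        if rec is None:
            continue
        for prefix, label in WATCH.items():
            if rec.text.startswith(prefix):
                events.append((rec.host, rec.user, label, rec.text))
                break
    return events
```

The `user` field is optional in the format (the Tomcat line on the page has none), so the record keeps it as `None` rather than failing; a detection rule can then treat "service stopped with no attributable user" differently from an administrator-initiated stop.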

  • Page 568

    18-30 Chapter 18 Managing System Administration Configurations. Configuring Logs. Configuring Per-Instance Security and Log Settings. You can configure the severity level and local log settings in a logging category configuration for a specific overridden or custo[...]

  • Page 569

    18-31 Chapter 18 Managing System Administration Configurations. Configuring Logs. Configuring Per-Instance Remote Syslog Targets. Use this page to configure remote syslog targets for logging categories. Step 1 Select System Administration > Configuration > Log Config[...]

  • Page 570

    18-32 Chapter 18 Managing System Administration Configurations.  Configuring Logs. Displaying Logging Categories. You can view a tree of configured logging categories for a specific ACS instance. In addition, you can configure a logging category's severity le[...]

  • Page 571

    18-33 Chapter 18 Managing System Administration Configurations. Configuring Logs. Configuring the Log Collector. Use the Log Collector page to select a log data collector and suspend or resume log data transmission. Step 1 Select System Administration > Configuration[...]

  • Page 572

    18-34 Chapter 18 Managing System Administration Configurations. Licensing Overview. To operate ACS, you must install a valid license. ACS prompts you to install a valid base license when you first access the web interface. Each ACS insta[...]

  • Page 573

    18-35 Chapter 18 Managing System Administration Configurations. Installing a License File. Related Topics • Licensing Overview, page 18-34 • Installing a License File, page 18-35 • Viewing the Base License, page 18-36 • Adding Deployment License Files, page 1[...]

  • Page 574

    18-36 Chapter 18 Managing System Administration Configurations. Installing a License File. Viewing the Base License. To upgrade the base license: Step 1 Select System Administration > Configuration > Licensing > Base Server License. The Base Serve[...]

  • Page 575

    18-37 Chapter 18 Managing System Administration Configurations. Installing a License File. Related Topic • Upgrading the Base Server License, page 18-37. Upgrading the Base Server License. You can upgrade the base server license. Step 1 Select System Administration [...]

  • Page 576

    18-38 Chapter 18 Managing System Administration Configurations. Viewing License Feature Options. You can add, upgrade, or delete existing deployment licenses. The configuration pane at the top of the page shows the deployment [...]

  • Page 577

    18-39 Chapter 18 Managing System Administration Configurations. Adding Deployment License Files. To add a new base deployment license file: Step 1 Select System Administration > Configuration > Licensing > Feature Options. The F[...]

  • Page 578

    18-40 Chapter 18 Managing System Administration Configurations. Deleting Deployment License Files. Related Topics • Licensing Overview, page 18-34 • Types of Licenses, page 18-34 • Installing a License File, page 18-35 • Viewing the Base License, page 1[...]

  • Page 579

    18-41 Chapter 18 Managing System Administration Configurations. Available Downloads. Downloading Migration Utility Files. To download migration application files and the migration guide for ACS 5.4: Step 1 Choose System Administration > Downloads > Migration Utilit[...]

  • Page 580

    18-42 Chapter 18 Managing System Administration Configurations. Available Downloads. To download these sample scripts: Step 1 Choose System Administration > Downloads > Sample Python Scripts. The Sample Python Scripts page appears. Step 2 Click one of t[...]

  • Page 581

    19-1 CHAPTER 19 Understanding Logging. This chapter describes logging functionality in ACS 5.4. Administrators and users use the various management interfaces of ACS to perform different tasks. Using the administrative access control feature, you can a[...]

  • Page 582

    19-2 Chapter 19 Understanding Logging. About Logging. Using Log Targets. You can specify to send customer log information to multiple consumers or Log Targets and specify whether the log messages are stored locally in text format or forwarded to syslog servers.[...]

  • Page 583

    19-3 Chapter 19 Understanding Logging. About Logging. Note: For complex configuration items or attributes, such as policy or DACL contents, the new attribute value is reported as "New/Updated" and the audit does not contain the actual attribute value or[...]

  • Page 584

    19-4 Chapter 19 Understanding Logging. About Logging. Each log message contains the following information: • Event code—A unique message code. • Logging category—Identifies the category to which a log message belongs. • Severity level—Identifies the le[...]

  • Page 585

    19-5 Chapter 19 Understanding Logging. About Logging. Local Store Target. Log messages in the local store are text files that are sent to one log file, located at /opt/CSCOacs/logs/localStore/, regardless of which logging category they belong to. The local store can [...]

  • Page 586

    19-6 Chapter 19 Understanding Logging. About Logging. Table 19-2 Local Store and Syslog Message Format. Field / Description: timestamp: Date of the message generation, according to the local clock of the originating ACS, in the format YYYY-MM-DD hh:mm:ss:xxx +/-zh[...]

  • Page 587

    19-7 Chapter 19 Understanding Logging. About Logging. You can use the web interface to configure the number of days to retain local store log files; however, the default setting is to purge data when it exceeds 5 MB or each day, whichever limit is first attained. [...]

  • Page 588

    19-8 Chapter 19 Understanding Logging. About Logging. When you configure a critical log target, and a message is sent to that critical log target, the message is also sent to the configured noncritical log target on a best-effort basis. • When you configure a critica[...]

  • Page 589

    19-9 Chapter 19 Understanding Logging. About Logging. Table 19-3 Remote Syslog Message Header Format. Field / Description: pri_num: Priority value of the message; a combination of the facility value and the severity value of the message. Priority value = (facility valu[...]

  • Page 590

    19-10 Chapter 19 Understanding Logging. About Logging. The syslog message data or payload is the same as the Local Store Message Format, which is described in Table 19-2. The remote syslog server targets are identified by the facility code names LOCAL0 to LOCAL7[...]
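
The PRI value from Table 19-3 and the LOCAL0 to LOCAL7 facility names above, as an added Python example (not ACS code and not from the guide) that composes a syslog line, parses one back to its facility and severity, and reassembles a long message that was split into segments. The standard syslog rule is PRI = facility * 8 + severity, with LOCAL0 through LOCAL7 being facilities 16 through 23. The header field order used here after PRI (time, host, CSCOacs_<category>, message id, total segments, segment number) and the sample payload are assumptions for the example, not a transcription of the guide's table.

```python
"""Compose, parse and reassemble the remote-syslog form of an ACS log
message: PRI = facility * 8 + severity with the LOCAL0..LOCAL7 facilities,
then a header and the local-store payload.  Added example, not ACS code.
The header field order used after PRI (time, host, CSCOacs_<category>,
message id, total segments, segment number) and the sample payload are
assumptions for this example."""
import re

FACILITIES = {"LOCAL%d" % i: 16 + i for i in range(8)}
SEVERITIES = {"EMERG": 0, "ALERT": 1, "CRIT": 2, "ERR": 3,
              "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7}


def pri(facility_name, severity_name):
    """Priority value = (facility value * 8) + severity value."""
    return FACILITIES[facility_name] * 8 + SEVERITIES[severity_name]


def split_pri(pri_num):
    """Inverse of pri(): returns (facility_number, severity_number)."""
    if not 0 <= pri_num <= 191:
        raise ValueError("PRI out of range")
    return divmod(pri_num, 8)


HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<time>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<category>CSCOacs_\S+) (?P<msg_id>\d+) "
    r"(?P<total>\d+) (?P<seg>\d+) (?P<payload>.*)$")


def build(facility, severity, time, host, category, msg_id, payload, max_payload=900):
    """Emit one line per segment so each stays under a syslog-sized limit."""
    chunks = [payload[i:i + max_payload] for i in range(0, len(payload), max_payload)] or [""]
    return ["<%d>%s %s CSCOacs_%s %010d %d %d %s" % (pri(facility, severity), time, host,
            category, msg_id, len(chunks), n + 1, c) for n, c in enumerate(chunks)]


def parse(line):
    """Header fields as a dict with facility/severity split out, or None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["facility"], d["severity"] = split_pri(int(d["pri"]))
    for k in ("pri", "msg_id", "total", "seg"):
        d[k] = int(d[k])
    return d


def reassemble(lines):
    """Join multi-segment messages; returns {(host, msg_id): payload} for complete ones only."""
    parts = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        key = (rec["host"], rec["msg_id"])
        parts.setdefault(key, {})[rec["seg"]] = (rec["total"], rec["payload"])
    out = {}
    for key, segs in parts.items():
        total = next(iter(segs.values()))[0]
        if len(segs) == total and set(segs) == set(range(1, total + 1)):
            out[key] = "".join(segs[i][1] for i in range(1, total + 1))
    return out
```

Reassembly keys on host plus message id and refuses to emit a message until every segment has arrived, which is the behaviour a collector needs when UDP syslog delivers segments out of order or drops one; a partial authentication record is worse than a late one, because a detection written against the full attribute list will silently miss on the truncated version.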

  • Page 591

    19-11 About Logging. The Monitoring and Report Viewer has two drawer options: • Monitoring and Reports—Use this drawer to view and configure alarms, view log reports, and perform troubleshooting tasks. • Monitoring Con[...]

  • Page 592

    19-12 ACS 4.x Versus ACS 5.4 Logging. If you are familiar with the logging functionality in ACS 4.x, ensure that you familiarize yourself with the logging functionality of ACS 5.4, which is considerably [...]

  • Page 593

    19-13 ACS 4.x Versus ACS 5.4 Logging. Configuration. Use the System Configuration > Logging page to define: • Loggers and individual logs • Critical loggers • Remote logging • CSV log file • Syslog log • ODBC log. See Config[...]

  • Page 594

    19-14 ACS 4.x Versus ACS 5.4 Logging[...]

  • Page 595

    A-1 Appendix A, AAA Protocols. This section contains the following topics: • Typical Use Cases, page A-1 • Access Protocols—TACACS+ and RADIUS, page A-5 • Overview of TACACS+, page A-5 • Overview of RADIUS, page A-6. Typical Use Cases. This section conta[...]

  • Page 596

    A-2 Typical Use Cases. Session Access Requests (Device Administration [TACACS+]). Note: The numbers refer to Figure A-1 on page A-1. For a session request: 1. An administrator logs into a network device. 2. The network device sends a TACACS+ acces[...]

  • Page 597

    A-3 Typical Use Cases. – EAP protocols that involve a TLS handshake and in which the client uses the ACS server certificate to perform server authentication: PEAP, using one of the following inner methods: PEAP/EAP-MSCHAPv2 and PEAP/EAP[...]

  • Page 598

    A-4 Typical Use Cases. – EAP-FAST/EAP-MSCHAPv2 – EAP-FAST/EAP-GTC • EAP methods that use certificates for both server and client authentication: – EAP-TLS – PEAP/EAP-TLS. Whenever EAP is involved in the authentication process, i[...]

  • Page 599

    A-5 Access Protocols—TACACS+ and RADIUS. This section contains the following topics: • Overview of TACACS+, page A-5 • Overview of RADIUS, page A-6. ACS 5.4 can use the TACACS+ and RADIUS access pr[...]

  • Page 600

    A-6 Overview of RADIUS. This section contains the following topics: • RADIUS VSAs, page A-6 • ACS 5.4 as the AAA Server, page A-7 • RADIUS Attribute Support in ACS 5.4, page A-8 • RADIUS Access Requests, page A-11. RAD[...]

  • Page 601

    A-7 Overview of RADIUS. ACS 5.4 as the AAA Server. A AAA server is a server program that handles user requests for access to computer resources and, for an enterprise, provides AAA services. The AAA server typically interacts with network acc[...]

  • Page 602

    A-8 Overview of RADIUS. RADIUS Attribute Support in ACS 5.4. ACS 5.4 supports the RADIUS protocol as RFC 2865 describes. ACS 5.4 supports the following types of RADIUS attributes: • IETF RADIUS attributes • Generic and Cisco VSAs • Oth[...]

  • Page 603

    A-9 Overview of RADIUS. Authentication. ACS supports various authentication protocols transported over RADIUS. The supported protocols that do not include EAP are: • PAP • CHAP • MSCHAPv1 • MSCHAPv2. In addition, various EAP-based pro[...]

  • Page 604

    A-10 Overview of RADIUS. An administrator can configure the attribute operation clause for a specific proxy access service. When this service is selected, ACS performs the operation on the access request and forwards the updated access r[...]

  • Page 605

    A-11 Overview of RADIUS. • If multiple instances of the attribute are allowed, the update operation removes all occurrences of this attribute and adds one attribute with the new value. Example: Login-IP-Host – attribute, multiple allowed: On t[...]

  • Page 606

    A-12 Overview of RADIUS. When the RADIUS server receives the Access-Request from the NAD, it searches a database for the user name. Depending on the result of the database query, an accept or reject is sent. A text message can ac[...]

  • Page 607

    B-1 Appendix B, Authentication in ACS 5.4. Authentication verifies user information to confirm the user's identity. Traditional authentication uses a name and a fixed password. More secure methods use cryptographic techniques, such as those used [...]

  • Page 608

    B-2 PAP. This appendix describes the following: • RADIUS-based authentication that does not include EAP: – PAP, page B-2 – CHAP, page B-32 – MSCHAPv1 – EAP-MSCHAPv2, page B-30 • EAP family of protocols transported [...]

  • Page 609

    B-3 EAP. RADIUS PAP Authentication. You can use different levels of security concurrently with ACS for different requirements. PAP applies a two-way handshaking procedure. If authentication succeeds, ACS returns an acknowledge[...]
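How PAP and CHAP, the two non-EAP methods listed on page B-2, actually carry the password over RADIUS, as an added Python example that is not code from the user guide or from ACS. It implements the User-Password hiding of RFC 2865 section 5.2 (what the PAP "two-way handshake" puts on the wire) and the CHAP-Password check of RFC 2865 section 5.3 / RFC 1994. The shared secret, passwords, challenge and Request Authenticator below are constructed for the demo.

```python
import hashlib
import hmac
import os

# --- PAP: RFC 2865 5.2 User-Password hiding ----------------------------------
# The password is padded to a multiple of 16 octets; each 16-octet block is XORed
# with MD5(shared_secret || previous cipher block), seeded with the 16-octet
# Request Authenticator. This is obfuscation keyed by the RADIUS shared secret,
# not encryption: anyone holding the shared secret and a capture gets the password.

def hide_user_password(password, secret, request_auth):
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def reveal_user_password(hidden, secret, request_auth):
    """Server side of PAP: undo the hiding, then strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password value must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(c, b)), c
    return out.rstrip(b"\x00")


# --- CHAP: RFC 1994 response carried in RADIUS CHAP-Password (RFC 2865 5.3) ---
# CHAP-Password value = CHAP Ident (1 octet) || MD5(Ident || password || challenge).
# The challenge is the CHAP-Challenge attribute or, when absent, the Request Authenticator.

def chap_response(ident, password, challenge):
    ident_b = bytes([ident])
    return ident_b + hashlib.md5(ident_b + password + challenge).digest()


def verify_chap(chap_password, stored_password, challenge):
    """Server-side CHAP check. The server must hold the cleartext password to
    recompute the MD5, so CHAP cannot be verified against a store of salted hashes."""
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], stored_password, challenge)
    return hmac.compare_digest(expected, chap_password)


def demo():
    """Constructed round trip for both methods; returns the outcomes for inspection."""
    secret, request_auth = b"sharedsecret", os.urandom(16)
    hidden = hide_user_password(b"Pa55word!", secret, request_auth)
    challenge = os.urandom(16)
    resp = chap_response(0x2A, b"Pa55word!", challenge)
    return {
        "pap_roundtrip": reveal_user_password(hidden, secret, request_auth) == b"Pa55word!",
        "pap_wrong_secret": reveal_user_password(hidden, b"other", request_auth) == b"Pa55word!",
        "chap_ok": verify_chap(resp, b"Pa55word!", challenge),
        "chap_wrong_password": verify_chap(resp, b"Pa55word?", challenge),
    }
```

Two properties fall out of the code: PAP's protection is exactly as strong as the secrecy of the RADIUS shared secret, and CHAP needs the cleartext password on the server, which constrains the identity stores it can work against. Both are reasons these methods are normally confined to a trusted management network or wrapped in one of the TLS-tunnelled EAP methods described later in this appendix.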

  • Page 610

    B-4 EAP. In ACS 5.4, EAP is encapsulated in the RADIUS protocol. Incoming and outgoing EAP messages are stored in a RADIUS EAP-Message attribute (79). A single RADIUS packet can contain multiple EAP-Message attributes when th[...]
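The EAP-Message handling described here, together with the update semantics for multiple-allowed attributes such as Login-IP-Host from page A-11, as one added Python example (not code from the user guide or from ACS). The 253-octet value limit and the rule that EAP-Message must be accompanied by Message-Authenticator follow RFC 2865 and RFC 2869; the EAP packet, the attribute lists and the zeroed Message-Authenticator placeholder are constructed for the demo.

```python
import struct

EAP_MESSAGE = 79             # RFC 2869 5.13
MESSAGE_AUTHENTICATOR = 80   # RFC 2869 5.14, required whenever EAP-Message is present
LOGIN_IP_HOST = 14           # RFC 2865 5.14, multiple instances allowed
MAX_VALUE_LEN = 253          # Length is one octet and covers Type + Length + Value


def encode_attrs(attrs):
    """Serialize [(type, value_bytes), ...] as RADIUS type-length-value attributes."""
    out = bytearray()
    for t, v in attrs:
        if not 0 <= t <= 255 or len(v) > MAX_VALUE_LEN:
            raise ValueError(f"attribute {t}: value too long ({len(v)} octets)")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return bytes(out)


def decode_attrs(data):
    """Parse TLVs; a Length below 2 or one that runs past the buffer is malformed."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length {length} for attribute {t} at offset {i}")
        attrs.append((t, bytes(data[i + 2:i + length])))
        i += length
    return attrs


def build_eap_packet(code, ident, eap_type, type_data):
    """EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    body = bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def fragment_eap(eap_packet):
    """Split one EAP packet into as many EAP-Message attributes as needed, in order."""
    return [(EAP_MESSAGE, eap_packet[i:i + MAX_VALUE_LEN])
            for i in range(0, len(eap_packet), MAX_VALUE_LEN)]


def reassemble_eap(attrs):
    """Concatenate EAP-Message values in packet order and check the EAP Length field.

    A packet carrying EAP-Message without Message-Authenticator must be dropped
    whole; without it the EAP exchange can be spoofed by anyone on the path.
    """
    if not any(t == MESSAGE_AUTHENTICATOR for t, _ in attrs):
        raise ValueError("EAP-Message without Message-Authenticator")
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    if len(eap) < 4:
        raise ValueError("EAP packet shorter than its header")
    _code, _ident, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError(f"EAP Length {length} != {len(eap)} octets carried")
    return eap


def update_attribute(attrs, attr_type, value):
    """Proxy 'update' on a multiple-allowed attribute (page A-11): drop every
    occurrence, then add exactly one instance carrying the new value."""
    return [(t, v) for t, v in attrs if t != attr_type] + [(attr_type, value)]


def demo():
    """Constructed round trip: a 605-octet EAP-TLS response needs three attributes."""
    eap = build_eap_packet(2, 7, 13, b"\x16\x03" + b"\x00" * 598)  # Type 13 = EAP-TLS
    frags = fragment_eap(eap)
    # Placeholder only: the real Message-Authenticator is HMAC-MD5 over the whole
    # RADIUS packet with this field zeroed, which needs the packet header not built here.
    wire = encode_attrs(frags + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    back = reassemble_eap(decode_attrs(wire))
    hosts = [(LOGIN_IP_HOST, bytes([10, 0, 0, 1])), (1, b"alice"),
             (LOGIN_IP_HOST, bytes([10, 0, 0, 2]))]
    updated = update_attribute(hosts, LOGIN_IP_HOST, bytes([192, 0, 2, 10]))
    return {"fragments": len(frags), "sizes": [len(v) for _, v in frags],
            "roundtrip": back == eap,
            "login_hosts": [v for t, v in updated if t == LOGIN_IP_HOST]}
```

The length cross-check in reassemble_eap is the part worth keeping in any real parser: the RADIUS layer only guarantees that each attribute is well formed, while the EAP Length field is the only signal that every fragment arrived and none was duplicated or injected.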

  • Page 611

    B-5 EAP-MD5. ACS supports the full EAP infrastructure, including EAP type negotiation, message sequencing and message retransmission. All protocols support fragmentation of big messages. In ACS 5.4, you configure EAP methods fo[...]

  • Page 612

    B-6 EAP-TLS. Overview of EAP-TLS. EAP-TLS is one of the methods in the EAP authentication framework, and is based on the 802.1x and EAP architecture. Components involved in the 802.1x and EAP authentication process are the: • Ho[...]

  • Page 613

    B-7 EAP-TLS. • Using a third-party signature, usually from a CA, that verifies the information in a certificate. This third-party binding is similar to the real-world equivalent of the stamp on a passport. You trust the passport b[...]

  • Page 614

    B-8 EAP-TLS. You can configure the timeout for each session in the cache, for each protocol individually. The lifetime of a session is measured from the beginning of the conversation and is determined when the TLS session [...]

  • Page 615

    B-9 EAP-TLS. For HTTPS, SFTP, SSH and ActiveMQ, an auto-generated self-signed certificate can be used as the means for server authentication. Fixed Management Certificates. ACS generates and uses self-signed certificates to ide[...]

  • Page 616

    B-10 EAP-TLS. • Initial Self-Signed Certificate Generation, page B-10 • Certificate Generation, page B-10. Importing the ACS Server Certificate. When you manually import an ACS server certificate you must supply the certificate f[...]

  • Page 617

    B-11 EAP-TLS. There are two types of certificate generation: • Self-signed certificate generation—ACS supports generation of an X.509 certificate and a PKCS#12 private key. The passphrase used to encrypt the priv[...]

  • Page 618

    B-12 EAP-TLS. Credentials Distribution. All certificates are kept in the ACS database, which is distributed and shared between all ACS nodes. The ACS server certificates are associated with and designated for a specific node, which uses [...]

  • Page 619

    B-13 EAP-TLS. Private Keys and Passwords Backup. The entire ACS database is distributed and backed up on the primary ACS along with all the certificates, private keys and the encrypted private-key passwords. The private-key-pa[...]

  • Page 620

    B-14 PEAPv0/1. Note: All communication between the host and ACS goes through the network device. EAP-TLS authentication fails if the: • Server fails to verify the client's certificate, and rejects EAP-TLS authentication. •[...]

  • Page 621

    B-15 PEAPv0/1. • Cisco AC 3.x • Funk Odyssey Access Client 4.0.2 and 5.x • Intel Supplicant 12.4.x. Overview of PEAP. PEAP is a client-server security architecture that you use to encrypt EAP transactions, thereby protec[...]

  • Page 622

    B-16 PEAPv0/1. • Fast Reconnect, page B-16 • Session Resume, page B-16 • Protected Exchange of Arbitrary Parameters, page B-17 • Cryptobinding TLV Extension, page B-17. Server Authenticated and Unauthenticated Tunnel Estab[...]

  • Page 623

    B-17 PEAPv0/1. Protected Exchange of Arbitrary Parameters. TLV tuples provide a way to exchange arbitrary information between the peer and ACS within a secure channel. Cryptobinding TLV Extension. The cryptobinding TLV extensio[...]

  • Page 624

    B-18 PEAPv0/1. Figure B-3 PEAP Processing Flow [figure labels: Phase 1; Phase 2; user authentication credentials are sent through the TLS tunnel again using EAP]. Creating the TLS Tunnel. The following describes the process for creating the TLS tunnel: [...]

  • Page 625

    B-19 EAP-FAST. Authenticating with MSCHAPv2. After the TLS tunnel is created, follow these steps to authenticate the wireless client credentials with MSCHAPv2: At the end of this mutual authentication exchange, the wireless client h[...]

  • Page 626

    B-20 EAP-FAST. EAP-FAST is a client-server security architecture that encrypts EAP transactions with a TLS tunnel. While similar to PEAP in this respect, it differs significantly in that EAP-FAST tunnel establishment is based on stro[...]

  • Page 627

    B-21 EAP-FAST. EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase[...]

  • Page 628

    B-22 EAP-FAST. • ACS-Supported Features for PACs, page B-25 • Master Key Generation and PAC TTLs, page B-27 • EAP-FAST for Allow TLS Renegotiation, page B-27. About Master-Keys. EAP-FAST master-keys are strong secrets tha[...]

  • Page 629

    B-23 EAP-FAST. Provisioning Modes. ACS supports out-of-band and in-band provisioning modes. The in-band provisioning mode operates inside a TLS tunnel raised by Anonymous DH or Authenticated DH or RSA algorithm for key agreement. [...]

  • Page 630

    B-24 EAP-FAST. The various means by which an end-user client can receive PACs are: • PAC provisioning—Required when an end-user client has no PAC. For more information about how master-key and PAC states determine wh[...]

  • Page 631

    B-25 EAP-FAST. To control whether ACS performs Automatic In-Band PAC Provisioning, use the options on the Global System Options pages in the System Administration drawer. For more information, see EAP-FAST, page B-19. Manual [...]

  • Page 632

    B-26 EAP-FAST. The proactive PAC update time is configured for the ACS server in the Allowed Protocols page. This mechanism allows the client to be always updated with a valid PAC. Note: There is no proactive PAC update for Machi[...]

  • Page 633

    B-27 EAP-FAST. Master Key Generation and PAC TTLs. The values for master key generation and PAC TTLs determine their states, as described in About Master-Keys, page B-22 and Types of PACs, page B-23. Master key and PAC states det[...]

  • Page 634

    B-28 EAP-FAST. For information about how master key generation and PAC TTL values determine whether PAC provisioning or PAC refreshing is required, see Master Key Generation and PAC TTLs, page B-27. Step 3 Determine whet[...]

  • Page 635

    B-29 EAP-FAST. • PAC Migration from ACS 4.x, page B-29. Key Distribution Algorithm. The common seed-key is a relatively large and completely random buffer that is generated by the primary ACS server. The seed-key is [...]

  • Page 636

    B-30 EAP Authentication with RADIUS Key Wrap. • A list of retired ACS 4.x master-keys. The list is taken from the ACS 4.x configuration and placed in a new table in ACS 5.4. Each migrated master-key is associated with its expe[...]

  • Page 637

    B-31 EAP-MSCHAPv2. Overview of EAP-MSCHAPv2. Some of the specific members of the EAP family of authentication protocols, specifically EAP-FAST and PEAP, support the notion of an "EAP inner method." This means that another EAP-ba[...]

  • Page 638

    B-32 CHAP. EAP-MSCHAPv2 Flow in ACS 5.4. Components involved in the 802.1x and MSCHAPv2 authentication process are the: • Host—The end entity, or end user's machine. • AAA client—The network access point. • Authenticati[...]

  • Page 639

    B-33 Certificate Attributes. • Subject's ST attribute (State Province) • Subject's E attribute (eMail) • Subject's SN attribute (Subject Serial Number) • Issuer I attribute • SAN (Subject Alternative Name). Y[...]

  • Page 640

    B-34 Certificate Attributes. • Subject's ST attribute (State Province) • Subject's E attribute (eMail) • Subject's SN attribute (Subject Serial Number) • Issuer I attribute • SAN (Subject Alternative Name)[...]

  • Page 641

    B-35 Machine Authentication. The configuration of URLs and their association to CAs is distributed to the entire ACS domain. The downloaded CRLs are not distributed and are autonomously populated in parallel in each ACS server.[...]

  • Page 642

    B-36 Authentication Protocol and Identity Store Compatibility. Related Topics: • Microsoft AD, page 8-41 • Managing External Identity Stores, page 8-22. Authentication Protocol and Identity Store Compatibility. ACS supports va[...]

  • Page 643

    B-37 Authentication Protocol and Identity Store Compatibility[...]

  • Page 644

    B-38 Authentication Protocol and Identity Store Compatibility[...]

  • Page 645

    C-1 Appendix C, Open Source License Acknowledgements. See http://www.cisco.com/en/US/products/ps9911/products_licensing_information_listing.html for all the Open Source and Third Party Licenses used in Cisco Secure Access Control System, 5.4. Notices. The [...]

  • Page 646

    C-2 Notices. 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contac[...]

  • Page 647

    C-3 Notices. 4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson ([...]

  • Page 648

    C-4 Appendix C, Open Source License Acknowledgements[...]

  • Page 649

    GL-1 Glossary. A. AAA: Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These c[...]

  • Page 650

    GL-2 accounts: The capability of ACS to record user sessions in a log file. ACS System Administrators: Administrators with different access privileges defined under the System Configuration section of the ACS web interface. They administer and man[...]

  • Page 651

    GL-3 authenticity: The validity and conformance of the original information. authorization: The approval, permission, or empowerment for someone or something to do something. authorization profile: The basic "permissions container" for a RADIUS-ba[...]

  • Page 652

    GL-4 certificate-based authentication: The use of Secure Sockets Layer (SSL) and certificates to authenticate and encrypt HTTP traffic. certificate: Digital representation of user or device attributes, including a public key, that is signed with an authori[...]

  • Page 653

    GL-5 configuration management: The process of establishing a known baseline condition and managing it. cookie: Data exchanged between an HTTP server and a browser (a client of the server) to store state information on the client side and retrieve it lat[...]

  • Page 654

    GL-6 D. daemon: A program which is often started at the time the system boots and runs continuously without intervention from any of the users on the system. The daemon program forwards the requests to other programs (or processes) as appropriate. The te[...]

  • Page 655

    GL-7 digital envelope: An encrypted message with the encrypted session key. digital signature: A value computed over a hash of a message with the sender's private key; it identifies the sender and proves the message hasn't changed since transmission. DSA: digital signature algori[...]

  • Page 656

    GL-8 dumpsec: A security tool that dumps a variety of information about a system's users, file system, registry, permissions, password policy, and services. DLL: Dynamic Link Library. A collection of small programs, any of which can be called when needed [...]

  • Page 657

    GL-9 EAP: Extensible Authentication Protocol. A protocol for wireless networks that expands on authentication methods used by the PPP (Point-to-Point Protocol), a protocol often used when connecting a computer to the Internet. EAP can support multiple authen[...]

  • Page 658

    GL-10 G. gateway: A network point that acts as an entrance to another network. global system options: Configuring TACACS+, EAP-TTLS, PEAP, and EAP-FAST runtime characteristics and generating EAP-FAST PAC. H. hash functions: Used to generate a one way "[...]

  • Page 659

    GL-11 I. I18N: Internationalization and localization are means of adapting software for non-native environments, especially other nations and cultures. Internationalization is the adaptation of products for potential use virtually everywhere, while loc[...]

  • Page 660

    GL-12 ISO: International Organization for Standardization, a voluntary, non-treaty, non-government organization, established in 1947, with voting members that are designated standards bodies of participating nations and non-voting observer organizations[...]

  • Page 661

    GL-13 M. MAC Address: A physical address; a numeric value that uniquely identifies that network device from every other device on the planet. matchingRule (LDAP): The method by which an attribute is compared in a search operation. A matchingRule is an ASN.1 [...]

  • Page 662

    GL-14 PI (Programmatic Interface): The ACS PI is a programmatic interface that provides external applications the ability to communicate with ACS to configure and operate ACS; this includes performing the following operations on ACS objects: create, upda[...]

  • Page 663

    GL-15 R. RDN (LDAP): The Relative Distinguished Name (frequently but incorrectly written as Relatively Distinguished Name). The name given to an attribute(s) that is unique at its level in the hierarchy. RDNs may be single valued or multi-valued, in which case t[...]

  • Page 664

    GL-16 Schema (LDAP): A package of attributes and object classes that are sometimes (nominally) related. The schema(s) in which the object classes and attributes that the application will use (reference) are packaged are identified to the LDAP server[...]

  • Page 665

    GL-17 SOAP (Simple Object Access Protocol): A lightweight XML-based protocol for exchange of information in a decentralized, distributed environment. SOAP consists of three parts: an envelope that defines a framework for describing what is in a m[...]

  • Page 666

    GL-18 U. UDP: User Datagram Protocol. A communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP). URL: Uniform Resource Locator. The unique address[...]

  • Page 667

    GL-19 X. X.509: A standard for public key infrastructure. X.509 specifies, amongst other things, standard formats for public key certificates and a certification path validation algorithm. XML (eXtensible Markup Language): XML is a flexible way to create commo[...]

  • Page 668

    GL-20 Glossary[...]

  • Page 669

    IN-1 Index. Symbols: ! formatting symbol 13-34; % operator 13-61; & formatting symbol 13-34; & operator 13-61; * operator 13-61; + operator 13-61; / operator 13-61; <= operator 13-61; <> operator 13-61; < formatting symbol 13-34; < operator 13-61; = operator [...]

  • Page 670

    IN-2 Arrange Columns dialog 13-42; ascending sort order 13-47; AVERAGE function 13-54; Average function 13-64; averages 13-54, 13-57, 13-60, 13-64. B: background colors 13-39; Between condition 13-69, 13-74; BETWEEN function 13-54; Between operator 13-38; blank charact[...]

  • Page 671

    IN-3 formatting data and 13-37; context menus 13-21; conversions 13-34; COUNT_DISTINCT function 13-54; COUNT function 13-54; Count function 13-64; Count Value function 13-64; creating: aggregate rows 13-65, 13-66; calculated columns 13-52, 13-61; data filters 13-69, 13-7[...]

  • Page 672

    IN-4 downloads 18-40; duplicate values 13-67, 13-68. E: EAP-FAST: enabling B-27; identity protection B-21; logging B-20; master keys, definition B-22; PAC: automatic provisioning B-24, definition B-22, manual provisioning B-25, refresh B-27; phases B-20; EAP-FAST settings c[...]

  • Page 673

    IN-5 G: General Date format option 13-31; General Number format option 13-31; Go to page pick list 13-22; Greater Than condition 13-70; greater than operator 13-61; Greater Than or Equal to condition 13-70; greater than or equal to operator 13-61; Group Detail dialo[...]

  • Page 674

    IN-6 locales: creating charts and 13-78; customizing formats for 13-30, 13-32, 13-35; locating text values 13-55, 13-59; logical operators 13-61; Long Date format option 13-31; Long Time format option 13-31; lowercase characters 13-57; Lowercase format option 13-31; L[...]

  • Page 675

    IN-7 numeric data types 13-31; numeric expressions 13-61, 13-62; numeric values 13-24, 13-33. O: opening: exported data files 13-25; Interactive Viewer 13-21; operators 13-38, 13-61; OR operator 13-61, 13-75. P: PAC: automatic provisioning B-24; definition B-22; manual provisi[...]

  • Page 676

    IN-8 report viewers 13-21; resizing columns 13-24, 13-29; RIGHT function 13-58; ROUNDDOWN function 13-59; ROUND function 13-58; rounding 13-54, 13-58; ROUNDUP function 13-59; row-by-row comparisons 13-55; rows 13-67, 13-68; RUNNINGSUM function 13-59; running totals 13[...]

  • Page 677

    IN-9 time data types 13-31; time formats 13-31, 13-35; timesaver, description of ii-xxiv; time stamps 13-57, 13-59; time values 13-35, 13-50; TODAY function 13-59; Top N condition 13-70; Top Percent condition 13-70; totals 13-37, 13-59, 13-64; trailing characters 13-59; TRIM [...]

  • Page 678

    IN-10 X: x-axis values 13-76. Y: y-axis values 13-76; YEAR function 13-60[...]