Cisco Systems OL-24201-01 manual

Table of contents for the manual

  • Page 1

    Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 User Guide for Cisco Secure Access Control System 5.3 April 2014 Text Part Number: OL-24201-01[...]

  • Page 2

    THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRO[...]

  • Page 3

    iii User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 CONTENTS Preface xxiii Audience xxiii Document Conventions xxiii Documentation Updates xxiv Related Documentation xxiv Obtaining Documentation and Submitting a Service Request xxv CHAPTER 1 Introducing ACS 5.3 1-1 Overview of ACS 1-1 ACS Distributed Deployment 1-2 ACS 4.x and 5.[...]

  • Page 4

    Contents iv User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Policy Terminology 3-3 Simple Policies 3-4 Rule-Based Policies 3-4 Types of Policies 3-5 Access Services 3-6 Identity Policy 3-9 Group Mapping Policy 3-11 Authorization Policy for Device Administration 3-11 Processing Rules with Multiple Command Sets 3-11 Exception Auth[...]

  • Page 5

    Contents v User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Agentless Network Access 4-12 Overview of Agentless Network Access 4-12 Host Lookup 4-13 Authentication with Call Check 4-14 Process Service-Type Call Check 4-15 PAP/EAP-MD5 Authentication 4-15 Agentless Network Access Flow 4-16 Adding a Host to an Internal Identity Store[...]

  • Page 6

    Contents vi User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 My Account Page 5-2 Using the Web Interface 5-3 Accessing the Web Interface 5-3 Logging In 5-4 Logging Out 5-5 Understanding the Web Interface 5-5 Web Interface Design 5-6 Navigation Pane 5-7 Content Area 5-8 Importing and Exporting ACS Objects through the Web Interface[...]

  • Page 7

    Contents vii User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Exporting Network Devices and AAA Clients 7-7 Performing Bulk Operations for Network Resources and Users 7-8 Exporting Network Resources and Users 7-10 Creating, Duplicating, and Editing Network Devices 7-10 Configuring Network Device and AAA Clients 7-11 Displaying N[...]

  • Page 8

    Contents viii User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Authentication Using LDAP 8-20 Multiple LDAP Instances 8-20 Failover 8-21 LDAP Connection Management 8-21 Authenticating a User Using a Bind Connection 8-21 Group Membership Information Retrieval 8-22 Attributes Retrieval 8-23 Certificate Retrieval 8-23 Creating Exter[...]

  • Page 9

    Contents ix User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Groups and Attributes Mapping 8-58 RADIUS Identity Store in Identity Sequence 8-59 Authentication Failure Messages 8-59 Username Special Format with Safeword Server 8-59 User Attribute Cache 8-60 Creating, Duplicating, and Editing RADIUS Identity Servers 8-60 Configurin[...]

  • Page 10

    Contents x User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Deleting an Authorizations and Permissions Policy Element 9-32 Configuring Security Group Access Control Lists 9-33 CHAPTER 10 Managing Access Policies 10-1 Policy Creation Flow 10-1 Network Definition and Policy Goals 10-2 Policy Elements in the Policy Creation Flow[...]

  • Page 11

    Contents xi User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Deleting Policy Rules 10-39 Configuring Compound Conditions 10-40 Compound Condition Building Blocks 10-40 Types of Compound Conditions 10-41 Using the Compound Expression Builder 10-44 Security Group Access Control Pages 10-45 Egress Policy Matrix Page 10-45 Editing a C[...]

  • Page 12

    Contents xii User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Understanding Alarm Schedules 12-9 Creating and Editing Alarm Schedules 12-9 Assigning Alarm Schedules to Thresholds 12-10 Deleting Alarm Schedules 12-11 Creating, Editing, and Duplicating Alarm Thresholds 12-11 Configuring General Threshold Information 12-13 Con[...]

  • Page 13

    Contents xiii User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Running Catalog Reports 13-11 Deleting Catalog Reports 13-13 Running Named Reports 13-13 Understanding the Report_Name Page 13-15 Enabling RADIUS CoA Options on a Device 13-18 Changing Authorization and Disconnecting Active RADIUS Sessions 13-18 Customizing Reports 1[...]

  • Page 14

    Contents xiv User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Organizing Report Data 13-41 Displaying and Organizing Report Data 13-41 Reordering Columns in Interactive Viewer 13-42 Removing Columns 13-43 Hiding or Displaying Report Items 13-44 Hiding Columns 13-44 Displaying Hidden Columns 13-45 Merging Columns 13-45 Select[...]

  • Page 15

    Contents xv User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Modifying Charts 13-76 Filtering Chart Data 13-76 Changing Chart Subtype 13-77 Changing Chart Formatting 13-77 CHAPTER 14 Troubleshooting ACS with the Monitoring & Report Viewer 14-1 Available Diagnostic and Troubleshooting Tools 14-1 Connectivity Tests 14-1 ACS S[...]

  • Page 16

    Contents xvi User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Configuring System Alarm Settings 15-17 Configuring Alarm Syslog Targets 15-17 Configuring Remote Database Settings 15-17 CHAPTER 16 Managing System Administrators 16-1 Understanding Administrator Roles and Accounts 16-2 Understanding Authentication 16-3 Configuri[...]

  • Page 17

    Contents xvii User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Viewing and Editing a Primary Instance 17-9 Viewing and Editing a Secondary Instance 17-13 Deleting a Secondary Instance 17-13 Activating a Secondary Instance 17-14 Registering a Secondary Instance to a Primary Instance 17-14 Deregistering Secondary Instances from [...]

  • Page 18

    Contents xviii User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Configuring Local Server Certificates 18-14 Adding Local Server Certificates 18-14 Importing Server Certificates and Associating Certificates to Protocols 18-15 Generating Self-Signed Certificates 18-16 Generating a Certificate Signing Request 18-17 Binding CA Sign[...]

  • Page 19

    Contents xix User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Using Log Targets 19-2 Logging Categories 19-2 Global and Per-Instance Logging Categories 19-4 Log Message Severity Levels 19-4 Local Store Target 19-5 Critical Log Target 19-7 Remote Syslog Server Target 19-8 Monitoring and Reports Server Target 19-10 Viewing Log Mess[...]

  • Page 20

    Contents xx User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Overview of EAP-TLS B-6 User Certificate Authentication B-6 PKI Authentication B-7 PKI Credentials B-8 PKI Usage B-8 Fixed Management Certificates B-9 Importing Trust Certificates B-9 Acquiring Local Certificates B-9 Importing the ACS Server Certificate B-10 Initial Self[...]

  • Page 21

    Contents xxi User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 EAP Authentication with RADIUS Key Wrap B-29 EAP-MSCHAPv2 B-30 Overview of EAP-MSCHAPv2 B-30 MSCHAPv2 for User Authentication B-30 MSCHAPv2 for Change Password B-30 Windows Machine Authentication Against AD B-31 EAP-MSCHAPv2 Flow in ACS 5.3 B-31 CHAP B-31 LEAP B-31 Cer[...]

  • Page 22

    Contents xxii User Guide for Cisco Secure Access Control System 5.3 OL-24201-01[...]

  • Page 23

    1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Preface Revised: April 17, 2014 This guide describes how to use Cisco Secure Access Control System (ACS) 5.3. Audience This guide is for security administrators who use ACS, and who set up and maintain network and application security. Document Conventions This guide uses [...]

  • Page 24

    2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Preface Caution Means reader be careful. You are capable of doing something that might result in equipment damage or loss of data. Timesaver Means the described action saves time. You can save time by performing the action described in the paragraph. Note Means[...]

  • Page 25

    3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Preface Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates. Obtaining Documentation and Submitting a Service Request For information on obtaining doc[...]

  • Page 26

    4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Preface[...]

  • Page 27

    CHAPTER 1-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 1 Introducing ACS 5.3 This section contains the following topics: • Overview of ACS, page 1-1 • ACS Distributed Deployment, page 1-2 • ACS Management Interfaces, page 1-3 Overview of ACS ACS is a policy-based security server that provides standards-comp[...]

  • Page 28

    1-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 1 Introducing ACS 5.3 ACS Distributed Deployment ACS provides advanced monitoring, reporting, and troubleshooting tools that help you administer and manage your ACS deployments. For more information on the monitoring, reporting, and troubleshooting capabiliti[...]

  • Page 29

    1-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 1 Introducing ACS 5.3 ACS Licensing Model ACS 4.x did not provide incremental replication, only full replication, and there was service downtime for replication. ACS 5.3 provides incremental replications with no service downtime. You can also force a full repl[...]

  • Page 30

    1-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 1 Introducing ACS 5.3 ACS Management Interfaces ACS Web-based Interface You can use the ACS web-based interface to fully configure your ACS deployment, and perform monitoring and reporting operations. The web interface provides a consistent user experience, re[...]

  • Page 31

    1-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 1 Introducing ACS 5.3 Hardware Models Supported by ACS For information about using the CLI, see the Command Line Interface Reference Guide for Cisco Secure Access Control System 5.3. Related Topic • ACS Web-based Interface, page 1-4 ACS Programmatic Interfaces [...]

  • Page 32

    1-6 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 1 Introducing ACS 5.3 Hardware Models Supported by ACS[...]

  • Page 33

    CHAPTER 2-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 2 Migrating from ACS 4.x to ACS 5.3 ACS 4.x stores policy and authentication information, such as TACACS+ command sets, in the user and user group records. In ACS 5.3, policy and authentication information are independent shared components that you use as b[...]

  • Page 34

    2-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 2 Migrating from ACS 4.x to ACS 5.3 Overview of the Migration Process Overview of the Migration Process The Migration utility completes the data migration process in two phases: • Analysis and Export • Import In the Analysis and Export phase, you identify the obje[...]

  • Page 35

    2-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 2 Migrating from ACS 4.x to ACS 5.3 Before You Begin Note You must install the latest patch for the supported migration versions listed here. Also, if you have any other version of ACS 4.x installed, you must upgrade to one of the supported versions and insta[...]

  • Page 36

    2-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 2 Migrating from ACS 4.x to ACS 5.3 Migrating from ACS 4.x to ACS 5.3 • User-Defined Fields (from the Interface Configuration section) • User Groups • Shared Shell Command Authorization Sets • User TACACS+ Shell Exec Attributes (migrated to user attributes)[...]

  • Page 37

    2-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 2 Migrating from ACS 4.x to ACS 5.3 Functionality Mapping from ACS 4.x to ACS 5.3 Functionality Mapping from ACS 4.x to ACS 5.3 In ACS 5.3, you define authorizations, shell profiles, attributes, and other policy elements as independent, reusable objects, and not as[...]

  • Page 38

    2-6 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 2 Migrating from ACS 4.x to ACS 5.3 Functionality Mapping from ACS 4.x to ACS 5.3 Command sets (command authorization sets) One of the following: • Shared Profile Components > Command Authorization Set • User Setup page • Group Setup page Policy Elements >[...]

  • Page 39

    2-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 2 Migrating from ACS 4.x to ACS 5.3 Common Scenarios in Migration Common Scenarios in Migration The following are some of the common scenarios that you encounter while migrating to ACS 5.3: • Migrating from ACS 4.2 on CSACS 1120 to ACS 5.3, page 2-7 • Migratin[...]

  • Page 40

    2-8 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 2 Migrating from ACS 4.x to ACS 5.3 Common Scenarios in Migration Migrating from ACS 3.x to ACS 5.3 If you have ACS 3.x deployed in your environment, you cannot directly migrate to ACS 5.3. You must do the following: Step 1 Upgrade to a migration-supported versi[...]

  • Page 41

    2-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 2 Migrating from ACS 4.x to ACS 5.3 Common Scenarios in Migration Step 3 Perform bulk import of data into ACS 5.3. For more information on performing bulk import of ACS objects, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/[...]

  • Page 42

    2-10 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 2 Migrating from ACS 4.x to ACS 5.3 Common Scenarios in Migration[...]

  • Page 43

    CHAPTER 3-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 3 ACS 5.x Policy Model ACS 5.x is a policy-based access control system. The term policy model in ACS 5.x refers to the presentation of policy elements, objects, and rules to the policy administrator. ACS 5.x uses a rule-based policy model instead of the gr[...]

  • Page 44

    3-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Overview of the ACS 5.x Policy Model For example, we use the information described for the group-based model: If identity-condition, restriction-condition then authorization-profile In ACS 5.3, you define conditions and results as globa[...]

  • Page 45

    3-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Overview of the ACS 5.x Policy Model Policy Terminology Table 3-2 describes the rule-based policy terminology. Table 3-2 Rule-Based Policy Terminology Term Description Access service Sequential set of policies used to process access r[...]

  • Page 46

    3-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Overview of the ACS 5.x Policy Model Simple Policies You can configure all of your ACS policies as rule-based policies. However, in some cases, you can choose to configure a simple policy, which selects a single result to apply to all r[...]

  • Page 47

    3-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Overview of the ACS 5.x Policy Model Types of Policies Table 3-3 describes the types of policies that you can configure in ACS. The policies are listed in the order of their evaluation; any attributes that a policy retrieves can be us[...]

  • Page 48

    3-6 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Access Services Access Services Access services are fundamental constructs in ACS 5.x that allow you to configure access policies for users and devices that connect to the network and for network administrators who administer network devices[...]

  • Page 49

    3-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Access Services Table 3-5 describes an example of a set of access services. Table 3-6 describes a service selection policy. If ACS 5.3 receives a TACACS+ access request, it applies Access Service A, which authenticates the request[...]

  • Page 50

    3-8 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Access Services ACS accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS and TACACS+ servers in ACS for ACS to forward requests to them. You can define the timeout period and the number [...]

  • Page 51

    3-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Access Services ACS can simultaneously act as a proxy server to multiple external RADIUS and TACACS+ servers. For ACS to act as a proxy server, you must configure a RADIUS or TACACS+ proxy service in ACS. See Configuring General Acce[...]

  • Page 52

    3-10 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Access Services • Identity Sequence—Sequences of the identity databases. The sequence is used for authentication and, if specified, an additional sequence is used to retrieve only attributes. You can select multiple identity methods as[...]

  • Page 53

    3-11 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Access Services Group Mapping Policy The identity group mapping policy is a standard policy. Conditions can be based on attributes or groups retrieved from the external attribute stores only, or from certificates, and the result is an i[...]

  • Page 54

    3-12 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Service Selection Policy Related Topics • Policy Terminology, page 3-3 • Authorization Profiles for Network Access, page 3-16 Exception Authorization Policy Rules A common real-world problem is that, in day-to-day operations, you often ne[...]

  • Page 55

    3-13 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Service Selection Policy Rules-Based Service Selection In the rules-based service selection mode, ACS decides which access service to use based on various configurable options. Some of them are: • AAA Protocol—The protocol used for the requ[...]

  • Page 56

    3-14 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Service Selection Policy In this example, instead of creating the network access policy for 802.1x, agentless devices, and guest access in one access service, the policy is divided into three access services. First-Match Rule Tables ACS 5.3 pro[...]

  • Page 57

    3-15 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Service Selection Policy The default rule specifies the policy result that ACS uses when no other rules exist, or when the attribute values in the access request do not match any rules. ACS evaluates a set of rules in the first-match rule [...]

  • Page 58

    3-16 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Authorization Profiles for Network Access Policy Conditions You can define simple conditions in rule tables based on attributes in: • Customizable conditions—You can create custom conditions based on protocol dictionaries and identity dic[...]

  • Page 59

    3-17 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Policies and Identity Attributes You can define multiple authorization profiles as a network access policy result. In this way, you maintain a smaller number of authorization profiles, because you can use the authorization profiles in combi[...]

  • Page 60

    3-18 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Policies and Network Device Groups Related Topics • Managing Users and Identity Stores, page 8-1 • Policy Terminology, page 3-3 • Types of Policies, page 3-5 Policies and Network Device Groups You can reference Network device group[...]

  • Page 61

    3-19 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Flows for Configuring Services and Policies Figure 3-2 illustrates what this policy rule table could look like. Figure 3-2 Sample Rule-Based Policy Each row in the policy table represents a single rule. Each rule, except for the last Defau[...]

  • Page 62

    3-20 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Flows for Configuring Services and Policies • Added users to the internal ACS identity store or add external identity stores. See Creating Internal Users, page 8-11, Managing Identity Attributes, page 8-7, or Creating External LDAP Identi[...]

  • Page 63

    3-21 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Flows for Configuring Services and Policies Related Topics • Policy Terminology, page 3-3 • Policy Conditions, page 3-16 • Policy Results, page 3-16 • Policies and Identity Attributes, page 3-17[...]

  • Page 64

    3-22 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Flows for Configuring Services and Policies[...]

  • Page 65

    CHAPTER 4-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 4 Common Scenarios Using ACS Network control refers to the process of controlling access to a network. Traditionally a username and password was used to authenticate a user to a network. Nowadays with the rapid technological advancements, the traditional [...]

  • Page 66

    4-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Overview of Device Administration Cisco Secure Access Control System (ACS) allows you to centrally manage access to your network services and resources (including devices, such as IP phones, printers, and so on). ACS 5.3 is a policy-ba[...]

  • Page 67

    4-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Overview of Device Administration If a command is matched to a command set, the corresponding permit or deny setting for the command is retrieved. If multiple results are found in the rules that are matched, they are consolidated and a si[...]

  • Page 68

    4-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Overview of Device Administration Step 5 Configure an access service policy. See Access Service Policy Creation, page 10-4. Step 6 Configure a service selection policy. See Service Selection Policy Creation, page 10-4. Step 7 Configur[...]

  • Page 69

    4-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Password-Based Network Access TACACS+ Custom Services and Attributes This topic describes the configuration flow to define TACACS+ custom attributes and services. Step 1 Create a custom TACACS+ condition to move to TACACS+ servi[...]

  • Page 70

    4-6 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Password-Based Network Access Note During password-based access (or certificate-based access), the user is not only authenticated but also authorized according to the ACS configuration. And if NAS sends accounting requests, the user i[...]

  • Page 71

    4-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Password-Based Network Access Password-Based Network Access Configuration Flow This topic describes the end-to-end flow for password-based network access and lists the tasks that you must perform. The information about how to configure [...]

  • Page 72

    4-8 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Password-Based Network Access For RADIUS, non-EAP authentication methods (RADIUS/PAP, RADIUS/CHAP, RADIUS/MS-CHAPv1, RADIUS/MSCHAPv2), and simple EAP methods (EAP-MD5 and LEAP), you need to configure only the protocol in the Allowe[...]

  • Page 73

    4-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Certificate-Based Network Access Related Topics • Authentication in ACS 5.3, page B-1 • Network Devices and AAA Clients, page 7-5 • Managing Access Policies, page 10-1 • Creating, Duplicating, and Editing Access Services, page 10-[...]

  • Page 74

    4-10 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Certificate-Based Network Access You can configure two types of certificates in ACS: • Trust certificate—Also known as CA certificate. Used to form CTL trust hierarchy for verification of remote certificates. • Local certi[...]

  • Page 75

    4-11 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Certificate-Based Network Access Step 4 Configure policy elements. See Managing Policy Conditions, page 9-1, for more information. You can create custom conditions to use the certificate's attributes as a policy condition. See Cre[...]

  • Page 76

    4-12 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Agentless Network Access Validating an LDAP Secure Authentication Connection You can define a secure authentication connection for the LDAP external identity store, by using a CA certificate to validate the connection. To validate a[...]

  • Page 77

    4-13 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Agentless Network Access Cisco provides two features to accommodate non-802.1x devices. For example, MAC Authentication Bypass (Host Lookup) and the Guest VLAN access by using web authentication. ACS 5.3 supports the Host Lookup fall[...]

  • Page 78

    4-14 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Agentless Network Access • Internal users • Active Directory You can access the Active Directory via the LDAP API. You can use the Internal Users identity store for Host Lookup in cases where the relevant host is already listed in[...]

  • Page 79

    4-15 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Agentless Network Access Process Service-Type Call Check You may not want to copy the CallingStationID attribute value to the System UserName attribute value. When the Process Host Lookup option is checked, ACS uses the System User[...]

  • Page 80

    4-16 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Agentless Network Access Agentless Network Access Flow This topic describes the end-to-end flow for agentless network access and lists the tasks that you must perform. The information about how to configure the tasks is located in the[...]

  • Page 81

    4-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Agentless Network Access Step 7 Define the service selection. Step 8 Add the access service to your service sel ection policy . For more information, see Creating, Duplicating , and Editing Service Selection Ru les, page 10-8 . Related Topic[...]

  • Page 82

    4-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS Agentless Networ k Access Previous Step: Network De vices and AAA Clients, page 7-5 Next Step: Config uring an Identity Group f or Host Lookup Network Access Requests, page 4-18 Related Topics • Creating External LD AP Identity Stores, pa[...]

  • Page 83

    4-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Agentless Network Access c. Select Network Access , and check Identity and A uthorization . The group mapping an d External Policy options are optional . d. Make sure you select Process Host Lookup. If you want A CS to detect P AP or EAP-MD5[...]

  • Page 84

    4-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS VPN Remote Network Access Configuring an Authorization Policy for Host Lookup Requests T o conf igure an authorization polic y for Host Lookup requests: Step 1 Choose Access Policies > Access Services > <access_servicename> A ut[...]

  • Page 85

    4-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS VPN Remote Network Access Supported Authentication Protocols A CS 5.3 supports the follo wing protocols for inner aut hentication inside the VPN tunn el: • RADIUS/P AP • RADIUS/CHAP • RADIUS/MS-CHAPv1 • RADIUS/MS-CHAPv2 W ith the use[...]

  • Page 86

    4-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS VPN Remote Network Access Supported VPN Networ k Access Servers A CS 5.3 supports the followi ng VPN network access serv ers: • Cisco ASA 5500 Series • Cisco VPN 3000 Series Related Topics • VPN Remote Network A ccess, page 4-20 • S[...]

  • Page 87

    4-23 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS ACS and Cisco Security Group Access Related Topics • VPN Remote Network A ccess, page 4-20 • Supported Authenticati on Protocols, page 4-21 • Supported Identity Stores, pag e 4-21 • Supported VPN Netw ork Access Servers, page 4-22 ?[...]

  • Page 88

    4-24 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS ACS and Cisco Security Group Access 6. Config uring EAP-F AST Setti ngs for Security Group Access . 7. Creating an Access Service for Security Group Acces s . 8. Creating an Endpoint A dmission Control Po licy . 9. Creating an Egress Policy[...]

  • Page 89

    4-25 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS ACS and Cisco Security Group Access Devices co nsider only the SGT v alue; the name and descr iption of a security group are a management con venience and are not con veyed to the de vices. Therefore, changing the name or description of the [...]

  • Page 90

    4-26 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS ACS and Cisco Security Group Access T o conf igure an ND A C polic y for a de vice: Step 1 Choose Access Policies > Security Gr oup Access Control > Security Group Access > Network Device Access > A uthorization Policy . Step 2 [...]

  • Page 91

    4-27 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS ACS and Cisco Security Group Access Step 5 Click Next . The Access Services Properties page appears. Step 6 In the Authenticati on Protocols area, check the relev ant protoc ols for your access service. Step 7 Click Finish . Creating an Endp[...]

  • Page 92

    4-28 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS ACS and Cisco Security Group Access The first r ow (topmost) of t he matr ix contains the column headers, which display the destination SGT . The first co lumn (far left) contain s the row t itles, with the source SG displayed. At t he inte[...]

  • Page 93

    4-29 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS RADIUS and TACACS+ Pro xy Requests T o cr eate a default polic y: Step 1 Choose Access Policies > Security Gr oup Acc ess Control > Egress P olicy then choose Default Policy . Step 2 Fill in the f ields as in the Default Po licy for Eg[...]

  • Page 94

    4-30 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS RADIUS and TACACS+ Proxy Requests During proxying, ACS: 1. Receiv es the following packets from the N AS and forwards them to the remote RADIUS server: • Access-Request • Accounting-Request packets 2. Receiv es the follo wing packets fr[...]

  • Page 95

    4-31 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS RADIUS and TACACS+ Pro xy Requests The T ACA CS+ proxy feature in A CS supports the follo wing protocols: • PA P • ASCII • CHAP • MSCHAP authentications types Related Topics • RADIUS and T A CACS+ Proxy Requests, page 4-29 • Supp[...]

  • Page 96

    4-32 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS RADIUS and TACACS+ Proxy Requests Configuring Proxy Service T o conf igure proxy services: Step 1 Config ure a set of remote RADIUS and T ACA CS+ servers. For informatio n on how to configure remote servers, see Creating , Duplicating, and [...]

  • Page 97

    CH A P T E R 5-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 5 Understanding My Workspace The Cisco Secure A CS web interface is designed to be vie wed using Microsoft Internet Explor er 7.x, 8.x, and 9.x and Mozi lla Firefox 3.x and 4.x. The web interface not only makes vie wing and administering A CS possible, but i t also [...]

  • Page 98

    5-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Task Guides Task Guides From the My W orkspace dra wer , you can access T asks Guides. When you click an y of the tasks, it opens a frame on the right side of the we b interface. This frame contains step -by-step instruc tions as well as lin[...]

  • Page 99

    5-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Using the Web In terface Related Topics • Config uring Authentication Settings for Administrato rs, page 16-9 • Changing the Ad ministrator Password, page 16-13 Using the Web Interface Y ou can conf igure and administer A CS through the [...]

  • Page 100

    5-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Using the Web Interface Logging In T o log in to the A CS web interf ace for the f irst time after installation: Step 1 Enter the A CS URL in your browser , for example https:// acs_host /acsadmin , where /acs_ho st is the IP address or Doma[...]

  • Page 101

    5-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Using the Web In terface Step 7 See Installing a License File, page 18 -35 to install a v alid license. • If your login is successful, the main page of the ACS web interface appears. • If your login is unsuccessful , the follo wing error[...]

  • Page 102

    5-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Using the Web Interface Web Interface Design Figure 5-1 sho ws the overall design of the A CS w eb interface. Figure 5-1 ACS W eb Interf ace The interface contains: • Header , page 5-6 • Navig ation Pane, pag e 5-7 • Content Area, page[...]

  • Page 103

    5-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Using the Web In terface Navigation Pane Use the navigation pane to navigate through the drawers of the we b interface (see Figure 5-3 ). Figure 5-3 Navig ation P ane Ta b l e 5 - 3 describes the function o f each drawer . T o open a drawer [...]

  • Page 104

    5-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Using the Web Interface The options listed beneath dra wers in the na vigation pane are or ganized in a tree structure, where appropriate. The options in the tr ee structure are dynamic and can chan ge based on administrator actions. Creatin[...]

  • Page 105

    5-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Using the Web In terface Web Interface Location Y our current location in the interface ap pears at the top of the content a rea. Figure 5-5 sho ws that the location is the Poli cy Elements drawer and t he Network De vices and AAA Clients pa[...]

  • Page 106

    5-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Using the Web Interface T able 5-4 Common Cont ent Ar ea Butt o ns and Fields for List P ages Button or Field Description Rows per page Use the drop-down list to specify the num ber of items to disp lay on this page. Options: • 10—Up to[...]

  • Page 107

    5-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Using the Web In terface T ree table pages are a v ariation of list pages (see Figure 5-6 ). Y ou can perform the same operations on tree table pages that you can on l ist pages, except for paging. In addition, with tree tabl e pages: • A[...]

  • Page 108

    5-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Using the Web Interface Filtering Large lists in a content area windo w or a secondary window (see Figure 5-9 ) can be dif ficult to navigate through and select the data that you w ant. Y ou can us e the web interface to f ilter data in the[...]

  • Page 109

    5-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Using the Web In terface For pages that do not ha ve a Name or Description column, the sorting mechan ism may be supported in the left-most column of the pa ge, or the Descript ion column. Place your curs or ov er a column heading to determ[...]

  • Page 110

    5-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Using the Web Interface Figur e 5-9 Secondary Windo w In addition to selectin g and filt ering data, you can cr eate a selectable object within a secondary windo w . For ex ample, if you attempt to cr eate a us ers internal identity store, [...]

  • Page 111

    5-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Using the Web In terface Figur e 5-1 0 T ransf er Box T able 5-6 T ransf er Box Fields and But tons Field or Button Description A v ailable List of av ailable items for selection. Selected Ordered list of selected items. Right arrow (>) [...]

  • Page 112

    5-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Using the Web Interface Schedule Boxes Schedule boxes are a common element in content area pages (see Figure 5-10 ). Y ou use them to select activ e times for a policy element from a grid, where each ro w represents a day of the week and ea[...]

  • Page 113

    5-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Using the Web In terface Directly above the rule ta ble are two displa y options: • Standard Polic y—Click to display the stand ard policy rule tabl e. • Exception Po licy—Click to di splay the exceptio n policy rule tab le, which t[...]

  • Page 114

    5-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Importing and Ex porting ACS Objects through the Web In terface Related Topic • A CS 5.x Polic y Model Importing and Exporting ACS Objects through the Web Interface Y ou can use the import functionality in A CS to add, up date, or delete [...]

  • Page 115

    5-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Importing and Exporting ACS Ob jects throug h the Web Interface Ta b l e 5 - 9 lists the A CS objects, their properties, and the property data types. The imp ort template for each of the objects contain s the properties described in this ta[...]

  • Page 116

    5-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Importing and Ex porting ACS Objects through the Web In terface Fields that ar e optional can be left empt y and A C S substitutes the def ault v alues for those f ields. For e xample, whe n fie lds that are rela ted to a hierar chy are lef[...]

  • Page 117

    5-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Importing and Exporting ACS Ob jects throug h the Web Interface Downloading the Template from the Web Interface Before you can create the import file, you must downlo ad the import f ile templates from the A CS web interface. T o do wnload [...]

  • Page 118

    5-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Importing and Ex porting ACS Objects through the Web In terface For e xample, the internal user Add temp late contains the fields described in Ta b l e 5 - 1 0 : Each ro w of the .csv f ile corresponds to one internal user re cord . Y ou mu[...]

  • Page 119

    5-23 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Importing and Exporting ACS Ob jects throug h the Web Interface Figure 5-12 Add Users – Import File Step 4 Sav e the add users import file to your local disk. Updating the Records in the ACS Internal Store When you update the records in t[...]

  • Page 120

    5-24 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Importing and Ex porting ACS Objects through the Web In terface Figur e 5-13 Update Users–Import File Note The second column, Updated name, is the addi tional column that you can add to the Update template. Deleting Records from the ACS I[...]

  • Page 121

    5-25 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Common Errors Common Errors Y ou might encounter these common errors: • Concurrency Co nflict Errors, page 5-25 • Deletion Errors, page 5-26 • System F ailure Errors, page 5-27 • Accessibility , page 5- 27 Concurrency Conflict Error[...]

  • Page 122

    5-26 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Common Errors Error Message The item you are trying to Submit i s referencing items that do not exist anymore. Explanation Y ou attempted to edit or duplicate an it em that is referencing an item th at another user deleted while yo u tried [...]

  • Page 123

    5-27 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Accessibility System Failure Errors System failure errors occur when a system malfunc tion is detect ed. When a sys tem failur e error is detected, a dialog box appears, with an error messa ge and OK b utton. Read the error message, click O[...]

  • Page 124

    5-28 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Accessibility • Color used as an enhan cement of information only , not as the only indicator . F or example, required fields are associated with a red asterisk. • Confir mation messages for important setti ngs and actions. • User-con[...]

  • Page 125

    CH A P T E R 6-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 6 Post-Installation Configuration Tasks This chapter pro vides a set of conf iguration tasks that you must perform to work with A CS. This chapter contains the follo wing sections: • Config uring Minimal System Setup, page 6-1 • Config uring A CS to Perform Syst[...]

  • Page 126

    6-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 6 Post-In stallation Configuration Tasks Configuring ACS to Perfor m System Administration Tasks Configuring ACS to Perform System Administration Tasks Ta b l e 6 - 2 lists the set of syst em administration tasks that you must perform to admini ster A CS. Ta b l e 6 - 2 [...]

  • Page 127

    6-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 6 Post-Ins tallation Configuration Tasks Configuring ACS to Perfor m System Administration Tasks Step 8 Add users or hosts to the internal identity sto re, or define external identity stores, or both. • For internal i dentity stores: Users and Identity Stores > Inte[...]

  • Page 128

    6-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 6 Post-In stallation Configuration Tasks Configuring ACS to Manage Access Polic ies Configuring ACS to Manage Access Policies Ta b l e 6 - 3 lists the set of tasks that you must perform to manage access restrictions and permissi ons. Configuring ACS to Monitor and Troubl[...]

  • Page 129

    6-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 6 Post-Ins tallation Configuration Tasks Configuring ACS to Monitor and Troubleshoot Problems in the Network Step 4 Enable sys tem alarms an d specify ho w you wou ld like to recei ve notif ication. Monitoring Conf iguration > System Config uration > System Alarm S[...]

  • Page 130

    6-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 6 Post-In stallation Configuration Tasks Configuring ACS to Mo nitor and Troublesho ot Problems in the Network[...]

  • Page 131

    CH A P T E R 7-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 7 Managing Network Resources The Network Resource s drawer defines elements within the networ k that issue requests to A CS or those that A CS interacts with as part of processing a requ est. This includes the network devices that issue the requests and external ser[...]

  • Page 132

    7-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Network Device Groups Network Device Groups In A CS, you can de fine network de vice groups (ND Gs ), which are sets of de vices. These NDGs pro vide logical groupin g of devi ces, for examp le, Devi ce Location or T ype, which you can use i[...]

  • Page 133

    7-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Network Device Groups Step 4 Click Submit . The network de vice group conf iguration is sa ved. The Network De vice Groups page appears with the ne w network de vice group configurat ion. Related Topics • Network De vice Groups, page 7-2 [...]

  • Page 134

    7-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Network Device Groups Creating, Duplicating, and Editing Network Device Groups Within a Hierarchy Y ou can arrange the netw ork de vice group node hierarchy accord ing to your needs by choo sing parent and child relationships fo r new , d up[...]

  • Page 135

    7-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Network Devices and AAA Clients Deleting Network Device Groups from a Hierarchy T o delete a netw ork dev ice group from within a hierarch y: Step 1 Choose Network Resour ces > Network Device Gr oups . The Network De vice Groups page app[...]

  • Page 136

    7-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Network Devices and A AA Clients Y ou must install Security Group Access license to enable Security Group A ccess options. The Security Group Access options only appear if y ou hav e installed the Secur ity Group Access license. F or more in[...]

  • Page 137

    7-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Network Devices and AAA Clients – Device T y pe Y ou can specify full IP ad dress, or IP address with wildcard “* ” or , with IP address range, such as [15-20] in the IP address search field. The wi ldcard “*” and the IP rang e [1[...]

  • Page 138

    7-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Network Devices and A AA Clients Step 2 Choose the filter condition and the Match if operator , and enter the f ilter criterion that you are looking for in the te xt box. Step 3 Click Go . A list of recor ds that match y our filter criterion[...]

  • Page 139

    7-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Network Devices and AAA Clients Step 3 Click any one of the follo wing operations if you hav e pre viously created a template-based .csv f ile on your local disk: • Add—Adds the records in th e .csv file to the records currently a v ail[...]

  • Page 140

    7-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Network Devices and A AA Clients Exporting Network Resources and Users T o e xport a list of network resources or u sers: Step 1 Click Export on the Users, Network De vices, or MA C Address page of the web interface. The Network De vice pag[...]

  • Page 141

    7-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Network Devices and AAA Clients The first page of the Create Network De vice process appears if you are creating a ne w network d evice. The Network Device Properties page for the selected device appears if you are duplicating o r editing [...]

  • Page 142

    7-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Network Devices and A AA Clients IP Range(s) By Mask Choose to enter an IP address range. Y ou can configure up to 40 IP addresses or sub net masks for each network device. If you use a subnet ma sk in th is field, all IP addresses within t[...]

  • Page 143

    7-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Network Devices and AAA Clients Single Connect Device Check to use a single TCP connection for all T ACA CS+ communication wit h the network de vice. Choose one: • Legac y T A CA CS+ Single Conn ect Support • T A CA CS+ Draft Complian [...]

  • Page 144

    7-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Network Devices and A AA Clients Displaying Network Device Properties Choose Network Resour ces > Network De vices and AAA Clients , then click a de vice name or check the check box ne xt to a de vice name, and click Edit or Duplicate . [...]

  • Page 145

    7-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Network Devices and AAA Clients IP Range(s) By Mask Choose to enter an IP addre ss range. Y ou can configure up to 40 IP addresses or subnet masks for each network de vice. If you use a subn et mask in this f iel d, all IP addresses within[...]

  • Page 146

    7-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Network Devices and A AA Clients RADIUS Shared Secret Shared secret of the network d evice, if y ou hav e enabled the RA DIUS protocol. A shared secret is an expected string of te xt, which a user must pro vide before the netwo rk device au[...]

  • Page 147

    7-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Configuring a Default Network Device Related Topics: • V ie wing and Performing Bulk Operations fo r Network De vices, page 7-6 • Creating, Duplicati ng, and Editing Netw ork De vice Groups, page 7- 2 Deleting Network Devices T o delet[...]

  • Page 148

    7-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Configuring a Default Network Device Choose Network Resour ces > Default Network De vice to conf igure the default network de vice. The Default Netw ork De vice page appears, di splaying the informat ion described in Ta b l e 7 - 6 . T a[...]

  • Page 149

    7-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Working with Extern al Proxy Servers Related Topics • Network De vice Groups, page 7-2 • Network De vices and AAA Clients, page 7-5 • Creating, Duplicati ng, and Editing Netw ork De vice Groups, page 7- 2 Working with External Proxy [...]

  • Page 150

    7-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Working with Exte rnal Proxy Servers Step 2 Do one of the foll ow ing: • Click Crea te . • Check the check box next to the external proxy server that you want to duplicate, then click Duplicate . • Click the exte rnal proxy server nam[...]

  • Page 151

    7-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Working with Extern al Proxy Servers Note If you want A CS to forward un known RADIUS attrib utes you ha ve to define VSAs f or proxy . Related Topics • RADIUS and T A CA CS+ Proxy Services, page 3-7 • RADIUS and T A CACS+ Proxy Reques[...]

  • Page 152

    7-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Working with Exte rnal Proxy Servers[...]

  • Page 153

    CH A P T E R 8-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 8 Managing Users and Identity Stores Overview A CS manages your network de vices and other A C S clients by using the A CS network resource repositories and identity stores. When a host conn ects to the network through ACS requesting access to a particular network r[...]

  • Page 154

    8-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Overview Fixed components are: • Name • Description • Password • Enabled or disabled status • Identity grou p to which users belong Config urable components are: • Enable password f or T ACA CS+ authentication • Sets of[...]

  • Page 155

    8-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Overview Identity Stores with Tw o-Factor Authentication Y ou can use t he RSA SecurID T oken Serv er and RA DIUS Ident ity Server t o provide two-facto r authentication. These extern al identity stores use an O TP that pr ovides g re[...]

  • Page 156

    8-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Intern al Identity Stores Identity Sequences Y ou can configure a complex condition where multiple identity stores an d prof iles are used to process a request. Y ou can define these identity met hods in an Identity Sequence[...]

  • Page 157

    8-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Id entity Stores • Authentication informatio n Note A CS 5.3 supports authent ication for internal users against th e internal identity sto re only . This section contains the following topics: • Authentication I[...]

  • Page 158

    8-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Intern al Identity Stores Identity Groups Y ou can assign each i nternal user to one identit y group. Iden tity groups are def ined within a hi erarchical structure. Th ey are lo gical entities t hat are associ ated with use[...]

  • Page 159

    8-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Id entity Stores Related Topics • Managing Users an d Identity Stores, pa ge 8-1 • Managing Intern al Identity Sto res, page 8-4 • Performing Bulk Operation s for Network Resources and Users, page 7-8 • Ident[...]

  • Page 160

    8-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Intern al Identity Stores Standard Attributes Ta b l e 8 - 1 describes the standard attributes in the internal us er record. User Attributes Administrators can create and ad d user-d efined attribut es from the set of identi[...]

  • Page 161

    8-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Id entity Stores In A CS 5.3, you can configure i dentity attrib utes that are used within your policies, in th is order: 1. Define an identity attribute (using t he user dictionary). 2. Define custom conditions t o [...]

  • Page 162

8-10 (Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores) Step 3 In the Advanced tab, enter the values for the criteria that you want to configure for your user authentication process. Table 8-3 describes the fields in the Advanced tab. Password[...]

  • Page 163

8-11 (Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores) Step 4 Click Submit. The user password is configured with the defined criteria. These criteria will apply only for future logins. Note ACS supports any character as passwords and shared secre[...]

  • Page 164

8-12 (Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores) • Click the username that you want to modify, or check the check box next to the name and click Edit. • Check the check box next to the user whose password you want to change, then click Ch[...]

  • Page 165

8-13 (Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores) Description (Optional) Description of the user. Identity Group Click Select to display the Identity Groups window. Choose an identity group and click OK to configure the user with a specific [...]

  • Page 166

8-14 (Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores) Step 5 Click Submit. The user configuration is saved. The Internal Users page appears with the new configuration. Related Topics • Configuring Authentication Settings for Users, page 8-9 • V[...]

  • Page 167

8-15 (Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores) Step 4 Click OK. The Internal Users page appears without the deleted users. Related Topics • Viewing and Performing Bulk Operations for Internal Identity Store Users, page 8-15 • Creating Int[...]

  • Page 168

8-16 (Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores) Creating Hosts in Identity Stores. To create, duplicate, or edit a MAC address and assign identity groups to internal hosts: Step 1 Select Users and Identity Stores > Internal Identity Stor[...]

  • Page 169

8-17 (Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores) Step 4 Click Submit to save changes. The MAC address configuration is saved. The Internal MAC list page appears with the new configuration. Note Hosts with wildcards (supported formats) for MA[...]

  • Page 170

8-18 (Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores) Deleting Internal Hosts. To delete a MAC address: Step 1 Select Users and Identity Stores > Internal Identity Stores > Hosts. The Internal MAC List page appears, with any configured MA[...]

  • Page 171

8-19 (Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores) • Policies and Identity Attributes, page 3-17 • Configuring an Identity Group for Host Lookup Network Access Requests, page 4-18 Management Hierarchy. Management Hierarchy enables the admin[...]

  • Page 172

8-20 (Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores) The administrator can configure any level of hierarchy while defining management centers or AAA client locations. The syntax for the ManagementHierarchy attribute is: <HierarchyName>: <[...]

  • Page 173

8-21 (Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores) Related Topics Configuring and Using HostIsInManagementHierarchy Attributes, page 8-21. Configuring and Using HostIsInManagementHierarchy Attributes. To configure and use HostIsInManagement[...]

  • Page 174

8-22 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Managing External Identity Stores. ACS 5.3 integrates with external identity systems in a number of ways. You can leverage an external authentication service or use an external system to obt[...]

  • Page 175

8-23 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) • Configuring LDAP Groups, page 8-33 • Viewing LDAP Attributes, page 8-34 Directory Service. The directory service is a software application, or a set of applications, for storing and organ[...]

  • Page 176

8-24 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Failover. ACS 5.3 supports failover between a primary LDAP server and secondary LDAP server. In the context of LDAP authentication with ACS, failover applies when an authentication reques[...]

  • Page 177

8-25 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Possible reasons for an LDAP server to return bind (authentication) errors are: – Filtering errors—A search using filter criteria fails. – Parameter errors—Invalid parameters were entered.[...]

  • Page 178

8-26 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) • Unsigned Integer 32 • IPv4 Address For unsigned integers and IPv4 attributes, ACS converts the strings that it has retrieved to the corresponding data types. If conversion fails or if[...]

  • Page 179

8-27 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Step 5 Continue with Configuring an External LDAP Server Connection, page 8-27. Note NAC Guest Server can also be used as an External LDAP Server. For the procedure to use NAC Guest Server as an[...]

  • Page 180

8-28 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Anonymous Access Click to ensure that searches on the LDAP directory occur anonymously. The server does not distinguish who the client is and will allow the client read access to any data that[...]

  • Page 181

8-29 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Step 2 Click Next. Step 3 Continue with Configuring External LDAP Directory Organization, page 8-29. Configuring External LDAP Directory Organization. Use this page to configure an external LDAP[...]

  • Page 182

8-30 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Table 8-8 LDAP: Directory Organization Page. Option Description Schema Subject Object class Value of the LDAP objectClass attribute that identifies the subject. Often, subject records hav[...]

  • Page 183

8-31 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Subject Search Base Enter the distinguished name (DN) for the subtree that contains all subjects. For example: o=corporation.com If the tree containing subjects is the base DN, enter: o=corporat[...]

  • Page 184

8-32 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Step 2 Click Finish. The external identity store you created is saved. Username Prefix/Suffix Stripping Strip start of subject name up to the last occurrence of the separator Enter the appropr[...]

  • Page 185

8-33 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Related Topics • Configuring LDAP Groups, page 8-33 • Deleting External LDAP Identity Stores, page 8-33 Deleting External LDAP Identity Stores. You can delete one or more external LDAP iden[...]

  • Page 186

8-34 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Viewing LDAP Attributes. Use this page to view the external LDAP attributes. Step 1 Select Users and Identity Stores > External Identity Stores > LDAP. Step 2 Check the check box next to[...]

  • Page 187

8-35 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) This means the switch port to which these devices attach cannot authenticate them using the 802.1X exchange of device or user credentials and must revert to an authentication mechanism other [...]

  • Page 188

8-36 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Figure 8-1 LDAP Interface Configuration in NAC Profiler. Step 5 Click Update Server. Step 6 Click the Configuration tab and click Apply Changes. The Update NAC Profiler Modules page ap[...]

  • Page 189

8-37 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Step 2 Choose Configuration > Endpoint Profiles > View/Edit Profiles List. A list of profiles in a table appears. Step 3 Click on the name of a profile to edit it. Step 4 In the Save [...]

  • Page 190

8-38 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) To edit the NAC Profiler template in ACS: Step 1 Choose Users and Identity Stores > External Identity Stores > LDAP. Step 2 Click on the name of the NAC Profiler template or check[...]

  • Page 191

8-39 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Figure 8-5 Test Bind to Server Dialog Box. For more information, see Creating External LDAP Identity Stores, page 8-26. Note The default password for LDAP is GBSbeacon. If you want to change [...]

  • Page 192

8-40 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) • Number of Subjects: 100 • Number of Directory Groups: 6 Figure 8-7 Test Configuration Dialog Box. Number of Subjects—This value maps to the actual subject devices already profiled b[...]

  • Page 193

8-41 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) For more information on features like Event Delivery Method and Active Response, see the Cisco NAC Profiler Installation and Configuration Guide, Release 3.1 at the following location: http:/[...]

  • Page 194

8-42 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) The AD user password change using the above methods must follow the AD password policy. You must check with your AD administrator to know the complete AD password policy rule. AD password[...]

  • Page 195

8-43 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) If there is a firewall between ACS and AD, certain ports need to be opened in order to allow ACS to communicate with AD. The following are the default ports to be opened: Note Dial-in users ar[...]

  • Page 196

8-44 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Attribute Retrieval for Authorization. You can configure ACS to retrieve user or machine AD attributes to be used in authorization and group mapping rules. The attributes are mapped to the A[...]

  • Page 197

8-45 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Machine Access Restrictions. MAR helps tie the results of machine authentication to the user authentication and authorization process. The most common usage of MAR is to fail authentication of users[...]

  • Page 198

8-46 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) The Engineers' rule is an example of a MAR rule that only allows engineers access if their machine was successfully authenticated against the Windows DB. The Managers' rule is an example of a[...]

  • Page 199

8-47 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Dial-in Support Attributes. The user attributes on Active Directory are supported on the following servers: • Windows Server 2003 • Windows Server 2003 R2 • Windows Server 2008 • Wi[...]

  • Page 200

8-48 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Joining ACS to an AD Domain. After you configure the AD identity store in ACS through the ACS web interface, you must submit the configuration to join ACS to the AD domain. For more informat[...]

  • Page 201

8-49 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Step 3 Click: Username Predefined user in AD. The AD account required for domain access in ACS should have either of the following: • Add workstations to domain user right in the corresponding domain[...]

  • Page 202

8-50 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) • Save Changes to save the configuration, join the ACS to the specified AD domain with the configured credentials, and start the AD agent. • Discard Changes to discard all changes. • If A[...]

  • Page 203

8-51 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) The External User Groups dialog box appears displaying a list of AD groups in the domain, as well as other trusted domains in the same forest. If you have more groups that are not displayed, use t[...]

  • Page 204

8-52 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Step 3 Click: • Save Changes to save the configuration. • Discard Changes to discard all changes. Table 8-11 Active Directory: Attributes Page. Option Description Name of example Subj[...]

  • Page 205

8-53 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) • If AD is already configured and you want to delete it, click Clear Configuration after you verify that there are no policy rules that use custom conditions based on the AD dictionary. AD D[...]

  • Page 206

8-54 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) RSA SecurID Server. ACS supports the RSA SecurID server as an external database. RSA SecurID two-factor authentication consists of the user's personal identification number (PIN) and an indiv[...]

  • Page 207

8-55 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Override Automatic Load Balancing RSA SecurID Agent automatically balances the requested loads on the RSA SecurID servers in the realm. However, you do have the option to manually balance the [...]

  • Page 208

8-56 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Step 4 Click the ACS Instance Settings tab. See Configuring ACS Instance Settings, page 8-57 for more information. Step 5 Click the Advanced tab. See Configuring Advanced Options, page 8-59 [...]

  • Page 209

8-57 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Related Topics: • RSA SecurID Server, page 8-54 • Configuring ACS Instance Settings, page 8-57 • Configuring Advanced Options, page 8-59 Configuring ACS Instance Settings. The ACS Instan[...]

  • Page 210

8-58 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Enable the RSA options file You can enable the RSA options file (sdopts.rec) on each ACS instance to control routing priorities for connections between the RSA agent and the RSA servers in the [...]

  • Page 211

8-59 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Step 1 Choose either of the following options: • To reset node secret on the agent host, check the Remove securid file on submit check box. If you reset the node secret on the agent host, you m[...]

  • Page 212

8-60 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Related Topics • RSA SecurID Server, page 8-54 • Creating and Editing RSA SecurID Token Servers, page 8-55 • Configuring ACS Instance Settings, page 8-57 • Editing ACS Instance Set[...]

  • Page 213

8-61 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Failover. ACS 5.3 allows you to configure multiple RADIUS identity stores. Each RADIUS identity store can have primary and secondary RADIUS servers. When ACS is unable to connect to the primar[...]

  • Page 214

8-62 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) RADIUS Identity Store in Identity Sequence. You can add the RADIUS identity store for authentication sequence in an identity sequence. However, you cannot add the RADIUS identity store for at[...]

  • Page 215

8-63 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Safeword token servers support both the formats. ACS works with various token servers. While configuring a Safeword server, you must check the Safeword Server check box for ACS to parse the [...]

  • Page 216

8-64 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Step 2 Click Create. You can also: • Check the check box next to the identity store you want to duplicate, then click Duplicate. • Click the identity store name that you want to modif[...]

  • Page 217

8-65 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Server Connection Enable Secondary Server Check this check box to use a secondary RADIUS identity server as a backup server in case the primary RADIUS identity server fails. If you enable the secon[...]

  • Page 218

8-66 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Related Topics • RADIUS Identity Stores, page 8-60 • Creating, Duplicating, and Editing RADIUS Identity Servers, page 8-63 • Configuring Shell Prompts, page 8-66 • Configuring Directo[...]

  • Page 219

8-67 (Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores) Configuring Directory Attributes. When a RADIUS identity server responds to a request, RADIUS attributes are returned along with the response. You can make use of these RADIUS attributes in polic[...]

  • Page 220

8-68 (Chapter 8, Managing Users and Identity Stores: Configuring CA Certificates) • Configuring Shell Prompts, page 8-66 • Configuring Advanced Options, page 8-68 Configuring Advanced Options. In the Advanced tab, you can do the following: • Define what an access reject fro[...]

  • Page 221

8-69 (Chapter 8, Managing Users and Identity Stores: Configuring CA Certificates) You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and prov[...]

  • Page 222

8-70 (Chapter 8, Managing Users and Identity Stores: Configuring CA Certificates) Step 4 Click Submit. The new certificate is saved. The Trust Certificate List page appears with the new certificate. Related Topics • User Certificate Authentication, page B-6 • Overview of [...]

  • Page 223

8-71 (Chapter 8, Managing Users and Identity Stores: Configuring CA Certificates) Step 3 Click Submit. The Trust Certificate page appears with the edited certificate. Related Topics • User Certificate Authentication, page B-6 • Overview of EAP-TLS, page B-6 Deleting a Certifica[...]

  • Page 224

8-72 (Chapter 8, Managing Users and Identity Stores: Configuring Certificate Authentication Profiles) Related Topic • Overview of EAP-TLS, page B-6 Exporting a Certificate Authority. To export a trust certificate: Step 1 Select Users and Identity Stores > Certificate Author[...]

  • Page 225

8-73 (Chapter 8, Managing Users and Identity Stores: Configuring Certificate Authentication Profiles) To create, duplicate, or edit a certificate authentication profile: Step 1 Select Users and Identity Stores > Certificate Authentication Profile. The Certificate Authentic[...]

  • Page 226

8-74 (Chapter 8, Managing Users and Identity Stores: Configuring Identity Store Sequences) Configuring Identity Store Sequences. An access service identity policy determines the identity sources that ACS uses for authentication and attribute retrieval. An identity source consists[...]

  • Page 227

8-75 (Chapter 8, Managing Users and Identity Stores: Configuring Identity Store Sequences) Step 2 Do one of the following: • Click Create. • Check the check box next to the sequence that you want to duplicate, then click Duplicate. • Click the sequence name that you want to[...]

  • Page 228

8-76 (Chapter 8, Managing Users and Identity Stores: Configuring Identity Store Sequences) Step 3 Click Submit. The Identity Store Sequences page reappears. Related Topics • Performing Bulk Operations for Network Resources and Users, page 7-8 • Viewing Identity Policies, page[...]

  • Page 229

8-77 (Chapter 8, Managing Users and Identity Stores: Configuring Identity Store Sequences) • Managing Internal Identity Stores, page 8-4 • Managing External Identity Stores, page 8-22 • Configuring Certificate Authentication Profiles, page 8-72 • Creating, Duplicating, an[...]

  • Page 230

8-78 (Chapter 8, Managing Users and Identity Stores: Configuring Identity Store Sequences)[...]

  • Page 231

9-1 CHAPTER 9 Managing Policy Elements. A policy defines the authentication and authorization processing of clients that attempt to access the ACS network. A client can be a user, a network device, or a user associated with a network device. Policies are sets of rules.[...]

  • Page 232

9-2 (Chapter 9, Managing Policy Elements: Managing Policy Conditions) You can map users and hosts to identity groups by using the group mapping policy. You can include identity groups in conditions to configure common policy conditions for all users in the group. For more info[...]

  • Page 233

9-3 (Chapter 9, Managing Policy Elements: Managing Policy Conditions) • Deleting a Session Condition, page 9-6 • Managing Network Conditions, page 9-6 See Chapter 3, “ACS 5.x Policy Model” for information about additional conditions that you can use in policy rules, alt[...]

  • Page 234

9-4 (Chapter 9, Managing Policy Elements: Managing Policy Conditions) To add date and time conditions to a policy, you must first customize the rule table. See Customizing a Policy, page 10-4. Step 4 Click Submit. The date and time condition is saved. The Date and Time Condit[...]

  • Page 235

9-5 (Chapter 9, Managing Policy Elements: Managing Policy Conditions) Creating, Duplicating, and Editing a Custom Session Condition. The protocol and identity dictionaries contain a large number of attributes. To use any of these attributes as a condition in a policy rule, you[...]

  • Page 236

9-6 (Chapter 9, Managing Policy Elements: Managing Policy Conditions) Step 4 Click Submit. The new custom session condition is saved. The Custom Condition page appears with the new custom session condition. Clients that are associated with this condition are subject to it for th[...]

  • Page 237

9-7 (Chapter 9, Managing Policy Elements: Managing Policy Conditions) ACS offers three types of filters: • End Station Filter—Filters end stations, such as a laptop or printer that initiates a connection based on the end station’s IP address, MAC address, CLID number, or[...]

  • Page 238

9-8 (Chapter 9, Managing Policy Elements: Managing Policy Conditions) This section contains the following topics: • Importing Network Conditions, page 9-8 • Exporting Network Conditions, page 9-9 • Creating, Duplicating, and Editing End Station Filters, page 9-9 • Creating,[...]

  • Page 239

9-9 (Chapter 9, Managing Policy Elements: Managing Policy Conditions) Timesaver Instead of downloading the template and creating an import file, you can use the export file of the particular filter, update the information in that file, save it, and reuse it as your import f[...]

  • Page 240

9-10 (Chapter 9, Managing Policy Elements: Managing Policy Conditions) Step 5 Click Submit to save the changes. Related Topics • Managing Network Conditions, page 9-6 • Importing Network Conditions, page 9-8 • Creating, Duplicating, and Editing Device Filters, page 9-12 • [...]

  • Page 241

9-11 (Chapter 9, Managing Policy Elements: Managing Policy Conditions) Defining MAC Address-Based End Station Filters. You can create, duplicate, and edit the MAC addresses of end stations or destinations that you want to permit or deny access to. To do this: Step 1 From the MAC [...]

  • Page 242

9-12 (Chapter 9, Managing Policy Elements: Managing Policy Conditions) Step 3 Check the DNIS check box to enter the DNIS number of the destination machine. You can optionally set this field to ANY to refer to any DNIS number. Note You can use ? and * wildcard characters to refer[...]

  • Page 243

9-13 (Chapter 9, Managing Policy Elements: Managing Policy Conditions) Step 5 Click Submit to save the changes. Related Topics • Managing Network Conditions, page 9-6 • Importing Network Conditions, page 9-8 • Creating, Duplicating, and Editing End Station Filters, page 9-[...]

  • Page 244

9-14 (Chapter 9, Managing Policy Elements: Managing Policy Conditions) • Check the check box next to the name-based device filter that you want to edit, then click Edit. A dialog box appears. Step 2 Click Select to choose the network device that you want to filter. Step 3 Cli[...]

  • Page 245

9-15 (Chapter 9, Managing Policy Elements: Managing Policy Conditions) • Check the check box next to the device port filter that you want to edit, then click Edit. • Click Export to save a list of device port filters in a .csv file. For more information, see Exporting Net[...]

  • Page 246

9-16 (Chapter 9, Managing Policy Elements: Managing Policy Conditions) Step 3 Check the Port check box and enter the port number. This field is of type string and can contain numbers or characters. You can use the following wildcard characters: • ?—match a single character ?[...]

  • Page 247

9-17 (Chapter 9, Managing Policy Elements: Managing Authorizations and Permissions) Defining NDG-Based Device Port Filters. You can create, duplicate, and edit the network device group type and the port to which you want to permit or deny access. To do this: Step 1 From the Networ[...]

  • Page 248

9-18 (Chapter 9, Managing Policy Elements: Managing Authorizations and Permissions) Creating, Duplicating, and Editing Authorization Profiles for Network Access. You create authorization profiles to define how different types of users are authorized to access the network. For ex[...]

  • Page 249

    9-19 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Specifying Authorization Profiles Use this tab to configure the name and description for a network access authorization profile. Step 1 Select Policy Elements > Authorization and Permissions &g[...]

  • Page 250

    9-20 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Table 9-5 Authorization Profile: Common Tasks Page Option Description ACLS Downloadable ACL Name Includes a defined downloadable ACL. See Creating, Duplicating, and Editing Downloadable ACLs, pa[...]

  • Page 251

    9-21 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Specifying RADIUS Attributes in Authorization Profiles Use this tab to configure which RADIUS attributes to include in the Access-Accept packet for an authorization profile. This tab also displays t[...]

  • Page 252

    9-22 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Step 3 To configure: • Basic information of an authorization profile; see Specifying Authorization Profiles, page 9-19. • Common tasks for an authorization profile; see Specifying Common At[...]

  • Page 253

    9-23 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Creating and Editing Security Groups Use this page to view names and details of security groups and security group tags (SGTs), and to open pages to create, duplicate, and edit security groups. When [...]

  • Page 254

    9-24 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions The Common Tasks tab allows you to select and configure the frequently used attributes for the profile. The attributes that are included here are those defined by the TACACS protocol draft s[...]

  • Page 255

    9-25 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Defining General Shell Profile Properties Use this page to define a shell profile’s general properties. Step 1 Select Policy Elements > Authorization and Permissions > Device Administrati[...]

  • Page 256

    9-26 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Table 9-9 Shell Profile: Common Tasks Option Description Privilege Level Default Privilege (Optional) Enables the initial privilege level assignment that you allow for a client, through shell a[...]

  • Page 257

    9-27 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Step 3 Click: • Submit to save your changes and return to the Shell Profiles page. • The General tab to configure the name and description for the authorization profile; see Defining General [...]

  • Page 258

    9-28 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Defining Custom Attributes Use this tab to define custom attributes for the shell profile. This tab also displays the Common Tasks Attributes that you have chosen in the Common Tasks tab. Step[...]

  • Page 259

    9-29 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions After you create command sets, you can use them in authorizations and permissions within rule tables. A rule can contain multiple command sets. See Creating, Duplicating, and Editing a Shell Profile [...]

  • Page 260

    9-30 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Step 4 Click Submit. The command set is saved. The Command Sets page appears with the command set that you created or duplicated. Table 9-11 Command Set Properties Page Field Description Name Nam[...]

  • Page 261

    9-31 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Related Topics • Creating, Duplicating, and Editing Authorization Profiles for Network Access, page 9-18 • Creating, Duplicating, and Editing a Shell Profile for Device Administration, page 9-2[...]

  • Page 262

    9-32 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions – Click Start Export to export the DACLs without any encryption. Step 3 Enter valid configuration data in the required fields as shown in Table 9-12, and define one or more ACLs by usin[...]

  • Page 263

    9-33 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Configuring Security Group Access Control Lists Security group access control lists (SGACLs) are applied at Egress, based on the source and destination SGTs. Use this page to view, create, duplicate[...]

  • Page 264

    9-34 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions[...]

  • Page 265

    CHAPTER 10-1 10 Managing Access Policies In ACS 5.3, policy drives all activities. Policies consist mainly of rules that determine the action of the policy. You create access services to define authentication and authorization policies for requests. A global service [...]

  • Page 266

    10-2 Chapter 10 Managing Access Policies Policy Creation Flow In short, you must determine the: • Details of your network configuration. • Access services that implement your policies. • Rules that define the conditions under which an access service can run. This section[...]

  • Page 267

    10-3 Chapter 10 Managing Access Policies Policy Creation Flow Policy Elements in the Policy Creation Flow The web interface provides these defaults for defining device groups and identity groups: • All Locations • All Device Types • All Groups The locations, device ty[...]

  • Page 268

    10-4 Chapter 10 Managing Access Policies Customizing a Policy Policy Creation Flow—Next Steps • Access Service Policy Creation, page 10-4 • Service Selection Policy Creation, page 10-4 Access Service Policy Creation After you create the basic elements, you can create an acce[...]

  • Page 269

    10-5 Chapter 10 Managing Access Policies Configuring the Service Selection Policy If you have implemented Security Group Access functionality, you can also customize results for authorization policies. Caution If you have already defined rules, be certain that a rule is not u[...]

  • Page 270

    10-6 Chapter 10 Managing Access Policies Configuring the Service Selection Policy Note If you create and save a simple policy, and then change to a rule-based policy, the simple policy becomes the default rule of the rule-based policy. If you have saved a rule-based policy a[...]

  • Page 271

    10-7 Chapter 10 Managing Access Policies Configuring the Service Selection Policy To configure a rule-based service selection policy, see these topics: • Creating, Duplicating, and Editing Service Selection Rules, page 10-8 • Deleting Service Selection Rules, page 10-10 A[...]

  • Page 272

    10-8 Chapter 10 Managing Access Policies Configuring the Service Selection Policy Creating, Duplicating, and Editing Service Selection Rules Create service selection rules to determine which access service processes incoming requests. The Default Rule provides a default access s[...]

  • Page 273

    10-9 Chapter 10 Managing Access Policies Configuring the Service Selection Policy • The Default Rule—You can change only the access service. See Table 10-3 for field descriptions: Step 4 Click OK. The Service Selection Policy page appears with the rule that you configured.[...]

  • Page 274

    10-10 Chapter 10 Managing Access Policies Configuring the Service Selection Policy Displaying Hit Counts Use this page to reset and refresh the Hit Count display on the Rule-based Policy page. To display this page, click Hit Count on the Rule-based Policy page. Deleting Servic[...]

  • Page 275

    10-11 Chapter 10 Managing Access Policies Configuring Access Services Configuring Access Services Access services contain the authentication and authorization policies for requests. You can create separate access services for different use cases; for example, device administrat[...]

  • Page 276

    10-12 Chapter 10 Managing Access Policies Configuring Access Services Step 3 Edit the fields in the Allowed Protocols tab as described in Table 10-7. Step 4 Click Submit to save the changes you have made to the default access service. Creating, Duplicating, and Editing Access [...]

  • Page 277

    10-13 Chapter 10 Managing Access Policies Configuring Access Services Step 2 Do one of the following: • Click Create. • Check the check box next to the access service that you want to duplicate; then click Duplicate. • Click the access service name that you want to mod[...]

  • Page 278

    10-14 Chapter 10 Managing Access Policies Configuring Access Services Step 3 Click Next to configure the allowed protocols. See Configuring Access Service Allowed Protocols, page 10-15. Description Description of the access service. Access Service Policy Structure Based on serv[...]

  • Page 279

    10-15 Chapter 10 Managing Access Policies Configuring Access Services Related Topic • Configuring Access Service Allowed Protocols, page 10-15 • Configuring Access Services Templates, page 10-19 Configuring Access Service Allowed Protocols The allowed protocols are the sec[...]

  • Page 280

    10-16 Chapter 10 Managing Access Policies Configuring Access Services Allow EAP-TLS Enables the EAP-TLS Authentication protocol and configures EAP-TLS settings. You can specify how ACS verifies user identity as presented in the EAP Identity response from the end-user client.[...]

  • Page 281

    10-17 Chapter 10 Managing Access Policies Configuring Access Services Allow EAP-FAST Enables the EAP-FAST authentication protocol and EAP-FAST settings. The EAP-FAST protocol can support multiple internal protocols on the same server. The default inner method is MSCHAPv2.[...]

  • Page 282

    10-18 Chapter 10 Managing Access Policies Configuring Access Services Allow EAP-FAST (continued) PAC Options • Tunnel PAC Time To Live—The Time To Live (TTL) value restricts the lifetime of the PAC. Specify the lifetime value and units. The default is one [...]

  • Page 283

    10-19 Chapter 10 Managing Access Policies Configuring Access Services Step 3 Click Finish to save your changes to the access service. To enable an access service, you must add it to the service selection policy. Configuring Access Services Templates Use a service template to de[...]

  • Page 284

    10-20 Chapter 10 Managing Access Policies Configuring Access Services Deleting an Access Service To delete an access service: Step 1 Select Access Policies > Access Services. The Access Services page appears with a list of configured services. Step 2 Check one or more check b[...]

  • Page 285

    10-21 Chapter 10 Managing Access Policies Configuring Access Service Policies Configuring Access Service Policies You configure access service policies after you create the access service: • Viewing Identity Policies, page 10-21 • Configuring Identity Policy Rule Propert[...]

  • Page 286

    10-22 Chapter 10 Managing Access Policies Configuring Access Service Policies In the rule-based policy, each rule contains one or more conditions and a result, which is the identity source to use for authentication. You can create, duplicate, edit, and delete rules within the i[...]

  • Page 287

    10-23 Chapter 10 Managing Access Policies Configuring Access Service Policies Viewing Rules-Based Identity Policies Select Access Policies > Access Services > service > Identity, where <service> is the name of the access service. By default, the Simple Identity P[...]

  • Page 288

    10-24 Chapter 10 Managing Access Policies Configuring Access Service Policies • Creating Policy Rules, page 10-37 • Duplicating a Rule, page 10-38 • Editing Policy Rules, page 10-38 • Deleting Policy Rules, page 10-39 For information about configuring an identity po[...]

  • Page 289

    10-25 Chapter 10 Managing Access Policies Configuring Access Service Policies Table 10-11 Identity Rule Properties Page Option Description General Rule Name Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other f[...]

  • Page 290

    10-26 Chapter 10 Managing Access Policies Configuring Access Service Policies Configuring a Group Mapping Policy Configure a group mapping policy to map groups and attributes that are retrieved from external identity stores to ACS identity groups. When ACS processes a reque[...]

  • Page 291

    10-27 Chapter 10 Managing Access Policies Configuring Access Service Policies Step 2 Select an identity group. Step 3 Click Save Changes to save the policy. To configure a rule-based policy, see these topics: • Creating Policy Rules, page 10-37 • Duplicating a Rule, [...]

  • Page 292

    10-28 Chapter 10 Managing Access Policies Configuring Access Service Policies • Deleting Policy Rules, page 10-39 Related Topics • Viewing Identity Policies, page 10-21 • Configuring a Session Authorization Policy for Network Access, page 10-29 • Configuring a Sess[...]

  • Page 293

    10-29 Chapter 10 Managing Access Policies Configuring Access Service Policies Configuring a Session Authorization Policy for Network Access When you create an access service for network access authorization, it creates a Session Authorization policy. You can then add and modify[...]

  • Page 294

    10-30 Chapter 10 Managing Access Policies Configuring Access Service Policies Table 10-15 Network Access Authorization Policy Page Option Description Status Rule statuses are: • Enabled—The rule is active. • Disabled—ACS does not apply the results of the rule. • M[...]

  • Page 295

    10-31 Chapter 10 Managing Access Policies Configuring Access Service Policies Configuring Network Access Authorization Rule Properties Use this page to create, duplicate, and edit the rules to determine access permissions in a network access service. Step 1 Select Access Policie[...]

  • Page 296

    10-32 Chapter 10 Managing Access Policies Configuring Access Service Policies Configuring Device Administration Authorization Policies A device administration authorization policy determines the authorizations and permissions for network administrators. You create an authorizat[...]

  • Page 297

    10-33 Chapter 10 Managing Access Policies Configuring Access Service Policies Configuring Device Administration Authorization Rule Properties Use this page to create, duplicate, and edit the rules to determine authorizations and permissions in a device administration access s[...]

  • Page 298

    10-34 Chapter 10 Managing Access Policies Configuring Access Service Policies Configuring Shell/Command Authorization Policies for Device Administration When you create an access service and select a service policy structure for Device Administration, ACS automatically creates [...]

  • Page 299

    10-35 Chapter 10 Managing Access Policies Configuring Access Service Policies To configure rules, see: • Creating Policy Rules, page 10-37 • Duplicating a Rule, page 10-38 • Editing Policy Rules, page 10-38 • Deleting Policy Rules, page 10-39 Configuring Authorizatio[...]

  • Page 300

    10-36 Chapter 10 Managing Access Policies Configuring Access Service Policies To configure rules, see: • Creating Policy Rules, page 10-37 • Duplicating a Rule, page 10-38 • Editing Policy Rules, page 10-38 • Deleting Policy Rules, page 10-39 Related Topics • Confi[...]

  • Page 301

    10-37 Chapter 10 Managing Access Policies Configuring Access Service Policies Creating Policy Rules When you create rules, remember that the order of the rules is important. When ACS encounters a match as it processes the request of a client that tries to access the ACS network, [...]

  • Page 302

    10-38 Chapter 10 Managing Access Policies Configuring Access Service Policies Duplicating a Rule You can duplicate a rule if you want to create a new rule that is the same, or very similar to, an existing rule. The duplicate rule name is based on the original rule with parenth[...]

  • Page 303

    10-39 Chapter 10 Managing Access Policies Configuring Access Service Policies Step 4 Click OK. The Policy page appears with the edited rule. Step 5 Click Save Changes to save the new configuration. Step 6 Click Discard Changes to cancel the edited information. Related Topics[...]

  • Page 304

    10-40 Chapter 10 Managing Access Policies Configuring Compound Conditions Configuring Compound Conditions Use compound conditions to define a set of conditions based on any attributes allowed in simple policy conditions. You define compound conditions in a policy rule page;[...]

  • Page 305

    10-41 Chapter 10 Managing Access Policies Configuring Compound Conditions Note Dynamic attribute mapping is not applicable for ExternalGroups attribute of Type "String Enum" and "Time And Date" attribute of type "Date Time Period". For hierarchic[...]

  • Page 306

    10-42 Chapter 10 Managing Access Policies Configuring Compound Conditions Figure 10-2 Compound Expression - Atomic Condition Single Nested Compound Condition Consists of a single operator followed by a set of predicates (>=2). The operator is applied between each of the pre[...]

  • Page 307

    10-43 Chapter 10 Managing Access Policies Configuring Compound Conditions Figure 10-4 Multiple Nested Compound Expression Compound Expression with Dynamic value You can select dynamic value to select another dictionary attribute to compare against the dictionary attribute [...]

  • Page 308

    10-44 Chapter 10 Managing Access Policies Configuring Compound Conditions Related Topics • Compound Condition Building Blocks, page 10-40 • Using the Compound Expression Builder, page 10-44 Using the Compound Expression Builder You construct compound conditions by using th[...]

  • Page 309

    10-45 Chapter 10 Managing Access Policies Security Group Access Control Pages Related Topics • Compound Condition Building Blocks, page 10-40 • Types of Compound Conditions, page 10-41 Security Group Access Control Pages This section contains the following topics: • Egress [...]

  • Page 310

    10-46 Chapter 10 Managing Access Policies Security Group Access Control Pages Related Topic • Creating an Egress Policy, page 4-27 Editing a Cell in the Egress Policy Matrix Use this page to configure the policy for the selected cell. You can configure the SGACLs to apply t[...]

  • Page 311

    10-47 Chapter 10 Managing Access Policies Security Group Access Control Pages NDAC Policy Page The Network Device Admission Control (NDAC) policy determines the SGT for network devices in a Security Group Access environment. The NDAC policy handles: • Peer authorization re[...]

  • Page 312

    10-48 Chapter 10 Managing Access Policies Security Group Access Control Pages Related Topics: • Configuring an NDAC Policy, page 4-25 • NDAC Policy Properties Page, page 10-48 NDAC Policy Properties Page Use this page to create, duplicate, and edit rules to determine the[...]

  • Page 313

    10-49 Chapter 10 Managing Access Policies Security Group Access Control Pages Note For endpoint admission control, you must define an access service and session authorization policy. See Configuring Network Access Authorization Rule Properties, page 10-31 for information about[...]

  • Page 314

    10-50 Chapter 10 Managing Access Policies Maximum User Sessions Network Device Access EAP-FAST Settings Page Use this page to configure parameters for the EAP-FAST protocol that the NDAC policy uses. To display this page, choose Access Policies > Security Group Access Con[...]

  • Page 315

    10-51 Chapter 10 Managing Access Policies Maximum User Sessions Max Session User Settings You can configure maximum user sessions to impose a maximum session value for each user. To configure maximum user sessions: Step 1 Choose Access Policies > Max User Session Policy > [...]

  • Page 316

    10-52 Chapter 10 Managing Access Policies Maximum User Sessions Unlimited is selected by default. Group level session is applied based on the hierarchy. For example: The group hierarchy is America:US:West:CA and the maximum sessions are as follows: • America: 100 max sessi[...]

  • Page 317

    10-53 Chapter 10 Managing Access Policies Maximum User Sessions Related topics • Maximum User Sessions, page 10-50 • Max Session User Settings, page 10-51 • Max Session Group Settings, page 10-51 • Purging User Sessions, page 10-53 • Maximum User Session in Distribute[...]

  • Page 318

    10-54 Chapter 10 Managing Access Policies Maximum User Sessions The Purge User Session page appears with a list of all AAA clients. Step 2 Select the AAA client for which you want to purge the user sessions. Step 3 Click Get Logged-in User List. A list of all the logged in users i[...]

  • Page 319

    10-55 Chapter 10 Managing Access Policies Maximum User Sessions Maximum User Session in Proxy Scenario Authentication and accounting requests should be sent to the same ACS server, else the Maximum Session feature will not work as desired. Related topics • Maximum User Sessions[...]

  • Page 320

    10-56 Chapter 10 Managing Access Policies Maximum User Sessions[...]

  • Page 321

    CHAPTER 11-1 11 Monitoring and Reporting in ACS The Monitoring and Reports drawer appears in the primary web interface window and contains the Launch Monitoring & Report Viewer option. The Monitoring & Report Viewer provides monitoring, reporting, and troubl[...]

  • Page 322

    11-2 Chapter 11 Monitoring and Reporting in ACS Authentication Records and Details • Support for non-English characters (UTF-8)—You can have non-English characters in: – Syslog messages—Configurable attribute value, user name, and ACS named configuration objects – G[...]

  • Page 323

    11-3 Chapter 11 Monitoring and Reporting in ACS Dashboard Pages Note These tabs are customizable, and you can modify or delete the following tabs. • General—The General tab lists the following: – Five most recent alarms—When you click the name of the alarm, a dialog bo[...]

  • Page 324

    11-4 Chapter 11 Monitoring and Reporting in ACS Working with Portlets – Authentication Snapshot—Provides a snapshot of authentications in the graphical and tabular formats for up to the past 30 days. In the graphical representation, the field based on which the records are[...]

  • Page 325

    11-5 Chapter 11 Monitoring and Reporting in ACS Working with Portlets Figure 11-1 Portlets Top 5 Alarms and My Favorite Reports appear in separate windows. You can edit each of these portlets separately. To edit a portlet, click the edit button ( ) at the upper-right [...]

  • Page 326

    11-6 Chapter 11 Monitoring and Reporting in ACS Configuring Tabs in the Dashboard Related Topic • Dashboard Pages, page 11-2 • Running Authentication Lookup Report, page 11-6 Running Authentication Lookup Report When you run an Authentication Lookup report, consider the [...]

  • Page 327

    11-7 Chapter 11 Monitoring and Reporting in ACS Configuring Tabs in the Dashboard Step 5 Click Add Page. A new tab of your choice is created. You can add the applications that you most frequently monitor in this tab. Adding Applications to Tabs To add an application to a tab:[...]

  • Page 328

    11-8 Chapter 11 Monitoring and Reporting in ACS Configuring Tabs in the Dashboard Changing the Dashboard Layout You can change the look and feel of the Dashboard. ACS provides you with nine different in-built layouts. To choose a different layout: Step 1 From the Monitorin[...]

  • Page 329

    CHAPTER 12-1 12 Managing Alarms The Monitoring feature in ACS generates alarms to notify you of critical system conditions. The monitoring component retrieves data from ACS. You can configure thresholds and rules on this data to manage alarms. Alarm notifications are disp[...]

  • Page 330

    12-2 Chapter 12 Managing Alarms Understanding Alarms System Alarms System alarms notify you of critical conditions encountered during the execution of the ACS Monitoring and Reporting viewer. System alarms also provide informational status of system activities, such as data[...]

  • Page 331

    12-3 Chapter 12 Managing Alarms Viewing and Editing Alarms in Your Inbox Notifying Users of Events When a threshold is reached or a system alarm is generated, the alarm appears in the Alarms Inbox of the web interface. From this page, you can view the alarm details, add a comme[...]

  • Page 332

    12-4 Chapter 12 Managing Alarms Viewing and Editing Alarms in Your Inbox Time Display only. Indicates the time of the associated alarm generation in the format Ddd Mmm dd hh:mm:ss timezone yyyy, where: • Ddd = Sun, Mon, Tue, Wed, Thu, Fri, Sat. • Mmm = Jan, Feb, Mar, A[...]

  • Page 333

    12-5 Chapter 12 Managing Alarms Viewing and Editing Alarms in Your Inbox Configure Incremental Backup Data Repository as Remote Repository, otherwise backup will fail and Incremental backup mode will be changed to off. Warning Configure Remote Repository under Purge Conf[...]

  • Page 334

    12-6 Chapter 12 Managing Alarms Viewing and Editing Alarms in Your Inbox Full Database Purge Backup failed: Exception Details Critical Incremental Backup Failed: Exception Details Critical Log Recovery Log Message Recovery failed: Exception Details Critical View Compress Da[...]

  • Page 335

    12-7 Chapter 12 Managing Alarms Viewing and Editing Alarms in Your Inbox Failed to load backup library. Scheduled backup of ACS configuration db failed. Please check ADE.log for more details. Critical Symbol lookup error. Scheduled backup of ACS configuration db failed. Ple[...]

  • Page 336

    12-8 Chapter 12 Managing Alarms Viewing and Editing Alarms in Your Inbox Note ACS cannot be used as a remote syslog server. But, you can use an external server as a syslog server. If you use an external server as a syslog server, no alarms can be generated in the ACS view as[...]

  • Page 337

12-9 • Deleting Alarm Thresholds, page 12-33 Understanding Alarm Schedules You can create alarm schedules to specify when a particular alarm threshold is run. You can create, edit, and delete alarm schedules. You can [...]

12-10 Step 3 Click Submit to save the alarm schedule. The schedule that you create is added to the Schedule list box in the Threshold pages. Assigning Alarm Schedules to Thresholds When you create an alarm threshold, you mu[...]

12-11 Deleting Alarm Schedules Note Before you delete an alarm schedule, ensure that it is not referenced by any thresholds that are defined in ACS. You cannot delete the default schedule (nonstop[...]

12-12 Step 2 Do one of the following: • Click Create. • Check the check box next to the alarm that you want to duplicate, then click Duplicate. • Click the alarm name that you want to modi[...]

12-13 Related Topics • Configuring General Threshold Information, page 12-13 • Configuring Threshold Criteria, page 12-14 • Configuring Threshold Notifications, page 12-32 Configuring General[...]

12-14 Configuring Threshold Criteria ACS 5.3 provides the following threshold categories to define different threshold criteria: • Passed Authentications, page 12-14 • Failed Authentications,[...]

12-15 Note You can specify one or more filters to limit the passed authentications that are considered for threshold evaluation. Each filter is associated with a particular attribute in the authen[...]

12-16 Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...]

12-17 An alarm is triggered because at least one Device IP has greater than 10 failed authentications in the past 2 hours. Note You can specify one or more filters to limit the failed authentication[...]

12-18 Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...]

12-19 The aggregation job begins at 00:05 hours every day. From 23:50 hours, up until the time the aggregation job completes, the authentication inactivity alarms are suppressed. For example, if yo[...]

12-20 Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...]

12-21 Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...]

12-22 Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...]

12-23 Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...]

12-24 Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...]

12-25 Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...]

12-26 Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...]

12-27 Unknown NAD When ACS evaluates this threshold, it examines the RADIUS or TACACS+ failed authentications that have occurred during the specified time interval up to the previous 24 hours.[...]

12-28 Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...]

12-29 You can specify one or more filters to limit the failed authentications that are considered for threshold evaluation. Each filter is associated with a particular attribute in the records a[...]

12-30 If, in the past four hours, RBACL drops have occurred for two different source group tags as shown in the following table, an alarm is triggered, because at least one SGT has a count gr[...]

12-31 NAD-Reported AAA Downtime When ACS evaluates this threshold, it examines the NAD-reported AAA down events that occurred during the specified interval up to the previous 24 hours. The AAA [...]

12-32 Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...]

12-33 Related Topics • Viewing and Editing Alarms in Your Inbox, page 12-3 • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Deleting Alarm Thresholds, page 12-33 Deleting Alarm Thresholds To delete[...]

12-34 Configuring System Alarm Settings System alarms are used to notify users of: • Errors that are encountered by the Monitoring and Reporting services • Information on data purging Use this page to enable sys[...]

12-35 Understanding Alarm Syslog Targets Alarm syslog targets are the destinations where alarm syslog messages are sent. The Monitoring & Report Viewer sends alarm notifications in the form of syslog messages. [...]

12-36 Step 4 Click Submit. Related Topics • Understanding Alarm Syslog Targets, page 12-35 • Deleting Alarm Syslog Targets, page 12-36 Deleting Alarm Syslog Targets Note You cannot delete the default nonstop[...]

13-1 CHAPTER 13 Managing Reports The Monitoring & Report Viewer component of ACS collects log and configuration data from various ACS servers in your deployment, aggregates it, and provides interactive reports that help you analyze the data. The Monitoring & Repo[...]

13-2 • Catalog—Monitoring & Reports > Reports > Catalog > <report_type> For easy access, you can add reports to your Favorites page, from which you can customize and delete reports. You can customize the reports that mus[...]

13-3 This chapter describes in detail the following: • Working with Favorite Reports, page 13-3 • Sharing Reports, page 13-6 • Working with Catalog Reports, page 13-7 • Viewing Reports, page 13-21 • Format[...]

13-4 Step 5 Click Add to Favorite. The report is added to your Favorites page. Related Topics • Working with Favorite Reports, page 13-3 • Viewing Favorite-Report Parameters, page 13-4 • Editing Favori[...]

13-5 Editing Favorite Reports After you view the existing parameters in your favorite report, you can edit them. To edit the parameters in your favorite reports: Step 1 Choose Monitoring and Reports > Reports > [...]

13-6 The report is generated in the page. Step 3 Click Launch Interactive Viewer for more options. Related Topics • Adding Reports to Your Favorites Page, page 13-3 • Viewing Favorite-Report Parameters, page 13-4 • Runnin[...]

13-7 Step 7 Click Save. The report is saved in your Shared folder and is available for all users. Working with Catalog Reports Catalog reports are system reports that are preconfigured in ACS. This section contain[...]

13-8 Access Service Authentication Summary Provides RADIUS and TACACS+ authentication summary information for a particular access service for a selected time period, along with a graphical representation. Passed authe[...]

13-9 ACS System Diagnostics Provides system diagnostic details based on severity for a selected time period. Internal Operations Diagnostics, distributed management, administrator authentication and authorization To[...]

13-10 Session Status Summary Provides the port sessions and status of a particular network device obtained by SNMP. This report uses either the community string provided in the report or the community string configured i[...]

13-11 Running Catalog Reports To run a report that is in the Catalog: Step 1 Select Monitoring & Reports > Reports > Catalog > report_type, where report_type is the type of report you want to run. The av[...]

13-12 Type Type of report. Modified At Time that the associated report was last modified by an administrator, in the format Ddd Mmm dd hh:mm:ss timezone yyyy, where: • Ddd = Sun, Mon, Tue, Wed, Thu, Fri,[...]

13-13 Step 2 Click the radio button next to the report name you want to run, then select one of the options under Run: • Run for Today—The report you specified is run and the generated results are displayed. [...]

13-14 Table 13-4 Reports > Report Types and Names (<report_type>: <report_name>) AAA Protocol: AAA Diagnostics, Authentication Trend, RADIUS Accounting, RADIUS Authentication, TACACS Accounting, TACACS Authent[...]

13-15 Related Topics • Working with Catalog Reports, page 13-7 • Understanding the Report_Name Page, page 13-15 Understanding the Report_Name Page Note Not all options listed in Table 13-5 are used in selecting[...]

13-16 Failure Reason Enter a failure reason name or click Select to enter a valid failure reason name on which to run your report. Protocol Use the drop-down list box to select the protocol on which you want to run yo[...]

13-17 Related Topics • Working with Catalog Reports, page 13-7 • Working with Favorite Reports, page 13-3 • Available Reports in the Catalog, page 13-7 • Running Catalog Reports, page 13-11 Administrator Na[...]

13-18 Enabling RADIUS CoA Options on a Device To view all the RADIUS Active Session reports you have to enable RADIUS CoA options on the device. To configure the RADIUS CoA options: Step 1 Configure MAB, 802.1X an[...]

13-19 Figure 13-2 RADIUS Active Session Report Step 2 Click the CoA link from the RADIUS session that you want to reauthenticate or terminate. The Change of Authorization Request page appears. Step 3 Select a CoA optio[...]

13-20 • Shared secret mismatch Step 5 See Troubleshooting RADIUS Authentications, page 14-6 to troubleshoot a failed change of authorization attempt. A failed dynamic CoA will be listed under failed RADIUS authent[...]

13-21 Step 3 Click Yes to confirm that you want to reset the System Report files to the factory default. The page is refreshed, and the reports in Catalog > report_type are reset to the factory default. Viewing Reports This section [...]

13-22 Figure 13-4 Context Menu for Column Data in Interactive Viewer Figure 13-5 shows the context menu you use to modify labels in Interactive Viewer. To display this menu, select and right-click a label. Use this menu t[...]

13-23 Navigating Reports When you open a report in the viewer, you see the first page of data. To view or work with data, you use tools that help you navigate the report. In the viewer, you can page through a report by using the[...]

13-24 Figure 13-10 Table of Contents Expanded Entry To navigate to a specific page, click the related link. Exporting Report Data The viewer supports the ability to export report data to an Excel spreadsheet as a comma-separ[...]

13-25 In Excel, you can resize columns and format the data as you would do for any other spreadsheet. Step 1 In the viewer, select Export Data. The Export Data dialog box appears, as shown in Figure 13-12. Figure 13-12 The Export Dat[...]

13-26 Printing Reports You can print a report that appears in the viewer in HTML or PDF format. Because you can modify the report in Interactive Viewer, Interactive Viewer supports printing either the original report or the repor[...]

13-27 Step 2 Navigate to the location where you want to save the file. Step 3 Type a file name and click Save. Step 4 Click OK on the confirmation message that appears. Formatting Reports in Interactive View[...]

13-28 Step 2 Select Change Text. The Edit Text dialog box appears. Step 3 Modify the text as desired and click Apply. Formatting Labels To modify the formatting of a label: Step 1 Click on the label and th[...]

13-29 Changing Column Data Alignment To change the alignment of data in a column, right-click the column and select Alignment from the context menu. Then, choose one of the alignment options: Left, Center, or[...]

13-30 Formatting Data Types In an information object, as in the relational databases on which information objects are based, all the data in a column is of the same data type, excluding the column header. The[...]

13-31 Formatting Numeric Data Numeric data can take several forms. A column of postal codes requires different formatting from a column of sales figures. Figure 13-16 shows the numeric formats you can use. Figu[...]

13-32 Step 7 In Negative Numbers, select an option for displaying negative numbers, by using either a minus sign before the number or parentheses around the number. Step 8 Click Apply. Formatting Fixed o[...]

13-33 Step 3 In the Format Code field, type a format pattern similar to those shown in Table 13-7. Step 4 Click Apply. Formatting String Data Step 1 To define the format for a column that contains string data,[...]

13-34 Step 1 Select a string data column, then click Format. The String column format window appears. Step 2 In the Format String as field, select Custom. A second field, Format Code, appears. Step 3 In the F[...]

13-35 Table 13-6 shows the standard date-and-time data type formats. Step 1 Select a column that contains date or time data, then click Format. The Date and Time Format window appears. Step 2 In Format Da[...]

13-36 Formatting Boolean Data A Boolean expression evaluates to True or False. For example, you create a calculated column with the following expression: ActualShipDate <= TargetShipDate If the actual sh[...]

13-37 Figure 13-18 Conditional Formatting in Interactive Viewer You can affect the formatting of one column based on the value in another column. For example, if you select the CustomerName column, you ca[...]

13-38 b. In the next field, use the drop-down list to select the operator to apply to the column you selected. You can select Equal to, Less than, Less than or Equal to, and so on. Depending on your selection[...]

13-39 Step 4 On Conditional Formatting, choose Format, and set the formatting for the conditional text. You can set the font, font size, font color, and background color. You also can specify displayi[...]

13-40 Figure 13-23 Removing a Conditional Format in Interactive Viewer Step 4 Click Apply. Setting and Removing Page Breaks in Detail Columns In Interactive Viewer, you can force page breaks after a pre[...]

13-41 Figure 13-24 Setting a Page Break Step 3 Specify whether to set a page break before every group, or for every group except the first or last groups. To delete an existing page break, select None in Before group or Af[...]

13-42 Reordering Columns in Interactive Viewer To reorder columns: Step 1 Select and right-click a column. Step 2 From the context menu, select Column > Reorder Columns. The Arrange Columns window appears. Step 3 Select the c[...]

13-43 Figure 13-26 Move to Group Header Dialog Box Step 3 From the Move to Group field, select a value. Step 4 In the Header row field, select the row number in which to move the value you selected in Step 3. Step 5 Click A[...]

13-44 Hiding or Displaying Report Items To hide or display report items: Step 1 Select and right-click a column. Step 2 Select Hide or Show Items. The Hide or Show Items dialog box appears, similar to Figure 13-28. Figure 13-28[...]

13-45 Displaying Hidden Columns To display hidden columns: Step 1 Select and right-click a column. Step 2 Select Column > Show Columns. The Show Columns dialog box appears. Step 3 Select any items you want to display. Use C[...]

13-46 Figure 13-30 Merged Column To merge data in multiple columns: Step 1 Select and right-click the columns. Step 2 Select Column > Merge Columns. Selecting a Column from a Merged Column You can aggregate, filter, and g[...]

13-47 Sorting Data When you place data in a report design, the data source determines the default sort order for the data rows. If the data source sorts a column in ascending order, the column is sorted in ascending order in the [...]

13-48 Figure 13-31 Sorting Multiple Columns If the report uses grouped data, the drop-down lists in Advanced Sort show only the detail columns in the report, not the columns you used to group the data. Grouping Data A repor[...]

13-49 Figure 13-32 Ungrouped Data To organize all this information into a useful inventory report, you create data groups and data sections. Data groups contain related data rows. For example, you can create a report that [...]

13-50 Adding Groups To add groups: Step 1 Select and right-click the column you want to use to create a group. Step 2 From the context menu, select Group > Add Group. The new group appears in the viewer. As shown in Fig[...]

13-51 Step 4 To set a grouping interval, select Group every, enter a value, and select the grouping interval. For example, to create a new group for every month, type 1 and select Month from the drop-down list. The report[...]

13-52 Figure 13-37 Calculated Column To create a calculation, you • Provide a title for the calculated column. • Write an expression that indicates which data to use and how to display the calculated data in the report. Th[...]

13-53 Understanding Supported Calculation Functions Table 13-11 provides examples of the functions you can use to create calculations. Note The Calculation dialog box does not support the use of uppercase TRUE and FALSE functi[...]

13-54 COUNT( ) Counts the rows in a table. COUNT( ) COUNT(groupLevel) Counts the rows at the specified group level. COUNT(2) COUNTDISTINCT(expr) Counts the rows that contain distinct values in a table. COUNTDISTINCT([Custome[...]

13-55 FIRST(expr, groupLevel) Displays the first value that appears in the specified column at the specified group level. FIRST([customerID], 3) IF(condition, doIfTrue, doIfFalse) Displays the result of an If...Then...Else st[...]

13-56 ISTOPNPERCENT(expr, percent, groupLevel) Displays True if the value is within the highest n percentage values for the expression at the specified group level, and False otherwise. ISTOPNPERCENT([SalesTotals], 5, 3)[...]

13-57 MONTH(date, option) Displays the month of a specified date-and-time value, in one of three optional formats: • 1 - Displays the month number of 1 through 12. • 2 - Displays the complete month name in the user's loc[...]

13-58 RANK(expr) Displays the rank of a number, string, or date-and-time value, starting at 1. Duplicate values receive identical rank but the duplication does not affect the ranking of subsequent values. RANK([AverageStar[...]

    13-59 Chapter 13 Managing Reports, Organizing Report Data: TRIM(str) Displays a string with all leading and trailing blank characters removed. Also removes all consecutive blank characters. Leading and trailing blanks can be spaces, tabs, and so on. TRIM([customerNa[...]

  • Page 424

    13-60 Chapter 13 Managing Reports, Organizing Report Data: Understanding Supported Operators. Table 13-12 describes the mathematical and logical operators you can use in writing expressions that create calculated columns. Using Numbers and Dates in an Expression. When you create a[...]

  • Page 425

    13-61 Chapter 13 Managing Reports, Organizing Report Data: Using Multiply Values in Calculated Columns. To use multiply values in calculated columns: Step 1 Select a column. In the report, the new calculated column appears to the right of the column you select. Step 2 Select Add Ca[...]

  • Page 426

    13-62 Chapter 13 Managing Reports, Organizing Report Data: Step 7 For the second argument, type the number of days to add. In this case, type 7. Step 8 Validate the expression, then click Apply. The new calculated column appears in the report. For every value in the Order Da[...]

  • Page 427

    13-63 Chapter 13 Managing Reports, Organizing Report Data: Figure 13-39 Aggregate Row for a Group. Table 13-13 shows the aggregate functions that you can use. Table 13-13 Aggregate Functions: Aggregate functions, Description. Average Calculates the average value of a set of da[...]

  • Page 428

    13-64 Chapter 13 Managing Reports, Organizing Report Data: Creating an Aggregate Data Row. To create an aggregate data row: Step 1 Select a column, then select Aggregation. The Aggregation dialog box appears. The name of the column you selected is listed in the Selected Column f[...]

  • Page 429

    13-65 Chapter 13 Managing Reports, Organizing Report Data: Adding Additional Aggregate Rows. After you create a single aggregate row for a column, you can add up to two more aggregate rows for the same column. For an item total column, for example, you can create a sum of all the [...]

  • Page 430

    13-66 Chapter 13 Managing Reports, Hiding and Filtering Report Data: Deleting Aggregate Rows. To delete an aggregate row: Step 1 Select the calculated column that contains the aggregation you want to remove, then select Aggregation. The Aggregation dialog box appears, disp[...]

  • Page 431

    13-67 Chapter 13 Managing Reports, Hiding and Filtering Report Data: Figure 13-43 Suppressed Values. You can suppress duplicate values to make your report easier to read. You can suppress only consecutive occurrences of duplicate values. In the Location column in Figure 13-[...]

  • Page 432

    13-68 Chapter 13 Managing Reports, Hiding and Filtering Report Data: Figure 13-44 Group Detail Rows Displayed. Figure 13-45 shows the results of hiding the detail rows for the creditrank grouping. Figure 13-45 Group Detail Rows Hidden. • To collapse a group or section, selec[...]

  • Page 433

    13-69 Chapter 13 Managing Reports, Hiding and Filtering Report Data: Types of Filter Conditions. Table 13-15 describes the types of filter conditions and provides examples of how filter conditions are translated into instructions to the data source. Bottom N Returns the lowest[...]

  • Page 434

    13-70 Chapter 13 Managing Reports, Hiding and Filtering Report Data: Setting Filter Values. After you choose a condition, you set a filter value. Step 1 To view all the values for the selected column, select Select Values. Additional fields appear in the Filter dialog box as s[...]

  • Page 435

    13-71 Chapter 13 Managing Reports, Hiding and Filtering Report Data: Figure 13-46 Selecting a Filter Value in Interactive Viewer. Step 2 To search for a value, type the value in the Find Value field, then click Find. All values that match your filter text are returned. For e[...]

  • Page 436

    13-72 Chapter 13 Managing Reports, Hiding and Filtering Report Data: Step 3 From the Condition pulldown menu, select a condition. Table 13-14 describes the conditions you can select. • If you select Between or Not Between, Value From and Value To, additional fields a[...]

  • Page 437

    13-73 Chapter 13 Managing Reports, Hiding and Filtering Report Data: Figure 13-47 The Advanced Filter Dialog Box in Interactive Viewer. Advanced Filter provides a great deal of flexibility in setting the filter value. For conditions that test equality and for the Between co[...]

  • Page 438

    13-74 Chapter 13 Managing Reports, Hiding and Filtering Report Data: Step 7 Validate the filter syntax by clicking Validate. You have now created a filter with one condition. The next step is to add conditions. Step 8 Follow steps Step 3 to Step 7 to create each additi[...]

  • Page 439

    13-75 Chapter 13 Managing Reports, Understanding Charts: Step 2 From the Filter pulldown menu, select a particular number of rows or a percentage of rows, as shown in Figure 13-48. Step 3 Enter a value in the field next to the Filter pulldown menu to specify the number or pe[...]

  • Page 440

    13-76 Chapter 13 Managing Reports, Understanding Charts: Figure 13-49 Parts of a Basic Bar Chart. There are a variety of chart types. Some types of data are best depicted with a specific type of chart. Charts can be used as reports in themselves and they can be used together wi[...]

  • Page 441

    13-77 Chapter 13 Managing Reports, Understanding Charts: Changing Chart Subtype. Charts have subtypes, which you can change as needed: • Bar chart—Side-by-Side, Stacked, Percent Stacked • Line chart—Overlay, Stacked, Percent Stacked • Area chart—Overlay, Stacked, Percen[...]

  • Page 442

    13-78 Chapter 13 Managing Reports, Understanding Charts: Figure 13-50 Chart Formatting Options. You use this page to: • Edit and format the default chart title. • Edit and format the default title for the category, or x-, axis. • Modify settings for the labels on the x-[...]

  • Page 443

    14-1 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer: This chapter describes the diagnostic and troubleshooting tools that the Monitoring & Report Viewer provides for the Cisco Secure Access Control System. This chapter contains the following sec[...]

  • Page 444

    14-2 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer, Available Diagnostic and Troubleshooting Tools: Support bundles typically contain the ACS database, log files, core files, and Monitoring & Report Viewer support files. You can exclude certai[...]

  • Page 445

    14-3 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer, Performing Connectivity Tests: Performing Connectivity Tests. You can test your connectivity to a network device with the device’s hostname or IP address. For example, you can verify your connectio[...]

  • Page 446

    14-4 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer, Downloading ACS Support Bundles for Diagnostic Information: Related Topics • Available Diagnostic and Troubleshooting Tools, page 14-1 • Connectivity Tests, page 14-1 • ACS Support Bundle, [...]

  • Page 447

    14-5 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer, Working with Expert Troubleshooter: • Include core files—Check this check box to include core files, then click All or click Include files from the last and enter a value from 1 to 365 in the day(s[...]

  • Page 448

    14-6 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer, Working with Expert Troubleshooter: • Comparing IP-SGT Pairs on a Device with ACS-Assigned SGT Records, page 14-14 • Comparing Device SGT with ACS-Assigned Device SGT, page 14-15 Related Topics •[...]

  • Page 449

    14-7 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer, Working with Expert Troubleshooter: Step 4 Click Search to display the RADIUS authentications that match your search criteria. The Search Result table is populated with the results of your search. The fol[...]

  • Page 450

    14-8 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer, Working with Expert Troubleshooter: Step 8 Click Done to return to the Expert Troubleshooter. The Progress Details page refreshes periodically to display the tasks that are performed as troubleshooting[...]

  • Page 451

    14-9 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer, Working with Expert Troubleshooter: Step 10 Click Done to return to the Expert Troubleshooter. The Monitoring & Report Viewer provides you the diagnosis, steps to resolve the problem, and trouble[...]

  • Page 452

    14-10 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer, Working with Expert Troubleshooter: Step 3 Click Run to run the show command on the specified network device. The Progress Details page appears. The Monitoring & Report Viewer prompts you for ad[...]

  • Page 453

    14-11 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer, Working with Expert Troubleshooter: Step 3 Click Run. The Progress Details page appears. The Monitoring & Report Viewer prompts you for additional input. Step 4 Click the User Input Required bu[...]

  • Page 454

    14-12 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer, Working with Expert Troubleshooter: 3. Compares the SGACL policy obtained from the network device with the SGACL policy obtained from ACS. 4. Displays the source SGT—destination SGT pair if the[...]

  • Page 455

    14-13 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer, Working with Expert Troubleshooter: Step 4 Click SXP-IP Mappings from the list of troubleshooting tools. The Expert Troubleshooter page refreshes and shows the following field: Network Device IP—E[...]

  • Page 456

    14-14 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer, Working with Expert Troubleshooter: Step 10 Click Show Results Summary to view the diagnosis and resolution steps. The Results Summary page appears with the information described in Table 14-6. Relate[...]

  • Page 457

    14-15 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer, Working with Expert Troubleshooter: Step 6 Click Show Results Summary to view the diagnosis and resolution steps. Related Topics • Available Diagnostic and Troubleshooting Tools, page 14-1 • Co[...]

  • Page 458

    14-16 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer, Working with Expert Troubleshooter: Step 3 Click Run. The Progress Details page appears with a summary. Step 4 Click Show Results Summary to view the results of device SGT comparison. The Results Summ[...]

  • Page 459

    15-1 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer: This chapter describes the tasks that you must perform to configure and administer the Monitoring & Report Viewer. The Monitoring Configuration drawer allows you t[...]

  • Page 460

    15-2 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer: • Configure and edit failure reasons—The Monitoring & Report Viewer allows you to configure the description of the failure reason code and provide instructions to r[...]

  • Page 461

    15-3 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer, Configuring Data Purging and Incremental Backup: • Configuring Alarm Syslog Targets, page 15-17 • Configuring Remote Database Settings, page 15-17 Configuring Data Purging and [...]

  • Page 462

    15-4 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer, Configuring Data Purging and Incremental Backup: – If the database disk usage is greater than 83 GB, a backup is run immediately followed by a purge until the database disk [...]

  • Page 463

    15-5 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer, Configuring Data Purging and Incremental Backup: • ACS displays an alert message when the difference between the physical and actual size of the view database is greater than 10[...]

  • Page 464

    15-6 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer, Configuring Data Purging and Incremental Backup: Configuring NFS Staging. If the utilization of /opt exceeds 30%, then it is required to use NFS staging with a remote repositor[...]

  • Page 465

    15-7 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer, Restoring Data from a Backup: Restoring Data from a Backup. Use this page to restore data from the View database that was backed up earlier. You can restore data from an incrementa[...]

  • Page 466

    15-8 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer, Viewing Log Collections: Note You can use the refresh symbol to refresh the contents of the page. Related Topic Log Collection Details Page, page 15-9 Table 15-3 Log Collecti[...]

  • Page 467

    15-9 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer, Viewing Log Collections: Log Collection Details Page. Use this page to view the recently collected log names for an ACS server. Step 1 From the Monitoring & Report Viewer, sel[...]

  • Page 468

    15-10 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer, Viewing Log Collections: Related Topic • Viewing Log Collections, page 15-7 Table 15-4 Log Collection Details Page: Option, Description. Log Name Name of the log file. Last Sy[...]

  • Page 469

    15-11 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer, Recovering Log Messages: Recovering Log Messages. ACS server sends syslog messages to the Monitoring and Report Viewer for the activities such as passed authentication, failed at[...]

  • Page 470

    15-12 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer, Viewing Scheduled Jobs: Note When you change any schedule through the ACS web interface, for the new schedule to take effect, you must manually restart the Job Manager proces[...]

  • Page 471

    15-13 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer, Viewing Process Status: Viewing Process Status. Use this page to view the status of processes running in your ACS environment. From the Monitoring & Report Viewer, select Mon[...]

  • Page 472

    15-14 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer, Viewing Data Upgrade Status: Viewing Data Upgrade Status. After you upgrade to ACS 5.3, ensure that the Monitoring & Report Viewer database upgrade is complete. You can do [...]

  • Page 473

    15-15 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer, Specifying E-Mail Settings: Related Topic Viewing Failure Reasons, page 15-14 Specifying E-Mail Settings. Use this page to specify the e-mail server and administrator e-mail address. [...]

  • Page 474

    15-16 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer, Understanding Collection Filters: Understanding Collection Filters. You can create collection filters that allow you to filter and drop syslog events that are not used for mon[...]

  • Page 475

    15-17 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer, Configuring System Alarm Settings: Related Topics • Creating and Editing Collection Filters, page 15-16 • Deleting Collection Filters, page 15-17 Deleting Collection Filters T[...]

  • Page 476

    15-18 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer, Configuring Remote Database Settings: Step 1 From the Monitoring & Report Viewer, choose Monitoring Configuration > System Configuration > Remote Database Settings [...]

  • Page 477

    16-1 Chapter 16 Managing System Administrators: System administrators are responsible for deploying, configuring, maintaining, and monitoring the ACS servers in your network. They can perform various operations in ACS through the ACS administrative interface. When you [...]

  • Page 478

    16-2 Chapter 16 Managing System Administrators, Understanding Administrator Roles and Accounts: • Configure administrator session setting • Configure administrator access setting The first time you log in to ACS 5.3, you are prompted for the predefined administrator userna[...]

  • Page 479

    16-3 Chapter 16 Managing System Administrators, Configuring System Administrators and Accounts: Understanding Authentication. An authentication request is the first operation for every management session. If authentication fails, the management session is terminated. But if auth[...]

  • Page 480

    16-4 Chapter 16 Managing System Administrators, Understanding Roles: Permissions. A permission is an access right that applies to a specific administrative task. Permissions consist of: • A Resource – The list of ACS components that an administrator can access, such as net[...]

  • Page 481

    16-5 Chapter 16 Managing System Administrators, Understanding Roles: Note At first login, only the Super Admin is assigned to a specific administrator. Related Topics • Administrator Accounts and Role Association • Creating, Duplicating, Editing, and Deleting Administrato[...]

  • Page 482

    16-6 Chapter 16 Managing System Administrators, Creating, Duplicating, Editing, and Deleting Administrator Accounts: Administrator Accounts and Role Association. Administrator account definitions consist of a name, status, description, e-mail address, password, and role assignmen[...]

  • Page 483

    16-7 Chapter 16 Managing System Administrators, Creating, Duplicating, Editing, and Deleting Administrator Accounts: Step 2 Do any of the following: • Click Create. • Check the check box next to the account that you want to duplicate and click Duplicate. • Click the acco[...]

  • Page 484

    16-8 Chapter 16 Managing System Administrators, Viewing Predefined Roles: The new account is saved. The Administrators page appears, with the new account that you created or duplicated. Related Topics • Understanding Roles, page 16-3 • Administrator Accounts and Role Associa[...]

  • Page 485

    16-9 Chapter 16 Managing System Administrators, Configuring Authentication Settings for Administrators: Related Topics • Understanding Roles, page 16-3 • Administrator Accounts and Role Association, page 16-6 • Configuring Authentication Settings for Administrators, page 16-[...]

  • Page 486

    16-10 Chapter 16 Managing System Administrators, Configuring Authentication Settings for Administrators: Note ACS automatically deactivates or disables your account based on your last login, last password change, or number of login retries. The CLI and PI user accounts are blo[...]

  • Page 487

    16-11 Chapter 16 Managing System Administrators, Configuring Session Idle Timeout: Related Topics • Understanding Roles, page 16-3 • Administrator Accounts and Role Association, page 16-6 • Viewing Predefined Roles, page 16-8 Configuring Session Idle Timeout. A GUI session, [...]

  • Page 488

    16-12 Chapter 16 Managing System Administrators, Resetting the Administrator Password: Step 3 Click Create in the IP Range(s) area. A new window appears. Enter the IP address of the machine from which you want to allow remote access to ACS. Enter a subnet mask for an entire IP a[...]

  • Page 489

    16-13 Chapter 16 Managing System Administrators, Changing the Administrator Password: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/reference/cli_app_a.html#wp1893005. Note You cannot reset the administrator password through the AC[...]

  • Page 490

    16-14 Chapter 16 Managing System Administrators, Changing the Administrator Password: Resetting Another Administrator’s Password. To reset another administrator’s password: Step 1 Choose System Administration > Administrators > Accounts. The Accounts page appears with [...]

  • Page 491

    17-1 Chapter 17 Configuring System Operations: You can configure and deploy ACS instances so that one ACS instance becomes the primary instance and the other ACS instances can be registered to the primary as secondary instances. An ACS instance represents ACS software t[...]

  • Page 492

    17-2 Chapter 17 Configuring System Operations, Understanding Distributed Deployment: Understanding Distributed Deployment. You can configure multiple ACS servers in a deployment. Within any deployment, you designate one server as the primary server and all the other servers are [...]

  • Page 493

    17-3 Chapter 17 Configuring System Operations, Understanding Distributed Deployment: Note ACS 5.3 does not support the large deployment with more than ten ACS instances (one primary and nine secondaries). For more information on ACS server deployments, see: http://www.cisco.co[...]

  • Page 494

    17-4 Chapter 17 Configuring System Operations, Understanding Distributed Deployment: • Understanding Distributed Deployment, page 17-2 Promoting a Secondary Server. There can be one server only that is functioning as the primary server. However, you can promote a secondary [...]

  • Page 495

    17-5 Chapter 17 Configuring System Operations, Understanding Distributed Deployment: Understanding Full Replication. Under normal circumstances, each configuration change is propagated to all secondary instances. Unlike ACS 4.x where full replication was performed, in ACS 5.3, o[...]

  • Page 496

    17-6 Chapter 17 Configuring System Operations, Scheduled Backups: • Using the Deployment Operations Page to Create a Local Mode Instance, page 17-22 Scheduled Backups. You can schedule backups to be run at periodic intervals. You can schedule backups from the primary web in[...]

  • Page 497

    17-7 Chapter 17 Configuring System Operations, Backing Up Primary and Secondary Instances: Step 2 Click Submit to schedule the backup. Related Topic Backing Up Primary and Secondary Instances, page 17-7 Backing Up Primary and Secondary Instances. ACS provides you the option to back [...]

  • Page 498

    17-8 Chapter 17 Configuring System Operations, Synchronizing Primary and Secondary Instances After Backup and Restore: Step 4 Click Submit to run the backup immediately. Related Topic Scheduled Backups, page 17-6 Synchronizing Primary and Secondary Instances After Backup and Resto[...]

  • Page 499

    17-9 Chapter 17 Configuring System Operations, Editing Instances: The Distributed System Management page appears with two tables: • Primary Instance table — Shows the primary instance. The primary instance is created as part of the installation process. • Secondary Instances [...]

  • Page 500

    17-10 Chapter 17 Configuring System Operations, Editing Instances: Step 2 From the Primary Instance table, click the primary instance that you want to modify, or check the Name check box and click Edit. Step 3 Complete the fields in the Distributed System Management Properties pa[...]

  • Page 501

    17-11 Chapter 17 Configuring System Operations, Editing Instances: Step 4 Click Submit. Port Port for Management service. MAC Address MAC address for the instance. Description Description of the primary or secondary instance. Check Secondary Every (only applies for primary instance)[...]

  • Page 502

    17-12 Chapter 17 Configuring System Operations, Editing Instances: The Primary Instance table on the Distributed System Management page appears with the edited primary instance. Related Topics • Replicating a Secondary Instance from a Primary Instance, page 17-18 • Viewing [...]

  • Page 503

    17-13 Chapter 17 Configuring System Operations, Activating a Secondary Instance: The following warning message appears: Are you sure you want to delete the selected item/items? Step 5 Click OK. The Secondary Instances table on the Distributed System Management page appears witho[...]

  • Page 504

    17-14 Chapter 17 Configuring System Operations, Registering a Secondary Instance to a Primary Instance: Table 17-6 System Operations: Deployment Operations Page: Option, Description. Instance Status, Current Status Identifies the instance of the node you log in to as primary or [...]

  • Page 505

    17-15 Chapter 17 Configuring System Operations, Registering a Secondary Instance to a Primary Instance: Step 3 Specify the appropriate values in the Registration Section. Step 4 Click Register to Primary. The following warning message is displayed. This operation will register t[...]

  • Page 506

    17-16 Chapter 17 Configuring System Operations, Deregistering Secondary Instances from the Distributed System Management Page: Deregistering Secondary Instances from the Distributed System Management Page. To deregister secondary instances from the Distributed System Management [...]

  • Page 507

    17-17 Chapter 17 Configuring System Operations, Promoting a Secondary Instance from the Distributed System Management Page: The system displays the following warning message: This operation will deregister this server as a secondary with the primary server. ACS will be restar[...]

  • Page 508

    17-18 Chapter 17 Configuring System Operations, Promoting a Secondary Instance from the Deployment Operations Page: Promoting a Secondary Instance from the Deployment Operations Page. To promote a secondary instance to a primary instance from the Deployment Operations page: Ste[...]

  • Page 509

    17-19 Chapter 17 Configuring System Operations, Replicating a Secondary Instance from a Primary Instance: Replicating a Secondary Instance from the Distributed System Management Page. Note All ACS appliances must be in sync with the AD domain clock. To replicate a secondary inst[...]

  • Page 510

    17-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Replicating a Secondary Instanc e from a Primary Instance The Distribu ted System Management page appears. On the Secondary Instance table, the Replication Status column sho ws UPD A TE D . Replication is complete on the secondary in s[...]

  • Page 511

    17-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Replicating a Secondary Instanc e from a Primary Insta nce Failover A CS 5.3 allows you to configure mul tiple A C S instances for a dep loyment scenario. Each deplo yment can hav e one primary and multiple secondar y A CS server . Scen[...]

  • Page 512

    17-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Using the Deploym ent Operation s Page to Create a Local Mode Instance Cleanup..... .. Starting ACS... . The database on the primary se rver is restored successfully . Now , you can observe that all se condary servers in the distribute[...]

  • Page 513

    17-23 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Using the Deployment Operations Page to Create a Local Mode Insta nce Y ou can use the conf iguration information on the A C S Config uration Audit report to manually restore the conf iguration infor mation for this inst ance. Creating,[...]

  • Page 514

    17-24 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Using the Deploym ent Operation s Page to Create a Local Mode Instance Step 4 Click Submit . The new software repository is sa ved. The Soft ware Repository page appears, with the ne w software repository that you created, dupl icated,[...]

  • Page 515

    CH A P T E R 18-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 18 Managing System Administration Configurations After you install Ci sco Secure A CS, you must conf igure and administer it t o manage your network eff iciently . The ACS web interface allo ws you to ea sily configure A CS to perform v arious operations. For a lis[...]

  • Page 516

    18-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Global System Options Configuring EAP-TLS Settings Use the EAP-TLS Settings page to configure EAP-TLS runtime characteristics. Select System Administration > Conf iguration > Global System Options > E[...]

  • Page 517

    18-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Global System Op tions Configuring PEAP Settings Use the PEAP Settings page to conf igure PEAP ru ntim e characteristics. Select System Administration > Conf iguration > Global System Options > PEAP S[...]

  • Page 518

    18-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring RSA SecurID Prom pts Generating EAP-FAST PAC Use the EAP-F AST Generate P AC pag e to generate a user or machine P AC. Step 1 Select System Admini stration > Confi guration > Global System Options > E[...]

  • Page 519

    18-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Dictiona ries Step 3 Click Submit to conf igure the RSA SecurID Prompt s. Managing Dictionaries The follo wing tasks ar e av ailable when you select System Administration > Conf iguration > Dictionaries : ?[...]

  • Page 520

    18-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Diction aries • RADIUS (RedCreek) • RADIUS (US Robotics) • TA C A C S + T o vie w and choose attributes from a p rotocol dictionary , select System Administ ration > Confi guration > Dictionaries >[...]

  • Page 521

    18-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Dictiona ries Step 3 Click Submit to sav e the changes. Related Topics V iewi ng RADIUS and T ACA CS+ Attrib utes, page 18-5 Creating, Duplicating, and Editing RADIUS Vendor-Specific Subattributes T o create, dup[...]

  • Page 522

    18-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Diction aries T able 18-9 Cr eating, Duplicating, and Ed iting RADIUS Subat tr ibutes Option Description General Attrib ute Name of the subattribut e. The name must be unique. Description (Optional) A brief descr[...]

  • Page 523

    18-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Dictiona ries Step 4 Click Submit to sav e the suba ttribute. Viewing RADIUS Vendor-Specific Subattributes T o vi ew the att ribut es that are supported by a par ticular RADIUS v endor: Step 1 Choose Syst em Admi[...]
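The dictionary entries described on these pages (vendor ID, subattribute ID, data type) define how ACS reads and writes RADIUS vendor-specific attributes on the wire. The following is an added example, not code from the guide or from ACS: it encodes and decodes RFC 2865 attribute 26 using Cisco's IANA vendor ID 9 and the cisco-avpair subattribute (vendor type 1). The one-entry DICTIONARY and the sample value are illustrative, and the decoder checks every length field so a malformed attribute raises rather than being misread.

```python
"""RADIUS Vendor-Specific Attribute (type 26) encode/decode, RFC 2865 section 5.26.
Added example, not code from the ACS guide. Cisco's IANA enterprise number is 9 and
the cisco-avpair string subattribute is vendor type 1; the DICTIONARY below is a
one-entry stand-in for the dictionary pages the guide describes.
"""
import struct

VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1          # vendor type of the cisco-avpair string subattribute

# (vendor id, vendor type) -> (name, data type), as a dictionary entry would record it
DICTIONARY = {
    (CISCO_VENDOR_ID, CISCO_AVPAIR): ("cisco-avpair", "string"),
}


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Build one attribute 26 TLV carrying a single vendor subattribute:
    Type(26) Length Vendor-Id(4) | Vendor-Type Vendor-Length Value."""
    if not 0 < vendor_type < 256:
        raise ValueError("vendor type must fit in one octet")
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("VSA payload too long for one attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(attr: bytes):
    """Parse an attribute 26 TLV; returns (vendor_id, [(vendor_type, value), ...]).
    Every length field is validated before it is used as an offset."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC:
        raise ValueError("not a vendor-specific attribute")
    length = attr[1]
    if length != len(attr) or length < 8:
        raise ValueError("bad attribute length")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    subs, pos = [], 6
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated subattribute header")
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 2 or pos + vlen > length:
            raise ValueError("bad subattribute length")
        subs.append((vtype, attr[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def describe(attr: bytes):
    """Resolve decoded subattributes through the dictionary, the way a received
    VSA is matched to a dictionary entry; unknown pairs keep raw octets."""
    vendor_id, subs = decode_vsa(attr)
    out = []
    for vtype, value in subs:
        name, dtype = DICTIONARY.get(
            (vendor_id, vtype), (f"vendor{vendor_id}-type{vtype}", "octets"))
        out.append((name, value.decode() if dtype == "string" else value))
    return out


if __name__ == "__main__":
    avp = encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, b"shell:priv-lvl=15")
    print(avp.hex())
    print(describe(avp))
```

The value "shell:priv-lvl=15" is a constructed sample; the point of the block is the framing (outer type/length, four-byte vendor ID, inner vendor-type/vendor-length) that the dictionary fields correspond to.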

18-10 Managing Dictionaries
Related Topic: Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes, page 18-6.
Configuring Identity Dictionaries. This section contains the following topics:
• Creating, Duplica[...]

18-11 Managing Dictionaries
Configuring Internal Identity Attributes. Table 18-10 describes the fields in the internal <users | hosts> identity attributes.
Table 18-10 Identity Attribute Properties Page. Optio[...]

18-12 Managing Dictionaries
Deleting an Internal User Identity Attribute. To delete an internal user identity attribute:
Step 1 Select System Administration > Configuration > Dictionaries > Identity > Internal [...]

18-13 Managing Dictionaries
Creating, Duplicating, and Editing an Internal Host Identity Attribute. To create, duplicate, and edit an internal host identity attribute:
Step 1 Select System Administration > Configuratio[...]

18-14 Configuring Local Server Certificates
Adding a Static IP Address to Users in the Internal Identity Store. To add a static IP address to a user in the Internal Identity Store:
Step 1 Add a static IP attribute to internal user attr[...]

18-15 Adding Local Server Certificates
Step 2 Click Add.
Step 3 Enter the information in the Local Certificate Store Properties page as described in Table 18-12.
Importing Server Certificates and Associating Certifica[...]

18-16 Adding Local Server Certificates
Step 4 Click Finish. The new certificate is saved. The Local Certificate Store page appears with the new certificate.
Generating Self-Signed Certificates.
Step 1 Select System Administ[...]

18-17 Adding Local Server Certificates
Step 4 Click Finish. The new certificate is saved. The Local Certificate Store page appears with the new certificate.
Generating a Certificate Signing Request.
Step 1 Select System Ad[...]

18-18 Adding Local Server Certificates
Step 1 Select System Administration > Configurations > Local Server Certificates > Local Certificates > Add.
Step 2 Select Bind CA Signed Certificate > Next.
Step 3 En[...]

18-19 Adding Local Server Certificates
Step 4 Click Submit to extend the existing certificate's validity. The Local Certificate Store page appears with the edited certificate.
Related Topic:
• Configuring Local Serv[...]

18-20 Adding Local Server Certificates
Exporting Certificates. To export a certificate:
Step 1 Select System Administration > Configuration > Local Server Certificates > Local Certificates.
Step 2 Check the box[...]

18-21 Configuring Logs
Log records are generated for:
• Accounting messages
• AAA audit and diagnostics messages
• System diagnostics messages
• Administrative and operational audit messages
The me[...]

18-22 Configuring Logs
• Remote Log Targets > Duplicate: "log_target", where log_target is the name of the remote log target you selected in Step 2, if you are duplicating a remote log target.
• Remote Log[...]

18-23 Configuring Logs
Deleting a Remote Log Target. To delete a remote log target:
Step 1 Select System Administration > Configuration > Log Configuration > Remote Log Targets. The Remote Log Targets page app[...]

18-24 Configuring Logs
Step 1 Select System Administration > Configuration > Log Configuration > Local Log Target. The Local Configuration page appears.
Step 2 Click Delete Logs Now to immediately delete all loc[...]

18-25 Configuring Logs
If you have completed your configuration, proceed to Step 6.
Step 4 To configure a remote syslog target, click the Remote Syslog Target and proceed to Step 5.
Step 5 Complete the Remote Syslog [...]

18-26 Configuring Logs
Table 18-22 lists a set of administrative and operational logs under various categories that are not logged to the local target.
Table 18-22 Administrative and Operational Logs Not Logged in t[...]

18-27 Configuring Logs
Related Topic:
• Configuring Per-Instance Logging Categories, page 18-29
• Viewing ADE-OS Logs, page 18-28
Software-Management:
• ACS_UPGRADE: ACS upgraded
• ACS_PATCH: ACS pa[...]

18-28 Configuring Logs
Viewing ADE-OS Logs. The logs listed in Table 18-22 are written to the ADE-OS logs. From the ACS CLI, you can use the following command to view the ADE-OS logs:
show logging system
This command list[...]

18-29 Configuring Logs
Sep 29 06:28:28 cd-acs5-13-103 MSGCAT58004/admin: ACS Stopped
Sep 29 06:31:41 cd-acs5-13-103 MSGCAT58037/admin: Installing ACS
Sep 29 09:52:35 cd-acs5-13-103 MSGCAT58007: Killing Tomcat 32729
Sep 29 09:[...]
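The ADE-OS lines above are BSD-style syslog records carrying a message-catalog code and, for administrator-initiated actions, the acting user after a slash. Because these service-lifecycle events are not written to the ACS local log target (Table 18-22), anyone collecting them has to pull `show logging system` output and parse it. The parser below is an added example, not code from the guide; the sample lines are constructed after the three the guide prints, and the list of messages worth flagging is an assumption chosen for illustration.

```python
"""Parse ADE-OS log lines of the shape shown in 'show logging system' output and
flag service-lifecycle events. Added example, not code from the guide. SAMPLE is a
constructed copy of the lines the guide prints; EVENTS_OF_INTEREST is an assumed
list for illustration, not a list from the guide.
"""
import re
from datetime import datetime

# Constructed sample, patterned on the lines the guide prints.
SAMPLE = """\
Sep 29 06:28:28 cd-acs5-13-103 MSGCAT58004/admin: ACS Stopped
Sep 29 06:31:41 cd-acs5-13-103 MSGCAT58037/admin: Installing ACS
Sep 29 09:52:35 cd-acs5-13-103 MSGCAT58007: Killing Tomcat 32729
"""

# "<Mon dd hh:mm:ss> <host> MSGCATnnnnn[/actor]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<code>MSGCAT\d+)(?:/(?P<actor>[^:\s]+))?: "
    r"(?P<msg>.*)$"
)

# Messages that mean the AAA service was stopped, reinstalled or had its web
# container killed. Whether each one was expected is a change-record question;
# here they are only flagged (assumed list).
EVENTS_OF_INTEREST = ("ACS Stopped", "Killing Tomcat", "Installing ACS")


def parse_line(line: str, year: int):
    """Return a dict for one log line, or None if it does not match.
    The BSD-style timestamp carries no year, so the caller supplies it."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec


def parse_log(text: str, year: int):
    """Parse every line of a 'show logging system' dump, skipping non-matching lines."""
    return [r for r in (parse_line(l, year) for l in text.splitlines()) if r]


def flag_events(records):
    """Select records whose message starts with one of the events of interest."""
    return [r for r in records if r["msg"].startswith(EVENTS_OF_INTEREST)]


if __name__ == "__main__":
    for r in flag_events(parse_log(SAMPLE, 2011)):
        print(r["time"], r["host"], r["code"], r["actor"], r["msg"])
```

The catalog code (MSGCAT...) is the stable key to match on; the free-text message is only used here for a readable prefix match, and the actor field is absent on lines the system emits on its own, such as the Tomcat kill.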

18-30 Configuring Logs
Configuring Per-Instance Security and Log Settings. You can configure the severity level and local log settings in a logging category configuration for a specific overridden or custom ACS insta[...]

18-31 Configuring Logs
Configuring Per-Instance Remote Syslog Targets. Use this page to configure remote syslog targets for logging categories.
Step 1 Select System Administration > Configuration > Log Configuration [...]

18-32 Configuring Logs
Displaying Logging Categories. You can view a tree of configured logging categories for a specific ACS instance. In addition, you can configure a logging category's severity level, log targe[...]

18-33 Configuring Logs
Configuring the Log Collector. Use the Log Collector page to select a log data collector and suspend or resume log data transmission.
Step 1 Select System Administration > Configuration > Log C[...]

18-34 Licensing Overview
To operate ACS, you must install a valid license. ACS prompts you to install a valid base license when you first access the web interface. Each ACS instance (primary or second[...]

18-35 Installing a License File
Related Topics:
• Licensing Overview, page 18-34
• Installing a License File, page 18-35
• Viewing the Base License, page 18-36
• Adding Deployment License Files, page 18-39
• Delet[...]

18-36 Installing a License File
Viewing the Base License. To upgrade the base license:
Step 1 Select System Administration > Configuration > Licensing > Base Server License. The Base Server License page appears wit[...]

18-37 Installing a License File
Related Topic:
• Upgrading the Base Server License, page 18-37
Upgrading the Base Server License. You can upgrade the base server license.
Step 1 Select System Administration > Configurati[...]

18-38 Viewing License Feature Options
You can add, upgrade, or delete existing deployment licenses. The configuration pane at the top of the page shows the deployment information. Select [...]

18-39 Adding Deployment License Files
To add a new base deployment license file:
Step 1 Select System Administration > Configuration > Licensing > Feature Options. The Feature Opti[...]

18-40 Deleting Deployment License Files
Related Topics:
• Licensing Overview, page 18-34
• Types of Licenses, page 18-34
• Installing a License File, page 18-35
• Viewing the Base License, page 18-36
• Deleting De[...]

18-41 Available Downloads
Downloading Migration Utility Files. To download migration application files and the migration guide for ACS 5.3:
Step 1 Choose System Administration > Downloads > Migration Utility. [...]

18-42 Available Downloads
To download these sample scripts:
Step 1 Choose System Administration > Downloads > Sample Python Scripts. The Sample Python Scripts page appears.
Step 2 Click one of the following:
• P[...]

19-1 Chapter 19: Understanding Logging
This chapter describes logging functionality in ACS 5.3. Administrators and users use the various management interfaces of ACS to perform different tasks. Using the administrative access control feature, you can assign permissions[...]

19-2 About Logging
Using Log Targets. You can send log information to multiple consumers, or log targets, and specify whether the log messages are stored locally in text format or forwarded to syslog servers. By default, a s[...]

19-3 About Logging
Note: For complex configuration items or attributes, such as policy or DACL contents, the new attribute value is reported as "New/Updated" and the audit does not contain the actual attribute value or valu[...]

19-4 About Logging
Each log message contains the following information:
• Event code: A unique message code.
• Logging category: Identifies the category to which a log message belongs.
• Severity level: Identifies the level of se[...]

19-5 About Logging
Local Store Target. Log messages in the local store are text files that are sent to one log file, located at /opt/CSCOacs/logs/localStore/, regardless of which logging category they belong to. The local store can only contai[...]

19-6 About Logging
Table 19-2 Local Store and Syslog Message Format. Field / Description. timestamp: Date of the message generation, according to the local clock of the originating ACS, in the format YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm. Possible [...]

19-7 About Logging
You can use the web interface to configure the number of days to retain local store log files; however, the default setting is to purge data when it exceeds 5 MB or each day, whichever limit is first attained. If you do c[...]

19-8 About Logging
When you configure a critical log target, and a message is sent to that critical log target, the message is also sent to the configured noncritical log target on a best-effort basis.
• When you configure a critical log target[...]

19-9 About Logging
Table 19-3 Remote Syslog Message Header Format. Field / Description. pri_num: Priority value of the message; a combination of the facility value and the severity value of the message. Priority value = (facility value * 8) + se[...]

19-10 About Logging
The syslog message data or payload is the same as the Local Store Message Format, which is described in Table 19-2. The remote syslog server targets are identified by the facility code names LOCAL0 to LOCAL7 (LOCAL6 is th[...]
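Two definitions from these pages are enough to decode what a collector actually receives: the priority arithmetic of Table 19-3 (priority = facility * 8 + severity) with the target keyed by a LOCAL0..LOCAL7 facility, and the timestamp format of Table 19-2, whose millisecond field is colon-separated and so trips up stock ISO-8601 parsers. The block below is an added example, not code from the guide: the sample remote-syslog line is constructed, only the <PRI> prefix and the timestamp format are taken from the text, and the rest of the payload layout is not modelled.

```python
"""Syslog priority arithmetic and ACS timestamp parsing, following the guide's
definitions: PRI = facility * 8 + severity, remote targets named LOCAL0..LOCAL7.
Added example, not code from the guide. SAMPLE_LINE is constructed; only its
<PRI> prefix and its 'YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm' timestamp come from the text.
"""
import re
from datetime import datetime, timedelta, timezone

# RFC 3164 numbers for the local-use facilities the guide names.
LOCAL_FACILITIES = {f"LOCAL{i}": 16 + i for i in range(8)}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed line: LOCAL6/info priority in front of an ACS-format timestamp.
SAMPLE_LINE = "<182>2011-09-29 06:28:28:123 +05:30 example payload"


def pri(facility_name_: str, severity: int) -> int:
    """Priority value = (facility value * 8) + severity value."""
    if not 0 <= severity <= 7:
        raise ValueError("severity must be 0..7")
    return LOCAL_FACILITIES[facility_name_] * 8 + severity


def split_pri(value: int):
    """Inverse of pri(): returns (facility number, severity number)."""
    if not 0 <= value <= 191:          # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range")
    return divmod(value, 8)


def facility_name(number: int) -> str:
    for name, num in LOCAL_FACILITIES.items():
        if num == number:
            return name
    return f"facility{number}"


TS_RE = re.compile(
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<hms>\d{2}:\d{2}:\d{2}):(?P<ms>\d{3}) "
    r"(?P<sign>[+-])(?P<zh>\d{2}):(?P<zm>\d{2})"
)


def parse_acs_timestamp(text: str) -> datetime:
    """Parse 'YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm' (colon before the milliseconds)
    into a timezone-aware datetime, so logs from ACS nodes in different zones
    can be ordered correctly."""
    m = TS_RE.match(text)
    if not m:
        raise ValueError(f"not an ACS timestamp: {text!r}")
    naive = datetime.strptime(f"{m['date']} {m['hms']}", "%Y-%m-%d %H:%M:%S")
    offset = timedelta(hours=int(m["zh"]), minutes=int(m["zm"]))
    if m["sign"] == "-":
        offset = -offset
    return naive.replace(microsecond=int(m["ms"]) * 1000, tzinfo=timezone(offset))


def parse_remote_line(line: str):
    """Split '<PRI>' from the payload and decode facility, severity and time.
    The payload fields after the timestamp are returned as raw text."""
    m = re.match(r"<(\d{1,3})>(.*)$", line)
    if not m:
        raise ValueError("missing <PRI> header")
    fac, sev = split_pri(int(m.group(1)))
    payload = m.group(2)
    return {"facility": facility_name(fac), "severity": SEVERITIES[sev],
            "time": parse_acs_timestamp(payload), "payload": payload}


if __name__ == "__main__":
    print(pri("LOCAL6", 6), parse_remote_line(SAMPLE_LINE))
```

A collector that filters on facility (for example, one LOCALn per ACS instance or per log category) is relying on this arithmetic, so a PRI value outside 0..191 or a severity outside 0..7 is rejected rather than silently folded into a wrong facility.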

19-11 About Logging
The Monitoring & Report Viewer has two drawer options:
• Monitoring and Reports: Use this drawer to view and configure alarms, view log reports, and perform troubleshooting tasks.
• Monitoring Configuration: Us[...]

19-12 ACS 4.x Versus ACS 5.3 Logging
If you are familiar with the logging functionality in ACS 4.x, ensure that you familiarize yourself with the logging functionality of ACS 5.3, which is considerably differen[...]

19-13 ACS 4.x Versus ACS 5.3 Logging
Configuration. Use the System Configuration > Logging page to define:
• Loggers and individual logs
• Critical loggers
• Remote logging
• CSV log file
• Syslog log
• ODBC log
See Configuring Lo[...]

A-1 Appendix A: AAA Protocols
This section contains the following topics:
• Typical Use Cases, page A-1
• Access Protocols: TACACS+ and RADIUS, page A-5
• Overview of TACACS+, page A-5
• Overview of RADIUS, page A-6
Typical Use Cases. This section contains the followin[...]

A-2 Typical Use Cases
Session Access Requests (Device Administration [TACACS+]). Note: The numbers refer to Figure A-1 on page A-1. For session request:
1. An administrator logs into a network device.
2. The network device sends a TACACS+ access req[...]

A-3 Typical Use Cases
– EAP protocols that involve a TLS handshake and in which the client uses the ACS server certificate to perform server authentication: PEAP, using one of the following inner methods: PEAP/EAP-MSCHAPv2 and PEAP/EAP-GTC; EAP-FAS[...]

A-4 Typical Use Cases
– EAP-FAST/EAP-MSCHAPv2
– EAP-FAST/EAP-GTC
• EAP methods that use certificates for both server and client authentication:
– EAP-TLS
Whenever EAP is involved in the authentication process, it is preceded by an EAP nego[...]

A-5 Access Protocols: TACACS+ and RADIUS
This section contains the following topics:
• Overview of TACACS+, page A-5
• Overview of RADIUS, page A-6
ACS 5.3 can use the TACACS+ and RADIUS access protocols. Ta[...]

A-6 Overview of RADIUS
This section contains the following topics:
• RADIUS VSAs, page A-6
• ACS 5.3 as the AAA Server, page A-7
• RADIUS Attribute Support in ACS 5.3, page A-8
• RADIUS Access Requests, page A-9
RADIUS is a cl[...]

A-7 Overview of RADIUS
ACS 5.3 as the AAA Server. A AAA server is a server program that handles user requests for access to computer resources, and for an enterprise, provides AAA services. The AAA server typically interacts with network access and gateway [...]

A-8 Overview of RADIUS
RADIUS Attribute Support in ACS 5.3. ACS 5.3 supports the RADIUS protocol as RFC 2865 describes. ACS 5.3 supports the following types of RADIUS attributes:
• IETF RADIUS attributes
• Generic and Cisco VSAs
• Other vendors'[...]

A-9 Overview of RADIUS
Authentication. ACS supports various authentication protocols transported over RADIUS. The supported protocols that do not include EAP are:
• PAP
• CHAP
• MSCHAPv1
• MSCHAPv2
In addition, various EAP-based protocols can b[...]

A-10 Overview of RADIUS
In RADIUS, authentication and authorization are coupled. If the RADIUS server finds the username and the password is correct, the RADIUS server returns an access-accept response, including a list of attribute-value pairs that d[...]

B-1 Appendix B: Authentication in ACS 5.3
Authentication verifies user information to confirm the user's identity. Traditional authentication uses a name and a fixed password. More secure methods use cryptographic techniques, such as those used inside the Challenge Authe[...]

B-2 PAP
This appendix describes the following:
• RADIUS-based authentication that does not include EAP:
– PAP, page B-2
– CHAP, page B-31
– MSCHAPv1
– EAP-MSCHAPv2, page B-30
• EAP family of protocols transported over R[...]

B-3 EAP
RADIUS PAP Authentication. You can use different levels of security concurrently with ACS for different requirements. PAP applies a two-way handshaking procedure. If authentication succeeds, ACS returns an acknowledgement; other[...]
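What "PAP over RADIUS" means on the wire, and why the appendix calls the challenge-based methods more secure, is easiest to see in code. The block below is an added example, not code from the guide or from ACS: it implements the RFC 2865 User-Password hiding that is the only protection a PAP password gets between the network device and ACS (reversible with the shared secret, and bound to the Request Authenticator), next to the RFC 1994 CHAP response check, which never sends the password but does require the server to hold it in recoverable form. The shared secret, authenticator and challenge are constructed test values.

```python
"""Password-based RADIUS authentication primitives. Added example, not code from
the guide: RFC 2865 section 5.2 User-Password hiding (what carries a PAP password)
and the RFC 1994 CHAP response. All secrets, authenticators and challenges used
in the demo are constructed values.
"""
import hashlib
import hmac


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    This is obfuscation keyed by the shared secret, not encryption with a nonce
    of its own: anyone holding the secret recovers the password."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return out


def unhide_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of hide_user_password(); strips the zero padding, so a password
    with trailing NUL octets is not representable (a RADIUS limitation)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge). Over RADIUS the
    CHAP-Password attribute carries ident + this value and the challenge is the
    CHAP-Challenge attribute or, if absent, the Request Authenticator."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP identifier is one octet")
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(ident: int, stored_password: bytes, challenge: bytes, response: bytes) -> bool:
    """Server check. The comparison needs the cleartext (reversibly stored)
    password, which is why CHAP cannot be verified against a one-way hash."""
    expected = chap_response(ident, stored_password, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    secret, authenticator = b"constructed-secret", bytes(range(16))
    hidden = hide_user_password(b"correct horse battery staple", secret, authenticator)
    print(hidden.hex(), unhide_user_password(hidden, secret, authenticator))
    challenge = bytes(range(16, 32))
    print(verify_chap(5, b"pw", challenge, chap_response(5, b"pw", challenge)))
```

The practical consequence for a deployment: the RADIUS shared secret and the path between NAS and ACS are the whole defence for PAP, while the appendix's later EAP methods move the credential exchange inside a TLS tunnel instead.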

B-4 EAP
In ACS 5.3, EAP is encapsulated in the RADIUS protocol. Incoming and outgoing EAP messages are stored in a RADIUS EAP-Message attribute (79). A single RADIUS packet can contain multiple EAP-Message attributes when the size of a particul[...]
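The carriage described here (one EAP message split across several EAP-Message attributes, reassembled in order on the other side) is worth seeing with the length checks spelled out, since the EAP Length field and the RADIUS attribute lengths are independent and a receiver has to validate both. The block below is an added example, not code from the guide or from ACS: it fragments an EAP packet into attribute-79 TLVs, reassembles it, and adds and verifies the Message-Authenticator attribute (80, HMAC-MD5, RFC 3579) that must accompany EAP-Message so that the EAP payload cannot be altered in transit. The EAP payload, shared secret and authenticator are constructed values.

```python
"""EAP-in-RADIUS carriage: splitting one EAP message across EAP-Message attributes
(type 79) and reassembling it, plus the Message-Authenticator (type 80, RFC 3579)
that integrity-protects the packet. Added example, not code from the guide. The
EAP payload, shared secret and Request Authenticator in the demo are constructed.
"""
import hashlib
import hmac
import struct

EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
MAX_ATTR_VALUE = 253          # one-octet length covers type + length + value


def eap_packet(code: int, ident: int, data: bytes) -> bytes:
    """EAP header: Code(1) Identifier(1) Length(2, whole packet) followed by data."""
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data


def fragment_eap(eap: bytes) -> list:
    """Return EAP-Message attributes, in order, covering the whole EAP packet."""
    chunks = [eap[i:i + MAX_ATTR_VALUE] for i in range(0, len(eap), MAX_ATTR_VALUE)]
    return [struct.pack("!BB", EAP_MESSAGE, 2 + len(c)) + c for c in chunks]


def parse_attributes(blob: bytes) -> list:
    """Walk a RADIUS attribute list into (type, value) pairs, checking each length."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        out.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return out


def reassemble_eap(attrs: list) -> bytes:
    """Concatenate EAP-Message values in order and check the EAP Length field
    against what actually arrived (a missing fragment shows up here)."""
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    if len(eap) < 4:
        raise ValueError("no EAP-Message attributes")
    declared = struct.unpack("!H", eap[2:4])[0]
    if declared != len(eap):
        raise ValueError(f"EAP length {declared} != reassembled {len(eap)}")
    return eap


def radius_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """RADIUS header: Code(1) Identifier(1) Length(2) Authenticator(16) + attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def add_message_authenticator(code, ident, authenticator, attrs, secret):
    """Append attribute 80 = HMAC-MD5(secret, packet with attribute 80 zeroed)."""
    placeholder = struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    pkt = radius_packet(code, ident, authenticator, attrs + placeholder)
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return attrs + struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + mac


def zero_message_authenticator(pkt: bytes) -> bytes:
    """Rebuild the packet with attribute 80's value set to sixteen zero octets."""
    rebuilt = b""
    for t, v in parse_attributes(pkt[20:]):
        if t == MESSAGE_AUTHENTICATOR:
            v = bytes(len(v))
        rebuilt += struct.pack("!BB", t, 2 + len(v)) + v
    return pkt[:20] + rebuilt


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Recompute the HMAC and compare in constant time; exactly one 16-octet
    Message-Authenticator must be present."""
    macs = [v for t, v in parse_attributes(pkt[20:]) if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    expected = hmac.new(secret, zero_message_authenticator(pkt), hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])


def build_access_request(eap: bytes, authenticator: bytes, secret: bytes) -> bytes:
    """Access-Request (code 1) carrying the fragmented EAP packet, integrity-protected."""
    attrs = b"".join(fragment_eap(eap))
    attrs = add_message_authenticator(1, eap[1], authenticator, attrs, secret)
    return radius_packet(1, eap[1], authenticator, attrs)
```

Without attribute 80 an on-path party could rewrite the EAP-Message fragments of an Access-Request and the RADIUS Request Authenticator would not notice, which is why RFC 3579 requires it whenever EAP-Message is present.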

B-5 EAP-MD5
ACS supports full EAP infrastructure, including EAP type negotiation, message sequencing and message retransmission. All protocols support fragmentation of big messages. In ACS 5.3, you configure EAP methods for authentication as [...]

B-6 EAP-TLS
Overview of EAP-TLS. EAP-TLS is one of the methods in the EAP authentication framework, and is based on the 802.1x and EAP architecture. Components involved in the 802.1x and EAP authentication process are the:
• Host: The [...]

B-7 EAP-TLS
• Using a third-party signature, usually from a CA, that verifies the information in a certificate. This third-party binding is similar to the real-world equivalent of the stamp on a passport. You trust the passport becaus[...]

B-8 EAP-TLS
An anonymous Diffie-Hellman tunnel relates to the establishment of a completely anonymous tunnel between a client and a server for cases where neither peer authenticates itself. ACS runtime supports anonymous Diffie-Hell[...]

B-9 EAP-TLS
Fixed Management Certificates. ACS generates and uses self-signed certificates to identify various management protocols such as the Web browser, HTTPS, ActiveMQ, SSH, and SFTP. Self-signed certificates are generated when ACS is[...]

B-10 EAP-TLS
Importing the ACS Server Certificate. When you manually import an ACS server certificate, you must supply the certificate file, the private key file, and the private key password used to decrypt the PKCS#12 private key. T[...]

B-11 EAP-TLS
There are two types of certificate generation:
• Self-signed certificate generation: ACS supports generation of an X.509 certificate and a PKCS#12 private key. The passphrase used to encrypt the private key in the PK[...]

B-12 EAP-TLS
Credentials Distribution. All certificates are kept in the ACS database, which is distributed and shared between all ACS nodes. The ACS server certificates are associated and designated for a specific node, which uses that specif[...]

B-13 EAP-TLS
Private Keys and Passwords Backup. The entire ACS database is distributed and backed up on the primary ACS along with all the certificates, private keys and the encrypted private-key passwords. The private-key-password-key [...]

B-14 PEAPv0/1
Note: All communication between the host and ACS goes through the network device. EAP-TLS authentication fails if the:
• Server fails to verify the client's certificate, and rejects EAP-TLS authentication.
• Client fail[...]

  • Page 595

    B-15 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 PEAPv0/1 Overview of PEAP PEAP is a client-server security architecture that yo u use to encrypt EAP transactions, thereby protecting the contents of EAP authenticatio ns. PEAP uses server -side public ke y certificat es to authenticate the s[...]

  • Page 596

    B-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 PEAPv0/1 Server Authenticated and Unau thenticated Tunnel Establishmen t Modes T unnel esta blishment helps prev ent an attacker from in jecting pac kets betw een the client and the network access serv er (N AS) or , to allo w ne gotiatio n [...]

PEAP Flow in ACS 5.3

The PEAP protocol allows authentication between ACS and the peer by using PKI-based secure tunnel establishment and the EAP-MSCHAPv2 protocol as the inner method inside the tunnel. The local certificate [...]

Authenticating with MSCHAPv2

After the TLS tunnel is created, follow these steps to authenticate the wireless client credentials with MSCHAPv2:

At the end of this mutual authentication exchange, the wireless client has provided [...]

EAP-FAST

EAP-FAST is a client-server security architecture that encrypts EAP transactions with a TLS tunnel. While similar to PEAP in this respect, it differs significantly in that EAP-FAST tunnel establishment is based on strong secret[...]

EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase one depends [...]

• ACS-Supported Features for PACs, page B-24
• Master Key Generation and PAC TTLs, page B-26
• EAP-FAST for Allow TLS Renegotiation, page B-26

About Master-Keys

EAP-FAST master-keys are strong secrets that ACS automa[...]

Provisioning Modes

ACS supports out-of-band and in-band provisioning modes. The in-band provisioning mode operates inside a TLS tunnel raised by the Anonymous DH, Authenticated DH or RSA algorithm for key agreement. To minimize[...]

The various means by which an end-user client can receive PACs are:

• PAC provisioning — Required when an end-user client has no PAC. For more information about how master-key and PAC states determine whether PAC[...]

To control whether ACS performs Automatic In-Band PAC Provisioning, use the options on the Global System Options pages in the System Administration drawer. For more information, see EAP-FAST, page B-18.

Manual PAC Provis[...]

The proactive PAC update time is configured for the ACS server in the Allowed Protocols page. This mechanism allows the client to always hold a valid PAC.

Note: There is no proactive PAC update for Machine and [...]

Master Key Generation and PAC TTLs

The values for master key generation and PAC TTLs determine their states, as described in About Master-Keys, page B-21 and Types of PACs, page B-22. Master key and PAC states determine whe[...]

To enable ACS to perform EAP-FAST authentication:

Step 1 Configure an identity store that supports EAP-FAST authentication. To determine which identity stores support EAP-FAST authentication, see Authentication Protocol a[...]

This scheme improves security by reducing the amount of cryptographically sensitive material that is transmitted.

This section contains the following topics:

• Key Distribution Algorithm, page B-28
• EAP-FAST PAC-Opaque[...]

PAC Migration from ACS 4.x

Although the configuration can be migrated from 4.x, the PACs themselves, being stored only in supplicants, may still have been issued by versions as far back as ACS 3.x.[...]

EAP-MSCHAPv2

Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2) provides two-way authentication, also known as mutual authentication. The remote access client receives verification that the remote access s[...]

Windows Machine Authentication Against AD

EAP-MSCHAPv2 can be used for machine authentication. EAP-MSCHAPv2 Windows machine authentication is the same as user authentication. The difference is that you must use the Active Directory[...]

Certificate Attributes

ACS parses the following client certificate attributes:

• Certificate serial-number (in binary format)
• Encoded certificate (in binary DER format)
• Subject's CN attribute
• [...]

Rules Relating to Textual Attributes

ACS collects client certificate textual attributes and places them in the ACS context dictionary. ACS can apply any rule-based policy on these attributes as with any rule att[...]

• For automatic downloading, you define how long before the CRL file expires ACS should download it. The CRL expiration time is taken from the CRL nextUpdate field.

For both modes, if the dow[...]
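As an added example, not code from the Cisco guide or from ACS, the script below exercises both the Certificate Attributes material and the CRL handling above with openssl: it builds a throw-away CA, issues a client certificate, extracts the attributes ACS parses from it (serial number, DER encoding, subject CN), publishes a CRL and reads its nextUpdate field, then revokes the certificate and shows the same chain validation being rejected once the CRL lists it. The CA name, client name, lifetimes, file names and the openssl ca configuration are assumptions for the lab.

```shell
#!/bin/sh
# Added example (not from the Cisco ACS 5.3 guide or from ACS): a throw-away CA,
# a client certificate, the attributes ACS parses from it, and CRL-based
# revocation checking. All names, lifetimes and paths are assumed.
set -u

# Create a minimal `openssl ca` working directory under $1 (absolute path) and a
# self-signed CA certificate. default_crl_days sets the CRL nextUpdate field.
make_ca() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 30
default_crl_days = 7
unique_subject = no
policy = cn_only
[ cn_only ]
commonName = supplied
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=ACS Lab CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
}

# Issue a client certificate with subject CN=$2, signed by the CA in $1.
issue_client_cert() {
    dir=$1; cn=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
        -keyout "$dir/$cn.key" -out "$dir/$cn.csr" >/dev/null 2>&1 || return 1
    openssl ca -config "$dir/ca.cnf" -batch -notext \
        -in "$dir/$cn.csr" -out "$dir/$cn.pem" >/dev/null 2>&1
}

# The attributes listed under "Certificate Attributes", in a form a policy
# author can compare: serial as hex, DER length in bytes, subject CN.
cert_serial_hex() { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }
cert_der_bytes()  { openssl x509 -in "$1" -outform DER | wc -c | tr -d ' '; }
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Publish the CA's CRL (valid default_crl_days from now) to $1/crl.pem.
publish_crl() { openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" >/dev/null 2>&1; }

# Mark certificate $2 revoked in the CA database of $1. The CRL must be
# republished before any relying party (ACS included) can see the change.
revoke_cert() { openssl ca -config "$1/ca.cnf" -revoke "$2" >/dev/null 2>&1; }

# The CRL nextUpdate field: the expiry time the section above says ACS uses
# when deciding when to download a fresh CRL.
crl_next_update() { openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//'; }

# Return 0 if $2 chains to the CA in $1 and is absent from $1/crl.pem.
cert_valid_against_crl() {
    openssl verify -crl_check -CAfile "$1/ca.pem" -CRLfile "$1/crl.pem" "$2" >/dev/null 2>&1
}

# Stand-alone demo in a temporary directory.
if [ "${ACS_CRL_DEMO:-1}" = 1 ]; then
    lab=$(mktemp -d)
    make_ca "$lab" && issue_client_cert "$lab" alice && publish_crl "$lab" || exit 1
    echo "serial=$(cert_serial_hex "$lab/alice.pem") cn=$(cert_subject_cn "$lab/alice.pem") der_bytes=$(cert_der_bytes "$lab/alice.pem")"
    echo "CRL nextUpdate: $(crl_next_update "$lab/crl.pem")"
    cert_valid_against_crl "$lab" "$lab/alice.pem" && echo "before revocation: accepted"
    revoke_cert "$lab" "$lab/alice.pem" && publish_crl "$lab"
    cert_valid_against_crl "$lab" "$lab/alice.pem" || echo "after revocation: rejected"
    rm -rf "$lab"
fi
```

The gap between revoke_cert and the next publish_crl is the window a CRL-based deployment always has: a certificate is still accepted until the new CRL is published and fetched, which is why the download lead time before nextUpdate matters.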

Note: Microsoft PEAP clients may also initiate machine authentication whenever a user logs off. This feature prepares the network connection for the next user login. Microsoft PE[...]

Authentication Protocol and Identity Store Compatibility

Table B-5 specifies EAP authentication protocol support.

Table B-5 EAP Authentication Protocol and User Database Compatibility

Identity Store | EAP-MD5 | EAP-TLS (1)

1. In EAP-TL[...]

APPENDIX C Open Source License Acknowledgments

See http://www.cisco.com/en/US/products/ps9911/products_licensing_information_listing.html for all the Open Source and Third Party Licenses used in Cisco Secure Access Control System, 5.3.

Notices

The following notices pertain [...]

4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openss[...]

4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft[...]


GLOSSARY

A

AAA: Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined proce[...]

accounts: The capability of ACS to record user sessions in a log file.

ACS System Administrators: Administrators with different access privileges defined under the System Configuration section of the ACS web interface. They administer and manage A[...]

authenticity: The validity and conformance of the original information.

authorization: The approval, permission, or empowerment for someone or something to do something.

authorization profile: The basic "permissions container" for a RADIUS-based network ac[...]

certificate-based authentication: The use of Secure Sockets Layer (SSL) and certificates to authenticate and encrypt HTTP traffic.

certificate: Digital representation of user or device attributes, including a public key, that is signed with an authoritative priv[...]

configuration management: The process of establishing a known baseline condition and managing it.

cookie: Data exchanged between an HTTP server and a browser (a client of the server) to store state information on the client side and retrieve it later for server us[...]

D

daemon: A program which is often started at the time the system boots and runs continuously without intervention from any of the users on the system. The daemon program forwards the requests to other programs (or processes) as appropriate. The term daemon is a U[...]

digital envelope: An encrypted message together with the session key, itself encrypted under the recipient's public key.

digital signature: A value computed over a hash of a message with the sender's private key. Anyone holding the sender's public key can verify it, which identifies the sender and proves the message has not changed since it was signed.

DSA: Digital Signature Algorithm. An asym[...]

dumpsec: A security tool that dumps a variety of information about a system's users, file system, registry, permissions, password policy, and services.

DLL: Dynamic Link Library. A collection of small programs, any of which can be called when needed by a la[...]

EAP: Extensible Authentication Protocol. An authentication framework, used on both wired and wireless networks, that expands on the authentication methods of PPP (Point-to-Point Protocol), a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mec[...]

G

gateway: A network point that acts as an entrance to another network.

global system options: Configuring TACACS+, EAP-TTLS, PEAP, and EAP-FAST runtime characteristics and generating EAP-FAST PACs.

H

hash functions: Used to generate a one-way "checksum"[...]

I

I18N: Internationalization and localization are means of adapting software for non-native environments, especially other nations and cultures. Internationalization is the adaptation of products for potential use virtually everywhere, while localization is [...]

ISO: International Organization for Standardization, a voluntary, non-treaty, non-government organization, established in 1947, with voting members that are designated standards bodies of participating nations and non-voting observer organizations.

ISP: [...]

M

MAC Address: A physical address; a numeric value assigned to a network interface that is intended to distinguish it from every other device. Because the value can be changed in software, it identifies a device but does not authenticate it.

matchingRule (LDAP): The method by which an attribute is compared in a search operation. A matchingRule is an ASN.1 definiti[...]

PI (Programmatic Interface): The ACS PI is a programmatic interface that provides external applications the ability to communicate with ACS to configure and operate ACS; this includes performing the following operations on ACS objects: create, update, delete a[...]

R

RDN (LDAP): The Relative Distinguished Name (frequently but incorrectly written as Relatively Distinguished Name). The name given to an attribute (or attributes) that is unique at its level in the hierarchy. RDNs may be single-valued or multi-valued, in which case two or[...]

Schema (LDAP): A package of attributes and object classes that are sometimes (nominally) related. The schema(s) in which the object classes and attributes that the application will use (reference) are packaged are identified to the LDAP server so that it can [...]

SOAP (Simple Object Access Protocol): A lightweight XML-based protocol for exchange of information in a decentralized, distributed environment. SOAP consists of three parts: an envelope that defines a framework for describing what is in a message and how to pro[...]

U

UDP: User Datagram Protocol. A communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP).

URL: Uniform Resource Locator. The unique address for a file that is acc[...]

X

X.509: A standard for public key infrastructure. X.509 specifies, amongst other things, standard formats for public key certificates and a certification path validation algorithm.

XML (eXtensible Markup Language): XML is a flexible way to create common info[...]


INDEX

Symbols
! formatting symbol 13-33
% operator 13-60
& formatting symbol 13-33
& operator 13-60
* operator 13-60
+ operator 13-60
/ operator 13-60
<= operator 13-60
<> operator 13-60
< formatting symbol 13-33
< operator 13-60
= operator 13-60
>= [...]

Arrange Columns dialog 13-42
ascending sort order 13-47
AVERAGE function 13-53
Average function 13-63
averages 13-53, 13-57, 13-59, 13-63

B
background colors 13-39
Between condition 13-68, 13-73
BETWEEN function 13-53
Between operator 13-38
blank characters 13-59
Boolean [...]

  formatting data and 13-36
context menus 13-21
conversions 13-33
COUNT_DISTINCT function 13-54
COUNT function 13-54
Count function 13-63
Count Value function 13-63
creating
  aggregate rows 13-64, 13-65
  calculated columns 13-51, 13-60
  data filters 13-68, 13-70, 13-71, 13-72[...]

downloads 18-40
duplicate values 13-66, 13-67

E
EAP-FAST
  enabling B-26
  identity protection B-20
  logging B-19
  master keys
    definition B-21
  PAC
    automatic provisioning B-23
    definition B-21
    manual provisioning B-24
    refresh B-26
  phases B-19
EAP-FAST settings
  configuring 18-3 [...]

G
General Date format option 13-30
General Number format option 13-30
Go to page pick list 13-23
Greater Than condition 13-69
greater than operator 13-60
Greater Than or Equal to condition 13-69
greater than or equal to operator 13-60
Group Detail dialog 13-50
grou[...]

locales
  creating charts and 13-77
  customizing formats for 13-30, 13-31, 13-35
locating text values 13-54, 13-58
logical operators 13-60
Long Date format option 13-30
Long Time format option 13-30
lowercase characters 13-56
Lowercase format option 13-31
LOWER function 13[...]

numeric data types 13-30
numeric expressions 13-60, 13-61
numeric values 13-24, 13-32

O
opening
  exported data files 13-25
  Interactive Viewer 13-21
operators 13-38, 13-60
OR operator 13-60, 13-74

P
PAC
  automatic provisioning B-23
  definition B-21
  manual provisioning B-24 [...]

report viewers 13-21
resizing columns 13-25, 13-28
RIGHT function 13-58
ROUNDDOWN function 13-58
ROUND function 13-58
rounding 13-53, 13-58
ROUNDUP function 13-58
row-by-row comparisons 13-54
rows 13-66, 13-67
RUNNINGSUM function 13-58
running totals 13-58

S
Save As di[...]

time data types 13-30
time formats 13-30, 13-34
timesaver, description of ii-xxiv
time stamps 13-57, 13-58
time values 13-34, 13-50
TODAY function 13-58
Top N condition 13-69
Top Percent condition 13-69
totals 13-37, 13-58, 13-63
trailing characters 13-59
TRIM function 13[...]

X
x-axis values 13-75

Y
y-axis values 13-75
YEAR function 13-59[...]