User manual summary
-
Page 1
Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883
User Guide for Cisco Secure Access Control System 5.4
November 2013
Text Part Number: OL-26225-01[...]
-
Page 2
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY[...]
-
Page 3
CONTENTS
Preface xxiii
Audience xxiii
Document Conventions xxiii
Documentation Updates xxiv
Related Documentation xxiv
Obtaining Documentation and Submitting a Service Request xxv
CHAPTER 1 Introducing ACS 5.4 1-1
Overview of ACS 1-1
ACS Distributed Deplo[...]
-
Page 4
Policy Terminology 3-3
Simple Policies 3-4
Rule-Based Policies 3-4
Types of Policies 3-5
Access Services 3-6
Identity Policy 3-9
Group Mapping Policy 3-11
Authorization Policy for Device Administration 3-11
Processing Rules with Multiple Comman[...]
-
Page 5
Agentless Network Access 4-12
Overview of Agentless Network Access 4-12
Host Lookup 4-13
Authentication with Call Check 4-14
Process Service-Type Call Check 4-15
PAP/EAP-MD5 Authentication 4-15
Agentless Network Access Flow 4-16
Adding a Host to an [...]
-
Page 6
My Account Page 5-2
Login Banner 5-3
Using the Web Interface 5-3
Accessing the Web Interface 5-4
Logging In 5-4
Logging Out 5-5
Understanding the Web Interface 5-5
Web Interface Design 5-6
Navigation Pane 5-7
Content Area 5-8
Importing and Exportin[...]
-
Page 7
Viewing and Performing Bulk Operations for Network Devices 7-6
Exporting Network Devices and AAA Clients 7-7
Performing Bulk Operations for Network Resources and Users 7-8
Exporting Network Resources and Users 7-10
Creating, Duplicating, and Editing Ne[...]
-
Page 8
Viewing and Performing Bulk Operations for Internal Identity Store Hosts 8-18
Management Hierarchy 8-19
Attributes of Management Hierarchy 8-19
Configuring AAA Devices for Management Hierarchy 8-19
Configuring Users or Hosts for Management Hiera[...]
-
Page 9
Configuring an AD Identity Store 8-49
Selecting an AD Group 8-53
Configuring AD Attributes 8-54
Configuring Machine Access Restrictions 8-56
RSA SecurID Server 8-57
Configuring RSA SecurID Agents 8-58
Creating and Editing RSA SecurID Token Servers 8-59
R[...]
-
Page 10
Managing Authorizations and Permissions 9-17
Creating, Duplicating, and Editing Authorization Profiles for Network Access 9-18
Specifying Authorization Profiles 9-19
Specifying Common Attributes in Authorization Profiles 9-19
Specifying RADIUS A[...]
-
Page 11
Configuring a Group Mapping Policy 10-27
Configuring Group Mapping Policy Rule Properties 10-29
Configuring a Session Authorization Policy for Network Access 10-30
Configuring Network Access Authorization Rule Properties 10-32
Configuring De [...]
-
Page 12
Adding Tabs to the Dashboard 11-6
Adding Applications to Tabs 11-7
Renaming Tabs in the Dashboard 11-7
Changing the Dashboard Layout 11-8
Deleting Tabs from the Dashboard 11-8
CHAPTER 12 Managing Alarms 12-1
Understanding Alarms 12-1
Evaluating Alarm[...]
-
Page 13
CHAPTER 13 Managing Reports 13-1
Working with Favorite Reports 13-3
Adding Reports to Your Favorites Page 13-3
Viewing Favorite-Report Parameters 13-4
Editing Favorite Reports 13-5
Running Favorite Reports 13-5
Deleting Reports from Favorites 13[...]
-
Page 14
Formatting String Data 13-33
Formatting Custom String Data 13-33
Formatting Date and Time 13-35
Formatting Custom Date and Time 13-35
Formatting Boolean Data 13-36
Applying Conditional Formats 13-37
Setting Conditional Formatting for Col[...]
-
Page 15
Hiding or Displaying Detail Rows in Groups or Sections 13-68
Working with Filters 13-69
Types of Filter Conditions 13-70
Setting Filter Values 13-71
Creating Filters 13-72
Modifying or Clearing a Filter 13-73
Creating a Filter with Multiple Cond [...]
-
Page 16
Viewing Scheduled Jobs 15-12
Viewing Process Status 15-14
Viewing Data Upgrade Status 15-15
Viewing Failure Reasons 15-15
Editing Failure Reasons 15-15
Specifying E-Mail Settings 15-16
Configuring SNMP Preferences 15-16
Understanding Collection Fi[...]
-
Page 17
Configuring Identity Policy Rule Properties 16-18
Administrator Authorization Policy 16-19
Configuring Administrator Authorization Policies 16-19
Configuring Administrator Authorization Rule Properties 16-20
Administrator Login Process 16-21
Rese [...]
-
Page 18
Creating, Duplicating, Editing, and Deleting Software Repositories 17-24
Managing Software Repositories from the Web Interface and CLI 17-25
CHAPTER 18 Managing System Administration Configurations 18-1
Configuring Global System Options 18-1
Config [...]
-
Page 19
Configuring Global Logging Categories 18-25
Configuring Per-Instance Logging Categories 18-29
Configuring Per-Instance Security and Log Settings 18-30
Configuring Per-Instance Remote Syslog Targets 18-31
Displaying Logging Categories 18-32
Configuri[...]
-
Page 20
Session Access Requests (Device Administration [TACACS+]) A-2
Command Authorization Requests A-2
Network Access (RADIUS With and Without EAP) A-2
RADIUS-Based Flow Without EAP Authentication A-3
RADIUS-Based Flows with EAP Authentication A-3
Acce [...]
-
Page 21
Private Keys and Passwords Backup B-13
EAP-TLS Flow in ACS 5.4 B-13
PEAPv0/1 B-14
Overview of PEAP B-15
Supported PEAP Features B-15
PEAP Flow in ACS 5.4 B-17
Creating the TLS Tunnel B-18
Authenticating with MSCHAPv2 B-19
EAP-FAST B-19
Overview o[...]
-
Page 22
Authentication Protocol and Identity Store Compatibility B-36
APPENDIX C Open Source License Acknowledgements C-1
Notices C-1
OpenSSL/Open SSL Project C-1
License Issues C-1
C-3
GLOSSARY
INDEX[...]
-
Page 23
Preface
Revised: November 13, 2013
This guide describes how to use Cisco Secure Access Control System (ACS) 5.4.
Audience
This guide is for security administrators who use ACS, and who set up and maintain network and application security.
Document Conventions[...]
-
Page 24
Caution Means reader be careful. You are capable of doing something that might result in equipment damage or loss of data.
Timesaver Means the described action saves time. You can save time by performing the action described in the paragr[...]
-
Page 25
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists al[...]
-
Page 26
Preface[...]
-
Page 27
CHAPTER 1
Introducing ACS 5.4
This section contains the following topics:
• Overview of ACS, page 1-1
• ACS Distributed Deployment, page 1-2
• ACS Management Interfaces, page 1-3
Overview of ACS
ACS is a policy-based security server that provides st[...]
-
Page 28
ACS provides advanced monitoring, reporting, and troubleshooting tools that help you administer and manage your ACS deployments. For more information on the monitoring, reporting, and troubleshooti[...]
-
Page 29
ACS 4.x did not provide incremental replication, only full replication, and there was service downtime for replication. ACS 5.4 provides incremental replications with no service downtime. You can also force a [...]
-
Page 30
• ACS Web-based Interface, page 1-4
• ACS Command Line Interface, page 1-4
• ACS Programmatic Interfaces, page 1-5
ACS Web-based Interface
You can use the ACS web-based interface to fully c[...]
-
Page 31
• Configuration—Use these commands to perform additional configuration tasks for the appliance server in an ADE-OS environment.
Note The CLI includes an option to reset the configuration that, when iss[...]
-
Page 32
Chapter 1 Introducing ACS 5.4: Hardware Models Supported by ACS[...]
-
Page 33
CHAPTER 2
Migrating from ACS 4.x to ACS 5.4
ACS 4.x stores policy and authentication information, such as TACACS+ command sets, in the user and user group records. In ACS 5.4, policy and authentication information are independent shared components t[...]
-
Page 34
Overview of the Migration Process
The Migration utility completes the data migration process in two phases:
• Analysis and Export
• Import
In the Analysis and Export phase, you iden[...]
-
Page 35
Note You must install the latest patch for the supported migration versions listed here. Also, if you have any other version of ACS 4.x installed, you must upgrade to one of the supported versions and ins[...]
-
Page 36
• User-Defined Fields (from the Interface Configuration section)
• User Groups
• Shared Shell Command Authorization Sets
• User TACACS+ Shell Exec Attributes (migrated to[...]
-
Page 37
Functionality Mapping from ACS 4.x to ACS 5.4
In ACS 5.4, you define authorizations, shell profiles, attributes, and other policy elements as independent, reusable objects, [...]
-
Page 38
Command sets (command authorization sets)
One of the following:
• Shared Profile Components > Command Authorization Set
• User Setup page
• Group Setup page
Po[...]
-
Page 39
Common Scenarios in Migration
The following are some of the common scenarios that you encounter while migrating to ACS 5.4:
• Migrating from ACS 4.2 on CSACS 1120 to ACS 5.4, page 2[...]
-
Page 40
Migrating from ACS 3.x to ACS 5.4
If you have ACS 3.x deployed in your environment, you cannot directly migrate to ACS 5.4. You must do the following:
Step 1 Upgrade to a migration-supp[...]
-
Page 41
Step 3 Perform bulk import of data into ACS 5.4. For more information on performing bulk import of ACS objects, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_[...]
-
Page 42
Chapter 2 Migrating from ACS 4.x to ACS 5.4: Common Scenarios in Migration[...]
-
Page 43
CHAPTER 3
ACS 5.x Policy Model
ACS 5.x is a policy-based access control system. The term policy model in ACS 5.x refers to the presentation of policy elements, objects, and rules to the policy administrator. ACS 5.x uses a rule-based policy model in[...]
-
Page 44
For example, we use the information described for the group-based model:
If identity-condition, restriction-condition then authorization-profile
In ACS 5.4, you define conditions and result[...]
-
Page 45
Policy Terminology
Table 3-2 describes the rule-based policy terminology.
Table 3-2 Rule-Based Policy Terminology
Term | Description
Access service | Sequential set of policies used to process [...]
-
Page 46
Simple Policies
You can configure all of your ACS policies as rule-based policies. However, in some cases, you can choose to configure a simple policy, which selects a single result to appl[...]
-
Page 47
Types of Policies
Table 3-3 describes the types of policies that you can configure in ACS. The policies are listed in the order of their evaluation; any attributes that a policy retrieves can [...]
-
Page 48
Access Services
Access services are fundamental constructs in ACS 5.x that allow you to configure access policies for users and devices that connect to the network and for network administrators who administer ne[...]
-
Page 49
Table 3-5 describes an example of a set of access services. Table 3-6 describes a service selection policy. If ACS 5.4 receives a TACACS+ access request, it applies Access Service A, which authenticates the [...]
-
Page 50
ACS accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS and TACACS+ servers in ACS for ACS to forward requests to them. You can define the timeout period[...]
-
Page 51
ACS can simultaneously act as a proxy server to multiple external RADIUS and TACACS+ servers. For ACS to act as a proxy server, you must configure a RADIUS or TACACS+ proxy service in ACS. See Configuring General [...]
-
Page 52
• Identity Sequence—Sequences of the identity databases. The sequence is used for authentication and, if specified, an additional sequence is used to retrieve only attributes. You can select multiple identity m[...]
-
Page 53
Group Mapping Policy
The identity group mapping policy is a standard policy. Conditions can be based on attributes or groups retrieved from the external attribute stores only, or from certificates, and the res[...]
-
Page 54
Related Topics
• Policy Terminology, page 3-3
• Authorization Profiles for Network Access, page 3-16
Exception Authorization Policy Rules
A common real-world problem is that, in day-to-day operat[...]
-
Page 55
Rules-Based Service Selection
In the rules-based service selection mode, ACS decides which access service to use based on various configurable options. Some of them are:
• AAA Protocol—The protocol used [...]
-
Page 56
In this example, instead of creating the network access policy for 802.1x, agentless devices, and guest access in one access service, the policy is divided into three access services.
First-Match Rule [...]
-
Page 57
The default rule specifies the policy result that ACS uses when no other rules exist, or when the attribute values in the access request do not match any rules. ACS evaluates a set of rules in the first-match r[...]
-
Page 58
Policy Conditions
You can define simple conditions in rule tables based on attributes in:
• Customizable conditions—You can create custom conditions based on protocol dictionarie[...]
-
Page 59
You can define multiple authorization profiles as a network access policy result. In this way, you maintain a smaller number of authorization profiles, because you can use the authorization profil[...]
-
Page 60
Related Topics
• Managing Users and Identity Stores, page 8-1
• Policy Terminology, page 3-3
• Types of Policies, page 3-5
Policies and Network Device Groups
You can reference Networ[...]
-
Page 61
Figure 3-2 illustrates what this policy rule table could look like.
Figure 3-2 Sample Rule-Based Policy
Each row in the policy table represents a single rule. Each rule, except for the last D[...]
-
Page 62
• Added users to the internal ACS identity store or add external identity stores. See Creating Internal Users, page 8-11, Managing Identity Attributes, page 8-7, or Creating External[...]
-
Page 63
Related Topics
• Policy Terminology, page 3-3
• Policy Conditions, page 3-16
• Policy Results, page 3-16
• Policies and Identity Attributes, page 3-17[...]
-
Page 64
Chapter 3 ACS 5.x Policy Model: Flows for Configuring Services and Policies[...]
-
Page 65
CHAPTER 4
Common Scenarios Using ACS
Network control refers to the process of controlling access to a network. Traditionally a username and password was used to authenticate a user to a network. Nowadays with the rapid technological advancements, the trad[...]
-
Page 66
ACS organizes a sequence of independent policies into an access service, which is used to process an access request. You can create multiple access services to process different kinds of acc[...]
-
Page 67
If a command is matched to a command set, the corresponding permit or deny setting for the command is retrieved. If multiple results are found in the rules that are matched, they are con[...]
-
Page 68
Step 5 Configure an access service policy. See Access Service Policy Creation, page 10-4.
Step 6 Configure a service selection policy. See Service Selection Policy Creation, page 10-4. [...]
-
Page 69
TACACS+ Custom Services and Attributes
This topic describes the configuration flow to define TACACS+ custom attributes and services.
Step 1 Create a custom TACACS+ condition to move to TAC[...]
-
Page 70
Note During password-based access (or certificate-based access), the user is not only authenticated but also authorized according to the ACS configuration. And if NAS sends accounting requests [...]
-
Page 71
Password-Based Network Access Configuration Flow
This topic describes the end-to-end flow for password-based network access and lists the tasks that you must perform. The information about how to[...]
-
Page 72
For RADIUS, non-EAP authentication methods (RADIUS/PAP, RADIUS/CHAP, RADIUS/MS-CHAPv1, RADIUS/MSCHAPv2), and simple EAP methods (EAP-MD5 and LEAP), you need to configure only the protoc[...]
-
Page 73
Related Topics
• Authentication in ACS 5.4, page B-1
• Network Devices and AAA Clients, page 7-5
• Managing Access Policies, page 10-1
• Creating, Duplicating, and Editing Access Services[...]
-
Page 74
You can configure two types of certificates in ACS:
• Trust certificate—Also known as CA certificate. Used to form CTL trust hierarchy for verification of remote certificates.
• L[...]
-
Page 75
You can create custom conditions to use the certificate’s attributes as a policy condition. See Creating, Duplicating, and Editing a Custom Session Condition, page 9-5, for details.
Step 5 [...]
-
Page 76
A default Local Server Certificate is installed on ACS so that you can connect to ACS with your browser. The default certificate is a self-signed certificate and cannot be modified during installa[...]
-
Page 77
The default security policy says that 802.1x authentication must succeed before access to the network is granted. Therefore, by default, non-802.1x-capable devices cannot get access to an 802.1x-[...]
-
Page 78
ACS supports host lookup for the following identity stores:
• Internal hosts
• External LDAP
• Internal users
• Active Directory
You can access the Active Directory via the LDAP API. You[...]
-
Page 79
• Twelve consecutive hexadecimal digits without any separators—0123456789AB
If the Calling-Station-ID attribute is one of the four supported MAC address formats above, ACS copies it to the User[...]
-
Page 80
Agentless Network Access Flow
This topic describes the end-to-end flow for agentless network access and lists the tasks that you must perform. The information about how to configure the tasks is locat[...]
Page 81
4-17 Chapter 4 Common Scenarios Using ACS: Agentless Network Access
Step 7 Define the service selection.
Step 8 Add the access service to your service selection policy. For more information, see Creating, Duplicating, and Editing Service Selection Rules, page 10-8. [...]
Page 82
4-18 Chapter 4 Common Scenarios Using ACS: Agentless Network Access
Previous Step: Network Devices and AAA Clients, page 7-5
Next Step: Configuring an Identity Group for Host Lookup Network Access Requests, page 4-18
Related Topics
• Creating External LDAP Identity[...]
Page 83
4-19 Chapter 4 Common Scenarios Using ACS: Agentless Network Access
c. Select Network Access, and check Identity and Authorization. The group mapping and External Policy options are optional.
d. Make sure you select Process Host Lookup. If you want ACS to detect P[...]
Page 84
4-20 Chapter 4 Common Scenarios Using ACS: VPN Remote Network Access
Configuring an Authorization Policy for Host Lookup Requests
To configure an authorization policy for Host Lookup requests:
Step 1 Choose Access Policies > Access Services > <access_service na[...]
Page 85
4-21 Chapter 4 Common Scenarios Using ACS: VPN Remote Network Access
Supported Authentication Protocols
ACS 5.4 supports the following protocols for inner authentication inside the VPN tunnel:
• RADIUS/PAP
• RADIUS/CHAP
• RADIUS/MS-CHAPv1
• RADIUS/MS-CHAPv2
W[...]
Page 86
4-22 Chapter 4 Common Scenarios Using ACS: VPN Remote Network Access
Supported VPN Network Access Servers
ACS 5.4 supports the following VPN network access servers:
• Cisco ASA 5500 Series
• Cisco VPN 3000 Series
Related Topics
• VPN Remote Network Access, page[...]
Page 87
4-23 Chapter 4 Common Scenarios Using ACS: ACS and Cisco Security Group Access
Related Topics
• VPN Remote Network Access, page 4-20
• Supported Authentication Protocols, page 4-21
• Supported Identity Stores, page 4-21
• Supported VPN Network Access Servers, pa[...]
Page 88
4-24 Chapter 4 Common Scenarios Using ACS: ACS and Cisco Security Group Access
6. Configuring EAP-FAST Settings for Security Group Access.
7. Creating an Access Service for Security Group Access.
8. Creating an Endpoint Admission Control Policy.
9. Creating a[...]
Page 89
4-25 Chapter 4 Common Scenarios Using ACS: ACS and Cisco Security Group Access
Devices consider only the SGT value; the name and description of a security group are a management convenience and are not conveyed to the devices. Therefore, changing the name o[...]
Page 90
4-26 Chapter 4 Common Scenarios Using ACS: ACS and Cisco Security Group Access
To configure an NDAC policy for a device:
Step 1 Choose Access Policies > Security Group Access Control > Security Group Access > Network Device Access > Authorization Policy.[...]
Page 91
4-27 Chapter 4 Common Scenarios Using ACS: ACS and Cisco Security Group Access
Step 7 Click Finish.
Creating an Endpoint Admission Control Policy
After you create a service, you configure the endpoint admission control policy. The endpoint admission control poli[...]
Page 92
4-28 Chapter 4 Common Scenarios Using ACS: ACS and Cisco Security Group Access
Initially, the matrix contains the cell for the unknown source and unknown destination SG. Unknown refers to the preconfigured SG, which is not modifiable. When you add an SG, ACS adds a [...]
Page 93
4-29 Chapter 4 Common Scenarios Using ACS: RADIUS and TACACS+ Proxy Requests
RADIUS and TACACS+ Proxy Requests
You can use ACS to act as a proxy server that receives authentication RADIUS requests and authentication and authorization TACACS+ requests from a ne[...]
Page 94
4-30 Chapter 4 Common Scenarios Using ACS: RADIUS and TACACS+ Proxy Requests
• TAC_PLUS_AUTHOR
• TAC_PLUS_AUTHEN
4. Receives the following packets from the remote TACACS+ server and returns them back to the NAS: This behavior is configurable.
• TAC_PLU[...]
Page 95
4-31 Chapter 4 Common Scenarios Using ACS: RADIUS and TACACS+ Proxy Requests
• Supported RADIUS Attributes, page 4-31
• Configuring Proxy Service, page 4-32
Supported RADIUS Attributes
The following supported RADIUS attributes are encrypted:
• User-Passwor[...]
Page 96
4-32 Chapter 4 Common Scenarios Using ACS: RADIUS and TACACS+ Proxy Requests
Configuring Proxy Service
To configure proxy services:
Step 1 Configure a set of remote RADIUS and TACACS+ servers. For information on how to configure remote servers, see Creating, Duplic[...]
Page 97
5-1 CHAPTER 5 Understanding My Workspace
The Cisco Secure ACS web interface is designed to be viewed using Microsoft Internet Explorer versions 6.x to 9.x and Mozilla Firefox versions 3.x to 10.x. The web interface not only makes viewing and administering[...]
Page 98
5-2 Chapter 5 Understanding My Workspace: Task Guides
In ACS 5.4, you can also see a banner in the welcome page. You can customize this After Login banner text from the Login Banner page.
Task Guides
From the My Workspace drawer, you can access Tasks Guides. Wh[...]
Page 99
5-3 Chapter 5 Understanding My Workspace: Login Banner
Related Topics
• Configuring Authentication Settings for Administrators, page 16-10
• Changing the Administrator Password, page 16-22
Login Banner
ACS 5.4 supports customizing of the login banner texts. You[...]
Page 100
5-4 Chapter 5 Understanding My Workspace: Using the Web Interface
• Common Errors, page 5-25
• Accessibility, page 5-27
Accessing the Web Interface
The ACS web interface is supported on HTTPS-enabled Microsoft Internet Explorer versions 6.x to 9.x and Mozilla Fi[...]
Page 101
5-5 Chapter 5 Understanding My Workspace: Using the Web Interface
Note: The license page only appears the first time that you log in to ACS.
Step 7 See Installing a License File, page 18-35 to install a valid license.
• If your login is successful, the main page of the A[...]
Page 102
5-6 Chapter 5 Understanding My Workspace: Using the Web Interface
Web Interface Design
Figure 5-1 shows the overall design of the ACS web interface.
Figure 5-1 ACS Web Interface
The interface contains:
• Header, page 5-6
• Navigation Pane, page 5-7
• Cont[...]
Page 103
5-7 Chapter 5 Understanding My Workspace: Using the Web Interface
Navigation Pane
Use the navigation pane to navigate through the drawers of the web interface (see Figure 5-3).
Figure 5-3 Navigation Pane
Table 5-4 describes the function of each drawer. To open [...]
Page 104
5-8 Chapter 5 Understanding My Workspace: Using the Web Interface
To hide the navigation pane and expand the content area, click the collapse arrow, which is centered vertically between the navigation pane and content area. Click the collapse arrow again to [...]
Page 105
5-9 Chapter 5 Understanding My Workspace: Using the Web Interface
• Secondary Windows, page 5-13
• Rule Table Pages, page 5-16
Web Interface Location
Your current location in the interface appears at the top of the content area. Figure 5-5 shows that the locati[...]
Page 106
5-10 Chapter 5 Understanding My Workspace: Using the Web Interface
Table 5-5 Common Content Area Buttons and Fields for List Pages
Button or Field | Description
Rows per page | Use the drop-down list to specify the number of items to display on this page. Options: ?[...]
Page 107
5-11 Chapter 5 Understanding My Workspace: Using the Web Interface
Tree table pages are a variation of list pages (see Figure 5-6). You can perform the same operations on tree table pages that you can on list pages, except for paging. In addition, with tree table[...]
Page 108
5-12 Chapter 5 Understanding My Workspace: Using the Web Interface
Filtering
Large lists in a content area window or a secondary window (see Figure 5-9) can be difficult to navigate through and select the data that you want. You can use the web interface to filter [...]
Page 109
5-13 Chapter 5 Understanding My Workspace: Using the Web Interface
For pages that do not have a Name or Description column, the sorting mechanism may be supported in the left-most column of the page, or the Description column. Place your cursor over a column h[...]
Page 110
5-14 Chapter 5 Understanding My Workspace: Using the Web Interface
Figure 5-9 Secondary Window
In addition to selecting and filtering data, you can create a selectable object within a secondary window. For example, if you attempt to create a users internal identity[...]
Page 111
5-15 Chapter 5 Understanding My Workspace: Using the Web Interface
Figure 5-10 Transfer Box
Table 5-7 Transfer Box Fields and Buttons
Field or Button | Description
Available | List of available items for selection.
Selected | Ordered list of selected items.
Right a[...]
Page 112
5-16 Chapter 5 Understanding My Workspace: Using the Web Interface
Schedule Boxes
Schedule boxes are a common element in content area pages (see Figure 5-10). You use them to select active times for a policy element from a grid, where each row represents a day o[...]
Page 113
5-17 Chapter 5 Understanding My Workspace: Using the Web Interface
Directly above the rule table are two display options:
• Standard Policy—Click to display the standard policy rule table.
• Exception Policy—Click to display the exception policy rule table, whic[...]
Page 114
5-18 Chapter 5 Understanding My Workspace: Importing and Exporting ACS Objects through the Web Interface
Related Topic
• ACS 5.x Policy Model
Importing and Exporting ACS Objects through the Web Interface
You can use the import functionality in ACS to add, update, or d[...]
Page 115
5-19 Chapter 5 Understanding My Workspace: Importing and Exporting ACS Objects through the Web Interface
Table 5-10 lists the ACS objects, their properties, and the property data types. The import template for each of the objects contains the properties described[...]
Page 116
5-20 Chapter 5 Understanding My Workspace: Importing and Exporting ACS Objects through the Web Interface
Fields that are optional can be left empty and ACS substitutes the default values for those fields.
KeywrapDisplayInHex | (Optional) Boolean.
Support TACACS | (Req[...]
Page 117
5-21 Chapter 5 Understanding My Workspace: Importing and Exporting ACS Objects through the Web Interface
For example, when fields that are related to a hierarchy are left blank, ACS assigns the value of the root node in the hierarchy. For network devices, if Security G[...]
Page 118
5-22 Chapter 5 Understanding My Workspace: Importing and Exporting ACS Objects through the Web Interface
• NDG
  – Location—Network Resources > Network Device Groups > Location
  – Device Type—Network Resources > Network Device Groups > Device Type[...]
Page 119
5-23 Chapter 5 Understanding My Workspace: Importing and Exporting ACS Objects through the Web Interface
Adding Records to the ACS Internal Store
When you add records to the ACS internal store, you add the records to the existing list. This is an append operation, in whi[...]
Page 120
5-24 Chapter 5 Understanding My Workspace: Importing and Exporting ACS Objects through the Web Interface
Figure 5-13 Update Users–Import File
Note: The second column, Updated name, is the additional column that you can add to the Update template.
Deleting Records from [...]
Page 121
5-25 Chapter 5 Understanding My Workspace: Common Errors
Common Errors
You might encounter these common errors:
• Concurrency Conflict Errors, page 5-25
• Deletion Errors, page 5-26
• System Failure Errors, page 5-27
• Accessibility, page 5-27
Concurren[...]
Page 122
5-26 Chapter 5 Understanding My Workspace: Common Errors
Error Message
The item you are trying to Submit is referencing items that do not exist anymore.
Explanation
You attempted to edit or duplicate an item that is referencing an item that another user deleted while you tr[...]
Page 123
5-27 Chapter 5 Understanding My Workspace: Accessibility
System Failure Errors
System failure errors occur when a system malfunction is detected. When a system failure error is detected, a dialog box appears, with an error message and OK button. Read the error mess[...]
Page 124
5-28 Chapter 5 Understanding My Workspace: Accessibility
• Color used as an enhancement of information only, not as the only indicator. For example, required fields are associated with a red asterisk.
• Confirmation messages for important settings and actions.[...]
Page 125
6-1 CHAPTER 6 Post-Installation Configuration Tasks
This chapter provides a set of configuration tasks that you must perform to work with ACS. This chapter contains the following sections:
• Configuring Minimal System Setup, page 6-1
• Configuring ACS to Per[...]
Page 126
6-2 Chapter 6 Post-Installation Configuration Tasks: Configuring ACS to Perform System Administration Tasks
Configuring ACS to Perform System Administration Tasks
Table 6-2 lists the set of system administration tasks that you must perform to administer ACS.
Table 6-2 S [...]
Page 127
6-3 Chapter 6 Post-Installation Configuration Tasks: Configuring ACS to Perform System Administration Tasks
Step 8 Add users or hosts to the internal identity store, or define external identity stores, or both.
• For internal identity stores: Users and Identity Store[...]
Page 128
6-4 Chapter 6 Post-Installation Configuration Tasks: Configuring ACS to Manage Access Policies
Configuring ACS to Manage Access Policies
Table 6-3 lists the set of tasks that you must perform to manage access restrictions and permissions.
Configuring ACS to Monitor[...]
Page 129
6-5 Chapter 6 Post-Installation Configuration Tasks: Configuring ACS to Monitor and Troubleshoot Problems in the Network
Step 4 Enable system alarms and specify how you would like to receive notification.
Monitoring Configuration > System Configuration > System A[...]
Page 130
6-6 Chapter 6 Post-Installation Configuration Tasks: Configuring ACS to Monitor and Troubleshoot Problems in the Network
[...]
Page 131
7-1 CHAPTER 7 Managing Network Resources
The Network Resources drawer defines elements within the network that issue requests to ACS or those that ACS interacts with as part of processing a request. This includes the network devices that issue the requests an[...]
Page 132
7-2 Chapter 7 Managing Network Resources: Network Device Groups
Network Device Groups
In ACS, you can define network device groups (NDGs), which are sets of devices. These NDGs provide logical grouping of devices, for example, Device Location or Type, which y[...]
Page 133
7-3 Chapter 7 Managing Network Resources: Network Device Groups
Step 4 Click Submit.
The network device group configuration is saved. The Network Device Groups page appears with the new network device group configuration.
Related Topics
• Network Device Groups, page 7-[...]
Page 134
7-4 Chapter 7 Managing Network Resources: Network Device Groups
Creating, Duplicating, and Editing Network Device Groups Within a Hierarchy
You can arrange the network device group node hierarchy according to your needs by choosing parent and child relationships fo[...]
Page 135
7-5 Chapter 7 Managing Network Resources: Network Devices and AAA Clients
Deleting Network Device Groups from a Hierarchy
To delete a network device group from within a hierarchy:
Step 1 Choose Network Resources > Network Device Groups.
The Network Device Groups [...]
Page 136
7-6 Chapter 7 Managing Network Resources: Network Devices and AAA Clients
You must install Security Group Access license to enable Security Group Access options. The Security Group Access options only appear if you have installed the Security Group Access license[...]
Page 137
7-7 Chapter 7 Managing Network Resources: Network Devices and AAA Clients
– Description
– NDG Location
– Device Type
You can specify full IP address, or IP address with wildcard “*” or, with IP address range, such as [15-20] in the IP address search fiel[...]
Page 138
7-8 Chapter 7 Managing Network Resources: Network Devices and AAA Clients
Step 1 Choose Network Resources > Network Devices and AAA Clients.
The Network Device page appears.
Step 2 Choose the filter condition and the Match if operator, and enter the filter criterio [...]
Page 139
7-9 Chapter 7 Managing Network Resources: Network Devices and AAA Clients
The Operation dialog box appears.
Step 2 Click Next to download the .csv file template if you do not have it.
Step 3 Click any one of the following operations if you have previously created a tem[...]
Page 140
7-10 Chapter 7 Managing Network Resources: Network Devices and AAA Clients
Exporting Network Resources and Users
To export a list of network resources or users:
Step 1 Click Export on the Users, Network Devices, or MAC Address page of the web interface.
The Network Devic[...]
Page 141
7-11 Chapter 7 Managing Network Resources: Network Devices and AAA Clients
The first page of the Create Network Device process appears if you are creating a new network device. The Network Device Properties page for the selected device appears if you are duplicating[...]
Page 142
7-12 Chapter 7 Managing Network Resources: Network Devices and AAA Clients
IP Range(s) By Mask | Choose to enter an IP address range. You can configure up to 40 IP addresses or subnet masks for each network device. If you use a subnet mask in this field, all IP addre[...]
Page 143
7-13 Chapter 7 Managing Network Resources: Network Devices and AAA Clients
Single Connect Device | Check to use a single TCP connection for all TACACS+ communication with the network device. Choose one:
• Legacy TACACS+ Single Connect Support
• TACACS+ Draft[...]
Page 144
7-14 Chapter 7 Managing Network Resources: Network Devices and AAA Clients
Displaying Network Device Properties
Choose Network Resources > Network Devices and AAA Clients, then click a device name or check the check box next to a device name, and click Edit or [...]
Page 145
7-15 Chapter 7 Managing Network Resources: Network Devices and AAA Clients
IP Range(s) By Mask | Choose to enter an IP address range. You can configure up to 40 IP addresses or subnet masks for each network device. If you use a subnet mask in this field, all IP addresse[...]
Page 146
7-16 Chapter 7 Managing Network Resources: Network Devices and AAA Clients
RADIUS Shared Secret | Shared secret of the network device, if you have enabled the RADIUS protocol. A shared secret is an expected string of text, which a user must provide before the network devic[...]
Page 147
7-17 Chapter 7 Managing Network Resources: Configuring a Default Network Device
Related Topics:
• Viewing and Performing Bulk Operations for Network Devices, page 7-6
• Creating, Duplicating, and Editing Network Device Groups, page 7-2
Deleting Network Devices
T [...]
Page 148
7-18 Chapter 7 Managing Network Resources: Configuring a Default Network Device
Choose Network Resources > Default Network Device to configure the default network device. The Default Network Device page appears, displaying the information described in Table [...]
Page 149
7-19 Chapter 7 Managing Network Resources: Working with External Proxy Servers
Related Topics
• Network Device Groups, page 7-2
• Network Devices and AAA Clients, page 7-5
• Creating, Duplicating, and Editing Network Device Groups, page 7-2
Working with External Pro[...]
Page 150
7-20 Chapter 7 Managing Network Resources: Working with External Proxy Servers
Step 2 Do one of the following:
• Click Create.
• Check the check box next to the external proxy server that you want to duplicate, then click Duplicate.
• Click the external proxy serv[...]
Page 151
7-21 Chapter 7 Managing Network Resources: Working with OCSP Services
Note: If you want ACS to forward unknown RADIUS attributes you have to define VSAs for proxy.
Related Topics
• RADIUS and TACACS+ Proxy Services, page 3-7
• RADIUS and TACACS+ Proxy Requests[...]
Page 152
7-22 Chapter 7 Managing Network Resources: Working with OCSP Services
• Unknown—The certificate status is unknown. The status of the certificate is unknown if the OCSP is not configured to handle the given certificate CA. In this case, the certificate is handl[...]
Page 153
7-23 Chapter 7 Managing Network Resources: Working with OCSP Services
Fail back To Primary Server | Enable this option to use the secondary server for the given amount of time when the primary is completely down. The time range is 1 to 999 minutes.
Primary Server URL | Ent[...]
Page 154
7-24 Chapter 7 Managing Network Resources: Working with OCSP Services
Step 4 Click Submit to save your changes.
The OCSP Server configuration is saved. The OCSP Server page appears with the new configuration.
Related Topics
• Deleting OCSP Servers, page 7-24
Del[...]
Page 155
8-1 CHAPTER 8 Managing Users and Identity Stores
Overview
ACS manages your network devices and other ACS clients by using the ACS network resource repositories and identity stores. When a host connects to the network through ACS requesting access to a particular [...]
Page 156
8-2 Chapter 8 Managing Users and Identity Stores: Overview
Fixed components are:
• Name
• Description
• Password
• Enabled or disabled status
• Identity group to which users belong
Configurable components are:
• Enable password for TACACS+ authenticatio [...]
Page 157
8-3 Chapter 8 Managing Users and Identity Stores: Overview
Identity Stores with Two-Factor Authentication
You can use the RSA SecurID Token Server and RADIUS Identity Server to provide two-factor authentication. These external identity stores use an OTP that prov[...]
Page 158
8-4 Chapter 8 Managing Users and Identity Stores: Managing Internal Identity Stores
Identity Sequences
You can configure a complex condition where multiple identity stores and profiles are used to process a request. You can define these identity methods in an Ident[...]
Page 159
8-5 Chapter 8 Managing Users and Identity Stores: Managing Internal Identity Stores
• Authentication information
Note: ACS 5.4 supports authentication for internal users against the internal identity store only.
This section contains the following topics:
• Authen[...]
Page 160
8-6 Chapter 8 Managing Users and Identity Stores: Managing Internal Identity Stores
Identity Groups
You can assign each internal user to one identity group. Identity groups are defined within a hierarchical structure. They are logical entities that are associated with [...]
Page 161
8-7 Chapter 8 Managing Users and Identity Stores: Managing Internal Identity Stores
Related Topics
• Managing Users and Identity Stores, page 8-1
• Managing Internal Identity Stores, page 8-4
• Performing Bulk Operations for Network Resources and Users, page [...]
Page 162
8-8 Chapter 8 Managing Users and Identity Stores: Managing Internal Identity Stores
Standard Attributes
Table 8-1 describes the standard attributes in the internal user record.
User Attributes
Administrators can create and add user-defined attributes from the set o[...]
Page 163
8-9 Chapter 8 Managing Users and Identity Stores: Managing Internal Identity Stores
In ACS 5.4, you can configure identity attributes that are used within your policies, in this order:
1. Define an identity attribute (using the user dictionary).
2. Define custom con[...]
Page 164
8-10 Chapter 8 Managing Users and Identity Stores: Managing Internal Identity Stores
Step 3 In the Advanced tab, enter the values for the criteria that you want to configure for your user authentication process. Table 8-3 describes the fields in the Advanced tab. [...]
Page 165
8-11 Chapter 8 Managing Users and Identity Stores: Managing Internal Identity Stores
Step 4 Click Submit.
The user password is configured with the defined criteria. These criteria will apply only for future logins.
Note: If one of the users gets disabled, the faile[...]
Page 166
8-12 Chapter 8 Managing Users and Identity Stores: Managing Internal Identity Stores
The Change Password page appears.
Step 3 Complete the fields as described in Table 8-4 to change the internal user password.
• Click File Operations to:
  – Add—Adds internal [...]
Page 167
8-13 Chapter 8 Managing Users and Identity Stores: Managing Internal Identity Stores
Table 8-5 Users and Identity Stores > Internal Identity Store > User Properties Page
Option | Description
General
Name | Username.
Status | Use the drop-down list box to select the[...]
Page 168
8-14 Chapter 8 Managing Users and Identity Stores: Managing Internal Identity Stores
Step 5 Click Submit.
The user configuration is saved. The Internal Users page appears with the new configuration.
Related Topics
• Configuring Authentication Settings for Users, pag[...]
-
Page 169
8-15 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing Internal Identity Stores Deleting Users from Internal Identity Stores To delete a user from an internal identity store: Step 1 Select Users and Identity Stores > Internal Identity Store > Users. The Interna[...]
-
Page 170
8-16 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing Internal Identity Stores – Delete—Choose this option to delete the internal users listed in the import file from ACS. See Performing Bulk Operations for Network Resources and Users, page 7-8 for a detai[...]
-
Page 171
8-17 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing Internal Identity Stores Step 4 Click Submit to save changes. The MAC address configuration is saved. The Internal MAC list page appears with the new configuration. Note Hosts with wildcards (supported forma[...]
-
Page 172
8-18 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing Internal Identity Stores • Viewing and Performing Bulk Operations for Internal Identity Store Hosts, page 8-18 • Policies and Identity Attributes, page 3-17 • Configuring an Identity Group for Hos[...]
-
Page 173
8-19 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing Internal Identity Stores Related Topics • Host Lookup, page 4-13 • Creating Hosts in Identity Stores, page 8-16 • Deleting Internal Hosts, page 8-18 • Policies and Identity Attributes, page 3-17 •[...]
-
Page 174
8-20 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing Internal Identity Stores Configuring Users or Hosts for Management Hierarchy A specific level of access is defined to represent the top-most node in the Management Hierarchy assigned for each user or a host[...]
-
Page 175
8-21 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing Internal Identity Stores Step 8 After successfully creating the policy, try authenticating the user using the created policy. The user will be authenticated only if the hierarchy defined for the user equals [...]
-
Page 176
8-22 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Managing External Identity Stores ACS 5.4 integrates with external identity systems in a number of ways. You can leverage an external authentication service or use an external syste[...]
-
Page 177
8-23 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores • Configuring LDAP Groups, page 8-33 • Viewing LDAP Attributes, page 8-34 Directory Service The directory service is a software application, or a set of applications, for stori[...]
-
Page 178
8-24 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Failover ACS 5.4 supports failover between a primary LDAP server and secondary LDAP server. In the context of LDAP authentication with ACS, failover applies when an authentication [...]
-
Page 179
8-25 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Possible reasons for an LDAP server to return bind (authentication) errors are: – Filtering errors—A search using filter criteria fails. – Parameter errors—Invalid parame[...]
-
Page 180
8-26 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores • String • Unsigned Integer 32 • IP Address—This can be either an IP version 4 (IPv4) or IP version 6 (IPv6) address. For unsigned integers and IP address attributes, ACS conver[...]
-
Page 181
8-27 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Step 4 Check the Enable Password Change option to modify the password, to detect the password expiration, and to reset the password. Step 5 Click Next. Step 6 Continue with Configur[...]
-
Page 182
8-28 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Anonymous Access Click to ensure that searches on the LDAP directory occur anonymously. The server does not distinguish who the client is and will allow the client read access to an[...]
-
Page 183
8-29 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Step 2 Click Next. Step 3 Continue with Configuring External LDAP Directory Organization, page 8-29. Configuring External LDAP Directory Organization Use this page to configure an exter[...]
-
Page 184
8-30 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Table 8-8 LDAP: Directory Organization Page Option Description Schema Subject Object class Value of the LDAP objectClass attribute that identifies the subject. Often, subject reco[...]
-
Page 185
8-31 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Subjects In Groups Are Stored In Member Attribute As Use the drop-down list box to indicate if the subjects in groups are stored in member attributes as either: • Username • Distingu[...]
-
Page 186
8-32 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Step 2 Click Finish. The external identity store that you created is saved. Username PrefixSuffix Stripping Strip start of subject name up to the last occurrence of the separato[...]
-
Page 187
8-33 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Related Topics • Configuring LDAP Groups, page 8-33 • Deleting External LDAP Identity Stores, page 8-33 Deleting External LDAP Identity Stores You can delete one or more external [...]
-
Page 188
8-34 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Viewing LDAP Attributes Use this page to view the external LDAP attributes. Step 1 Select Users and Identity Stores > External Identity Stores > LDAP. Step 2 Check the check box[...]
-
Page 189
8-35 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores This means the switch port to which these devices attach cannot authenticate them using the 802.1X exchange of device or user credentials and must revert to an authentication mechani[...]
-
Page 190
8-36 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Figure 8-1 LDAP Interface Configuration in NAC Profiler Step 5 Click Update Server. Step 6 Click the Configuration tab and click Apply Changes. The Update NAC Profiler Modules page [...]
-
Page 191
8-37 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Step 2 Choose Configuration > Endpoint Profiles > View/Edit Profiles List. A list of profiles in a table appears. Step 3 Click on the name of a profile to edit it. Step 4 In the Save[...]
-
Page 192
8-38 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores To edit the NAC Profiler template in ACS: Step 1 Choose Users and Identity Stores > External Identity Stores > LDAP. Step 2 Click on the name of the NAC Profiler template o[...]
-
Page 193
8-39 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Figure 8-5 Test Bind to Server Dialog Box For more information, see Creating External LDAP Identity Stores, page 8-26. Note The default password for LDAP is GBSbeacon. If you want[...]
-
Page 194
8-40 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Figure 8-7 Test Configuration Dialog Box Number of Subjects—This value maps to the actual subject devices already profiled by the Cisco NAC Profiler (actual devices enabled for P[...]
-
Page 195
8-41 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Troubleshooting MAB Authentication with Profiler Integration To troubleshoot MAB authentication while integrating with NAC Profiler and to verify that the endpoint is successfully aut[...]
-
Page 196
8-42 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores • Maximum password age is N days. • Minimum password age is N days. • Minimum password length is N characters. • Password must meet complexity requirements. AD uses the “[...]
-
Page 197
8-43 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Note To prevent ACS from using the outdated mappings, you should create new AD groups instead of changing or moving the existing ones. If you change or move the existing groups, you ha[...]
-
Page 198
8-44 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Machine authentication happens while starting up a computer or while logging in to a computer. Supplicants, such as Funk Odyssey perform machine authentication periodically while the [...]
-
Page 199
8-45 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores If the user has one of these limitations, the AD1::IdentityAccessRestricted attribute on the AD dedicated dictionary is set to indicate that the user has restricted access. You c[...]
-
Page 200
8-46 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores The Engineers' rule is an example of MAR rule that only allows engineers access if their machine was successfully authenticated against windows DB. The Managers' rule i[...]
-
Page 201
8-47 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores The distributed search is performed based on the cache entry query attempts and cache entry query timeouts that are configured in the ACS web interface. The MAR entry search is also del[...]
-
Page 202
8-48 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Callback Options for Dial-In users If the callback option is enabled, the server calls the caller back during the connection process. The phone number that is used by the server is set[...]
-
Page 203
8-49 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores The callback number value is also returned on the RADIUS response, using the RADIUS attribute Callback Number (#19). • If callback option is Set by Caller, the RADIUS response co[...]
-
Page 204
8-50 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Note When you upgrade ACS to ACS 5.4 version using the Reimaging and Upgrading an ACS Server method, if you restore a configuration in which the AD is defined, you need to join AC[...]
-
Page 205
8-51 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores • Save Changes to save the configuration. • Discard Changes to discard all changes. • If AD is already configured and you want to delete it, click Clear Configuration after you [...]
-
Page 206
8-52 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Step 4 Click: • Join to join the selected nodes to the AD domain. The status of the nodes are changed according to the join results. • Test Connection to test the connection to en[...]
-
Page 207
8-53 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Step 4 Click: • Leave to disconnect the selected nodes from AD domain. • Cancel to cancel the operation. Note Administrators can perform operations like join, leave, or test conn[...]
-
Page 208
8-54 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores The Groups page appears. The Selected Directory Groups field lists the AD groups you selected and saved. The AD groups you selected in the External User Groups page are listed and c[...]
-
Page 209
8-55 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Step 3 Click: • Save Changes to save the configuration. • Discard Changes to discard all changes. Table 8-13 Active Directory: Attributes Page Option Description Name of example [...]
-
Page 210
8-56 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores • If AD is already configured and you want to delete it, click Clear Configuration after you verify that there are no policy rules that use custom conditions based on the AD dicti[...]
-
Page 211
8-57 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores AD Deployments with Users Belonging to Large Number of Groups In ACS 5.3, when you move between AD domains, the user authentications show a timeout error if the user belongs to a large[...]
-
Page 212
8-58 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Thus when a correct token code is supplied together with a PIN, there is a high degree of certainty that the person is a valid user. Therefore, RSA SecurID servers provide a mo[...]
-
Page 213
8-59 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Manually Intervene to Remove a Down RSA SecurID Server When an RSA SecurID server is down, the automatic exclusion mechanism does not always work quickly. To speed up this process, [...]
-
Page 214
8-60 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Step 5 Click the Advanced tab. See Configuring Advanced Options, page 8-62 for more information. Step 6 Click Submit to create an RSA SecurID store. The RSA SecurID Token Server p[...]
-
Page 215
8-61 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Editing ACS Instance Settings You can edit the ACS instance settings to: • Enable the RSA options file, page 8-61 • Reset Agent Files, page 8-61 Enable the RSA options file You can enab[...]
-
Page 216
8-62 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Step 1 Choose either of the following options: • To reset node secret on the agent host, check the Remove securid file on submit check box. If you reset the node secret on the ag[...]
-
Page 217
8-63 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores • Creating and Editing RSA SecurID Token Servers, page 8-59 • Configuring ACS Instance Settings, page 8-60 • Editing ACS Instance Settings, page 8-61 • Editing ACS Instance[...]
-
Page 218
8-64 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Failover ACS 5.4 allows you to configure multiple RADIUS identity stores. Each RADIUS identity store can have primary and secondary RADIUS servers. When ACS is unable to conne[...]
-
Page 219
8-65 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores RADIUS Identity Store in Identity Sequence You can add the RADIUS identity store for authentication sequence in an identity sequence. However, you cannot add the RADIUS identity [...]
-
Page 220
8-66 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Safeword token servers support both the formats. ACS works with various token servers. While configuring a Safeword server, you must check the Safeword Server check box for ACS to parse [...]
-
Page 221
8-67 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores • Check the check box next to the identity store you want to duplicate, then click Duplicate. • Click the identity store name that you want to modify, or check the box next to the name a[...]
-
Page 222
8-68 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Related Topics • RADIUS Identity Stores, page 8-63 • Creating, Duplicating, and Editing RADIUS Identity Servers, page 8-66 • Configuring Shell Prompts, page 8-69 • Configuring[...]
-
Page 223
8-69 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Configuring Shell Prompts For TACACS+ ASCII authentication, ACS must return the password prompt to the user. RADIUS identity server supports this functionality by the password prompt[...]
-
Page 224
8-70 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Step 2 Do either of the following: • Click Submit to save your changes and return to the RADIUS Identity Servers page. • Click the Advanced tab to configure failure message han[...]
-
Page 225
8-71 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Configuring CA Certificates Click Submit to save the RADIUS Identity Server. Related Topics • RADIUS Identity Stores, page 8-63 • Creating, Duplicating, and Editing RADIUS Identity Servers, page 8-66 Configuring CA[...]
-
Page 226
8-72 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Configuring CA Certificates Note ACS builds a certificate chain with the CA certificates that you add to it and uses this chain during TLS negotiations. You must add the certificate that signed the server certificat[...]
-
Page 227
8-73 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Configuring CA Certificates Editing a Certificate Authority and Configuring Certificate Revocation Lists Use this page to edit a trusted CA (Certificate Authority) certificate. Step 1 Select Users and Identity Stores > C[...]
-
Page 228
8-74 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Configuring CA Certificates Step 3 Click Submit. The Trust Certificate page appears with the edited certificate. The administrator has the rights to configure CRL and OCSP verification. If both CRL and OCSP verific[...]
-
Page 229
8-75 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Configuring Certificate Authentication Profiles The Trust Certificate page appears without the deleted certificate(s). Related Topic • Overview of EAP-TLS, page B-6 Exporting a Certificate Authority To export a trust[...]
-
Page 230
8-76 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Configuring Certificate Authentication Profiles When ACS processes a certificate-based request for authentication, one of two things happens: the username from the certificate is compared to the username in ACS t[...]
-
Page 231
8-77 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Configuring Identity Store Sequences Step 4 Click Submit. The Certificate Authentication Profile page reappears. Related Topics • Viewing Identity Policies, page 10-22 • Configuring Identity Store Sequences, p[...]
-
Page 232
8-78 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Configuring Identity Store Sequences Attribute Retrieval Sequence You can optionally define a list of databases from which to retrieve additional attributes. These databases can be accessed regardless of whether yo[...]
-
Page 233
8-79 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Configuring Identity Store Sequences Password Based Check this check box to use the password-based authentication method. If you choose this option, you must choose the set of identity stores that ACS will access on[...]
-
Page 234
8-80 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Configuring Identity Store Sequences Step 3 Click Submit. The Identity Store Sequences page reappears. Related Topics • Performing Bulk Operations for Network Resources and Users, page 7-8 • Viewing Identity[...]
-
Page 235
8-81 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Configuring Identity Store Sequences • Managing Internal Identity Stores, page 8-4 • Managing External Identity Stores, page 8-22 • Configuring Certificate Authentication Profiles, page 8-75 • Creating, Du[...]
-
Page 236
8-82 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 8 Managing Users and Identity Stores Configuring Identity Store Sequences[...]
-
Page 237
CHAPTER 9-1 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 9 Managing Policy Elements A policy defines the authentication and authorization processing of clients that attempt to access the ACS network. A client can be a user, a network device, or a user associated with a network device. Policies are sets of ru[...]
-
Page 238
9-2 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 9 Managing Policy Elements Managing Policy Conditions You can map users and hosts to identity groups by using the group mapping policy. You can include identity groups in conditions to configure common policy conditions for all users in the grou[...]
-
Page 239
9-3 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 9 Managing Policy Elements Managing Policy Conditions • Creating, Duplicating, and Editing a Date and Time Condition, page 9-3 • Creating, Duplicating, and Editing a Custom Session Condition, page 9-5 • Deleting a Session Condition, page 9-6 ?[...]
-
Page 240
9-4 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 9 Managing Policy Elements Managing Policy Conditions To add date and time conditions to a policy, you must first customize the rule table. See Customizing a Policy, page 10-4. Step 4 Click Submit. The date and time condition is saved. The Date and T[...]
-
Page 241
9-5 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 9 Managing Policy Elements Managing Policy Conditions Related Topics • Creating, Duplicating, and Editing a Custom Session Condition, page 9-5 • Deleting a Session Condition, page 9-6 • Configuring Access Service Policies, page 10-22 Creating, Dupli[...]
-
Page 242
9-6 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 9 Managing Policy Elements Managing Policy Conditions To add custom conditions to a policy, you must first customize the rule table. See Customizing a Policy, page 10-4. Step 4 Click Submit. The new custom session condition is saved. The Custom Condi[...]
-
Page 243
9-7 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 9 Managing Policy Elements Managing Policy Conditions Note The filters in ACS 5.4 are similar to the NARs in ACS 4.x. In ACS 4.x, the NARs were based on either the user or user group. In 5.4, the filters are independent conditions that you can re[...]
-
Page 244
9-8 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 9 Managing Policy Elements Managing Policy Conditions The device dictionary (the NDG dictionary) contains network device group attributes such as Location, Device Type, or other dynamically created attributes that represent NDGs. These attributes, in turn[...]
-
Page 245
9-9 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 9 Managing Policy Elements Managing Policy Conditions Step 5 Click Close to close the Import Progress window. You can submit only one .csv file to the system at one time. If an import is under way, an additional import cannot succeed until the ori[...]
-
Page 246
9-10 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 9 Managing Policy Elements Managing Policy Conditions Note To configure a filter, at a minimum, you must enter filter criteria in at least one of the three tabs. Step 5 Click Submit to save the changes. Related Topics • Managing Network Conditions, pag [...]
-
Page 247
9-11 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 9 Managing Policy Elements Managing Policy Conditions • Defining MAC Address-Based End Station Filters, page 9-11 • Defining CLI or DNIS-Based End Station Filters, page 9-11 Defining MAC Address-Based End Station Filters You can create, duplicat[...]
-
Page 248
9-12 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 9 Managing Policy Elements Managing Policy Conditions Step 2 Check the CLI check box to enter the CLI number of the end station. You can optionally set this field to ANY to refer to any CLI number. Step 3 Check the DNIS check box to enter the DNIS nu[...]
-
Page 249
9-13 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 9 Managing Policy Elements Managing Policy Conditions Note To configure a filter, at a minimum, you must enter filter criteria in at least one of the three tabs. Step 5 Click Submit to save the changes. Related Topics • Managing Network Conditions,[...]
-
Page 250
9-14 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 9 Managing Policy Elements Managing Policy Conditions Defining Name-Based Device Filters You can create, duplicate, and edit the name of the network device that you want to permit or deny access to. To do this: Step 1 From the Device Name tab, do [...]
-
Page 251
9-15 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 9 Managing Policy Elements Managing Policy Conditions Creating, Duplicating, and Editing Device Port Filters Use the Device Port Filters page to create, duplicate, and edit device port filters. To do this: Step 1 Choose Policy Elements > Session Condi[...]
-
Page 252
9-16 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 9 Managing Policy Elements Managing Policy Conditions • Check the check box next to the IP-based device port filter that you want to duplicate, then click Duplicate. • Check the check box next to the IP-based device port filter that you want to edit, t[...]
-
Page 253
9-17 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Step 3 Check the Port check box and enter the port number. Step 4 Click OK. Related Topics • Managing Network Conditions, page 9-6 • Creating, Duplicating, and Editing Device Por[...]
-
Page 254
9-18 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions • Security groups and security group ACLs for Cisco Security Group Access. See ACS and Cisco Security Group Access, page 4-23, for information on configuring these policy elements. These to[...]
-
Page 255
9-19 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions • Click the name that you want to modify; or, check the check box next to the name that you want to modify and click Edit. The Authorization Profile Properties page appears. S[...]
-
Page 256
9-20 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 9 Managing Policy Elements Managing Authorizations and Permissions Step 1 Select Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, then click: • Create to create a new network access authorization de[...]
-
Page 257
9-21 Table 9-5 Authorization Profile: Common Tasks Page Option Description ACLS Downloadable ACL Name Includes a defined downloadable ACL. See Creating, Duplicating, and Editing Downlo[...]
-
Page 258
9-22 Specifying RADIUS Attributes in Authorization Profiles Use this tab to configure which RADIUS attributes to include in the Access-Accept packet for an authorization profile. This tab also[...]
-
Page 259
9-23 Step 3 To configure: • Basic information of an authorization profile; see Specifying Authorization Profiles, page 9-19. • Common tasks for an authorization profile; see Specifyin[...]
-
Page 260
9-24 Creating and Editing Security Groups Use this page to view names and details of security groups and security group tags (SGTs), and to open pages to create, duplicate, and edit security[...]
-
Page 261
9-25 The Common Tasks tab allows you to select and configure the frequently used attributes for the profile. The attributes that are included here are those defined by the TACACS protocol[...]
-
Page 262
9-26 Defining General Shell Profile Properties Use this page to define a shell profile’s general properties. Step 1 Select Policy Elements > Authorization and Permissions > Device Administr[...]
-
Page 263
9-27 Table 9-9 Shell Profile: Common Tasks Option Description Privilege Level Default Privilege (Optional) Enables the initial privilege level assignment that you allow for a client, thr [...]
-
Page 264
9-28 Step 3 Click: • Submit to save your changes and return to the Shell Profiles page. • The General tab to configure the name and description for the authorization profile; see Defining[...]
-
Page 265
9-29 Defining Custom Attributes Use this tab to define custom attributes for the shell profile. This tab also displays the Common Tasks Attributes that you have chosen in the Common Tasks tab [...]
-
Page 266
9-30 After you create command sets, you can use them in authorizations and permissions within rule tables. A rule can contain multiple command sets. See Creating, Duplicating, and Editing [...]
-
Page 267
9-31 Step 4 Click Submit. The command set is saved. The Command Sets page appears with the command set that you created or duplicated. Table 9-11 Command Set Properties Page Field Des [...]
-
Page 268
9-32 Related Topics • Creating, Duplicating, and Editing Authorization Profiles for Network Access, page 9-18 • Creating, Duplicating, and Editing a Shell Profile for Device Administrati[...]
-
Page 269
9-33 – Click Start Export to export the DACLs without any encryption. Step 3 Enter valid configuration data in the required fields as shown in Table 9-12, and define one or more[...]
-
Page 270
9-34 Configuring Security Group Access Control Lists Security group access control lists (SGACLs) are applied at Egress, based on the source and destination SGTs. Use this page to view, cre[...]
-
Page 271
10-1 CHAPTER 10 Managing Access Policies In ACS 5.4, policy drives all activities. Policies consist mainly of rules that determine the action of the policy. You create access services to define authentication and authorization policies for requests. A global s[...]
-
Page 272
10-2 Chapter 10 Managing Access Policies Policy Creation Flow In short, you must determine the: • Details of your network configuration. • Access services that implement your policies. • Rules that define the conditions under which an access service can run. [...]
-
Page 273
10-3 Policy Elements in the Policy Creation Flow The web interface provides these defaults for defining device groups and identity groups: • All Locations • All Device Types • All Groups The locations, de[...]
-
Page 274
10-4 Chapter 10 Managing Access Policies Customizing a Policy Policy Creation Flow—Next Steps • Access Service Policy Creation, page 10-4 • Service Selection Policy Creation, page 10-4 Access Service Policy Creation After you create the basic elements, you can create[...]
-
Page 275
10-5 Chapter 10 Managing Access Policies Configuring the Service Selection Policy If you have implemented Security Group Access functionality, you can also customize results for authorization policies. Caution If you have already defined rules, be certain that a rul[...]
-
Page 276
10-6 Note If you create and save a simple policy, and then change to a rule-based policy, the simple policy becomes the default rule of the rule-based policy. If you have saved a rule-bas [...]
-
Page 277
10-7 To configure a rule-based service selection policy, see these topics: • Creating, Duplicating, and Editing Service Selection Rules, page 10-8 • Deleting Service Selection Rules, p[...]
-
Page 278
10-8 Creating, Duplicating, and Editing Service Selection Rules Create service selection rules to determine which access service processes incoming requests. The Default Rule provides a def[...]
-
Page 279
10-9 • The Default Rule—You can change only the access service. See Table 10-3 for field descriptions: Step 4 Click OK. The Service Selection Policy page appears with the rule that[...]
-
Page 280
10-10 Displaying Hit Counts Use this page to reset and refresh the Hit Count display on the Rule-based Policy page. To display this page, click Hit Count on the Rule-based Policy page. Deleting Serv[...]
-
Page 281
10-11 Chapter 10 Managing Access Policies Configuring Access Services Configuring Access Services Access services contain the authentication and authorization policies for requests. You can create separate access services for different use cases; for example, de[...]
-
Page 282
10-12 Step 3 Edit the fields in the Allowed Protocols tab as described in Table 10-7. Step 4 Click Submit to save the changes you have made to the default access service. Creating, Duplicating, a[...]
-
Page 283
10-13 Step 2 Do one of the following: • Click Create. • Check the check box next to the access service that you want to duplicate; then click Duplicate. • Click the access service name that you w[...]
-
Page 284
10-14 Description Description of the access service. Access Service Policy Structure Based on service template Creates an access service containing policies based on a predefined template. This option is av [...]
-
Page 285
10-15 Step 3 Click Next to configure the allowed protocols. See Configuring Access Service Allowed Protocols, page 10-16. Related Topic • Configuring Access Service Allowed Protocols, page 10-16 • Conf[...]
-
Page 286
10-16 Configuring Access Service Allowed Protocols The allowed protocols are the second part of access service creation. Access service definitions contain general and allowed protocol information [...]
-
Page 287
10-17 Allow EAP-TLS Enables the EAP-TLS Authentication protocol and configures EAP-TLS settings. You can specify how ACS verifies user identity as presented in the EAP Identity response from the en[...]
-
Page 288
10-18 Allow EAP-FAST Enables the EAP-FAST authentication protocol and EAP-FAST settings. The EAP-FAST protocol can support multiple internal protocols on the same server. The default inner method i[...]
-
Page 289
10-19 Allow EAP-FAST (continued) PAC Options • Tunnel PAC Time To Live—The Time To Live (TTL) value restricts the lifetime of the PAC. Specify the lifetime value and units. The defaul[...]
-
Page 290
10-20 Step 3 Click Finish to save your changes to the access service. To enable an access service, you must add it to the service selection policy. Configuring Access Services Templates Use a service tem[...]
-
Page 291
10-21 Deleting an Access Service To delete an access service: Step 1 Select Access Policies > Access Services. The Access Services page appears with a list of configured services. Step 2 Check one or mo [...]
-
Page 292
10-22 Chapter 10 Managing Access Policies Configuring Access Service Policies Configuring Access Service Policies You configure access service policies after you create the access service: • Viewing Identity Policies, page 10-22 • Configuring Identity Policy Ru[...]
-
Page 293
10-23 In the rule-based policy, each rule contains one or more conditions and a result, which is the identity source to use for authentication. You can create, duplicate, edit, and delete rules wi[...]
-
Page 294
10-24 Viewing Rules-Based Identity Policies Select Access Policies > Access Services > service > Identity, where <service> is the name of the access service. By default, the Simple I[...]
-
Page 295
10-25 • Creating Policy Rules, page 10-38 • Duplicating a Rule, page 10-39 • Editing Policy Rules, page 10-39 • Deleting Policy Rules, page 10-40 For information about configuring an id[...]
-
Page 296
10-26 Table 10-11 Identity Rule Properties Page Option Description General Rule Name Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration[...]
-
Page 297
10-27 Configuring a Group Mapping Policy Configure a group mapping policy to map groups and attributes that are retrieved from external identity stores to ACS identity groups. When ACS processes a r[...]
-
Page 298
10-28 Step 2 Select an identity group. Step 3 Click Save Changes to save the policy. To configure a rule-based policy, see these topics: • Creating Policy Rules, page 10-38 • Duplicating a[...]
-
Page 299
10-29 • Deleting Policy Rules, page 10-40 Related Topics • Viewing Identity Policies, page 10-22 • Configuring a Session Authorization Policy for Network Access, page 10-30 • Configuring a [...]
-
Page 300
10-30 Configuring a Session Authorization Policy for Network Access When you create an access service for network access authorization, it creates a Session Authorization policy. You can then[...]
-
Page 301
10-31 Table 10-15 Network Access Authorization Policy Page Option Description Status Rule statuses are: • Enabled—The rule is active. • Disabled—ACS does not apply the results of the ru[...]
-
Page 302
10-32 Configuring Network Access Authorization Rule Properties Use this page to create, duplicate, and edit the rules to determine access permissions in a network access service. Step 1 Select Ac [...]
-
Page 303
10-33 Configuring Device Administration Authorization Policies A device administration authorization policy determines the authorizations and permissions for network administrators. You create [...]
-
Page 304
10-34 Configuring Device Administration Authorization Rule Properties Use this page to create, duplicate, and edit the rules to determine authorizations and permissions in a device administration ac [...]
-
Page 305
10-35 Configuring Shell/Command Authorization Policies for Device Administration When you create an access service and select a service policy structure for Device Administration, ACS automatic [...]
-
Page 306
10-36 To configure rules, see: • Creating Policy Rules, page 10-38 • Duplicating a Rule, page 10-39 • Editing Policy Rules, page 10-39 • Deleting Policy Rules, page 10-40 Configuring Au[...]
-
Page 307
10-37 To configure rules, see: • Creating Policy Rules, page 10-38 • Duplicating a Rule, page 10-39 • Editing Policy Rules, page 10-39 • Deleting Policy Rules, page 10-40 Related Topics [...]
-
Page 308
10-38 Creating Policy Rules When you create rules, remember that the order of the rules is important. When ACS encounters a match as it processes the request of a client that tries to access the ACS [...]
-
Page 309
10-39 Duplicating a Rule You can duplicate a rule if you want to create a new rule that is the same, or very similar to, an existing rule. The duplicate rule name is based on the original rule wi[...]
-
Page 310
10-40 Step 4 Click OK. The Policy page appears with the edited rule. Step 5 Click Save Changes to save the new configuration. Step 6 Click Discard Changes to cancel the edited information. Related[...]
-
Page 311
10-41 Chapter 10 Managing Access Policies Configuring Compound Conditions Configuring Compound Conditions Use compound conditions to define a set of conditions based on any attributes allowed in simple policy conditions. You define compound conditions in a policy[...]
-
Page 312
10-42 Note Dynamic attribute mapping is not applicable for ExternalGroups attribute of Type "String Enum" and "Time And Date" attribute of type "Date Time Period". [...]
-
Page 313
10-43 Figure 10-2 Compound Expression - Atomic Condition Single Nested Compound Condition Consists of a single operator followed by a set of predicates (>=2). The operator is applied betwe[...]
-
Page 314
10-44 Figure 10-4 Multiple Nested Compound Expression Compound Expression with Dynamic value You can select dynamic value to select another dictionary attribute to compare against the dictiona[...]
-
Page 315
10-45 Related Topics • Compound Condition Building Blocks, page 10-41 • Using the Compound Expression Builder, page 10-45 Using the Compound Expression Builder You construct compound conditions[...]
-
Page 316
10-46 Chapter 10 Managing Access Policies Security Group Access Control Pages Related Topics • Compound Condition Building Blocks, page 10-41 • Types of Compound Conditions, page 10-42 Security Group Access Control Pages This section contains the following topics: ?[...]
-
Page 317
10-47 Related Topic • Creating an Egress Policy, page 4-27 Editing a Cell in the Egress Policy Matrix Use this page to configure the policy for the selected cell. You can configure the SGA[...]
-
Page 318
10-48 NDAC Policy Page The Network Device Admission Control (NDAC) policy determines the SGT for network devices in a Security Group Access environment. The NDAC policy handles: • Peer aut[...]
-
Page 319
10-49 Related Topics: • Configuring an NDAC Policy, page 4-25 • NDAC Policy Properties Page, page 10-49 NDAC Policy Properties Page Use this page to create, duplicate, and edit rules to[...]
-
Page 320
10-50 Note For endpoint admission control, you must define an access service and session authorization policy. See Configuring Network Access Authorization Rule Properties, page 10-32 for infor[...]
-
Page 321
10-51 Chapter 10 Managing Access Policies Maximum User Sessions Network Device Access EAP-FAST Settings Page Use this page to configure parameters for the EAP-FAST protocol that the NDAC policy uses. To display this page, choose Access Policies > Security [...]
-
Page 322
10-52 Max Session User Settings You can configure maximum user session to impose maximum session value for each users. To configure maximum user sessions: Step 1 Choose Access Policies > Max User Session Po[...]
-
Page 323
10-53 Unlimited is selected by default. Group level session is applied based on the hierarchy. For example: The group hierarchy is America:US:West:CA and the maximum sessions are as follows: • Amer[...]
-
Page 324
10-54 Related topics • Maximum User Sessions, page 10-51 • Max Session User Settings, page 10-52 • Max Session Group Settings, page 10-52 • Purging User Sessions, page 10-54 • Maximum User Session in[...]
-
Page 325
10-55 The Purge User Session page appears with a list of all AAA clients. Step 2 Select the AAA client for which you want to purge the user sessions. Step 3 Click Get Logged-in User List. A list of all the logged [...]
-
Page 326
10-56 Maximum User Session in Proxy Scenario Authentication and accounting requests should be sent to the same ACS server, else the Maximum Session feature will not work as desired. Related topics • Maximum Us[...]
-
Page 327
11-1 CHAPTER 11 Monitoring and Reporting in ACS The Monitoring and Reports drawer appears in the primary web interface window and contains the Launch Monitoring and Report Viewer option. The Monitoring and Report Viewer provides monitoring, reporting, and [...]
-
Page 328
11-2 Chapter 11 Monitoring and Reporting in ACS Authentication Records and Details • Support for non-English characters (UTF-8)—You can have non-English characters in: – Syslog messages—Configurable attribute value, user name, and ACS named co [...]
-
Page 329
11-3 Chapter 11 Monitoring and Reporting in ACS Dashboard Pages Note These tabs are customizable, and you can modify or delete the following tabs. • General—The General tab lists the following: – Five most recent alarms—When you click the name of the alar[...]
-
Page 330
11-4 Chapter 11 Monitoring and Reporting in ACS Working with Portlets – Authentication Snapshot—Provides a snapshot of authentications in the graphical and tabular formats for up to the past 30 days. In the graphical representation, the field based on[...]
-
Page 331
11-5 Figure 11-1 Portlets Top 5 Alarms and My Favorite Reports appear in separate windows. You can edit each of these portlets separately. To edit a portlet, click the edit button ( ) at the upp[...]
-
Page 332
11-6 Chapter 11 Monitoring and Reporting in ACS Configuring Tabs in the Dashboard Related Topic • Dashboard Pages, page 11-2 • Running Authentication Lookup Report, page 11-6 Running Authentication Lookup Report When you run an Authentication Lookup report, [...]
-
Page 333
11-7 Step 5 Click Add Page. A new tab of your choice is created. You can add the applications that you most frequently monitor in this tab. Adding Applications to Tabs To add an application t[...]
-
Page 334
11-8 Changing the Dashboard Layout You can change the look and feel of the Dashboard. ACS provides you with nine different in-built layouts. To choose a different layout: Step 1 From[...]
-
Page 335
12-1 CHAPTER 12 Managing Alarms The Monitoring feature in ACS generates alarms to notify you of critical system conditions. The monitoring component retrieves data from ACS. You can configure thresholds and rules on this data to manage alarms. Alarm notifi[...]
-
Page 336
12-2 Chapter 12 Managing Alarms Understanding Alarms System Alarms System alarms notify you of critical conditions encountered during the execution of the ACS Monitoring and Reporting viewer. System alarms also provide informational status of system activities, such as[...]
-
Page 337
12-3 Chapter 12 Managing Alarms Viewing and Editing Alarms in Your Inbox Notifying Users of Events When a threshold is reached or a system alarm is generated, the alarm appears in the Alarms Inbox of the web interface. From this page, you can view the alarm de[...]
-
Page 338
12-4 Time Display only. Indicates the time of the associated alarm generation in the format Ddd Mmm dd hh:mm:ss timezone yyyy, where: • Ddd = Sun, Mon, Tue, Wed, Thu, Fri, Sat. • Mmm = Jan,[...]
-
Page 339
12-5 Configure Incremental Backup Data Repository as Remote Repository otherwise backup will fail and Incremental backup mode will be changed to off. Warning Configure Remote Repository [...]
-
Page 340
12-6 Full Database Purge Backup failed: Exception Details Critical Incremental Backup Failed: Exception Details Critical Log Recovery Log Message Recovery failed: Exception Details Critical View Comp[...]
-
Page 341
12-7 Note The Alarm for ACS database exceeding the quota is sent only when the total size of the ACS database exceeds the quota. Total size of ACS database = acs*.log + acs.db where acs*.log is[...]
-
Page 342
12-8 Note ACS cannot be used as a remote syslog server. But, you can use an external server as a syslog server. If you use an external server as a syslog server, no alarms can be generated in the [...]
-
Page 343
12-9 Chapter 12 Managing Alarms Understanding Alarm Schedules Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Deleting Alarm Thresholds, page 12-33 Understanding Alarm Schedules You can create alarm schedules to specify when a[...]
-
Page 344
12-10 Step 3 Click Submit to save the alarm schedule. The schedule that you create is added to the Schedule list box in the Threshold pages. Assigning Alarm Schedules to Thresholds When you create an alarm thres[...]
-
Pagina 345
12-11 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Deleting Alarm Schedules Note Before you delete an alarm schedule, ensure that it is not referenced by any thresholds that are defined in ACS. You cannot delete the default schedule[...]
-
Page 346
12-12 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Step 2 Do one of the following: • Click Create. • Check the check box next to the alarm that you want to duplicate, then click Duplicate. • Click the alarm name that you want[...]
-
Page 347
12-13 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Configuring General Threshold Information, page 12-13 • Configuring Threshold Criteria, page 12-14 • Configuring Threshold Notifications, page 12-32 Config[...]
-
Page 348
12-14 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Configuring Threshold Criteria ACS 5.4 provides the following threshold categories to define different threshold criteria: • Passed Authentications, page 12-14 • Failed Authenticatio[...]
-
Page 349
12-15 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Note You can specify one or more filters to limit the passed authentications that are considered for threshold evaluation. Each filter is associated with a particular attribute in th[...]
-
Page 350
12-16 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications[...]
-
Page 351
12-17 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds An alarm is triggered because at least one Device IP has greater than 10 failed authentications in the past 2 hours. Note You can specify one or more filters to limit the failed [...]
-
Page 352
12-18 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications[...]
-
Page 353
12-19 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds The aggregation job begins at 00:05 hours every day. From 23:50 hours, up until the time the aggregation job completes, the authentication inactivity alarms are suppressed. [...]
-
Page 354
12-20 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications[...]
-
Page 355
12-21 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications[...]
-
Page 356
12-22 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications[...]
-
Page 357
12-23 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications[...]
-
Page 358
12-24 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications[...]
-
Page 359
12-25 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications[...]
-
Page 360
12-26 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications[...]
-
Page 361
12-27 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Unknown NAD When ACS evaluates this threshold, it examines the RADIUS or TACACS+ failed authentications that have occurred during the specified time interval up to the previo[...]
-
Page 362
12-28 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications[...]
-
Page 363
12-29 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds You can specify one or more filters to limit the failed authentications that are considered for threshold evaluation. Each filter is associated with a particular attribute in [...]
-
Page 364
12-30 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds If, in the past four hours, RBACL drops have occurred for two different source group tags as shown in the following table, an alarm is triggered, because at least one SGT has a[...]
-
Page 365
12-31 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds NAD-Reported AAA Downtime When ACS evaluates this threshold, it examines the NAD-reported AAA down events that occurred during the specified interval up to the previous 24 hours. Th[...]
-
Page 366
12-32 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications[...]
-
Page 367
12-33 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Deleting Alarm Thresholds Related Topics • Viewing and Editing Alarms in Your Inbox, page 12-3 • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Deleting Alarm Thresholds, page 12-33 Deleting Alarm Thresho[...]
-
Page 368
12-34 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Configuring System Alarm Settings Configuring System Alarm Settings System alarms are used to notify users of: • Errors that are encountered by the Monitoring and Reporting services • Information on data purging Use this page t[...]
-
Page 369
12-35 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Understanding Alarm Syslog Targets Understanding Alarm Syslog Targets Alarm syslog targets are the destinations where alarm syslog messages are sent. The Monitoring and Report Viewer sends alarm notification in the form of syslog message[...]
-
Page 370
12-36 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 12 Managing Alarms Understanding Alarm Syslog Targets Step 4 Click Submit. Related Topics • Understanding Alarm Syslog Targets, page 12-35 • Deleting Alarm Syslog Targets, page 12-36 Deleting Alarm Syslog Targets Note You cannot delete the defa[...]
-
Page 371
13-1 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 CHAPTER 13 Managing Reports The Monitoring and Report Viewer component of ACS collects log and configuration data from various ACS servers in your deployment, aggregates it, and provides interactive reports that help you analyze the data. The Monitori[...]
-
Page 372
13-2 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports • Catalog—Monitoring and Reports > Reports > Catalog > <report_type> For easy access, you can add reports to your Favorites page, from which you can customize and delete reports. You can customize the re [...]
-
Page 373
13-3 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Working with Favorite Reports This chapter describes in detail the following: • Working with Favorite Reports, page 13-3 • Sharing Reports, page 13-6 • Working with Catalog Reports, page 13-7 • Viewing Reports, page 13-20[...]
-
Page 374
13-4 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Working with Favorite Reports Step 5 Click Add to Favorite. The report is added to your Favorites page. Related Topics • Working with Favorite Reports, page 13-3 • Viewing Favorite-Report Parameters, page 13-4 • Editing[...]
-
Page 375
13-5 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Working with Favorite Reports Editing Favorite Reports After you view the existing parameters in your favorite report, you can edit them. To edit the parameters in your favorite reports: Step 1 Choose Monitoring and Reports > Reports [...]
-
Page 376
13-6 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Sharing Reports The report is generated in the page. Step 3 Click Launch Interactive Viewer for more options. Related Topics • Adding Reports to Your Favorites Page, page 13-3 • Viewing Favorite-Report Parameters, page 13-[...]
-
Page 377
13-7 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Working with Catalog Reports Step 7 Click Save. The report is saved in your Shared folder and is available for all users. Note The shared reports that were created in older versions of ACS do not work after you upgrade an older ve[...]
-
Page 378
13-8 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Working with Catalog Reports TACACS Authentication Provides TACACS+ authentication details for a selected time period. Passed authentications, failed attempts TACACS Authorization Provides TACACS+ authorization details for a[...]
-
Page 379
13-9 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Working with Catalog Reports ACS Log Information Provides ACS log information for a particular log category and ACS server for a selected time period. All log categories ACS Operations Audit Provides all the operational changes d [...]
-
Page 380
13-10 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Working with Catalog Reports Network Device Authentication Summary Provides the RADIUS and TACACS+ authentication summary information for a particular network device for a selected time period, along with the graphi [...]
-
Page 381
13-11 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Working with Catalog Reports Running Catalog Reports To run a report that is in the Catalog: Step 1 Select Monitoring and Reports > Reports > Catalog > report_type, where report_type is the type of report you want[...]
-
Page 382
13-12 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Working with Catalog Reports The available reports for the report type you selected are displayed with the information shown in Table 13-3. Step 2 Click the radio button next to the report name you want to run, then select one of th[...]
-
Page 383
13-13 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Working with Catalog Reports Note You cannot delete system reports from the Reports > Catalog pages; you can delete customized reports only. Step 2 Check one or more check boxes next to the reports you want to delete, and click Del[...]
-
Page 384
13-14 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Working with Catalog Reports Related Topics • Working with Catalog Reports, page 13-7 • Understanding the Report_Name Page, page 13-14 Understanding the Report_Name Page Note Not all options listed in Table 13-5 are used in se[...]
-
Page 385
13-15 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Working with Catalog Reports Identity Group Enter an identity group name or click Select to enter a valid identity group name on which to run your report. Device Name Enter a device name or click Select to enter a valid device name on [...]
-
Page 386
13-16 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Working with Catalog Reports Command Accounting Only Check the check box to enable your report to run for command accounting. Top Use the drop down list box to select the number of top (most frequent) authentications by acce[...]
-
Page 387
13-17 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Working with Catalog Reports Related Topics • Working with Catalog Reports, page 13-7 • Working with Favorite Reports, page 13-3 • Available Reports in the Catalog, page 13-7 • Running Catalog Reports, page 13-11 Enablin[...]
-
Page 388
13-18 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Working with Catalog Reports Changing Authorization and Disconnecting Active RADIUS Sessions Note Some of the NADs in your deployment do not send an Accounting Stop or Accounting Off packet after a reload. As a result of this[...]
-
Page 389
13-19 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Working with Catalog Reports Figure 13-3 CoA Options Step 4 Click Run to reauthenticate or disconnect the RADIUS session. If your change of authorization fails, it might be because of any of the following reasons: • Device does [...]
-
Page 390
13-20 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Viewing Reports Note If you save the customized report with the same name as the original system report (overwriting the original system report), you cannot delete it. To restore a customized report to the default, preconfig[...]
-
Page 391
13-21 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Viewing Reports About Standard Viewer From Standard Viewer, you can open a table of contents, navigate the report, export data to spreadsheet format, and print the report. You can click Launch Interactive Viewer to close Standa[...]
-
Page 392
13-22 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Viewing Reports Figure 13-5 Context Menu for Labels in Interactive Viewer If the report contains a chart, you can use the context menu for charts, shown in Figure 13-6, to modify the chart’s formatting, subtype, and other prop[...]
-
Page 393
13-23 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Viewing Reports Using the Table of Contents In the viewer, you can open a table of contents to view the report structure and navigate the report. To open the table of contents, choose the table of contents button in the toolbar.[...]
-
Page 394
13-24 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Viewing Reports Exporting Report Data The viewer supports the ability to export report data to an Excel spreadsheet as a comma-separated values (.csv) file, pipe-separated values (.psv) file, or a tab-separated values (.tsv) fi[...]
-
Page 395
13-25 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Viewing Reports Figure 13-12 The Export Data Dialog Box Available Result Sets lists the tables in the report. Available Columns lists the columns you can export from the specified table. You can export any of the data the report us[...]
-
Page 396
13-26 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Viewing Reports Printing Reports You can print a report that appears in the viewer in HTML or PDF format. Because you can modify the report in Interactive Viewer, Interactive Viewer supports printing either the original repo[...]
-
Page 397
13-27 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Figure 13-13 Save Dialog Box Step 2 Navigate to the location where you want to save the file. Step 3 Type a file name and click Save. Step 4 Click OK in the confirmation message that appea[...]
-
Page 398
13-28 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer The text of a column header comes from the data source. If the data source displays column headers in capital letters with no spaces between words, the report design displays column hea[...]
-
Page 399
13-29 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer • Modify the font, color, style, and other properties of the text. • Specify that the column displays uppercase or lowercase. • Modify the default formatting of the data value in an agg[...]
-
Page 400
13-30 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Formatting Data in Aggregate Rows An aggregate row displays a total, average, or other summary data for a column. You learn how to create an aggregate row in a later chapter. Figure 13-[...]
-
Page 401
13-31 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Formatting Numeric Data Numeric data can take several forms. A column of postal codes requires different formatting from a column of sales figures. Figure 13-16 shows the numeric formats [...]
-
Page 402
13-32 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer The data type of a column is determined by the data source. Keep in mind that a text or string data type can contain numeric digits. A telephone number, for example, is frequently string[...]
-
Page 403
13-33 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Formatting Custom Numeric Data To define a custom format, you use special symbols to construct a format pattern. A format pattern shows where to place currency symbols, thousands separators,[...]
-
Page 404
13-34 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer 415-555-2121 You can create custom formats for string data. Table 13-8 describes the symbols you can use to define custom string formats. Table 13-9 shows examples of custom string [...]
-
Page 405
13-35 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Step 4 Click Apply. Formatting Date and Time The appearance of date and time data depends on the locale in which you are working. For example, the following date and time are correct for the U.S[...]
-
Page 406
13-36 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer To create a custom date or time format, Step 1 Select a date-and-time column, then click Format. The Date or Time column format window appears. Step 2 In Format Date or Time As [...]
-
Page 407
13-37 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Figure 13-17 Specifying Display Values for True and False Applying Conditional Formats Conditional formatting changes the formatting of data when a certain condition is true. For example[...]
-
Page 408
13-38 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer After you create the condition, you set the format in which to display data that meets the condition. The format applies to the column in Select Column, not to the column you use to set the[...]
-
Page 409
13-39 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Figure 13-20 Two Comparison Value Fields Appear for the Between Operator The values for the comparison can be typed in directly or derived from the specified report column. Select Chang[...]
-
Page 410
13-40 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer To add additional conditional formatting rules, select Add Rule and repeat steps 3 and 4 for each new rule. Step 6 Click Apply. The report design appears with the specified conditional for[...]
-
Page 411
13-41 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Organizing Report Data Step 4 Click Apply. Setting and Removing Page Breaks in a Group Column In Interactive Viewer, if your report design has grouped data, you can set page breaks before or after the grouped data. Step 1 Selec[...]
-
Page 412
13-42 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Organizing Report Data Displaying and Organizing Report Data After you access a data source and select the data set to use, you determine the best way to display the data in a report. There are several ways to organize data sets: [...]
-
Page 413
13-43 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Organizing Report Data Figure 13-25 Report Displaying Customers Grouped by Country Step 2 Select Column > Move to Group Header. The Move to Group Header window appears, as shown in Figure 13-26. Figure 13-26 Move to Group Head[...]
-
Page 414
13-44 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Organizing Report Data Figure 13-27 Report Displaying Customer Name in Each Group Header Removing Columns To remove a column, select the column and click Delete. When you remove a column from the report, you are not deleting th[...]
-
Page 415
13-45 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Organizing Report Data Step 3 Select any items you want to hide or Deselect any hidden items you want to display. To display all hidden items, click Clear. Step 4 Click Apply. Hiding Columns To hide or display columns: Step 1 Select [...]
-
Page 416
13-46 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Organizing Report Data Figure 13-29 Separate Columns In Figure 13-30, the data from these two columns is merged into one column. Figure 13-30 Merged Column To merge data in multiple columns: Step 1 Select and right-click the co[...]
-
Page 417
13-47 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Organizing Report Data Selecting a Column from a Merged Column You can aggregate, filter, and group data in a column that contains data that is merged from multiple columns. You must first select one of the columns on which to aggre[...]
-
Page 418
13-48 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Organizing Report Data When you sort multiple columns, it is important to understand the order of precedence for the sort. In Advanced Sort, the first column you select is the primary sorting column. Report data is sorted first by [...]
-
Page 419
13-49 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Organizing Report Data Grouping Data A report can contain a great deal of data. Consider the task of listing every item a corporation owns, along with information such as the purchase price, purchase date, inventory tag number, an[...]
-
Page 420
13-50 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Organizing Report Data Figure 13-33 Grouped Data You can group data in the report design editor or in Interactive Viewer. The changes you make in the viewer do not affect the report design. If you work in Enterprise mode, yo [...]
-
Page 421
13-51 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Organizing Report Data Step 2 From the context menu, select Group > Add Group. The Group Detail dialog box appears, as shown in Figure 13-35. Figure 13-35 Grouping Date or Time Data Step 3 To show every date or time value, l[...]
-
Page 422
13-52 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Organizing Report Data Step 2 From the context menu, select Group > Delete Inner Group. Creating Report Calculations Most reports require some sort of calculations to track sales, finances, inventory, and other critical busin[...]
-
Page 423
13-53 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Organizing Report Data Figure 13-38 Selecting a Function Understanding Supported Calculation Functions Table 13-11 provides examples of the functions you can use to create calculations. Note The Calculation dialog box does not suppor[...]
-
Page 424
13-54 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Organizing Report Data AND Combines two conditions and returns records that match both conditions. For example, you can request records from customers who spend more than $50,000 a year and also have a credit rank of A. This f[...]
-
Page 425
13-55 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Organizing Report Data False The Boolean False. This function is used in expressions to indicate that an argument is false. In the following example, False indicates that the second argument, ascending, is false and therefore th[...]
-
Page 426
13-56 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Organizing Report Data ISBOTTOMN(expr, n) Displays True if the value is within the lowest n values for the expression, and False otherwise. ISBOTTOMN([OrderTotals], 50) ISBOTTOMN(expr, n, groupLevel) Displays True if the val[...]
-
Page 427
13-57 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Organizing Report Data LIKE(str) Displays True if the values match, and False otherwise. Use SQL syntax to specify the string pattern. The following rules apply: • Literal pattern characters must match exactly. LIKE is case-sensitive[...]
-
Page 428
13-58 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Organizing Report Data OR The logical OR operator. This function is used to connect clauses in an expression and does not take arguments. PERCENTILE(expr, pct) Displays a percentile value, a value on a scale of 100 that indicates[...]
-
Page 429
13-59 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Organizing Report Data ROUNDDOWN(num) Rounds a number down. ROUNDDOWN([StockPrice]) ROUNDDOWN(num, dec) Rounds a number down, away from 0, to the specified number of digits. The default value for dec is 0. ROUNDDOWN([StockPrice], [...]
-
Page 430
13-60 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Organizing Report Data WEEKDAY(date, option) Displays the day of the week in one of the following format options: • 1 - Returns the day number, from 1 (Sunday) through 7 (Saturday). 1 is the default option. • 2 - Returns th[...]
-
Page 431
13-61 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Organizing Report Data Understanding Supported Operators Table 13-12 describes the mathematical and logical operators you can use in writing expressions that create calculated columns. Using Numbers and Dates in an Expression Wh[...]
-
Page 432
13-62 User Guide f or Cisco S ecure Access Contro l System 5.4 OL-26225-01 Chapt er 13 Ma nagin g Re ports Organizin g Report Data Using Multiply Values i n Calculated Columns T o use multiply v alues in calculated columns: Step 1 Selec t a col umn. In t he repo rt, the new calc ulate d co lumn appears to the right of the column yo u select . Step [...]
-
Page 433
Step 7 For the second argument, type the number of days to add. In this case, type 7.
Step 8 Validate the expression, then click Apply. The new calculated column appears in the report. For every value [...]
-
Page 434
Figure 13-39 Aggregate Row for a Group
Table 13-13 shows the aggregate functions that you can use.
Table 13-13 Aggregate Functions
Aggregate functions Description Average Calculates the average[...]
-
Page 435
Creating an Aggregate Data Row
To create an aggregate data row:
Step 1 Select a column, then select Aggregation. The Aggregation dialog box appears. The name of the column you selected is listed in the Selecte[...]
-
Page 436
Adding Additional Aggregate Rows
After you create a single aggregate row for a column, you can add up to two more aggregate rows for the same column. For an item total column, for example, you can create a[...]
-
Page 437
Deleting Aggregate Rows
To delete an aggregate row:
Step 1 Select the calculated column that contains the aggregation you want to remove, then select Aggregation. The Aggregation dialog box [...]
-
Page 438
Figure 13-43 Suppressed Values
You can suppress duplicate values to make your report easier to read. You can suppress only consecutive occurrences of duplicate values. In the Location col[...]
-
Page 439
Figure 13-44 Group Detail Rows Displayed
Figure 13-45 shows the results of hiding the detail rows for the creditrank grouping.
Figure 13-45 Group Detail Rows Hidden
• To collapse a group or sec [...]
-
Page 440
Types of Filter Conditions
Table 13-15 describes the types of filter conditions and provides examples of how filter conditions are translated into instructions to the data source.
Bottom N Returns [...]
-
Page 441
Setting Filter Values
After you choose a condition, you set a filter value.
Step 1 To view all the values for the selected column, select Select Values. Additional fields appear in the Filter dial[...]
-
Page 442
Figure 13-46 Selecting a Filter Value in Interactive Viewer
Step 2 To search for a value, type the value in the Find Value field, then click Find. All values that match your filter text [...]
-
Page 443
Step 3 From the Condition pulldown menu, select a condition. Table 13-14 describes the conditions you can select.
• If you select Between or Not Between, Value From and Value To, [...]
-
Page 444
Figure 13-47 The Advanced Filter Dialog Box in Interactive Viewer
Advanced Filter provides a great deal of flexibility in setting the filter value. For conditions that test equality and for t[...]
-
Page 445
Step 7 Validate the filter syntax by clicking Validate. You have now created a filter with one condition. The next step is to add conditions.
Step 8 Follow steps Step 3 to Step 7 to create each[...]
-
Page 446
Step 2 From the Filter pulldown menu, select a particular number of rows or a percentage of rows, as shown in Figure 13-48.
Step 3 Enter a value in the field next to the Filter pulldown menu to specify the[...]
-
Page 447
Figure 13-49 Parts of a Basic Bar Chart
There are a variety of chart types. Some types of data are best depicted with a specific type of chart. Charts can be used as reports in themselves and they can be used [...]
-
Page 448
Changing Chart Subtype
charts have subtypes, which you can change as needed:
• Bar chart—Side-by-Side, Stacked, Percent Stacked
• Line chart—Overlay, Stacked, Percent Stacked
• Area chart—Overl[...]
-
Page 449
Figure 13-50 Chart Formatting Options
You use this page to:
• Edit and format the default chart title.
• Edit and format the default title for the category, or x-, axis.
• Modify settings for the label[...]
-
Page 450
13-80 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 13 Managing Reports Understanding Charts[...]
-
Page 451
CHAPTER 14 Troubleshooting ACS with the Monitoring and Report Viewer
This chapter describes the diagnostic and troubleshooting tools that the Monitoring and Report Viewer provides for the Cisco Secure Access Control System. This chapter contains the foll[...]
-
Page 452
Support bundles typically contain the ACS database, log files, core files, and Monitoring and Report Viewer support files. You can exclude cert[...]
-
Page 453
Performing Connectivity Tests
You can test your connectivity to a network device with the device’s hostname or IP address. For example, you can verify your conn[...]
-
Page 454
Related Topics
• Available Diagnostic and Troubleshooting Tools, page 14-1
• Connectivity Tests, page 14-1
• ACS Support Bu[...]
-
Page 455
• Include local logs—Check this check box to include local logs, then click All, or click Recent and enter a value from 1 to 999 in t[...]
-
Page 456
Working with Expert Troubleshooter
The following sections describe how to use the Expert Troubleshooter diagnostic tools:
• Troubleshooting RADIUS Authen[...]
-
Page 457
Step 4 Click Search to display the RADIUS authentications that match your search criteria. The Search Result table is populated with the results of your search[...]
-
Page 458
The Expert Troubleshooter begins to troubleshoot your RADIUS authentication. The Monitoring and Report Viewer prompts you for additional input, if requir[...]
-
Page 459
Step 8 Click Done to return to the Expert Troubleshooter. The Progress Details page refreshes periodically to display the tasks that are performed as troubleshootin[...]
-
Page 460
Executing the Show Command on a Network Device
The Execute Network Device Command diagnostic tool allows you to run any show command on a network device from t[...]
-
Page 461
Step 3 Click Run. The Progress Details page appears. The Monitoring and Report Viewer prompts you for additional input.
Step 4 Click the User Input Required butt[...]
-
Page 462
Comparing SGACL Policy Between a Network Device and ACS
For Security Group Access-enabled devices, ACS assigns an SGACL for every source SGT-destination SGT pa[...]
-
Page 463
Use this diagnostic tool to compare the SXP-IP mappings between a device and its peers. To do this:
Step 1 Choose Monitoring and Reports > Troubleshooting >[...]
-
Page 464
Step 4 Click SXP-IP Mappings from the list of troubleshooting tools. The Expert Troubleshooter page refreshes and shows the following field: Network Device IP[...]
-
Page 465
Step 10 Click Show Results Summary to view the diagnosis and resolution steps. The Results Summary page appears with the information described in Table 14-[...]
-
Page 466
Step 6 Click Show Results Summary to view the diagnosis and resolution steps.
Related Topics
• Available Diagnostic and Troubleshooting Tools, page 14-1
•[...]
-
Page 467
Step 3 Click Run. The Progress Details page appears with a summary.
Step 4 Click Show Results Summary to view the results of device SGT comparison. The Resu[...]
-
Page 468
14-18 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 14 Troubleshooting ACS with the Monitoring and Report Viewer Working with Expert Troubleshooter[...]
-
Page 469
CHAPTER 15 Managing System Operations and Configuration in the Monitoring and Report Viewer
This chapter describes the tasks that you must perform to configure and administer the Monitoring and Report Viewer. The Monitoring Configuration drawer allows you[...]
-
Page 470
• Configure and edit failure reasons—The Monitoring and Report Viewer allows you to configure the description of the failure reason code and provide instruction[...]
-
Page 471
• Configuring System Alarm Settings, page 15-18
• Configuring Alarm Syslog Targets, page 15-18
• Configuring Re[...]
-
Page 472
If you enable incremental backup, data is purged daily at 4:00 a.m. at the local time zone where the ACS instance t[...]
-
Page 473
only the log collector services during compress operation and will be up and running after the compress operatio[...]
-
Page 474
From the Monitoring and Report Viewer, select Monitoring Configuration > System Operations > Data Management > [...]
-
Page 475
Configuring NFS Staging
If the utilization of /opt exceeds 30 percent, then you are required to use NFS staging with a remote repository in or[...]
-
Page 476
Step 2 Choose a backup file that you want to restore.
Note If you choose an incremental backup file to restore, ACS restores all previously as[...]
-
Page 477
Related Topic
Log Collection Details Page, page 15-10
Table 15-3 Log Collection Page
Option Description ACS Server Name of the ACS server. Clic[...]
-
Page 478
Log Collection Details Page
Use this page to view the recently collected log names for an ACS server.
Step 1 From the Monitoring and Report Vie[...]
-
Page 479
Related Topic
• Viewing Log Collections, page 15-8
Table 15-4 Log Collection Details Page
Option Description Log Name Name of the log file. La[...]
-
Page 480
Recovering Log Messages
ACS server sends syslog messages to the Monitoring and Report Viewer for the activities such as passed authentication, [...]
-
Page 481
Note When you change any schedule through the ACS web interface, for the new schedule to take effect, you must manually restart the Job Mana[...]
-
Page 482
Viewing Process Status
Use this page to view the status of processes running in your ACS environment. From the Monitoring and Report Viewer, se[...]
-
Page 483
Viewing Data Upgrade Status
After you upgrade to ACS 5.4, ensure that the Monitoring and Report Viewer database upgrade is complete. Y[...]
-
Page 484
Related Topic
Viewing Failure Reasons, page 15-15
Specifying E-Mail Settings
Use this page to specify the e-mail server and administrator e[...]
-
Page 485
Understanding Collection Filters
You can create collection filters that allow you to filter and drop syslog events that are not used for [...]
-
Page 486
Step 3 Click Submit.
Related Topics
• Creating and Editing Collection Filters, page 15-17
• Deleting Collection Filters, page 15-1[...]
-
Page 487
Note ACS does not support remote database with cluster setup.
To configure a remote database:
Step 1 From the Monitoring and Rep[...]
-
Page 488
Note You can view the status of your export job in the Scheduler. See Viewing Scheduled Jobs, page 15-12 for more informati[...]
-
Page 489
CHAPTER 16 Managing System Administrators
System administrators are responsible for deploying, configuring, maintaining, and monitoring the ACS servers in your network. They can perform various operations in ACS through the ACS administrative interface. [...]
-
Page 490
• Configure administrator session setting
• Configure administrator access setting
The first time you log in to ACS 5.4, you are prompted for the predefined adminis[...]
-
Page 491
When these steps are completed, defined administrators can log in and start working in the system.
Understanding Authentication
An authentication request is the first ope[...]
-
Page 492
• Dynamic Role assignment—Roles are assigned based on the rules in the AAC authorization policy.
Assigning Static Roles
ACS 5.4 allows you to assign the administrator roles statically to an inter[...]
-
Page 493
Predefined Roles
Table 16-1 shows the predefined roles included in ACS:
Table 16-1 Predefined Role Descriptions
Role Privileges Change Admin Password This role is intended for ACS administrators w[...]
-
Page 494
Note At first login, only the Super Admin is assigned to a specific administrator.
Related Topics
• Administrator Accounts and Role Association
• Creating, Duplicating, Editing, and Deleting Adminis[...]
-
Page 495
Only appropriate administrators can configure identities and certificates. The identities configured in the System Administration drawer are available[...]
-
Page 496
Step 2 Do any of the following:
• Click Create.
• Check the check box next to the account that you want to duplicate and click Duplicate.
• C[...]
-
Page 497
Step 4 Click Submit. The new account is saved. The Administrators page appears, with the new account that you created or duplicated.
Related Topics
• Understanding Roles, page 16-3
• Admin[...]
-
Page 498
Choose System Administration > Administrators > Roles. The Roles page appears with a list of predefined roles. Table 16-4 describes the Roles page fields. [...]
-
Page 499
The Password Policies page appears with the Password Complexity and Advanced tabs.
Step 2 In the Password Complexity tab, check each check box that you want [...]
-
Page 500
Note ACS automatically deactivates or disables your account based on your last login, last password change, or number of login retries. The CLI and PI user accounts are block[...]
-
Page 501
Step 1 Choose System Administration > Administrators > Settings > Session. The GUI Session page appears.
Step 2 Enter the Session Idle Timeout value in minutes. Valid valu[...]
-
Page 502
Step 1 Choose System Administration > Administrators > Settings > Access. The IP Addresses Filtering page appears.
Step 2 Click Reject connections from listed IP addresses ra[...]
-
Page 503
The AAC service processes these two policies in a sequence. You need to configure both the Administrator identity policy and the Administrator authorization policy. The de[...]
-
Page 504
In cases where Deny Access is selected as the result, the access of the administrator is denied. In a rule-based policy, each rule contains one or more conditions and a result, [...]
-
Page 505
To configure a rule-based policy, see these topics:
• Creating Policy Rules, page 10-38
• Duplicating a Rule, page 10-39
• Editing Policy Rules, page 10-39
• Deleti[...]
-
Page 506
Configuring Identity Policy Rule Properties
You can create, duplicate, or edit an identity policy rule to determine the identity databases that are used to authenticate the admin[...]
-
Page 507
Administrator Authorization Policy
The authorization policy in the Administrative Access Control is used for dynamically assigning roles to administrators upon login. The role [...]
-
Page 508
Configuring Administrator Authorization Rule Properties
Use this page to create, duplicate, and edit the rules to determine administrator roles in the AAC access service. Select Sy[...]
-
Page 509
Administrator Login Process
When an administrator logs in to the ACS web interface, ACS 5.4 performs the authentication as given below. If an administrator account is con[...]
-
Page 510
Note If the administrator password on the AD or LDAP server is expired or reset, then ACS denies the administrator access to the web interface.
Resetting the Administrator Passwo[...]
-
Page 511
The administrator password is created. You can also use the acs reset-password command to reset your ACSAdmin account password. For more information on this command, refer to http://[...]
-
Page 512
16-24 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Chapter 16 Managing System Administrators Changing the Administrator Password[...]
-
Page 513
CHAPTER 17 Configuring System Operations
You can configure and deploy ACS instances so that one ACS instance becomes the primary instance and the other ACS instances can be registered to the primary as secondary instances. An ACS instance represents A[...]
-
Page 514
• Using the Deployment Operations Page to Create a Local Mode Instance, page 17-23
Understanding Distributed Deployment
You can configure multiple ACS servers in a deployment. Wi[...]
-
Page 515
ACS 5.4 supports one primary and twenty secondary servers in a large ACS deployment. The medium ACS deployment consists of one primary and twelve secondary servers. Also, all ACS [...]
-
Page 516
Removing Secondary Servers
To permanently remove a secondary server from a deployment, you must first deregister the secondary server and then delete it from the primary. You [...]
-
Page 517
When the connection to the primary server resumes, you can reconnect the disconnected secondary instance in Local Mode to the primary server. From the secondary instance in Lo[...]
-
Page 518
Step 3 You must activate the secondary server on the primary, either automatically or by issuing a manual request.
Related Topics
• Viewing and Editing a Primary Instance, page 17-9
• Viewing and E [...]
-
Page 519
Step 2 Click Submit to schedule the backup.
Related Topic
Backing Up Primary and Secondary Instances, page 17-8
Table 17-2 Scheduled Backups Page
Option Description Backup Data Filename created by b[...]
-
Page 520
Backing Up Primary and Secondary Instances
ACS provides you the option to back up the primary and secondary instances at any time apart from the regular scheduled backups. For a[...]
-
Page 521
Synchronizing Primary and Secondary Instances After Backup and Restore
When you specify that a system backup is restored on a primary instance, t[...]
Page 522
Table 17-4 Distributed System Management Page
Option: Description
Primary Instance
Name: Hostname of the primary instance.
IP Address: IP address of the primary instance.
Online Status: Indicates if [...]
Page 523
Step 2 From the Primary Instance table, click the primary instance that you want to modify, or check the Name check box and click Edit.
Step 3 Complete the fields in the Distributed System Management[...]
Page 524
Step 4 Click Submit.
The Primary Instance table on the Distributed System Management page appears with the edited primary instance.
Related Topics
• Replicating a Secondary Instance from a Primary I[...]
Page 525
Viewing and Editing a Secondary Instance
To edit a secondary instance:
Step 1 Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page app[...]
Page 526
Activating a Secondary Instance
To activate a secondary instance:
Step 1 Choose System Administration > Operations > Distributed System Management.
The Distributed System Managemen[...]
Page 527
Table 17-6 System Operations: Deployment Operations Page
Option: Description
Instance Status
Current Status: Identifies the instance of the node you log into [...]
Page 528
Step 3 Specify the appropriate values in the Registration Section.
Step 4 Click Register to Primary.
The following warning message is displayed.
This operation [...]
Page 529
Deregistering Secondary Instances from the Distributed System Management Page
To deregister secondary instances from the Distributed System Mana[...]
Page 530
The system displays the following warning message:
This operation will deregister this server as a secondary with the primary server. ACS wi[...]
Page 531
Promoting a Secondary Instance from the Deployment Operations Page
To promote a secondary instance to a primary instance from the Deployment Operati [...]
Page 532
Replicating a Secondary Instance from the Distributed System Management Page
Note: All ACS appliances must be in sync with the AD domain clock.
To replicate a s[...]
Page 533
The Distributed System Management page appears. On the Secondary Instance table, the Replication Status column shows UPDATED. Replication is complete on the sec [...]
Page 534
Failover
ACS 5.4 allows you to configure multiple ACS instances for a deployment scenario. Each deployment can have one primary and multiple secondary ACS se[...]
Page 535
Cleanup.. ..... Starting ACS .... The database on the primary server is restored successfully .
Now, you can observe that all secondary servers in the d[...]
Page 536
You can use the configuration information on the ACS Configuration Audit report to manually restore the configuration information for this instance. [...]
Page 537
Step 4 Click Submit.
The new software repository is saved. The Software Repository page appears, with the new software repository that you [...]
Page 538
[...]
Page 539
CHAPTER 18
Managing System Administration Configurations
After you install Cisco Secure ACS, you must configure and administer it to manage your network efficiently. The ACS web interface allows you to easily configure ACS to perform various operations. F[...]
Page 540
Configuring EAP-TLS Settings
Use the EAP-TLS Settings page to configure EAP-TLS runtime characteristics.
Select System Administration > Configuration > Global Syst[...]
Page 541
Configuring PEAP Settings
Use the PEAP Settings page to configure PEAP runtime characteristics.
Select System Administration > Configuration > Global System Options > [...]
Page 542
Generating EAP-FAST PAC
Use the EAP-FAST Generate PAC page to generate a user or machine PAC.
Step 1 Select System Administration > Configuration > Global System[...]
Page 543
Step 3 Click Submit to configure the RSA SecurID Prompts.
Managing Dictionaries
The following tasks are available when you select System Administration > Configuration > Dicti[...]
Page 544
• RADIUS (Cisco BBSM)
• RADIUS (Cisco VPN 3000)
• RADIUS (Cisco VPN 5000)
• RADIUS (Juniper)
• RADIUS (Nortel [Bay Networks])
• RADIUS (Red Creek)
• RADIUS (US Roboti[...]
Page 545
• Click Create.
• Check the check box next to the RADIUS VSA that you want to duplicate, then click Duplicate.
• Check the check box next to the RADIUS VSA that you want[...]
Page 546
Table 18-9 Creating, Duplicating, and Editing RADIUS Subattributes
Option: Description
General
Attribute: Name of the subattribute. The name must be unique.
Description: (Option[...]
Page 547
Step 4 Click Submit to save the subattribute.
Viewing RADIUS Vendor-Specific Subattributes
To view the attributes that are supported by a particular RADIUS vendor:
Step 1 Choose Sys[...]
Page 548
Related Topic
Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes, page 18-6
Configuring Identity Dictionaries
This section contains the following topics:
• [...]
Page 549
Configuring Internal Identity Attributes
Table 18-10 describes the fields in the internal < users | hosts > identity attributes.
Table 18-10 Identity Attribute Properties Pag[...]
Page 550
Deleting an Internal User Identity Attribute
To delete an internal user identity attribute:
Step 1 Select System Administration > Configuration > Dictionaries > Identit[...]
Page 551
Creating, Duplicating, and Editing an Internal Host Identity Attribute
To create, duplicate, and edit an internal host identity attribute:
Step 1 Select System Administration > Con[...]
Page 552
Adding Static IP address to Users in Internal Identity Store
To add static IP address to a user in Internal Identity Store:
Step 1 Add a static IP attribute to intern[...]
Page 553
Step 2 Click Add.
Step 3 Enter the information in the Local Certificate Store Properties page as described in Table 18-12:
Importing Server Certificates and Associating Ce[...]
Page 554
Step 4 Click Finish.
The new certificate is saved. The Local Certificate Store page appears with the new certificate.
Generating Self-Signed Certificates
Step 1 [...]
Page 555
Step 4 Click Finish.
The new certificate is saved. The Local Certificate Store page appears with the new certificate.
Generating a Certificate Signing Request
Step 1 Sel[...]
Page 556
Binding CA Signed Certificates
Use this page to bind a CA signed certificate to the request that was used to obtain the certificate from the CA.
Step 1 Select System[...]
Page 557
Step 4 Click Submit to extend the existing certificate's validity.
The Local Certificate Store page appears with the edited certificate.
Related Topic
• Configuring Loc[...]
Page 558
The Certificate Store page appears without the deleted certificate(s).
Related Topic
• Configuring Local Server Certificates, page 18-14
Exporting Certificates
To[...]
Page 559
Step 2 Click Export to export the local certificate to a client machine.
Configuring Logs
Log records are generated for:
• Accounting messages
• AAA audit and diagnostics messages[...]
Page 560
Step 1 Select System Administration > Configuration > Log Configuration > Remote Log Targets.
The Remote Log Targets page appears.
Step 2 Do one of the following:
• Clic[...]
Page 561
Step 4 Click Submit.
The remote log target configuration is saved. The Remote Log Targets page appears with the new remote log target configuration.
Related Topic
• Deleting a Remote[...]
Page 562
Configuring the Local Log
Use the Local Configuration page to configure the maximum days to retain your local log data.
Step 1 Select System Administration > Configuration > Log[...]
Page 563
Configuring Global Logging Categories
To view and configure global logging categories:
Step 1 Select System Administration > Configuration > Log Configuration > Logging Categori[...]
Page 564
Step 6 Click Submit.
The Logging Categories page appears, with your configured logging category.
Administrative and operational audit messages include audit messages of the [...]
Page 565
Related Topic
• Configuring Per-Instance Logging Categories, page 18-29
• Viewing ADE-OS Logs, page 18-28
File-Management
• ACS_DELETE_CORE—ACS core files deleted
• ACS_D[...]
Page 566
Viewing ADE-OS Logs
The logs listed in Table 18-22 are written to the ADE-OS logs. From the ACS CLI, you can use the following command to view the ADE-OS logs:
show logging syste[...]
Page 567
Sep 29 06:28:28 cd-acs5-13-103 MSGCAT58004/admin: ACS Stopped
Sep 29 06:31:41 cd-acs5-13-103 MSGCAT58037/admin: Installing ACS
Sep 29 09:52:35 cd-acs5-13-103 MSGCAT58007: Killing Tomcat 32729
Sep [...]
Page 568
Configuring Per-Instance Security and Log Settings
You can configure the severity level and local log settings in a logging category configuration for a specific overridden or custo[...]
Page 569
Configuring Per-Instance Remote Syslog Targets
Use this page to configure remote syslog targets for logging categories.
Step 1 Select System Administration > Configuration > Log Config[...]
Page 570
Displaying Logging Categories
You can view a tree of configured logging categories for a specific ACS instance. In addition, you can configure a logging category's severity le[...]
Page 571
Configuring the Log Collector
Use the Log Collector page to select a log data collector and suspend or resume log data transmission.
Step 1 Select System Administration > Configuration[...]
Page 572
Licensing Overview
To operate ACS, you must install a valid license. ACS prompts you to install a valid base license when you first access the web interface. Each ACS insta[...]
Page 573
Related Topics
• Licensing Overview, page 18-34
• Installing a License File, page 18-35
• Viewing the Base License, page 18-36
• Adding Deployment License Files, page 1[...]
Page 574
Viewing the Base License
To upgrade the base license:
Step 1 Select System Administration > Configuration > Licensing > Base Server License.
The Base Serve[...]
Page 575
Related Topic
• Upgrading the Base Server License, page 18-37
Upgrading the Base Server License
You can upgrade the base server license.
Step 1 Select System Administration [...]
Page 576
Viewing License Feature Options
You can add, upgrade, or delete existing deployment licenses. The configuration pane at the top of the page shows the deployment [...]
Page 577
Adding Deployment License Files
To add a new base deployment license file:
Step 1 Select System Administration > Configuration > Licensing > Feature Options.
The F[...]
Page 578
Related Topics
• Licensing Overview, page 18-34
• Types of Licenses, page 18-34
• Installing a License File, page 18-35
• Viewing the Base License, page 1[...]
Page 579
Downloading Migration Utility Files
To download migration application files and the migration guide for ACS 5.4:
Step 1 Choose System Administration > Downloads > Migration Utilit[...]
Page 580
To download these sample scripts:
Step 1 Choose System Administration > Downloads > Sample Python Scripts.
The Sample Python Scripts page appears.
Step 2 Click one of t[...]
Page 581
CHAPTER 19
Understanding Logging
This chapter describes logging functionality in ACS 5.4. Administrators and users use the various management interfaces of ACS to perform different tasks. Using the administrative access control feature, you can a [...]
Page 582
Using Log Targets
You can specify to send customer log information to multiple consumers or Log Targets and specify whether the log messages are stored locally in text format or forwarded to syslog servers.[...]
Page 583
Note: For complex configuration items or attributes, such as policy or DACL contents, the new attribute value is reported as "New/Updated" and the audit does not contain the actual attribute value or[...]
Page 584
Each log message contains the following information:
• Event code—A unique message code.
• Logging category—Identifies the category to which a log message belongs.
• Severity level—Identifies the le [...]
Page 585
Local Store Target
Log messages in the local store are text files that are sent to one log file, located at /opt/CSCOacs/logs/localStore/, regardless of which logging category they belong to. The local store can [...]
Page 586
Table 19-2 Local Store and Syslog Message Format
Field: Description
timestamp: Date of the message generation, according to the local clock of the originating ACS, in the format YYYY-MM-DD hh:mm:ss:xxx +/-zh[...]
Page 587
You can use the web interface to configure the number of days to retain local store log files; however, the default setting is to purge data when it exceeds 5 MB or each day, whichever limit is first attained. [...]
Page 588
When you configure a critical log target, and a message is sent to that critical log target, the message is also sent to the configured noncritical log target on a best-effort basis.
• When you configure a critica[...]
Page 589
Table 19-3 Remote Syslog Message Header Format
Field: Description
pri_num: Priority value of the message; a combination of the facility value and the severity value of the message. Priority value = (facility valu[...]
Page 590
The syslog message data or payload is the same as the Local Store Message Format, which is described in Table 19-2.
The remote syslog server targets are identified by the facility code names LOCAL0 to LOCAL7[...]
Page 591
The Monitoring and Report Viewer has two drawer options:
• Monitoring and Reports—Use this drawer to view and configure alarms, view log reports, and perform troubleshooting tasks.
• Monitoring Con[...]
Page 592
ACS 4.x Versus ACS 5.4 Logging
If you are familiar with the logging functionality in ACS 4.x, ensure that you familiarize yourself with the logging functionality of ACS 5.4, which is considerably [...]
Page 593
Configuration
Use the System Configuration > Logging page to define:
• Loggers and individual logs
• Critical loggers
• Remote logging
• CSV log file
• Syslog log
• ODBC log
See Config[...]
Page 594
[...]
Page 595
APPENDIX A
AAA Protocols
This section contains the following topics:
• Typical Use Cases, page A-1
• Access Protocols—TACACS+ and RADIUS, page A-5
• Overview of TACACS+, page A-5
• Overview of RADIUS, page A-6
Typical Use Cases
This section conta[...]
Page 596
Session Access Requests (Device Administration [TACACS+])
Note: The numbers refer to Figure A-1 on page A-1.
For session request:
1. An administrator logs into a network device.
2. The network device sends a TACACS+ acces[...]
Page 597
– EAP protocols that involve a TLS handshake and in which the client uses the ACS server certificate to perform server authentication: PEAP, using one of the following inner methods: PEAP/EAP-MSCHAPv2 and PEAP/EAP[...]
Page 598
– EAP-FAST/EAP-MSCHAPv2
– EAP-FAST/EAP-GTC
• EAP methods that use certificates for both server and client authentication
– EAP-TLS
– PEAP/EAP-TLS
Whenever EAP is involved in the authentication process, i[...]
Page 599
Access Protocols—TACACS+ and RADIUS
This section contains the following topics:
• Overview of TACACS+, page A-5
• Overview of RADIUS, page A-6
ACS 5.4 can use the TACACS+ and RADIUS access pr[...]
Page 600
Overview of RADIUS
This section contains the following topics:
• RADIUS VSAs, page A-6
• ACS 5.4 as the AAA Server, page A-7
• RADIUS Attribute Support in ACS 5.4, page A-8
• RADIUS Access Requests, page A-11
RAD[...]
Page 601
ACS 5.4 as the AAA Server
A AAA server is a server program that handles user requests for access to computer resources, and for an enterprise, provides AAA services. The AAA server typically interacts with network acc[...]
Page 602
RADIUS Attribute Support in ACS 5.4
ACS 5.4 supports the RADIUS protocol as RFC 2865 describes.
ACS 5.4 supports the following types of RADIUS attributes:
• IETF RADIUS attributes
• Generic and Cisco VSAs
• Oth[...]
Page 603
Authentication
ACS supports various authentication protocols transported over RADIUS. The supported protocols that do not include EAP are:
• PAP
• CHAP
• MSCHAPv1
• MSCHAPv2
In addition, various EAP-based pro[...]
Page 604
Administrator can configure the attribute operation clause for a specific proxy access service. When this service is selected, ACS performs the operation on the access request and forwards the updated access r[...]
Page 605
• If the Multiple attributes are allowed, then the update operation removes all the occurrences of this attribute and adds one attribute with a new value.
Example: Login-IP-Host – attribute Multiple allowed: On t[...]
Page 606
When the RADIUS server receives the access-request from the NAD, it searches a database for the username. Depending on the result of the database query, an accept or reject is sent. A text message can ac[...]
Page 607
APPENDIX B
Authentication in ACS 5.4
Authentication verifies user information to confirm the user's identity. Traditional authentication uses a name and a fixed password. More secure methods use cryptographic techniques, such as those used [...]
Page 608
This appendix describes the following:
• RADIUS-based authentication that does not include EAP:
– PAP, page B-2
– CHAP, page B-32
– MSCHAPv1
– EAP-MSCHAPv2, page B-30
• EAP family of protocols transported [...]
Page 609
RADIUS PAP Authentication
You can use different levels of security concurrently with ACS for different requirements. PAP applies a two-way handshaking procedure. If authentication succeeds, ACS returns an acknowledge[...]
Page 610
In ACS 5.4, EAP is encapsulated in the RADIUS protocol. Incoming and outgoing EAP messages are stored in a RADIUS EAP-Message attribute (79). A single RADIUS packet can contain multiple EAP-Message attributes when th[...]
Page 611
B-5 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 EAP-MD5 ACS supports full EAP infrastructure, including EAP type negotiation, message sequencing and message retransmission. All protocols support fragmentation of big messages. In ACS 5.4, you configure EAP methods fo[...]
Page 612
B-6 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 EAP-TLS Overview of EAP-TLS EAP-TLS is one of the methods in the EAP authentication framework, and is based on the 802.1x and EAP architecture. Components involved in the 802.1x and EAP authentication process are the: • Ho[...]
Page 613
B-7 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 EAP-TLS • Using a third-party signature, usually from a CA, that verifies the information in a certificate. This third-party binding is similar to the real-world equivalent of the stamp on a passport. You trust the passport b[...]
Page 614
B-8 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 EAP-TLS You can configure the timeout for each session in the cache, for each protocol individually. The lifetime of a session is measured from the beginning of the conversation and is determined when the TLS session [...]
Page 615
B-9 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 EAP-TLS For HTTPS, SFTP, SSH and ActiveMQ, auto-generated self-signed certificates can be used as the means for server authentication. Fixed Management Certificates ACS generates and uses self-signed certificates to ide[...]
Page 616
B-10 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 EAP-TLS • Initial Self-Signed Certificate Generation, page B-10 • Certificate Generation, page B-10 Importing the ACS Server Certificate When you manually import an ACS server certificate you must supply the certificate f[...]
Page 617
B-11 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 EAP-TLS There are two types of certificate generation: • Self-signing certificate generation—ACS supports generation of an X.509 certificate and a PKCS#12 private key. The passphrase used to encrypt the priv [...]
Page 618
B-12 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 EAP-TLS Credentials Distribution All certificates are kept in the ACS database which is distributed and shared between all ACS nodes. The ACS server certificates are associated and designated for a specific node, which uses [...]
Page 619
B-13 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 EAP-TLS Private Keys and Passwords Backup The entire ACS database is distributed and backed-up on the primary ACS along with all the certificates, private-keys and the encrypted private-key-passwords. The private-key-pa[...]
Page 620
B-14 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 PEAPv0/1 Note All communication between the host and ACS goes through the network device. EAP-TLS authentication fails if the: • Server fails to verify the client’s certificate, and rejects EAP-TLS authentication. •[...]
Page 621
B-15 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 PEAPv0/1 • Cisco AC 3.x • Funk Odyssey Access Client 4.0.2 and 5.x • Intel Supplicant 12.4.x Overview of PEAP PEAP is a client-server security architecture that you use to encrypt EAP transactions, thereby protec [...]
Page 622
B-16 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 PEAPv0/1 • Fast Reconnect, page B-16 • Session Resume, page B-16 • Protected Exchange of Arbitrary Parameters, page B-17 • Cryptobinding TLV Extension, page B-17 Server Authenticated and Unauthenticated Tunnel Estab[...]
Page 623
B-17 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 PEAPv0/1 Protected Exchange of Arbitrary Parameters TLV tuples provide a way to exchange arbitrary information between the peer and ACS within a secure channel. Cryptobinding TLV Extension The cryptobinding TLV extensio [...]
Page 624
B-18 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 PEAPv0/1 Figure B-3 PEAP Processing Flow Creating the TLS Tunnel The following describes the process for creating the TLS tunnel: Phase 1 Phase 2 User authentication credentials are sent through TLS Tunnel again using EAP.[...]
Page 625
B-19 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 EAP-FAST Authenticating with MSCHAPv2 After the TLS tunnel is created, follow these steps to authenticate the wireless client credentials with MSCHAPv2: At the end of this mutual authentication exchange, the wireless client h[...]
Page 626
B-20 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 EAP-FAST EAP-FAST is a client-server security architecture that encrypts EAP transactions with a TLS tunnel. While similar to PEAP in this respect, it differs significantly in that EAP-FAST tunnel establishment is based on stro[...]
Page 627
B-21 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 EAP-FAST EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one, however, whether the username is protected during phase[...]
Page 628
B-22 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 EAP-FAST • ACS-Supported Features for PACs, page B-25 • Master Key Generation and PAC TTLs, page B-27 • EAP-FAST for Allow TLS Renegotiation, page B-27 About Master-Keys EAP-FAST master-keys are strong secrets tha[...]
Page 629
B-23 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 EAP-FAST Provisioning Modes ACS supports out-of-band and in-band provisioning modes. The in-band provisioning mode operates inside a TLS tunnel raised by Anonymous DH or Authenticated DH or RSA algorithm for key agreement. [...]
Page 630
B-24 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 EAP-FAST The various means by which an end-user client can receive PACs are: • PAC provisioning—Required when an end-user client has no PAC. For more information about how master-key and PAC states determine wh[...]
Page 631
B-25 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 EAP-FAST To control whether ACS performs Automatic In-Band PAC Provisioning, use the options on the Global System Options pages in the System Administration drawer. For more information, see EAP-FAST, page B-19. Manual [...]
Page 632
B-26 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 EAP-FAST The proactive PAC update time is configured for the ACS server in the Allowed Protocols Page. This mechanism allows the client to be always updated with a valid PAC. Note There is no proactive PAC update for Machi[...]
Page 633
B-27 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 EAP-FAST Master Key Generation and PAC TTLs The values for master key generation and PAC TTLs determine their states, as described in About Master-Keys, page B-22 and Types of PACs, page B-23. Master key and PAC states det[...]
Page 634
B-28 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 EAP-FAST For information about how master key generation and PAC TTL values determine whether PAC provisioning or PAC refreshing is required, see Master Key Generation and PAC TTLs, page B-27. Step 3 Determine whet[...]
Page 635
B-29 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 EAP-FAST • PAC Migration from ACS 4.x, page B-29 Key Distribution Algorithm The common seed-key is a relatively large and a completely random buffer that is generated by the primary ACS server. The seed-key is [...]
Page 636
B-30 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 EAP Authentication with RADIUS Key Wrap • A list of retired ACS 4.x master-keys. The list is taken from the ACS 4.x configuration and placed in a new table in ACS 5.4. Each migrated master-key is associated with its expe[...]
Page 637
B-31 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 EAP-MSCHAPv2 Overview of EAP-MSCHAPv2 Some of the specific members of the EAP family of authentication protocols, specifically EAP-FAST and PEAP, support the notion of an “EAP inner method.” This means that another EAP-ba[...]
Page 638
B-32 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 CHAP EAP-MSCHAPv2 Flow in ACS 5.4 Components involved in the 802.1x and MSCHAPv2 authentication process are the: • Host—The end entity, or end user’s machine. • AAA client—The network access point. • Authenticati[...]
Page 639
B-33 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 Certificate Attributes • Subject’s ST attribute (State Province) • Subject’s E attribute (eMail) • Subject’s SN attribute (Subject Serial Number) • Issuer I attribute • SAN (Subject Alternative Name) Y[...]
Page 640
B-34 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 Certificate Attributes • Subject's ST attribute (State Province) • Subject's E attribute (eMail) • Subject's SN attribute (Subject Serial Number) • Issuer I attribute • SAN (Subject Alternative N[...]
Page 641
B-35 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 Machine Authentication The configuration of URLs and their association to CA's is distributed to the entire ACS domain. The downloaded CRLs are not distributed and are autonomously populated in parallel in each ACS server.[...]
Page 642
B-36 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 Authentication Protocol and Identity Store Compatibility Related Topics • Microsoft AD, page 8-41 • Managing External Identity Stores, page 8-22 Authentication Protocol and Identity Store Compatibility ACS supports va[...]
Page 643
B-37 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 Authentication Protocol and Identity Store Compatibility[...]
Page 644
B-38 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix B Authentication in ACS 5.4 Authentication Protocol and Identity Store Compatibility[...]
Page 645
C-1 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 APPENDIX C Open Source License Acknowledgements See http://www.cisco.com/en/US/products/ps9911/products_licensing_information_listing.html for all the Open Source and Third Party Licenses used in Cisco Secure Access Control System, 5.4. Notices The [...]
Page 646
C-2 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix C Open Source License Acknowledgements Notices 4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contac[...]
Page 647
C-3 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix C Open Source License Acknowledgements 4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson ([...]
Page 648
C-4 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Appendix C Open Source License Acknowledgements[...]
Page 649
GL-1 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 GLOSSARY A AAA Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These c[...]
Page 650
Glossary GL-2 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 accounts The capability of ACS to record user sessions in a log file. ACS System Administrators Administrators with different access privileges defined under the System Configuration section of the ACS web interface. They administer and man [...]
Page 651
Glossary GL-3 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 authenticity The validity and conformance of the original information. authorization The approval, permission, or empowerment for someone or something to do something. authorization profile The basic "permissions container" for a RADIUS-ba[...]
Page 652
Glossary GL-4 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 certificate-based authentication The use of Secure Sockets Layer (SSL) and certificates to authenticate and encrypt HTTP traffic. certificate Digital representation of user or device attributes, including a public key, that is signed with an authori[...]
Page 653
Glossary GL-5 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 configuration management The process of establishing a known baseline condition and managing it. cookie Data exchanged between an HTTP server and a browser (a client of the server) to store state information on the client side and retrieve it lat[...]
Page 654
Glossary GL-6 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 D daemon A program which is often started at the time the system boots and runs continuously without intervention from any of the users on the system. The daemon program forwards the requests to other programs (or processes) as appropriate. The te[...]
Page 655
Glossary GL-7 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 digital envelope An encrypted message with the encrypted session key. digital signature A hash of a message that uniquely identifies the sender of the message and proves the message hasn't changed since transmission. DSA digital signature algori [...]
Page 656
Glossary GL-8 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 dumpsec A security tool that dumps a variety of information about a system's users, file system, registry, permissions, password policy, and services. DLL Dynamic Link Library. A collection of small programs, any of which can be called when needed [...]
Page 657
Glossary GL-9 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 EAP Extensible Authentication Protocol. A protocol for wireless networks that expands on authentication methods used by the PPP (Point-to-Point Protocol), a protocol often used when connecting a computer to the Internet. EAP can support multiple authen[...]
Page 658
Glossary GL-10 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 G gateway A network point that acts as an entrance to another network. global system options Configuring TACACS+, EAP-TTLS, PEAP, and EAP-FAST runtime characteristics and generating EAP-FAST PAC. H hash functions Used to generate a one way &q[...]
Page 659
Glossary GL-11 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 I I18N Internationalization and localization are means of adapting software for non-native environments, especially other nations and cultures. Internationalization is the adaptation of products for potential use virtually everywhere, while loc[...]
Page 660
Glossary GL-12 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 ISO International Organization for Standardization, a voluntary, non-treaty, non-government organization, established in 1947, with voting members that are designated standards bodies of participating nations and non-voting observer organizations[...]
Page 661
Glossary GL-13 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 M MAC Address A physical address; a numeric value that uniquely identifies that network device from every other device on the planet. matchingRule (LDAP) The method by which an attribute is compared in a search operation. A matchingRule is an ASN.1 [...]
Page 662
Glossary GL-14 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 PI (Programmatic Interface) The ACS PI is a programmatic interface that provides external applications the ability to communicate with ACS to configure and operate ACS; this includes performing the following operations on ACS objects: create, upda[...]
Page 663
Glossary GL-15 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 R RDN (LDAP) The Relative Distinguished Name (frequently but incorrectly written as Relatively Distinguished Name). The name given to an attribute(s) that is unique at its level in the hierarchy. RDNs may be single valued or multi-valued in which case t[...]
Page 664
Glossary GL-16 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Schema (LDAP) A package of attributes and object classes that are sometimes (nominally) related. The schema(s) in which the object classes and attributes that the application will use (reference) are packaged are identified to the LDAP server[...]
Page 665
Glossary GL-17 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 SOAP (Simple Object Access Protocol) A lightweight XML-based protocol for exchange of information in a decentralized, distributed environment. SOAP consists of three parts: an envelope that defines a framework for describing what is in a m[...]
Page 666
Glossary GL-18 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 U UDP User Datagram Protocol. A communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP). URL Uniform Resource Locator. The unique address[...]
Page 667
Glossary GL-19 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 X X.509 A standard for public key infrastructure. X.509 specifies, amongst other things, standard formats for public key certificates and a certification path validation algorithm. XML (eXtensible Markup Language) XML is a flexible way to create commo[...]
Page 668
Glossary GL-20 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01[...]
Page 669
IN-1 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 INDEX Symbols ! formatting symbol 13-34 % operator 13-61 & formatting symbol 13-34 & operator 13-61 * operator 13-61 + operator 13-61 / operator 13-61 <= operator 13-61 <> operator 13-61 < formatting symbol 13-34 < operator 13-61 = operator [...]
Page 670
Index IN-2 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 Arrange Columns dialog 13-42 ascending sort order 13-47 AVERAGE function 13-54 Average function 13-64 averages 13-54, 13-57, 13-60, 13-64 B background colors 13-39 Between condition 13-69, 13-74 BETWEEN function 13-54 Between operator 13-38 blank charact[...]
Page 671
Index IN-3 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 formatting data and 13-37 context menus 13-21 conversions 13-34 COUNT_DISTINCT function 13-54 COUNT function 13-54 Count function 13-64 Count Value function 13-64 creating aggregate rows 13-65, 13-66 calculated columns 13-52, 13-61 data filters 13-69, 13-7[...]
Page 672
Index IN-4 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 downloads 18-40 duplicate values 13-67, 13-68 E EAP-FAST enabling B-27 identity protection B-21 logging B-20 master keys definition B-22 PAC automatic provisioning B-24 definition B-22 manual provisioning B-25 refresh B-27 phases B-20 EAP-FAST settings c[...]
Page 673
Index IN-5 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 G General Date format option 13-31 General Number format option 13-31 Go to page pick list 13-22 Greater Than condition 13-70 greater than operator 13-61 Greater Than or Equal to condition 13-70 greater than or equal to operator 13-61 Group Detail dialo[...]
Page 674
Index IN-6 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 locales creating charts and 13-78 customizing formats for 13-30, 13-32, 13-35 locating text values 13-55, 13-59 logical operators 13-61 Long Date format option 13-31 Long Time format option 13-31 lowercase characters 13-57 Lowercase format option 13-31 L[...]
Page 675
Index IN-7 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 numeric data types 13-31 numeric expressions 13-61, 13-62 numeric values 13-24, 13-33 O opening exported data files 13-25 Interactive Viewer 13-21 operators 13-38, 13-61 OR operator 13-61, 13-75 P PAC automatic provisioning B-24 definition B-22 manual provisi[...]
Page 676
Index IN-8 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 report viewers 13-21 resizing columns 13-24, 13-29 RIGHT function 13-58 ROUNDDOWN function 13-59 ROUND function 13-58 rounding 13-54, 13-58 ROUNDUP function 13-59 row-by-row comparisons 13-55 rows 13-67, 13-68 RUNNING SUM function 13-59 running totals 13[...]
Page 677
Index IN-9 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 time data types 13-31 time formats 13-31, 13-35 timesaver, description of ii-xxiv time stamps 13-57, 13-59 time values 13-35, 13-50 TODAY function 13-59 Top N condition 13-70 Top Percent condition 13-70 totals 13-37, 13-59, 13-64 trailing characters 13-59 TRIM [...]
Page 678
Index IN-10 User Guide for Cisco Secure Access Control System 5.4 OL-26225-01 X x-axis values 13-76 Y y-axis values 13-76 YEAR function 13-60[...]