
Cisco Systems OL-24201-01 user manual

A good user manual

The rules oblige the seller to supply the buyer, together with the goods, with the user manual for the Cisco Systems OL-24201-01. A missing user manual, or incorrect information supplied to the consumer, is grounds for a complaint if the device does not conform to the contract. By law, the user manual may be supplied in a form other than paper, which has become common recently, including a graphic or electronic version of the Cisco Systems OL-24201-01 manual or instructional videos for users. The condition is that it be legible and comprehensible.

What is a user manual?

The word derives from the Latin "instructio", that is, to arrange. Thus the Cisco Systems OL-24201-01 user manual describes the stages of a procedure. The purpose of a user manual is to instruct, and to make starting up and using the equipment, or carrying out particular actions, easier. The manual is a collection of information about the product or service, a set of hints.

Unfortunately, few users take the time to read the user manual, yet a good manual not only lets you discover a number of additional features of the device you bought, but also helps you avoid most failures.

So what should the perfect manual contain?

First of all, the Cisco Systems OL-24201-01 user manual should contain:
- information on the technical data of the Cisco Systems OL-24201-01 device
- the manufacturer's name and the year of manufacture of the Cisco Systems OL-24201-01
- instructions for the use, adjustment and maintenance of the Cisco Systems OL-24201-01 equipment
- safety markings and certificates confirming compliance with the relevant standards

Why don't we read user manuals?

Generally this is due to a lack of time and of certainty about the specific functionality of the equipment purchased. Unfortunately, connecting and starting up the Cisco Systems OL-24201-01 is not enough. This manual contains a series of guidelines on specific functions, on safety, on maintenance methods (including which products should be used), on possible defects of the Cisco Systems OL-24201-01 and on ways to solve the most common problems during use. Finally, the manual contains the contact details of Cisco Systems service in case the proposed solutions prove ineffective. Nowadays, user manuals in the form of engaging animations and instructional videos, which are better than a brochure, attract considerable interest. This type of manual lets the user watch the whole instructional video without skipping the specific and complicated technical descriptions of the Cisco Systems OL-24201-01, as happens with the paper version.

Why read the user manual?

First of all, it contains the answers about the structure and the capabilities of the Cisco Systems OL-24201-01 device, the use of various accessories and a range of information for making full use of all of its features and services.

After successfully purchasing the equipment or device, take a moment to familiarize yourself with every part of the Cisco Systems OL-24201-01 user manual. Nowadays manuals are carefully prepared and translated so as to be comprehensible not only to users, but to fulfil their basic function of information and assistance.

Contents of the user manual

  • Page 1

    Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 User Guide for Cisco Secure Access Control System 5.3 April 2014 Text Part Number: OL-24201-01[...]

  • Page 2

    THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRO[...]

  • Page 3

    iii User Guide for Cisco Secure Access Control System 5.3 OL-24201-01. CONTENTS: Preface xxiii Audience xxiii Document Conventions xxiii Documentation Updates xxiv Related Documentation xxiv Obtaining Documentation and Submitting a Service Request xxv CHAPTER 1 Introducing ACS 5.3 1-1 Overview of ACS 1-1 ACS Distributed Deployment 1-2 ACS 4.x and 5.[...]

  • Page 4

    Contents (iv): Policy Terminology 3-3 Simple Policies 3-4 Rule-Based Policies 3-4 Types of Policies 3-5 Access Services 3-6 Identity Policy 3-9 Group Mapping Policy 3-11 Authorization Policy for Device Administration 3-11 Processing Rules with Multiple Command Sets 3-11 Exception Auth[...]

  • Page 5

    Contents (v): Agentless Network Access 4-12 Overview of Agentless Network Access 4-12 Host Lookup 4-13 Authentication with Call Check 4-14 Process Service-Type Call Check 4-15 PAP/EAP-MD5 Authentication 4-15 Agentless Network Access Flow 4-16 Adding a Host to an Internal Identity Store[...]

  • Page 6

    Contents (vi): My Account Page 5-2 Using the Web Interface 5-3 Accessing the Web Interface 5-3 Logging In 5-4 Logging Out 5-5 Understanding the Web Interface 5-5 Web Interface Design 5-6 Navigation Pane 5-7 Content Area 5-8 Importing and Exporting ACS Objects through the Web Interface[...]

  • Page 7

    Contents (vii): Exporting Network Devices and AAA Clients 7-7 Performing Bulk Operations for Network Resources and Users 7-8 Exporting Network Resources and Users 7-10 Creating, Duplicating, and Editing Network Devices 7-10 Configuring Network Device and AAA Clients 7-11 Displaying N[...]

  • Page 8

    Contents (viii): Authentication Using LDAP 8-20 Multiple LDAP Instances 8-20 Failover 8-21 LDAP Connection Management 8-21 Authenticating a User Using a Bind Connection 8-21 Group Membership Information Retrieval 8-22 Attributes Retrieval 8-23 Certificate Retrieval 8-23 Creating Exter[...]

  • Page 9

    Contents (ix): Groups and Attributes Mapping 8-58 RADIUS Identity Store in Identity Sequence 8-59 Authentication Failure Messages 8-59 Username Special Format with Safeword Server 8-59 User Attribute Cache 8-60 Creating, Duplicating, and Editing RADIUS Identity Servers 8-60 Configurin[...]

  • Page 10

    Contents (x): Deleting an Authorizations and Permissions Policy Element 9-32 Configuring Security Group Access Control Lists 9-33 CHAPTER 10 Managing Access Policies 10-1 Policy Creation Flow 10-1 Network Definition and Policy Goals 10-2 Policy Elements in the Policy Creation Flow[...]

  • Page 11

    Contents (xi): Deleting Policy Rules 10-39 Configuring Compound Conditions 10-40 Compound Condition Building Blocks 10-40 Types of Compound Conditions 10-41 Using the Compound Expression Builder 10-44 Security Group Access Control Pages 10-45 Egress Policy Matrix Page 10-45 Editing a C[...]

  • Page 12

    Contents (xii): Understanding Alarm Schedules 12-9 Creating and Editing Alarm Schedules 12-9 Assigning Alarm Schedules to Thresholds 12-10 Deleting Alarm Schedules 12-11 Creating, Editing, and Duplicating Alarm Thresholds 12-11 Configuring General Threshold Information 12-13 Con[...]

  • Page 13

    Contents (xiii): Running Catalog Reports 13-11 Deleting Catalog Reports 13-13 Running Named Reports 13-13 Understanding the Report_Name Page 13-15 Enabling RADIUS CoA Options on a Device 13-18 Changing Authorization and Disconnecting Active RADIUS Sessions 13-18 Customizing Reports 1[...]

  • Page 14

    Contents (xiv): Organizing Report Data 13-41 Displaying and Organizing Report Data 13-41 Reordering Columns in Interactive Viewer 13-42 Removing Columns 13-43 Hiding or Displaying Report Items 13-44 Hiding Columns 13-44 Displaying Hidden Columns 13-45 Merging Columns 13-45 Select[...]

  • Page 15

    Contents (xv): Modifying Charts 13-76 Filtering Chart Data 13-76 Changing Chart Subtype 13-77 Changing Chart Formatting 13-77 CHAPTER 14 Troubleshooting ACS with the Monitoring & Report Viewer 14-1 Available Diagnostic and Troubleshooting Tools 14-1 Connectivity Tests 14-1 ACS S[...]

  • Page 16

    Contents (xvi): Configuring System Alarm Settings 15-17 Configuring Alarm Syslog Targets 15-17 Configuring Remote Database Settings 15-17 CHAPTER 16 Managing System Administrators 16-1 Understanding Administrator Roles and Accounts 16-2 Understanding Authentication 16-3 Configuri[...]

  • Page 17

    Contents (xvii): Viewing and Editing a Primary Instance 17-9 Viewing and Editing a Secondary Instance 17-13 Deleting a Secondary Instance 17-13 Activating a Secondary Instance 17-14 Registering a Secondary Instance to a Primary Instance 17-14 Deregistering Secondary Instances from [...]

  • Page 18

    Contents (xviii): Configuring Local Server Certificates 18-14 Adding Local Server Certificates 18-14 Importing Server Certificates and Associating Certificates to Protocols 18-15 Generating Self-Signed Certificates 18-16 Generating a Certificate Signing Request 18-17 Binding CA Sign[...]

  • Page 19

    Contents (xix): Using Log Targets 19-2 Logging Categories 19-2 Global and Per-Instance Logging Categories 19-4 Log Message Severity Levels 19-4 Local Store Target 19-5 Critical Log Target 19-7 Remote Syslog Server Target 19-8 Monitoring and Reports Server Target 19-10 Viewing Log Mess[...]

  • Page 20

    Contents (xx): Overview of EAP-TLS B-6 User Certificate Authentication B-6 PKI Authentication B-7 PKI Credentials B-8 PKI Usage B-8 Fixed Management Certificates B-9 Importing Trust Certificates B-9 Acquiring Local Certificates B-9 Importing the ACS Server Certificate B-10 Initial Self[...]

  • Page 21

    Contents (xxi): EAP Authentication with RADIUS Key Wrap B-29 EAP-MSCHAPv2 B-30 Overview of EAP-MSCHAPv2 B-30 MSCHAPv2 for User Authentication B-30 MSCHAPv2 for Change Password B-30 Windows Machine Authentication Against AD B-31 EAP-MSCHAPv2 Flow in ACS 5.3 B-31 CHAP B-31 LEAP B-31 Cer[...]

  • Page 22

    Contents (xxii)[...]

  • Page 23

    1, Preface: Revised: April 17, 2014. This guide describes how to use Cisco Secure Access Control System (ACS) 5.3. Audience: This guide is for security administrators who use ACS, and who set up and maintain network and application security. Document Conventions: This guide uses [...]

  • Page 24

    2, Preface: Caution means reader be careful. You are capable of doing something that might result in equipment damage or loss of data. Timesaver means the described action saves time. You can save time by performing the action described in the paragraph. Note means[...]

  • Page 25

    3, Preface: Note: We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates. Obtaining Documentation and Submitting a Service Request: For information on obtaining doc[...]

  • Page 26

    4, Preface[...]

  • Page 27

    1-1, Chapter 1 Introducing ACS 5.3: This section contains the following topics: • Overview of ACS, page 1-1 • ACS Distributed Deployment, page 1-2 • ACS Management Interfaces, page 1-3. Overview of ACS: ACS is a policy-based security server that provides standards-comp[...]

  • Page 28

    1-2, Chapter 1 Introducing ACS 5.3, ACS Distributed Deployment: ACS provides advanced monitoring, reporting, and troubleshooting tools that help you administer and manage your ACS deployments. For more information on the monitoring, reporting, and troubleshooting capabiliti[...]

  • Page 29

    1-3, Chapter 1 Introducing ACS 5.3, ACS Licensing Model: ACS 4.x did not provide incremental replication, only full replication, and there was service downtime for replication. ACS 5.3 provides incremental replications with no service downtime. You can also force a full repl[...]

  • Page 30

    1-4, Chapter 1 Introducing ACS 5.3, ACS Management Interfaces: ACS Web-based Interface. You can use the ACS web-based interface to fully configure your ACS deployment, and perform monitoring and reporting operations. The web interface provides a consistent user experience, re[...]

  • Page 31

    1-5, Chapter 1 Introducing ACS 5.3, Hardware Models Supported by ACS: For information about using the CLI, see the Command Line Interface Reference Guide for Cisco Secure Access Control System 5.3. Related Topic • ACS Web-based Interface, page 1-4. ACS Programmatic Interfaces [...]

  • Page 32

    1-6, Chapter 1 Introducing ACS 5.3, Hardware Models Supported by ACS[...]

  • Page 33

    2-1, Chapter 2 Migrating from ACS 4.x to ACS 5.3: ACS 4.x stores policy and authentication information, such as TACACS+ command sets, in the user and user group records. In ACS 5.3, policy and authentication information are independent shared components that you use as b[...]

  • Page 34

    2-2, Chapter 2 Migrating from ACS 4.x to ACS 5.3, Overview of the Migration Process: The Migration utility completes the data migration process in two phases: • Analysis and Export • Import. In the Analysis and Export phase, you identify the obje[...]

  • Page 35

    2-3, Chapter 2 Migrating from ACS 4.x to ACS 5.3, Before You Begin: Note: You must install the latest patch for the supported migration versions listed here. Also, if you have any other version of ACS 4.x installed, you must upgrade to one of the supported versions and insta[...]

  • Page 36

    2-4, Chapter 2 Migrating from ACS 4.x to ACS 5.3, Migrating from ACS 4.x to ACS 5.3: • User-Defined Fields (from the Interface Configuration section) • User Groups • Shared Shell Command Authorization Sets • User TACACS+ Shell Exec Attributes (migrated to user attributes)[...]

  • Page 37

    2-5, Chapter 2 Migrating from ACS 4.x to ACS 5.3, Functionality Mapping from ACS 4.x to ACS 5.3: In ACS 5.3, you define authorizations, shell profiles, attributes, and other policy elements as independent, reusable objects, and not as[...]

  • Page 38

    2-6, Chapter 2 Migrating from ACS 4.x to ACS 5.3, Functionality Mapping from ACS 4.x to ACS 5.3: Command sets (command authorization sets). One of the following: • Shared Profile Components > Command Authorization Set • User Setup page • Group Setup page. Policy Elements >[...]

  • Page 39

    2-7, Chapter 2 Migrating from ACS 4.x to ACS 5.3, Common Scenarios in Migration: The following are some of the common scenarios that you encounter while migrating to ACS 5.3: • Migrating from ACS 4.2 on CSACS 1120 to ACS 5.3, page 2-7 • Migratin[...]

  • Page 40

    2-8, Chapter 2 Migrating from ACS 4.x to ACS 5.3, Common Scenarios in Migration: Migrating from ACS 3.x to ACS 5.3. If you have ACS 3.x deployed in your environment, you cannot directly migrate to ACS 5.3. You must do the following: Step 1 Upgrade to a migration-supported versi[...]

  • Page 41

    2-9, Chapter 2 Migrating from ACS 4.x to ACS 5.3, Common Scenarios in Migration: Step 3 Perform bulk import of data into ACS 5.3. For more information on performing bulk import of ACS objects, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/[...]

  • Page 42

    2-10, Chapter 2 Migrating from ACS 4.x to ACS 5.3, Common Scenarios in Migration[...]

  • Page 43

    3-1, Chapter 3 ACS 5.x Policy Model: ACS 5.x is a policy-based access control system. The term policy model in ACS 5.x refers to the presentation of policy elements, objects, and rules to the policy administrator. ACS 5.x uses a rule-based policy model instead of the gr[...]

  • Page 44

    3-2, Chapter 3 ACS 5.x Policy Model, Overview of the ACS 5.x Policy Model: For example, we use the information described for the group-based model: If identity-condition, restriction-condition then authorization-profile. In ACS 5.3, you define conditions and results as globa[...]

  • Page 45

    3-3, Chapter 3 ACS 5.x Policy Model, Overview of the ACS 5.x Policy Model: Policy Terminology. Table 3-2 describes the rule-based policy terminology. Table 3-2 Rule-Based Policy Terminology. Term, Description. Access service: Sequential set of policies used to process access r[...]

  • Page 46

    3-4, Chapter 3 ACS 5.x Policy Model, Overview of the ACS 5.x Policy Model: Simple Policies. You can configure all of your ACS policies as rule-based policies. However, in some cases, you can choose to configure a simple policy, which selects a single result to apply to all r[...]

  • Page 47

    3-5, Chapter 3 ACS 5.x Policy Model, Overview of the ACS 5.x Policy Model: Types of Policies. Table 3-3 describes the types of policies that you can configure in ACS. The policies are listed in the order of their evaluation; any attributes that a policy retrieves can be us[...]

  • Page 48

    3-6, Chapter 3 ACS 5.x Policy Model, Access Services: Access services are fundamental constructs in ACS 5.x that allow you to configure access policies for users and devices that connect to the network and for network administrators who administer network devices[...]

  • Page 49

    3-7, Chapter 3 ACS 5.x Policy Model, Access Services: Table 3-5 describes an example of a set of access services. Table 3-6 describes a service selection policy. If ACS 5.3 receives a TACACS+ access request, it applies Access Service A, which authenticates the request[...]

  • Page 50

    3-8, Chapter 3 ACS 5.x Policy Model, Access Services: ACS accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS and TACACS+ servers in ACS for ACS to forward requests to them. You can define the timeout period and the number [...]

  • Page 51

    3-9, Chapter 3 ACS 5.x Policy Model, Access Services: ACS can simultaneously act as a proxy server to multiple external RADIUS and TACACS+ servers. For ACS to act as a proxy server, you must configure a RADIUS or TACACS+ proxy service in ACS. See Configuring General Acce[...]

  • Page 52

    3-10, Chapter 3 ACS 5.x Policy Model, Access Services: • Identity Sequence—Sequences of the identity databases. The sequence is used for authentication and, if specified, an additional sequence is used to retrieve only attributes. You can select multiple identity methods as[...]

  • Page 53

    3-11, Chapter 3 ACS 5.x Policy Model, Access Services: Group Mapping Policy. The identity group mapping policy is a standard policy. Conditions can be based on attributes or groups retrieved from the external attribute stores only, or from certificates, and the result is an i[...]

  • Page 54

    3-12, Chapter 3 ACS 5.x Policy Model, Service Selection Policy: Related Topics • Policy Terminology, page 3-3 • Authorization Profiles for Network Access, page 3-16. Exception Authorization Policy Rules. A common real-world problem is that, in day-to-day operations, you often ne[...]

  • Page 55

    3-13, Chapter 3 ACS 5.x Policy Model, Service Selection Policy: Rules-Based Service Selection. In the rules-based service selection mode, ACS decides which access service to use based on various configurable options. Some of them are: • AAA Protocol—The protocol used for the requ[...]

  • Page 56

    3-14, Chapter 3 ACS 5.x Policy Model, Service Selection Policy: In this example, instead of creating the network access policy for 802.1x, agentless devices, and guest access in one access service, the policy is divided into three access services. First-Match Rule Tables. ACS 5.3 pro[...]

  • Page 57

    3-15, Chapter 3 ACS 5.x Policy Model, Service Selection Policy: The default rule specifies the policy result that ACS uses when no other rules exist, or when the attribute values in the access request do not match any rules. ACS evaluates a set of rules in the first-match rule [...]
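The rules-based service selection and first-match rule table passages above (pages 55 to 57) describe the evaluation order but the excerpts are cut short. The following is an added illustration, not code from the Cisco ACS user guide: a small model in which a service selection table routes a request to an access service by AAA protocol, and the service's authorization policy is a first-match rule table with a Default rule. Rule names, attribute names (`protocol`, `identity_group`, `ndg:location`) and result profiles are hypothetical; the `shadowed_rules` check is an addition that flags the ordering mistake first-match tables invite.

```python
"""Model of ACS 5.x first-match rule tables with a Default rule, plus a
service selection policy in front of two access services.
Added illustration, not code from the Cisco ACS user guide; rule names,
attribute names and result profiles are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Request = Dict[str, str]   # request attributes, e.g. {"protocol": "RADIUS", "identity_group": "Engineers"}


@dataclass
class Rule:
    name: str
    conditions: Dict[str, Set[str]]   # every attribute must take one of the allowed values
    result: str
    enabled: bool = True

    def matches(self, req: Request) -> bool:
        return all(req.get(attr) in allowed for attr, allowed in self.conditions.items())


@dataclass
class RuleTable:
    """Rules are evaluated top to bottom; the first enabled match wins. The
    Default rule fires when no rule exists or nothing matches."""
    rules: List[Rule]
    default_result: str

    def evaluate(self, req: Request) -> Tuple[str, str]:
        for rule in self.rules:
            if rule.enabled and rule.matches(req):
                return rule.name, rule.result
        return "Default", self.default_result


@dataclass
class AccessService:
    name: str
    authorization: RuleTable


class ServiceSelectionPolicy:
    """Service selection table whose results name an access service (or deny)."""

    def __init__(self, selection: RuleTable, services: List[AccessService]):
        self.selection = selection
        self.services = {s.name: s for s in services}

    def process(self, req: Request) -> Dict[str, Optional[str]]:
        sel_rule, target = self.selection.evaluate(req)
        if target not in self.services:            # e.g. the Default rule's DenyAccess
            return {"service": None, "selection_rule": sel_rule, "rule": None, "result": target}
        rule, result = self.services[target].authorization.evaluate(req)
        return {"service": target, "selection_rule": sel_rule, "rule": rule, "result": result}


def shadowed_rules(table: RuleTable) -> List[str]:
    """Rules that can never fire because an earlier enabled rule already matches
    every request they would match: the usual first-match ordering mistake."""
    shadowed = []
    for j, later in enumerate(table.rules):
        for earlier in table.rules[:j]:
            if earlier.enabled and all(
                attr in later.conditions and later.conditions[attr] <= allowed
                for attr, allowed in earlier.conditions.items()
            ):
                shadowed.append(later.name)
                break
    return shadowed


def build_demo_policy() -> ServiceSelectionPolicy:
    """Constructed sample: TACACS+ requests go to a device-administration service,
    RADIUS requests to an 802.1X network-access service; anything else is denied."""
    device_admin = AccessService("Access Service A (Device Admin)", RuleTable(
        rules=[
            Rule("NetOps-Full", {"identity_group": {"NetOps"}}, "Shell-Priv15"),
            Rule("Helpdesk-ReadOnly", {"identity_group": {"Helpdesk"}}, "Shell-Priv1"),
        ],
        default_result="DenyAccess"))
    network_access = AccessService("Access Service B (802.1X)", RuleTable(
        rules=[   # specific rule first, broader rule second, so neither is shadowed
            Rule("HQ-Engineers", {"identity_group": {"Engineers"}, "ndg:location": {"HQ"}}, "VLAN-Eng"),
            Rule("Any-Engineers", {"identity_group": {"Engineers"}}, "VLAN-Quarantine"),
        ],
        default_result="VLAN-Guest"))
    selection = RuleTable(
        rules=[
            Rule("Select-TACACS", {"protocol": {"TACACS+"}}, device_admin.name),
            Rule("Select-RADIUS", {"protocol": {"RADIUS"}}, network_access.name),
        ],
        default_result="DenyAccess")
    return ServiceSelectionPolicy(selection, [device_admin, network_access])


if __name__ == "__main__":
    policy = build_demo_policy()
    for req in ({"protocol": "TACACS+", "identity_group": "NetOps"},
                {"protocol": "RADIUS", "identity_group": "Engineers", "ndg:location": "Branch"},
                {"protocol": "RADIUS", "identity_group": "Contractors"},
                {"protocol": "Kerberos"}):
        print(req, "->", policy.process(req))
```

Swapping the two Engineers rules makes `HQ-Engineers` unreachable: the broader rule matches first and HQ engineers silently land in the quarantine VLAN, which is why an ordering check like `shadowed_rules` belongs in any review of a first-match policy table.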

  • Page 58

    3-16, Chapter 3 ACS 5.x Policy Model, Authorization Profiles for Network Access: Policy Conditions. You can define simple conditions in rule tables based on attributes in: • Customizable conditions—You can create custom conditions based on protocol dictionaries and identity dic[...]

  • Page 59

    3-17, Chapter 3 ACS 5.x Policy Model, Policies and Identity Attributes: You can define multiple authorization profiles as a network access policy result. In this way, you maintain a smaller number of authorization profiles, because you can use the authorization profiles in combi[...]

  • Page 60

    3-18, Chapter 3 ACS 5.x Policy Model, Policies and Network Device Groups: Related Topics • Managing Users and Identity Stores, page 8-1 • Policy Terminology, page 3-3 • Types of Policies, page 3-5. Policies and Network Device Groups. You can reference Network device group[...]

  • Page 61

    3-19, Chapter 3 ACS 5.x Policy Model, Flows for Configuring Services and Policies: Figure 3-2 illustrates what this policy rule table could look like. Figure 3-2 Sample Rule-Based Policy. Each row in the policy table represents a single rule. Each rule, except for the last Defau[...]

  • Page 62

    3-20, Chapter 3 ACS 5.x Policy Model, Flows for Configuring Services and Policies: • Added users to the internal ACS identity store or add external identity stores. See Creating Internal Users, page 8-11, Managing Identity Attributes, page 8-7, or Creating External LDAP Identi[...]

  • Page 63

    3-21, Chapter 3 ACS 5.x Policy Model, Flows for Configuring Services and Policies: Related Topics • Policy Terminology, page 3-3 • Policy Conditions, page 3-16 • Policy Results, page 3-16 • Policies and Identity Attributes, page 3-17[...]

  • Page 64

    3-22, Chapter 3 ACS 5.x Policy Model, Flows for Configuring Services and Policies[...]

  • Page 65

    4-1, Chapter 4 Common Scenarios Using ACS: Network control refers to the process of controlling access to a network. Traditionally a username and password was used to authenticate a user to a network. Nowadays with the rapid technological advancements, the traditional [...]

  • Page 66

    4-2, Chapter 4 Common Scenarios Using ACS, Overview of Device Administration: Cisco Secure Access Control System (ACS) allows you to centrally manage access to your network services and resources (including devices, such as IP phones, printers, and so on). ACS 5.3 is a policy-ba[...]

  • Page 67

    4-3, Chapter 4 Common Scenarios Using ACS, Overview of Device Administration: If a command is matched to a command set, the corresponding permit or deny setting for the command is retrieved. If multiple results are found in the rules that are matched, they are consolidated and a si[...]
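The device-administration passage above describes matching a TACACS+ command against command sets and consolidating the results of several matched rules into one decision, but the excerpt ends mid-sentence. Below is an added illustration, not code from the Cisco ACS user guide, of that flow: it parses the attribute-value pairs a NAS sends in a TACACS+ shell authorization request, evaluates the command against each command set (with Permit, Deny and Deny Always entries and a per-set default for unmatched commands), and consolidates. The consolidation order used here (any Deny Always denies, otherwise any Permit permits, otherwise deny) is an assumption made for the example, not a rule quoted from the guide; the command set names and contents are constructed.

```python
"""TACACS+ shell command authorization against ACS-style command sets.
Added illustration, not code from the Cisco ACS user guide. The consolidation
order across several command sets is an assumption made here (Deny Always
wins, then any Permit, otherwise deny), not a rule quoted from the guide."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

PERMIT, DENY, DENY_ALWAYS = "Permit", "Deny", "Deny Always"


@dataclass
class CommandEntry:
    grant: str              # PERMIT, DENY or DENY_ALWAYS
    command: str            # command word, compared case-insensitively
    arguments: str = ""     # regular expression searched in the argument string; "" matches all


@dataclass
class CommandSet:
    name: str
    entries: List[CommandEntry] = field(default_factory=list)
    permit_unmatched: bool = False   # "permit any command that is not in the table"

    def evaluate(self, command: str, args: str) -> str:
        """Result of this set alone: a matching Deny Always entry dominates;
        otherwise the first matching entry (top-down) decides; otherwise the
        unmatched-command default."""
        first = None
        for e in self.entries:
            if e.command.lower() == command.lower() and re.search(e.arguments, args):
                if e.grant == DENY_ALWAYS:
                    return DENY_ALWAYS
                if first is None:
                    first = e.grant
        if first is not None:
            return first
        return PERMIT if self.permit_unmatched else DENY


def parse_shell_authorization(av_pairs: List[str]) -> Tuple[str, str]:
    """Extract the command and its arguments from the attribute-value pairs a
    NAS sends in a TACACS+ shell authorization request (service=shell, cmd=...,
    cmd-arg=..., with a final cmd-arg=<cr>)."""
    attrs = dict(p.split("=", 1) for p in av_pairs)
    if attrs.get("service") != "shell" or "cmd" not in attrs:
        raise ValueError("not a shell command authorization request")
    args = [p.split("=", 1)[1] for p in av_pairs if p.startswith("cmd-arg=")]
    return attrs["cmd"], " ".join(a for a in args if a != "<cr>")


def consolidate(results: List[str]) -> str:
    """Reduce the per-set results of all matched rules to one decision
    (assumed order, see module docstring)."""
    if DENY_ALWAYS in results:
        return DENY
    if PERMIT in results:
        return PERMIT
    return DENY


def authorize(command_sets: List[CommandSet], av_pairs: List[str]) -> Tuple[str, List[str]]:
    command, args = parse_shell_authorization(av_pairs)
    per_set = [cs.evaluate(command, args) for cs in command_sets]
    return consolidate(per_set), per_set


# Constructed sample command sets (hypothetical names and contents).
HELPDESK = CommandSet("Helpdesk-ReadOnly", [
    CommandEntry(DENY_ALWAYS, "show", r"^(running|startup)-config"),   # configs carry secrets
    CommandEntry(PERMIT, "show"),                                      # any other show command
    CommandEntry(PERMIT, "ping"),
])
NETOPS = CommandSet("NetOps-Full", [CommandEntry(DENY, "reload")], permit_unmatched=True)


def request(cmd: str, *args: str) -> List[str]:
    """Build the AV pairs a Cisco IOS device would send for `cmd args...`."""
    return ["service=shell", f"cmd={cmd}"] + [f"cmd-arg={a}" for a in args] + ["cmd-arg=<cr>"]


if __name__ == "__main__":
    cases = [([HELPDESK], request("show", "version")),
             ([HELPDESK], request("show", "running-config")),
             ([HELPDESK, NETOPS], request("show", "running-config")),
             ([HELPDESK, NETOPS], request("configure", "terminal"))]
    for sets, req in cases:
        print([s.name for s in sets], req, "->", authorize(sets, req))
```

The practical point of the Deny Always grant shows in the third case: an administrator who matches both the helpdesk and the NetOps rules is still refused `show running-config`, whereas a plain Deny in the helpdesk set would have been overridden by the NetOps permit.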

  • Page 68

    4-4, Chapter 4 Common Scenarios Using ACS, Overview of Device Administration: Step 5 Configure an access service policy. See Access Service Policy Creation, page 10-4. Step 6 Configure a service selection policy. See Service Selection Policy Creation, page 10-4. Step 7 Configur[...]

  • Page 69

    4-5, Chapter 4 Common Scenarios Using ACS, Password-Based Network Access: TACACS+ Custom Services and Attributes. This topic describes the configuration flow to define TACACS+ custom attributes and services. Step 1 Create a custom TACACS+ condition to move to TACACS+ servi[...]

  • Page 70

    4-6, Chapter 4 Common Scenarios Using ACS, Password-Based Network Access: Note: During password-based access (or certificate-based access), the user is not only authenticated but also authorized according to the ACS configuration. And if the NAS sends accounting requests, the user i[...]

  • Page 71

    4-7, Chapter 4 Common Scenarios Using ACS, Password-Based Network Access: Password-Based Network Access Configuration Flow. This topic describes the end-to-end flow for password-based network access and lists the tasks that you must perform. The information about how to configure [...]

  • Page 72

    4-8, Chapter 4 Common Scenarios Using ACS, Password-Based Network Access: For RADIUS, non-EAP authentication methods (RADIUS/PAP, RADIUS/CHAP, RADIUS/MS-CHAPv1, RADIUS/MSCHAPv2), and simple EAP methods (EAP-MD5 and LEAP), you need to configure only the protocol in the Allowe[...]

  • Page 73

    4-9, Chapter 4 Common Scenarios Using ACS, Certificate-Based Network Access: Related Topics • Authentication in ACS 5.3, page B-1 • Network Devices and AAA Clients, page 7-5 • Managing Access Policies, page 10-1 • Creating, Duplicating, and Editing Access Services, page 10-[...]


4-10 Certificate-Based Network Access. You can configure two types of certificates in ACS: • Trust certificate—Also known as CA certificate. Used to form the CTL trust hierarchy for verification of remote certificates. • Local certi[...]


4-11 Step 4 Configure policy elements. See Managing Policy Conditions, page 9-1, for more information. You can create custom conditions to use the certificate's attributes as a policy condition. See Cre[...]


4-12 Validating an LDAP Secure Authentication Connection. You can define a secure authentication connection for the LDAP external identity store by using a CA certificate to validate the connection. To validate a[...]


4-13 Cisco provides two features to accommodate non-802.1X devices: MAC Authentication Bypass (Host Lookup) and Guest VLAN access by using web authentication. ACS 5.3 supports the Host Lookup fall[...]


4-14 • Internal users • Active Directory. You can access Active Directory via the LDAP API. You can use the Internal Users identity store for Host Lookup in cases where the relevant host is already listed in[...]


4-15 Process Service-Type Call Check. You may not want to copy the CallingStationID attribute value to the System UserName attribute value. When the Process Host Lookup option is checked, ACS uses the System User[...]


4-16 Agentless Network Access Flow. This topic describes the end-to-end flow for agentless network access and lists the tasks that you must perform. The information about how to configure the tasks is located in the[...]


4-17 Step 7 Define the service selection. Step 8 Add the access service to your service selection policy. For more information, see Creating, Duplicating, and Editing Service Selection Rules, page 10-8. Related Topic[...]


4-18 Previous Step: Network Devices and AAA Clients, page 7-5. Next Step: Configuring an Identity Group for Host Lookup Network Access Requests, page 4-18. Related Topics • Creating External LDAP Identity Stores, pa[...]


4-19 c. Select Network Access, and check Identity and Authorization. The group mapping and External Policy options are optional. d. Make sure you select Process Host Lookup. If you want ACS to detect PAP or EAP-MD5[...]


4-20 Configuring an Authorization Policy for Host Lookup Requests. To configure an authorization policy for Host Lookup requests: Step 1 Choose Access Policies > Access Services > <access_servicename> Aut[...]
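The Host Lookup handling described on the preceding pages (Service-Type Call Check, copying CallingStationID into the System UserName, the lookup against an internal hosts store) as an added Python example. This is not ACS code: the attribute names follow RFC 2865, the hosts table is constructed, and treating a User-Name that equals the Calling-Station-Id MAC as a Host Lookup stands in for the PAP/EAP-MD5 detection options, which the page only names.

```python
"""Host Lookup (MAC Authentication Bypass) request handling, modelled on the
ACS 'Process Host Lookup' options described above.  Added example, not ACS
code; the attribute names and the hosts table are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Optional

SERVICE_TYPE_CALL_CHECK = 10  # RFC 2865 Service-Type value "Call Check"

# Constructed internal hosts store: normalised MAC -> identity group path.
INTERNAL_HOSTS = {
    "00:1a:2b:3c:4d:5e": "All Groups:Printers",
    "00:1a:2b:3c:4d:5f": "All Groups:IP Phones",
}

_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalise_mac(value: str) -> Optional[str]:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff and return
    colon-separated lower case; None when the value is not a MAC address."""
    hexdigits = re.sub(r"[:.\-]", "", value.strip().lower())
    if not _MAC_HEX.match(hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class HostLookupResult:
    is_host_lookup: bool
    system_username: Optional[str]
    identity_group: Optional[str]
    reason: str


def process_host_lookup(attrs: dict, copy_calling_station_id: bool = True) -> HostLookupResult:
    """Decide whether a RADIUS request is a Host Lookup and resolve the host.

    A request is treated as Host Lookup when Service-Type is Call Check, or
    when User-Name is itself a MAC address equal to Calling-Station-Id (the
    stand-in here for the PAP/EAP-MD5 detection options).
    copy_calling_station_id mirrors the option of copying the CallingStationID
    attribute into the System UserName attribute before the lookup."""
    service_type = attrs.get("Service-Type")
    username = attrs.get("User-Name", "")
    calling = attrs.get("Calling-Station-Id", "")
    mac_from_calling = normalise_mac(calling)
    mac_from_user = normalise_mac(username)

    call_check = service_type == SERVICE_TYPE_CALL_CHECK
    mac_as_user = mac_from_user is not None and mac_from_user == mac_from_calling
    if not (call_check or mac_as_user):
        return HostLookupResult(False, username or None, None, "not a host lookup request")

    # What ACS would use as the System UserName for the lookup.
    system_username = mac_from_calling if copy_calling_station_id else mac_from_user
    if system_username is None:
        return HostLookupResult(True, None, None, "no usable MAC address in request")

    group = INTERNAL_HOSTS.get(system_username)
    if group is None:
        return HostLookupResult(True, system_username, None, "host not found")
    return HostLookupResult(True, system_username, group, "host found")
```

Note the failure mode the page warns about: with copying disabled, a Call Check request whose User-Name is not a MAC address has nothing to look up and is rejected rather than silently matched on Calling-Station-Id.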


4-21 Supported Authentication Protocols. ACS 5.3 supports the following protocols for inner authentication inside the VPN tunnel: • RADIUS/PAP • RADIUS/CHAP • RADIUS/MS-CHAPv1 • RADIUS/MS-CHAPv2. With the use[...]


4-22 Supported VPN Network Access Servers. ACS 5.3 supports the following VPN network access servers: • Cisco ASA 5500 Series • Cisco VPN 3000 Series. Related Topics • VPN Remote Network Access, page 4-20 • S[...]


4-23 Related Topics • VPN Remote Network Access, page 4-20 • Supported Authentication Protocols, page 4-21 • Supported Identity Stores, page 4-21 • Supported VPN Network Access Servers, page 4-22 [...]


4-24 6. Configuring EAP-FAST Settings for Security Group Access. 7. Creating an Access Service for Security Group Access. 8. Creating an Endpoint Admission Control Policy. 9. Creating an Egress Policy[...]


4-25 Devices consider only the SGT value; the name and description of a security group are a management convenience and are not conveyed to the devices. Therefore, changing the name or description of the[...]


4-26 To configure an NDAC policy for a device: Step 1 Choose Access Policies > Security Group Access Control > Security Group Access > Network Device Access > Authorization Policy. Step 2 [...]


4-27 Step 5 Click Next. The Access Services Properties page appears. Step 6 In the Authentication Protocols area, check the relevant protocols for your access service. Step 7 Click Finish. Creating an Endp[...]


4-28 The first row (topmost) of the matrix contains the column headers, which display the destination SGT. The first column (far left) contains the row titles, with the source SG displayed. At the inte[...]


4-29 To create a default policy: Step 1 Choose Access Policies > Security Group Access Control > Egress Policy, then choose Default Policy. Step 2 Fill in the fields as in the Default Policy for Eg[...]
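The egress policy matrix described above (destination SGT across the top, source security group down the side, a default policy for cells that are not set) as an added Python example. It is not ACS code; group names, SGT values and SGACL names are constructed. The point it makes concrete is the one on page 4-25: the matrix is keyed by the numeric SGT, so renaming a security group changes nothing that a device sees.

```python
"""Egress policy matrix keyed by SGT value.  Added illustration of two points
from the page: devices act on the numeric SGT only, and unset cells fall back
to the default policy.  Not ACS code; all names and values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SecurityGroup:
    name: str          # management convenience, never sent to devices
    sgt: int           # the value devices actually enforce on
    description: str = ""


@dataclass
class EgressPolicy:
    groups: Dict[int, SecurityGroup] = field(default_factory=dict)
    # (source SGT, destination SGT) -> ordered list of SGACL names
    cells: Dict[Tuple[int, int], List[str]] = field(default_factory=dict)
    default_sgacls: List[str] = field(default_factory=lambda: ["Permit IP"])

    def add_group(self, group: SecurityGroup) -> None:
        if group.sgt in self.groups:
            raise ValueError(f"SGT {group.sgt} already assigned to {self.groups[group.sgt].name}")
        self.groups[group.sgt] = group

    def set_cell(self, src_sgt: int, dst_sgt: int, sgacls: List[str]) -> None:
        for sgt in (src_sgt, dst_sgt):
            if sgt not in self.groups:
                raise KeyError(f"unknown SGT {sgt}")
        self.cells[(src_sgt, dst_sgt)] = list(sgacls)

    def rename_group(self, sgt: int, new_name: str) -> None:
        """Only the management label changes; no cell and no device sees it."""
        self.groups[sgt].name = new_name

    def lookup(self, src_sgt: int, dst_sgt: int) -> Tuple[List[str], bool]:
        """Return (SGACLs, explicit); explicit is False when the default policy applies."""
        cell = self.cells.get((src_sgt, dst_sgt))
        if cell is not None:
            return list(cell), True
        return list(self.default_sgacls), False

    def matrix(self) -> List[List[str]]:
        """Render as the web interface does: first row holds destination SGTs,
        first column holds the source security group names."""
        sgts = sorted(self.groups)
        rows = [["source \\ destination SGT"] + [str(s) for s in sgts]]
        for src in sgts:
            row = [self.groups[src].name]
            for dst in sgts:
                acls, explicit = self.lookup(src, dst)
                row.append(", ".join(acls) if explicit else "(default)")
            rows.append(row)
        return rows


def build_sample_policy() -> EgressPolicy:
    """Constructed sample: employees reach servers over web ports, servers may
    not initiate to employees, everything else takes the deny-by-default policy."""
    policy = EgressPolicy(default_sgacls=["Deny IP"])
    policy.add_group(SecurityGroup("Employees", 2))
    policy.add_group(SecurityGroup("Servers", 3))
    policy.add_group(SecurityGroup("Guests", 4))
    policy.set_cell(2, 3, ["Permit Web", "Deny IP"])
    policy.set_cell(3, 2, ["Deny IP"])
    policy.set_cell(2, 2, ["Permit IP"])
    return policy
```

A deny-by-default egress policy, as in the sample, is the safer starting point: every source/destination pair you have not thought about is blocked until an explicit cell is added.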


4-30 During proxying, ACS: 1. Receives the following packets from the NAS and forwards them to the remote RADIUS server: • Access-Request • Accounting-Request packets. 2. Receives the following packets fr[...]


4-31 The TACACS+ proxy feature in ACS supports the following authentication types: • PAP • ASCII • CHAP • MSCHAP. Related Topics • RADIUS and TACACS+ Proxy Requests, page 4-29 • Supp[...]


4-32 Configuring Proxy Service. To configure proxy services: Step 1 Configure a set of remote RADIUS and TACACS+ servers. For information on how to configure remote servers, see Creating, Duplicating, and [...]


5-1 Chapter 5 Understanding My Workspace. The Cisco Secure ACS web interface is designed to be viewed using Microsoft Internet Explorer 7.x, 8.x, and 9.x and Mozilla Firefox 3.x and 4.x. The web interface not only makes viewing and administering ACS possible, but it also [...]


5-2 Task Guides. From the My Workspace drawer, you can access Task Guides. When you click any of the tasks, it opens a frame on the right side of the web interface. This frame contains step-by-step instructions as well as lin[...]


5-3 Related Topics • Configuring Authentication Settings for Administrators, page 16-9 • Changing the Administrator Password, page 16-13. Using the Web Interface. You can configure and administer ACS through the [...]


5-4 Logging In. To log in to the ACS web interface for the first time after installation: Step 1 Enter the ACS URL in your browser, for example https://acs_host/acsadmin, where acs_host is the IP address or Doma[...]


5-5 Step 7 See Installing a License File, page 18-35, to install a valid license. • If your login is successful, the main page of the ACS web interface appears. • If your login is unsuccessful, the following error[...]


5-6 Web Interface Design. Figure 5-1 shows the overall design of the ACS web interface. Figure 5-1 ACS Web Interface. The interface contains: • Header, page 5-6 • Navigation Pane, page 5-7 • Content Area, page [...]


5-7 Navigation Pane. Use the navigation pane to navigate through the drawers of the web interface (see Figure 5-3). Figure 5-3 Navigation Pane. Table 5-3 describes the function of each drawer. To open a drawer [...]


5-8 The options listed beneath drawers in the navigation pane are organized in a tree structure, where appropriate. The options in the tree structure are dynamic and can change based on administrator actions. Creatin[...]


5-9 Web Interface Location. Your current location in the interface appears at the top of the content area. Figure 5-5 shows that the location is the Policy Elements drawer and the Network Devices and AAA Clients pa[...]


5-10 Table 5-4 Common Content Area Buttons and Fields for List Pages. Button or Field / Description. Rows per page: Use the drop-down list to specify the number of items to display on this page. Options: • 10—Up to[...]


5-11 Tree table pages are a variation of list pages (see Figure 5-6). You can perform the same operations on tree table pages that you can on list pages, except for paging. In addition, with tree table pages: • A[...]


5-12 Filtering. Large lists in a content area window or a secondary window (see Figure 5-9) can be difficult to navigate through and select the data that you want. You can use the web interface to filter data in the[...]


5-13 For pages that do not have a Name or Description column, the sorting mechanism may be supported in the left-most column of the page, or the Description column. Place your cursor over a column heading to determ[...]


5-14 Figure 5-9 Secondary Window. In addition to selecting and filtering data, you can create a selectable object within a secondary window. For example, if you attempt to create a user in the internal identity store, [...]


5-15 Figure 5-10 Transfer Box. Table 5-6 Transfer Box Fields and Buttons. Field or Button / Description. Available: List of available items for selection. Selected: Ordered list of selected items. Right arrow (>) [...]


5-16 Schedule Boxes. Schedule boxes are a common element in content area pages (see Figure 5-10). You use them to select active times for a policy element from a grid, where each row represents a day of the week and ea[...]


5-17 Directly above the rule table are two display options: • Standard Policy—Click to display the standard policy rule table. • Exception Policy—Click to display the exception policy rule table, which t[...]


5-18 Related Topic • ACS 5.x Policy Model. Importing and Exporting ACS Objects through the Web Interface. You can use the import functionality in ACS to add, update, or delete [...]


5-19 Table 5-9 lists the ACS objects, their properties, and the property data types. The import template for each of the objects contains the properties described in this ta[...]


5-20 Fields that are optional can be left empty and ACS substitutes the default values for those fields. For example, when fields that are related to a hierarchy are lef[...]


5-21 Downloading the Template from the Web Interface. Before you can create the import file, you must download the import file templates from the ACS web interface. To download [...]


5-22 For example, the internal user Add template contains the fields described in Table 5-10. Each row of the .csv file corresponds to one internal user record. You mu[...]


5-23 Figure 5-12 Add Users – Import File. Step 4 Save the add users import file to your local disk. Updating the Records in the ACS Internal Store. When you update the records in t[...]


5-24 Figure 5-13 Update Users – Import File. Note: The second column, Updated name, is the additional column that you can add to the Update template. Deleting Records from the ACS I[...]


5-25 Common Errors. You might encounter these common errors: • Concurrency Conflict Errors, page 5-25 • Deletion Errors, page 5-26 • System Failure Errors, page 5-27 • Accessibility, page 5-27. Concurrency Conflict Error[...]


5-26 Error Message: The item you are trying to Submit is referencing items that do not exist anymore. Explanation: You attempted to edit or duplicate an item that is referencing an item that another user deleted while you tried [...]


5-27 System Failure Errors. System failure errors occur when a system malfunction is detected. When a system failure error is detected, a dialog box appears with an error message and an OK button. Read the error message, click O[...]


5-28 • Color used as an enhancement of information only, not as the only indicator. For example, required fields are associated with a red asterisk. • Confirmation messages for important settings and actions. • User-con[...]


6-1 Chapter 6 Post-Installation Configuration Tasks. This chapter provides a set of configuration tasks that you must perform to work with ACS. This chapter contains the following sections: • Configuring Minimal System Setup, page 6-1 • Configuring ACS to Perform Syst[...]


6-2 Configuring ACS to Perform System Administration Tasks. Table 6-2 lists the set of system administration tasks that you must perform to administer ACS. Table 6-2 [...]


6-3 Step 8 Add users or hosts to the internal identity store, or define external identity stores, or both. • For internal identity stores: Users and Identity Stores > Inte[...]


6-4 Configuring ACS to Manage Access Policies. Table 6-3 lists the set of tasks that you must perform to manage access restrictions and permissions. Configuring ACS to Monitor and Troubl[...]


6-5 Step 4 Enable system alarms and specify how you would like to receive notification. Monitoring Configuration > System Configuration > System Alarm S[...]




7-1 Chapter 7 Managing Network Resources. The Network Resources drawer defines elements within the network that issue requests to ACS or those that ACS interacts with as part of processing a request. This includes the network devices that issue the requests and external ser[...]


7-2 Network Device Groups. In ACS, you can define network device groups (NDGs), which are sets of devices. These NDGs provide logical grouping of devices, for example by Device Location or Type, which you can use i[...]


7-3 Step 4 Click Submit. The network device group configuration is saved. The Network Device Groups page appears with the new network device group configuration. Related Topics • Network Device Groups, page 7-2 [...]


7-4 Creating, Duplicating, and Editing Network Device Groups Within a Hierarchy. You can arrange the network device group node hierarchy according to your needs by choosing parent and child relationships for new, dup[...]
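The NDG hierarchy described above, as an added Python example of how a device's group assignment is matched against a policy condition on a parent node. This is not ACS code: the ':' path separator, the root names, and the rule that a node with child groups cannot be deleted are assumptions made for the illustration, and the hierarchies themselves are constructed.

```python
"""Network device group hierarchies and membership tests.  Added example of
the parent/child arrangement described on the page; not ACS code.  The ':'
path separator, the root names and the refusal to delete a node that still
has children are assumptions for illustration."""
from typing import Dict, Set


class NDGHierarchy:
    """One hierarchy per NDG type (for example Location or Device Type).
    Every node except the root must be created beneath an existing parent."""

    def __init__(self, root: str) -> None:
        self.root = root
        self.nodes: Set[str] = {root}

    def add(self, path: str) -> str:
        parts = path.split(":")
        if parts[0] != self.root:
            raise ValueError(f"{path!r} is not under hierarchy root {self.root!r}")
        parent = ":".join(parts[:-1])
        if len(parts) > 1 and parent not in self.nodes:
            raise KeyError(f"parent {parent!r} must exist before {path!r} is created")
        self.nodes.add(path)
        return path

    def children(self, path: str) -> Set[str]:
        """All descendants of path (direct children and deeper)."""
        return {n for n in self.nodes if n.startswith(path + ":")}

    def delete(self, path: str) -> None:
        if path == self.root:
            raise ValueError("the root node cannot be deleted")
        if self.children(path):
            raise ValueError(f"{path!r} still has child groups")
        self.nodes.remove(path)

    def contains(self, device_group: str, condition_group: str) -> bool:
        """A device assigned to a node matches a condition on that node or any ancestor."""
        for g in (device_group, condition_group):
            if g not in self.nodes:
                raise KeyError(f"unknown group {g!r}")
        return device_group == condition_group or device_group.startswith(condition_group + ":")


def rule_matches(hierarchies: Dict[str, NDGHierarchy],
                 device_ndgs: Dict[str, str],
                 condition: Dict[str, str]) -> bool:
    """Evaluate a policy condition of the form {NDG type: group path}; every
    listed type must match the device's assignment in that hierarchy."""
    return all(hierarchies[ndg_type].contains(device_ndgs[ndg_type], group)
               for ndg_type, group in condition.items())


def build_sample() -> Dict[str, NDGHierarchy]:
    """Constructed hierarchies: a Location tree and a Device Type tree."""
    location = NDGHierarchy("All Locations")
    for path in ("All Locations:US", "All Locations:US:NYC", "All Locations:EU"):
        location.add(path)
    device_type = NDGHierarchy("All Device Types")
    for path in ("All Device Types:Switches", "All Device Types:Switches:Access"):
        device_type.add(path)
    return {"Location": location, "Device Type": device_type}
```

Because a condition on a parent node matches every device beneath it, moving a device to a different leaf silently changes which rules apply to it; review rule conditions that name high-level nodes when the hierarchy is reorganised.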


7-5 Deleting Network Device Groups from a Hierarchy. To delete a network device group from within a hierarchy: Step 1 Choose Network Resources > Network Device Groups. The Network Device Groups page app[...]


7-6 You must install the Security Group Access license to enable Security Group Access options. The Security Group Access options only appear if you have installed the Security Group Access license. For more in[...]


7-7 – Device Type. You can specify a full IP address, an IP address with the wildcard "*", or an IP address range, such as [15-20], in the IP address search field. The wildcard "*" and the IP range [1[...]


7-8 Step 2 Choose the filter condition and the Match if operator, and enter the filter criterion that you are looking for in the text box. Step 3 Click Go. A list of records that match your filter criterion [...]


7-9 Step 3 Click any one of the following operations if you have previously created a template-based .csv file on your local disk: • Add—Adds the records in the .csv file to the records currently avail[...]


7-10 Exporting Network Resources and Users. To export a list of network resources or users: Step 1 Click Export on the Users, Network Devices, or MAC Address page of the web interface. The Network Device pag[...]


7-11 The first page of the Create Network Device process appears if you are creating a new network device. The Network Device Properties page for the selected device appears if you are duplicating or editing [...]


7-12 IP Range(s) By Mask: Choose to enter an IP address range. You can configure up to 40 IP addresses or subnet masks for each network device. If you use a subnet mask in this field, all IP addresses within t[...]


7-13 Single Connect Device: Check to use a single TCP connection for all TACACS+ communication with the network device. Choose one: • Legacy TACACS+ Single Connect Support • TACACS+ Draft Complian[...]


7-14 Displaying Network Device Properties. Choose Network Resources > Network Devices and AAA Clients, then click a device name or check the check box next to a device name, and click Edit or Duplicate. [...]


7-15 IP Range(s) By Mask: Choose to enter an IP address range. You can configure up to 40 IP addresses or subnet masks for each network device. If you use a subnet mask in this field, all IP addresses within [...]


7-16 RADIUS Shared Secret: Shared secret of the network device, if you have enabled the RADIUS protocol. A shared secret is a string of text that must be configured identically on ACS and on the network device; it is a per-device key, not a user credential, and ACS uses it to validate RADIUS packets from that device and to decode the User-Password attribute before the network device au[...]
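How the IP Range(s) By Mask entries (pages 7-12 and 7-15), the "*" and [a-b] search forms (page 7-7) and the RADIUS shared secret above fit together, as an added Python example. It is not ACS code: the device table is constructed, the matching of a single address, a CIDR subnet, a "*" octet and an [a-b] octet range is the example's reading of those field descriptions, and the Default Network Device fallback from page 7-18 is not modelled. The User-Password handling follows RFC 2865 section 5.2, which is what the shared secret is used for on a PAP request.

```python
"""Network device lookup by source IP and use of that device's RADIUS shared
secret.  Added example, not ACS code: the device table is constructed, the IP
entry forms follow the field descriptions on the page, and the Default
Network Device fallback is not modelled."""
import hashlib
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_IP_ENTRIES = 40                      # limit stated for IP Range(s) By Mask
_OCTET_RANGE = re.compile(r"^\[(\d{1,3})-(\d{1,3})\]$")


def _octet_matches(spec: str, octet: int) -> bool:
    if spec == "*":
        return True
    m = _OCTET_RANGE.match(spec)
    if m:
        return int(m.group(1)) <= octet <= int(m.group(2))
    return int(spec) == octet


def ip_matches(spec: str, ip: str) -> bool:
    """spec: '10.1.2.3', '192.0.2.0/24', '10.1.*.*' or '172.16.5.[10-20]' (IPv4)."""
    addr = ipaddress.ip_address(ip)
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    parts = spec.split(".")
    if addr.version != 4 or len(parts) != 4:
        raise ValueError(f"unsupported IP entry {spec!r} for {ip!r}")
    return all(_octet_matches(p, int(o)) for p, o in zip(parts, ip.split(".")))


@dataclass
class NetworkDevice:
    name: str
    ip_entries: List[str]
    radius_secret: bytes

    def __post_init__(self) -> None:
        if not 1 <= len(self.ip_entries) <= MAX_IP_ENTRIES:
            raise ValueError(f"{self.name}: 1 to {MAX_IP_ENTRIES} IP entries allowed")


def find_device(devices: List[NetworkDevice], source_ip: str) -> Optional[NetworkDevice]:
    """First device whose entries cover the packet's source address, else None."""
    for dev in devices:
        if any(ip_matches(entry, source_ip) for entry in dev.ip_entries):
            return dev
    return None


def _pap_blocks(secret: bytes, authenticator: bytes, data: bytes, decoding: bool) -> bytes:
    # RFC 2865 s5.2: b1 = MD5(S + RA), c1 = p1 XOR b1, b2 = MD5(S + c1), c2 = p2 XOR b2 ...
    if len(authenticator) != 16 or len(data) % 16:
        raise ValueError("authenticator must be 16 bytes and data a multiple of 16")
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out.extend(result)
        prev = block if decoding else result   # always chain on the ciphertext block
    return bytes(out)


def encode_pap_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    return _pap_blocks(secret, request_authenticator, padded, decoding=False)


def decode_pap_password(secret: bytes, request_authenticator: bytes, encrypted: bytes) -> bytes:
    # NUL padding is stripped, so a password that itself ends in NUL bytes is not representable.
    return _pap_blocks(secret, request_authenticator, encrypted, decoding=True).rstrip(b"\x00")


def authenticate_pap(devices: List[NetworkDevice], nas_ip: str, request_authenticator: bytes,
                     encrypted_password: bytes, expected_password: bytes) -> str:
    """'unknown-nas' when no device entry covers nas_ip, 'reject' when the
    decoded password differs (a wrong secret decodes to garbage), else 'accept'."""
    dev = find_device(devices, nas_ip)
    if dev is None:
        return "unknown-nas"
    decoded = decode_pap_password(dev.radius_secret, request_authenticator, encrypted_password)
    return "accept" if decoded == expected_password else "reject"
```

Two practical consequences follow from the lookup order. A broad entry such as 10.1.*.* placed on one device shadows any more specific device listed after it, so the same secret ends up applied to a device it was never meant for; and because a wrong secret produces an unreadable password rather than an explicit error, a secret mismatch shows up as authentication failures for every user behind that NAS.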


7-17 Related Topics: • Viewing and Performing Bulk Operations for Network Devices, page 7-6 • Creating, Duplicating, and Editing Network Device Groups, page 7-2. Deleting Network Devices. To delet[...]


7-18 Choose Network Resources > Default Network Device to configure the default network device. The Default Network Device page appears, displaying the information described in Table 7-6. Ta[...]


7-19 Related Topics • Network Device Groups, page 7-2 • Network Devices and AAA Clients, page 7-5 • Creating, Duplicating, and Editing Network Device Groups, page 7-2. Working with External Proxy [...]


7-20 Step 2 Do one of the following: • Click Create. • Check the check box next to the external proxy server that you want to duplicate, then click Duplicate. • Click the external proxy server nam[...]


7-21 Note: If you want ACS to forward unknown RADIUS attributes, you have to define VSAs for proxy. Related Topics • RADIUS and TACACS+ Proxy Services, page 3-7 • RADIUS and TACACS+ Proxy Reques[...]




8-1 Chapter 8 Managing Users and Identity Stores. Overview. ACS manages your network devices and other ACS clients by using the ACS network resource repositories and identity stores. When a host connects to the network through ACS requesting access to a particular network r[...]


8-2 Fixed components are: • Name • Description • Password • Enabled or disabled status • Identity group to which users belong. Configurable components are: • Enable password for TACACS+ authentication • Sets of[...]


8-3 Identity Stores with Two-Factor Authentication. You can use the RSA SecurID Token Server and RADIUS Identity Server to provide two-factor authentication. These external identity stores use an OTP that provides gre[...]


8-4 Identity Sequences. You can configure a complex condition where multiple identity stores and profiles are used to process a request. You can define these identity methods in an Identity Sequence[...]


8-5 • Authentication information. Note: ACS 5.3 supports authentication for internal users against the internal identity store only. This section contains the following topics: • Authentication I[...]


8-6 Identity Groups. You can assign each internal user to one identity group. Identity groups are defined within a hierarchical structure. They are logical entities that are associated with use[...]


8-7 Related Topics • Managing Users and Identity Stores, page 8-1 • Managing Internal Identity Stores, page 8-4 • Performing Bulk Operations for Network Resources and Users, page 7-8 • Ident[...]


8-8 Standard Attributes. Table 8-1 describes the standard attributes in the internal user record. User Attributes. Administrators can create and add user-defined attributes from the set of identi[...]

  • Page 161

    8-9 Managing Internal Identity Stores In ACS 5.3, you can configure identity attributes that are used within your policies, in this order: 1. Define an identity attribute (using the user dictionary). 2. Define custom conditions to [...]

  • Page 162

    8-10 Managing Internal Identity Stores Step 3 In the Advanced tab, enter the values for the criteria that you want to configure for your user authentication process. Table 8-3 describes the fields in the Advanced tab. Password[...]

  • Page 163

    8-11 Managing Internal Identity Stores Step 4 Click Submit. The user password is configured with the defined criteria. These criteria will apply only for future logins. Note ACS supports any character as passwords and shared secre[...]

  • Page 164

    8-12 Managing Internal Identity Stores • Click the username that you want to modify, or check the check box next to the name and click Edit. • Check the check box next to the user whose password you want to change, then click Ch[...]

  • Page 165

    8-13 Managing Internal Identity Stores Description (Optional) Description of the user. Identity Group Click Select to display the Identity Groups window. Choose an identity group and click OK to configure the user with a specific [...]

  • Page 166

    8-14 Managing Internal Identity Stores Step 5 Click Submit. The user configuration is saved. The Internal Users page appears with the new configuration. Related Topics • Configuring Authentication Settings for Users, page 8-9 • V[...]

  • Page 167

    8-15 Managing Internal Identity Stores Step 4 Click OK. The Internal Users page appears without the deleted users. Related Topics • Viewing and Performing Bulk Operations for Internal Identity Store Users, page 8-15 • Creating Int[...]

  • Page 168

    8-16 Managing Internal Identity Stores Creating Hosts in Identity Stores To create, duplicate, or edit a MAC address and assign identity groups to internal hosts: Step 1 Select Users and Identity Stores > Internal Identity Stor[...]

  • Page 169

    8-17 Managing Internal Identity Stores Step 4 Click Submit to save changes. The MAC address configuration is saved. The Internal MAC list page appears with the new configuration. Note Hosts with wildcards (supported formats) for MA[...]

  • Page 170

    8-18 Managing Internal Identity Stores Deleting Internal Hosts To delete a MAC address: Step 1 Select Users and Identity Stores > Internal Identity Stores > Hosts. The Internal MAC List page appears, with any configured MA[...]

  • Page 171

    8-19 Managing Internal Identity Stores • Policies and Identity Attributes, page 3-17 • Configuring an Identity Group for Host Lookup Network Access Requests, page 4-18 Management Hierarchy Management Hierarchy enables the admin[...]

  • Page 172

    8-20 Managing Internal Identity Stores The administrator can configure any level of hierarchy while defining management centers or AAA client locations. The syntax for the ManagementHierarchy attribute is: <HierarchyName>: <[...]

  • Page 173

    8-21 Managing Internal Identity Stores Related Topics Configuring and Using HostIsInManagementHierarchy Attributes, page 8-21. Configuring and Using HostIsInManagementHierarchy Attributes To configure and use HostIsInManagement[...]

  • Page 174

    8-22 Managing External Identity Stores Managing External Identity Stores ACS 5.3 integrates with external identity systems in a number of ways. You can leverage an external authentication service or use an external system to obt[...]

  • Page 175

    8-23 Managing External Identity Stores • Configuring LDAP Groups, page 8-33 • Viewing LDAP Attributes, page 8-34 Directory Service The directory service is a software application, or a set of applications, for storing and organ[...]

  • Page 176

    8-24 Managing External Identity Stores Failover ACS 5.3 supports failover between a primary LDAP server and secondary LDAP server. In the context of LDAP authentication with ACS, failover applies when an authentication reques[...]

  • Page 177

    8-25 Managing External Identity Stores Possible reasons for an LDAP server to return bind (authentication) errors are: – Filtering errors—A search using filter criteria fails. – Parameter errors—Invalid parameters were entered.[...]

  • Page 178

    8-26 Managing External Identity Stores • Unsigned Integer 32 • IPv4 Address For unsigned integers and IPv4 attributes, ACS converts the strings that it has retrieved to the corresponding data types. If conversion fails or if[...]

  • Page 179

    8-27 Managing External Identity Stores Step 5 Continue with Configuring an External LDAP Server Connection, page 8-27. Note NAC Guest Server can also be used as an External LDAP Server. For the procedure to use NAC Guest Server as an[...]

  • Page 180

    8-28 Managing External Identity Stores Anonymous Access Click to ensure that searches on the LDAP directory occur anonymously. The server does not distinguish who the client is and will allow the client read access to any data that[...]

  • Page 181

    8-29 Managing External Identity Stores Step 2 Click Next. Step 3 Continue with Configuring External LDAP Directory Organization, page 8-29. Configuring External LDAP Directory Organization Use this page to configure an external LDAP[...]

  • Page 182

    8-30 Managing External Identity Stores Table 8-8 LDAP: Directory Organization Page Option Description Schema Subject Object class Value of the LDAP objectClass attribute that identifies the subject. Often, subject records hav[...]

  • Page 183

    8-31 Managing External Identity Stores Subject Search Base Enter the distinguished name (DN) for the subtree that contains all subjects. For example: o=corporation.com If the tree containing subjects is the base DN, enter: o=corporat[...]

  • Page 184

    8-32 Managing External Identity Stores Step 2 Click Finish. The external identity store you created is saved. Username Prefix/Suffix Stripping Strip start of subject name up to the last occurrence of the separator Enter the appropr[...]

  • Page 185

    8-33 Managing External Identity Stores Related Topics • Configuring LDAP Groups, page 8-33 • Deleting External LDAP Identity Stores, page 8-33 Deleting External LDAP Identity Stores You can delete one or more external LDAP iden[...]

  • Page 186

    8-34 Managing External Identity Stores Viewing LDAP Attributes Use this page to view the external LDAP attributes. Step 1 Select Users and Identity Stores > External Identity Stores > LDAP. Step 2 Check the check box next to[...]

  • Page 187

    8-35 Managing External Identity Stores This means the switch port to which these devices attach cannot authenticate them using the 802.1X exchange of device or user credentials and must revert to an authentication mechanism other [...]

  • Page 188

    8-36 Managing External Identity Stores Figure 8-1 LDAP Interface Configuration in NAC Profiler Step 5 Click Update Server. Step 6 Click the Configuration tab and click Apply Changes. The Update NAC Profiler Modules page ap[...]

  • Page 189

    8-37 Managing External Identity Stores Step 2 Choose Configuration > Endpoint Profiles > View/Edit Profiles List. A list of profiles in a table appears. Step 3 Click on the name of a profile to edit it. Step 4 In the Save [...]

  • Page 190

    8-38 Managing External Identity Stores To edit the NAC Profiler template in ACS: Step 1 Choose Users and Identity Stores > External Identity Stores > LDAP. Step 2 Click on the name of the NAC Profiler template or check[...]

  • Page 191

    8-39 Managing External Identity Stores Figure 8-5 Test Bind to Server Dialog Box For more information, see Creating External LDAP Identity Stores, page 8-26. Note The default password for LDAP is GBSbeacon. If you want to change [...]

  • Page 192

    8-40 Managing External Identity Stores • Number of Subjects: 100 • Number of Directory Groups: 6 Figure 8-7 Test Configuration Dialog Box Number of Subjects—This value maps to the actual subject devices already profiled b[...]

  • Page 193

    8-41 Managing External Identity Stores For more information on features like Event Delivery Method and Active Response, see the Cisco NAC Profiler Installation and Configuration Guide, Release 3.1 at the following location: http:/[...]

  • Page 194

    8-42 Managing External Identity Stores The AD user password change using the above methods must follow the AD password policy. You must check with your AD administrator to know the complete AD password policy rule. AD password[...]

  • Page 195

    8-43 Managing External Identity Stores If there is a firewall between ACS and AD, certain ports need to be opened in order to allow ACS to communicate with AD. The following are the default ports to be opened: Note Dial-in users ar[...]

  • Page 196

    8-44 Managing External Identity Stores Attribute Retrieval for Authorization You can configure ACS to retrieve user or machine AD attributes to be used in authorization and group mapping rules. The attributes are mapped to the A[...]

  • Page 197

    8-45 Managing External Identity Stores Machine Access Restrictions MAR helps tie the results of machine authentication to the user authentication and authorization process. The most common usage of MAR is to fail authentication of users[...]

  • Page 198

    8-46 Managing External Identity Stores The Engineers' rule is an example of a MAR rule that only allows engineers access if their machine was successfully authenticated against the Windows DB. The Managers' rule is an example of a[...]

  • Page 199

    8-47 Managing External Identity Stores Dial-in Support Attributes The user attributes on Active Directory are supported on the following servers: • Windows Server 2003 • Windows Server 2003 R2 • Windows Server 2008 • Wi[...]

  • Page 200

    8-48 Managing External Identity Stores Joining ACS to an AD Domain After you configure the AD identity store in ACS through the ACS web interface, you must submit the configuration to join ACS to the AD domain. For more informat[...]

  • Page 201

    8-49 Managing External Identity Stores Step 3 Click: Username Predefined user in AD. The AD account required for domain access in ACS should have either of the following: • Add workstations to domain user right in corresponding domain[...]

  • Page 202

    8-50 Managing External Identity Stores • Save Changes to save the configuration, join the ACS to the specified AD domain with the configured credentials, and start the AD agent. • Discard Changes to discard all changes. • If A[...]

  • Page 203

    8-51 Managing External Identity Stores The External User Groups dialog box appears displaying a list of AD groups in the domain, as well as other trusted domains in the same forest. If you have more groups that are not displayed, use t[...]

  • Page 204

    8-52 Managing External Identity Stores Step 3 Click: • Save Changes to save the configuration. • Discard Changes to discard all changes. Table 8-11 Active Directory: Attributes Page Option Description Name of example Subj[...]

  • Page 205

    8-53 Managing External Identity Stores • If AD is already configured and you want to delete it, click Clear Configuration after you verify that there are no policy rules that use custom conditions based on the AD dictionary. AD D[...]

  • Page 206

    8-54 Managing External Identity Stores RSA SecurID Server ACS supports the RSA SecurID server as an external database. RSA SecurID two-factor authentication consists of the user's personal identification number (PIN) and an indiv[...]

  • Page 207

    8-55 Managing External Identity Stores Override Automatic Load Balancing RSA SecurID Agent automatically balances the requested loads on the RSA SecurID servers in the realm. However, you do have the option to manually balance the [...]

  • Page 208

    8-56 Managing External Identity Stores Step 4 Click the ACS Instance Settings tab. See Configuring ACS Instance Settings, page 8-57 for more information. Step 5 Click the Advanced tab. See Configuring Advanced Options, page 8-59 [...]

  • Page 209

    8-57 Managing External Identity Stores Related Topics: • RSA SecurID Server, page 8-54 • Configuring ACS Instance Settings, page 8-57 • Configuring Advanced Options, page 8-59 Configuring ACS Instance Settings The ACS Instan[...]

  • Page 210

    8-58 Managing External Identity Stores Enable the RSA options file You can enable the RSA options file (sdopts.rec) on each ACS instance to control routing priorities for connections between the RSA agent and the RSA servers in the [...]

  • Page 211

    8-59 Managing External Identity Stores Step 1 Choose either of the following options: • To reset the node secret on the agent host, check the Remove securid file on submit check box. If you reset the node secret on the agent host, you m[...]

  • Page 212

    8-60 Managing External Identity Stores Related Topics • RSA SecurID Server, page 8-54 • Creating and Editing RSA SecurID Token Servers, page 8-55 • Configuring ACS Instance Settings, page 8-57 • Editing ACS Instance Set[...]

  • Page 213

    8-61 Managing External Identity Stores Failover ACS 5.3 allows you to configure multiple RADIUS identity stores. Each RADIUS identity store can have primary and secondary RADIUS servers. When ACS is unable to connect to the primar[...]

  • Page 214

    8-62 Managing External Identity Stores RADIUS Identity Store in Identity Sequence You can add the RADIUS identity store for authentication sequence in an identity sequence. However, you cannot add the RADIUS identity store for at[...]

  • Page 215

    8-63 Managing External Identity Stores Safeword token servers support both the formats. ACS works with various token servers. While configuring a Safeword server, you must check the Safeword Server check box for ACS to parse the [...]

  • Page 216

    8-64 Managing External Identity Stores Step 2 Click Create. You can also: • Check the check box next to the identity store you want to duplicate, then click Duplicate. • Click the identity store name that you want to modif[...]

  • Page 217

    8-65 Managing External Identity Stores Server Connection Enable Secondary Server Check this check box to use a secondary RADIUS identity server as a backup server in case the primary RADIUS identity server fails. If you enable the secon[...]

  • Page 218

    8-66 Managing External Identity Stores Related Topics • RADIUS Identity Stores, page 8-60 • Creating, Duplicating, and Editing RADIUS Identity Servers, page 8-63 • Configuring Shell Prompts, page 8-66 • Configuring Directo[...]

  • Page 219

    8-67 Managing External Identity Stores Configuring Directory Attributes When a RADIUS identity server responds to a request, RADIUS attributes are returned along with the response. You can make use of these RADIUS attributes in polic[...]

  • Page 220

    8-68 Configuring CA Certificates • Configuring Shell Prompts, page 8-66 • Configuring Advanced Options, page 8-68 Configuring Advanced Options In the Advanced tab, you can do the following: • Define what an access reject fro[...]

  • Page 221

    8-69 Configuring CA Certificates You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and prov[...]

  • Page 222

    8-70 Configuring CA Certificates Step 4 Click Submit. The new certificate is saved. The Trust Certificate List page appears with the new certificate. Related Topics • User Certificate Authentication, page B-6 • Overview of [...]

  • Page 223

    8-71 Configuring CA Certificates Step 3 Click Submit. The Trust Certificate page appears with the edited certificate. Related Topics • User Certificate Authentication, page B-6 • Overview of EAP-TLS, page B-6 Deleting a Certifica[...]

  • Page 224

    8-72 Configuring Certificate Authentication Profiles Related Topic • Overview of EAP-TLS, page B-6 Exporting a Certificate Authority To export a trust certificate: Step 1 Select Users and Identity Stores > Certificate Author[...]

  • Page 225

    8-73 Configuring Certificate Authentication Profiles To create, duplicate, or edit a certificate authentication profile: Step 1 Select Users and Identity Stores > Certificate Authentication Profile. The Certificate Authentic[...]

  • Page 226

    8-74 Configuring Identity Store Sequences Configuring Identity Store Sequences An access service identity policy determines the identity sources that ACS uses for authentication and attribute retrieval. An identity source consists[...]

  • Page 227

    8-75 Configuring Identity Store Sequences Step 2 Do one of the following: • Click Create. • Check the check box next to the sequence that you want to duplicate, then click Duplicate. • Click the sequence name that you want to[...]

  • Page 228

    8-76 Configuring Identity Store Sequences Step 3 Click Submit. The Identity Store Sequences page reappears. Related Topics • Performing Bulk Operations for Network Resources and Users, page 7-8 • Viewing Identity Policies, page[...]

  • Page 229

    8-77 Configuring Identity Store Sequences • Managing Internal Identity Stores, page 8-4 • Managing External Identity Stores, page 8-22 • Configuring Certificate Authentication Profiles, page 8-72 • Creating, Duplicating, an[...]

  • Page 230

    8-78 Configuring Identity Store Sequences[...]

  • Page 231

    9-1 CHAPTER 9 Managing Policy Elements A policy defines the authentication and authorization processing of clients that attempt to access the ACS network. A client can be a user, a network device, or a user associated with a network device. Policies are sets of rules.[...]

  • Page 232

    9-2 Managing Policy Conditions You can map users and hosts to identity groups by using the group mapping policy. You can include identity groups in conditions to configure common policy conditions for all users in the group. For more info[...]

  • Page 233

    9-3 Managing Policy Conditions • Deleting a Session Condition, page 9-6 • Managing Network Conditions, page 9-6 See Chapter 3, "ACS 5.x Policy Model" for information about additional conditions that you can use in policy rules, alt[...]

  • Page 234

    9-4 Managing Policy Conditions To add date and time conditions to a policy, you must first customize the rule table. See Customizing a Policy, page 10-4. Step 4 Click Submit. The date and time condition is saved. The Date and Time Condit[...]

  • Page 235

    9-5 Managing Policy Conditions Creating, Duplicating, and Editing a Custom Session Condition The protocol and identity dictionaries contain a large number of attributes. To use any of these attributes as a condition in a policy rule, you[...]

  • Page 236

    9-6 Managing Policy Conditions Step 4 Click Submit. The new custom session condition is saved. The Custom Condition page appears with the new custom session condition. Clients that are associated with this condition are subject to it for th[...]

  • Page 237

    9-7 Managing Policy Conditions ACS offers three types of filters: • End Station Filter—Filters end stations, such as a laptop or printer that initiates a connection based on the end station's IP address, MAC address, CLID number, or[...]

  • Page 238

    9-8 Managing Policy Conditions This section contains the following topics: • Importing Network Conditions, page 9-8 • Exporting Network Conditions, page 9-9 • Creating, Duplicating, and Editing End Station Filters, page 9-9 • Creating,[...]

  • Page 239

    9-9 Managing Policy Conditions Timesaver Instead of downloading the template and creating an import file, you can use the export file of the particular filter, update the information in that file, save it, and reuse it as your import f[...]

  • Page 240

    9-10 Managing Policy Conditions Step 5 Click Submit to save the changes. Related Topics • Managing Network Conditions, page 9-6 • Importing Network Conditions, page 9-8 • Creating, Duplicating, and Editing Device Filters, page 9-12 • [...]

  • Page 241

    9-11 Managing Policy Conditions Defining MAC Address-Based End Station Filters You can create, duplicate, and edit the MAC addresses of end stations or destinations that you want to permit or deny access to. To do this: Step 1 From the MAC [...]

  • Page 242

    9-12 Managing Policy Conditions Step 3 Check the DNIS check box to enter the DNIS number of the destination machine. You can optionally set this field to ANY to refer to any DNIS number. Note You can use ? and * wildcard characters to refer[...]

  • Page 243

    9-13 Managing Policy Conditions Step 5 Click Submit to save the changes. Related Topics • Managing Network Conditions, page 9-6 • Importing Network Conditions, page 9-8 • Creating, Duplicating, and Editing End Station Filters, page 9-[...]

  • Page 244

    9-14 Managing Policy Conditions • Check the check box next to the name-based device filter that you want to edit, then click Edit. A dialog box appears. Step 2 Click Select to choose the network device that you want to filter. Step 3 Cli[...]

  • Page 245

    9-15 Managing Policy Conditions • Check the check box next to the device port filter that you want to edit, then click Edit. • Click Export to save a list of device port filters in a .csv file. For more information, see Exporting Net[...]

  • Page 246

    9-16 Managing Policy Conditions Step 3 Check the Port check box and enter the port number. This field is of type string and can contain numbers or characters. You can use the following wildcard characters: • ?—match a single character ?[...]

  • Pagina 247

9-17 Managing Authorizations and Permissions Defining NDG-Based Device Port Filters You can create, duplicate, and edit the network device group type and the port to which you want to permit or deny access. To do this: Step 1 From the Networ[...]

9-18 Managing Authorizations and Permissions Creating, Duplicating, and Editing Authorization Profiles for Network Access You create authorization profiles to define how different types of users are authorized to access the network. For ex[...]

9-19 Managing Authorizations and Permissions Specifying Authorization Profiles Use this tab to configure the name and description for a network access authorization profile. Step 1 Select Policy Elements > Authorization and Permissions >[...]

9-20 Managing Authorizations and Permissions Table 9-5 Authorization Profile: Common Tasks Page Option Description ACLS Downloadable ACL Name Includes a defined downloadable ACL. See Creating, Duplicating, and Editing Downloadable ACLs, pa[...]

9-21 Managing Authorizations and Permissions Specifying RADIUS Attributes in Authorization Profiles Use this tab to configure which RADIUS attributes to include in the Access-Accept packet for an authorization profile. This tab also displays t[...]

9-22 Managing Authorizations and Permissions Step 3 To configure: • Basic information of an authorization profile; see Specifying Authorization Profiles, page 9-19. • Common tasks for an authorization profile; see Specifying Common At[...]

9-23 Managing Authorizations and Permissions Creating and Editing Security Groups Use this page to view names and details of security groups and security group tags (SGTs), and to open pages to create, duplicate, and edit security groups. When [...]

9-24 Managing Authorizations and Permissions The Common Tasks tab allows you to select and configure the frequently used attributes for the profile. The attributes that are included here are those defined by the TACACS protocol draft s[...]

9-25 Managing Authorizations and Permissions Defining General Shell Profile Properties Use this page to define a shell profile's general properties. Step 1 Select Policy Elements > Authorization and Permissions > Device Administrati[...]

9-26 Managing Authorizations and Permissions Table 9-9 Shell Profile: Common Tasks Option Description Privilege Level Default Privilege (Optional) Enables the initial privilege level assignment that you allow for a client, through shell a[...]

9-27 Managing Authorizations and Permissions Step 3 Click: • Submit to save your changes and return to the Shell Profiles page. • The General tab to configure the name and description for the authorization profile; see Defining General [...]

9-28 Managing Authorizations and Permissions Defining Custom Attributes Use this tab to define custom attributes for the shell profile. This tab also displays the Common Tasks Attributes that you have chosen in the Common Tasks tab. Step[...]

9-29 Managing Authorizations and Permissions After you create command sets, you can use them in authorizations and permissions within rule tables. A rule can contain multiple command sets. See Creating, Duplicating, and Editing a Shell Profile [...]

9-30 Managing Authorizations and Permissions Step 4 Click Submit. The command set is saved. The Command Sets page appears with the command set that you created or duplicated. Table 9-11 Command Set Properties Page Field Description Name Nam[...]

9-31 Managing Authorizations and Permissions Related Topics • Creating, Duplicating, and Editing Authorization Profiles for Network Access, page 9-18 • Creating, Duplicating, and Editing a Shell Profile for Device Administration, page 9-2[...]

9-32 Managing Authorizations and Permissions – Click Start Export to export the DACLs without any encryption. Step 3 Enter valid configuration data in the required fields as shown in Table 9-12, and define one or more ACLs by usin[...]

9-33 Managing Authorizations and Permissions Configuring Security Group Access Control Lists Security group access control lists (SGACLs) are applied at Egress, based on the source and destination SGTs. Use this page to view, create, duplicate[...]

9-34 Managing Authorizations and Permissions[...]

10-1 Chapter 10 Managing Access Policies In ACS 5.3, policy drives all activities. Policies consist mainly of rules that determine the action of the policy. You create access services to define authentication and authorization policies for requests. A global service [...]

10-2 Policy Creation Flow In short, you must determine the: • Details of your network configuration. • Access services that implement your policies. • Rules that define the conditions under which an access service can run. This section[...]

10-3 Policy Creation Flow Policy Elements in the Policy Creation Flow The web interface provides these defaults for defining device groups and identity groups: • All Locations • All Device Types • All Groups The locations, device ty[...]

10-4 Customizing a Policy Policy Creation Flow—Next Steps • Access Service Policy Creation, page 10-4 • Service Selection Policy Creation, page 10-4 Access Service Policy Creation After you create the basic elements, you can create an acce[...]

10-5 Configuring the Service Selection Policy If you have implemented Security Group Access functionality, you can also customize results for authorization policies. Caution If you have already defined rules, be certain that a rule is not u[...]

10-6 Configuring the Service Selection Policy Note If you create and save a simple policy, and then change to a rule-based policy, the simple policy becomes the default rule of the rule-based policy. If you have saved a rule-based policy a[...]

10-7 Configuring the Service Selection Policy To configure a rule-based service selection policy, see these topics: • Creating, Duplicating, and Editing Service Selection Rules, page 10-8 • Deleting Service Selection Rules, page 10-10 A[...]

10-8 Configuring the Service Selection Policy Creating, Duplicating, and Editing Service Selection Rules Create service selection rules to determine which access service processes incoming requests. The Default Rule provides a default access s[...]

10-9 Configuring the Service Selection Policy • The Default Rule—You can change only the access service. See Table 10-3 for field descriptions: Step 4 Click OK. The Service Selection Policy page appears with the rule that you configured.[...]

10-10 Configuring the Service Selection Policy Displaying Hit Counts Use this page to reset and refresh the Hit Count display on the Rule-based Policy page. To display this page, click Hit Count on the Rule-based Policy page. Deleting Servic[...]

10-11 Configuring Access Services Access services contain the authentication and authorization policies for requests. You can create separate access services for different use cases; for example, device administrat[...]

10-12 Configuring Access Services Step 3 Edit the fields in the Allowed Protocols tab as described in Table 10-7. Step 4 Click Submit to save the changes you have made to the default access service. Creating, Duplicating, and Editing Access [...]

10-13 Configuring Access Services Step 2 Do one of the following: • Click Create. • Check the check box next to the access service that you want to duplicate; then click Duplicate. • Click the access service name that you want to mod[...]

10-14 Configuring Access Services Step 3 Click Next to configure the allowed protocols. See Configuring Access Service Allowed Protocols, page 10-15. Description Description of the access service. Access Service Policy Structure Based on serv[...]

10-15 Configuring Access Services Related Topic • Configuring Access Service Allowed Protocols, page 10-15 • Configuring Access Services Templates, page 10-19 Configuring Access Service Allowed Protocols The allowed protocols are the sec[...]

10-16 Configuring Access Services Allow EAP-TLS Enables the EAP-TLS Authentication protocol and configures EAP-TLS settings. You can specify how ACS verifies user identity as presented in the EAP Identity response from the end-user client.[...]

10-17 Configuring Access Services Allow EAP-FAST Enables the EAP-FAST authentication protocol and EAP-FAST settings. The EAP-FAST protocol can support multiple internal protocols on the same server. The default inner method is MSCHAPv2.[...]

10-18 Configuring Access Services Allow EAP-FAST (continued) PAC Options • Tunnel PAC Time To Live—The Time To Live (TTL) value restricts the lifetime of the PAC. Specify the lifetime value and units. The default is one [...]

10-19 Configuring Access Services Step 3 Click Finish to save your changes to the access service. To enable an access service, you must add it to the service selection policy. Configuring Access Services Templates Use a service template to de[...]

10-20 Configuring Access Services Deleting an Access Service To delete an access service: Step 1 Select Access Policies > Access Services. The Access Services page appears with a list of configured services. Step 2 Check one or more check b[...]

10-21 Configuring Access Service Policies You configure access service policies after you create the access service: • Viewing Identity Policies, page 10-21 • Configuring Identity Policy Rule Propert[...]

10-22 Configuring Access Service Policies In the rule-based policy, each rule contains one or more conditions and a result, which is the identity source to use for authentication. You can create, duplicate, edit, and delete rules within the i[...]

10-23 Configuring Access Service Policies Viewing Rules-Based Identity Policies Select Access Policies > Access Services > service > Identity, where <service> is the name of the access service. By default, the Simple Identity P[...]

10-24 Configuring Access Service Policies • Creating Policy Rules, page 10-37 • Duplicating a Rule, page 10-38 • Editing Policy Rules, page 10-38 • Deleting Policy Rules, page 10-39 For information about configuring an identity po[...]

10-25 Configuring Access Service Policies Table 10-11 Identity Rule Properties Page Option Description General Rule Name Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other f[...]

10-26 Configuring Access Service Policies Configuring a Group Mapping Policy Configure a group mapping policy to map groups and attributes that are retrieved from external identity stores to ACS identity groups. When ACS processes a reque[...]

10-27 Configuring Access Service Policies Step 2 Select an identity group. Step 3 Click Save Changes to save the policy. To configure a rule-based policy, see these topics: • Creating Policy Rules, page 10-37 • Duplicating a Rule, [...]

10-28 Configuring Access Service Policies • Deleting Policy Rules, page 10-39 Related Topics • Viewing Identity Policies, page 10-21 • Configuring a Session Authorization Policy for Network Access, page 10-29 • Configuring a Sess[...]

10-29 Configuring Access Service Policies Configuring a Session Authorization Policy for Network Access When you create an access service for network access authorization, it creates a Session Authorization policy. You can then add and modify[...]

10-30 Configuring Access Service Policies Table 10-15 Network Access Authorization Policy Page Option Description Status Rule statuses are: • Enabled—The rule is active. • Disabled—ACS does not apply the results of the rule. • M[...]

10-31 Configuring Access Service Policies Configuring Network Access Authorization Rule Properties Use this page to create, duplicate, and edit the rules to determine access permissions in a network access service. Step 1 Select Access Policie[...]

10-32 Configuring Access Service Policies Configuring Device Administration Authorization Policies A device administration authorization policy determines the authorizations and permissions for network administrators. You create an authorizat[...]

10-33 Configuring Access Service Policies Configuring Device Administration Authorization Rule Properties Use this page to create, duplicate, and edit the rules to determine authorizations and permissions in a device administration access s[...]

10-34 Configuring Access Service Policies Configuring Shell/Command Authorization Policies for Device Administration When you create an access service and select a service policy structure for Device Administration, ACS automatically creates [...]

10-35 Configuring Access Service Policies To configure rules, see: • Creating Policy Rules, page 10-37 • Duplicating a Rule, page 10-38 • Editing Policy Rules, page 10-38 • Deleting Policy Rules, page 10-39 Configuring Authorizatio[...]

10-36 Configuring Access Service Policies To configure rules, see: • Creating Policy Rules, page 10-37 • Duplicating a Rule, page 10-38 • Editing Policy Rules, page 10-38 • Deleting Policy Rules, page 10-39 Related Topics • Confi[...]

10-37 Configuring Access Service Policies Creating Policy Rules When you create rules, remember that the order of the rules is important. When ACS encounters a match as it processes the request of a client that tries to access the ACS network, [...]

10-38 Configuring Access Service Policies Duplicating a Rule You can duplicate a rule if you want to create a new rule that is the same, or very similar to, an existing rule. The duplicate rule name is based on the original rule with parenth[...]

10-39 Configuring Access Service Policies Step 4 Click OK. The Policy page appears with the edited rule. Step 5 Click Save Changes to save the new configuration. Step 6 Click Discard Changes to cancel the edited information. Related Topics[...]

10-40 Configuring Compound Conditions Use compound conditions to define a set of conditions based on any attributes allowed in simple policy conditions. You define compound conditions in a policy rule page;[...]

10-41 Configuring Compound Conditions Note Dynamic attribute mapping is not applicable for ExternalGroups attribute of Type "String Enum" and "Time And Date" attribute of type "Date Time Period". For hierarchic[...]

10-42 Configuring Compound Conditions Figure 10-2 Compound Expression - Atomic Condition Single Nested Compound Condition Consists of a single operator followed by a set of predicates (>=2). The operator is applied between each of the pre[...]

10-43 Configuring Compound Conditions Figure 10-4 Multiple Nested Compound Expression Compound Expression with Dynamic value You can select dynamic value to select another dictionary attribute to compare against the dictionary attribute [...]

10-44 Configuring Compound Conditions Related Topics • Compound Condition Building Blocks, page 10-40 • Using the Compound Expression Builder, page 10-44 Using the Compound Expression Builder You construct compound conditions by using th[...]

10-45 Security Group Access Control Pages Related Topics • Compound Condition Building Blocks, page 10-40 • Types of Compound Conditions, page 10-41 Security Group Access Control Pages This section contains the following topics: • Egress [...]

10-46 Security Group Access Control Pages Related Topic • Creating an Egress Policy, page 4-27 Editing a Cell in the Egress Policy Matrix Use this page to configure the policy for the selected cell. You can configure the SGACLs to apply t[...]

10-47 Security Group Access Control Pages NDAC Policy Page The Network Device Admission Control (NDAC) policy determines the SGT for network devices in a Security Group Access environment. The NDAC policy handles: • Peer authorization re[...]

10-48 Security Group Access Control Pages Related Topics: • Configuring an NDAC Policy, page 4-25 • NDAC Policy Properties Page, page 10-48 NDAC Policy Properties Page Use this page to create, duplicate, and edit rules to determine the[...]

10-49 Security Group Access Control Pages Note For endpoint admission control, you must define an access service and session authorization policy. See Configuring Network Access Authorization Rule Properties, page 10-31 for information about[...]

10-50 Maximum User Sessions Network Device Access EAP-FAST Settings Page Use this page to configure parameters for the EAP-FAST protocol that the NDAC policy uses. To display this page, choose Access Policies > Security Group Access Con[...]

10-51 Maximum User Sessions Max Session User Settings You can configure maximum user session to impose a maximum session value for each user. To configure maximum user sessions: Step 1 Choose Access Policies > Max User Session Policy > [...]

10-52 Maximum User Sessions Unlimited is selected by default. Group level session is applied based on the hierarchy. For example: The group hierarchy is America:US:West:CA and the maximum sessions are as follows: • America: 100 max sessi[...]

10-53 Maximum User Sessions Related topics • Maximum User Sessions, page 10-50 • Max Session User Settings, page 10-51 • Max Session Group Settings, page 10-51 • Purging User Sessions, page 10-53 • Maximum User Session in Distribute[...]

10-54 Maximum User Sessions The Purge User Session page appears with a list of all AAA clients. Step 2 Select the AAA client for which you want to purge the user sessions. Step 3 Click Get Logged-in User List. A list of all the logged in users i[...]

10-55 Maximum User Sessions Maximum User Session in Proxy Scenario Authentication and accounting requests should be sent to the same ACS server, else the Maximum Session feature will not work as desired. Related topics • Maximum User Sessions[...]

10-56 Maximum User Sessions[...]

11-1 Chapter 11 Monitoring and Reporting in ACS The Monitoring and Reports drawer appears in the primary web interface window and contains the Launch Monitoring & Report Viewer option. The Monitoring & Report Viewer provides monitoring, reporting, and troubl[...]

11-2 Authentication Records and Details • Support for non-English characters (UTF-8)—You can have non-English characters in: – Syslog messages—Configurable attribute value, user name, and ACS named configuration objects – G[...]

11-3 Dashboard Pages Note These tabs are customizable, and you can modify or delete the following tabs. • General—The General tab lists the following: – Five most recent alarms—When you click the name of the alarm, a dialog bo[...]

11-4 Working with Portlets – Authentication Snapshot—Provides a snapshot of authentications in the graphical and tabular formats for up to the past 30 days. In the graphical representation, the field based on which the records are[...]

11-5 Working with Portlets Figure 11-1 Portlets Top 5 Alarms and My Favorite Reports appear in separate windows. You can edit each of these portlets separately. To edit a portlet, click the edit button ( ) at the upper-right [...]

11-6 Configuring Tabs in the Dashboard Related Topic • Dashboard Pages, page 11-2 • Running Authentication Lookup Report, page 11-6 Running Authentication Lookup Report When you run an Authentication Lookup report, consider the [...]

11-7 Configuring Tabs in the Dashboard Step 5 Click Add Page. A new tab of your choice is created. You can add the applications that you most frequently monitor in this tab. Adding Applications to Tabs To add an application to a tab:[...]

11-8 Configuring Tabs in the Dashboard Changing the Dashboard Layout You can change the look and feel of the Dashboard. ACS provides you with nine different in-built layouts. To choose a different layout: Step 1 From the Monitorin[...]

12-1 Chapter 12 Managing Alarms The Monitoring feature in ACS generates alarms to notify you of critical system conditions. The monitoring component retrieves data from ACS. You can configure thresholds and rules on this data to manage alarms. Alarm notifications are disp[...]

12-2 Understanding Alarms System Alarms System alarms notify you of critical conditions encountered during the execution of the ACS Monitoring and Reporting viewer. System alarms also provide informational status of system activities, such as data[...]

12-3 Viewing and Editing Alarms in Your Inbox Notifying Users of Events When a threshold is reached or a system alarm is generated, the alarm appears in the Alarms Inbox of the web interface. From this page, you can view the alarm details, add a comme[...]

12-4 Viewing and Editing Alarms in Your Inbox Time Display only. Indicates the time of the associated alarm generation in the format Ddd Mmm dd hh:mm:ss timezone yyyy, where: • Ddd = Sun, Mon, Tue, Wed, Thu, Fri, Sat. • Mmm = Jan, Feb, Mar, A[...]

    12-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Viewing and Editing Ala rms in Your Inbox Conf igure Incremental Backup Data Repository as Remote Reposit ory otherwise backup will fa il and Incremental backup mode will be changed to of f. Wa r n i n g Conf igure Remote Repository und er Purge Conf [...]

  • Page 334

    12-6 Viewing and Editing Alarms in Your Inbox. Full Database Purge: Backup failed: Exception Details (Critical). Incremental Backup Failed: Exception Details (Critical). Log Recovery: Log Message Recovery failed: Exception Details (Critical). View Compress Da[...]

  • Page 335

    12-7 Viewing and Editing Alarms in Your Inbox. Failed to load backup library. Scheduled backup of ACS configuration db failed. Please check ADE.log for more details. (Critical) Symbol lookup error. Scheduled backup of ACS configuration db failed. Ple[...]

  • Page 336

    12-8 Viewing and Editing Alarms in Your Inbox. Note: ACS cannot be used as a remote syslog server, but you can use an external server as a syslog server. If you use an external server as a syslog server, no alarms can be generated in the ACS view as[...]

  • Page 337

    12-9 Understanding Alarm Schedules. • Deleting Alarm Thresholds, page 12-33. Understanding Alarm Schedules. You can create alarm schedules to specify when a particular alarm threshold is run. You can create, edit, and delete alarm schedules. You can [...]

  • Page 338

    12-10 Understanding Alarm Schedules. Step 3 Click Submit to save the alarm schedule. The schedule that you create is added to the Schedule list box in the Threshold pages. Assigning Alarm Schedules to Thresholds. When you create an alarm threshold, you mu[...]

  • Page 339

    12-11 Creating, Editing, and Duplicating Alarm Thresholds. Deleting Alarm Schedules. Note: Before you delete an alarm schedule, ensure that it is not referenced by any thresholds that are defined in ACS. You cannot delete the default schedule (nonstop[...]

  • Page 340

    12-12 Creating, Editing, and Duplicating Alarm Thresholds. Step 2 Do one of the following: • Click Create. • Check the check box next to the alarm that you want to duplicate, then click Duplicate. • Click the alarm name that you want to modi[...]

  • Page 341

    12-13 Creating, Editing, and Duplicating Alarm Thresholds. Related Topics: • Configuring General Threshold Information, page 12-13 • Configuring Threshold Criteria, page 12-14 • Configuring Threshold Notifications, page 12-32. Configuring General[...]

  • Page 342

    12-14 Creating, Editing, and Duplicating Alarm Thresholds. Configuring Threshold Criteria. ACS 5.3 provides the following threshold categories to define different threshold criteria: • Passed Authentications, page 12-14 • Failed Authentications,[...]

  • Page 343

    12-15 Creating, Editing, and Duplicating Alarm Thresholds. Note: You can specify one or more filters to limit the passed authentications that are considered for threshold evaluation. Each filter is associated with a particular attribute in the authen[...]

  • Page 344

    12-16 Creating, Editing, and Duplicating Alarm Thresholds. Related Topics: • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...]

  • Page 345

    12-17 Creating, Editing, and Duplicating Alarm Thresholds. An alarm is triggered because at least one Device IP has greater than 10 failed authentications in the past 2 hours. Note: You can specify one or more filters to limit the failed authentication[...]

  • Page 346

    12-18 Creating, Editing, and Duplicating Alarm Thresholds. Related Topics: • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...]

  • Page 347

    12-19 Creating, Editing, and Duplicating Alarm Thresholds. The aggregation job begins at 00:05 hours every day. From 23:50 hours, up until the time the aggregation job completes, the authentication inactivity alarms are suppressed. For example, if yo[...]

  • Page 348

    12-20 Creating, Editing, and Duplicating Alarm Thresholds. Related Topics: • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...]

  • Page 349

    12-21 Creating, Editing, and Duplicating Alarm Thresholds. Related Topics: • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...]

  • Page 350

    12-22 Creating, Editing, and Duplicating Alarm Thresholds. Related Topics: • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...]

  • Page 351

    12-23 Creating, Editing, and Duplicating Alarm Thresholds. Related Topics: • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...]

  • Page 352

    12-24 Creating, Editing, and Duplicating Alarm Thresholds. Related Topics: • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...]

  • Page 353

    12-25 Creating, Editing, and Duplicating Alarm Thresholds. Related Topics: • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...]

  • Page 354

    12-26 Creating, Editing, and Duplicating Alarm Thresholds. Related Topics: • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...]

  • Page 355

    12-27 Creating, Editing, and Duplicating Alarm Thresholds. Unknown NAD. When ACS evaluates this threshold, it examines the RADIUS or TACACS+ failed authentications that have occurred during the specified time interval up to the previous 24 hours.[...]

  • Page 356

    12-28 Creating, Editing, and Duplicating Alarm Thresholds. Related Topics: • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...]

  • Page 357

    12-29 Creating, Editing, and Duplicating Alarm Thresholds. You can specify one or more filters to limit the failed authentications that are considered for threshold evaluation. Each filter is associated with a particular attribute in the records a[...]

  • Page 358

    12-30 Creating, Editing, and Duplicating Alarm Thresholds. If, in the past four hours, RBACL drops have occurred for two different source group tags as shown in the following table, an alarm is triggered, because at least one SGT has a count gr[...]

  • Page 359

    12-31 Creating, Editing, and Duplicating Alarm Thresholds. NAD-Reported AAA Downtime. When ACS evaluates this threshold, it examines the NAD-reported AAA down events that occurred during the specified interval up to the previous 24 hours. The AAA [...]

  • Page 360

    12-32 Creating, Editing, and Duplicating Alarm Thresholds. Related Topics: • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...]

  • Page 361

    12-33 Deleting Alarm Thresholds. Related Topics: • Viewing and Editing Alarms in Your Inbox, page 12-3 • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Deleting Alarm Thresholds, page 12-33. Deleting Alarm Thresholds. To delete[...]

  • Page 362

    12-34 Configuring System Alarm Settings. System alarms are used to notify users of: • Errors that are encountered by the Monitoring and Reporting services • Information on data purging. Use this page to enable sys[...]

  • Page 363

    12-35 Understanding Alarm Syslog Targets. Alarm syslog targets are the destinations where alarm syslog messages are sent. The Monitoring & Report Viewer sends alarm notifications in the form of syslog messages. [...]

  • Page 364

    12-36 Understanding Alarm Syslog Targets. Step 4 Click Submit. Related Topics: • Understanding Alarm Syslog Targets, page 12-35 • Deleting Alarm Syslog Targets, page 12-36. Deleting Alarm Syslog Targets. Note: You cannot delete the default nonstop[...]

  • Page 365

    13-1 Chapter 13 Managing Reports. The Monitoring & Report Viewer component of ACS collects log and configuration data from various ACS servers in your deployment, aggregates it, and provides interactive reports that help you analyze the data. The Monitoring & Repo[...]

  • Page 366

    13-2 Managing Reports. • Catalog—Monitoring & Reports > Reports > Catalog > <report_type>. For easy access, you can add reports to your Favorites page, from which you can customize and delete reports. You can customize the reports that mus[...]

  • Page 367

    13-3 Working with Favorite Reports. This chapter describes in detail the following: • Working with Favorite Reports, page 13-3 • Sharing Reports, page 13-6 • Working with Catalog Reports, page 13-7 • Viewing Reports, page 13-21 • Format[...]

  • Page 368

    13-4 Working with Favorite Reports. Step 5 Click Add to Favorite. The report is added to your Favorites page. Related Topics: • Working with Favorite Reports, page 13-3 • Viewing Favorite-Report Parameters, page 13-4 • Editing Favori[...]

  • Page 369

    13-5 Working with Favorite Reports. Editing Favorite Reports. After you view the existing parameters in your favorite report, you can edit them. To edit the parameters in your favorite reports: Step 1 Choose Monitoring and Reports > Reports > [...]

  • Page 370

    13-6 Sharing Reports. The report is generated in the page. Step 3 Click Launch Interactive Viewer for more options. Related Topics: • Adding Reports to Your Favorites Page, page 13-3 • Viewing Favorite-Report Parameters, page 13-4 • Runnin[...]

  • Page 371

    13-7 Working with Catalog Reports. Step 7 Click Save. The report is saved in your Shared folder and is available for all users. Working with Catalog Reports. Catalog reports are system reports that are preconfigured in ACS. This section contain[...]

  • Page 372

    13-8 Working with Catalog Reports. Access Service Authentication Summary: Provides RADIUS and TACACS+ authentication summary information for a particular access service for a selected time period, along with a graphical representation. Passed authe[...]

  • Page 373

    13-9 Working with Catalog Reports. ACS System Diagnostics: Provides system diagnostic details based on severity for a selected time period. Internal Operations Diagnostics, distributed management, administrator authentication and authorization To[...]

  • Page 374

    13-10 Working with Catalog Reports. Session Status Summary: Provides the port sessions and status of a particular network device obtained by SNMP. This report uses either the community string provided in the report or the community string configured i[...]

  • Page 375

    13-11 Working with Catalog Reports. Running Catalog Reports. To run a report that is in the Catalog: Step 1 Select Monitoring & Reports > Reports > Catalog > report_type, where report_type is the type of report you want to run. The av[...]

  • Page 376

    13-12 Working with Catalog Reports. Type: Type of report. Modified At: Time that the associated report was last modified by an administrator, in the format Ddd Mmm dd hh:mm:ss timezone yyyy, where: • Ddd = Sun, Mon, Tue, Wed, Thu, Fri,[...]

  • Page 377

    13-13 Working with Catalog Reports. Step 2 Click the radio button next to the report name you want to run, then select one of the options under Run: • Run for Today—The report you specified is run and the generated results are displayed. [...]

  • Page 378

    13-14 Working with Catalog Reports. Table 13-4 Reports > Report Types and Names: <report_type>, <report_name>. AAA Protocol: AAA Diagnostics, Authentication Trend, RADIUS Accounting, RADIUS Authentication, TACACS Accounting, TACACS Authent[...]

  • Page 379

    13-15 Working with Catalog Reports. Related Topics: • Working with Catalog Reports, page 13-7 • Understanding the Report_Name Page, page 13-15. Understanding the Report_Name Page. Note: Not all options listed in Table 13-5 are used in selecting[...]

  • Page 380

    13-16 Working with Catalog Reports. Failure Reason: Enter a failure reason name or click Select to enter a valid failure reason name on which to run your report. Protocol: Use the drop-down list box to select the protocol on which you want to run yo[...]

  • Page 381

    13-17 Working with Catalog Reports. Related Topics: • Working with Catalog Reports, page 13-7 • Working with Favorite Reports, page 13-3 • Available Reports in the Catalog, page 13-7 • Running Catalog Reports, page 13-11. Administrator Na[...]

  • Page 382

    13-18 Working with Catalog Reports. Enabling RADIUS CoA Options on a Device. To view all the RADIUS Active Session reports, you have to enable RADIUS CoA options on the device. To configure the RADIUS CoA options: Step 1 Configure MAB, 802.1X an[...]

  • Page 383

    13-19 Working with Catalog Reports. Figure 13-2 RADIUS Active Session Report. Step 2 Click the CoA link from the RADIUS session that you want to reauthenticate or terminate. The Change of Authorization Request page appears. Step 3 Select a CoA optio[...]

  • Page 384

    13-20 Working with Catalog Reports. • Shared secret mismatch. Step 5 See Troubleshooting RADIUS Authentications, page 14-6, to troubleshoot a failed change of authorization attempt. A failed dynamic CoA will be listed under failed RADIUS authent[...]

  • Page 385

    13-21 Viewing Reports. Step 3 Click Yes to confirm that you want to reset the System Report files to the factory default. The page is refreshed, and the reports in Catalog > report_type are reset to the factory default. Viewing Reports. This section [...]

  • Page 386

    13-22 Viewing Reports. Figure 13-4 Context Menu for Column Data in Interactive Viewer. Figure 13-5 shows the context menu you use to modify labels in Interactive Viewer. To display this menu, select and right-click a label. Use this menu t[...]

  • Page 387

    13-23 Viewing Reports. Navigating Reports. When you open a report in the viewer, you see the first page of data. To view or work with data, you use tools that help you navigate the report. In the viewer, you can page through a report by using the[...]

  • Page 388

    13-24 Viewing Reports. Figure 13-10 Table of Contents Expanded Entry. To navigate to a specific page, click the related link. Exporting Report Data. The viewer supports the ability to export report data to an Excel spreadsheet as a comma-separ[...]

  • Page 389

    13-25 Viewing Reports. In Excel, you can resize columns and format the data as you would do for any other spreadsheet. Step 1 In the viewer, select Export Data. The Export Data dialog box appears, as shown in Figure 13-12. Figure 13-12 The Export Dat[...]

  • Page 390

    13-26 Viewing Reports. Printing Reports. You can print a report that appears in the viewer in HTML or PDF format. Because you can modify the report in Interactive Viewer, Interactive Viewer supports printing either the original report or the repor[...]

  • Page 391

    13-27 Formatting Reports in Interactive Viewer. Step 2 Navigate to the location where you want to save the file. Step 3 Type a file name and click Save. Step 4 Click OK on the confirmation message that appears. Formatting Reports in Interactive View[...]

  • Page 392

    13-28 Formatting Reports in Interactive Viewer. Step 2 Select Change Text. The Edit Text dialog box appears. Step 3 Modify the text as desired and click Apply. Formatting Labels. To modify the formatting of a label: Step 1 Click on the label and th[...]

  • Page 393

    13-29 Formatting Reports in Interactive Viewer. Changing Column Data Alignment. To change the alignment of data in a column, right-click the column and select Alignment from the context menu. Then, choose one of the alignment options: Left, Center, or[...]

  • Page 394

    13-30 Formatting Reports in Interactive Viewer. Formatting Data Types. In an information object, as in the relational databases on which information objects are based, all the data in a column is of the same data type, excluding the column header. The[...]

  • Page 395

    13-31 Formatting Reports in Interactive Viewer. Formatting Numeric Data. Numeric data can take several forms. A column of postal codes requires different formatting from a column of sales figures. Figure 13-16 shows the numeric formats you can use. Figu[...]

  • Page 396

    13-32 Formatting Reports in Interactive Viewer. Step 7 In Negative Numbers, select an option for displaying negative numbers, by using either a minus sign before the number or parentheses around the number. Step 8 Click Apply. Formatting Fixed o[...]

  • Page 397

    13-33 Formatting Reports in Interactive Viewer. Step 3 In the Format Code field, type a format pattern similar to those shown in Table 13-7. Step 4 Click Apply. Formatting String Data. Step 1 To define the format for a column that contains string data,[...]

  • Page 398

    13-34 Formatting Reports in Interactive Viewer. Step 1 Select a string data column, then click Format. The String column format window appears. Step 2 In the Format String as field, select Custom. A second field, Format Code, appears. Step 3 In the F[...]

  • Page 399

    13-35 Formatting Reports in Interactive Viewer. Table 13-6 shows the standard date-and-time data type formats. Step 1 Select a column that contains date or time data, then click Format. The Date and Time Format window appears. Step 2 In Format Da[...]

  • Page 400

    13-36 Formatting Reports in Interactive Viewer. Formatting Boolean Data. A Boolean expression evaluates to True or False. For example, you create a calculated column with the following expression: ActualShipDate <= TargetShipDate. If the actual sh[...]

  • Page 401

    13-37 Formatting Reports in Interactive Viewer. Figure 13-18 Conditional Formatting in Interactive Viewer. You can affect the formatting of one column based on the value in another column. For example, if you select the CustomerName column, you ca[...]

  • Page 402

    13-38 Formatting Reports in Interactive Viewer. b. In the next field, use the drop-down list to select the operator to apply to the column you selected. You can select Equal to, Less than, Less than or Equal to, and so on. Depending on your selection[...]

  • Page 403

    13-39 Formatting Reports in Interactive Viewer. Step 4 On Conditional Formatting, choose Format, and set the formatting for the conditional text. You can set the font, font size, font color, and background color. You can also specify displayi[...]

  • Page 404

    13-40 Formatting Reports in Interactive Viewer. Figure 13-23 Removing a Conditional Format in Interactive Viewer. Step 4 Click Apply. Setting and Removing Page Breaks in Detail Columns. In Interactive Viewer, you can force page breaks after a pre[...]

  • Page 405

    13-41 Organizing Report Data. Figure 13-24 Setting a Page Break. Step 3 Specify whether to set a page break before every group, or for every group except the first or last groups. To delete an existing page break, select None in Before group or Af[...]

  • Page 406

    13-42 Organizing Report Data. Reordering Columns in Interactive Viewer. To reorder columns: Step 1 Select and right-click a column. Step 2 From the context menu, select Column > Reorder Columns. The Arrange Columns window appears. Step 3 Select the c[...]

  • Page 407

    13-43 Organizing Report Data. Figure 13-26 Move to Group Header Dialog Box. Step 3 From the Move to Group field, select a value. Step 4 In the Header row field, select the row number in which to move the value you selected in Step 3. Step 5 Click A[...]

  • Page 408

    13-44 Organizing Report Data. Hiding or Displaying Report Items. To hide or display report items: Step 1 Select and right-click a column. Step 2 Select Hide or Show Items. The Hide or Show Items dialog box appears, similar to Figure 13-28. Figure 13-28[...]

  • Page 409

    13-45 Organizing Report Data. Displaying Hidden Columns. To display hidden columns: Step 1 Select and right-click a column. Step 2 Select Column > Show Columns. The Show Columns dialog box appears. Step 3 Select any items you want to display. Use C[...]

  • Page 410

    13-46 Organizing Report Data. Figure 13-30 Merged Column. To merge data in multiple columns: Step 1 Select and right-click the columns. Step 2 Select Column > Merge Columns. Selecting a Column from a Merged Column. You can aggregate, filter, and g[...]

  • Page 411

    13-47 Organizing Report Data. Sorting Data. When you place data in a report design, the data source determines the default sort order for the data rows. If the data source sorts a column in ascending order, the column is sorted in ascending order in the [...]

  • Page 412

    13-48 Organizing Report Data. Figure 13-31 Sorting Multiple Columns. If the report uses grouped data, the drop-down lists in Advanced Sort show only the detail columns in the report, not the columns you used to group the data. Grouping Data. A repor[...]

  • Page 413

    13-49 Organizing Report Data. Figure 13-32 Ungrouped Data. To organize all this information into a useful inventory report, you create data groups and data sections. Data groups contain related data rows. For example, you can create a report that [...]

  • Page 414

    13-50 Organizing Report Data. Adding Groups. To add groups: Step 1 Select and right-click the column you want to use to create a group. Step 2 From the context menu, select Group > Add Group. The new group appears in the viewer. As shown in Fig[...]

  • Page 415

    13-51 Organizing Report Data. Step 4 To set a grouping interval, select Group every, enter a value, and select the grouping interval. For example, to create a new group for every month, type 1 and select Month from the drop-down list. The report[...]

  • Page 416

    13-52 Organizing Report Data. Figure 13-37 Calculated Column. To create a calculation, you: • Provide a title for the calculated column. • Write an expression that indicates which data to use and how to display the calculated data in the report. Th[...]

  • Page 417

    13-53 Organizing Report Data. Understanding Supported Calculation Functions. Table 13-11 provides examples of the functions you can use to create calculations. Note: The Calculation dialog box does not support the use of uppercase TRUE and FALSE functi[...]

  • Page 418

    13-54 Organizing Report Data. COUNT( ): Counts the rows in a table. Example: COUNT( ). COUNT(groupLevel): Counts the rows at the specified group level. Example: COUNT(2). COUNTDISTINCT(expr): Counts the rows that contain distinct values in a table. Example: COUNTDISTINCT([Custome[...]

  • Page 419

    13-55 Organizing Report Data. FIRST(expr, groupLevel): Displays the first value that appears in the specified column at the specified group level. Example: FIRST([customerID], 3). IF(condition, doIfTrue, doIfFalse): Displays the result of an If...Then...Else st[...]

ISTOPNPERCENT(expr, percent, groupLevel): Displays True if the value is within the highest n percentage values for the expression at the specified group level, and False otherwise. Example: ISTOPNPERCENT([SalesTotals], 5, 3) [...]

MONTH(date, option): Displays the month of a specified date-and-time value, in one of three optional formats:
• 1 - Displays the month number of 1 through 12.
• 2 - Displays the complete month name in the user's loc[...]

RANK(expr): Displays the rank of a number, string, or date-and-time value, starting at 1. Duplicate values receive identical rank but the duplication does not affect the ranking of subsequent values. Example: RANK([AverageStar[...]

TRIM(str): Displays a string with all leading and trailing blank characters removed. Also removes all consecutive blank characters. Leading and trailing blanks can be spaces, tabs, and so on. Example: TRIM([customerNa[...]

Understanding Supported Operators
Table 13-12 describes the mathematical and logical operators you can use in writing expressions that create calculated columns.
Using Numbers and Dates in an Expression
When you create a[...]

Using Multiply Values in Calculated Columns
To use multiply values in calculated columns:
Step 1 Select a column. In the report, the new calculated column appears to the right of the column you select.
Step 2 Select Add Ca[...]

Step 7 For the second argument, type the number of days to add. In this case, type 7.
Step 8 Validate the expression, then click Apply. The new calculated column appears in the report. For every value in the Order Da[...]

Figure 13-39 Aggregate Row for a Group
Table 13-13 shows the aggregate functions that you can use.
Table 13-13 Aggregate Functions
Aggregate function: Description
Average: Calculates the average value of a set of da[...]

Creating an Aggregate Data Row
To create an aggregate data row:
Step 1 Select a column, then select Aggregation. The Aggregation dialog box appears. The name of the column you selected is listed in the Selected Column f[...]

Adding Additional Aggregate Rows
After you create a single aggregate row for a column, you can add up to two more aggregate rows for the same column. For an item total column, for example, you can create a sum of all the [...]

Hiding and Filtering Report Data
Deleting Aggregate Rows
To delete an aggregate row:
Step 1 Select the calculated column that contains the aggregation you want to remove, then select Aggregation. The Aggregation dialog box appears, disp[...]

Figure 13-43 Suppressed Values
You can suppress duplicate values to make your report easier to read. You can suppress only consecutive occurrences of duplicate values. In the Location column in Figure 13-[...]

Figure 13-44 Group Detail Rows Displayed
Figure 13-45 shows the results of hiding the detail rows for the creditrank grouping.
Figure 13-45 Group Detail Rows Hidden
• To collapse a group or section, selec[...]

Types of Filter Conditions
Table 13-15 describes the types of filter conditions and provides examples of how filter conditions are translated into instructions to the data source.
Bottom N: Returns the lowest[...]

Setting Filter Values
After you choose a condition, you set a filter value.
Step 1 To view all the values for the selected column, select Select Values. Additional fields appear in the Filter dialog box as s[...]

Figure 13-46 Selecting a Filter Value in Interactive Viewer
Step 2 To search for a value, type the value in the Find Value field, then click Find. All values that match your filter text are returned. For e[...]

Step 3 From the Condition pulldown menu, select a condition. Table 13-14 describes the conditions you can select.
• If you select Between or Not Between, Value From and Value To, additional fields a[...]

Figure 13-47 The Advanced Filter Dialog Box in Interactive Viewer
Advanced Filter provides a great deal of flexibility in setting the filter value. For conditions that test equality and for the Between co[...]

Step 7 Validate the filter syntax by clicking Validate. You have now created a filter with one condition. The next step is to add conditions.
Step 8 Follow steps Step 3 to Step 7 to create each additi[...]

Understanding Charts
Step 2 From the Filter pulldown menu, select a particular number of rows or a percentage of rows, as shown in Figure 13-48.
Step 3 Enter a value in the field next to the Filter pulldown menu to specify the number or pe[...]

Figure 13-49 Parts of a Basic Bar Chart
There are a variety of chart types. Some types of data are best depicted with a specific type of chart. Charts can be used as reports in themselves and they can be used together wi[...]

Changing Chart Subtype
Charts have subtypes, which you can change as needed:
• Bar chart—Side-by-Side, Stacked, Percent Stacked
• Line chart—Overlay, Stacked, Percent Stacked
• Area chart—Overlay, Stacked, Percen[...]

Figure 13-50 Chart Formatting Options
You use this page to:
• Edit and format the default chart title.
• Edit and format the default title for the category, or x-, axis.
• Modify settings for the labels on the x-[...]

Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer (User Guide for Cisco Secure Access Control System 5.3, OL-24201-01, page 14-1)
This chapter describes the diagnostic and troubleshooting tools that the Monitoring & Report Viewer provides for the Cisco Secure Access Control System. This chapter contains the following sec[...]

Available Diagnostic and Troubleshooting Tools
Support bundles typically contain the ACS database, log files, core files, and Monitoring & Report Viewer support files. You can exclude certai[...]

Performing Connectivity Tests
You can test your connectivity to a network device with the device's hostname or IP address. For example, you can verify your connectio[...]

Downloading ACS Support Bundles for Diagnostic Information
Related Topics
• Available Diagnostic and Troubleshooting Tools, page 14-1
• Connectivity Tests, page 14-1
• ACS Support Bundle, [...]

Working with Expert Troubleshooter
• Include core files—Check this check box to include core files, then click All or click Include files from the last and enter a value from 1 to 365 in the day(s[...]

• Comparing IP-SGT Pairs on a Device with ACS-Assigned SGT Records, page 14-14
• Comparing Device SGT with ACS-Assigned Device SGT, page 14-15
Related Topics
•[...]

Step 4 Click Search to display the RADIUS authentications that match your search criteria. The Search Result table is populated with the results of your search. The fol[...]

Step 8 Click Done to return to the Expert Troubleshooter. The Progress Details page refreshes periodically to display the tasks that are performed as troubleshooting[...]

Step 10 Click Done to return to the Expert Troubleshooter. The Monitoring & Report Viewer provides you the diagnosis, steps to resolve the problem, and trouble[...]

Step 3 Click Run to run the show command on the specified network device. The Progress Details page appears. The Monitoring & Report Viewer prompts you for ad[...]

Step 3 Click Run. The Progress Details page appears. The Monitoring & Report Viewer prompts you for additional input.
Step 4 Click the User Input Required bu[...]

3. Compares the SGACL policy obtained from the network device with the SGACL policy obtained from ACS.
4. Displays the source SGT—destination SGT pair if the[...]

Step 4 Click SXP-IP Mappings from the list of troubleshooting tools. The Expert Troubleshooter page refreshes and shows the following field: Network Device IP—E[...]

Step 10 Click Show Results Summary to view the diagnosis and resolution steps. The Results Summary page appears with the information described in Table 14-6. Relate[...]

Step 6 Click Show Results Summary to view the diagnosis and resolution steps.
Related Topics
• Available Diagnostic and Troubleshooting Tools, page 14-1
• Co[...]

Step 3 Click Run. The Progress Details page appears with a summary.
Step 4 Click Show Results Summary to view the results of device SGT comparison. The Results Summ[...]

Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer (User Guide for Cisco Secure Access Control System 5.3, OL-24201-01, page 15-1)
This chapter describes the tasks that you must perform to configure and administer the Monitoring & Report Viewer. The Monitoring Configuration drawer allows you t[...]

• Configure and edit failure reasons—The Monitoring & Report Viewer allows you to configure the description of the failure reason code and provide instructions to r[...]

Configuring Data Purging and Incremental Backup
• Configuring Alarm Syslog Targets, page 15-17
• Configuring Remote Database Settings, page 15-17
Configuring Data Purging and [...]

– If the database disk usage is greater than 83 GB, a backup is run immediately followed by a purge until the database disk [...]

• ACS displays an alert message when the difference between the physical and actual size of the view database is greater than 10[...]

Configuring NFS staging
If the utilization of /opt exceeds 30%, then it is required to use NFS staging with a remote repositor[...]

Restoring Data from a Backup
Use this page to restore data from the View database that was backed up earlier. You can restore data from an incrementa[...]

Viewing Log Collections
Note You can use the refresh symbol to refresh the contents of the page.
Related Topic
Log Collection Details Page, page 15-9
Table 15-3 Log Collecti[...]

Log Collection Details Page
Use this page to view the recently collected log names for an ACS server.
Step 1 From the Monitoring & Report Viewer, sel[...]

Related Topic
• Viewing Log Collections, page 15-7
Table 15-4 Log Collection Details Page
Option: Description
Log Name: Name of the log file.
Last Sy[...]

Recovering Log Messages
ACS server sends syslog messages to the Monitoring and Report Viewer for the activities such as passed authentication, failed at[...]

Viewing Scheduled Jobs
Note When you change any schedule through the ACS web interface, for the new schedule to take effect, you must manually restart the Job Manager proces[...]

Viewing Process Status
Use this page to view the status of processes running in your ACS environment. From the Monitoring & Report Viewer, select Mon[...]

Viewing Data Upgrade Status
After you upgrade to ACS 5.3, ensure that the Monitoring & Report Viewer database upgrade is complete. You can do [...]

Related Topic
Viewing Failure Reasons, page 15-14
Specifying E-Mail Settings
Use this page to specify the e-mail server and administrator e-mail address. [...]

Understanding Collection Filters
You can create collection filters that allow you to filter and drop syslog events that are not used for mon[...]

Configuring System Alarm Settings
Related Topics
• Creating and Editing Collection Filters, page 15-16
• Deleting Collection Filters, page 15-17
Deleting Collection Filters
T[...]

Configuring Remote Database Settings
Step 1 From the Monitoring & Report Viewer, choose Monitoring Configuration > System Configuration > Remote Database Settings [...]

Chapter 16 Managing System Administrators (User Guide for Cisco Secure Access Control System 5.3, OL-24201-01, page 16-1)
System administrators are responsible for deploying, configuring, maintaining, and monitoring the ACS servers in your network. They can perform various operations in ACS through the ACS administrative interface. When you [...]

Understanding Administrator Roles and Accounts
• Configure administrator session setting
• Configure administrator access setting
The first time you log in to ACS 5.3, you are prompted for the predefined administrator userna[...]

Configuring System Administrators and Accounts
Understanding Authentication
An authentication request is the first operation for every management session. If authentication fails, the management session is terminated. But if auth[...]

Understanding Roles
Permissions
A permission is an access right that applies to a specific administrative task. Permissions consist of:
• A Resource – The list of ACS components that an administrator can access, such as net[...]

Note At first login, only the Super Admin is assigned to a specific administrator.
Related Topics
• Administrator Accounts and Role Association
• Creating, Duplicating, Editing, and Deleting Administrato[...]

Creating, Duplicating, Editing, and Deleting Administrator Accounts
Administrator Accounts and Role Association
Administrator account definitions consist of a name, status, description, e-mail address, password, and role assignmen[...]

Step 2 Do any of the following:
• Click Create.
• Check the check box next to the account that you want to duplicate and click Duplicate.
• Click the acco[...]

Viewing Predefined Roles
The new account is saved. The Administrators page appears, with the new account that you created or duplicated.
Related Topics
• Understanding Roles, page 16-3
• Administrator Accounts and Role Associa[...]

Configuring Authentication Settings for Administrators
Related Topics
• Understanding Roles, page 16-3
• Administrator Accounts and Role Association, page 16-6
• Configuring Authentication Settings for Administrators, page 16-[...]

Note ACS automatically deactivates or disables your account based on your last login, last password change, or number of login retries. The CLI and PI user accounts are blo[...]

Related Topics
• Understanding Roles, page 16-3
• Administrator Accounts and Role Association, page 16-6
• Viewing Predefined Roles, page 16-8
Configuring Session Idle Timeout
A GUI session, [...]

Resetting the Administrator Password
Step 3 Click Create in the IP Range(s) area. A new window appears. Enter the IP address of the machine from which you want to allow remote access to ACS. Enter a subnet mask for an entire IP a[...]

Changing the Administrator Password
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/reference/cli_app_a.html#wp1893005
Note You cannot reset the administrator password through the AC[...]

Resetting Another Administrator's Password
To reset another administrator's password:
Step 1 Choose System Administration > Administrators > Accounts. The Accounts page appears with [...]

Chapter 17 Configuring System Operations (User Guide for Cisco Secure Access Control System 5.3, OL-24201-01, page 17-1)
You can configure and deploy ACS instances so that one ACS instance becomes the primary instance and the other ACS instances can be registered to the primary as secondary instances. An ACS instance represents ACS software t[...]

Understanding Distributed Deployment
You can configure multiple ACS servers in a deployment. Within any deployment, you designate one server as the primary server and all the other servers are [...]

Note ACS 5.3 does not support the large deployment with more than ten ACS instances (one primary and nine secondaries). For more information on ACS server deployments, see: http://www.cisco.co[...]

• Understanding Distributed Deployment, page 17-2
Promoting a Secondary Server
There can be one server only that is functioning as the primary server. However, you can promote a secondary [...]

Understanding Full Replication
Under normal circumstances, each configuration change is propagated to all secondary instances. Unlike ACS 4.x where full replication was performed, in ACS 5.3, o[...]

• Using the Deployment Operations Page to Create a Local Mode Instance, page 17-22
Scheduled Backups
You can schedule backups to be run at periodic intervals. You can schedule backups from the primary web in[...]

Step 2 Click Submit to schedule the backup.
Related Topic
Backing Up Primary and Secondary Instances, page 17-7
Backing Up Primary and Secondary Instances
ACS provides you the option to back [...]

Step 4 Click Submit to run the backup immediately.
Related Topic
Scheduled Backups, page 17-6
Synchronizing Primary and Secondary Instances After Backup and Resto[...]

Editing Instances
The Distributed System Management page appears with two tables:
• Primary Instance table — Shows the primary instance. The primary instance is created as part of the installation process.
• Secondary Instances [...]

Step 2 From the Primary Instance table, click the primary instance that you want to modify, or check the Name check box and click Edit.
Step 3 Complete the fields in the Distributed System Management Properties pa[...]

Step 4 Click Submit.
Port: Port for Management service.
MAC Address: MAC address for the instance.
Description: Description of the primary or secondary instance.
Check Secondary Every (only applies for primary instance)[...]

The Primary Instance table on the Distributed System Management page appears with the edited primary instance.
Related Topics
• Replicating a Secondary Instance from a Primary Instance, page 17-18
• Viewing [...]

Activating a Secondary Instance
The following warning message appears: Are you sure you want to delete the selected item/items?
Step 5 Click OK. The Secondary Instances table on the Distributed System Management page appears witho[...]

Registering a Secondary Instance to a Primary Instance
Table 17-6 System Operations: Deployment Operations Page
Option: Description
Instance Status
Current Status: Identifies the instance of the node you log in to as primary or [...]

Step 3 Specify the appropriate values in the Registration Section.
Step 4 Click Register to Primary. The following warning message is displayed. This operation will register t[...]

  • Page 506

    17-16 Chapter 17 Configuring System Operations. Deregistering Secondary Instances from the Distributed System Management Page. To deregister secondary instances from the Distributed System Management [...]

  • Page 507

    17-17 Chapter 17 Configuring System Operations, Promoting a Secondary Instance from the Distributed System Management Page. The system displays the following warning message: This operation will deregister this server as a secondary with the primary server. ACS will be restar[...]

  • Page 508

    17-18 Chapter 17 Configuring System Operations. Promoting a Secondary Instance from the Deployment Operations Page. To promote a secondary instance to a primary instance from the Deployment Operations page: Ste[...]

  • Page 509

    17-19 Chapter 17 Configuring System Operations, Replicating a Secondary Instance from a Primary Instance. Replicating a Secondary Instance from the Distributed System Management Page. Note All ACS appliances must be in sync with the AD domain clock. To replicate a secondary inst[...]

  • Page 510

    17-20 Chapter 17 Configuring System Operations, Replicating a Secondary Instance from a Primary Instance. The Distributed System Management page appears. On the Secondary Instance table, the Replication Status column shows UPDATED. Replication is complete on the secondary ins[...]

  • Page 511

    17-21 Chapter 17 Configuring System Operations, Replicating a Secondary Instance from a Primary Instance. Failover: ACS 5.3 allows you to configure multiple ACS instances for a deployment scenario. Each deployment can have one primary and multiple secondary ACS servers. Scen[...]

  • Page 512

    17-22 Chapter 17 Configuring System Operations, Using the Deployment Operations Page to Create a Local Mode Instance. Cleanup....... Starting ACS.... The database on the primary server is restored successfully. Now, you can observe that all secondary servers in the distribute[...]

  • Page 513

    17-23 Chapter 17 Configuring System Operations, Using the Deployment Operations Page to Create a Local Mode Instance. You can use the configuration information on the ACS Configuration Audit report to manually restore the configuration information for this instance. Creating,[...]

  • Page 514

    17-24 Chapter 17 Configuring System Operations, Using the Deployment Operations Page to Create a Local Mode Instance. Step 4 Click Submit. The new software repository is saved. The Software Repository page appears, with the new software repository that you created, duplicated,[...]

  • Page 515

    18-1 CHAPTER 18 Managing System Administration Configurations. After you install Cisco Secure ACS, you must configure and administer it to manage your network efficiently. The ACS web interface allows you to easily configure ACS to perform various operations. For a lis[...]

  • Page 516

    18-2 Chapter 18 Managing System Administration Configurations, Configuring Global System Options. Configuring EAP-TLS Settings: Use the EAP-TLS Settings page to configure EAP-TLS runtime characteristics. Select System Administration > Configuration > Global System Options > E[...]

  • Page 517

    18-3 Chapter 18 Managing System Administration Configurations, Configuring Global System Options. Configuring PEAP Settings: Use the PEAP Settings page to configure PEAP runtime characteristics. Select System Administration > Configuration > Global System Options > PEAP S[...]

  • Page 518

    18-4 Chapter 18 Managing System Administration Configurations, Configuring RSA SecurID Prompts. Generating EAP-FAST PAC: Use the EAP-FAST Generate PAC page to generate a user or machine PAC. Step 1 Select System Administration > Configuration > Global System Options > E[...]

  • Page 519

    18-5 Chapter 18 Managing System Administration Configurations, Managing Dictionaries. Step 3 Click Submit to configure the RSA SecurID Prompts. Managing Dictionaries: The following tasks are available when you select System Administration > Configuration > Dictionaries: [...]

  • Page 520

    18-6 Chapter 18 Managing System Administration Configurations, Managing Dictionaries. • RADIUS (RedCreek) • RADIUS (US Robotics) • TACACS+ To view and choose attributes from a protocol dictionary, select System Administration > Configuration > Dictionaries >[...]

  • Page 521

    18-7 Chapter 18 Managing System Administration Configurations, Managing Dictionaries. Step 3 Click Submit to save the changes. Related Topics: Viewing RADIUS and TACACS+ Attributes, page 18-5. Creating, Duplicating, and Editing RADIUS Vendor-Specific Subattributes: To create, dup[...]

  • Page 522

    18-8 Chapter 18 Managing System Administration Configurations, Managing Dictionaries. Table 18-9 Creating, Duplicating, and Editing RADIUS Subattributes (Option, Description). General. Attribute: Name of the subattribute. The name must be unique. Description: (Optional) A brief descr[...]

  • Page 523

    18-9 Chapter 18 Managing System Administration Configurations, Managing Dictionaries. Step 4 Click Submit to save the subattribute. Viewing RADIUS Vendor-Specific Subattributes: To view the attributes that are supported by a particular RADIUS vendor: Step 1 Choose System Admi[...]

  • Page 524

    18-10 Chapter 18 Managing System Administration Configurations, Managing Dictionaries. Related Topic: Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes, page 18-6. Configuring Identity Dictionaries: This section contains the following topics: • Creating, Duplica[...]

  • Page 525

    18-11 Chapter 18 Managing System Administration Configurations, Managing Dictionaries. Configuring Internal Identity Attributes: Table 18-10 describes the fields in the internal <users | hosts> identity attributes. Table 18-10 Identity Attribute Properties Page. Optio[...]

  • Page 526

    18-12 Chapter 18 Managing System Administration Configurations, Managing Dictionaries. Deleting an Internal User Identity Attribute: To delete an internal user identity attribute: Step 1 Select System Administration > Configuration > Dictionaries > Identity > Internal [...]

  • Page 527

    18-13 Chapter 18 Managing System Administration Configurations, Managing Dictionaries. Creating, Duplicating, and Editing an Internal Host Identity Attribute: To create, duplicate, and edit an internal host identity attribute: Step 1 Select System Administration > Configuratio[...]

  • Page 528

    18-14 Chapter 18 Managing System Administration Configurations, Configuring Local Server Certificates. Adding Static IP Address to Users in Internal Identity Store: To add a static IP address to a user in the Internal Identity Store: Step 1 Add a static IP attribute to internal user attr[...]

  • Page 529

    18-15 Chapter 18 Managing System Administration Configurations, Adding Local Server Certificates. Step 2 Click Add. Step 3 Enter the information in the Local Certificate Store Properties page as described in Table 18-12: Importing Server Certificates and Associating Certifica[...]

  • Page 530

    18-16 Chapter 18 Managing System Administration Configurations, Adding Local Server Certificates. Step 4 Click Finish. The new certificate is saved. The Local Certificate Store page appears with the new certificate. Generating Self-Signed Certificates: Step 1 Select System Administ[...]

  • Page 531

    18-17 Chapter 18 Managing System Administration Configurations, Adding Local Server Certificates. Step 4 Click Finish. The new certificate is saved. The Local Certificate Store page appears with the new certificate. Generating a Certificate Signing Request: Step 1 Select System Ad[...]

  • Page 532

    18-18 Chapter 18 Managing System Administration Configurations, Adding Local Server Certificates. Step 1 Select System Administration > Configurations > Local Server Certificates > Local Certificates > Add. Step 2 Select Bind CA Signed Certificate > Next. Step 3 En[...]

  • Page 533

    18-19 Chapter 18 Managing System Administration Configurations, Adding Local Server Certificates. Step 4 Click Submit to extend the existing certificate's validity. The Local Certificate Store page appears with the edited certificate. Related Topic • Configuring Local Serv[...]

  • Page 534

    18-20 Chapter 18 Managing System Administration Configurations, Adding Local Server Certificates. Exporting Certificates: To export a certificate: Step 1 Select System Administration > Configuration > Local Server Certificates > Local Certificates. Step 2 Check the box[...]

  • Page 535

    18-21 Chapter 18 Managing System Administration Configurations, Configuring Logs. Configuring Logs: Log records are generated for: • Accounting messages • AAA audit and diagnostics messages • System diagnostics messages • Administrative and operational audit messages The me[...]

  • Page 536

    18-22 Chapter 18 Managing System Administration Configurations, Configuring Logs. • Remote Log Targets > Duplicate: “log_target”, where log_target is the name of the remote log target you selected in Step 2, if you are duplicating a remote log target. • Remote Log[...]

  • Page 537

    18-23 Chapter 18 Managing System Administration Configurations, Configuring Logs. Deleting a Remote Log Target: To delete a remote log target: Step 1 Select System Administration > Configuration > Log Configuration > Remote Log Targets. The Remote Log Targets page app[...]

  • Page 538

    18-24 Chapter 18 Managing System Administration Configurations, Configuring Logs. Step 1 Select System Administration > Configuration > Log Configuration > Local Log Target. The Local Configuration page appears. Step 2 Click Delete Logs Now to immediately delete all loc[...]

  • Page 539

    18-25 Chapter 18 Managing System Administration Configurations, Configuring Logs. If you have completed your configuration, proceed to Step 6. Step 4 To configure a remote syslog target, click the Remote Syslog Target and proceed to Step 5. Step 5 Complete the Remote Syslog [...]

  • Page 540

    18-26 Chapter 18 Managing System Administration Configurations, Configuring Logs. Table 18-22 lists a set of administrative and operational logs under various categories that are not logged to the local target. Table 18-22 Administrative and Operational Logs Not Logged in t[...]

  • Page 541

    18-27 Chapter 18 Managing System Administration Configurations, Configuring Logs. Related Topic • Configuring Per-Instance Logging Categories, page 18-29 • Viewing ADE-OS Logs, page 18-28. Software-Management • ACS_UPGRADE—ACS upgraded • ACS_PATCH—ACS pa[...]

  • Page 542

    18-28 Chapter 18 Managing System Administration Configurations, Configuring Logs. Viewing ADE-OS Logs: The logs listed in Table 18-22 are written to the ADE-OS logs. From the ACS CLI, you can use the following command to view the ADE-OS logs: show logging system This command list[...]

  • Page 543

    18-29 Chapter 18 Managing System Administration Configurations, Configuring Logs.
    Sep 29 06:28:28 cd-acs5-13-103 MSGCAT58004/admin: ACS Stopped
    Sep 29 06:31:41 cd-acs5-13-103 MSGCAT58037/admin: Installing ACS
    Sep 29 09:52:35 cd-acs5-13-103 MSGCAT58007: Killing Tomcat 32729
    Sep 29 09:[...]

  • Page 544

    18-30 Chapter 18 Managing System Administration Configurations, Configuring Logs. Configuring Per-Instance Security and Log Settings: You can configure the severity level and local log settings in a logging category configuration for a specific overridden or custom ACS insta[...]

  • Page 545

    18-31 Chapter 18 Managing System Administration Configurations, Configuring Logs. Configuring Per-Instance Remote Syslog Targets: Use this page to configure remote syslog targets for logging categories. Step 1 Select System Administration > Configuration > Log Configuration [...]

  • Page 546

    18-32 Chapter 18 Managing System Administration Configurations, Configuring Logs. Displaying Logging Categories: You can view a tree of configured logging categories for a specific ACS instance. In addition, you can configure a logging category's severity level, log targe[...]

  • Page 547

    18-33 Chapter 18 Managing System Administration Configurations, Configuring Logs. Configuring the Log Collector: Use the Log Collector page to select a log data collector and suspend or resume log data transmission. Step 1 Select System Administration > Configuration > Log C[...]

  • Page 548

    18-34 Chapter 18 Managing System Administration Configurations. Licensing Overview: To operate ACS, you must install a valid license. ACS prompts you to install a valid base license when you first access the web interface. Each ACS instance (primary or second[...]

  • Page 549

    18-35 Chapter 18 Managing System Administration Configurations, Installing a License File. Related Topics • Licensing Overview, page 18-34 • Installing a License File, page 18-35 • Viewing the Base License, page 18-36 • Adding Deployment License Files, page 18-39 • Delet[...]

  • Page 550

    18-36 Chapter 18 Managing System Administration Configurations, Installing a License File. Viewing the Base License: To upgrade the base license: Step 1 Select System Administration > Configuration > Licensing > Base Server License. The Base Server License page appears wit[...]

  • Page 551

    18-37 Chapter 18 Managing System Administration Configurations, Installing a License File. Related Topic • Upgrading the Base Server License, page 18-37. Upgrading the Base Server License: You can upgrade the base server license. Step 1 Select System Administration > Configurati[...]

  • Page 552

    18-38 Chapter 18 Managing System Administration Configurations. Viewing License Feature Options: You can add, upgrade, or delete existing deployment licenses. The configuration pane at the top of the page shows the deployment information. Select [...]

  • Page 553

    18-39 Chapter 18 Managing System Administration Configurations. Adding Deployment License Files: To add a new base deployment license file: Step 1 Select System Administration > Configuration > Licensing > Feature Options. The Feature Opti[...]

  • Page 554

    18-40 Chapter 18 Managing System Administration Configurations, Deleting Deployment License Files. Related Topics • Licensing Overview, page 18-34 • Types of Licenses, page 18-34 • Installing a License File, page 18-35 • Viewing the Base License, page 18-36 • Deleting De[...]

  • Page 555

    18-41 Chapter 18 Managing System Administration Configurations, Available Downloads. Downloading Migration Utility Files: To download migration application files and the migration guide for ACS 5.3: Step 1 Choose System Administration > Downloads > Migration Utility. [...]

  • Page 556

    18-42 Chapter 18 Managing System Administration Configurations, Available Downloads. To download these sample scripts: Step 1 Choose System Administration > Downloads > Sample Python Scripts. The Sample Python Scripts page appears. Step 2 Click one of the following: • P[...]

  • Page 557

    19-1 CHAPTER 19 Understanding Logging. This chapter describes logging functionality in ACS 5.3. Administrators and users use the various management interfaces of ACS to perform different tasks. Using the administrative access control feature, you can assign permissions[...]

  • Page 558

    19-2 Chapter 19 Understanding Logging, About Logging. Using Log Targets: You can specify to send customer log information to multiple consumers or Log Targets and specify whether the log messages are stored locally in text format or forwarded to syslog servers. By default, a s[...]

  • Page 559

    19-3 Chapter 19 Understanding Logging, About Logging. Note For complex configuration items or attributes, such as policy or DACL contents, the new attribute value is reported as "New/Updated" and the audit does not contain the actual attribute value or valu[...]

  • Page 560

    19-4 Chapter 19 Understanding Logging, About Logging. Each log message contains the following information: • Event code—A unique message code. • Logging category—Identifies the category to which a log message belongs. • Severity level—Identifies the level of se[...]

  • Page 561

    19-5 Chapter 19 Understanding Logging, About Logging. Local Store Target: Log messages in the local store are text files that are sent to one log file, located at /opt/CSCOacs/logs/localStore/, regardless of which logging category they belong to. The local store can only contai[...]

  • Page 562

    19-6 Chapter 19 Understanding Logging, About Logging. Table 19-2 Local Store and Syslog Message Format (Field, Description). timestamp: Date of the message generation, according to the local clock of the originating ACS, in the format YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm. Possible [...]

  • Page 563

    19-7 Chapter 19 Understanding Logging, About Logging. You can use the web interface to configure the number of days to retain local store log files; however, the default setting is to purge data when it exceeds 5 MB or each day, whichever limit is first attained. If you do c[...]

  • Page 564

    19-8 Chapter 19 Understanding Logging, About Logging. When you configure a critical log target, and a message is sent to that critical log target, the message is also sent to the configured noncritical log target on a best-effort basis. • When you configure a critical log target[...]

  • Page 565

    19-9 Chapter 19 Understanding Logging, About Logging. Table 19-3 Remote Syslog Message Header Format (Field, Description). pri_num: Priority value of the message; a combination of the facility value and the severity value of the message. Priority value = (facility value * 8) + se[...]

  • Page 566

    19-10 Chapter 19 Understanding Logging, About Logging. The syslog message data or payload is the same as the Local Store Message Format, which is described in Table 19-2. The remote syslog server targets are identified by the facility code names LOCAL0 to LOCAL7 (LOCAL6 is th[...]
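The priority formula from Table 19-3 and the timestamp format from Table 19-2 are enough to decode what a collector receives from ACS, so here is an added example in Python that does exactly that; it is not code from the Cisco guide. It splits a syslog PRI back into facility and severity (the inverse of facility * 8 + severity), parses the YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm timestamp, whose colon before the milliseconds defeats strptime, and applies both to one sample line. The sample line, its +02:00 offset and its message text are constructed values; the LOCAL0 to LOCAL7 numbering (16 to 23) is the standard syslog assignment, not something the guide states.

```python
import re
from datetime import datetime, timedelta, timezone

# Standard syslog numbering: LOCAL0..LOCAL7 are facilities 16..23,
# severities run 0 (emergency) to 7 (debug).
FACILITY_NAMES = {16 + i: "LOCAL%d" % i for i in range(8)}
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]


def decode_pri(pri_num):
    """Split a syslog PRI into (facility name, severity name).

    Table 19-3: Priority value = (facility value * 8) + severity value,
    so integer division and remainder by 8 recover the two parts.
    """
    if not 0 <= pri_num <= 191:
        raise ValueError("PRI out of range: %d" % pri_num)
    facility, severity = divmod(pri_num, 8)
    name = FACILITY_NAMES.get(facility, "facility%d" % facility)
    return name, SEVERITY_NAMES[severity]


def encode_pri(facility_name, severity_name):
    """Inverse of decode_pri for the LOCAL0..LOCAL7 facilities."""
    facility = {v: k for k, v in FACILITY_NAMES.items()}[facility_name]
    return facility * 8 + SEVERITY_NAMES.index(severity_name)


# Table 19-2 timestamp: YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm. The colon before
# the milliseconds means strptime cannot parse it directly, hence a regex.
_TS_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2}):(\d{3}) ([+-])(\d{2}):(\d{2})$"
)


def parse_acs_timestamp(text):
    """Return an aware datetime for an ACS local-store/syslog timestamp."""
    m = _TS_RE.match(text)
    if not m:
        raise ValueError("not an ACS timestamp: %r" % text)
    y, mo, d, h, mi, s, ms, sign, zh, zm = m.groups()
    offset = timedelta(hours=int(zh), minutes=int(zm))
    if sign == "-":
        offset = -offset
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s),
                    int(ms) * 1000, tzinfo=timezone(offset))


# A remote syslog line as a collector sees it: <PRI> followed by the
# payload, whose first field is the Table 19-2 timestamp.
_LINE_RE = re.compile(r"^<(\d{1,3})>(\S+ \S+ [+-]\d{2}:\d{2}) (.*)$")


def parse_syslog_line(line):
    """Decode PRI and timestamp; return a dict a SIEM pipeline could index."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised line: %r" % line)
    pri, ts, rest = m.groups()
    facility, severity = decode_pri(int(pri))
    return {
        "facility": facility,
        "severity": severity,
        "timestamp": parse_acs_timestamp(ts),
        "message": rest,
    }


# CONSTRUCTED sample, not from the guide: LOCAL6 (22) at severity notice (5)
# gives PRI 22*8+5 = 181; the offset and message text are made up.
SAMPLE_LINE = "<181>2011-09-29 06:28:28:123 +02:00 CONSTRUCTED sample payload"

if __name__ == "__main__":
    print(parse_syslog_line(SAMPLE_LINE))
```

A collector that normalises the timestamp to an aware datetime before indexing keeps events from ACS nodes in different time zones comparable, which matters when the local store and the syslog copy of the same event are correlated.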

  • Page 567

    19-11 Chapter 19 Understanding Logging, About Logging. The Monitoring & Report Viewer has two drawer options: • Monitoring and Reports—Use this drawer to view and configure alarms, view log reports, and perform troubleshooting tasks. • Monitoring Configuration—Us[...]

  • Page 568

    19-12 Chapter 19 Understanding Logging. ACS 4.x Versus ACS 5.3 Logging: If you are familiar with the logging functionality in ACS 4.x, ensure that you familiarize yourself with the logging functionality of ACS 5.3, which is considerably differen[...]

  • Page 569

    19-13 Chapter 19 Understanding Logging, ACS 4.x Versus ACS 5.3 Logging. Configuration: Use the System Configuration > Logging page to define: • Loggers and individual logs • Critical loggers • Remote logging • CSV log file • Syslog log • ODBC log See Configuring Lo[...]

  • Page 570

    19-14 Chapter 19 Understanding Logging, ACS 4.x Versus ACS 5.3 Logging[...]

  • Page 571

    A-1 APPENDIX A AAA Protocols. This section contains the following topics: • Typical Use Cases, page A-1 • Access Protocols—TACACS+ and RADIUS, page A-5 • Overview of TACACS+, page A-5 • Overview of RADIUS, page A-6. Typical Use Cases: This section contains the followin[...]

  • Page 572

    A-2 Appendix A AAA Protocols, Typical Use Cases. Session Access Requests (Device Administration [TACACS+]). Note The numbers refer to Figure A-1 on page A-1. For session request: 1. An administrator logs into a network device. 2. The network device sends a TACACS+ access req[...]

  • Page 573

    A-3 Appendix A AAA Protocols, Typical Use Cases. – EAP protocols that involve a TLS handshake and in which the client uses the ACS server certificate to perform server authentication: PEAP, using one of the following inner methods: PEAP/EAP-MSCHAPv2 and PEAP/EAP-GTC; EAP-FAS[...]

  • Page 574

    A-4 Appendix A AAA Protocols, Typical Use Cases. – EAP-FAST/EAP-MSCHAPv2 – EAP-FAST/EAP-GTC • EAP methods that use certificates for both server and client authentication – EAP-TLS. Whenever EAP is involved in the authentication process, it is preceded by an EAP nego[...]

  • Page 575

    A-5 Appendix A AAA Protocols. Access Protocols—TACACS+ and RADIUS: This section contains the following topics: • Overview of TACACS+, page A-5 • Overview of RADIUS, page A-6. ACS 5.3 can use the TACACS+ and RADIUS access protocols. Ta[...]

  • Page 576

    A-6 Appendix A AAA Protocols. Overview of RADIUS: This section contains the following topics: • RADIUS VSAs, page A-6 • ACS 5.3 as the AAA Server, page A-7 • RADIUS Attribute Support in ACS 5.3, page A-8 • RADIUS Access Requests, page A-9. RADIUS is a cl[...]

  • Page 577

    A-7 Appendix A AAA Protocols, Overview of RADIUS. ACS 5.3 as the AAA Server: A AAA server is a server program that handles user requests for access to computer resources, and for an enterprise, provides AAA services. The AAA server typically interacts with network access and gateway [...]

  • Page 578

    A-8 Appendix A AAA Protocols, Overview of RADIUS. RADIUS Attribute Support in ACS 5.3: ACS 5.3 supports the RADIUS protocol as RFC 2865 describes. ACS 5.3 supports the following types of RADIUS attributes: • IETF RADIUS attributes • Generic and Cisco VSAs • Other vendors'[...]

  • Page 579

    A-9 Appendix A AAA Protocols, Overview of RADIUS. Authentication: ACS supports various authentication protocols transported over RADIUS. The supported protocols that do not include EAP are: • PAP • CHAP • MSCHAPv1 • MSCHAPv2 In addition, various EAP-based protocols can b[...]

  • Page 580

    A-10 Appendix A AAA Protocols, Overview of RADIUS. In RADIUS, authentication and authorization are coupled. If the RADIUS server finds the username and the password is correct, the RADIUS server returns an access-accept response, including a list of attribute-value pairs that d[...]

  • Page 581

    B-1 APPENDIX B Authentication in ACS 5.3. Authentication verifies user information to confirm the user's identity. Traditional authentication uses a name and a fixed password. More secure methods use cryptographic techniques, such as those used inside the Challenge Authe[...]

  • Page 582

    B-2 Appendix B Authentication in ACS 5.3, PAP. This appendix describes the following: • RADIUS-based authentication that does not include EAP: – PAP, page B-2 – CHAP, page B-31 – MSCHAPv1 – EAP-MSCHAPv2, page B-30 • EAP family of protocols transported over R[...]

  • Page 583

    B-3 Appendix B Authentication in ACS 5.3, EAP. RADIUS PAP Authentication: You can use different levels of security concurrently with ACS for different requirements. PAP applies a two-way handshaking procedure. If authentication succeeds, ACS returns an acknowledgement; other[...]

  • Page 584

    B-4 Appendix B Authentication in ACS 5.3, EAP. In ACS 5.3, EAP is encapsulated in the RADIUS protocol. Incoming and outgoing EAP messages are stored in a RADIUS EAP-Message attribute (79). A single RADIUS packet can contain multiple EAP-Message attributes when the size of a particul[...]

  • Page 585

    B-5 Appendix B Authentication in ACS 5.3, EAP-MD5. ACS supports full EAP infrastructure, including EAP type negotiation, message sequencing and message retransmission. All protocols support fragmentation of big messages. In ACS 5.3, you configure EAP methods for authentication as [...]

  • Page 586

    B-6 Appendix B Authentication in ACS 5.3, EAP-TLS. Overview of EAP-TLS: EAP-TLS is one of the methods in the EAP authentication framework, and is based on the 802.1x and EAP architecture. Components involved in the 802.1x and EAP authentication process are the: • Host—The [...]

  • Page 587

    B-7 Appendix B Authentication in ACS 5.3, EAP-TLS. • Using a third-party signature, usually from a CA, that verifies the information in a certificate. This third-party binding is similar to the real-world equivalent of the stamp on a passport. You trust the passport becaus[...]

  • Page 588

    B-8 Appendix B Authentication in ACS 5.3, EAP-TLS. An anonymous Diffie-Hellman tunnel relates to the establishment of a completely anonymous tunnel between a client and a server for cases where none of the peers authenticates itself. ACS runtime supports anonymous Diffie-Hell[...]

  • Page 589

    B-9 Appendix B Authentication in ACS 5.3, EAP-TLS. Fixed Management Certificates: ACS generates and uses self-signed certificates to identify various management protocols such as the Web browser, HTTPS, ActiveMQ SSH, and SFTP. Self-signed certificates are generated when ACS is[...]

  • Page 590

    B-10 Appendix B Authentication in ACS 5.3, EAP-TLS. Importing the ACS Server Certificate: When you manually import an ACS server certificate you must supply the certificate file, the private key file, and the private key password used to decrypt the PKCS#12 private key. T[...]

  • Page 591

    B-11 Appendix B Authentication in ACS 5.3, EAP-TLS. There are two types of certificate generation: • Self signing certificate generation—ACS supports generation of an X.509 certificate and a PKCS#12 private key. The passphrase used to encrypt the private key in the PK[...]

  • Page 592

    B-12 Appendix B Authentication in ACS 5.3, EAP-TLS. Credentials Distribution: All certificates are kept in the ACS database which is distributed and shared between all ACS nodes. The ACS server certificates are associated and designated for a specific node, which uses that specif[...]

    B-13 (EAP-TLS) Private Keys and Passwords Backup The entire ACS database is distributed and backed up on the primary ACS along with all the certificates, private keys and the encrypted private-key passwords. The private-key-password-key [...]

    B-14 (PEAPv0/1) Note All communication between the host and ACS goes through the network device. EAP-TLS authentication fails if the: • Server fails to verify the client's certificate, and rejects EAP-TLS authentication. • Client fail[...]

    B-15 (PEAPv0/1) Overview of PEAP PEAP is a client-server security architecture that you use to encrypt EAP transactions, thereby protecting the contents of EAP authentications. PEAP uses server-side public key certificates to authenticate the s[...]

    B-16 (PEAPv0/1) Server Authenticated and Unauthenticated Tunnel Establishment Modes Tunnel establishment helps prevent an attacker from injecting packets between the client and the network access server (NAS) or, to allow negotiation [...]

    B-17 (PEAPv0/1) PEAP Flow in ACS 5.3 The PEAP protocol allows authentication between ACS and the peer by using PKI-based secure tunnel establishment and the EAP-MSCHAPv2 protocol as the inner method inside the tunnel. The local certificate [...]

    B-18 (EAP-FAST) Authenticating with MSCHAPv2 After the TLS tunnel is created, follow these steps to authenticate the wireless client credentials with MSCHAPv2: At the end of this mutual authentication exchange, the wireless client has provided [...]

    B-19 (EAP-FAST) EAP-FAST is a client-server security architecture that encrypts EAP transactions with a TLS tunnel. While similar to PEAP in this respect, it differs significantly in that EAP-FAST tunnel establishment is based on strong secret[...]

    B-20 (EAP-FAST) EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase one depends [...]

    B-21 (EAP-FAST) • ACS-Supported Features for PACs, page B-24 • Master Key Generation and PAC TTLs, page B-26 • EAP-FAST for Allow TLS Renegotiation, page B-26 About Master-Keys EAP-FAST master-keys are strong secrets that ACS automa[...]

    B-22 (EAP-FAST) Provisioning Modes ACS supports out-of-band and in-band provisioning modes. The in-band provisioning mode operates inside a TLS tunnel raised by the Anonymous DH, Authenticated DH, or RSA algorithm for key agreement. To minimize[...]

    B-23 (EAP-FAST) The various means by which an end-user client can receive PACs are: • PAC provisioning — Required when an end-user client has no PAC. For more information about how master-key and PAC states determine whether PAC[...]

    B-24 (EAP-FAST) To control whether ACS performs Automatic In-Band PAC Provisioning, use the options on the Global System Options pages in the System Administration drawer. For more information, see EAP-FAST, page B-18. Manual PAC Provis[...]

    B-25 (EAP-FAST) The proactive PAC update time is configured for the ACS server in the Allowed Protocols page. This mechanism ensures that the client always holds a valid PAC. Note There is no proactive PAC update for Machine and [...]

    B-26 (EAP-FAST) Master Key Generation and PAC TTLs The values for master key generation and PAC TTLs determine their states, as described in About Master-Keys, page B-21 and Types of PACs, page B-22. Master key and PAC states determine whe[...]
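The state logic that pages B-25 and B-26 refer to, as an added example (my code, not ACS or Cisco code). It assumes three master-key states (active for the generation period, then retired for a retirement period, then expired), that a PAC protected by an unknown or expired master key, or one whose TTL has elapsed, must be provisioned again, that a PAC under a retired key is accepted once and then refreshed, and that the proactive update threshold is expressed as a percentage of remaining PAC TTL; the key and PAC records are constructed sample data:

```python
"""Master-key and PAC states, and what to do with a PAC presented in
EAP-FAST phase one. Added example; not ACS code. The state transitions,
the 'provision' outcome for an elapsed TTL and the percentage form of the
proactive update threshold are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class MasterKey:
    key_id: str
    generated_at: datetime
    generation_period: timedelta   # "active" (issues new PACs) for this long ...
    retired_period: timedelta      # ... then "retired" (decrypts old PACs only), then "expired"


@dataclass(frozen=True)
class Pac:
    issued_at: datetime
    ttl: timedelta
    master_key_id: str             # key that protected this PAC's PAC-Opaque


def master_key_state(mk: MasterKey, now: datetime) -> str:
    age = now - mk.generated_at
    if age < timedelta(0):
        return "expired"           # key dated in the future: treat as unusable
    if age < mk.generation_period:
        return "active"
    if age < mk.generation_period + mk.retired_period:
        return "retired"
    return "expired"


def pac_remaining_fraction(pac: Pac, now: datetime) -> float:
    """Fraction of the PAC TTL still left, clamped to [0, 1]."""
    if pac.ttl <= timedelta(0):
        return 0.0
    remaining = (pac.issued_at + pac.ttl) - now
    return max(0.0, min(1.0, remaining / pac.ttl))


def pac_decision(pac: Pac, keys: dict, now: datetime, proactive_update_pct: int) -> str:
    """'provision': PAC unusable (unknown/expired master key, or TTL elapsed);
                    the client needs a new PAC (in-band or out-of-band).
       'refresh':   accept for this authentication, then push a new PAC
                    (retired key, or remaining TTL at/below the threshold).
       'accept':    use as is."""
    mk = keys.get(pac.master_key_id)
    if mk is None or master_key_state(mk, now) == "expired":
        return "provision"         # the PAC-Opaque can no longer be decrypted
    if pac_remaining_fraction(pac, now) == 0.0:
        return "provision"
    if master_key_state(mk, now) == "retired":
        return "refresh"
    if pac_remaining_fraction(pac, now) * 100 <= proactive_update_pct:
        return "refresh"
    return "accept"


# Constructed sample data (assumed periods; not real keys or PACs).
UTC = timezone.utc
NOW = datetime(2024, 1, 10, tzinfo=UTC)
WEEK, MONTH = timedelta(days=7), timedelta(days=30)
KEYS = {
    "k-active": MasterKey("k-active", NOW - timedelta(days=1), WEEK, MONTH),
    "k-retired": MasterKey("k-retired", NOW - timedelta(days=10), WEEK, MONTH),
    "k-expired": MasterKey("k-expired", NOW - timedelta(days=60), WEEK, MONTH),
}
PACS = {
    "fresh": Pac(NOW - timedelta(days=1), WEEK, "k-active"),
    "nearly_expired": Pac(NOW - timedelta(days=6, hours=12), WEEK, "k-active"),
    "expired": Pac(NOW - timedelta(days=8), WEEK, "k-active"),
    "old_key": Pac(NOW - timedelta(days=4), WEEK, "k-retired"),
    "dead_key": Pac(NOW - timedelta(days=1), WEEK, "k-expired"),
}

if __name__ == "__main__":
    for name, pac in PACS.items():
        print(name, pac_decision(pac, KEYS, NOW, proactive_update_pct=10))
```

The ordering of the checks is the point: decryptability (master key state) is tested before the TTL, because a PAC under an expired key cannot even be opened to read its lifetime, and the retired-key case is handled before the proactive threshold so that a client holding a still-fresh PAC under an old key is moved to the current key at the first opportunity.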

    B-27 (EAP-FAST) To enable ACS to perform EAP-FAST authentication: Step 1 Configure an identity store that supports EAP-FAST authentication. To determine which identity stores support EAP-FAST authentication, see Authentication Protocol a[...]

    B-28 (EAP-FAST) This scheme improves security by reducing the amount of cryptographically sensitive material that is transmitted. This section contains the following topics: • Key Distribution Algorithm, page B-28 • EAP-FAST PAC-Opaque[...]

    B-29 (EAP Authentication with RADIUS Key Wrap) PAC Migration from ACS 4.x Although the configuration can be migrated from 4.x, the PACs themselves, being stored only in supplicants, may still have been issued by versions as far back as ACS 3.x.[...]

    B-30 (EAP-MSCHAPv2) EAP-MSCHAPv2 Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2) provides two-way authentication, also known as mutual authentication. The remote access client receives verification that the remote access s[...]

    B-31 (CHAP) Windows Machine Authentication Against AD EAP-MSCHAPv2 can be used for machine authentication. EAP-MSCHAPv2 Windows machine authentication is the same as user authentication. The difference is that you must use the Active Directory[...]

    B-32 (Certificate Attributes) Certificate Attributes ACS parses the following client certificate attributes: • Certificate serial number (in binary format) • Encoded certificate (in binary DER format) • Subject's CN attribute • [...]

    B-33 (Certificate Attributes) Rules Relating to Textual Attributes ACS collects client certificate textual attributes and places them in the ACS context dictionary. ACS can apply any rule-based policy on these attributes as with any rule att[...]
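How the certificate attributes listed on page B-32 become a context dictionary that rules on page B-33 can act on, as an added example (my code, not ACS code). The attribute names (`Subject CN`, `Subject OU`, `Subject Alternative Name`, `Serial Number`), the rule syntax of (attribute, operator, value) triples with first-match-wins and default deny, and both sample certificates are assumptions; the dict of parsed fields stands in for what a real X.509 parser would return. What it shows beyond the text: DN values can contain escaped commas, OU can repeat, and a substring operator lets a lookalike SAN through where an anchored match does not.

```python
"""Certificate textual attributes -> context dictionary -> rule-based policy.
Added example; not ACS code. Attribute names, rule syntax and the sample
certificates are constructed for illustration."""
import re


def parse_dn(dn):
    """Parse an RFC 4514 string DN ("CN=alice,OU=eng,O=Example") into
    (TYPE, value) pairs. Backslash escapes (\\, \\+ \\\\ and \\XX hex) are
    honoured, so a comma inside a value does not split it. Hex escapes are
    decoded one byte at a time (enough for ASCII). A '+' starts another
    value of a multi-valued RDN and is returned as its own pair."""
    pairs, attr_type, buf, i = [], None, [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            if re.fullmatch(r"[0-9A-Fa-f]{2}", dn[i + 1:i + 3]):
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if c == "=" and attr_type is None:
            attr_type, buf = "".join(buf).strip().upper(), []
        elif c in ",+" and attr_type is not None:
            pairs.append((attr_type, "".join(buf).strip()))
            attr_type, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr_type is None:
        raise ValueError("malformed DN: value without attribute type")
    pairs.append((attr_type, "".join(buf).strip()))
    return pairs


def certificate_context(cert):
    """Build the context dictionary the policy engine sees. `cert` holds
    already-parsed fields: serial bytes, subject/issuer DN strings, SAN list.
    The key names are illustrative, not ACS dictionary names."""
    subject = parse_dn(cert["subject"])
    return {
        "Serial Number": cert["serial"].hex().upper(),
        "Subject": cert["subject"],
        "Subject CN": next((v for t, v in subject if t == "CN"), ""),
        "Subject OU": [v for t, v in subject if t == "OU"],   # OU may repeat
        "Issuer": cert["issuer"],
        "Subject Alternative Name": list(cert.get("san", [])),
    }


# "matches" is anchored: a regex matching only part of the value is not a
# match, which keeps "example.com.attacker.net" out of a rule for example.com.
OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in actual,
    "ends with": lambda actual, expected: actual.endswith(expected),
    "matches": lambda actual, expected: re.fullmatch(expected, actual) is not None,
}


def rule_matches(ctx, conditions):
    """All conditions must hold; a multi-valued attribute satisfies a
    condition if any one of its values does."""
    for attr, op, expected in conditions:
        values = ctx.get(attr, "")
        if not isinstance(values, list):
            values = [values]
        if not any(OPERATORS[op](v, expected) for v in values):
            return False
    return True


def authorize(ctx, policy):
    """First matching rule wins; no match means deny."""
    for name, conditions, result in policy:
        if rule_matches(ctx, conditions):
            return name, result
    return "default", "deny"


# Constructed sample input (not real certificates).
SAMPLE_CERT = {
    "serial": bytes.fromhex("01a47f"),
    "subject": r"CN=alice\, (contractor),OU=eng,O=Example Corp",
    "issuer": "CN=Example Issuing CA,O=Example Corp",
    "san": ["alice@example.com"],
}
LOOKALIKE_CERT = dict(SAMPLE_CERT, subject="CN=mallory,OU=eng,O=Example Corp",
                      san=["mallory@example.com.attacker.net"])
POLICY = [
    ("eng-wired", [("Subject OU", "equals", "eng"),
                   ("Subject Alternative Name", "matches", r"[^@]+@example\.com")],
     "permit-eng"),
]

if __name__ == "__main__":
    for label, cert in (("sample", SAMPLE_CERT), ("lookalike", LOOKALIKE_CERT)):
        print(label, authorize(certificate_context(cert), POLICY))
```

Run it and the sample certificate hits the `eng-wired` rule while the lookalike falls through to the default deny; swap the SAN condition to `("Subject Alternative Name", "contains", "@example.com")` and the lookalike is permitted, which is the trap to avoid when writing rules over textual certificate attributes.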

    B-34 (Machine Authentication) • For automatic downloading, you define how long before the CRL file expires ACS should download it. The CRL expiration time is taken from the CRL nextUpdate field. For both modes, if the dow[...]
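The CRL refresh scheduling described above, as an added example (my code, not ACS code). The download lead time and the nextUpdate-derived expiry come from the text; the retry interval after a failed download, the fallback cadence for a CRL that omits nextUpdate (the field is OPTIONAL in RFC 5280), and the fail-open switch are assumptions, and the CRLs and serial numbers are constructed:

```python
"""CRL refresh scheduling and fail-closed revocation checking.
Added example; not ACS code. Retry-on-failure, the fallback interval for
CRLs without nextUpdate and the fail-open switch are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: Optional[datetime]     # OPTIONAL in RFC 5280: a CRL may omit it
    revoked_serials: frozenset          # upper-case hex serial numbers


@dataclass(frozen=True)
class CrlConfig:
    download_lead: timedelta            # fetch this long before the CRL expires
    retry_interval: timedelta           # assumed: wait this long after a failed fetch
    fallback_interval: timedelta        # assumed: refresh cadence when nextUpdate is absent
    bypass_if_missing: bool = False     # assumed: fail open when no CRL is held (default closed)


def crl_usable(crl: Crl, now: datetime) -> bool:
    """thisUpdate <= now < nextUpdate. A CRL dated in the future (clock skew,
    or a wrong clock on the host) is not usable either."""
    if now < crl.this_update:
        return False
    if crl.next_update is not None and now >= crl.next_update:
        return False
    return True


def check_certificate(crl: Optional[Crl], serial_hex: str, now: datetime,
                      cfg: CrlConfig) -> str:
    """'revoked', 'good' or 'reject'. 'reject' is the fail-closed outcome:
    having no CRL, or one outside its validity window, is not evidence that
    a certificate is good."""
    if crl is None:
        return "good" if cfg.bypass_if_missing else "reject"
    if not crl_usable(crl, now):
        return "reject"
    return "revoked" if serial_hex.upper() in crl.revoked_serials else "good"


def download_due_at(crl: Crl, cfg: CrlConfig) -> datetime:
    """download_lead before nextUpdate, but never before the CRL's own
    thisUpdate (a CRL whose lifetime is shorter than the lead would otherwise
    be re-fetched immediately); every fallback_interval if nextUpdate is absent."""
    if crl.next_update is None:
        return crl.this_update + cfg.fallback_interval
    return max(crl.next_update - cfg.download_lead, crl.this_update)


def next_fetch_time(crl: Optional[Crl], now: datetime, cfg: CrlConfig,
                    last_attempt_failed: bool) -> datetime:
    """After a failure (or with no CRL at all) retry after retry_interval;
    otherwise wait for download_due_at, or fetch now if that has passed."""
    if crl is None or last_attempt_failed:
        return now + cfg.retry_interval
    return max(download_due_at(crl, cfg), now)


# Constructed sample data (no real CRL or serial numbers).
UTC = timezone.utc
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=UTC)
CFG = CrlConfig(download_lead=timedelta(hours=6), retry_interval=timedelta(minutes=10),
                fallback_interval=timedelta(hours=12))
CFG_FAIL_OPEN = CrlConfig(CFG.download_lead, CFG.retry_interval, CFG.fallback_interval,
                          bypass_if_missing=True)
CURRENT_CRL = Crl(NOW - timedelta(days=1), NOW + timedelta(days=1), frozenset({"01A47F"}))
STALE_CRL = Crl(NOW - timedelta(days=3), NOW - timedelta(days=1), frozenset({"01A47F"}))
NO_NEXT_UPDATE_CRL = Crl(NOW - timedelta(hours=1), None, frozenset())
FUTURE_CRL = Crl(NOW + timedelta(hours=1), None, frozenset())

if __name__ == "__main__":
    print(check_certificate(CURRENT_CRL, "01a47f", NOW, CFG))
    print(check_certificate(STALE_CRL, "02", NOW, CFG))
    print(next_fetch_time(CURRENT_CRL, NOW, CFG, last_attempt_failed=False))
```

The stale-CRL case is the one that matters operationally: once nextUpdate has passed, every EAP-TLS authentication that relies on this CRL is rejected until a fresh download succeeds, so the lead time has to cover the longest outage of the CRL distribution point you are willing to absorb, and the retry interval has to be short enough to recover inside that window.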

    B-35 (Authentication Protocol and Identity Store Compatibility) Note Microsoft PEAP clients may also initiate machine authentication whenever a user logs off. This feature prepares the network connection for the next user login. Microsoft PE[...]

    B-36 (Authentication Protocol and Identity Store Compatibility) Table B-5 specifies EAP authentication protocol support. Table B-5 EAP Authentication Protocol and User Database Compatibility Identity Store EAP-MD5 EAP-TLS 1 1. In EAP-TL[...]

    C-1 APPENDIX C Open Source License Acknowledgments See http://www.cisco.com/en/US/products/ps9911/products_licensing_information_listing.html for all the Open Source and Third Party Licenses used in Cisco Secure Access Control System, 5.3. Notices The following notices pertain [...]

    C-2 (Notices) 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openss[...]

    C-3 (Open Source License Acknowledgments) 4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft[...]


    GL-1 GLOSSARY A AAA Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined proce[...]

    GL-2 accounts The capability of ACS to record user sessions in a log file. ACS System Administrators Administrators with different access privileges defined under the System Configuration section of the ACS web interface. They administer and manage A[...]

    GL-3 authenticity The validity and conformance of the original information. authorization The approval, permission, or empowerment for someone or something to do something. authorization profile The basic "permissions container" for a RADIUS-based network ac[...]

    GL-4 certificate-based authentication The use of Secure Sockets Layer (SSL) and certificates to authenticate and encrypt HTTP traffic. certificate Digital representation of user or device attributes, including a public key, that is signed with an authoritative priv[...]

    GL-5 configuration management The process of establishing a known baseline condition and managing it. cookie Data exchanged between an HTTP server and a browser (a client of the server) to store state information on the client side and retrieve it later for server us[...]

    GL-6 D daemon A program which is often started at the time the system boots and runs continuously without intervention from any of the users on the system. The daemon program forwards the requests to other programs (or processes) as appropriate. The term daemon is a U[...]

    GL-7 digital envelope An encrypted message together with the session key, itself encrypted for the recipient. digital signature A hash of a message, encrypted with the sender's private key, that identifies the sender and proves the message has not changed since it was signed. DSA digital signature algorithm. An asym[...]

    GL-8 dumpsec A security tool that dumps a variety of information about a system's users, file system, registry, permissions, password policy, and services. DLL Dynamic Link Library. A collection of small programs, any of which can be called when needed by a la[...]

    GL-9 EAP Extensible Authentication Protocol. An authentication framework, used on wireless and wired networks, that expands on the authentication methods used by PPP (Point-to-Point Protocol), a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mec[...]

    GL-10 G gateway A network point that acts as an entrance to another network. global system options Configuring TACACS+, EAP-TTLS, PEAP, and EAP-FAST runtime characteristics and generating EAP-FAST PACs. H hash functions Used to generate a one-way "check sum"[...]

    GL-11 I I18N Internationalization and localization are means of adapting software for non-native environments, especially other nations and cultures. Internationalization is the adaptation of products for potential use virtually everywhere, while localization is [...]

    GL-12 ISO International Organization for Standardization, a voluntary, non-treaty, non-government organization, established in 1947, with voting members that are designated standards bodies of participating nations and non-voting observer organizations. ISP [...]

    GL-13 M MAC Address A physical address; a numeric value assigned by the manufacturer that is meant to identify a network interface uniquely. Because it can be changed in software, it is not a secure identifier on its own. matchingRule (LDAP) The method by which an attribute is compared in a search operation. A matchingRule is an ASN.1 definiti[...]

    GL-14 PI (Programmatic Interface) The ACS PI is a programmatic interface that provides external applications the ability to communicate with ACS to configure and operate ACS; this includes performing the following operations on ACS objects: create, update, delete a[...]

    GL-15 R RDN (LDAP) The Relative Distinguished Name (frequently but incorrectly written as Relatively Distinguished Name). The name given to an attribute(s) that is unique at its level in the hierarchy. RDNs may be single-valued or multi-valued, in which case two or[...]

    GL-16 Schema (LDAP) A package of attributes and object classes that are sometimes (nominally) related. The schema(s) in which the object classes and attributes that the application will use (reference) are packaged are identified to the LDAP server so that it can [...]

    GL-17 SOAP (Simple Object Access Protocol) A lightweight XML-based protocol for exchange of information in a decentralized, distributed environment. SOAP consists of three parts: an envelope that defines a framework for describing what is in a message and how to pro[...]

    GL-18 U UDP User Datagram Protocol. A communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP). URL Uniform Resource Locator. The unique address for a file that is acc[...]

    GL-19 X X.509 A standard for public key infrastructure. X.509 specifies, amongst other things, standard formats for public key certificates and a certification path validation algorithm. XML (eXtensible Markup Language) XML is a flexible way to create common info[...]


    IN-1 INDEX Symbols ! formatting symbol 13-33 % operator 13-60 & formatting symbol 13-33 & operator 13-60 * operator 13-60 + operator 13-60 / operator 13-60 <= operator 13-60 <> operator 13-60 < formatting symbol 13-33 < operator 13-60 = operator 13-60 >= [...]

    IN-2 Arrange Columns dialog 13-42 ascending sort order 13-47 AVERAGE function 13-53 Average function 13-63 averages 13-53, 13-57, 13-59, 13-63 B background colors 13-39 Between condition 13-68, 13-73 BETWEEN function 13-53 Between operator 13-38 blank characters 13-59 Boolean [...]

    IN-3 formatting data and 13-36 context menus 13-21 conversions 13-33 COUNT_DISTINCT function 13-54 COUNT function 13-54 Count function 13-63 Count Value function 13-63 creating aggregate rows 13-64, 13-65 calculated columns 13-51, 13-60 data filters 13-68, 13-70, 13-71, 13-72[...]

    IN-4 downloads 18-40 duplicate values 13-66, 13-67 E EAP-FAST enabling B-26 identity protection B-20 logging B-19 master keys definition B-21 PAC automatic provisioning B-23 definition B-21 manual provisioning B-24 refresh B-26 phases B-19 EAP-FAST settings configuring 18-3 [...]

    IN-5 G General Date format option 13-30 General Number format option 13-30 Go to page pick list 13-23 Greater Than condition 13-69 greater than operator 13-60 Greater Than or Equal to condition 13-69 greater than or equal to operator 13-60 Group Detail dialog 13-50 grou[...]

    IN-6 locales creating charts and 13-77 customizing formats for 13-30, 13-31, 13-35 locating text values 13-54, 13-58 logical operators 13-60 Long Date format option 13-30 Long Time format option 13-30 lowercase characters 13-56 Lowercase format option 13-31 LOWER function 13[...]

    IN-7 numeric data types 13-30 numeric expressions 13-60, 13-61 numeric values 13-24, 13-32 O opening exported data files 13-25 Interactive Viewer 13-21 operators 13-38, 13-60 OR operator 13-60, 13-74 P PAC automatic provisioning B-23 definition B-21 manual provisioning B-24 [...]

    IN-8 report viewers 13-21 resizing columns 13-25, 13-28 RIGHT function 13-58 ROUNDDOWN function 13-58 ROUND function 13-58 rounding 13-53, 13-58 ROUNDUP function 13-58 row-by-row comparisons 13-54 rows 13-66, 13-67 RUNNINGSUM function 13-58 running totals 13-58 S Save As di[...]

    IN-9 time data types 13-30 time formats 13-30, 13-34 timesaver, description of ii-xxiv time stamps 13-57, 13-58 time values 13-34, 13-50 TODAY function 13-58 Top N condition 13-69 Top Percent condition 13-69 totals 13-37, 13-58, 13-63 trailing characters 13-59 TRIM function 13[...]

    IN-10 X x-axis values 13-75 Y y-axis values 13-75 YEAR function 13-59[...]