A good user manual
The rules oblige the seller to provide the buyer with the manual together with the Cisco Systems OL-24201-01 product. A missing manual, or incorrect information given to the consumer, is grounds for a complaint that the product does not conform to the contract. Under the law, the manual may be supplied in a form other than paper, which is now common: a graphic form, an electronic manual, or instructional videos for Cisco Systems OL-24201-01 users. The condition is that the form be legible and understandable.
What is an instruction manual?
The word comes from the Latin "instructio", meaning to instruct. The Cisco Systems OL-24201-01 manual therefore contains a description of the stages of a process. The purpose of a manual is to instruct and to make it easier to start up and use the equipment or to carry out particular tasks. A manual is a collection of information about an object or service: a guide.
Unfortunately, few users take the time to read the Cisco Systems OL-24201-01 manual, yet a good manual not only reveals a number of additional functions of the device but also helps avoid most faults.
So what should the perfect manual contain?
First, the Cisco Systems OL-24201-01 manual should contain:
- technical data for the Cisco Systems OL-24201-01 device
- the manufacturer's name and the year of manufacture of the Cisco Systems OL-24201-01 device
- instructions for using, adjusting and maintaining the Cisco Systems OL-24201-01 device
- safety marks and certificates confirming compliance with the relevant standards
Why don't people read manuals?
Usually it comes down to lack of time and to confidence about the specific functionality of the purchased device. Unfortunately, simply connecting and starting up the Cisco Systems OL-24201-01 is not enough. The manual contains guidance on specific functions, safety, maintenance methods (including which products should be used), possible Cisco Systems OL-24201-01 faults, and ways to solve common problems during use. Finally, the manual gives the contact details of Cisco Systems service for cases where the proposed solutions do not work. Manuals in the form of engaging animations and instructional videos are currently very popular, since they speak to the user better than a leaflet does. With this kind of manual, the user is more likely to watch the whole instructional video without skipping the complicated technical specifications and descriptions of the Cisco Systems OL-24201-01, as happens with the paper version.
Why read manuals?
First of all, they answer questions about the construction and capabilities of the Cisco Systems OL-24201-01 device and the use of individual accessories, and they provide a range of information for making full use of all its features and conveniences.
After successfully purchasing a piece of equipment or a device, it is worth taking a moment to become familiar with every part of the Cisco Systems OL-24201-01 manual. Manuals today are carefully prepared and translated so that they are not only understandable to users but also fulfil their basic function of informing.
Manual contents
- Page 1: Americas Headquarters, Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA, http://www.cisco.com, Tel: 408 526-4000, 800 553-NETS (6387), Fax: 408 527-0883. User Guide for Cisco Secure Access Control System 5.3, April 2014. Text Part Number: OL-24201-01[...]
- Page 2: THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRO[...]
- Page 3 (iii): Contents. Preface xxiii; Audience xxiii; Document Conventions xxiii; Documentation Updates xxiv; Related Documentation xxiv; Obtaining Documentation and Submitting a Service Request xxv; Chapter 1 Introducing ACS 5.3 1-1; Overview of ACS 1-1; ACS Distributed Deployment 1-2; ACS 4.x and 5.[...]
- Page 4 (iv): Contents. Policy Terminology 3-3; Simple Policies 3-4; Rule-Based Policies 3-4; Types of Policies 3-5; Access Services 3-6; Identity Policy 3-9; Group Mapping Policy 3-11; Authorization Policy for Device Administration 3-11; Processing Rules with Multiple Command Sets 3-11; Exception Auth[...]
- Page 5 (v): Contents. Agentless Network Access 4-12; Overview of Agentless Network Access 4-12; Host Lookup 4-13; Authentication with Call Check 4-14; Process Service-Type Call Check 4-15; PAP/EAP-MD5 Authentication 4-15; Agentless Network Access Flow 4-16; Adding a Host to an Internal Identity Store[...]
- Page 6 (vi): Contents. My Account Page 5-2; Using the Web Interface 5-3; Accessing the Web Interface 5-3; Logging In 5-4; Logging Out 5-5; Understanding the Web Interface 5-5; Web Interface Design 5-6; Navigation Pane 5-7; Content Area 5-8; Importing and Exporting ACS Objects through the Web Interface[...]
- Page 7 (vii): Contents. Exporting Network Devices and AAA Clients 7-7; Performing Bulk Operations for Network Resources and Users 7-8; Exporting Network Resources and Users 7-10; Creating, Duplicating, and Editing Network Devices 7-10; Configuring Network Device and AAA Clients 7-11; Displaying N[...]
- Page 8 (viii): Contents. Authentication Using LDAP 8-20; Multiple LDAP Instances 8-20; Failover 8-21; LDAP Connection Management 8-21; Authenticating a User Using a Bind Connection 8-21; Group Membership Information Retrieval 8-22; Attributes Retrieval 8-23; Certificate Retrieval 8-23; Creating Exter[...]
- Page 9 (ix): Contents. Groups and Attributes Mapping 8-58; RADIUS Identity Store in Identity Sequence 8-59; Authentication Failure Messages 8-59; Username Special Format with Safeword Server 8-59; User Attribute Cache 8-60; Creating, Duplicating, and Editing RADIUS Identity Servers 8-60; Configurin[...]
- Page 10 (x): Contents. Deleting an Authorizations and Permissions Policy Element 9-32; Configuring Security Group Access Control Lists 9-33; Chapter 10 Managing Access Policies 10-1; Policy Creation Flow 10-1; Network Definition and Policy Goals 10-2; Policy Elements in the Policy Creation Flow[...]
- Page 11 (xi): Contents. Deleting Policy Rules 10-39; Configuring Compound Conditions 10-40; Compound Condition Building Blocks 10-40; Types of Compound Conditions 10-41; Using the Compound Expression Builder 10-44; Security Group Access Control Pages 10-45; Egress Policy Matrix Page 10-45; Editing a C[...]
- Page 12 (xii): Contents. Understanding Alarm Schedules 12-9; Creating and Editing Alarm Schedules 12-9; Assigning Alarm Schedules to Thresholds 12-10; Deleting Alarm Schedules 12-11; Creating, Editing, and Duplicating Alarm Thresholds 12-11; Configuring General Threshold Information 12-13; Con[...]
- Page 13 (xiii): Contents. Running Catalog Reports 13-11; Deleting Catalog Reports 13-13; Running Named Reports 13-13; Understanding the Report_Name Page 13-15; Enabling RADIUS CoA Options on a Device 13-18; Changing Authorization and Disconnecting Active RADIUS Sessions 13-18; Customizing Reports 1[...]
- Page 14 (xiv): Contents. Organizing Report Data 13-41; Displaying and Organizing Report Data 13-41; Reordering Columns in Interactive Viewer 13-42; Removing Columns 13-43; Hiding or Displaying Report Items 13-44; Hiding Columns 13-44; Displaying Hidden Columns 13-45; Merging Columns 13-45; Select[...]
- Page 15 (xv): Contents. Modifying Charts 13-76; Filtering Chart Data 13-76; Changing Chart Subtype 13-77; Changing Chart Formatting 13-77; Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer 14-1; Available Diagnostic and Troubleshooting Tools 14-1; Connectivity Tests 14-1; ACS S[...]
- Page 16 (xvi): Contents. Configuring System Alarm Settings 15-17; Configuring Alarm Syslog Targets 15-17; Configuring Remote Database Settings 15-17; Chapter 16 Managing System Administrators 16-1; Understanding Administrator Roles and Accounts 16-2; Understanding Authentication 16-3; Configuri[...]
- Page 17 (xvii): Contents. Viewing and Editing a Primary Instance 17-9; Viewing and Editing a Secondary Instance 17-13; Deleting a Secondary Instance 17-13; Activating a Secondary Instance 17-14; Registering a Secondary Instance to a Primary Instance 17-14; Deregistering Secondary Instances from [...]
- Page 18 (xviii): Contents. Configuring Local Server Certificates 18-14; Adding Local Server Certificates 18-14; Importing Server Certificates and Associating Certificates to Protocols 18-15; Generating Self-Signed Certificates 18-16; Generating a Certificate Signing Request 18-17; Binding CA Sign[...]
- Page 19 (xix): Contents. Using Log Targets 19-2; Logging Categories 19-2; Global and Per-Instance Logging Categories 19-4; Log Message Severity Levels 19-4; Local Store Target 19-5; Critical Log Target 19-7; Remote Syslog Server Target 19-8; Monitoring and Reports Server Target 19-10; Viewing Log Mess[...]
- Page 20 (xx): Contents. Overview of EAP-TLS B-6; User Certificate Authentication B-6; PKI Authentication B-7; PKI Credentials B-8; PKI Usage B-8; Fixed Management Certificates B-9; Importing Trust Certificates B-9; Acquiring Local Certificates B-9; Importing the ACS Server Certificate B-10; Initial Self[...]
- Page 21 (xxi): Contents. EAP Authentication with RADIUS Key Wrap B-29; EAP-MSCHAPv2 B-30; Overview of EAP-MSCHAPv2 B-30; MSCHAPv2 for User Authentication B-30; MSCHAPv2 for Change Password B-30; Windows Machine Authentication Against AD B-31; EAP-MSCHAPv2 Flow in ACS 5.3 B-31; CHAP B-31; LEAP B-31; Cer[...]
- Page 22 (xxii): Contents[...]
- Page 23 (1): Preface. Revised: April 17, 2014. This guide describes how to use Cisco Secure Access Control System (ACS) 5.3. Audience: This guide is for security administrators who use ACS, and who set up and maintain network and application security. Document Conventions: This guide uses [...]
- Page 24 (2): Preface. Caution: Means reader be careful. You are capable of doing something that might result in equipment damage or loss of data. Timesaver: Means the described action saves time. You can save time by performing the action described in the paragraph. Note: Means[...]
- Page 25 (3): Preface. Note: We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates. Obtaining Documentation and Submitting a Service Request: For information on obtaining doc[...]
- Page 26 (4): Preface[...]
- Page 27 (1-1): Chapter 1, Introducing ACS 5.3. This section contains the following topics: • Overview of ACS, page 1-1 • ACS Distributed Deployment, page 1-2 • ACS Management Interfaces, page 1-3. Overview of ACS: ACS is a policy-based security server that provides standards-comp[...]
- Page 28 (1-2): Chapter 1, Introducing ACS 5.3: ACS Distributed Deployment. ACS provides advanced monitoring, reporting, and troubleshooting tools that help you administer and manage your ACS deployments. For more information on the monitoring, reporting, and troubleshooting capabiliti[...]
- Page 29 (1-3): Chapter 1, Introducing ACS 5.3: ACS Licensing Model. ACS 4.x did not provide incremental replication, only full replication, and there was service downtime for replication. ACS 5.3 provides incremental replications with no service downtime. You can also force a full repl[...]
- Page 30 (1-4): Chapter 1, Introducing ACS 5.3: ACS Management Interfaces. ACS Web-based Interface: You can use the ACS web-based interface to fully configure your ACS deployment, and perform monitoring and reporting operations. The web interface provides a consistent user experience, re[...]
- Page 31 (1-5): Chapter 1, Introducing ACS 5.3: Hardware Models Supported by ACS. For information about using the CLI, see the Command Line Interface Reference Guide for Cisco Secure Access Control System 5.3. Related Topic • ACS Web-based Interface, page 1-4. ACS Programmatic Interfaces [...]
- Page 32 (1-6): Chapter 1, Introducing ACS 5.3: Hardware Models Supported by ACS[...]
- Page 33 (2-1): Chapter 2, Migrating from ACS 4.x to ACS 5.3. ACS 4.x stores policy and authentication information, such as TACACS+ command sets, in the user and user group records. In ACS 5.3, policy and authentication information are independent shared components that you use as b [...]
- Page 34 (2-2): Chapter 2, Migrating from ACS 4.x to ACS 5.3: Overview of the Migration Process. The Migration utility completes the data migration process in two phases: • Analysis and Export • Import. In the Analysis and Export phase, you identify the obje[...]
- Page 35 (2-3): Chapter 2, Migrating from ACS 4.x to ACS 5.3: Before You Begin. Note: You must install the latest patch for the supported migration versions listed here. Also, if you have any other version of ACS 4.x installed, you must upgrade to one of the supported versions and insta[...]
- Page 36 (2-4): Chapter 2, Migrating from ACS 4.x to ACS 5.3: Migrating from ACS 4.x to ACS 5.3. • User-Defined Fields (from the Interface Configuration section) • User Groups • Shared Shell Command Authorization Sets • User TACACS+ Shell Exec Attributes (migrated to user attributes)[...]
- Page 37 (2-5): Chapter 2, Migrating from ACS 4.x to ACS 5.3: Functionality Mapping from ACS 4.x to ACS 5.3. In ACS 5.3, you define authorizations, shell profiles, attributes, and other policy elements as independent, reusable objects, and not as[...]
- Page 38 (2-6): Chapter 2, Migrating from ACS 4.x to ACS 5.3: Functionality Mapping from ACS 4.x to ACS 5.3. Command sets (command authorization sets). One of the following: • Shared Profile Components > Command Authorization Set • User Setup page • Group Setup page. Policy Elements &g[...]
- Page 39 (2-7): Chapter 2, Migrating from ACS 4.x to ACS 5.3: Common Scenarios in Migration. The following are some of the common scenarios that you encounter while migrating to ACS 5.3: • Migrating from ACS 4.2 on CSACS 1120 to ACS 5.3, page 2-7 • Migratin[...]
- Page 40 (2-8): Chapter 2, Migrating from ACS 4.x to ACS 5.3: Common Scenarios in Migration. Migrating from ACS 3.x to ACS 5.3: If you have ACS 3.x deployed in your environment, you cannot directly migrate to ACS 5.3. You must do the following: Step 1 Upgrade to a migration-supported versi[...]
- Page 41 (2-9): Chapter 2, Migrating from ACS 4.x to ACS 5.3: Common Scenarios in Migration. Step 3 Perform bulk import of data into ACS 5.3. For more information on performing bulk import of ACS objects, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/[...]
- Page 42 (2-10): Chapter 2, Migrating from ACS 4.x to ACS 5.3: Common Scenarios in Migration[...]
- Page 43 (3-1): Chapter 3, ACS 5.x Policy Model. ACS 5.x is a policy-based access control system. The term policy model in ACS 5.x refers to the presentation of policy elements, objects, and rules to the policy administrator. ACS 5.x uses a rule-based policy model instead of the gr[...]
- Page 44 (3-2): Chapter 3, ACS 5.x Policy Model: Overview of the ACS 5.x Policy Model. For example, we use the information described for the group-based model: If identity-condition, restriction-condition then authorization-profile. In ACS 5.3, you define conditions and results as globa[...]
- Page 45 (3-3): Chapter 3, ACS 5.x Policy Model: Overview of the ACS 5.x Policy Model. Policy Terminology: Table 3-2 describes the rule-based policy terminology. Table 3-2 Rule-Based Policy Terminology (columns: Term, Description). Access service: Sequential set of policies used to process access r[...]
- Page 46 (3-4): Chapter 3, ACS 5.x Policy Model: Overview of the ACS 5.x Policy Model. Simple Policies: You can configure all of your ACS policies as rule-based policies. However, in some cases, you can choose to configure a simple policy, which selects a single result to apply to all r[...]
- Page 47 (3-5): Chapter 3, ACS 5.x Policy Model: Overview of the ACS 5.x Policy Model. Types of Policies: Table 3-3 describes the types of policies that you can configure in ACS. The policies are listed in the order of their evaluation; any attributes that a policy retrieves can be us[...]
- Page 48 (3-6): Chapter 3, ACS 5.x Policy Model: Access Services. Access services are fundamental constructs in ACS 5.x that allow you to configure access policies for users and devices that connect to the network and for network administrators who administer network devices[...]
- Page 49 (3-7): Chapter 3, ACS 5.x Policy Model: Access Services. Table 3-5 describes an example of a set of access services. Table 3-6 describes a service selection policy. If ACS 5.3 receives a TACACS+ access request, it applies Access Service A, which authenticates the request[...]
- Page 50 (3-8): Chapter 3, ACS 5.x Policy Model: Access Services. ACS accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS and TACACS+ servers in ACS for ACS to forward requests to them. You can define the timeout period and the number [...]
- Page 51 (3-9): Chapter 3, ACS 5.x Policy Model: Access Services. ACS can simultaneously act as a proxy server to multiple external RADIUS and TACACS+ servers. For ACS to act as a proxy server, you must configure a RADIUS or TACACS+ proxy service in ACS. See Configuring General Acce[...]
- Page 52 (3-10): Chapter 3, ACS 5.x Policy Model: Access Services. • Identity Sequence—Sequences of the identity databases. The sequence is used for authentication and, if specified, an additional sequence is used to retrieve only attributes. You can select multiple identity methods as[...]
- Page 53 (3-11): Chapter 3, ACS 5.x Policy Model: Access Services. Group Mapping Policy: The identity group mapping policy is a standard policy. Conditions can be based on attributes or groups retrieved from the external attribute stores only, or from certificates, and the result is an i[...]
- Page 54 (3-12): Chapter 3, ACS 5.x Policy Model: Service Selection Policy. Related Topics • Policy Terminology, page 3-3 • Authorization Profiles for Network Access, page 3-16. Exception Authorization Policy Rules: A common real-world problem is that, in day-to-day operations, you often ne[...]
- Page 55 (3-13): Chapter 3, ACS 5.x Policy Model: Service Selection Policy. Rules-Based Service Selection: In the rules-based service selection mode, ACS decides which access service to use based on various configurable options. Some of them are: • AAA Protocol—The protocol used for the requ[...]
- Page 56 (3-14): Chapter 3, ACS 5.x Policy Model: Service Selection Policy. In this example, instead of creating the network access policy for 802.1x, agentless devices, and guest access in one access service, the policy is divided into three access services. First-Match Rule Tables: ACS 5.3 pro[...]
- Page 57 (3-15): Chapter 3, ACS 5.x Policy Model: Service Selection Policy. The default rule specifies the policy result that ACS uses when no other rules exist, or when the attribute values in the access request do not match any rules. ACS evaluates a set of rules in the first-match rule [...]
- Page 58 (3-16): Chapter 3, ACS 5.x Policy Model: Authorization Profiles for Network Access. Policy Conditions: You can define simple conditions in rule tables based on attributes in: • Customizable conditions—You can create custom conditions based on protocol dictionaries and identity dic[...]
- Page 59 (3-17): Chapter 3, ACS 5.x Policy Model: Policies and Identity Attributes. You can define multiple authorization profiles as a network access policy result. In this way, you maintain a smaller number of authorization profiles, because you can use the authorization profiles in combi[...]
- Page 60 (3-18): Chapter 3, ACS 5.x Policy Model: Policies and Network Device Groups. Related Topics • Managing Users and Identity Stores, page 8-1 • Policy Terminology, page 3-3 • Types of Policies, page 3-5. Policies and Network Device Groups: You can reference Network device group[...]
- Page 61 (3-19): Chapter 3, ACS 5.x Policy Model: Flows for Configuring Services and Policies. Figure 3-2 illustrates what this policy rule table could look like. Figure 3-2 Sample Rule-Based Policy. Each row in the policy table represents a single rule. Each rule, except for the last Defau[...]
- Page 62 (3-20): Chapter 3, ACS 5.x Policy Model: Flows for Configuring Services and Policies. • Added users to the internal ACS identity store or add external identity stores. See Creating Internal Users, page 8-11, Managing Identity Attributes, page 8-7, or Creating External LDAP Identi[...]
- Page 63 (3-21): Chapter 3, ACS 5.x Policy Model: Flows for Configuring Services and Policies. Related Topics • Policy Terminology, page 3-3 • Policy Conditions, page 3-16 • Policy Results, page 3-16 • Policies and Identity Attributes, page 3-17[...]
- Page 64 (3-22): Chapter 3, ACS 5.x Policy Model: Flows for Configuring Services and Policies[...]
- 
                            Página 65CH A P T E R 4-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 4 Common Scenarios Using ACS Network contr ol refers to the process of controlli ng access to a network. T raditionally a username and password w as used to authenticate a user to a net work. No w a days with the rapid t echnological adv ancements, the traditiona l [...] 
- 
                            Página 664-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS Overview of Device Administration Cisco Secure Access Control System (A CS) allow s you to centrally manage access to your network services and resources (including d evices, such as IP phones, pr inters, and so on). A CS 5.3 is a policy-b a[...] 
- 
                            Página 674-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Overview of Device Administration If a command is matched to a command set, the corr espon ding permit or deny setting for the command is retrie ved. If mul tiple results are found in the rules that are matched, they are consolidated and a si[...] 
- 
                            Página 684-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS Overview of Device Administration Step 5 Configure an access service polic y . See Access Service Policy Creation, page 10-4 . Step 6 Configure a service selection policy . See Service Selection Polic y Creation, page 10-4 . Step 7 Config ur[...] 
- 
                            Página 694-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Password-Based Network Access TACACS+ Custom Services and Attributes This topic describes the co nfigur ation flo w to defin e T ACA CS+ custom attrib utes and services. Step 1 Create a custom T A CACS+ condi tion to mo ve to T A CA CS+ servi[...] 
- 
                            Página 704-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS Password-Bas ed Network Ac cess Note During password-based access (or certificate-based acce ss), the user is not only authenticated b ut also authorized according to the A CS configuration. An d if N AS sends accounting requests, the user i[...] 
- 
                            Página 714-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Password-Based Network Access Password-Based Network Access Configuration Flow This topic describes the end-to -end flo w for passwor d-based network access and lists the tasks that you must perform. The info rmation about ho w to conf igure [...] 
- 
                            Página 724-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS Password-Bas ed Network Ac cess For RADIUS, non- EAP authentication method s (RADIUS/P AP , RADIUS/CHAP , RADIUS/MS-CHAPv1, RADIUS/ MSCHAPv2), and simple EAP methods ( EAP-MD5 and LEAP), you need to configure onl y the protocol in the Allowe[...] 
- 
                            Página 734-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Certificate-Based Network Access Related Topics • Authentication i n A CS 5.3, page B-1 • Network De vices and AAA Clients, page 7-5 • Managing Access Policies, page 10-1 • Creating, Duplicating , and Editing Access Services, page 10-[...] 
- 
                            Página 744-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS Certificate-Based Network Access Y ou can conf igure two t ypes of certif icates in A CS: • T rust cert if icate—Also kno wn as CA certif icate. Us ed to form CTL trust hierarchy for verif ication of remote certificates. • Local certi[...] 
- 
                            Page 75: 4-11 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Certificate-Based Network Access Step 4 Configure policy elements. See Managing Policy Conditions, page 9-1, for more information. You can create custom conditions to use the certificate’s attributes as a policy condition. See Cre[...]
- 
                            Page 76: 4-12 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Agentless Network Access Validating an LDAP Secure Authentication Connection You can define a secure authentication connection for the LDAP external identity store, by using a CA certificate to validate the connection. To validate a[...]
- 
                            Page 77: 4-13 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Agentless Network Access Cisco provides two features to accommodate non-802.1x devices. For example, MAC Authentication Bypass (Host Lookup) and the Guest VLAN access by using web authentication. ACS 5.3 supports the Host Lookup fall[...]
- 
                            Page 78: 4-14 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Agentless Network Access • Internal users • Active Directory You can access the Active Directory via the LDAP API. You can use the Internal Users identity store for Host Lookup in cases where the relevant host is already listed in[...]
- 
                            Page 79: 4-15 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Agentless Network Access Process Service-Type Call Check You may not want to copy the CallingStationID attribute value to the System UserName attribute value. When the Process Host Lookup option is checked, ACS uses the System User[...]
- 
                            Page 80: 4-16 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Agentless Network Access Agentless Network Access Flow This topic describes the end-to-end flow for agentless network access and lists the tasks that you must perform. The information about how to configure the tasks is located in the[...]
- 
                            Page 81: 4-17 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Agentless Network Access Step 7 Define the service selection. Step 8 Add the access service to your service selection policy. For more information, see Creating, Duplicating, and Editing Service Selection Rules, page 10-8. Related Topic[...]
- 
                            Page 82: 4-18 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Agentless Network Access Previous Step: Network Devices and AAA Clients, page 7-5 Next Step: Configuring an Identity Group for Host Lookup Network Access Requests, page 4-18 Related Topics • Creating External LDAP Identity Stores, pa[...]
- 
                            Page 83: 4-19 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Agentless Network Access c. Select Network Access, and check Identity and Authorization. The group mapping and External Policy options are optional. d. Make sure you select Process Host Lookup. If you want ACS to detect PAP or EAP-MD5[...]
- 
                            Page 84: 4-20 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS VPN Remote Network Access Configuring an Authorization Policy for Host Lookup Requests To configure an authorization policy for Host Lookup requests: Step 1 Choose Access Policies > Access Services > <access_servicename> Aut[...]
- 
                            Page 85: 4-21 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS VPN Remote Network Access Supported Authentication Protocols ACS 5.3 supports the following protocols for inner authentication inside the VPN tunnel: • RADIUS/PAP • RADIUS/CHAP • RADIUS/MS-CHAPv1 • RADIUS/MS-CHAPv2 With the use[...]
- 
                            Page 86: 4-22 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS VPN Remote Network Access Supported VPN Network Access Servers ACS 5.3 supports the following VPN network access servers: • Cisco ASA 5500 Series • Cisco VPN 3000 Series Related Topics • VPN Remote Network Access, page 4-20 • S[...]
- 
                            Page 87: 4-23 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS ACS and Cisco Security Group Access Related Topics • VPN Remote Network Access, page 4-20 • Supported Authentication Protocols, page 4-21 • Supported Identity Stores, page 4-21 • Supported VPN Network Access Servers, page 4-22 ?[...]
- 
                            Page 88: 4-24 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS ACS and Cisco Security Group Access 6. Configuring EAP-FAST Settings for Security Group Access. 7. Creating an Access Service for Security Group Access. 8. Creating an Endpoint Admission Control Policy. 9. Creating an Egress Policy[...]
- 
                            Page 89: 4-25 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS ACS and Cisco Security Group Access Devices consider only the SGT value; the name and description of a security group are a management convenience and are not conveyed to the devices. Therefore, changing the name or description of the [...]
- 
                            Page 90: 4-26 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS ACS and Cisco Security Group Access To configure an NDAC policy for a device: Step 1 Choose Access Policies > Security Group Access Control > Security Group Access > Network Device Access > Authorization Policy. Step 2 [...]
- 
                            Page 91: 4-27 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS ACS and Cisco Security Group Access Step 5 Click Next. The Access Services Properties page appears. Step 6 In the Authentication Protocols area, check the relevant protocols for your access service. Step 7 Click Finish. Creating an Endp[...]
- 
                            Page 92: 4-28 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS ACS and Cisco Security Group Access The first row (topmost) of the matrix contains the column headers, which display the destination SGT. The first column (far left) contains the row titles, with the source SG displayed. At the inte[...]
- 
                            Page 93: 4-29 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS RADIUS and TACACS+ Proxy Requests To create a default policy: Step 1 Choose Access Policies > Security Group Access Control > Egress Policy then choose Default Policy. Step 2 Fill in the fields as in the Default Policy for Eg[...]
- 
                            Page 94: 4-30 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS RADIUS and TACACS+ Proxy Requests During proxying, ACS: 1. Receives the following packets from the NAS and forwards them to the remote RADIUS server: • Access-Request • Accounting-Request packets 2. Receives the following packets fr[...]
- 
                            Page 95: 4-31 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS RADIUS and TACACS+ Proxy Requests The TACACS+ proxy feature in ACS supports the following protocols: • PAP • ASCII • CHAP • MSCHAP authentication types Related Topics • RADIUS and TACACS+ Proxy Requests, page 4-29 • Supp[...]
- 
                            Page 96: 4-32 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS RADIUS and TACACS+ Proxy Requests Configuring Proxy Service To configure proxy services: Step 1 Configure a set of remote RADIUS and TACACS+ servers. For information on how to configure remote servers, see Creating, Duplicating, and [...]
- 
                            Page 97: CHAPTER 5-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 5 Understanding My Workspace The Cisco Secure ACS web interface is designed to be viewed using Microsoft Internet Explorer 7.x, 8.x, and 9.x and Mozilla Firefox 3.x and 4.x. The web interface not only makes viewing and administering ACS possible, but it also [...]
- 
                            Page 98: 5-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Task Guides Task Guides From the My Workspace drawer, you can access Tasks Guides. When you click any of the tasks, it opens a frame on the right side of the web interface. This frame contains step-by-step instructions as well as lin[...]
- 
                            Page 99: 5-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Using the Web Interface Related Topics • Configuring Authentication Settings for Administrators, page 16-9 • Changing the Administrator Password, page 16-13 Using the Web Interface You can configure and administer ACS through the [...]
- 
                            Page 100: 5-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Using the Web Interface Logging In To log in to the ACS web interface for the first time after installation: Step 1 Enter the ACS URL in your browser, for example https://acs_host/acsadmin, where /acs_host is the IP address or Doma[...]
- 
                            Page 101: 5-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Using the Web Interface Step 7 See Installing a License File, page 18-35 to install a valid license. • If your login is successful, the main page of the ACS web interface appears. • If your login is unsuccessful, the following error[...]
- 
                            Page 102: 5-6 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Using the Web Interface Web Interface Design Figure 5-1 shows the overall design of the ACS web interface. Figure 5-1 ACS Web Interface The interface contains: • Header, page 5-6 • Navigation Pane, page 5-7 • Content Area, page[...]
- 
                            Page 103: 5-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Using the Web Interface Navigation Pane Use the navigation pane to navigate through the drawers of the web interface (see Figure 5-3). Figure 5-3 Navigation Pane Table 5-3 describes the function of each drawer. To open a drawer [...]
- 
                            Page 104: 5-8 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Using the Web Interface The options listed beneath drawers in the navigation pane are organized in a tree structure, where appropriate. The options in the tree structure are dynamic and can change based on administrator actions. Creatin[...]
- 
                            Page 105: 5-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Using the Web Interface Web Interface Location Your current location in the interface appears at the top of the content area. Figure 5-5 shows that the location is the Policy Elements drawer and the Network Devices and AAA Clients pa[...]
- 
                            Page 106: 5-10 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Using the Web Interface Table 5-4 Common Content Area Buttons and Fields for List Pages Button or Field Description Rows per page Use the drop-down list to specify the number of items to display on this page. Options: • 10—Up to[...]
- 
                            Page 107: 5-11 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Using the Web Interface Tree table pages are a variation of list pages (see Figure 5-6). You can perform the same operations on tree table pages that you can on list pages, except for paging. In addition, with tree table pages: • A[...]
- 
                            Page 108: 5-12 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Using the Web Interface Filtering Large lists in a content area window or a secondary window (see Figure 5-9) can be difficult to navigate through and select the data that you want. You can use the web interface to filter data in the[...]
- 
                            Page 109: 5-13 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Using the Web Interface For pages that do not have a Name or Description column, the sorting mechanism may be supported in the left-most column of the page, or the Description column. Place your cursor over a column heading to determ[...]
- 
                            Page 110: 5-14 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Using the Web Interface Figure 5-9 Secondary Window In addition to selecting and filtering data, you can create a selectable object within a secondary window. For example, if you attempt to create a users internal identity store, [...]
- 
                            Page 111: 5-15 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Using the Web Interface Figure 5-10 Transfer Box Table 5-6 Transfer Box Fields and Buttons Field or Button Description Available List of available items for selection. Selected Ordered list of selected items. Right arrow (>) [...]
- 
                            Page 112: 5-16 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Using the Web Interface Schedule Boxes Schedule boxes are a common element in content area pages (see Figure 5-10). You use them to select active times for a policy element from a grid, where each row represents a day of the week and ea[...]
- 
                            Page 113: 5-17 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Using the Web Interface Directly above the rule table are two display options: • Standard Policy—Click to display the standard policy rule table. • Exception Policy—Click to display the exception policy rule table, which t[...]
- 
                            Page 114: 5-18 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Importing and Exporting ACS Objects through the Web Interface Related Topic • ACS 5.x Policy Model Importing and Exporting ACS Objects through the Web Interface You can use the import functionality in ACS to add, update, or delete [...]
- 
                            Page 115: 5-19 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Importing and Exporting ACS Objects through the Web Interface Table 5-9 lists the ACS objects, their properties, and the property data types. The import template for each of the objects contains the properties described in this ta[...]
- 
                            Page 116: 5-20 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Importing and Exporting ACS Objects through the Web Interface Fields that are optional can be left empty and ACS substitutes the default values for those fields. For example, when fields that are related to a hierarchy are lef[...]
- 
                            Page 117: 5-21 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Importing and Exporting ACS Objects through the Web Interface Downloading the Template from the Web Interface Before you can create the import file, you must download the import file templates from the ACS web interface. To download [...]
- 
                            Page 118: 5-22 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Importing and Exporting ACS Objects through the Web Interface For example, the internal user Add template contains the fields described in Table 5-10: Each row of the .csv file corresponds to one internal user record. You mu[...]
- 
                            Page 119: 5-23 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Importing and Exporting ACS Objects through the Web Interface Figure 5-12 Add Users – Import File Step 4 Save the add users import file to your local disk. Updating the Records in the ACS Internal Store When you update the records in t[...]
- 
                            Page 120: 5-24 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Importing and Exporting ACS Objects through the Web Interface Figure 5-13 Update Users–Import File Note The second column, Updated name, is the additional column that you can add to the Update template. Deleting Records from the ACS I[...]
- 
                            Page 121: 5-25 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Common Errors Common Errors You might encounter these common errors: • Concurrency Conflict Errors, page 5-25 • Deletion Errors, page 5-26 • System Failure Errors, page 5-27 • Accessibility, page 5-27 Concurrency Conflict Error[...]
- 
                            Page 122: 5-26 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Common Errors Error Message The item you are trying to Submit is referencing items that do not exist anymore. Explanation You attempted to edit or duplicate an item that is referencing an item that another user deleted while you tried [...]
- 
                            Page 123: 5-27 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Accessibility System Failure Errors System failure errors occur when a system malfunction is detected. When a system failure error is detected, a dialog box appears, with an error message and OK button. Read the error message, click O[...]
- 
                            Page 124: 5-28 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 5 Understanding My Workspace Accessibility • Color used as an enhancement of information only, not as the only indicator. For example, required fields are associated with a red asterisk. • Confirmation messages for important settings and actions. • User-con[...]
- 
                            Page 125: CHAPTER 6-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 6 Post-Installation Configuration Tasks This chapter provides a set of configuration tasks that you must perform to work with ACS. This chapter contains the following sections: • Configuring Minimal System Setup, page 6-1 • Configuring ACS to Perform Syst[...]
- 
                            Page 126: 6-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 6 Post-Installation Configuration Tasks Configuring ACS to Perform System Administration Tasks Configuring ACS to Perform System Administration Tasks Table 6-2 lists the set of system administration tasks that you must perform to administer ACS. Table 6-2 [...]
- 
                            Page 127: 6-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 6 Post-Installation Configuration Tasks Configuring ACS to Perform System Administration Tasks Step 8 Add users or hosts to the internal identity store, or define external identity stores, or both. • For internal identity stores: Users and Identity Stores > Inte[...]
- 
                            Page 128: 6-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 6 Post-Installation Configuration Tasks Configuring ACS to Manage Access Policies Configuring ACS to Manage Access Policies Table 6-3 lists the set of tasks that you must perform to manage access restrictions and permissions. Configuring ACS to Monitor and Troubl[...]
- 
                            Page 129: 6-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 6 Post-Installation Configuration Tasks Configuring ACS to Monitor and Troubleshoot Problems in the Network Step 4 Enable system alarms and specify how you would like to receive notification. Monitoring Configuration > System Configuration > System Alarm S[...]
- 
                            Page 130: 6-6 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 6 Post-Installation Configuration Tasks Configuring ACS to Monitor and Troubleshoot Problems in the Network[...]
- 
                            Page 131: CHAPTER 7-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 7 Managing Network Resources The Network Resources drawer defines elements within the network that issue requests to ACS or those that ACS interacts with as part of processing a request. This includes the network devices that issue the requests and external ser[...]
- 
                            Page 132: 7-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 7 Managing Network Resources Network Device Groups Network Device Groups In ACS, you can define network device groups (NDGs), which are sets of devices. These NDGs provide logical grouping of devices, for example, Device Location or Type, which you can use i[...]
- 
                            Page 133: 7-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 7 Managing Network Resources Network Device Groups Step 4 Click Submit. The network device group configuration is saved. The Network Device Groups page appears with the new network device group configuration. Related Topics • Network Device Groups, page 7-2 [...]
- 
                            Page 134: 7-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 7 Managing Network Resources Network Device Groups Creating, Duplicating, and Editing Network Device Groups Within a Hierarchy You can arrange the network device group node hierarchy according to your needs by choosing parent and child relationships for new, dup[...]
- 
                            Page 135: 7-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 7 Managing Network Resources Network Devices and AAA Clients Deleting Network Device Groups from a Hierarchy To delete a network device group from within a hierarchy: Step 1 Choose Network Resources > Network Device Groups. The Network Device Groups page app[...]
- 
                            Page 136: 7-6 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 7 Managing Network Resources Network Devices and AAA Clients You must install Security Group Access license to enable Security Group Access options. The Security Group Access options only appear if you have installed the Security Group Access license. For more in[...]
- 
                            Page 137: 7-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 7 Managing Network Resources Network Devices and AAA Clients – Device Type You can specify full IP address, or IP address with wildcard “*” or, with IP address range, such as [15-20] in the IP address search field. The wildcard “*” and the IP range [1[...]
- 
                            Page 138: 7-8 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 7 Managing Network Resources Network Devices and AAA Clients Step 2 Choose the filter condition and the Match if operator, and enter the filter criterion that you are looking for in the text box. Step 3 Click Go. A list of records that match your filter criterion[...]
- 
                            Page 139: 7-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 7 Managing Network Resources Network Devices and AAA Clients Step 3 Click any one of the following operations if you have previously created a template-based .csv file on your local disk: • Add—Adds the records in the .csv file to the records currently avail[...]
- 
                            Page 140: 7-10 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 7 Managing Network Resources Network Devices and AAA Clients Exporting Network Resources and Users To export a list of network resources or users: Step 1 Click Export on the Users, Network Devices, or MAC Address page of the web interface. The Network Device pag[...]
- 
                            Page 141: 7-11 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 7 Managing Network Resources Network Devices and AAA Clients The first page of the Create Network Device process appears if you are creating a new network device. The Network Device Properties page for the selected device appears if you are duplicating or editing [...]
- 
                            Page 142: 7-12 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 7 Managing Network Resources Network Devices and AAA Clients IP Range(s) By Mask Choose to enter an IP address range. You can configure up to 40 IP addresses or subnet masks for each network device. If you use a subnet mask in this field, all IP addresses within t[...]
- 
                            Page 143: 7-13 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 7 Managing Network Resources Network Devices and AAA Clients Single Connect Device Check to use a single TCP connection for all TACACS+ communication with the network device. Choose one: • Legacy TACACS+ Single Connect Support • TACACS+ Draft Complian [...]
- 
                            Page 144: 7-14 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 7 Managing Network Resources Network Devices and AAA Clients Displaying Network Device Properties Choose Network Resources > Network Devices and AAA Clients, then click a device name or check the check box next to a device name, and click Edit or Duplicate. [...]
- 
                            Page 145: 7-15 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 7 Managing Network Resources Network Devices and AAA Clients IP Range(s) By Mask Choose to enter an IP address range. You can configure up to 40 IP addresses or subnet masks for each network device. If you use a subnet mask in this field, all IP addresses within[...]
- 
                            Page 146: 7-16 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 7 Managing Network Resources Network Devices and AAA Clients RADIUS Shared Secret Shared secret of the network device, if you have enabled the RADIUS protocol. A shared secret is an expected string of text, which a user must provide before the network device au[...]
- 
                            Page 147: 7-17 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 7 Managing Network Resources Configuring a Default Network Device Related Topics: • Viewing and Performing Bulk Operations for Network Devices, page 7-6 • Creating, Duplicating, and Editing Network Device Groups, page 7-2 Deleting Network Devices To delet[...]
- 
                            Page 148: 7-18 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 7 Managing Network Resources Configuring a Default Network Device Choose Network Resources > Default Network Device to configure the default network device. The Default Network Device page appears, displaying the information described in Table 7-6. Ta[...]
- 
                            Page 149: 7-19 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 7 Managing Network Resources Working with External Proxy Servers Related Topics • Network Device Groups, page 7-2 • Network Devices and AAA Clients, page 7-5 • Creating, Duplicating, and Editing Network Device Groups, page 7-2 Working with External Proxy [...]
- 
                            Page 150: 7-20 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 7 Managing Network Resources Working with External Proxy Servers Step 2 Do one of the following: • Click Create. • Check the check box next to the external proxy server that you want to duplicate, then click Duplicate. • Click the external proxy server nam[...]
- 
                            Page 151: 7-21 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 7 Managing Network Resources Working with External Proxy Servers Note If you want ACS to forward unknown RADIUS attributes you have to define VSAs for proxy. Related Topics • RADIUS and TACACS+ Proxy Services, page 3-7 • RADIUS and TACACS+ Proxy Reques[...]
- 
                            Page 152: 7-22 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 7 Managing Network Resources Working with External Proxy Servers[...]
- 
                            Page 153: CHAPTER 8-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 8 Managing Users and Identity Stores Overview ACS manages your network devices and other ACS clients by using the ACS network resource repositories and identity stores. When a host connects to the network through ACS requesting access to a particular network r[...]
- 
                            Page 154: 8-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Overview Fixed components are: • Name • Description • Password • Enabled or disabled status • Identity group to which users belong Configurable components are: • Enable password for TACACS+ authentication • Sets of[...]
- 
                            Page 155: 8-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Overview Identity Stores with Two-Factor Authentication You can use the RSA SecurID Token Server and RADIUS Identity Server to provide two-factor authentication. These external identity stores use an OTP that provides gre[...]
- 
                            Page 156: 8-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Identity Stores Identity Sequences You can configure a complex condition where multiple identity stores and profiles are used to process a request. You can define these identity methods in an Identity Sequence[...]
- 
                            Page 157 (8-5). Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores. • Authentication information Note: ACS 5.3 supports authentication for internal users against the internal identity store only. This section contains the following topics: • Authentication I[...]
- 
                            Page 158 (8-6). Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores. Identity Groups: You can assign each internal user to one identity group. Identity groups are defined within a hierarchical structure. They are logical entities that are associated with use[...]
- 
                            Page 159 (8-7). Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores. Related Topics • Managing Users and Identity Stores, page 8-1 • Managing Internal Identity Stores, page 8-4 • Performing Bulk Operations for Network Resources and Users, page 7-8 • Ident[...]
- 
                            Page 160 (8-8). Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores. Standard Attributes: Table 8-1 describes the standard attributes in the internal user record. User Attributes: Administrators can create and add user-defined attributes from the set of identi[...]
- 
                            Page 161 (8-9). Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores. In ACS 5.3, you can configure identity attributes that are used within your policies, in this order: 1. Define an identity attribute (using the user dictionary). 2. Define custom conditions to [...]
- 
                            Page 162 (8-10). Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores. Step 3 In the Advanced tab, enter the values for the criteria that you want to configure for your user authentication process. Table 8-3 describes the fields in the Advanced tab. Password[...]
- 
                            Page 163 (8-11). Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores. Step 4 Click Submit. The user password is configured with the defined criteria. These criteria will apply only for future logins. Note: ACS supports any character as passwords and shared secre[...]
- 
                            Page 164 (8-12). Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores. • Click the username that you want to modify, or check the check box next to the name and click Edit. • Check the check box next to the user whose password you want to change, then click Ch[...]
- 
                            Page 165 (8-13). Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores. Description: (Optional) Description of the user. Identity Group: Click Select to display the Identity Groups window. Choose an identity group and click OK to configure the user with a specific [...]
- 
                            Page 166 (8-14). Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores. Step 5 Click Submit. The user configuration is saved. The Internal Users page appears with the new configuration. Related Topics • Configuring Authentication Settings for Users, page 8-9 • V[...]
- 
                            Page 167 (8-15). Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores. Step 4 Click OK. The Internal Users page appears without the deleted users. Related Topics • Viewing and Performing Bulk Operations for Internal Identity Store Users, page 8-15 • Creating Int[...]
- 
                            Page 168 (8-16). Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores. Creating Hosts in Identity Stores: To create, duplicate, or edit a MAC address and assign identity groups to internal hosts: Step 1 Select Users and Identity Stores > Internal Identity Stor [...]
- 
                            Page 169 (8-17). Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores. Step 4 Click Submit to save changes. The MAC address configuration is saved. The Internal MAC list page appears with the new configuration. Note: Hosts with wildcards (supported formats) for MA [...]
- 
                            Page 170 (8-18). Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores. Deleting Internal Hosts: To delete a MAC address: Step 1 Select Users and Identity Stores > Internal Identity Stores > Hosts. The Internal MAC List page appears, with any configured MA [...]
- 
                            Page 171 (8-19). Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores. • Policies and Identity Attributes, page 3-17 • Configuring an Identity Group for Host Lookup Network Access Requests, page 4-18 Management Hierarchy: Management Hierarchy enables the admin[...]
- 
                            Page 172 (8-20). Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores. The administrator can configure any level of hierarchy while defining management centers or AAA client locations. The syntax for ManagementHierarchy attribute is: <HierarchyName>: <[...]
- 
                            Page 173 (8-21). Chapter 8, Managing Users and Identity Stores: Managing Internal Identity Stores. Related Topics: Configuring and Using HostIsInManagement Hierarchy Attributes, page 8-21. Configuring and Using HostIsInManagement Hierarchy Attributes: To configure and use HostIsInManagement[...]
- 
                            Page 174 (8-22). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Managing External Identity Stores: ACS 5.3 integrates with external identity systems in a number of ways. You can leverage an external authentication service or use an external system to obt[...]
- 
                            Page 175 (8-23). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. • Configuring LDAP Groups, page 8-33 • Viewing LDAP Attributes, page 8-34 Directory Service: The directory service is a software application, or a set of applications, for storing and organ[...]
- 
                            Page 176 (8-24). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Failover: ACS 5.3 supports failover between a primary LDAP server and secondary LDAP server. In the context of LDAP authentication with ACS, failover applies when an authentication reques[...]
- 
                            Page 177 (8-25). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Possible reasons for an LDAP server to return bind (authentication) errors are: – Filtering errors—A search using filter criteria fails. – Parameter errors—Invalid parameters were entered.[...]
- 
                            Page 178 (8-26). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. • Unsigned Integer 32 • IPv4 Address For unsigned integers and IPv4 attributes, ACS converts the strings that it has retrieved to the corresponding data types. If conversion fails or if[...]
- 
                            Page 179 (8-27). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Step 5 Continue with Configuring an External LDAP Server Connection, page 8-27. Note: NAC guest Server can also be used as an External LDAP Server. For procedure to use NAC guest server as an[...]
- 
                            Page 180 (8-28). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Anonymous Access: Click to ensure that searches on the LDAP directory occur anonymously. The server does not distinguish who the client is and will allow the client read access to any data that[...]
- 
                            Page 181 (8-29). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Step 2 Click Next. Step 3 Continue with Configuring External LDAP Directory Organization, page 8-29. Configuring External LDAP Directory Organization: Use this page to configure an external LDAP[...]
- 
                            Page 182 (8-30). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Table 8-8 LDAP: Directory Organization Page. Option, Description. Schema. Subject Object class: Value of the LDAP objectClass attribute that identifies the subject. Often, subject records hav [...]
- 
                            Page 183 (8-31). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Subject Search Base: Enter the distinguished name (DN) for the subtree that contains all subjects. For example: o=corporation.com If the tree containing subjects is the base DN, enter: o=corporat[...]
- 
                            Page 184 (8-32). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Step 2 Click Finish. The external identity store you created is saved. Username PrefixSuffix Stripping. Strip start of subject name up to the last occurrence of the separator: Enter the appropr[...]
- 
                            Page 185 (8-33). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Related Topics • Configuring LDAP Groups, page 8-33 • Deleting External LDAP Identity Stores, page 8-33 Deleting External LDAP Identity Stores: You can delete one or more external LDAP iden[...]
- 
                            Page 186 (8-34). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Viewing LDAP Attributes: Use this page to view the external LDAP attributes. Step 1 Select Users and Identity Stores > External Identity Stores > LDAP. Step 2 Check the check box next to[...]
- 
                            Page 187 (8-35). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. This means the switch port to which these devices attach cannot authenticate them using the 802.1X exchange of device or user credentials and must revert to an authentication mechanism other [...]
- 
                            Page 188 (8-36). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Figure 8-1 LDAP Interface Configuration in NAC Profiler. Step 5 Click Update Server. Step 6 Click the Configuration tab and click Apply Changes. The Update NAC Profiler Modules page ap[...]
- 
                            Page 189 (8-37). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Step 2 Choose Configuration > Endpoint Profiles > View/Edit Profiles List. A list of profiles in a table appears. Step 3 Click on the name of a profile to edit it. Step 4 In the Save [...]
- 
                            Page 190 (8-38). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. To edit the NAC Profiler template in ACS: Step 1 Choose Users and Identity Stores > External Identity Stores > LDAP. Step 2 Click on the name of the NAC Profiler template or check[...]
- 
                            Page 191 (8-39). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Figure 8-5 Test Bind to Server Dialog Box. For more information, see Creating External LDAP Identity Stores, page 8-26. Note: The default password for LDAP is GBSbeacon. If you want to change [...]
- 
                            Page 192 (8-40). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. • Number of Subjects: 100 • Number of Directory Groups: 6 Figure 8-7 Test Configuration Dialog Box. Number of Subjects—This value maps to the actual subject devices already profiled b[...]
- 
                            Page 193 (8-41). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. For more information on features like Event Delivery Method and Active Response, see the Cisco NAC Profiler Installation and Configuration Guide, Release 3.1 at the following location: http:/[...]
- 
                            Page 194 (8-42). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. The AD user password change using the above methods must follow the AD password policy. You must check with your AD administrator to know the complete AD password policy rule. AD password[...]
- 
                            Page 195 (8-43). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. If there is a firewall between ACS and AD, certain ports need to be opened in order to allow ACS to communicate with AD. The following are the default ports to be opened: Note: Dial-in users ar[...]
- 
                            Page 196 (8-44). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Attribute Retrieval for Authorization: You can configure ACS to retrieve user or machine AD attributes to be used in authorization and group mapping rules. The attributes are mapped to the A [...]
- 
                            Page 197 (8-45). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Machine Access Restrictions: MAR helps tying the results of machine authentication to user authentication and authorization process. The most common usage of MAR is to fail authentication of users[...]
- 
                            Page 198 (8-46). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. The Engineers' rule is an example of MAR rule that only allows engineers access if their machine was successfully authenticated against windows DB. The Managers' rule is an example of a[...]
- 
                            Page 199 (8-47). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Dial-in Support Attributes: The user attributes on Active Directory are supported on the following servers: • Windows server 2003 • Windows server 2003 R2 • Windows server 2008 • Wi[...]
- 
                            Page 200 (8-48). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Joining ACS to an AD Domain: After you configure the AD identity store in ACS through the ACS web interface, you must submit the configuration to join ACS to the AD domain. For more informat[...]
- 
                            Page 201 (8-49). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Step 3 Click: Username: Predefined user in AD. AD account required for domain access in ACS should have either of the following: • Add workstations to domain user right in corresponding domain[...]
- 
                            Page 202 (8-50). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. • Save Changes to save the configuration, join the ACS to the specified AD domain with the configured credentials, and start the AD agent. • Discard Changes to discard all changes. • If A[...]
- 
                            Page 203 (8-51). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. The External User Groups dialog box appears displaying a list of AD groups in the domain, as well as other trusted domains in the same forest. If you have more groups that are not displayed, use t[...]
- 
                            Page 204 (8-52). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Step 3 Click: • Save Changes to save the configuration. • Discard Changes to discard all changes. Table 8-11 Active Directory: Attributes Page. Option, Description. Name of example Subj[...]
- 
                            Page 205 (8-53). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. • If AD is already configured and you want to delete it, click Clear Configuration after you verify that there are no policy rules that use custom conditions based on the AD dictionary. AD D[...]
- 
                            Page 206 (8-54). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. RSA SecurID Server: ACS supports the RSA SecurID server as an external database. RSA SecurID two-factor authentication consists of the user’s personal identification number (PIN) and an indiv[...]
- 
                            Page 207 (8-55). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Override Automatic Load Balancing: RSA SecurID Agent automatically balances the requested loads on the RSA SecurID servers in the realm. However, you do have the option to manually balance the [...]
- 
                            Page 208 (8-56). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Step 4 Click the ACS Instance Settings tab. See Configuring ACS Instance Settings, page 8-57 for more information. Step 5 Click the Advanced tab. See Configuring Advanced Options, page 8-59 [...]
- 
                            Page 209 (8-57). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Related Topics: • RSA SecurID Server, page 8-54 • Configuring ACS Instance Settings, page 8-57 • Configuring Advanced Options, page 8-59 Configuring ACS Instance Settings: The ACS Instan[...]
- 
                            Page 210 (8-58). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Enable the RSA options file: You can enable the RSA options file (sdopts.rec) on each ACS instance to control routing priorities for connections between the RSA agent and the RSA servers in the [...]
- 
                            Page 211 (8-59). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Step 1 Choose either of the following options: • To reset node secret on the agent host, check the Remove securid file on submit check box. If you reset the node secret on the agent host, you m[...]
- 
                            Page 212 (8-60). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Related Topics • RSA SecurID Server, page 8-54 • Creating and Editing RSA SecurID Token Servers, page 8-55 • Configuring ACS Instance Settings, page 8-57 • Editing ACS Instance Set[...]
- 
                            Page 213 (8-61). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Failover: ACS 5.3 allows you to configure multiple RADIUS identity stores. Each RADIUS identity store can have primary and secondary RADIUS servers. When ACS is unable to connect to the primar [...]
- 
                            Page 214 (8-62). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. RADIUS Identity Store in Identity Sequence: You can add the RADIUS identity store for authentication sequence in an identity sequence. However, you cannot add the RADIUS identity store for at[...]
- 
                            Page 215 (8-63). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Safeword token servers support both the formats. ACS works with various token servers. While configuring a Safeword server, you must check the Safeword Server check box for ACS to parse the [...]
- 
                            Page 216 (8-64). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Step 2 Click Create. You can also: • Check the check box next to the identity store you want to duplicate, then click Duplicate. • Click the identity store name that you want to modif[...]
- 
                            Page 217 (8-65). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Server Connection. Enable Secondary Server: Check this check box to use a secondary RADIUS identity server as a backup server in case the primary RADIUS identity server fails. If you enable the secon[...]
- 
                            Page 218 (8-66). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Related Topics • RADIUS Identity Stores, page 8-60 • Creating, Duplicating, and Editing RADIUS Identity Servers, page 8-63 • Configuring Shell Prompts, page 8-66 • Configuring Directo[...]
- 
                            Page 219 (8-67). Chapter 8, Managing Users and Identity Stores: Managing External Identity Stores. Configuring Directory Attributes: When a RADIUS identity server responds to a request, RADIUS attributes are returned along with the response. You can make use of these RADIUS attributes in polic[...]
- 
                            Page 220 (8-68). Chapter 8, Managing Users and Identity Stores: Configuring CA Certificates. • Configuring Shell Prompts, page 8-66 • Configuring Advanced Options, page 8-68 Configuring Advanced Options: In the Advanced tab, you can do the following: • Define what an access reject fro[...]
- 
                            Page 221 (8-69). Chapter 8, Managing Users and Identity Stores: Configuring CA Certificates. You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and prov[...]
- 
                            Page 222 (8-70). Chapter 8, Managing Users and Identity Stores: Configuring CA Certificates. Step 4 Click Submit. The new certificate is saved. The Trust Certificate List page appears with the new certificate. Related Topics • User Certificate Authentication, page B-6 • Overview of [...]
- 
                            Page 223 (8-71). Chapter 8, Managing Users and Identity Stores: Configuring CA Certificates. Step 3 Click Submit. The Trust Certificate page appears with the edited certificate. Related Topics • User Certificate Authentication, page B-6 • Overview of EAP-TLS, page B-6 Deleting a Certifica[...]
- 
                            Page 224 (8-72). Chapter 8, Managing Users and Identity Stores: Configuring Certificate Authentication Profiles. Related Topic • Overview of EAP-TLS, page B-6 Exporting a Certificate Authority: To export a trust certificate: Step 1 Select Users and Identity Stores > Certificate Author[...]
- 
                            Page 225 (8-73). Chapter 8, Managing Users and Identity Stores: Configuring Certificate Authentication Profiles. To create, duplicate, or edit a certificate authentication profile: Step 1 Select Users and Identity Stores > Certificate Authentication Profile. The Certificate Authentic[...]
- 
                            Page 226 (8-74). Chapter 8, Managing Users and Identity Stores: Configuring Identity Store Sequences. Configuring Identity Store Sequences: An access service identity policy determines the identity sources that ACS uses for authentication and attribute retrieval. An identity source consists[...]
- 
                            Page 227 (8-75). Chapter 8, Managing Users and Identity Stores: Configuring Identity Store Sequences. Step 2 Do one of the following: • Click Create. • Check the check box next to the sequence that you want to duplicate, then click Duplicate. • Click the sequence name that you want to[...]
- 
                            Page 228 (8-76). Chapter 8, Managing Users and Identity Stores: Configuring Identity Store Sequences. Step 3 Click Submit. The Identity Store Sequences page reappears. Related Topics • Performing Bulk Operations for Network Resources and Users, page 7-8 • Viewing Identity Policies, page[...]
- 
                            Page 229 (8-77). Chapter 8, Managing Users and Identity Stores: Configuring Identity Store Sequences. • Managing Internal Identity Stores, page 8-4 • Managing External Identity Stores, page 8-22 • Configuring Certificate Authentication Profiles, page 8-72 • Creating, Duplicating, an[...]
- 
                            Page 230 (8-78). Chapter 8, Managing Users and Identity Stores: Configuring Identity Store Sequences[...]
- 
                            Page 231 (9-1). Chapter 9, Managing Policy Elements. A policy defines the authentication and authorization processing of clients that attempt to access the ACS network. A client can be a user, a network device, or a user associated with a network device. Policies are sets of rules.[...]
- 
                            Page 232 (9-2). Chapter 9, Managing Policy Elements: Managing Policy Conditions. You can map users and hosts to identity groups by using the group mapping policy. You can include identity groups in conditions to configure common policy conditions for all users in the group. For more info[...]
- 
                            Page 233 (9-3). Chapter 9, Managing Policy Elements: Managing Policy Conditions. • Deleting a Session Condition, page 9-6 • Managing Network Conditions, page 9-6 See Chapter 3, “ACS 5.x Policy Model” for information about additional conditions that you can use in policy rules, alt[...]
- 
                            Page 234 (9-4). Chapter 9, Managing Policy Elements: Managing Policy Conditions. To add date and time conditions to a policy, you must first customize the rule table. See Customizing a Policy, page 10-4. Step 4 Click Submit. The date and time condition is saved. The Date and Time Condit[...]
- 
                            Page 235 (9-5). Chapter 9, Managing Policy Elements: Managing Policy Conditions. Creating, Duplicating, and Editing a Custom Session Condition: The protocol and identity dictionaries contain a large number of attributes. To use any of these attributes as a condition in a policy rule, you[...]
- 
                            Page 236 (9-6). Chapter 9, Managing Policy Elements: Managing Policy Conditions. Step 4 Click Submit. The new custom session condition is saved. The Custom Condition page appears with the new custom session condition. Clients that are associated with this condition are subject to it for th[...]
- 
                            Page 237 (9-7). Chapter 9, Managing Policy Elements: Managing Policy Conditions. ACS offers three types of filters: • End Station Filter—Filters end stations, such as a laptop or printer that initiates a connection based on the end station’s IP address, MAC address, CLID number, or[...]
- 
                            Page 238 (9-8). Chapter 9, Managing Policy Elements: Managing Policy Conditions. This section contains the following topics: • Importing Network Conditions, page 9-8 • Exporting Network Conditions, page 9-9 • Creating, Duplicating, and Editing End Station Filters, page 9-9 • Creating,[...]
- 
                            Page 239 (9-9) Chapter 9 Managing Policy Elements, Managing Policy Conditions: Timesaver Instead of downloading the template and creating an import file, you can use the export file of the particular filter, update the information in that file, save it, and reuse it as your import f [...]
- 
                            Page 240 (9-10) Chapter 9 Managing Policy Elements, Managing Policy Conditions: Step 5 Click Submit to save the changes. Related Topics • Managing Network Conditions, page 9-6 • Importing Network Conditions, page 9-8 • Creating, Duplicating, and Editing Device Filters, page 9-12 • [...]
- 
                            Page 241 (9-11) Chapter 9 Managing Policy Elements, Managing Policy Conditions: Defining MAC Address-Based End Station Filters You can create, duplicate, and edit the MAC addresses of end stations or destinations that you want to permit or deny access to. To do this: Step 1 From the MAC [...]
- 
                            Page 242 (9-12) Chapter 9 Managing Policy Elements, Managing Policy Conditions: Step 3 Check the DNIS check box to enter the DNIS number of the destination machine. You can optionally set this field to ANY to refer to any DNIS number. Note You can use ? and * wildcard characters to refer[...]
- 
                            Page 243 (9-13) Chapter 9 Managing Policy Elements, Managing Policy Conditions: Step 5 Click Submit to save the changes. Related Topics • Managing Network Conditions, page 9-6 • Importing Network Conditions, page 9-8 • Creating, Duplicating, and Editing End Station Filters, page 9-[...]
- 
                            Page 244 (9-14) Chapter 9 Managing Policy Elements, Managing Policy Conditions: • Check the check box next to the name-based device filter that you want to edit, then click Edit. A dialog box appears. Step 2 Click Select to choose the network device that you want to filter. Step 3 Cli[...]
- 
                            Page 245 (9-15) Chapter 9 Managing Policy Elements, Managing Policy Conditions: • Check the check box next to the device port filter that you want to edit, then click Edit. • Click Export to save a list of device port filters in a .csv file. For more information, see Exporting Net[...]
- 
                            Page 246 (9-16) Chapter 9 Managing Policy Elements, Managing Policy Conditions: Step 3 Check the Port check box and enter the port number. This field is of type string and can contain numbers or characters. You can use the following wildcard characters: • ?—match a single character ?[...]
- 
                            Page 247 (9-17) Chapter 9 Managing Policy Elements, Managing Authorizations and Permissions: Defining NDG-Based Device Port Filters You can create, duplicate, and edit the network device group type and the port to which you want to permit or deny access. To do this: Step 1 From the Networ[...]
- 
                            Page 248 (9-18) Chapter 9 Managing Policy Elements, Managing Authorizations and Permissions: Creating, Duplicating, and Editing Authorization Profiles for Network Access You create authorization profiles to define how different types of users are authorized to access the network. For ex[...]
- 
                            Page 249 (9-19) Chapter 9 Managing Policy Elements, Managing Authorizations and Permissions: Specifying Authorization Profiles Use this tab to configure the name and description for a network access authorization profile. Step 1 Select Policy Elements > Authorization and Permissions &g[...]
- 
                            Page 250 (9-20) Chapter 9 Managing Policy Elements, Managing Authorizations and Permissions: Table 9-5 Authorization Profile: Common Tasks Page Option Description ACLS Downloadable ACL Name Includes a defined downloadable ACL. See Creating, Duplicating, and Editing Downloadable ACLs, pa[...]
- 
                            Page 251 (9-21) Chapter 9 Managing Policy Elements, Managing Authorizations and Permissions: Specifying RADIUS Attributes in Authorization Profiles Use this tab to configure which RADIUS attributes to include in the Access-Accept packet for an authorization profile. This tab also displays t[...]
- 
                            Page 252 (9-22) Chapter 9 Managing Policy Elements, Managing Authorizations and Permissions: Step 3 To configure: • Basic information of an authorization profile; see Specifying Authorization Profiles, page 9-19. • Common tasks for an authorization profile; see Specifying Common At [...]
- 
                            Page 253 (9-23) Chapter 9 Managing Policy Elements, Managing Authorizations and Permissions: Creating and Editing Security Groups Use this page to view names and details of security groups and security group tags (SGTs), and to open pages to create, duplicate, and edit security groups. When [...]
- 
                            Page 254 (9-24) Chapter 9 Managing Policy Elements, Managing Authorizations and Permissions: The Common Tasks tab allows you to select and configure the frequently used attributes for the profile. The attributes that are included here are those defined by the TACACS protocol draft s[...]
- 
                            Page 255 (9-25) Chapter 9 Managing Policy Elements, Managing Authorizations and Permissions: Defining General Shell Profile Properties Use this page to define a shell profile’s general properties. Step 1 Select Policy Elements > Authorization and Permissions > Device Administrati[...]
- 
                            Page 256 (9-26) Chapter 9 Managing Policy Elements, Managing Authorizations and Permissions: Table 9-9 Shell Profile: Common Tasks Option Description Privilege Level Default Privilege (Optional) Enables the initial privilege level assignment that you allow for a client, through shell a[...]
- 
                            Page 257 (9-27) Chapter 9 Managing Policy Elements, Managing Authorizations and Permissions: Step 3 Click: • Submit to save your changes and return to the Shell Profiles page. • The General tab to configure the name and description for the authorization profile; see Defining General [...]
- 
                            Page 258 (9-28) Chapter 9 Managing Policy Elements, Managing Authorizations and Permissions: Defining Custom Attributes Use this tab to define custom attributes for the shell profile. This tab also displays the Common Tasks Attributes that you have chosen in the Common Tasks tab. Step[...]
- 
                            Page 259 (9-29) Chapter 9 Managing Policy Elements, Managing Authorizations and Permissions: After you create command sets, you can use them in authorizations and permissions within rule tables. A rule can contain multiple command sets. See Creating, Duplicating, and Editing a Shell Profile [...]
- 
                            Page 260 (9-30) Chapter 9 Managing Policy Elements, Managing Authorizations and Permissions: Step 4 Click Submit. The command set is saved. The Command Sets page appears with the command set that you created or duplicated. Table 9-11 Command Set Properties Page Field Description Name Nam[...]
- 
                            Page 261 (9-31) Chapter 9 Managing Policy Elements, Managing Authorizations and Permissions: Related Topics • Creating, Duplicating, and Editing Authorization Profiles for Network Access, page 9-18 • Creating, Duplicating, and Editing a Shell Profile for Device Administration, page 9-2[...]
- 
                            Page 262 (9-32) Chapter 9 Managing Policy Elements, Managing Authorizations and Permissions: – Click Start Export to export the DACLs without any encryption. Step 3 Enter valid configuration data in the required fields as shown in Table 9-12, and define one or more ACLs by usin[...]
- 
                            Page 263 (9-33) Chapter 9 Managing Policy Elements, Managing Authorizations and Permissions: Configuring Security Group Access Control Lists Security group access control lists (SGACLs) are applied at Egress, based on the source and destination SGTs. Use this page to view, create, duplicate[...]
- 
                            Page 264 (9-34) Chapter 9 Managing Policy Elements, Managing Authorizations and Permissions[...]
- 
                            Page 265 (10-1) Chapter 10 Managing Access Policies: In ACS 5.3, policy drives all activities. Policies consist mainly of rules that determine the action of the policy. You create access services to define authentication and authorization policies for requests. A global service [...]
- 
                            Page 266 (10-2) Chapter 10 Managing Access Policies, Policy Creation Flow: In short, you must determine the: • Details of your network configuration. • Access services that implement your policies. • Rules that define the conditions under which an access service can run. This section[...]
- 
                            Page 267 (10-3) Chapter 10 Managing Access Policies, Policy Creation Flow: Policy Elements in the Policy Creation Flow The web interface provides these defaults for defining device groups and identity groups: • All Locations • All Device Types • All Groups The locations, device ty[...]
- 
                            Page 268 (10-4) Chapter 10 Managing Access Policies, Customizing a Policy: Policy Creation Flow—Next Steps • Access Service Policy Creation, page 10-4 • Service Selection Policy Creation, page 10-4 Access Service Policy Creation After you create the basic elements, you can create an acce[...]
- 
                            Page 269 (10-5) Chapter 10 Managing Access Policies, Configuring the Service Selection Policy: If you have implemented Security Group Access functionality, you can also customize results for authorization policies. Caution If you have already defined rules, be certain that a rule is not u[...]
- 
                            Page 270 (10-6) Chapter 10 Managing Access Policies, Configuring the Service Selection Policy: Note If you create and save a simple policy, and then change to a rule-based policy, the simple policy becomes the default rule of the rule-based policy. If you have saved a rule-based policy a[...]
- 
                            Page 271 (10-7) Chapter 10 Managing Access Policies, Configuring the Service Selection Policy: To configure a rule-based service selection policy, see these topics: • Creating, Duplicating, and Editing Service Selection Rules, page 10-8 • Deleting Service Selection Rules, page 10-10 A[...]
- 
                            Page 272 (10-8) Chapter 10 Managing Access Policies, Configuring the Service Selection Policy: Creating, Duplicating, and Editing Service Selection Rules Create service selection rules to determine which access service processes incoming requests. The Default Rule provides a default access s[...]
- 
                            Page 273 (10-9) Chapter 10 Managing Access Policies, Configuring the Service Selection Policy: • The Default Rule—You can change only the access service. See Table 10-3 for field descriptions: Step 4 Click OK. The Service Selection Policy page appears with the rule that you configured.[...]
- 
                            Page 274 (10-10) Chapter 10 Managing Access Policies, Configuring the Service Selection Policy: Displaying Hit Counts Use this page to reset and refresh the Hit Count display on the Rule-based Policy page. To display this page, click Hit Count on the Rule-based Policy page. Deleting Servic[...]
- 
                            Page 275 (10-11) Chapter 10 Managing Access Policies, Configuring Access Services: Configuring Access Services Access services contain the authentication and authorization policies for requests. You can create separate access services for different use cases; for example, device administrat[...]
- 
                            Page 276 (10-12) Chapter 10 Managing Access Policies, Configuring Access Services: Step 3 Edit the fields in the Allowed Protocols tab as described in Table 10-7. Step 4 Click Submit to save the changes you have made to the default access service. Creating, Duplicating, and Editing Access [...]
- 
                            Page 277 (10-13) Chapter 10 Managing Access Policies, Configuring Access Services: Step 2 Do one of the following: • Click Create. • Check the check box next to the access service that you want to duplicate; then click Duplicate. • Click the access service name that you want to mod[...]
- 
                            Page 278 (10-14) Chapter 10 Managing Access Policies, Configuring Access Services: Step 3 Click Next to configure the allowed protocols. See Configuring Access Service Allowed Protocols, page 10-15. Description Description of the access service. Access Service Policy Structure Based on serv[...]
- 
                            Page 279 (10-15) Chapter 10 Managing Access Policies, Configuring Access Services: Related Topic • Configuring Access Service Allowed Protocols, page 10-15 • Configuring Access Services Templates, page 10-19 Configuring Access Service Allowed Protocols The allowed protocols are the sec[...]
- 
                            Page 280 (10-16) Chapter 10 Managing Access Policies, Configuring Access Services: Allow EAP-TLS Enables the EAP-TLS Authentication protocol and configures EAP-TLS settings. You can specify how ACS verifies user identity as presented in the EAP Identity response from the end-user client.[...]
- 
                            Page 281 (10-17) Chapter 10 Managing Access Policies, Configuring Access Services: Allow EAP-FAST Enables the EAP-FAST authentication protocol and EAP-FAST settings. The EAP-FAST protocol can support multiple internal protocols on the same server. The default inner method is MSCHAPv2.[...]
- 
                            Page 282 (10-18) Chapter 10 Managing Access Policies, Configuring Access Services: Allow EAP-FAST (continued) PAC Options • Tunnel PAC Time To Live—The Time To Live (TTL) value restricts the lifetime of the PAC. Specify the lifetime value and units. The default is one [...]
- 
                            Page 283 (10-19) Chapter 10 Managing Access Policies, Configuring Access Services: Step 3 Click Finish to save your changes to the access service. To enable an access service, you must add it to the service selection policy. Configuring Access Services Templates Use a service template to de[...]
- 
                            Page 284 (10-20) Chapter 10 Managing Access Policies, Configuring Access Services: Deleting an Access Service To delete an access service: Step 1 Select Access Policies > Access Services. The Access Services page appears with a list of configured services. Step 2 Check one or more check b[...]
- 
                            Page 285 (10-21) Chapter 10 Managing Access Policies, Configuring Access Service Policies: Configuring Access Service Policies You configure access service policies after you create the access service: • Viewing Identity Policies, page 10-21 • Configuring Identity Policy Rule Propert[...]
- 
                            Page 286 (10-22) Chapter 10 Managing Access Policies, Configuring Access Service Policies: In the rule-based policy, each rule contains one or more conditions and a result, which is the identity source to use for authentication. You can create, duplicate, edit, and delete rules within the i[...]
- 
                            Page 287 (10-23) Chapter 10 Managing Access Policies, Configuring Access Service Policies: Viewing Rules-Based Identity Policies Select Access Policies > Access Services > service > Identity, where <service> is the name of the access service. By default, the Simple Identity P[...]
- 
                            Page 288 (10-24) Chapter 10 Managing Access Policies, Configuring Access Service Policies: • Creating Policy Rules, page 10-37 • Duplicating a Rule, page 10-38 • Editing Policy Rules, page 10-38 • Deleting Policy Rules, page 10-39 For information about configuring an identity po[...]
- 
                            Page 289 (10-25) Chapter 10 Managing Access Policies, Configuring Access Service Policies: Table 10-11 Identity Rule Properties Page Option Description General Rule Name Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other f[...]
- 
                            Page 290 (10-26) Chapter 10 Managing Access Policies, Configuring Access Service Policies: Configuring a Group Mapping Policy Configure a group mapping policy to map groups and attributes that are retrieved from external identity stores to ACS identity groups. When ACS processes a reque[...]
- 
                            Page 291 (10-27) Chapter 10 Managing Access Policies, Configuring Access Service Policies: Step 2 Select an identity group. Step 3 Click Save Changes to save the policy. To configure a rule-based policy, see these topics: • Creating Policy Rules, page 10-37 • Duplicating a Rule, [...]
- 
                            Page 292 (10-28) Chapter 10 Managing Access Policies, Configuring Access Service Policies: • Deleting Policy Rules, page 10-39 Related Topics • Viewing Identity Policies, page 10-21 • Configuring a Session Authorization Policy for Network Access, page 10-29 • Configuring a Sess[...]
- 
                            Page 293 (10-29) Chapter 10 Managing Access Policies, Configuring Access Service Policies: Configuring a Session Authorization Policy for Network Access When you create an access service for network access authorization, it creates a Session Authorization policy. You can then add and modify[...]
- 
                            Page 294 (10-30) Chapter 10 Managing Access Policies, Configuring Access Service Policies: Table 10-15 Network Access Authorization Policy Page Option Description Status Rule statuses are: • Enabled—The rule is active. • Disabled—ACS does not apply the results of the rule. • M[...]
- 
                            Page 295 (10-31) Chapter 10 Managing Access Policies, Configuring Access Service Policies: Configuring Network Access Authorization Rule Properties Use this page to create, duplicate, and edit the rules to determine access permissions in a network access service. Step 1 Select Access Policie[...]
- 
                            Page 296 (10-32) Chapter 10 Managing Access Policies, Configuring Access Service Policies: Configuring Device Administration Authorization Policies A device administration authorization policy determines the authorizations and permissions for network administrators. You create an authorizat[...]
- 
                            Page 297 (10-33) Chapter 10 Managing Access Policies, Configuring Access Service Policies: Configuring Device Administration Authorization Rule Properties Use this page to create, duplicate, and edit the rules to determine authorizations and permissions in a device administration access s[...]
- 
                            Page 298 (10-34) Chapter 10 Managing Access Policies, Configuring Access Service Policies: Configuring Shell/Command Authorization Policies for Device Administration When you create an access service and select a service policy structure for Device Administration, ACS automatically creates [...]
- 
                            Page 299 (10-35) Chapter 10 Managing Access Policies, Configuring Access Service Policies: To configure rules, see: • Creating Policy Rules, page 10-37 • Duplicating a Rule, page 10-38 • Editing Policy Rules, page 10-38 • Deleting Policy Rules, page 10-39 Configuring Authorizatio[...]
- 
                            Page 300 (10-36) Chapter 10 Managing Access Policies, Configuring Access Service Policies: To configure rules, see: • Creating Policy Rules, page 10-37 • Duplicating a Rule, page 10-38 • Editing Policy Rules, page 10-38 • Deleting Policy Rules, page 10-39 Related Topics • Confi[...]
- 
                            Page 301 (10-37) Chapter 10 Managing Access Policies, Configuring Access Service Policies: Creating Policy Rules When you create rules, remember that the order of the rules is important. When ACS encounters a match as it processes the request of a client that tries to access the ACS network, [...]
- 
                            Page 302 (10-38) Chapter 10 Managing Access Policies, Configuring Access Service Policies: Duplicating a Rule You can duplicate a rule if you want to create a new rule that is the same, or very similar to, an existing rule. The duplicate rule name is based on the original rule with parenth[...]
- 
                            Page 303 (10-39) Chapter 10 Managing Access Policies, Configuring Access Service Policies: Step 4 Click OK. The Policy page appears with the edited rule. Step 5 Click Save Changes to save the new configuration. Step 6 Click Discard Changes to cancel the edited information. Related Topics[...]
- 
                            Page 304 (10-40) Chapter 10 Managing Access Policies, Configuring Compound Conditions: Configuring Compound Conditions Use compound conditions to define a set of conditions based on any attributes allowed in simple policy conditions. You define compound conditions in a policy rule page;[...]
- 
                            Page 305 (10-41) Chapter 10 Managing Access Policies, Configuring Compound Conditions: Note Dynamic attribute mapping is not applicable for ExternalGroups attribute of Type "String Enum" and "Time And Date" attribute of type "Date Time Period". For hierarchic[...]
- 
                            Page 306 (10-42) Chapter 10 Managing Access Policies, Configuring Compound Conditions: Figure 10-2 Compound Expression - Atomic Condition Single Nested Compound Condition Consists of a single operator followed by a set of predicates (>=2). The operator is applied between each of the pre[...]
- 
                            Page 307 (10-43) Chapter 10 Managing Access Policies, Configuring Compound Conditions: Figure 10-4 Multiple Nested Compound Expression Compound Expression with Dynamic value You can select dynamic value to select another dictionary attribute to compare against the dictionary attribute [...]
- 
                            Page 308 (10-44) Chapter 10 Managing Access Policies, Configuring Compound Conditions: Related Topics • Compound Condition Building Blocks, page 10-40 • Using the Compound Expression Builder, page 10-44 Using the Compound Expression Builder You construct compound conditions by using th[...]
- 
                            Page 309 (10-45) Chapter 10 Managing Access Policies, Security Group Access Control Pages: Related Topics • Compound Condition Building Blocks, page 10-40 • Types of Compound Conditions, page 10-41 Security Group Access Control Pages This section contains the following topics: • Egress [...]
- 
                            Page 310 (10-46) Chapter 10 Managing Access Policies, Security Group Access Control Pages: Related Topic • Creating an Egress Policy, page 4-27 Editing a Cell in the Egress Policy Matrix Use this page to configure the policy for the selected cell. You can configure the SGACLs to apply t[...]
- 
                            Page 311 (10-47) Chapter 10 Managing Access Policies, Security Group Access Control Pages: NDAC Policy Page The Network Device Admission Control (NDAC) policy determines the SGT for network devices in a Security Group Access environment. The NDAC policy handles: • Peer authorization re[...]
- 
                            Page 312 (10-48) Chapter 10 Managing Access Policies, Security Group Access Control Pages: Related Topics: • Configuring an NDAC Policy, page 4-25 • NDAC Policy Properties Page, page 10-48 NDAC Policy Properties Page Use this page to create, duplicate, and edit rules to determine the[...]
- 
                            Page 313 (10-49) Chapter 10 Managing Access Policies, Security Group Access Control Pages: Note For endpoint admission control, you must define an access service and session authorization policy. See Configuring Network Access Authorization Rule Properties, page 10-31 for information about[...]
- 
                            Page 314 (10-50) Chapter 10 Managing Access Policies, Maximum User Sessions: Network Device Access EAP-FAST Settings Page Use this page to configure parameters for the EAP-FAST protocol that the NDAC policy uses. To display this page, choose Access Policies > Security Group Access Con[...]
- 
                            Page 315 (10-51) Chapter 10 Managing Access Policies, Maximum User Sessions: Max Session User Settings You can configure maximum user sessions to impose a maximum session value for each user. To configure maximum user sessions: Step 1 Choose Access Policies > Max User Session Policy > [...]
- 
                            Page 316 (10-52) Chapter 10 Managing Access Policies, Maximum User Sessions: Unlimited is selected by default. Group level session is applied based on the hierarchy. For example: The group hierarchy is America:US:West:CA and the maximum sessions are as follows: • America: 100 max sessi[...]
- 
                            Page 317 (10-53) Chapter 10 Managing Access Policies, Maximum User Sessions: Related topics • Maximum User Sessions, page 10-50 • Max Session User Settings, page 10-51 • Max Session Group Settings, page 10-51 • Purging User Sessions, page 10-53 • Maximum User Session in Distribute[...]
- 
                            Page 318 (10-54) Chapter 10 Managing Access Policies, Maximum User Sessions: The Purge User Session page appears with a list of all AAA clients. Step 2 Select the AAA client for which you want to purge the user sessions. Step 3 Click Get Logged-in User List. A list of all the logged in users i[...]
- 
                            Page 319 (10-55) Chapter 10 Managing Access Policies, Maximum User Sessions: Maximum User Session in Proxy Scenario Authentication and accounting requests should be sent to the same ACS server, else the Maximum Session feature will not work as desired. Related topics • Maximum User Sessions[...]
- 
                            Page 320 (10-56) Chapter 10 Managing Access Policies, Maximum User Sessions[...]
- 
                            Page 321 (11-1) Chapter 11 Monitoring and Reporting in ACS: The Monitoring and Reports drawer appears in the primary web interface window and contains the Launch Monitoring & Report Viewer option. The Monitoring & Report Viewer provides monitoring, reporting, and troubl [...]
- 
                            Page 322: 11-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 11 Monitoring and Reporting in ACS Authentication Records and Details • Support for non-English characters (UTF-8)—You can have non-English characters in: – Syslog messages—Configurable attribute value, user name, and ACS named configuration objects – G[...] 
- 
                            Page 323: 11-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 11 Monitoring and Reporting in ACS Dashboard Pages Note These tabs are customizable, and you can modify or delete the following tabs. • General—The General tab lists the following: – Five most recent alarms—When you click the name of the alarm, a dialog bo[...] 
- 
                            Page 324: 11-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 11 Monitoring and Reporting in ACS Working with Portlets – Authentication Snapshot—Provides a snapshot of authentications in the graphical and tabular formats for up to the past 30 days. In the graphical representation, the field based on which the records are[...] 
- 
                            Page 325: 11-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 11 Monitoring and Reporting in ACS Working with Portlets Figure 11-1 Portlets Top 5 Alarms and My Favorite Reports appear in separate windows. You can edit each of these portlets separately. To edit a portlet, click the edit button ( ) at the upper-right [...] 
- 
                            Page 326: 11-6 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 11 Monitoring and Reporting in ACS Configuring Tabs in the Dashboard Related Topic • Dashboard Pages, page 11-2 • Running Authentication Lookup Report, page 11-6 Running Authentication Lookup Report When you run an Authentication Lookup report, consider the [...] 
- 
                            Page 327: 11-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 11 Monitoring and Reporting in ACS Configuring Tabs in the Dashboard Step 5 Click Add Page. A new tab of your choice is created. You can add the applications that you most frequently monitor in this tab. Adding Applications to Tabs To add an application to a tab:[...] 
- 
                            Page 328: 11-8 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 11 Monitoring and Reporting in ACS Configuring Tabs in the Dashboard Changing the Dashboard Layout You can change the look and feel of the Dashboard. ACS provides you with nine different in-built layouts. To choose a different layout: Step 1 From the Monitorin[...] 
- 
                            Page 329: CHAPTER 12-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 12 Managing Alarms The Monitoring feature in ACS generates alarms to notify you of critical system conditions. The monitoring component retrieves data from ACS. You can configure thresholds and rules on this data to manage alarms. Alarm notifications are disp[...] 
- 
                            Page 330: 12-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Understanding Alarms System Alarms System alarms notify you of critical conditions encountered during the execution of the ACS Monitoring and Reporting viewer. System alarms also provide informational status of system activities, such as data[...] 
- 
                            Page 331: 12-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Viewing and Editing Alarms in Your Inbox Notifying Users of Events When a threshold is reached or a system alarm is generated, the alarm appears in the Alarms Inbox of the web interface. From this page, you can view the alarm details, add a comme[...] 
- 
                            Page 332: 12-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Viewing and Editing Alarms in Your Inbox Time Display only. Indicates the time of the associated alarm generation in the format Ddd Mmm dd hh:mm:ss timezone yyyy, where: • Ddd = Sun, Mon, Tue, Wed, Thu, Fri, Sat. • Mmm = Jan, Feb, Mar, A[...] 
- 
                            Page 333: 12-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Viewing and Editing Alarms in Your Inbox Configure Incremental Backup Data Repository as Remote Repository otherwise backup will fail and Incremental backup mode will be changed to off. Warning Configure Remote Repository under Purge Conf [...] 
- 
                            Page 334: 12-6 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Viewing and Editing Alarms in Your Inbox Full Database Purge Backup failed: Exception Details Critical Incremental Backup Failed: Exception Details Critical Log Recovery Log Message Recovery failed: Exception Details Critical View Compress Da[...] 
- 
                            Page 335: 12-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Viewing and Editing Alarms in Your Inbox Failed to load backup library. Scheduled backup of ACS configuration db failed. Please check ADE.log for more details. Critical Symbol lookup error. Scheduled backup of ACS configuration db failed. Ple[...] 
- 
                            Page 336: 12-8 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Viewing and Editing Alarms in Your Inbox Note ACS cannot be used as a remote syslog server. But, you can use an external server as a syslog server. If you use an external server as a syslog server, no alarms can be generated in the ACS view as[...] 
- 
                            Page 337: 12-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Understanding Alarm Schedules • Deleting Alarm Thresholds, page 12-33 Understanding Alarm Schedules You can create alarm schedules to specify when a particular alarm threshold is run. You can create, edit, and delete alarm schedules. You can [...] 
- 
                            Page 338: 12-10 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Understanding Alarm Schedules Step 3 Click Submit to save the alarm schedule. The schedule that you create is added to the Schedule list box in the Threshold pages. Assigning Alarm Schedules to Thresholds When you create an alarm threshold, you mu[...] 
- 
                            Page 339: 12-11 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Deleting Alarm Schedules Note Before you delete an alarm schedule, ensure that it is not referenced by any thresholds that are defined in ACS. You cannot delete the default schedule (nonstop[...] 
- 
                            Page 340: 12-12 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Step 2 Do one of the following: • Click Create. • Check the check box next to the alarm that you want to duplicate, then click Duplicate. • Click the alarm name that you want to modi[...] 
- 
                            Page 341: 12-13 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Configuring General Threshold Information, page 12-13 • Configuring Threshold Criteria, page 12-14 • Configuring Threshold Notifications, page 12-32 Configuring General[...] 
- 
                            Page 342: 12-14 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Configuring Threshold Criteria ACS 5.3 provides the following threshold categories to define different threshold criteria: • Passed Authentications, page 12-14 • Failed Authentications,[...] 
- 
                            Page 343: 12-15 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Note You can specify one or more filters to limit the passed authentications that are considered for threshold evaluation. Each filter is associated with a particular attribute in the authen[...] 
- 
                            Page 344: 12-16 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...] 
- 
                            Page 345: 12-17 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds An alarm is triggered because at least one Device IP has greater than 10 failed authentications in the past 2 hours. Note You can specify one or more filters to limit the failed authentication[...] 
- 
                            Page 346: 12-18 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...] 
- 
                            Page 347: 12-19 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds The aggregation job begins at 00:05 hours every day. From 23:50 hours, up until the time the aggregation job completes, the authentication inactivity alarms are suppressed. For example, if yo[...] 
- 
                            Page 348: 12-20 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...] 
- 
                            Page 349: 12-21 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...] 
- 
                            Page 350: 12-22 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...] 
- 
                            Page 351: 12-23 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...] 
- 
                            Page 352: 12-24 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...] 
- 
                            Page 353: 12-25 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...] 
- 
                            Page 354: 12-26 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...] 
- 
                            Page 355: 12-27 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Unknown NAD When ACS evaluates this threshold, it examines the RADIUS or TACACS+ failed authentications that have occurred during the specified time interval up to the previous 24 hours.[...] 
- 
                            Page 356: 12-28 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...] 
- 
                            Page 357: 12-29 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds You can specify one or more filters to limit the failed authentications that are considered for threshold evaluation. Each filter is associated with a particular attribute in the records a[...] 
- 
                            Page 358: 12-30 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds If, in the past four hours, RBACL drops have occurred for two different source group tags as shown in the following table, an alarm is triggered, because at least one SGT has a count gr[...] 
- 
                            Page 359: 12-31 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds NAD-Reported AAA Downtime When ACS evaluates this threshold, it examines the NAD-reported AAA down events that occurred during the specified interval up to the previous 24 hours. The AAA [...] 
- 
                            Page 360: 12-32 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Duplicating Alarm Thresholds Related Topics • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Configuring General Threshold Information, page 12-13 • Configuring Threshold Notifications, page 12-32[...] 
- 
                            Page 361: 12-33 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Deleting Alarm Thresholds Related Topics • Viewing and Editing Alarms in Your Inbox, page 12-3 • Creating, Editing, and Duplicating Alarm Thresholds, page 12-11 • Deleting Alarm Thresholds, page 12-33 Deleting Alarm Thresholds To delete[...] 
- 
                            Page 362: 12-34 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Configuring System Alarm Settings Configuring System Alarm Settings System alarms are used to notify users of: • Errors that are encountered by the Monitoring and Reporting services • Information on data purging Use this page to enable sys[...] 
- 
                            Page 363: 12-35 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Understanding Alarm Syslog Targets Understanding Alarm Syslog Targets Alarm syslog targets are the destinations where alarm syslog messages are sent. The Monitoring & Report Viewer sends alarm notification in the form of syslog messages. [...] 
- 
                            Page 364: 12-36 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Understanding Alarm Syslog Targets Step 4 Click Submit. Related Topics • Understanding Alarm Syslog Targets, page 12-35 • Deleting Alarm Syslog Targets, page 12-36 Deleting Alarm Syslog Targets Note You cannot delete the default nonstop[...] 
- 
                            Page 365: CHAPTER 13-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 13 Managing Reports The Monitoring & Report Viewer component of ACS collects log and configuration data from various ACS servers in your deployment, aggregates it, and provides interactive reports that help you analyze the data. The Monitoring & Repo[...] 
- 
                            Page 366: 13-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports • Catalog—Monitoring & Reports > Reports > Catalog > <report_type> For easy access, you can add reports to your Favorites page, from which you can customize and delete reports. You can customize the reports that mus[...] 
- 
                            Page 367: 13-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Working with Favorite Reports This chapter describes in detail the following: • Working with Favorite Reports, page 13-3 • Sharing Reports, page 13-6 • Working with Catalog Reports, page 13-7 • Viewing Reports, page 13-21 • Format[...] 
- 
                            Page 368: 13-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Working with Favorite Reports Step 5 Click Add to Favorite. The report is added to your Favorites page. Related Topics • Working with Favorite Reports, page 13-3 • Viewing Favorite-Report Parameters, page 13-4 • Editing Favori[...] 
- 
                            Page 369: 13-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Working with Favorite Reports Editing Favorite Reports After you view the existing parameters in your favorite report, you can edit them. To edit the parameters in your favorite reports: Step 1 Choose Monitoring and Reports > Reports > [...] 
- 
                            Page 370: 13-6 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Sharing Reports The report is generated in the page. Step 3 Click Launch Interactive Viewer for more options. Related Topics • Adding Reports to Your Favorites Page, page 13-3 • Viewing Favorite-Report Parameters, page 13-4 • Runnin[...] 
- 
                            Page 371: 13-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Working with Catalog Reports Step 7 Click Save. The report is saved in your Shared folder and is available for all users. Working with Catalog Reports Catalog reports are system reports that are preconfigured in ACS. This section contain[...] 
- 
                            Page 372: 13-8 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Working with Catalog Reports Access Service Authentication Summary Provides RADIUS and TACACS+ authentication summary information for a particular access service for a selected time period; along with a graphical representation. Passed authe[...] 
- 
                            Page 373: 13-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Working with Catalog Reports ACS System Diagnostics Provides system diagnostic details based on severity for a selected time period. Internal Operations Diagnostics, distributed management, administrator authentication and authorization To[...] 
- 
                            Page 374: 13-10 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Working with Catalog Reports Session Status Summary Provides the port sessions and status of a particular network device obtained by SNMP. This report uses either the community string provided in the report or the community string configured i[...] 
- 
                            Page 375: 13-11 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Working with Catalog Reports Running Catalog Reports To run a report that is in the Catalog: Step 1 Select Monitoring & Reports > Reports > Catalog > report_type, where report_type is the type of report you want to run. The av [...] 
- 
                            Page 376: 13-12 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Working with Catalog Reports Type Type of report. Modified At Time that the associated report was last modified by an administrator, in the format Ddd Mmm dd hh:mm:ss timezone yyyy, where: • Ddd = Sun, Mon, Tue, Wed, Thu, Fri,[...] 
- 
                            Page 377: 13-13 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Working with Catalog Reports Step 2 Click the radio button next to the report name you want to run, then select one of the options under Run: • Run for Today—The report you specified is run and the generated results are displayed. ?[...] 
- 
                            Page 378: 13-14 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Working with Catalog Reports Table 13-4 Reports > Report Types and Names <report_type> <report_name> AAA Protocol AAA Diagnostics Authentication Trend RADIUS Accounting RADIUS Authentication TACACS Accounting TACACS Authent[...] 
- 
                            Page 379: 13-15 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Working with Catalog Reports Related Topics • Working with Catalog Reports, page 13-7 • Understanding the Report_Name Page, page 13-15 Understanding the Report_Name Page Note Not all options listed in Table 13-5 are used in selecting[...] 
- 
                            Page 380: 13-16 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Working with Catalog Reports Failure Reason Enter a failure reason name or click Select to enter a valid failure reason name on which to run your report. Protocol Use the drop down list box to select which protocol on which you want to run yo[...] 
- 
                            Page 381: 13-17 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Working with Catalog Reports Related Topics • Working with Catalog Reports, page 13-7 • Working with Favorite Reports, page 13-3 • Available Reports in the Catalog, page 13-7 • Running Catalog Reports, page 13-11 Administrator Na[...] 
- 
                            Page 382: 13-18 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Working with Catalog Reports Enabling RADIUS CoA Options on a Device To view all the RADIUS Active Session reports you have to enable RADIUS CoA options on the device. To configure the RADIUS CoA options: Step 1 Configure MAB, 802.1X an[...] 
- 
                            Page 383: 13-19 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Working with Catalog Reports Figure 13-2 RADIUS Active Session Report Step 2 Click the CoA link from the RADIUS session that you want to reauthenticate or terminate. The Change of Authorization Request page appears. Step 3 Select a CoA optio[...] 
- 
                            Page 384: 13-20 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Working with Catalog Reports • Shared secret mismatch Step 5 See the Troubleshooting RADIUS Authentications, page 14-6 to troubleshoot a failed change of authorization attempt. A failed dynamic CoA will be listed under failed RADIUS authent[...] 
- 
                            Page 385: 13-21 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Viewing Reports Step 3 Click Yes to confirm that you want to reset the System Report files to the factory default. The page is refreshed, and the reports in Catalog > report_type are reset to the factory default. Viewing Reports This section [...] 
- 
                            Page 386: 13-22 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Viewing Reports Figure 13-4 Context Menu for Column Data in Interactive Viewer Figure 13-5 shows the context menu you use to modify labels in Interactive Viewer. To display this menu, select and right-click a label. Use this menu t [...] 
- 
                            Page 387: 13-23 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Viewing Reports Navigating Reports When you open a report in the viewer, you see the first page of data. To view or work with data, you use tools that help you navigate the report. In the viewer, you can page through a report by using the[...] 
- 
                            Page 388: 13-24 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Viewing Reports Figure 13-10 Table of Contents Expanded Entry To navigate to a specific page, click the related link. Exporting Report Data The viewer supports the ability to export report data to an Excel spreadsheet as a comma-separ[...] 
- 
                            Page 389: 13-25 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Viewing Reports In Excel, you can resize columns and format the data as you would do for any other spreadsheet. Step 1 In the viewer, select Export Data. The Export Data dialog box appears, as shown in Figure 13-12. Figure 13-12 The Export Dat [...] 
- 
                            Page 390: 13-26 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Viewing Reports Printing Reports You can print a report that appears in the viewer in HTML or PDF format. Because you can modify the report in Interactive Viewer, Interactive Viewer supports printing either the original report or the repor[...] 
- 
                            Page 391: 13-27 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Step 2 Navigate to the location where you want to save the file. Step 3 Type a file name and click Save. Step 4 Click OK on the confirmation message that appears. Formatting Reports in Interactive View[...] 
- 
                            Page 392: 13-28 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Step 2 Select Change Text. The Edit Text dialog box appears. Step 3 Modify the text as desired and click Apply. Formatting Labels To modify the formatting of a label: Step 1 Click on the label and th[...] 
- 
                            Page 393: 13-29 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Changing Column Data Alignment To change the alignment of data in a column, right-click the column and select Alignment from the context menu. Then, choose one of the alignment options: Left, Center, or[...] 
- 
                            Page 394: 13-30 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Formatting Data Types In an information object, as in the relational databases on which information objects are based, all the data in a column is of the same data type, excluding the column header. The[...] 
- 
                            Page 395: 13-31 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Formatting Numeric Data Numeric data can take several forms. A column of postal codes requires different formatting from a column of sales figures. Figure 13-16 shows the numeric formats you can use. Figu[...] 
- 
                            Page 396: 13-32 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Step 7 In Negative Numbers, select an option for displaying negative numbers, by using either a minus sign before the number or parentheses around the number. Step 8 Click Apply. Formatting Fixed o[...] 
- 
                            Page 397: 13-33 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Step 3 In Format Code field, type a format pattern similar to those shown in Table 13-7. Step 4 Click Apply. Formatting String Data Step 1 To define the format for a column that contains string data,[...] 
- 
                            Page 398: 13-34 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Step 1 Select a string data column, then click Format. The String column format window appears. Step 2 In Format String as field, select Custom. A second field, Format Code, appears. Step 3 In the F[...] 
- 
                            Page 399: 13-35 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Table 13-6 shows the standard date-and-time data type formats. Step 1 Select a column that contains date or time data, then click Format. The Date and Time Format window appears. Step 2 In Format Da[...] 
- 
                            Page 400: 13-36 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Formatting Boolean Data A Boolean expression evaluates to True or False. For example, you create a calculated column with the following expression: ActualShipDate <= TargetShipDate If the actual sh[...] 
- 
                            Page 401: 13-37 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Figure 13-18 Conditional Formatting in Interactive Viewer You can affect the formatting of one column based on the value in another column. For example, if you select the CustomerName column, you ca[...] 
- 
                            Page 402: 13-38 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer b. In the next field, use the drop-down list to select the operator to apply to the column you selected. You can select Equal to, Less than, Less than or Equal to, and so on. Depending on your selection[...] 
- 
                            Page 403: 13-39 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Step 4 On Conditional Formatting, choose Format, and set the formatting for the conditional text. You can set the font, font size, font color, and background color. You also can specify displayi[...] 
- 
                            Page 404: 13-40 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Figure 13-23 Removing a Conditional Format in Interactive Viewer Step 4 Click Apply. Setting and Removing Page Breaks in Detail Columns In Interactive Viewer, you can force page breaks after a pre[...]
- 
                            Page 405: 13-41 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Figure 13-24 Setting a Page Break Step 3 Specify whether to set a page break before every group, or for every group except the first or last groups. To delete an existing page break, select None in Before group or Af[...]
- 
                            Page 406: 13-42 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Reordering Columns in Interactive Viewer To reorder columns: Step 1 Select and right-click a column. Step 2 From the context menu, select Column > Reorder Columns. The Arrange Columns window appears. Step 3 Select the c[...]
- 
                            Page 407: 13-43 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Figure 13-26 Move to Group Header Dialog Box Step 3 From the Move to Group field, select a value. Step 4 In the Header row field, select the row number in which to move the value you selected in Step 3. Step 5 Click A[...]
- 
                            Page 408: 13-44 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Hiding or Displaying Report Items To hide or display report items: Step 1 Select and right-click a column. Step 2 Select Hide or Show Items. The Hide or Show Items dialog box appears, similar to Figure 13-28. Figure 13-28[...]
- 
                            Page 409: 13-45 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Displaying Hidden Columns To display hidden columns: Step 1 Select and right-click a column. Step 2 Select Column > Show Columns. The Show Columns dialog box appears. Step 3 Select any items you want to display. Use C[...]
- 
                            Page 410: 13-46 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Figure 13-30 Merged Column To merge data in multiple columns: Step 1 Select and right-click the columns. Step 2 Select Column > Merge Columns. Selecting a Column from a Merged Column You can aggregate, filter, and g[...]
- 
                            Page 411: 13-47 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Sorting Data When you place data in a report design, the data source determines the default sort order for the data rows. If the data source sorts a column in ascending order, the column is sorted in ascending order in the [...]
- 
                            Page 412: 13-48 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Figure 13-31 Sorting Multiple Columns If the report uses grouped data, the drop-down lists in Advanced Sort show only the detail columns in the report, not the columns you used to group the data. Grouping Data A repor[...]
- 
                            Page 413: 13-49 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Figure 13-32 Ungrouped Data To organize all this information into a useful inventory report, you create data groups and data sections. Data groups contain related data rows. For example, you can create a report that [...]
- 
                            Page 414: 13-50 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Adding Groups To add groups: Step 1 Select and right-click the column you want to use to create a group. Step 2 From the Context menu, select Group > Add Group. The new group appears in the viewer. As shown in Fig[...]
- 
                            Page 415: 13-51 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Step 4 To set a grouping interval, select Group every and enter a value and select the grouping interval. For example, to create a new group for every month, type 1 and select Month from the drop-down list. The report[...]
- 
                            Page 416: 13-52 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Figure 13-37 Calculated Column To create a calculation, you • Provide a title for the calculated column. • Write an expression that indicates which data to use and how to display the calculated data in the report. Th[...]
- 
                            Page 417: 13-53 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Understanding Supported Calculation Functions Table 13-11 provides examples of the functions you can use to create calculations. Note The Calculation dialog box does not support the use of uppercase TRUE and FALSE functi[...]
- 
                            Page 418: 13-54 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data COUNT( ) Counts the rows in a table. COUNT( ) COUNT(groupLevel) Counts the rows at the specified group level. COUNT(2) COUNTDISTINCT(expr) Counts the rows that contain distinct values in a table. COUNTDISTINCT([Custome[...]
- 
                            Page 419: 13-55 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data FIRST(expr, groupLevel) Displays the first value that appears in the specified column at the specified group level. FIRST([customerID], 3) IF(condition, doIfTrue, doIfFalse) Displays the result of an If...Then...Else st[...]
- 
                            Page 420: 13-56 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data ISTOPNPERCENT(expr, percent, groupLevel) Displays True if the value is within the highest n percentage values for the expression at the specified group level, and False otherwise. ISTOPNPERCENT([SalesTotals], 5, 3) [...]
- 
                            Page 421: 13-57 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data MONTH(date, option) Displays the month of a specified date-and-time value, in one of three optional formats: • 1 - Displays the month number of 1 through 12. • 2 - Displays the complete month name in the user’s loc[...]
- 
                            Page 422: 13-58 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data RANK(expr) Displays the rank of a number, string, or date-and-time value, starting at 1. Duplicate values receive identical rank but the duplication does not affect the ranking of subsequent values. RANK([AverageStar[...]
- 
                            Page 423: 13-59 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data TRIM(str) Displays a string with all leading and trailing blank characters removed. Also removes all consecutive blank characters. Leading and trailing blanks can be spaces, tabs, and so on. TRIM([customerNa[...]
- 
                            Page 424: 13-60 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Understanding Supported Operators Table 13-12 describes the mathematical and logical operators you can use in writing expressions that create calculated columns. Using Numbers and Dates in an Expression When you create a[...]
- 
                            Page 425: 13-61 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Using Multiply Values in Calculated Columns To use multiply values in calculated columns: Step 1 Select a column. In the report, the new calculated column appears to the right of the column you select. Step 2 Select Add Ca[...]
- 
                            Page 426: 13-62 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Step 7 For the second argument, type the number of days to add. In this case, type 7. Step 8 Validate the expression, then click Apply. The new calculated column appears in the report. For every value in the Order Da[...]
- 
                            Page 427: 13-63 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Figure 13-39 Aggregate Row for a Group Table 13-13 shows the aggregate functions that you can use. Table 13-13 Aggregate Functions Aggregate functions Description Average Calculates the average value of a set of da[...]
- 
                            Page 428: 13-64 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Creating an Aggregate Data Row To create an aggregate data row: Step 1 Select a column, then select Aggregation. The Aggregation dialog box appears. The name of the column you selected is listed in the Selected Column f[...]
- 
                            Page 429: 13-65 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Adding Additional Aggregate Rows After you create a single aggregate row for a column, you can add up to two more aggregate rows for the same column. For an item total column, for example, you can create a sum of all the [...]
- 
                            Page 430: 13-66 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Hiding and Filtering Report Data Deleting Aggregate Rows To delete an aggregate row: Step 1 Select the calculated column that contains the aggregation you want to remove, then select Aggregation. The Aggregation dialog box appears, disp [...]
- 
                            Page 431: 13-67 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Hiding and Filtering Report Data Figure 13-43 Suppressed Values You can suppress duplicate values to make your report easier to read. You can suppress only consecutive occurrences of duplicate values. In the Location column in Figure 13-[...]
- 
                            Page 432: 13-68 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Hiding and Filtering Report Data Figure 13-44 Group Detail Rows Displayed Figure 13-45 shows the results of hiding the detail rows for the creditrank grouping. Figure 13-45 Group Detail Rows Hidden • To collapse a group or section, selec[...]
- 
                            Page 433: 13-69 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Hiding and Filtering Report Data Types of Filter Conditions Table 13-15 describes the types of filter conditions and provides examples of how filter conditions are translated into instructions to the data source. Bottom N Returns the lowest[...]
- 
                            Page 434: 13-70 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Hiding and Filtering Report Data Setting Filter Values After you choose a condition, you set a filter value. Step 1 To view all the values for the selected column, select Select Values. Additional fields appear in the Filter dialog box as s[...]
- 
                            Page 435: 13-71 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Hiding and Filtering Report Data Figure 13-46 Selecting a Filter Value in Interactive Viewer Step 2 To search for a value, type the value in the Find Value field, then click Find. All values that match your filter text are returned. For e [...]
- 
                            Page 436: 13-72 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Hiding and Filtering Report Data Step 3 From the Condition pulldown menu, select a condition. Table 13-14 describes the conditions you can select. • If you select Between or Not Between, Value From and Value To, additional fields a[...]
- 
                            Page 437: 13-73 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Hiding and Filtering Report Data Figure 13-47 The Advanced Filter Dialog Box in Interactive Viewer Advanced Filter provides a great deal of flexibility in setting the filter value. For conditions that test equality and for the Between co[...]
- 
                            Page 438: 13-74 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Hiding and Filtering Report Data Step 7 Validate the filter syntax by clicking Validate. You have now created a filter with one condition. The next step is to add conditions. Step 8 Follow steps Step 3 to Step 7 to create each additi[...]
- 
                            Page 439: 13-75 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Understanding Charts Step 2 From the Filter pulldown menu, select a particular number of rows or a percentage of rows, as shown in Figure 13-48. Step 3 Enter a value in the field next to the Filter pulldown menu to specify the number or pe[...]
- 
                            Page 440: 13-76 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Understanding Charts Figure 13-49 Parts of a Basic Bar Chart There are a variety of chart types. Some types of data are best depicted with a specific type of chart. Charts can be used as reports in themselves and they can be used together wi[...]
- 
                            Page 441: 13-77 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Understanding Charts Changing Chart Subtype Charts have subtypes, which you can change as needed: • Bar chart—Side-by-Side, Stacked, Percent Stacked • Line chart—Overlay, Stacked, Percent Stacked • Area chart—Overlay, Stacked, Percen[...]
- 
                            Page 442: 13-78 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Understanding Charts Figure 13-50 Chart Formatting Options You use this page to: • Edit and format the default chart title. • Edit and format the default title for the category, or x-, axis. • Modify settings for the labels on the x-[...]
- 
                            Page 443: CHAPTER 14-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 14 Troubleshooting ACS with the Monitoring & Report Viewer This chapter describes the diagnostic and troubleshooting tools that the Monitoring & Report Viewer provides for the Cisco Secure Access Control System. This chapter contains the following sec[...]
- 
                            Page 444: 14-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer Available Diagnostic and Troubleshooting Tools Support bundles typically contain the ACS database, log files, core files, and Monitoring & Report Viewer support files. You can exclude certai[...]
- 
                            Page 445: 14-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer Performing Connectivity Tests Performing Connectivity Tests You can test your connectivity to a network device with the device’s hostname or IP address. For example, you can verify your connectio[...]
- 
                            Page 446: 14-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer Downloading ACS Support Bundles for Diagnostic Information Related Topics • Available Diagnostic and Troubleshooting Tools, page 14-1 • Connectivity Tests, page 14-1 • ACS Support Bundle, [...]
- 
                            Page 447: 14-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer Working with Expert Troubleshooter • Include core files—Check this check box to include core files, then click All or click Include files from the last and enter a value from 1 to 365 in the day(s[...]
- 
                            Page 448: 14-6 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer Working with Expert Troubleshooter • Comparing IP-SGT Pairs on a Device with ACS-Assigned SGT Records, page 14-14 • Comparing Device SGT with ACS-Assigned Device SGT, page 14-15 Related Topics •[...]
- 
                            Page 449: 14-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer Working with Expert Troubleshooter Step 4 Click Search to display the RADIUS authentications that match your search criteria. The Search Result table is populated with the results of your search. The fol[...]
- 
                            Page 450: 14-8 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer Working with Expert Troubleshooter Step 8 Click Done to return to the Expert Troubleshooter. The Progress Details page refreshes periodically to display the tasks that are performed as troubleshooting[...]
- 
                            Page 451: 14-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer Working with Expert Troubleshooter Step 10 Click Done to return to the Expert Troubleshooter. The Monitoring & Report Viewer provides you the diagnosis, steps to resolve the problem, and trouble[...]
- 
                            Page 452: 14-10 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer Working with Expert Troubleshooter Step 3 Click Run to run the show command on the specified network device. The Progress Details page appears. The Monitoring & Report Viewer prompts you for ad [...]
- 
                            Page 453: 14-11 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer Working with Expert Troubleshooter Step 3 Click Run. The Progress Details page appears. The Monitoring & Report Viewer prompts you for additional input. Step 4 Click the User Input Required bu [...]
- 
                            Page 454: 14-12 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer Working with Expert Troubleshooter 3. Compares the SGACL policy obtained from the network device with the SGACL policy obtained from ACS. 4. Displays the source SGT—destination SGT pair if the[...]
- 
                            Page 455: 14-13 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer Working with Expert Troubleshooter Step 4 Click SXP-IP Mappings from the list of troubleshooting tools. The Expert Troubleshooter page refreshes and shows the following field: Network Device IP—E[...]
- 
                            Page 456: 14-14 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer Working with Expert Troubleshooter Step 10 Click Show Results Summary to view the diagnosis and resolution steps. The Results Summary page appears with the information described in Table 14-6. Relate[...]
- 
                            Page 457: 14-15 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer Working with Expert Troubleshooter Step 6 Click Show Results Summary to view the diagnosis and resolution steps. Related Topics • Available Diagnostic and Troubleshooting Tools, page 14-1 • Co[...]
- 
                            Page 458: 14-16 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 14 Troubleshooting ACS with the Monitoring & Report Viewer Working with Expert Troubleshooter Step 3 Click Run. The Progress Details page appears with a summary. Step 4 Click Show Results Summary to view the results of device SGT comparison. The Results Summ[...]
- 
                            Page 459: CHAPTER 15-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 15 Managing System Operations and Configuration in the Monitoring & Report Viewer This chapter describes the tasks that you must perform to configure and administer the Monitoring & Report Viewer. The Monitoring Configuration drawer allows you t[...]
- 
                            Page 460: 15-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer • Configure and edit failure reasons—The Monitoring & Report Viewer allows you to configure the description of the failure reason code and provide instructions to r[...]
- 
                            Page 461: 15-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer Configuring Data Purging and Incremental Backup • Configuring Alarm Syslog Targets, page 15-17 • Configuring Remote Database Settings, page 15-17 Configuring Data Purging and [...]
- 
                            Page 462: 15-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer Configuring Data Purging and Incremental Backup – If the database disk usage is greater than 83 GB, a backup is run immediately followed by a purge until the database disk [...]
- 
                            Page 463: 15-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer Configuring Data Purging and Incremental Backup • ACS displays an alert message when the difference between the physical and actual size of the view database is greater than 10[...]
- 
                            Page 464: 15-6 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer Configuring Data Purging and Incremental Backup Configuring NFS staging If the utilization of /opt exceeds 30%, then it is required to use NFS staging with a remote repositor[...]
- 
                            Page 465: 15-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer Restoring Data from a Backup Restoring Data from a Backup Use this page to restore data from the View database that was backed up earlier. You can restore data from an incrementa[...]
- 
                            Page 466: 15-8 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer Viewing Log Collections Note You can use the refresh symbol to refresh the contents of the page. Related Topic Log Collection Details Page, page 15-9 Table 15-3 Log Collecti[...]
- 
                            Page 467: 15-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer Viewing Log Collections Log Collection Details Page Use this page to view the recently collected log names for an ACS server. Step 1 From the Monitoring & Report Viewer, sel[...]
- 
                            Page 468: 15-10 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer Viewing Log Collections Related Topic • Viewing Log Collections, page 15-7 Table 15-4 Log Collection Details Page Option Description Log Name Name of the log file. Last Sy[...]
- 
                            Page 469: 15-11 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer Recovering Log Messages Recovering Log Messages ACS server sends syslog messages to the Monitoring and Report Viewer for the activities such as passed authentication, failed at [...]
- 
                            Page 470: 15-12 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer Viewing Scheduled Jobs Note When you change any schedule through the ACS web interface, for the new schedule to take effect, you must manually restart the Job Manager proces[...]
- 
                            Page 471: 15-13 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer Viewing Process Status Viewing Process Status Use this page to view the status of processes running in your ACS environment. From the Monitoring & Report Viewer, select Mon[...]
- 
                            Page 472: 15-14 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer Viewing Data Upgrade Status Viewing Data Upgrade Status After you upgrade to ACS 5.3, ensure that the Monitoring & Report Viewer database upgrade is complete. You can do [...]
- 
                            Page 473: 15-15 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer Specifying E-Mail Settings Related Topic Viewing Failure Reasons, page 15-14 Specifying E-Mail Settings Use this page to specify the e-mail server and administrator e-mail address. [...]
- 
                            Page 474: 15-16 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer Understanding Collection Filters Understanding Collection Filters You can create collection filters that allow you to filter and drop syslog events that are not used for mon[...]
- 
                            Page 475: 15-17 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer Configuring System Alarm Settings Related Topics • Creating and Editing Collection Filters, page 15-16 • Deleting Collection Filters, page 15-17 Deleting Collection Filters T [...]
- 
                            Page 476: 15-18 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitoring & Report Viewer Configuring Remote Database Settings Step 1 From the Monitoring & Report Viewer, choose Monitoring Configuration > System Configuration > Remote Database Settings [...]
- 
                            Page 477: CHAPTER 16-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 16 Managing System Administrators System administrators are responsible for deploying, configuring, maintaining, and monitoring the ACS servers in your network. They can perform various operations in ACS through the ACS administrative interface. When you [...]
- 
                            Page 478: 16-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Understanding Administrator Roles and Accounts • Configure administrator session setting • Configure administrator access setting The first time you log in to ACS 5.3, you are prompted for the predefined administrator userna[...]
- 
                            Page 479: 16-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Configuring System Administrators and Accounts Understanding Authentication An authentication request is the first operation for every management session. If authentication fails, the management session is terminated. But if auth[...]
- 
                            Page 480: 16-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Understanding Roles Permissions A permission is an access right that applies to a specific administrative task. Permissions consist of: • A Resource – The list of ACS components that an administrator can access, such as net[...]
- 
                            Page 481: 16-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Understanding Roles Note At first login, only the Super Admin is assigned to a specific administrator. Related Topics • Administrator Accounts and Role Association • Creating, Duplicating, Editing, and Deleting Administrato[...]
- 
                            Page 482: 16-6 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Creating, Duplicating, Editing, and Deleting Administrator Accounts Administrator Accounts and Role Association Administrator account definitions consist of a name, status, description, e-mail address, password, and role assignmen[...]
- 
                            Page 483: 16-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Creating, Duplicating, Editing, and Deleting Administrator Accounts Step 2 Do any of the following: • Click Create. • Check the check box next to the account that you want to duplicate and click Duplicate. • Click the acco[...]
- 
                            Page 484: 16-8 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Viewing Predefined Roles The new account is saved. The Administrators page appears, with the new account that you created or duplicated. Related Topics • Understanding Roles, page 16-3 • Administrator Accounts and Role Associa[...]
- 
                            Page 485: 16-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Configuring Authentication Settings for Administrators Related Topics • Understanding Roles, page 16-3 • Administrator Accounts and Role Association, page 16-6 • Configuring Authentication Settings for Administrators, page 16-[...]
- 
                            Page 486: 16-10 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Configuring Authentication Settings for Administrators Note ACS automatically deactivates or disables your account based on your last login, last password change, or number of login retries. The CLI and PI user accounts are blo[...]
- 
                            Page 487: 16-11 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Configuring Session Idle Timeout Related Topics • Understanding Roles, page 16-3 • Administrator Accounts and Role Association, page 16-6 • Viewing Predefined Roles, page 16-8 Configuring Session Idle Timeout A GUI session, [...]
- 
                            Page 488: 16-12 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Resetting the Administrator Password Step 3 Click Create in the IP Range(s) area. A new window appears. Enter the IP address of the machine from which you want to allow remote access to ACS. Enter a subnet mask for an entire IP a[...]
- 
                            Page 489: 16-13 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Changing the Administrator Password http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/reference/cli_app_a.html#wp1893005. Note You cannot reset the administrator password through the AC[...]
- 
                            Page 490: 16-14 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Changing the Administrator Password Resetting Another Administrator’s Password To reset another administrator’s password: Step 1 Choose System Administration > Administrators > Accounts. The Accounts page appears with [...]
- 
                            Page 491: CHAPTER 17-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 17 Configuring System Operations You can configure and deploy ACS instances so that one ACS instance becomes the primary instance and the other ACS instances can be registered to the primary as secondary instances. An ACS instance represents ACS software t[...]
- 
                            Page 492: 17-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Understanding Distributed Deployment Understanding Distributed Deployment You can configure multiple ACS servers in a deployment. Within any deployment, you designate one server as the primary server and all the other servers are [...]
- 
                            Page 493: 17-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Understanding Distributed Deployment Note ACS 5.3 does not support the large deployment with more than ten ACS instances (one primary and nine secondaries). For more information on ACS server deployments, see: http://www.cisco.co[...]
- 
                            Page 494: 17-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Understanding Distributed Deployment • Understanding Distributed Deployment, page 17-2 Promoting a Secondary Server There can be one server only that is functioning as the primary server. However, you can promote a secondary [...]
- 
                            Page 495: 17-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Understanding Distributed Deployment Understanding Full Replication Under normal circumstances, each configuration change is propagated to all secondary instances. Unlike ACS 4.x where full replication was performed, in ACS 5.3, o[...]
- 
                            Page 496: 17-6 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Scheduled Backups • Using the Deployment Operations Page to Create a Local Mode Instance, page 17-22 Scheduled Backups You can schedule backups to be run at periodic intervals. You can schedule backups from the primary web in[...]
- 
                            Page 497: 17-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Backing Up Primary and Secondary Instances Step 2 Click Submit to schedule the backup. Related Topic Backing Up Primary and Secondary Instances, page 17-7 Backing Up Primary and Secondary Instances ACS provides you the option to back [...]
- 
                            Page 498: 17-8 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Synchronizing Primary and Secondary Instances After Backup and Restore Step 4 Click Submit to run the backup immediately. Related Topic Scheduled Backups, page 17-6 Synchronizing Primary and Secondary Instances After Backup and Resto[...]
- 
                            Page 499: 17-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Editing Instances The Distributed System Management page appears with two tables: • Primary Instance table — Shows the primary instance. The primary instance is created as part of the installation process. • Secondary Instances [...]
- 
                            Page 500: 17-10 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Editing Instances Step 2 From the Primary Instance table, click the primary instance that you want to modify, or check the Name check box and click Edit. Step 3 Complete the fields in the Distributed System Management Properties pa[...]
- 
                            Page 501: 17-11 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Editing Instances Step 4 Click Submit. Port Port for Management service. MAC Address MAC address for the instance. Description Description of the primary or secondary instance. Check Secondary Every (only applies for primary instance)[...]
- 
                            Page 502: 17-12 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Editing Instances The Primary Instance table on the Distributed System Management page appears with the edited primary instance. Related Topics • Replicating a Secondary Instance from a Primary Instance, page 17-18 • Viewing [...]
- 
                            Page 503: 17-13 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Activating a Secondary Instance The following warning message appears: Are you sure you want to delete the selected item/items? Step 5 Click OK. The Secondary Instances table on the Distributed System Management page appears witho[...]
- 
                            Page 504: 17-14 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Registering a Secondary Instance to a Primary Instance. Table 17-6 System Operations: Deployment Operations Page Option Description Instance Status Current Status Identifies the instance of the node you log in to as primary or [...]
- 
                            Page 505: 17-15 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Registering a Secondary Instance to a Primary Instance Step 3 Specify the appropriate values in the Registration Section. Step 4 Click Register to Primary. The following warning message is displayed. This operation will register t[...]
- 
                            Page 506: 17-16 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Deregistering Secondary Instances from the Distributed System Management Page Deregistering Secondary Instances from the Distributed System Management Page To deregister secondary instances from the Distributed System Management [...]
- 
                            Page 507: 17-17 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Promoting a Secondary Instance from the Distributed System Management Page The system displays the following warning message: This operation will deregister this server as a secondary with the primary server. ACS will be restar[...]
- 
                            Page 508: 17-18 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Promoting a Secondary Instance from the Deployment Operations Page Promoting a Secondary Instance from the Deployment Operations Page To promote a secondary instance to a primary instance from the Deployment Operations page: Ste[...]
- 
                            Page 509: 17-19 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Replicating a Secondary Instance from a Primary Instance Replicating a Secondary Instance from the Distributed System Management Page Note All ACS appliances must be in sync with the AD domain clock. To replicate a secondary inst[...]
- 
                            Page 510: 17-20 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Replicating a Secondary Instance from a Primary Instance The Distributed System Management page appears. On the Secondary Instance table, the Replication Status column shows UPDATED. Replication is complete on the secondary ins[...]
- 
                            Page 511: 17-21 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Replicating a Secondary Instance from a Primary Instance Failover ACS 5.3 allows you to configure multiple ACS instances for a deployment scenario. Each deployment can have one primary and multiple secondary ACS server. Scen[...]
- 
                            Page 512: 17-22 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Using the Deployment Operations Page to Create a Local Mode Instance Cleanup....... Starting ACS.... The database on the primary server is restored successfully. Now, you can observe that all secondary servers in the distribute[...]
- 
                            Page 513: 17-23 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Using the Deployment Operations Page to Create a Local Mode Instance You can use the configuration information on the ACS Configuration Audit report to manually restore the configuration information for this instance. Creating,[...]
- 
                            Page 514: 17-24 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Using the Deployment Operations Page to Create a Local Mode Instance Step 4 Click Submit. The new software repository is saved. The Software Repository page appears, with the new software repository that you created, duplicated,[...]
- 
                            Page 515: CHAPTER 18-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 18 Managing System Administration Configurations After you install Cisco Secure ACS, you must configure and administer it to manage your network efficiently. The ACS web interface allows you to easily configure ACS to perform various operations. For a lis[...]
- 
                            Page 516: 18-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Global System Options Configuring EAP-TLS Settings Use the EAP-TLS Settings page to configure EAP-TLS runtime characteristics. Select System Administration > Configuration > Global System Options > E[...]
- 
                            Page 517: 18-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Global System Options Configuring PEAP Settings Use the PEAP Settings page to configure PEAP runtime characteristics. Select System Administration > Configuration > Global System Options > PEAP S[...]
- 
                            Page 518: 18-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring RSA SecurID Prompts Generating EAP-FAST PAC Use the EAP-FAST Generate PAC page to generate a user or machine PAC. Step 1 Select System Administration > Configuration > Global System Options > E[...]
- 
                            Page 519: 18-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Dictionaries Step 3 Click Submit to configure the RSA SecurID Prompts. Managing Dictionaries The following tasks are available when you select System Administration > Configuration > Dictionaries: ?[...]
- 
                            Page 520: 18-6 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Dictionaries • RADIUS (RedCreek) • RADIUS (US Robotics) • TACACS+ To view and choose attributes from a protocol dictionary, select System Administration > Configuration > Dictionaries >[...]
- 
                            Page 521: 18-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Dictionaries Step 3 Click Submit to save the changes. Related Topics Viewing RADIUS and TACACS+ Attributes, page 18-5 Creating, Duplicating, and Editing RADIUS Vendor-Specific Subattributes To create, dup[...]
- 
                            Page 522: 18-8 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Dictionaries Table 18-9 Creating, Duplicating, and Editing RADIUS Subattributes Option Description General Attribute Name of the subattribute. The name must be unique. Description (Optional) A brief descr[...]
- 
                            Page 523: 18-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Dictionaries Step 4 Click Submit to save the subattribute. Viewing RADIUS Vendor-Specific Subattributes To view the attributes that are supported by a particular RADIUS vendor: Step 1 Choose System Admi[...]
- 
                            Page 524: 18-10 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Dictionaries Related Topic Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes, page 18-6 Configuring Identity Dictionaries This section contains the following topics: • Creating, Duplica[...]
- 
                            Page 525: 18-11 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Dictionaries Configuring Internal Identity Attributes Table 18-10 describes the fields in the internal < users | hosts > identity attributes. Table 18-10 Identity Attribute Properties Page Optio[...]
- 
                            Page 526: 18-12 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Dictionaries Deleting an Internal User Identity Attribute To delete an internal user identity attribute: Step 1 Select System Administration > Configuration > Dictionaries > Identity > Internal [...]
- 
                            Page 527: 18-13 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Dictionaries Creating, Duplicating, and Editing an Internal Host Identity Attribute To create, duplicate, and edit an internal host identity attribute: Step 1 Select System Administration > Configuratio[...]
- 
                            Page 528: 18-14 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Local Server Certificates Adding Static IP address to Users in Internal Identity Store To add static IP address to a user in Internal Identity Store: Step 1 Add a static IP attribute to internal user attr[...]
- 
                            Page 529: 18-15 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Adding Local Server Certificates Step 2 Click Add. Step 3 Enter the information in the Local Certificate Store Properties page as described in Table 18-12: Importing Server Certificates and Associating Certifica[...]
- 
                            Page 530: 18-16 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Adding Local Server Certificates Step 4 Click Finish. The new certificate is saved. The Local Certificate Store page appears with the new certificate. Generating Self-Signed Certificates Step 1 Select System Administ[...]
- 
                            Page 531: 18-17 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Adding Local Server Certificates Step 4 Click Finish. The new certificate is saved. The Local Certificate Store page appears with the new certificate. Generating a Certificate Signing Request Step 1 Select System Ad[...]
- 
                            Page 532: 18-18 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Adding Local Server Certificates Step 1 Select System Administration > Configurations > Local Server Certificates > Local Certificates > Add. Step 2 Select Bind CA Signed Certificate > Next. Step 3 En[...]
- 
                            Page 533: 18-19 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Adding Local Server Certificates Step 4 Click Submit to extend the existing certificate’s validity. The Local Certificate Store page appears with the edited certificate. Related Topic • Configuring Local Serv[...]
- 
                            Page 534: 18-20 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Adding Local Server Certificates Exporting Certificates To export a certificate: Step 1 Select System Administration > Configuration > Local Server Certificates > Local Certificates. Step 2 Check the box[...]
- 
                            Page 535: 18-21 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs Configuring Logs Log records are generated for: • Accounting messages • AAA audit and diagnostics messages • System diagnostics messages • Administrative and operational audit messages The me[...]
- 
                            Page 536: 18-22 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs • Remote Log Targets > Duplicate: “log_target”, where log_target is the name of the remote log target you selected in Step 2, if you are duplicating a remote log target. • Remote Log[...]
- 
                            Page 537: 18-23 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs Deleting a Remote Log Target To delete a remote log target: Step 1 Select System Administration > Configuration > Log Configuration > Remote Log Targets. The Remote Log Targets page app[...]
- 
                            Page 538: 18-24 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs Step 1 Select System Administration > Configuration > Log Configuration > Local Log Target. The Local Configuration page appears. Step 2 Click Delete Logs Now to immediately delete all loc[...]
- 
                            Page 539: 18-25 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs If you have completed your configuration, proceed to Step 6. Step 4 To configure a remote syslog target, click the Remote Syslog Target and proceed to Step 5. Step 5 Complete the Remote Syslog [...]
- 
                            Page 540: 18-26 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs Table 18-22 lists a set of administrative and operational logs under various categories that are not logged to the local target. Table 18-22 Administrative and Operational Logs Not Logged in t[...]
- 
                            Page 541: 18-27 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs Related Topic • Configuring Per-Instance Logging Categories, page 18-29 • Viewing ADE-OS Logs, page 18-28 Software-Management • ACS_UPGRADE—ACS upgraded • ACS_PATCH—ACS pa[...]
- 
                            Page 542: 18-28 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs Viewing ADE-OS Logs The logs listed in Table 18-22 are written to the ADE-OS logs. From the ACS CLI, you can use the following command to view the ADE-OS logs: show logging system This command list[...]
- 
                            Page 543: 18-29 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs Sep 29 06:28:28 cd-acs5-13-103 MSGCAT58004/admin: ACS Stopped Sep 29 06:31:41 cd-acs5-13-103 MSGCAT58037/admin: Installing ACS Sep 29 09:52:35 cd-acs5-13-103 MSGCAT58007: Killing Tomcat 32729 Sep 29 09:[...]
- 
                            Page 544: 18-30 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs Configuring Per-Instance Security and Log Settings You can configure the severity level and local log settings in a logging category configuration for a specific overridden or custom ACS insta[...]
- 
                            Page 545: 18-31 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs Configuring Per-Instance Remote Syslog Targets Use this page to configure remote syslog targets for logging categories. Step 1 Select System Administration > Configuration > Log Configuration [...]
- 
                            Page 546: 18-32 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs Displaying Logging Categories You can view a tree of configured logging categories for a specific ACS instance. In addition, you can configure a logging category’s severity level, log targe[...]
- 
                            Page 547: 18-33 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs Configuring the Log Collector Use the Log Collector page to select a log data collector and suspend or resume log data transmission. Step 1 Select System Administration > Configuration > Log C[...]
- 
                            Page 548: 18-34 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Licensing Overview Licensing Overview To operate ACS, you must install a valid license. ACS prompts you to install a valid base license when you first access the web interface. Each ACS instance (primary or second[...]
- 
                            Page 549: 18-35 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Installing a License File Related Topics • Licensing Overview, page 18-34 • Installing a License File, page 18-35 • Viewing the Base License, page 18-36 • Adding Deployment License Files, page 18-39 • Delet[...]
- 
                            Page 550: 18-36 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Installing a License File Viewing the Base License To upgrade the base license: Step 1 Select System Administration > Configuration > Licensing > Base Server License. The Base Server License page appears wit[...]
- 
                            Page 551: 18-37 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Installing a License File Related Topic • Upgrading the Base Server License, page 18-37 Upgrading the Base Server License You can upgrade the base server license. Step 1 Select System Administration > Configurati[...]
- 
                            Page 552: 18-38 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Viewing License Feature Options Viewing License Feature Options You can add, upgrade, or delete existing deployment licenses. The configuration pane at the top of the page shows the deployment information. Select [...]
- 
                            Page 553: 18-39 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Adding Deployment License Files Adding Deployment License Files To add a new base deployment license file: Step 1 Select System Administration > Configuration > Licensing > Feature Options. The Feature Opti[...]
- 
                            Page 554: 18-40 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Deleting Deployment License Files Related Topics • Licensing Overview, page 18-34 • Types of Licenses, page 18-34 • Installing a License File, page 18-35 • Viewing the Base License, page 18-36 • Deleting De[...]
- 
                            Page 555: 18-41 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Available Downloads Downloading Migration Utility Files To download migration application files and the migration guide for ACS 5.3: Step 1 Choose System Administration > Downloads > Migration Utility. [...]
- 
                            Page 556: 18-42 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Available Downloads To download these sample scripts: Step 1 Choose System Administration > Downloads > Sample Python Scripts. The Sample Python Scripts page appears. Step 2 Click one of the following: • P[...]
- 
                            Page 557: CHAPTER 19-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 19 Understanding Logging This chapter describes logging functionality in ACS 5.3. Administrators and users use the various management interfaces of ACS to perform different tasks. Using the administrative access control feature, you can assign permissions[...]
- 
                            Page 558: 19-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging About Logging Using Log Targets You can specify to send customer log information to multiple consumers or Log Targets and specify whether the log messages are stored locally in text format or forwarded to syslog servers. By default, a s[...]
- 
                            Page 559: 19-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging About Logging Note For complex configuration items or attributes, such as policy or DACL contents, the new attribute value is reported as "New/Updated" and the audit does not contain the actual attribute value or valu[...]
- 
                            Page 560: 19-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging About Logging Each log message contains the following information: • Event code—A unique message code. • Logging category—Identifies the category to which a log message belongs. • Severity level—Identifies the level of se[...]
- 
                            Page 561: 19-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging About Logging Local Store Target Log messages in the local store are text files that are sent to one log file, located at /opt/CSCOacs/logs/localStore/, regardless of which logging category they belong to. The local store can only contai[...]
- 
                            Page 562: 19-6 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging About Logging Table 19-2 Local Store and Syslog Message Format Field Description timestamp Date of the message generation, according to the local clock of the originating ACS, in the format YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm. Possible [...]
- 
                            Page 563: 19-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging About Logging You can use the web interface to configure the number of days to retain local store log files; however, the default setting is to purge data when it exceeds 5 MB or each day, whichever limit is first attained. If you do c[...]
- 
                            Page 564: 19-8 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging About Logging When you configure a critical log target, and a message is sent to that critical log target, the message is also sent to the configured noncritical log target on a best-effort basis. • When you configure a critical log target[...]
- 
                            Page 565: 19-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging About Logging Table 19-3 Remote Syslog Message Header Format Field Description pri_num Priority value of the message; a combination of the facility value and the severity value of the message. Priority value = (facility value * 8) + se[...]
- 
                            Page 566: 19-10 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging About Logging The syslog message data or payload is the same as the Local Store Message Format, which is described in Table 19-2. The remote syslog server targets are identified by the facility code names LOCAL0 to LOCAL7 (LOCAL6 is th[...]
- 
                            Page 567: 19-11 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging About Logging The Monitoring & Report Viewer has two drawer options: • Monitoring and Reports—Use this drawer to view and configure alarms, view log reports, and perform troubleshooting tasks. • Monitoring Configuration—Us[...]
- 
                            Page 568 19-12 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging ACS 4.x Versus ACS 5.3 Logging ACS 4.x Versus ACS 5.3 Logging If you are familiar with the logging functionality in ACS 4.x, ensure that you familiarize yourself with the logging functionality of ACS 5.3, which is considerably differen[...]
- 
                            Page 569 19-13 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging ACS 4.x Versus ACS 5.3 Logging Configuration Use the System Configuration > Logging page to define: • Loggers and individual logs • Critical loggers • Remote logging • CSV log file • Syslog log • ODBC log See Configuring Lo[...]
- 
                            Page 570 19-14 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging ACS 4.x Versus ACS 5.3 Logging[...]
- 
                            Page 571 A-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 APPENDIX A AAA Protocols This section contains the following topics: • Typical Use Cases, page A-1 • Access Protocols—TACACS+ and RADIUS, page A-5 • Overview of TACACS+, page A-5 • Overview of RADIUS, page A-6 Typical Use Cases This section contains the followin[...]
- 
                            Page 572 A-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix A AAA Protocols Typical Use Cases Session Access Requests (Device Administration [TACACS+]) Note The numbers refer to Figure A-1 on page A-1. For session request: 1. An administrator logs into a network device. 2. The network device sends a TACACS+ access req[...]
- 
                            Page 573 A-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix A AAA Protocols Typical Use Cases – EAP protocols that involve a TLS handshake and in which the client uses the ACS server certificate to perform server authentication: PEAP, using one of the following inner methods: PEAP/EAP-MSCHAPv2 and PEAP/EAP-GTC EAP-FAS[...]
- 
                            Page 574 A-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix A AAA Protocols Typical Use Cases – EAP-FAST/EAP-MSCHAPv2 – EAP-FAST/EAP-GTC • EAP methods that use certificates for both server and client authentication – EAP-TLS Whenever EAP is involved in the authentication process, it is preceded by an EAP nego[...]
- 
                            Page 575 A-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix A AAA Protocols Access Protocols—TACACS+ and RADIUS Access Protocols—TACACS+ and RADIUS This section contains the following topics: • Overview of TACACS+, page A-5 • Overview of RADIUS, page A-6 ACS 5.3 can use the TACACS+ and RADIUS access protocols. Ta[...]
- 
                            Page 576 A-6 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix A AAA Protocols Overview of RADIUS Overview of RADIUS This section contains the following topics: • RADIUS VSAs, page A-6 • ACS 5.3 as the AAA Server, page A-7 • RADIUS Attribute Support in ACS 5.3, page A-8 • RADIUS Access Requests, page A-9 RADIUS is a cl[...]
- 
                            Page 577 A-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix A AAA Protocols Overview of RADIUS ACS 5.3 as the AAA Server A AAA server is a server program that handles user requests for access to computer resources, and for an enterprise, provides AAA services. The AAA server typically interacts with network access and gateway [...]
- 
                            Page 578 A-8 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix A AAA Protocols Overview of RADIUS RADIUS Attribute Support in ACS 5.3 ACS 5.3 supports the RADIUS protocol as RFC 2865 describes. ACS 5.3 supports the following types of RADIUS attributes: • IETF RADIUS attributes • Generic and Cisco VSAs • Other vendors’[...]
- 
                            Page 579 A-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix A AAA Protocols Overview of RADIUS Authentication ACS supports various authentication protocols transported over RADIUS. The supported protocols that do not include EAP are: • PAP • CHAP • MSCHAPv1 • MSCHAPv2 In addition, various EAP-based protocols can b[...]
- 
                            Page 580 A-10 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix A AAA Protocols Overview of RADIUS In RADIUS, authentication and authorization are coupled. If the RADIUS server finds the username and the password is correct, the RADIUS server returns an access-accept response, including a list of attribute-value pairs that d[...]
- 
                            Page 581 B-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 APPENDIX B Authentication in ACS 5.3 Authentication verifies user information to confirm the user's identity. Traditional authentication uses a name and a fixed password. More secure methods use cryptographic techniques, such as those used inside the Challenge Authe[...]
- 
                            Page 582 B-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 PAP This appendix describes the following: • RADIUS-based authentication that does not include EAP: – PAP, page B-2 – CHAP, page B-31 – MSCHAPv1 – EAP-MSCHAPv2, page B-30 • EAP family of protocols transported over R[...]
- 
                            Page 583 B-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP RADIUS PAP Authentication You can use different levels of security concurrently with ACS for different requirements. PAP applies a two-way handshaking procedure. If authentication succeeds, ACS returns an acknowledgement; other[...]
- 
                            Page 584 B-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP In ACS 5.3, EAP is encapsulated in the RADIUS protocol. Incoming and outgoing EAP messages are stored in a RADIUS EAP-Message attribute (79). A single RADIUS packet can contain multiple EAP-Message attributes when the size of a particul[...]
- 
                            Page 585 B-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-MD5 ACS supports full EAP infrastructure, including EAP type negotiation, message sequencing and message retransmission. All protocols support fragmentation of big messages. In ACS 5.3, you configure EAP methods for authentication as [...]
- 
                            Page 586 B-6 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-TLS Overview of EAP-TLS EAP-TLS is one of the methods in the EAP authentication framework, and is based on the 802.1x and EAP architecture. Components involved in the 802.1x and EAP authentication process are the: • Host—The [...]
- 
                            Page 587 B-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-TLS • Using a third-party signature, usually from a CA, that verifies the information in a certificate. This third-party binding is similar to the real-world equivalent of the stamp on a passport. You trust the passport becaus[...]
- 
                            Page 588 B-8 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-TLS An anonymous Diffie-Hellman tunnel relates to the establishment of a completely anonymous tunnel between a client and a server for cases where none of the peers authenticates itself. ACS runtime supports anonymous Diffie-Hell[...]
- 
                            Page 589 B-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-TLS Fixed Management Certificates ACS generates and uses self-signed certificates to identify various management protocols such as the Web browser, HTTPS, ActiveMQ SSH, and SFTP. Self-signed certificates are generated when ACS is[...]
- 
                            Page 590 B-10 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-TLS Importing the ACS Server Certificate When you manually import an ACS server certificate you must supply the certificate file, the private key file, and the private key password used to decrypt the PKCS#12 private key. T[...]
- 
                            Page 591 B-11 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-TLS There are two types of certificate generation: • Self signing certificate generation — ACS supports generation of an X.509 certificate and a PKCS#12 private key. The passphrase used to encrypt the private key in the PK[...]
- 
                            Page 592 B-12 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-TLS Credentials Distribution All certificates are kept in the ACS database which is distributed and shared between all ACS nodes. The ACS server certificates are associated and designated for a specific node, which uses that specif[...]
- 
                            Page 593 B-13 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-TLS Private Keys and Passwords Backup The entire ACS database is distributed and backed-up on the primary ACS along with all the certificates, private-keys and the encrypted private-key-passwords. The private-key-password-key [...]
- 
                            Page 594 B-14 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 PEAPv0/1 Note All communication between the host and ACS goes through the network device. EAP-TLS authentication fails if the: • Server fails to verify the client’s certificate, and rejects EAP-TLS authentication. • Client fail[...]
- 
                            Page 595 B-15 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 PEAPv0/1 Overview of PEAP PEAP is a client-server security architecture that you use to encrypt EAP transactions, thereby protecting the contents of EAP authentications. PEAP uses server-side public key certificates to authenticate the s[...]
- 
                            Page 596 B-16 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 PEAPv0/1 Server Authenticated and Unauthenticated Tunnel Establishment Modes Tunnel establishment helps prevent an attacker from injecting packets between the client and the network access server (NAS) or, to allow negotiation [...]
- 
                            Page 597 B-17 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 PEAPv0/1 PEAP Flow in ACS 5.3 The PEAP protocol allows authentication between ACS and the peer by using the PKI-based secure tunnel establishment and the EAP-MSCHAPv2 protocol as the inner method inside the tunnel. The local certificate [...]
- 
                            Page 598 B-18 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST Authenticating with MSCHAPv2 After the TLS tunnel is created, follow these steps to authenticate the wireless client credentials with MSCHAPv2: At the end of this mutual authentication exchange, the wireless client has provided [...]
- 
                            Page 599 B-19 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST EAP-FAST is a client-server security architecture that encrypts EAP transactions with a TLS tunnel. While similar to PEAP in this respect, it differs significantly in that EAP-FAST tunnel establishment is based on strong secret[...]
- 
                            Page 600 B-20 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one, however, whether the username is protected during phase one depends [...]
- 
                            Page 601 B-21 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST • ACS-Supported Features for PACs, page B-24 • Master Key Generation and PAC TTLs, page B-26 • EAP-FAST for Allow TLS Renegotiation, page B-26 About Master-Keys EAP-FAST master-keys are strong secrets that ACS automa[...]
- 
                            Page 602 B-22 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST Provisioning Modes ACS supports out-of-band and in-band provisioning modes. The in-band provisioning mode operates inside a TLS tunnel raised by Anonymous DH or Authenticated DH or RSA algorithm for key agreement. To minimize[...]
- 
                            Page 603 B-23 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST The various means by which an end-user client can receive PACs are: • PAC provisioning—Required when an end-user client has no PAC. For more information about how master-key and PAC states determine whether PAC[...]
- 
                            Page 604 B-24 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST To control whether ACS performs Automatic In-Band PAC Provisioning, use the options on the Global System Options pages in the System Administration drawer. For more information, see EAP-FAST, page B-18. Manual PAC Provis[...]
- 
                            Page 605 B-25 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST The proactive PAC update time is configured for the ACS server in the Allowed Protocols Page. This mechanism allows the client to be always updated with a valid PAC. Note There is no proactive PAC update for Machine and [...]
- 
                            Page 606 B-26 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST Master Key Generation and PAC TTLs The values for master key generation and PAC TTLs determine their states, as described in About Master-Keys, page B-21 and Types of PACs, page B-22. Master key and PAC states determine whe[...]
- 
                            Page 607 B-27 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST To enable ACS to perform EAP-FAST authentication: Step 1 Configure an identity store that supports EAP-FAST authentication. To determine which identity stores support EAP-FAST authentication, see Authentication Protocol a[...]
- 
                            Page 608 B-28 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST This scheme improves the security by reducing the amount of cryptographic sensitive material that is transmitted. This section contains the following topics: • Key Distribution Algorithm, page B-28 • EAP-FAST PAC-Opaque[...]
- 
                            Page 609 B-29 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP Authentication with RADIUS Key Wrap PAC Migration from ACS 4.x Although the configuration can be migrated from 4.x, the PACs themselves, as being stored only in supplicants, may still be issued from versions as far back as ACS 3.x.[...]
- 
                            Page 610 B-30 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-MSCHAPv2 EAP-MSCHAPv2 Microsoft Challenge Handshake Authentication Protocol (MSCHAPv2) provides two-way authentication, also known as mutual authentication. The remote access client receives verification that the remote access s[...]
- 
                            Page 611 B-31 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 CHAP Windows Machine Authentication Against AD EAP-MSCHAPv2 can be used for machine authentication. EAP-MSCHAPv2 Windows machine authentication is the same as user authentication. The difference is that you must use the Active Directory[...]
- 
                            Page 612 B-32 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 Certificate Attributes Certificate Attributes ACS parses the following client certificate’s attributes: • Certificate serial-number (in binary format) • Encoded certificate (in binary DER format) • Subject’s CN attribute • [...]
- 
                            Page 613 B-33 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 Certificate Attributes Rules Relating to Textual Attributes ACS collects client certificate textual attributes and places them in the ACS context dictionary. ACS can apply any rule based policy on these attributes as with any rule att[...]
- 
                            Page 614 B-34 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 Machine Authentication • For automatic downloading, you define the amount of time before the CRL file expires, should ACS download it. The CRL expiration time is taken from the CRL nextUpdate field. For both modes, if the dow[...]
- 
                            Page 615 B-35 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 Authentication Protocol and Identity Store Compatibility Note Microsoft PEAP clients may also initiate machine authentication whenever a user logs off. This feature prepares the network connection for the next user login. Microsoft PE[...]
- 
                            Page 616 B-36 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 Authentication Protocol and Identity Store Compatibility Table B-5 specifies EAP authentication protocol support. Table B-5 EAP Authentication Protocol and User Database Compatibility Identity Store EAP-MD5 EAP-TLS 1 1. In EAP-TL[...]
- 
                            Page 617 C-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 APPENDIX C Open Source License Acknowledgments See http://www.cisco.com/en/US/products/ps9911/products_licensing_information_listing.html for all the Open Source and Third Party Licenses used in Cisco Secure Access Control System, 5.3. Notices The following notices pertain [...]
- 
                            Page 618 C-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix C Open Source License Acknowledgments Notices 4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openss[...]
- 
                            Page 619 C-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix C Open Source License Acknowledgments 4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson (tjh@cryptsoft[...]
- 
                            Page 620 C-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix C Open Source License Acknowledgments[...]
- 
                            Page 621 GL-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 GLOSSARY A AAA Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined proce[...]
- 
                            Page 622 Glossary GL-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 accounts The capability of ACS to record user sessions in a log file. ACS System Administrators Administrators with different access privileges defined under the System Configuration section of the ACS web interface. They administer and manage A[...]
- 
                            Page 623 Glossary GL-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 authenticity The validity and conformance of the original information. authorization The approval, permission, or empowerment for someone or something to do something. authorization profile The basic "permissions container" for a RADIUS-based network ac[...]
- 
                            Page 624 Glossary GL-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 certificate-based authentication The use of Secure Sockets Layer (SSL) and certificates to authenticate and encrypt HTTP traffic. certificate Digital representation of user or device attributes, including a public key, that is signed with an authoritative priv[...]
- 
                            Page 625 Glossary GL-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 configuration management The process of establishing a known baseline condition and managing it. cookie Data exchanged between an HTTP server and a browser (a client of the server) to store state information on the client side and retrieve it later for server us[...]
- 
                            Page 626 Glossary GL-6 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 D daemon A program which is often started at the time the system boots and runs continuously without intervention from any of the users on the system. The daemon program forwards the requests to other programs (or processes) as appropriate. The term daemon is a U[...]
- 
                            Page 627 Glossary GL-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 digital envelope An encrypted message with the encrypted session key. digital signature A hash of a message that uniquely identifies the sender of the message and proves the message hasn't changed since transmission. DSA digital signature algorithm. An asym[...]
- 
                            Page 628 Glossary GL-8 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 dumpsec A security tool that dumps a variety of information about a system's users, file system, registry, permissions, password policy, and services. DLL Dynamic Link Library. A collection of small programs, any of which can be called when needed by a la[...]
- 
                            Page 629 Glossary GL-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 EAP Extensible Authentication Protocol. A protocol for wireless networks that expands on Authentication methods used by the PPP (Point-to-Point Protocol), a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mec[...]
- 
                            Page 630 Glossary GL-10 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 G gateway A network point that acts as an entrance to another network. global system options Configuring TACACS+, EAP-TTLS, PEAP, and EAP-FAST runtime characteristics and generating EAP-FAST PAC. H hash functions Used to generate a one way "check sum&q[...]
- 
                            Page 631 Glossary GL-11 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 I I18N Internationalization and localization are means of adapting software for non-native environments, especially other nations and cultures. Internationalization is the adaptation of products for potential use virtually everywhere, while localization is [...]
- 
                            Page 632 Glossary GL-12 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 ISO International Organization for Standardization, a voluntary, non-treaty, non-government organization, established in 1947, with voting members that are designated standards bodies of participating nations and non-voting observer organizations. ISP [...]
- 
                            Page 633 Glossary GL-13 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 M MAC Address A physical address; a numeric value that uniquely identifies that network device from every other device on the planet. matchingRule (LDAP) The method by which an attribute is compared in a search operation. A matchingRule is an ASN.1 definiti[...]
- 
                            Page 634 Glossary GL-14 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 PI (Programmatic Interface) The ACS PI is a programmatic interface that provides external applications the ability to communicate with ACS to configure and operate ACS; this includes performing the following operations on ACS objects: create, update, delete a[...]
- 
                            Page 635 Glossary GL-15 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 R RDN (LDAP) The Relative Distinguished Name (frequently but incorrectly written as Relatively Distinguished Name). The name given to an attribute(s) that is unique at its level in the hierarchy. RDNs may be single valued or multi-valued in which case two or[...]
- 
                            Page 636 Glossary GL-16 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Schema (LDAP) A package of attributes and object classes that are sometimes (nominally) related. The schema(s) in which the object classes and attributes that the application will use (reference) are packaged are identified to the LDAP server so that it can [...]
- 
                            Page 637 Glossary GL-17 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 SOAP (Simple Object Access Protocol) A lightweight XML-based protocol for exchange of information in a decentralized, distributed environment. SOAP consists of three parts: an envelope that defines a framework for describing what is in a message and how to pro[...]
- 
                            Page 638 Glossary GL-18 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 U UDP User Datagram Protocol. A communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP) URL Uniform Resource Locator. The unique address for a file that is acc[...]
- 
                            Page 639 Glossary GL-19 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 X X.509 A standard for public key infrastructure. X.509 specifies, amongst other things, standard formats for public key certificates and a certification path validation algorithm. XML (eXtensible Markup Language) XML is a flexible way to create common info[...]
- 
                            Page 640 Glossary GL-20 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01[...]
- 
                            Page 641 IN-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 INDEX Symbols ! formatting symbol 13-33 % operator 13-60 & formatting symbol 13-33 & operator 13-60 * operator 13-60 + operator 13-60 / operator 13-60 <= operator 13-60 <> operator 13-60 < formatting symbol 13-33 < operator 13-60 = operator 13-60 >= [...]
- 
                            Page 642 Index IN-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Arrange Columns dialog 13-42 ascending sort order 13-47 AVERAGE function 13-53 Average function 13-63 averages 13-53, 13-57, 13-59, 13-63 B background colors 13-39 Between condition 13-68, 13-73 BETWEEN function 13-53 Between operator 13-38 blank characters 13-59 Boolean [...]
- 
                            Page 643 Index IN-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 formatting data and 13-36 context menus 13-21 conversions 13-33 COUNT_DISTINCT function 13-54 COUNT function 13-54 Count function 13-63 Count Value function 13-63 creating aggregate rows 13-64, 13-65 calculated columns 13-51, 13-60 data filters 13-68, 13-70, 13-71, 13-72[...]
- 
                            Page 644 Index IN-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 downloads 18-40 duplicate values 13-66, 13-67 E EAP-FAST enabling B-26 identity protection B-20 logging B-19 master keys definition B-21 PAC automatic provisioning B-23 definition B-21 manual provisioning B-24 refresh B-26 phases B-19 EAP-FAST settings configuring 18-3 [...]
- 
                            Page 645 Index IN-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 G General Date format option 13-30 General Number format option 13-30 Go to page pick list 13-23 Greater Than condition 13-69 greater than operator 13-60 Greater Than or Equal to condition 13-69 greater than or equal to operator 13-60 Group Detail dialog 13-50 grou[...]
- 
                            Page 646 Index IN-6 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 locales creating charts and 13-77 customizing formats for 13-30, 13-31, 13-35 locating text values 13-54, 13-58 logical operators 13-60 Long Date format option 13-30 Long Time format option 13-30 lowercase characters 13-56 Lowercase format option 13-31 LOWER function 13[...]
- 
                            Page 647 Index IN-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 numeric data types 13-30 numeric expressions 13-60, 13-61 numeric values 13-24, 13-32 O opening exported data files 13-25 Interactive Viewer 13-21 operators 13-38, 13-60 OR operator 13-60, 13-74 P PAC automatic provisioning B-23 definition B-21 manual provisioning B-24 [...]
- 
                            Page 648 Index IN-8 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 report viewers 13-21 resizing columns 13-25, 13-28 RIGHT function 13-58 ROUNDDOWN function 13-58 ROUND function 13-58 rounding 13-53, 13-58 ROUNDUP function 13-58 row-by-row comparisons 13-54 rows 13-66, 13-67 RUNNINGSUM function 13-58 running totals 13-58 S Save As di[...]
- 
                            Page 649 Index IN-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 time data types 13-30 time formats 13-30, 13-34 timesaver, description of ii-xxiv time stamps 13-57, 13-58 time values 13-34, 13-50 TODAY function 13-58 Top N condition 13-69 Top Percent condition 13-69 totals 13-37, 13-58, 13-63 trailing characters 13-59 TRIM function 13[...]
- 
                            Page 650 Index IN-10 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 X x-axis values 13-75 Y y-axis values 13-75 YEAR function 13-59[...]

