Cisco Systems OL-24201-01 Camera Accessories manual

Page 1

Americas Headquarters Cisco Systems, In c. 170 West Tasman Drive San Jose, CA 951 34-1706 USA http://www.ci sco.com Tel: 408 526-4000 800 553-NETS (638 7) Fax: 408 527-0883 User Guide f or Cisco S ecure A ccess Contr ol S ystem 5.

Page 2

THE SPECIFICATION S AND INFORMATION REGARDING TH E PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITH OUT NOTICE. ALL STATEMENTS , INFORMATION, AND RECOMMENDATI ONS IN THI S MANUAL ARE BE LIEVED TO BE A CCURATE BUT ARE PRESENTED WI THOUT WARRANTY OF ANY KIND, EX PRESS OR IMPLIED.

Page 3

iii User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 CONTENTS Preface xxiii Audience xxiii Document Conventions xxiii Documentation Updates xxiv Related Documentation xxiv Obtaining Documentation and Submitting a Serv ice Request xxv CHAPTER 1 Introducing ACS 5.

Page 4

Contents iv User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Policy Terminology 3-3 Simple Polici es 3-4 Rule-Based Policies 3-4 Types of Policies 3-5 Access Services 3-6 Identity Po.

Page 5

Contents v User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Agentless Network Access 4-12 Overview of Agentless Network Access 4-12 Host Lookup 4-13 Authentication with Call Check 4-1.

Page 6

Contents vi User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 My Account Page 5-2 Using the Web Interface 5-3 Accessing the Web Interface 5-3 Logging In 5-4 Logging Out 5-5 Understand.

Page 7

Contents vii User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Exporting Network Devices and AAA Clients 7-7 Performing Bulk Operation s for Network Resources and Users 7-8 Exporting N.

Page 8

Contents viii User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Authentication Using LDAP 8-20 Multiple LDAP Instances 8-20 Failover 8-21 LDAP Connection Management 8-21 Authenticatin.

Page 9

Contents ix User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Groups and Attributes Mapping 8-58 RADIUS Identity Store in Identity Sequence 8-59 Authentication Failure Messages 8-59 Us.

Page 10

Contents x User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Deleting an Authorizations and Permis sions Policy Element 9-32 Configuring Security Group Access Control Lists 9-33 CHAPT.

Page 11

Contents xi User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Deleting Policy Rules 10-39 Configuring Compound Conditions 10-40 Compound Condition Building Blocks 10-40 Types of Compou.

Page 12

Contents xii User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Understanding Alarm Schedules 12-9 Creating and E diting Alarm Schedule s 12-9 Assigning Alarm Schedules to Thresh olds .

Page 13

Contents xiii User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Running Catalog Reports 13-11 Deleting Catalog Reports 13-13 Running Named Re ports 13-13 Understanding the Report_Na me.

Page 14

Contents xiv User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Organizing Report Data 13-4 1 Displaying and Organizing Re port Data 13-41 Reordering Columns in Interactive Viewer 13-4.

Page 15

Contents xv User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Modifying Cha rts 13-76 Filtering Ch art Data 13-76 Changing Chart Subtype 13-77 Changing Cha rt Formatting 13-77 CHAPTER .

Page 16

Contents xvi User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Configuring System Alarm Settings 15 -17 Configuring Alarm Syslog T argets 15 -17 Configuring Remote Database Settings 1.

Page 17

Contents xvii User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Viewing and Editing a Primary Instance 17-9 Viewing and Editing a Secondary Instan ce 17-1 3 Deleting a Secondary Instan.

Page 18

Contents xviii User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Configuring Local Server Certifica tes 18-14 Adding Local Server Certificates 18-14 Importing Server Certificates and .

Page 19

Contents xix User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Using Log Targets 19-2 Logging Categories 19-2 Global and Per-Instance Logg ing Categories 19-4 Log Message Severity Leve.

Page 20

Contents xx User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Overview of EAP-TLS B-6 User Certificate Authentication B-6 PKI Authentication B-7 PKI Credentials B-8 PKI Usage B-8 Fixe.

Page 21

Contents xxi User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 EAP Authentication wi th RADIUS Key Wrap B-29 EAP-MSCHAPv2 B-30 Overview of EAP-MSCHAPv2 B-30 MSCHAPv2 for User Authentication B-30 MSCHAPv2 for Change Password B-30 Windows Machine Authentication Against AD B-31 EAP- MSCHAPv2 Flow in ACS 5.

Page 22

Contents xxii User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01.

Page 23

1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Preface Revised: April 17, 201 4 This guide describes ho w to use Cisco Secure Access Control System (A CS) 5.3. Audience This guide is for securit y administrators who us e A CS, and who set up and maint ain network an d application security .

Page 24

2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Preface Caution Means rea d e r b e c a re f u l . Y ou are capable of doing something that might result in equipment damage or loss of data . T imesaver Me ans the described action saves time .

Page 25

3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Preface Note W e sometimes update th e printed an d electroni c documentation after original publication. Therefo re, you should also re view the documentati on on Cisco.com for any u pdates.

Page 26

4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Preface.

Page 27

CH A P T E R 1-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 1 Introducing ACS 5.3 This section contains the following topics: • Overvie w of A CS, page 1-1 • A CS Distribut.

Page 28

1-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 1 Intro ducing ACS 5 .3 ACS Distributed Depl oyment A CS provides adv anced monitoring, reportin g, and troubleshooting to ols that help you administer and manage your A CS deployments.

Page 29

1-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 1 Introducing ACS 5.3 ACS Licensing Model A CS 4.x did not provide incremental repl ication, on ly full r eplication, and there was service do wntime for replication. A CS 5.

Page 30

1-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 1 Intro ducing ACS 5 .3 ACS Management Interfa ces ACS Web-based Interface Y ou can use the A CS web-based interface to fully co nfig ure your A CS deplo yment, and perform monitoring and reporting operati ons.

Page 31

1-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 1 Introducing ACS 5.3 Hardware Models Supported b y ACS For informati on about using the CLI, see the Command Line Interface Refer ence Guide for Cisco Secur e Access Contr ol System 5.

Page 32

1-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 1 Intro ducing ACS 5 .3 Hardware Mode ls Supported by ACS.

Page 33

CH A P T E R 2-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 2 Migrating from ACS 4.x to ACS 5.3 A CS 4.x stores polic y and authentication information , such as T A CA CS+ command sets, in the user and user group records. In A CS 5.

Page 34

2-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 2 M igrating from ACS 4.x to ACS 5.3 Overview of the Migration Process Overview of the Migration Process The Migration ut.

Page 35

2-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 2 Migratin g from ACS 4.x to ACS 5.3 Before You Begin Note Y ou must install the latest patch for the su pported migration v ersions listed here. Also, if you ha ve any other versio n of A C S 4.

Page 36

2-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 2 M igrating from ACS 4.x to ACS 5.3 Migrating from ACS 4.x to ACS 5.3 • User-Def ined Fields (from the Interface Confi.

Page 37

2-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 2 Migratin g from ACS 4.x to ACS 5.3 Functionality Mapping from ACS 4.x to ACS 5.

Page 38

2-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 2 M igrating from ACS 4.x to ACS 5.3 Functionality Ma pping from ACS 4.x to ACS 5.

Page 39

2-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 2 Migratin g from ACS 4.x to ACS 5.3 Common Scenarios in Migration Common Scenarios in Migration The follo wing are some of the commo n scenarios that you encounter while migrating to A CS 5.

Page 40

2-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 2 M igrating from ACS 4.x to ACS 5.3 Common Scenarios in Migration Migrating from ACS 3.x to ACS 5.3 If you ha ve A CS 3.x deployed in your en vironment, you cannot directly migrate to A CS 5.

Page 41

2-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 2 Migratin g from ACS 4.x to ACS 5.3 Common Scenarios in Migration Step 3 Perform b ulk import of data into A CS 5.3. For more inf ormation on performing b ulk import of A CS objects, see http://www .

Page 42

2-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 2 M igrating from ACS 4.x to ACS 5.3 Common Scenarios in Migration.

Page 43

CH A P T E R 3-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 3 ACS 5.x Policy Model A CS 5.x is a policy-based access contr ol system. The term po licy model in A CS 5.x refers to the presentation of poli cy elemen ts, objects, and rules to the polic y administrator .

Page 44

3-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Overview of the ACS 5.x Policy Model For e xample, we use the informati on described for the grou p-based model: If identity-conditio n, r estriction-condi tion then authorization-p r of ile In A CS 5.

Page 45

3-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Overview of the ACS 5. x Policy Model Policy Terminology Ta b l e 3 - 2 describes the rule-based polic y terminology .

Page 46

3-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Overview of the ACS 5.x Policy Model Simple Policies Y ou can conf igure all of you r A CS policies as rule-b ased policies.

Page 47

3-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Overview of the ACS 5. x Policy Model Types of Policies Ta b l e 3 - 3 describes the types of policies that y ou can configur e in A CS.

Page 48

3-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Access Services Access Services Access services are fundamental constructs in A CS 5.

Page 49

3-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Access Services Ta b l e 3 - 5 describes an example of a set of access services.

Page 50

3-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Access Services A CS accepts the results of the requests and returns them to the N AS. Y ou must configure the external RADIUS and T ACA CS+ servers in A CS for A CS to forw ard requests to them.

Page 51

3-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Access Services A CS can simultaneously act as a proxy server to mu ltiple e xternal RADIUS and T A CA C S+ servers. For A CS to act as a proxy serv er , you must configure a RAD IUS or T ACA CS+ proxy service in A CS.

Page 52

3-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Access Services • Identity Sequ ence—Sequences o f the identity databases. The se quence is used for authentica tion and, if specified, an additional sequence is used to retrie ve only attrib utes.

Page 53

3-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Access Services Group Mapping Policy The identity grou p mapping polic y is a standard polic y .

Page 54

3-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Service Selection Policy Related Topics • Policy T erminology , page 3- 3 • Authorization Pro.

Page 55

3-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Service Selection Policy Rules-Based Service Selection In the rules-based service selection mode, A CS d ecides which access service to use based on various configurable options.

Page 56

3-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Service Selection Policy In this example, instead of creating the network access policy for 802.1x, ag entless devices, and guest access in one access service, the policy is di vided into three access services.

Page 57

3-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Service Selection Policy The default ru le specifies the po licy result that A CS uses when no other rules exist, or when the at tribute v alues in the access request do not match any rules.

Page 58

3-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Authorization Pro files for Network Access Policy Conditions Y ou can define simple conditions in.

Page 59

3-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Policies and Identity Attributes Y ou can define multiple authorization prof iles as a network access policy result.

Page 60

3-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Policies and Networ k Device Groups Related Topics • Managing Users an d Identity Stores, pa ge.

Page 61

3-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Flows for Config uring Services and Policies Figure 3-2 illu strates what this polic y rule table could look like. Figur e 3-2 Sample Rule-Based P olicy Each ro w in the polic y table represents a single rule.

Page 62

3-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Flows for Configuring Services and Policies • Added users to the internal A CS identity store or add ex ternal identity st ores.

Page 63

3-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Flows for Config uring Services and Policies Related Topics • Policy T erminology , page 3- 3 �.

Page 64

3-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 3 ACS 5.x Policy Model Flows for Configuring Services and Policies.

Page 65

CH A P T E R 4-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 4 Common Scenarios Using ACS Network contr ol refers to the process of controlli ng access to a network. T raditionally a username and password w as used to authenticate a user to a net work.

Page 66

4-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS Overview of Device Administration Cisco Secure Access Control System (A CS) allow s you to centrally manage access to your network services and resources (including d evices, such as IP phones, pr inters, and so on).

Page 67

4-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Overview of Device Administration If a command is matched to a command set, the corr espon ding permit or deny setting for the command is retrie ved.

Page 68

4-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS Overview of Device Administration Step 5 Configure an access service polic y . See Access Service Policy Creation, page 10-4 . Step 6 Configure a service selection policy .

Page 69

4-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Password-Based Network Access TACACS+ Custom Services and Attributes This topic describes the co nfigur ation flo w to defin e T ACA CS+ custom attrib utes and services.

Page 70

4-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS Password-Bas ed Network Ac cess Note During password-based access (or certificate-based acce ss), the user is not only authenticated b ut also authorized according to the A CS configuration.

Page 71

4-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Password-Based Network Access Password-Based Network Access Configuration Flow This topic describes the end-to -end flo w for passwor d-based network access and lists the tasks that you must perform.

Page 72

4-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS Password-Bas ed Network Ac cess For RADIUS, non- EAP authentication method s (RADIUS/P AP ,.

Page 73

4-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Certificate-Based Network Access Related Topics • Authentication i n A CS 5.

Page 74

4-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS Certificate-Based Network Access Y ou can conf igure two t ypes of certif icates in A CS: • T rust cert if icate—Also kno wn as CA certif icate.

Page 75

4-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Certificate-Based Network Access Step 4 Configure polic y elements. See Managing Polic y Conditions, page 9-1 , for more informat ion. Y ou can create custom conditions to use the certi ficate’ s attrib utes as a polic y condition.

Page 76

4-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS Agentless Networ k Access Validating an LDAP Secure Authentication Connection Y ou can define a secure authenticati on connection for the LDAP e xtern al identity store, by using a CA certificate to vali date the connection.

Page 77

4-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Agentless Network Access Cisco provid es two features to accommodate no n-802.1x de vices. For e xample, MA C Authentication Bypass (Host Look up) and the Guest V LAN access by using web authentication.

Page 78

4-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS Agentless Networ k Access • Internal users • Activ e Directory Y ou can access the Active Directory via the LD AP API.

Page 79

4-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Agentless Network Access Process Service-Type Call Check Y ou may not want to copy the CallingSt ationID attrib ute v alue to the System UserName attrib ute v alue.

Page 80

4-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS Agentless Networ k Access Agentless Network Access Flow This topic describes the end-to-end flo w for agentl ess network access and lis ts the tasks that you must perform.

Page 81

4-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Agentless Network Access Step 7 Define the service selection. Step 8 Add the access service to your service sel ection policy . For more information, see Creating, Duplicating , and Editing Service Selection Ru les, page 10-8 .

Page 82

4-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS Agentless Networ k Access Previous Step: Network De vices and AAA Clients, page 7-5 Next S.

Page 83

4-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS Agentless Network Access c. Select Network Access , and check Identity and A uthorization . The group mapping an d External Policy options are optional .

Page 84

4-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS VPN Remote Network Access Configuring an Authorization Policy for Host Lookup Requests T o.

Page 85

4-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS VPN Remote Network Access Supported Authentication Protocols A CS 5.

Page 86

4-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS VPN Remote Network Access Supported VPN Networ k Access Servers A CS 5.

Page 87

4-23 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS ACS and Cisco Security Group Access Related Topics • VPN Remote Network A ccess, page 4-2.

Page 88

4-24 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS ACS and Cisco Security Group Access 6. Config uring EAP-F AST Setti ngs for Security Group Access . 7. Creating an Access Service for Security Group Acces s .

Page 89

4-25 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS ACS and Cisco Security Group Access Devices co nsider only the SGT v alue; the name and descr iption of a security group are a management con venience and are not con veyed to the de vices.

Page 90

4-26 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS ACS and Cisco Security Group Access T o conf igure an ND A C polic y for a de vice: Step 1 Choose Access Policies > Security Gr oup Access Control > Security Group Access > Network Device Access > A uthorization Policy .

Page 91

4-27 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS ACS and Cisco Security Group Access Step 5 Click Next . The Access Services Properties page appears. Step 6 In the Authenticati on Protocols area, check the relev ant protoc ols for your access service.

Page 92

4-28 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS ACS and Cisco Security Group Access The first r ow (topmost) of t he matr ix contains the column headers, which display the destination SGT .

Page 93

4-29 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS RADIUS and TACACS+ Pro xy Requests T o cr eate a default polic y: Step 1 Choose Access Policies > Security Gr oup Acc ess Control > Egress P olicy then choose Default Policy .

Page 94

4-30 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS RADIUS and TACACS+ Proxy Requests During proxying, ACS: 1. Receiv es the following packets from the N AS and forwards them to the remote RADIUS server: • Access-Request • Accounting-Request packets 2.

Page 95

4-31 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS RADIUS and TACACS+ Pro xy Requests The T ACA CS+ proxy feature in A CS supports the follo w.

Page 96

4-32 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenario s Using ACS RADIUS and TACACS+ Proxy Requests Configuring Proxy Service T o conf igure proxy services: Step 1 Config ure a set of remote RADIUS and T ACA CS+ servers.

Page 97

CH A P T E R 5-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 5 Understanding My Workspace The Cisco Secure A CS web interface is designed to be vie wed using Microsoft Internet Explor er 7.x, 8.x, and 9.x and Mozi lla Firefox 3.

Page 98

5-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Task Guides Task Guides From the My W orkspace dra wer , you can access T asks Guides. When you click an y of the tasks, it opens a frame on the right side of the we b interface.

Page 99

5-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Using the Web In terface Related Topics • Config uring Authentication Settings for Admini.

Page 100

5-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Using the Web Interface Logging In T o log in to the A CS web interf ace for the f irst tim.

Page 101

5-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Using the Web In terface Step 7 See Installing a License File, page 18 -35 to install a v alid license. • If your login is successful, the main page of the ACS web interface appears.

Page 102

5-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Using the Web Interface Web Interface Design Figure 5-1 sho ws the overall design of the A CS w eb interface.

Page 103

5-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Using the Web In terface Navigation Pane Use the navigation pane to navigate through the drawers of the we b interface (see Figure 5-3 ). Figure 5-3 Navig ation P ane Ta b l e 5 - 3 describes the function o f each drawer .

Page 104

5-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Using the Web Interface The options listed beneath dra wers in the na vigation pane are or ganized in a tree structure, where appropriate. The options in the tr ee structure are dynamic and can chan ge based on administrator actions.

Page 105

5-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Using the Web In terface Web Interface Location Y our current location in the interface ap pears at the top of the content a rea.

Page 106

5-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Using the Web Interface T able 5-4 Common Cont ent Ar ea Butt o ns and Fields for List P ages Button or Field Description Rows per page Use the drop-down list to specify the num ber of items to disp lay on this page.

Page 107

5-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Using the Web In terface T ree table pages are a v ariation of list pages (see Figure 5-6 ). Y ou can perform the same operations on tree table pages that you can on l ist pages, except for paging.

Page 108

5-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Using the Web Interface Filtering Large lists in a content area windo w or a secondary window (see Figure 5-9 ) can be dif ficult to navigate through and select the data that you w ant.

Page 109

5-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Using the Web In terface For pages that do not ha ve a Name or Description column, the sorting mechan ism may be supported in the left-most column of the pa ge, or the Descript ion column.

Page 110

5-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Using the Web Interface Figur e 5-9 Secondary Windo w In addition to selectin g and filt ering data, you can cr eate a selectable object within a secondary windo w .

Page 111

5-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Using the Web In terface Figur e 5-1 0 T ransf er Box T able 5-6 T ransf er Box Fields and But tons Field or Button Description A v ailable List of av ailable items for selection.

Page 112

5-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Using the Web Interface Schedule Boxes Schedule boxes are a common element in content area pages (see Figure 5-10 ).

Page 113

5-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Using the Web In terface Directly above the rule ta ble are two displa y options: • Standard Polic y—Click to display the stand ard policy rule tabl e.

Page 114

5-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Importing and Ex porting ACS Objects through the Web In terface Related Topic • A CS 5.

Page 115

5-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Importing and Exporting ACS Ob jects throug h the Web Interface Ta b l e 5 - 9 lists the A CS objects, their properties, and the property data types.

Page 116

5-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Importing and Ex porting ACS Objects through the Web In terface Fields that ar e optional can be left empt y and A C S substitutes the def ault v alues for those f ields.

Page 117

5-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Importing and Exporting ACS Ob jects throug h the Web Interface Downloading the Template from the Web Interface Before you can create the import file, you must downlo ad the import f ile templates from the A CS web interface.

Page 118

5-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Importing and Ex porting ACS Objects through the Web In terface For e xample, the internal user Add temp late contains the fields described in Ta b l e 5 - 1 0 : Each ro w of the .

Page 119

5-23 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Importing and Exporting ACS Ob jects throug h the Web Interface Figure 5-12 Add Users – Import File Step 4 Sav e the add users import file to your local disk.

Page 120

5-24 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Importing and Ex porting ACS Objects through the Web In terface Figur e 5-13 Update Users–Import File Note The second column, Updated name, is the addi tional column that you can add to the Update template.

Page 121

5-25 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Common Errors Common Errors Y ou might encounter these common errors: • Concurrency Co n.

Page 122

5-26 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Common Errors Error Message The item you are trying to Submit i s referencing items that do not exist anymore.

Page 123

5-27 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 5 Understanding M y Workspace Accessibility System Failure Errors System failure errors occur when a system malfunc tion is detect ed. When a sys tem failur e error is detected, a dialog box appears, with an error messa ge and OK b utton.

Page 124

5-28 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 5 Un derstanding My Workspace Accessibility • Color used as an enhan cement of information only , not as the only indicator . F or example, required fields are associated with a red asterisk.

Page 125

CH A P T E R 6-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 6 Post-Installation Configuration Tasks This chapter pro vides a set of conf iguration tasks that you must perform to work with A CS.

Page 126

6-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 6 Post-In stallation Configuration Tasks Configuring ACS to Perfor m System Administration Tasks Configuring ACS to Perform System Administration Tasks Ta b l e 6 - 2 lists the set of syst em administration tasks that you must perform to admini ster A CS.

Page 127

6-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 6 Post-Ins tallation Configuration Tasks Configuring ACS to Perfor m System Administration Tasks Step 8 Add users or hosts to the internal identity sto re, or define external identity stores, or both.

Page 128

6-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 6 Post-In stallation Configuration Tasks Configuring ACS to Manage Access Polic ies Configuring ACS to Manage Access Policies Ta b l e 6 - 3 lists the set of tasks that you must perform to manage access restrictions and permissi ons.

Page 129

6-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 6 Post-Ins tallation Configuration Tasks Configuring ACS to Monitor and Troubleshoot Problems in the Network Step 4 Enable sys tem alarms an d specify ho w you wou ld like to recei ve notif ication.

Page 130

6-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 6 Post-In stallation Configuration Tasks Configuring ACS to Mo nitor and Troublesho ot Problems in the Network.

Page 131

CH A P T E R 7-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 7 Managing Network Resources The Network Resource s drawer defines elements within the networ k that issue requests to A CS or those that A CS interacts with as part of processing a requ est.

Page 132

7-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Network Device Groups Network Device Groups In A CS, you can de fine network de vice groups (ND Gs ), which are sets of de vices.

Page 133

7-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Network Device Groups Step 4 Click Submit . The network de vice group conf iguration is sa ved. The Network De vice Groups page appears with the ne w network de vice group configurat ion.

Page 134

7-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Network Device Groups Creating, Duplicating, and Editing Network Device Groups Within a Hie.

Page 135

7-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Network Devices and AAA Clients Deleting Network Device Groups from a Hierarchy T o delete a netw ork dev ice group from within a hierarch y: Step 1 Choose Network Resour ces > Network Device Gr oups .

Page 136

7-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Network Devices and A AA Clients Y ou must install Security Group Access license to enable Security Group A ccess options. The Security Group Access options only appear if y ou hav e installed the Secur ity Group Access license.

Page 137

7-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Network Devices and AAA Clients – Device T y pe Y ou can specify full IP ad dress, or IP address with wildcard “* ” or , with IP address range, such as [15-20] in the IP address search field.

Page 138

7-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Network Devices and A AA Clients Step 2 Choose the filter condition and the Match if operator , and enter the f ilter criterion that you are looking for in the te xt box.

Page 139

7-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Network Devices and AAA Clients Step 3 Click any one of the follo wing operations if you hav e pre viously created a template-based .csv f ile on your local disk: • Add—Adds the records in th e .

Page 140

7-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Network Devices and A AA Clients Exporting Network Resources and Users T o e xport a list of network resources or u sers: Step 1 Click Export on the Users, Network De vices, or MA C Address page of the web interface.

Page 141

7-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Network Devices and AAA Clients The first page of the Create Network De vice process appears if you are creating a ne w network d evice.

Page 142

7-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Network Devices and A AA Clients IP Range(s) By Mask Choose to enter an IP address range. Y ou can configure up to 40 IP addresses or sub net masks for each network device.

Page 143

7-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Network Devices and AAA Clients Single Connect Device Check to use a single TCP connection for all T ACA CS+ communication wit h the network de vice.

Page 144

7-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Network Devices and A AA Clients Displaying Network Device Properties Choose Network Resour ces > Network De vices and AAA Clients , then click a de vice name or check the check box ne xt to a de vice name, and click Edit or Duplicate .

Page 145

7-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Network Devices and AAA Clients IP Range(s) By Mask Choose to enter an IP addre ss range. Y ou can configure up to 40 IP addresses or subnet masks for each network de vice.

Page 146

7-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Network Devices and A AA Clients RADIUS Shared Secret Shared secret of the network d evice, if y ou hav e enabled the RA DIUS protocol.

Page 147

7-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Configuring a Default Network Device Related Topics: • V ie wing and Performing Bulk Op.

Page 148

7-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Configuring a Default Network Device Choose Network Resour ces > Default Network De vice to conf igure the default network de vice. The Default Netw ork De vice page appears, di splaying the informat ion described in Ta b l e 7 - 6 .

Page 149

7-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Working with Extern al Proxy Servers Related Topics • Network De vice Groups, page 7-2 .

Page 150

7-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Working with Exte rnal Proxy Servers Step 2 Do one of the foll ow ing: • Click Crea te . • Check the check box next to the external proxy server that you want to duplicate, then click Duplicate .

Page 151

7-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 7 Managing Ne twork Resour ces Working with Extern al Proxy Servers Note If you want A CS to forward un known RADIUS attrib utes you ha ve to define VSAs f or proxy .

Page 152

7-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 7 Managin g Network Resources Working with Exte rnal Proxy Servers.

Page 153

CH A P T E R 8-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 8 Managing Users and Identity Stores Overview A CS manages your network de vices and other A C S clients by using the A CS network resource repositories and identity stores.

Page 154

8-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Overview Fixed components are: • Name • Description • Password • Enabled or.

Page 155

8-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Overview Identity Stores with Tw o-Factor Authentication Y ou can use t he RSA SecurID T oken Serv er and RA DIUS Ident ity Server t o provide two-facto r authentication.

Page 156

8-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Intern al Identity Stores Identity Sequences Y ou can configure a complex condition where multiple identity stores an d prof iles are used to process a request.

Page 157

8-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Id entity Stores • Authentication informatio n Note A CS 5.3 supports authent ication for internal users against th e internal identity sto re only .

Page 158

8-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Intern al Identity Stores Identity Groups Y ou can assign each i nternal user to one identit y group. Iden tity groups are def ined within a hi erarchical structure.

Page 159

8-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Id entity Stores Related Topics • Managing Users an d Identity S.

Page 160

8-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Intern al Identity Stores Standard Attributes Ta b l e 8 - 1 describes the standard attributes in the internal us er record.

Page 161

8-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Id entity Stores In A CS 5.3, you can configure i dentity attrib utes that are used within your policies, in th is order: 1.

Page 162

8-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Intern al Identity Stores Step 3 In the Advanced tab, enter the values for the criter ia th at you want to configure for your user authentication process.

Page 163

8-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Id entity Stores Step 4 Click Submit . The user password is configured with the de fined criteria. These criteria will apply only for future lo gins.

Page 164

8-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Intern al Identity Stores • Click the username that you want to modify , or check the check box next to the name and click Edit .

Page 165

8-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Id entity Stores Description (Optional) Descrip tion of the user . Identity Group Click Select to display the Id entity Groups windo w .

Page 166

8-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Intern al Identity Stores Step 5 Click Submit . The user configuration is saved. The Internal Users pa ge appears with the new configuration.

Page 167

8-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Id entity Stores Step 4 Click OK .

Page 168

8-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Intern al Identity Stores Creating Hosts in Identity Stores T o create, d.

Page 169

8-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Id entity Stores Step 4 Click Submit to sav e changes. The MA C address configuration is sa ved. The Internal MA C list page appears with the new configuration.

Page 170

8-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Intern al Identity Stores Deleting Internal Hosts T o delete a MA C address: Step 1 Select Users and Identity Stores > Inter nal Identity Stor es > Hosts .

Page 171

8-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Id entity Stores • Policies and Identity Attr ibutes, p age 3-1.

Page 172

8-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Intern al Identity Stores The administrator can conf igure an y le vel of hi erarchy while def ining management centers or AAA client locations.

Page 173

8-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Id entity Stores Related Topics Config uring and Using HostI sInManagement Hierar chy Attrib utes, page 8-21 .

Page 174

8-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Managing External Identity Stores A CS 5.3 integrates with e xternal identity sy stems in a number of w ays.

Page 175

8-23 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores • Config uring LD AP Groups, page 8-33 • V ie.

Page 176

8-24 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Failover A CS 5.

Page 177

8-25 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Possible reasons for an LD AP server to return bind (authentication) errors are: – Filtering errors—A search using f ilter criteria fails.

Page 178

8-26 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores • Unsigned Integer 32 • IPv4 Address For unsig ned integers and IPv 4 attrib utes, A CS conv erts the strings that it has retrie ved to the corresponding data types.

Page 179

8-27 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Step 5 Continue with Conf iguring an External LD AP Server Connection, page 8-27 . Note N A C guest Server can also be used as an External LD AP Server .

Page 180

8-28 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Anonymous Access Click to ensure that searches on the LDAP directory occur anonym ously .

Page 181

8-29 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Step 2 Click Next . Step 3 Continue with Conf iguring External LD AP Directory Or ganization, page 8-29 .

Page 182

8-30 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores T able 8-8 LD AP: Dir ect ory Or ganization P age Option Description Schema Subject Object class V alue of the LD AP objectClass attribute that id entifies th e subject.

Page 183

8-31 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Subject Search B ase Enter the distinguishe d name (DN ) fo r the subtree that contains all subjects.

Page 184

8-32 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Step 2 Click Finis h .

Page 185

8-33 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Related Topics • Config uring LD AP Groups, pag.

Page 186

8-34 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Viewing LDAP Attributes Use this page to view the external LD A P attributes. Step 1 Select Users and Identity Stores > Exter nal Identity Stor es > LD AP .

Page 187

8-35 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores This means th e switch port to wh ich these de vices attach cannot authenticate them using the 802.

Page 188

8-36 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Figur e 8-1 LD AP Int erf ace Configur ation in NAC Pr ofiler Step 5 Click Update Serv er . Step 6 Click the Conf iguration tab and click A pply Changes .

Page 189

8-37 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Step 2 Choose Conf iguration > Endpoint Pr of iles > V i ew/Edit Prof iles List . A list of prof iles in a table appears.

Page 190

8-38 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores T o edit the N A C Prof iler template in A CS: Step 1 Choose Users and Identity Stor es > External Identity Stor es > LD AP .

Page 191

8-39 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Figur e 8-5 T est Bind to Server Dialog Bo x For more information, see Cr eating External LD AP Identity Stores, page 8-26 .

Page 192

8-40 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores • Number of Subjects: 100 • Number of Direc.

Page 193

8-41 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores For more information on features like Ev ent Deli very Method and Activ e Response, see the Cisco N AC Pr ofiler Installation and Conf iguration Gu ide, Release 3.

Page 194

8-42 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores The AD user password change using the abo ve met hods must fo llo w the AD passwor d policy . Y ou must check with your AD administrator to kno w the complete AD password pol icy rule.

Page 195

8-43 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores If there is a fi rew all between A CS and AD, certain ports need to be opened in order t o allow A CS to communicate with AD.

Page 196

8-44 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Attribute Retrieval for Authorization Y ou can configure A CS to retriev e user or machine AD attributes to be use d in authori zation and g roup mapping rules.

Page 197

8-45 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Machine Access Restrictions MAR helps tying the results of machin e authentication to user authentication an d authori zation process.

Page 198

8-46 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores The Engineers' rule is an example of MAR rule that only allows e ngineers access if their machine was successfully authenticated against windows DB.

Page 199

8-47 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Dial-in Support Attributes The user attributes on.

Page 200

8-48 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Joining ACS to an AD Domain After you conf igure the AD identity store in A CS th rough the A CS web interface, you must submi t the confi guration to join A CS to the AD domain.

Page 201

8-49 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Step 3 Click: Username Predefined user in AD.

Page 202

8-50 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores • Sa ve Changes to sav e the conf iguration, join the A CS to the specified AD domain with the configured credentials, and start the AD agent.

Page 203

8-51 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores The External User Groups dialog box appears displaying a list of AD grou ps in the domain, as well as other trusted domains in the same forest.

Page 204

8-52 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Step 3 Click: • Sa ve Changes to sav e the configuration. • Discard Changes to discard all changes.

Page 205

8-53 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores • If AD is already con figured an d you want to del ete it, click Clear Conf iguration after you v erify that there are no policy rules that use cu stom conditions based on the AD dictionary .

Page 206

8-54 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores RSA SecurID Server A CS supports the RSA SecurID server as an extern al database.

Page 207

8-55 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Override Automatic Load Balancing RSA SecurID Agent automatically balances the re quested loads on the RSA Sec urID servers in the realm.

Page 208

8-56 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Step 4 Click the A CS Instance Settings tab . See Configuring A CS Instance Settings, page 8-57 for more inform ation.

Page 209

8-57 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Related Topics: • RSA SecurID Server , pa ge 8-.

Page 210

8-58 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Enable the RSA options file Y ou can enable the RSA options file ( sdopts.

Page 211

8-59 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Step 1 Choose either of the follo wing options: • T o reset node secret on the agent host, check the Remove securid f ile on submit check box.

Page 212

8-60 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Related Topics • RSA SecurID Server , pa ge 8.

Page 213

8-61 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Failover A CS 5.3 allows you to configure mul tiple RADIUS identity stores. Each RADIUS i dentity store can hav e primary and secondary RADIUS servers.

Page 214

8-62 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores RADIUS Identity Store in Identity Sequence Y ou can add the RADIUS identity store for authentica tion sequence in an iden tity sequence.

Page 215

8-63 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Safew ord token servers support bo th the formats.

Page 216

8-64 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Step 2 Click Cr eate . Y ou can also: • Check the check box ne xt to the identi ty store you want to d uplicate, then click Duplicate .

Page 217

8-65 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Server Connection Enable Secondary Server Check this check box to use a secondary RADIUS identity server as a backup server in case the pr imary RADIUS identity server f ails.

Page 218

8-66 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Managing Exter nal Identity Stores Related Topics • RADIUS Identity St ores, pag.

Page 219

8-67 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores Configuring Directory Attributes When a RADIUS identity server responds to a reques t, RADIUS attributes are return ed along with the response.

Page 220

8-68 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Configuring CA Certificates • Config uring Shell Prompts, page 8-6 6 • Config .

Page 221

8-69 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Configuring CA Certificates Y ou use the CA options to install digital certif icate s to support EAP-TLS authentication. A CS uses the X.

Page 222

8-70 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Configuring CA Certificates Step 4 Click Submit . The new cert ificat e is sav ed. The T rust Certif i cate List page appears with the new certif icate.

Page 223

8-71 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Configuring CA Certificates Step 3 Click Submit .

Page 224

8-72 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Configuring Certificat e Authentication Profiles Related Topic • Overvie w of EA.

Page 225

8-73 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Configuring Certificat e Authen tication Profiles T o cr eate, duplicate , or edit a certif icate authentication profile: Step 1 Select Users and Identity Stores > Cert ificate A uthe nticatio n Profile .

Page 226

8-74 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Configuring Identity Store Sequences Configuring Identity Store Sequences An access service identity polic y determines the iden tity sources that A CS uses for authentication and attrib ute retrie v al.

Page 227

8-75 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Configuring Identity Store Sequences Step 2 Do one of the foll ow ing: • Click Cr eate . • Check the check box ne xt to the sequence that you want to duplicat e, then click Duplicate .

Page 228

8-76 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Configuring Identity Store Sequences Step 3 Click Submit .

Page 229

8-77 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Configuring Identity Store Sequences • Managing Intern al Identity Sto res, page .

Page 230

8-78 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 8 Man aging Users and Identity Stores Configuring Identity Store Sequences.

Page 231

CH A P T E R 9-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 9 Managing Policy Elements A policy def ines the authenti cation and authorizat ion processing of cl ients that attempt to access the A CS network. A clien t can be a user , a network de vice, or a user associated with a netw ork de vice.

Page 232

9-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Policy Conditions Y ou can map users and hosts to identity grou ps by using the group mapping polic y . Y ou can include identity groups in cond itions to conf igure common policy co nditions for all users in the group.

Page 233

9-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Policy Con ditions • Deleting a Session Condition , page 9-6 • Managing Netw ork Conditions, page 9 -6 See Chapter 3, “ ACS 5.

Page 234

9-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Policy Conditions T o add date and ti me conditions to a policy , you must first customize the rule table. See Customizing a Polic y , page 10-4 .

Page 235

9-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Policy Con ditions Creating, Duplicating, and Editing a Custom Session Condition The protocol and i dentity dictionaries co ntain a larg e number of at tribu tes.

Page 236

9-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Policy Conditions Step 4 Click Submit . The new custom session condi tion is saved. The Custom Condition p age appears with th e new custom session conditio n.

Page 237

9-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Policy Con ditions A CS of fers three types of filters: • End Station Filt er—Fil.

Page 238

9-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Policy Conditions This section contains the following topics: • Importing Netwo rk.

Page 239

9-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Policy Con ditions T imesaver Instead of download ing the template and creati ng an i.

Page 240

9-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Policy Conditions Step 5 Click Submit to sav e the changes.

Page 241

9-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Policy Con ditions Defining MAC Address-Based End Station Filters Y ou can create, duplicate, and edit the MA C addresses of end stati ons or destinations that you w ant to permit or deny access to .

Page 242

9-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Policy Conditions Step 3 Check the DNIS check box to enter the DNIS numb er of the destination machine. Y ou can optionally set this f ield to ANY to refer to an y DNIS number .

Page 243

9-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Policy Con ditions Step 5 Click Submit to sav e the changes.

Page 244

9-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Policy Conditions • Check the check box next to the name-based de vice filter that you want to edi t, then click Edit . A dialog box appears.

Page 245

9-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Policy Con ditions • Check the check box next to th e de vice port filter that yo u w ant to edit, then cli ck Edit . • Click Expor t to sav e a list of de vice port filters in a .

Page 246

9-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Policy Conditions Step 3 Check the Por t check box and enter t he port number . This f ield is of type string and can contain numbers or characters.

Page 247

9-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Authoriza tions and Permissions Defining NDG-Based Device Port Filters Y ou can create, duplicate, and ed it the network de vice group type and the port to which you want t o permit or deny access.

Page 248

9-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Authorizations and Permissions Creating, Duplicating, and Editing Aut horization Profiles for Network Access Y ou creat e authoriza tion profiles to de fine ho w di fferent types of users are authorized to access the network.

Page 249

9-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Authoriza tions and Permissions Specifying Authorization Profiles Use this tab to conf igure the name and descripti on for a network access authori zation profil e.

Page 250

9-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Authorizations and Permissions T able 9 -5 A uthorization Profile: Common T asks Page Option Description ACLS Downloadable A CL Name Includes a defined downloadable ACL.

Page 251

9-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Authoriza tions and Permissions Specifying RADIUS Attributes in Authorization Profiles Use this tab to conf igure which RADIUS attri butes to include in the Acce ss-Accept packet for an authorization pro file.

Page 252

9-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Authorizations and Permissions Step 3 T o co nfigure: • Basic information o f an authorization prof ile; see Specifying Authorization Prof iles, page 9-19 .

Page 253

9-23 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Authoriza tions and Permissions Creating and Editing Security Groups Use this page to vie w names and details of security groups and securi ty group tags (SGTs), and to open pages to create, duplicate, and edit security gr oups.

Page 254

9-24 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Authorizations and Permissions The Common T asks tab al lows you to select and conf igure the frequent ly used attrib utes for the prof ile.

Page 255

9-25 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Authoriza tions and Permissions Defining General Shel l Profile Properties Use this page to def ine a shell profil e’ s general properties.

Page 256

9-26 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Authorizations and Permissions T able 9-9 Shell Pr ofile: Common T asks Option Desc.

Page 257

9-27 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Authoriza tions and Permissions Step 3 Click: • Submit to sa ve your chan ges and return to the Shell Prof iles page.

Page 258

9-28 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Authorizations and Permissions Defining Custom Attributes Use this tab to def ine custom attrib utes for the shell prof ile. This tab also displays the Commo n T asks Attrib utes that you ha ve chosen i n the Common T asks tab .

Page 259

9-29 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Authoriza tions and Permissions After you create command sets, you can use them in autho rizations and permissions within rule tables. A rule can contain multiple command sets.

Page 260

9-30 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Authorizations and Permissions Step 4 Click Submit . The command set is sav ed. The Command Sets page appears with the command set that you created or duplicat ed.

Page 261

9-31 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Authoriza tions and Permissions Related Topics • Creating, Duplicating , and Editi.

Page 262

9-32 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Authorizations and Permissions – Click Start Export to e xport the D A CLs without any encryption.

Page 263

9-33 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Authoriza tions and Permissions Configuring Security Group Access Control Lists Security group access control lists (SG A CLs) are applied at Egress, based on the source and destination SGTs.

Page 264

9-34 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 9 Man aging Policy Elements Managing Authorizations and Permissions.

Page 265

CH A P T E R 10-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 10 Managing Access Policies In A CS 5.3, policy dri ves all acti vities. Polici es cons ist mainly of rules that determi ne the action of the policy . Y ou c reate access services to define authen tication and authorizat ion policies for requests.

Page 266

10-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Policy Creation Flow In short, you must determi ne the: • Details of your netw ork conf iguration. • Access services that implement your policies.

Page 267

10-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Policy Creatio n Flow Policy Elements in the Policy Creation Flow The web interf ace provide.

Page 268

10-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Customizing a Policy Policy Creation Flow—Next Steps • Access Service Policy Creation, .

Page 269

10-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring the Servic e Selection Policy If you ha ve imp lemented Security Group Access function ality , you can also customize results for authorization po licies.

Page 270

10-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring the Service Selection Policy Note If you create and sav e a simple policy , and then change to a rule-based polic y , the simple policy beco mes the default rule of the rule-based policy .

Page 271

10-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring the Servic e Selection Policy T o conf igure a rule-based service selection poli.

Page 272

10-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring the Service Selection Policy Creating, Duplicating, and Editing Service Selection Rules Create service selection rules to determin e whic h access service processes incoming requests.

Page 273

10-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring the Servic e Selection Policy • The Default Rule—Y ou can change only the access service. See T able 10-3 for field descri ptions: Step 4 Click OK.

Page 274

10-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring the Service Selection Policy Displaying Hit Counts Use this page to reset and refresh the Hit Count displ ay on the Rule-based Polic y page.

Page 275

10-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Services Configuring Access Services Access services contain the authentication and au thorization policies for requests.

Page 276

10-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Services Step 3 Edit the fields in the Allowed Protocols tab as d escribed in T able 10-7 . Step 4 Click Submit to sav e the changes you hav e made to the default access service.

Page 277

10-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Services Step 2 Do one of the foll ow ing: • Click Cr eate . • Check the check box next to the access servic e that you want to du plicate; then click Duplicate .

Page 278

10-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Services Step 3 Click Next to conf igure the allowed pr otocols. See Configuring Access Servic e Allowed Protocols, page 10-15 .

Page 279

10-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Services Related Topic • Config uring Access Service Allo wed Protocol.

Page 280

10-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Services Allow EAP-TLS Enables the EAP-TLS Authenticat ion protocol and configures EAP-TLS settin gs. Y ou can specify ho w A CS verif ies user identity as pre sented in the EAP Identity response from the end-user client.

Page 281

10-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Services Allo w EAP-F AST Enable s the EAP-F AST authentication protocol an d EAP-F AST settings. Th e EAP-F AST protocol can support multiple int ernal protocols on the same server .

Page 282

10-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Services Allo w EAP-F AST (continued) PA C O p t i o n s • T unnel P A C T ime T o Li ve—The T ime T o Live ( TTL) v alue restricts the lifetime of the P A C.

Page 283

10-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Services Step 3 Click Finish to sav e your changes to the access service. T o enable an access service, you must add it to the service sel ection polic y .

Page 284

10-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Services Deleting an Access Service T o delete an access service: Step 1 Select Access Policies > Access Services . The Access Services page appea rs with a list of configured services.

Page 285

10-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Service Poli cies Configuring Access Service Policies Y ou configure acc.

Page 286

10-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Service Policies In the rule-based policy , each rule contains one or more conditions an d a result, which is the identity source to use for authentication.

Page 287

10-23 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Service Poli cies Viewing Rules-Based Identity Policies Select Access Policies > Access Services > service > Identity , w here <servi ce> is the name of the access service.

Page 288

10-24 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Service Policies • Creating Polic y Rules, page 10-37 • Duplicating.

Page 289

10-25 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Service Poli cies T able 1 0-1 1 Identity Rule Proper ties P age Option Description General Rule Name Name of th e rule.

Page 290

10-26 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Service Policies Configuring a Group Mapping Policy Config ure a group mapping polic y to map groups and attrib utes that are retrie ve d from external iden tity stores to A CS identity groups.

Page 291

10-27 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Service Poli cies Step 2 Select an identity group.

Page 292

10-28 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Service Policies • Deleting Poli cy Rules, p age 10-39 Related Topics.

Page 293

10-29 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Service Poli cies Configuring a Session Authorization Policy for Network Access When you create an access service for ne twork access authorization, it create s a Session Authorization policy .

Page 294

10-30 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Service Policies T able 1 0-15 Networ k Access A uthorization P olicy P age Option Description Status Rule statuses are: • Enabled—The r ule is active.

Page 295

10-31 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Service Poli cies Configuring Network Access Au thorization Rule Properties Use this page to create, duplicate, and edit the ru les to determine acce ss permissions in a network access service.

Page 296

10-32 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Service Policies Configuring Device Administration Authorization Policies A dev ice administration authorization polic y determines the authorizations an d permissions for network administrators.

Page 297

10-33 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Service Poli cies Configuring Device Administration Authorization Rule P.

Page 298

10-34 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Service Policies Configuring Shell/Command Authoriza tion Policies for .

Page 299

10-35 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Service Poli cies T o conf igure rules, see: • Creating Polic y Rules,.

Page 300

10-36 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Service Policies T o conf igure rules, see: • Creating Polic y Rules,.

Page 301

10-37 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Service Poli cies Creating Policy Rules When you create rules, remember that the order of the rules is important.

Page 302

10-38 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Access Service Policies Duplicating a Rule Y ou can duplicate a rul e if you want to create a ne w rule that is the same, or very similar t o, an existing rule.

Page 303

10-39 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Access Service Poli cies Step 4 Click OK . The Policy page appears with the edited rule. Step 5 Click Sav e Changes to sa ve th e ne w config uration.

Page 304

10-40 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Compound Conditions Configuring Compound Conditions Use compound condi tions to def ine a set of conditions based on any attrib utes allowed in simple pol icy conditions.

Page 305

10-41 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Compoun d Conditions Note Dynamic attribut e mapping is not applicable for Exte rnalGroups attribute of T ype "String Enum" and "T ime And Date" attrib ute of type "Date T ime Period".

Page 306

10-42 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Compound Conditions Figur e 1 0-2 Compound Expr ession - At omic Condition Single Nested Compound Condition Consists of a single operator followed by a set of pr edicates (>=2).

Page 307

10-43 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Configuring Compoun d Conditions Figur e 1 0-4 Multiple Nest ed Compound Expr ession Compou.

Page 308

10-44 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Configuring Compound Conditions Related Topics • Compound Condition Building Blocks, pag.

Page 309

10-45 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Security Group Access Control Pages Related Topics • Compound Condition Building Blocks, .

Page 310

10-46 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Security Group Acce ss Control Pages Related Topic • Creating an Egress Polic y , page 4-27 Editing a Cell in the Egress Policy Matrix Use this page to config ure the policy for the selected cell.

Page 311

10-47 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Security Group Access Control Pages NDAC Policy Page The Network Device Admission Con trol (ND A C) policy determines the SG T for network devices in a Security Group Access en vironmen t.

Page 312

10-48 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Security Group Acce ss Control Pages Related Topics: • Config uring an ND AC Policy , pa.

Page 313

10-49 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Security Group Access Control Pages Note For endpoint admissi on control, you must def ine an access service and session authori zation policy .

Page 314

10-50 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Maximum User Sessions Network Device Access EAP-FAST Settings Page Use this page to conf igure parameters for the EAP-F AST protocol that the ND AC po licy uses.

Page 315

10-51 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Maximum User Sessions Max Session User Settings Y ou can confi gure maximum user session t o impose maximum session v alue for each users.

Page 316

10-52 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Maximum User Sessions Unlimited is selected by def ault.

Page 317

10-53 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Maximum User Sessions Related topics • Maximum User Sessions, page 10- 50 • Max Session.

Page 318

10-54 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Maximum User Sessions The Purge User Session page appears with a list of all AAA clients. Step 2 Select the AAA client for which you want to pur ge the user sessions.

Page 319

10-55 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies Maximum User Sessions Maximum User Session in Proxy Scenario Authentication and accou nting requests should be sent to the same A CS server , else the Maximum Session feature will not work as desired.

Page 320

10-56 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 10 Mana ging Access Policies Maximum User Sessions.

Page 321

CH A P T E R 11-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 11 Monitoring and Reporting in ACS The Monitoring and Reports dra wer appears in th e primary web interf ace windo w and contains th e Launch Monitori ng & Report V ie wer option.

Page 322

11-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 11 Monitoring an d Reporting in ACS Authentication Records and Details • Support for non-Engli sh characters (UTF-8)�.

Page 323

11-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 11 Monitoring and Re porting in ACS Dashboard Pages Note These tabs are customizable, and you can modify or delete the follo wing tabs.

Page 324

11-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 11 Monitoring an d Reporting in ACS Working with Portlets – Authentication Snap shot—Provides a sn apshot of authenticatio ns in the graphical and tab ular formats for up to the past 30 days.

Page 325

11-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 11 Monitoring and Re porting in ACS Working with Portlets Figure 1 1 -1 P ortlets T op 5 Alarms an d My Fa vorit e Reports appear in sepa rate windo ws. Y ou can edit each of these portlets separately .

Page 326

11-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 11 Monitoring an d Reporting in ACS Configuring Tab s in the Dash board Related Topic • Dashboard Pages, page 11 -2 �.

Page 327

11-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 11 Monitoring and Re porting in ACS Configuring Tabs in the Dashbo ard Step 5 Click Add Page .

Page 328

11-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 11 Monitoring an d Reporting in ACS Configuring Tab s in the Dash board Changing the Dashboard Layout Y ou can change the look an d feel of the Dashboard. A CS provides you with nine di fferent in- built layouts.

Page 329

CH A P T E R 12-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 12 Managing Alarms The Monitoring feature in A CS generates alarms to notify you of critical system conditions. The monitoring component retrie ves data from A CS. Y ou can configure thresho lds and rules on this data to manage alarms.

Page 330

12-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Understanding Ala rms System Alarms System alarms notify you of cri ti cal conditions encountered durin g th e ex ecution of the A CS Monitoring and Reporting viewer .

Page 331

12-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Viewing and Editing Ala rms in Your Inbox Notifying Users of Events When a threshold is reached or a system ala rm is ge nerated, the alarm appears in the Alarms Inbox of the web interface.

Page 332

12-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Viewing and Editing Alarms in Your Inbox T ime Display o nly . Indicates the time of the associat ed alarm generation in the format Ddd Mmm d d hh:mm:ss timezone yyyy , where: • Ddd = Sun, Mon, T ue, W ed, Thu, Fri , Sat.

Page 333

12-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Viewing and Editing Ala rms in Your Inbox Conf igure Incremental Backup Data Repository as Remote Reposit ory otherwise backup will fa il and Incremental backup mode will be changed to of f.

Page 334

12-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Viewing and Editing Alarms in Your Inbox Full Database Purg e Backup failed: Exceptio n Details Criti.

Page 335

12-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Viewing and Editing Ala rms in Your Inbox Failed to load backup library . Scheduled backup of A CS conf iguration db fail ed. Please check ADE.log for more details.

Page 336

12-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Viewing and Editing Alarms in Your Inbox Note A CS cannot be used as a remote sysl og se rver . But, you can use an external server as a syslog server .

Page 337

12-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Understanding Alarm Schedule s • Deleting Alarm Thresholds, page 12-33 Understanding Alarm Schedules Y ou can create alarm schedules to spec ify when a particular alarm thres hol d is run.

Page 338

12-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Understanding Ala rm Schedules Step 3 Click Submit to sav e the alarm schedule. The schedule that you create is added to the Schedu le list box in the Threshold pages.

Page 339

12-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Dup licating Alarm Thresholds Deleting Alarm Schedules Note Before you del ete an alarm schedul e, ensure that it is not reference d by any thresholds that are defined in A CS.

Page 340

12-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Du plicating Alarm Thresholds Step 2 Do one of the foll ow ing: • Click Crea te . • Check the check box next to the alarm th at you w ant to duplicate, then cl ick Duplicate .

Page 341

12-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Dup licating Alarm Thresholds Related Topics • Config uring General Thresho.

Page 342

12-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Du plicating Alarm Thresholds Configuring Threshold Criteria A CS 5.

Page 343

12-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Dup licating Alarm Thresholds Note Y ou can specify one or more f ilters to limit the passed au thentications that are considered for threshold e val uation.

Page 344

12-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Du plicating Alarm Thresholds Related Topics • Creating, Editing, and Dup l.

Page 345

12-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Dup licating Alarm Thresholds An alarm is triggered because at le a st one Device IP has greater than 10 failed authentications in the past 2 hours.

Page 346

12-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Du plicating Alarm Thresholds Related Topics • Creating, Editing, and Dup l.

Page 347

12-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Dup licating Alarm Thresholds The aggregation job begins at 00:05 ho urs e very day . From 23:50 ho urs, up until the time the aggregation job completes, the authenticat ion inacti vity alarms are suppressed.

Page 348

12-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Du plicating Alarm Thresholds Related Topics • Creating, Editing, and Dup l.

Page 349

12-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Dup licating Alarm Thresholds Related Topics • Creating, Editing, and Dup l.

Page 350

12-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Du plicating Alarm Thresholds Related Topics • Creating, Editing, and Dup l.

Page 351

12-23 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Dup licating Alarm Thresholds Related Topics • Creating, Editing, and Dup l.

Page 352

12-24 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Du plicating Alarm Thresholds Related Topics • Creating, Editing, and Dup l.

Page 353

12-25 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Dup licating Alarm Thresholds Related Topics • Creating, Editing, and Dup l.

Page 354

12-26 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Du plicating Alarm Thresholds Related Topics • Creating, Editing, and Dup l.

Page 355

12-27 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Dup licating Alarm Thresholds Unknown NAD When A CS ev aluates thi s threshold, it examines the RADIUS or T ACA CS+ failed authent ications that hav e occurred durin g the specif ied time interv al up to the pre vious 24 hours.

Page 356

12-28 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Du plicating Alarm Thresholds Related Topics • Creating, Editing, and Dup l.

Page 357

12-29 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Dup licating Alarm Thresholds Y ou can specify one or more f ilters to limit t he failed authentications t hat are considered for threshold e v aluation.

Page 358

12-30 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Du plicating Alarm Thresholds If, in the past four hour s, RB A C L drops ha .

Page 359

12-31 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Dup licating Alarm Thresholds NAD-Reported AAA Downtime When A CS ev aluates thi s threshold, it examines the N AD-reported AAA do wn e vents that occurre d during the spec ified interval up to the pre vious 24 h ours.

Page 360

12-32 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Creating, Editing, and Du plicating Alarm Thresholds Related Topics • Creating, Editing, and Dup l.

Page 361

12-33 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Deleting Al arm Threshol ds Related Topics • V ie wing and Editing Alar ms in Y our Inbox, page 12.

Page 362

12-34 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Configuring System Alarm Settin gs Configuring System Alarm Settings System alar ms are used to noti.

Page 363

12-35 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Understanding Alarm Syslog Targets Understanding Alarm Syslog Targets Alarm syslo g targ ets are th e destinatio ns where alarm syslog messages are sent.

Page 364

12-36 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 12 Managing Alarms Understanding Ala rm Syslog Targets Step 4 Click Submit .

Page 365

CH A P T E R 13-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 13 Managing Reports The Monitoring & Report V ie wer component of A CS collects log and conf iguration data from v arious A CS servers in your deployment, aggregates it, and provides interactive report s that help you analyze the data.

Page 366

13-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports • Catalog— Monitoring & Reports > Reports > Catalog > < r eport_type > For easy access, you can add reports to your F av o ri tes pa ge, from which you can customi ze and delete reports.

Page 367

13-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Working with Favorite Reports This chapter describes in d etail the fo llowing: • W orking with F .

Page 368

13-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Working with Favorite Reports Step 5 Click Add to F av orite .

Page 369

13-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Working with Favorite Reports Editing Favorite Reports After you vie w the e xisting parameters in your fa vori te report, you can ed it them.

Page 370

13-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Sharing Reports The report is generated in the page .

Page 371

13-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Workin g with Ca talog Rep orts Step 7 Click Sav e . The report is sa ved in your Shared folder and is a v ailable for all users. Working with Catalog Reports Catalog reports ar e system reports that are preco nfigured in A C S.

Page 372

13-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Working with Catalog Reports Access Service Authentication Summar y Provid es RADIUS and T ACA CS+ authentication summary informat ion for a particular access service for a selected time peri od; along with a graphical represen tation.

Page 373

13-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Workin g with Ca talog Rep orts A CS System Diagnostics Provides syst e m diagnostic details b ased on se verity for a selected time period.

Page 374

13-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Working with Catalog Reports Session Status Summary Pro vides the port sessions and status of a particular network de vice obtained by SNMP .

Page 375

13-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Workin g with Ca talog Rep orts Running Catalog Reports T o run a r eport that is in the Catalog: Step 1 Select Monitoring & Reports > Reports > Catalog > r eport_type , where r eport_typ e is the type of report you want to run.

Page 376

13-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Working with Catalog Reports Ty p e Ty p e o f r e p o r t .

Page 377

13-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Workin g with Ca talog Rep orts Step 2 Click the radio b utton next to th e report name you w ant to run, t hen select one of the options under Run : • Run for T oday —The repo rt you specified is run a nd the generated results are displayed.

Page 378

13-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Working with Catalog Reports T able 13-4 Repor ts > Report T ypes and Names <report_type>.

Page 379

13-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Workin g with Ca talog Rep orts Related Topics • W orkin g with Catalog Reports, page 13-7 • Un.

Page 380

13-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Working with Catalog Reports Failure Reason Enter a f ailure reason name or click Select to en ter a vali d failure reason name on w hich to run your report.

Page 381

13-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Workin g with Ca talog Rep orts Related Topics • W orkin g with Catalog Reports, page 13-7 • W .

Page 382

13-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Working with Catalog Reports Enabling RADIUS CoA Options on a Device T o vi ew all t he RADIUS Acti ve Session repo rts you ha ve to enable RADI US CoA options on the de vice.

Page 383

13-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Workin g with Ca talog Rep orts Figure 13-2 RADIUS Active Session Report Step 2 Click the CoA link from the RADIUS session that y ou want to reauthenticate or termin ate.

Page 384

13-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Working with Catalog Reports • Shared secret mismatch Step 5 See the T roubleshoot ing RADIUS Authenticat ions, page 14-6 to troub leshoot a failed change of authorization attempt .

Page 385

13-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Viewing Reports Step 3 Click Ye s to conf irm that you want to reset the System Report f iles to the fact ory default. The page is refreshed, and the reports in Catalog > report_type are reset to the factory default.

Page 386

13-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Viewing Reports Figur e 13-4 Context Menu for Colu m n Data in Int er active V iewer Figure 13-5 sh ows the con text menu you use to modi fy labels in Interacti ve V ie wer .

Page 387

13-23 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Viewing Reports Navigating Reports When you open a report in the vie wer , you see the first page of data. T o vi ew or w ork with data, you use tools that hel p you navig ate the report.

Page 388

13-24 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Viewing Reports Figur e 13-1 0 T able of Cont ents Expanded Entry T o na vigate to a specific page, cli ck the related link.

Page 389

13-25 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Viewing Reports In Excel, you can resize columns and format the data as you would do for an y other spreadsheet. Step 1 In the viewer , sele ct Export Data.

Page 390

13-26 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Viewing Reports Printing Reports Y ou can print a repo rt that appears in the vie wer in HTML or PDF format.

Page 391

13-27 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Step 2 Navig ate to the location where you want to sa ve the file. Step 3 T ype a f ile name and click Sa ve .

Page 392

13-28 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Formatting Reports in Interactive Viewer Step 2 Select Change T ext . The Edit T e xt dialog box appears. Step 3 Modify the tex t as desired and click A pply .

Page 393

13-29 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Changing Column Data Alignment T o ch ange the alignment o f data in a co lumn, right-click t he column and select Alignment from the context menu.

Page 394

13-30 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Formatting Reports in Interactive Viewer Formatting Data Types In an information obj ect, as in the relational databases on w hich information objects are based, all the data in a column is of the same data type, e x cluding the column header .

Page 395

13-31 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Formatting Numeric Data Numeric data can take se veral f orms. A column of postal codes requires dif ferent formatting from a column of sales figures.

Page 396

13-32 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Formatting Reports in Interactive Viewer Step 7 In Neg ativ e Numbers, select an opt ion for displaying ne gati ve numbers, b y using either a minus sign before the number or parentheses around the nu mber .

Page 397

13-33 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Step 3 In Format Code f ield, type a format pattern similar to those sho wn in T able 13-7 . Step 4 Click Apply .

Page 398

13-34 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Formatting Reports in Interactive Viewer Step 1 Select a string data column, th en click For m a t . The String column form at windo w appears. Step 2 In Format String as f ield, select Custom.

Page 399

13-35 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer T abl e 13-6 sho ws the standard date-and-time data ty pe formats. Step 1 Select a column that contains date o r time data, then click For m at .

Page 400

13-36 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Formatting Reports in Interactive Viewer Formatting Boolean Data A Boolean e xpression e v aluates to T rue or False.

Page 401

13-37 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Figur e 13-18 Conditional For mat ting in Int eractiv e View er Y ou can affect the formatting of one column based on the v alue in another column.

Page 402

13-38 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Formatting Reports in Interactive Viewer b. In the next field, use the d rop-do wn list to select the operator to apply to the column you selected. Y ou can select Equal to, Less than, Le ss t han or Equal to, and so on.

Page 403

13-39 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Formatting Reports in Interactive Viewer Step 4 On Conditional F ormatting, cho ose Format, and set the for matting for the condi tional text . Y ou can set the font, font size, fo nt color , and background color .

Page 404

13-40 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Formatting Reports in Interactive Viewer Figur e 13-23 Removing a Conditiona l F or mat in Int eractiv e Viewer Step 4 Click A pply .

Page 405

13-41 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Figur e 13-24 Setting a P age Br ea k Step 3 Specify whether to set a page break before e very group, or for e very group except the f irst or last groups.

Page 406

13-42 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Organizing Report Data Reordering Columns in Interactive Viewer T o reorder columns: Step 1 Select and right-click a column. Step 2 From the conte xt menu, select Column > Reorder Columns .

Page 407

13-43 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Figure 13-26 Mov e to Gr ou p Header Dialog Box Step 3 From the Mov e to Group field, select a v alue. Step 4 In the Header row f ield, select the row number in which t o mov e the v alue you selected in Step 3.

Page 408

13-44 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Organizing Report Data Hiding or Displaying Report Items T o hide or d isplay report items: Step 1 Select and right-click a column. Step 2 Select Hide or Show Items.

Page 409

13-45 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Displaying Hidden Columns TO displ ay hidden columns: Step 1 Select and right-click a column. Step 2 Select Column > Show Col umns .

Page 410

13-46 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Organizing Report Data Figure 13-30 Merg ed Column T o mer ge data in multiple columns: Step 1 Select and right-click the columns Step 2 Select Column > Merge Columns .

Page 411

13-47 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Sorting Data When you place data in a report design, the data sour ce determines the default sort order for the data ro ws.

Page 412

13-48 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Organizing Report Data Figur e 13-31 Sorting Multip le Columns If the report uses group ed data, the drop-do wn lists in Adv a nced Sort sho w only the detail columns in the report, not the column s you used to group the data.

Page 413

13-49 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Figure 13-32 Ungrouped D ata T o or ganize all thi s information into a u seful in vent ory report, you create data gr oups and data sections.

Page 414

13-50 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Organizing Report Data Adding Groups T o ad d groups: Step 1 Select and right-click the column you want to use to create a group . Step 2 From the Conte xt menu, select Gr oup > Add Group .

Page 415

13-51 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Step 4 T o set a grouping interv al, select Group ev ery and enter a value and select the grouping interv al. For e xample, to create a ne w group for e very month, type 1 and select Month f rom the drop-do wn list.

Page 416

13-52 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Organizing Report Data Figur e 13-37 Calculated Column T o create a calculation, you • Provide a ti tle for the calculated column. • Write an expression th at indicates which data to use and ho w to display the calculated data in the report.

Page 417

13-53 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Understanding Supported Calculation Functions T abl e 13-11 provides e xamples of the functions you can use to create calcula tions.

Page 418

13-54 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Organizing Report Data COUNT( ) Counts the ro ws in a table. COUNT( ) COUNT(groupLe vel) Counts the ro ws at the specif ied group le vel. COUNT(2) COUNTDISTINCT(expr) Counts the rows th at contain distinct v alues in a table.

Page 419

13-55 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data FIRST(expr , groupLev el) Displays the firs t value that appears in the specif ied column at the specified grou p lev el. FIRST([customerID], 3) IF(condition, doIfT rue, doIfFalse) Displays the result of an If.

Page 420

13-56 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Organizing Report Data ISTOPNPERCENT(e xpr , percent, groupLe vel ) Displays T rue if the value is within the hi ghest n percentage v alues for the expression at the specified group le vel , and Fal se otherwise.

Page 421

13-57 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data MONTH(date, option) Displays the m onth of a sp ecified d ate-and-time valu e, in one of three optional formats: • 1 - Displays the month number of 1 through 12.

Page 422

13-58 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Organizing Report Data RANK(exp r) Displays the rank of a numb er , string, or date-and-time value, starting at 1. Duplicate v alues recei ve identical ran k but the d uplication does not af fect the ranking of subsequent v alues.

Page 423

13-59 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data TRIM(str) Display s a string with all leading and trailing blank ch ar ac te r s re m oved . A ls o r e move s a ll co ns ec u tive blank characters.

Page 424

13-60 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Organizing Report Data Understanding Supported Operators T abl e 13-12 describes the mathematical an d logical operators you can use in writing expressions th at create calculated columns.

Page 425

13-61 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Using Multiply Values in Calculated Columns T o use multip ly va lues in calculated columns: Step 1 Select a column. In the report, the ne w calculated column appears to the right of the column you select.

Page 426

13-62 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Organizing Report Data Step 7 For the second ar gument, type the number of days to add. In this case, type 7. Step 8 V alidate the ex pression, then click A pply .

Page 427

13-63 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Figure 13-39 A ggreg ate Ro w for a Group T abl e 13-13 sho ws the aggregate funct ions that you can use.

Page 428

13-64 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Organizing Report Data Creating an Aggregate Data Row T o create an aggregate data ro w: Step 1 Select a column, then select Aggr egation . The Aggreg ation dialog box appears.

Page 429

13-65 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Organizing Report Data Adding Additional Aggregate Rows After you create a single aggregate ro w for a column, you can add up to tw o more aggregate ro ws for the same column.

Page 430

13-66 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Hiding and Filtering Report Data Deleting Aggregate Rows T o delete an aggre gate ro w: Step 1 Select the calculated column th at contains the aggre gation you w ant to remo ve, th en select Aggr egation .

Page 431

13-67 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Hiding and Filtering Repor t Data Figure 13-43 Suppressed V alues Y ou can suppress duplicate v alues to make your repo rt easier to read. Y ou can suppress only conse cuti ve occurrences of dupl icate v alues.

Page 432

13-68 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Hiding and Filtering Report Data Figur e 13-44 Group Detail Rows Displa yed Figure 13-45 sho ws the results of hiding the detail r ows for t he creditrank gr ouping.

Page 433

13-69 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Hiding and Filtering Repor t Data Types of Filter Conditions T abl e 13-15 describes the types of f ilter conditions and pr ovides e xamples of how f ilter conditions are translated into instructi ons to the data source.

Page 434

13-70 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Hiding and Filtering Report Data Setting Filter Values After you choose a condition, you set a f ilter value. Step 1 T o vie w all the v alues for the selected column, select Select V alues .

Page 435

13-71 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Hiding and Filtering Repor t Data Figur e 13-46 Selecting a Filter V alue in Interactiv e Viewer Step 2 T o search for a v alue, type the value in the Find V alue field, then click Find .

Page 436

13-72 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Hiding and Filtering Report Data Step 3 From the Condition pu lldow n menu, select a condition. T able 13-14 describes the conditions you can select.

Page 437

13-73 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Hiding and Filtering Repor t Data Figur e 13-47 The Adv anced Filter Di alog Bo x in Intera ctive View er Adva nced Filter provi des a great deal of fle xibility in setti ng the filter v alue.

Page 438

13-74 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Hiding and Filtering Report Data Step 7 V alidate the f ilter syntax by clicking Va l i d a t e . Y ou hav e now created a filter with one cond ition .

Page 439

13-75 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Understanding Charts Step 2 From the Filter pulldo wn menu, select a particular nu mber of rows or a percentage of ro ws, as shown in Figure 13-48 .

Page 440

13-76 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Understanding Char ts Figure 13-49 P arts of a Basic Bar Char t There are a variety of chart types. So me types of data are best depicted with a specific ty pe of chart.

Page 441

13-77 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 13 Managing Reports Understanding Charts Changing Chart Subtype charts hav e subtypes, which you can change as needed: .

Page 442

13-78 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 13 Managing Re ports Understanding Char ts Figure 13-50 Chart F o r matting Options Y ou use this page to: • Edit and format the default chart titl e. • Edit and format the def ault title for the category , or x-, axis.

Page 443

CH A P T E R 14-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 14 Troubleshooting ACS with the Monitoring & Report Viewer This chapter describes the di agnostic and troublesho oting tools that the Monitor ing & Report V ie wer provides for the Cisco Secure Access Control Syste m.

Page 444

14-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 14 Trouble shooting ACS with the Monitoring & Report View er Available Diag nostic and Troub leshooting Tools Support b undles typically contain t he A CS database, log f iles, core f iles, and Monitoring & Repo rt V iewer sup port files.

Page 445

14-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 14 Troub leshooting ACS w ith the Monitoring & Report Viewer Performing Connectivity Tests Performing Connectivity Tests Y ou can test your con nectiv ity to a network devi ce with the de vice’ s hostname or IP address.

Page 446

14-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 14 Trouble shooting ACS with the Monitoring & Report View er Downloading ACS Su pport Bund les for Diagnostic Inform.

Page 447

14-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 14 Troub leshooting ACS w ith the Monitoring & Report Viewer Working with Expert Troub leshooter • Include core fi.

Page 448

14-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 14 Trouble shooting ACS with the Monitoring & Report View er Working with Exper t Troubleshooter • Comparing IP-SG.

Page 449

14-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 14 Troub leshooting ACS w ith the Monitoring & Report Viewer Working with Expert Troub leshooter Step 4 Click Search to display the RADIUS authentications that match your search criteria.

Page 450

14-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 14 Trouble shooting ACS with the Monitoring & Report View er Working with Exper t Troubleshooter Step 8 Click Done to return to th e Expert T roubleshoot er .

Page 451

14-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 14 Troub leshooting ACS w ith the Monitoring & Report Viewer Working with Expert Troub leshooter Step 10 Click Done to return to the Expert T roubleshooter .

Page 452

14-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 14 Trouble shooting ACS with the Monitoring & Report View er Working with Exper t Troubleshooter Step 3 Click Run to run the sho w command on the specif ied network de vice.

Page 453

14-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 14 Troub leshooting ACS w ith the Monitoring & Report Viewer Working with Expert Troub leshooter Step 3 Click Run . The Progress Details pag e appears. The Monitoring & Report V ie wer prompts you for additional i nput.

Page 454

14-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 14 Trouble shooting ACS with the Monitoring & Report View er Working with Exper t Troubleshooter 3. Compares the SGA CL policy obt ained from the netw ork de vice with the SGA CL policy obt ained from A CS.

Page 455

14-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 14 Troub leshooting ACS w ith the Monitoring & Report Viewer Working with Expert Troub leshooter Step 4 Click S XP-IP Mappings from the list of troublesho oting tools.

Page 456

14-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 14 Trouble shooting ACS with the Monitoring & Report View er Working with Exper t Troubleshooter Step 10 Click Show Results Summary to vie w the diagnosis and resolution steps.

Page 457

14-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 14 Troub leshooting ACS w ith the Monitoring & Report Viewer Working with Expert Troub leshooter Step 6 Click Show Results Summary to vie w the diagnosis and resolution steps.

Page 458

14-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 14 Trouble shooting ACS with the Monitoring & Report View er Working with Exper t Troubleshooter Step 3 Click Run . The Progress Details page appears with a summary .

Page 459

CH A P T E R 15-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 15 Managing System Operati ons and Configuration in the Monitoring & Report Viewer This chapter describes the tasks th at you must perform to co nfigure an d administer the Monitor ing & Report V ie wer .

Page 460

15-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Op erations a nd Configuration in the Mo nitoring & Report View er • Config ure and edit fail u.

Page 461

15-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitori ng & Report Viewer Configuring Data Purging and Incr.

Page 462

15-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Op erations a nd Configuration in the Mo nitoring & Report View er Configuring Data Purg ing and .

Page 463

15-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitori ng & Report Viewer Configuring Data Purging and Incr.

Page 464

15-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Op erations a nd Configuration in the Mo nitoring & Report View er Configuring Data Purg ing and .

Page 465

15-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitori ng & Report Viewer Restoring Data from a Backup Restoring Data from a Backup Use this page to restore data from t he V iew database that was backed up ea rlier .

Page 466

15-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Op erations a nd Configuration in the Mo nitoring & Report View er Viewing Lo g Collections Note Y ou can use the refresh symbol to refresh the cont ents of the page.

Page 467

15-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitori ng & Report Viewer Viewing Log Collections Log Collection Details Page Use this page to view the recently co llected log names for an ACS serv er .

Page 468

15-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Op erations a nd Configuration in the Mo nitoring & Report View er Viewing Lo g Collections Related Topic • V ie wing Log Collections, p age 15-7 T able 15-4 Log Collection Details P age Option Description Log Name Name of the log file.

Page 469

15-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitori ng & Report Viewer Recovering Log Message s Recover.

Page 470

15-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Op erations a nd Configuration in the Mo nitoring & Report View er Viewing Scheduled J obs Note .

Page 471

15-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitori ng & Report Viewer Viewing Process Sta tus Viewing Process Status Use this page to vie w the status of processes running in your A CS en vironment.

Page 472

15-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Op erations a nd Configuration in the Mo nitoring & Report View er Viewing Data Upgr ade Status Viewing Data Upgrade Status After you upgrad e to A CS 5.

Page 473

15-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitori ng & Report Viewer Specifying E-Mail Settings Related Topic V iewing Failure Reasons, page 15-14 Specifying E-Mail Settings Use this page to specify the e-mail server and administrator e-mail address.

Page 474

15-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Op erations a nd Configuration in the Mo nitoring & Report View er Understanding Collection Filt.

Page 475

15-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Operations and Configuration in the Monitori ng & Report Viewer Configuring System Alarm Setting.

Page 476

15-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 15 Managing System Op erations a nd Configuration in the Mo nitoring & Report View er Configuring Remo te Database .

Page 477

CH A P T E R 16-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 16 Managing System Administrators System administrators ar e responsible for depl oying, conf iguring, maintain ing, and monitoring the A CS servers in your network. The y can perform v arious operations in A CS through the A CS administrati ve interface.

Page 478

16-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 16 Mana gi ng System Administrators Understanding Administra tor Roles and Accounts • Config ure administrator session setting • Config ure administrator access setting The first t ime you log in to A CS 5.

Page 479

16-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Configuring System Ad ministrators and Accou nts Understanding Authentication An authentication requ est is the fi rst operation for e v ery management session.

Page 480

16-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 16 Mana gi ng System Administrators Understanding Roles Permissions A permission is an access right that applies to a specif ic admini strati v e task .

Page 481

16-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Understanding Role s Note At first logi n, only the Super Admin is assigned t o a specific admini strator .

Page 482

16-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 16 Mana gi ng System Administrators Creating, Dup licating, Editing, and Deleti ng Administrator Accounts Administrator .

Page 483

16-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Creating, Duplicatin g, Editing, and D eleting Administrator Accounts Step 2 Do any of the follo wing: • Click Cr eate . • Check the check box next to the account that you want t o duplicate an d click Duplicate .

Page 484

16-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 16 Mana gi ng System Administrators Viewing Predefined Role s The new account is sa ved. The Administrators page appears, with the new account that you created or duplicat ed.

Page 485

16-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Configuring Auth entication Settings for Administrators Related Topics • Understandi.

Page 486

16-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 16 Mana gi ng System Administrators Configuring Authenticatio n Settings for Administrators Note A CS automatically deactiv ates or disable s your account based on your last login, last password change, or number of lo gin retries.

Page 487

16-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Configuring Session Idle Timeou t Related Topics • Understanding Roles, page 16-3 �.

Page 488

16-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 16 Mana gi ng System Administrators Resetting the Admi nistrator Password Step 3 Click Cr eate in the IP Range(s) area. A ne w window appears. Enter the IP address of the machine from which you want to allow remote access to A CS.

Page 489

16-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators Changing the Admini strator Password http://www .ci sco.com/en/US/docs/net _mgmt/cisco_secure_access_ control_system/5.3/comman d/ reference/cli_app_a.

Page 490

16-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 16 Mana gi ng System Administrators Changing the Admi nistrator Password Resetting Another Administrator’s Password T o reset another administrator’ s password: Step 1 Choose System Administration > Administrators > Accounts .

Page 491

CH A P T E R 17-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 17 Configuring System Operations Y ou can confi gure and deploy A CS instance s so that one A CS instance becomes the primary instance and the other A CS instances can be registered to the primary as secondary instances .

Page 492

17-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Understanding Distr ibuted Deployment Understanding Distributed Deployment Y ou can confi gure multiple A CS servers in a deployment.

Page 493

17-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Understanding Distributed Deployment Note A CS 5.3 does not support the large deplo yment with more than ten A CS instances (one primary and nine secondaries).

Page 494

17-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Understanding Distr ibuted Deployment • Understanding Distrib uted Deplo yment, page 17-2 Promoting a Secondary Server There can be one server only that is functio ning as the prim ary se rver .

Page 495

17-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Understanding Distributed Deployment Understanding Full Replication Under normal circumstances, each co nfiguration chan ge is propagate d to all secondary instances.

Page 496

17-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Scheduled Backup s • Using the Deployment Operations Pa ge to Create a Local Mode Instanc e, page 17-22 Scheduled Backups Y ou can schedu le backups to be ru n at periodic in tervals.

Page 497

17-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Backing Up Primary and Seconda ry Instances Step 2 Click Submit to schedule t he backup.

Page 498

17-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Synchronizing Primary and Secondary Instan ces After Backup and Restore Step 4 Click Submit to run the backup i mmediately .

Page 499

17-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Editing Instances The Distribu ted System Management page appears with two t ables: • Primary Instance table — Shows the primary instance.

Page 500

17-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Editing Instances Step 2 From the Primary Instance table, click the pr imary instance that you want to modify , or check the Name check box and click Edit .

Page 501

17-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Editing Instances Step 4 Click Submit . Port Port for Management service. MA C Address MAC address for the instance. Description Description of the primary or secondary instance.

Page 502

17-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Editing Instances The Primary Instance table on the Distrib uted System Management page app ears with the edited primary instance.

Page 503

17-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Activating a Secondary Instance The follo wing warning message appears: Are you sure you want to delete the sel ected item/it ems? Step 5 Click OK .

Page 504

17-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Registering a Seconda ry Instance to a Prima ry Instance .

Page 505

17-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Registering a Secondary Instance to a Primary Instance Step 3 Specify the appropriate v alues in the Registration Section. Step 4 Click Register to Primary .

Page 506

17-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Deregistering Secondary Instanc es from the Distr ibuted System Management Page Dereg.

Page 507

17-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Promoting a Secondary Instance from the Distributed System Mana gement Page The system displays the follo wing warning message: This operati on will dereg ister this ser ver as a seco ndary with the p rimary server .

Page 508

17-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Promoting a Secondar y Instance from the Dep loyment Operations Pag e Promoting a Sec.

Page 509

17-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Replicating a Secondary Instanc e from a Primary Insta nce Replicating a Secondary Instance from the Distributed System Management Page Note All A CS appliances must be in sync with the AD d omain clock.

Page 510

17-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Replicating a Secondary Instanc e from a Primary Instance The Distribu ted System Management page appears. On the Secondary Instance table, the Replication Status column sho ws UPD A TE D .

Page 511

17-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Replicating a Secondary Instanc e from a Primary Insta nce Failover A CS 5.3 allows you to configure mul tiple A C S instances for a dep loyment scenario.

Page 512

17-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Using the Deploym ent Operation s Page to Create a Local Mode Instance Cleanup..... .. Starting ACS... . The database on the primary se rver is restored successfully .

Page 513

17-23 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 17 Configuring System Operations Using the Deployment Operations Page to Create a Local Mode Insta nce Y ou can use the conf iguration information on the A C S Config uration Audit report to manually restore the conf iguration infor mation for this inst ance.

Page 514

17-24 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 17 Config uring System Operations Using the Deploym ent Operation s Page to Create a Local Mode Instance Step 4 Click Submit .

Page 515

CH A P T E R 18-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 18 Managing System Administration Configurations After you install Ci sco Secure A CS, you must conf igure and administer it t o manage your network eff iciently . The ACS web interface allo ws you to ea sily configure A CS to perform v arious operations.

Page 516

18-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Global System Options Configuring EAP-TLS Settings Use the EAP-TLS Settings page to configure EAP-TLS runtime characteristics.

Page 517

18-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Global System Op tions Configuring PEAP Settings Use the PEAP Settings page to conf igure PEAP ru ntim e characteristics.

Page 518

18-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring RSA SecurID Prom pts Generating EAP-FAST PAC Use the EAP-F AST Generate P AC pag e to generate a user or machine P AC.

Page 519

18-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Dictiona ries Step 3 Click Submit to conf igure the RSA SecurID Prompt s.

Page 520

18-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Diction aries • RADIUS (RedCreek) • RADIUS (US Robotics) �.

Page 521

18-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Dictiona ries Step 3 Click Submit to sav e the changes.

Page 522

18-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Diction aries T able 18-9 Cr eating, Duplicating, and Ed iting RADIUS Subat tr ibutes Option Description General Attrib ute Name of the subattribut e.

Page 523

18-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Dictiona ries Step 4 Click Submit to sav e the suba ttribute.

Page 524

18-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Diction aries Related Topic Creating, Duplicating , and Editi.

Page 525

18-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Dictiona ries Configuring Internal Identity Attributes T abl e 18-10 describes the f ields in the internal < users | hosts > identit y attrib utes.

Page 526

18-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Diction aries Deleting an Internal User Identity Attribute T .

Page 527

18-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Managing Dictiona ries Creating, Duplicating, and Editing an Internal .

Page 528

18-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Local Server Certificates Adding Static IP address to User.

Page 529

18-15 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Adding Local Serve r Certificates Step 2 Click Add .

Page 530

18-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Adding Local Server Certificates Step 4 Click Finish . The new certif icate is sav ed. The Local Certific ate Store page appears with the new certificate.

Page 531

18-17 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Adding Local Serve r Certificates Step 4 Click Finish . The new certif icate is sav ed. The Local Certific ate Store page appears with the new certificate.

Page 532

18-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Adding Local Server Certificates Step 1 Select System Administration > Conf igurations > Loca l Server Certif icates > Local Certificates > Add.

Page 533

18-19 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Adding Local Serve r Certificates Step 4 Click Submit to ex tend the existing certif icate’ s v alidity . The Local Certificate Store page ap pears with the edited certificate.

Page 534

18-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Adding Local Server Certificates Exporting Certificates T o e xport a certi fica te: Step 1 Select System Administration > Conf iguration > Loca l Server Certif icates > Local Certificates .

Page 535

18-21 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuri ng Logs Configuring Logs Log records are generated for: • .

Page 536

18-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs • Remote Log T argets > Duplicate: “ lo g_tar get” , where log_tar get is the name of the remote log tar get you selected in Step 2 , if you are duplicat ing a remote log targ et.

Page 537

18-23 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuri ng Logs Deleting a Remote Log Target T o delete a remote log t arget: Step 1 Select System Administration > Conf iguration > Log Conf iguration > Remote Log T argets .

Page 538

18-24 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs Step 1 Select System Administration > Conf iguration > Log Conf iguration > Local Log T arget .

Page 539

18-25 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuri ng Logs If you ha ve compl eted your conf iguration, proceed to Step 6 . Step 4 T o conf igure a remote syslog target, click the Remot e Syslog T arget and proceed to Step 5 .

Page 540

18-26 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs T abl e 18-22 lists a set of adminis trativ e and operational logs under v arious categories that are no t logged to the local t arget.

Page 541

18-27 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuri ng Logs Related Topic • Config uring Per -Instance Logging.

Page 542

18-28 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs Viewing ADE-OS Logs The logs listed in T abl e 18-22 are written to the ADE-OS logs.

Page 543

18-29 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuri ng Logs Sep 29 06:28:28 cd-acs5-13-103 MSGCAT58004/admin: AC.

Page 544

18-30 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs Configuring Per-Instance Security and Log Settings Y .

Page 545

18-31 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuri ng Logs Configuring Per-Instance Remote Syslog Targets Use this page to configure remote sy slog targets for logging cate gories.

Page 546

18-32 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs Displaying Logging Categories Y ou can vie w a tree of conf igured logging cat egories for a specif ic ACS inst ance.

Page 547

18-33 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuri ng Logs Configuring the Log Collector Use the Log Collector pa ge to sel ect a log data collecto r and suspend or resume log data transmission.

Page 548

18-34 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Licensing Overview Licensing Overview T o operate A CS, you must install a va lid license. A CS prompts you to install a v alid base license when you first access the web interface.

Page 549

18-35 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Installing a License File Related Topics • Licensing Overview , page.

Page 550

18-36 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Installing a License File Viewing the Base License T o upgrade the base license: Step 1 Select System Administration > Conf iguration > Licensing > Base Server Li cense .

Page 551

18-37 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Installing a License File Related Topic • Upgrading the Base Serv er License, page 18-37 Upgrading the Base Server License Y ou can upgrade the base server license.

Page 552

18-38 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Viewing License Fe ature Options Viewing License Feature Options Y ou can add, upgrade, or delete e xisting deploy ment licenses.

Page 553

18-39 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Adding Deployment License File s Adding Deployment License Files T o add a new base deployment license file: Step 1 Select System Administration > Conf iguration > Licensing > F eature Options .

Page 554

18-40 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Deleting Deployment License Files Related Topics • Licensing Overvie.

Page 555

18-41 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Availabl e Downloa ds Downloading Migration Utility Files T o do wnload migration application files an d the migration gui de for A C S 5.

Page 556

18-42 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Available Do wnloads T o do wnload these sample scripts: Step 1 Choose System Administration > Downl oads > Sample Python Scripts .

Page 557

CH A P T E R 19-1 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 19 Understanding Logging This chapter describes logg ing functionality in A C S 5.3. Administrator s and users use the v arious management interfaces of A CS to perform dif feren t tasks.

Page 558

19-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 19 Understa nding Logging About Logging Using Log Targets Y ou can specify to send cust omer log information to multiple consumers or Lo g T arg ets and specify whether the log messages are stored locally in te xt form at or forw arded to syslog servers.

Page 559

19-3 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging About Logging Note For comple x conf iguration items or attrib utes, such as policy or D A CL c.

Page 560

19-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 19 Understa nding Logging About Logging Each log message contains the follo wing information: • Event code—A un ique message code. • Logging category—Identif i es the catego ry to which a log message belongs.

Page 561

19-5 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging About Logging Local Store Target Log messages in the local stor e are text f iles that are sent to one log f ile, located at /opt/CSCOacs/lo gs/localStor e/ , regardless of which l ogging category they belo ng to.

Page 562

19-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 19 Understa nding Logging About Logging T able 19-2 Local St or e and Syslog Message F or mat Field Description timestamp Date of the message generat ion, according to the local clock of the originating A CS, in the format YYYY - MM-DD hh:mm:ss:xxx +/-zh: zm .

Page 563

19-7 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging About Logging Y ou can use the web in terface to configure the n umber of da ys to retain local store log files; howe ver , the default setting is to purge data when it exceeds 5 MB or each d ay , whiche ver limit is f irst attained.

Page 564

19-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 19 Understa nding Logging About Logging When you configure a critical log target, and a message is sent to that critical log tar get, the message is also sent to the configured noncriti cal log target on a best-effort basis.

Page 565

19-9 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging About Logging T able 19-3 Remote Syslog Messag e Header For mat Field Description pri_num Priority v alue of the message; a comb ination of the facility value an d the sev erity v alue of the message.

Page 566

19-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 19 Understa nding Logging About Logging The syslog messa ge data or pay load is the same as the Local Store Message Format, which is described in T able 19-2 .

Page 567

19-11 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging About Logging The Monitoring & Report V ie wer has two dra wer options: • Monitoring and Reports—Use this dra wer to view and con figur e alarms, vie w log reports, an d perform troubleshooti ng tasks.

Page 568

19-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 19 Understa nding Logging ACS 4.x Versus ACS 5.3 Logging ACS 4.x Versus ACS 5.3 Logging If you are fa miliar with the loggin g functionality in A CS 4.x, ensure that you familiarize yo urself with the logging functionali ty of A CS 5.

Page 569

19-13 User Guide for Cisco Secur e Access Control System 5.3 OL-24201-01 Chapter 19 Understanding Logging ACS 4.x Versus ACS 5.3 Logging Conf iguration Use the System Confi guration > Logging page .

Page 570

19-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Chapter 19 Understa nding Logging ACS 4.x Versus ACS 5.3 Logging.

Page 571

A-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 APPENDIX A AAA Protocols This section contains the following topics: • T ypical Use Cases, page A-1 • Access Protocols—T A C.

Page 572

A-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix A AAA Pro tocols Typical Use Case s Session Access Requests (Dev ice Administration [TACACS+]) Note The numbers refer to Figure A-1 on page A-1 . For session request: 1. An administrator l ogs into a networ k dev ice.

Page 573

A-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix A AAA Protocols Typical Us e Cases – EAP protocols that in volv e a TLS handshake a nd in which the client uses the A C.

Page 574

A-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix A AAA Pro tocols Typical Use Case s – EAP-F AST/EAP-MSCHAPv2 – EAP-F AST/EAP-GTC • EAP methods that use certi fica.

Page 575

A-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix A AAA Protocols Access Protocols—TACACS+ and RADIUS Access Protocols—TACACS+ and RADIUS This section contains the following topics: • Overvie w of T A CACS+, page A-5 • Overvie w of RADIUS, page A-6 A CS 5.

Page 576

A-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix A AAA Pro tocols Overview of RADIUS Overview of RADIUS This section contains the following topics: • RADIUS VSAs, page A-6 • A CS 5.3 as the AAA Server , page A-7 • RADIUS Attribute Support in A CS 5.

Page 577

A-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix A AAA Protocols Overview of RADIUS ACS 5.3 as the AAA Server A AAA server is a server program that handles user requests for access to compu ter resources, and for an enterprise, provides AAA services.

Page 578

A-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix A AAA Pro tocols Overview of RADIUS RADIUS Attribute Support in ACS 5.3 A CS 5.

Page 579

A-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix A AAA Protocols Overview of RADIUS Authentication A CS supports various aut hentication protocols transpo rted ov er RADIUS.

Page 580

A-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix A AAA Pro tocols Overview of RADIUS In RADIUS, authentication and authorization are coupl ed.

Page 581

B-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 APPENDIX B Authentication in ACS 5.3 Authentication v erif ies user information to conf irm the user's identity . T raditional authentication uses a name and a f ixed passw ord.

Page 582

B-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 PAP This appendix describes the fo llowi ng: • RADIUS-based authen tica tion that d oes no.

Page 583

B-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP RADIUS PAP Authentication Y ou can use dif ferent le vels of secur ity concurrently wi th A CS for dif ferent requirements. P AP applies a two-w ay handshaking procedure.

Page 584

B-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP In A CS 5.3, EAP is encapsulated in the RADIUS protocol. Incoming and outgoing EAP messages are stored in a RADIUS EAP-Message attribute (79).

Page 585

B-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-MD5 A CS supports full EAP infrastructure, including EAP typ e negotiation, message sequencing and message retransmission. All prot ocols support fragmentation of big messages.

Page 586

B-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-TLS Overview of EAP-TLS EAP-TLS is one of th e methods in the EAP authenti cation frame work, and i s based on the 802.1x and EAP architecture.

Page 587

B-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-TLS • Using a third- party signature, usually fr om a CA, th at verif ies the informatio n in a certif icate. This third-party binding is similar to the real-world eq ui valent of t he stamp on a passport.

Page 588

B-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-TLS An anony mous Dif fie-Hel lman tunnel relates to the establi shment of a completely anon ymous tunnel between a client and a serv er for cases where none of the peers authenticates itself.

Page 589

B-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-TLS Fixed Management Certificates A CS generates and use s self-signe d certificates to identi fy various management protocols such as the W eb bro wser , HTTPS, Activ eMQ SSH, and SFTP .

Page 590

B-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-TLS Importing the ACS Se rver Certificate When you manually import and A CS server cer tificate yo u must supply the certif icate file, the pri v ate key file, and the pri vate ke y password used to decr ypt the PKCS#12 pri vate ke y .

Page 591

B-11 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-TLS There are two types of cert ificate generation: • Self signing certif icate generation — A CS supp orts generation of an X.5 09 certifi cate and a PKCS#12 priv ate key .

Page 592

B-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-TLS Credentials Distribution All certifi cates are kept in the A CS database which is distributed and shared between all A CS nodes.

Page 593

B-13 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-TLS Private Keys and Passwords Backup The entire A CS database is distributed and backed-up on the primary A CS along with all the certif icates, priv ate-keys and the encrypted pri v ate-key-passwor d s.

Page 594

B-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 PEAPv0/1 Note All communication between t he host and A CS goes through the network de vice. EAP-TLS authenticatio n fails if th e: • Server f ails to verify the client’ s certif icate, and rejects EAP-TLS authentication.

Page 595

B-15 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 PEAPv0/1 Overview of PEAP PEAP is a client-server security architecture that yo u use to encrypt EAP transactions, thereby protecting the contents of EAP authenticatio ns.

Page 596

B-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 PEAPv0/1 Server Authenticated and Unau thenticated Tunnel Establishmen t Modes T unnel esta.

Page 597

B-17 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 PEAPv0/1 PEAP Flow in ACS 5.3 The PEAP protocol allo ws authentication between A CS and the peer by usin g the PKI-based secure tunnel establishment and the EAP-MSCHAPv2 pro tocol as the inner method i nside the tunnel.

Page 598

B-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST Authenticating with MSCHAPv2 After the TLS tunnel is created, follow these steps t.

Page 599

B-19 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST EAP-F AST is a client-server security architecture that encrypts EA P transactions with a TLS tunn el.

Page 600

B-20 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST EAP-F AST can protect t he username in all EAP-F AST transaction s.

Page 601

B-21 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST • A CS-Supported Features for P A Cs, page B-24 • Master Key Generation and P A.

Page 602

B-22 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST Provisioning Modes A CS supports out-of-band and in-band pro visioning modes. The in- band provision ing mode operates inside a TLS tunnel raised by Anonymou s DH or Authenticated DH or RSA algorithm for k ey agreement.

Page 603

B-23 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST The v arious means by which an end- user client can rece i ve P ACs are: • P A C pro visioning —Requi red when an end-user client has no P A C.

Page 604

B-24 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST T o cont rol whether A CS performs Automatic In-Band P A C Provision ing, use the options on the Global System Options pages in the Syst em Administration dra wer .

Page 605

B-25 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST The proacti ve P A C update time is conf igured for the A CS server in the Allo wed Protocols Page. Thi s mechanism allows the client to be alw ays updated with a valid P A C.

Page 606

B-26 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST Master Key Generation and PAC TTLs The v alues for master ke y generation and P AC TTLs determine their states, as described in About Master-K eys, page B-21 and T ypes of P ACs, page B-22 .

Page 607

B-27 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST T o enable A CS to perform EAP-F AST authentication: Step 1 Config ure an identity store that supp orts EAP-F AST authen tication.

Page 608

B-28 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST This scheme impro ves the secu rity by reducing the amount of cry ptographic sensiti ve material that is transmitted.

Page 609

B-29 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP Authentication with RA DIUS Key Wrap PAC Migration from ACS 4.x Although the conf iguration can be migrated from 4.x, the P A Cs themselves, as being stored only in supplicants, m ay still be issued from versions a s far back as A CS 3.

Page 610

B-30 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-MSCHAPv2 EAP-MSCHAPv2 Microsoft Challenge Handshak e Authentication Prot ocol (MSCHAP v2) provi des two-way authentica tion, also known as mutu al authentication.

Page 611

B-31 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 CHAP Windows Machine Authentication Against AD EAP-MSCHAPv2 can be used for ma chine auth entication. EAP-MSCHAPv2 W indows machine authentication is the same as u ser authentication.

Page 612

B-32 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 Certificate Attributes Certificate Attributes A CS parses the follo wing client certifi cat.

Page 613

B-33 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 Certificate Attributes Rules Relating to Textual Attributes A CS collects client certificate te xtual attributes and places them in the A CS context dictionary .

Page 614

B-34 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 Machine Au thentication • For auto matic do wnloading, you def ine the amount of time before the CRL f ile expires, should A CS do wnload it.

Page 615

B-35 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 Authentication Protocol an d Identity Store Compatibility Note Microsoft PEAP clients may also ini tiate machine authen tication whene ver a user logs of f.

Page 616

B-36 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 Authentication Protocol and Identity Store Compatibility Ta b l e B - 5 specifies EAP authenti cation protoc ol support. T able B-5 EAP A uthentication Pr otocol and User D atabase Compatibility Identity Store E AP-MD5 EAP-TLS 1 1.

Page 617

C-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 APPENDIX C Open Source License Acknowledgments See http://www .cisco.com/en/US/produ cts/ps9911 /produ cts_licensing_infor mation_listing.html for all the Open Source and Third Party Licenses used in Cisco Secure Access Control System, 5.

Page 618

C-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix C Op en Source License Ackn owledgments Notices 4. The names “OpenSSL T oolkit” and “OpenSSL Projec t” must no t be used to endorse or promote products deri ved from this softw are without prior written permi ssion.

Page 619

C-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix C Open Source License Acknowledgmen ts 4. If you include an y W indows specif ic code (or a deri vati ve ther eof) from t.

Page 620

C-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Appendix C Op en Source License Ackn owledgments.

Page 621

GL-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 GLOSSARY A AAA Authentication, autho rization, and accounting (AAA ) is a term for a frame work for intelligently controlling access to computer re sources, enforcing policies, auditin g usage, and providi ng the information necessary t o bill fo r services.

Page 622

Glossary GL-2 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 accounts The capability of A CS to record user sessions in a log f ile. ACS System Administrators Ad m i ni s t ra t or s w it h di ff e re n t access privile ges define d under the System Conf iguratio n section of the A CS web interface.

Page 623

Glossar y GL-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 authenticity The v alidity and conformance of the or iginal information. authorization The approv al, permission, or empowermen t for someone or something to do so mething.

Page 624

Glossary GL-4 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 certificate-based authentication The use of Secure Sockets Layer (SSL) and certifi cates to authenticate and encrypt HTTP traf fic.

Page 625

Glossar y GL-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 configuration management The process of es tablishing a k nown baseline condition and managin g it.

Page 626

Glossary GL-6 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 D daemon A program which is often started at the time the system boots and runs continuo usly without interventi on from any of the u sers on the system. The daemon program forwards the requ ests to other programs (or processes) as appropri ate.

Page 627

Glossar y GL-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 digital envelope An en crypted message with the encr ypted session key . digital sign ature A hash of a message that uniquely identifies the se nder of the messag e and prov es the message hasn't changed since transmission.

Page 628

Glossary GL-8 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 dumpsec A security tool that du mps a variet y of informati on about a system's users, file system, re gistry , permissions, password policy , and services. DLL Dynamic Link Library .

Page 629

Glossar y GL-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 EAP Extensible Authenticatio n Protocol. A protocol for wireless netw orks that expands on Au thentication methods used by the PPP (Point-to-Point Protocol), a protocol oft en used when connecting a computer to the Internet.

Page 630

Glossary GL-10 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 G gateway A network point that acts as an entrance to another netw ork. global system options Configuring T ACA CS+, EAP-TTLS, PEAP , and EAP- F AST runtime character istics and generating EAP-F AST P A C.

Page 631

Glossar y GL-11 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 I I18N Intern ationaliza tion and loca liza tion are means of adapting softwa re for non-nati ve en vironments, especially other nations and culture s.

Page 632

Glossary GL-12 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 ISO International Or ganization for Stand ardization, a volun tary , non-treaty , non-go vernmen t organizat ion, established in 1947 , with vo ting members that ar e de signated standards bodies of participatin g nations and non-v oting observ er org anizations.

Page 633

Glossar y GL-13 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 M MAC Address A physical address; a numeric v alue that uniquely identif ies that netw ork de vice from e very ot her de vice on the planet. matchingRul e (LDAP) The method by which an attrib ute is compared in a search operation.

Page 634

Glossary GL-14 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 PI (Programm atic Interface) The A CS PI is a programmatic interf ace that provides e xternal applic ations the abilit.

Page 635

Glossar y GL-15 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 R RDN (LDAP) Th e Relative Distinguished Name (fre quently but incorrectly written as Relati vely Distinguished Name). The name gi ven to an attri bute(s) that is unique at its le vel in the hierarch y .

Page 636

Glossary GL-16 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 Schema (LDAP) A package of attr ibut es and object classes that a r e sometimes (nominally) related.

Page 637

Glossar y GL-17 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 SOAP (Simple Object Access Protocol) A lightweight XML-based pr otocol for ex change of information in a decentrali zed, distrib uted en vironment.

Page 638

Glossary GL-18 User Guide for Cisco Secu re Access Control System 5.3 OL-24201-01 U UDP User Datagram Protocol. A communicati ons protocol that of fers a limited amount of service when messages are exchanged between computers in a ne twork that uses the Internet Protocol (IP) URL Uniform Resource Locator .

Page 639

Glossar y GL-19 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 X X.509 A standard for pub lic ke y infrastructure. X.509 spec if ies, amongst other things, standard formats for public ke y certif icates and a certificatio n path v alidation algorith m.

Cisco Systems OL-24201-01 manual

Share URL

Similar manuals