Cisco Systems CSACS3415K9 Configuring Threshold Criteria

12-14

User Guide for Cisco Secure Access Control System 5.4

OL-26225-01

Chapter12 Managing Alarms

Creating, Editing, and Duplicating Alarm Thresholds

Configuring Threshold Criteria

ACS 5.4 provides the following threshold categories to define different threshold criteria:

•Passed Authentications, page 12-14

•Failed Authentications, page12-16

•Authentication Inactivity, page12-18

•TACACS Command Accounting, page12-19

•TACACS Command Authorization, page12-20

•ACS Configuration Changes, page 12-21

•ACS System Diagnostics, page12-22

•ACS Process Status, page 12-23

•ACS System Health, page 12-24

•ACS AAA Health, page12-25

•RADIUS Sessions, page 12-26

•Unknown NAD, page 12-27

•External DB Unavailable, page 12-28

•RBACL Drops, page 12-29

•NAD-Reported AAA Downtime, page 12-31

When ACS evaluates this threshold, it examines the RADIUS or TACACS+ passed authentications that

occurred during the time interval that you have specified up to the previous 24 hours.

These authentication records are grouped by a common attribute, suc h as ACS Instance, User, Identity

Group, and so on. The number of records within each of these groups is compute d. If the count computed

for any of these groups exceeds the specified threshold, an alarm is triggered.

For example, if you configure a threshold with the following criteria: Passed authentications greater than

1000 in the past 20 minutes for an ACS instance. When ACS evaluates this threshold and three ACS

instances have processed passed authentications as follows:

An alarm is triggered because at least one ACS instance has greater than 1000 passed authentications in

the past 20 minutes.

ACS Instance Passed Authentication Count

New York ACS 1543

Chicago ACS 879

Los Angeles 2096