Americas Headquarters
User Guide for Cisco Secure Access Control System
Page
Iii
N T E N T S
Rules-Based Service Selection
Configuring an Authorization Policy for Host Lookup Requests
My Account
Vii
Exporting Network Devices and AAA Clients
Viii
Failover
Radius Identity Store in Identity Sequence
Managing Access Policies
Maximum User Session in Distributed Environment
Xii
Creating and Editing Alarm Schedules
Xiii
Exporting Report Data
Xiv
Adding Groups
Filtering Chart Data
Xvi
Managing System Administrators
Xvii
Activating a Secondary Instance
Xviii
Configuring Logs
Xix
Using Log Targets
PKI Usage
Xxi
EAP-MSCHAPv2 B-30
Xxii
Document Conventions
Audience
Revised April 17
Store
Documentation Updates
Related Documentation
Date Description
Obtaining Documentation and Submitting a Service Request
Preface User Guide for Cisco Secure Access Control System
Overview of ACS
Introducing ACS
Related Topic
ACS Distributed Deployment
ACS 4.x and 5.3 Replication
Related Topics
ACS Management Interfaces
ACS Licensing Model
ACS
ACS Web-based Interface
ACS Command Line Interface
ACS Web-based Interface,
Config
Hardware Models Supported by ACS
ACS Programmatic Interfaces
OL-24201-01
Migrating from ACS 4.x to ACS
Migration Requirements, Supported Migration Versions,
Overview of the Migration Process
Migration Requirements
Supported Migration Versions
Migrating from ACS 4.x to ACS
Select System Administration Downloads Migration Utility
Before You Begin
Downloading Migration Files
Migrating from ACS 4.x to ACS
Functionality Mapping from ACS 4.x to ACS
Radius
VSA
Common Scenarios in Migration
Migrating from ACS 4.2 on Csacs 1120 to ACS
Radius VSA
Migrating Data from Other AAA Servers to ACS
Migrating from ACS 3.x to ACS
Migrating from ACS 4.x to ACS Common Scenarios in Migration
OL-24201-01
Overview of the ACS 5.x Policy Model
ACS 5.x Policy Model
Information in ACS 5.3 Policy Element
Term Description
Policy Terminology
Rule-Based Policies
Simple Policies
Types of Policies,
Types of Policies
Policy Type
Access Services
Radius and TACACS+ Proxy Services
Access Service B Access Service C Access Service a
For Device Administration Hosts Wireless Devices
Access Service Templates
Feature ACS
Identity Policy
Failure Options
Processing Rules with Multiple Command Sets
Authorization Policy for Device Administration
Group Mapping Policy
Simple Service Selection, Rules-Based Service Selection,
Service Selection Policy
Simple Service Selection
Exception Authorization Policy Rules
Access Services and Service Selection Scenarios
Rules-Based Service Selection
Example Policy Rule Table
First-Match Rule Tables
Column Description
Policy Conditions
Authorization Profiles for Network Access
Policy Results
Policies and Identity Attributes
Processing Rules with Multiple Authorization Profiles
Example of a Rule-Based Policy
Policies and Network Device Groups
Prerequisites
Flows for Configuring Services and Policies
Editing a Custom Session Condition,
Editing Access Services,
Customizing a Policy, Configuring Access Service Policies,
Step Action Drawer in Web Interface
Related Topics
OL-24201-01
Common Scenarios Using ACS
Overview of Device Administration
Session Administration
Command Authorization
TACACS+ Custom Services and Attributes
Password-Based Network Access
Overview of Password-Based Network Access
PEAP-GTC
RADIUS-PAP RADIUS-CHAP
EAP-FAST-GTC EAP-MD5 Leap
Radius Chap
Password-Based Network Access Configuration Flow
Protocol Action
MAB Radius PAP
EAP-MSCHAPv2 or EAP-GTC or both
Peap
EAP-FAST
Overview of Certificate-Based Network Access
Certificate-Based Network Access
EAP-TLS
Using Certificates in ACS
Certificate-Based Network Access for EAP-TLS
Before you Begin
User Guide for Cisco Secure Access Control System
Overview of Agentless Network Access
Agentless Network Access
Validating an Ldap Secure Authentication Connection
Use Cases Attribute
Host Lookup
802.1x
Authentication with Call Check
Process Service-Type Call Check
PAP/EAP-MD5 Authentication
For more information, see , Managing Policy Elements
Agentless Network Access Flow
Next Step
Configuring an Ldap External Identity Store for Host Lookup
Adding a Host to an Internal Identity Store
Previous Step
Managing Identity Attributes,
Creating an Access Service for Host Lookup
Creating an Access Service for Host Lookup,
Previous Steps
See Viewing Identity Policies, page 10-21, for details
Configuring an Identity Policy for Host Lookup Requests
Click Save Changes
See Customizing a Policy, page 10-4, for more information
VPN Remote Network Access
Select Host Lookup and click OK
LDAP-RADIUS/PAP
Supported Authentication Protocols
Supported Identity Stores
RADIUS/PAP RADIUS/CHAP
Configuring VPN Remote Access Service
Supported VPN Network Access Servers
Supported VPN Clients
ACS and Cisco Security Group Access
Creating Security Groups
Adding Devices for Security Group Access
Creating SGACLs
Configuring an Ndac Policy
Creating an Access Service for Security Group Access
Configuring EAP-FAST Settings for Security Group Access
Select Network Access, and check Identity and Authorization
Creating an Egress Policy
Creating an Endpoint Admission Control Policy
Creating a Default Policy
Radius and TACACS+ Proxy Requests
Tacplusauthor Tacplusauthen
Supported Protocols
Tacplusacct
PAP Ascii Chap
Supported Radius Attributes
TACACS+ Body Encryption
Connection to TACACS+ Server
Configuring Proxy Service
My Workspace Welcome
Welcome
Field Description
My Account
Task Guides
Accessing the Web Interface
Using the Web Interface
Logging In, Logging Out,
Logging
Logging Out
Understanding the Web Interface
Header
Header, Navigation Pane, Content Area,
Navigation Pane, Content Area,
Web Interface Design
Drawer Function
Navigation Pane
Header, Content Area,
Content Area
Web Interface Location
Deleted item
Button or Field Description
Sorting
Filtering
Secondary Windows
Secondary Window
Transfer Boxes
Transfer Box Fields and Buttons
Schedule Boxes
Rule Table Pages
See Displaying Hit Counts, page 10-10for more information
Option Description
ACS 5.x Policy Model
Supported ACS Objects
Supported ACS Objects, Creating Import Files,
Property Name Property Data Type
Uments
Creating Import Files
Click Download Add Template
Downloading the Template from the Web Interface
Understanding the CSV Templates
Click File Operations
Header Field Description
Creating the Import File
Updating the Records in the ACS Internal Store
Deleting Records from the ACS Internal Store
Concurrency Conflict Errors
Common Errors
Deletion Errors
System Failure Errors
Accessibility
Display and Readability Features
Obtaining Additional Accessibility Information
Keyboard and Mouse Features
Step No Task Drawer Refer to
Configuring Minimal System Setup
Configuring Administrator
Configuring Local Server
Configuring Authentication
Settings for Administrators
Step No Task Drawer Refer to
Task Drawer Refer to
Configuring ACS to Manage Access Policies
Duplicating Alarm
Configuring System Alarm
Settings,
Understanding Alarm
OL-24201-01
External Servers
Managing Network Resources
Creating, Duplicating, and Editing Network Device Groups
Network Device Groups
Choose Network Resources Network Device Groups
Deleting Network Device Groups
Field Description
Deleting Network Device Groups from a Hierarchy
Network Devices and AAA Clients
Choose Network Resources Network Devices and AAA Clients
Viewing and Performing Bulk Operations for Network Devices
See Displaying Network Device Properties,
Network Device page appears
Exporting Network Devices and AAA Clients
Performing Bulk Operations for Network Resources and Users
Managing Network Resources Network Devices and AAA Clients
Creating, Duplicating, and Editing Network Devices
Exporting Network Resources and Users
Configuring Network Device and AAA Clients
TACACS+
SGT
KEK
Displaying Network Device Properties
TACACS+
Access Advanced Settings
Access
Security Group
Deleting Network Devices
Configuring a Default Network Device
About creating network device groups
Creating, Duplicating, and Editing External Proxy Servers
Working with External Proxy Servers
Choose Network Resources External Proxy Servers
Choose to create Radius proxy server
Deleting External Proxy Servers
OL-24201-01
Internal Identity Stores
Overview
Ldap
External Identity Stores
Identity Stores with Two-Factor Authentication
Certificate-Based Authentication
Identity Groups
Identity Sequences
Managing Internal Identity Stores
Authentication Information
Select Users and Identity Stores Identity Groups
Creating Identity Groups
Click File Operations to
Deleting an Identity Group
Managing Identity Attributes
Standard Attributes, User Attributes, Host Attributes,
User Attributes
Standard Attributes
Attribute Description
Choose System Administration Users Authentication Settings
Configuring Authentication Settings for Users
Host Attributes
Options Description
Password History
Creating Internal Users
Resources and Users,
Defined under System Administration Users Authentication
Option
Identity Stores Internal Identity Stores Users
Administration Users Authentication Settings
Mon dd hhmmss UTC YYYY, where
Deleting Users from Internal Identity Stores
Internal Users page appears without the deleted users
Creating Hosts in Identity Stores
Hhmmss UTC Yyyy , where
Deleting Internal Hosts
Attributes of Management Hierarchy
Configuring AAA Devices for Management Hierarchy
Configuring Users or Hosts for Management Hierarchy
Management Hierarchy
Configuring and Using UserIsInManagement Hierarchy Attribute
Related Topics
Ldap Overview
Managing External Identity Stores
Multiple Ldap Instances
Directory Service
Authentication Using Ldap
Configuring Ldap Groups, Viewing Ldap Attributes,
Failover
Authenticating a User Using a Bind Connection
Ldap Connection Management
Attributes Retrieval
Group Membership Information Retrieval
Creating External Ldap Identity Stores
Certificate Retrieval
Configuring an External Ldap Server Connection
Ldap Server Connection
Configuring External Ldap Directory Organization
Schema
If the tree containing subjects is the base DN, enter
External identity store you created is saved
Deleting External Ldap Identity Stores
Configuring Ldap Groups
Viewing Ldap Attributes
Leveraging Cisco NAC Profiler as an External MAB Database
Click Server
Ldap Interface Configuration in NAC Profiler
Advanced Options Active Response Delay
Click Save Profile
Configuring Endpoint Profiles in NAC Profiler
Edit NAC Profiler Definition General
Click the Server Connection tab
Test Bind to Server Dialog Box
Click Test Configuration
Number of Subjects Number of Directory Groups
Microsoft AD
Supported Authentication Protocols
User Guide for Cisco Secure Access Control System
Protocol Port number
Machine Authentication
Concurrent Connection Management
Attribute Retrieval for Authorization
Group Retrieval for Authorization
Certificate Retrieval for EAP-TLS Authentication
Machine Access Restrictions
Dial-in Permissions
Machine Authentication AD Group Required ATZ profile
Callback Options for Dial-in users
ACS Response
Dial-in Support Attributes
Machine Authentication, page B-34
Configuring an AD Identity Store
Joining ACS to an AD Domain
Click
Selecting an AD Group
Selecting an AD Group, Configuring AD Attributes,
Configuring AD Attributes
Available from the Attributes secondary window only
Joining ACS to Domain Controllers
RSA SecurID Server
Configuring RSA SecurID Agents
PIN
Creating and Editing RSA SecurID Token Servers
RSA Realm Settings Tab
Enable the RSA options file, Reset Agent Files,
Configuring ACS Instance Settings
Reset Agent Files
Enable the RSA options file
Check the Enable identity caching check box
Configuring Advanced Options
Radius Identity Stores
Supported Authentication Protocols
Radius PAP TACACS+ ASCII/PAP
User Group Mapping
Password Prompt
Groups and Attributes Mapping
Username Special Format with Safeword Server
Authentication Failure Messages
Cause of Authentication Failure Failure Cases
Radius Identity Store in Identity Sequence
Creating, Duplicating, and Editing Radius Identity Servers
User Attribute Cache
Radius PAP TACACS+ ASCII\PAP
Configuring General Settings
Server Connection
Configuring Shell Prompts
Cisco-av-pair.some-avpair
Configuring Directory Attributes
Configuring Shell Prompts, Configuring Advanced Options,
Configuring CA Certificates
Select Users and Identity Stores Certificate Authorities
Adding a Certificate Authority
Description of the certificate
Deleting a Certificate Authority
Exporting a Certificate Authority
Configuring Certificate Authentication Profiles
Certificate Authentication Profile page reappears
Attribute Retrieval Sequence
Configuring Identity Store Sequences
Authentication Sequence
Creating, Duplicating, and Editing Identity Store Sequences
22 Identity Store Sequence Properties
Deleting Identity Store Sequences
OL-24201-01
OL-24201-01
Managing Policy Conditions
Managing Policy Elements
Managing Policy Elements Managing Policy Conditions
Select Policy Elements Session Conditions Date and Time
Deleting a Session Condition, Managing Network Conditions,
Policy,
Select Policy Elements Session Conditions Custom
Managing Network Conditions
Deleting a Session Condition
Managing Policy Elements Managing Policy Conditions
Importing Network Conditions
Creating, Duplicating, and Editing End Station Filters
Exporting Network Conditions
Defining IP Address-Based End Station Filters
Defining CLI or DNIS-Based End Station Filters
Defining MAC Address-Based End Station Filters
Creating, Duplicating, and Editing Device Filters
Defining Name-Based Device Filters
Defining IP Address-Based Device Filters
Defining NDG-Based Device Filters
Creating, Duplicating, and Editing Device Port Filters
Defining IP Address-Based Device Port Filters
Defining Name-Based Device Port Filters
Defining NDG-Based Device Port Filters
Managing Authorizations and Permissions
Authorization Profiles
Specifying Common Attributes in Authorization Profiles
Specifying Authorization Profiles
Vlan ID/Name Includes a Vlan assignment
Attribute, its name, value, and type appear in the table. To
Specifying Radius Attributes in Authorization Profiles
Dictionary
Creating Security Groups,
Creating and Editing Security Groups
Related Topics
Defining Common Tasks
Defining General Shell Profile Properties
Defining Common Tasks, Defining Custom Attributes,
Privilege Level
Shell Profile Common Tasks
Replace
Defining Custom Attributes
OL-24201-01
Duplicated
Show
Creating, Duplicating, and Editing Downloadable ACLs
Appears without the deleted object
Deleting an Authorizations and Permissions Policy Element
Configuring Security Group Access Control Lists
OL-24201-01
10-1
Policy Creation Flow
Policy Creation Flow-Next Steps
Network Definition and Policy Goals
10-2
10-3
Policy Elements in the Policy Creation Flow
Policy Creation Flow-Previous Step
Network Definition and Policy Goals,
10-4
Access Service Policy Creation
Service Selection Policy Creation
Customizing a Policy
Configuring a Policy-Next Steps
Configuring the Service Selection Policy
10-5
10-6
Configuring a Simple Service Selection Policy
Service Selection Policy
Select Access Policies Service Selection Policy
10-7
See Displaying Hit Counts,
Select Access Policies Service Selection Policy. If you
Creating, Duplicating, and Editing Service Selection Rules
10-8
10-9
Conditions
Displaying Hit Counts
Deleting Service Selection Rules
10-10
Editing Default Access Services
Configuring Access Services
10-11
Select Access Policies Access Services
Creating, Duplicating, and Editing Access Services
10-12
10-13
Configuring General Access Service Properties
10-14
Select Access Policies Access Services, then click
Configuring Access Service Allowed Protocols
10-15
10-16
Server Certificates, page 18-14for more information
10-17
10-18
10-19
Configuring Access Services Templates
10-20
Deleting an Access Service
Access Service
Type Protocols Policies Conditions Results
Viewing Identity Policies
Configuring Access Service Policies
10-21
10-22
10-23
Viewing Rules-Based Identity Policies
10-24
Configuring Identity Policy Rule Properties
10-25
10-26
Configuring a Group Mapping Policy
10-27
Displaying Hit Counts,
10-28
Configuring Group Mapping Policy Rule Properties
10-29
Select Access Policies Access Services service Authorization
10-30
10-31
Configuring Network Access Authorization Rule Properties
10-32
Configuring Device Administration Authorization Policies
10-33
10-34
Condition
10-35
Configuring Authorization Exception Policies
10-36
Condition Name
10-37
Creating Policy Rules
Editing Policy Rules
Duplicating a Rule
10-38
10-39
Deleting Policy Rules
Compound Condition Building Blocks
Configuring Compound Conditions
10-40
10-41
Types of Compound Conditions
Operand1 Operand2 Example
Atomic Condition
Multiple Nested Compound Condition
Single Nested Compound Condition
10-42
10-43
Compound Expression with Dynamic value
10-44
Using the Compound Expression Builder
Policy Page,
Security Group Access Control Pages
Egress Policy Matrix
Policy Matrix,
Creating an Egress Policy,
Defining a Default Policy for Egress Policy
Creating an Egress Policy, Creating a Default Policy,
Editing a Cell in the Egress Policy Matrix
10-47
Ndac Policy
Simple Policy
Rule-Based Policy
Ndac Policy Properties
Configuring an Ndac Policy, Ndac Policy Properties Page,
10-48
10-49
Configuring an Ndac Policy, Ndac Policy Page,
Maximum User Sessions
Network Device Access EAP-FAST Settings
10-50
Max Session Group Settings
Max Session User Settings
10-51
Max User Session Global Settings
Max Session Global Setting
10-52
Purging User Sessions
Go to System Administration Users Purge User Sessions
10-53
Click Get Logged-in User List
Maximum User Session in Distributed Environment
10-54
10-55
Maximum User Session in Proxy Scenario
10-56
Epm logging
Logging monitor informational Logging origin-id ip
11-1
11-2
Authentication Records and Details
Authentication Records and Details,
Dashboard Pages
11-3
11-4
Working with Portlets
11-5
Working with Authentication Lookup Portlet
Adding Tabs to the Dashboard
Configuring Tabs in the Dashboard
Running Authentication Lookup Report
Dashboard Pages, Running Authentication Lookup Report,
Adding Applications to Tabs
Renaming Tabs in the Dashboard
11-7
11-8
Changing the Dashboard Layout
Deleting Tabs from the Dashboard
Click Manage Pages
12-1
Understanding Alarms
Threshold Alarms, System Alarms,
Threshold Alarms
Evaluation Cycle1
Evaluating Alarm Thresholds
System Alarms
Evaluating Alarm Thresholds, Notifying Users of Events,
Notifying Users of Events
Viewing and Editing Alarms in Your Inbox
12-3
12-4
Alarm Severity
12-5
12-6
12-7
12-8
Select Monitoring and Reports Alarms Inbox
12-9
Understanding Alarm Schedules
Creating and Editing Alarm Schedules
Choose Monitoring and Reports Alarms Schedules
Choose Monitoring and Reports Alarms Thresholds
Assigning Alarm Schedules to Thresholds
12-10
12-11
Creating, Editing, and Duplicating Alarm Thresholds
Deleting Alarm Schedules
Select Monitoring and Reports Alarms Thresholds
12-12
12-13
Configuring General Threshold Information
ACS Instance
Configuring Threshold Criteria
Passed Authentications
Passed Authentication Count
12-15
12-16
Failed Authentications
Failed Authentication Count
Device IP
12-17
12-18
Authentication Inactivity
12-19
Tacacs Command Accounting
12-20
Tacacs Command Authorization
12-21
ACS Configuration Changes
12-22
ACS System Diagnostics
12-23
ACS Process Status
CPU
ACS System Health
12-24
12-25
ACS AAA Health
12-26
Radius Sessions
Unknown NAD
Count of Unknown NAD Authentication Records
12-27
12-28
External DB Unavailable
12-29
Rbacl Drops
12-30
NAD
DGT
Dstip
Device IP Count of NAD-Reported AAA Down Events
NAD-Reported AAA Downtime
12-31
12-32
Configuring Threshold Notifications
12-33
Deleting Alarm Thresholds
12-34
Configuring System Alarm Settings
Creating and Editing Alarm Syslog Targets
Understanding Alarm Syslog Targets
12-35
12-36
Deleting Alarm Syslog Targets
13-1
Managing Reports
13-2
Catalog-Monitoring & Reports Reports Catalog reporttype
13-3
Working with Favorite Reports
Adding Reports to Your Favorites
Click Add to Favorites
13-4
Viewing Favorite-Report Parameters
Click Add to Favorite
Choose Monitoring and Reports Reports Favorites
13-5
Editing Favorite Reports
Running Favorite Reports
Select Monitoring & Reports Reports Favorites
Reports Reports Catalog ACS Instance
Sharing Reports
Deleting Reports from Favorites
Click Launch Interactive Viewer for more options
13-7
Working with Catalog Reports
Available Reports in the Catalog
Report Name Description Logging Category
13-8
13-9
13-10
13-11
Running Catalog Reports
13-12
Running Named Reports
Deleting Catalog Reports
13-13
13-14
Reporttype Reportname
13-15
Understanding the ReportName
13-16
13-17
13-18
Enabling Radius CoA Options on a Device
Radius Active Session Report
13-19
13-20
Customizing Reports
Restoring Reports
Click Launch Interactive Viewer
About Interactive Viewer’s Context Menus
Viewing Reports
About Standard Viewer
About Interactive Viewer
Context Menu for Column Data in Interactive Viewer
13-22
Navigating Reports
Using the Table of Contents
13-24
Exporting Report Data
12 The Export Data Dialog Box
13-25
Saving Report Designs in Interactive Viewer
Printing Reports
13-26
Editing Labels
Formatting Reports in Interactive Viewer
13-27
Select Change Text
Formatting Labels
Formatting Data
Resizing Columns
Select Style Font
Changing Column Data Alignment
Formatting Data in Columns
Formatting Data in Aggregate Rows
Data type Option Description
Formatting Data Types
13-30
13-31
Formatting Numeric Data
13-32
Formatting Fixed or Scientific Numbers or Percentages
Formatting Custom Numeric Data
Data in the data set Result of formatting
13-33
Symbol
Formatting String Data
Formatting Custom String Data
Data in the data source Results of formatting
Formatting Date and Time
13-34
13-35
Formatting Custom Date and Time
Format Result of formatting
Mmmm
Applying Conditional Formats
Formatting Boolean Data
13-36
Select Style Conditional Formatting
Setting Conditional Formatting for Columns
13-37
19 Comparison Value Field
13-38
13-39
Deleting Conditional Formatting
Setting and Removing Page Breaks in a Group Column
Setting and Removing Page Breaks in Detail Columns
13-40
Displaying and Organizing Report Data
Organizing Report Data
13-41
Select Column Move to Group Header
Reordering Columns in Interactive Viewer
13-42
13-43
Removing Columns
Select Column Hide Column
Hiding or Displaying Report Items
Hiding Columns
Select Hide or Show Items
13-45
Displaying Hidden Columns
Merging Columns
Select Column Show Columns
Select Column Merge Columns
Selecting a Column from a Merged Column
13-46
Sorting a Single Column, Sorting Multiple Columns,
Sorting Data
Sorting a Single Column
Sorting Multiple Columns
13-48
Grouping Data
13-49
Grouping Data Based on Date or Time
Adding Groups
13-50
Creating Report Calculations
Removing an Inner Group
13-51
37 Calculated Column
13-52
Function Description Example of use
Understanding Supported Calculation Functions
13-53
Countdistinct
Count
13-54
13-55
Isbottomnpercent
13-56
13-57
Movingaverage
13-58
Today
13-59
Weightedaverage
13-60
Using Numbers and Dates in an Expression
Understanding Supported Operators
Operator Description
13-61
Using Multiply Values in Calculated Columns
Adding Days to an Existing Date Value
Select Add Calculation
Subtracting Date Values in a Calculated Column
Working with Aggregate Data
13-62
13-63
Aggregate functions Description
13-64
Creating an Aggregate Data Row
Click Add aggregation
Adding Additional Aggregate Rows
13-65
13-66
Hiding and Filtering Report Data
Deleting Aggregate Rows
Hiding or Displaying Column Data
Hiding or Displaying Detail Rows in Groups or Sections
Displaying Repeated Values
13-67
Condition Description
Working with Filters
13-68
13-69
Types of Filter Conditions
13-70
Setting Filter Values
13-71
Creating Filters
Creating a Filter with Multiple Conditions
Modifying or Clearing a Filter
13-72
Click Add Condition
Click Advanced Filter
13-73
13-74
Filtering Highest or Lowest Values in Columns
13-75
Understanding Charts
Filtering Chart Data
Modifying Charts
13-76
13-77
Changing Chart Subtype
Changing Chart Formatting
Select Chart Subtype
13-78
50 Chart Formatting Options
14-1
Available Diagnostic and Troubleshooting Tools
Connectivity Tests
ACS Support Bundle
14-2
Expert Troubleshooter
ACS-Assigned SGT Records, page 14-14for more information
Diagnostic Tool Description
Performing Connectivity Tests
See Comparing Sgacl Policy Between a Network Device and ACS
14-4
Downloading ACS Support Bundles for Diagnostic Information
14-5
Working with Expert Troubleshooter
NAS IP
Troubleshooting Radius Authentications
14-6
14-7
14-8
Click Show Results Summary
14-9
Executing the Show Command on a Network Device
AAA
Evaluating the Configuration of a Network Device
14-10
SGA
Comparing Sgacl Policy Between a Network Device and ACS
14-11
14-12
Comparing the SXP-IP Mappings Between a Device and its Peers
VRF
Click the User Input Required button
14-13
14-14
14-15
Comparing Device SGT with ACS-Assigned Device SGT
14-16
15-1
15-2
15-3
Configuring Data Purging and Incremental Backup
15-4
15-5
15-6
Configuring NFS stagging
15-7
Restoring Data from a Backup
Configuring Data Purging and Incremental Backup,
Viewing Log Collections
15-8
Log Collection Details Page,
15-9
Log Collection Details
15-10
Viewing Scheduled Jobs
Recovering Log Messages
15-11
15-12
15-13
Viewing Process Status
Failure Reasons Editor
Viewing Data Upgrade Status
Viewing Failure Reasons
Editing Failure Reasons
15-15
Specifying E-Mail Settings
Configuring Snmp Preferences
Email Settings
Creating and Editing Collection Filters
Understanding Collection Filters
15-16
15-17
Configuring Alarm Syslog Targets
Configuring Remote Database Settings
Deleting Collection Filters
15-18
16-1
Managing System Administrators
16-2
Understanding Administrator Roles and Accounts
16-3
Configuring System Administrators and Accounts
Understanding Authentication
Understanding Roles
16-4
Permissions
Predefined Roles
Role Privileges
16-5
Changing Role Associations
Choose System Administration Administrators Accounts
Administrator Accounts and Role Association
16-6
16-7
Button and click View
Choose System Administration Administrators Roles
Viewing Predefined Roles
Viewing Role Properties
16-9
Configuring Authentication Settings for Administrators
16-10
Allow All IP Addresses to Connect
Configuring Session Idle Timeout
Configuring Administrator Access Settings
Choose System Administration Administrators Settings Access
Access-setting accept-all
Resetting the Administrator Password
16-12
16-13
Changing the Administrator Password
Changing Your Own Administrator Password
Choose My Workspace My Account
16-14
Resetting Another Administrator’s Password
17-1
Configuring System Operations
17-2
Service Port
Understanding Distributed Deployment
Aaa-server radius-authport
17-3
Activating Secondary Servers
Removing Secondary Servers
Activating Secondary Servers,
17-4
Understanding Local Mode
Promoting a Secondary Server
Understanding Distributed Deployment,
Understanding Full Replication
Specifying a Hardware Replacement
17-5
Choose System Administration Operations Scheduled Backups
Scheduled Backups
Creating, Duplicating, and Editing Scheduled Backups
Creating, Duplicating, and Editing Scheduled Backups,
Backing Up Primary and Secondary Instances,
Backing Up Primary and Secondary Instances
17-7
Viewing and Editing a Primary Instance
Editing Instances
17-8
17-9
Ddmmyyyy
17-10
GUI
17-11
17-12
Viewing and Editing a Secondary Instance
Deleting a Secondary Instance
Editing Instances, Viewing and Editing a Primary Instance,
17-13
Activating a Secondary Instance
Registering a Secondary Instance to a Primary Instance
Click Activate
17-14
17-15
Click Register to Primary
Click Deregister from Primary
Click Deregister
17-16
17-17
17-18
Replicating a Secondary Instance from a Primary Instance
17-19
Click Full Replication
17-20
See Registering a Secondary Instance to a Primary Instance,
17-21
Failover
17-22
Click Request Local Mode
17-23
17-24
18-1
Configuring Global System Options
Configuring TACACS+ Settings
Manage licensing. See Licensing Overview,
18-2
Configuring EAP-TLS Settings
18-3
Configuring Peap Settings
Configuring EAP-FAST Settings
Generating EAP-FAST PAC,
Tokencode
Configuring RSA SecurID Prompts
Generating EAP-FAST PAC
Click Generate PAC
Radius Ietf
Managing Dictionaries
Viewing Radius and TACACS+ Attributes
YOU Prepared to Accept a SYSTEM-GENERATED PIN?
18-6
Radius VSAs, page A-6
18-7
Viewing Radius and TACACS+ Attributes,
18-8
18-9
Viewing Radius Vendor-Specific Subattributes
18-10
Configuring Identity Dictionaries
18-11
Configuring Internal Identity Attributes
Policy Elements Session Conditions Custom
Deleting an Internal User Identity Attribute
18-12
18-13
Deleting an Internal Host Identity Attribute
Adding Local Server Certificates
Configuring Local Server Certificates
18-14
Signing Request,
Associating Certificates to Protocols,
18-15
18-16
Generating Self-Signed Certificates
EAP
Select Generate Self Signed Certificate Next
Click Finish
Generating a Certificate Signing Request
Binding CA Signed Certificates
Select Generate Certificate Signing Request Next
Select Bind CA Signed Certificate Next
Editing and Renewing Certificates
18-18
18-19
Deleting Certificates
Viewing Outstanding Signing Requests
Exporting Certificates
18-20
Configuring Remote Log Targets
Configuring Logs
18-21
18-22
Target Configuration
General
Deleting a Remote Log Target,
Deleting Local Log Data
Configuring the Local Log
Configuring Remote Log Targets,
Deleting a Remote Log Target
18-24
Configuring Logging Categories
Configuring Global Logging Categories
Option Descriptions
18-25
18-26
Category Log and Description
18-27
18-28
Show logging system
Configuring Per-Instance Security and Log Settings,
Configuring Per-Instance Logging Categories
18-29
18-30
Configuring Per-Instance Security and Log Settings
18-31
Configuring Per-Instance Remote Syslog Targets
Configure Logged Attributes
Click the Remote Syslog Target tab
18-32
Displaying Logging Categories
Viewing the Log Message Catalog
Configuring the Log Collector
18-33
18-34
Licensing Overview
Types of Licenses
License Description
18-35
Installing a License File
PAK
Viewing the Base License
18-36
Upgrading the Base Server License,
Upgrading the Base Server License
18-37
18-38
Viewing License Feature Options
18-39
Adding Deployment License Files
18-40
Deleting Deployment License Files
Available Downloads
Click Delete to delete the license file
18-41
Downloading UCP Web Service Files
Downloading Migration Utility Files
Downloading Sample Python Scripts
Choose System Administration Downloads Rest Service
Downloading Rest Services
18-42
About Logging, ACS 4.x Versus ACS 5.3 Logging,
About Logging
19-1
Logging Categories
Using Log Targets
19-2
19-3
Log Message Severity Levels
Global and Per-Instance Logging Categories
19-4
ACS Severity Syslog Severity Level Description
Local Store Target
19-5
19-6
19-7
Critical Log Target
19-8
Remote Syslog Server Target
19-9
Viewing Log Messages
Monitoring and Reports Server Target
19-10
19-11
Debug Logs
CSV
ACS 4.x Versus ACS 5.3 Logging
19-12
Use the Reports and Activity pages
Use the System Configuration Logging
19-13
19-14
Typical Use Cases
Device Administration TACACS+
PAP Chap
Network Access Radius With and Without EAP
Session Access Requests Device Administration TACACS+
Command Authorization Requests
EAP-FAST/EAP-GTC
RADIUS-Based Flow Without EAP Authentication
RADIUS-Based Flows with EAP Authentication
PEAP/EAP-GTC
Figure A-3shows a RADIUS-based authentication with EAP
Overview of TACACS+
Access Protocols-TACACS+ and Radius
Point of Comparison
Radius VSAs
Overview of Radius
ACS 5.3 as the AAA Server
Address IP Integer Time
Radius Attribute Support in ACS
Accounting
Radius Access Requests
Authentication
Authorization
OL-24201-01
Authentication and User Databases
Authentication Considerations
EAP-MSCHAPv2, page B-30
PAP, page B-2 CHAP, page B-31
EAP
Radius PAP Authentication
EAP-GTC
EAP message type EAP code
EAP Method Description
Information see EAP-MSCHAPv2, page B-30
Overview of EAP-MD5
Host Lookup, Overview of Agentless Network Access,
EAP- MD5 Flow in ACS
Overview of EAP-TLS
User Certificate Authentication
PKI Authentication
PKI Usage
PKI Credentials
Fixed Management Certificates
Acquiring Local Certificates
Importing Trust Certificates
Initial Self-Signed Certificate Generation
Importing the ACS Server Certificate
Certificate Generation
Exporting Credentials
Credentials Distribution
Hardware Replacement and Certificates
Securing the Cryptographic Sensitive Material
EAP-TLS Flow in ACS
Private Keys and Passwords Backup
Overview of PEAP, page B-15 EAP-MSCHAPv2, page B-30
PEAPv0/1
Overview of Peap
Supported Peap Features
Fast Reconnect
Creating the TLS Tunnel
Peap Flow in ACS
Overview of EAP-FAST
Authenticating with MSCHAPv2
EAP-FAST
EAP-FAST Benefits
EAP-FAST in ACS
About PACs
About Master-Keys
Types of PACs
Provisioning Modes
Automatic In-Band PAC Provisioning
Machine PAC Authentication
ACS-Supported Features for PACs
Proactive PAC Update
PAC
Accept Peer on Authenticated Provisioning
PAC-Less Authentication
PAC Type Tunnel v1/v1a/SGA Machine Authorization
Master Key Generation and PAC TTLs
EAP-FAST Flow in ACS
EAP-FAST for Allow TLS Renegotiation
EAP-FAST PAC Management
EAP-FAST PAC-Opaque Packing and Unpacking
Key Distribution Algorithm
Revocation Method
PAC Migration from ACS
EAP Authentication with Radius Key Wrap
Overview of EAP-MSCHAPv2
MSCHAPv2 for User Authentication
MSCHAPv2 for Change Password
EAP-MSCHAPv2
EAP- MSCHAPv2 Flow in ACS
Windows Machine Authentication Against AD
SAN-DNS
Certificate Attributes
Certificate Binary Comparison
SAN
Rules Relating to Textual Attributes
Certificate Revocation
Machine Authentication
MSCHAPv1/MSCHAPv2
Authentication Protocol and Identity Store Compatibility
Microsoft AD, Managing External Identity Stores,
Identity Store
EAP-MSCHAPv2
EAP-TLS
OpenSSL/Open SSL Project
License Issues
OpenSSL License
Original SSLeay License
Appendix C Open Source License Acknowledgments
OL-24201-01
GL-1
O S S a R Y
GL-2
Capability of ACS to record user sessions in a log file
GL-3
Validity and conformance of the original information
GL-4
GL-5
GL-6
GL-7
GL-8
FTP
GL-9
GL-10
EAP-FAST PAC
GL-11
GL-12
GL-13
Service providerISP
GL-14
GL-15
Extension within certificate information
GL-16
GL-17
GL-18
GL-19
GL-20
IN-1
Symbols
IN-2
IN-3
Date expressions
IN-4
Formatting symbols
IN-5
Hide Detail command
IN-6
IN-7
Or operator 13-60,13-74
IN-8
Summary values
IN-9
Upper function
IN-10
