10-16 | Cisco Systems OL-24201-01 manual

Chapter 10 Managing Access Policies

Configuring Access Services

Table 10-7	Access Service Properties—Allowed Protocols Page (continued)

Option		Description

Allow EAP-TLS		Enables the EAP-TLS Authentication protocol and configures EAP-TLS settings. You can specify
		how ACS verifies user identity as presented in the EAP Identity response from the end-user client.
		User identity is verified against information in the certificate that the end-user client presents.
		This comparison occurs after an EAP-TLS tunnel is established between ACS and the end-user
		client.
		EAP-TLS is a certificate-based authentication protocol. EAP-TLS authentication can occur only
		after you have completed the required steps to configure certificates. See Configuring Local
		Server Certificates, page 18-14for more information.

Allow LEAP		Enables LEAP authentication.

Allow PEAP		Enables the PEAP authentication protocol and PEAP settings. The default inner method is
		MSCHAPv2.
		When you check Allow PEAP, you can configure the following PEAP inner methods:
		• Allow EAP-TLS—Check to use EAP-TLS as the inner method.
		• Allow EAP-MSCHAPv2—Check to use EAP-MSCHAPv2 as the inner method.
		– Allow Password Change—Check for ACS to support password changes.
		– Retry Attempts—Specifies how many times ACS requests user credentials before
		returning login failure. Valid values are 1 to 3.
		• Allow EAP-GTC—Check to use EAP-GTC as the inner method.
		– Allow Password Change—Check for ACS to support password changes.
		– Retry Attempts—Specifies how many times ACS requests user credentials before
		returning login failure. Valid values are 1 to 3.

	User Guide for Cisco Secure Access Control System 5.3
10-16	OL-24201-01

Image 280

Cisco Systems OL-24201-01 manual Server Certificates, page 18-14for more information, 10-16

Contents

User Guide for Cisco Secure Access Control System Americas HeadquartersPage N T E N T S Iii Rules-Based Service Selection Configuring an Authorization Policy for Host Lookup Requests My Account Exporting Network Devices and AAA Clients Vii Failover Viii Radius Identity Store in Identity Sequence Managing Access Policies Maximum User Session in Distributed Environment Creating and Editing Alarm Schedules Xii Exporting Report Data Xiii Adding Groups Xiv Filtering Chart Data Managing System Administrators Xvi Activating a Secondary Instance Xvii Configuring Logs Xviii Using Log Targets Xix PKI Usage EAP-MSCHAPv2 B-30 Xxi Xxii Document Conventions AudienceRevised April 17 Documentation Updates Related DocumentationDate Description Store Obtaining Documentation and Submitting a Service Request Preface User Guide for Cisco Secure Access Control System Introducing ACS Overview of ACS ACS Distributed Deployment ACS 4.x and 5.3 ReplicationRelated Topics Related Topic ACS Management Interfaces ACS Licensing ModelACS ACS Command Line Interface ACS Web-based Interface Config Hardware Models Supported by ACSACS Programmatic Interfaces ACS Web-based Interface, OL-24201-01 Migrating from ACS 4.x to ACS Overview of the Migration Process Migration RequirementsSupported Migration Versions Migration Requirements, Supported Migration Versions, Select System Administration Downloads Migration Utility Before You BeginDownloading Migration Files Migrating from ACS 4.x to ACS Migrating from ACS 4.x to ACS Functionality Mapping from ACS 4.x to ACS Radius Common Scenarios in Migration Migrating from ACS 4.2 on Csacs 1120 to ACSRadius VSA VSA Migrating from ACS 3.x to ACS Migrating Data from Other AAA Servers to ACS Migrating from ACS 4.x to ACS Common Scenarios in Migration OL-24201-01 ACS 5.x Policy Model Overview of the ACS 5.x Policy Model Information in ACS 5.3 Policy Element Policy Terminology Term Description Rule-Based Policies Simple PoliciesTypes of Policies, Types of Policies Access Services Policy Type Access Service B Access Service C Access Service a For Device Administration Hosts Wireless DevicesAccess Service Templates Radius and TACACS+ Proxy Services Feature ACS Identity Policy Failure Options Processing Rules with Multiple Command Sets Authorization Policy for Device AdministrationGroup Mapping Policy Service Selection Policy Simple Service SelectionException Authorization Policy Rules Simple Service Selection, Rules-Based Service Selection, Rules-Based Service Selection Access Services and Service Selection Scenarios First-Match Rule Tables Example Policy Rule Table Column Description Policy Conditions Authorization Profiles for Network AccessPolicy Results Processing Rules with Multiple Authorization Profiles Policies and Identity Attributes Policies and Network Device Groups Example of a Rule-Based Policy Flows for Configuring Services and Policies Prerequisites Editing Access Services, Customizing a Policy, Configuring Access Service Policies,Step Action Drawer in Web Interface Editing a Custom Session Condition, Related Topics OL-24201-01 Common Scenarios Using ACS Overview of Device Administration Session Administration Command Authorization TACACS+ Custom Services and Attributes Password-Based Network AccessOverview of Password-Based Network Access PEAP-GTC RADIUS-PAP RADIUS-CHAPEAP-FAST-GTC EAP-MD5 Leap Password-Based Network Access Configuration Flow Protocol ActionMAB Radius PAP Radius Chap EAP-MSCHAPv2 or EAP-GTC or both PeapEAP-FAST Certificate-Based Network Access Overview of Certificate-Based Network Access Using Certificates in ACS Certificate-Based Network Access for EAP-TLSBefore you Begin EAP-TLS User Guide for Cisco Secure Access Control System Overview of Agentless Network Access Agentless Network AccessValidating an Ldap Secure Authentication Connection Use Cases Attribute Host Lookup802.1x Authentication with Call Check PAP/EAP-MD5 Authentication Process Service-Type Call Check Agentless Network Access Flow For more information, see , Managing Policy Elements Configuring an Ldap External Identity Store for Host Lookup Adding a Host to an Internal Identity StorePrevious Step Next Step Creating an Access Service for Host Lookup Creating an Access Service for Host Lookup,Previous Steps Managing Identity Attributes, See Viewing Identity Policies, page 10-21, for details Configuring an Identity Policy for Host Lookup RequestsClick Save Changes See Customizing a Policy, page 10-4, for more information VPN Remote Network AccessSelect Host Lookup and click OK Supported Authentication Protocols Supported Identity StoresRADIUS/PAP RADIUS/CHAP LDAP-RADIUS/PAP Configuring VPN Remote Access Service Supported VPN Network Access ServersSupported VPN Clients ACS and Cisco Security Group Access Adding Devices for Security Group Access Creating Security Groups Configuring an Ndac Policy Creating SGACLs Creating an Access Service for Security Group Access Configuring EAP-FAST Settings for Security Group AccessSelect Network Access, and check Identity and Authorization Creating an Endpoint Admission Control Policy Creating an Egress Policy Creating a Default Policy Radius and TACACS+ Proxy Requests Tacplusauthor Tacplusauthen Supported ProtocolsTacplusacct Supported Radius Attributes TACACS+ Body EncryptionConnection to TACACS+ Server PAP Ascii Chap Configuring Proxy Service My Workspace Welcome WelcomeField Description Task Guides My Account Accessing the Web Interface Using the Web InterfaceLogging In, Logging Out, Logging Understanding the Web Interface Logging Out Header, Navigation Pane, Content Area, Navigation Pane, Content Area,Web Interface Design Header Navigation Pane Drawer Function Content Area Header, Content Area, Web Interface Location Deleted item Button or Field Description Filtering Sorting Secondary Windows Transfer Boxes Secondary Window Transfer Box Fields and Buttons Rule Table Pages Schedule Boxes Option Description See Displaying Hit Counts, page 10-10for more information ACS 5.x Policy Model Supported ACS ObjectsSupported ACS Objects, Creating Import Files, Property Name Property Data Type Creating Import Files Uments Downloading the Template from the Web Interface Understanding the CSV TemplatesClick File Operations Click Download Add Template Creating the Import File Header Field Description Updating the Records in the ACS Internal Store Deleting Records from the ACS Internal Store Common Errors Concurrency Conflict Errors Deletion Errors System Failure Errors AccessibilityDisplay and Readability Features Keyboard and Mouse Features Obtaining Additional Accessibility Information Configuring Minimal System Setup Step No Task Drawer Refer to Configuring Local Server Configuring AuthenticationSettings for Administrators Configuring Administrator Step No Task Drawer Refer to Configuring ACS to Manage Access Policies Task Drawer Refer to Configuring System Alarm Settings,Understanding Alarm Duplicating Alarm OL-24201-01 Managing Network Resources External Servers Creating, Duplicating, and Editing Network Device Groups Network Device GroupsChoose Network Resources Network Device Groups Deleting Network Device Groups Field Description Network Devices and AAA Clients Deleting Network Device Groups from a Hierarchy Choose Network Resources Network Devices and AAA Clients Viewing and Performing Bulk Operations for Network DevicesSee Displaying Network Device Properties, Exporting Network Devices and AAA Clients Network Device page appears Performing Bulk Operations for Network Resources and Users Managing Network Resources Network Devices and AAA Clients Exporting Network Resources and Users Creating, Duplicating, and Editing Network Devices Configuring Network Device and AAA Clients TACACS+ KEK SGT Displaying Network Device Properties TACACS+ Access Advanced Settings AccessSecurity Group Configuring a Default Network Device Deleting Network Devices About creating network device groups Creating, Duplicating, and Editing External Proxy Servers Working with External Proxy ServersChoose Network Resources External Proxy Servers Choose to create Radius proxy server Deleting External Proxy Servers OL-24201-01 Overview Internal Identity Stores External Identity Stores Ldap Identity Stores with Two-Factor Authentication Certificate-Based AuthenticationIdentity Groups Managing Internal Identity Stores Identity Sequences Authentication Information Select Users and Identity Stores Identity Groups Creating Identity GroupsClick File Operations to Deleting an Identity Group Managing Identity AttributesStandard Attributes, User Attributes, Host Attributes, User Attributes Standard AttributesAttribute Description Choose System Administration Users Authentication Settings Configuring Authentication Settings for UsersHost Attributes Password History Options Description Creating Internal Users Resources and Users, Defined under System Administration Users AuthenticationOption Administration Users Authentication Settings Identity Stores Internal Identity Stores Users Deleting Users from Internal Identity Stores Mon dd hhmmss UTC YYYY, where Internal Users page appears without the deleted users Creating Hosts in Identity Stores Hhmmss UTC Yyyy , where Deleting Internal Hosts Configuring AAA Devices for Management Hierarchy Configuring Users or Hosts for Management HierarchyManagement Hierarchy Attributes of Management Hierarchy Configuring and Using UserIsInManagement Hierarchy Attribute Related Topics Managing External Identity Stores Ldap Overview Directory Service Authentication Using LdapConfiguring Ldap Groups, Viewing Ldap Attributes, Multiple Ldap Instances Failover Authenticating a User Using a Bind ConnectionLdap Connection Management Group Membership Information Retrieval Attributes Retrieval Certificate Retrieval Creating External Ldap Identity Stores Configuring an External Ldap Server Connection Ldap Server Connection Configuring External Ldap Directory Organization Schema If the tree containing subjects is the base DN, enter External identity store you created is saved Configuring Ldap Groups Deleting External Ldap Identity Stores Leveraging Cisco NAC Profiler as an External MAB Database Viewing Ldap Attributes Click Server Advanced Options Active Response Delay Ldap Interface Configuration in NAC Profiler Configuring Endpoint Profiles in NAC Profiler Click Save Profile Click the Server Connection tab Edit NAC Profiler Definition General Click Test Configuration Test Bind to Server Dialog Box Number of Subjects Number of Directory Groups Supported Authentication Protocols Microsoft AD User Guide for Cisco Secure Access Control System Machine Authentication Protocol Port number Attribute Retrieval for Authorization Group Retrieval for AuthorizationCertificate Retrieval for EAP-TLS Authentication Concurrent Connection Management Machine Access Restrictions Dial-in Permissions Machine Authentication AD Group Required ATZ profileCallback Options for Dial-in users Dial-in Support Attributes ACS Response Machine Authentication, page B-34 Configuring an AD Identity StoreJoining ACS to an AD Domain Click Selecting an AD Group, Configuring AD Attributes, Selecting an AD Group Configuring AD Attributes Available from the Attributes secondary window only Joining ACS to Domain Controllers Configuring RSA SecurID Agents RSA SecurID Server Creating and Editing RSA SecurID Token Servers PIN RSA Realm Settings Tab Configuring ACS Instance Settings Enable the RSA options file, Reset Agent Files, Enable the RSA options file Reset Agent Files Configuring Advanced Options Check the Enable identity caching check box Radius Identity Stores Supported Authentication ProtocolsRadius PAP TACACS+ ASCII/PAP User Group Mapping Password PromptGroups and Attributes Mapping Authentication Failure Messages Cause of Authentication Failure Failure CasesRadius Identity Store in Identity Sequence Username Special Format with Safeword Server Creating, Duplicating, and Editing Radius Identity Servers User Attribute CacheRadius PAP TACACS+ ASCII\PAP Configuring General Settings Server Connection Configuring Shell Prompts Configuring Directory Attributes Cisco-av-pair.some-avpair Configuring CA Certificates Configuring Shell Prompts, Configuring Advanced Options, Adding a Certificate Authority Select Users and Identity Stores Certificate Authorities Description of the certificate Deleting a Certificate Authority Configuring Certificate Authentication Profiles Exporting a Certificate Authority Certificate Authentication Profile page reappears Configuring Identity Store Sequences Authentication SequenceCreating, Duplicating, and Editing Identity Store Sequences Attribute Retrieval Sequence 22 Identity Store Sequence Properties Deleting Identity Store Sequences OL-24201-01 OL-24201-01 Managing Policy Elements Managing Policy Conditions Managing Policy Elements Managing Policy Conditions Deleting a Session Condition, Managing Network Conditions, Select Policy Elements Session Conditions Date and Time Policy, Select Policy Elements Session Conditions Custom Deleting a Session Condition Managing Network Conditions Managing Policy Elements Managing Policy Conditions Importing Network Conditions Exporting Network Conditions Creating, Duplicating, and Editing End Station Filters Defining IP Address-Based End Station Filters Defining MAC Address-Based End Station Filters Defining CLI or DNIS-Based End Station Filters Creating, Duplicating, and Editing Device Filters Defining IP Address-Based Device Filters Defining Name-Based Device Filters Creating, Duplicating, and Editing Device Port Filters Defining NDG-Based Device Filters Defining IP Address-Based Device Port Filters Defining Name-Based Device Port Filters Managing Authorizations and Permissions Defining NDG-Based Device Port Filters Authorization Profiles Specifying Authorization Profiles Specifying Common Attributes in Authorization Profiles Vlan ID/Name Includes a Vlan assignment Specifying Radius Attributes in Authorization Profiles Attribute, its name, value, and type appear in the table. To Dictionary Creating and Editing Security Groups Creating Security Groups, Related Topics Defining Common Tasks Defining General Shell Profile PropertiesDefining Common Tasks, Defining Custom Attributes, Privilege Level Shell Profile Common Tasks Defining Custom Attributes Replace OL-24201-01 Show Duplicated Creating, Duplicating, and Editing Downloadable ACLs Deleting an Authorizations and Permissions Policy Element Appears without the deleted object Configuring Security Group Access Control Lists OL-24201-01 Policy Creation Flow 10-1 Policy Creation Flow-Next Steps Network Definition and Policy Goals10-2 Policy Elements in the Policy Creation Flow Policy Creation Flow-Previous StepNetwork Definition and Policy Goals, 10-3 Access Service Policy Creation Service Selection Policy CreationCustomizing a Policy 10-4 Configuring a Policy-Next Steps Configuring the Service Selection Policy10-5 Configuring a Simple Service Selection Policy Service Selection PolicySelect Access Policies Service Selection Policy 10-6 See Displaying Hit Counts, 10-7 Select Access Policies Service Selection Policy. If you Creating, Duplicating, and Editing Service Selection Rules10-8 Conditions 10-9 Displaying Hit Counts Deleting Service Selection Rules10-10 Editing Default Access Services Configuring Access Services10-11 Select Access Policies Access Services Creating, Duplicating, and Editing Access Services10-12 Configuring General Access Service Properties 10-13 10-14 Select Access Policies Access Services, then click Configuring Access Service Allowed Protocols10-15 Server Certificates, page 18-14for more information 10-16 10-17 10-18 Configuring Access Services Templates 10-19 Deleting an Access Service Access ServiceType Protocols Policies Conditions Results 10-20 Viewing Identity Policies Configuring Access Service Policies10-21 10-22 Viewing Rules-Based Identity Policies 10-23 Configuring Identity Policy Rule Properties 10-24 10-25 Configuring a Group Mapping Policy 10-26 Displaying Hit Counts, 10-27 Configuring Group Mapping Policy Rule Properties 10-28 Select Access Policies Access Services service Authorization 10-29 10-30 Configuring Network Access Authorization Rule Properties 10-31 Configuring Device Administration Authorization Policies 10-32 10-33 Condition 10-34 Configuring Authorization Exception Policies 10-35 Condition Name 10-36 Creating Policy Rules 10-37 Editing Policy Rules Duplicating a Rule10-38 Deleting Policy Rules 10-39 Compound Condition Building Blocks Configuring Compound Conditions10-40 Types of Compound Conditions Operand1 Operand2 ExampleAtomic Condition 10-41 Multiple Nested Compound Condition Single Nested Compound Condition10-42 Compound Expression with Dynamic value 10-43 Using the Compound Expression Builder 10-44 Security Group Access Control Pages Egress Policy MatrixPolicy Matrix, Policy Page, Defining a Default Policy for Egress Policy Creating an Egress Policy, Creating a Default Policy,Editing a Cell in the Egress Policy Matrix Creating an Egress Policy, Ndac Policy Simple PolicyRule-Based Policy 10-47 Ndac Policy Properties Configuring an Ndac Policy, Ndac Policy Properties Page,10-48 Configuring an Ndac Policy, Ndac Policy Page, 10-49 Maximum User Sessions Network Device Access EAP-FAST Settings10-50 Max Session Group Settings Max Session User Settings10-51 Max User Session Global Settings Max Session Global Setting10-52 Purging User Sessions Go to System Administration Users Purge User Sessions10-53 Click Get Logged-in User List Maximum User Session in Distributed Environment10-54 Maximum User Session in Proxy Scenario 10-55 10-56 Epm logging Logging monitor informational Logging origin-id ip11-1 Authentication Records and Details Authentication Records and Details,Dashboard Pages 11-2 11-3 Working with Portlets 11-4 Working with Authentication Lookup Portlet 11-5 Configuring Tabs in the Dashboard Running Authentication Lookup ReportDashboard Pages, Running Authentication Lookup Report, Adding Tabs to the Dashboard Adding Applications to Tabs Renaming Tabs in the Dashboard11-7 Changing the Dashboard Layout Deleting Tabs from the DashboardClick Manage Pages 11-8 Understanding Alarms Threshold Alarms, System Alarms,Threshold Alarms 12-1 Evaluating Alarm Thresholds System AlarmsEvaluating Alarm Thresholds, Notifying Users of Events, Evaluation Cycle1 Notifying Users of Events Viewing and Editing Alarms in Your Inbox12-3 Alarm Severity 12-4 12-5 12-6 12-7 Select Monitoring and Reports Alarms Inbox 12-8 Understanding Alarm Schedules Creating and Editing Alarm SchedulesChoose Monitoring and Reports Alarms Schedules 12-9 Choose Monitoring and Reports Alarms Thresholds Assigning Alarm Schedules to Thresholds12-10 Creating, Editing, and Duplicating Alarm Thresholds Deleting Alarm SchedulesSelect Monitoring and Reports Alarms Thresholds 12-11 12-12 Configuring General Threshold Information 12-13 Configuring Threshold Criteria Passed AuthenticationsPassed Authentication Count ACS Instance 12-15 Failed Authentications Failed Authentication CountDevice IP 12-16 12-17 Authentication Inactivity 12-18 Tacacs Command Accounting 12-19 Tacacs Command Authorization 12-20 ACS Configuration Changes 12-21 ACS System Diagnostics 12-22 ACS Process Status 12-23 CPU ACS System Health12-24 ACS AAA Health 12-25 Radius Sessions 12-26 Unknown NAD Count of Unknown NAD Authentication Records12-27 External DB Unavailable 12-28 Rbacl Drops 12-29 NAD DGTDstip 12-30 Device IP Count of NAD-Reported AAA Down Events NAD-Reported AAA Downtime12-31 Configuring Threshold Notifications 12-32 Deleting Alarm Thresholds 12-33 Configuring System Alarm Settings 12-34 Creating and Editing Alarm Syslog Targets Understanding Alarm Syslog Targets12-35 Deleting Alarm Syslog Targets 12-36 Managing Reports 13-1 Catalog-Monitoring & Reports Reports Catalog reporttype 13-2 Working with Favorite Reports Adding Reports to Your FavoritesClick Add to Favorites 13-3 Viewing Favorite-Report Parameters Click Add to FavoriteChoose Monitoring and Reports Reports Favorites 13-4 Editing Favorite Reports Running Favorite ReportsSelect Monitoring & Reports Reports Favorites 13-5 Sharing Reports Deleting Reports from FavoritesClick Launch Interactive Viewer for more options Reports Reports Catalog ACS Instance Working with Catalog Reports Available Reports in the CatalogReport Name Description Logging Category 13-7 13-8 13-9 13-10 Running Catalog Reports 13-11 13-12 Running Named Reports Deleting Catalog Reports13-13 Reporttype Reportname 13-14 Understanding the ReportName 13-15 13-16 13-17 Enabling Radius CoA Options on a Device 13-18 13-19 Radius Active Session Report Customizing Reports Restoring ReportsClick Launch Interactive Viewer 13-20 Viewing Reports About Standard ViewerAbout Interactive Viewer About Interactive Viewer’s Context Menus 13-22 Context Menu for Column Data in Interactive Viewer Using the Table of Contents Navigating Reports Exporting Report Data 13-24 13-25 12 The Export Data Dialog Box Saving Report Designs in Interactive Viewer Printing Reports13-26 Editing Labels Formatting Reports in Interactive Viewer13-27 Formatting Labels Formatting DataResizing Columns Select Change Text Changing Column Data Alignment Formatting Data in ColumnsFormatting Data in Aggregate Rows Select Style Font Data type Option Description Formatting Data Types13-30 Formatting Numeric Data 13-31 Formatting Fixed or Scientific Numbers or Percentages Formatting Custom Numeric DataData in the data set Result of formatting 13-32 Symbol Formatting String DataFormatting Custom String Data 13-33 Data in the data source Results of formatting Formatting Date and Time13-34 Formatting Custom Date and Time Format Result of formattingMmmm 13-35 Applying Conditional Formats Formatting Boolean Data13-36 Select Style Conditional Formatting Setting Conditional Formatting for Columns13-37 13-38 19 Comparison Value Field Deleting Conditional Formatting 13-39 Setting and Removing Page Breaks in a Group Column Setting and Removing Page Breaks in Detail Columns13-40 Displaying and Organizing Report Data Organizing Report Data13-41 Select Column Move to Group Header Reordering Columns in Interactive Viewer13-42 Removing Columns 13-43 Hiding or Displaying Report Items Hiding ColumnsSelect Hide or Show Items Select Column Hide Column Displaying Hidden Columns Merging ColumnsSelect Column Show Columns 13-45 Select Column Merge Columns Selecting a Column from a Merged Column13-46 Sorting Data Sorting a Single ColumnSorting Multiple Columns Sorting a Single Column, Sorting Multiple Columns, Grouping Data 13-48 13-49 Grouping Data Based on Date or Time Adding Groups13-50 Creating Report Calculations Removing an Inner Group13-51 13-52 37 Calculated Column Function Description Example of use Understanding Supported Calculation Functions13-53 Countdistinct Count13-54 Isbottomnpercent 13-55 13-56 Movingaverage 13-57 Today 13-58 Weightedaverage 13-59 Using Numbers and Dates in an Expression Understanding Supported OperatorsOperator Description 13-60 Using Multiply Values in Calculated Columns Adding Days to an Existing Date ValueSelect Add Calculation 13-61 Subtracting Date Values in a Calculated Column Working with Aggregate Data13-62 Aggregate functions Description 13-63 Creating an Aggregate Data Row 13-64 Click Add aggregation Adding Additional Aggregate Rows13-65 Hiding and Filtering Report Data Deleting Aggregate RowsHiding or Displaying Column Data 13-66 Hiding or Displaying Detail Rows in Groups or Sections Displaying Repeated Values13-67 Condition Description Working with Filters13-68 Types of Filter Conditions 13-69 Setting Filter Values 13-70 Creating Filters 13-71 Creating a Filter with Multiple Conditions Modifying or Clearing a Filter13-72 Click Add Condition Click Advanced Filter13-73 Filtering Highest or Lowest Values in Columns 13-74 Understanding Charts 13-75 Filtering Chart Data Modifying Charts13-76 Changing Chart Subtype Changing Chart FormattingSelect Chart Subtype 13-77 50 Chart Formatting Options 13-78 Available Diagnostic and Troubleshooting Tools Connectivity TestsACS Support Bundle 14-1 Expert Troubleshooter 14-2 Diagnostic Tool Description Performing Connectivity TestsSee Comparing Sgacl Policy Between a Network Device and ACS ACS-Assigned SGT Records, page 14-14for more information Downloading ACS Support Bundles for Diagnostic Information 14-4 Working with Expert Troubleshooter 14-5 NAS IP Troubleshooting Radius Authentications14-6 14-7 Click Show Results Summary 14-8 Executing the Show Command on a Network Device 14-9 AAA Evaluating the Configuration of a Network Device14-10 SGA Comparing Sgacl Policy Between a Network Device and ACS14-11 Comparing the SXP-IP Mappings Between a Device and its Peers 14-12 VRF Click the User Input Required button14-13 14-14 Comparing Device SGT with ACS-Assigned Device SGT 14-15 14-16 15-1 15-2 Configuring Data Purging and Incremental Backup 15-3 15-4 15-5 Configuring NFS stagging 15-6 Restoring Data from a Backup Configuring Data Purging and Incremental Backup,Viewing Log Collections 15-7 Log Collection Details Page, 15-8 Log Collection Details 15-9 15-10 Viewing Scheduled Jobs Recovering Log Messages15-11 15-12 Viewing Process Status 15-13 Viewing Data Upgrade Status Viewing Failure ReasonsEditing Failure Reasons Failure Reasons Editor Specifying E-Mail Settings Configuring Snmp PreferencesEmail Settings 15-15 Creating and Editing Collection Filters Understanding Collection Filters15-16 Configuring Alarm Syslog Targets Configuring Remote Database SettingsDeleting Collection Filters 15-17 15-18 Managing System Administrators 16-1 Understanding Administrator Roles and Accounts 16-2 Configuring System Administrators and Accounts Understanding AuthenticationUnderstanding Roles 16-3 Permissions Predefined RolesRole Privileges 16-4 Changing Role Associations 16-5 Choose System Administration Administrators Accounts Administrator Accounts and Role Association16-6 16-7 Choose System Administration Administrators Roles Viewing Predefined RolesViewing Role Properties Button and click View Configuring Authentication Settings for Administrators 16-9 16-10 Configuring Session Idle Timeout Configuring Administrator Access SettingsChoose System Administration Administrators Settings Access Allow All IP Addresses to Connect Access-setting accept-all Resetting the Administrator Password16-12 Changing the Administrator Password Changing Your Own Administrator PasswordChoose My Workspace My Account 16-13 Resetting Another Administrator’s Password 16-14 Configuring System Operations 17-1 Service Port Understanding Distributed DeploymentAaa-server radius-authport 17-2 Activating Secondary Servers Removing Secondary ServersActivating Secondary Servers, 17-3 Understanding Local Mode Promoting a Secondary ServerUnderstanding Distributed Deployment, 17-4 Understanding Full Replication Specifying a Hardware Replacement17-5 Scheduled Backups Creating, Duplicating, and Editing Scheduled BackupsCreating, Duplicating, and Editing Scheduled Backups, Choose System Administration Operations Scheduled Backups Backing Up Primary and Secondary Instances, Backing Up Primary and Secondary Instances17-7 Viewing and Editing a Primary Instance Editing Instances17-8 Ddmmyyyy 17-9 GUI 17-10 17-11 Viewing and Editing a Secondary Instance Deleting a Secondary InstanceEditing Instances, Viewing and Editing a Primary Instance, 17-12 Activating a Secondary Instance Registering a Secondary Instance to a Primary InstanceClick Activate 17-13 17-14 Click Register to Primary 17-15 Click Deregister from Primary Click Deregister17-16 17-17 Replicating a Secondary Instance from a Primary Instance 17-18 Click Full Replication 17-19 See Registering a Secondary Instance to a Primary Instance, 17-20 Failover 17-21 Click Request Local Mode 17-22 17-23 17-24 Configuring Global System Options Configuring TACACS+ SettingsManage licensing. See Licensing Overview, 18-1 Configuring EAP-TLS Settings 18-2 Configuring Peap Settings Configuring EAP-FAST SettingsGenerating EAP-FAST PAC, 18-3 Configuring RSA SecurID Prompts Generating EAP-FAST PACClick Generate PAC Tokencode Managing Dictionaries Viewing Radius and TACACS+ AttributesYOU Prepared to Accept a SYSTEM-GENERATED PIN? Radius Ietf Radius VSAs, page A-6 18-6 Viewing Radius and TACACS+ Attributes, 18-7 18-8 Viewing Radius Vendor-Specific Subattributes 18-9 Configuring Identity Dictionaries 18-10 Configuring Internal Identity Attributes 18-11 Policy Elements Session Conditions Custom Deleting an Internal User Identity Attribute18-12 Deleting an Internal Host Identity Attribute 18-13 Adding Local Server Certificates Configuring Local Server Certificates18-14 Signing Request, Associating Certificates to Protocols,18-15 Generating Self-Signed Certificates EAPSelect Generate Self Signed Certificate Next 18-16 Generating a Certificate Signing Request Binding CA Signed CertificatesSelect Generate Certificate Signing Request Next Click Finish Select Bind CA Signed Certificate Next Editing and Renewing Certificates18-18 Deleting Certificates 18-19 Viewing Outstanding Signing Requests Exporting Certificates18-20 Configuring Remote Log Targets Configuring Logs18-21 Target Configuration GeneralDeleting a Remote Log Target, 18-22 Configuring the Local Log Configuring Remote Log Targets,Deleting a Remote Log Target Deleting Local Log Data Configuring Logging Categories Configuring Global Logging CategoriesOption Descriptions 18-24 18-25 Category Log and Description 18-26 18-27 Show logging system 18-28 Configuring Per-Instance Security and Log Settings, Configuring Per-Instance Logging Categories18-29 Configuring Per-Instance Security and Log Settings 18-30 Configuring Per-Instance Remote Syslog Targets Configure Logged AttributesClick the Remote Syslog Target tab 18-31 Displaying Logging Categories 18-32 Viewing the Log Message Catalog Configuring the Log Collector18-33 Licensing Overview Types of LicensesLicense Description 18-34 Installing a License File 18-35 PAK Viewing the Base License18-36 Upgrading the Base Server License, Upgrading the Base Server License18-37 Viewing License Feature Options 18-38 Adding Deployment License Files 18-39 Deleting Deployment License Files Available DownloadsClick Delete to delete the license file 18-40 Downloading UCP Web Service Files Downloading Migration Utility FilesDownloading Sample Python Scripts 18-41 Choose System Administration Downloads Rest Service Downloading Rest Services18-42 About Logging, ACS 4.x Versus ACS 5.3 Logging, About Logging19-1 Logging Categories Using Log Targets19-2 19-3 Log Message Severity Levels Global and Per-Instance Logging Categories19-4 ACS Severity Syslog Severity Level Description Local Store Target19-5 19-6 Critical Log Target 19-7 Remote Syslog Server Target 19-8 19-9 Viewing Log Messages Monitoring and Reports Server Target19-10 Debug Logs 19-11 CSV ACS 4.x Versus ACS 5.3 Logging19-12 Use the Reports and Activity pages Use the System Configuration Logging19-13 19-14 Device Administration TACACS+ Typical Use Cases Network Access Radius With and Without EAP Session Access Requests Device Administration TACACS+Command Authorization Requests PAP Chap RADIUS-Based Flow Without EAP Authentication RADIUS-Based Flows with EAP AuthenticationPEAP/EAP-GTC EAP-FAST/EAP-GTC Figure A-3shows a RADIUS-based authentication with EAP Overview of TACACS+ Access Protocols-TACACS+ and RadiusPoint of Comparison Overview of Radius Radius VSAs ACS 5.3 as the AAA Server Radius Attribute Support in ACS Address IP Integer Time Radius Access Requests AuthenticationAuthorization Accounting OL-24201-01 Authentication Considerations Authentication and User Databases PAP, page B-2 CHAP, page B-31 EAP-MSCHAPv2, page B-30 Radius PAP Authentication EAP EAP message type EAP code EAP Method DescriptionInformation see EAP-MSCHAPv2, page B-30 EAP-GTC Overview of EAP-MD5 Host Lookup, Overview of Agentless Network Access,EAP- MD5 Flow in ACS User Certificate Authentication Overview of EAP-TLS PKI Authentication PKI Credentials PKI Usage Fixed Management Certificates Acquiring Local CertificatesImporting Trust Certificates Initial Self-Signed Certificate Generation Importing the ACS Server CertificateCertificate Generation Exporting Credentials Credentials Distribution Hardware Replacement and CertificatesSecuring the Cryptographic Sensitive Material Private Keys and Passwords Backup EAP-TLS Flow in ACS PEAPv0/1 Overview of PEAP, page B-15 EAP-MSCHAPv2, page B-30 Supported Peap Features Overview of Peap Fast Reconnect Peap Flow in ACS Creating the TLS Tunnel Authenticating with MSCHAPv2 Overview of EAP-FAST EAP-FAST EAP-FAST in ACS EAP-FAST Benefits About Master-Keys About PACs Provisioning Modes Types of PACs Automatic In-Band PAC Provisioning Machine PAC Authentication ACS-Supported Features for PACsProactive PAC Update Accept Peer on Authenticated Provisioning PAC-Less AuthenticationPAC Type Tunnel v1/v1a/SGA Machine Authorization PAC Master Key Generation and PAC TTLs EAP-FAST Flow in ACSEAP-FAST for Allow TLS Renegotiation EAP-FAST PAC Management EAP-FAST PAC-Opaque Packing and Unpacking Key Distribution AlgorithmRevocation Method EAP Authentication with Radius Key Wrap PAC Migration from ACS MSCHAPv2 for User Authentication MSCHAPv2 for Change PasswordEAP-MSCHAPv2 Overview of EAP-MSCHAPv2 Windows Machine Authentication Against AD EAP- MSCHAPv2 Flow in ACS Certificate Attributes Certificate Binary ComparisonSAN SAN-DNS Certificate Revocation Rules Relating to Textual Attributes Machine Authentication Authentication Protocol and Identity Store Compatibility Microsoft AD, Managing External Identity Stores,Identity Store MSCHAPv1/MSCHAPv2 EAP-TLS EAP-MSCHAPv2 OpenSSL/Open SSL Project License IssuesOpenSSL License Original SSLeay License Appendix C Open Source License Acknowledgments OL-24201-01 O S S a R Y GL-1 Capability of ACS to record user sessions in a log file GL-2 Validity and conformance of the original information GL-3 GL-4 GL-5 GL-6 GL-7 GL-8 GL-9 FTP EAP-FAST PAC GL-10 GL-11 GL-12 Service providerISP GL-13 GL-14 Extension within certificate information GL-15 GL-16 GL-17 GL-18 GL-19 GL-20 Symbols IN-1 IN-2 Date expressions IN-3 Formatting symbols IN-4 Hide Detail command IN-5 IN-6 Or operator 13-60,13-74 IN-7 Summary values IN-8 Upper function IN-9 IN-10