Tacacs Command Accounting, 12-19 | Cisco Systems OL-24201-01

Chapter 12 Managing Alarms

Creating, Editing, and Duplicating Alarm Thresholds

The aggregation job begins at 00:05 hours every day. From 23:50 hours, up until the time the aggregation job completes, the authentication inactivity alarms are suppressed.

For example, if your aggregation job completes at 01:00 hours today, then the authentication inactivity alarms will be suppressed from 23:50 hours until 01:00 hours.

Note If you install ACS between 00:05 hours and 05:00 hours, or if you have shut down your appliance for maintenance at 00:05 hours, then the authentication inactivity alarms are suppressed until 05:00 hours.

Choose this category to define threshold criteria based on authentications that are inactive. Modify the fields in the Criteria tab as described in Table 12-12.

Table 12-12	Authentication Inactivity

Option	Description

ACS Instance	Click Select to choose a valid ACS instance on which to configure your threshold.

Device	Click Select to choose a valid device on which to configure your threshold.

Protocol	Use the drop-down list box to configure the protocol that you want to use for your
	threshold. Valid options are:
	•	RADIUS
	•	TACACS+

Inactive for	Use the drop-down list box to select one of these valid options:
	• Hours—Specify the number of hours in the range from 1 to 744.
	• Days—Specify the number of days from 1 to 31.

TACACS Command Accounting

When ACS evaluates this threshold, it examines the TACACS+ accounting records that it received during the interval between the previous and current alarm evaluation cycle.

If one or more TACACS+ accounting records match, it calculates the time that has elapsed since the previous alarm evaluation cycle. When it reaches two, three, or five minutes depending on the number of active thresholds, ACS examines the TACACS+ accounting records received during the interval between the previous and current alarm evaluation cycle. I

If one or more TACACS+ accounting records match a specified command and privilege level, an alarm is triggered.

You can specify one or more filters to limit the accounting records that are considered for threshold evaluation. Each filter is associated with a particular attribute in the records, and only those records that match the filter condition are counted. If you specify multiple filter values, only the records that match all the filter conditions are counted.

Choose this category to define threshold criteria based on TACACS commands. Modify the fields in the Criteria tab as described in Table 12-13.

	User Guide for Cisco Secure Access Control System 5.3
	User Guide for Cisco Secure Access Control System 5.3
OL-24201-01		12-19
OL-24201-01		12-19

Cisco Systems OL-24201-01 manual Tacacs Command Accounting, 12-19

Models: OL-24201-01

Option

RADIUS

TACACS+

Related Topics

TACACS Command Accounting

User Guide for Cisco Secure Access Control System 5.3

OL-24201-01

12-19