Chapter 12 Managing Alarms

Creating, Editing, and Duplicating Alarm Thresholds

You can specify one or more filters to limit the failed authentications that are considered for threshold evaluation. Each filter is associated with a particular attribute in the records and only those records that match the filter condition are counted. If you specify multiple filter values, only the records that match all the filter conditions are counted.

Choose this category to define threshold criteria based on an external database that ACS is unable to connect to. Modify the fields in the Criteria tab as described in Table 12-22.

Table 12-22 External DB Unavailable

Option

Description

 

 

External DB Unavailable

percentcount greater than num in the past time MinutesHours for a object, where:

 

PercentCount value can be Percent or Count.

 

num values can be any one of the following:

 

 

0 to 99 for percent

 

 

0 to 99999 for count

 

time values can be 1 to 1440 minutes, or 1 to 24 hours.

 

MinutesHours value can be Minutes or Hours.

 

object values can be:

 

 

ACS Instance

 

 

Identity Store

 

 

 

 

Filter

 

 

 

 

 

ACS Instance

Click Select to choose a valid ACS instance on which to configure your threshold.

 

 

Identity Group

Click Select to choose a valid identity group name on which to configure your threshold.

 

 

Identity Store

Click Select to choose a valid identity store name on which to configure your threshold.

 

 

Access Service

Click Select to choose a valid access service name on which to configure your threshold.

 

 

Protocol

Use the drop-down list box to configure the protocol that you want to use for your threshold.

 

Valid options are:

 

RADIUS

 

TACACS+

 

 

 

 

Related Topics

Creating, Editing, and Duplicating Alarm Thresholds, page 12-11

Configuring General Threshold Information, page 12-13

Configuring Threshold Notifications, page 12-32

RBACL Drops

When ACS evaluates this threshold, it examines Cisco Security Group Access RBACL drops that occurred during the specified interval up to the previous 24 hours. The RBACL drop records are grouped by a particular common attribute, such as NAD, SGT, and so on.

A count of such records within each of those groups is computed. If the count for any group exceeds the specified threshold, an alarm is triggered. For example, consider the following threshold configuration:

RBACL Drops greater than 10 in the past 4 hours by a SGT.

 

 

User Guide for Cisco Secure Access Control System 5.3

 

 

 

 

 

 

OL-24201-01

 

 

12-29

 

 

 

 

 

Page 357
Image 357
Cisco Systems OL-24201-01 manual Rbacl Drops, 12-29