Chapter 13 Managing Reports

Catalog—Monitoring & Reports > Reports > Catalog > <report_type>

For easy access, you can add reports to your Favorites page, from which you can customize and delete reports. You can customize the reports that must be shared within your group and add them to the Shared page. The Catalog pages provide a rich set of reports on log, diagnostic, and troubleshooting data retrieved from the ACS servers in your deployment.

The reports that reside in these pages can be:

System reports—Preconfigured with the ACS software; you can view the list of system reports in the Reports > Catalog pages.

Customized reports—System reports that you have configured and saved (see Customizing Reports, page 13-20).

Note Performance of reports in Internet Explorer (IE) 7.0 is slow because of a phishing filter, which is a new feature in IE 7.0. To resolve this issue, you must get the latest security updates from Microsoft. For more information on this, go to http://support.microsoft.com/kb/928089/.

In addition, ACS 5.3 introduces the Dynamic Change of Authorization (CoA) feature through a new report, the RADIUS Active Sessions report, which allows you to dynamically control active RADIUS sessions. With this feature, you can send a reauthenticate or disconnect request to a NAD to:

Troubleshoot issues related to authentication—You can use the Disconnect:None option to follow up with another attempt to reauthenticate.

You must not use the disconnect option to restrict access. To restrict access, use the shutdown option.

Block a problematic host—You can use the Disconnect:Port Disable option to block an infected host that sends a lot of traffic over the network.

The RADIUS protocol currently does not support a method for re-enabling a port that is shut down.

Force endpoints to reacquire IP addresses—You can use the Disconnect:Port Bounce option for endpoints that do not have a supplicant or client to generate a DHCP request after VLAN change.

Push an updated authorization policy to an endpoint—You can use the Re-Auth option to enforce an updated policy configuration, such as a change in the authorization policy on existing sessions based on the administrator’s discretion.

For example, if posture validation is enabled, when an endpoint gains access initially, it is usually quarantined. After the endpoint’s identity and posture are known, it is possible to send the CoA Re-Auth command to the endpoint for the endpoint to acquire the actual authorization policy based on its posture.

Legacy NAS devices do not support the CoA feature. Cisco plans to support CoA in all its devices as part of the NPF program.

Note For the CoA commands to be understood correctly by the device, it is important that you configure the options appropriately.

For the CoA feature to work properly, you must configure in ACS the shared secret of each and every device for which you want to dynamically change the authorization. ACS uses the shared secret configuration, both for requesting access from the device and for issuing CoA commands to it.

See Changing Authorization and Disconnecting Active RADIUS Sessions, page 13-18 for more information.

 

User Guide for Cisco Secure Access Control System 5.3

13-2

OL-24201-01
