User Guide for Cisco Secure Access Control System
Americas Headquarters
Page
N T E N T S
Iii
Rules-Based Service Selection
Configuring an Authorization Policy for Host Lookup Requests
My Account
Exporting Network Devices and AAA Clients
Vii
Failover
Viii
Radius Identity Store in Identity Sequence
Managing Access Policies
Maximum User Session in Distributed Environment
Creating and Editing Alarm Schedules
Xii
Exporting Report Data
Xiii
Adding Groups
Xiv
Filtering Chart Data
Managing System Administrators
Xvi
Activating a Secondary Instance
Xvii
Configuring Logs
Xviii
Using Log Targets
Xix
PKI Usage
EAP-MSCHAPv2 B-30
Xxi
Xxii
Document Conventions
Audience
Revised April 17
Documentation Updates
Related Documentation
Date Description
Store
Obtaining Documentation and Submitting a Service Request
Preface User Guide for Cisco Secure Access Control System
Introducing ACS
Overview of ACS
ACS Distributed Deployment
ACS 4.x and 5.3 Replication
Related Topics
Related Topic
ACS Management Interfaces
ACS Licensing Model
ACS
ACS Command Line Interface
ACS Web-based Interface
Config
Hardware Models Supported by ACS
ACS Programmatic Interfaces
ACS Web-based Interface,
OL-24201-01
Migrating from ACS 4.x to ACS
Overview of the Migration Process
Migration Requirements
Supported Migration Versions
Migration Requirements, Supported Migration Versions,
Select System Administration Downloads Migration Utility
Before You Begin
Downloading Migration Files
Migrating from ACS 4.x to ACS
Migrating from ACS 4.x to ACS
Functionality Mapping from ACS 4.x to ACS
Radius
Common Scenarios in Migration
Migrating from ACS 4.2 on Csacs 1120 to ACS
Radius VSA
VSA
Migrating from ACS 3.x to ACS
Migrating Data from Other AAA Servers to ACS
Migrating from ACS 4.x to ACS Common Scenarios in Migration
OL-24201-01
ACS 5.x Policy Model
Overview of the ACS 5.x Policy Model
Information in ACS 5.3 Policy Element
Policy Terminology
Term Description
Rule-Based Policies
Simple Policies
Types of Policies,
Types of Policies
Access Services
Policy Type
Access Service B Access Service C Access Service a
For Device Administration Hosts Wireless Devices
Access Service Templates
Radius and TACACS+ Proxy Services
Feature ACS
Identity Policy
Failure Options
Processing Rules with Multiple Command Sets
Authorization Policy for Device Administration
Group Mapping Policy
Service Selection Policy
Simple Service Selection
Exception Authorization Policy Rules
Simple Service Selection, Rules-Based Service Selection,
Rules-Based Service Selection
Access Services and Service Selection Scenarios
First-Match Rule Tables
Example Policy Rule Table
Column Description
Policy Conditions
Authorization Profiles for Network Access
Policy Results
Processing Rules with Multiple Authorization Profiles
Policies and Identity Attributes
Policies and Network Device Groups
Example of a Rule-Based Policy
Flows for Configuring Services and Policies
Prerequisites
Editing Access Services,
Customizing a Policy, Configuring Access Service Policies,
Step Action Drawer in Web Interface
Editing a Custom Session Condition,
Related Topics
OL-24201-01
Common Scenarios Using ACS
Overview of Device Administration
Session Administration
Command Authorization
TACACS+ Custom Services and Attributes
Password-Based Network Access
Overview of Password-Based Network Access
PEAP-GTC
RADIUS-PAP RADIUS-CHAP
EAP-FAST-GTC EAP-MD5 Leap
Password-Based Network Access Configuration Flow
Protocol Action
MAB Radius PAP
Radius Chap
EAP-MSCHAPv2 or EAP-GTC or both
Peap
EAP-FAST
Certificate-Based Network Access
Overview of Certificate-Based Network Access
Using Certificates in ACS
Certificate-Based Network Access for EAP-TLS
Before you Begin
EAP-TLS
User Guide for Cisco Secure Access Control System
Overview of Agentless Network Access
Agentless Network Access
Validating an Ldap Secure Authentication Connection
Use Cases Attribute
Host Lookup
802.1x
Authentication with Call Check
PAP/EAP-MD5 Authentication
Process Service-Type Call Check
Agentless Network Access Flow
For more information, see , Managing Policy Elements
Configuring an Ldap External Identity Store for Host Lookup
Adding a Host to an Internal Identity Store
Previous Step
Next Step
Creating an Access Service for Host Lookup
Creating an Access Service for Host Lookup,
Previous Steps
Managing Identity Attributes,
See Viewing Identity Policies, page 10-21, for details
Configuring an Identity Policy for Host Lookup Requests
Click Save Changes
See Customizing a Policy, page 10-4, for more information
VPN Remote Network Access
Select Host Lookup and click OK
Supported Authentication Protocols
Supported Identity Stores
RADIUS/PAP RADIUS/CHAP
LDAP-RADIUS/PAP
Configuring VPN Remote Access Service
Supported VPN Network Access Servers
Supported VPN Clients
ACS and Cisco Security Group Access
Adding Devices for Security Group Access
Creating Security Groups
Configuring an Ndac Policy
Creating SGACLs
Creating an Access Service for Security Group Access
Configuring EAP-FAST Settings for Security Group Access
Select Network Access, and check Identity and Authorization
Creating an Endpoint Admission Control Policy
Creating an Egress Policy
Creating a Default Policy
Radius and TACACS+ Proxy Requests
Tacplusauthor Tacplusauthen
Supported Protocols
Tacplusacct
Supported Radius Attributes
TACACS+ Body Encryption
Connection to TACACS+ Server
PAP Ascii Chap
Configuring Proxy Service
My Workspace Welcome
Welcome
Field Description
Task Guides
My Account
Accessing the Web Interface
Using the Web Interface
Logging In, Logging Out,
Logging
Understanding the Web Interface
Logging Out
Header, Navigation Pane, Content Area,
Navigation Pane, Content Area,
Web Interface Design
Header
Navigation Pane
Drawer Function
Content Area
Header, Content Area,
Web Interface Location
Deleted item
Button or Field Description
Filtering
Sorting
Secondary Windows
Transfer Boxes
Secondary Window
Transfer Box Fields and Buttons
Rule Table Pages
Schedule Boxes
Option Description
See Displaying Hit Counts, page 10-10for more information
ACS 5.x Policy Model
Supported ACS Objects
Supported ACS Objects, Creating Import Files,
Property Name Property Data Type
Creating Import Files
Uments
Downloading the Template from the Web Interface
Understanding the CSV Templates
Click File Operations
Click Download Add Template
Creating the Import File
Header Field Description
Updating the Records in the ACS Internal Store
Deleting Records from the ACS Internal Store
Common Errors
Concurrency Conflict Errors
Deletion Errors
System Failure Errors
Accessibility
Display and Readability Features
Keyboard and Mouse Features
Obtaining Additional Accessibility Information
Configuring Minimal System Setup
Step No Task Drawer Refer to
Configuring Local Server
Configuring Authentication
Settings for Administrators
Configuring Administrator
Step No Task Drawer Refer to
Configuring ACS to Manage Access Policies
Task Drawer Refer to
Configuring System Alarm
Settings,
Understanding Alarm
Duplicating Alarm
OL-24201-01
Managing Network Resources
External Servers
Creating, Duplicating, and Editing Network Device Groups
Network Device Groups
Choose Network Resources Network Device Groups
Deleting Network Device Groups
Field Description
Network Devices and AAA Clients
Deleting Network Device Groups from a Hierarchy
Choose Network Resources Network Devices and AAA Clients
Viewing and Performing Bulk Operations for Network Devices
See Displaying Network Device Properties,
Exporting Network Devices and AAA Clients
Network Device page appears
Performing Bulk Operations for Network Resources and Users
Managing Network Resources Network Devices and AAA Clients
Exporting Network Resources and Users
Creating, Duplicating, and Editing Network Devices
Configuring Network Device and AAA Clients
TACACS+
KEK
SGT
Displaying Network Device Properties
TACACS+
Access Advanced Settings
Access
Security Group
Configuring a Default Network Device
Deleting Network Devices
About creating network device groups
Creating, Duplicating, and Editing External Proxy Servers
Working with External Proxy Servers
Choose Network Resources External Proxy Servers
Choose to create Radius proxy server
Deleting External Proxy Servers
OL-24201-01
Overview
Internal Identity Stores
External Identity Stores
Ldap
Identity Stores with Two-Factor Authentication
Certificate-Based Authentication
Identity Groups
Managing Internal Identity Stores
Identity Sequences
Authentication Information
Select Users and Identity Stores Identity Groups
Creating Identity Groups
Click File Operations to
Deleting an Identity Group
Managing Identity Attributes
Standard Attributes, User Attributes, Host Attributes,
User Attributes
Standard Attributes
Attribute Description
Choose System Administration Users Authentication Settings
Configuring Authentication Settings for Users
Host Attributes
Password History
Options Description
Creating Internal Users
Resources and Users,
Defined under System Administration Users Authentication
Option
Administration Users Authentication Settings
Identity Stores Internal Identity Stores Users
Deleting Users from Internal Identity Stores
Mon dd hhmmss UTC YYYY, where
Internal Users page appears without the deleted users
Creating Hosts in Identity Stores
Hhmmss UTC Yyyy , where
Deleting Internal Hosts
Configuring AAA Devices for Management Hierarchy
Configuring Users or Hosts for Management Hierarchy
Management Hierarchy
Attributes of Management Hierarchy
Configuring and Using UserIsInManagement Hierarchy Attribute
Related Topics
Managing External Identity Stores
Ldap Overview
Directory Service
Authentication Using Ldap
Configuring Ldap Groups, Viewing Ldap Attributes,
Multiple Ldap Instances
Failover
Authenticating a User Using a Bind Connection
Ldap Connection Management
Group Membership Information Retrieval
Attributes Retrieval
Certificate Retrieval
Creating External Ldap Identity Stores
Configuring an External Ldap Server Connection
Ldap Server Connection
Configuring External Ldap Directory Organization
Schema
If the tree containing subjects is the base DN, enter
External identity store you created is saved
Configuring Ldap Groups
Deleting External Ldap Identity Stores
Leveraging Cisco NAC Profiler as an External MAB Database
Viewing Ldap Attributes
Click Server
Advanced Options Active Response Delay
Ldap Interface Configuration in NAC Profiler
Configuring Endpoint Profiles in NAC Profiler
Click Save Profile
Click the Server Connection tab
Edit NAC Profiler Definition General
Click Test Configuration
Test Bind to Server Dialog Box
Number of Subjects Number of Directory Groups
Supported Authentication Protocols
Microsoft AD
User Guide for Cisco Secure Access Control System
Machine Authentication
Protocol Port number
Attribute Retrieval for Authorization
Group Retrieval for Authorization
Certificate Retrieval for EAP-TLS Authentication
Concurrent Connection Management
Machine Access Restrictions
Dial-in Permissions
Machine Authentication AD Group Required ATZ profile
Callback Options for Dial-in users
Dial-in Support Attributes
ACS Response
Machine Authentication, page B-34
Configuring an AD Identity Store
Joining ACS to an AD Domain
Click
Selecting an AD Group, Configuring AD Attributes,
Selecting an AD Group
Configuring AD Attributes
Available from the Attributes secondary window only
Joining ACS to Domain Controllers
Configuring RSA SecurID Agents
RSA SecurID Server
Creating and Editing RSA SecurID Token Servers
PIN
RSA Realm Settings Tab
Configuring ACS Instance Settings
Enable the RSA options file, Reset Agent Files,
Enable the RSA options file
Reset Agent Files
Configuring Advanced Options
Check the Enable identity caching check box
Radius Identity Stores
Supported Authentication Protocols
Radius PAP TACACS+ ASCII/PAP
User Group Mapping
Password Prompt
Groups and Attributes Mapping
Authentication Failure Messages
Cause of Authentication Failure Failure Cases
Radius Identity Store in Identity Sequence
Username Special Format with Safeword Server
Creating, Duplicating, and Editing Radius Identity Servers
User Attribute Cache
Radius PAP TACACS+ ASCII\PAP
Configuring General Settings
Server Connection
Configuring Shell Prompts
Configuring Directory Attributes
Cisco-av-pair.some-avpair
Configuring CA Certificates
Configuring Shell Prompts, Configuring Advanced Options,
Adding a Certificate Authority
Select Users and Identity Stores Certificate Authorities
Description of the certificate
Deleting a Certificate Authority
Configuring Certificate Authentication Profiles
Exporting a Certificate Authority
Certificate Authentication Profile page reappears
Configuring Identity Store Sequences
Authentication Sequence
Creating, Duplicating, and Editing Identity Store Sequences
Attribute Retrieval Sequence
22 Identity Store Sequence Properties
Deleting Identity Store Sequences
OL-24201-01
OL-24201-01
Managing Policy Elements
Managing Policy Conditions
Managing Policy Elements Managing Policy Conditions
Deleting a Session Condition, Managing Network Conditions,
Select Policy Elements Session Conditions Date and Time
Policy,
Select Policy Elements Session Conditions Custom
Deleting a Session Condition
Managing Network Conditions
Managing Policy Elements Managing Policy Conditions
Importing Network Conditions
Exporting Network Conditions
Creating, Duplicating, and Editing End Station Filters
Defining IP Address-Based End Station Filters
Defining MAC Address-Based End Station Filters
Defining CLI or DNIS-Based End Station Filters
Creating, Duplicating, and Editing Device Filters
Defining IP Address-Based Device Filters
Defining Name-Based Device Filters
Creating, Duplicating, and Editing Device Port Filters
Defining NDG-Based Device Filters
Defining IP Address-Based Device Port Filters
Defining Name-Based Device Port Filters
Managing Authorizations and Permissions
Defining NDG-Based Device Port Filters
Authorization Profiles
Specifying Authorization Profiles
Specifying Common Attributes in Authorization Profiles
Vlan ID/Name Includes a Vlan assignment
Specifying Radius Attributes in Authorization Profiles
Attribute, its name, value, and type appear in the table. To
Dictionary
Creating and Editing Security Groups
Creating Security Groups,
Related Topics
Defining Common Tasks
Defining General Shell Profile Properties
Defining Common Tasks, Defining Custom Attributes,
Privilege Level
Shell Profile Common Tasks
Defining Custom Attributes
Replace
OL-24201-01
Show
Duplicated
Creating, Duplicating, and Editing Downloadable ACLs
Deleting an Authorizations and Permissions Policy Element
Appears without the deleted object
Configuring Security Group Access Control Lists
OL-24201-01
Policy Creation Flow
10-1
Policy Creation Flow-Next Steps
Network Definition and Policy Goals
10-2
Policy Elements in the Policy Creation Flow
Policy Creation Flow-Previous Step
Network Definition and Policy Goals,
10-3
Access Service Policy Creation
Service Selection Policy Creation
Customizing a Policy
10-4
Configuring a Policy-Next Steps
Configuring the Service Selection Policy
10-5
Configuring a Simple Service Selection Policy
Service Selection Policy
Select Access Policies Service Selection Policy
10-6
See Displaying Hit Counts,
10-7
Select Access Policies Service Selection Policy. If you
Creating, Duplicating, and Editing Service Selection Rules
10-8
Conditions
10-9
Displaying Hit Counts
Deleting Service Selection Rules
10-10
Editing Default Access Services
Configuring Access Services
10-11
Select Access Policies Access Services
Creating, Duplicating, and Editing Access Services
10-12
Configuring General Access Service Properties
10-13
10-14
Select Access Policies Access Services, then click
Configuring Access Service Allowed Protocols
10-15
Server Certificates, page 18-14for more information
10-16
10-17
10-18
Configuring Access Services Templates
10-19
Deleting an Access Service
Access Service
Type Protocols Policies Conditions Results
10-20
Viewing Identity Policies
Configuring Access Service Policies
10-21
10-22
Viewing Rules-Based Identity Policies
10-23
Configuring Identity Policy Rule Properties
10-24
10-25
Configuring a Group Mapping Policy
10-26
Displaying Hit Counts,
10-27
Configuring Group Mapping Policy Rule Properties
10-28
Select Access Policies Access Services service Authorization
10-29
10-30
Configuring Network Access Authorization Rule Properties
10-31
Configuring Device Administration Authorization Policies
10-32
10-33
Condition
10-34
Configuring Authorization Exception Policies
10-35
Condition Name
10-36
Creating Policy Rules
10-37
Editing Policy Rules
Duplicating a Rule
10-38
Deleting Policy Rules
10-39
Compound Condition Building Blocks
Configuring Compound Conditions
10-40
Types of Compound Conditions
Operand1 Operand2 Example
Atomic Condition
10-41
Multiple Nested Compound Condition
Single Nested Compound Condition
10-42
Compound Expression with Dynamic value
10-43
Using the Compound Expression Builder
10-44
Security Group Access Control Pages
Egress Policy Matrix
Policy Matrix,
Policy Page,
Defining a Default Policy for Egress Policy
Creating an Egress Policy, Creating a Default Policy,
Editing a Cell in the Egress Policy Matrix
Creating an Egress Policy,
Ndac Policy
Simple Policy
Rule-Based Policy
10-47
Ndac Policy Properties
Configuring an Ndac Policy, Ndac Policy Properties Page,
10-48
Configuring an Ndac Policy, Ndac Policy Page,
10-49
Maximum User Sessions
Network Device Access EAP-FAST Settings
10-50
Max Session Group Settings
Max Session User Settings
10-51
Max User Session Global Settings
Max Session Global Setting
10-52
Purging User Sessions
Go to System Administration Users Purge User Sessions
10-53
Click Get Logged-in User List
Maximum User Session in Distributed Environment
10-54
Maximum User Session in Proxy Scenario
10-55
10-56
Epm logging
Logging monitor informational Logging origin-id ip
11-1
Authentication Records and Details
Authentication Records and Details,
Dashboard Pages
11-2
11-3
Working with Portlets
11-4
Working with Authentication Lookup Portlet
11-5
Configuring Tabs in the Dashboard
Running Authentication Lookup Report
Dashboard Pages, Running Authentication Lookup Report,
Adding Tabs to the Dashboard
Adding Applications to Tabs
Renaming Tabs in the Dashboard
11-7
Changing the Dashboard Layout
Deleting Tabs from the Dashboard
Click Manage Pages
11-8
Understanding Alarms
Threshold Alarms, System Alarms,
Threshold Alarms
12-1
Evaluating Alarm Thresholds
System Alarms
Evaluating Alarm Thresholds, Notifying Users of Events,
Evaluation Cycle1
Notifying Users of Events
Viewing and Editing Alarms in Your Inbox
12-3
Alarm Severity
12-4
12-5
12-6
12-7
Select Monitoring and Reports Alarms Inbox
12-8
Understanding Alarm Schedules
Creating and Editing Alarm Schedules
Choose Monitoring and Reports Alarms Schedules
12-9
Choose Monitoring and Reports Alarms Thresholds
Assigning Alarm Schedules to Thresholds
12-10
Creating, Editing, and Duplicating Alarm Thresholds
Deleting Alarm Schedules
Select Monitoring and Reports Alarms Thresholds
12-11
12-12
Configuring General Threshold Information
12-13
Configuring Threshold Criteria
Passed Authentications
Passed Authentication Count
ACS Instance
12-15
Failed Authentications
Failed Authentication Count
Device IP
12-16
12-17
Authentication Inactivity
12-18
Tacacs Command Accounting
12-19
Tacacs Command Authorization
12-20
ACS Configuration Changes
12-21
ACS System Diagnostics
12-22
ACS Process Status
12-23
CPU
ACS System Health
12-24
ACS AAA Health
12-25
Radius Sessions
12-26
Unknown NAD
Count of Unknown NAD Authentication Records
12-27
External DB Unavailable
12-28
Rbacl Drops
12-29
NAD
DGT
Dstip
12-30
Device IP Count of NAD-Reported AAA Down Events
NAD-Reported AAA Downtime
12-31
Configuring Threshold Notifications
12-32
Deleting Alarm Thresholds
12-33
Configuring System Alarm Settings
12-34
Creating and Editing Alarm Syslog Targets
Understanding Alarm Syslog Targets
12-35
Deleting Alarm Syslog Targets
12-36
Managing Reports
13-1
Catalog-Monitoring & Reports Reports Catalog reporttype
13-2
Working with Favorite Reports
Adding Reports to Your Favorites
Click Add to Favorites
13-3
Viewing Favorite-Report Parameters
Click Add to Favorite
Choose Monitoring and Reports Reports Favorites
13-4
Editing Favorite Reports
Running Favorite Reports
Select Monitoring & Reports Reports Favorites
13-5
Sharing Reports
Deleting Reports from Favorites
Click Launch Interactive Viewer for more options
Reports Reports Catalog ACS Instance
Working with Catalog Reports
Available Reports in the Catalog
Report Name Description Logging Category
13-7
13-8
13-9
13-10
Running Catalog Reports
13-11
13-12
Running Named Reports
Deleting Catalog Reports
13-13
Reporttype Reportname
13-14
Understanding the ReportName
13-15
13-16
13-17
Enabling Radius CoA Options on a Device
13-18
13-19
Radius Active Session Report
Customizing Reports
Restoring Reports
Click Launch Interactive Viewer
13-20
Viewing Reports
About Standard Viewer
About Interactive Viewer
About Interactive Viewer’s Context Menus
13-22
Context Menu for Column Data in Interactive Viewer
Using the Table of Contents
Navigating Reports
Exporting Report Data
13-24
13-25
12 The Export Data Dialog Box
Saving Report Designs in Interactive Viewer
Printing Reports
13-26
Editing Labels
Formatting Reports in Interactive Viewer
13-27
Formatting Labels
Formatting Data
Resizing Columns
Select Change Text
Changing Column Data Alignment
Formatting Data in Columns
Formatting Data in Aggregate Rows
Select Style Font
Data type Option Description
Formatting Data Types
13-30
Formatting Numeric Data
13-31
Formatting Fixed or Scientific Numbers or Percentages
Formatting Custom Numeric Data
Data in the data set Result of formatting
13-32
Symbol
Formatting String Data
Formatting Custom String Data
13-33
Data in the data source Results of formatting
Formatting Date and Time
13-34
Formatting Custom Date and Time
Format Result of formatting
Mmmm
13-35
Applying Conditional Formats
Formatting Boolean Data
13-36
Select Style Conditional Formatting
Setting Conditional Formatting for Columns
13-37
13-38
19 Comparison Value Field
Deleting Conditional Formatting
13-39
Setting and Removing Page Breaks in a Group Column
Setting and Removing Page Breaks in Detail Columns
13-40
Displaying and Organizing Report Data
Organizing Report Data
13-41
Select Column Move to Group Header
Reordering Columns in Interactive Viewer
13-42
Removing Columns
13-43
Hiding or Displaying Report Items
Hiding Columns
Select Hide or Show Items
Select Column Hide Column
Displaying Hidden Columns
Merging Columns
Select Column Show Columns
13-45
Select Column Merge Columns
Selecting a Column from a Merged Column
13-46
Sorting Data
Sorting a Single Column
Sorting Multiple Columns
Sorting a Single Column, Sorting Multiple Columns,
Grouping Data
13-48
13-49
Grouping Data Based on Date or Time
Adding Groups
13-50
Creating Report Calculations
Removing an Inner Group
13-51
13-52
37 Calculated Column
Function Description Example of use
Understanding Supported Calculation Functions
13-53
Countdistinct
Count
13-54
Isbottomnpercent
13-55
13-56
Movingaverage
13-57
Today
13-58
Weightedaverage
13-59
Using Numbers and Dates in an Expression
Understanding Supported Operators
Operator Description
13-60
Using Multiply Values in Calculated Columns
Adding Days to an Existing Date Value
Select Add Calculation
13-61
Subtracting Date Values in a Calculated Column
Working with Aggregate Data
13-62
Aggregate functions Description
13-63
Creating an Aggregate Data Row
13-64
Click Add aggregation
Adding Additional Aggregate Rows
13-65
Hiding and Filtering Report Data
Deleting Aggregate Rows
Hiding or Displaying Column Data
13-66
Hiding or Displaying Detail Rows in Groups or Sections
Displaying Repeated Values
13-67
Condition Description
Working with Filters
13-68
Types of Filter Conditions
13-69
Setting Filter Values
13-70
Creating Filters
13-71
Creating a Filter with Multiple Conditions
Modifying or Clearing a Filter
13-72
Click Add Condition
Click Advanced Filter
13-73
Filtering Highest or Lowest Values in Columns
13-74
Understanding Charts
13-75
Filtering Chart Data
Modifying Charts
13-76
Changing Chart Subtype
Changing Chart Formatting
Select Chart Subtype
13-77
50 Chart Formatting Options
13-78
Available Diagnostic and Troubleshooting Tools
Connectivity Tests
ACS Support Bundle
14-1
Expert Troubleshooter
14-2
Diagnostic Tool Description
Performing Connectivity Tests
See Comparing Sgacl Policy Between a Network Device and ACS
ACS-Assigned SGT Records, page 14-14for more information
Downloading ACS Support Bundles for Diagnostic Information
14-4
Working with Expert Troubleshooter
14-5
NAS IP
Troubleshooting Radius Authentications
14-6
14-7
Click Show Results Summary
14-8
Executing the Show Command on a Network Device
14-9
AAA
Evaluating the Configuration of a Network Device
14-10
SGA
Comparing Sgacl Policy Between a Network Device and ACS
14-11
Comparing the SXP-IP Mappings Between a Device and its Peers
14-12
VRF
Click the User Input Required button
14-13
14-14
Comparing Device SGT with ACS-Assigned Device SGT
14-15
14-16
15-1
15-2
Configuring Data Purging and Incremental Backup
15-3
15-4
15-5
Configuring NFS stagging
15-6
Restoring Data from a Backup
Configuring Data Purging and Incremental Backup,
Viewing Log Collections
15-7
Log Collection Details Page,
15-8
Log Collection Details
15-9
15-10
Viewing Scheduled Jobs
Recovering Log Messages
15-11
15-12
Viewing Process Status
15-13
Viewing Data Upgrade Status
Viewing Failure Reasons
Editing Failure Reasons
Failure Reasons Editor
Specifying E-Mail Settings
Configuring Snmp Preferences
Email Settings
15-15
Creating and Editing Collection Filters
Understanding Collection Filters
15-16
Configuring Alarm Syslog Targets
Configuring Remote Database Settings
Deleting Collection Filters
15-17
15-18
Managing System Administrators
16-1
Understanding Administrator Roles and Accounts
16-2
Configuring System Administrators and Accounts
Understanding Authentication
Understanding Roles
16-3
Permissions
Predefined Roles
Role Privileges
16-4
Changing Role Associations
16-5
Choose System Administration Administrators Accounts
Administrator Accounts and Role Association
16-6
16-7
Choose System Administration Administrators Roles
Viewing Predefined Roles
Viewing Role Properties
Button and click View
Configuring Authentication Settings for Administrators
16-9
16-10
Configuring Session Idle Timeout
Configuring Administrator Access Settings
Choose System Administration Administrators Settings Access
Allow All IP Addresses to Connect
Access-setting accept-all
Resetting the Administrator Password
16-12
Changing the Administrator Password
Changing Your Own Administrator Password
Choose My Workspace My Account
16-13
Resetting Another Administrator’s Password
16-14
Configuring System Operations
17-1
Service Port
Understanding Distributed Deployment
Aaa-server radius-authport
17-2
Activating Secondary Servers
Removing Secondary Servers
Activating Secondary Servers,
17-3
Understanding Local Mode
Promoting a Secondary Server
Understanding Distributed Deployment,
17-4
Understanding Full Replication
Specifying a Hardware Replacement
17-5
Scheduled Backups
Creating, Duplicating, and Editing Scheduled Backups
Creating, Duplicating, and Editing Scheduled Backups,
Choose System Administration Operations Scheduled Backups
Backing Up Primary and Secondary Instances,
Backing Up Primary and Secondary Instances
17-7
Viewing and Editing a Primary Instance
Editing Instances
17-8
Ddmmyyyy
17-9
GUI
17-10
17-11
Viewing and Editing a Secondary Instance
Deleting a Secondary Instance
Editing Instances, Viewing and Editing a Primary Instance,
17-12
Activating a Secondary Instance
Registering a Secondary Instance to a Primary Instance
Click Activate
17-13
17-14
Click Register to Primary
17-15
Click Deregister from Primary
Click Deregister
17-16
17-17
Replicating a Secondary Instance from a Primary Instance
17-18
Click Full Replication
17-19
See Registering a Secondary Instance to a Primary Instance,
17-20
Failover
17-21
Click Request Local Mode
17-22
17-23
17-24
Configuring Global System Options
Configuring TACACS+ Settings
Manage licensing. See Licensing Overview,
18-1
Configuring EAP-TLS Settings
18-2
Configuring Peap Settings
Configuring EAP-FAST Settings
Generating EAP-FAST PAC,
18-3
Configuring RSA SecurID Prompts
Generating EAP-FAST PAC
Click Generate PAC
Tokencode
Managing Dictionaries
Viewing Radius and TACACS+ Attributes
YOU Prepared to Accept a SYSTEM-GENERATED PIN?
Radius Ietf
Radius VSAs, page A-6
18-6
Viewing Radius and TACACS+ Attributes,
18-7
18-8
Viewing Radius Vendor-Specific Subattributes
18-9
Configuring Identity Dictionaries
18-10
Configuring Internal Identity Attributes
18-11
Policy Elements Session Conditions Custom
Deleting an Internal User Identity Attribute
18-12
Deleting an Internal Host Identity Attribute
18-13
Adding Local Server Certificates
Configuring Local Server Certificates
18-14
Signing Request,
Associating Certificates to Protocols,
18-15
Generating Self-Signed Certificates
EAP
Select Generate Self Signed Certificate Next
18-16
Generating a Certificate Signing Request
Binding CA Signed Certificates
Select Generate Certificate Signing Request Next
Click Finish
Select Bind CA Signed Certificate Next
Editing and Renewing Certificates
18-18
Deleting Certificates
18-19
Viewing Outstanding Signing Requests
Exporting Certificates
18-20
Configuring Remote Log Targets
Configuring Logs
18-21
Target Configuration
General
Deleting a Remote Log Target,
18-22
Configuring the Local Log
Configuring Remote Log Targets,
Deleting a Remote Log Target
Deleting Local Log Data
Configuring Logging Categories
Configuring Global Logging Categories
Option Descriptions
18-24
18-25
Category Log and Description
18-26
18-27
Show logging system
18-28
Configuring Per-Instance Security and Log Settings,
Configuring Per-Instance Logging Categories
18-29
Configuring Per-Instance Security and Log Settings
18-30
Configuring Per-Instance Remote Syslog Targets
Configure Logged Attributes
Click the Remote Syslog Target tab
18-31
Displaying Logging Categories
18-32
Viewing the Log Message Catalog
Configuring the Log Collector
18-33
Licensing Overview
Types of Licenses
License Description
18-34
Installing a License File
18-35
PAK
Viewing the Base License
18-36
Upgrading the Base Server License,
Upgrading the Base Server License
18-37
Viewing License Feature Options
18-38
Adding Deployment License Files
18-39
Deleting Deployment License Files
Available Downloads
Click Delete to delete the license file
18-40
Downloading UCP Web Service Files
Downloading Migration Utility Files
Downloading Sample Python Scripts
18-41
Choose System Administration Downloads Rest Service
Downloading Rest Services
18-42
About Logging, ACS 4.x Versus ACS 5.3 Logging,
About Logging
19-1
Logging Categories
Using Log Targets
19-2
19-3
Log Message Severity Levels
Global and Per-Instance Logging Categories
19-4
ACS Severity Syslog Severity Level Description
Local Store Target
19-5
19-6
Critical Log Target
19-7
Remote Syslog Server Target
19-8
19-9
Viewing Log Messages
Monitoring and Reports Server Target
19-10
Debug Logs
19-11
CSV
ACS 4.x Versus ACS 5.3 Logging
19-12
Use the Reports and Activity pages
Use the System Configuration Logging
19-13
19-14
Device Administration TACACS+
Typical Use Cases
Network Access Radius With and Without EAP
Session Access Requests Device Administration TACACS+
Command Authorization Requests
PAP Chap
RADIUS-Based Flow Without EAP Authentication
RADIUS-Based Flows with EAP Authentication
PEAP/EAP-GTC
EAP-FAST/EAP-GTC
Figure A-3shows a RADIUS-based authentication with EAP
Overview of TACACS+
Access Protocols-TACACS+ and Radius
Point of Comparison
Overview of Radius
Radius VSAs
ACS 5.3 as the AAA Server
Radius Attribute Support in ACS
Address IP Integer Time
Radius Access Requests
Authentication
Authorization
Accounting
OL-24201-01
Authentication Considerations
Authentication and User Databases
PAP, page B-2 CHAP, page B-31
EAP-MSCHAPv2, page B-30
Radius PAP Authentication
EAP
EAP message type EAP code
EAP Method Description
Information see EAP-MSCHAPv2, page B-30
EAP-GTC
Overview of EAP-MD5
Host Lookup, Overview of Agentless Network Access,
EAP- MD5 Flow in ACS
User Certificate Authentication
Overview of EAP-TLS
PKI Authentication
PKI Credentials
PKI Usage
Fixed Management Certificates
Acquiring Local Certificates
Importing Trust Certificates
Initial Self-Signed Certificate Generation
Importing the ACS Server Certificate
Certificate Generation
Exporting Credentials
Credentials Distribution
Hardware Replacement and Certificates
Securing the Cryptographic Sensitive Material
Private Keys and Passwords Backup
EAP-TLS Flow in ACS
PEAPv0/1
Overview of PEAP, page B-15 EAP-MSCHAPv2, page B-30
Supported Peap Features
Overview of Peap
Fast Reconnect
Peap Flow in ACS
Creating the TLS Tunnel
Authenticating with MSCHAPv2
Overview of EAP-FAST
EAP-FAST
EAP-FAST in ACS
EAP-FAST Benefits
About Master-Keys
About PACs
Provisioning Modes
Types of PACs
Automatic In-Band PAC Provisioning
Machine PAC Authentication
ACS-Supported Features for PACs
Proactive PAC Update
Accept Peer on Authenticated Provisioning
PAC-Less Authentication
PAC Type Tunnel v1/v1a/SGA Machine Authorization
PAC
Master Key Generation and PAC TTLs
EAP-FAST Flow in ACS
EAP-FAST for Allow TLS Renegotiation
EAP-FAST PAC Management
EAP-FAST PAC-Opaque Packing and Unpacking
Key Distribution Algorithm
Revocation Method
EAP Authentication with Radius Key Wrap
PAC Migration from ACS
MSCHAPv2 for User Authentication
MSCHAPv2 for Change Password
EAP-MSCHAPv2
Overview of EAP-MSCHAPv2
Windows Machine Authentication Against AD
EAP- MSCHAPv2 Flow in ACS
Certificate Attributes
Certificate Binary Comparison
SAN
SAN-DNS
Certificate Revocation
Rules Relating to Textual Attributes
Machine Authentication
Authentication Protocol and Identity Store Compatibility
Microsoft AD, Managing External Identity Stores,
Identity Store
MSCHAPv1/MSCHAPv2
EAP-TLS
EAP-MSCHAPv2
OpenSSL/Open SSL Project
License Issues
OpenSSL License
Original SSLeay License
Appendix C Open Source License Acknowledgments
OL-24201-01
O S S a R Y
GL-1
Capability of ACS to record user sessions in a log file
GL-2
Validity and conformance of the original information
GL-3
GL-4
GL-5
GL-6
GL-7
GL-8
GL-9
FTP
EAP-FAST PAC
GL-10
GL-11
GL-12
Service providerISP
GL-13
GL-14
Extension within certificate information
GL-15
GL-16
GL-17
GL-18
GL-19
GL-20
Symbols
IN-1
IN-2
Date expressions
IN-3
Formatting symbols
IN-4
Hide Detail command
IN-5
IN-6
Or operator 13-60,13-74
IN-7
Summary values
IN-8
Upper function
IN-9
IN-10
