Feature ACS, Radius | Cisco Systems OL-24201-01 manual

Chapter 3 ACS 5.x Policy Model

Access Services

ACS accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS and TACACS+ servers in ACS for ACS to forward requests to them. You can define the timeout period and the number of connection attempts.

The ACS proxy remote target is a list of remote RADIUS and TACACS+ servers that contain the following parameters:

•IP

•Authentication port

•Accounting port

•Shared secret

•Reply timeout

•Number of retries

•Connection port

•Network timeout

The following information is available in the proxy service:

•Remote RADIUS or TACACS+ servers list

•Accounting proxy local/remote/both

•Strip username prefix/suffix

When a RADIUS proxy server receives a request, it forwards it to the first remote RADIUS or TACACS+ server in the list. If the proxy server does not receive a response within the specified timeout interval and the specified number of retries, it forwards the request to the next RADIUS or TACACS+ server in the list.

When the first response arrives from any of the remote RADIUS or TACACS+ servers in the list, the proxy service processes it. If the response is valid, ACS sends the response back to the NAS.

Table 3-7lists the differences in RADIUS proxy service between ACS 4.2 and 5.3 releases.

Table 3-7	Differences in RADIUS and TACACS+ Proxy Service Between ACS 4.2 and 5.3

Feature		ACS 5.3	ACS 4.2

Configurable timeout (RADIUS)		Yes	No

Configurable retry count (RADIUS)		Yes	No

Network timeout (TACACS+)		Yes	No

Authentication and accounting ports		Yes	Yes
(RADIUS)

Connection port (TACACS+)		Yes	No

Proxy cycles detection		Yes (For RADIUS only)	No

Username stripping		Yes	Yes

Accounting proxy (local, remote, or both)		Yes	Yes

Account delay timeout support (RADIUS)		No	No

User Guide for Cisco Secure Access Control System 5.3

3-8	OL-24201-01

Image 50

Cisco Systems OL-24201-01 manual Feature ACS, Radius

Contents

User Guide for Cisco Secure Access Control System Americas HeadquartersPage N T E N T S Iii Rules-Based Service Selection Configuring an Authorization Policy for Host Lookup Requests My Account Exporting Network Devices and AAA Clients Vii Failover Viii Radius Identity Store in Identity Sequence Managing Access Policies Maximum User Session in Distributed Environment Creating and Editing Alarm Schedules Xii Exporting Report Data Xiii Adding Groups Xiv Filtering Chart Data Managing System Administrators Xvi Activating a Secondary Instance Xvii Configuring Logs Xviii Using Log Targets Xix PKI Usage EAP-MSCHAPv2 B-30 Xxi Xxii Revised April 17 AudienceDocument Conventions Date Description Documentation UpdatesRelated Documentation Store Obtaining Documentation and Submitting a Service Request Preface User Guide for Cisco Secure Access Control System Introducing ACS Overview of ACS Related Topics ACS Distributed DeploymentACS 4.x and 5.3 Replication Related Topic ACS ACS Licensing ModelACS Management Interfaces ACS Command Line Interface ACS Web-based Interface ACS Programmatic Interfaces ConfigHardware Models Supported by ACS ACS Web-based Interface, OL-24201-01 Migrating from ACS 4.x to ACS Supported Migration Versions Overview of the Migration ProcessMigration Requirements Migration Requirements, Supported Migration Versions, Downloading Migration Files Select System Administration Downloads Migration UtilityBefore You Begin Migrating from ACS 4.x to ACS Migrating from ACS 4.x to ACS Functionality Mapping from ACS 4.x to ACS Radius Radius VSA Common Scenarios in MigrationMigrating from ACS 4.2 on Csacs 1120 to ACS VSA Migrating from ACS 3.x to ACS Migrating Data from Other AAA Servers to ACS Migrating from ACS 4.x to ACS Common Scenarios in Migration OL-24201-01 ACS 5.x Policy Model Overview of the ACS 5.x Policy Model Information in ACS 5.3 Policy Element Policy Terminology Term Description Types of Policies, Simple PoliciesRule-Based Policies Types of Policies Access Services Policy Type Access Service Templates Access Service B Access Service C Access Service aFor Device Administration Hosts Wireless Devices Radius and TACACS+ Proxy Services Feature ACS Identity Policy Failure Options Group Mapping Policy Authorization Policy for Device AdministrationProcessing Rules with Multiple Command Sets Exception Authorization Policy Rules Service Selection PolicySimple Service Selection Simple Service Selection, Rules-Based Service Selection, Rules-Based Service Selection Access Services and Service Selection Scenarios First-Match Rule Tables Example Policy Rule Table Column Description Policy Results Authorization Profiles for Network AccessPolicy Conditions Processing Rules with Multiple Authorization Profiles Policies and Identity Attributes Policies and Network Device Groups Example of a Rule-Based Policy Flows for Configuring Services and Policies Prerequisites Step Action Drawer in Web Interface Editing Access Services,Customizing a Policy, Configuring Access Service Policies, Editing a Custom Session Condition, Related Topics OL-24201-01 Common Scenarios Using ACS Overview of Device Administration Session Administration Command Authorization Overview of Password-Based Network Access Password-Based Network AccessTACACS+ Custom Services and Attributes EAP-FAST-GTC EAP-MD5 Leap RADIUS-PAP RADIUS-CHAPPEAP-GTC MAB Radius PAP Password-Based Network Access Configuration FlowProtocol Action Radius Chap EAP-FAST PeapEAP-MSCHAPv2 or EAP-GTC or both Certificate-Based Network Access Overview of Certificate-Based Network Access Before you Begin Using Certificates in ACSCertificate-Based Network Access for EAP-TLS EAP-TLS User Guide for Cisco Secure Access Control System Validating an Ldap Secure Authentication Connection Agentless Network AccessOverview of Agentless Network Access 802.1x Host LookupUse Cases Attribute Authentication with Call Check PAP/EAP-MD5 Authentication Process Service-Type Call Check Agentless Network Access Flow For more information, see , Managing Policy Elements Previous Step Configuring an Ldap External Identity Store for Host LookupAdding a Host to an Internal Identity Store Next Step Previous Steps Creating an Access Service for Host LookupCreating an Access Service for Host Lookup, Managing Identity Attributes, Click Save Changes Configuring an Identity Policy for Host Lookup RequestsSee Viewing Identity Policies, page 10-21, for details Select Host Lookup and click OK VPN Remote Network AccessSee Customizing a Policy, page 10-4, for more information RADIUS/PAP RADIUS/CHAP Supported Authentication ProtocolsSupported Identity Stores LDAP-RADIUS/PAP Supported VPN Clients Supported VPN Network Access ServersConfiguring VPN Remote Access Service ACS and Cisco Security Group Access Adding Devices for Security Group Access Creating Security Groups Configuring an Ndac Policy Creating SGACLs Select Network Access, and check Identity and Authorization Configuring EAP-FAST Settings for Security Group AccessCreating an Access Service for Security Group Access Creating an Endpoint Admission Control Policy Creating an Egress Policy Creating a Default Policy Radius and TACACS+ Proxy Requests Tacplusacct Supported ProtocolsTacplusauthor Tacplusauthen Connection to TACACS+ Server Supported Radius AttributesTACACS+ Body Encryption PAP Ascii Chap Configuring Proxy Service Field Description WelcomeMy Workspace Welcome Task Guides My Account Logging In, Logging Out, Using the Web InterfaceAccessing the Web Interface Logging Understanding the Web Interface Logging Out Web Interface Design Header, Navigation Pane, Content Area,Navigation Pane, Content Area, Header Navigation Pane Drawer Function Content Area Header, Content Area, Web Interface Location Deleted item Button or Field Description Filtering Sorting Secondary Windows Transfer Boxes Secondary Window Transfer Box Fields and Buttons Rule Table Pages Schedule Boxes Option Description See Displaying Hit Counts, page 10-10for more information Supported ACS Objects, Creating Import Files, Supported ACS ObjectsACS 5.x Policy Model Property Name Property Data Type Creating Import Files Uments Click File Operations Downloading the Template from the Web InterfaceUnderstanding the CSV Templates Click Download Add Template Creating the Import File Header Field Description Updating the Records in the ACS Internal Store Deleting Records from the ACS Internal Store Common Errors Concurrency Conflict Errors Deletion Errors Display and Readability Features AccessibilitySystem Failure Errors Keyboard and Mouse Features Obtaining Additional Accessibility Information Configuring Minimal System Setup Step No Task Drawer Refer to Settings for Administrators Configuring Local ServerConfiguring Authentication Configuring Administrator Step No Task Drawer Refer to Configuring ACS to Manage Access Policies Task Drawer Refer to Understanding Alarm Configuring System AlarmSettings, Duplicating Alarm OL-24201-01 Managing Network Resources External Servers Choose Network Resources Network Device Groups Network Device GroupsCreating, Duplicating, and Editing Network Device Groups Deleting Network Device Groups Field Description Network Devices and AAA Clients Deleting Network Device Groups from a Hierarchy See Displaying Network Device Properties, Viewing and Performing Bulk Operations for Network DevicesChoose Network Resources Network Devices and AAA Clients Exporting Network Devices and AAA Clients Network Device page appears Performing Bulk Operations for Network Resources and Users Managing Network Resources Network Devices and AAA Clients Exporting Network Resources and Users Creating, Duplicating, and Editing Network Devices Configuring Network Device and AAA Clients TACACS+ KEK SGT Displaying Network Device Properties TACACS+ Security Group AccessAccess Advanced Settings Configuring a Default Network Device Deleting Network Devices About creating network device groups Choose Network Resources External Proxy Servers Working with External Proxy ServersCreating, Duplicating, and Editing External Proxy Servers Choose to create Radius proxy server Deleting External Proxy Servers OL-24201-01 Overview Internal Identity Stores External Identity Stores Ldap Identity Groups Certificate-Based AuthenticationIdentity Stores with Two-Factor Authentication Managing Internal Identity Stores Identity Sequences Authentication Information Click File Operations to Creating Identity GroupsSelect Users and Identity Stores Identity Groups Standard Attributes, User Attributes, Host Attributes, Managing Identity AttributesDeleting an Identity Group Attribute Description Standard AttributesUser Attributes Host Attributes Configuring Authentication Settings for UsersChoose System Administration Users Authentication Settings Password History Options Description Creating Internal Users Option Defined under System Administration Users AuthenticationResources and Users, Administration Users Authentication Settings Identity Stores Internal Identity Stores Users Deleting Users from Internal Identity Stores Mon dd hhmmss UTC YYYY, where Internal Users page appears without the deleted users Creating Hosts in Identity Stores Hhmmss UTC Yyyy , where Deleting Internal Hosts Management Hierarchy Configuring AAA Devices for Management HierarchyConfiguring Users or Hosts for Management Hierarchy Attributes of Management Hierarchy Configuring and Using UserIsInManagement Hierarchy Attribute Related Topics Managing External Identity Stores Ldap Overview Configuring Ldap Groups, Viewing Ldap Attributes, Directory ServiceAuthentication Using Ldap Multiple Ldap Instances Ldap Connection Management Authenticating a User Using a Bind ConnectionFailover Group Membership Information Retrieval Attributes Retrieval Certificate Retrieval Creating External Ldap Identity Stores Configuring an External Ldap Server Connection Ldap Server Connection Configuring External Ldap Directory Organization Schema If the tree containing subjects is the base DN, enter External identity store you created is saved Configuring Ldap Groups Deleting External Ldap Identity Stores Leveraging Cisco NAC Profiler as an External MAB Database Viewing Ldap Attributes Click Server Advanced Options Active Response Delay Ldap Interface Configuration in NAC Profiler Configuring Endpoint Profiles in NAC Profiler Click Save Profile Click the Server Connection tab Edit NAC Profiler Definition General Click Test Configuration Test Bind to Server Dialog Box Number of Subjects Number of Directory Groups Supported Authentication Protocols Microsoft AD User Guide for Cisco Secure Access Control System Machine Authentication Protocol Port number Certificate Retrieval for EAP-TLS Authentication Attribute Retrieval for AuthorizationGroup Retrieval for Authorization Concurrent Connection Management Machine Access Restrictions Callback Options for Dial-in users Machine Authentication AD Group Required ATZ profileDial-in Permissions Dial-in Support Attributes ACS Response Joining ACS to an AD Domain Configuring an AD Identity StoreMachine Authentication, page B-34 Click Selecting an AD Group, Configuring AD Attributes, Selecting an AD Group Configuring AD Attributes Available from the Attributes secondary window only Joining ACS to Domain Controllers Configuring RSA SecurID Agents RSA SecurID Server Creating and Editing RSA SecurID Token Servers PIN RSA Realm Settings Tab Configuring ACS Instance Settings Enable the RSA options file, Reset Agent Files, Enable the RSA options file Reset Agent Files Configuring Advanced Options Check the Enable identity caching check box Radius PAP TACACS+ ASCII/PAP Supported Authentication ProtocolsRadius Identity Stores Groups and Attributes Mapping Password PromptUser Group Mapping Radius Identity Store in Identity Sequence Authentication Failure MessagesCause of Authentication Failure Failure Cases Username Special Format with Safeword Server Radius PAP TACACS+ ASCII\PAP User Attribute CacheCreating, Duplicating, and Editing Radius Identity Servers Configuring General Settings Server Connection Configuring Shell Prompts Configuring Directory Attributes Cisco-av-pair.some-avpair Configuring CA Certificates Configuring Shell Prompts, Configuring Advanced Options, Adding a Certificate Authority Select Users and Identity Stores Certificate Authorities Description of the certificate Deleting a Certificate Authority Configuring Certificate Authentication Profiles Exporting a Certificate Authority Certificate Authentication Profile page reappears Creating, Duplicating, and Editing Identity Store Sequences Configuring Identity Store SequencesAuthentication Sequence Attribute Retrieval Sequence 22 Identity Store Sequence Properties Deleting Identity Store Sequences OL-24201-01 OL-24201-01 Managing Policy Elements Managing Policy Conditions Managing Policy Elements Managing Policy Conditions Deleting a Session Condition, Managing Network Conditions, Select Policy Elements Session Conditions Date and Time Policy, Select Policy Elements Session Conditions Custom Deleting a Session Condition Managing Network Conditions Managing Policy Elements Managing Policy Conditions Importing Network Conditions Exporting Network Conditions Creating, Duplicating, and Editing End Station Filters Defining IP Address-Based End Station Filters Defining MAC Address-Based End Station Filters Defining CLI or DNIS-Based End Station Filters Creating, Duplicating, and Editing Device Filters Defining IP Address-Based Device Filters Defining Name-Based Device Filters Creating, Duplicating, and Editing Device Port Filters Defining NDG-Based Device Filters Defining IP Address-Based Device Port Filters Defining Name-Based Device Port Filters Managing Authorizations and Permissions Defining NDG-Based Device Port Filters Authorization Profiles Specifying Authorization Profiles Specifying Common Attributes in Authorization Profiles Vlan ID/Name Includes a Vlan assignment Specifying Radius Attributes in Authorization Profiles Attribute, its name, value, and type appear in the table. To Dictionary Creating and Editing Security Groups Creating Security Groups, Related Topics Defining Common Tasks, Defining Custom Attributes, Defining General Shell Profile PropertiesDefining Common Tasks Privilege Level Shell Profile Common Tasks Defining Custom Attributes Replace OL-24201-01 Show Duplicated Creating, Duplicating, and Editing Downloadable ACLs Deleting an Authorizations and Permissions Policy Element Appears without the deleted object Configuring Security Group Access Control Lists OL-24201-01 Policy Creation Flow 10-1 10-2 Network Definition and Policy GoalsPolicy Creation Flow-Next Steps Network Definition and Policy Goals, Policy Elements in the Policy Creation FlowPolicy Creation Flow-Previous Step 10-3 Customizing a Policy Access Service Policy CreationService Selection Policy Creation 10-4 10-5 Configuring the Service Selection PolicyConfiguring a Policy-Next Steps Select Access Policies Service Selection Policy Configuring a Simple Service Selection PolicyService Selection Policy 10-6 See Displaying Hit Counts, 10-7 10-8 Creating, Duplicating, and Editing Service Selection RulesSelect Access Policies Service Selection Policy. If you Conditions 10-9 10-10 Deleting Service Selection RulesDisplaying Hit Counts 10-11 Configuring Access ServicesEditing Default Access Services 10-12 Creating, Duplicating, and Editing Access ServicesSelect Access Policies Access Services Configuring General Access Service Properties 10-13 10-14 10-15 Configuring Access Service Allowed ProtocolsSelect Access Policies Access Services, then click Server Certificates, page 18-14for more information 10-16 10-17 10-18 Configuring Access Services Templates 10-19 Type Protocols Policies Conditions Results Deleting an Access ServiceAccess Service 10-20 10-21 Configuring Access Service PoliciesViewing Identity Policies 10-22 Viewing Rules-Based Identity Policies 10-23 Configuring Identity Policy Rule Properties 10-24 10-25 Configuring a Group Mapping Policy 10-26 Displaying Hit Counts, 10-27 Configuring Group Mapping Policy Rule Properties 10-28 Select Access Policies Access Services service Authorization 10-29 10-30 Configuring Network Access Authorization Rule Properties 10-31 Configuring Device Administration Authorization Policies 10-32 10-33 Condition 10-34 Configuring Authorization Exception Policies 10-35 Condition Name 10-36 Creating Policy Rules 10-37 10-38 Duplicating a RuleEditing Policy Rules Deleting Policy Rules 10-39 10-40 Configuring Compound ConditionsCompound Condition Building Blocks Atomic Condition Types of Compound ConditionsOperand1 Operand2 Example 10-41 10-42 Single Nested Compound ConditionMultiple Nested Compound Condition Compound Expression with Dynamic value 10-43 Using the Compound Expression Builder 10-44 Policy Matrix, Security Group Access Control PagesEgress Policy Matrix Policy Page, Editing a Cell in the Egress Policy Matrix Defining a Default Policy for Egress PolicyCreating an Egress Policy, Creating a Default Policy, Creating an Egress Policy, Rule-Based Policy Ndac PolicySimple Policy 10-47 10-48 Configuring an Ndac Policy, Ndac Policy Properties Page,Ndac Policy Properties Configuring an Ndac Policy, Ndac Policy Page, 10-49 10-50 Network Device Access EAP-FAST SettingsMaximum User Sessions 10-51 Max Session User SettingsMax Session Group Settings 10-52 Max Session Global SettingMax User Session Global Settings 10-53 Go to System Administration Users Purge User SessionsPurging User Sessions 10-54 Maximum User Session in Distributed EnvironmentClick Get Logged-in User List Maximum User Session in Proxy Scenario 10-55 10-56 11-1 Logging monitor informational Logging origin-id ipEpm logging Dashboard Pages Authentication Records and DetailsAuthentication Records and Details, 11-2 11-3 Working with Portlets 11-4 Working with Authentication Lookup Portlet 11-5 Dashboard Pages, Running Authentication Lookup Report, Configuring Tabs in the DashboardRunning Authentication Lookup Report Adding Tabs to the Dashboard 11-7 Renaming Tabs in the DashboardAdding Applications to Tabs Click Manage Pages Changing the Dashboard LayoutDeleting Tabs from the Dashboard 11-8 Threshold Alarms Understanding AlarmsThreshold Alarms, System Alarms, 12-1 Evaluating Alarm Thresholds, Notifying Users of Events, Evaluating Alarm ThresholdsSystem Alarms Evaluation Cycle1 12-3 Viewing and Editing Alarms in Your InboxNotifying Users of Events Alarm Severity 12-4 12-5 12-6 12-7 Select Monitoring and Reports Alarms Inbox 12-8 Choose Monitoring and Reports Alarms Schedules Understanding Alarm SchedulesCreating and Editing Alarm Schedules 12-9 12-10 Assigning Alarm Schedules to ThresholdsChoose Monitoring and Reports Alarms Thresholds Select Monitoring and Reports Alarms Thresholds Creating, Editing, and Duplicating Alarm ThresholdsDeleting Alarm Schedules 12-11 12-12 Configuring General Threshold Information 12-13 Passed Authentication Count Configuring Threshold CriteriaPassed Authentications ACS Instance 12-15 Device IP Failed AuthenticationsFailed Authentication Count 12-16 12-17 Authentication Inactivity 12-18 Tacacs Command Accounting 12-19 Tacacs Command Authorization 12-20 ACS Configuration Changes 12-21 ACS System Diagnostics 12-22 ACS Process Status 12-23 12-24 ACS System HealthCPU ACS AAA Health 12-25 Radius Sessions 12-26 12-27 Count of Unknown NAD Authentication RecordsUnknown NAD External DB Unavailable 12-28 Rbacl Drops 12-29 Dstip NADDGT 12-30 12-31 NAD-Reported AAA DowntimeDevice IP Count of NAD-Reported AAA Down Events Configuring Threshold Notifications 12-32 Deleting Alarm Thresholds 12-33 Configuring System Alarm Settings 12-34 12-35 Understanding Alarm Syslog TargetsCreating and Editing Alarm Syslog Targets Deleting Alarm Syslog Targets 12-36 Managing Reports 13-1 Catalog-Monitoring & Reports Reports Catalog reporttype 13-2 Click Add to Favorites Working with Favorite ReportsAdding Reports to Your Favorites 13-3 Choose Monitoring and Reports Reports Favorites Viewing Favorite-Report ParametersClick Add to Favorite 13-4 Select Monitoring & Reports Reports Favorites Editing Favorite ReportsRunning Favorite Reports 13-5 Click Launch Interactive Viewer for more options Sharing ReportsDeleting Reports from Favorites Reports Reports Catalog ACS Instance Report Name Description Logging Category Working with Catalog ReportsAvailable Reports in the Catalog 13-7 13-8 13-9 13-10 Running Catalog Reports 13-11 13-12 13-13 Deleting Catalog ReportsRunning Named Reports Reporttype Reportname 13-14 Understanding the ReportName 13-15 13-16 13-17 Enabling Radius CoA Options on a Device 13-18 13-19 Radius Active Session Report Click Launch Interactive Viewer Customizing ReportsRestoring Reports 13-20 About Interactive Viewer Viewing ReportsAbout Standard Viewer About Interactive Viewer’s Context Menus 13-22 Context Menu for Column Data in Interactive Viewer Using the Table of Contents Navigating Reports Exporting Report Data 13-24 13-25 12 The Export Data Dialog Box 13-26 Printing ReportsSaving Report Designs in Interactive Viewer 13-27 Formatting Reports in Interactive ViewerEditing Labels Resizing Columns Formatting LabelsFormatting Data Select Change Text Formatting Data in Aggregate Rows Changing Column Data AlignmentFormatting Data in Columns Select Style Font 13-30 Formatting Data TypesData type Option Description Formatting Numeric Data 13-31 Data in the data set Result of formatting Formatting Fixed or Scientific Numbers or PercentagesFormatting Custom Numeric Data 13-32 Formatting Custom String Data SymbolFormatting String Data 13-33 13-34 Formatting Date and TimeData in the data source Results of formatting Mmmm Formatting Custom Date and TimeFormat Result of formatting 13-35 13-36 Formatting Boolean DataApplying Conditional Formats 13-37 Setting Conditional Formatting for ColumnsSelect Style Conditional Formatting 13-38 19 Comparison Value Field Deleting Conditional Formatting 13-39 13-40 Setting and Removing Page Breaks in Detail ColumnsSetting and Removing Page Breaks in a Group Column 13-41 Organizing Report DataDisplaying and Organizing Report Data 13-42 Reordering Columns in Interactive ViewerSelect Column Move to Group Header Removing Columns 13-43 Select Hide or Show Items Hiding or Displaying Report ItemsHiding Columns Select Column Hide Column Select Column Show Columns Displaying Hidden ColumnsMerging Columns 13-45 13-46 Selecting a Column from a Merged ColumnSelect Column Merge Columns Sorting Multiple Columns Sorting DataSorting a Single Column Sorting a Single Column, Sorting Multiple Columns, Grouping Data 13-48 13-49 13-50 Adding GroupsGrouping Data Based on Date or Time 13-51 Removing an Inner GroupCreating Report Calculations 13-52 37 Calculated Column 13-53 Understanding Supported Calculation FunctionsFunction Description Example of use 13-54 CountCountdistinct Isbottomnpercent 13-55 13-56 Movingaverage 13-57 Today 13-58 Weightedaverage 13-59 Operator Description Using Numbers and Dates in an ExpressionUnderstanding Supported Operators 13-60 Select Add Calculation Using Multiply Values in Calculated ColumnsAdding Days to an Existing Date Value 13-61 13-62 Working with Aggregate DataSubtracting Date Values in a Calculated Column Aggregate functions Description 13-63 Creating an Aggregate Data Row 13-64 13-65 Adding Additional Aggregate RowsClick Add aggregation Hiding or Displaying Column Data Hiding and Filtering Report DataDeleting Aggregate Rows 13-66 13-67 Displaying Repeated ValuesHiding or Displaying Detail Rows in Groups or Sections 13-68 Working with FiltersCondition Description Types of Filter Conditions 13-69 Setting Filter Values 13-70 Creating Filters 13-71 13-72 Modifying or Clearing a FilterCreating a Filter with Multiple Conditions 13-73 Click Advanced FilterClick Add Condition Filtering Highest or Lowest Values in Columns 13-74 Understanding Charts 13-75 13-76 Modifying ChartsFiltering Chart Data Select Chart Subtype Changing Chart SubtypeChanging Chart Formatting 13-77 50 Chart Formatting Options 13-78 ACS Support Bundle Available Diagnostic and Troubleshooting ToolsConnectivity Tests 14-1 Expert Troubleshooter 14-2 See Comparing Sgacl Policy Between a Network Device and ACS Diagnostic Tool DescriptionPerforming Connectivity Tests ACS-Assigned SGT Records, page 14-14for more information Downloading ACS Support Bundles for Diagnostic Information 14-4 Working with Expert Troubleshooter 14-5 14-6 Troubleshooting Radius AuthenticationsNAS IP 14-7 Click Show Results Summary 14-8 Executing the Show Command on a Network Device 14-9 14-10 Evaluating the Configuration of a Network DeviceAAA 14-11 Comparing Sgacl Policy Between a Network Device and ACSSGA Comparing the SXP-IP Mappings Between a Device and its Peers 14-12 14-13 Click the User Input Required buttonVRF 14-14 Comparing Device SGT with ACS-Assigned Device SGT 14-15 14-16 15-1 15-2 Configuring Data Purging and Incremental Backup 15-3 15-4 15-5 Configuring NFS stagging 15-6 Viewing Log Collections Restoring Data from a BackupConfiguring Data Purging and Incremental Backup, 15-7 Log Collection Details Page, 15-8 Log Collection Details 15-9 15-10 15-11 Recovering Log MessagesViewing Scheduled Jobs 15-12 Viewing Process Status 15-13 Editing Failure Reasons Viewing Data Upgrade StatusViewing Failure Reasons Failure Reasons Editor Email Settings Specifying E-Mail SettingsConfiguring Snmp Preferences 15-15 15-16 Understanding Collection FiltersCreating and Editing Collection Filters Deleting Collection Filters Configuring Alarm Syslog TargetsConfiguring Remote Database Settings 15-17 15-18 Managing System Administrators 16-1 Understanding Administrator Roles and Accounts 16-2 Understanding Roles Configuring System Administrators and AccountsUnderstanding Authentication 16-3 Role Privileges PermissionsPredefined Roles 16-4 Changing Role Associations 16-5 16-6 Administrator Accounts and Role AssociationChoose System Administration Administrators Accounts 16-7 Viewing Role Properties Choose System Administration Administrators RolesViewing Predefined Roles Button and click View Configuring Authentication Settings for Administrators 16-9 16-10 Choose System Administration Administrators Settings Access Configuring Session Idle TimeoutConfiguring Administrator Access Settings Allow All IP Addresses to Connect 16-12 Resetting the Administrator PasswordAccess-setting accept-all Choose My Workspace My Account Changing the Administrator PasswordChanging Your Own Administrator Password 16-13 Resetting Another Administrator’s Password 16-14 Configuring System Operations 17-1 Aaa-server radius-authport Service PortUnderstanding Distributed Deployment 17-2 Activating Secondary Servers, Activating Secondary ServersRemoving Secondary Servers 17-3 Understanding Distributed Deployment, Understanding Local ModePromoting a Secondary Server 17-4 17-5 Specifying a Hardware ReplacementUnderstanding Full Replication Creating, Duplicating, and Editing Scheduled Backups, Scheduled BackupsCreating, Duplicating, and Editing Scheduled Backups Choose System Administration Operations Scheduled Backups 17-7 Backing Up Primary and Secondary InstancesBacking Up Primary and Secondary Instances, 17-8 Editing InstancesViewing and Editing a Primary Instance Ddmmyyyy 17-9 GUI 17-10 17-11 Editing Instances, Viewing and Editing a Primary Instance, Viewing and Editing a Secondary InstanceDeleting a Secondary Instance 17-12 Click Activate Activating a Secondary InstanceRegistering a Secondary Instance to a Primary Instance 17-13 17-14 Click Register to Primary 17-15 17-16 Click DeregisterClick Deregister from Primary 17-17 Replicating a Secondary Instance from a Primary Instance 17-18 Click Full Replication 17-19 See Registering a Secondary Instance to a Primary Instance, 17-20 Failover 17-21 Click Request Local Mode 17-22 17-23 17-24 Manage licensing. See Licensing Overview, Configuring Global System OptionsConfiguring TACACS+ Settings 18-1 Configuring EAP-TLS Settings 18-2 Generating EAP-FAST PAC, Configuring Peap SettingsConfiguring EAP-FAST Settings 18-3 Click Generate PAC Configuring RSA SecurID PromptsGenerating EAP-FAST PAC Tokencode YOU Prepared to Accept a SYSTEM-GENERATED PIN? Managing DictionariesViewing Radius and TACACS+ Attributes Radius Ietf Radius VSAs, page A-6 18-6 Viewing Radius and TACACS+ Attributes, 18-7 18-8 Viewing Radius Vendor-Specific Subattributes 18-9 Configuring Identity Dictionaries 18-10 Configuring Internal Identity Attributes 18-11 18-12 Deleting an Internal User Identity AttributePolicy Elements Session Conditions Custom Deleting an Internal Host Identity Attribute 18-13 18-14 Configuring Local Server CertificatesAdding Local Server Certificates 18-15 Associating Certificates to Protocols,Signing Request, Select Generate Self Signed Certificate Next Generating Self-Signed CertificatesEAP 18-16 Select Generate Certificate Signing Request Next Generating a Certificate Signing RequestBinding CA Signed Certificates Click Finish 18-18 Editing and Renewing CertificatesSelect Bind CA Signed Certificate Next Deleting Certificates 18-19 18-20 Exporting CertificatesViewing Outstanding Signing Requests 18-21 Configuring LogsConfiguring Remote Log Targets Deleting a Remote Log Target, Target ConfigurationGeneral 18-22 Deleting a Remote Log Target Configuring the Local LogConfiguring Remote Log Targets, Deleting Local Log Data Option Descriptions Configuring Logging CategoriesConfiguring Global Logging Categories 18-24 18-25 Category Log and Description 18-26 18-27 Show logging system 18-28 18-29 Configuring Per-Instance Logging CategoriesConfiguring Per-Instance Security and Log Settings, Configuring Per-Instance Security and Log Settings 18-30 Click the Remote Syslog Target tab Configuring Per-Instance Remote Syslog TargetsConfigure Logged Attributes 18-31 Displaying Logging Categories 18-32 18-33 Configuring the Log CollectorViewing the Log Message Catalog License Description Licensing OverviewTypes of Licenses 18-34 Installing a License File 18-35 18-36 Viewing the Base LicensePAK 18-37 Upgrading the Base Server LicenseUpgrading the Base Server License, Viewing License Feature Options 18-38 Adding Deployment License Files 18-39 Click Delete to delete the license file Deleting Deployment License FilesAvailable Downloads 18-40 Downloading Sample Python Scripts Downloading UCP Web Service FilesDownloading Migration Utility Files 18-41 18-42 Downloading Rest ServicesChoose System Administration Downloads Rest Service 19-1 About LoggingAbout Logging, ACS 4.x Versus ACS 5.3 Logging, 19-2 Using Log TargetsLogging Categories 19-3 19-4 Global and Per-Instance Logging CategoriesLog Message Severity Levels 19-5 Local Store TargetACS Severity Syslog Severity Level Description 19-6 Critical Log Target 19-7 Remote Syslog Server Target 19-8 19-9 19-10 Monitoring and Reports Server TargetViewing Log Messages Debug Logs 19-11 19-12 ACS 4.x Versus ACS 5.3 LoggingCSV 19-13 Use the System Configuration LoggingUse the Reports and Activity pages 19-14 Device Administration TACACS+ Typical Use Cases Command Authorization Requests Network Access Radius With and Without EAPSession Access Requests Device Administration TACACS+ PAP Chap PEAP/EAP-GTC RADIUS-Based Flow Without EAP AuthenticationRADIUS-Based Flows with EAP Authentication EAP-FAST/EAP-GTC Figure A-3shows a RADIUS-based authentication with EAP Point of Comparison Access Protocols-TACACS+ and RadiusOverview of TACACS+ Overview of Radius Radius VSAs ACS 5.3 as the AAA Server Radius Attribute Support in ACS Address IP Integer Time Authorization Radius Access RequestsAuthentication Accounting OL-24201-01 Authentication Considerations Authentication and User Databases PAP, page B-2 CHAP, page B-31 EAP-MSCHAPv2, page B-30 Radius PAP Authentication EAP Information see EAP-MSCHAPv2, page B-30 EAP message type EAP codeEAP Method Description EAP-GTC EAP- MD5 Flow in ACS Host Lookup, Overview of Agentless Network Access,Overview of EAP-MD5 User Certificate Authentication Overview of EAP-TLS PKI Authentication PKI Credentials PKI Usage Importing Trust Certificates Acquiring Local CertificatesFixed Management Certificates Certificate Generation Importing the ACS Server CertificateInitial Self-Signed Certificate Generation Exporting Credentials Securing the Cryptographic Sensitive Material Hardware Replacement and CertificatesCredentials Distribution Private Keys and Passwords Backup EAP-TLS Flow in ACS PEAPv0/1 Overview of PEAP, page B-15 EAP-MSCHAPv2, page B-30 Supported Peap Features Overview of Peap Fast Reconnect Peap Flow in ACS Creating the TLS Tunnel Authenticating with MSCHAPv2 Overview of EAP-FAST EAP-FAST EAP-FAST in ACS EAP-FAST Benefits About Master-Keys About PACs Provisioning Modes Types of PACs Automatic In-Band PAC Provisioning Proactive PAC Update ACS-Supported Features for PACsMachine PAC Authentication PAC Type Tunnel v1/v1a/SGA Machine Authorization Accept Peer on Authenticated ProvisioningPAC-Less Authentication PAC EAP-FAST for Allow TLS Renegotiation EAP-FAST Flow in ACSMaster Key Generation and PAC TTLs EAP-FAST PAC Management Revocation Method Key Distribution AlgorithmEAP-FAST PAC-Opaque Packing and Unpacking EAP Authentication with Radius Key Wrap PAC Migration from ACS EAP-MSCHAPv2 MSCHAPv2 for User AuthenticationMSCHAPv2 for Change Password Overview of EAP-MSCHAPv2 Windows Machine Authentication Against AD EAP- MSCHAPv2 Flow in ACS SAN Certificate AttributesCertificate Binary Comparison SAN-DNS Certificate Revocation Rules Relating to Textual Attributes Machine Authentication Identity Store Authentication Protocol and Identity Store CompatibilityMicrosoft AD, Managing External Identity Stores, MSCHAPv1/MSCHAPv2 EAP-TLS EAP-MSCHAPv2 OpenSSL License License IssuesOpenSSL/Open SSL Project Original SSLeay License Appendix C Open Source License Acknowledgments OL-24201-01 O S S a R Y GL-1 Capability of ACS to record user sessions in a log file GL-2 Validity and conformance of the original information GL-3 GL-4 GL-5 GL-6 GL-7 GL-8 GL-9 FTP EAP-FAST PAC GL-10 GL-11 GL-12 Service providerISP GL-13 GL-14 Extension within certificate information GL-15 GL-16 GL-17 GL-18 GL-19 GL-20 Symbols IN-1 IN-2 Date expressions IN-3 Formatting symbols IN-4 Hide Detail command IN-5 IN-6 Or operator 13-60,13-74 IN-7 Summary values IN-8 Upper function IN-9 IN-10