Authentication Considerations | Cisco Systems OL-24201-01 instruction

A P P E N D I X B

Authentication in ACS 5.3

Authentication verifies user information to confirm the user's identity. Traditional authentication uses a name and a fixed password. More secure methods use cryptographic techniques, such as those used inside the Challenge Authentication Handshake Protocol (CHAP), OTP, and advanced EAP-based protocols. ACS supports a variety of these authentication methods.

A fundamental implicit relationship exists between authentication and authorization. The more authorization privileges granted to a user, the stronger the authentication should be. ACS supports this relationship by providing various methods of authentication.

Authentication Considerations

Username and password is the most popular, simplest, and least-expensive method of authentication. The disadvantage is that this information can be told to someone else, guessed, or captured. Simple unencrypted username and password is not considered a strong authentication mechanism but can be sufficient for low authorization or privilege levels such as Internet access.

You should use encryption to reduce the risk of password capture on the network. Client and server access-control protocols such as TACACS+ and RADIUS encrypt passwords to prevent them from being captured within a network.

However, TACACS+ and RADIUS operate only between the AAA client and ACS. Before this point in the authentication process, unauthorized persons can obtain clear-text passwords; for example, in the following setups:

•The communication between an end-user client dialing up over a phone line

•An Integrated Services Digital Network (ISDN) line terminating at a network-access server

•Over a TELNET session between an end-user client and the hosting device

Authentication and User Databases

ACS supports a variety of user databases. It supports the ACS internal database and several external user databases, including:

•Windows Active Directory

•LDAP

•RSA SecurID Servers

•RADIUS Identity Servers

User Guide for Cisco Secure Access Control System 5.3

	OL-24201-01	B-1

Image 581

Cisco Systems OL-24201-01 manual Authentication Considerations, Authentication and User Databases

Contents

Americas Headquarters User Guide for Cisco Secure Access Control SystemPage Iii N T E N T S Rules-Based Service Selection Configuring an Authorization Policy for Host Lookup Requests My Account Vii Exporting Network Devices and AAA Clients Viii Failover Radius Identity Store in Identity Sequence Managing Access Policies Maximum User Session in Distributed Environment Xii Creating and Editing Alarm Schedules Xiii Exporting Report Data Xiv Adding Groups Filtering Chart Data Xvi Managing System Administrators Xvii Activating a Secondary Instance Xviii Configuring Logs Xix Using Log Targets PKI Usage Xxi EAP-MSCHAPv2 B-30 Xxii Revised April 17 AudienceDocument Conventions Related Documentation Documentation UpdatesDate Description Store Obtaining Documentation and Submitting a Service Request Preface User Guide for Cisco Secure Access Control System Overview of ACS Introducing ACS ACS 4.x and 5.3 Replication ACS Distributed DeploymentRelated Topics Related Topic ACS ACS Licensing ModelACS Management Interfaces ACS Web-based Interface ACS Command Line Interface Hardware Models Supported by ACS ConfigACS Programmatic Interfaces ACS Web-based Interface, OL-24201-01 Migrating from ACS 4.x to ACS Migration Requirements Overview of the Migration ProcessSupported Migration Versions Migration Requirements, Supported Migration Versions, Before You Begin Select System Administration Downloads Migration UtilityDownloading Migration Files Migrating from ACS 4.x to ACS Migrating from ACS 4.x to ACS Functionality Mapping from ACS 4.x to ACS Radius Migrating from ACS 4.2 on Csacs 1120 to ACS Common Scenarios in MigrationRadius VSA VSA Migrating Data from Other AAA Servers to ACS Migrating from ACS 3.x to ACS Migrating from ACS 4.x to ACS Common Scenarios in Migration OL-24201-01 Overview of the ACS 5.x Policy Model ACS 5.x Policy Model Information in ACS 5.3 Policy Element Term Description Policy Terminology Types of Policies, Simple PoliciesRule-Based Policies Types of Policies Policy Type Access Services For Device Administration Hosts Wireless Devices Access Service B Access Service C Access Service aAccess Service Templates Radius and TACACS+ Proxy Services Feature ACS Identity Policy Failure Options Group Mapping Policy Authorization Policy for Device AdministrationProcessing Rules with Multiple Command Sets Simple Service Selection Service Selection PolicyException Authorization Policy Rules Simple Service Selection, Rules-Based Service Selection, Access Services and Service Selection Scenarios Rules-Based Service Selection Example Policy Rule Table First-Match Rule Tables Column Description Policy Results Authorization Profiles for Network AccessPolicy Conditions Policies and Identity Attributes Processing Rules with Multiple Authorization Profiles Example of a Rule-Based Policy Policies and Network Device Groups Prerequisites Flows for Configuring Services and Policies Customizing a Policy, Configuring Access Service Policies, Editing Access Services,Step Action Drawer in Web Interface Editing a Custom Session Condition, Related Topics OL-24201-01 Common Scenarios Using ACS Overview of Device Administration Session Administration Command Authorization Overview of Password-Based Network Access Password-Based Network AccessTACACS+ Custom Services and Attributes EAP-FAST-GTC EAP-MD5 Leap RADIUS-PAP RADIUS-CHAPPEAP-GTC Protocol Action Password-Based Network Access Configuration FlowMAB Radius PAP Radius Chap EAP-FAST PeapEAP-MSCHAPv2 or EAP-GTC or both Overview of Certificate-Based Network Access Certificate-Based Network Access Certificate-Based Network Access for EAP-TLS Using Certificates in ACSBefore you Begin EAP-TLS User Guide for Cisco Secure Access Control System Validating an Ldap Secure Authentication Connection Agentless Network AccessOverview of Agentless Network Access 802.1x Host LookupUse Cases Attribute Authentication with Call Check Process Service-Type Call Check PAP/EAP-MD5 Authentication For more information, see , Managing Policy Elements Agentless Network Access Flow Adding a Host to an Internal Identity Store Configuring an Ldap External Identity Store for Host LookupPrevious Step Next Step Creating an Access Service for Host Lookup, Creating an Access Service for Host LookupPrevious Steps Managing Identity Attributes, Click Save Changes Configuring an Identity Policy for Host Lookup RequestsSee Viewing Identity Policies, page 10-21, for details Select Host Lookup and click OK VPN Remote Network AccessSee Customizing a Policy, page 10-4, for more information Supported Identity Stores Supported Authentication ProtocolsRADIUS/PAP RADIUS/CHAP LDAP-RADIUS/PAP Supported VPN Clients Supported VPN Network Access ServersConfiguring VPN Remote Access Service ACS and Cisco Security Group Access Creating Security Groups Adding Devices for Security Group Access Creating SGACLs Configuring an Ndac Policy Select Network Access, and check Identity and Authorization Configuring EAP-FAST Settings for Security Group AccessCreating an Access Service for Security Group Access Creating an Egress Policy Creating an Endpoint Admission Control Policy Creating a Default Policy Radius and TACACS+ Proxy Requests Tacplusacct Supported ProtocolsTacplusauthor Tacplusauthen TACACS+ Body Encryption Supported Radius AttributesConnection to TACACS+ Server PAP Ascii Chap Configuring Proxy Service Field Description WelcomeMy Workspace Welcome My Account Task Guides Logging In, Logging Out, Using the Web InterfaceAccessing the Web Interface Logging Logging Out Understanding the Web Interface Navigation Pane, Content Area, Header, Navigation Pane, Content Area,Web Interface Design Header Drawer Function Navigation Pane Header, Content Area, Content Area Web Interface Location Deleted item Button or Field Description Sorting Filtering Secondary Windows Secondary Window Transfer Boxes Transfer Box Fields and Buttons Schedule Boxes Rule Table Pages See Displaying Hit Counts, page 10-10for more information Option Description Supported ACS Objects, Creating Import Files, Supported ACS ObjectsACS 5.x Policy Model Property Name Property Data Type Uments Creating Import Files Understanding the CSV Templates Downloading the Template from the Web InterfaceClick File Operations Click Download Add Template Header Field Description Creating the Import File Updating the Records in the ACS Internal Store Deleting Records from the ACS Internal Store Concurrency Conflict Errors Common Errors Deletion Errors Display and Readability Features AccessibilitySystem Failure Errors Obtaining Additional Accessibility Information Keyboard and Mouse Features Step No Task Drawer Refer to Configuring Minimal System Setup Configuring Authentication Configuring Local ServerSettings for Administrators Configuring Administrator Step No Task Drawer Refer to Task Drawer Refer to Configuring ACS to Manage Access Policies Settings, Configuring System AlarmUnderstanding Alarm Duplicating Alarm OL-24201-01 External Servers Managing Network Resources Choose Network Resources Network Device Groups Network Device GroupsCreating, Duplicating, and Editing Network Device Groups Deleting Network Device Groups Field Description Deleting Network Device Groups from a Hierarchy Network Devices and AAA Clients See Displaying Network Device Properties, Viewing and Performing Bulk Operations for Network DevicesChoose Network Resources Network Devices and AAA Clients Network Device page appears Exporting Network Devices and AAA Clients Performing Bulk Operations for Network Resources and Users Managing Network Resources Network Devices and AAA Clients Creating, Duplicating, and Editing Network Devices Exporting Network Resources and Users Configuring Network Device and AAA Clients TACACS+ SGT KEK Displaying Network Device Properties TACACS+ Security Group AccessAccess Advanced Settings Deleting Network Devices Configuring a Default Network Device About creating network device groups Choose Network Resources External Proxy Servers Working with External Proxy ServersCreating, Duplicating, and Editing External Proxy Servers Choose to create Radius proxy server Deleting External Proxy Servers OL-24201-01 Internal Identity Stores Overview Ldap External Identity Stores Identity Groups Certificate-Based AuthenticationIdentity Stores with Two-Factor Authentication Identity Sequences Managing Internal Identity Stores Authentication Information Click File Operations to Creating Identity GroupsSelect Users and Identity Stores Identity Groups Standard Attributes, User Attributes, Host Attributes, Managing Identity AttributesDeleting an Identity Group Attribute Description Standard AttributesUser Attributes Host Attributes Configuring Authentication Settings for UsersChoose System Administration Users Authentication Settings Options Description Password History Creating Internal Users Option Defined under System Administration Users AuthenticationResources and Users, Identity Stores Internal Identity Stores Users Administration Users Authentication Settings Mon dd hhmmss UTC YYYY, where Deleting Users from Internal Identity Stores Internal Users page appears without the deleted users Creating Hosts in Identity Stores Hhmmss UTC Yyyy , where Deleting Internal Hosts Configuring Users or Hosts for Management Hierarchy Configuring AAA Devices for Management HierarchyManagement Hierarchy Attributes of Management Hierarchy Configuring and Using UserIsInManagement Hierarchy Attribute Related Topics Ldap Overview Managing External Identity Stores Authentication Using Ldap Directory ServiceConfiguring Ldap Groups, Viewing Ldap Attributes, Multiple Ldap Instances Ldap Connection Management Authenticating a User Using a Bind ConnectionFailover Attributes Retrieval Group Membership Information Retrieval Creating External Ldap Identity Stores Certificate Retrieval Configuring an External Ldap Server Connection Ldap Server Connection Configuring External Ldap Directory Organization Schema If the tree containing subjects is the base DN, enter External identity store you created is saved Deleting External Ldap Identity Stores Configuring Ldap Groups Viewing Ldap Attributes Leveraging Cisco NAC Profiler as an External MAB Database Click Server Ldap Interface Configuration in NAC Profiler Advanced Options Active Response Delay Click Save Profile Configuring Endpoint Profiles in NAC Profiler Edit NAC Profiler Definition General Click the Server Connection tab Test Bind to Server Dialog Box Click Test Configuration Number of Subjects Number of Directory Groups Microsoft AD Supported Authentication Protocols User Guide for Cisco Secure Access Control System Protocol Port number Machine Authentication Group Retrieval for Authorization Attribute Retrieval for AuthorizationCertificate Retrieval for EAP-TLS Authentication Concurrent Connection Management Machine Access Restrictions Callback Options for Dial-in users Machine Authentication AD Group Required ATZ profileDial-in Permissions ACS Response Dial-in Support Attributes Joining ACS to an AD Domain Configuring an AD Identity StoreMachine Authentication, page B-34 Click Selecting an AD Group Selecting an AD Group, Configuring AD Attributes, Configuring AD Attributes Available from the Attributes secondary window only Joining ACS to Domain Controllers RSA SecurID Server Configuring RSA SecurID Agents PIN Creating and Editing RSA SecurID Token Servers RSA Realm Settings Tab Enable the RSA options file, Reset Agent Files, Configuring ACS Instance Settings Reset Agent Files Enable the RSA options file Check the Enable identity caching check box Configuring Advanced Options Radius PAP TACACS+ ASCII/PAP Supported Authentication ProtocolsRadius Identity Stores Groups and Attributes Mapping Password PromptUser Group Mapping Cause of Authentication Failure Failure Cases Authentication Failure MessagesRadius Identity Store in Identity Sequence Username Special Format with Safeword Server Radius PAP TACACS+ ASCII\PAP User Attribute CacheCreating, Duplicating, and Editing Radius Identity Servers Configuring General Settings Server Connection Configuring Shell Prompts Cisco-av-pair.some-avpair Configuring Directory Attributes Configuring Shell Prompts, Configuring Advanced Options, Configuring CA Certificates Select Users and Identity Stores Certificate Authorities Adding a Certificate Authority Description of the certificate Deleting a Certificate Authority Exporting a Certificate Authority Configuring Certificate Authentication Profiles Certificate Authentication Profile page reappears Authentication Sequence Configuring Identity Store SequencesCreating, Duplicating, and Editing Identity Store Sequences Attribute Retrieval Sequence 22 Identity Store Sequence Properties Deleting Identity Store Sequences OL-24201-01 OL-24201-01 Managing Policy Conditions Managing Policy Elements Managing Policy Elements Managing Policy Conditions Select Policy Elements Session Conditions Date and Time Deleting a Session Condition, Managing Network Conditions, Policy, Select Policy Elements Session Conditions Custom Managing Network Conditions Deleting a Session Condition Managing Policy Elements Managing Policy Conditions Importing Network Conditions Creating, Duplicating, and Editing End Station Filters Exporting Network Conditions Defining IP Address-Based End Station Filters Defining CLI or DNIS-Based End Station Filters Defining MAC Address-Based End Station Filters Creating, Duplicating, and Editing Device Filters Defining Name-Based Device Filters Defining IP Address-Based Device Filters Defining NDG-Based Device Filters Creating, Duplicating, and Editing Device Port Filters Defining IP Address-Based Device Port Filters Defining Name-Based Device Port Filters Defining NDG-Based Device Port Filters Managing Authorizations and Permissions Authorization Profiles Specifying Common Attributes in Authorization Profiles Specifying Authorization Profiles Vlan ID/Name Includes a Vlan assignment Attribute, its name, value, and type appear in the table. To Specifying Radius Attributes in Authorization Profiles Dictionary Creating Security Groups, Creating and Editing Security Groups Related Topics Defining Common Tasks, Defining Custom Attributes, Defining General Shell Profile PropertiesDefining Common Tasks Privilege Level Shell Profile Common Tasks Replace Defining Custom Attributes OL-24201-01 Duplicated Show Creating, Duplicating, and Editing Downloadable ACLs Appears without the deleted object Deleting an Authorizations and Permissions Policy Element Configuring Security Group Access Control Lists OL-24201-01 10-1 Policy Creation Flow 10-2 Network Definition and Policy GoalsPolicy Creation Flow-Next Steps Policy Creation Flow-Previous Step Policy Elements in the Policy Creation FlowNetwork Definition and Policy Goals, 10-3 Service Selection Policy Creation Access Service Policy CreationCustomizing a Policy 10-4 10-5 Configuring the Service Selection PolicyConfiguring a Policy-Next Steps Service Selection Policy Configuring a Simple Service Selection PolicySelect Access Policies Service Selection Policy 10-6 10-7 See Displaying Hit Counts, 10-8 Creating, Duplicating, and Editing Service Selection RulesSelect Access Policies Service Selection Policy. If you 10-9 Conditions 10-10 Deleting Service Selection RulesDisplaying Hit Counts 10-11 Configuring Access ServicesEditing Default Access Services 10-12 Creating, Duplicating, and Editing Access ServicesSelect Access Policies Access Services 10-13 Configuring General Access Service Properties 10-14 10-15 Configuring Access Service Allowed ProtocolsSelect Access Policies Access Services, then click 10-16 Server Certificates, page 18-14for more information 10-17 10-18 10-19 Configuring Access Services Templates Access Service Deleting an Access ServiceType Protocols Policies Conditions Results 10-20 10-21 Configuring Access Service PoliciesViewing Identity Policies 10-22 10-23 Viewing Rules-Based Identity Policies 10-24 Configuring Identity Policy Rule Properties 10-25 10-26 Configuring a Group Mapping Policy 10-27 Displaying Hit Counts, 10-28 Configuring Group Mapping Policy Rule Properties 10-29 Select Access Policies Access Services service Authorization 10-30 10-31 Configuring Network Access Authorization Rule Properties 10-32 Configuring Device Administration Authorization Policies 10-33 10-34 Condition 10-35 Configuring Authorization Exception Policies 10-36 Condition Name 10-37 Creating Policy Rules 10-38 Duplicating a RuleEditing Policy Rules 10-39 Deleting Policy Rules 10-40 Configuring Compound ConditionsCompound Condition Building Blocks Operand1 Operand2 Example Types of Compound ConditionsAtomic Condition 10-41 10-42 Single Nested Compound ConditionMultiple Nested Compound Condition 10-43 Compound Expression with Dynamic value 10-44 Using the Compound Expression Builder Egress Policy Matrix Security Group Access Control PagesPolicy Matrix, Policy Page, Creating an Egress Policy, Creating a Default Policy, Defining a Default Policy for Egress PolicyEditing a Cell in the Egress Policy Matrix Creating an Egress Policy, Simple Policy Ndac PolicyRule-Based Policy 10-47 10-48 Configuring an Ndac Policy, Ndac Policy Properties Page,Ndac Policy Properties 10-49 Configuring an Ndac Policy, Ndac Policy Page, 10-50 Network Device Access EAP-FAST SettingsMaximum User Sessions 10-51 Max Session User SettingsMax Session Group Settings 10-52 Max Session Global SettingMax User Session Global Settings 10-53 Go to System Administration Users Purge User SessionsPurging User Sessions 10-54 Maximum User Session in Distributed EnvironmentClick Get Logged-in User List 10-55 Maximum User Session in Proxy Scenario 10-56 11-1 Logging monitor informational Logging origin-id ipEpm logging Authentication Records and Details, Authentication Records and DetailsDashboard Pages 11-2 11-3 11-4 Working with Portlets 11-5 Working with Authentication Lookup Portlet Running Authentication Lookup Report Configuring Tabs in the DashboardDashboard Pages, Running Authentication Lookup Report, Adding Tabs to the Dashboard 11-7 Renaming Tabs in the DashboardAdding Applications to Tabs Deleting Tabs from the Dashboard Changing the Dashboard LayoutClick Manage Pages 11-8 Threshold Alarms, System Alarms, Understanding AlarmsThreshold Alarms 12-1 System Alarms Evaluating Alarm ThresholdsEvaluating Alarm Thresholds, Notifying Users of Events, Evaluation Cycle1 12-3 Viewing and Editing Alarms in Your InboxNotifying Users of Events 12-4 Alarm Severity 12-5 12-6 12-7 12-8 Select Monitoring and Reports Alarms Inbox Creating and Editing Alarm Schedules Understanding Alarm SchedulesChoose Monitoring and Reports Alarms Schedules 12-9 12-10 Assigning Alarm Schedules to ThresholdsChoose Monitoring and Reports Alarms Thresholds Deleting Alarm Schedules Creating, Editing, and Duplicating Alarm ThresholdsSelect Monitoring and Reports Alarms Thresholds 12-11 12-12 12-13 Configuring General Threshold Information Passed Authentications Configuring Threshold CriteriaPassed Authentication Count ACS Instance 12-15 Failed Authentication Count Failed AuthenticationsDevice IP 12-16 12-17 12-18 Authentication Inactivity 12-19 Tacacs Command Accounting 12-20 Tacacs Command Authorization 12-21 ACS Configuration Changes 12-22 ACS System Diagnostics 12-23 ACS Process Status 12-24 ACS System HealthCPU 12-25 ACS AAA Health 12-26 Radius Sessions 12-27 Count of Unknown NAD Authentication RecordsUnknown NAD 12-28 External DB Unavailable 12-29 Rbacl Drops DGT NADDstip 12-30 12-31 NAD-Reported AAA DowntimeDevice IP Count of NAD-Reported AAA Down Events 12-32 Configuring Threshold Notifications 12-33 Deleting Alarm Thresholds 12-34 Configuring System Alarm Settings 12-35 Understanding Alarm Syslog TargetsCreating and Editing Alarm Syslog Targets 12-36 Deleting Alarm Syslog Targets 13-1 Managing Reports 13-2 Catalog-Monitoring & Reports Reports Catalog reporttype Adding Reports to Your Favorites Working with Favorite ReportsClick Add to Favorites 13-3 Click Add to Favorite Viewing Favorite-Report ParametersChoose Monitoring and Reports Reports Favorites 13-4 Running Favorite Reports Editing Favorite ReportsSelect Monitoring & Reports Reports Favorites 13-5 Deleting Reports from Favorites Sharing ReportsClick Launch Interactive Viewer for more options Reports Reports Catalog ACS Instance Available Reports in the Catalog Working with Catalog ReportsReport Name Description Logging Category 13-7 13-8 13-9 13-10 13-11 Running Catalog Reports 13-12 13-13 Deleting Catalog ReportsRunning Named Reports 13-14 Reporttype Reportname 13-15 Understanding the ReportName 13-16 13-17 13-18 Enabling Radius CoA Options on a Device Radius Active Session Report 13-19 Restoring Reports Customizing ReportsClick Launch Interactive Viewer 13-20 About Standard Viewer Viewing ReportsAbout Interactive Viewer About Interactive Viewer’s Context Menus Context Menu for Column Data in Interactive Viewer 13-22 Navigating Reports Using the Table of Contents 13-24 Exporting Report Data 12 The Export Data Dialog Box 13-25 13-26 Printing ReportsSaving Report Designs in Interactive Viewer 13-27 Formatting Reports in Interactive ViewerEditing Labels Formatting Data Formatting LabelsResizing Columns Select Change Text Formatting Data in Columns Changing Column Data AlignmentFormatting Data in Aggregate Rows Select Style Font 13-30 Formatting Data TypesData type Option Description 13-31 Formatting Numeric Data Formatting Custom Numeric Data Formatting Fixed or Scientific Numbers or PercentagesData in the data set Result of formatting 13-32 Formatting String Data SymbolFormatting Custom String Data 13-33 13-34 Formatting Date and TimeData in the data source Results of formatting Format Result of formatting Formatting Custom Date and TimeMmmm 13-35 13-36 Formatting Boolean DataApplying Conditional Formats 13-37 Setting Conditional Formatting for ColumnsSelect Style Conditional Formatting 19 Comparison Value Field 13-38 13-39 Deleting Conditional Formatting 13-40 Setting and Removing Page Breaks in Detail ColumnsSetting and Removing Page Breaks in a Group Column 13-41 Organizing Report DataDisplaying and Organizing Report Data 13-42 Reordering Columns in Interactive ViewerSelect Column Move to Group Header 13-43 Removing Columns Hiding Columns Hiding or Displaying Report ItemsSelect Hide or Show Items Select Column Hide Column Merging Columns Displaying Hidden ColumnsSelect Column Show Columns 13-45 13-46 Selecting a Column from a Merged ColumnSelect Column Merge Columns Sorting a Single Column Sorting DataSorting Multiple Columns Sorting a Single Column, Sorting Multiple Columns, 13-48 Grouping Data 13-49 13-50 Adding GroupsGrouping Data Based on Date or Time 13-51 Removing an Inner GroupCreating Report Calculations 37 Calculated Column 13-52 13-53 Understanding Supported Calculation FunctionsFunction Description Example of use 13-54 CountCountdistinct 13-55 Isbottomnpercent 13-56 13-57 Movingaverage 13-58 Today 13-59 Weightedaverage Understanding Supported Operators Using Numbers and Dates in an ExpressionOperator Description 13-60 Adding Days to an Existing Date Value Using Multiply Values in Calculated ColumnsSelect Add Calculation 13-61 13-62 Working with Aggregate DataSubtracting Date Values in a Calculated Column 13-63 Aggregate functions Description 13-64 Creating an Aggregate Data Row 13-65 Adding Additional Aggregate RowsClick Add aggregation Deleting Aggregate Rows Hiding and Filtering Report DataHiding or Displaying Column Data 13-66 13-67 Displaying Repeated ValuesHiding or Displaying Detail Rows in Groups or Sections 13-68 Working with FiltersCondition Description 13-69 Types of Filter Conditions 13-70 Setting Filter Values 13-71 Creating Filters 13-72 Modifying or Clearing a FilterCreating a Filter with Multiple Conditions 13-73 Click Advanced FilterClick Add Condition 13-74 Filtering Highest or Lowest Values in Columns 13-75 Understanding Charts 13-76 Modifying ChartsFiltering Chart Data Changing Chart Formatting Changing Chart SubtypeSelect Chart Subtype 13-77 13-78 50 Chart Formatting Options Connectivity Tests Available Diagnostic and Troubleshooting ToolsACS Support Bundle 14-1 14-2 Expert Troubleshooter Performing Connectivity Tests Diagnostic Tool DescriptionSee Comparing Sgacl Policy Between a Network Device and ACS ACS-Assigned SGT Records, page 14-14for more information 14-4 Downloading ACS Support Bundles for Diagnostic Information 14-5 Working with Expert Troubleshooter 14-6 Troubleshooting Radius AuthenticationsNAS IP 14-7 14-8 Click Show Results Summary 14-9 Executing the Show Command on a Network Device 14-10 Evaluating the Configuration of a Network DeviceAAA 14-11 Comparing Sgacl Policy Between a Network Device and ACSSGA 14-12 Comparing the SXP-IP Mappings Between a Device and its Peers 14-13 Click the User Input Required buttonVRF 14-14 14-15 Comparing Device SGT with ACS-Assigned Device SGT 14-16 15-1 15-2 15-3 Configuring Data Purging and Incremental Backup 15-4 15-5 15-6 Configuring NFS stagging Configuring Data Purging and Incremental Backup, Restoring Data from a BackupViewing Log Collections 15-7 15-8 Log Collection Details Page, 15-9 Log Collection Details 15-10 15-11 Recovering Log MessagesViewing Scheduled Jobs 15-12 15-13 Viewing Process Status Viewing Failure Reasons Viewing Data Upgrade StatusEditing Failure Reasons Failure Reasons Editor Configuring Snmp Preferences Specifying E-Mail SettingsEmail Settings 15-15 15-16 Understanding Collection FiltersCreating and Editing Collection Filters Configuring Remote Database Settings Configuring Alarm Syslog TargetsDeleting Collection Filters 15-17 15-18 16-1 Managing System Administrators 16-2 Understanding Administrator Roles and Accounts Understanding Authentication Configuring System Administrators and AccountsUnderstanding Roles 16-3 Predefined Roles PermissionsRole Privileges 16-4 16-5 Changing Role Associations 16-6 Administrator Accounts and Role AssociationChoose System Administration Administrators Accounts 16-7 Viewing Predefined Roles Choose System Administration Administrators RolesViewing Role Properties Button and click View 16-9 Configuring Authentication Settings for Administrators 16-10 Configuring Administrator Access Settings Configuring Session Idle TimeoutChoose System Administration Administrators Settings Access Allow All IP Addresses to Connect 16-12 Resetting the Administrator PasswordAccess-setting accept-all Changing Your Own Administrator Password Changing the Administrator PasswordChoose My Workspace My Account 16-13 16-14 Resetting Another Administrator’s Password 17-1 Configuring System Operations Understanding Distributed Deployment Service PortAaa-server radius-authport 17-2 Removing Secondary Servers Activating Secondary ServersActivating Secondary Servers, 17-3 Promoting a Secondary Server Understanding Local ModeUnderstanding Distributed Deployment, 17-4 17-5 Specifying a Hardware ReplacementUnderstanding Full Replication Creating, Duplicating, and Editing Scheduled Backups Scheduled BackupsCreating, Duplicating, and Editing Scheduled Backups, Choose System Administration Operations Scheduled Backups 17-7 Backing Up Primary and Secondary InstancesBacking Up Primary and Secondary Instances, 17-8 Editing InstancesViewing and Editing a Primary Instance 17-9 Ddmmyyyy 17-10 GUI 17-11 Deleting a Secondary Instance Viewing and Editing a Secondary InstanceEditing Instances, Viewing and Editing a Primary Instance, 17-12 Registering a Secondary Instance to a Primary Instance Activating a Secondary InstanceClick Activate 17-13 17-14 17-15 Click Register to Primary 17-16 Click DeregisterClick Deregister from Primary 17-17 17-18 Replicating a Secondary Instance from a Primary Instance 17-19 Click Full Replication 17-20 See Registering a Secondary Instance to a Primary Instance, 17-21 Failover 17-22 Click Request Local Mode 17-23 17-24 Configuring TACACS+ Settings Configuring Global System OptionsManage licensing. See Licensing Overview, 18-1 18-2 Configuring EAP-TLS Settings Configuring EAP-FAST Settings Configuring Peap SettingsGenerating EAP-FAST PAC, 18-3 Generating EAP-FAST PAC Configuring RSA SecurID PromptsClick Generate PAC Tokencode Viewing Radius and TACACS+ Attributes Managing DictionariesYOU Prepared to Accept a SYSTEM-GENERATED PIN? Radius Ietf 18-6 Radius VSAs, page A-6 18-7 Viewing Radius and TACACS+ Attributes, 18-8 18-9 Viewing Radius Vendor-Specific Subattributes 18-10 Configuring Identity Dictionaries 18-11 Configuring Internal Identity Attributes 18-12 Deleting an Internal User Identity AttributePolicy Elements Session Conditions Custom 18-13 Deleting an Internal Host Identity Attribute 18-14 Configuring Local Server CertificatesAdding Local Server Certificates 18-15 Associating Certificates to Protocols,Signing Request, EAP Generating Self-Signed CertificatesSelect Generate Self Signed Certificate Next 18-16 Binding CA Signed Certificates Generating a Certificate Signing RequestSelect Generate Certificate Signing Request Next Click Finish 18-18 Editing and Renewing CertificatesSelect Bind CA Signed Certificate Next 18-19 Deleting Certificates 18-20 Exporting CertificatesViewing Outstanding Signing Requests 18-21 Configuring LogsConfiguring Remote Log Targets General Target ConfigurationDeleting a Remote Log Target, 18-22 Configuring Remote Log Targets, Configuring the Local LogDeleting a Remote Log Target Deleting Local Log Data Configuring Global Logging Categories Configuring Logging CategoriesOption Descriptions 18-24 18-25 18-26 Category Log and Description 18-27 18-28 Show logging system 18-29 Configuring Per-Instance Logging CategoriesConfiguring Per-Instance Security and Log Settings, 18-30 Configuring Per-Instance Security and Log Settings Configure Logged Attributes Configuring Per-Instance Remote Syslog TargetsClick the Remote Syslog Target tab 18-31 18-32 Displaying Logging Categories 18-33 Configuring the Log CollectorViewing the Log Message Catalog Types of Licenses Licensing OverviewLicense Description 18-34 18-35 Installing a License File 18-36 Viewing the Base LicensePAK 18-37 Upgrading the Base Server LicenseUpgrading the Base Server License, 18-38 Viewing License Feature Options 18-39 Adding Deployment License Files Available Downloads Deleting Deployment License FilesClick Delete to delete the license file 18-40 Downloading Migration Utility Files Downloading UCP Web Service FilesDownloading Sample Python Scripts 18-41 18-42 Downloading Rest ServicesChoose System Administration Downloads Rest Service 19-1 About LoggingAbout Logging, ACS 4.x Versus ACS 5.3 Logging, 19-2 Using Log TargetsLogging Categories 19-3 19-4 Global and Per-Instance Logging CategoriesLog Message Severity Levels 19-5 Local Store TargetACS Severity Syslog Severity Level Description 19-6 19-7 Critical Log Target 19-8 Remote Syslog Server Target 19-9 19-10 Monitoring and Reports Server TargetViewing Log Messages 19-11 Debug Logs 19-12 ACS 4.x Versus ACS 5.3 LoggingCSV 19-13 Use the System Configuration LoggingUse the Reports and Activity pages 19-14 Typical Use Cases Device Administration TACACS+ Session Access Requests Device Administration TACACS+ Network Access Radius With and Without EAPCommand Authorization Requests PAP Chap RADIUS-Based Flows with EAP Authentication RADIUS-Based Flow Without EAP AuthenticationPEAP/EAP-GTC EAP-FAST/EAP-GTC Figure A-3shows a RADIUS-based authentication with EAP Point of Comparison Access Protocols-TACACS+ and RadiusOverview of TACACS+ Radius VSAs Overview of Radius ACS 5.3 as the AAA Server Address IP Integer Time Radius Attribute Support in ACS Authentication Radius Access RequestsAuthorization Accounting OL-24201-01 Authentication and User Databases Authentication Considerations EAP-MSCHAPv2, page B-30 PAP, page B-2 CHAP, page B-31 EAP Radius PAP Authentication EAP Method Description EAP message type EAP codeInformation see EAP-MSCHAPv2, page B-30 EAP-GTC EAP- MD5 Flow in ACS Host Lookup, Overview of Agentless Network Access,Overview of EAP-MD5 Overview of EAP-TLS User Certificate Authentication PKI Authentication PKI Usage PKI Credentials Importing Trust Certificates Acquiring Local CertificatesFixed Management Certificates Certificate Generation Importing the ACS Server CertificateInitial Self-Signed Certificate Generation Exporting Credentials Securing the Cryptographic Sensitive Material Hardware Replacement and CertificatesCredentials Distribution EAP-TLS Flow in ACS Private Keys and Passwords Backup Overview of PEAP, page B-15 EAP-MSCHAPv2, page B-30 PEAPv0/1 Overview of Peap Supported Peap Features Fast Reconnect Creating the TLS Tunnel Peap Flow in ACS Overview of EAP-FAST Authenticating with MSCHAPv2 EAP-FAST EAP-FAST Benefits EAP-FAST in ACS About PACs About Master-Keys Types of PACs Provisioning Modes Automatic In-Band PAC Provisioning Proactive PAC Update ACS-Supported Features for PACsMachine PAC Authentication PAC-Less Authentication Accept Peer on Authenticated ProvisioningPAC Type Tunnel v1/v1a/SGA Machine Authorization PAC EAP-FAST for Allow TLS Renegotiation EAP-FAST Flow in ACSMaster Key Generation and PAC TTLs EAP-FAST PAC Management Revocation Method Key Distribution AlgorithmEAP-FAST PAC-Opaque Packing and Unpacking PAC Migration from ACS EAP Authentication with Radius Key Wrap MSCHAPv2 for Change Password MSCHAPv2 for User AuthenticationEAP-MSCHAPv2 Overview of EAP-MSCHAPv2 EAP- MSCHAPv2 Flow in ACS Windows Machine Authentication Against AD Certificate Binary Comparison Certificate AttributesSAN SAN-DNS Rules Relating to Textual Attributes Certificate Revocation Machine Authentication Microsoft AD, Managing External Identity Stores, Authentication Protocol and Identity Store CompatibilityIdentity Store MSCHAPv1/MSCHAPv2 EAP-MSCHAPv2 EAP-TLS OpenSSL License License IssuesOpenSSL/Open SSL Project Original SSLeay License Appendix C Open Source License Acknowledgments OL-24201-01 GL-1 O S S a R Y GL-2 Capability of ACS to record user sessions in a log file GL-3 Validity and conformance of the original information GL-4 GL-5 GL-6 GL-7 GL-8 FTP GL-9 GL-10 EAP-FAST PAC GL-11 GL-12 GL-13 Service providerISP GL-14 GL-15 Extension within certificate information GL-16 GL-17 GL-18 GL-19 GL-20 IN-1 Symbols IN-2 IN-3 Date expressions IN-4 Formatting symbols IN-5 Hide Detail command IN-6 IN-7 Or operator 13-60,13-74 IN-8 Summary values IN-9 Upper function IN-10