ACS and Cisco Security Group Access | Cisco Systems OL-24201-01

Chapter 4 Common Scenarios Using ACS

ACS and Cisco Security Group Access

Related Topics

•VPN Remote Network Access, page 4-20

•Supported Authentication Protocols, page 4-21

•Supported Identity Stores, page 4-21

•Supported VPN Network Access Servers, page 4-22

•Supported VPN Clients, page 4-22

•Configuring VPN Remote Access Service, page 4-22

ACS and Cisco Security Group Access

Note ACS requires an additional feature license to enable Security Group Access capabilities.

Cisco Security Group Access, hereafter referred to as Security Group Access, is a new security architecture for Cisco products. You can use Security Group Access to create a trustworthy network fabric that provides confidentiality, message authentication, integrity, and antireplay protection on network traffic.

Security Group Access requires that all network devices have an established identity, and must be authenticated and authorized before they start operating in the network. This precaution prevents the attachment of rogue network devices in a secure network.

Until now, ACS authenticated only users and hosts to grant them access to the network. With Security Group Access, ACS also authenticates devices such as routers and switches by using a name and password. Any device with a Network Interface Card (NIC) must authenticate itself or stay out of the trusted network.

Security is improved and device management is simplified since devices can be identified by their name rather than IP address.

Note The Cisco Catalyst 6500 running Cisco IOS 12.2(33) SXI and DataCenter 3.0 (Nexus 7000) NX-OS

4.0.3devices support Security Group Access. The Cisco Catalyst 6500 supports Security Group Tags (SGTs); however, it does not support Security Group Access Control Lists (SGACLs) in this release.

To configure ACS for Security Group Access:

1.Add users.

This is the general task to add users in ACS and is not specific to Security Group Access. Choose Users and Identity Stores > Internal Identity Store > Users and click Create. See Creating Internal Users, page 8-11, for more information.

2.Adding Devices for Security Group Access.

3.Creating Security Groups.

4.Creating SGACLs.

5.Configuring an NDAC Policy.

		User Guide for Cisco Secure Access Control System 5.3
		User Guide for Cisco Secure Access Control System 5.3
	OL-24201-01			4-23
	OL-24201-01			4-23

Image 87

Cisco Systems OL-24201-01 manual ACS and Cisco Security Group Access

Contents

Americas Headquarters User Guide for Cisco Secure Access Control SystemPage Iii N T E N T S Rules-Based Service Selection Configuring an Authorization Policy for Host Lookup Requests My Account Vii Exporting Network Devices and AAA Clients Viii Failover Radius Identity Store in Identity Sequence Managing Access Policies Maximum User Session in Distributed Environment Xii Creating and Editing Alarm Schedules Xiii Exporting Report Data Xiv Adding Groups Filtering Chart Data Xvi Managing System Administrators Xvii Activating a Secondary Instance Xviii Configuring Logs Xix Using Log Targets PKI Usage Xxi EAP-MSCHAPv2 B-30 Xxii Audience Document ConventionsRevised April 17 Store Documentation UpdatesRelated Documentation Date Description Obtaining Documentation and Submitting a Service Request Preface User Guide for Cisco Secure Access Control System Overview of ACS Introducing ACS Related Topic ACS Distributed DeploymentACS 4.x and 5.3 Replication Related Topics ACS Licensing Model ACS Management InterfacesACS ACS Web-based Interface ACS Command Line Interface ACS Web-based Interface, ConfigHardware Models Supported by ACS ACS Programmatic Interfaces OL-24201-01 Migrating from ACS 4.x to ACS Migration Requirements, Supported Migration Versions, Overview of the Migration ProcessMigration Requirements Supported Migration Versions Migrating from ACS 4.x to ACS Select System Administration Downloads Migration UtilityBefore You Begin Downloading Migration Files Migrating from ACS 4.x to ACS Functionality Mapping from ACS 4.x to ACS Radius VSA Common Scenarios in MigrationMigrating from ACS 4.2 on Csacs 1120 to ACS Radius VSA Migrating Data from Other AAA Servers to ACS Migrating from ACS 3.x to ACS Migrating from ACS 4.x to ACS Common Scenarios in Migration OL-24201-01 Overview of the ACS 5.x Policy Model ACS 5.x Policy Model Information in ACS 5.3 Policy Element Term Description Policy Terminology Simple Policies Rule-Based PoliciesTypes of Policies, Types of Policies Policy Type Access Services Radius and TACACS+ Proxy Services Access Service B Access Service C Access Service aFor Device Administration Hosts Wireless Devices Access Service Templates Feature ACS Identity Policy Failure Options Authorization Policy for Device Administration Processing Rules with Multiple Command SetsGroup Mapping Policy Simple Service Selection, Rules-Based Service Selection, Service Selection PolicySimple Service Selection Exception Authorization Policy Rules Access Services and Service Selection Scenarios Rules-Based Service Selection Example Policy Rule Table First-Match Rule Tables Column Description Authorization Profiles for Network Access Policy ConditionsPolicy Results Policies and Identity Attributes Processing Rules with Multiple Authorization Profiles Example of a Rule-Based Policy Policies and Network Device Groups Prerequisites Flows for Configuring Services and Policies Editing a Custom Session Condition, Editing Access Services,Customizing a Policy, Configuring Access Service Policies, Step Action Drawer in Web Interface Related Topics OL-24201-01 Common Scenarios Using ACS Overview of Device Administration Session Administration Command Authorization Password-Based Network Access TACACS+ Custom Services and AttributesOverview of Password-Based Network Access RADIUS-PAP RADIUS-CHAP PEAP-GTCEAP-FAST-GTC EAP-MD5 Leap Radius Chap Password-Based Network Access Configuration FlowProtocol Action MAB Radius PAP Peap EAP-MSCHAPv2 or EAP-GTC or bothEAP-FAST Overview of Certificate-Based Network Access Certificate-Based Network Access EAP-TLS Using Certificates in ACSCertificate-Based Network Access for EAP-TLS Before you Begin User Guide for Cisco Secure Access Control System Agentless Network Access Overview of Agentless Network AccessValidating an Ldap Secure Authentication Connection Host Lookup Use Cases Attribute802.1x Authentication with Call Check Process Service-Type Call Check PAP/EAP-MD5 Authentication For more information, see , Managing Policy Elements Agentless Network Access Flow Next Step Configuring an Ldap External Identity Store for Host LookupAdding a Host to an Internal Identity Store Previous Step Managing Identity Attributes, Creating an Access Service for Host LookupCreating an Access Service for Host Lookup, Previous Steps Configuring an Identity Policy for Host Lookup Requests See Viewing Identity Policies, page 10-21, for detailsClick Save Changes VPN Remote Network Access See Customizing a Policy, page 10-4, for more informationSelect Host Lookup and click OK LDAP-RADIUS/PAP Supported Authentication ProtocolsSupported Identity Stores RADIUS/PAP RADIUS/CHAP Supported VPN Network Access Servers Configuring VPN Remote Access ServiceSupported VPN Clients ACS and Cisco Security Group Access Creating Security Groups Adding Devices for Security Group Access Creating SGACLs Configuring an Ndac Policy Configuring EAP-FAST Settings for Security Group Access Creating an Access Service for Security Group AccessSelect Network Access, and check Identity and Authorization Creating an Egress Policy Creating an Endpoint Admission Control Policy Creating a Default Policy Radius and TACACS+ Proxy Requests Supported Protocols Tacplusauthor TacplusauthenTacplusacct PAP Ascii Chap Supported Radius AttributesTACACS+ Body Encryption Connection to TACACS+ Server Configuring Proxy Service Welcome My Workspace WelcomeField Description My Account Task Guides Using the Web Interface Accessing the Web InterfaceLogging In, Logging Out, Logging Logging Out Understanding the Web Interface Header Header, Navigation Pane, Content Area,Navigation Pane, Content Area, Web Interface Design Drawer Function Navigation Pane Header, Content Area, Content Area Web Interface Location Deleted item Button or Field Description Sorting Filtering Secondary Windows Secondary Window Transfer Boxes Transfer Box Fields and Buttons Schedule Boxes Rule Table Pages See Displaying Hit Counts, page 10-10for more information Option Description Supported ACS Objects ACS 5.x Policy ModelSupported ACS Objects, Creating Import Files, Property Name Property Data Type Uments Creating Import Files Click Download Add Template Downloading the Template from the Web InterfaceUnderstanding the CSV Templates Click File Operations Header Field Description Creating the Import File Updating the Records in the ACS Internal Store Deleting Records from the ACS Internal Store Concurrency Conflict Errors Common Errors Deletion Errors Accessibility System Failure ErrorsDisplay and Readability Features Obtaining Additional Accessibility Information Keyboard and Mouse Features Step No Task Drawer Refer to Configuring Minimal System Setup Configuring Administrator Configuring Local ServerConfiguring Authentication Settings for Administrators Step No Task Drawer Refer to Task Drawer Refer to Configuring ACS to Manage Access Policies Duplicating Alarm Configuring System AlarmSettings, Understanding Alarm OL-24201-01 External Servers Managing Network Resources Network Device Groups Creating, Duplicating, and Editing Network Device GroupsChoose Network Resources Network Device Groups Deleting Network Device Groups Field Description Deleting Network Device Groups from a Hierarchy Network Devices and AAA Clients Viewing and Performing Bulk Operations for Network Devices Choose Network Resources Network Devices and AAA ClientsSee Displaying Network Device Properties, Network Device page appears Exporting Network Devices and AAA Clients Performing Bulk Operations for Network Resources and Users Managing Network Resources Network Devices and AAA Clients Creating, Duplicating, and Editing Network Devices Exporting Network Resources and Users Configuring Network Device and AAA Clients TACACS+ SGT KEK Displaying Network Device Properties TACACS+ Access Access Advanced SettingsSecurity Group Deleting Network Devices Configuring a Default Network Device About creating network device groups Working with External Proxy Servers Creating, Duplicating, and Editing External Proxy ServersChoose Network Resources External Proxy Servers Choose to create Radius proxy server Deleting External Proxy Servers OL-24201-01 Internal Identity Stores Overview Ldap External Identity Stores Certificate-Based Authentication Identity Stores with Two-Factor AuthenticationIdentity Groups Identity Sequences Managing Internal Identity Stores Authentication Information Creating Identity Groups Select Users and Identity Stores Identity GroupsClick File Operations to Managing Identity Attributes Deleting an Identity GroupStandard Attributes, User Attributes, Host Attributes, Standard Attributes User AttributesAttribute Description Configuring Authentication Settings for Users Choose System Administration Users Authentication SettingsHost Attributes Options Description Password History Creating Internal Users Defined under System Administration Users Authentication Resources and Users,Option Identity Stores Internal Identity Stores Users Administration Users Authentication Settings Mon dd hhmmss UTC YYYY, where Deleting Users from Internal Identity Stores Internal Users page appears without the deleted users Creating Hosts in Identity Stores Hhmmss UTC Yyyy , where Deleting Internal Hosts Attributes of Management Hierarchy Configuring AAA Devices for Management HierarchyConfiguring Users or Hosts for Management Hierarchy Management Hierarchy Configuring and Using UserIsInManagement Hierarchy Attribute Related Topics Ldap Overview Managing External Identity Stores Multiple Ldap Instances Directory ServiceAuthentication Using Ldap Configuring Ldap Groups, Viewing Ldap Attributes, Authenticating a User Using a Bind Connection FailoverLdap Connection Management Attributes Retrieval Group Membership Information Retrieval Creating External Ldap Identity Stores Certificate Retrieval Configuring an External Ldap Server Connection Ldap Server Connection Configuring External Ldap Directory Organization Schema If the tree containing subjects is the base DN, enter External identity store you created is saved Deleting External Ldap Identity Stores Configuring Ldap Groups Viewing Ldap Attributes Leveraging Cisco NAC Profiler as an External MAB Database Click Server Ldap Interface Configuration in NAC Profiler Advanced Options Active Response Delay Click Save Profile Configuring Endpoint Profiles in NAC Profiler Edit NAC Profiler Definition General Click the Server Connection tab Test Bind to Server Dialog Box Click Test Configuration Number of Subjects Number of Directory Groups Microsoft AD Supported Authentication Protocols User Guide for Cisco Secure Access Control System Protocol Port number Machine Authentication Concurrent Connection Management Attribute Retrieval for AuthorizationGroup Retrieval for Authorization Certificate Retrieval for EAP-TLS Authentication Machine Access Restrictions Machine Authentication AD Group Required ATZ profile Dial-in PermissionsCallback Options for Dial-in users ACS Response Dial-in Support Attributes Configuring an AD Identity Store Machine Authentication, page B-34Joining ACS to an AD Domain Click Selecting an AD Group Selecting an AD Group, Configuring AD Attributes, Configuring AD Attributes Available from the Attributes secondary window only Joining ACS to Domain Controllers RSA SecurID Server Configuring RSA SecurID Agents PIN Creating and Editing RSA SecurID Token Servers RSA Realm Settings Tab Enable the RSA options file, Reset Agent Files, Configuring ACS Instance Settings Reset Agent Files Enable the RSA options file Check the Enable identity caching check box Configuring Advanced Options Supported Authentication Protocols Radius Identity StoresRadius PAP TACACS+ ASCII/PAP Password Prompt User Group MappingGroups and Attributes Mapping Username Special Format with Safeword Server Authentication Failure MessagesCause of Authentication Failure Failure Cases Radius Identity Store in Identity Sequence User Attribute Cache Creating, Duplicating, and Editing Radius Identity ServersRadius PAP TACACS+ ASCII\PAP Configuring General Settings Server Connection Configuring Shell Prompts Cisco-av-pair.some-avpair Configuring Directory Attributes Configuring Shell Prompts, Configuring Advanced Options, Configuring CA Certificates Select Users and Identity Stores Certificate Authorities Adding a Certificate Authority Description of the certificate Deleting a Certificate Authority Exporting a Certificate Authority Configuring Certificate Authentication Profiles Certificate Authentication Profile page reappears Attribute Retrieval Sequence Configuring Identity Store SequencesAuthentication Sequence Creating, Duplicating, and Editing Identity Store Sequences 22 Identity Store Sequence Properties Deleting Identity Store Sequences OL-24201-01 OL-24201-01 Managing Policy Conditions Managing Policy Elements Managing Policy Elements Managing Policy Conditions Select Policy Elements Session Conditions Date and Time Deleting a Session Condition, Managing Network Conditions, Policy, Select Policy Elements Session Conditions Custom Managing Network Conditions Deleting a Session Condition Managing Policy Elements Managing Policy Conditions Importing Network Conditions Creating, Duplicating, and Editing End Station Filters Exporting Network Conditions Defining IP Address-Based End Station Filters Defining CLI or DNIS-Based End Station Filters Defining MAC Address-Based End Station Filters Creating, Duplicating, and Editing Device Filters Defining Name-Based Device Filters Defining IP Address-Based Device Filters Defining NDG-Based Device Filters Creating, Duplicating, and Editing Device Port Filters Defining IP Address-Based Device Port Filters Defining Name-Based Device Port Filters Defining NDG-Based Device Port Filters Managing Authorizations and Permissions Authorization Profiles Specifying Common Attributes in Authorization Profiles Specifying Authorization Profiles Vlan ID/Name Includes a Vlan assignment Attribute, its name, value, and type appear in the table. To Specifying Radius Attributes in Authorization Profiles Dictionary Creating Security Groups, Creating and Editing Security Groups Related Topics Defining General Shell Profile Properties Defining Common TasksDefining Common Tasks, Defining Custom Attributes, Privilege Level Shell Profile Common Tasks Replace Defining Custom Attributes OL-24201-01 Duplicated Show Creating, Duplicating, and Editing Downloadable ACLs Appears without the deleted object Deleting an Authorizations and Permissions Policy Element Configuring Security Group Access Control Lists OL-24201-01 10-1 Policy Creation Flow Network Definition and Policy Goals Policy Creation Flow-Next Steps10-2 10-3 Policy Elements in the Policy Creation FlowPolicy Creation Flow-Previous Step Network Definition and Policy Goals, 10-4 Access Service Policy CreationService Selection Policy Creation Customizing a Policy Configuring the Service Selection Policy Configuring a Policy-Next Steps10-5 10-6 Configuring a Simple Service Selection PolicyService Selection Policy Select Access Policies Service Selection Policy 10-7 See Displaying Hit Counts, Creating, Duplicating, and Editing Service Selection Rules Select Access Policies Service Selection Policy. If you10-8 10-9 Conditions Deleting Service Selection Rules Displaying Hit Counts10-10 Configuring Access Services Editing Default Access Services10-11 Creating, Duplicating, and Editing Access Services Select Access Policies Access Services10-12 10-13 Configuring General Access Service Properties 10-14 Configuring Access Service Allowed Protocols Select Access Policies Access Services, then click10-15 10-16 Server Certificates, page 18-14for more information 10-17 10-18 10-19 Configuring Access Services Templates 10-20 Deleting an Access ServiceAccess Service Type Protocols Policies Conditions Results Configuring Access Service Policies Viewing Identity Policies10-21 10-22 10-23 Viewing Rules-Based Identity Policies 10-24 Configuring Identity Policy Rule Properties 10-25 10-26 Configuring a Group Mapping Policy 10-27 Displaying Hit Counts, 10-28 Configuring Group Mapping Policy Rule Properties 10-29 Select Access Policies Access Services service Authorization 10-30 10-31 Configuring Network Access Authorization Rule Properties 10-32 Configuring Device Administration Authorization Policies 10-33 10-34 Condition 10-35 Configuring Authorization Exception Policies 10-36 Condition Name 10-37 Creating Policy Rules Duplicating a Rule Editing Policy Rules10-38 10-39 Deleting Policy Rules Configuring Compound Conditions Compound Condition Building Blocks10-40 10-41 Types of Compound ConditionsOperand1 Operand2 Example Atomic Condition Single Nested Compound Condition Multiple Nested Compound Condition10-42 10-43 Compound Expression with Dynamic value 10-44 Using the Compound Expression Builder Policy Page, Security Group Access Control PagesEgress Policy Matrix Policy Matrix, Creating an Egress Policy, Defining a Default Policy for Egress PolicyCreating an Egress Policy, Creating a Default Policy, Editing a Cell in the Egress Policy Matrix 10-47 Ndac PolicySimple Policy Rule-Based Policy Configuring an Ndac Policy, Ndac Policy Properties Page, Ndac Policy Properties10-48 10-49 Configuring an Ndac Policy, Ndac Policy Page, Network Device Access EAP-FAST Settings Maximum User Sessions10-50 Max Session User Settings Max Session Group Settings10-51 Max Session Global Setting Max User Session Global Settings10-52 Go to System Administration Users Purge User Sessions Purging User Sessions10-53 Maximum User Session in Distributed Environment Click Get Logged-in User List10-54 10-55 Maximum User Session in Proxy Scenario 10-56 Logging monitor informational Logging origin-id ip Epm logging11-1 11-2 Authentication Records and DetailsAuthentication Records and Details, Dashboard Pages 11-3 11-4 Working with Portlets 11-5 Working with Authentication Lookup Portlet Adding Tabs to the Dashboard Configuring Tabs in the DashboardRunning Authentication Lookup Report Dashboard Pages, Running Authentication Lookup Report, Renaming Tabs in the Dashboard Adding Applications to Tabs11-7 11-8 Changing the Dashboard LayoutDeleting Tabs from the Dashboard Click Manage Pages 12-1 Understanding AlarmsThreshold Alarms, System Alarms, Threshold Alarms Evaluation Cycle1 Evaluating Alarm ThresholdsSystem Alarms Evaluating Alarm Thresholds, Notifying Users of Events, Viewing and Editing Alarms in Your Inbox Notifying Users of Events12-3 12-4 Alarm Severity 12-5 12-6 12-7 12-8 Select Monitoring and Reports Alarms Inbox 12-9 Understanding Alarm SchedulesCreating and Editing Alarm Schedules Choose Monitoring and Reports Alarms Schedules Assigning Alarm Schedules to Thresholds Choose Monitoring and Reports Alarms Thresholds12-10 12-11 Creating, Editing, and Duplicating Alarm ThresholdsDeleting Alarm Schedules Select Monitoring and Reports Alarms Thresholds 12-12 12-13 Configuring General Threshold Information ACS Instance Configuring Threshold CriteriaPassed Authentications Passed Authentication Count 12-15 12-16 Failed AuthenticationsFailed Authentication Count Device IP 12-17 12-18 Authentication Inactivity 12-19 Tacacs Command Accounting 12-20 Tacacs Command Authorization 12-21 ACS Configuration Changes 12-22 ACS System Diagnostics 12-23 ACS Process Status ACS System Health CPU12-24 12-25 ACS AAA Health 12-26 Radius Sessions Count of Unknown NAD Authentication Records Unknown NAD12-27 12-28 External DB Unavailable 12-29 Rbacl Drops 12-30 NADDGT Dstip NAD-Reported AAA Downtime Device IP Count of NAD-Reported AAA Down Events12-31 12-32 Configuring Threshold Notifications 12-33 Deleting Alarm Thresholds 12-34 Configuring System Alarm Settings Understanding Alarm Syslog Targets Creating and Editing Alarm Syslog Targets12-35 12-36 Deleting Alarm Syslog Targets 13-1 Managing Reports 13-2 Catalog-Monitoring & Reports Reports Catalog reporttype 13-3 Working with Favorite ReportsAdding Reports to Your Favorites Click Add to Favorites 13-4 Viewing Favorite-Report ParametersClick Add to Favorite Choose Monitoring and Reports Reports Favorites 13-5 Editing Favorite ReportsRunning Favorite Reports Select Monitoring & Reports Reports Favorites Reports Reports Catalog ACS Instance Sharing ReportsDeleting Reports from Favorites Click Launch Interactive Viewer for more options 13-7 Working with Catalog ReportsAvailable Reports in the Catalog Report Name Description Logging Category 13-8 13-9 13-10 13-11 Running Catalog Reports 13-12 Deleting Catalog Reports Running Named Reports13-13 13-14 Reporttype Reportname 13-15 Understanding the ReportName 13-16 13-17 13-18 Enabling Radius CoA Options on a Device Radius Active Session Report 13-19 13-20 Customizing ReportsRestoring Reports Click Launch Interactive Viewer About Interactive Viewer’s Context Menus Viewing ReportsAbout Standard Viewer About Interactive Viewer Context Menu for Column Data in Interactive Viewer 13-22 Navigating Reports Using the Table of Contents 13-24 Exporting Report Data 12 The Export Data Dialog Box 13-25 Printing Reports Saving Report Designs in Interactive Viewer13-26 Formatting Reports in Interactive Viewer Editing Labels13-27 Select Change Text Formatting LabelsFormatting Data Resizing Columns Select Style Font Changing Column Data AlignmentFormatting Data in Columns Formatting Data in Aggregate Rows Formatting Data Types Data type Option Description13-30 13-31 Formatting Numeric Data 13-32 Formatting Fixed or Scientific Numbers or PercentagesFormatting Custom Numeric Data Data in the data set Result of formatting 13-33 SymbolFormatting String Data Formatting Custom String Data Formatting Date and Time Data in the data source Results of formatting13-34 13-35 Formatting Custom Date and TimeFormat Result of formatting Mmmm Formatting Boolean Data Applying Conditional Formats13-36 Setting Conditional Formatting for Columns Select Style Conditional Formatting13-37 19 Comparison Value Field 13-38 13-39 Deleting Conditional Formatting Setting and Removing Page Breaks in Detail Columns Setting and Removing Page Breaks in a Group Column13-40 Organizing Report Data Displaying and Organizing Report Data13-41 Reordering Columns in Interactive Viewer Select Column Move to Group Header13-42 13-43 Removing Columns Select Column Hide Column Hiding or Displaying Report ItemsHiding Columns Select Hide or Show Items 13-45 Displaying Hidden ColumnsMerging Columns Select Column Show Columns Selecting a Column from a Merged Column Select Column Merge Columns13-46 Sorting a Single Column, Sorting Multiple Columns, Sorting DataSorting a Single Column Sorting Multiple Columns 13-48 Grouping Data 13-49 Adding Groups Grouping Data Based on Date or Time13-50 Removing an Inner Group Creating Report Calculations13-51 37 Calculated Column 13-52 Understanding Supported Calculation Functions Function Description Example of use13-53 Count Countdistinct13-54 13-55 Isbottomnpercent 13-56 13-57 Movingaverage 13-58 Today 13-59 Weightedaverage 13-60 Using Numbers and Dates in an ExpressionUnderstanding Supported Operators Operator Description 13-61 Using Multiply Values in Calculated ColumnsAdding Days to an Existing Date Value Select Add Calculation Working with Aggregate Data Subtracting Date Values in a Calculated Column13-62 13-63 Aggregate functions Description 13-64 Creating an Aggregate Data Row Adding Additional Aggregate Rows Click Add aggregation13-65 13-66 Hiding and Filtering Report DataDeleting Aggregate Rows Hiding or Displaying Column Data Displaying Repeated Values Hiding or Displaying Detail Rows in Groups or Sections13-67 Working with Filters Condition Description13-68 13-69 Types of Filter Conditions 13-70 Setting Filter Values 13-71 Creating Filters Modifying or Clearing a Filter Creating a Filter with Multiple Conditions13-72 Click Advanced Filter Click Add Condition13-73 13-74 Filtering Highest or Lowest Values in Columns 13-75 Understanding Charts Modifying Charts Filtering Chart Data13-76 13-77 Changing Chart SubtypeChanging Chart Formatting Select Chart Subtype 13-78 50 Chart Formatting Options 14-1 Available Diagnostic and Troubleshooting ToolsConnectivity Tests ACS Support Bundle 14-2 Expert Troubleshooter ACS-Assigned SGT Records, page 14-14for more information Diagnostic Tool DescriptionPerforming Connectivity Tests See Comparing Sgacl Policy Between a Network Device and ACS 14-4 Downloading ACS Support Bundles for Diagnostic Information 14-5 Working with Expert Troubleshooter Troubleshooting Radius Authentications NAS IP14-6 14-7 14-8 Click Show Results Summary 14-9 Executing the Show Command on a Network Device Evaluating the Configuration of a Network Device AAA14-10 Comparing Sgacl Policy Between a Network Device and ACS SGA14-11 14-12 Comparing the SXP-IP Mappings Between a Device and its Peers Click the User Input Required button VRF14-13 14-14 14-15 Comparing Device SGT with ACS-Assigned Device SGT 14-16 15-1 15-2 15-3 Configuring Data Purging and Incremental Backup 15-4 15-5 15-6 Configuring NFS stagging 15-7 Restoring Data from a BackupConfiguring Data Purging and Incremental Backup, Viewing Log Collections 15-8 Log Collection Details Page, 15-9 Log Collection Details 15-10 Recovering Log Messages Viewing Scheduled Jobs15-11 15-12 15-13 Viewing Process Status Failure Reasons Editor Viewing Data Upgrade StatusViewing Failure Reasons Editing Failure Reasons 15-15 Specifying E-Mail SettingsConfiguring Snmp Preferences Email Settings Understanding Collection Filters Creating and Editing Collection Filters15-16 15-17 Configuring Alarm Syslog TargetsConfiguring Remote Database Settings Deleting Collection Filters 15-18 16-1 Managing System Administrators 16-2 Understanding Administrator Roles and Accounts 16-3 Configuring System Administrators and AccountsUnderstanding Authentication Understanding Roles 16-4 PermissionsPredefined Roles Role Privileges 16-5 Changing Role Associations Administrator Accounts and Role Association Choose System Administration Administrators Accounts16-6 16-7 Button and click View Choose System Administration Administrators RolesViewing Predefined Roles Viewing Role Properties 16-9 Configuring Authentication Settings for Administrators 16-10 Allow All IP Addresses to Connect Configuring Session Idle TimeoutConfiguring Administrator Access Settings Choose System Administration Administrators Settings Access Resetting the Administrator Password Access-setting accept-all16-12 16-13 Changing the Administrator PasswordChanging Your Own Administrator Password Choose My Workspace My Account 16-14 Resetting Another Administrator’s Password 17-1 Configuring System Operations 17-2 Service PortUnderstanding Distributed Deployment Aaa-server radius-authport 17-3 Activating Secondary ServersRemoving Secondary Servers Activating Secondary Servers, 17-4 Understanding Local ModePromoting a Secondary Server Understanding Distributed Deployment, Specifying a Hardware Replacement Understanding Full Replication17-5 Choose System Administration Operations Scheduled Backups Scheduled BackupsCreating, Duplicating, and Editing Scheduled Backups Creating, Duplicating, and Editing Scheduled Backups, Backing Up Primary and Secondary Instances Backing Up Primary and Secondary Instances,17-7 Editing Instances Viewing and Editing a Primary Instance17-8 17-9 Ddmmyyyy 17-10 GUI 17-11 17-12 Viewing and Editing a Secondary InstanceDeleting a Secondary Instance Editing Instances, Viewing and Editing a Primary Instance, 17-13 Activating a Secondary InstanceRegistering a Secondary Instance to a Primary Instance Click Activate 17-14 17-15 Click Register to Primary Click Deregister Click Deregister from Primary17-16 17-17 17-18 Replicating a Secondary Instance from a Primary Instance 17-19 Click Full Replication 17-20 See Registering a Secondary Instance to a Primary Instance, 17-21 Failover 17-22 Click Request Local Mode 17-23 17-24 18-1 Configuring Global System OptionsConfiguring TACACS+ Settings Manage licensing. See Licensing Overview, 18-2 Configuring EAP-TLS Settings 18-3 Configuring Peap SettingsConfiguring EAP-FAST Settings Generating EAP-FAST PAC, Tokencode Configuring RSA SecurID PromptsGenerating EAP-FAST PAC Click Generate PAC Radius Ietf Managing DictionariesViewing Radius and TACACS+ Attributes YOU Prepared to Accept a SYSTEM-GENERATED PIN? 18-6 Radius VSAs, page A-6 18-7 Viewing Radius and TACACS+ Attributes, 18-8 18-9 Viewing Radius Vendor-Specific Subattributes 18-10 Configuring Identity Dictionaries 18-11 Configuring Internal Identity Attributes Deleting an Internal User Identity Attribute Policy Elements Session Conditions Custom18-12 18-13 Deleting an Internal Host Identity Attribute Configuring Local Server Certificates Adding Local Server Certificates18-14 Associating Certificates to Protocols, Signing Request,18-15 18-16 Generating Self-Signed CertificatesEAP Select Generate Self Signed Certificate Next Click Finish Generating a Certificate Signing RequestBinding CA Signed Certificates Select Generate Certificate Signing Request Next Editing and Renewing Certificates Select Bind CA Signed Certificate Next18-18 18-19 Deleting Certificates Exporting Certificates Viewing Outstanding Signing Requests18-20 Configuring Logs Configuring Remote Log Targets18-21 18-22 Target ConfigurationGeneral Deleting a Remote Log Target, Deleting Local Log Data Configuring the Local LogConfiguring Remote Log Targets, Deleting a Remote Log Target 18-24 Configuring Logging CategoriesConfiguring Global Logging Categories Option Descriptions 18-25 18-26 Category Log and Description 18-27 18-28 Show logging system Configuring Per-Instance Logging Categories Configuring Per-Instance Security and Log Settings,18-29 18-30 Configuring Per-Instance Security and Log Settings 18-31 Configuring Per-Instance Remote Syslog TargetsConfigure Logged Attributes Click the Remote Syslog Target tab 18-32 Displaying Logging Categories Configuring the Log Collector Viewing the Log Message Catalog18-33 18-34 Licensing OverviewTypes of Licenses License Description 18-35 Installing a License File Viewing the Base License PAK18-36 Upgrading the Base Server License Upgrading the Base Server License,18-37 18-38 Viewing License Feature Options 18-39 Adding Deployment License Files 18-40 Deleting Deployment License FilesAvailable Downloads Click Delete to delete the license file 18-41 Downloading UCP Web Service FilesDownloading Migration Utility Files Downloading Sample Python Scripts Downloading Rest Services Choose System Administration Downloads Rest Service18-42 About Logging About Logging, ACS 4.x Versus ACS 5.3 Logging,19-1 Using Log Targets Logging Categories19-2 19-3 Global and Per-Instance Logging Categories Log Message Severity Levels19-4 Local Store Target ACS Severity Syslog Severity Level Description19-5 19-6 19-7 Critical Log Target 19-8 Remote Syslog Server Target 19-9 Monitoring and Reports Server Target Viewing Log Messages19-10 19-11 Debug Logs ACS 4.x Versus ACS 5.3 Logging CSV19-12 Use the System Configuration Logging Use the Reports and Activity pages19-13 19-14 Typical Use Cases Device Administration TACACS+ PAP Chap Network Access Radius With and Without EAPSession Access Requests Device Administration TACACS+ Command Authorization Requests EAP-FAST/EAP-GTC RADIUS-Based Flow Without EAP AuthenticationRADIUS-Based Flows with EAP Authentication PEAP/EAP-GTC Figure A-3shows a RADIUS-based authentication with EAP Access Protocols-TACACS+ and Radius Overview of TACACS+Point of Comparison Radius VSAs Overview of Radius ACS 5.3 as the AAA Server Address IP Integer Time Radius Attribute Support in ACS Accounting Radius Access RequestsAuthentication Authorization OL-24201-01 Authentication and User Databases Authentication Considerations EAP-MSCHAPv2, page B-30 PAP, page B-2 CHAP, page B-31 EAP Radius PAP Authentication EAP-GTC EAP message type EAP codeEAP Method Description Information see EAP-MSCHAPv2, page B-30 Host Lookup, Overview of Agentless Network Access, Overview of EAP-MD5EAP- MD5 Flow in ACS Overview of EAP-TLS User Certificate Authentication PKI Authentication PKI Usage PKI Credentials Acquiring Local Certificates Fixed Management CertificatesImporting Trust Certificates Importing the ACS Server Certificate Initial Self-Signed Certificate GenerationCertificate Generation Exporting Credentials Hardware Replacement and Certificates Credentials DistributionSecuring the Cryptographic Sensitive Material EAP-TLS Flow in ACS Private Keys and Passwords Backup Overview of PEAP, page B-15 EAP-MSCHAPv2, page B-30 PEAPv0/1 Overview of Peap Supported Peap Features Fast Reconnect Creating the TLS Tunnel Peap Flow in ACS Overview of EAP-FAST Authenticating with MSCHAPv2 EAP-FAST EAP-FAST Benefits EAP-FAST in ACS About PACs About Master-Keys Types of PACs Provisioning Modes Automatic In-Band PAC Provisioning ACS-Supported Features for PACs Machine PAC AuthenticationProactive PAC Update PAC Accept Peer on Authenticated ProvisioningPAC-Less Authentication PAC Type Tunnel v1/v1a/SGA Machine Authorization EAP-FAST Flow in ACS Master Key Generation and PAC TTLsEAP-FAST for Allow TLS Renegotiation EAP-FAST PAC Management Key Distribution Algorithm EAP-FAST PAC-Opaque Packing and UnpackingRevocation Method PAC Migration from ACS EAP Authentication with Radius Key Wrap Overview of EAP-MSCHAPv2 MSCHAPv2 for User AuthenticationMSCHAPv2 for Change Password EAP-MSCHAPv2 EAP- MSCHAPv2 Flow in ACS Windows Machine Authentication Against AD SAN-DNS Certificate AttributesCertificate Binary Comparison SAN Rules Relating to Textual Attributes Certificate Revocation Machine Authentication MSCHAPv1/MSCHAPv2 Authentication Protocol and Identity Store CompatibilityMicrosoft AD, Managing External Identity Stores, Identity Store EAP-MSCHAPv2 EAP-TLS License Issues OpenSSL/Open SSL ProjectOpenSSL License Original SSLeay License Appendix C Open Source License Acknowledgments OL-24201-01 GL-1 O S S a R Y GL-2 Capability of ACS to record user sessions in a log file GL-3 Validity and conformance of the original information GL-4 GL-5 GL-6 GL-7 GL-8 FTP GL-9 GL-10 EAP-FAST PAC GL-11 GL-12 GL-13 Service providerISP GL-14 GL-15 Extension within certificate information GL-16 GL-17 GL-18 GL-19 GL-20 IN-1 Symbols IN-2 IN-3 Date expressions IN-4 Formatting symbols IN-5 Hide Detail command IN-6 IN-7 Or operator 13-60,13-74 IN-8 Summary values IN-9 Upper function IN-10