Appendix H Cisco Secure ACS Internal Architecture
CSMon
H-8
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
• Available space on Cisco Secure ACS installation drive
• Processor utilization
• Physical memory utilization
All events related to generic host system state are categorized as "warning
events".
• Application-specific performance—
  – Application viability—CSMon periodically performs a test login using a
    special built-in test account (the default period is one minute). Problems
    with this authentication can be used to determine if the ACS service has
    been compromised.
  – Application performance thresholds—CSMon monitors and records the
    latency of each test authentication request (the time it takes to receive a
    positive response). Each time this is performed, CSMon updates a
    variable containing the average response time value. Additionally, it
    records whether retries were necessary to achieve a successful response.
    By tracking the average time for each test authentication, CSMon can
    build up a “picture” of expected response time on the system in question.
    CSMon can therefore detect whether excess retries are required for each
    authentication or if response times for a single authentication exceed a
    percentage threshold over the average.
• System resource consumption by Cisco Secure ACS—CSMon periodically
  monitors and records the usage by Cisco Secure ACS of a small set of key
  system resources and compares it against predetermined thresholds for
  indications of atypical behavior. The parameters monitored include the
  following:
  – Handle counts
  – Memory utilization
  – Processor utilization
  – Thread used
  – Failed log-on attempts
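The performance-threshold check described under "Application performance thresholds" can be sketched as follows. This is an added example, not Cisco code or CSMon's actual implementation; the class name, the warning codes, the 50 percent threshold, the retry limit, the warm-up count and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class LatencyBaseline:
    """Running average of test-login latency with the two checks described above."""
    pct_over_avg: float = 50.0  # assumed threshold: percent above the average
    max_retries: int = 1        # assumed: retries tolerated per test login
    min_samples: int = 5        # assumed warm-up before latency is judged
    count: int = 0
    average_ms: float = 0.0

    def observe(self, latency_ms, retries=0, success=True):
        """Record one test authentication and return a list of warning codes."""
        if not success:
            # No positive response: report it and keep it out of the average.
            return ["LOGIN_FAILED"]
        warnings = []
        if retries > self.max_retries:
            warnings.append("EXCESS_RETRIES")
        if self.count >= self.min_samples:
            limit = self.average_ms * (1 + self.pct_over_avg / 100)
            if latency_ms > limit:
                warnings.append("SLOW_RESPONSE")
        # Incremental mean: the average is updated on every successful test login.
        self.count += 1
        self.average_ms += (latency_ms - self.average_ms) / self.count
        return warnings

# Constructed sample: (latency in ms, retries needed, positive response received)
SAMPLES = [
    (100, 0, True), (110, 0, True), (90, 0, True), (105, 0, True), (95, 0, True),
    (120, 0, True),   # within 50% of the 100 ms average
    (200, 0, True),   # above the limit
    (100, 3, True),   # normal latency, but too many retries
    (0, 0, False),    # test login got no positive response
]

def replay(samples, baseline=None):
    """Feed samples through a baseline; return (index, warnings) for flagged ones."""
    baseline = baseline or LatencyBaseline()
    flagged = []
    for i, (latency, retries, ok) in enumerate(samples):
        warnings = baseline.observe(latency, retries, ok)
        if warnings:
            flagged.append((i, warnings))
    return flagged

if __name__ == "__main__":
    for index, warnings in replay(SAMPLES):
        print(index, warnings)
```

Because every successful sample feeds the average, a slow, steady rise in latency raises the baseline with it and never trips the percentage check; a fixed upper bound alongside the relative one covers that case.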
CSMon cooperates with CSAuth to keep track of user accounts being disabled
by exceeding their failed attempts count maximum. This feature is more oriented
to security and user support than system viability. If configured, it provides