AppendixH Cisco Secure ACS Internal Architecture
CSMon
H-8
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Available space on CiscoSecure ACS installation drive
Processor utilization
Physical memory utilization
All events related to generic host system state are categorized as "warning
events".
Application-specific performance
Application viabilityCSMon periodically performs a test login using a
special built-in test account (the default period is one minute). Problems
with this authentication can be used to determine if the ACS service has
been compromised.
Application performance thresholdsCSMon monitors and records the
latency of each test authentication request (the time it takes to receive a
positive response). Each time this is performed, CSMon updates a
variable containing the average response time value. Additionally, it
records whether retries were necessary to achieve a successful response.
By tracking the average time for each test authentication, CSMon can
build up a ���picture of expected response time on the system in question.
CSMon can therefore detect whether excess re-tries are required for each
authentication or if response times for a single authentication exceed a
percentage threshold over the average.
System resource consumption by Cisco Secure ACSCSMon periodically
monitors and records the usage by Cisco Secure ACS of a small set of key
system resources and compares it against predetermined thresholds for
indications of atypical behavior. The parameters monitored include the
following:
Handle counts
Memory utilization
Processor utilization
Thread used
Failed log-on attempts
CSMon cooperates with CSAuth to keep a track of user accounts being disabled
by exceeding their failed attempts count maximum. This feature is more oriented
to security and user support than system viability. If configured, it provides