User Guide for the Cisco Application Networking Manager 2.0
Administering the Cisco Application Networking Manager

Table Of Contents

Administering the Cisco Application Networking Manager

Overview of the Admin Function

Controlling Access to the Cisco ANM

Types of Users

Understanding Roles

Understanding Operations Privileges

Understanding Domains

Understanding Organizations

How ANM Handles Role-Based Access Control

Configuring User Authentication

Guidelines for Managing Organizations

Changing Authentication Server Passwords

Changing the Admin Password

Modifying Organizations

Duplicating an Organization

Displaying Authentication Server Organizations

Deleting Organizations

Managing User Accounts

Guidelines for Managing User Accounts

Displaying a List of Users

Creating User Accounts

Duplicating a User Account

Modifying User Accounts

Deleting User Accounts

Displaying or Terminating Current User Sessions

Managing User Roles

Guidelines for Managing User Roles

Understanding Predefined Roles

Displaying User Role Relationships

Displaying User Roles

Creating User Roles

Duplicating a User Role

Modifying User Roles

Deleting User Roles

Managing Domains

Guidelines for Managing Domains

Displaying Network Domains

Creating a Domain

Duplicating a Domain

Modifying a Domain

Deleting a Domain

Managing ANM

Checking the Status of the ANM Server

Managing ANM Licenses

Understanding ANM License Information

Adding Licenses into License Management

Viewing Licenses in License Management

Checking on License Compliance

Ordering ANM Licenses

Removing Licenses Files

Viewing ANM Server Statistics

Configuring ANM Statistics Collection

Configuring Audit Log Settings

Viewing Change Audit Logs

Configuring Auto Sync Settings

Lifeline Management


Administering the Cisco Application Networking Manager


Revised: 3/12/09

The following topics describe how to administer, maintain, and manage the ANM management system. Previous topics described how to manage your network devices on ANM, while this topic describes how to perform procedures on the system itself.

Overview of the Admin Function

Controlling Access to the Cisco ANM

How ANM Handles Role-Based Access Control

Configuring User Authentication

Managing User Accounts

Displaying or Terminating Current User Sessions

Managing User Roles

Managing Domains

Managing ANM

Lifeline Management

Overview of the Admin Function


Note Some of the Admin options might not be visible to some users; the roles assigned to your login determine which options are available.


Table 15-1 describes the options that are displayed when you click Admin.

Table 15-1 Admin Menu Options

| Menu | Option | Description | Reference |
|---|---|---|---|
| Role-Based Access Control | Organizations | Manage organizations, configure external authentication mechanisms | See Configuring User Authentication |
| | Users | Manage users | See Managing User Accounts |
| | Active Users | Display active users | See Displaying or Terminating Current User Sessions |
| | Roles | Manage user roles | See Managing User Roles |
| | Domains | Manage domains | See Managing Domains |
| ANM Management | ANM | Checks the status of the ANM server. | See Checking the Status of the ANM Server |
| | License Management | Views ANM license state, adds more licenses, and tracks license information on your ACE | See Managing ANM Licenses |
| | Statistics | Displays ACE statistics (for example, CPU, disk, and memory usage). | See Viewing ANM Server Statistics |
| | Statistics Collection | Enables ACE server statistics polling. | See Configuring ANM Statistics Collection |
| Lifeline Management | | Use this tool to report a problem to the Cisco support line and generate a diagnostic package | See Lifeline Management |

Controlling Access to the Cisco ANM

Access to ANM is based on usernames and passwords, which can be authenticated to a local database on the ANM system or to an external RADIUS, Active Directory/Lightweight Directory Access Protocol (AD/LDAPS), or TACACS+ server. For detailed procedures on remote authentication, see the "Configuring Authentication and Accounting Services" chapter of the Cisco ACE 4700 Series Appliance Security Configuration Guide on cisco.com at http://www.cisco.com/en/US/products/ps7027/products_installation_and_configuration_guides_list.html.


Note ANM supports LDAPS only through Active Directory (AD).


When a user logs into the system, the specific tasks they can perform and areas of the system they can use are controlled by organizations, roles, and domains.

An organization is a virtual group of users, their roles, and domains managed by a specific server that provides authentication to its users. Each organization has its own set of users. See Understanding Organizations for information on organizations.

The role assigned to a user defines the tasks a user can perform and the items in the hierarchy that they can see. Roles are either pre-defined or set up by the system administrator. See Understanding Roles for more information.

A domain is a collection of managed objects. When a user is given access to a domain, this acts as a filter for a sub-set of objects on the network which are displayed as a virtual context. The types of objects in the system that are domain controlled are:

Chassis (with VLANs)

Virtual contexts

Building Blocks

Resource classes

Real servers

Virtual servers

Thus, role-based access control ensures that a user or organization can view only the devices or services or perform the actions that are included in the domains to which they have been given access.

Figure 15-1 Role-Based Access Control Containment Overview

The following is an example of RBAC containment.

Organization: Webmasters

Domains: East Coast servers, Central servers, West Coast servers

Role: Web server administrator

Users: User A, User B, User C

Note Each association is one-to-many. Because the organization itself is a collection, it is possible for a role to be used in many organizations.


All other user interfaces, such as configuration and monitoring, respect this role-based access control policy:

Roles limit the screens (or functions on those screens) that a user can see.

Domains limit the objects that are listed on any screen that the roles allow.

Users (other than the system administrator) can only create subdomains of the domains to which they are assigned.

The system administrator user can see and modify all objects. All other users are subject to the role-based access controls illustrated in Figure 15-1.

Related Topics

Types of Users

Understanding Roles

Understanding Operations Privileges

Understanding Domains

Understanding Organizations

Managing User Accounts

Types of Users

Two types of users configure and monitor the ANM system:

Default users—individuals associated with the data center or IT department where the ANM system is installed. The default administrative account (user ID admin) is a system user account that is preconfigured on the system. The default administrative password (admin) is also set on the system. You can change the password for the admin user account in the same manner as any user password (see Managing User Accounts).

System roles are defined by the system administrator when the system is first set up. System roles are specified in terms of resource types and operations privileges. For each system role, the system administrator specifies which resource types a role can work with and what operations a role can perform on each resource type.

Organization users—users who work for the customer of a service provider or AAA server that segments your users and to whom you want to grant access to ANM. Organization users automatically have their access limited to the organization to which they belong.

Related Topics

Configuring User Authentication

Managing User Accounts

Understanding Roles

Roles in the Cisco ANM system are defined by the system administrator. Roles are specified in terms of resource types and operations privileges. For each role, the system administrator specifies which resource types a role can work with and what operations a role can perform on each resource type.

When users are created, they are assigned at least one system role and inherit the operations privileges specified for each of the resource types assigned to that role.

The options a user sees in the menu are filtered according to that user's role. See Table 15-2.

Roles can be applied to both default and organization users. All users are strictly limited by the combination of their operations privileges and user access. For example, a user cannot create another user who has greater privileges or access.

Related Topics

Configuring User Authentication

Managing User Accounts

Managing User Roles

Understanding Operations Privileges

Operations privileges define what users can do in the designated resource types. For example, each command and function on ANM has an assigned privilege. If a user's privileges are not sufficient, the command or function will not be available to them. The following operations privileges can be granted:

No Access—The user has no access to this command or function.


Note If a user is configured with no access to virtual contexts, it means absolutely no access to them. The most a user with this access can do is activate or suspend real servers.


View—Allows the user to view statistics and specify parameter collection and threshold settings. Gives the user read-only or view access to system objects and information.

Modify—Allows the user to change the persistent information associated with system objects, such as an organization record, or configuration.

Debug—Gives the user read-only or view access to system objects and information.

Create—Allows the user to control system objects, for example, creating them, enabling them, or powering up. Also allows the user to control system objects, for example, deleting them, disabling them, or powering down.

Privileges are hierarchical. If a user has Modify privileges, they have View privileges as well. If a user has Create or Debug privileges, they have View privileges as well.


Note The ability to create automatically contains the modify function, but the reverse is not true (a user with modify privileges cannot automatically create items).


Related Topics

How ANM Handles Role-Based Access Control

Managing User Roles

Guidelines for Managing User Roles

Understanding Predefined Roles

Understanding Domains

Domains in the Cisco ANM system are defined by the system administrator. A domain is a collection of managed objects to which a user is given access. By setting up a domain, you are filtering for a subset of objects on the network. The user is then given access to this virtual context.

The rows a user sees in any table are filtered according to the domain to which that user has access.
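
The role, privilege, and domain rules described above, written out as a small Python model. This is an added example, not Cisco code and not how ANM is implemented; the class and function names, the sample users, and the ctx-* object names are constructed, and gating user creation on a Create privilege for the ANM User Access task is an assumption drawn from the Org-Admin entry in Table 15-2.

```python
from dataclasses import dataclass
from enum import Enum


class Priv(Enum):
    NO_ACCESS = "No Access"
    VIEW = "View"
    MODIFY = "Modify"
    DEBUG = "Debug"
    CREATE = "Create"


# Privileges carried by each grant, following the hierarchy in the text:
# Modify includes View; Create includes Modify (and so View); Debug includes
# View. Modify does not include Create.
IMPLIED = {
    Priv.NO_ACCESS: frozenset(),
    Priv.VIEW: frozenset({Priv.VIEW}),
    Priv.MODIFY: frozenset({Priv.VIEW, Priv.MODIFY}),
    Priv.DEBUG: frozenset({Priv.VIEW, Priv.DEBUG}),
    Priv.CREATE: frozenset({Priv.VIEW, Priv.MODIFY, Priv.CREATE}),
}


@dataclass
class Role:
    name: str
    grants: dict  # resource type -> Priv


@dataclass
class Domain:
    name: str
    objects: frozenset  # names of managed objects in this domain


@dataclass
class User:
    name: str
    roles: tuple
    domains: tuple


def effective(user, resource_type):
    """Union of what the user's roles allow on one resource type."""
    allowed = set()
    for role in user.roles:
        allowed |= IMPLIED[role.grants.get(resource_type, Priv.NO_ACCESS)]
    return allowed


def reachable(user):
    """All managed objects in the domains assigned to the user."""
    return frozenset().union(*(d.objects for d in user.domains))


def can(user, needed, resource_type, obj):
    """Role gate (is the function available?) then domain gate (is the object listed?)."""
    return needed in effective(user, resource_type) and obj in reachable(user)


def visible_rows(user, resource_type, rows):
    """Table rows the user sees: requires View, then filtered by domain."""
    if Priv.VIEW not in effective(user, resource_type):
        return []
    return [r for r in rows if r in reachable(user)]


def may_create_user(creator, new_user, resource_types):
    """A user cannot create another user with greater privileges or access."""
    if Priv.CREATE not in effective(creator, "ANM User Access"):  # assumed gate
        return False
    if not reachable(new_user) <= reachable(creator):
        return False
    return all(effective(new_user, rt) <= effective(creator, rt)
               for rt in resource_types)


def may_create_subdomain(user, objects):
    """Non-admin users can only create subdomains of a domain assigned to them."""
    return any(frozenset(objects) <= d.objects for d in user.domains)


# Constructed sample data, loosely following the Webmasters example.
EAST = Domain("East Coast servers", frozenset({"ctx-east-1", "ctx-east-2"}))
WEST = Domain("West Coast servers", frozenset({"ctx-west-1"}))
RESOURCE_TYPES = ("Virtual Contexts", "ANM User Access")

org_admin = User("User A", (Role("delegating admin", {
    "ANM User Access": Priv.CREATE, "Virtual Contexts": Priv.MODIFY}),), (EAST,))
web_admin = User("User B", (Role("Web server administrator", {
    "Virtual Contexts": Priv.VIEW}),), (EAST,))
too_strong = User("User C", (Role("builder", {
    "Virtual Contexts": Priv.CREATE}),), (EAST,))
too_wide = User("User D", web_admin.roles, (EAST, WEST))

if __name__ == "__main__":
    for candidate in (web_admin, too_strong, too_wide):
        ok = may_create_user(org_admin, candidate, RESOURCE_TYPES)
        print(f"{org_admin.name} may create {candidate.name}: {ok}")
```

The model checks delegation per resource type and per object, so a candidate account fails if either its privileges or its domains exceed the creator's.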

Understanding Organizations

An organization allows you to configure AAA server lookup for your users or set up users who work for a service provider customer. Organizations in the Cisco ANM system are defined by the system administrator.

When you use an ACE device as a AAA server, you may want to segment them for customer, business, or security reasons. If you use more than one authentication server, then you can use organizations to configure them to authenticate your users.

For example, if your company has four servers, one each for local, RADIUS, TACACS+, and LDAP authentication, then organizations could reflect that. The Default organization in ANM is set up to act as the local server.

ANM supports different device types that have unique ways of configuring authentication access (which helps with future device support). ANM can configure which users are authenticated by which authentication servers, but does not act as a AAA server itself, since this would conflict with its role as an RBAC administrator. This allows for the separation of authority that is needed to perform RBAC successfully.

How ANM Handles Role-Based Access Control

This section describes how and why a system administrator might want to use the ANM role-based access control (RBAC) features.

ANM supports two distinct, but related RBAC capabilities:

1. ANM RBAC: the RBAC that ANM itself implements in its role as overseer of the system and network devices.

2. Device RBAC: the RBAC that the device enforces.

Understanding ANM RBAC

ANM is a central place where you can globally set the RBAC for users, roles, and domains (as well as for virtual contexts or device types using device RBAC).

As a system administrator, you may need to delegate authority so that other administrators can perform specific tasks on specific devices, such as activating, suspending, and monitoring traffic flow to specific real servers, while disabling any other capabilities. The ANM interface enables you to accomplish this delegation with more control. For a description of how the roles map to the functions, see Table 15-2.

Understanding Device RBAC

ANM's device RBAC allows you to set up device permission levels of a more granular nature. You no longer have to provide "all-or-nothing" role-based access to devices and device modules. Without ANM, some devices may be open to users who can perform every task on that device or module, regardless of their authorization, due to permission level requirements on modules and/or switches. ANM provides a central place to grant special access to users you specify. Device users, roles, and domain data are not part of, nor can they be used by, ANM. Device RBAC is only for CLI access directly to the context.

For example, there may be a small number of users that need level 3 access when direct troubleshooting of ACE hardware is required. You can set up these users with or without ANM, but ANM centralizes the capability to do so. You might configure a network engineer with a special role, for example either ACE-Admin or Network-Admin, to provide the level 3 access. ANM accesses the ACE as a level 15 user and an admin supervisor and uses the RBAC to determine the level of access (to device types, segments, elements, subelements, and so on).

Some Cisco devices have the ability to configure RBAC directly on the device, for example the ACE. An example of a device that does not have the capability to have its own RBAC is the CSS or a CSM.

When you configure remote authentication (AAA, RADIUS, LDAP, or TACACS+) for the ACE via ANM, users no longer have to log out to access their device via Telnet. When you manually log into a CSS, the CSS performs user authentication in a Telnet session. Telnet does not provide any domain enforcement, so it is less secure.

If you are an admin using a CSS module outside of the ANM program, then you might have permission to do anything on this switch. If you are using ANM, you can set up better authorization for your administrators for specific devices. Better authorization controls are one of the advantages of using the ANM versus using only the CLI on the ACE hardware. You can now configure separate access for one function for this user in this domain only. ANM allows this high level of granularity and with it, more control over who does what to your devices.

You can access device RBAC using Config > Devices or Config > Global > All Building Blocks.


Note When configuring device RBAC via Config > Devices, a message displays reminding you that you are configuring RBAC outside of ANM for direct access. Be aware that this may contradict your ANM settings.


For more information on centralizing direct access to devices through RBAC on individual devices, see Configuring Device Role-Based Access Controls, page 2-40.

Case Example

In this example, a CSM device must have level 15 access, which by default makes the admin a supervisor on everything in the switch (and everything in the module). Another way of looking at this is providing read-only access to everything or configuration access to everything.

ACE hardware can be configured on a virtual context to perform that task on a subset domain for every individual module, on every context, but this type of configuration must be configured individually.

A system administrator might need to configure a network admin to manage two CSM modules, one out of six virtual contexts, and all East Coast web servers. With ANM, the admin could create one configuration set that includes a user account with a Network-Admin role and a domain that includes these objects. ANM then becomes the security window through which this user passes to get to their destination for that domain and for that virtual context.

If there were six users, nine domains, and three virtual contexts, 54 entries would be required in a AAA server and ACE module. In ANM, one entry is completed for each of the six users.

Table 15-2 Role Mapping in ANM

Columns: Role, Tasks/Permissions, Resulting Menus Available

ACE-Admin Predefined Role

Threshold/View

Monitor / Alarm Notifications / Alarms

Monitor / Alarm Notifications / Threshold Groups

Monitor / Alarm Notifications / Threshold Groups / Edit

Monitor / Settings / SMTP Configuration

Device Events/Create

Monitor / Events / Events

Virtual Contexts/Create

Config / Deploy

Config / Deploy / Deploy Now

Config / Deploy / Edit

Config / Devices / Device RBAC / Domains

Config / Devices / Device RBAC / Roles

Config / Devices / Device RBAC / Users

Config / Devices / Expert / Action List

Config / Devices / Expert / Building Block Audit

Config / Devices / Expert / Class Map

Config / Devices / Expert / Policy Map

Config / Devices / HA Tracking and Failure Detection / Hosts

Config / Devices / HA Tracking and Failure Detection / HSRP Groups

Config / Devices / HA Tracking and Failure Detection / Interfaces

Config / Devices / High Availability (HA) / Setup

Config / Devices / Load Balancing / Health Monitoring

Config / Devices / Load Balancing / Parameter Maps / Connection Parameter Map

Config / Devices / Load Balancing / Parameter Maps / Generic Parameter Map

Config / Devices / Load Balancing / Parameter Maps / HTTP Parameter Map

Config / Devices / Load Balancing / Parameter Maps / Optimization Parameter Map

Config / Devices / Load Balancing / Parameter Maps / RTSP Parameter Map

Config / Devices / Load Balancing / Parameter Maps / SIP Parameter Map

Config / Devices / Load Balancing / Parameter Maps / Skinny Parameter Map

Config / Devices / Load Balancing / Real Servers

Config / Devices / Load Balancing / Server Farms

Config / Devices / Load Balancing / Stickiness

Config / Devices / Load Balancing / Virtual Servers

Config / Devices / Load Balancing / Virtual Servers / Add

Config / Devices / Load Balancing / Virtual Servers / Edit

Config / Devices / Network / BVI Interfaces

Config / Devices / Network / GigabitEthernet Interfaces

Config / Devices / Network / Global IP DHCP

Config / Devices / Network / Port Channel Interfaces

Config / Devices / Network / Static Routes

Config / Devices / Network / Static VLAN

Config / Devices / Network / VLAN Interfaces

Config / Devices / Security / ACLs

Config / Devices / Security / Object Groups

Config / Devices / SSL / Auth Group Parameters

Config / Devices / SSL / Certificate Revocation List

Config / Devices / SSL / Certificates

Config / Devices / SSL / Chain Group Parameters

Config / Devices / SSL / CSR Parameters

Config / Devices / SSL / Keys

Config / Devices / SSL / Parameter Map

Config / Devices / SSL / Proxy Service

Config / Devices / System / Application Acceleration and Optimization

Config / Devices / System / Global Policy

Config / Devices / System / Licenses

Config / Devices / System / Primary Attributes

Config / Devices / System / Resource Classes

Config / Devices / System / Resource Classes / Add

Config / Devices / System / Resource Classes / Edit

Config / Devices / System / SNMP

Config / Devices / System / Syslog

Config / Devices / Virtual Context Management

Config / Devices / Virtual Context Management / Add

Config / Devices / Virtual Context Management / Edit

Config / Devices / Virtual Context Management / Extract building block

Config / Devices / Virtual Context Management / Restart Polling

Config / Devices / Virtual Context Management / Sync

Config / Global / Building Blocks

Config / Global / Building Blocks / Add

Config / Global / Building Blocks / Tag

Config / Global / Expert / Action List

Config / Global / Expert / Class Map

Config / Global / Expert / Policy Map

Config / Global / Load Balancing / Health Monitoring

Config / Global / Load Balancing / Parameter Maps / Connection Parameter Map

Config / Global / Load Balancing / Parameter Maps / Generic Parameter Map

Config / Global / Load Balancing / Parameter Maps / HTTP Parameter Map

Config / Global / Load Balancing / Parameter Maps / Optimization Parameter Map

Config / Global / Load Balancing / Parameter Maps / RTSP Parameter Map

Config / Global / Load Balancing / Parameter Maps / SIP Parameter Map

Config / Global / Load Balancing / Parameter Maps / Skinny Parameter Map

Config / Global / Load Balancing / Real Servers

Config / Global / Load Balancing / Server Farms

Config / Global / Load Balancing / Stickiness

Config / Global / Network / BVI Interfaces

Config / Global / Network / Global IP DHCP

Config / Global / Network / Static Routes

Config / Global / Network / Static VLAN

Config / Global / Network / VLAN Interfaces

Config / Global / Resource Classes

Config / Global / Resource Classes / Add

Config / Global / Resource Classes / Audit

Config / Global / Resource Classes / Edit

Config / Global / Role-Based Access Control / Domains

Config / Global / Role-Based Access Control / Roles

Config / Global / Role-Based Access Control / Users

Config / Global / Security / ACLs

Config / Global / Security / Object Groups

Config / Global / SSL / Auth Group Parameters

Config / Global / SSL / Certificate Revocation List

Config / Global / SSL / CSR Parameters

Config / Global / SSL / Keys

Config / Global / SSL / Parameter Map

Config / Global / System / Global Policy

Config / Global / System / Primary Attributes

Config / Global / System / SNMP

Config / Global / System / Syslog

Config / Operations / Real Servers

Config / Operations / Virtual Servers

Config / Operations / Virtual Servers / Activate

Config / Operations / Virtual Servers / Details

Config / Operations / Virtual Servers / Suspend

Monitor / Devices / Application Acceleration

Monitor / Devices / Load Balancing

Monitor / Devices / Load Balancing / Statistics

Monitor / Devices / Load Balancing / Virtual Servers

Monitor / Devices / Polling Settings

Monitor / Devices / Resource Usage

Monitor / Devices / Resource Usage

Monitor / Devices / Resource Usage / Connections

Monitor / Devices / Resource Usage / Features

Monitor / Devices / System View

Monitor / Devices / Traffic Summary

Monitor / Devices / Virtual Context Management

Monitor / Devices / Virtual Servers

Monitor / Events / Virtual Context Management

Monitor / Tools / Ping

Change Password

Copy License

Export

Generate CSR

Import

Install

Resequence

Status

Uninstall

Update

ANM-Admin Predefined Role

All Options

All menus (ANM System, ANM User Access, and ANM Inventory)

Network-Admin Predefined Role

Threshold/View

Monitor / Alarm Notifications / Alarms

Monitor / Alarm Notifications / Threshold Groups

Monitor / Alarm Notifications / Threshold Groups / Edit

Monitor / Settings / SMTP Configuration

Switch/Create

Config / Devices / Device Management / Change Password

Config / Devices / Device Management / Edit

Config / Devices / Device Management / Sync

Config / Devices / Interfaces / Access Ports

Config / Devices / Interfaces / Routed Ports

Config / Devices / Interfaces / Summary

Config / Devices / Interfaces / Switched Virtual Interfaces

Config / Devices / Interfaces / Trunk Ports

Config / Devices / System / Primary Attributes

Config / Devices / System / Static Routes

Config / Devices / VLANs / Groups

Config / Devices / VLANs / Layer 2

Config / Devices / VLANs / Layer 2 / Add

Config / Devices / VLANs / Layer 2 / Edit

Config / Devices / VLANs / Layer 3

Config / Devices / VLANs / Layer 3 / Add

Config / Devices / VLANs / Layer 3 / Edit

Config / Devices / VLANs / Summary

Monitor / Events / Modules

Routing/Create

Config / Devices / Network / GigabitEthernet Interfaces

Config / Devices / Network / Global IP DHCP

Config / Devices / Network / Port Channel Interfaces

Config / Devices / Network / Static Routes

Config / Devices / Network / Static VLAN

Interface/Create

Config / Devices / Network / BVI Interfaces

Config / Devices / Network / VLAN Interfaces

Monitor / Devices / Traffic Summary

Monitor / Tools / Ping

NAT/Create

No specific menus

Connection/Create

Config / Devices / Load Balancing / Parameter Maps / Connection Parameter Map

Config / Devices / Load Balancing / Parameter Maps / Generic Parameter Map

Config / Devices / Load Balancing / Parameter Maps / HTTP Parameter Map

Config / Devices / Load Balancing / Parameter Maps / Optimization Parameter Map

Config / Devices / Load Balancing / Parameter Maps / RTSP Parameter Map

Config / Devices / Load Balancing / Parameter Maps / SIP Parameter Map

Config / Devices / Load Balancing / Parameter Maps / Skinny Parameter Map

Network-Monitor Predefined Role

Inventory (which includes Threshold, UDG, Device Events, Switch, and all Virtual Context tasks)/View

Config / Deploy

Config / Deploy / Edit

Config / Devices / Device Management

Config / Devices / Device Management / Edit

Config / Devices / Device Management / Modules

Config / Devices / Device RBAC / Domains

Config / Devices / Device RBAC / Roles

Config / Devices / Device RBAC / Users

Config / Devices / Expert / Action List

Config / Devices / Expert / Action List

Config / Devices / Expert / Building Block Audit

Config / Devices / Expert / Class Map

Config / Devices / Expert / Policy Map

Config / Devices / Groups

Config / Devices / Groups / Edit

Config / Devices / HA Tracking and Failure Detection / Hosts

Config / Devices / HA Tracking and Failure Detection / HSRP Groups

Config / Devices / HA Tracking and Failure Detection / Interfaces

Config / Devices / High Availability (HA) / Setup

Config / Devices / Interfaces / Access Ports

Config / Devices / Interfaces / Routed Ports

Config / Devices / Interfaces / Summary

Config / Devices / Interfaces / Switched Virtual Interfaces

Config / Devices / Interfaces / Trunk Ports

Config / Devices / Load Balancing / Health Monitoring

Config / Devices / Load Balancing / Parameter Maps / Connection Parameter Map

Config / Devices / Load Balancing / Parameter Maps / Generic Parameter Map

Config / Devices / Load Balancing / Parameter Maps / HTTP Parameter Map

Config / Devices / Load Balancing / Parameter Maps / Optimization Parameter Map

Config / Devices / Load Balancing / Parameter Maps / RTSP Parameter Map

Config / Devices / Load Balancing / Parameter Maps / SIP Parameter Map

Config / Devices / Load Balancing / Parameter Maps / Skinny Parameter Map

Config / Devices / Load Balancing / Real Servers

Config / Devices / Load Balancing / Server Farms

Config / Devices / Load Balancing / Stickiness

Config / Devices / Load Balancing / Virtual Servers

Config / Devices / Load Balancing / Virtual Servers / Edit

Config / Devices / Network / BVI Interfaces

Config / Devices / Network / GigabitEthernet Interfaces

Config / Devices / Network / Global IP DHCP

Config / Devices / Network / Port Channel Interfaces

Config / Devices / Network / Static Routes

Config / Devices / Network / Static VLAN

Config / Devices / Network / VLAN Interfaces

Config / Devices / Security / ACLs

Config / Devices / Security / Object Groups

Config / Devices / SSL / Auth Group Parameters

Config / Devices / SSL / Certificate Revocation List

Config / Devices / SSL / Certificates

Config / Devices / SSL / Chain Group Parameters

Config / Devices / SSL / CSR Parameters

Config / Devices / SSL / Keys

Config / Devices / SSL / Parameter Map

Config / Devices / SSL / Proxy Service

Config / Devices / System / Application Acceleration and Optimization

Config / Devices / System / Global Policy

Config / Devices / System / Licenses

Config / Devices / System / Primary Attributes

Config / Devices / System / Primary Attributes

Config / Devices / System / Resource Classes

Config / Devices / System / Resource Classes / Edit

Config / Devices / System / SNMP

Config / Devices / System / Static Routes

Config / Devices / System / Syslog

Config / Devices / Virtual Context Management

Config / Devices / Virtual Context Management / Edit

Config / Devices / VLANs / Groups

Config / Devices / VLANs / Layer 2

Config / Devices / VLANs / Layer 2 / Edit

Config / Devices / VLANs / Layer 3

Config / Devices / VLANs / Layer 3 / Edit

Config / Devices / VLANs / Summary

Config / Global / Building Blocks

Config / Global / Expert / Action List

Config / Global / Expert / Class Map

Config / Global / Expert / Policy Map

Config / Global / Load Balancing / Health Monitoring

Config / Global / Load Balancing / Parameter Maps / Connection Parameter Map

Config / Global / Load Balancing / Parameter Maps / Generic Parameter Map

Config / Global / Load Balancing / Parameter Maps / HTTP Parameter Map

Config / Global / Load Balancing / Parameter Maps / Optimization Parameter Map

Config / Global / Load Balancing / Parameter Maps / RTSP Parameter Map

Config / Global / Load Balancing / Parameter Maps / SIP Parameter Map

Config / Global / Load Balancing / Parameter Maps / Skinny Parameter Map

Config / Global / Load Balancing / Real Servers

Config / Global / Load Balancing / Server Farms

Config / Global / Load Balancing / Stickiness

Config / Global / Network / BVI Interfaces

Config / Global / Network / Global IP DHCP

Config / Global / Network / Static Routes

Config / Global / Network / Static VLAN

Config / Global / Network / VLAN Interfaces

Config / Global / Resource Classes

Config / Global / Resource Classes / Audit

Config / Global / Resource Classes / Edit

Config / Global / Role-Based Access Control / Domains

Config / Global / Role-Based Access Control / Roles

Config / Global / Role-Based Access Control / Users

Config / Global / Security / ACLs

Config / Global / Security / Object Groups

Config / Global / SSL / Auth Group Parameters

Config / Global / SSL / Certificate Revocation List

Config / Global / SSL / CSR Parameters

Config / Global / SSL / Keys

Config / Global / SSL / Parameter Map

Config / Global / System / Global Policy

Config / Global / System / Primary Attributes

Config / Global / System / SNMP

Config / Global / System / Syslog

Config / Operations / Real Servers

Config / Operations / Virtual Servers

Config / Operations / Virtual Servers / Details

Config / Tools / Credential Pool Management

Config / Tools / IP Discovery

Monitor / Alarm Notifications / Alarms

Monitor / Alarm Notifications / Threshold Groups

Monitor / Alarm Notifications / Threshold Groups / Edit

Monitor / Devices / Application Acceleration

Monitor / Devices / Device Management

Monitor / Devices / Load Balancing

Monitor / Devices / Load Balancing / Statistics

Monitor / Devices / Load Balancing / Statistics

Monitor / Devices / Load Balancing / Virtual Servers

Monitor / Devices / Polling Settings

Monitor / Devices / Resource Usage

Monitor / Devices / Resource Usage

Monitor / Devices / Resource Usage / Connections

Monitor / Devices / Resource Usage / Features

Monitor / Devices / System View

Monitor / Devices / Traffic Summary

Monitor / Devices / Virtual Context Management

Monitor / Devices / Virtual Servers

Monitor / Events / Events

Monitor / Events / Modules

Monitor / Events / Virtual Context Management

Monitor / Settings / Global Polling Configuration

Monitor / Settings / SMTP Configuration

Monitor / Tools / Ping

Export

Status

Org-Admin Predefined Role

ANM User Access/Create

Admin / Role-Based Access Control / Domains

Admin / Role-Based Access Control / Domains / Add

Admin / Role-Based Access Control / Domains / Edit

Admin / Role-Based Access Control / Roles

Admin / Role-Based Access Control / Roles / Add

Admin / Role-Based Access Control / Roles / Edit

Admin / Role-Based Access Control / Roles / Users

Admin / Role-Based Access Control / Users

Admin / Role-Based Access Control / Users / Add

Admin / Role-Based Access Control / Users / Edit

ANM Inventory/Create

Config / Deploy

Config / Deploy / Deploy Now

Config / Deploy / Edit

Config / Devices / Device Management

Config / Devices / Device Management / Add

Config / Devices / Device Management / Change Password

Config / Devices / Device Management / Edit

Config / Devices / Device Management / Modules

Config / Devices / Device Management / Modules / Sync

Config / Devices / Device Management / Restart Polling

Config / Devices / Device Management / Sync

Config / Devices / Device RBAC / Domains

Config / Devices / Device RBAC / Roles

Config / Devices / Device RBAC / Users

Config / Devices / Expert / Action List

Config / Devices / Expert / Building Block Audit

Config / Devices / Expert / Class Map

Config / Devices / Expert / Policy Map

Config / Devices / Groups

Config / Devices / Groups / Add

Config / Devices / Groups / Edit

Config / Devices / HA Tracking and Failure Detection / Hosts

Config / Devices / HA Tracking and Failure Detection / HSRP Groups

Config / Devices / HA Tracking and Failure Detection / Interfaces

Config / Devices / High Availability (HA) / Setup

Config / Devices / Interfaces / Access Ports

Config / Devices / Interfaces / Routed Ports

Config / Devices / Interfaces / Summary

Config / Devices / Interfaces / Switched Virtual Interfaces

Config / Devices / Interfaces / Trunk Ports

Config / Devices / Load Balancing / Health Monitoring

Config / Devices / Load Balancing / Parameter Maps / Connection Parameter Map

Config / Devices / Load Balancing / Parameter Maps / Generic Parameter Map

Config / Devices / Load Balancing / Parameter Maps / HTTP Parameter Map

Config / Devices / Load Balancing / Parameter Maps / Optimization Parameter Map

Config / Devices / Load Balancing / Parameter Maps / RTSP Parameter Map

Config / Devices / Load Balancing / Parameter Maps / SIP Parameter Map

Config / Devices / Load Balancing / Parameter Maps / Skinny Parameter Map

Config / Devices / Load Balancing / Real Servers

Config / Devices / Load Balancing / Server Farms

Config / Devices / Load Balancing / Stickiness

Config / Devices / Load Balancing / Virtual Servers

Config / Devices / Load Balancing / Virtual Servers / Add

Config / Devices / Load Balancing / Virtual Servers / Edit

Config / Devices / Network / BVI Interfaces

Config / Devices / Network / GigabitEthernet Interfaces

Config / Devices / Network / Global IP DHCP

Config / Devices / Network / Port Channel Interfaces

Config / Devices / Network / Static Routes

Config / Devices / Network / Static VLAN

Config / Devices / Network / VLAN Interfaces

Config / Devices / Security / ACLs

Config / Devices / Security / Object Groups

Config / Devices / SSL / Auth Group Parameters

Config / Devices / SSL / Certificate Revocation List

Config / Devices / SSL / Certificates

Config / Devices / SSL / Chain Group Parameters

Config / Devices / SSL / CSR Parameters

Config / Devices / SSL / Keys

Config / Devices / SSL / Parameter Map

Config / Devices / SSL / Proxy Service

Config / Devices / System / Application Acceleration and Optimization

Config / Devices / System / Global Policy

Config / Devices / System / Licenses

Config / Devices / System / Primary Attributes

Config / Devices / System / Primary Attributes

Config / Devices / System / Resource Classes

Config / Devices / System / Resource Classes / Add

Config / Devices / System / Resource Classes / Edit

Config / Devices / System / SNMP

Config / Devices / System / Static Routes

Config / Devices / System / Syslog

Config / Devices / Virtual Context Management

Config / Devices / Virtual Context Management / Add

Config / Devices / Virtual Context Management / Edit

Config / Devices / Virtual Context Management / Extract building block

Config / Devices / Virtual Context Management / Restart Polling

Config / Devices / Virtual Context Management / Sync

Config / Devices / VLANs / Groups

Config / Devices / VLANs / Layer 2

Config / Devices / VLANs / Layer 2 / Add

Config / Devices / VLANs / Layer 2 / Edit

Config / Devices / VLANs / Layer 3

Config / Devices / VLANs / Layer 3 / Add

Config / Devices / VLANs / Layer 3 / Edit

Config / Devices / VLANs / Summary

Config / Global / Building Blocks

Config / Global / Building Blocks / Add

Config / Global / Building Blocks / Tag

Config / Global / Expert / Action List

Config / Global / Expert / Action List

Config / Global / Expert / Class Map

Config / Global / Expert / Policy Map

Config / Global / Load Balancing / Health Monitoring

Config / Global / Load Balancing / Parameter Maps / Connection Parameter Map

Config / Global / Load Balancing / Parameter Maps / Generic Parameter Map

Config / Global / Load Balancing / Parameter Maps / HTTP Parameter Map

Config / Global / Load Balancing / Parameter Maps / Optimization Parameter Map

Config / Global / Load Balancing / Parameter Maps / RTSP Parameter Map

Config / Global / Load Balancing / Parameter Maps / SIP Parameter Map

Config / Global / Load Balancing / Parameter Maps / Skinny Parameter Map

Config / Global / Load Balancing / Real Servers

Config / Global / Load Balancing / Server Farms

Config / Global / Load Balancing / Stickiness

Config / Global / Network / BVI Interfaces

Config / Global / Network / Global IP DHCP

Config / Global / Network / Static Routes

Config / Global / Network / Static VLAN

Config / Global / Network / VLAN Interfaces

Config / Global / Resource Classes

Config / Global / Resource Classes / Add

Config / Global / Resource Classes / Audit

Config / Global / Resource Classes / Edit

Config / Global / Role-Based Access Control / Domains

Config / Global / Role-Based Access Control / Roles

Config / Global / Role-Based Access Control / Users

Config / Global / Security / ACLs

Config / Global / Security / Object Groups

Config / Global / SSL / Auth Group Parameters

Config / Global / SSL / Certificate Revocation List

Config / Global / SSL / CSR Parameters

Config / Global / SSL / Keys

Config / Global / SSL / Parameter Map

Config / Global / System / Global Policy

Config / Global / System / Primary Attributes

Config / Global / System / SNMP

Config / Global / System / Syslog

Config / Operations / Real Servers

Config / Operations / Virtual Servers

Config / Operations / Virtual Servers / Activate

Config / Operations / Virtual Servers / Details

Config / Operations / Virtual Servers / Suspend

Config / Tools / Credential Pool Management

Config / Tools / IP Discovery

Monitor / Alarm Notifications / Alarms

Monitor / Alarm Notifications / Threshold Groups

Monitor / Alarm Notifications / Threshold Groups / Add

Monitor / Alarm Notifications / Threshold Groups / Edit

Monitor / Devices / Application Acceleration

Monitor / Devices / Device Management

Monitor / Devices / Load Balancing

Monitor / Devices / Load Balancing / Statistics

Monitor / Devices / Load Balancing / Virtual Servers

Monitor / Devices / Polling Settings

Monitor / Devices / Resource Usage

Monitor / Devices / Resource Usage / Connections

Monitor / Devices / Resource Usage / Features

Monitor / Devices / System View

Monitor / Devices / Traffic Summary

Monitor / Devices / Virtual Context Management

Monitor / Devices / Virtual Servers

Monitor / Events / Events

Monitor / Events / Modules

Monitor / Events / Virtual Context Management

Monitor / Settings / Global Polling Configuration

Monitor / Settings / SMTP Configuration

Monitor / Tools / Ping

Change Password

Copy License

Export

Generate CSR

Import

Install

Resequence

Status

Uninstall

Update

Security-Admin Predefined Role

AAA/Create

No specific menu items

Access List/

Config / Devices / Security / ACLs

Config / Devices / Security / Object Groups

Resequence

Interface/Modify

Config / Devices / Network / BVI Interfaces

Config / Devices / Network / VLAN Interfaces

Monitor / Devices / Traffic Summary

Monitor / Tools / Ping

NAT/Create

No specific menu items

Inspect/Create

No specific menu items

Connection/Create

Config / Devices / Load Balancing / Parameter Maps / Connection Parameter Map

Config / Devices / Load Balancing / Parameter Maps / Generic Parameter Map

Config / Devices / Load Balancing / Parameter Maps / HTTP Parameter Map

Config / Devices / Load Balancing / Parameter Maps / Optimization Parameter Map

Config / Devices / Load Balancing / Parameter Maps / RTSP Parameter Map

Config / Devices / Load Balancing / Parameter Maps / SIP Parameter Map

Config / Devices / Load Balancing / Parameter Maps / Skinny Parameter Map

Server-Appln Maintenance Predefined Role

Threshold/View

Monitor / Alarm Notifications / Alarms

Monitor / Alarm Notifications / Threshold Groups

Monitor / Alarm Notifications / Threshold Groups / Edit

Monitor / Settings / SMTP Configuration

VIP/View

Config / Deploy

Config / Deploy / Edit

Config / Devices / Load Balancing / Health Monitoring

Config / Devices / Load Balancing / Real Servers

Config / Devices / Load Balancing / Server Farms

Config / Devices / Load Balancing / Stickiness

Config / Devices / Load Balancing / Virtual Servers

Config / Devices / Load Balancing / Virtual Servers / Edit

Config / Operations / Real Servers

Config / Operations / Virtual Servers

Config / Operations / Virtual Servers / Details

Monitor / Devices / Load Balancing

Monitor / Devices / Load Balancing / Statistics

Monitor / Devices / Load Balancing / Virtual Servers

Monitor / Devices / Virtual Servers

Server-Maintenance Predefined Role

Threshold/View

Monitor / Alarm Notifications / Alarms

Monitor / Alarm Notifications / Threshold Groups

Monitor / Alarm Notifications / Threshold Groups / Edit

Monitor / Settings / SMTP Configuration

VIP/View

Config / Deploy

Config / Deploy / Edit

Config / Devices / Load Balancing / Health Monitoring

Config / Devices / Load Balancing / Real Servers

Config / Devices / Load Balancing / Server Farms

Config / Devices / Load Balancing / Stickiness

Config / Devices / Load Balancing / Virtual Servers

Config / Devices / Load Balancing / Virtual Servers / Edit

Config / Operations / Real Servers

Config / Operations / Virtual Servers

Config / Operations / Virtual Servers / Details

Monitor / Devices / Load Balancing

Monitor / Devices / Load Balancing / Statistics

Monitor / Devices / Load Balancing / Virtual Servers

Monitor / Devices / Virtual Servers

SLB-Admin Predefined Role

Threshold/View

Monitor / Alarm Notifications / Alarms

Monitor / Alarm Notifications / Threshold Groups

Monitor / Alarm Notifications / Threshold Groups / Edit

Monitor / Settings / SMTP Configuration

Building Block/Create

Config / Global / Building Blocks

Config / Global / Building Blocks / Add

Config / Global / Building Blocks / Tag

Config / Global / Expert / Action List

Config / Global / Expert / Action List

Config / Global / Expert / Class Map

Config / Global / Expert / Policy Map

Config / Global / Load Balancing / Health Monitoring

Config / Global / Load Balancing / Parameter Maps / Connection Parameter Map

Config / Global / Load Balancing / Parameter Maps / Generic Parameter Map

Config / Global / Load Balancing / Parameter Maps / HTTP Parameter Map

Config / Global / Load Balancing / Parameter Maps / Optimization Parameter Map

Config / Global / Load Balancing / Parameter Maps / RTSP Parameter Map

Config / Global / Load Balancing / Parameter Maps / SIP Parameter Map

Config / Global / Load Balancing / Parameter Maps / Skinny Parameter Map

Config / Global / Load Balancing / Real Servers

Config / Global / Load Balancing / Server Farms

Config / Global / Load Balancing / Stickiness

Config / Global / Network / BVI Interfaces

Config / Global / Network / Global IP DHCP

Config / Global / Network / Static Routes

Config / Global / Network / Static VLAN

Config / Global / Network / VLAN Interfaces

Config / Global / Role-Based Access Control / Domains

Config / Global / Role-Based Access Control / Roles

Config / Global / Role-Based Access Control / Users

Config / Global / Security / ACLs

Config / Global / Security / Object Groups

Config / Global / SSL / Auth Group Parameters

Config / Global / SSL / Certificate Revocation List

Config / Global / SSL / CSR Parameters

Config / Global / SSL / Keys

Config / Global / SSL / Parameter Map

Config / Global / System / Global Policy

Config / Global / System / Primary Attributes

Config / Global / System / SNMP

Config / Global / System / Syslog

Interface/Modify

Config / Devices / Network / BVI Interfaces

Config / Devices / Network / VLAN Interfaces

Monitor / Devices / Traffic Summary

Monitor / Tools / Ping

Expert/Create

Config / Deploy

Config / Deploy / Deploy Now

Config / Deploy / Edit

Config / Devices / Expert / Action List

Config / Devices / Expert / Action List

Config / Devices / Expert / Class Map

Config / Devices / Expert / Policy Map

Config / Devices / Load Balancing / Health Monitoring

Config / Devices / Load Balancing / Parameter Maps / Connection Parameter Map

Config / Devices / Load Balancing / Parameter Maps / Generic Parameter Map

Config / Devices / Load Balancing / Parameter Maps / HTTP Parameter Map

Config / Devices / Load Balancing / Parameter Maps / Optimization Parameter Map

Config / Devices / Load Balancing / Parameter Maps / RTSP Parameter Map

Config / Devices / Load Balancing / Parameter Maps / SIP Parameter Map

Config / Devices / Load Balancing / Parameter Maps / Skinny Parameter Map

Config / Devices / Load Balancing / Real Servers

Config / Devices / Load Balancing / Server Farms

Config / Devices / Load Balancing / Stickiness

Config / Devices / Load Balancing / Virtual Servers

Config / Devices / Load Balancing / Virtual Servers / Add

Config / Devices / Load Balancing / Virtual Servers / Edit

Config / Operations / Real Servers

Config / Operations / Virtual Servers

Config / Operations / Virtual Servers / Activate

Config / Operations / Virtual Servers / Details

Config / Operations / Virtual Servers / Suspend

Monitor / Devices / Load Balancing

Monitor / Devices / Load Balancing / Statistics

Monitor / Devices / Load Balancing / Statistics

Monitor / Devices / Load Balancing / Virtual Servers

Monitor / Devices / Virtual Servers

SSL-Admin

SSL/Create

Config / Devices / SSL / Auth Group Parameters

Config / Devices / SSL / Certificate Revocation List

Config / Devices / SSL / Certificates

Config / Devices / SSL / Chain Group Parameters

Config / Devices / SSL / CSR Parameters

Config / Devices / SSL / Keys

Config / Devices / SSL / Parameter Map

Config / Devices / SSL / Proxy Service

Export

Generate CSR

Import


Configuring User Authentication

In ANM, you can configure authentication for your users by specifying which AAA servers are used for specific users. You do this through organizations. An organization allows you to configure your AAA server lookup for your users, then associate specific users, roles, and domains with those organizations.

The following sections describe the organization authentication tasks you can complete in the ANM interface:

Guidelines for Managing Organizations

Configuring AAA Server lookup for your users—See Guidelines for Managing Organizations

Changing server passwords—See Changing Authentication Server Passwords

Modifying Organizations

Duplicating an Organization

Displaying Authentication Server Organizations

Deleting Organizations

The Default organization (to which all users belong) authenticates users through the ANM internal mechanism, which is based on the RBAC security model. This mechanism authenticates users through the local authentication module and a local database of user IDs and passwords. If you choose to use an external authentication method, you must specify the authentication server and port.

Many organizations, however, already have an authentication service. To use your own authentication service instead of the local module, you can select one of the alternate modules:

TACACS+

RADIUS

AD/LDAP


Note For detailed procedures on remote authentication, see the "Configuring Authentication and Accounting Services" chapter of the Cisco ACE 4700 Series Appliance Security Configuration Guide on cisco.com at http://www.cisco.com/en/US/products/ps7027/products_installation_and_configuration_guides_list.html.


After you configure an organization, all authentication transactions are performed by the authentication service associated with that organization. Users log in with the user ID and password associated with the current authentication module.

Related Topics

Managing User Accounts

Managing User Roles

Managing Domains

Guidelines for Managing Organizations

Organizations define the mechanism for authenticating users: RADIUS, TACACS+, AD/LDAP, or Local. When the authentication is remote, users within that organization will have their passwords validated externally.


Note For detailed procedures on remote authentication, see the "Configuring Authentication and Accounting Services" chapter of the Cisco ACE 4700 Series Appliance Security Configuration Guide on cisco.com at http://www.cisco.com/en/US/products/ps7027/products_installation_and_configuration_guides_list.html.


Use this procedure to configure organizations.


Note All users logging into ANM must have a local account.


Procedure


Step 1 Select Admin > Role-Based Access Control > All Organizations.

Step 2 Click Add.

Step 3 Enter the name of the new organization, and notes if required. Click Save.

Step 4 Enter the attributes described in Table 15-3. Certain attributes will display when specific options are selected.

Table 15-3 Organization Attributes 

Attribute
Description

Notes

Description of the organization or notes to administrator.

Organization Name

This can be different from the organization name above. Specifies the company, department, or division of the organization that administers the ANM server. Default name entered appears.

Account Number

Specifies an account number for the organization.

Contact Name

Specifies the name of the individual who is the contact in the organization.

E-Mail

Specifies an address for the organization's contact person.

Telephone #

Specifies a telephone number for the organization's contact person. The format is free text with no embedded spaces.

Alternative Telephone #

Specifies an alternative telephone number for the organization's contact person.

Street Address

Specifies the street for the organization.

City

Specifies the city where the organization is located.

Zip Code

Specifies a zip code for the organization's address.

Country

Specifies the country where the organization is located.

Authentication

Specifies how users are to be authenticated by the system. The default authentication mechanism is ANM's internal mechanism, which is based on ANM's security model. If an external authentication method is chosen, the authentication server and port must be specified.

Options:

Local—Specifies the use of the local database.

RADIUS

TACACS+

AD/LDAP (ANM requires that a Domain Controller Server certificate be installed on the Active Directory Server. For a document containing the detailed instructions, see the "Configuring an LDAP Server" section in the "Configuring Authentication and Accounting Services" chapter of the Cisco ACE 4700 Series Appliance Security Configuration Guide on cisco.com at http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/aaa.html#wp1537851.)


Note ANM itself does not perform authorization. ANM only provides authentication for users who are logging in to ANM.


authentication-port

(Optional) Specifies the UDP destination port for communicating authentication requests to the authentication server. Depending on your server, the following may be true:

By default, the RADIUS authentication port is 1812 (as defined in RFC 2138 and RFC 2139). The port_number argument specifies the RADIUS port number. Valid values are from 1 to 65535.

TACACS+

LDAP

secondary-authentication-port

(Optional) Specifies another UDP destination port for communicating authentication requests to the RADIUS server if the initial port is busy.

Note You will see the following fields if external authentication is used in the organization.

Authentication Server

Specifies the IP address of a RADIUS, TACACS+, or LDAP server for user authentication.

Specifies an external server when RADIUS, TACACS+, or LDAP is to be used to authenticate users.

Note Setting the server with this command is mandatory if the authentication mechanism is anything other than default.

If you select an external authentication method, you might need to specify a separate user ID for the authentication server.

For AD/LDAPS, you must provide the FQDN of the server (which must be in the user's authenticating domain).


Note ANM supports LDAPS only through Active Directory (AD).


Secondary Authentication Server

(Optional) Specifies a secondary external server when RADIUS or TACACS+ is to be used to authenticate users. If you specify a secondary authentication server, ANM uses this server to authenticate users if the primary authentication server is unavailable.

Authentication Secret

Encrypts the traffic between the Cisco ANM and the AAA server. This string needs to be identical on both.


Step 5 Click Save.


Related Topics

Managing User Accounts

Changing the Admin Password

Changing Authentication Server Passwords


Note Your user role determines whether you can use this option.


Procedure


Step 1 Select Admin > Role-Based Access Control > Organization.

Step 2 Select the organization you want to modify, then click Edit.

Step 3 Change the password attribute in the attributes table (see Table 15-4).

Step 4 Click Save.

Step 5 The Edit User Details screen appears. Make any changes and click Save. When all the details are correct, click Cancel. The User Management table is displayed.


Related Topics

Managing User Accounts

Changing the Admin Password

Changing the Admin Password

Each ANM has an admin user account built into the device. The root user ID is admin, and the password is set when the system is installed. For information about changing the Admin password, see Changing Your Account Password, page 1-4.

Modifying Organizations

Assumptions

ANM is installed and running.

The organization exists in the ANM database.

You have reviewed the guidelines for managing customer organizations (see Guidelines for Managing Organizations).


Note Your user role determines whether you can use this option.


Procedure


Step 1 Select Admin > Role-Based Access Control > Organizations.

Step 2 Select the organization you want to modify.

Step 3 Click Edit.

Step 4 Modify any of the attributes in the attributes table (see Table 15-3).

Step 5 Click Save.


Related Topics

Configuring User Authentication

Duplicating an Organization

Use this option to create a new organization from an existing one.

Assumptions

ANM is installed and running.

The organization exists in the ANM database.

You have reviewed the guidelines for managing customer organizations (see Guidelines for Managing Organizations).


Note Your user role determines whether you can use this option.


Procedure


Step 1 Select Admin > Role-Based Access Control > Organizations.

Step 2 Select the organization you want to copy.

Step 3 Click Duplicate.

Step 4 At the prompt, enter a name for the new organization.

Step 5 Click OK.

Step 6 Make any changes to the organization settings (see Table 15-3).

Step 7 Click Save.


Related Topics

Configuring User Authentication

Displaying Authentication Server Organizations


Note Your user role determines whether you can use this option.


Procedure


Step 1 Select Admin > Role-Based Access Control > All Organizations.

The list of customer organizations appears in the All Organizations table.

Step 2 From this screen you can create users, roles, and domains that are associated with this specific organization. You can also access organizations by selecting the organization from the object selector that displays in the top right portion of the content area.


Related Topics

Understanding Organizations

Configuring User Authentication

Deleting Organizations

Assumptions

ANM is installed and running.

The organization exists in the ANM database.

You have reviewed the guidelines for managing customer organizations (see Guidelines for Managing Organizations).


Note Your user role determines whether you can use this option.


Procedure


Step 1 Select Admin > Role-Based Access Control > Organizations.

The Organizations list contains a list of the existing organizations.

Step 2 Select the organization to be deleted.

Step 3 Click Delete. All users, domains, and roles within that organization are removed.


Related Topics

Configuring User Authentication

Managing User Accounts

Use the User Management feature to specify the people who are allowed to log in to the system. The following sections describe how to manage user accounts:

Guidelines for Managing User Accounts

Displaying a List of Users

Creating User Accounts

Duplicating a User Account

Modifying User Accounts

Deleting User Accounts


Note You can create users in the organization in which you are a member. You will see users only in the organizations in which you are a member.


Guidelines for Managing User Accounts

Users cannot log in until they have one domain and one user role associated via an organization. This can be the Default domain, but a role must be specified.

Users cannot be moved from one organization to another. Organizations are designed to be separate and distinct.

Displaying a List of Users

Procedure


Step 1 Select Admin > Role-Based Access Control > Organization > Users. A table of users, their role, and their domain appears.

Step 2 From this screen you can create a new user, or duplicate, modify, or delete any existing user to which you have access.


Related Topics

Managing User Accounts

Creating User Accounts


Note Your user role determines whether you can use this option.


Procedure


Step 1 Select Admin > Role-Based Access Control > Organization > Users. A list of users appears.

Step 2 Click Add.

Step 3 Complete the following required fields:

Table 15-4 User Attributes 

Field
Description

Login Name

Specifies the name by which the user is to be identified in the system (up to 24 characters). Only letters, numbers, and underscore can be used. The field is case sensitive.

Name

Specifies the full name of the user. The format is free text.

Password

Allows you to specify a password for this user account.

Confirm

Reenter the password for this account.

E-Mail

Specifies an e-mail address for this user.

Telephone#

Specifies a telephone number for this user. The format is free text with no embedded spaces.

Role

Specifies a predefined role from the list.

Domains

Allows you to use the Add and Remove buttons to select domains to which this user belongs.

Allowed login IP

Defines an IP address or a subnetwork from which the user is allowed to log in. You can define up to ten different addresses for a single user. Unless you specifically define IP addresses or subnetworks using this option, the user can log in from any IP address. When you enter an allowed single IP address or an allowed subnet, then the user is only allowed to log in from the specified addresses. To restrict access to a specific subnetwork, enter the IP address and the mask, for example, 10.1.200.60/255.255.255.0.


Note IP addresses 1.1.1.1 and 0.0.0.0 cannot be entered in this field.


Description

Enter any notes about the user.

firstmenu

Menu that displays when this user first logs in. Choose one from the pulldown menu.

Last login

Last time (local time) this user logged in.


Step 4 Click Save. The Users table is displayed.
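A pre-flight check for the Login Name and Allowed login IP rules in Table 15-4, added here as an example; it is not Cisco code and does not talk to ANM. It assumes IPv4 only and that an address entered with a mask denotes the whole subnet containing it; the function names and sample entries are constructed for illustration.

```python
import ipaddress
import re

# Limits stated in Table 15-4 (User Attributes).
LOGIN_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,24}")
MAX_ALLOWED_ENTRIES = 10
FORBIDDEN_ADDRESSES = {"1.1.1.1", "0.0.0.0"}


def parse_allowed_entry(entry):
    """Parse 'a.b.c.d' or 'a.b.c.d/m.m.m.m' into an IPv4Network.

    Assumption: an address given with a mask stands for the whole subnet
    that contains it, so 10.1.200.60/255.255.255.0 means 10.1.200.0/24.
    """
    address_text, slash, mask_text = entry.strip().partition("/")
    if address_text in FORBIDDEN_ADDRESSES:
        raise ValueError(f"{address_text} cannot be entered in this field")
    address = int(ipaddress.IPv4Address(address_text))
    if not slash:
        return ipaddress.IPv4Network((address, 32))
    mask = int(ipaddress.IPv4Address(mask_text))
    host_bits = mask ^ 0xFFFFFFFF
    # A valid netmask is a run of 1 bits followed only by 0 bits.
    if host_bits & (host_bits + 1):
        raise ValueError(f"{mask_text} is not a contiguous netmask")
    return ipaddress.IPv4Network((address & mask, bin(mask).count("1")))


def review_user(login_name, allowed_entries):
    """Return a list of findings for one planned user entry."""
    findings = []
    if not LOGIN_NAME_RE.fullmatch(login_name):
        findings.append("login name: use 1-24 letters, digits or underscores")
    if not allowed_entries:
        findings.append("allowed login IP: empty, login allowed from any IP address")
    if len(allowed_entries) > MAX_ALLOWED_ENTRIES:
        findings.append(
            f"allowed login IP: {len(allowed_entries)} entries, "
            f"limit is {MAX_ALLOWED_ENTRIES}"
        )
    for entry in allowed_entries:
        try:
            network = parse_allowed_entry(entry)
        except ValueError as error:
            findings.append(f"allowed login IP {entry!r}: {error}")
            continue
        if network.prefixlen == 0:
            # A mask of 0.0.0.0 matches every source address.
            findings.append(f"allowed login IP {entry!r}: mask matches every source")
    return findings


def login_permitted(source_ip, allowed_entries):
    """Model of the rule in the table: no entries means no restriction.

    Raises ValueError if an entry is malformed.
    """
    if not allowed_entries:
        return True
    source = ipaddress.IPv4Address(source_ip)
    return any(source in parse_allowed_entry(entry) for entry in allowed_entries)


def case_collisions(login_names):
    """Login names are case sensitive, so names that differ only by case
    are distinct accounts; return such pairs so they can be reviewed."""
    first_seen = {}
    pairs = []
    for name in login_names:
        key = name.lower()
        if key in first_seen and first_seen[key] != name:
            pairs.append((first_seen[key], name))
        first_seen.setdefault(key, name)
    return pairs


# Constructed sample entries, not taken from any real deployment.
SAMPLE_USERS = {
    "noc_operator": ["10.1.200.60/255.255.255.0", "192.0.2.15"],
    "j.smith": ["10.1.200.60/255.0.255.0"],
    "Backup_Admin": [],
    "backup_admin": ["1.1.1.1", "10.0.0.0/0.0.0.0"],
}

if __name__ == "__main__":
    for login_name, entries in SAMPLE_USERS.items():
        for finding in review_user(login_name, entries) or ["ok"]:
            print(f"{login_name}: {finding}")
    for first, second in case_collisions(SAMPLE_USERS):
        print(f"case-only difference: {first} / {second}")
```
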


Related Topics

Managing User Accounts

Duplicating a User Account

Use this option to create a new user account using settings from an existing user.


Note Your user role determines whether you can use this option.


Procedure


Step 1 Select Admin > Role-Based Access Control > Organization > Users. A table of users, their role and domain appears.

Step 2 Select the user account you want to copy.

Step 3 Click Duplicate.

Step 4 At the prompt, enter a name for the new user account.

Step 5 Click OK.

The Users table appears with the new user account.

Step 6 Make any changes to the user account settings as shown in Table 15-5.

Table 15-5 Duplicate User Attributes

Field
Description

Login Name

Name you specified when you created the user you want to duplicate. This is the name by which the user is to be identified in the system (up to 24 characters). Only letters, numbers, and underscore can be used. The field is case sensitive.

Name

Specifies the full name of the user. The format is free text.

E-Mail

Specifies an e-mail address for this user.

Telephone#

Specifies a telephone number for this user. The format is free text with no embedded spaces.

Role

Specifies a predefined role from the list.

Domains

Allows you to use the Add and Remove buttons to select domains to which this user belongs.

Allowed login IP

Defines an IP address or a subnetwork from which the user is allowed to log in. You can define up to ten different addresses for a single user. Unless you specifically define IP addresses or subnetworks using this option, the user can log in from any IP address. When you enter an allowed single IP address or an allowed subnet, then the user is only allowed to log in from the specified addresses. To restrict access to a specific subnetwork, enter the IP address and the mask, for example, 10.1.200.60/255.255.255.0.


Note IP addresses 1.1.1.1 and 0.0.0.0 cannot be entered in this field.


Description

Enter any notes about the user.

firstmenu

Menu that is displayed when this user first logs in. Choose one from the pulldown menu.

Last login

Last time (local time) this user logged in and the IP address that was used.



Step 7 Click Save.

Step 8 The Edit Organization User screen appears. Make any changes and click Save. When all the details are correct, click Cancel. The table of users is displayed.
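The Allowed login IP rules in Table 15-5 can be checked offline before a list is entered for a user. The following Python sketch is an added example, not ANM code: the function names, the sample entries, and the "wider than /16" review threshold are assumptions, and it models only the rules stated in the table (up to ten entries, a single address or address/mask, 1.1.1.1 and 0.0.0.0 rejected, an empty list means any source address).

```python
import ipaddress

MAX_ENTRIES = 10          # "up to ten different addresses for a single user"
FORBIDDEN = {ipaddress.IPv4Address("1.1.1.1"), ipaddress.IPv4Address("0.0.0.0")}
BROAD_PREFIX = 16         # assumption: flag anything wider than /16 for review


def parse_entry(entry):
    """Parse 'a.b.c.d' or 'a.b.c.d/mask' into an IPv4Network."""
    text = entry.strip()
    address = ipaddress.IPv4Address(text.split("/", 1)[0])
    if address in FORBIDDEN:
        raise ValueError(f"{address} cannot be entered as an allowed login IP")
    # strict=False because the guide's own example, 10.1.200.60/255.255.255.0,
    # has host bits set; it is read here as the subnet 10.1.200.0/24.
    return ipaddress.IPv4Network(text, strict=False)


def validate_allowlist(entries):
    """Return (networks, problems) for one user's Allowed login IP list."""
    networks, problems = [], []
    if len(entries) > MAX_ENTRIES:
        problems.append(
            f"{len(entries)} entries; the field accepts at most {MAX_ENTRIES}")
    for entry in entries:
        try:
            net = parse_entry(entry)
        except ValueError as exc:       # malformed address/mask or forbidden value
            problems.append(f"{entry!r}: {exc}")
            continue
        if net.prefixlen < BROAD_PREFIX:
            problems.append(
                f"{entry!r}: covers {net.num_addresses} addresses, review")
        networks.append(net)
    return networks, problems


def login_allowed(source_ip, entries):
    """Apply the Table 15-5 rule to one login attempt."""
    if not entries:
        return True                     # nothing defined: any IP address may log in
    # Assumption: entries that fail validation grant nothing (fail closed).
    networks, _ = validate_allowlist(entries)
    source = ipaddress.IPv4Address(source_ip)
    return any(source in net for net in networks)


if __name__ == "__main__":
    # Constructed sample list for one user.
    sample = ["10.1.200.60/255.255.255.0", "192.0.2.15", "0.0.0.0",
              "10.0.0.0/255.0.0.0"]
    nets, problems = validate_allowlist(sample)
    print("networks:", [str(n) for n in nets])
    for problem in problems:
        print("problem:", problem)
    for src in ("10.1.200.7", "198.51.100.9"):
        print(src, "allowed" if login_allowed(src, sample) else "denied")
```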


Related Topics

Managing User Accounts

Modifying User Accounts


Note Your user role determines whether you can use this option.


Procedure


Step 1 Select Admin > Role-Based Access Control > Organization > Users. A table of users, their role, and domain appears.

Step 2 Select the user account you want to modify.

Step 3 Click Edit.

Step 4 Modify any of the attributes in the attributes table (see Table 15-4).

Step 5 Click Save.

Step 6 The Edit User Details screen appears. Make any changes and click Save. When all the details are correct, click Cancel. The User Management table is displayed.


Related Topics

Managing User Accounts

Deleting User Accounts


Note Your user role determines whether you can use this option.


Procedure


Step 1 Select Admin > Role-Based Access Control > Organization > Users. A table of users, their role and domain appears.

Step 2 Select the user account to be deleted, then click Delete.

Step 3 Confirm deletion of the user by clicking OK or Cancel to return to the Users table.

The user account is removed from the ANM database.


Related Topics

Managing User Accounts

Displaying or Terminating Current User Sessions

You can view a list of the users currently logged into the system and end their sessions, if required.

You can only see the users in your organization.


Note Your user role determines whether you can use this option.


Procedure


Step 1 Select Admin > Role-Based Access Control > Active Users.

The Active User Sessions screen displays the following information for each active user who is logged in:

Table 15-6 Active User Session Information

Column
Description

Name

The name used to log into the Cisco ANM

Type of login

Method used to log in, for example WEB

Login from IP

IP address of host

Time of login

Time user logged in


Step 2 To terminate an active session, click Terminate.

When a user session is terminated, the user is logged out of the interface from which the user session was initiated. If the user was making changes to a configuration, the configuration lock is released and any uncommitted configuration change is discarded.

If a user session is terminated while an operation is in progress, the current operation is not stopped, but any subsequent operation is denied.

For more details on terminating active users, see Displaying or Terminating Current User Sessions.


Related Topics

Controlling Access to the Cisco ANM

Managing User Accounts

Managing User Roles

Use the Roles Management feature to add, modify, and delete user-defined roles and to modify predefined roles. You cannot delete predefined roles.

A user's role determines the tasks the user can access. Each role is associated with permissions or rules that define what feature access this role contains. For example, if you design a role that provides access to virtual servers, the role automatically includes access to all real servers that could be included in the virtual server.

The following sections describe how to manage user roles:

Guidelines for Managing User Roles

Displaying User Roles

Creating User Roles

Duplicating a User Role

Modifying User Roles

Deleting User Roles

Guidelines for Managing User Roles

System Administrators can view and modify all roles.

Organization administrator users can only see and modify the users, roles, and domains in their organization.

Other users can only view the user, roles, and domains assigned to them.

User-defined roles can be created but follow strict rules about which tasks can be selected or deselected. See the user interface for specific dependencies or Table 15-2 for role to task mapping information.

You must have the ability to create real servers in your role and at least one virtual context in your domain before you can create real servers.

You must have the ability to create virtual contexts in your role and an Admin context in your domain before you can create virtual contexts.

If you upgrade to ANM 1.2, any custom roles that are migrated retain their associations but have different role definitions. We encourage you to use the ANM 1.2 predefined default roles.

Understanding Predefined Roles

You must have one of the predefined roles in the Admin context in order to use the changeto command (which allows users to visit other contexts). Non-admin/user contexts do not have access to the changeto command; they can only visit their home context. Context administrators, who have access to multiple contexts, must explicitly log in to other contexts to which they have access.

The predefined roles and their default privileges are defined in Table 15-7. For detailed information on RBAC, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.

Table 15-7 ANM 1.2 Predefined Role Tasks

Predefined Role
Description
Role Tasks/Operation Privileges 1

ACE-Admin

Access to create virtual contexts and monitor threshold information.

View Threshold

Create Device Events

Create Virtual Context+

ANM-Admin

Access to create virtual contexts and monitor threshold information. Provides access to all features and functions.

Create ANM System

Create ANM User Access

Create ANM Inventory+

Network-Admin

Admin for L3 (IP and Routes) and L4 VIPs

View Threshold

Create Switch

Create Routing

Create Interface

Create NAT

Create Connection

Network-Monitor

Monitoring for all features

View ANM Inventory+

Org-Admin

Access to create role-based access control and import and update device data.

Create ANM User

Create ANM Inventory+

Security-Admin

Security features

Create AAA

Modify Interface

Create NAT

Create Inspect

Create Connection

Server-Appln-Maintenance

Server maintenance and L7 policy application

View Threshold

View VIP

View Virtual Inservice

Create LoadBalancer+

Server-Maintenance

Server maintenance, monitoring, and debugging

View Threshold

View VIP+

Modify Real Server

Debug Probe

Create Real Inservice

SLB-Admin

Load-balancing features

View Threshold

Create Building Block

Modify Interface

Create Expert+

SSL-Admin

SSL features

Create SSL+

1 Where the plus sign (+) is indicated, all permissions included in this folder are included at the same privilege level, unless otherwise noted. For example, Virtual Contexts tasks are comprised of tasks such as AAA, Building Blocks, and so on. These tasks are depicted as columns in the Roles table.


Displaying User Role Relationships

Use this procedure to display which users are associated to specific roles.


Note Your user role determines whether you can use this option.


Procedure


Step 1 Select Admin > Role-Based Access Control > Organizations > Roles. A table of the defined roles and their settings appears.

Step 2 Select a role and click Users. A screen displays a table containing the following:

Name—User name

Role—Role name

Domain—Domain access for this user

From this screen you can delete or duplicate a user.

Step 3 Click Close to return to the Roles table.


Related Topics

Duplicating a User Account

Managing User Roles

Displaying User Roles

Use this option to display the existing user roles.


Note Your user role determines whether you can use this option.


Procedure


Step 1 Select Admin > Role-Based Access Control > Organizations > Roles. A table of the defined roles and their settings appears.

Step 2 You can use the options in this screen to:

Create a new role (see Creating User Roles).

View the users assigned to a role (see Displaying User Role Relationships).

Modify any existing role to which you have access (see Modifying User Roles).

Duplicate any existing role to which you have access (see Duplicating a User Role).

Delete any existing role to which you have access (see Deleting User Roles).


Related Topics

Understanding Operations Privileges

Managing User Roles

Creating User Roles

You can edit the predefined roles, or you can create new, user-defined roles. When you create a new role, you specify a name and description of the new role, then select the privileges for each task. You can also assign this role to one or more users.


Note Your user role determines whether you can use this option.


Procedure


Step 1 Select Admin > Role-Based Access Control > Organization > Roles. A table of the defined roles and their settings appears.

Step 2 Click Add. The New Role form appears.

Step 3 Enter the following attributes:

Table 15-8 Role Attributes 

Attribute
Description

Name

The name of the role.

Description

A brief description of the role.

Role Tasks

A role tree that defines the operation privileges and features available to this role.

Resulting Menu Items

Displays a synchronized list of features in the form of menus that this role is able to access after setting the role task operation privileges.


 

Step 4 Click Save. The new role is added to the list of user roles.

Step 5 To assign this new role to one or more users, go to Admin > Organizations > Users. For detailed steps, see Modifying User Accounts.


Related Topics

Understanding Operations Privileges

Managing User Roles

Duplicating a User Role

Use this option to create a new user-defined role from an existing one.


Note Your user role determines whether you can use this option.


Procedure


Step 1 Select Admin > Role-Based Access Control > Organization > Roles. A table of the defined roles and their settings appears.

Step 2 Select the role you want to copy.

Step 3 Click Duplicate.

Step 4 At the prompt, enter a name for the new role.

Step 5 Click OK.

Step 6 Make any changes to the role settings.

Step 7 Click Save.


Related Topics

Understanding Operations Privileges

Managing User Roles

Modifying User Roles

You can modify any user-defined roles.


Note Your user role determines whether you can use this option.


Procedure


Step 1 Select Admin > Role-Based Access Control > Organization > Roles. A table of the defined roles and their settings appears.

Step 2 Select the role you want to modify.

Step 3 Click Edit.

Step 4 Make the changes.

Step 5 Click Save.


Related Topics

Understanding Operations Privileges

Managing User Roles

Deleting User Roles

You can delete any user-defined roles.


Note Your user role determines whether you can use this option.


Procedure


Step 1 Select Admin > Role-Based Access Control > Organization > Roles. A table of the defined roles and their settings appears.

Step 2 Select the role to be deleted.

Step 3 Click Delete.

Step 4 Click OK to confirm the deletion. Users that have the deleted role no longer have that access.


Related Topics

Managing User Roles

Managing Domains

Network domains provide a means for organizing the devices and their components (physical and logical) in your network and permitting access according to the way your site is organized. You can allow access to a domain by assigning it to an organization. Examples are specific virtual contexts, or specific servers within a context.

The following sections describe how to manage domains:

Guidelines for Managing Domains

Displaying Network Domains

Creating a Domain

Duplicating a Domain

Modifying a Domain

Deleting a Domain

Guidelines for Managing Domains

Domains are logical concepts. You do not delete a member of a domain when you delete the domain.

Domains can include supported Cisco chassis, ACE modules, ACE appliances, and CSS or CSM devices, as well as their virtual contexts, building blocks, resource classes, and real and virtual servers.

Select the Allow All setting to include current and future device objects in a domain.

Objects must already exist in ANM. To add objects, see Adding Network Devices into ANM, page 2-7.

You must have the ability to create real servers in your role and at least one virtual context in your domain before you can create real servers.

You must have the ability to create virtual contexts in your role and an Admin context in your domain before you can create virtual contexts.

Domains continue to display device information even after you remove that device from ANM. This allows the domain information to be easily reassociated if you reimport the device. The device name must remain the same for this to work properly.


Caution Domain objects are hierarchical. If you include a parent object in a domain, the child object is also included even though they do not display in the Object selector tree when you add or edit domains.

For example:

Inclusion of a Catalyst device includes all cards, virtual contexts, real servers and virtual servers

Inclusion of an ACE 4710 includes all cards, virtual contexts, real servers and virtual servers

Inclusion of a virtual context, CSM module or CSS device includes all associated objects
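Because child objects are included without being shown in the Object selector tree, the effective scope of a domain can be wider than its visible selection. The following Python sketch is an added example, not ANM code: it expands each domain's selection over a constructed inventory tree (all object names and the type:name labelling are made up) and reports what a domain grants implicitly, which selected objects no longer exist in the inventory, and which domains reach a given object.

```python
# Constructed inventory: parent object -> child objects.
INVENTORY = {
    "chassis:cat6k-1": ["module:ace-slot3", "module:csm-slot5"],
    "module:ace-slot3": ["context:Admin", "context:web", "context:payroll"],
    "context:web": ["vserver:web-vip", "rserver:web-01", "rserver:web-02"],
    "context:payroll": ["vserver:pay-vip", "rserver:pay-01"],
    "module:csm-slot5": ["vserver:legacy-vip", "rserver:legacy-01"],
}

# Constructed domains: what an administrator ticked in the Object selector.
DOMAINS = {
    "web-team": {"allow_all": False, "objects": ["context:web"]},
    # "appliance:ace4710-old" was removed from the inventory but is still
    # listed in the domain, as the guidelines above describe.
    "dc-east": {"allow_all": False,
                "objects": ["chassis:cat6k-1", "appliance:ace4710-old"]},
    "everything": {"allow_all": True, "objects": []},
}


def all_objects(inventory):
    """Every object named in the inventory, parents and leaves."""
    objects = set(inventory)
    for children in inventory.values():
        objects.update(children)
    return objects


def expand_domain(domain, inventory):
    """Return (effective, implicit, stale) object sets for one domain.

    effective: everything the domain grants access to
    implicit:  granted through a parent, not selected by name
    stale:     selected by name but absent from the inventory
    """
    known = all_objects(inventory)
    selected = set(domain.get("objects", []))
    stale = selected - known
    if domain.get("allow_all"):
        # Allow All covers current (and future) objects.
        return known, known - selected, stale
    effective = set()
    stack = [obj for obj in selected if obj in known]
    while stack:
        obj = stack.pop()
        if obj in effective:
            continue
        effective.add(obj)
        stack.extend(inventory.get(obj, []))   # leaves have no children
    return effective, effective - selected, stale


def domains_reaching(target, domains, inventory):
    """Sorted names of the domains whose effective scope includes target."""
    return sorted(name for name, domain in domains.items()
                  if target in expand_domain(domain, inventory)[0])


if __name__ == "__main__":
    for name, domain in DOMAINS.items():
        effective, implicit, stale = expand_domain(domain, INVENTORY)
        print(f"{name}: {len(effective)} objects, "
              f"{len(implicit)} implicit, stale={sorted(stale)}")
    print("rserver:pay-01 is reachable from:",
          domains_reaching("rserver:pay-01", DOMAINS, INVENTORY))
```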

Related Topics

Creating a Domain

Modifying a Domain

Displaying Network Domains

Duplicating a Domain

Deleting a Domain

Displaying Network Domains


Note Your user role determines whether you can use this option.


Procedure


Step 1 Select Admin > Role-Based Access Control > Organization > Domains. The Domains table appears.

Step 2 Expand the table until you can see all the network domains.

Step 3 Select a domain from the Domains table to view the settings for that domain, then click Edit.


Related Topics

Managing Domains

Guidelines for Managing Domains

Creating a Domain

Duplicating a Domain

Modifying a Domain

Deleting a Domain

Creating a Domain

Use this option to create a new domain.


Note Your user role determines whether you can use this option.


Procedure


Step 1 Select Admin > Role-Based Access Control > Organization > Domains. The Domains table appears.

Step 2 Click Add.

Step 3 For the new domain, enter the following information:

Table 15-9 Domain Attributes

Field
Description

Name

The name of the domain.

Description

The description of the domain.

Allow all check box

Enables all objects within this domain (current and future objects). If left empty, the Objects tree displays.

Objects

The collection of objects which comprise this domain. Select an object name and use the arrows to move it from the available to selected column.

For example, selecting a virtual context selects all real servers within that virtual context, or selecting a chassis selects the virtual contexts on that chassis. The interface does not explicitly display this in the table, but the objects are, in fact, selected.

See Guidelines for Managing Domains for domain rules about creating virtual contexts and real servers.


Step 4 Click Save.

The Domains Edit screen updates and displays the total object number next to the object name.


Related Topics

Managing Domains

Guidelines for Managing Domains

Displaying Network Domains

Creating a Domain

Duplicating a Domain

Modifying a Domain

Deleting a Domain

Duplicating a Domain

Use this option to create a new domain from an existing one.


Note Your user role determines whether you can use this option.


Procedure


Step 1 Select Admin > Role-Based Access Control > Organization > Domains.

Step 2 Select the domain you want to copy.

Step 3 Click Duplicate.

Step 4 At the prompt, enter a name for the new domain, then click OK.

Step 5 Click Save.


Related Topics

Managing Domains

Guidelines for Managing Domains

Displaying Network Domains

Creating a Domain

Modifying a Domain

Deleting a Domain

Modifying a Domain

Use this option to change the settings in a domain.


Note Your user role determines whether you can use this option.


Procedure


Step 1 Select Admin > Role-Based Access Control > Organization > Domains.

Step 2 Select the domain you want to change.

Step 3 Click Edit.

Step 4 Make the changes. For detailed domain attribute descriptions, see Table 15-9.

Step 5 Click Save.


Related Topics

Managing Domains

Guidelines for Managing Domains

Displaying Network Domains

Creating a Domain

Duplicating a Domain

Deleting a Domain

Deleting a Domain

Use this option to delete a network domain from the system. You do not delete objects associated with that domain when you delete the domain.


Note Your user role determines whether you can use this option.


Procedure


Step 1 Select Admin > Role-Based Access Control > Organization > Domains.

The Domains list contains a list of the existing domains.

Step 2 Select the domain you want to delete.

Step 3 Click Delete. A prompt asks you to confirm this action.

Step 4 Click OK. The domain is removed from the ANM database.


Related Topics

Managing Domains

Guidelines for Managing Domains

Displaying Network Domains

Creating a Domain

Duplicating a Domain

Modifying a Domain

Managing ANM

When you select Admin > ANM Management, you can view the following information:

ANM—Allows you to check the status of your ACE. See Checking the Status of the ANM Server.

License Management—Displays the license information stored in the ACE hardware. See Managing ANM Licenses.

Statistics—Displays the ANM server statistics. See Viewing ANM Server Statistics.

Statistics Collection—Allows you to enable or disable ANM server statistic collection. See Configuring ANM Statistics Collection.

Audit Log Settings—Allows you to determine how long audit log records are kept. See Configuring Audit Log Settings.

Change Audit Log—Displays ANM server logs. See Viewing Change Audit Logs.

Auto Sync Settings—Allows you to have ANM automatically sync with the CLI when it detects out-of-band changes between itself and the ACE. See Configuring Auto Sync Settings.

Checking the Status of the ANM Server

The ANM server can be configured either as:

A non-HA ANM. The non-HA ANM consists of only one host and is referred to as a standalone ANM.

An HA (high availability or fault-tolerant) ANM, which consists of two hosts: an active ANM and a standby ANM. An HA ANM has a virtual IP address that is always assigned to the active ANM. Users log into this virtual IP address—they never log into the real IP addresses of the hosts. In addition, an HA ANM has a secondary NIC and IP address on each host over which "heartbeat" messages are used to arbitrate which host is active and which is standby.


Note Your user role determines whether you can use this option.


Use this option to check if ANM has a backup server and to view the server status.

Procedure


Step 1 Select Admin > ANM Management > ANM.

The ANM Server status screen appears. This screen contains the following information:

Table 15-10 ANM Server Status Information 

Field
Description

HA Replication State

Options:

OK—This is an HA ANM and it is running properly.

Standalone—This is a non-HA ANM, and therefore the HA attributes and operations are not meaningful.

Stopped—This is an HA ANM and database replication has stopped. Under normal circumstances this is a transitory state.

Failed—This is an HA ANM and database replication cannot proceed. Most likely this is because the standby ANM is not alive or is unreachable.

Version

The version of the ANM software.

Build Number and Build Timestamp

Build identification information.

Time Server Started

The date and time the ANM server started.

Virtual IP Address

Virtual IP address that associates with the active host. This IP address must be on the same subnet as the primary IP addresses of both Node 1 and Node 2.

Active Name

Name of Node 1, which can be displayed by issuing the uname -n command on the host.

Active IP

IP address used by Node 1 for normal (non-heartbeat related) communication. This IP address must be on the same subnet as the primary address for Node 2.

Active Heartbeat IP

IP address associated with the crossover network interface for Node 1. This IP address must be on the same subnet as the Heartbeat IP address for Node 2.

Standby Name

Name of Node 2, which can be returned by issuing the uname -n command on the host.

Standby IP

IP address used by Node 2 for normal (non-heartbeat related) communication. This IP address must be on the same subnet as the primary IP address for Node 1.

Standby Heartbeat IP

IP address associated with the crossover network interface for Node 2. This IP address must be on the same subnet as the Heartbeat IP address for Node 1.

License Server State

Options:

OK—There is a valid license on the host.

Invalid—The host either contains an invalid license or there is no license present.

Unknown—It is not possible to communicate with the host's license manager, therefore, the license state is unknown.

Note The Unknown and Invalid states will not display for the active (local) ANM. If the standby ANM has an Invalid license state, you should install a valid license. If the standby ANM has an Unknown license state, check that the standby ANM has been installed correctly.

DEMO—Used for demonstration purposes. It lasts for 30, 60, or 90 days from the issue day of the license. It allows you to use all features.

Standby License Server State

 


Related Topics

Managing ANM Licenses

Viewing ANM Server Statistics

Configuring ANM Statistics Collection

Managing ANM Licenses

Cisco Application Networking Manager manages software licenses for the ANM server as well as ACE devices. For information about managing ACE licenses, see Managing ACE Licenses, page 3-27. For a complete list of supported devices, see the Supported Devices Table for the Cisco Application Networking Manager 1.2.

Since ANM is licensed, it requires a software license key to work properly. You may be required to purchase another server license if you are using a backup server. ANM may also need additional software licenses to run large networks with many ACE devices and modules.


Note ANM uses TCP port 10444 for the ANM License Manager. For other port numbers, see Appendix A, "ANM Ports Reference."


Use this feature to view license state, add license files, and track license compliance information on your ANM.

This topic contains the following tasks:

Adding Licenses into License Management

Viewing Licenses in License Management

Checking on License Compliance

Ordering ANM Licenses

Removing Licenses Files

For more details on ANM licenses, see Understanding ANM License Information or the Installation Guide for the Cisco Application Networking Manager 1.2.

Related Topics

Understanding ANM License Information

Preparing Devices for Import, page 2-4

Managing ACE Licenses, page 3-27

Understanding ANM License Information

When you install ANM 1.2 for the first time you need to add a license from the command line before you can access ANM. See the Installation Guide for the Cisco Application Networking Manager 1.2 for instructions.

ANM requires licenses to manage virtual devices and to run the ANM server or servers.

Table 15-11 describes the various licenses and their purpose.

Table 15-11 ANM License Descriptions

License Name
Description

ANM-AD-<count>

ANM-AD-20

Where A stands for ACE and D stands for devices. This product ID allows <count> number of ACE devices/modules to be managed by ANM.

If you have purchased two ANM-AD-10 licenses, ANM is allowed to manage 20 ACE devices.

One ANM server can manage no more than 50 ACE devices.

ANM-CD-<count>

ANM-CD-10

Where A stands for ACE and C stands for CSS or CSM devices/modules supported.

ANM-AV-<supported # of virtual contexts>

ANM-AV-100

Where A stands for ACE and V stands for virtual contexts. This license allows ANM to manage one ACE module/device which has an ACE license supporting <number of virtual context>.

If you have three ACE modules, two supporting 50 virtual contexts each (ACE-VIRT-050) and one supporting 250 contexts (ACE-VIRT-250), then you are required to have either two ANM-AV-50 licenses or one ANM-AV-50 license with a count of two, and one ANM-AV-250.

The interpretation of <supported number of virtual contexts> in ANM-AV is different from <count> in ANM-AD.

ANM-DEMO or DEMO

Used for demonstration purposes. It lasts for 30, 60, or 90 days from the issue day of the license. It allows you to use all features.

ANM-SERVER-XX or

ANM-SERVER-XX-H

Used to allow access to the ANM server. Use ANM-SERVER-XX for standalone or primary servers and ANM-SERVER-XX-H for your backup server when running HA.


Related Topics

Managing ACE Licenses, page 3-27

Managing ANM Licenses

Viewing Licenses in License Management

Adding Licenses into License Management

Ordering ANM Licenses

Removing Licenses Files

Adding Licenses into License Management

Use this procedure to add new ANM licenses to expand the number of network devices you can manage.


Note Your user role determines whether you can use this option.


Procedure


Step 1 Select Admin > ANM Management > License Management > Licenses. The Licenses table appears.

Step 2 Click Install. The New License screen appears.

Step 3 Click Browse to locate the new license name. Use the browser to select the license file.

Step 4 Click Upload to copy the license you entered onto the ANM Server or Cancel to exit.

The license file appears in the Licenses table as well as in the License Files table. From the Licenses table you can also filter, add more licenses, or alter table views. See Table 1-3 on page 1-9 for a description of the table buttons.

From the License Files table you can see the Install Status of the license file and if there are any errors. See Viewing Licenses in License Management for details on what steps to do next.


Related Topics

Managing ACE Licenses, page 3-27

Managing ANM Licenses

Viewing Licenses in License Management

Understanding ANM License Information

Ordering ANM Licenses

Removing Licenses Files

Viewing Licenses in License Management

Use this procedure to view ANM licenses that allow you to expand the number of network devices you can manage.

Procedure


Step 1 Select Admin > ANM Management > License Management > Licenses.

The License table appears. If there are license files, the License Files table also appears on the same page. This screen contains the following information (see Table 15-12 and Table 15-13):

Table 15-12 ANM License Information 

Field
Description

Name

Contains the license type name information about how many virtual contexts can be allocated on an ACE, as well as ANM license information.

ANM_DEMO—Temporary 30, 60, or 90 day licenses; three free demos allowed.

ANM_SERVER—Enables management of one ANM and two ACE devices; neither can have an ACE VIRT license (ACE_VIRT_100). Licenses containing -H correspond to a standby ANM-SERVER node.

ANM_AD—Management of devices 5, 10, 20, 50 (ANM-AD-20).

ANM_CD—Enables management of CSS or CSM devices/modules.

ANM_AV_xxx—Enables management of 20, 50, 100, or 250 virtual contexts.

For details on how to understand license name acronyms, see Understanding ANM License Information.

Installed Server

Indicates whether the license is installed on an active or standby ANM server. This field displays only when ANM is in HA mode.

File Name

The name of the license file you installed on the ACE appliance.

Vendor

Name of vendor that supplied the license.

Expiry Date

Date license expires. If no expiration, permanent displays.

Maximum Count

Number of licenses available (purchased).


Table 15-13 License Files

Field
Description

File Name

The name of the license file you installed on the ANM host.

Install Status

Status of the license file. Any licensing errors display here. If errors display, see Removing Licenses Files for details on how to remove this file and import a working file.


From this table you can also filter, add, or alter table views. See Table 1-3 on page 1-9 for a description of the table buttons.

Related Topics

Managing ACE Appliance Licenses in Installation Guide for the Cisco Application Networking Manager 1.2

Understanding ANM License Information

Adding Licenses into License Management

Ordering ANM Licenses

Managing ANM Licenses

Removing Licenses Files

Managing ACE Licenses, page 3-27

Checking on License Compliance

Use this procedure to verify that the ANM licenses in your network are compliant with your ACE licenses.

Procedure


Step 1 Select Admin > ANM Management > License Management > Compliance.

The License Compliance table displays (see Table 15-14).

Table 15-14 License Compliance

Field
Description

License Type

Lists types of licenses found. See Understanding ANM License Information.

HA

Displays Active when in HA mode or non-HA mode. Disregard this column if you are running a standalone server.

Total

Number of licenses present. Corresponds to maximum count on the Licenses table.

Used

Number of licenses in use.

Remaining

Number of licenses available for use. A negative number displays in red if there are not enough licenses for the network devices you are managing. A number displays highlighted in yellow if the number of licenses used is equal to the total licenses you have purchased.

Expiration

Expiration date (if temporary license).


Step 2 Click Refresh to update the licenses in this window.


Related Topics

Understanding ANM License Information

Adding Licenses into License Management

Ordering ANM Licenses

Updating ACE Licenses, page 3-31

Managing ACE Licenses, page 3-27

Ordering ANM Licenses

If you need to purchase additional ANM licenses in order to be compliant with the number of ACE licenses you are managing, contact your sales team or use Cisco.com to place your order. After you receive your PAK information, you can then access the Cisco Product License Registration web site page at http://www.cisco.com/go/license. The Cisco Product License Registration web site provides you with license key/files that you can upload to ANM and ensure your compliance with software requirements.

If you already have your Product Activation Key (PAK), you can manually use the Cisco web site to obtain licenses or you can use the Cisco License Manager. Cisco License Manager performs license fulfillment for you and also deploys the licenses to network devices using a wizard-based GUI.

Related Topics

Managing ANM Licenses

Understanding ANM License Information

Adding Licenses into License Management

Viewing Licenses in License Management

Checking on License Compliance

Managing ACE Licenses, page 3-27

Removing Licenses Files

If your license files will not work in the ANM due to file errors, you need to remove them from the ANM host and request another license file from Cisco. There is no remove license command. You can remove the license from the operating system by deleting the file.

Procedure


Step 1 Log in as the root user.

Step 2 To remove the license file, enter:

rm /opt/CSCOanm/etc/license/<ANM_LICENSE_FILE>

The license file is removed from the ANM host only. The license on your managed device is still valid.

Step 3 Restart ANM to allow it to update the licenses table data. To restart ANM, see instructions in the Installation Guide for the Cisco Application Networking Manager 1.2.

To request another license from Cisco to replace the one that had errors, open a service request using the TAC Service Request Tool or call the Technical Assistance Center. Then add the license into ANM.


Related Topics

Managing ANM Licenses

Understanding ANM License Information

Adding Licenses into License Management

Viewing Licenses in License Management

Ordering ANM Licenses

Viewing ANM Server Statistics

Use this procedure to display ANM statistics (for example, CPU, disk, and memory usage on the ACE).

Procedure


Step 1 Select Admin > ANM Management > Statistics. The statistics viewer displays the fields in Table 15-15.

  

Table 15-15 ACE Server Statistics

| Name | Description |
| --- | --- |
| Owner | Process where statistics are collected. |
| Statistic | Includes the following statistics: CPU Usage—Overall ACE CPU busy percentage in the last 5-minute period. Disk Usage—Amount of disk space being used by the ANM server or ACE appliance. Memory Usage—Amount of memory being used by the ANM server or ACE hardware. Process Uptime—Amount of time since this system was last initialized, or the amount of time since the network management portion of the system was last reinitialized. |
| Value | Value of the statistic. |
| Description | Information the statistic gathered. |



Related Topics

Checking the Status of the ANM Server

Configuring ANM Statistics Collection

Configuring ANM Statistics Collection

Use this procedure to enable ACE server statistics polling.

Procedure


Step 1 Select Admin > ANM Management > Statistics Collection. The Primary Attributes configuration screen appears.

Step 2 In the Polling Stats field, select Enable to start background polling or Disable to stop background polling.

Step 3 In the Background Polling Interval field, select the polling interval appropriate for your networking environment.

Step 4 Click Deploy Now to save your entries.


Related Topics

Viewing ANM Server Statistics

Checking the Status of the ANM Server

Configuring Audit Log Settings

Audit Log Purge Settings allow you to specify the following:

How many days the log records in the database will be kept (default is 31).

The maximum number of log records that will be stored in the ANM database (default 100,000).

Audit Log File Purge Settings allow you to specify the following:

The number of days' worth of log record files that will be stored in the ANM database (default 31 days).

The number of daily rolling files that will be stored in the ANM database (default is 10 files each day; the allowable file size is 2 Megabytes and is not configurable).

Use this procedure to determine how long audit logs are kept in the database.

Procedure


Step 1 Select Admin > ANM Management > Audit Log Settings. The Audit Log Settings configuration screen appears.

Audit Log Purge Settings fields let you determine whether audit log table entries will be deleted after a certain number of days (default is 31 days) or after the table entries reach a certain size (default is 100 entries).

Step 2 In the Number of Days field, enter the greatest number of days you would like entries to be retained.

Step 3 In the Number of Entries (Thousand) field, enter the maximum number of log records to be stored in the audit log tables in the ANM database (default 100,000).

Audit Log File Purge Settings fields let you determine whether to retain log files according to age (default is 31 days) or by amount saved in a given day (default is 10 entries).

Step 4 In the Number of Days field, enter the greatest number of days you would like entries to be retained.

Step 5 In the Number of Daily Rolling Log Files field, enter the greatest number of log files you would like retained.

Step 6 Click:

Reset to Default to erase changes and restore the default values.

or

Save Now to save your entries.


Related Topics

Configuring Audit Log Settings

Viewing Change Audit Logs

Viewing Change Audit Logs

Any key activity or change-related activity on the ANM server is logged, and you can view the log entries according to your role. Use this procedure to display ANM change audit logs, for example, user login attempts and create, update, or delete operations on objects such as RBAC, Global Resource Class, Credential, device group, and threshold setting.

Procedure


Step 1 Select Admin > ANM Management > ANM Change Audit Log. The audit log displays the fields in Table 15-16.

  

Table 15-16 Server Audit Log

| Name | Description |
| --- | --- |
| Time | Server time stamp when user action is complete. |
| Client IP | IP address where action originated. |
| User | Email address in the following format: username@organization name (for example, admin@cisco.com). |
| Message | Boilerplate text descriptive of action taken, usually self-explanatory (for example, "User authentication succeeded."). |



Related Topics

Device Audit Trail Logging, page 14-23

Checking the Status of the ANM Server

Configuring Audit Log Settings

Configuring Auto Sync Settings

Use this procedure to configure ANM server auto sync settings.

Procedure


Step 1 Select Admin > ANM Management > ANM Auto Sync Settings. The Setup ANM auto-sync settings screen appears.

Step 2 In the ANM Auto sync field, select one of the following:

Enable to have the ANM server automatically sync with the ACE CLI when it detects out-of-band changes.

or

Disable to have the ANM server warn but not take independent action when it detects out-of-band changes between the server and the ACE CLI.

Step 3 In the Polling Interval field, select the polling interval you would like the ANM server to employ.

Step 4 Click OK to save your entries.


Related Topic

Synchronizing Virtual Context Configurations, page 3-66

Lifeline Management

Use the troubleshooting and diagnostics tools provided by the Lifeline feature to report a critical problem to the Cisco support line and generate a diagnostic package. For more information about this feature, see Using Lifeline, page 16-3.