User Guide for the Cisco Secure Access Control System 5.1
Managing System Administration Configurations
Downloads: This chapterpdf (PDF - 439.0KB) The complete bookPDF (PDF - 18.54MB) | Feedback

Managing System Administration Configurations

Table Of Contents

Managing System Administration Configurations

Configuring Global System Options

Configuring TACACS+ Settings

Configuring EAP-TLS Settings

Configuring PEAP Settings

Configuring EAP-FAST Settings

Generating EAP-FAST PAC

Configuring RSA SecurID Prompts

Managing Dictionaries

Viewing RADIUS and TACACS+ Attributes

Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes

Creating, Duplicating, and Editing RADIUS Vendor-Specific Subattributes

Viewing RADIUS Vendor-Specific Subattributes

Configuring Identity Dictionaries

Creating, Duplicating, and Editing an Internal User Identity Attribute

Configuring Internal Identity Attributes

Deleting an Internal User Identity Attribute

Creating, Duplicating, and Editing an Internal Host Identity Attribute

Deleting an Internal Host Identity Attribute

Configuring Local Server Certificates

Adding Local Server Certificates

Importing Server Certificates and Associating Certificates to Protocols

Generating Self-Signed Certificates

Generating a Certificate Signing Request

Binding CA Signed Certificates

Editing and Renewing Certificates

Deleting Certificates

Exporting Certificates

Viewing Outstanding Signing Requests

Configuring Logs

Configuring Remote Log Targets

Deleting a Remote Log Target

Configuring the Local Log

Deleting Local Log Data

Configuring Logging Categories

Configuring Global Logging Categories

Configuring Per-Instance Logging Categories

Configuring Per-Instance Security and Log Settings

Configuring Per-Instance Remote Syslog Targets

Displaying Logging Categories

Configuring the Log Collector

Viewing the Log Message Catalog

Licensing Overview

Types of Licenses

Installing a License File

Viewing the Base License

Upgrading the Base Server License

Viewing License Feature Options

Adding Deployment License Files

Deleting Deployment License Files

Available Downloads

Downloading Migration Utility Files

Downloading UCP WSDL Files

Downloading Sample Python Scripts


Managing System Administration Configurations


After you install Cisco Secure ACS, you must configure and administer it to manage your network efficiently. The ACS web interface allows you to easily configure ACS to perform various operations. For a list of post-installation configuration tasks to get started with ACS, see Chapter 6 "Post-Installation Configuration Tasks".

When you select System Administration > Configuration you can access pages that allow you do the following:

Configure global system options, including settings for TACACS+, EAP-TTLS, PEAP, and EAP-FAST. See Configuring Global System Options.

Configure protocol dictionaries. See Managing Dictionaries.

Manage local sever certificates. See Configuring Local Server Certificates.

Manage log configurations. See Configuring Logs.

Manage licensing. See Licensing Overview.

Configuring Global System Options

From the System Administration > Configuration > Global System Options pages, you can view these options:

Configuring TACACS+ Settings

Configuring EAP-TLS Settings

Configuring PEAP Settings

Configuring EAP-FAST Settings

Generating EAP-FAST PAC

Configuring TACACS+ Settings

Use the TACACS+ Settings page to configure TACACS+ runtime characteristics.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

Select System Administration > Configuration > Global System Options > TACACS+ Settings.

The TACACS+ Settings page appears as described in Table 18-1:

Table 18-1 TACACS+ Settings   

Option
Description

Port to Listen

The port number on which to listen.

Connection Timeout

Number of minutes before the connection times out.

Session Timeout

Number of minutes before the session times out.

Maximum Packet Size

Maximum packet size (in bytes).

Single Connect Support

Check to enable single connect support.

Login Prompts

Username Prompt

A text string to use as the username prompt.

Password Prompt

A text string to use as the password prompt.

Password Change Control

Enable TELNET Change Password

Choose this option if you want to provide an option to change password during a TELNET session.

Prompt for Old Password:

A text string to use as the old password prompt.

Prompt for New Password

A text string to use as the new password prompt.

Prompt for Confirm Password

A text string to use as the confirm password prompt.

Disable TELNET Change Password

Choose this option if you do not want change password during a TELNET session.

Message when Disabled

The message that is displayed when you choose the Disable TELNET Change Password option.


Configuring EAP-TLS Settings

Use the EAP-TLS Settings page to configure EAP-TLS runtime characteristics.

Select System Administration > Configuration > Global System Options > EAP-TLS Settings.

The EAP-TLS Settings page appears as described in Table 18-2:

Table 18-2 EAP-TLS Settings   

Option
Description

Enable EAP-TLS Session Resume

Check this box to support abbreviated reauthentication of a user who has passed full EAP-TLS authentication. This feature provides reauthentication of the user with only an SSL handshake and without the application of certificates. EAP-TLS session resume works only within the EAP-TLS session timeout value.

EAP-TLS session timeout

Enter the number of seconds before the EAP-TLS session times out.


Configuring PEAP Settings

Use the PEAP Settings page to configure PEAP runtime characteristics.

Select System Administration > Configuration > Global System Options > PEAP Settings.

The PEAP Settings page appears as described in Table 18-3:

Table 18-3 PEAP Settings  

Option
Description

Enable PEAP Session Resume

When checked, ACS caches the TLS session that is created during phase one of PEAP authentication, provided the user successfully authenticates in phase two of PEAP. If a user needs to reconnect and the original PEAP session has not timed out, ACS uses the cached TLS session, resulting in faster PEAP performance and a lessened AAA server load.

You must specify a PEAP session timeout value for the PEAP session resume features to work.

PEAP Session Timeout

Enter the number of seconds before the PEAP session times out. The default value is 7200 seconds.

Enable Fast Reconnect

Check to allow a PEAP session to resume in ACS without checking user credentials when the session resume feature is enabled.


Related Topic

Generating EAP-FAST PAC

Configuring EAP-FAST Settings

Use the EAP-FAST Settings page to configure EAP-FAST runtime characteristics.

Select System Administration > Configuration > Global System Options > EAP-FAST > Settings.

The EAP-FAST Settings page appears as described in Table 18-4:

Table 18-4 EAP-FAST Settings   

Option
Description
General

Authority Identity Info Description

A user-friendly string that describes the ACS server that sends credentials to a client. The client can discover this string in the Protected Access Credentials Information (PAC-Info) Type-Length-Value (TLV). The default value is Cisco Secure ACS.

Master Key Generation Period

The value is used to encrypt or decrypt and sign or authenticate PACs. The default is one week.

Revoke

Revoke

Click Revoke to revoke all previous master keys and PACs. This operation should be used with caution.

Note If the ACS node is a secondary node, the Revoke option is disabled.


Generating EAP-FAST PAC

Use the EAP-FAST Generate PAC page to generate a user or machine PAC.


Step 1 Select System Administration > Configuration > Global System Options > EAP-FAST > Generate PAC.

The Generate PAC page appears as described in Table 18-5:

Table 18-5 Generate PAC  

Option
Description

Tunnel PAC

Select to generate a tunnel PAC.

Machine PAC

Select to generate a machine PAC.

Identity

Specifies the username or machine name presented as the "inner username" by the EAP-FAST protocol. If the Identity string does not match that username, authentication will fail.

PAC Time To Live

Enter the equivalent maximum value in days, weeks, months and years, and enter a positive integer.

Password

Enter the password.


Step 2 Click Generate PAC.


Configuring RSA SecurID Prompts

You can configure RSA prompts for an ACS deployment. The set of RSA prompts that you configure is used for all RSA realms and ACS instances in a deployment. To configure RSA SecurID Prompts:


Step 1 Choose System Administration > Configuration > Global System Options > RSA SecurID Prompts.

The RSA SecurID Prompts page appears.

Step 2 Modify the fields described in Table 18-6.

Table 18-6 RSA SecurID Prompts Page

Option
Description

Next Token Prompt

A text string to request for the next token. The default value is "Enter Next TOKENCODE:".

Choose PIN Type Prompt

A text string to request the PIN type. The default value is "Do you want to enter your own pin?".

Accept System PIN Prompt

A text string to accept the system-generated PIN. The default value is "ARE YOU PREPARED TO ACCEPT A SYSTEM-GENERATED PIN?".

Note: For the two PIN entry prompts below, if the prompt contains the following strings, they will be substituted as follows:
{MIN_LENGTH}- will be replaced by the minimum PIN length configured for the RSA Realm
{MAX_LENGTH}- will be replaced by the maximum PIN length configured for the RSA Realm

Alphanumeric PIN Prompt

A text string for requesting an alphanumeric PIN.

Numeric PIN Prompt

A text string for requesting a numeric PIN.

Re-Enter PIN Prompt

A text string to request the user to re-enter the PIN. The default value is "Reenter PIN:".


Step 3 Click Submit to configure the RSA SecurID Prompts.


Managing Dictionaries

The following tasks are available when you select System Administration > Configuration > Dictionaries:

Viewing RADIUS and TACACS+ Attributes

Configuring Identity Dictionaries

Viewing RADIUS and TACACS+ Attributes

The RADIUS and TACACS+ Dictionary pages display the available protocol attributes in these dictionaries:

RADIUS (IETF)

RADIUS (Cisco)

RADIUS (Microsoft)

RADIUS (Ascend)

RADIUS (Cisco Airespace)

RADIUS (Cisco Aironet)

RADIUS (Cisco BBSM)

RADIUS (Cisco VPN 3000)

RADIUS (Cisco VPN 5000)

RADIUS (Juniper)

RADIUS (Nortel [Bay Networks])

RADIUS (RedCreek)

RADIUS (US Robotics)

TACACS+


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

To view and choose attributes from a protocol dictionary, select System Administration > Configuration > Dictionaries > Protocols; then choose a dictionary.

The Dictionary page appears with a list of available attributes as shown in Table 18-7:

Table 18-7 Protocols Dictionary Page   

Option
Description

Attribute

The name of the attribute.

ID

(RADIUS only) The VSA ID.

Type

The data type of the attribute.

Direction

(RADIUS only) Specifies where the attribute is in use: in the request, in the response, or both. Single or bidirectional authentication.

Multiple Allowed

(RADIUS only) Multiple attributes are allowed. Attributes that specify multiple allowed can be used more than once in one request or response.


Use the arrows to scroll through the attribute list.

ACS 5.1 also supports RADIUS vendor-specific attributes (VSAs). A set of predefined RADIUS VSAs are available. You can define additional vendors and attributes from the ACS web interface. You can create, edit, or delete RADIUS VSAs. After you have defined new VSAs, you can use them in policies, authorization profiles, and RADIUS token servers in the same way as predefined VSAs. For more information, see:

RADIUS VSAs.

Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes

Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes

Vendor-Specific Attributes (VSAs) allow vendors to create extension to the RADIUS attributes. The vendors have a specific vendor number assigned to them. VSAs are attributes that contain subattributes. ACS 5.1 allows you to create, duplicate, or edit RADIUS VSA (VSAs). To do this:


Note Some of the internally used attributes cannot be modified.

Note You cannot modify an attribute's type if the attribute is used by any policy or policy element.

Step 1 Choose System Administration > Configuration > Dictionaries > Protocols > RADIUS VSA.

Step 2 Do one of the following:

Click Create.

Check the check box next to the RADIUS VSA that you want to duplicate, then click Duplicate.

Check the check box next to the RADIUS VSA that you want to edit, then click Edit.

The Create RADIUS VSA page appears. Modify the fields as described in Table 18-8.

Table 18-8 RADIUS VSA - Create, Duplicate, Edit Page

Option
Description

Attribute

Name of the RADIUS VSA.

Description

(Optional) A brief description of the RADIUS VSA.

Vendor ID

ID of the RADIUS vendor.

Attribute Prefix

(Optional) Prefix that you want to prepend to the RADIUS attribute so that all attributes for the vendor start with the same prefix.

Use Advanced Vendor Options

Vendor Length Field Size

A vendor length field of 8 bits for specifying the length of the VSA. Choose the vendor length of the VSA. Valid options are 0 and 1. The default value is 1.

Vendor Type Field Size

A vendor type field of 8 bits. Choose the vendor type of the VSA. Valid options are 1, 2, and 4. The default value is 1.


Step 3 Click Submit to save the changes.


Related Topics

Viewing RADIUS and TACACS+ Attributes

Creating, Duplicating, and Editing RADIUS Vendor-Specific Subattributes

To create, duplicate, and edit RADIUS vendor-specific subattributes:


Step 1 Choose System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA.

You can alternatively choose the RADIUS VSA from the navigation pane.

Step 2 Do one of the following:

Click Create to create a subattribute for this RADIUS VSA.

Check the check box next to the RADIUS VSA that you want to duplicate, then click Duplicate.

Check the check box next to the RADIUS VSA that you want to edit, then click Edit.

Step 3 The RADIUS VSA subattribute create page appears.

Step 4 Complete the fields described in Table 18-9.

Table 18-9 Creating, Duplicating, and Editing RADIUS Subattributes

Option
Description
General

Attribute

Name of the subattribute. The name must be unique.

Description

(Optional) A brief description of the subattribute.

RADIUS Configuration

Vendor Attribute ID

Enter the vendor ID field for the subattribute. This value must be unique for this vendor.

Direction

Specifies where the attribute is in use: in the request, in the response, or both. Single or bidirectional authentication.

Multiple Allowed

Multiple attributes are allowed. Attributes that specify multiple allowed can be used more than once in one request or response.

Include attribute in the log

Check this check box to include the subattribute in the log. For sensitive attributes, you can uncheck this check box so to they are not logged.

Attribute Type

Attribute Type

Type of the attribute. Valid options are:

String

Unsigned Integer 32

IPv4 Address

HEX String

Enumeration—If you choose this option, you must enter the ID-Value pair

Note You cannot use attributes of type HEX String in policy conditions.

ID-Value

(Optional) For the Enumeration attribute type only.

ID—Enter a number from 0 to 999.

Value—Enter a value for the ID.

Click Add to add this ID-Value pair to the ID-Value table.

To edit, replace, and delete ID-Value pairs:

Select the ID-Value pair from the ID-Value table.

Click Edit to edit the ID and Value fields. Edit the fields as required.

Click Add to add a new entry after you modify the fields.

Click Replace to replace the same entry with different values.

Click Delete to delete the entry from the ID-Value table.

Attribute Configuration

Add Policy Condition

Check this check box to enter a policy condition in which this subattribute will be used.

Policy Condition Display Name

Enter the name of the policy condition that will use this subattribute.


Step 5 Click Submit to save the subattribute.


Viewing RADIUS Vendor-Specific Subattributes

To view the attributes that are supported by a particular RADIUS vendor:


Step 1 Choose System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA.

The RADIUS VSA page appears.

Step 2 Check the check box next to the vendor whose attribute you want to view, then click Show Vendor Attributes.

The vendor-specific attributes and the fields listed in Table 18-7 are displayed. You can create additional VSAs, and duplicate or edit these attributes. For more information, see Creating, Duplicating, and Editing RADIUS Vendor-Specific Subattributes.


Related Topic

Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes

Configuring Identity Dictionaries

This section contains the following topics:

Creating, Duplicating, and Editing an Internal User Identity Attribute

Deleting an Internal User Identity Attribute

Creating, Duplicating, and Editing an Internal Host Identity Attribute

Creating, Duplicating, and Editing an Internal Host Identity Attribute

Deleting an Internal Host Identity Attribute

Creating, Duplicating, and Editing an Internal User Identity Attribute


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

To create, duplicate, and edit an internal user identity attribute:


Step 1 Select System Administration > Configuration > Dictionaries > Identity > Internal Users.

The Attributes list for the Internal Users page appears.

Step 2 Perform one of these actions:

Click Create.

Check the check box next to the attribute that you want to duplicate and click Duplicate.

Click the attribute name that you want to modify; or, check the check box for the name and click Edit.

The Identity Attribute Properties page appears.

Step 3 Modify the fields in the Identity Attributes Properties page as required. See Configuring Internal Identity Attributes for field descriptions.

Step 4 Click Submit.

The internal user attribute configuration is saved. The Attributes list for the Internal Users page appears with the new attribute configuration.


Related Topics

Deleting an Internal User Identity Attribute

Creating, Duplicating, and Editing an Internal Host Identity Attribute

Policies and Identity Attributes

Configuring Internal Identity Attributes

Table 18-10 describes the fields in the internal <users | hosts> identity attributes.

Table 18-10 Identity Attribute Properties Page 

Option
Description
General

Attribute

The name of the attribute.

Description

A description of the attribute.

Attribute Type

Attribute Type

(Optional) Use the drop-down list box to choose an attribute type. Valid options are:

String—Populates the Maximum Length and Default Value fields in the page.

Unsigned Integer 32—Populates the Valid Range From and To fields in the page.

IPv4 Address—Populates the Default Value field in the page.

Boolean—Populates the Default Value check box in the page.

Date—Populates the Default Value field and calendar icon in the page.

Enumeration—Populates the ID and Value fields and the Add, Edit, Replace, and Delete buttons.

Maximum Length

(Optional) For the String attribute type only. Enter the maximum length of your attribute. The valid range is from 1 to 256. (Default = 32)

Value Range

(Optional) For the Unsigned Integer attribute type only.

From—Enter the lowest acceptable integer value. The valid range is from 0 to 2^31-1 (2147483647). This value must be smaller than the Valid Range To value.

To—Enter the highest acceptable integer value. The valid range is from 0 to 2^31-1 (2147483647). This value must be larger than the Valid Range From value.

Default Value

Enter the default value for the appropriate attribute:

String—Up to the maximum length. (Follow the UTF-8 standard.) You can use the letters a to z, A to Z, and the digits 0 to 9.

Unsigned Integer 32—An integer in the range from 0 to 2^31-1 (2147483647).

IPv4 Address—Enter IP address you want to associate with this attribute, in the format: x.x.x.x, where x.x.x.x is the IP address (no subnet mask).

Date—Click the calendar icon to display the calendar popup and select a date.

Boolean Value—Select True or False.

ID-Value

(Optional) For the Enumeration attribute type only.

ID—Enter a number from 0 to 999.

Value—Enter a value for the ID.

Click Add to add this ID-Value pair to the ID-Value table.

To edit, replace, and delete ID-Value pairs:

Select the ID-Value pair from the ID-Value table.

Click Edit to edit the ID and Value fields. Edit the fields as required.

Click Add to add a new entry after you modify the fields.

Click Replace to replace the same entry with different values.

Click Delete to delete the entry from the ID-Value table.

Attribute Configuration

Mandatory Fields

Check the check box to make this attribute a requirement in the User Properties page.

Add Policy Condition

Check the check box to create a custom condition from this attribute. When you check this option, you must enter a name in the Policy Condition Display Name field.

Policy Condition Display Name

Enter a name for the policy condition. After you submit this page, the condition appears in the Policy Elements > Session Conditions > Custom page.


Deleting an Internal User Identity Attribute

To delete an internal user identity attribute:


Step 1 Select System Administration > Configuration > Dictionaries > Identity > Internal Users.

The Attributes list for the internal user page appears.

Step 2 Check the check box next to the attribute you want to delete. Because deleting an identity attribute can take a long time to process, you can delete only one attribute at a time.

Step 3 Click Delete.

Step 4 For confirmation, click OK or Cancel.

The Attributes list for the internal user page appears without the deleted attribute.


Related Topics

Creating, Duplicating, and Editing an Internal User Identity Attribute

Policies and Identity Attributes

Creating, Duplicating, and Editing an Internal Host Identity Attribute


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

To create, duplicate, and edit an internal host identity attribute:


Step 1 Select System Administration > Configuration > Dictionaries > Identity > Internal Hosts.

The Attributes list for the Internal Hosts page appears.

Step 2 Perform one of these actions:

Click Create.

Check the check box next to the attribute that you want to duplicate and click Duplicate.

Click the attribute name that you want to modify; or, check the check box for the name and click Edit.

The Identity Attribute Properties page appears.

Step 3 Modify the fields in the Identity Attributes Properties page as required. See Table 18-10 for field descriptions.

Step 4 Click Submit.

The internal host attribute configuration is saved. The Attributes list for the Internal Hosts page appears with the new attribute configuration.


Related Topics

Deleting an Internal Host Identity Attribute

Policies and Identity Attributes

Deleting an Internal Host Identity Attribute


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

To delete an internal host identity attribute:


Step 1 Select System Administration > Configuration > Dictionaries > Identity > Internal User.

The Attributes list for the Internal Hosts page appears.

Step 2 Check the check box next to the attribute you want to delete. Because deleting an attribute can take a long time to process, you can delete only one attribute at a time.

Step 3 Click Delete.

Step 4 For confirmation, click OK or Cancel.

The Attributes list for the Internal Hosts page appears without the deleted attribute.


Related Topics

Creating, Duplicating, and Editing an Internal Host Identity Attribute

Policies and Identity Attributes

Configuring Local Server Certificates

Local server certificates are also known as ACS server certificates. ACS uses the local server certificates to identify itself to the clients. The local server certificates are used by:

EAP protocols that use SSL/TLS tunneling.

Management interface to authenticate the web interface (GUI).

This section contains the following topics:

Adding Local Server Certificates

Importing Server Certificates and Associating Certificates to Protocols

Generating Self-Signed Certificates

Generating a Certificate Signing Request

Binding CA Signed Certificates

Editing and Renewing Certificates

Deleting Certificates

Exporting Certificates

Viewing Outstanding Signing Requests

Adding Local Server Certificates

You can add a local server certificate, also known as an ACS server certificate, to identify the ACS server to clients.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

Step 1 Select System Administration > Configuration > Local Server Certificates > Local Certificates. The Local Certificates page appears displaying the information in Table 18-11:

Table 18-11 Local Certificates Page   

Option
Description

Friendly Name

The name that is associated with the certificate.

Issued To

The entity to which the certificate is issued. The name that appears is from the certificate subject.

Issued By

Trusted party that issued the certificate.

Valid From

The date the certificate is valid from.

Valid To (Expiration)

The date the certificate is valid to.

Protocol

The protocol associated with the certificate.


Step 2 Click Add.

Step 3 Enter the information in the Local Certificate Store Properties page as described in Table 18-12:

Table 18-12 Local Certificate Store Properties Page  

Option
Description

Import Server Certificate

Select to browse the client machine for the Local Certificate file and import the private key and private key password. See Importing Server Certificates and Associating Certificates to Protocols.

Note Supported certificate formats include, DER, PEM, or Microsoft private key proprietary format.

Generate Self Signed Certificate

Select to generate a self-signed certificate. See Generating Self-Signed Certificates.

Generate Certificate Signing Request

Select to generate a certificate signing request. See Generating a Certificate Signing Request.

Bind CA Signed Certificate

Select to bind the CA certificate. After the RA signs the request, you can install the returned signed certificate on ACS and bind the certificate with its corresponding private key. See Binding CA Signed Certificates.



Importing Server Certificates and Associating Certificates to Protocols


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

Note The supported certificate formats are either DER or PEM.

Step 1 Select System Administration > Configuration > Local Server Certificates > Certificate Installations >Add, then select Import Server Certificate > Next.

Step 2 Enter the information in the ACS Import Server Certificate as described in Table 18-13:

Table 18-13 Import Server Certificate Page  

Option
Description

Certificate File

Select to browse the client machine for the local certificate file.

Private Key File

Select to browse to the location of the private key.

Private Key Password

Enter the private key password. The value may be minimum length = 0 and maximum length = 256.

Protocol

EAP

Check to associate the certificate with EAP protocols that use SSL/TLS tunneling: EAP-TLS, EAP-FAST, and PEAP.

Management Interface

Check to associate the certificate with the management interface.

Override Policy

Replace Certificate

Check to replace the content of an existing certificate with the one that you import, but retain the existing protocol selections.


Step 3 Click Finish.

The new certificate is saved. The Local Certificate Store page appears with the new certificate.


Generating Self-Signed Certificates


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

Step 1 Select System Administration > Configurations > Local Server Certificates > Certificate Installations > Add and then select Generate Self Signed Certificate> Next.

Step 2 Enter the information in the ACS Import Server Certificate as described in Table 18-14:

Table 18-14 Generate Self Signed Certificate Step 2

Option
Description

Certificate Subject

Certificate subject entered during generation of this request. The Certificate Subject field may contain alphanumeric characters. The maximum number of characters is 1024. This field is prefixed with "cn=".

Key Length

Key length entered during generation of this request.Values may be 512, 1024, 2048, or 4096.

Digest to Sign with

This field is populated with the value SHA1 for ACS 5.1.

Expiration TTL

Select the equivalent maximum value in days, weeks, months, and years, and enter a positive integer.

Protocol

EAP

Check to associate the certificate with EAP protocols that use SSL/TLS tunneling: EAP-TLS, EAP-FAST, and PEAP.

Management Interface

Check to associate the certificate with the management interface.

Override Policy

Replace Certificate

Check to replace the content of an existing certificate with the one that you import, but retain the existing protocol selections.


Step 3 Click Finish.

The new certificate is saved. The Local Certificate Store page appears with the new certificate.


Generating a Certificate Signing Request


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

Step 1 Select System Administration > Configurations > Local Server Certificates > Certificate Installations > Add and then select Generate Certificate Signing Request > Next.

Step 2 Enter the information in the ACS Import Server Certificate as described in Table 18-15:

Table 18-15 Generate Signing Requests  Step 2

Option
Description

Certificate Subject

Certificate subject entered during generation of this request. The Certificate Subject field may contain alphanumeric characters. The maximum number of characters is 1024. This field is prefixed with "cn=".

Key Length

Key length entered during generation of this request.Values may be 512, 1024, 2048, or 4096.

Digest to Sign with

This field is populated with the value SHA1 for ACS 5.1.


Step 3 Click Finish.

The new certificate is saved. The Local Certificate Store page appears with the new certificate.


Binding CA Signed Certificates

Use this page to bind a CA signed certificate to the request that was used to obtain the certificate from the CA.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

Step 1 Select System Administration > Configurations > Local Server Certificates > Certificate Installations > Add and then select Bind CA Signed Certificate > Next.

Step 2 Enter the information in the ACS Import Server Certificate as described in Table 18-16:

Table 18-16 Bind CA Signed Certificate Step 2  

Option
Description

Certificate File

Browse to the client machine and select the certificate file to be imported.

Protocol

EAP

Check to associate the certificate with EAP protocols that use SSL/TLS tunneling: EAP-TLS, EAP-FAST, and PEAP.

Management Interface

Check to associate the certificate with the management interface.

Override Policy

Replace Certificate

Check to replace the content of an existing certificate with the one that you import, but retain the existing protocol selections.


Step 3 Click Finish.

The new certificate is saved. The Local Certificate Store page appears with the new certificate.


Related Topics

Configuring Local Server Certificates

Certificate-Based Network Access for EAP-TLS

Editing and Renewing Certificates


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

You can renew an existing self-signed certificate without having to remove it and adding a new certificate. This ensures that any service that uses the local certificate continues without any interruption. To renew or extend a local server certificate:


Step 1 Select System Administration > Configuration > Local Server Certificates > Local Certificates.

Step 2 Click the name that you want to modify; or, check the check box for the Name, and click Edit.

Step 3 Enter the certificate properties as described in Table 18-17:

Table 18-17 Edit Certificate Store Properties Page  

Option
Description
Issuer

Friendly Name

The name that is associated with the certificate.

Description

A description of the certificate.

Issued To

Display only. The entity to which the certificate is issued. The name that appears is from the certificate subject.

Issued By

Display only. The certification authority that issued the certificate.

Valid From

Display only. The start date of the certificate's validity. An X509 certificate is valid only from the start date to the end date (inclusive).

Valid To (Expiration)

Display only. The last date of the certificate's validity.

Serial Number

Display only. The serial number of the certificate.

Protocol

EAP

Check for ACS to use the local certificate with EAP protocols that use SSL/TLS tunneling: EAP-TLS, EAP-FAST, and PEAP.

Management Interface

Check for ACS to use the local certificate for SSL client authentication.

Renew Self Signed Certificate

Certificate Expires On

Display only. Date the certificate expires.

Renew Self Signed Certificate

Check to allow the renewal of a self signed certificate that expired.

Expiration TTL

Expiration TTL is the number of days, months, weeks, or years that you want to extend the existing certificate for. Valid options are: one day, one month, one week, and one year.

Note At a maximum, you can extend the certificate for a period of one year.


Step 4 Click Submit to extend the existing certificate's validity.

The Local Certificate Store page appears with the edited certificate.


Related Topic

Configuring Local Server Certificates

Deleting Certificates

To delete a certificate:


Step 1 Select System Administration > Configuration > Local Server Certificates > Local Certificates.

Step 2 Check one or more check boxes next to the certificates that you want to delete.

Step 3 Click Delete.

Step 4 For confirmation, click Yes or Cancel.

The Certificate Store page appears without the deleted certificate(s).


Related Topic

Configuring Local Server Certificates

Exporting Certificates


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

To export a certificate:


Step 1 Select System Administration > Configuration > Local Server Certificates > Local Certificates.

Step 2 Check the box next to the certificates that you want to export, then click Export.

The Export Certificate dialog box appears.

Step 3 Select one of the following options:

Export Certificate Only

Export Certificate and Private Key

Step 4 Enter your private key password in the Private Key Password field.

Step 5 Enter the same password in the Confirm Password field.


Note Exporting the private key is not a secure operation and could lead to possible exposure of the private key.

Step 6 Click OK or Cancel.


Related Topic

Configuring Local Server Certificates

Viewing Outstanding Signing Requests


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

Select System Administration > Configurations > Local Server Certificates > Outstanding Signing Request.

The Certificate Signing Request page appears displaying the information described in Table 18-18:

Table 18-18 Certificate Signing Request Page  

Option
Description

Name

Name of the certificate.

Certificate Subject

Certificate subject entered during generation of this request. The Certificate Subject field may contain alphanumeric characters. The maximum number of characters is 1024. This field should automatically prefixed with "cn=".

Key Length

Key length entered during generation of this request.Values may be 512, 1024, 2048, or 4096.

Timestamp

Date certificate was created.

Friendly Name

The name that is associated with the certificate.


Click Export to export the local certificate to a client machine.

Configuring Logs

Log records are generated for:

Accounting messages

AAA audit and diagnostics messages

System diagnostics messages

Administrative and operational audit messages

The messages are arranged in tree hierarchy structure within the logging categories (see Configuring Logging Categories for more information).

You can store log messages locally or remotely, based on the logging categories and maintenance parameters.

This section contains the following topics:

Configuring Remote Log Targets

Configuring the Local Log

Configuring Logging Categories

Configuring Global Logging Categories

Configuring Per-Instance Logging Categories

Displaying Logging Categories

Configuring the Log Collector

Viewing the Log Message Catalog

See Chapter 19 "Understanding Logging" for a description of the preconfigured global ACS logging categories and the messages that each contains.

Configuring Remote Log Targets

You can configure specific remote log targets (on a syslog server only) to receive the logging messages for a specific logging category. See Chapter 19 "Understanding Logging" for more information on remote log targets. See Configuring Logging Categories for more information on the preconfigured ACS logging categories.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

To create a new remote log target:


Step 1 Select System Administration > Configuration > Log Configuration > Remote Log Targets.

The Remote Log Targets page appears.

Step 2 Do one of the following:

Click Create.

Check the check box next to the remote log target that you want to duplicate and click Duplicate.

Click the name of the remote log target that you want to modify; or check the check box next to the name of the remote log target that you want to modify and click Edit.

One of these pages appears:

Remote Log Targets > Create, if you are creating a new remote log target.

Remote Log Targets > Duplicate: "<log_target>", where <log_target> is the name of the remote log target you selected in Step 2, if you are duplicating a remote log target.

Remote Log Targets > Edit: "<log_target>", where <log_target> is the name of the remote log target you selected in Step 2, if you are modifying a remote log target.

Step 3 Complete the required fields as described in Table 18-19:

Table 18-19 Remote Log Targets Configuration Page 

Option
Description

General

Name

The name of the remote log target. Maximum name length is 32 characters.

Description

The description of the remote log target. Maximum description length is 1024 characters.

Type

The type of remove log target—Syslog (the only option).

Target Configuration

IP Address

IP address of the remote log target, in the format x.x.x.x.

Use Advanced Syslog Options

Click to enable the advanced syslog options—port number, facility code, and maximum length.

Port

The port number of the remote log target used as the communication channel between the ACS and the remote log target (default = 514). This option is only visible if you click Use Syslog Options.

Facility Code

The facility code. Valid options are:

LOCAL0 (Code = 16)

LOCAL1 (Code = 17)

LOCAL2 (Code = 18)

LOCAL3 (Code = 19)

LOCAL4 (Code = 20)

LOCAL5 (Code = 21)

LOCAL6 (Code = 22; default)

LOCAL7 (Code = 23)

This option is only visible if you click Use Advanced Syslog Options.

Maximum Length

The maximum length of the remote log target messages. Valid options are from 200 to 1024. This option is only visible if you click Use Advanced Syslog Options.


Step 4 Click Submit.

The remote log target configuration is saved. The Remote Log Targets page appears with the new remote log target configuration.


Related Topic

Deleting a Remote Log Target

Deleting a Remote Log Target

To delete a remote log target:


Step 1 Select System Administration > Configuration > Log Configuration > Remote Log Targets.

The Remote Log Targets page appears, with a list of configured remote log targets.

Step 2 Check one or more check boxes next to the remote log targets you want to delete.

Step 3 Click Delete.

The following error message appears:

Are you sure you want to delete the selected item/items?

Step 4 Click OK.

The Remote Log Targets page appears without the deleted remote log targets.


Related Topic

Configuring Remote Log Targets

Configuring the Local Log

Use the Local Configuration page to configure the maximum days to retain your local log data.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

Step 1 Select System Administration > Configuration > Log Configuration > Local Log Target.

The Local Configuration page appears.

Step 2 In the Maximum log retention period box, enter the number of days for which you want to store local log message files, where <num> is the number of days you enter. Valid options are 1 to 365. (Default = 7.)


Note If you reduce the number of days for which to store the local log message files, the log message files older than the number of days you specify are deleted automatically.

You can click Delete Logs Now to delete the local logs, including all non-active log files, immediately. See Deleting Local Log Data for more information on deleting log data.

Step 3 Click Submit to save your changes. Your configuration is saved and the Local Configuration page is refreshed.


Deleting Local Log Data

Use the Local Configuration page to manually delete your local log data. You can use this option to free up space when the local store is full. See Local Store Target for more information about the local store.


Step 1 Select System Administration > Configuration > Log Configuration > Local Log Target.

The Local Configuration page appears.

Step 2 Click Delete Logs Now to immediately delete all local log data files, except the log data in the currently active log data file.

The Local Configuration page is refreshed.


Configuring Logging Categories

This section contains the following topics:

Configuring Global Logging Categories

Configuring Per-Instance Logging Categories

All configuration performed for a parent logging category affects the children within the logging category. You can select a child of a parent logging category to configure it separately, and it does not affect the parent logging category or the other children.

Configuring Global Logging Categories


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

To view and configure global logging categories:


Step 1 Select System Administration > Configuration > Log Configuration > Logging Categories > Global.

The Logging Categories page appears; from here, you can view the logging categories.

Step 2 Click the name of the logging category you want to configure; or, click the radio button next to the name of the logging category you want to configure and click Edit.

Step 3 Complete the fields as described in Table 18-20.

Table 18-20 Global: General Page 

Option
Descriptions
Configure Log Category

Log Severity

For diagnostic logging categories, use the drop-down list box to select the severity level. (For audit and accounting categories, there is only one severity, NOTICE, which cannot be modified.) Valid options are:

FATAL—Emergency. ACS is not usable and you must take action immediately.

ERROR—Critical or error condition.

WARN—Normal, but significant condition. (Default)

INFO—Informational message.

DEBUG—Diagnostic bug message.

Configure Local Setting for Category

Log to Local Target

Check to enable logging to the local target.

Note For administrative and operational audit logging category types, logging to local target is enabled by default and cannot be disabled.

Local Target is Critical

Usable for accounting and for AAA audit (passed authentication) logging category types only. Check the check box to make this local target the critical target.

Note For administrative and operational audit logging category types, the check box is checked by default and cannot be unchecked; the local target is the critical target.

Configure Logged Attributes

Display only. All attributes are logged to the local target.


If you have completed your configuration, proceed to Step 6.

Step 4 To configure a remote syslog target, click the Remote Syslog Target and proceed to Step 5.

Step 5 Complete the Remote Syslog Target fields as described in Table 18-21:

Table 18-21 Global: Remote Syslog Target Page 

Option
Description
Configure Syslog Targets

Available targets

List of available targets. You can select a target from this list and move it to the Selected Targets list.

Selected targets

List of selected targets. You can select a target from this list and move it to the Available Targets list to remove it from your configuration.


Step 6 Click Submit.

The Logging Categories page appears, with your configured logging category.


Note Administrative and operational audit messages include audit messages of the following types:

Configuration changes

Internal user change password

Administrator access

Operational audit

Some of the operational audit messages are not logged in the local log target. See Table 18-22 for a list of administrative and operational logs that are not logged in the local target. See Viewing ADE-OS Logs for information on how you can view these logs from the ACS CLI.


Table 18-22 lists a set of administrative and operational logs under various categories that are not logged to the local target.

Table 18-22 Administrative and Operational Logs Not Logged in the Local Target 

Category
Log and Description

Process-Management

ACS_START_PROCESS—ACS process started

ACS_STOP_PROCESS—ACS process stopped

ACS_START—All ACS processes started

ACS_STOP—All ACS processes stopped

WD_RESTART_PROCESS—ACS process restarted by watchdog

WD_CONFIG_CHANGE—Watchdog configuration reloaded

ACS_START_STOP_ERROR—ACS process reported start/stop error

DB-Management

CARS_BACKUP—CARS backup complete

CARS_RESTORE—CARS restore complete

ACS_BACKUP—ACS DB backup complete

ACS_RESTORE—ACS DB restore complete

ACS_SUPPORT—ACS support bundle collected

ACS_RESET—ACS DB reset

File-Management

ACS_DELETE_CORE—ACS core files deleted

ACS_DELETE_LOG—ACS log files deleted

Software-Management

ACS_UPGRADE—ACS upgraded

ACS_PATCH—ACS patch installed

UPGRADE_SCHEMA_CHANGE—ACS schema upgrade complete

UPGRADE_DICTIONARY—ACS dictionary upgrade complete

UPGRADE_DATA_MANIPULATION—ACS upgrade - data manipulation stage complete

UPGRADE_AAC—ACS AAC upgrade complete

UPGRADE_PKI—ACS PKI upgrade complete

UPGRADE_VIEW—ACS View upgrade complete

CLI_ACS_UPGRADE—ACS upgrade started

CLI_ACS_INSTALL—ACS install started

System-Management

ACS_MIGRATION_INTERFACE—ACS migration interface enabled/disabled

ACS_ADMIN_PSWD_RESET—ACS administrator password reset

CLI_CLOCK_SET—Clock set

CLI_TZ_SET—Time zone set

CLI_NTP_SET—NTP Server set

CLI_HOSTNAME_SET—Hostname set

CLI_IPADDRESS_SET—IP address set

CLI_IPADDRESS_STATE—IP address state

CLI_DEFAULT_GATEWAY—Default gateway set

CLI_NAME_SERVER—Name server set

ADEOS_XFER_LIBERROR—ADE OS Xfer library error

ADEOS_INSTALL_LIBERROR—ADE OS install library error

AD_JOIN_ERROR—AD agent failed to join AD domain

AD_JOIN_DOMAIN—AD agent joined AD domain

AD_LEAVE_DOMAIN—AD agent left AD domain

IMPORT_EXPORT_PROCESS_ABORTED—Import/Export process aborted

IMPORT_EXPORT_PROCESS_STARTED—Import/Export process started

IMPORT_EXPORT_PROCESS_COMPLETED—Import/Export process completed

IMPORT_EXPORT_PROCESS_ERROR—Error while Import/Export process


Related Topic

Configuring Per-Instance Logging Categories

Viewing ADE-OS Logs

Viewing ADE-OS Logs

The logs listed in Table 18-22 are written to the ADE-OS logs. From the ACS CLI, you can use the following command to view the ADE-OS logs:

show logging system

This command lists all the ADE-OS logs and your output would be similar to the following example.

Sep 29 23:24:15 cd-acs5-13-179 sshd(pam_unix)[20013]: 1 more authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=10.77.137.95 
user=admin
Sep 29 23:24:34 cd-acs5-13-179 sshd(pam_unix)[20017]: authentication failure; logname= 
uid=0 euid=0 tty=ssh ruser= rhost=10.77.137.95 user=ad
min
Sep 29 23:24:36 cd-acs5-13-179 sshd[20017]: Failed password for admin from 10.77.137.95 
port 3635 ssh2
Sep 30 00:47:44 cd-acs5-13-179 sshd(pam_unix)[20946]: authentication failure; logname= 
uid=0 euid=0 tty=ssh ruser= rhost=10.77.137.95 user=ad
min
Sep 30 00:47:46 cd-acs5-13-179 sshd[20946]: Failed password for admin from 10.77.137.95 
port 3953 ssh2
Sep 30 00:54:59 cd-acs5-13-179 sshd(pam_unix)[21028]: authentication failure; logname= 
uid=0 euid=0 tty=ssh ruser= rhost=10.77.137.95 user=ad
min
Sep 30 00:55:01 cd-acs5-13-179 sshd[21028]: Failed password for admin from 10.77.137.95 
port 3962 ssh2
Sep 30 00:55:35 cd-acs5-13-179 last message repeated 5 times
Sep 30 00:55:39 cd-acs5-13-179 sshd[21028]: Accepted password for admin from 10.77.137.95 
port 3962 ssh2
Sep 30 00:55:39 cd-acs5-13-179 sshd(pam_unix)[21038]: session opened for user admin by 
(uid=0)
Sep 30 00:55:40 cd-acs5-13-179 debugd[2597]: hangup signal caught, configuration read
Sep 30 00:55:40 cd-acs5-13-179 debugd[2597]: successfully loaded debug config
Sep 30 00:55:40 cd-acs5-13-179 debugd[2597]: [21043]: utils: cars_shellcfg.c[118] [admin]: 
Invoked carsGetConsoleConfig 
Sep 30 00:55:40 cd-acs5-13-179 debugd[2597]: [21043]: utils: cars_shellcfg.c[135] [admin]: 
No Config file, returning defaults 
Sep 30 01:22:20 cd-acs5-13-179 sshd[21038]: Received disconnect from 10.77.137.95: 11: 
Connection discarded by broker
Sep 30 01:22:20 cd-acs5-13-179 sshd(pam_unix)[21038]: session closed for user admin
Sep 30 01:22:22 cd-acs5-13-179 debugd[2597]: hangup signal caught, configuration read
Sep 30 01:22:22 cd-acs5-13-179 debugd[2597]: successfully loaded debug config
Sep 30 02:48:54 cd-acs5-13-179 sshd[22500]: Accepted password for admin from 10.77.137.58 
port 4527 ssh2
Sep 30 02:48:54 cd-acs5-13-179 sshd(pam_unix)[22504]: session opened for user admin by 
(uid=0)
Sep 30 02:48:55 cd-acs5-13-179 debugd[2597]: hangup signal caught, configuration read
Sep 30 02:48:55 cd-acs5-13-179 debugd[2597]: successfully loaded debug config
 
   

You can view the logs grouped by the module that they belong to. For example, the monitoring and troubleshooting logs contain the string MSGCAT and the debug logs contain the string debug.

From the ACS CLI, you can enter the following two commands to view the monitoring and troubleshooting logs and the administrative logs respectively:

show logging system | include MSGCAT

show logging system | include debug

The output of the show logging system | include MSGCAT would be similar to:

Sep 27 13:00:02 cd-acs5-13-103 MSGCAT58010/root: info:[ACS backup] ACS backup completed
Sep 28 13:00:03 cd-acs5-13-103 MSGCAT58010/root: info:[ACS backup] ACS backup completed
Sep 29 06:28:17 cd-acs5-13-103 MSGCAT58007: Killing Tomcat 8363
Sep 29 06:28:28 cd-acs5-13-103 MSGCAT58004/admin: ACS Stopped
Sep 29 06:31:41 cd-acs5-13-103 MSGCAT58037/admin: Installing ACS
Sep 29 09:52:35 cd-acs5-13-103 MSGCAT58007: Killing Tomcat 32729
Sep 29 09:52:46 cd-acs5-13-103 MSGCAT58004/admin: ACS Stopped
Sep 29 09:53:29 cd-acs5-13-103 MSGCAT58004/admin: ACS Starting
Sep 29 10:37:45 cd-acs5-13-103 MSGCAT58018/admin: [ACS-modify-migration-state] completed 
successfully - interface migration enable
Sep 29 13:00:02 cd-acs5-13-103 MSGCAT58010/root: info:[ACS backup] ACS backup completed
Sep 29 13:56:36 cd-acs5-13-103 MSGCAT58018/admin: [ACS-modify-migration-state] completed 
successfully - interface migration disable
Sep 29 13:57:02 cd-acs5-13-103 MSGCAT58018/admin: [ACS-modify-migration-state] completed 
successfully - interface migration disable
Sep 29 13:57:25 cd-acs5-13-103 MSGCAT58018/admin: [ACS-modify-migration-state] completed 
successfully - interface migration enable
Sep 30 10:57:10 cd-acs5-13-103 MSGCAT58010/admin: info:[ACS backup] ACS backup completed
 
   

For more information on the show logging command, refer to http://www.cisco.com/en/US/docs/net
_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_app_a.html#wp1748398
.

Configuring Per-Instance Logging Categories

You can define a custom logging category configuration for specific, overridden ACS instances, or return all instances to the default global logging category configuration.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

To view and configure per-instance logging categories:


Step 1 Select System Administration > Configuration > Log Configuration > Logging Categories > Per-Instance.

The Per-Instance page appears; from here, you can view the individual ACS instances of your deployment.

Step 2 Click the radio button associated with the name of the ACS instance you want to configure, and choose one of these options:

Click Override to override the current logging category configuration for selected ACS instances.

Click Configure to display the Logging Categories page associated with the ACS instance. You can then edit the logging categories for the ACS instance. See Displaying Logging Categories for field descriptions.

Click Restore to Global to restore selected ACS instances to the default global logging category configuration.

Your configuration is saved and the Per-Instance page is refreshed.


Related Topic

Configuring Per-Instance Security and Log Settings

Configuring Per-Instance Security and Log Settings

You can configure the severity level and local log settings in a logging category configuration for a specific overridden or custom ACS instance. Use this page to:

View a tree of configured logging categories for a specific ACS instance.

Open a page to configure a logging category's severity level, log target, and logged attributes for a specific ACS instance.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

Step 1 Select System Administration > Configuration > Log Configuration > Logging Categories > Per-Instance, then click Configure.

The Per-Instance: Configuration page appears as described in Table 18-23:

Table 18-23 Per-Instance: Configuration Page 

Option
Description

Name

Expandable tree structure of AAA service logging categories.

Edit

Click to display a selected Logging Categories > Edit: "<lc_name>" page, where <lc_name> is the name of the logging category.


Step 2 Perform one of the following:

Click the name of the logging category you want to configure.

Select the radio button associated with the name of the logging category you want to configure, and click Edit.

The Per-Instance: General page appears; from here, you can configure the security level and local log settings in a logging category configuration for a specific ACS instance. See Table 18-24:

Table 18-24 Per-Instance: General Page 

Option
Description
Configure Log Category

Log Severity

Use the list box to select the severity level for diagnostic logging categories. (For audit and accounting categories, there is only one severity, NOTICE, which cannot be modified.) Valid options are:

FATAL—Emergency. The ACS is not usable and you must take action immediately.

ERROR—Critical or error condition.

WARN—Normal, but significant condition. (Default)

INFO—Informational message.

DEBUG—Diagnostic bug message.

Configure Local Setting for Category

Log to Local Target

Check to enable logging to the local target.

Note For administrative and operational audit logging category types, logging to local target is enabled by default and cannot be disabled.

Local Target is Critical

Usable for accounting and for passed authentication logging category types only. Check the check box to make this local target the critical target.

Note For administrative and operational audit logging category types, the check box is checked by default and cannot be unchecked; the local target is the critical target.

Configure Logged Attributes

Display only. All attributes are logged to the local target.



Configuring Per-Instance Remote Syslog Targets

Use this page to configure remote syslog targets for logging categories.


Step 1 Select System Administration > Configuration > Log Configuration > Logging Categories > Per-Instance, then click Configure.

The Per-Instance: Configuration page appears as described in Table 18-23.

Step 2 Perform one of the following actions:

Click the name of the logging category you want to configure.

Select the radio button associated with the name of the logging category you want to configure, and click Edit.

Step 3 Click the Remote Syslog Target tab. The Per-Instance: Remote Syslog Targets page appears as described in Table 18-25:

Table 18-25 Per-Instance: Remote Syslog Targets Page 

Option
Description
Configure Syslog Targets

Available targets

A list of available targets. You can select a target from this list and move it to the Selected Targets list.

Selected targets

A list of selected targets. You can select a target from this list and move it to the Available Targets list to remove it from your configuration.



Displaying Logging Categories

You can view a tree of configured logging categories for a specific ACS instance. In addition, you can configure a logging category's severity level, log target, and logged attributes for a specific ACS instance.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

Step 1 Select System Administration > Configuration > Log Configuration > Logging Categories > Per-Instance, then click Configure.

Step 2 Complete the fields as described in Table 18-26:

Table 18-26 Per-Instance: Configuration Page 

Option
Description

Name

Expandable tree structure of AAA services logging categories.

Edit

Click to display a selected Logging Categories > Edit: "<lc_name>" page, where <lc_name> is the name of the logging category.



Configuring the Log Collector

Use the Log Collector page to select a log data collector and suspend or resume log data transmission.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

Step 1 Select System Administration > Configuration > Log Configuration > Log Collector.

The Log Collector page appears.

Step 2 Complete the Log Collector fields as described in Table 18-27:

Table 18-27 Log Collector Page 

Option
Description
Log Data Collector

Current Log Collector

Display only. Identifies the machine on which the local log messages are sent.

Select Log Collector

Use the drop-down list box to select the machine on which you want local log messages sent.

Set Log Collector

Click to configure the log collector according to the selection you make in the Select Log Collector option.


Step 3 (Optional) Do one of the following:

Click Suspend to suspend the log data transmission to the configured log collector.

Click Resume to resume the log data transmission to the configured log collector.

Your configuration is saved and the Log Collector page is refreshed.


Viewing the Log Message Catalog

Use the Log Message Catalog page to view all possible log messages.

Select System Administration > Configuration > Log Configuration > Log Message Catalog.

The Log Message Catalog page appears, with the fields described in Table 18-28, from which you can view all possible log messages that can appear in your log files.

Table 18-28 Log Messages Page 

Option
Description

Message Code

Display only. A unique message code identification number associated with a message.

Severity

Display only. The severity level associated with a message.

Category

Display only. The logging category to which a message belongs.

Message Class

Display only. The group to which a message belongs.

Message Text

Display only. English language message text (name of the message).

Description

Display only. English language text that describes the associated message.


Licensing Overview

To operate ACS, you must install a valid license. ACS prompts you to install a valid base license when you first access the web interface. Each ACS instance (primary or secondary) in a distributed deployment requires a unique base license.


Note Each server requires a unique base license in a distributed deployment.

Types of Licenses

Table 18-29 shows the ACS 5.1 license support:

Table 18-29 ACS License Support 

License
Description

Base License

The base license is required for all software instances deployed, as well as for all appliances. The base license enables you to use all the ACS functionality except license controlled features, and it enables all reporting features. Base license is:

Required for each ACS instance, primary and secondary.

Required for all appliances.

Supports deployments with up to 500 managed devices.

Base licenses are of two types:

Permanent—Supports up to 500 devices.

Eval—Supports up to 50 devices and expires in 90 days.

Note The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses and hence the number of devices is 256.

If your evaluation license expires or is about to expire, you cannot use another evaluation license or extend your current license. Before your evaluation license expires, you must upgrade to a Permanent license.

Add-on Licenses

Supports an unlimited number of managed devices. Requires an existing ACS permanent base license. There are also evaluation-type licenses for add-on licenses.

The TrustSec feature licenses are of two types: Permanent, and Eval. However, the permanent TrustSec feature license can be used only with a permanent base license.

Also, the large deployment license can only be used only with a permanent base license.

Evaluation License (standard)

Enables standard centralized reporting features.

Cannot be reused on the same platform.

You can only install one evaluation license per platform. You cannot install additional evaluation licenses.

Supports 50 managed devices.

Expires 90 days from the time the license is installed.


.

Related Topics

Licensing Overview

Installing a License File

Viewing the Base License

Adding Deployment License Files

Deleting Deployment License Files

Installing a License File


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

You can obtain a valid license file using the Product Activation Key (PAK) supplied with the product. To install a license file:


Step 1 Log in to the ACS web interface.

The Initial Licenses page appears when you log in to the ACS machine for the first time.

Step 2 Click Cisco Secure ACS License Registration. This link directs you to Cisco.com to purchase a valid license file from a Cisco representative.

Step 3 Click Install to install the license file that you purchased.

The ACS web interface log in page reappears. You can now work with the ACS application.



Note You cannot upgrade a base permanent license. You can only upgrade a base evaluation license.

Related Topics

Licensing Overview

Viewing the Base License

Adding Deployment License Files

Deleting Deployment License Files

Viewing the Base License


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

To upgrade the base license:


Step 1 Select System Administration > Configuration > Licensing > Base Server License.

The Base Server License page appears with a description of the ACS deployment configuration and a list of the available deployment licenses. See Types of Licenses for a list of deployment licenses.

Table 18-30 describes the fields in the Base Server License page.

Table 18-30 Base Server License Page   

Option
Description
ACS Deployment Configuration

Primary ACS Instance

The name of the primary instance created when you logged into the ACS 5.1 web interface.

Number of Instances

The current number of ACS instances (primary or secondary) in the ACS database.

Current Number of Configured IP Addresses in Network Devices

The total number of IP addresses in all the subnetworks that you have configured as part of network device configuration.

Note The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses and hence the number of devices is 256.

Maximum Number of IP Addresses in Network Devices

The maximum number of IP addresses that your license supports:

Base LicenseSupports 500 IP addresses.

Note The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses and hence the number of devices is 256.

Evaluation LicenseSupports 50 IP addresses.

Large DeploymentSupports an unlimited number of IP addresses.

Use this link to obtain a valid License File

Directs you to Cisco.com to generate a valid license file using the Product Activation Key (PAK)

Base License Configuration

ACS Instance

The name of the ACS instance, either primary or secondary.

Identifier

The name of the base license.

License Type

Specifies the base license type (permanent, evaluation).

Expiration

Specifies the expiration date for evaluation licenses. For permanent licenses, the expiration field indicates permanent.

Licensed to

The name of the company that this product is licensed to.

PAK

The name of the Product Activation Key (PAK) received from Cisco.

Version

The current version of the ACS software.


Step 2 You can select one or more radio buttons next to the instance whose license you want to upgrade. Click Upgrade. See Upgrading the Base Server License for valid field options.


Related Topic

Upgrading the Base Server License

Upgrading the Base Server License


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

You can upgrade the base server license.


Step 1 Select System Administration > Configuration > Licensing > Base Server License.

The Base Server License page appears with a description of the ACS deployment configuration and a list of the available deployment licenses. See Types of Licenses for a list of deployment licenses.

Step 2 Select a license, then click Upgrade.

The Base Server License Edit page appears.

Step 3 Complete the fields as described in Table 18-31:

Table 18-31 Base Server License Edit Page   

Option
Description
ACS Instance License Configuration

Version

Displays the current version of the ACS software.

ACS Instance

Displays the name of the ACS instance, either primary or secondary.

License Type

Specifies the license type.

Use this link to obtain a valid License File

Directs you to Cisco.com to purchase a valid license file from a Cisco representative.

License Location

License File

Click Browse to navigate to the directory that contains the license file and select it.


Step 4 Click Submit.


Related Topics

Licensing Overview

Types of Licenses

Installing a License File

Adding Deployment License Files

Deleting Deployment License Files

Viewing License Feature Options

You can add, upgrade, or delete existing deployment licenses. The configuration pane at the top of the page shows the deployment information.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

Select System Administration > Configuration > Licensing > Feature Options.

The Feature Options Page appears as described in Table 18-32:

Table 18-32 Feature Options Page   

Option
Description
ACS Deployment Configuration

Primary ACS Instance

The name of the primary instance created when you login into the ACS 5.1 web interface.

Number of Instances

The current number of ACS instances (primary or secondary) in the ACS database.

Current Number of Configured IP Addresses in Network Devices

The total number of IP addresses in all the subnetworks that you have configured as part of network device configuration.

Note The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses and hence the number of devices is 256.

Maximum Number of IP Addresses in Network Devices

The maximum number of IP addresses that your license supports:

Base LicenseSupports 500 IP addresses.

Note The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses and hence the number of devices is 256.

Evaluation LicenseSupports 50 IP addresses.

Large DeploymentSupports an unlimited number of IP addresses.

Use this link to obtain a valid License File

Directs you to Cisco.com to purchase a valid license file from a Cisco representative.

Installed Deployment License Options

Feature

Large DeploymentSupports an unlimited number of managed devices.

TrustSec Access Control—Enables Cisco Trusted Server (CTS) management functionality. This requires an existing ACS base license.

Licensed to

The name of the company that this product is licensed to.

License Type

Specifies the license type (permanent, evaluation).

Expiration

The expiration date for the following features:

Large Deployment

CTS

Add/Upgrade

Click Add/Upgrade to access the Viewing License Feature Options and add a license file.

Delete

Select the radio button next to the license feature you wish to delete and click Delete.


Adding Deployment License Files


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

To add a new base deployment license file:


Step 1 Select System Administration > Configuration > Licensing > Feature Options.

The Feature Options page appears with a description of the ACS deployment configuration and a list of the available deployment licenses and their configurations. See Add-on Licenses in Types of Licenses for a list of deployment licenses. See Viewing License Feature Options for field descriptions.

Step 2 Click Add.

The Feature Options Create page appears.

Step 3 Complete the fields as described in Table 18-33 to add a license:

Table 18-33 Feature Options Create Page   

Option
Description
ACS Deployment Configuration

Primary ACS Instance

The name of the primary instance created when you login into the ACS 5.1 web interface.

Number of Instances

The current number of ACS instances (primary or secondary) in the ACS database.

Current Number of Configured IP Addresses in Network Devices

The total number of IP addresses in all the subnetworks that you have configured as part of network device configuration.

Note The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses and hence the number of devices is 256.

Maximum Number of IP Addresses in Network Devices

The maximum number of IP addresses that your license supports:

Base LicenseSupports 500 IP addresses.

Note The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses and hence the number of devices is 256.

Evaluation LicenseSupports 50 IP addresses.

Large DeploymentSupports an unlimited number of IP addresses.

Use this link to obtain a valid License File

Directs you to Cisco.com to purchase a valid license file from a Cisco representative.

License Location

License File

Click Browse to browse to the location of the purchased license file you wish to install and select it.


Step 4 Click Submit to download the license file.

The Feature Options page appears with the additional license.


Related Topics

Licensing Overview

Types of Licenses

Installing a License File

Viewing the Base License

Deleting Deployment License Files

Deleting Deployment License Files


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts to configure the appropriate administrator privileges.

To delete deployment license files:


Step 1 Select System Administration > Configuration > Licensing > Feature Options.

The Feature Options page appears with a description of the ACS deployment configuration and a list of the available deployment licenses and their configurations. See Add-on Licenses in Types of Licenses for a list of deployment licenses. See the Table 18-32 for field descriptions.

Step 2 Select the radio button next to the deployment you wish to delete.

Step 3 Click Delete to delete the license file.


Related Topics

Licensing Overview

Types of Licenses

Installing a License File

Viewing the Base License

Adding Deployment License Files

Available Downloads

This section contains information about the utilities and files that are available for download from the ACS web interface:

Downloading Migration Utility Files

Downloading UCP WSDL Files

Downloading Sample Python Scripts

Downloading Migration Utility Files

To download migration application files and the migration guide for ACS 5.1:


Step 1 Choose System Administration > Downloads > Migration Utility.

The Migration from 4.x page appears.

Step 2 Click Migration application files, to download the application file you want to use to run the migration utility.

Step 3 Click Migration Guide, to download Migration Guide for the Cisco Secure Access Control System 5.1.


Downloading UCP WSDL Files

You can download the WSDL file from this page to integrate ACS with your in-house portals and allow ACS users configured in the ACS internal identity store to change their own passwords. The UCP web service allows only the users to change their passwords. They can do so on the primary or secondary ACS servers.

The UCP web service compares the new password that you provide with the password policy that is configured in ACS for users. If the new password conforms to the defined criteria, your new password takes effect. After your password is changed on the primary ACS server, ACS replicates it to all the secondary ACS servers.

To download the UCP WSDL Files:


Step 1 Choose System Administration > Downloads > User Change Password.

The User Change Password (UCP) web service page appears.

Step 2 Click one of the following:

UCP WSDL to download the WSDL file.

Python Script for Using the User Change Password Web Service to download a sample Python script.

For more information on how to use the UCP web service, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control
_system/5.1/sdk/ucp.html
.


Downloading Sample Python Scripts

The Scripts page contains sample Python scripts for:

Using the UCP web service.

Automating the bulk import and export operations.

To download these sample scripts:


Step 1 Choose System Administration > Downloads > Sample Python Scripts.

The Sample Python Scripts page appears.

Step 2 Click one of the following:

Python Script for Using the User Change Password Web Service—To download the sample script for the UCP web service.

Python Script for Performing CRUD Operations on ACS Objects—To download the sample script for the import and export process.

Step 3 Save the script to your local hard drive.

The scripts come with installation instructions. For more information on how to use the scripts, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/
sdk/sdkguide.html
.



Note The Cisco Technical Assistance Center (TAC) supports only the default Python Script. TAC does not offer any support for modified scripts.