Cisco Prime Network Analysis Module Software 5.1 User Guide
Administration
User and System Administration

Table Of Contents

User and System Administration

System Administration

Resources

Network Parameters

SNMP Agent

Working with NAM Community Strings

System Time

Synchronizing the NAM System Time with the Switch or Router

Synchronizing the NAM System Time Locally

Configuring the NAM System Time with an NTP Server

E-Mail Setting

Web Data Publication

Capture Data Storage

Creating NFS Storage Locations

Editing NFS Storage Locations

Creating iSCSI Storage Locations

Editing iSCSI Storage Locations

Syslog Setting

SNMP Trap Setting

Creating a NAM Trap Destination

Editing a NAM Trap Destination

Deleting a NAM Trap Destination

Preferences

Diagnostics

System Alerts

Audit Trail

Tech Support

User Administration

Local Database

Recovering Passwords

Changing Predefined NAM User Accounts on the Switch or Router

Creating a New User

Editing a User

Deleting a User

Establishing TACACS+ Authentication and Authorization

Configuring a TACACS+ Server to Support NAM Authentication and Authorization

Configuring a Cisco ACS TACACS+ Server

Current User Sessions


User and System Administration


This chapter provides information about performing user and system administration tasks in Cisco Prime Network Analysis Module 5.1 and about generating diagnostic information for obtaining technical assistance.

This chapter contains the following sections:

System Administration describes menu options that enable you to perform system administrative tasks and manage the NAM.

Diagnostics describes menu options that help you diagnose and troubleshoot problems.

User Administration describes how to configure the local user database or a TACACS+ server for user authentication and authorization. This section also describes the Current User Sessions window.

System Administration

The System option of the Administration menu provides access to the following functions:

Resources

Network Parameters

SNMP Agent

System Time

E-Mail Setting

Web Data Publication

Capture Data Storage

Syslog Setting

SNMP Trap Setting

Preferences

Resources

Choose Administration > System > Resources to view the System Overview window. Table 5-1 describes the fields of the System Overview window for a NAM with multiple CPUs such as the Cisco NAM 2220 appliance.

Table 5-1 System Overview 

Field
Description
Date

Current date and time synchronized with the switch, router, or NTP server.

Hostname

NAM hostname.

IP Address

NAM IP address.

System Uptime

Length of time the host has been running uninterrupted.

CPU Utilization

Percentage of CPU resources being consumed by the NAM. Average, at top, indicates the average CPU usage of all CPUs. Each individual CPU in a multi-CPU platform is listed separately.

Memory Utilization

Percentage of memory resources being consumed by the NAM.

Memory Total

Total amount of system memory.

Disk Usage

Shows root, config, and data partitions with their total and free space.

Data Files

Shows the amount of disk space used by the performance database files ("DB") and by the packet capture-to-disk files ("capture").

NIC Statistics

Shows the health and usage information on the data ports, where the NAM receives most of the traffic to be analyzed. It shows the number of packets received (rx pkts), number of bytes received (rx bytes) and number of packets lost or dropped (rx lost). The first number shows cumulative counts since the start of the NAM, and the second one shows the same counters for the last ten seconds.



Network Parameters

To view and set network parameters:


Step 1 Choose Administration > System > Network Parameters.

The Network Parameters window displays.

Step 2 Enter or change the information detailed in Table 5-2.


Note NAM 5.1 does not support using IPv6 for the network parameter IP address.


Table 5-2 Network Parameters Dialog Box 

Field
Description
IP Address

NAM IP address.

IP Broadcast

NAM broadcast address.

Subnet Mask

NAM subnet mask.

IP Gateway

NAM IP gateway address.

Host Name

NAM hostname.

Domain name

NAM domain name.

Nameservers

NAM nameserver address or addresses.


Step 3 Do one of the following:

To save the changes, click Submit.

To cancel the changes, click Reset.


SNMP Agent

An SNMP Agent is a network management software module that resides in a managed device. It has local knowledge of management information and translates that information into a form compatible with SNMP.

With NAM 5.1, you have the ability to manage devices with SNMPv3. The NAM polls the managed device to get its basic health and interface stats. For NAM blades (WS-SVC-NAM-1, WS-SVC-NAM-2 platforms), the managed device is the switch in which the NAM is inserted, and the NAM software negotiates with the switch to use SNMPv2c and a community string to do the polling. This community string is only valid for use with the NAM. For security purposes, the switch associates the community string with the NAM's IP address only, and no other SNMP application can use this community string to communicate with the switch. For more information about community strings, see Working with NAM Community Strings.

To further limit exposure, the SNMP exchanges between WS-SVC-NAM-1 or WS-SVC-NAM-2 and the switch take place on an internal backplane bus. These SNMP packets are not visible on any network or on any interface outside the switch; the channel is out-of-band and never leaves the chassis.

For other platforms, such as Cisco 2200 Series appliances, you enter the IP address of the device to be managed. Because that polling crosses a real network, configure the managed device to accept SNMPv3 from the NAM: SNMPv3 provides user-based authentication and optional encryption, whereas an SNMPv2c community string travels in clear text and is all that is needed to replay the same requests.


Note For a WAAS appliance, SNMPv3 is not required. It is contained within the same chassis, and the NAM uses an internal communications channel, so security is not an issue and the SNMPv3 option is not needed.


To view and set the NAM SNMP Agent:


Step 1 Choose Administration > System > SNMP Agent.

Step 2 Enter or change the information in the NAM SNMP window. The fields are detailed in Table 5-3.

Table 5-3 System SNMP Dialog Box 

Field
Description
Contact

The name of the person responsible for the NAM.

Name

The name of the NAM.

Location

The physical location of the switch or router in which the NAM is installed.


Step 3 Do one of the following:

To save the changes, click Submit.

To cancel the changes, click Reset.


Working with NAM Community Strings

You use community strings so that other applications can send SNMP get and set requests to the NAM, set up collections, poll data, and so on.

Creating NAM Community Strings

To create the NAM community strings:


Step 1 Choose Administration > System > SNMP Agent.

At the bottom of the window, the NAM Community Strings Dialog Box displays.

Step 2 Click Create.

The SNMP Agent Dialog Box displays.

Step 3 Enter the community string. Although the dialog treats it like a name, it is a shared secret that grants SNMP access to the NAM: choose a value that is not easily guessed and treat it as you would a password.

Step 4 Enter the community string again in the Verify Community field.

Step 5 Assign read-only or read-write permissions using the following criteria:

Read-only allows only read access to SNMP MIB variables (get).

Read-write allows full read and write access to SNMP MIB variables (get and set).

Step 6 Do one of the following:

To make the changes, click Submit.

To cancel, click Reset.


Deleting NAM Community Strings

To delete the NAM community strings:


Step 1 Choose Administration > System > SNMP Agent.

At the bottom of the window, the NAM Community Strings Dialog Box displays.

Step 2 Select an entry, then click Delete.


Caution Deleting a NAM community string blocks SNMP requests to the NAM from any external SNMP manager that used that string.

The community string is deleted.


Testing the Router Community Strings

Before the router can send information to the NAM using SNMP, the router community strings set in the NAM must match the community strings set on the actual router. The Router Parameters dialog box displays the router name, hardware, Supervisor engine software version, system uptime, location, and contact information.

The local router IP address and the SNMP community string must be configured so that the NAM can communicate with the local router.

To set the community strings on the router, use the router CLI. For information on using the CLI, see the documentation that accompanied your device.


Caution The router community string you enter must match the read-write community strings on the router. Otherwise you cannot communicate with the router.

To test router community strings:


Step 1 Choose Setup > Managed Device > Device Information.

The Device Information dialog box displays.

Step 2 Enter the Device's Community String.

Step 3 Click Test Connectivity.

Step 4 Wait for the NAM to contact the device. If the test reports OK, click Submit.


System Time

The NAM gets UTC (GMT) time from one of two sources, depending on the NAM type. All NAMs can be configured to get their time from an external NTP server. The second option depends on the NAM type:

WS-SVC-NAM-1 and WS-SVC-NAM-2 can get their time from the switch.

NME-NAMs can get their time from the router.

Cisco 2200 Series appliances can get their time from a local CLI clock set command.


Caution Both the client computer and the NAM server must have the time set accurately for their respective time zones. If either the client or the server time is wrong, then the data shown in the GUI will be wrong.

After the NAM acquires the time, you can set the local time zone using the NAM System Time configuration window. You can configure the NAM system time by using one of the following methods:

Synchronizing the NAM System Time with the Switch or Router

This option is valid only for WS-SVC-NAM-1, WS-SVC-NAM-2, and NME-NAMs.

Synchronizing the NAM System Time Locally

This option is valid only for Cisco NAM 2200 Series appliances.

Configuring the NAM System Time with an NTP Server

Synchronizing the NAM System Time with the Switch or Router


Note This section is valid only for WS-SVC-NAM-1, WS-SVC-NAM-2, and NME-NAMs.


To configure the NAM system time from the switch or router:


Step 1 Choose Administration > System > System Time.

Step 2 Choose the Switch or Router radio button.

Step 3 Select the Region and local time zone from the lists.

Step 4 Do one of the following:

To save the changes click Submit.

To leave the configuration unchanged, click Reset.


Synchronizing the NAM System Time Locally


Note This section is valid only for Cisco NAM 2200 Series appliances.


To configure the NAM system time locally using the NAM appliance command line:


Step 1 Log into the NAM appliance command line interface.

Step 2 Set the clock using the CLI clock set command.

clock set <hh:mm:ss> <mm/dd/yyyy>

Step 3 On the NAM appliance GUI, choose Administration > System > System Time.

Step 4 Click the Local radio button.

Step 5 Select the Region and local time zone from the lists.

Step 6 Do one of the following:

To save the changes click Submit.

To leave the configuration unchanged, choose Reset.


Configuring the NAM System Time with an NTP Server

To configure the NAM system time with an NTP server:


Step 1 On the NAM appliance GUI, choose Administration > System > System Time.

Step 2 Choose the NTP Server radio button.

Step 3 Enter one or two NTP server names or IP addresses in the NTP server name/IP Address text boxes.

Step 4 Select the Region and local time zone from the lists.

Step 5 Do one of the following:

To save the changes, click Submit.

To leave the configuration unchanged, click Reset.


E-Mail Setting

You can configure the NAM to provide e-mail notification of alarms and to e-mail reports. To configure the NAM for e-mail notifications:


Step 1 Choose Administration > System > E-Mail Setting.

Step 2 The Mail Configuration Window displays. Table 5-4 describes the Mail Configuration Options.

Table 5-4 Mail Configuration Options 

Field
Description
Enable Mail

Enables e-mail of reports and notification of alarms

External Mail Server

Host name or IP address of the external SMTP server

Send Test Mail

List e-mail addresses for up to three e-mail recipients

Mail Alarm to

This recipient will receive alarm notifications and scheduled exports.


Step 3 Check the Enable Mail check box.

Step 4 Enter the host name or IP address of the External Mail Server.

Step 5 Put an e-mail address in the Send Test Mail to field (optional). A test e-mail will be sent to this recipient.

Step 6 Put an e-mail address in the Mail Alarm to field. Alarm notifications and Exports will be sent to this recipient.

Step 7 Click Submit to save your modifications, or click Reset to clear the dialog of any characters you entered or restore the previous settings.


Web Data Publication

Web Data Publication allows general web users and websites to access (or link to) selected NAM monitor and report windows without a login session.

Web Data Publication can be left open or restricted with an Access Control List (ACL), a publication code, or both. If a publication code is configured, it must be present in the URL or in a cookie for the published data to be returned. Because published windows bypass authentication entirely, treat anything you publish as visible to everyone who can reach the NAM web server and pass these two checks. A publication code carried in a URL is also recorded wherever URLs are recorded (browser history, proxy and web server logs), so it should not be the only control in front of sensitive data. Figure 5-1 shows the Web Data Publication Window.

Figure 5-1 Web Data Publication Window

To enable Web Data Publishing:


Step 1 Choose Administration > System > Web Data Publication.

Step 2 Check the Enable Web Data Publication check box.

Step 3 Enter a Publication Code (Optional). This is the pass code that must be present either in the URL query string or in a cookie to access a published page. For example, with the publication code set to abc123, the following URL reaches a published window:

http://<nam-hostname>/application-analysis/index?publicationcode=abc123

Step 4 Enter ACL Permit IP Addresses/Subnets to allow access to web publications only from those addresses or subnets. Leaving the field empty allows access from any address.

Step 5 Click Submit to enable web publishing, or click Reset to clear the dialog of any characters you entered.
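The two checks described above (ACL permit list, then publication code from the URL query string or a cookie) modeled as a small access decision. This is an added example, not code from the NAM; the cookie name, the configuration dictionary layout, and the sample addresses are assumptions made for the example. The only field name taken from the page is the publicationcode query parameter.

```python
"""Access decision for a published NAM window (added example, not NAM code).

Reproduces the two documented controls: an optional ACL of permitted hosts
or subnets, and an optional publication code that must arrive either as the
``publicationcode`` query parameter or in a cookie. The cookie name and the
``config`` dictionary layout are assumptions made for this example.
"""
import hmac
import ipaddress
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed configuration, mirroring the fields of the Web Data
# Publication window: enabled, publication code, ACL permit list.
EXAMPLE_CONFIG = {
    "enabled": True,
    "code": "abc123",
    "acl": ["10.0.0.0/24", "192.0.2.7"],
}


def parse_acl(entries):
    """Turn 'IP address or subnet' strings into network objects.

    A bare address becomes a /32 (or /128); an empty list means open access.
    """
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in entries if e.strip()]


def client_permitted(acl, client_ip):
    """True if no ACL is configured or the client falls inside an entry."""
    if not acl:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in acl)


def presented_code(url, cookie_header=""):
    """Publication code taken from the query string, else from a cookie."""
    query = parse_qs(urlsplit(url).query)
    if "publicationcode" in query:
        return query["publicationcode"][0]
    if cookie_header:
        jar = SimpleCookie()
        jar.load(cookie_header)
        if "publicationcode" in jar:      # assumed cookie name
            return jar["publicationcode"].value
    return None


def publication_allowed(config, client_ip, url, cookie_header=""):
    """Decide whether an unauthenticated request may see a published window."""
    if not config.get("enabled"):
        return False
    if not client_permitted(parse_acl(config.get("acl", [])), client_ip):
        return False
    required = config.get("code") or ""
    if not required:
        return True                        # no code configured: ACL alone decides
    offered = presented_code(url, cookie_header)
    if offered is None:
        return False
    # The code is a shared secret; compare in constant time.
    return hmac.compare_digest(offered.encode(), required.encode())


if __name__ == "__main__":
    url = "http://nam.example.net/application-analysis/index?publicationcode=abc123"
    print(publication_allowed(EXAMPLE_CONFIG, "10.0.0.5", url))        # True
    print(publication_allowed(EXAMPLE_CONFIG, "198.51.100.9", url))    # False: outside ACL
```

The ACL is evaluated before the code so that a leaked publication code is useless from outside the permitted networks, and the code comparison uses a constant-time function because the code is, in effect, a password for the published pages.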


Capture Data Storage

Use the Capture Data Storage option to set up remote file systems to store capture data. You must set up the capture data storage locations prior to setting up data captures. Choose Administration > System > Capture Data Storage to open the Capture Data Storage window.

This section provides the following:

Creating NFS Storage Locations

Editing NFS Storage Locations

Creating iSCSI Storage Locations

Editing iSCSI Storage Locations

Creating NFS Storage Locations

The NFS server must be configured properly to allow NAM to write data to it. The NAM accesses the NFS directories with UID=80 (www) and UID=0 (root). The NFS directories must be fully accessible by these UIDs.

One way to do this is to use the NFS export option all_squash to map these UIDs to anonuid=<userID>, where <userID> is a local user ID with full access rights to the NFS directories.

Configuring the NFS Server

The following example shows how to set up an NFS directory (/home/SomeUserName) in a Linux server for a NAM (at IP address 1.1.1.2) to store capture data. To set up an NFS server directory to store capture data:


Step 1 Locate a UID that has read and write access to the target NFS directory.

For example, if the target NFS directory is /home/SomeUserName, open the /etc/passwd file and search for a user entry that contains something like the following:

SomeUserName:x:503:503::/home/SomeUserName:/bin/tcsh

In this example, the UID is 503.

Step 2 Edit the /etc/exports file and add a line like the following:

/home/SomeUserName   1.1.1.2/255.255.255.255(rw,all_squash,anonuid=503)

Step 3 Activate the change:

/usr/bin/exportfs -a
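The export line above grants a single host read-write access and squashes both of the NAM's UIDs (0 and 80) onto one unprivileged local account. The following checker, an added example that is not part of the NAM or of any NFS distribution, parses exports(5) entries and reports where an entry departs from that pattern, so that a wildcard client, a whole subnet, a missing all_squash, or a no_root_squash option is caught before the export is activated. The two weaker entries alongside the guide's own line are constructed for the example.

```python
"""Lint an /etc/exports entry intended for NAM capture storage.

Added example, not part of the NAM or NFS software. It parses exports(5)
syntax and reports deviations from the pattern the guide recommends: the
export should name a single host (the NAM), be read-write, and squash the
NAM's uid 0 and uid 80 onto one unprivileged local account via
all_squash and anonuid.
"""
import ipaddress
import re

# Matches "client(opt,opt)" or a bare "client" token.
_CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")


def parse_exports_line(line):
    """Return (path, [(client, [options...]), ...]) or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    parts = line.split(None, 1)
    path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    clients = []
    for m in _CLIENT_RE.finditer(rest):
        if m.group(1) is not None:
            opts = [o.strip() for o in m.group(2).split(",") if o.strip()]
            clients.append((m.group(1), opts))
        else:
            clients.append((m.group(3), []))
    return path, clients


def is_single_host(client):
    """True if the client spec can only ever match one machine."""
    if client in ("", "*") or client.startswith("@"):   # wildcard or netgroup
        return False
    if any(ch in client for ch in "*?"):
        return False
    try:
        # Accepts "1.1.1.2", "1.1.1.2/32" and "1.1.1.2/255.255.255.255".
        return ipaddress.ip_network(client, strict=False).num_addresses == 1
    except ValueError:
        return "/" not in client          # a plain hostname resolves to one machine


def audit_nam_export(line):
    """Return a list of findings; an empty list means the entry matches the guide."""
    parsed = parse_exports_line(line)
    if parsed is None:
        return ["not an export entry"]
    path, clients = parsed
    findings = []
    if not clients:
        findings.append(f"{path}: no client list means every host may mount it")
    for client, opts in clients:
        if not is_single_host(client):
            findings.append(f"{path}: client {client!r} is broader than a single host")
        if "rw" not in opts:
            findings.append(f"{path}: {client} lacks rw, the NAM cannot store captures")
        if "all_squash" not in opts:
            findings.append(f"{path}: {client} lacks all_squash, NAM writes arrive as uid 0/80")
        anon = [o for o in opts if o.startswith("anonuid=")]
        if not anon:
            findings.append(f"{path}: {client} lacks anonuid, squashed writes fall to the anonymous uid (65534)")
        elif anon[0] == "anonuid=0":
            findings.append(f"{path}: {client} maps the NAM to uid 0 on the server")
        if "no_root_squash" in opts:
            findings.append(f"{path}: {client} has no_root_squash")
    return findings


# Constructed entries: the guide's example and two weaker variants.
GOOD_ENTRY = "/home/SomeUserName   1.1.1.2/255.255.255.255(rw,all_squash,anonuid=503)"
OPEN_ENTRY = "/home/SomeUserName   *(rw,no_root_squash)"
SUBNET_ENTRY = "/home/SomeUserName   1.1.1.0/24(rw,all_squash,anonuid=503)"

if __name__ == "__main__":
    for entry in (GOOD_ENTRY, OPEN_ENTRY, SUBNET_ENTRY):
        print(entry, "->", audit_nam_export(entry) or ["ok"])
```

Run it against the whole file (one call per line) before exportfs -a; an empty findings list for the NAM's line is what you want, and anything reported for other lines is worth a second look even though those exports are not the NAM's concern.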



Note If the NFS directory contains subdirectories that are not writable by the NAM, these subdirectories will not be listed in NAM capture windows.


Configuring the NFS Storage Location on the NAM

To create an NFS storage location by specifying a remote file system partition:


Step 1 Choose Administration > System > Capture Data Storage.

The Capture Data Storage window displays and lists any capture data storage locations already configured.

Step 2 Click Create NFS.

Step 3 Enter the requested parameters in the New NFS Storage window.

Table 5-5 describes the NFS Storage location parameters.

Table 5-5 NFS Storage Location Parameters 

Field
Description
Name

Name of the remote file system entry

Server

DNS name of the remote file system entry

Directory

Pathname of the remote file system partition

Basic NFS Options

Each field shows a default value. If you need to use values other than those available in the menus, use Advanced NFS Options.

Protocol

Choose TCP or UDP

Timeout

You can set the timeout to a value from 0.1 seconds to 1.0 seconds

NFS Version

Choose from NFS versions 1-4

Retries

Choose from 1-5 retries

Advanced NFS Options

This field contains the default values for creating an NFS storage location. You can edit the text to use NFS options that are outside the ranges in the pull-down menus of the Basic NFS Options.


Step 4 Click Submit to create the NFS storage location. Otherwise click Reset to remove your entries or Cancel to cancel the change.


Editing NFS Storage Locations

To edit an existing NFS storage location:


Note If you have set up capture sessions that use the NFS file system entry you want to edit (or modify), you must delete those capture sessions before editing the NFS file system entry. You can find active capture sessions by choosing Capture > Sessions, then choosing each capture that is running and choosing Status. If the capture is using the file system to be edited, click Clear.



Step 1 Choose Administration > System > Capture Data Storage.

The Capture Data Storage window displays and lists any capture data storage locations already configured.

Step 2 Click to select the NFS storage location you want to modify and click Edit.

The Edit Remote Storage Entry window displays the parameters of the selected NFS storage location.

Step 3 Modify the parameters as desired.

Table 5-5 describes the NFS Storage location parameters.

Step 4 Click Submit to change the parameters of the NFS storage location. Otherwise click Reset to remove all of the entries, or click Cancel to cancel the change.


Creating iSCSI Storage Locations

To create an iSCSI storage location for storing NAM capture data:


Step 1 Choose Administration > System > Capture Data Storage.

The Capture Data Storage window displays and lists any capture data storage locations already configured.

Step 2 Click Create iSCSI.

Step 3 Enter the requested parameters in the New iSCSI Storage window.

Table 5-6 describes the iSCSI Storage location parameters.

Table 5-6 iSCSI Storage Location Parameters 

Field
Description
Name

Name of the remote storage entry

Server

DNS hostname or IP address of the iSCSI server.

Target Name

iSCSI target name configured on the remote iSCSI server


Step 4 Click Submit to create the iSCSI storage location. Otherwise click Reset to remove your entries or Cancel to cancel the change.


Note Before the new iSCSI storage entry takes effect, you must reboot the NAM system.



Editing iSCSI Storage Locations

To edit an existing iSCSI storage location:


Note If you have set up capture sessions that use the iSCSI file system entry you want to edit (or modify), you must delete those capture sessions before editing the iSCSI file system entry. You can find active capture sessions by clicking Capture > File, and then checking the State of each file to see if the capture is using the filesystem to be edited. If yes, click Clear.



Step 1 Choose Administration > System > Capture Data Storage.

The Capture Data Storage window displays and lists any capture data storage locations already configured.

Step 2 Click to select the iSCSI storage location you want to modify and click Edit.

The selected iSCSI storage location parameters window displays.

Step 3 Modify the parameters as desired.

Table 5-6 describes the iSCSI storage location parameters.

Step 4 Click Submit to change the iSCSI storage location parameters. Otherwise click Reset to remove your entries or Cancel to cancel the change.


Note Before the changes to the iSCSI storage entry take effect, you must reboot the NAM system.



Syslog Setting

NAM syslogs are created for alarm threshold events, voice threshold events, or system alerts. You can specify whether syslog messages should be logged locally on the NAM, on a remote host, or both. You can use the NAM to view the local NAM syslogs.

When logging to a remote host, note that the NAM sends its messages with the syslog facility local2. Most Unix-based syslog collectors use the facility field to decide which file a message is written to, so check the collector configuration to ensure that local2 is handled as you intend (for example, written to a dedicated NAM log rather than discarded).

To set up the NAM syslog:


Step 1 Choose Administration > System > Syslog Setting.

The NAM Syslog Setting window displays.

Step 2 In the Remote Server Names field, enter the IP address or DNS name of up to five remote systems where syslog messages are logged. Each address you enter receives syslog messages from all three alarms (Alarm Thresholds, Voice Signaling Thresholds, and System).

Step 3 Click Submit to save your changes, or click Reset to cancel.
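To see what "the collector uses the facility field" means in practice, the following added example (not NAM or collector code) decodes the syslog PRI field, where PRI = facility * 8 + severity and local2 is facility 18, and applies a few syslog.conf-style rules so you can confirm which file a NAM message would land in. The classic selector for this on a Unix collector is local2.* followed by the target file. The sample datagrams, rule set and file paths are constructed for the example.

```python
"""Classify syslog messages by facility and route NAM messages (added example).

Not NAM or collector code: it parses the RFC 3164 <PRI> field, where
PRI = facility * 8 + severity, and applies a minimal set of rules the way a
collector would, so you can confirm that local2 (the facility the guide says
the NAM uses) lands in the file you expect. File paths and the sample
messages are constructed for this example.
"""
import re

FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err",
                  "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(message):
    """Split a raw syslog datagram into (facility, severity, body)."""
    m = _PRI_RE.match(message)
    if not m:
        raise ValueError("missing <PRI> field")
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    facility = FACILITY_NAMES.get(pri // 8, f"facility{pri // 8}")
    return facility, SEVERITY_NAMES[pri % 8], m.group(2)


# Constructed rules in the spirit of a syslog.conf: first match wins,
# "*" is the catch-all.
RULES = [
    ("local2", "/var/log/nam.log"),     # NAM alarm, voice and system messages
    ("authpriv", "/var/log/secure"),
    ("*", "/var/log/messages"),
]


def route(message, rules=RULES):
    """Return the destination file a collector with ``rules`` would pick."""
    facility, _severity, _body = decode_pri(message)
    for selector, target in rules:
        if selector in ("*", facility):
            return target
    return None


# Constructed sample datagrams in the shape a NAM would emit: <150> = local2.info,
# <148> = local2.warning, <30> = daemon.info from an unrelated host.
SAMPLES = [
    "<150>Jan 10 12:00:01 nam-2220 nam: Alarm threshold crossed for application http",
    "<148>Jan 10 12:00:05 nam-2220 nam: Voice signaling threshold crossed",
    "<30>Jan 10 12:00:07 fileserver sshd[412]: Accepted publickey for ops",
]

if __name__ == "__main__":
    for line in SAMPLES:
        fac, sev, body = decode_pri(line)
        print(f"{fac}.{sev:<8} -> {route(line)}  {body[:40]}")
```

If the NAM's messages show up in the catch-all file instead of the intended one, the collector has no rule for local2; if they do not show up at all, check for a rule that discards local2 before the catch-all is reached.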


SNMP Trap Setting

SNMP traps carry alarms triggered by threshold-crossing events. When an alarm is triggered, the NAM can send a trap for the event to a separate host. Trap-directed notification saves network and agent resources because the management station does not have to poll the NAM repeatedly to discover the condition.

These topics help you set up and manage NAM traps:

Creating a NAM Trap Destination

Editing a NAM Trap Destination

Deleting a NAM Trap Destination

Creating a NAM Trap Destination

To create a NAM trap destination:


Step 1 Choose Administration > System > SNMP Trap Setting.

The SNMP Trap Setting window displays.

Step 2 Click the Create button.

Step 3 In the "Community" field, enter the community string set in the NAM Thresholds.

Step 4 In the "IP Address" field, enter the IP address to which the trap is sent if the alarm and trap community strings match.

Step 5 In the "UDP Port" field, enter the UDP port number.

Step 6 Click Submit to save your changes, or click Reset to cancel and leave the configuration unchanged.


Editing a NAM Trap Destination

To edit a NAM trap destination:


Step 1 Choose Administration > System > SNMP Trap Setting.

The NAM Trap Destinations page displays.

Step 2 Select the trap to edit, then click Edit.

The Edit Trap dialog box displays.

Step 3 Make the necessary changes.

Step 4 Click Submit to save your changes, or click Reset to remove any entry.


Deleting a NAM Trap Destination

To delete an existing trap, simply select it from the Traps table, then click Delete.

Preferences

Choose Administration > System > Preferences to configure characteristics for the NAM such as NAM display, audit trail, and file format preferences. Table 5-7 describes the fields of the Preferences window.

Table 5-7 Preferences 

Field
Description
Refresh Interval (60-3600 sec)

Amount of time between refresh of information on dashboards.

Top N Entries (1-10)

Number of colored bars on the Top N charts.

Perform IP Host Name Resolution

Wherever an IP address is displayed, it will get translated to a hostname via DNS lookup.

Data Displayed In

Data displayed in Bytes or Bits.

International Notation

Choose the way you would like numbers displayed.

Audit Trail

The Audit Trail option displays a listing of recent critical activities that have been recorded in an internal syslog log file. Syslog messages can also be sent to an external log.

Capture File Download Format

Choose ENC (.enc) or PCAP (.pcap) format for captured files.


Diagnostics

The Diagnostics option of the Administration menu provides tools to aid in troubleshooting. You can use these tools when you have a problem that might require assistance from the Cisco Technical Assistance Center (TAC). There are options for:

System Alerts

Audit Trail

Tech Support

System Alerts

You can view any failures or problems that the NAM has detected during normal operations. To view System Alerts, choose Administration > Diagnostics > System Alerts.

Each alert includes a date, the time the alert occurred, and a message describing the alert. The NAM displays up to one thousand (1,000) of the most-recent alerts. If more than 1,000 alerts have occurred, you need to use the NAM CLI command show tech support to see all of the alerts.

If you notice an alert condition and troubleshoot and attempt to solve the condition causing the alert, you might want to click Clear to remove the list of alerts to see if additional alerts occur.

Audit Trail

The Audit Trail option displays a listing of recent critical activities that have been recorded in an internal syslog log file. Syslog messages can also be sent to an external log.

The following user activities are logged in the audit trail:

All CLI commands

User logins (including failed attempts)

Unauthorized access attempts

SPAN changes

NDE data source changes

Enabling and disabling data collections

Starting and stopping captures

Adding and deleting users

Each log entry will contain the following:

User ID

Time stamp

IP address (in case of remote web access)

Activity description

To access the audit trail window:


Step 1 Choose Administration > Diagnostics > Audit Trail.

The Audit Trail Window displays.

The Audit Trail window provides a way to view the user access log and filter entries by time, user, source IP address, or activity. The internal log files are rotated after reaching a certain size limit.


Tech Support

The NAM syslog records NAM system alerts that contain event descriptions and date and time stamps, indicating unexpected or potentially noteworthy conditions. This feature generates a potentially extensive display of the results of various internal system troubleshooting commands and system logs.

This information is unlikely to be meaningful to the average user. It is intended to be used by the Cisco TAC for debugging purposes. You are not expected to understand this information; instead, you should save the information and attach it to an email message to the Cisco TAC.

Before you can view the Tech-Support page, you must enable the System Config user privilege on the Administration > Users > Local Database page. For more information on editing user privileges, see Editing a User.


Note You can also view this information from the NAM CLI. For information on using the NAM CLI, see the Cisco Network Analysis Module Command Reference or, for NME-NAM devices, the Network Analysis Module (NME-NAM) feature module.


To view tech support:


Step 1 Choose Administration > Diagnostics > Tech Support.

After a few minutes, extensive diagnostic information is generated and displayed in the Diagnostics Tech Support Window.

Step 2 To save the information, either select File > Save As... from the browser menu, or scroll to the bottom, click on NAM-logs.tar.bz2, and save it to your local PC.


Downloading Core Files

To download core files from the Tech-Support page, scroll down to the Core Files section and click on the filename.

User Administration

The User Administration option of the Administration menu provides the following options:

Local Database

Establishing TACACS+ Authentication and Authorization

Configuring a TACACS+ Server to Support NAM Authentication and Authorization

Current User Sessions

Local Database

When you first install the NAM, you use the NAM command-line interface (CLI) to enable the HTTP server and establish a username and password to access the NAM for the first time.

After setting up the initial user accounts, you can create additional accounts, enabling or disabling different levels of access independently for each user.

Table 5-8 provides information about User Privileges and describes each privilege.

Table 5-8 User Privileges 

Privilege
Access Level
AccountMgmt

Enables a user to create, delete, and edit user accounts.

SystemConfig

Enables a user to edit basic NAM system parameters such as IP address, gateway, HTTP port, and so on.

Capture

Enables a user to perform packet captures, manage capture sessions, and use the NAM protocol decode.

AlarmConfig

Enables a user to create, delete, and edit alarms on the switch/router and NAM.

MonitorConfig

Enables a user to create, delete, and edit the following:

Collections and reports

Protocol directory entries

Protocol groups

URL-based applications

MonitorView

Enables a user to view monitoring data and reports (granted to all users).


For additional information about creating and editing users, see Creating a New User and Editing a User.

Recovering Passwords

You can recover passwords by using CLI commands on the switch or router. A user with appropriate privileges can reset the NAM CLI and passwords to the factory default state.

For information on resetting the NAM passwords on 6500 Series NAMs, see Catalyst 6500 Series Switch and Cisco 7600 Series Internet Router Network Analysis Module Installation and Configuration Note:

http://www.cisco.com/en/US/docs/net_mgmt/network_analysis_module_software/5.0/switch/configuration/guide/switchcfg.html

For information on resetting the NAM passwords on Branch Routers (NME-NAM) devices, see the Network Analysis Module (NME-NAM) Installation and Configuration Note.

http://www.cisco.com/en/US/docs/net_mgmt/network_analysis_module_software/5.0/branch_router/configuration/guide/BRincfg_50.html

For information on resetting the NAM passwords on a Cisco NAM 2200 Series Appliance, see the Cisco NAM Appliances Installation and Configuration Note(2220)

http://www.cisco.com/en/US/docs/net_mgmt/network_analysis_module_appliance/5.0/2220/instcfg2220.html

or the Cisco NAM Appliances Installation and Configuration Note, 5.0 (2204)

http://www.cisco.com/en/US/docs/net_mgmt/network_analysis_module_appliance/5.0/2204/instcfg2204.html

If you have forgotten the NAM administrator password, you can recover it using one of these methods:

If another user has account management (AccountMgmt) permission, log in as that user, choose Administration > Users > Local Database, delete the account whose password you have forgotten, and then create it again.

If no other local users are configured other than the user for whom you have forgotten the password, use the NAM rmwebusers CLI command; then enable http or https to prompt for the creation of a NAM user.

Changing Predefined NAM User Accounts on the Switch or Router

The predefined root and guest NAM user accounts (accessible through either a switch or router session command or a Telnet login to the NAM CLI) are static and independent of the NAM. You cannot change these static accounts nor can you add other CLI-based users with the NAM.

Creating a New User

To create a new user:


Step 1 Choose Administration > Users > Local Database.

The GUI displays the users in the local database. Checks indicate the privileges each user has for the functions listed.

Step 2 Click Create.

The GUI displays the New User Dialog Box.

Step 3 Enter the information required to create new user and select each privilege to grant to the user. See Table 5-8 for an explanation of user privileges. Table 5-9 describes the fields in the New User Dialog Box.

Table 5-9 New User Dialog Box 

Field
Description
Usage Notes
Name

The account name

Enter the user's account name.

Password
Verify Password

The account password

Enter a password that adheres to your site security policies.

Privileges

Privileges associated with this account

Select each privilege to grant to the user.


Usernames and passwords cannot exceed 32 characters and may contain alphanumeric characters. The following special characters are not allowed:

Less than (<) and greater than (>)

Comma (,)

Period (.)

Double quote (") and single quote (')

Left or right parentheses

! @ # $ % ^ & *

Step 4 Click Submit to create the user or Reset to clear the dialog of any characters you entered.
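The following is an added example, not code from the Cisco guide: a check that a proposed local-database username or password respects the limits the guide states (at most 32 characters, alphanumeric, none of the listed special characters), useful in a provisioning script before the value is typed into the New User Dialog Box. The function names and the returned message format are this example's own choices.

```python
import string

# Added example (not from the Cisco guide). Encodes the local-user rules the
# guide states: 32-character maximum, alphanumeric, and a fixed set of
# special characters that are not allowed.
MAX_LEN = 32

# The special characters the guide lists as not allowed.
DISALLOWED = set('!@#$%^&*()<>,."\'')

# "Alphanumeric" is taken here to mean ASCII letters and digits.
ALNUM = set(string.ascii_letters + string.digits)


def check_nam_credential(value, label="username"):
    """Return a list of rule violations; an empty list means the value is acceptable."""
    problems = []
    if not value:
        problems.append(f"{label} is empty")
        return problems
    if len(value) > MAX_LEN:
        problems.append(f"{label} is {len(value)} characters; the limit is {MAX_LEN}")
    bad = sorted({ch for ch in value if ch in DISALLOWED})
    if bad:
        problems.append(f"{label} contains disallowed characters: {' '.join(bad)}")
    # Anything else outside the alphanumeric set is reported separately so the
    # operator can see which rule was tripped.
    other = sorted({ch for ch in value if ch not in ALNUM and ch not in DISALLOWED})
    if other:
        problems.append(f"{label} contains non-alphanumeric characters: {' '.join(other)}")
    return problems


def is_acceptable(value, label="username"):
    """True when check_nam_credential() reports no violations."""
    return not check_nam_credential(value, label)


if __name__ == "__main__":
    # Constructed sample inputs: one good name, one with '@', one too long.
    for candidate in ("namadmin", "ops@nam", "a" * 33):
        print(candidate[:12], check_nam_credential(candidate) or "ok")
```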


Editing a User

To edit a user's configuration:


Step 1 Choose Administration > Users > Local Database.

The Users table displays.

Step 2 Select the username.

Step 3 Click Edit.

Step 4 In the Modify Users dialog box, change whatever information is necessary.

Click Submit to save your changes, or click Reset to clear the dialog of any characters you entered and restore the previous settings.


Deleting a User

To delete a user:


Step 1 Choose Administration > Users > Local Database.

The Users table displays.

Step 2 Select the username.

Step 3 Click Delete.



Note If you delete user accounts while users are logged in, they remain logged in and retain their privileges. The session remains in effect until they log out. Deleting an account or changing permissions in mid-session affects only future sessions. To force off a user who is logged in, restart the NAM.


Establishing TACACS+ Authentication and Authorization

Terminal Access Controller Access Control System (TACACS) is an authentication protocol that provides remote access authentication, authorization, and related services such as event logging. With TACACS, user passwords and privileges are administered in a central database rather than on each individual switch or router, which provides scalability.

TACACS+ is a Cisco Systems enhancement that provides additional support for authentication and authorization.

When a user logs into the NAM, TACACS+ determines if the username and password are valid and what the access privileges are.

To establish TACACS+ authentication and authorization:


Step 1 Choose Administration > Users > TACACS+. The TACACS+ Authentication and Authorization Dialog Box displays.

Step 2 Enter or select the appropriate information in the TACACS+ Authentication and Authorization Dialog Box (Table 5-10).

Table 5-10 TACACS+ Authentication and Authorization Dialog Box

Field: Enable TACACS+ Authentication and Authorization
Usage Notes: Determines whether TACACS+ authentication and authorization is enabled. To enable, check the check box. To disable, uncheck the check box.

Field: Primary TACACS+ Server
Usage Notes: Enter the IP address of the primary server.

Field: Backup TACACS+ Server
Usage Notes: Enter the IP address of the backup server (optional).

Note If the primary server does not respond after 30 seconds, the backup server will be contacted.

Field: Secret Key
Usage Notes: Enter the TACACS+ secret key.

Field: Verify Secret Key
Usage Notes: Reenter the TACACS+ secret key.


Step 3 Do one of the following:

To save the changes, click Submit.

To cancel, click Reset.



Tip If you cannot log into the NAM with TACACS+ configured, verify that you entered the correct TACACS+ server name and secret key.


Configuring a TACACS+ Server to Support NAM Authentication and Authorization

In addition to enabling the TACACS+ option, you must configure your TACACS+ server so that it can authenticate and authorize NAM users.


Note Configuration methods vary depending on the type of TACACS+ server you use.


Continue to the next section, Configuring a Cisco ACS TACACS+ Server.

Configuring a Cisco ACS TACACS+ Server

For Windows NT and 2000 Systems

To configure a Cisco ACS TACACS+ server:


Step 1 Log into the ACS server.


Note NAM 5.1 supports ACS versions 5.1 and 4.2.


Step 2 Click Network Configuration.

Step 3 Click Add Entry.

Step 4 For the Network Access Server, enter the NAM hostname and IP address.

Step 5 Enter the secret key.


Note The secret key must be the same as the one configured on the NAM.


Step 6 In the Authenticate Using field, select TACACS+.

Step 7 Click Submit/Restart.


Adding a NAM User or User Group

To add a NAM user or user group:


Step 1 Click User Setup.

Step 2 Enter the user login name.

Step 3 Click Add/Edit.

Step 4 Enter the user data.

Step 5 Select User Setup.

Step 6 Enter a user password.

Step 7 If necessary, assign a user group.

Step 8 In the TACACS+ settings:

a. Select Shell.

b. Select IOS Command.

c. Select Permit.

d. Select Command.

e. Enter web.

f. In the Arguments field, enter:

permit capture 
permit system 
permit collection 
permit account 
permit alarm 
permit view 

Step 9 In Unlisted Arguments, select Deny.


Configuring a Generic TACACS+ Server

To configure a generic TACACS+ server:


Step 1 Specify the NAM IP address as a Remote Access Server.

Step 2 Configure a secret key for the TACACS+ server to communicate with the NAM.


Note The secret key must be the same as the one configured on the NAM.


Step 3 For each user or group to be allowed access to the NAM, configure the following TACACS+ parameters:

Parameter: service
Enter: shell

Parameter: cmd
Enter: web

Parameter: cmd-arg
Enter: One or more of the following: accountmgmt, system, capture, alarm, collection, view

Parameter: Password authentication method (Password Authentication Protocol, PAP)
Enter: pap

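The following is an added example, not NAM, ACS or TACACS+ server code: a small model of the per-user authorization rule described in the ACS and generic server sections (service shell, command web, one cmd-arg per NAM privilege, unlisted arguments denied), so a policy can be checked for typos and for its effective privilege set before it is entered on the server. The class and function names are this example's own, and it assumes, as in generic TACACS+ command authorization, that each NAM privilege is checked as one cmd=web request carrying that privilege as its cmd-arg.

```python
# Added example (not NAM or TACACS+ server code): models the NAM web-service
# authorization rule from the guide with "Unlisted Arguments: Deny" semantics.

# The six cmd-arg values the guide lists for a generic TACACS+ server.
NAM_PRIVILEGES = {"accountmgmt", "system", "capture", "alarm", "collection", "view"}


class NamWebAuthorization:
    """Authorization policy for one TACACS+ user or group (example class)."""

    def __init__(self, permitted):
        unknown = set(permitted) - NAM_PRIVILEGES
        if unknown:
            # A misspelled privilege would otherwise be "unlisted" and silently denied.
            raise ValueError(f"not a NAM privilege: {sorted(unknown)}")
        self.permitted = set(permitted)

    def authorize(self, service, cmd, cmd_arg):
        """Return True only for service=shell, cmd=web and an explicitly permitted cmd-arg."""
        if service != "shell" or cmd != "web":
            return False
        # Unlisted arguments are denied: the policy fails closed.
        return cmd_arg in self.permitted

    def av_pairs(self):
        """Attribute-value pairs from the generic-server table, one cmd-arg per privilege."""
        pairs = [("service", "shell"), ("cmd", "web")]
        pairs += [("cmd-arg", p) for p in sorted(self.permitted)]
        return pairs


def granted_privileges(policy, requested=NAM_PRIVILEGES):
    """Privileges the NAM ends up with after each requested one is authorized in turn."""
    return {p for p in requested if policy.authorize("shell", "web", p)}


if __name__ == "__main__":
    # Constructed sample policy: a user allowed only to view and capture.
    viewer = NamWebAuthorization(["view", "capture"])
    print(viewer.av_pairs())
    print(sorted(granted_privileges(viewer)))
```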

Current User Sessions

The Current User Sessions table is a record of the users who are logged into the application. The user session times out after 30 minutes of inactivity. After a user session times out, that row is removed from the table.

To view the current user sessions table:


Step 1 Choose Administration > Users > Current Users.

The Current User Sessions Table (Table 5-11) displays.

Table 5-11 Current User Sessions Table

Field: User ID
Description: The user ID used to log into the NAM.

Field: From
Description: The name of the machine the user logged in from.

Field: Login Time
Description: The time the user logged in.

Field: Last Activity
Description: The time stamp of the last user activity.