Installation Guide for Cisco Secure ACS Solution Engine 4.1
Administering Cisco Secure ACS Solution Engine

Table Of Contents

Administering Cisco Secure ACS Solution Engine

Basic Command Line Administration Tasks

Logging In to the Solution Engine From a Serial Console

Shutting Down the Solution Engine From a Serial Console

Logging Off the Solution Engine From a Serial Console

Rebooting the Solution Engine From a Serial Console

Determining the Status of Solution Engine System and Services From a Serial Console

Tracing Routes

Stopping Solution Engine Services From a Serial Console

Starting Solution Engine Services From a Serial Console

Restarting Solution Engine Services From a Serial Console

Getting Command Help From the Serial Console

Working with System Data

Obtaining Support Logs From the Serial Console

Exporting Logs

Exporting a List of Groups

Exporting a List of Users

Backing Up ACS Data From the Serial Console

Restoring ACS Data From the Serial Console

Reconfiguring Solution Engine System Parameters

Resetting the Solution Engine Administrator Password

Resetting the Solution Engine CLI Administrator Name

Setting the GUI Administrator Logon and Password

Resetting the Solution Engine Database Password

Reconfiguring the Solution Engine IP Address

Setting the System Time and Date Manually

Setting the System Time and Date with NTP

Setting the System Timeout

Setting the Solution Engine System Domain

Setting the Solution Engine System Hostname

Patch Rollback

Removing Installed Patches

Understanding the CSAgent Patch

Recovery Management

Recovering from Loss of Administrator Credentials

Re-imaging the Solution Engine Hard Drive


Administering Cisco Secure ACS Solution Engine


This section describes the major Cisco Secure ACS Solution Engine (ACS SE) system administration tasks that you can perform by using the command line interface (CLI) in the serial console connection. For all other ACS SE configuration and administration tasks, that is, those performed from the ACS web interface, see the User Guide for Cisco Secure Access Control Server.

The serial console service starts automatically when the ACS SE boots, and prompts the user to log in. A successful login launches a command line application (shell) that operates the CLI.

This section contains:

Basic Command Line Administration Tasks

Working with System Data

Reconfiguring Solution Engine System Parameters

Patch Rollback

Recovery Management

Basic Command Line Administration Tasks

This section details basic administrative tasks performed from a serial console connected to the ACS SE. This section contains:

Logging In to the Solution Engine From a Serial Console

Shutting Down the Solution Engine From a Serial Console

Logging Off the Solution Engine From a Serial Console

Rebooting the Solution Engine From a Serial Console

Determining the Status of Solution Engine System and Services From a Serial Console

Tracing Routes

Stopping Solution Engine Services From a Serial Console

Starting Solution Engine Services From a Serial Console

Restarting Solution Engine Services From a Serial Console

Getting Command Help From the Serial Console

Logging In to the Solution Engine From a Serial Console

To log in to the ACS SE from a serial console:


Step 1 Establish a serial console connection to the ACS SE. For details, see Establishing a Serial Console Connection, page 3-10.

Step 2 At the login: prompt, enter the ACS SE administrator name.

Step 3 At the password: prompt, enter the ACS SE password.

Result: The system prompt appears:

ACS SE name 

Note Only one set of ACS SE login credentials (administrator name and password) has the serial connection privilege.



Shutting Down the Solution Engine From a Serial Console

You use the serial console to shut down the ACS SE.


Caution Powering off the ACS SE by using only the power switch may cause the loss or corruption of data.

To use the serial console to shut down the ACS SE:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine From a Serial Console.

Step 2 At the system prompt, type shutdown, and then press Enter.

Step 3 At the Are you sure you want to shut down? (Y/N) prompt, type Y for yes and then press Enter.

Result: The ACS SE displays the message:

It is now safe to turn off the computer

Step 4 Press the power switch and hold it down for 4 seconds to turn off the ACS SE. For the location of the power switch see Figure 1-1 on page 1-3.

Result: The ACS SE powers OFF.


Logging Off the Solution Engine From a Serial Console

To log off the ACS SE from the serial console:


Step 1 At the system prompt, type exit.

Step 2 Press Enter.

Result: The serial console connection closes, and the login: prompt reappears.


Rebooting the Solution Engine From a Serial Console

To reboot the ACS SE from the serial console:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine From a Serial Console.

Step 2 At the system prompt, enter reboot.

Result: The ACS SE displays the message:

Are you sure you want to reboot? (Y/N)

Step 3 Enter Y for yes.

Result: The ACS SE reboots. When the reboot is finished, the login: prompt reappears.


Determining the Status of Solution Engine System and Services From a Serial Console

You can use the serial console connection to obtain system and service status information.


Note You typically perform status determination in the ACS SE web interface. For more information, see "Determining the Status of Cisco Secure ACS Services" in the User Guide for Cisco Secure Access Control Server.


To determine the status of the ACS SE and ACS Services:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine From a Serial Console.

Step 2 At the system prompt, type show, and then press Enter.

Result: The system displays the following status information:

ACS SE Name
ACS SE Version
Appliance Management Software Version
Appliance Base Image Version
CSA build XXXX: (Patch: x_x_x_xxx)
Session Timeout (in minutes)
Last Reboot Time
Current Date & Time
Time Zone
NTP Server(s)
CPU Load (percentage)
Free Disk (amount of hard drive space available)
Free Physical Memory
Appliance IP Configuration
DHCP Enabled (Yes/No)
IP Address
Subnet Mask 
Default Gateway
DNS Servers 
ACS Services (running/stopped)
CSAdmin
CSAgent
CSAuth
CSDbSync
CSLog 
CSMon
CSRadius 
CSTacacs


Tracing Routes

If you are unfamiliar with the trace route command or want information on the command's optional arguments, see the Command Reference entry tracert, page C-16.

To trace the network route that the ACS SE takes to a given destination:


Step 1 At the system prompt, type tracert, followed by zero (0) or more optional arguments, and then the IP address of the target destination.

Step 2 Press Enter.

Result: The system displays the route tracing information followed by the message:

Trace complete


Stopping Solution Engine Services From a Serial Console


Note You typically stop solution engine services in the web interface.


You can stop any of the ACS SE services from the serial console. The ACS SE services include:

CSAdmin

CSAgent

CSAuth

CSDbSync

CSLog

CSMon

CSRadius

CSTacacs


Tip To list the services and their status, you can use the show command. For more information, see Determining the Status of Solution Engine System and Services From a Serial Console.



Note When you stop the CSAgent service, that service remains disabled until you explicitly start it again. That is, if you stop the CSAgent service it does not automatically restart when the system is rebooted.


To stop a service on the ACS SE:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine From a Serial Console.

Step 2 Type stop followed by a single space and the name of the ACS service that you want to stop.


Tip You can list more than one service to stop; type a single space between each.


Step 3 Press Enter.

Result: The system immediately displays the message:

[service name] is stopping. . . 

Followed by the message:

[service name] is not running


Starting Solution Engine Services From a Serial Console


Note You typically start solution engine services in the web interface.


You can start any of the ACS services from the serial console. The ACS SE services include:

CSAdmin

CSAgent

CSAuth

CSDbSync

CSLog

CSMon

CSRadius

CSTacacs


Tip To list the services and their status, you can use the show command. For more information, see Determining the Status of Solution Engine System and Services From a Serial Console.


To start an ACS service:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine From a Serial Console.

Step 2 Type start followed by a single space and the name of the ACS service that you want to start.


Tip You can list more than one service to start; type a single space between each.


Step 3 Press Enter.

Result: The system immediately displays the message:

[service name] is starting. . . 

Followed by the message:

[service name] is running


Restarting Solution Engine Services From a Serial Console


Note You typically restart solution engine services in the web interface.


You can restart any ACS SE service from the serial console. ACS SE services include:

CSAdmin

CSAgent

CSAuth

CSDbSync

CSLog

CSMon

CSRadius

CSTacacs


Tip To list the services and their status, you can use the show command. For more information, see Determining the Status of Solution Engine System and Services From a Serial Console.


To restart an ACS service:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine From a Serial Console.

Step 2 Type restart followed by a single space and the name of the ACS service that you want to restart.


Tip You can list more than one service to restart; type a single space between each.


Step 3 Press Enter.

Result: The system immediately displays the message:

service name is stopping. . .

Followed by the messages:

service name is not running
service name is starting
service name is running
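
The status messages quoted in the stop, start, and restart procedures above can be checked mechanically in a saved serial console capture. The following Python is an added example, not Cisco code: it assumes the real service name replaces the [service name] placeholder in each message, and the session text is constructed for illustration.

```python
import re

# The eight ACS SE services listed on this page.
ACS_SERVICES = ("CSAdmin", "CSAgent", "CSAuth", "CSDbSync",
                "CSLog", "CSMon", "CSRadius", "CSTacacs")

# Status messages as quoted on this page, for example:
#   "CSAgent is stopping. . ."   "CSAgent is not running"
#   "CSAgent is starting. . ."   "CSAgent is running"
# Assumption: the service name appears where the page shows [service name].
_STATUS = re.compile(
    r"^\s*(?P<svc>\w+) is (?P<state>stopping|starting|not running|running)\b")

# Constructed capture of a console session (not real appliance output).
SAMPLE_SESSION = """\
stop CSAgent CSLog
CSAgent is stopping. . .
CSAgent is not running
CSLog is stopping. . .
CSLog is not running
start CSLog
CSLog is starting. . .
CSLog is running
restart CSRadius
CSRadius is stopping. . .
CSRadius is not running
CSRadius is starting
CSRadius is running
stop CSTacacs
CSTacacs is stopping. . .
"""


def final_states(transcript):
    """Return {service: last status message seen} for known ACS services."""
    states = {}
    for line in transcript.splitlines():
        match = _STATUS.match(line)
        if match and match.group("svc") in ACS_SERVICES:
            states[match.group("svc")] = match.group("state")
    return states


def audit(transcript):
    """List services whose last reported state in the capture is not 'running'.

    needs_explicit_start is True only for CSAgent, because the page notes
    that a stopped CSAgent is not restarted automatically by a reboot.
    A last state of 'stopping' or 'starting' means the capture ended before
    the completion message and the service should be checked with show.
    """
    findings = []
    for svc, state in sorted(final_states(transcript).items()):
        if state == "running":
            continue
        findings.append({
            "service": svc,
            "last_state": state,
            "needs_explicit_start": (
                svc == "CSAgent" and state in ("stopping", "not running")),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SESSION):
        print(finding)
```

Services that never appear in the capture are not reported; confirm their state with the show command.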


Getting Command Help From the Serial Console

To obtain a list and description of commands on the ACS SE from the serial console:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine From a Serial Console.

Step 2 At the system prompt, type help, and then press Enter.


Tip Press Enter again to scroll through the list of commands, as necessary.


Result: The ACS SE displays the list of commands and their descriptions, as shown in Table 4-1.

Table 4-1 ACS SE Commands 

Command         Description
?               List commands
add-guiadmin    Adds a GUI account that allows access to the SE using the ACS web GUI.
backup          Backup Appliance
download        Download ACS Install Package
exit            Log off
exportgroups    Export group information to an FTP server
exportlogs      Export appliance diagnostic logs to FTP server
exportusers     Export user information to an FTP server
help            List commands
ntpsync         Perform Network Time Protocol synchronization
ping            Verify connections to remote computers
reboot          Soft reboot appliance
restart         Restart ACS services
restore         Restore Appliance
rollback        Rollback patched package
set admin       Set administrator's name
set dbpassword  Set database password
set domain      Set DNS domain
set hostname    Set appliance's hostname
set ip          Set IP configuration
set password    Set administrator's password
set time        Set timezone, enable NTP synch, or set date and time
set timeout     Set the timeout for serial console with no activity
show            Show appliance status
shutdown        Shut down appliance
start           Start ACS services
stop            Stop ACS services
support         Collect logs, registry, and other useful information
tracert         Determine the route take to a destination
upgrade         Upgrade appliance (stage II)


For more information on ACS SE commands, see Appendix C, "Command Reference."


Working with System Data

This section explains basic data-manipulation tasks performed from a serial console connected to the ACS SE:

Obtaining Support Logs From the Serial Console

Exporting Logs

Exporting a List of Groups

Exporting a List of Users

Backing Up ACS Data From the Serial Console

Restoring ACS Data From the Serial Console

Obtaining Support Logs From the Serial Console

This section details the procedure for running the support tool. The support tool first collects logs, system Registry information, and other ancillary data, and then compresses the collected information into a single file with the extension .cab. This file can then be sent to support personnel for analysis.


Caution Performing this procedure stops and restarts all services, and will interrupt use of the ACS SE.


Note You typically perform this procedure in the ACS SE web interface.


This procedure uses the support command. For more information on this command, see support, page C-16. The arguments for the support command include:

Argument    Description
-d n        Collect the previous n days logs
-u          Collect user database information
server      Hostname for the FTP server to which the file is to be sent
filepath    Location under the FTP root for the server into which the package.cab is to be sent
username    Account used to authenticate the FTP session


To generate a .cab file of log and system registry information:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine From a Serial Console.

Step 2 Type support and the arguments necessary to your purpose.

Step 3 Press Enter.

Step 4 To collect user database information, at the Collect User Data? prompt, type Y and then press Enter.

Step 5 At the Enter FTP Server directory prompt, enter the pathname to the location on your FTP server to which you want to send the file and then press Enter.

Step 6 At the Collect Previous days logs? prompt, type the number of days for which you want to collect information (from 1 to 9999) and press Enter.

Step 7 At the Enter FTP Server Hostname or IP address prompt, enter your FTP server hostname or IP address and press Enter.

Step 8 At the Enter FTP Server Username prompt, enter your FTP server user account name and press Enter.


Caution Performing this next step begins the procedure that stops and restarts all services, and will interrupt use of the ACS SE.

Step 9 At the Enter FTP Server Password prompt, enter your FTP server password and press Enter.

Result: The ACS SE displays a series of messages detailing the writing and dumping of the files, and the stopping and starting of services. When the file transfer completes, the system displays the following messages:

Transferring `Package.cab' completed
Press any key to finish.

This message indicates that the ACS SE has packaged and transferred the .cab file as specified, and has restarted services.

Step 10 Press Enter.

Result: The system returns to the system prompt.


Exporting Logs

This section details the procedure for exporting ACS SE log files to an FTP server for further examination and processing. Using the exportlogs command, you can enter the name of the log or logs to export, or select log names from a list.

Before You Begin

You must have the FTP server address and pathname, as well as the proper credentials for writing to the FTP server (username and password).


Caution Performing this procedure stops and restarts all services, and will interrupt use of the ACS SE.

To export log files to an FTP server:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine From a Serial Console.

Step 2 Type exportlogs logname, where logname is the name of the log you want to export.


Tip You can enter more than one log name and separate each with a space. If you enter no log name, after you press Enter, the system displays the names of the log files available for export.



Caution Performing this procedure stops and restarts all services, and will interrupt use of the ACS SE.

Step 3 Press Enter.

Step 4 At the prompt, enter the IP address or hostname of the FTP server and press Enter.

Step 5 At the prompt, enter your FTP server username and press Enter.

Step 6 At the prompt, enter your FTP server password and press Enter.

Step 7 At the prompt, enter the FTP server directory pathname and press Enter.

Result: The ACS SE exports the specified files to the specified location.


Exporting a List of Groups

This section details the procedure for exporting a list of ACS SE user groups to an FTP server for further examination and processing.

Before You Begin

You must have the FTP server address and pathname, as well as the proper credentials for writing to the FTP server (username and password).


Caution Performing this procedure stops and restarts the CSAuth service, and will interrupt use of the ACS SE.

To export a user group list to an FTP server:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine From a Serial Console.

Step 2 Type exportgroups.


Tip You can enter the following parameters after the command or in response to subsequent prompts: [server] [username] [filepath]


Step 3 Press Enter.

Result: The system displays the message:

Command with restart CSAuth. Are you sure you want to continue?


Caution Performing this procedure stops and restarts the CSAuth service, and will interrupt use of the ACS SE.

Step 4 To proceed, type Y and press Enter.

Step 5 At the Enter FTP Server Hostname or IP Address prompt, enter the FTP server IP address or hostname and press Enter.

Step 6 At the Directory: prompt, enter the FTP server pathname and press Enter.

Step 7 At the Username: prompt, enter your FTP server username and press Enter.

Step 8 At the Password: prompt, enter your FTP server password and press Enter.

Result: The ACS SE exports the group list file to the specified location. When done the system displays the message:

Transferring `groups.txt' completed

The system prompt returns.


Exporting a List of Users

This section details the procedure for exporting a list of ACS SE users to an FTP server for further examination and processing.

Before You Begin

You must have the FTP server address and pathname, as well as the proper credentials for writing to the FTP server (username and password).


Caution Performing this procedure stops and restarts the CSAuth service, and will interrupt use of the ACS SE.

To export a list of users to an FTP server:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine From a Serial Console.

Step 2 Type exportusers.


Tip You can enter the following parameters after the command or in response to subsequent prompts: [server] [username] [filepath]


Step 3 Press Enter.

Result: The system displays the message:

Command with restart CSAuth. Are you sure you want to continue?


Caution Performing this procedure stops and restarts the CSAuth service, and will interrupt use of the ACS SE.

Step 4 To proceed, type Y and press Enter.

Step 5 At the Enter FTP Server Hostname or IP Address prompt, enter the FTP server IP address or hostname and press Enter.

Step 6 At the Directory: prompt, enter the FTP server pathname and press Enter.

Step 7 At the Username: prompt, enter your FTP server username and press Enter.

Step 8 At the Password: prompt, enter your FTP server password and press Enter.

Result: ACS SE exports the file of the list of users to the specified location, and then displays the message:

Transferring `users.txt' completed

The system prompt reappears.


Backing Up ACS Data From the Serial Console

This section details how to use the serial console to back up ACS SE data to an FTP server.


Note You typically perform this procedure in the web interface.


During backup, AAA services are interrupted, and ACS SE data is packaged and sent in a file to an FTP server. You may choose to encrypt this file package. For information on how to restore the backup data to the system, see Restoring ACS Data From the Serial Console.

Before You Begin

You must have the FTP server address and pathname, as well as the proper credentials for writing to the FTP server (username and password).


Caution This procedure interrupts the use of the ACS SE for AAA services.

To export ACS SE data to an FTP server:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine From a Serial Console.

Step 2 Type backup.


Tip You can enter the following parameters after the command or in response to subsequent prompts: [server] [username] [filepath]


Step 3 Press Enter.

Step 4 At the Enter FTP Server Hostname or IP Address: prompt, enter the FTP server IP address or hostname and press Enter.

Step 5 At the Enter FTP Server Directory: prompt, enter the FTP server pathname and press Enter.

Step 6 At the Enter FTP Server Username: prompt, enter your FTP server username and press Enter.

Step 7 At the Enter FTP Server Password: prompt, enter your FTP server password and press Enter.

Step 8 At the File: prompt, enter the name that you want to give the backup file and then press Enter.

Step 9 At the Encrypt Backup File? (Y or N) prompt, type Y to encrypt the backup file or N not to encrypt it, and then press Enter.


Caution This procedure interrupts the use of the ACS SE for AAA services.

Step 10 If you previously chose to encrypt the backup file, at the Encryption Enter FTP Server Password: prompt, type a password and then press Enter.

Result: The ACS SE displays the messages:

Backing up now . . .
All running services will be stopped and restarted automatically.
Are you sure you want to proceed? (y/Y = proceed)

Step 11 To proceed, type Y and press Enter.

Result: The ACS SE exports the backup file to the specified location and displays messages regarding the progress of the backup.

The following message signifies the completion of the backup process:

Transferring xxx completed.

The system prompt reappears.


Restoring ACS Data From the Serial Console

This section details how to use the serial console to restore ACS SE data from an FTP server after you perform a backup. For more information on backing up ACS SE data, see Backing Up ACS Data From the Serial Console.


Note You typically perform this procedure in the web interface.


Before You Begin

You must have the FTP server address and pathname, as well as the proper credentials for writing to the FTP server (username and password). You also need the name of the backup file and, if the backup was encrypted, the decryption password.


Caution This procedure interrupts the use of the ACS SE for AAA services.


Caution This procedure overwrites current system data and replaces it with the backup data.

To restore ACS SE data from an FTP server:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine From a Serial Console.

Step 2 Type restore.


Tip You can enter the following parameters after the command or in response to subsequent prompts: [server] [username] [filepath]


Step 3 Press Enter.

Step 4 At the Enter FTP Server Hostname or IP Address: prompt, enter the FTP server IP address or hostname and press Enter.

Step 5 At the Enter FTP Server Directory: prompt, enter the FTP server pathname and press Enter.

Step 6 At the Enter FTP Server Username: prompt, enter your FTP server username and press Enter.

Step 7 At the Enter FTP Server Password: prompt, enter your FTP server password and press Enter.

Step 8 At the File: prompt, enter the name of the backup file and then press Enter.

Step 9 At the Select Components to Restore: User and Group Database: prompt, to restore the user and group database type Y and then press Enter.

Step 10 At the CiscoSecure ACS System Configuration: (Y or N) prompt, to restore the system configuration data type Y and then press Enter.

Step 11 At the Decrypt Backup file? (Y or N) prompt, if you previously encrypted the backup file, type Y and then press Enter.

Step 12 If you previously chose to decrypt the backup file, at the Encryption Password: prompt, type the FTP password, and then press Enter.


Note The system displays a warning message:
Reloading a system backup will overwrite ALL current configuration information. All services will be stopped and started automatically


Step 13 At the Are you sure you want to proceed? (Y or N) prompt, type Y and then press Enter.

Result: The ACS SE receives the backup file from the specified location and displays messages regarding the restoration. You may see warnings about components not included in the backup file. For example, if ACS SE has no shared profile components configured, you see a message about DCS (device command sets) not on the backup, which is normal.

When completed the system displays the message:

Done


Reconfiguring Solution Engine System Parameters

This section details basic reconfiguration tasks performed from a serial console connected to the ACS SE. This section contains:

Resetting the Solution Engine Administrator Password

Resetting the Solution Engine CLI Administrator Name

Resetting the Solution Engine Database Password

Reconfiguring the Solution Engine IP Address

Setting the System Time and Date Manually

Setting the System Time and Date with NTP

Setting the System Timeout

Setting the Solution Engine System Domain

Setting the Solution Engine System Hostname

Resetting the Solution Engine Administrator Password

There is always a single set of ACS SE administrator credentials, consisting of the administrator name and password. Unlike other ACS administrative accounts, this unique administrative account is granted all privileges, cannot be deleted, and is not listed in the Administrators table of the Administrative Control page in the ACS web interface. This account is called the CLI administrator account and allows access to the SE only through a serial console.

You can reset the ACS SE CLI administrator name, the administrator password, or both. This procedure details how to reset the password after you log in with the existing credentials. To reset the CLI administrator name see Resetting the Solution Engine CLI Administrator Name.

If you do not have the existing ACS SE CLI administrator login credentials, you must have the recovery CD-ROM to reset these credentials. For information on resetting the administrator login and password without first logging in, see Recovering from Loss of Administrator Credentials.

To reset the ACS SE administrator login credentials:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine From a Serial Console.

Step 2 At the system prompt, type set password and then press Enter.

Result: The ACS SE displays the prompt:

Enter old password:

Step 3 Type the password, and then press Enter.

Result: The ACS SE displays the prompt:

Enter new account name:

Step 4 Type the new account name, and then press Enter.

Result: The ACS SE displays the prompt:

Enter new password

Step 5 Type the new password, and then press Enter.


Note The new password must not contain the administrator account name, must contain a minimum of 6 characters, and it must include a mix of at least 3 character types (numerals, special characters, uppercase letters, and lowercase letters). Each of the following examples is acceptable: 1PaSsWoRd, *password44, Pass*word.


Result: The ACS SE displays the prompt:

Reenter new password

Step 6 Type the new password again, and then press Enter.

Result: The ACS SE displays the prompt:

Password is set successfully.  
Administrator account name is set to _____


Resetting the Solution Engine CLI Administrator Name

There is always a single set of ACS SE CLI administrator credentials that consists of the administrator name and password. Unlike other ACS administrative accounts, this unique administrative account is granted all privileges, cannot be deleted, and is not listed in the Administrators table of the Administrative Control page in the ACS web interface.

You can reset the ACS SE CLI administrator name, the administrator password, or both. This procedure details how to reset the administrator name after you log in with the existing credentials. To reset the password, see Resetting the Solution Engine Administrator Password.


Note The CLI administrator logon does not provide access to the ACS SE using the ACS web GUI. You must set up an initial web GUI password using the add-guiadmin command. For information on setting up an initial web GUI account, see Setting the GUI Administrator Logon and Password.


If you do not have the existing ACS SE CLI administrator login credentials, you must have the recovery CD-ROM to reset these credentials. For information on resetting the administrator login and password without first logging on, see Recovering from Loss of Administrator Credentials.

To reset the ACS SE CLI administrator name:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine From a Serial Console.

Step 2 At the system prompt, enter:

set admin

Result: The ACS SE displays the Set administrator's name prompt.

Step 3 Type the new administrator name, and then press Enter.

Step 4 At the Set administrator name again prompt, type the administrator name again and then press Enter.

Result: The system displays the message:

Administrator name is set successfully.


Setting the GUI Administrator Logon and Password

After initial installation of the ACS SE, the only password that exists is the CLI administrator password. This password allows access only through a serial console logon and CLI commands.

To enable an initial administrator account that can access the ACS SE through the ACS web GUI, you must set up a GUI administration account using the add-guiadmin command.

To set up an initial web GUI account:


Step 1 Log in as the CLI administrator.

Step 2 At the command prompt, issue the following command:

add-guiadmin <admin> <password>

where admin is the name of the GUI administrator account and password is the password for the GUI administrator.

There is now a GUI administrator account that a remote user can use to access the ACS GUI running on the ACS SE.


Resetting the Solution Engine Database Password

You should change the ACS SE database password from time to time, to ensure database security. This procedure details how to reset the password after you have logged on with the existing credentials.

To reset the ACS SE database password:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine From a Serial Console.

Step 2 At the system prompt, type set dbpassword and then press Enter.

Result: The ACS SE displays the prompt:

Enter old password:

Step 3 Type the password, and then press Enter.

Result: The ACS SE displays the prompt:

Enter new password

Step 4 Type the new password, and then press Enter.


Note The new password must not contain the administrator account name, must contain a minimum of 6 characters, and it must include a mix of at least 3 character types (numerals, special characters, uppercase letters, and lowercase letters). Each of the following examples is acceptable: 1PaSsWoRd, *password44, Pass*word.


Result: The ACS SE displays the prompt:

Reenter new password

Step 5 Type the new password again, and then press Enter.

Result: The ACS SE displays the prompt:

Password is set successfully.  
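
The password rule stated in the note above, and in the identical note under Resetting the Solution Engine Administrator Password, can be checked before a new password is typed at the console. The following Python is an added example, not Cisco code: the case-insensitive name comparison, the treatment of every non-alphanumeric ASCII character as a special character, and the account name acsadmin are assumptions.

```python
import string

MIN_LENGTH = 6          # "must contain a minimum of 6 characters"
MIN_CHAR_TYPES = 3      # "a mix of at least 3 character types"


def character_types(password):
    """Return the set of character types present in the password.

    Assumption: anything that is not an ASCII digit or ASCII letter
    counts as a special character.
    """
    types = set()
    for ch in password:
        if ch in string.digits:
            types.add("numeral")
        elif ch in string.ascii_uppercase:
            types.add("uppercase")
        elif ch in string.ascii_lowercase:
            types.add("lowercase")
        else:
            types.add("special")
    return types


def policy_violations(password, admin_name):
    """Return a list of the rules from the note that the password breaks.

    An empty list means the candidate satisfies all three rules.
    Assumption: the account-name check ignores case, which is the
    stricter reading of "must not contain the administrator account name".
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("shorter than 6 characters")
    if admin_name and admin_name.lower() in password.lower():
        violations.append("contains the administrator account name")
    if len(character_types(password)) < MIN_CHAR_TYPES:
        violations.append("fewer than 3 character types")
    return violations


# The three passwords the note gives as acceptable.
PAGE_EXAMPLES = ("1PaSsWoRd", "*password44", "Pass*word")

if __name__ == "__main__":
    admin = "acsadmin"  # hypothetical account name for the demonstration
    for candidate in PAGE_EXAMPLES + ("password", "Ab1", "AcsAdmin*9"):
        print(candidate, policy_violations(candidate, admin) or "ok")
```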


Reconfiguring the Solution Engine IP Address

Typically, you configure the IP address only once, during initial configuration. See Configuring ACS SE, page 3-11.


Caution Reconfiguring the IP address may cause other network devices to fail to recognize the ACS SE.


Caution Reconfiguring the IP address causes services to restart. AAA services to users will be interrupted.


Note To set or change the IP address of your ACS SE, ACS SE must be connected to a working Ethernet connection.


To reconfigure the IP address:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine From a Serial Console.

Step 2 Type set ip, and then press Enter.

Step 3 At the Use Static IP Address [Y]: prompt, type Y for yes or N for No, and then press Enter.

Step 4 If you answered No to using a static IP address, the system displays a confirmation of DHCP and the message IP Address is reconfigured. Continue the procedure with Step 5.

If you responded Yes in the previous step to use a static IP address:

a. To specify the ACS SE IP address, at the IP Address [xx.xx.xx.xx]: prompt, type the IP address, and then press Enter.

b. At the Subnet Mask [xx.xx.xx.xx]: prompt, type the subnet mask, and then press Enter.

c. At the Default Gateway [xx.xx.xx.xx]: prompt, type the default gateway, and then press Enter.

d. At the DNS Servers [xx.xx.xx.xx]: prompt, type the address of any DNS servers you intend to use (separate each by a single space), and then press Enter.

Result: The system displays the new configuration information and the message:

IP Address is reconfigured.

Step 5 Review the information presented and, at the Confirm the changes? [Y]: prompt, press Enter.

Result: The ACS SE restarts. The system displays the message:

New ip address is set.

Step 6 At the prompt, Test network connectivity [Yes]:, type Y, and then press Enter.


Tip This step executes a ping command to ensure the connectivity of the ACS SE.


Step 7 At the prompt, Enter hostname or IP address:, type the IP address or hostname of a device connected to the ACS SE and then press Enter.

Result: If successful, the system displays the ping statistics. Once again the system displays the Test network connectivity [Yes]: prompt.

Step 8 If network connectivity is proven okay in the previous two steps, at the prompt, Test network connectivity [Yes]:, type N, and then press Enter.


Tip The system will continue to provide you with the opportunity to test network connectivity until you answer N. This procedure gives you an opportunity, if required, to correct network connections or retype the IP address.


Result: The ACS SE restarts services, and displays the system prompt.
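
Because confirming set ip restarts services and interrupts AAA, it is worth checking the four static-address answers against each other before typing them at the console. The following check is an added example, not part of ACS SE or Cisco's documentation; the function name check_static_ip_answers is hypothetical, and it is meant to run on the administrator's workstation.

```python
import ipaddress


def check_static_ip_answers(ip, mask, gateway, dns_line):
    """Return a list of problems in the answers planned for the set ip prompts.

    Hypothetical helper, not part of ACS SE. An empty list means the
    four answers are consistent with each other.
    """
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    except ValueError as exc:
        # Raised for a malformed address and for a non-contiguous mask.
        return [f"IP address or subnet mask rejected: {exc}"]

    problems = []
    net = iface.network
    if str(iface.netmask) != mask:
        # ipaddress also accepts prefix lengths and host masks; the prompt
        # shows dotted-decimal form, so only that form passes here.
        problems.append(f"subnet mask {mask!r} is not a dotted-decimal netmask")
    # In /31 and /32 networks every address is usable, so nothing is reserved.
    reserved = set()
    if net.prefixlen < 31:
        reserved = {net.network_address, net.broadcast_address}
    if iface.ip in reserved:
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")

    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        problems.append(f"default gateway {gateway!r} is not an IPv4 address")
    else:
        if gw not in net:
            problems.append(f"default gateway {gw} is outside {net}")
        elif gw == iface.ip:
            problems.append("default gateway equals the appliance address")
        elif gw in reserved:
            problems.append(f"default gateway {gw} is a reserved address in {net}")

    # The DNS Servers prompt takes addresses separated by a single space.
    if dns_line != " ".join(dns_line.split()):
        problems.append("DNS servers must be separated by a single space")
    for token in dns_line.split():
        try:
            ipaddress.IPv4Address(token)
        except ValueError:
            problems.append(f"DNS server {token!r} is not an IPv4 address")
    return problems
```

An empty list means the answers agree with each other; it does not show that the address is unused or that the gateway is reachable, which is what the connectivity test in Steps 6 through 8 covers.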


Setting the System Time and Date Manually

You can set and maintain the system date and time by using one of two methods:

Set the time and date manually.

Assign a network time protocol (NTP) server with which the system synchronizes its date and time.

To set the ACS SE system time and date by using NTP, see Setting the System Time and Date with NTP.

To set the ACS SE system time and date manually:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine From a Serial Console.

Step 2 At the system prompt, type set time, and then press Enter.

Result: The system displays the message:

Current Date Time Setting:
Time Zone: (GMT -xx:xx) XXX Time
Date and Time: mm/dd/yyyy hh/mm/ss

NTP Servers: ("Ntp Synchronization Disabled" - or - a list of NTP servers)
Change Date & Time Setting? [N]

Step 3 To set the time zone, time, or date, type Y, and then press Enter.

Result: The system displays a list of indexed time zones and the message:

[xx] (GMT -xx:xx) XXX Time.
Enter desired time zone index (0 for more choices) [x]:

Step 4 Enter the desired time zone index number from the time zone setting list, and then press Enter.


Tip You can also type 0 (zero) and press Enter to see more time zone index numbers.


Result: The system displays the new time zone.

Step 5 At the Synchronize with NTP Server? prompt, type N, and then press Enter.

Step 6 At the Enter date [mm/dd/yyyy]: prompt, type the date, and then press Enter.

Step 7 At the Enter time [hh:mm:ss]: prompt, type the current time, and then press Enter.

Result: The system time is reset.


Setting the System Time and Date with NTP

You can set and maintain the system date and time by using one of two methods:

Set the time and date manually.

Assign a network time protocol (NTP) server with which the system synchronizes its date and time. (You can configure backup NTP servers if you desire.)

To set the ACS SE system time and date manually, see Setting the System Time and Date Manually.

To set the ACS SE system time and date with NTP:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine From a Serial Console.

Step 2 At the system prompt, type set time, and then press Enter.

Result: The system displays the message:

Current Date Time Setting:
Time Zone: (GMT -xx:xx) XXX Time 
Date and Time: mm/dd/yyyy hh/mm/ss 
NTP Servers: ("Ntp Synchronization Disabled" - or - List of NTP servers)
Change Date & Time Setting? [N]

Step 3 To set the time zone, time, or date, type Y, and then press Enter.

Result: The system displays indexed time zones and the message:

[xx] (GMT -xx:xx) XXX Time.
Enter desired time zone index (0 for more choices) [x]:

Step 4 Enter the desired time zone index number from the time zone setting list, and then press Enter.


Tip You can also type 0 (zero) and press Enter to see more time zone index numbers; or simply press Enter to accept the existing time zone.


Result: The system displays the time zone setting.

Step 5 At the Synchronize with NTP Server? prompt, type Y, and then press Enter.

Step 6 At the Enter NTP Server IP Address(es): prompt, enter the IP address of the NTP server that you want to use, and then press Enter.


Tip If you want to configure multiple NTP servers, at the Enter NTP Server IP Address: prompt, enter multiple IP addresses, each separated by a space.


Result: The system displays the message:

Successfully synchronized with NTP server
Current Date/Time Setting:
Time Zone: XXX
Date & Time:
NTP servers:


Setting the System Timeout

You can set a system timeout. This is the number of minutes that can pass with no activity on the serial console before the console login times out.

To set the ACS SE system timeout:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine From a Serial Console.

Step 2 At the system prompt, type set timeout followed by a single space and the timeout period in minutes.

Step 3 Press Enter.

Result: The system sets the new timeout period.


Setting the Solution Engine System Domain

You can set the system DNS domain from the serial console. To set the ACS SE system domain:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine From a Serial Console.

Step 2 At the system prompt, type set domain followed by a single space and the domain name.

Step 3 Press Enter.

Result: The system displays the confirmation message:

You should reboot appliance for the change to take effect.


Setting the Solution Engine System Hostname


Caution Performing this procedure stops and restarts all services, and will interrupt use of the ACS SE.

You can set the system hostname. To set the ACS SE system hostname:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine From a Serial Console.

Step 2 At the system prompt, type set hostname followed by a single space and the hostname.


Tip You can use up to 15 letters and numbers, but no spaces.


Step 3 Press Enter.

Result: The system restarts all services, and the hostname is reset. The system then displays the confirmation message:

You should reboot appliance for the change to take effect. 

(The hostname is then reset after system reboot.)


Patch Rollback

This section contains:

Removing Installed Patches

Understanding the CSAgent Patch

Removing Installed Patches

Use this procedure to uninstall one or more patches and to roll back the ACS SE to the version that existed before the patch installation.

To roll back an ACS SE system patch:


Step 1 Connect a console to the ACS SE console port. For the location of the console port, see Figure 1-2 on page 1-5.

Step 2 Type rollback and the name of the patch application that you want rolled back. Then press Enter.


Tip If you do not include the specific patch application name as a parameter following the rollback command, the system displays the list of patches that can be rolled back. Use this list to identify the patch application name, type rollback followed by the patch application name, and then press Enter.


Result: The system displays the confirmation message:

Are you sure you want to rollback [patch name]?)(Y/N):

Step 3 Type Y to continue.

Result: The system displays a series of messages that include:

Rolling patch back
Rollback process initiated successfully
Successfully rolled back `[patch name]' to 0.


Tip To obtain system information, including the current version, see Determining the Status of Solution Engine System and Services From a Serial Console.



Understanding the CSAgent Patch

In ACS SE the CSAgent service is implemented as a pre-installed patch. You must stop CSAgent before you can install any patch or upgrade. Although, as a patch, the CSAgent can be rolled back, the preferred method for disabling this service is simply to stop it. Once stopped, the CSAgent service does not restart when the system is restarted; you must explicitly restart the service for it to operate. For more information, see the User Guide for Cisco Secure Access Control Server.

Recovery Management

ACS SE functionality includes two procedures that the administrator can perform by using the ACS SE Recovery CD-ROM:

Recovering from Loss of Administrator Credentials

Re-imaging the Solution Engine Hard Drive

Recovering from Loss of Administrator Credentials

If you cannot log in to the system because you have lost the account name or password for the ACS SE administrator account, perform this procedure. In this procedure you use the ACS SE Recovery CD-ROM to access the system from the serial console and reset the administrator login credentials.

You should understand the following regarding the ACS SE administrator login credentials:

Only one set of administrator login credentials exists at one time.

Administrator login credentials are set (that is, changed from the default) during initial configuration.

Administrator login credentials may be reset. For more information, see Resetting the Solution Engine Administrator Password.

This recovery procedure entails replacing the administrator login credentials with a new account name and password.

To reset the administrator login credentials:


Step 1 Connect a console to the ACS SE console port. For the location of the console port, see Figure 1-2 on page 1-5.

Step 2 Power on the console.

Step 3 Insert the ACS SE Recovery CD-ROM into the solution engine CD-ROM drive.

Step 4 Power on the ACS SE. (Or if already running, reboot the solution engine. For more information, see Rebooting the Solution Engine From a Serial Console.)

Result: The system displays the message:

ACS Appliance Recovery Options
[1] Reset administrator account
[2] Restore hard disk image from CD
[3] Exit and reboot
Enter menu item number: [ ]

Step 5 Type 1.

Result: The system displays the prompt:

Hit the Return key to log in.

Step 6 Type Y.

Result: The system displays the prompt:

Please remove this recovery CD from the drive, 
then hit RETURN to restart the system:

Step 7 Remove the recovery CD from the drive, and then press Enter.

Result: The system reboots, and then displays the system version information followed by:

Status: The appliance is functioning properly
Login:

Step 8 Type Administrator, and then press Enter.

The password is case sensitive.

Step 9 At the password prompt, type setup, and then press Enter.

Result: The system displays the system prompt.

Step 10 At the Enter new account name: prompt, type the name of the ACS SE administrator, and then press Enter.

Step 11 At the Enter new password: prompt, enter the new ACS SE password. Press Enter.


Note The new password must contain a minimum of 6 characters, and it must include a mix of at least 3 character types (numerals, special characters, uppercase letters, and lowercase letters). Each of the following examples is acceptable: 1PaSsWoRd, *password44, Pass*word.


Step 12 At the Enter new password again: prompt, type the new ACS SE password, and then press Enter.

Result: The system displays the message:

Password is set successfully.


Re-imaging the Solution Engine Hard Drive

Use the ACS SE Recovery CD-ROM to re-image the ACS SE if necessary.


Caution Performing this procedure destroys all data stored on the ACS SE.

To re-image your ACS SE:


Step 1 Connect a console to the ACS SE console port. For the location of the console port, see Figure 1-2 on page 1-5.

Step 2 Put the Recovery CD in the ACS SE CD-ROM drive. See Figure 1-2 on page 1-5.

Step 3 Power on the ACS SE. (Or, if the solution engine is already running, reboot it.) For more information, see Rebooting the Solution Engine From a Serial Console.

Result: The ACS SE displays the message:

ACS Appliance Recovery Options
[1] Reset administrator account
[2] Restore hard disk image from CD
[3] Exit and reboot
Enter menu item number: [ ]

Step 4 Type 2, and then press Enter.

Result: The ACS SE displays the message:

This operation will completely erase the hard drive. Press `Y' to confirm, any other key 
to cancel: __


Caution The next step erases the ACS SE hard drive. You will permanently lose all system data that you have not backed up.

Step 5 Type Y.

Result: The ACS SE processes the new image (this may take more than 2 minutes) while displaying odd characters and then displays the message:

The system has been reimaged successfully. Please remove this recovery CD from the drive, 
then hit RETURN to restart the system:

Step 6 Remove the Recovery CD from the ACS SE.

Step 7 Press Enter to restart the ACS SE.

Result: The ACS SE reboots, performs some configurations, and reboots again. The configurations that occur after the first reboot take a significant amount of time, during which there is no feedback, which is normal system behavior.


Note After re-imaging the solution engine hard drive, you must once again perform initial configuration of the ACS SE. For detailed instructions, see Configuring ACS SE, page 3-11.