Installation Guide for Cisco Secure ACS Solution Engine 4.2.1
Administering Cisco Secure ACS Solution Engine

Table Of Contents

Administering Cisco Secure ACS Solution Engine

Basic Command Line Administration Tasks

Logging In to the Solution Engine from a Serial Console

Shutting Down the Solution Engine from a Serial Console

Logging Off the Solution Engine from a Serial Console

Rebooting the Solution Engine from a Serial Console

Determining the Status of Solution Engine System and Services from a Serial Console

Tracing Routes

Stopping Solution Engine Services from a Serial Console

Starting Solution Engine Services from a Serial Console

Restarting Solution Engine Services from a Serial Console

Getting Command Help from the Serial Console

Working with System Data

Obtaining Support Logs from the Serial Console

Exporting Logs

Exporting a List of Groups

Exporting a List of Users

Backing Up ACS Data from the Serial Console

Restoring ACS Data from the Serial Console

Enabling RDBMS Synchronization

Enabling Remote Invocation for CSDBSync Functionality

Reconfiguring Solution Engine System Parameters

Resetting the Solution Engine Administrator Password

Resetting the Solution Engine CLI Administrator Name

Resetting the GUI Administrator Login and Password

Resetting the Solution Engine Database Password

Reconfiguring the Solution Engine IP Address

Setting the System Time and Date Manually

Setting the System Time and Date with NTP

Setting the System Timeout

Setting the Solution Engine System Domain

Setting the Solution Engine System Hostname

Patch Rollback

Removing Installed Patches

Understanding the CSAgent Patch

Recovery Management

Recovering from Loss of Administrator Credentials

Re-imaging the Solution Engine Hard Drive


Administering Cisco Secure ACS Solution Engine


This section describes the major ACS SE system administration tasks that you can perform using the CLI over a serial console connection. For all other ACS SE configuration and administration tasks, that is, those performed from the ACS web interface, see the User Guide for Cisco Secure Access Control Server 4.2.

Serial console service starts automatically when the ACS SE boots and prompts the user to log in. Successful login launches a command line application (shell) that operates the CLI.

This chapter contains:

Basic Command Line Administration Tasks

Working with System Data

Reconfiguring Solution Engine System Parameters

Patch Rollback

Recovery Management

Basic Command Line Administration Tasks

This section details basic administrative tasks you can perform from a serial console connected to the ACS SE. This section contains:

Logging In to the Solution Engine from a Serial Console

Shutting Down the Solution Engine from a Serial Console

Logging Off the Solution Engine from a Serial Console

Rebooting the Solution Engine from a Serial Console

Determining the Status of Solution Engine System and Services from a Serial Console

Tracing Routes

Stopping Solution Engine Services from a Serial Console

Starting Solution Engine Services from a Serial Console

Restarting Solution Engine Services from a Serial Console

Getting Command Help from the Serial Console

Logging In to the Solution Engine from a Serial Console

To log in to the ACS SE from a serial console:


Step 1 Establish a serial console connection to the ACS SE. For details, see Establishing a Serial Console Connection.

Step 2 At the login: prompt, enter the ACS SE administrator name, and press Enter.

Step 3 At the password: prompt, enter the password, and press Enter.

Result: The system prompt appears:

ACS SE name


Note Only one set of ACS SE login credentials (administrator name and password) has the serial connection privilege.



Shutting Down the Solution Engine from a Serial Console

You can use the serial console to shut down the ACS SE.


Caution Powering off the ACS SE by using only the power switch might cause the loss or corruption of data.

To use the serial console to shut down the ACS SE:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.

Step 2 At the system prompt, enter shutdown, and press Enter.

Step 3 At the Are you sure you want to shut down? (Y/N): prompt, enter Y for yes, and press Enter.

Result: The console displays:

It is now safe to turn off the computer

Step 4 Press the power switch and hold it down for 4 seconds to turn off the ACS SE.

For the location of the power switch see Figure 1-2.

Result: The ACS SE powers OFF.


Logging Off the Solution Engine from a Serial Console

To log off the ACS SE from a serial console:

At the system prompt, enter exit, and press Enter.

Result: The serial console connection closes, and the prompt appears.


Rebooting the Solution Engine from a Serial Console

To reboot the ACS SE from the serial console:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.

Step 2 At the system prompt, enter reboot, and press Enter.

Step 3 At the Are you sure you want to reboot? (Y/N): prompt, enter Y for yes, and press Enter.

Result: The ACS SE reboots. When the reboot is finished, the prompt appears.


Determining the Status of Solution Engine System and Services from a Serial Console

You can use the serial console connection to obtain system and service status information.


Note You typically perform status determination in the ACS SE web interface. For more information, see "Determining the Status of Cisco Secure ACS Services" in the User Guide for Cisco Secure Access Control Server 4.2.


To determine the status of the ACS SE and its services:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.

Step 2 At the system prompt, enter show, and press Enter.

Result: The console displays:

ACS SE Name
ACS SE Version
Appliance Management Software Version
Appliance Base Image Version
CSA build XXXX: (Patch: x_x_x_xxx)
Session Timeout (in minutes)
Last Reboot Time
Current Date & Time
Time Zone
NTP Server(s)
CPU Load (percentage)
Free Disk (amount of hard drive space available)
Free Physical Memory
Appliance IP Configuration
DHCP Enabled (Yes/No)
IP Address
Subnet Mask 
Default Gateway
DNS Servers 
ACS Services (running/stopped)
CSAdmin
CSAgent
CSAuth
CSDbSync
CSLog 
CSMon
CSRadius 
CSTacacs

Tracing Routes

If you are unfamiliar with the trace route command or want information on the command's optional arguments, see the Command Reference entry tracert.

To trace the network route that the ACS SE takes to a given destination:

At the system prompt, enter tracert, followed by zero (0) or more optional arguments, and the IP address of the target destination, and press Enter.

Result: The console displays the route tracing information followed by the message:

Trace complete

Stopping Solution Engine Services from a Serial Console


Note You typically stop solution engine services in the web interface.


You can stop any of the ACS SE services from the serial console. The ACS SE services include:

CSAdmin

CSAgent

CSAuth

CSDbSync

CSLog

CSMon

CSRadius

CSTacacs


Tip To list the services and their status, you can use the show command. For more information, see Determining the Status of Solution Engine System and Services from a Serial Console.



Note When you stop the CSAgent service, the service remains disabled until you explicitly start it again because the CSAgent service does not automatically restart when the system is rebooted.


To stop an SE service:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.

Step 2 At the system prompt, enter stop followed by a single space and the name of the ACS service that you want to stop, and press Enter.


Tip You can list more than one service to stop; enter a single space between each.


Result: The console displays:

Stopping service: [service name]. . . .
[service name] is not running

Starting Solution Engine Services from a Serial Console


Note You typically start solution engine services in the web interface.


You can start any of the ACS services from the serial console. The ACS SE services include:

CSAdmin

CSAgent

CSAuth

CSDbSync

CSLog

CSMon

CSRadius

CSTacacs


Tip To list the services and their status, you can use the show command. For more information, see Determining the Status of Solution Engine System and Services from a Serial Console.


To start an SE service:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.

Step 2 At the system prompt, enter start followed by a single space and the name of the ACS service that you want to start, and press Enter.


Tip You can list more than one service to start; enter a single space between each.


Result: The console displays:

Starting service: [service name]. . . .
[service name] is starting
[service name] is running

Restarting Solution Engine Services from a Serial Console


Note You typically restart solution engine services in the web interface.


You can restart any ACS SE service from the serial console. ACS SE services include:

CSAdmin

CSAgent

CSAuth

CSDbSync

CSLog

CSMon

CSRadius

CSTacacs


Tip To list the services and their status, you can use the show command. For more information, see Determining the Status of Solution Engine System and Services from a Serial Console.


To restart an SE service:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.

Step 2 At the system prompt, enter restart followed by a single space and the name of the ACS service that you want to restart, and press Enter.


Tip You can list more than one service to restart; enter a single space between each.


Result: The console displays:

[service name] is stopping. . .
[service name] is not running
[service name] is starting
[service name] is running

Getting Command Help from the Serial Console

To obtain a list and description of commands on the ACS SE from the serial console:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.

Step 2 At the system prompt, enter help, and press Enter.


Tip Press Enter again to scroll through the list of commands, as necessary.


Result: The ACS SE displays the list of commands and their descriptions, as shown in Table 4-1.

Table 4-1 ACS SE Commands

Command            Description
guilogon           Enable or disable GUI
?                  List commands
unlock guiadmin    Unlock GUI administrator
remove guiadmin    Remove GUI administrator
add guiadmin       Add a GUI administrator account that allows access to the SE using the ACS web GUI
backup             Back up appliance
download           Download ACS Install Package
exit               Log off
exportgroups       Export group information to an FTP server
exportlogs         Export appliance diagnostic logs to an FTP server
exportusers        Export user information to an FTP server
help               List commands
ntpsync            Perform Network Time Protocol synchronization with predefined NTP servers
ping               Verify connections to remote computers
reboot             Soft reboot appliance
restart            Restart ACS services
restore            Restore appliance
rollback           Roll back patched package
set                Set commands
set admin          Set administrator's name
set domain         Set DNS domain
set hostname       Set appliance's hostname
set ip             Set IP configuration
set password       Set administrator's password
set dbpassword     Set database encryption password
set time           Set time zone, enable NTP synchronization, or set date and time
set timeout        Set the timeout for a serial console with no activity
show               Show appliance status
shutdown           Shut down appliance
start              Start ACS services
stop               Stop ACS services
support            Collect logs, registry, and other useful information
tracert            Determine the route taken to a destination
upgrade            Upgrade appliance (stage II)



For more information on ACS SE commands, see "Command Reference."


Working with System Data

This section explains basic data-manipulation tasks performed from a serial console connected to the ACS SE:

Obtaining Support Logs from the Serial Console

Exporting Logs

Exporting a List of Groups

Exporting a List of Users

Backing Up ACS Data from the Serial Console

Restoring ACS Data from the Serial Console

Enabling RDBMS Synchronization

Enabling Remote Invocation for CSDBSync Functionality

Obtaining Support Logs from the Serial Console

This section details the procedure for running the support tool. The support tool first collects logs, system Registry information, and other ancillary data, and then compresses the collected information into a single file with the extension .cab. This file is then sent to support personnel for analysis.


Caution Performing this procedure stops and restarts all services, and will interrupt use of the ACS SE.


Note You typically perform this procedure in the ACS SE web interface.


This procedure uses the support command. For more information on this command, see support. The arguments for the support command include:

Argument    Description
-d n        Collect the previous n days' logs
-u          Collect user database information
server      Hostname of the FTP server to which the file is to be sent
filepath    Location under the FTP root of the server to which package.cab is to be sent
username    Account used to authenticate the FTP session


To generate a .cab file of log and system registry information:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.

Step 2 At the system prompt, enter support and the necessary arguments, and press Enter.

Step 3 To collect user database information, at the Collect User Data? <Y or N>: prompt, enter Y and press Enter.

Step 4 At the Collect Previous days logs? <N or Number of days><1>: prompt, enter the number of days for which you want to collect information (from 1 to 9999), and press Enter.

Step 5 At the Enter FTP Server Hostname or IP Address: prompt, enter the FTP server hostname or IP address, and press Enter.

Step 6 At the Enter FTP Server Directory: prompt, enter the pathname to the location on your FTP server to which you want to send the file, and press Enter.

Step 7 At the Enter FTP Server Username: prompt, enter the FTP server username, and press Enter.


Caution Performing this next step begins the procedure that stops and restarts all services, and will interrupt use of the ACS SE.

Step 8 At the Enter FTP Server Password: prompt, enter the FTP server password, and press Enter.

Result: The ACS SE displays a series of messages detailing the writing and dumping of the files, and the stopping and starting of services. When the file transfer completes, the system displays the following message on the console:

Transferring `Package.cab' completed
Press any key to finish.

This message indicates that the ACS SE has packaged and transferred the .cab file as specified and has restarted its services.

Result: The system returns to the system prompt.


Exporting Logs

This section details the procedure for exporting ACS SE log files to an FTP server for further examination and processing. Using the exportlogs command, you can enter the name of the log or logs to export, or select log names from a list.

Before You Begin

You must have the FTP server address and pathname, as well as the proper credentials for writing to the FTP server (username and password).


Caution Performing this procedure stops and restarts all services, and will interrupt use of the ACS SE.

To export log files to an FTP server:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.

Step 2 At the system prompt, enter exportlogs logname, and press Enter.

Where logname is the name of the log you want to export.


Tip You can enter more than one log name and separate each with a space. If you enter no log name, and press Enter, the system displays the names of the log files available for export.



Caution Performing this procedure stops and restarts all services, and will interrupt use of the ACS SE.

Step 3 At the Enter FTP Server Hostname or IP Address: prompt, enter the IP address or hostname of the FTP server, and press Enter.

Step 4 At the Enter FTP Server Directory: prompt, enter the FTP server directory pathname, and press Enter.

Step 5 At the Enter FTP Server Username: prompt, enter the FTP server username, and press Enter.

Step 6 At the Enter FTP Server Password: prompt, enter the FTP server password, and press Enter.

Result: The ACS SE exports the specified files to the specified location.


Exporting a List of Groups

This section details the procedure for exporting a list of ACS SE user groups to an FTP server for further examination and processing.

Before You Begin

You must have the FTP server address and pathname, as well as the proper credentials for writing to the FTP server (username and password).


Caution Performing this procedure stops and restarts the CSAuth service, and will interrupt use of the ACS SE.

To export a user group list to an FTP server:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.

Step 2 At the system prompt, enter exportgroups, and press Enter.


Tip You can enter the following parameters after the command or in response to subsequent prompts: [server] [username] [filepath]


Result: The console displays:

Command will restart CSAuth. Are you sure you want to continue? <Y/N>:

Caution Performing this procedure stops and restarts the CSAuth service, and will interrupt use of the ACS SE.

Step 3 To proceed, enter Y, and press Enter.

Step 4 At the Enter FTP Server Hostname or IP Address: prompt, enter the FTP server IP address or hostname and press Enter.

Step 5 At the Enter FTP Server Directory: prompt, enter the FTP server directory pathname, and press Enter.

Step 6 At the Enter FTP Server Username: prompt, enter the FTP server username, and press Enter.

Step 7 At the Enter FTP Server Password: prompt, enter the FTP server password, and press Enter.

Result: The ACS SE exports the group list file to the specified location. When completed the system displays the message:

Transferring `groups.txt' completed

The system prompt returns.


Exporting a List of Users

This section details the procedure for exporting a list of ACS SE users to an FTP server for further examination and processing.

Before You Begin

You must have the FTP server address and pathname, as well as the proper credentials for writing to the FTP server (username and password).


Caution Performing this procedure stops and restarts the CSAuth service, and will interrupt use of the ACS SE.

To export a list of users to an FTP server:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.

Step 2 At the system prompt, enter exportusers, and press Enter.


Tip You can enter the following parameters after the command or in response to subsequent prompts: [server] [username] [filepath]


Result: The console displays:

Command will restart CSAuth. Are you sure you want to continue? <Y/N>:

Caution Performing this procedure stops and restarts the CSAuth service, and will interrupt use of the ACS SE.

Step 3 To proceed, enter Y, and press Enter.

Step 4 At the Enter FTP Server Hostname or IP Address: prompt, enter the FTP server IP address or hostname, and press Enter.

Step 5 At the Enter FTP Server Directory: prompt, enter the FTP server directory pathname, and press Enter.

Step 6 At the Enter FTP Server Username: prompt, enter the FTP server username, and press Enter.

Step 7 At the Enter FTP Server Password: prompt, enter the FTP server password, and press Enter.

Result: ACS SE exports the file of the list of users to the specified location, and then displays the message:

Transferring `users.txt' completed

The system prompt reappears.


Backing Up ACS Data from the Serial Console

This section details how to use the serial console to back up ACS SE data to an FTP server.


Note You typically perform this procedure in the web interface.


During back up, AAA services are interrupted, and ACS SE data is packaged and sent in a file to an FTP server. You might choose to encrypt this file package. For information on how to restore the backup data to the system, see Restoring ACS Data from the Serial Console.

Before You Begin

You must have the FTP server address and pathname, as well as the proper credentials for writing to the FTP server (username and password).


Caution This procedure interrupts the use of the ACS SE for AAA services.

To export ACS SE data to an FTP server:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.

Step 2 At the system prompt, enter backup and press Enter.


Tip You can enter the following parameters after the command or in response to subsequent prompts: [server] [username] [filepath]


Step 3 At the Enter FTP Server Hostname or IP Address: prompt, enter the FTP server IP address or hostname, and press Enter.

Step 4 At the Enter FTP Server Directory: prompt, enter the FTP server directory pathname, and press Enter.

Step 5 At the Enter FTP Server Username: prompt, enter the FTP server username, and press Enter.

Step 6 At the Enter FTP Server Password: prompt, enter the FTP server password, and press Enter.

Step 7 At the File: prompt, enter the name that you want to give the backup file, and press Enter.

Step 8 At the Encrypt Backup file? <Y or N>: prompt, enter Y to encrypt the backup file or N not to encrypt it, and press Enter.


Caution This procedure interrupts the use of the ACS SE for AAA services.

Step 9 If you entered Y to encrypt the backup file, at the Encryption Password: prompt, enter a password and then press Enter.

Result: The console displays:

Backing up now . . .
All running services will be stopped and restarted automatically.
Are you sure you want to proceed? <Y or N>

Step 10 To proceed, enter Y and press Enter.

Result: The ACS SE exports the backup file to the specified location and displays messages regarding the progress of the back up.

The system displays the following message on the console when the backup process is complete:

Transferring xxx completed.

The system prompt reappears.


Restoring ACS Data from the Serial Console

This section details how to use the serial console to restore ACS SE data from an FTP server after you perform a back up. For more information on backing up ACS SE data, see Backing Up ACS Data from the Serial Console.


Note You typically perform this procedure in the web interface.


Before You Begin

You must have the FTP server address and pathname, as well as the proper credentials for writing to the FTP server (username and password). You also need the name of the backup file and, if the backup was encrypted, the decryption password.


Caution This procedure interrupts the use of the ACS SE for AAA services.


Caution This procedure overwrites current system data and replaces it with the backup data.

To restore ACS SE data from an FTP server:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.

Step 2 At the system prompt, enter restore, and press Enter.


Tip You can enter the following parameters after the command or in response to subsequent prompts: [server] [username] [filepath]


Step 3 At the Enter FTP Server Hostname or IP Address: prompt, enter the FTP server IP address or hostname, and press Enter.

Step 4 At the Enter FTP Server Directory: prompt, enter the FTP server directory pathname, and press Enter.

Step 5 At the Enter FTP Server Username: prompt, enter the FTP server username, and press Enter.

Step 6 At the Enter FTP Server Password: prompt, enter the FTP server password, and press Enter.

Step 7 At the File: prompt, enter the name of the backup file, and press Enter.

Step 8 At the Select Components to Restore: User and Group Database: <Y or N> prompt, enter Y to restore the user and group database, and press Enter.

Step 9 At the CiscoSecure ACS System Configuration: <Y or N> prompt, enter Y to restore the system configuration data, and press Enter.

Step 10 At the Decrypt Backup file? <Y or N>: prompt, enter Y, if you previously encrypted the backup file, and press Enter.

Step 11 If you entered Y to decrypt the backup file, at the Encryption Password: prompt, enter the FTP password, and press Enter.


Note The system displays a warning message on the console:
Reloading a system backup will overwrite ALL current configuration information. All services will be stopped and started automatically


Step 12 At the Are you sure you want to proceed? <Y or N>: prompt, enter Y and press Enter.

Result: The ACS SE receives the backup file from the specified location and displays messages regarding the restoration. You might see warnings about components not included in the backup file. For example, if ACS SE has no shared profile components configured, you see a message about Device Command Sets (DCS) not on the backup, which is normal.

When completed, the system displays the following message on the console:

Done

Note You cannot restore ACS 4.1 data from the serial console. You can perform this procedure only through the web interface.



Enabling RDBMS Synchronization

RDBMS Synchronization supports the manipulation and updating of ACS internal database objects. You can create, read, update, and delete all data items that RDBMS Synchronization can access. This section details the procedure for invoking RDBMS Synchronization on the ACS SE.

For more information about RDBMS Synchronization, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/user.html


Note You must upload and use the accountActions.csv file to perform RDBMS Synchronization on ACS SE.


Before You Begin

You must have the FTP server address and pathname, as well as write permissions to the FTP server directory.

To configure RDBMS Synchronization on the SE:


Step 1 Connect to the ACS SE via the SSH client. Check the connectivity between the SSH client and the SSH server.

Step 2 Log in to the GUI administrator account and enter the administrator name and password.

Step 3 In the navigation bar, click System Configuration.

Step 4 Click RDBMS Synchronization.

The RDBMS Synchronization setup page appears.

Step 5 In the FTP Setup For Account Actions Download Table, enter:

a. The name of the accountActions file that you want to use to update ACS.

b. The IP address or hostname of the FTP server from where ACS SE must download the accountActions file.

c. The directory path on the FTP server where the accountActions file resides.

d. The username for ACS to access the FTP server.

e. The password for the FTP server.

Step 6 Upload the CSV file.

ACS SE will automatically create the DSN.


Note The uploaded CSV file must be in a valid format and the values given in the CSV file for RDBMS Synchronization must be valid.


Step 7 Log in to the CLI administrator account and enter the administrator username and password.

Step 8 At the system prompt, enter csdbsync -syncnow and press Enter.

Step 9 The console displays:

CSDbSync v4.2(0.113), Copyright 1997-2007, Cisco Systems Inc 
Logging mode: FULL 
Transaction processing invoked manually 
 
Sync complete: 10 transaction(s) 0 parse error(s) 0 process error(s) 
SL:Disconnect Start 
DBConnectionPool: 2 Connecion(s) to delete 
Going to sleep for 0.5 sec 
Going to sleep for 0.5 sec 
Going to sleep for 0.5 sec 
Going to sleep for 0.5 sec 
DBConnectionPool: Destructor Complete 
SL:Disconnect Complete 

ACS SE fetches the CSV file from the database, reads the action codes in the file, and performs the RDBMS Synchronization operations specified in the file.
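When csdbsync -syncnow is run from the console, the only indication of a partial failure is the set of counters in the Sync complete line shown above. The following Python snippet is an added example, not Cisco code: it extracts that summary line from captured console output and treats any non-zero parse or process error count as a failed synchronization, so a scripted or logged run can be checked rather than eyeballed. The first sample is the guide's own output reproduced above; the second sample, with non-zero error counts, is constructed here to exercise the failure path.

```python
# Added example (not Cisco code): extract the CSDbSync result counters from
# captured serial-console output and decide whether the run was clean.
import re

# Sample 1: the successful run shown in the installation guide.
CLEAN_RUN = """\
CSDbSync v4.2(0.113), Copyright 1997-2007, Cisco Systems Inc
Logging mode: FULL
Transaction processing invoked manually

Sync complete: 10 transaction(s) 0 parse error(s) 0 process error(s)
SL:Disconnect Start
DBConnectionPool: 2 Connecion(s) to delete
Going to sleep for 0.5 sec
DBConnectionPool: Destructor Complete
SL:Disconnect Complete
"""

# Sample 2 (constructed for this example): a run in which two accountActions
# rows could not be parsed and one could not be applied.
FAILED_RUN = """\
CSDbSync v4.2(0.113), Copyright 1997-2007, Cisco Systems Inc
Logging mode: FULL
Transaction processing invoked manually

Sync complete: 7 transaction(s) 2 parse error(s) 1 process error(s)
SL:Disconnect Start
SL:Disconnect Complete
"""

# Matches the summary line exactly as the guide shows it.
SUMMARY_RE = re.compile(
    r"Sync complete:\s*(?P<transactions>\d+)\s+transaction\(s\)\s+"
    r"(?P<parse_errors>\d+)\s+parse error\(s\)\s+"
    r"(?P<process_errors>\d+)\s+process error\(s\)"
)


def parse_sync_summary(console_text):
    """Return the three counters as a dict, or None if no summary line was
    seen (for example, the console capture ended before CSDbSync finished)."""
    match = SUMMARY_RE.search(console_text)
    if match is None:
        return None
    return {name: int(value) for name, value in match.groupdict().items()}


def sync_succeeded(console_text):
    """True only when a summary line was found and both error counters are zero.
    A missing summary is treated as a failure, not as 'no errors'."""
    summary = parse_sync_summary(console_text)
    if summary is None:
        return False
    return summary["parse_errors"] == 0 and summary["process_errors"] == 0


if __name__ == "__main__":
    for label, text in (("clean run", CLEAN_RUN), ("failed run", FAILED_RUN)):
        verdict = "ok" if sync_succeeded(text) else "CHECK CSDbSync LOG"
        print(f"{label}: {parse_sync_summary(text)} -> {verdict}")
```

Because a truncated capture yields no summary line, the check fails closed: silence is reported as a problem rather than as success.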


Enabling Remote Invocation for CSDBSync Functionality

CSDBSync supports configuring ACS on the solution engine from remote systems. The CSDBSync service reads each record from the accountActions file and updates the ACS internal database according to the action code specified in the record. Synchronization events fail if CSDBSync cannot access the accountActions file. In a distributed environment, a single ACS, known as the senior synchronization partner, accesses the accountActions table and sends synchronization commands to its synchronization partners.

For more information about CSDBSync, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/user.html

Reconfiguring Solution Engine System Parameters

This section details basic reconfiguration tasks performed from a serial console connected to the ACS SE. This section contains:

Resetting the Solution Engine Administrator Password

Resetting the Solution Engine CLI Administrator Name

Resetting the GUI Administrator Login and Password

Resetting the Solution Engine Database Password

Reconfiguring the Solution Engine IP Address

Setting the System Time and Date Manually

Setting the System Time and Date with NTP

Setting the System Timeout

Setting the Solution Engine System Domain

Setting the Solution Engine System Hostname

Resetting the Solution Engine Administrator Password

There is always a single set of ACS SE administrator credentials, consisting of the administrator name and password. Unlike other ACS administrative accounts, this unique administrative account is granted all privileges, cannot be deleted, and is not listed in the Administrators table of the Administrative Control page in the ACS web interface. This account is called the CLI administrator account and allows access to the SE only through a serial console.

You can reset the ACS SE CLI administrator name, the administrator password, or both. This procedure details how to reset the password after you log in with the existing credentials. To reset the CLI administrator name see Resetting the Solution Engine CLI Administrator Name.

If you do not have the existing ACS SE CLI administrator login credentials, you must have the recovery CD-ROM to reset these credentials. For information on resetting the administrator login and password without first logging in, see Recovering from Loss of Administrator Credentials.

To reset the ACS SE administrator login credentials:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.

Step 2 At the system prompt, enter set password, and press Enter.

Step 3 When prompted for the old password, enter the old password, and press Enter.

Step 4 When prompted for the new account name, enter the new account name, and press Enter.

Step 5 When prompted for the new password, enter the new password, and press Enter.


Note The new password must be unique and should not be identical to any of the last ten passwords that have been used. It must not contain the administrator account name, must contain a minimum of six characters, and must include a mix of at least three character types: numerals, special characters, uppercase letters, and lowercase letters. Each of the following examples is acceptable: 1PaSsWoRd, *password44, Pass*word.


Step 6 When prompted to confirm the new password, reenter it, and press Enter.

Result: The console displays:

Password is set successfully.  
Administrator account name is set to _____
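The password rules in the Note above are easy to misapply when administrator passwords are generated or vetted outside the appliance. The following Python function is an added example, not Cisco code (the appliance enforces its own check when you run set password): it encodes exactly the stated rules, that is, a minimum of six characters, no occurrence of the administrator account name, at least three of the four character types, and no reuse of the last ten passwords, and returns the list of violated rules rather than a bare yes/no so an operator can see which rule tripped. Two details are assumptions made here because the guide does not spell them out: the account-name check is case-insensitive, and any character that is neither a letter nor a digit counts as a special character.

```python
# Added example (not Cisco code): check a candidate ACS SE CLI administrator
# password against the policy stated in the installation guide.

MIN_LENGTH = 6        # "must contain a minimum of six characters"
MIN_CLASSES = 3       # "at least three character types"
HISTORY_DEPTH = 10    # "not identical to the last ten passwords"


def character_classes(password):
    """Return the set of character types present in the password.

    Assumption: anything that is not a letter or a digit counts as a
    'special character'; the guide does not define the term further.
    """
    classes = set()
    for ch in password:
        if ch.isdigit():
            classes.add("numerals")
        elif ch.isalpha() and ch.isupper():
            classes.add("uppercase letters")
        elif ch.isalpha() and ch.islower():
            classes.add("lowercase letters")
        else:
            classes.add("special characters")
    return classes


def check_password(candidate, account_name, previous_passwords=()):
    """Return a list of policy violations; an empty list means acceptable.

    previous_passwords is the password history, oldest first; only the most
    recent HISTORY_DEPTH entries are compared, as the guide describes.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Assumption: compare case-insensitively so 'Admin' inside 'xAdmin1!' is caught.
    if account_name and account_name.lower() in candidate.lower():
        problems.append("contains the administrator account name")
    found = character_classes(candidate)
    if len(found) < MIN_CLASSES:
        problems.append(
            f"uses only {len(found)} character type(s); {MIN_CLASSES} required")
    if candidate in list(previous_passwords)[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # The three examples the guide calls acceptable, plus two that should fail.
    for pw in ("1PaSsWoRd", "*password44", "Pass*word", "password", "Admin123!"):
        result = check_password(pw, "admin")
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
```

The history check deliberately looks only at the last ten entries, so a password older than that is accepted again, which is what the Note's wording allows.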

Resetting the Solution Engine CLI Administrator Name

There is always a single set of ACS SE CLI administrator credentials that consists of the administrator name and password. Unlike other ACS administrative accounts, this unique administrative account is granted all privileges, cannot be deleted, and is not listed in the Administrators table of the Administrative Control page in the ACS web interface.

You can reset the CLI administrator name, the administrator password, or both. This procedure details how to reset the administrator name after you log in with the existing credentials. To reset the password, see Resetting the Solution Engine Administrator Password.


Note The CLI administrator login does not provide access to the SE using the web GUI. You must set up an initial web GUI password using the add guiadmin command. For information on setting up an initial web GUI account, see Resetting the GUI Administrator Login and Password.


If you do not have the existing CLI administrator login credentials, you must have the recovery CD-ROM to reset these credentials. For information on resetting the administrator login and password without first logging on, see Recovering from Loss of Administrator Credentials.

To reset the ACS SE CLI administrator name:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.

Step 2 At the system prompt, enter set admin, and press Enter.

Step 3 At the next prompt, enter the new administrator name, and press Enter.

Step 4 At the next prompt, enter the administrator name again, and press Enter.

Result: The console displays:

Administrator name is set successfully.

Resetting the GUI Administrator Login and Password

You can reset the SE GUI administrator name, administrator password, or both. This procedure details how to reset the administrator name after you log in with the existing credentials. To reset the password, see Resetting the Solution Engine Administrator Password.

After initial installation of the SE, the only password that exists is the CLI administrator password. This password allows access only through a serial console login and CLI commands.

To enable an initial administrator account that can access the SE through the web GUI, you must set up a GUI administration account using the add guiadmin command.

To set up an initial web GUI account:


Step 1 Log in as the CLI administrator.

Step 2 At the command prompt, enter:

add guiadmin <admin> <password>

where admin is the name of the GUI administrator account and password is the password for the GUI administrator.

Step 3 At the Enter new GUI administrator name: prompt, enter the new GUI administrator name and press Enter.

Step 4 At the Enter new password: prompt, enter the new password and press Enter.


Note The password must contain a minimum of 4 characters and a maximum of 32 characters.


Step 5 At the Enter new password again: prompt, enter the new password again, and press Enter.

Result: The console displays:

GUI Administrator added successfully.

Now, you can use the GUI administrator account to remotely access the ACS GUI running on the ACS SE.


Resetting the Solution Engine Database Password

You should change the ACS SE database password from time to time, to ensure database security. This procedure details how to reset the password after you have logged on with the existing credentials.

To reset the ACS SE database password:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.

Step 2 At the system prompt, enter set dbpassword, and press Enter.

Step 3 At the next prompt, enter the old database password, and press Enter.

Step 4 At the next prompt, enter the new password, and press Enter.


Note The new password must not contain the administrator account name, must contain a minimum of six characters, and it must include a mix of at least three character types: numerals, special characters, uppercase letters, and lowercase letters. Each of the following examples is acceptable: 1PaSsWoRd, *password44, Pass*word.


Step 5 At the Reenter new password: prompt, enter the new password again, and press Enter.

Result: The console displays:

Password is set successfully.  


Reconfiguring the Solution Engine IP Address

Typically, you configure the IP address only once, during initial configuration. See Configuring ACS SE.


Caution Reconfiguring the IP address might cause other network devices to fail to recognize the ACS SE.


Caution Reconfiguring the IP address causes services to restart. AAA services to users will be interrupted.


Note To set or change the IP address of your ACS SE, the SE must be connected to a working Ethernet connection.


To reconfigure the IP address:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.

Step 2 At the system prompt, enter set ip, and press Enter.

Step 3 At the Use Static IP Address [Yes]: prompt, enter Y for Yes or N for No, and press Enter.

Step 4 If you entered No, the system displays a confirmation of DHCP and the message IP Address is reconfigured appears on the console. Continue the procedure with Step 5.

If you entered Yes, to specify the ACS SE IP address:

a. At the IP Address [xx.xx.xx.xx]: prompt, enter the IP address, and press Enter.

b. At the Subnet Mask [xx.xx.xx.xx]: prompt, enter the subnet mask, and press Enter.

c. At the Default Gateway [xx.xx.xx.xx]: prompt, enter the default gateway, and press Enter.

d. At the DNS Servers [xx.xx.xx.xx]: prompt, enter the address of any DNS servers you intend to use (separate each by a single space), and press Enter.

Result: The console displays the new configuration information and the following message:

IP Address is reconfigured.

Step 5 Review the information displayed, and at the Confirm the changes? [Y]: prompt, enter Y, and press Enter.

Result: The ACS SE restarts. The console displays:

New ip address is set.

Step 6 At the Test network connectivity [Yes]: prompt, enter Y, and press Enter.


Tip This step executes a ping command to ensure the connectivity of the ACS SE.


Step 7 At the Enter hostname or IP address: prompt, enter the IP address or hostname of a device connected to the ACS SE, and press Enter.

Result: If successful, the system displays the ping statistics. Once again the system displays the Test network connectivity [Yes]: prompt.

Step 8 If network connectivity is successful in the previous two steps, at the Test network connectivity [Yes]: prompt, enter N, and press Enter.


Tip The system will continue to provide you with the opportunity to test network connectivity until you answer N. This procedure gives you an opportunity, if required, to correct network connections or retype the IP address.


Result: The ACS SE restarts services, and displays the system prompt.


Setting the System Time and Date Manually

You can set and maintain the system date and time by using one of two methods:

Set the time and date manually.

Assign a network time protocol (NTP) server with which the system synchronizes its date and time.

To set the ACS SE system time and date by using an NTP server, see Setting the System Time and Date with NTP.

To set the ACS SE system time and date manually:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.

Step 2 At the system prompt, enter set time, and press Enter.

Result: The console displays:

Current Date/Time Setting:
Time Zone: (GMT -xx:xx) XXX Time
Date and Time: mm/dd/yyyy hh/mm/ss
NTP Servers: ("Ntp Synchronization Disabled" - or - a list of NTP servers)
Change Date & Time Setting? [N]

Step 3 At the Change Date & Time Setting? [N]: prompt, to set the time zone, time, or date, enter Y, and press Enter.

Result: The console displays a list of indexed time zones and the following message:

[xx] (GMT -xx:xx) XXX Time.
Enter desired time zone index (0 for more choices) [x]:

Step 4 At the Enter desired time zone index prompt, enter the desired time zone index number from the time zone setting list, and press Enter.


Tip You can also enter 0 (zero) and press Enter to see more time zone index numbers.


Result: The console displays the new time zone.

Step 5 At the Synchronize with NTP Server? prompt, enter N, and press Enter.

Step 6 At the Enter date [mm/dd/yyyy]: prompt, enter the date, and press Enter.

Step 7 At the Enter time [hh:mm:ss]: prompt, enter the current time, and press Enter.

Result: The system time is reset.


Setting the System Time and Date with NTP

You can set and maintain the system date and time by using one of two methods:

Set the time and date manually.

Assign an NTP server with which the system synchronizes its date and time. (You can configure backup NTP servers if you desire.)

To set the ACS SE system time and date manually, see Setting the System Time and Date Manually.

To set the ACS SE system time and date with NTP:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.

Step 2 At the system prompt, enter set time, and press Enter.

Result: The console displays:

Current Date Time Setting:
Time Zone: (GMT -xx:xx) XXX Time 
Date and Time: mm/dd/yyyy hh/mm/ss 
NTP Servers: ("Ntp Synchronization Disabled" - or - List of NTP servers)
Change Date & Time Setting? [N]

Step 3 At the Change Date & Time Setting? [N]: prompt, to set the time zone, time, or date, enter Y, and press Enter.

Result: The console displays the indexed time zones:

[xx] (GMT -xx:xx) XXX Time.
Enter desired time zone index (0 for more choices) [x]:

Step 4 At the Enter desired time zone index prompt, enter the desired time zone index number from the time zone setting list, and press Enter.


Tip You can also enter 0 (zero) and press Enter to see more time zone index numbers; or simply press Enter to accept the existing time zone.


Result: The console displays the time zone setting.

Step 5 At the Synchronize with NTP Server? prompt, enter Y, and press Enter.

Step 6 At the Enter NTP Server IP Address(es): prompt, enter the IP address of the NTP server that you want to use, and press Enter.


Tip If you want to configure multiple NTP servers, at the Enter NTP Server IP Address prompt, enter multiple IP addresses, each separated by a space.


Result: The console displays:

Successfully synchronized with NTP server
Current Date/Time Setting:
Time Zone: XXX
Date & Time:
NTP servers:

Setting the System Timeout

You can set a system timeout, which is the number of minutes that can pass with no activity on the serial console before the console login times out.

To set the ACS SE system timeout:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.

Step 2 At the system prompt, enter set timeout, and press Enter.

Step 3 At the next prompt, enter the timeout period in minutes followed by a single space, and press Enter.

Result: The system sets the new timeout period.


Setting the Solution Engine System Domain

You can set the system DNS domain from the serial console.

To set the ACS SE system domain:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.

Step 2 At the system prompt, enter set domain, and press Enter.

Step 3 At the next prompt, enter the domain name, and press Enter.

Result: The console displays:

You should reboot appliance for the change to take effect.

Setting the Solution Engine System Hostname


Caution Performing this procedure stops and restarts all services, and will interrupt use of the ACS SE.

You can set the system hostname. To set the ACS SE system hostname:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.

Step 2 At the system prompt, enter set hostname, and press Enter.

Step 3 At the next prompt, enter the hostname, and press Enter.


Tip You can use up to 15 letters and numbers, but no spaces.


Result: The console displays:

Stopping all ACS Services
Stopping service: CSAdmin.
Stopping service: CSAuth..
Stopping service: CSDbSync.
Stopping service: CSLog.
Stopping service: CSMon.
Stopping service: CSRadius..
Stopping service: CSTacacs.
Starting all ACS Services
Starting service: CSAdmin....
Starting service: CSAuth..
Starting service: CSDbSync.
Starting service: CSLog..
Starting service: CSMon.
Starting service: CSRadius.
Starting service: CSTacacs..
You should reboot appliance for the change to take effect.

The system restarts all services and then prompts you to reboot the appliance. The new hostname takes effect after the system reboot.


Patch Rollback

This section contains:

Removing Installed Patches

Understanding the CSAgent Patch

Removing Installed Patches

Use this procedure to uninstall one or more patches and to roll back the ACS SE to the version that existed before the patch installation.

To roll back an ACS SE system patch:


Step 1 Connect a console to the ACS SE console port. For the location of the console port, see Figure 1-2.

Step 2 At the system prompt, enter rollback and the name of the patch application that you want rolled back, and press Enter.


Tip If you do not include the specific patch application name as a parameter following the rollback command, the system displays the list of patches that can be rolled back. Use this list to identify the patch application name, enter rollback followed by the patch application name, and then press Enter.


Step 3 At the confirmation prompt, enter Y, and press Enter.

Result: The console displays:

Rolling patch back
Rollback process initiated successfully
Successfully rolled back `[patch name]' to 0.

Tip To obtain system information, including the current version, see Determining the Status of Solution Engine System and Services from a Serial Console.



Understanding the CSAgent Patch

In ACS SE the CSAgent service is implemented as a pre-installed patch. You must stop CSAgent before you can install any patch or upgrade. Although, as a patch, the CSAgent can be rolled back, the preferred method for disabling this service is simply to stop it. Once stopped, the CSAgent service does not restart when the system is restarted; you must explicitly restart the service for it to operate. For more information, see the User Guide for Cisco Secure Access Control Server 4.2.

Recovery Management

ACS SE functionality includes two procedures that the administrator can perform by using the ACS SE Recovery CD-ROM:

Recovering from Loss of Administrator Credentials

Re-imaging the Solution Engine Hard Drive

Recovering from Loss of Administrator Credentials

If you cannot log in to the system because you have lost the account name or password for the ACS SE administrator account, perform this procedure. In this procedure you use the ACS SE Recovery CD-ROM to access the system from the serial console and reset the administrator login credentials.

The ACS SE administrator login credentials:

Consist of only one set of login credentials at one time.

Are set (that is, changed from the default) during initial configuration.

Can be reset at any time. For more information, see Resetting the Solution Engine Administrator Password.

This recovery procedure entails replacing the administrator login credentials with a new account name and password.

To reset the administrator login credentials:


Step 1 Connect a console to the ACS SE console port. For the location of the console port, see Figure 1-3.

Step 2 Power on the console.

Step 3 Insert the ACS SE Recovery CD-ROM into the solution engine CD-ROM drive.

Step 4 Power on the ACS SE. (Or if already running, reboot the solution engine. For more information, see Rebooting the Solution Engine from a Serial Console.)

Result: The console displays:

ACS Appliance Recovery Options
[1] Reset administrator account
[2] Restore hard disk image from CD
[3] Exit and reboot
Enter menu item number: [ ]

Step 5 At the Enter menu item number: [ ] prompt, enter 1, and press Enter.

Step 6 At the Hit the Return key to log in: prompt, enter Y, and press Enter.

Result: The console displays:

Please remove this recovery CD from the drive, 
then hit RETURN to restart the system:

Step 7 Remove the recovery CD from the drive, and press Enter.

Result: The system reboots, and displays the system version information:

Status: The appliance is functioning properly. 
Default administrator account can be reset now.
Press enter to change default administrator account and password.
Login:

Step 8 Press Enter to change the default administrator account and password.

Result: The console displays:

Enter new account name:

Step 9 At the Enter new account name: prompt, enter the name of the administrator, and press Enter.

Result: The console displays:

Enter new password:

Step 10 At the Enter new password: prompt, enter the new password, and press Enter.


Note The new password must be unique and should not be identical to the last ten passwords that have been used. It must contain a minimum of six characters, and it must include a mix of at least three character types: numerals, special characters, uppercase letters, and lowercase letters. Each of the following examples is acceptable: 1PaSsWoRd, *password44, Pass*word.


Result: The console displays:

Enter new password again:

Step 11 At the Enter new password again: prompt, enter the new password again, and press Enter.

Result: The console displays:

Password is set successfully.
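The password rule stated in the notes above (for set password, for set dbpassword, and for the recovery CD reset) is easy to get wrong when you are choosing a new credential at a serial console, so here is an added example checker, not part of this guide or of the ACS SE software, that implements it: minimum of six characters, at least three of the four character types, no administrator account name inside the password, and not identical to any of the last ten passwords. The account-name match is done case-insensitively and the history list is a constructed input; both are assumptions, since the guide does not say how the appliance performs those comparisons.

```python
import string

# Character classes the ACS SE rule counts: numerals, special characters,
# uppercase letters and lowercase letters (at least three must be present).
_SPECIALS = set(string.punctuation)


def character_classes(password):
    """Return the set of character classes present in password."""
    classes = set()
    for ch in password:
        if ch.isdigit():
            classes.add("numeral")
        elif ch.isupper():
            classes.add("uppercase")
        elif ch.islower():
            classes.add("lowercase")
        elif ch in _SPECIALS:
            classes.add("special")
    return classes


def check_cli_password(new, account_name, history=(), history_depth=10):
    """Check a new CLI administrator password against the set password rule.

    history is a constructed list of previously used passwords, oldest
    first (the appliance keeps its own history).  Returns the list of
    violated rules; an empty list means the password is acceptable.
    """
    problems = []
    if len(new) < 6:
        problems.append("fewer than six characters")
    # Assumption: the account-name check is case-insensitive.
    if account_name and account_name.lower() in new.lower():
        problems.append("contains the administrator account name")
    if len(character_classes(new)) < 3:
        problems.append("fewer than three character types")
    # Only the most recent history_depth entries count; a depth of 0 disables
    # the check (a bare [-0:] slice would wrongly select the whole list).
    recent = list(history)[-history_depth:] if history_depth > 0 else []
    if new in recent:
        problems.append(f"identical to one of the last {history_depth} passwords")
    return problems


def check_db_password(new, account_name):
    """The set dbpassword rule: the CLI rule without the password-history check."""
    return check_cli_password(new, account_name, history=(), history_depth=0)


def check_gui_password(new):
    """The add guiadmin rule: only a length of 4 to 32 characters is required."""
    if 4 <= len(new) <= 32:
        return []
    return ["length must be between 4 and 32 characters"]


if __name__ == "__main__":
    # The three examples the guide lists as acceptable, plus constructed rejects.
    for candidate in ("1PaSsWoRd", "*password44", "Pass*word", "password", "Admin1!x"):
        print(candidate, check_cli_password(candidate, "admin") or "OK")
```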

Re-imaging the Solution Engine Hard Drive

Use the ACS SE Recovery CD-ROM to re-image the appliance if necessary.


Caution Performing this procedure destroys all data stored on the ACS SE.

To re-image your ACS SE:


Step 1 Connect a console to the ACS SE console port. For the location of the console port, see Figure 1-3.

Step 2 Put the Recovery CD in the ACS SE CD-ROM drive. See Figure 1-2.

Step 3 Power on the ACS SE. (Or, if the solution engine is already running, reboot it.) For more information, see Rebooting the Solution Engine from a Serial Console.

Result: The console displays:

ACS Appliance Recovery Options
[1] Reset administrator account
[2] Restore hard disk image from CD
[3] Exit and reboot
Enter menu item number: [ ]

Step 4 At the Enter menu item number: [ ] prompt, enter 2, and press Enter.

Result: The console displays:

This operation will completely erase the hard drive. Press `Y' to confirm, any other key 
to cancel: __

Caution The next step erases the ACS SE hard drive. You will permanently lose all system data that you have not backed up.

Step 5 Enter Y, and press Enter.

Result: The appliance processes the new image (this might take more than 2 minutes) while displaying odd characters and then displays the following message on the console:

The system has been reimaged successfully. Please remove this recovery CD from the drive, 
then hit RETURN to restart the system:

Step 6 Remove the Recovery CD from the ACS SE, and press Enter to restart the appliance.

Result: The ACS SE reboots, performs some configurations, and reboots again. The configurations that occur after the first reboot take a significant amount of time, during which there is no feedback. This is normal system behavior.


Note After re-imaging the solution engine hard drive, you must once again perform initial configuration of the ACS SE. For detailed instructions, see Configuring ACS SE.