Table Of Contents
Administering Cisco Secure ACS Solution Engine
Basic Command Line Administration Tasks
Logging In to the Solution Engine from a Serial Console
Shutting Down the Solution Engine from a Serial Console
Logging Off the Solution Engine from a Serial Console
Rebooting the Solution Engine from a Serial Console
Determining the Status of Solution Engine System and Services from a Serial Console
Tracing Routes
Stopping Solution Engine Services from a Serial Console
Starting Solution Engine Services from a Serial Console
Restarting Solution Engine Services from a Serial Console
Getting Command Help from the Serial Console
Working with System Data
Obtaining Support Logs from the Serial Console
Exporting Logs
Exporting a List of Groups
Exporting a List of Users
Backing Up ACS Data from the Serial Console
Restoring ACS Data from the Serial Console
Enabling RDBMS Synchronization
Enabling Remote Invocation for CSDBSync Functionality
Reconfiguring Solution Engine System Parameters
Resetting the Solution Engine Administrator Password
Resetting the Solution Engine CLI Administrator Name
Resetting the GUI Administrator Login and Password
Resetting the Solution Engine Database Password
Reconfiguring the Solution Engine IP Address
Setting the System Time and Date Manually
Setting the System Time and Date with NTP
Setting the System Timeout
Setting the Solution Engine System Domain
Setting the Solution Engine System Hostname
Patch Rollback
Removing Installed Patches
Understanding the CSAgent Patch
Recovery Management
Recovering from Loss of Administrator Credentials
Re-imaging the Solution Engine Hard Drive
Administering Cisco Secure ACS Solution Engine
This section describes the major ACS SE system administration tasks that you can perform using the CLI in the serial console connection. For all other ACS SE configuration and administration tasks, that is, those performed from the ACS web interface, see the User Guide for Cisco Secure Access Control Server 4.2.
Serial console service starts automatically when the ACS SE boots and prompts the user to log in. Successful login launches a command line application (shell) that operates the CLI.
This chapter contains:
•Basic Command Line Administration Tasks
•Working with System Data
•Reconfiguring Solution Engine System Parameters
•Patch Rollback
•Recovery Management
Basic Command Line Administration Tasks
This section details basic administrative tasks you can perform from a serial console connected to the ACS SE. This section contains:
•Logging In to the Solution Engine from a Serial Console
•Shutting Down the Solution Engine from a Serial Console
•Logging Off the Solution Engine from a Serial Console
•Rebooting the Solution Engine from a Serial Console
•Determining the Status of Solution Engine System and Services from a Serial Console
•Tracing Routes
•Stopping Solution Engine Services from a Serial Console
•Starting Solution Engine Services from a Serial Console
•Restarting Solution Engine Services from a Serial Console
•Getting Command Help from the Serial Console
Logging In to the Solution Engine from a Serial Console
To log in to the ACS SE from a serial console:
Step 1 Establish a serial console connection to the ACS SE. For details, see Establishing a Serial Console Connection.
Step 2 At the login: prompt, enter the ACS SE administrator name, and press Enter.
Step 3 At the password: prompt, enter the password, and press Enter.
Result: The system prompt appears:
ACS SE name
Note Only one set of ACS SE login credentials (administrator name and password) has the serial connection privilege.
Shutting Down the Solution Engine from a Serial Console
You can use the serial console to shut down the ACS SE.
Caution Powering off the ACS SE by using only the power switch might cause the loss or corruption of data.
To use the serial console to shut down the ACS SE:
Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.
Step 2 At the system prompt, enter shutdown, and press Enter.
Step 3 At the Are you sure you want to shut down? (Y/N): prompt, enter Y for yes, and press Enter.
Result: The console displays:
It is now safe to turn off the computer
Step 4 Press the power switch and hold it down for 4 seconds to turn off the ACS SE.
For the location of the power switch see Figure 1-2.
Result: The ACS SE powers OFF.
Logging Off the Solution Engine from a Serial Console
To log off the ACS SE from a serial console:
At the system prompt, enter exit, and press Enter.
Result: The serial console connection closes, and the login: prompt appears.
Rebooting the Solution Engine from a Serial Console
To reboot the ACS SE from the serial console:
Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.
Step 2 At the system prompt, enter reboot, and press Enter.
Step 3 At the Are you sure you want to reboot? (Y/N): prompt, enter Y for yes, and press Enter.
Result: The ACS SE reboots. When the reboot is finished, the login: prompt appears.
Determining the Status of Solution Engine System and Services from a Serial Console
You can use the serial console connection to obtain system and service status information.
Note You typically perform status determination in the ACS SE web interface. For more information, see "Determining the Status of Cisco Secure ACS Services" in the User Guide for Cisco Secure Access Control Server 4.2.
To determine the status of the ACS SE and its services:
Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.
Step 2 At the system prompt, enter show, and press Enter.
Result: The console displays:
Appliance Management Software Version
Appliance Base Image Version
CSA build XXXX: (Patch: x_x_x_xxx)
Session Timeout (in minutes)
Free Disk (amount of hard drive space available)
Appliance IP Configuration
ACS Services (running/stopped)
Tracing Routes
If you are unfamiliar with the trace route command or want information on the command's optional arguments, see the Command Reference entry tracert.
To trace the network route that the ACS SE takes to a given destination:
At the system prompt, enter tracert, followed by zero (0) or more optional arguments, and the IP address of the target destination, and press Enter.
Result: The console displays the route tracing information followed by the message:
Stopping Solution Engine Services from a Serial Console
Note You typically stop solution engine services in the web interface.
You can stop any of the ACS SE services from the serial console. The ACS SE services include:
•CSAdmin
•CSAgent
•CSAuth
•CSDbSync
•CSLog
•CSMon
•CSRadius
•CSTacacs
Tip To list the services and their status, you can use the show command. For more information, see Determining the Status of Solution Engine System and Services from a Serial Console.
Note When you stop the CSAgent service, the service remains disabled until you explicitly start it again because the CSAgent service does not automatically restart when the system is rebooted.
To stop an SE service:
Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.
Step 2 At the system prompt, enter stop followed by a single space and the name of the ACS service that you want to stop, and press Enter.
Tip You can list more than one service to stop; enter a single space between each.
Result: The console displays:
Stopping service: [service name]. . . .
[service name] is not running
Starting Solution Engine Services from a Serial Console
Note You typically start solution engine services in the web interface.
You can start any of the ACS services from the serial console. The ACS SE services include:
•CSAdmin
•CSAgent
•CSAuth
•CSDbSync
•CSLog
•CSMon
•CSRadius
•CSTacacs
Tip To list the services and their status, you can use the show command. For more information, see Determining the Status of Solution Engine System and Services from a Serial Console.
To start an SE service:
Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.
Step 2 At the system prompt, enter start followed by a single space and the name of the ACS service that you want to start, and press Enter.
Tip You can list more than one service to start; enter a single space between each.
Result: The console displays:
Starting service: [service name]. . . .
[service name] is starting
[service name] is running
Restarting Solution Engine Services from a Serial Console
Note You typically restart solution engine services in the web interface.
You can restart any ACS SE service from the serial console. ACS SE services include:
•CSAdmin
•CSAgent
•CSAuth
•CSDbSync
•CSLog
•CSMon
•CSRadius
•CSTacacs
Tip To list the services and their status, you can use the show command. For more information, see Determining the Status of Solution Engine System and Services from a Serial Console.
To restart an SE service:
Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.
Step 2 At the system prompt, enter restart followed by a single space and the name of the ACS service that you want to restart, and press Enter.
Tip You can list more than one service to restart; enter a single space between each.
Result: The console displays:
[service name] is stopping. . .
[service name] is not running
[service name] is starting
[service name] is running
Getting Command Help from the Serial Console
To obtain a list and description of commands on the ACS SE from the serial console:
Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.
Step 2 At the system prompt, enter help, and press Enter.
Tip Press Enter again to scroll through the list of commands, as necessary.
Result: The ACS SE displays the list of commands and their descriptions, as shown in Table 4-1.
Table 4-1 ACS SE Commands
Command | Description
guilogon | Enable or Disable GUI
? | List commands
unlock guiadmin | Unlock GUI administrator
remove guiadmin | Remove GUI administrator
add guiadmin | Adds a GUI administrator account that allows access to the SE using the ACS web GUI.
backup | Back up appliance
download | Download ACS Install Package
exit | Log off
exportgroups | Export group information to an FTP server
exportlogs | Export appliance diagnostic logs to FTP server
exportusers | Export user information to an FTP server
help | List commands
ntpsync | Perform Network Time Protocol synchronization with predefined NTP servers
ping | Verify connections to remote computers
reboot | Soft reboot appliance
restart | Restart ACS services
restore | Restore appliance
rollback | Rollback patched package
set | Set commands
set admin | Set administrator's name
set domain | Set DNS domain
set hostname | Set appliance's hostname
set ip | Set IP configuration
set password | Set administrator's password
set dbpassword | Set database encryption password
set time | Set timezone, enable NTP synch, or set date and time
set timeout | Set the timeout for serial console with no activity
show | Show appliance status
shutdown | Shut down appliance
start | Start ACS services
stop | Stop ACS services
support | Collect logs, registry, and other useful information
tracert | Determine the route taken to a destination
upgrade | Upgrade appliance (stage II)
For more information on ACS SE commands, see "Command Reference."
Working with System Data
This section explains basic data-manipulation tasks performed from a serial console connected to the ACS SE:
•Obtaining Support Logs from the Serial Console
•Exporting Logs
•Exporting a List of Groups
•Exporting a List of Users
•Backing Up ACS Data from the Serial Console
•Restoring ACS Data from the Serial Console
•Enabling RDBMS Synchronization
•Enabling Remote Invocation for CSDBSync Functionality
Obtaining Support Logs from the Serial Console
This section details the procedure for running the support tool. The support tool first collects logs, system Registry information, and other ancillary data, and then compresses the collected information into a single file with the extension .cab. This file is then sent to support personnel for analysis.
Caution Performing this procedure stops and restarts all services, and will interrupt use of the ACS SE.
Note You typically perform this procedure in the ACS SE web interface.
This procedure uses the support command. For more information on this command, see support. The arguments for the support command include:
Argument | Description
-d n | Collect the previous n days of logs
-u | Collect user database information
server | Hostname of the FTP server to which the file is to be sent
filepath | Location under the FTP root of the server into which the package.cab is to be sent
username | Account used to authenticate the FTP session
To generate a .cab file of log and system registry information:
Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.
Step 2 At the system prompt, enter support and the necessary arguments, and press Enter.
Step 3 To collect user database information, at the Collect User Data? <Y or N>: prompt, enter Y and press Enter.
Step 4 At the Collect Previous days logs? <N or Number of days><1>: prompt, enter the number of days for which you want to collect information (from 1 to 9999), and press Enter.
Step 5 At the Enter FTP Server Hostname or IP Address: prompt, enter the FTP server hostname or IP address, and press Enter.
Step 6 At the Enter FTP Server Directory: prompt, enter the pathname to the location on your FTP server to which you want to send the file, and press Enter.
Step 7 At the Enter FTP Server Username: prompt, enter the FTP server username, and press Enter.
Caution Performing this next step begins the procedure that stops and restarts all services, and will interrupt use of the ACS SE.
Step 8 At the Enter FTP Server Password: prompt, enter the FTP server password, and press Enter.
Result: The ACS SE displays a series of messages detailing the writing and dumping of the files, and the stopping and starting of services. At file transfer conclusion the system displays the following message on the console:
Transferring `Package.cab' completed
This message indicates that ACS SE has packaged and transferred the .cab file as specified, and restarts services.
Result: The system returns to the system prompt.
Exporting Logs
This section details the procedure for exporting ACS SE log files to an FTP server for further examination and processing. Using the exportlogs command, you can enter the name of the log or logs to export, or select log names from a list.
Before You Begin
You must have the FTP server address and pathname, as well as the proper credentials for writing to the FTP server (username and password).
Caution Performing this procedure stops and restarts all services, and will interrupt use of the ACS SE.
To export log files to an FTP server:
Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.
Step 2 At the system prompt, enter exportlogs logname, and press Enter.
Where logname is the name of the log you want to export.
Tip You can enter more than one log name and separate each with a space. If you enter no log name, and press Enter, the system displays the names of the log files available for export.
Caution Performing this procedure stops and restarts all services, and will interrupt use of the ACS SE.
Step 3 At the Enter FTP Server Hostname or IP Address: prompt, enter the IP address or hostname of the FTP server, and press Enter.
Step 4 At the Enter FTP Server Directory: prompt, enter the FTP server directory pathname, and press Enter.
Step 5 At the Enter FTP Server Username: prompt, enter the FTP server username, and press Enter.
Step 6 At the Enter FTP Server Password: prompt, enter the FTP server password, and press Enter.
Result: The ACS SE exports the specified files to the specified location.
Exporting a List of Groups
This section details the procedure for exporting a list of ACS SE user groups to an FTP server for further examination and processing.
Before You Begin
You must have the FTP server address and pathname, as well as the proper credentials for writing to the FTP server (username and password).
Caution Performing this procedure stops and restarts the CSAuth service, and will interrupt use of the ACS SE.
To export a user group list to an FTP server:
Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.
Step 2 At the system prompt, enter exportgroups, and press Enter.
Tip You can enter the following parameters after the command or in response to subsequent prompts: [server] [username] [filepath]
Result: The console displays:
Command will restart CSAuth. Are you sure you want to continue? <Y/N>:
Caution Performing this procedure stops and restarts the CSAuth service, and will interrupt use of the ACS SE.
Step 3 To proceed, enter Y, and press Enter.
Step 4 At the Enter FTP Server Hostname or IP Address: prompt, enter the FTP server IP address or hostname and press Enter.
Step 5 At the Enter FTP Server Directory: prompt, enter the FTP server directory pathname, and press Enter.
Step 6 At the Enter FTP Server Username: prompt, enter the FTP server username, and press Enter.
Step 7 At the Enter FTP Server Password: prompt, enter the FTP server password, and press Enter.
Result: The ACS SE exports the group list file to the specified location. When completed the system displays the message:
Transferring `groups.txt' completed
The system prompt returns.
Exporting a List of Users
This section details the procedure for exporting a list of ACS SE users to an FTP server for further examination and processing.
Before You Begin
You must have the FTP server address and pathname, as well as the proper credentials for writing to the FTP server (username and password).
Caution Performing this procedure stops and restarts the CSAuth service, and will interrupt use of the ACS SE.
To export a list of users to an FTP server:
Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.
Step 2 At the system prompt, enter exportusers, and press Enter.
Tip You can enter the following parameters after the command or in response to subsequent prompts: [server] [username] [filepath]
Result: The console displays:
Command will restart CSAuth. Are you sure you want to continue? <Y/N>:
Caution Performing this procedure stops and restarts the CSAuth service, and will interrupt use of the ACS SE.
Step 3 To proceed, enter Y, and press Enter.
Step 4 At the Enter FTP Server Hostname or IP Address: prompt, enter the FTP server IP address or hostname, and press Enter.
Step 5 At the Enter FTP Server Directory: prompt, enter the FTP server directory pathname, and press Enter.
Step 6 At the Enter FTP Server Username: prompt, enter the FTP server username, and press Enter.
Step 7 At the Enter FTP Server Password: prompt, enter the FTP server password, and press Enter.
Result: ACS SE exports the file of the list of users to the specified location, and then displays the message:
Transferring `users.txt' completed
The system prompt reappears.
Backing Up ACS Data from the Serial Console
This section details how to use the serial console to back up ACS SE data to an FTP server.
Note You typically perform this procedure in the web interface.
During back up, AAA services are interrupted, and ACS SE data is packaged and sent in a file to an FTP server. You might choose to encrypt this file package. For information on how to restore the backup data to the system, see Restoring ACS Data from the Serial Console.
Before You Begin
You must have the FTP server address and pathname, as well as the proper credentials for writing to the FTP server (username and password).
Caution This procedure interrupts the use of the ACS SE for AAA services.
To export ACS SE data to an FTP server:
Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.
Step 2 At the system prompt, enter backup and press Enter.
Tip You can enter the following parameters after the command or in response to subsequent prompts: [server] [username] [filepath]
Step 3 At the Enter FTP Server Hostname or IP Address: prompt, enter the FTP server IP address or hostname, and press Enter.
Step 4 At the Enter FTP Server Directory: prompt, enter the FTP server directory pathname, and press Enter.
Step 5 At the Enter FTP Server Username: prompt, enter the FTP server username, and press Enter.
Step 6 At the Enter FTP Server Password: prompt, enter the FTP server password, and press Enter.
Step 7 At the File: prompt, enter the name that you want to give the backup file, and press Enter.
Step 8 At the Encrypt Backup file? <Y or N>: prompt, enter Y to encrypt the backup file or N not to encrypt it, and press Enter.
Caution This procedure interrupts the use of the ACS SE for AAA services.
Step 9 If you entered Y to encrypt the backup file, at the Encryption Password: prompt, enter a password and then press Enter.
Result: The console displays:
All running services will be stopped and restarted automatically.
Are you sure you want to proceed? <Y or N>
Step 10 To proceed, enter Y and press Enter.
Result: The ACS SE exports the backup file to the specified location and displays messages regarding the progress of the back up.
The system displays the following message on the console when the backup process is complete:
Transferring xxx completed.
The system prompt reappears.
Restoring ACS Data from the Serial Console
This section details how to use the serial console to restore ACS SE data from an FTP server after you perform a back up. For more information on backing up ACS SE data, see Backing Up ACS Data from the Serial Console.
Note You typically perform this procedure in the web interface.
Before You Begin
You must have the FTP server address and pathname, as well as the proper credentials for writing to the FTP server (username and password). You also need the name of the backup file and, the decryption password, if the backup was encrypted.
Caution This procedure interrupts the use of the ACS SE for AAA services.
Caution This procedure overwrites current system data and replaces it with the backup data.
To restore ACS SE data from an FTP server:
Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.
Step 2 At the system prompt, enter restore, and press Enter.
Tip You can enter the following parameters after the command or in response to subsequent prompts: [server] [username] [filepath]
Step 3 At the Enter FTP Server Hostname or IP Address: prompt, enter the FTP server IP address or hostname, and press Enter.
Step 4 At the Enter FTP Server Directory: prompt, enter the FTP server directory pathname, and press Enter.
Step 5 At the Enter FTP Server Username: prompt, enter the FTP server username, and press Enter.
Step 6 At the Enter FTP Server Password: prompt, enter the FTP server password, and press Enter.
Step 7 At the File: prompt, enter the name of the backup file, and press Enter.
Step 8 At the Select Components to Restore: User and Group Database: <Y or N> prompt, enter Y to restore the user and group database, and press Enter.
Step 9 At the CiscoSecure ACS System Configuration: <Y or N> prompt, enter Y to restore the system configuration data, and press Enter.
Step 10 At the Decrypt Backup file? <Y or N>: prompt, enter Y, if you previously encrypted the backup file, and press Enter.
Step 11 If you entered Y to decrypt the backup file, at the Encryption Password: prompt, enter the FTP password, and press Enter.
Note The system displays a warning message on the console:
Reloading a system backup will overwrite ALL current configuration information. All services will be stopped and started automatically
Step 12 At the Are you sure you want to proceed? <Y or N>: prompt, enter Y and press Enter.
Result: The ACS SE receives the backup file from the specified location and displays messages regarding the restoration. You might see warnings about components not included in the backup file. For example, if ACS SE has no shared profile components configured, you see a message about Device Command Sets (DCS) not on the backup, which is normal.
When completed, the system displays the following message on the console:
Note You cannot restore ACS 4.1 data from the serial console. You can perform this procedure only through the web interface.
Enabling RDBMS Synchronization
RDBMS Synchronization supports the manipulation and updating of ACS internal database objects. You can Create, Read, Update, and Delete all data items that RDBMS Synchronization can access. This section details the procedure for invoking RDBMS Synchronization on the ACS SE.
For more information about RDBMS Synchronization, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/user.html
Note You must upload and use the accountActions.csv file to perform RDBMS Synchronization on ACS SE.
Before You Begin
You must have the FTP server address and pathname, as well as write permissions to the FTP server directory.
To configure RDBMS Synchronization on the SE:
Step 1 Connect to the ACS SE via the SSH client. Check the connectivity between the SSH client and the SSH server.
Step 2 Log in to the GUI administrator account and enter the administrator name and password.
Step 3 In the navigation bar, click System Configuration.
Step 4 Click RDBMS Synchronization.
The RDBMS Synchronization setup page appears.
Step 5 In the FTP Setup For Account Actions Download Table, enter:
a. The name of the accountActions file that you want to use to update ACS.
b. The IP address or hostname of the FTP server from where ACS SE must download the accountActions file.
c. The directory path on the FTP server where the accountActions file resides.
d. The username for ACS to access the FTP server.
e. The password for the FTP server.
Step 6 Upload the CSV file.
ACS SE will automatically create the DSN.
Note The uploaded CSV file must be in a valid format and the values given in the CSV file for RDBMS Synchronization must be valid.
Step 7 Log in to the CLI administrator account and enter the administrator username and password.
Step 8 At the system prompt, enter csdbsync -syncnow and press Enter.
Step 9 The console displays:
CSDbSync v4.2(0.113), Copyright 1997-2007, Cisco Systems Inc
Logging mode: FULL
Transaction processing invoked manually
Sync complete: 10 transaction(s) 0 parse error(s) 0 process error(s)
SL:Disconnect Start
DBConnectionPool: 2 Connecion(s) to delete
Going to sleep for 0.5 sec
Going to sleep for 0.5 sec
Going to sleep for 0.5 sec
Going to sleep for 0.5 sec
DBConnectionPool: Destructor Complete
SL:Disconnect Complete
ACS SE fetches the CSV file from the FTP server, reads the action codes in the file, and performs the RDBMS Synchronization operations specified in the file.
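The only completion signal a csdbsync -syncnow run gives is the console summary shown above, so an operator driving the serial console should read the counts rather than assume success. The following parser is an added example and not Cisco code; the sample transcripts are constructed from the output printed in this section, and the judgment rules in sync_problems (non-zero error counts, zero transactions, missing disconnect) are this example's own assumptions about what a clean run looks like.

```python
"""Parse the CSDbSync console summary and flag runs that need attention.

Added example, not Cisco code. The transcripts below are constructed from
the output the guide shows for 'csdbsync -syncnow'.
"""
import re

# "Sync complete: 10 transaction(s) 0 parse error(s) 0 process error(s)"
SYNC_LINE = re.compile(
    r"Sync complete:\s*(?P<tx>\d+) transaction\(s\)\s*"
    r"(?P<parse>\d+) parse error\(s\)\s*(?P<proc>\d+) process error\(s\)")
MODE_LINE = re.compile(r"Logging mode:\s*(\S+)")


def parse_csdbsync_output(text):
    """Return counts and completion flags extracted from one sync run."""
    summary = {"logging_mode": None, "transactions": 0, "parse_errors": 0,
               "process_errors": 0, "sync_reported": False,
               "disconnected": False}
    for line in text.splitlines():
        m = MODE_LINE.search(line)
        if m:
            summary["logging_mode"] = m.group(1)
        m = SYNC_LINE.search(line)
        if m:
            summary["sync_reported"] = True
            summary["transactions"] = int(m.group("tx"))
            summary["parse_errors"] = int(m.group("parse"))
            summary["process_errors"] = int(m.group("proc"))
        if "SL:Disconnect Complete" in line:
            summary["disconnected"] = True
    return summary


def sync_problems(summary):
    """List reasons a run needs a look; an empty list means clean.

    Thresholds are this example's assumptions, not a documented ACS rule.
    """
    problems = []
    if not summary["sync_reported"]:
        problems.append("no 'Sync complete' line: the run did not finish")
    if summary["parse_errors"]:
        problems.append("%d accountActions record(s) could not be parsed"
                        % summary["parse_errors"])
    if summary["process_errors"]:
        problems.append("%d record(s) failed to apply"
                        % summary["process_errors"])
    if summary["sync_reported"] and summary["transactions"] == 0:
        problems.append("zero transactions: check that the CSV was fetched")
    if not summary["disconnected"]:
        problems.append("database connection was not released")
    return problems


# Constructed sample: the clean run printed in the guide.
CLEAN_RUN = """CSDbSync v4.2(0.113), Copyright 1997-2007, Cisco Systems Inc
Logging mode: FULL
Transaction processing invoked manually
Sync complete: 10 transaction(s) 0 parse error(s) 0 process error(s)
SL:Disconnect Start
DBConnectionPool: 2 Connecion(s) to delete
Going to sleep for 0.5 sec
DBConnectionPool: Destructor Complete
SL:Disconnect Complete
"""

# Constructed sample: a run with bad records that also never disconnected.
BAD_RUN = """CSDbSync v4.2(0.113), Copyright 1997-2007, Cisco Systems Inc
Logging mode: FULL
Transaction processing invoked manually
Sync complete: 7 transaction(s) 2 parse error(s) 1 process error(s)
SL:Disconnect Start
"""

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_RUN), ("bad", BAD_RUN)):
        summary = parse_csdbsync_output(text)
        print(name, summary, sync_problems(summary) or "OK")
```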
Enabling Remote Invocation for CSDBSync Functionality
CSDBSync supports the configuring of ACS on the solution engine, via remote systems. The CSDBSync service reads each record from the accountActions file and updates the ACS internal database according to the action code specified in the record. Synchronization events fail if CSDBSync cannot access the accountActions file. In a distributed environment, a single ACS, known as the senior synchronization partner, accesses the accountActions table and sends synchronization commands to its synchronization partners.
For more information about CSDBSync, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/user.html
Reconfiguring Solution Engine System Parameters
This section details basic reconfiguration tasks performed from a serial console connected to the ACS SE. This section contains:
•Resetting the Solution Engine Administrator Password
•Resetting the Solution Engine CLI Administrator Name
•Resetting the GUI Administrator Login and Password
•Resetting the Solution Engine Database Password
•Reconfiguring the Solution Engine IP Address
•Setting the System Time and Date Manually
•Setting the System Time and Date with NTP
•Setting the System Timeout
•Setting the Solution Engine System Domain
•Setting the Solution Engine System Hostname
Resetting the Solution Engine Administrator Password
There is always a single set of ACS SE administrator credentials that consists of the administrator name and password. Unlike other ACS administrative accounts, this unique administrative account is granted all privileges, cannot be deleted, and is not listed in the Administrators table of the Administrative Control page in the ACS web interface. This account is called the CLI administrator account and allows access to the SE only through a serial console.
You can reset the ACS SE CLI administrator name, the administrator password, or both. This procedure details how to reset the password after you log in with the existing credentials. To reset the CLI administrator name see Resetting the Solution Engine CLI Administrator Name.
If you do not have the existing ACS SE CLI administrator login credentials, you must have the recovery CD-ROM to reset these credentials. For information on resetting the administrator login and password without first logging in, see Recovering from Loss of Administrator Credentials.
To reset the ACS SE administrator login credentials:
Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.
Step 2 At the system prompt, enter set password, and press Enter.
Step 3 At the prompt, enter the old password, and press Enter.
Step 4 At the prompt, enter the new account name, and press Enter.
Step 5 At the prompt, enter the new password, and press Enter.
Note The new password must be unique and should not be identical to the last ten passwords that have been used. It must not contain the administrator account name, must contain a minimum of six characters, and it must include a mix of at least three character types: numerals, special characters, uppercase letters, and lowercase letters. Each of the following examples is acceptable: 1PaSsWoRd, *password44, Pass*word.
Step 6 At the prompt, reenter the new password, and press Enter.
Result: The console displays:
Password is set successfully.
Administrator account name is set to _____
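The password rules in the Note above can be checked before a new password is committed on the console, which avoids a failed set password attempt on a session that times out. The validator below is an added example and not Cisco code; admin_name and history are inputs the caller supplies, and the case-insensitive account-name test is an assumption stricter than the literal wording.

```python
"""Validator for the ACS SE CLI administrator password policy.

Added example, not Cisco code. It encodes the rules the guide states for
'set password': minimum length, no administrator account name, at least
three character types, and not identical to the last ten passwords used.
"""

MIN_LENGTH = 6        # "a minimum of six characters"
MIN_CLASSES = 3       # "a mix of at least three character types"
HISTORY_DEPTH = 10    # "not identical to the last ten passwords"


def character_classes(password):
    """Return the set of character types present in the password."""
    classes = set()
    for ch in password:
        if ch.isdigit():
            classes.add("numeral")
        elif ch.isupper():
            classes.add("uppercase")
        elif ch.islower():
            classes.add("lowercase")
        else:
            classes.add("special")
    return classes


def check_cli_password(password, admin_name, history=()):
    """Return a list of policy violations; an empty list means acceptable.

    history is the sequence of previously used passwords, oldest first.
    The admin-name test is case-insensitive (an assumption stricter than
    the guide's wording, so that 'Admin' does not slip past 'admin').
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if admin_name and admin_name.lower() in password.lower():
        problems.append("contains the administrator account name")
    found = character_classes(password)
    if len(found) < MIN_CLASSES:
        problems.append("only %d character type(s): %s"
                        % (len(found), ", ".join(sorted(found))))
    if password in list(history)[-HISTORY_DEPTH:]:
        problems.append("matches one of the last %d passwords" % HISTORY_DEPTH)
    return problems


def is_acceptable(password, admin_name, history=()):
    """True when the candidate passes every rule."""
    return not check_cli_password(password, admin_name, history)


if __name__ == "__main__":
    # The three examples the guide lists as acceptable, plus two rejects.
    for candidate in ("1PaSsWoRd", "*password44", "Pass*word",
                      "password", "Admin9*x"):
        print(candidate, check_cli_password(candidate, "admin") or "OK")
```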
Resetting the Solution Engine CLI Administrator Name
There is always a single set of ACS SE CLI administrator credentials that consists of the administrator name and password. Unlike other ACS administrative accounts, this unique administrative account is granted all privileges, cannot be deleted, and is not listed in the Administrators table of the Administrative Control page in the ACS web interface.
You can reset the CLI administrator name, the administrator password, or both. This procedure details how to reset the administrator name after you log in with the existing credentials. To reset the password, see Resetting the Solution Engine Administrator Password.
Note The CLI administrator login does not provide access to the SE using the web GUI. You must set up an initial web GUI password using the add guiadmin command. For information on setting up an initial web GUI account, see Resetting the GUI Administrator Login and Password.
If you do not have the existing CLI administrator login credentials, you must have the recovery CD-ROM to reset these credentials. For information on resetting the administrator login and password without first logging on, see Recovering from Loss of Administrator Credentials.
To reset the ACS SE CLI administrator name:
Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.
Step 2 At the system prompt, enter set admin, and press Enter.
Step 3 At the prompt for the new administrator name, enter the new administrator name, and press Enter.
Step 4 At the prompt to confirm the name, enter the administrator name again, and press Enter.
Result: The console displays:
Administrator name is set successfully.
Resetting the GUI Administrator Login and Password
You can reset the SE GUI administrator name, administrator password, or both. This procedure details how to reset the administrator name after you log in with the existing credentials. To reset the password, see Resetting the Solution Engine Administrator Password.
After initial installation of the SE, the only password that exists is the CLI administrator password. This password allows access only through a serial console login and CLI commands.
To enable an initial administrator account that can access the SE through the web GUI, you must set up a GUI administration account using the add guiadmin command.
To set up an initial web GUI account:
Step 1 Log in as the CLI administrator.
Step 2 At the command prompt, enter:
add guiadmin <admin> <password>
where admin is the name of the GUI administrator account and password is the password for the GUI administrator.
Step 3 At the Enter new GUI administrator name: prompt, enter the new GUI administrator name and press Enter.
Step 4 At the Enter new password: prompt, enter the new password and press Enter.
Note The password can only contain a maximum of 32 characters and a minimum of 4 characters.
Step 5 At the Enter new password again: prompt, enter the new password again, and press Enter.
Result: The console displays:
GUI Administrator added successfully.
Now, you can use the GUI administrator account to remotely access the ACS GUI running on the ACS SE.
Resetting the Solution Engine Database Password
You should change the ACS SE database password from time to time, to ensure database security. This procedure details how to reset the password after you have logged on with the existing credentials.
To reset the ACS SE database password:
Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.
Step 2 At the system prompt, enter set dbpassword, and press Enter.
Step 3 At the prompt for the old database password, enter the old database password, and press Enter.
Step 4 At the prompt for the new password, enter the new password, and press Enter.
Note The new password must not contain the administrator account name, must contain a minimum of six characters, and it must include a mix of at least three character types: numerals, special characters, uppercase letters, and lowercase letters. Each of the following examples is acceptable: 1PaSsWoRd, *password44, Pass*word.
Step 5 At the Reenter new password: prompt, enter the new password again, and press Enter.
Result: The console displays:
Password is set successfully.
Reconfiguring the Solution Engine IP Address
Typically, you configure the IP address only once, during initial configuration. See Configuring ACS SE.
Caution Reconfiguring the IP address might cause other network devices to fail to recognize the ACS SE.
Caution Reconfiguring the IP address causes services to restart. AAA services to users will be interrupted.
Note To set or change the IP address of your ACS SE, the SE must be connected to a working Ethernet connection.
To reconfigure the IP address:
Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.
Step 2 At the system prompt, enter set ip, and press Enter.
Step 3 At the Use Static IP Address [Yes]: prompt, enter Y for Yes or N for No, and press Enter.
Step 4 If you entered No, the system displays a confirmation of DHCP and the message IP Address is reconfigured appears on the console. Continue the procedure with Step 5.
If you entered Yes, to specify the ACS SE IP address:
a. At the IP Address [xx.xx.xx.xx]: prompt, enter the IP address, and press Enter.
b. At the Subnet Mask [xx.xx.xx.xx]: prompt, enter the subnet mask, and press Enter.
c. At the Default Gateway [xx.xx.xx.xx]: prompt, enter the default gateway, and press Enter.
d. At the DNS Servers [xx.xx.xx.xx]: prompt, enter the address of any DNS servers you intend to use (separate each by a single space), and press Enter.
Result: The console displays the new configuration information and the following message:
IP Address is reconfigured.
Step 5 Review the information displayed, and at the Confirm the changes? [Y]: prompt, enter Y, and press Enter.
Result: The ACS SE restarts. The console displays:
Step 6 At the Test network connectivity [Yes]: prompt, enter Y, and press Enter.
Tip This step executes a ping command to ensure the connectivity of the ACS SE.
Step 7 At the Enter hostname or IP address: prompt, enter the IP address or hostname of a device connected to the ACS SE, and press Enter.
Result: If successful, the system displays the ping statistics. Once again the system displays the Test network connectivity [Yes]: prompt.
Step 8 If network connectivity is successful in the previous two steps, at the Test network connectivity [Yes]: prompt, enter N, and press Enter.
Tip The system will continue to provide you with the opportunity to test network connectivity until you answer N. This procedure gives you an opportunity, if required, to correct network connections or retype the IP address.
Result: The ACS SE restarts services, and displays the system prompt.
Setting the System Time and Date Manually
You can set and maintain the system date and time by using one of two methods:
•Set the time and date manually.
•Assign a network time protocol (NTP) server with which the system synchronizes its date and time.
To set the ACS SE system time and date by using an NTP, see Setting the System Time and Date with NTP.
To set the ACS SE system time and date manually:
Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.
Step 2 At the system prompt, enter set time, and press Enter.
Result: The console displays:
Current Date/Time Setting:
Time Zone: (GMT -xx:xx) XXX Time
Date and Time: mm/dd/yyyy hh/mm/ss
NTP Servers: ("Ntp Synchronization Disabled" - or -a list of NTP servers)
Change Date & Time Setting? [N]
Step 3 At the Change Date & Time Setting? [N]: prompt, to set the time zone, time, or date enter Y, and press Enter.
Result: The console displays a list of indexed time zones and the following message:
[xx] (GMT -xx:xx) XXX Time.
Enter desired time zone index (0 for more choices) [x]:
Step 4 At the Enter desired time zone index (0 for more choices) [x]: prompt, enter the desired time zone index number from the time zone setting list, and press Enter.
Tip You can also enter 0 (zero) and press Enter to see more time zone index numbers.
Result: The console displays the new time zone.
Step 5 At the Synchronize with NTP Server? prompt, enter N, and press Enter.
Step 6 At the Enter date [mm/dd/yyyy]: prompt, enter the date, and press Enter.
Step 7 At the Enter time [hh:mm:ss]: prompt, enter the current time, and press Enter.
Result: The system time is reset.
Setting the System Time and Date with NTP
You can set and maintain the system date and time by using one of two methods:
•Set the time and date manually.
•Assign a NTP server with which the system synchronizes its date and time. (You can configure backup NTP servers if you desire.)
To set the ACS SE system time and date manually, see Setting the System Time and Date Manually.
To set the ACS SE system time and date with NTP:
Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.
Step 2 At the system prompt, enter set time, and press Enter.
Result: The console displays:
Current Date Time Setting:
Time Zone: (GMT -xx:xx) XXX Time
Date and Time: mm/dd/yyyy hh/mm/ss
NTP Servers: ("Ntp Synchronization Disabled" - or - List of NTP servers)
Change Date & Time Setting? [N]
Step 3 At the Change Date & Time Setting? [N]: prompt, to set the time zone, time, or date enter Y, and press Enter.
Result: The console displays the indexed time zones:
[xx] (GMT -xx:xx) XXX Time.
Enter desired time zone index (0 for more choices) [x]:
Step 4 At the Enter desired time zone index (0 for more choices) [x]: prompt, enter the desired time zone index number from the time zone setting list, and press Enter.
Tip You can also enter 0 (zero) and press Enter to see more time zone index numbers; or simply press Enter to accept the existing time zone.
Result: The console displays the time zone setting.
Step 5 At the Synchronize with NTP Server? prompt, enter Y, and press Enter.
Step 6 At the Enter NTP Server IP Address(es): prompt, enter the IP address of the NTP server that you want to use, and press Enter.
Tip If you want to configure multiple NTP servers, at the Enter NTP Server IP Address prompt, enter multiple IP addresses, each separated by a space.
Result: The console displays:
Successfully synchronized with NTP server
Current Date/Time Setting:
Setting the System Timeout
You can set a system timeout, which is the number of minutes that can pass with no activity on the serial console before the console login times out.
To set the ACS SE system timeout:
Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.
Step 2 At the system prompt, enter set timeout, and press Enter.
Step 3 At the prompt for the timeout period, enter the timeout period in minutes followed by a single space, and press Enter.
Result: The system sets the new timeout period.
Setting the Solution Engine System Domain
You can set the system DNS domain from the serial console.
To set the ACS SE system domain:
Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.
Step 2 At the system prompt, enter set domain, and press Enter.
Step 3 At the prompt for the domain name, enter the domain name, and press Enter.
Result: The console displays:
You should reboot appliance for the change to take effect.
Setting the Solution Engine System Hostname
Caution Performing this procedure stops and restarts all services, and will interrupt use of the ACS SE.
You can set the system hostname. To set the ACS SE system hostname:
Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine from a Serial Console.
Step 2 At the system prompt, enter set hostname, and press Enter.
Step 3 At the prompt for the hostname, enter the hostname, and press Enter.
Tip You can use up to 15 letters and numbers, but no spaces.
Result: The console displays:
Stopping all ACS Services
Stopping service: CSAdmin.
Stopping service: CSAuth..
Stopping service: CSDbSync.
Stopping service: CSRadius..
Stopping service: CSTacacs.
Starting all ACS Services
Starting service: CSAdmin....
Starting service: CSAuth..
Starting service: CSDbSync.
Starting service: CSLog..
Starting service: CSRadius.
Starting service: CSTacacs..
You should reboot appliance for the change to take effect.
The system restarts all services and then prompts you to reboot the appliance. The new hostname takes effect after the system reboot.
Patch Rollback
This section contains:
•Removing Installed Patches
•Understanding the CSAgent Patch
Removing Installed Patches
Use this procedure to uninstall one or more patches and to roll back the ACS SE to the version that existed before the patch installation.
To roll back an ACS SE system patch:
Step 1 Connect a console to the ACS SE console port. For the location of the console port, see Figure 1-2.
Step 2 At the system prompt, enter rollback and the name of the patch application that you want rolled back, and press Enter.
Tip If you do not include the specific patch application name as a parameter following the rollback command, the system displays the list of patches that can be rolled back. Use this list to identify the patch application name, enter rollback followed by the patch application name, and then press Enter.
Step 3 At the confirmation prompt, enter Y, and press Enter.
Result: The console displays:
Rollback process initiated successfully
Successfully rolled back `[patch name]' to 0.
Tip To obtain system information, including the current version, see Determining the Status of Solution Engine System and Services from a Serial Console.
Understanding the CSAgent Patch
In ACS SE the CSAgent service is implemented as a pre-installed patch. You must stop CSAgent before you can install any patch or upgrade. Although, as a patch, the CSAgent can be rolled back, the preferred method for disabling this service is simply to stop it. Once stopped, the CSAgent service does not restart when the system is restarted; you must explicitly restart the service for it to operate. For more information, see the User Guide for Cisco Secure Access Control Server 4.2.
Recovery Management
ACS SE functionality includes two procedures that the administrator can perform by using the ACS SE Recovery CD-ROM:
•Recovering from Loss of Administrator Credentials
•Re-imaging the Solution Engine Hard Drive
Recovering from Loss of Administrator Credentials
If you cannot log in to the system because you have lost the account name or password for the ACS SE administrator account, perform this procedure. In this procedure you use the ACS SE Recovery CD-ROM to access the system from the serial console and reset the administrator login credentials.
The ACS SE administrator login credentials:
•Consist of only one set of login credentials at one time.
•Are set (that is, changed from the default) during initial configuration.
•Can be reset at any time. For more information, see Resetting the Solution Engine Administrator Password.
This recovery procedure entails replacing the administrator login credentials with a new account name and password.
To reset the administrator login credentials:
Step 1 Connect a console to the ACS SE console port. For the location of the console port, see Figure 1-3.
Step 2 Power on the console.
Step 3 Insert the ACS SE Recovery CD-ROM into the solution engine CD-ROM drive.
Step 4 Power on the ACS SE. (Or if already running, reboot the solution engine. For more information, see Rebooting the Solution Engine from a Serial Console.)
Result: The console displays:
ACS Appliance Recovery Options
[1] Reset administrator account
[2] Restore hard disk image from CD
Enter menu item number: [ ]
Step 5 At the Enter menu item number: [ ] prompt, enter 1, and press Enter.
Step 6 At the Hit the Return key to log in: prompt, enter Y, and press Enter.
Result: The console displays:
Please remove this recovery CD from the drive,
then hit RETURN to restart the system:
Step 7 Remove the recovery CD from the drive, and press Enter.
Result: The system reboots, and displays the system version information:
Status: The appliance is functioning properly.
Default administrator account can be reset now.
Press enter to change default administrator account and password.
Step 8 Press Enter to change the default administrator account and password.
Result: The console displays:
Step 9 At the Enter new account name: prompt, enter the name of the administrator, and press Enter.
Result: The console displays:
Enter new password:
Step 10 At the Enter new password: prompt, enter the new password, and press Enter.
Note The new password must be unique and should not be identical to the last ten passwords that have been used. It must contain a minimum of six characters, and it must include a mix of at least three character types: numerals, special characters, uppercase letters, and lowercase letters. Each of the following examples is acceptable: 1PaSsWoRd, *password44, Pass*word.
Result: The console displays:
Enter new password again:
Step 11 At the Enter new password again: prompt, enter the new password again, and press Enter.
Result: The console displays:
Password is set successfully.
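The password rules stated in the notes of Resetting the Solution Engine Administrator Password, Resetting the Solution Engine Database Password and this recovery procedure (plus the 4 to 32 character limit for GUI administrators) can be checked before a password is typed at the console. This is an added example, not ACS SE code; the function names, the case-insensitive account-name comparison and the oldest-to-newest ordering of the password history are assumptions.

```python
"""Checks a proposed password against the rules stated in the ACS SE notes.

Added example, not ACS SE code. Function names, the case-insensitive
account-name comparison and the oldest-to-newest history order are assumptions.
"""
import re

# The four character types named in the notes; a compliant CLI or database
# password must draw on at least three of them.
CHARACTER_TYPES = {
    "numeral": re.compile(r"[0-9]"),
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "special": re.compile(r"[^0-9A-Za-z]"),
}


def check_cli_password(password, account_name="", history=(),
                       min_length=6, min_types=3, history_depth=10):
    """Return the list of violated rules; an empty list means acceptable.

    Covers the union of the CLI administrator, database and recovery notes:
    minimum length, character-type mix, no administrator account name,
    and no reuse of the last ``history_depth`` passwords.
    ``history`` is assumed to be ordered oldest to newest.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"fewer than {min_length} characters")
    present = [name for name, rx in CHARACTER_TYPES.items() if rx.search(password)]
    if len(present) < min_types:
        problems.append(f"only {len(present)} of {min_types} required character types")
    # Assumption: the account-name rule is applied case-insensitively.
    if account_name and account_name.lower() in password.lower():
        problems.append("contains the administrator account name")
    if password in list(history)[-history_depth:]:
        problems.append(f"identical to one of the last {history_depth} passwords")
    return problems


def check_gui_password(password, min_length=4, max_length=32):
    """Apply the GUI administrator rule: between 4 and 32 characters."""
    problems = []
    if len(password) < min_length:
        problems.append(f"fewer than {min_length} characters")
    if len(password) > max_length:
        problems.append(f"more than {max_length} characters")
    return problems


if __name__ == "__main__":
    # The three examples the notes call acceptable, plus two constructed rejects.
    for candidate in ("1PaSsWoRd", "*password44", "Pass*word", "password", "Admin123!"):
        print(candidate, check_cli_password(candidate, account_name="admin") or "acceptable")
```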
Re-imaging the Solution Engine Hard Drive
Use the ACS SE Recovery CD-ROM to re-image the appliance if necessary.
Caution Performing this procedure destroys all data stored on the ACS SE.
To re-image your ACS SE:
Step 1 Connect a console to the ACS SE console port. For the location of the console port, see Figure 1-3.
Step 2 Put the Recovery CD in the ACS SE CD-ROM drive. See Figure 1-2.
Step 3 Power on the ACS SE. (Or, if the solution engine is already running, reboot it.) For more information, see Rebooting the Solution Engine from a Serial Console.
Result: The console displays:
ACS Appliance Recovery Options
[1] Reset administrator account
[2] Restore hard disk image from CD
Enter menu item number: [ ]
Step 4 At the Enter menu item number: [ ] prompt, enter 2, and press Enter.
Result: The console displays:
This operation will completely erase the hard drive. Press `Y' to confirm, any other key
to cancel: __
Caution The next step erases the ACS SE hard drive. You will permanently lose all system data that you have not backed up.
Step 5 Enter Y, and press Enter.
Result: The appliance processes the new image (this might take more than 2 minutes) while displaying odd characters and then displays the following message on the console:
The system has been reimaged successfully. Please remove this recovery CD from the drive,
then hit RETURN to restart the system:
Step 6 Remove the Recovery CD from the ACS SE, and press Enter to restart the appliance.
Result: The ACS SE reboots, performs some configurations, and reboots again. The configurations that occur after the first reboot take a significant amount of time, during which there is no feedback. This is normal system behavior.
Note After re-imaging the solution engine hard drive, you must once again perform initial configuration of the ACS SE. For detailed instructions, see Configuring ACS SE.