Table Of Contents
Managing System Administration Configurations
Configuring Global System Options
Configuring TACACS+ Settings
Configuring EAP-TLS Settings
Configuring PEAP Settings
Configuring EAP FAST Settings
Generating EAP-FAST PAC
Configuring Dictionaries
Viewing RADIUS and TACACS+ Attributes
Configuring Identity Dictionaries
Creating, Duplicating, and Editing an Internal User Identity Attribute
Deleting an Internal User Identity Attribute
Configuring User Authentication Options
Creating, Duplicating, and Editing an Internal Host Identity Attribute
Deleting an Internal Host Identity Attribute
Configuring Local Server Certificates
Adding Local Certificates
Importing Server Certificates
Generating Self-Signed Certificates
Generating a Certificate Signing Request
Binding CA Signed Certificates
Editing Certificates
Deleting Certificates
Exporting Certificates
Viewing Outstanding Signing Requests
Configuring Logs
Configuring Remote Log Targets
Deleting a Remote Log Target
Configuring the Local Log
Deleting Local Log Data
Configuring Logging Categories
Configuring Global Logging Categories
Configuring Per-Instance Logging Categories
Configuring Per-Instance Security and Log Settings
Configuring Per-Instance Remote Syslog Targets
Displaying Logging Categories
Configuring the Log Collector
Viewing the Log Message Catalog
Configuring Licenses
Licensing Overview
Types of Licenses
Installing a License File
Viewing the Base License
Upgrading the Base Server License
Viewing License Feature Options
Adding Deployment License Files
Deleting Deployment License Files
Managing System Administration Configurations
When you select System Administration > Configuration, you can access pages that allow you to do the following:
• Configure global system options, including settings for TACACS+, EAP-TLS, PEAP, and EAP-FAST. See Configuring Global System Options.
• Configure protocol dictionaries. See Configuring Dictionaries.
• Manage local server certificates. See Configuring Local Server Certificates.
• Manage log configurations. See Configuring Logs.
• Manage licensing. See Configuring Licenses.
Configuring Global System Options
From the System Administration > Configuration > Global System Options pages, you can view these options:
• Configuring TACACS+ Settings
• Configuring EAP-TLS Settings
• Configuring PEAP Settings
• Configuring EAP FAST Settings
• Generating EAP-FAST PAC
Configuring TACACS+ Settings
Use the TACACS+ Settings page to configure TACACS+ runtime characteristics.
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
Select System Administration > Configuration > Global System Options > TACACS+ Settings.
The TACACS+ Settings page appears as described in Table 16-1:
Table 16-1 TACACS+ Settings
Option | Description
Port to Listen | The port number on which to listen.
Connection Timeout | Number of minutes before the connection times out.
Session Timeout | Number of minutes before the session times out.
Maximum Packet Size | Maximum packet size (in bytes).
Single Connect Support | Check to enable single connect support.
Username Prompt | A text string to use as the username prompt.
Password Prompt | A text string to use as the password prompt.
Configuring EAP-TLS Settings
Use the EAP-TLS Settings page to configure EAP-TLS runtime characteristics.
Select System Administration > Configuration > Global System Options > EAP-TLS Settings.
The EAP-TLS Settings page appears as described in Table 16-2:
Table 16-2 EAP-TLS Settings
Option | Description
Enable EAP-TLS Session Resume | Check this box to support abbreviated reauthentication of a user who has passed full EAP-TLS authentication. This feature provides reauthentication of the user with only an SSL handshake and without the application of certificates. EAP-TLS session resume works only within the EAP-TLS session timeout value.
EAP-TLS session timeout | Enter the number of seconds before the EAP-TLS session times out.
Configuring PEAP Settings
Use the PEAP Settings page to configure PEAP runtime characteristics.
Select System Administration > Configuration > Global System Options > PEAP Settings.
The PEAP Settings page appears as described in Table 16-3:
Table 16-3 PEAP Settings
Option | Description
Enable PEAP Session Resume | When checked, ACS caches the TLS session that is created during phase one of PEAP authentication, provided the user successfully authenticates in phase two of PEAP. If a user needs to reconnect and the original PEAP session has not timed out, ACS uses the cached TLS session, resulting in faster PEAP performance and a lessened AAA server load. You must specify a PEAP session timeout value for the PEAP session resume features to work.
PEAP Session Timeout | Enter the number of seconds before the PEAP session times out. The default value is 7200 seconds.
Enable Fast Reconnect | Check to allow a PEAP session to resume in ACS without checking user credentials when the session resume feature is enabled.
Related Topic
• Generating EAP-FAST PAC
Configuring EAP FAST Settings
Use the EAP-FAST Settings page to configure EAP-FAST runtime characteristics.
Step 1
Select System Administration > Configuration > Global System Options > EAP-FAST > Settings.
The EAP-FAST Settings page appears as described in Table 16-4:
Table 16-4 EAP-FAST Settings
Option | Description
General
Authority Identity Info Description | A user-friendly string that describes the ACS server that sends credentials to a client. The client can discover this string in the Protected Access Credentials Information (PAC-Info) Type-Length-Value (TLV). The default value is Cisco Secure ACS.
Master Key Generation Period | The value is used to encrypt or decrypt and sign or authenticate PACs. The default is one month.
Revoke
Revoke All Master Keys and PACs | Click Revoke to revoke all previous master keys and PACs. This operation should be used with caution. Note: If the ACS node is a secondary node, the Revoke option is disabled.
Generating EAP-FAST PAC
Use the EAP-FAST Generate PAC page to generate a user or machine PAC.
Step 1
Select System Administration > Configuration > Global System Options > EAP-FAST > Generate PAC.
The Generate PAC page appears as described in Table 16-5:
Table 16-5 Generate PAC
Option | Description
Tunnel PAC | Select to generate a tunnel PAC.
Machine PAC | Select to generate a machine PAC.
Identity | Specifies the username or machine name presented as the "inner username" by the EAP-FAST protocol. If the Identity string does not match that username, authentication will fail.
PAC Time To Live | Enter the equivalent maximum value in days, weeks, months and years, and enter a positive integer.
Password | Enter the password.
Step 2
Click Generate PAC.
Configuring Dictionaries
The following tasks are available when you select System Administration > Configuration > Dictionaries:
• Viewing RADIUS and TACACS+ Attributes
• Configuring Identity Dictionaries
Viewing RADIUS and TACACS+ Attributes
The RADIUS and TACACS+ Dictionary pages display the available protocol attributes in these dictionaries:
• RADIUS (IETF)
• RADIUS (Cisco)
• RADIUS (Microsoft)
• RADIUS (Ascend)
• RADIUS (Cisco Airespace)
• RADIUS (Cisco Aironet)
• RADIUS (Cisco BBSM)
• RADIUS (Cisco VPN 3000)
• RADIUS (Cisco VPN 5000)
• RADIUS (Juniper)
• RADIUS (Nortel [Bay Networks])
• RADIUS (RedCreek)
• RADIUS (US Robotics)
• TACACS+
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
To view and choose attributes from a protocol dictionary, select System Administration > Configuration > Dictionaries > Protocols; then choose a dictionary.
The Dictionary page appears with a list of available attributes as shown in Table 16-6:
Table 16-6 Protocols Dictionary Page
Option | Description
Attribute | The name of the attribute.
ID | (RADIUS only) The VSA ID.
Type | The data type of the attribute.
Direction | (RADIUS only) Specifies where the attribute is in use: in the request, in the response, or both. Single or bidirectional authentication.
Multiple Allowed | (RADIUS only) Multiple attributes are allowed. Attributes that specify multiple allowed can be used more than once in one request or response.
Use the arrows to scroll through the attribute list.
Configuring Identity Dictionaries
This section contains the following topics:
• Creating, Duplicating, and Editing an Internal User Identity Attribute
• Deleting an Internal User Identity Attribute
• Configuring User Authentication Options
• Creating, Duplicating, and Editing an Internal Host Identity Attribute
• Deleting an Internal Host Identity Attribute
Creating, Duplicating, and Editing an Internal User Identity Attribute
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
To create, duplicate, and edit an internal user identity attribute:
Step 1
Select System Administration > Configuration > Dictionaries > Identity > Internal Users.
The Attributes list for the Internal Users page appears.
Step 2
Perform one of these actions:
• Click Create.
• Check the check box next to the attribute that you want to duplicate and click Duplicate.
• Click the attribute name that you want to modify; or, check the check box for the name and click Edit.
The Identity Attribute Properties page appears.
Step 3
Modify the fields in the Identity Attributes Properties page as required. See Table 16-7 for field descriptions.
Table 16-7 Identity Attribute Properties Page
Option | Description
General
Attribute | The name of the attribute.
Description | A description of the attribute.
Attribute Type
Attribute Type | (Optional) Use the drop-down list box to choose an attribute type. Valid options are:
• String—Populates the Maximum Length and Default Value fields in the page.
• Unsigned Integer 32—Populates the Valid Range From and To fields in the page.
• IPv4 Address—Populates the Default Value field in the page.
• Boolean—Populates the Default Value check box in the page.
• Date—Populates the Default Value field and calendar icon in the page.
Maximum Length | (Optional) For the String attribute type only. Enter the maximum length of your attribute. The valid range is from 1 to 256. (Default = 32)
Value Range | (Optional) For the Unsigned Integer attribute type only.
• From—Enter the lowest acceptable integer value. The valid range is from 0 to 2^31-1 (2147483647). This value must be smaller than the Valid Range To value.
• To—Enter the highest acceptable integer value. The valid range is from 0 to 2^31-1 (2147483647). This value must be larger than the Valid Range From value.
Default Value | Enter the default value for the appropriate attribute:
• String—Up to the maximum length. (Follow the UTF-8 standard.) You can use the letters a to z, A to Z, and the digits 0 to 9.
• Unsigned Integer 32—An integer in the range from 0 to 2^31-1 (2147483647).
• IPv4 Address—Enter the IP address you want to associate with this attribute, in the format: x.x.x.x, where x.x.x.x is the IP address (no subnet mask).
• Date—Click the calendar icon to display the calendar popup and select a date.
• Boolean Value—Select True or False.
Attribute Configuration
Mandatory Fields | Check the check box to make this attribute a requirement in the User Properties page.
Add Policy Condition | Check the check box to create a custom condition from this attribute. When you check this option, you must enter a name in the Policy Condition Display Name field.
Policy Condition Display Name | Enter a name for the policy condition. After you submit this page, the condition appears in the Policy Elements > Session Conditions > Custom page.
Step 4
Click Submit.
The internal user attribute configuration is saved. The Attributes list for the Internal Users page appears with the new attribute configuration.
Related Topics
• Deleting an Internal User Identity Attribute
• Configuring User Authentication Options
• Policies and Identity Attributes, page 3-11
Deleting an Internal User Identity Attribute
To delete an internal user identity attribute:
Step 1
Select System Administration > Configuration > Dictionaries > Identity > Internal Users.
The Attributes list for the internal user page appears.
Step 2
Check the check box next to the attribute you want to delete. Because deleting an identity attribute can take a long time to process, you can delete only one attribute at a time.
Step 3
Click Delete.
Step 4
For confirmation, click Yes or Cancel.
The Attributes list for the internal user page appears without the deleted attribute.
Related Topics
• Creating, Duplicating, and Editing an Internal User Identity Attribute
• Policies and Identity Attributes, page 3-11
Configuring User Authentication Options
You can determine whether to include the Enable Password field in the User Properties page. If you configure the Enable Password field to be displayed in the User Properties page, the enable password is required input for the user.
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
To configure the TACACS+ Enable Password user authentication option:
Step 1
Select System Administration > Configuration > Dictionaries > Identity > Internal Users, and click Users Authentication.
The Users Authentication page appears.
Step 2
Check the TACACS Enable Password check box if you want to enable TACACS+ password authentication. Uncheck to disable.
Step 3
Click Submit.
Related Topic
• Creating, Duplicating, and Editing an Internal Host Identity Attribute
Creating, Duplicating, and Editing an Internal Host Identity Attribute
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
To create, duplicate, and edit an internal host identity attribute:
Step 1
Select System Administration > Configuration > Dictionaries > Identity > Internal Hosts.
The Attributes list for the Internal Hosts page appears.
Step 2
Perform one of these actions:
• Click Create.
• Check the check box next to the attribute that you want to duplicate and click Duplicate.
• Click the attribute name that you want to modify; or, check the check box for the name and click Edit.
The Identity Attribute Properties page appears.
Step 3
Modify the fields in the Identity Attributes Properties page as required. See Table 16-7 for field descriptions.
Step 4
Click Submit.
The internal host attribute configuration is saved. The Attributes list for the Internal Hosts page appears with the new attribute configuration.
Related Topics
• Deleting an Internal Host Identity Attribute
• Policies and Identity Attributes, page 3-11
Deleting an Internal Host Identity Attribute
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
To delete an internal host identity attribute:
Step 1
Select System Administration > Configuration > Dictionaries > Identity > Internal User.
The Attributes list for the Internal Hosts page appears.
Step 2
Check the check box next to the attribute you want to delete. Because deleting an attribute can take a long time to process, you can delete only one attribute at a time.
Step 3
Click Delete.
Step 4
For confirmation, click Yes or Cancel.
The Attributes list for the Internal Hosts page appears without the deleted attribute.
Related Topics
• Creating, Duplicating, and Editing an Internal Host Identity Attribute
• Policies and Identity Attributes, page 3-11
Configuring Local Server Certificates
Local server certificates are also known as ACS server certificates. Local server certificates are used to identify the ACS server to clients.
This section contains the following topics:
• Adding Local Certificates
• Importing Server Certificates
• Generating Self-Signed Certificates
• Generating a Certificate Signing Request
• Binding CA Signed Certificates
• Editing Certificates
• Deleting Certificates
• Exporting Certificates
• Viewing Outstanding Signing Requests
Adding Local Certificates
You can add a local server certificate, also known as an ACS server certificate, to identify the ACS server to clients.
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
Step 5
Select System Administration > Configuration > Local Server Certificates > Local Certificates. The Local Certificates page appears displaying the information in Table 16-8:
Table 16-8 Local Certificates Page
Option | Description
Friendly Name | The name that is associated with the certificate.
Issued To | The entity to which the certificate is issued. The name that appears is from the certificate subject.
Issued By | Trusted party that issued the certificate.
Valid From | The date the certificate is valid from.
Valid To (Expiration) | The date the certificate is valid to.
Protocol | The protocol associated with the certificate.
Step 6
Click Add.
Step 7
Enter the information in the Local Certificate Store Properties page as described in Table 16-9:
Table 16-9 Local Certificate Store Properties Page
Option | Description
Import Server Certificate | Select to browse the client machine for the Local Certificate file and optionally import the private key and private key password. See Importing Server Certificates. Note: The supported certificate formats are either DER or PEM.
Generate Self Signed Certificate | Select to generate a self-signed certificate. See Generating Self-Signed Certificates.
Generate Certificate Signing Request | Select to generate a certificate signing request. See Generating a Certificate Signing Request.
Bind CA Signed Certificate | Select to bind the CA certificate. After the RA signs the request, you can install the returned signed certificate on ACS and bind the certificate with its corresponding private key. See Binding CA Signed Certificates.
Importing Server Certificates
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
Note
The supported certificate formats are either DER or PEM.
Step 1
Select System Administration > Configuration > Local Server Certificates > Certificate Installations > Add, then select Import Server Certificate > Next.
Step 2
Enter the information in the ACS Import Server Certificate as described in Table 16-10:
Table 16-10 Import Server Certificate Page
Option | Description
Certificate File | Select to browse the client machine for the local certificate file.
Private Key File | Select to browse to the location of the private key.
Private Key Password | Enter the private key password. Minimum length is 0; maximum length is 256.
Protocol
EAP | Check to associate the certificate with EAP.
EAP HTTPS | Check to associate the certificate with HTTPS.
Step 3
Click Finish.
The new certificate is saved. The Local Certificate Store page appears with the new certificate.
Generating Self-Signed Certificates
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
Step 1
Select System Administration > Configurations > Local Server Certificates > Certificate Installations > Add and then select Generate Self Signed Certificate > Next.
Step 2
Enter the information in the ACS Import Server Certificate as described in Table 16-11:
Table 16-11 Generate Self Signed Certificate Step 2
Option | Description
Certificate Subject | Certificate subject entered during generation of this request. The Certificate Subject field may contain alphanumeric characters. The maximum number of characters is 1024. This field is prefixed with "cn=".
Key Length | Key length entered during generation of this request. Values may be 512, 1024, 2048, or 4096.
Digest to Sign with | This field is populated with the value SHA1 for ACS 5.0.
Expiration TTL | Select the equivalent maximum value in days, weeks, months, and years, and enter a positive integer.
Protocol
EAP | Check to associate the certificate with the EAP.
HTTPS | Check to associate the certificate with the HTTPS.
Step 3
Click Finish.
The new certificate is saved. The Local Certificate Store page appears with the new certificate.
Generating a Certificate Signing Request
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
Step 1
Select System Administration > Configurations > Local Server Certificates > Certificate Installations > Add and then select Generate Certificate Signing Request > Next.
Step 2
Enter the information in the ACS Import Server Certificate as described in Table 16-12:
Table 16-12 Generate Signing Requests Step 2
Option | Description
Certificate Subject | Certificate subject entered during generation of this request. The Certificate Subject field may contain alphanumeric characters. The maximum number of characters is 1024. This field is prefixed with "cn=".
Key Length | Key length entered during generation of this request. Values may be 512, 1024, 2048, or 4096.
Digest to Sign with | This field is populated with the value SHA1 for ACS 5.0.
Step 3
Click Finish.
The new certificate is saved. The Local Certificate Store page appears with the new certificate.
Binding CA Signed Certificates
Use this page to bind a CA signed certificate to the request that was used to obtain the certificate from the CA.
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
Step 1
Select System Administration > Configurations > Local Server Certificates > Certificate Installations > Add and then select Bind CA Signed Certificate > Next.
Step 2
Enter the information in the ACS Import Server Certificate as described in Table 16-13:
Table 16-13 Bind CA Signed Certificate Step 2
Option | Description
Certificate File | Browse to the client machine and select the certificate file to be imported.
Protocol
EAP | Check to associate the certificate with the EAP.
HTTPS | Check to associate the certificate with the HTTPS.
Step 3
Click Finish.
The new certificate is saved. The Local Certificate Store page appears with the new certificate.
Related Topics
• Configuring Local Server Certificates
• Certificate-based Network Access for EAP-TLS, page 4-7
Editing Certificates
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
To edit a certificate:
Step 1
Select System Administration > Configuration > Local Server Certificates > Local Certificates.
Step 2
Click the name that you want to modify; or, check the check box for the Name, and click Edit.
Step 3
Enter the certificate properties as described in Table 16-14:
Table 16-14 Edit Certificate Store Properties Page
Option | Description
Issuer
Friendly Name | The name that is associated with the certificate.
Description | A description of the certificate.
Issued To | Display only. The entity to which the certificate is issued. The name that appears is from the certificate subject.
Issued By | Display only. The certification authority that issued the certificate.
Valid From | Display only. The start date of the certificate's validity. An X509 certificate is valid only from the start date to the end date (inclusive).
Valid To (Expiration) | Display only. The last date of the certificate's validity.
Serial Number | Display only. The serial number of the certificate.
Protocol
EAP-TLS | Check so that ACS will use the Local Certificate for EAP.
HTTPS | Check so that ACS will use the Local Certificate for HTTPS.
Renew Self Signed Certificate
Certificate Expires On | Display only. Date the certificate expires.
Renew Self Signed Certificate | Check to allow the renewal of a self signed certificate that expired.
Expiration TTL | Select the equivalent maximum value in days, weeks, months, and years, and enter a positive integer.
Step 4
Click Submit.
The Local Certificate Store page appears with the edited certificate.
Related Topic
• Configuring Local Server Certificates
Deleting Certificates
To delete a certificate:
Step 1
Select System Administration > Configuration > Local Server Certificates > Local Certificates.
Step 2
Check one or more check boxes next to the certificates that you want to delete.
Step 3
Click Delete.
Step 4
For confirmation, click Yes or Cancel.
The Certificate Store page appears without the deleted certificate(s).
Related Topic
• Configuring Local Server Certificates
Exporting Certificates
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
To export a certificate:
Step 1
Select System Administration > Configuration > Local Server Certificates > Local Certificates.
Step 2
Check the box next to the certificates that you want to export, then click Export.
The Export Certificate dialog box appears.
Step 3
Select one of the following options:
• Export Certificate Only
• Export Certificate and Private Key
Note
Exporting the private key is not a secure operation and could lead to possible exposure of the private key.
Step 4
Click OK or Cancel.
Related Topic
• Configuring Local Server Certificates
Viewing Outstanding Signing Requests
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
Select System Administration > Configurations > Local Server Certificates > Outstanding Signing Request.
The Certificate Signing Request page appears displaying the information described in Table 16-15:
Table 16-15 Certificate Signing Request Page
Option | Description
Name | Name of the certificate.
Certificate Subject | Certificate subject entered during generation of this request. The Certificate Subject field may contain alphanumeric characters. The maximum number of characters is 1024. This field should be automatically prefixed with "cn=".
Key Length | Key length entered during generation of this request. Values may be 512, 1024, 2048, or 4096.
Timestamp | Date certificate was created.
Friendly Name | The name that is associated with the certificate.
Click Export to export the local certificate to a client machine.
Configuring Logs
Log records are generated for:
• Accounting messages
• AAA audit and diagnostics messages
• System diagnostics messages
• Administrative audit messages
The messages are arranged in a tree hierarchy within the logging categories (see Configuring Logging Categories for more information).
You can store log messages locally or remotely, based on the logging categories and maintenance parameters.
This section contains the following topics:
• Configuring Remote Log Targets
• Configuring the Local Log
• Configuring Logging Categories
• Configuring Global Logging Categories
• Configuring Per-Instance Logging Categories
• Displaying Logging Categories
• Configuring the Log Collector
• Viewing the Log Message Catalog
See Chapter 17, "Understanding Logging" for a description of the preconfigured global ACS logging categories and the messages that each contains.
Configuring Remote Log Targets
You can configure specific remote log targets (on a syslog server only) to receive the logging messages for a specific logging category. See Chapter 17, "Understanding Logging" for more information on remote log targets. See Configuring Logging Categories for more information on the preconfigured ACS logging categories.
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
To create a new remote log target:
Step 1
Select System Administration > Configuration > Log Configuration > Remote Log Targets.
The Remote Log Targets page appears.
Step 2
Do one of the following:
• Click Create.
• Check the check box next to the remote log target that you want to duplicate and click Duplicate.
• Click the name of the remote log target that you want to modify; or check the check box next to the name of the remote log target that you want to modify and click Edit.
One of these pages appears:
• Remote Log Targets > Create, if you are creating a new remote log target.
• Remote Log Targets > Duplicate: "<log_target>", where <log_target> is the name of the remote log target you selected in Step 2, if you are duplicating a remote log target.
• Remote Log Targets > Edit: "<log_target>", where <log_target> is the name of the remote log target you selected in Step 2, if you are modifying a remote log target.
Step 3
Complete the required fields as described in Table 16-16:
Table 16-16 Remote Log Targets Configuration Page
Option | Description
General
Name | The name of the remote log target. Maximum name length is 32 characters.
Description | The description of the remote log target. Maximum description length is 1024 characters.
Type | The type of remote log target—Syslog (the only option).
Target Configuration
IP Address | IP address of the remote log target, in the format x.x.x.x.
Use Advanced Syslog Options | Click to enable the advanced syslog options—port number, facility code, and maximum length.
Port | The port number of the remote log target used as the communication channel between the ACS and the remote log target (default = 514). This option is only visible if you click Use Advanced Syslog Options.
Facility Code | The facility code. Valid options are:
• LOCAL0 (Code = 16)
• LOCAL1 (Code = 17)
• LOCAL2 (Code = 18)
• LOCAL3 (Code = 19)
• LOCAL4 (Code = 20)
• LOCAL5 (Code = 21)
• LOCAL6 (Code = 22; default)
• LOCAL7 (Code = 23)
This option is only visible if you click Use Advanced Syslog Options.
Maximum Length | The maximum length of the remote log target messages. Valid options are from 200 to 1024. This option is only visible if you click Use Advanced Syslog Options.
Step 4
Click Submit.
The remote log target configuration is saved. The Remote Log Targets page appears with the new remote log target configuration.
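The limits and facility codes in Table 16-16 determine what a syslog collector should expect from ACS. The following is an added example, not Cisco's code: it validates a target definition against those limits and decodes the standard syslog PRI header (facility × 8 + severity) of received lines to confirm they arrive on the configured facility. The dictionary keys, host names and sample lines are constructed for illustration.

```python
import ipaddress
import re

# Facility names and codes as listed in Table 16-16 (LOCAL0..LOCAL7 = 16..23).
FACILITIES = {f"LOCAL{i}": 16 + i for i in range(8)}
# Standard syslog severity names; list index is the numeric severity (0..7).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")


def validate_target(cfg):
    """Check a remote log target definition against the Table 16-16 limits."""
    problems = []
    if not 1 <= len(cfg.get("name", "")) <= 32:
        problems.append("name must be 1 to 32 characters")
    if len(cfg.get("description", "")) > 1024:
        problems.append("description exceeds 1024 characters")
    try:
        ipaddress.IPv4Address(cfg.get("ip", ""))
    except ValueError:
        problems.append("ip must be an IPv4 address in x.x.x.x form")
    if not 1 <= cfg.get("port", 514) <= 65535:  # general port range
        problems.append("port must be 1 to 65535")
    if cfg.get("facility", "LOCAL6") not in FACILITIES:
        problems.append("facility must be LOCAL0 to LOCAL7")
    if "max_length" in cfg and not 200 <= cfg["max_length"] <= 1024:
        problems.append("max_length must be 200 to 1024")
    return problems


def decode_pri(line):
    """Return (facility, severity) from the <PRI> header, or None if invalid."""
    match = PRI_RE.match(line)
    if match is None:
        return None
    pri = int(match.group(1))
    if pri > 191:  # highest valid value: facility 23, severity 7
        return None
    return pri >> 3, pri & 7  # PRI = facility * 8 + severity


def audit_received(cfg, lines):
    """Count severities for lines on the configured facility; list the rest."""
    expected = FACILITIES[cfg.get("facility", "LOCAL6")]
    counts, rejected = {}, []
    for number, line in enumerate(lines, start=1):
        decoded = decode_pri(line)
        if decoded is None:
            rejected.append((number, "missing or invalid PRI header"))
        elif decoded[0] != expected:
            rejected.append((number, f"facility {decoded[0]}, expected {expected}"))
        else:
            name = SEVERITIES[decoded[1]]
            counts[name] = counts.get(name, 0) + 1
    return counts, rejected


# Constructed target definition (key names are hypothetical, not ACS fields).
TARGET = {"name": "siem-collector", "ip": "192.0.2.10", "port": 514,
          "facility": "LOCAL6", "max_length": 1024}

# Constructed datagrams; the text after the PRI header is placeholder content.
SAMPLE_LINES = [
    "<181>Jan  5 10:00:01 acs-lab constructed message A",  # 22*8+5: LOCAL6, notice
    "<179>Jan  5 10:00:02 acs-lab constructed message B",  # 22*8+3: LOCAL6, err
    "<38>Jan  5 10:00:03 other-host constructed message C",  # 4*8+6: auth, info
    "Jan  5 10:00:04 acs-lab constructed message D",  # no PRI header
]

if __name__ == "__main__":
    print(validate_target(TARGET))
    print(audit_received(TARGET, SAMPLE_LINES))
```

Lines reported in the second return value of `audit_received` are the ones a collector filter keyed on the configured facility would not attribute to this target.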
Related Topic
• Deleting a Remote Log Target
Deleting a Remote Log Target
To delete a remote log target:
Step 1
Select System Administration > Configuration > Log Configuration > Remote Log Targets.
The Remote Log Targets page appears, with a list of configured remote log targets.
Step 2
Check one or more check boxes next to the remote log targets you want to delete.
Step 3
Click Delete.
The following confirmation message appears:
Are you sure you want to delete the selected item/items?
Step 4
Click OK.
The Remote Log Targets page appears without the deleted remote log targets.
Related Topic
• Configuring Remote Log Targets
Configuring the Local Log
Use the Local Configuration page to configure the maximum number of days to retain your local log data.
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
Step 1
Select System Administration > Configuration > Log Configuration > Local Configuration.
The Local Configuration page appears.
Step 2
In the Maximum log retention period box, enter the number of days for which you want to store local log message files. Valid options are 1 to 365. (Default = 7.)
Note
If you reduce the number of days for which to store the local log message files, the log message files older than the number of days you specify are deleted automatically.
You can click Delete Logs Now to delete the local logs, including all non-active log files, immediately. See Deleting Local Log Data for more information on deleting log data.
Step 3
Click Submit to save your changes. Your configuration is saved and the Local Configuration page is refreshed.
Deleting Local Log Data
Use the Local Configuration page to manually delete your local log data. You can use this option to free up space when the local store is full. See Local Store Target, page 17-4 for more information about the local store.
Step 1
Select System Administration > Configuration > Log Configuration > Local Configuration.
The Local Configuration page appears.
Step 2
Click Delete Logs Now to immediately delete all local log data files, except the log data in the currently active log data file.
The Local Configuration page is refreshed.
Configuring Logging Categories
This section contains the following topics:
• Configuring Global Logging Categories
• Configuring Per-Instance Logging Categories
All configuration performed for a parent logging category affects the children within the logging category. You can select a child of a parent logging category to configure it separately, and it does not affect the parent logging category or the other children.
Configuring Global Logging Categories
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
To view and configure global logging categories:
Step 1
Select System Administration > Configuration > Log Configuration > Logging Categories > Global.
The Logging Categories page appears; from here, you can view the logging categories.
Step 2
Click the name of the logging category you want to configure; or, click the radio button next to the name of the logging category you want to configure and click Edit.
Step 3
Complete the fields as described in Table 16-17.
Table 16-17 Global: General Page
Option | Description
Configure Log Category
Log Severity | For diagnostic logging categories, use the drop-down list box to select the severity level. (For audit and accounting categories, there is only one severity, NOTICE, which cannot be modified.) Valid options are:
• FATAL—Emergency. ACS is not usable and you must take action immediately.
• ERROR—Critical or error condition. (Default)
• WARN—Normal, but significant condition.
• INFO—Informational message.
• DEBUG—Diagnostic bug message.
Configure Local Setting for Category
Log to Local Target | Check to enable logging to the local target.
Note: For administrative audit logging category types, logging to local target is enabled by default and cannot be disabled.
Local Target is Critical | Usable for accounting and for AAA audit (passed authentication) logging category types only. Check the check box to make this local target the critical target.
Note: For administrative audit logging category types, the check box is checked by default and cannot be unchecked; the local target is the critical target.
Configure Logged Attributes
— | Display only. All attributes are logged to the local target.
If you have completed your configuration, proceed to Step 6.
Step 4
To configure a remote syslog target, click the Remote Syslog Target tab and proceed to Step 5.
Step 5
Complete the Remote Syslog Target fields as described in Table 16-18:
Table 16-18 Global: Remote Syslog Target Page
Option | Description
Configure Syslog Targets
Available targets | List of available targets. You can select a target from this list and move it to the Selected Targets list.
Selected targets | List of selected targets. You can select a target from this list and move it to the Available Targets list to remove it from your configuration.
Step 6
Click Submit.
The Logging Categories page appears, with your configured logging category.
Related Topic
• Configuring Per-Instance Logging Categories
Configuring Per-Instance Logging Categories
You can define a custom logging category configuration for specific, overridden ACS instances, or return all instances to the default global logging category configuration.
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
To view and configure per-instance logging categories:
Step 1
Select System Administration > Configuration > Log Configuration > Logging Categories > Per-Instance.
The Per-Instance page appears; from here, you can view the individual ACS instances of your deployment.
Step 2
Click the radio button associated with the name of the ACS instance you want to configure, and choose one of these options:
• Click Override to override the current logging category configuration for selected ACS instances.
• Click Configure to display the Logging Categories page associated with the ACS instance. You can then edit the logging categories for the ACS instance. See Displaying Logging Categories for field descriptions.
• Click Restore to Global to restore selected ACS instances to the default global logging category configuration.
Your configuration is saved and the Per-Instance page is refreshed.
Related Topic
• Configuring Per-Instance Security and Log Settings
Configuring Per-Instance Security and Log Settings
You can configure the severity level and local log settings in a logging category configuration for a specific overridden or custom ACS instance. Use this page to:
• View a tree of configured logging categories for a specific ACS instance.
• Open a page to configure a logging category's severity level, log target, and logged attributes for a specific ACS instance.
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
Step 1
Select System Administration > Configuration > Log Configuration > Logging Categories > Per-Instance, then click Configure.
The Per-Instance: Configuration page appears as described in Table 16-19:
Table 16-19 Per-Instance: Configuration Page
Option | Description
Name | Expandable tree structure of AAA service logging categories.
Edit | Click to display a selected Logging Categories > Edit: "<lc_name>" page, where <lc_name> is the name of the logging category.
Step 2
Perform one of the following:
• Click the name of the logging category you want to configure.
• Select the radio button associated with the name of the logging category you want to configure, and click Edit.
The Per-Instance: General page appears; from here, you can configure the severity level and local log settings in a logging category configuration for a specific ACS instance. See Table 16-20:
Table 16-20 Per-Instance: General Page
Option | Description
Configure Log Category
Log Severity | Use the list box to select the severity level for diagnostic logging categories. (For audit and accounting categories, there is only one severity, NOTICE, which cannot be modified.) Valid options are:
• FATAL—Emergency. The ACS is not usable and you must take action immediately.
• ERROR—Critical or error condition. (Default)
• WARN—Normal, but significant condition.
• INFO—Informational message.
• DEBUG—Diagnostic bug message.
Configure Local Setting for Category
Log to Local Target | Check to enable logging to the local target.
Note: For administrative audit logging category types, logging to local target is enabled by default and cannot be disabled.
Local Target is Critical | Usable for accounting and for passed authentication logging category types only. Check the check box to make this local target the critical target.
Note: For administrative audit logging category types, the check box is checked by default and cannot be unchecked; the local target is the critical target.
Configure Logged Attributes
— | Display only. All attributes are logged to the local target.
Configuring Per-Instance Remote Syslog Targets
Use this page to configure remote syslog targets for logging categories.
Step 1
Select System Administration > Configuration > Log Configuration > Logging Categories > Per-Instance, then click Configure.
The Per-Instance: Configuration page appears as described in Table 16-19.
Step 2
Perform one of the following actions:
• Click the name of the logging category you want to configure.
• Select the radio button associated with the name of the logging category you want to configure, and click Edit.
Step 3
Click the Remote Syslog Target tab. The Per-Instance: Remote Syslog Targets page appears as described in Table 16-21:
Table 16-21 Per-Instance: Remote Syslog Targets Page
Option | Description
Configure Syslog Targets
Available targets | A list of available targets. You can select a target from this list and move it to the Selected Targets list.
Selected targets | A list of selected targets. You can select a target from this list and move it to the Available Targets list to remove it from your configuration.
Displaying Logging Categories
You can view a tree of configured logging categories for a specific ACS instance. In addition, you can configure a logging category's severity level, log target, and logged attributes for a specific ACS instance.
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
Step 1
Select System Administration > Configuration > Log Configuration > Logging Categories > Per-Instance, then click Configure.
Step 2
Complete the fields as described in Table 16-22:
Table 16-22 Per-Instance: Configuration Page
Option | Description
Name | Expandable tree structure of AAA services logging categories.
Edit | Click to display a selected Logging Categories > Edit: "<lc_name>" page, where <lc_name> is the name of the logging category.
Configuring the Log Collector
Use the Log Collector page to select a log data collector and suspend or resume log data transmission.
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
Step 1
Select System Administration > Configuration > Log Configuration > Log Collector.
The Log Collector page appears.
Step 2
Complete the Log Collector fields as described in Table 16-23:
Table 16-23 Log Collector Page
Option | Description
Log Data Collector
Current Log Collector | Display only. Identifies the machine to which the local log messages are sent.
Select Log Collector | Use the drop-down list box to select the machine to which you want local log messages sent.
Set Log Collector | Click to configure the log collector according to the selection you make in the Select Log Collector option.
Step 3
(Optional) Do one of the following:
• Click Suspend to suspend the log data transmission to the configured log collector.
• Click Resume to resume the log data transmission to the configured log collector.
Your configuration is saved and the Log Collector page is refreshed.
Viewing the Log Message Catalog
Use the Log Message Catalog page to view all possible log messages.
Select System Administration > Configuration > Log Configuration > Log Message Catalog.
The Log Message Catalog page appears, with the fields described in Table 16-24, from which you can view all possible log messages that can appear in your log files.
Table 16-24 Log Messages Page
Option | Description
Message Code | Display only. A unique message code identification number associated with a message.
Severity | Display only. The severity level associated with a message.
Category | Display only. The logging category to which a message belongs.
Message Class | Display only. The group to which a message belongs.
Message Text | Display only. English language message text (name of the message).
Description | Display only. English language text that describes the associated message.
Configuring Licenses
This section contains the following topics:
• Licensing Overview
• Types of Licenses
• Installing a License File
• Viewing the Base License
• Adding Deployment License Files
• Deleting Deployment License Files
Licensing Overview
To operate ACS, you must install a valid license. ACS prompts you to install a valid base license when you first access the web interface. Each ACS instance (primary or secondary) in a distributed deployment requires a unique base license.
Note
Each server requires a unique base license in a distributed deployment.
Types of Licenses
Table 16-25 shows the ACS 5.0 license support:
Table 16-25 ACS License Support
License | Description
Base License | The base license is required for all software instances deployed, as well as for all appliances. The base license enables you to use all the ACS functionality except license controlled features, and it enables standard centralized reporting features.
• Required for each ACS instance, primary and secondary.
• Required for all appliances.
• Does not have any expiration date.
• Supports deployments with up to 500 managed devices.
Add-on Licenses |
• Advanced Monitoring and Reports license—Enables enhanced functionality including deployment-wide session monitoring, threshold-based notifications, and diagnostic tools. Requires an existing ACS base license.
• TrustSec Access Control License—Enables Cisco TrustSec (CTS) management functionality. Requires an existing ACS base license.
• Large Deployment license—Supports an unlimited number of managed devices. Requires an existing ACS base license.
There are also evaluation-type licenses for the add-on licenses.
Evaluation License (standard) | Enables standard centralized reporting features.
• Cannot be reused on the same platform.
• You can only install one evaluation license per platform. You cannot install additional evaluation licenses.
• Supports 50 managed devices.
• Expires 90 days from the time the license is installed.
Related Topics
• Licensing Overview
• Installing a License File
• Viewing the Base License
• Adding Deployment License Files
• Deleting Deployment License Files
Installing a License File
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
You can obtain a valid license file using the Product Activation Key (PAK) supplied with the product. To install a license file:
Step 1
Log in to the ACS web interface.
The Initial Licenses page appears when you log in to the ACS machine for the first time.
Step 2
Click Cisco Secure ACS License Registration. This link directs you to Cisco.com to purchase a valid license file from a Cisco representative.
Step 3
Click Install to install the license file that you purchased.
The ACS web interface log in page reappears. You can now work with the ACS application.
Related Topics
• Licensing Overview
• Viewing the Base License
• Adding Deployment License Files
• Deleting Deployment License Files
Viewing the Base License
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
To upgrade the base license:
Step 1
Select System Administration > Configuration > Licensing > Base Server License.
The Base Server License page appears with a description of the ACS deployment configuration and a list of the available deployment licenses. See Types of Licenses for a list of deployment licenses.
Table 16-26 describes the fields in the Base Server License page.
Table 16-26 Base Server License Page
Option | Description
ACS Deployment Configuration
Primary ACS Instance | The name of the primary instance created when you logged into the ACS 5.0 web interface.
Number of Instances | The current number of ACS instances (primary or secondary) in the ACS database.
Current Number of Managed Devices | The current number of managed devices in the ACS database.
Maximum Number of Managed Devices | The maximum number of devices that your license supports.
• Base License—Supports 500 devices.
• Evaluation License—Supports 50 devices.
• Large Deployment—Supports an unlimited number of managed devices.
Use this link to obtain a valid License File | Directs you to Cisco.com to generate a valid license file using the Product Activation Key (PAK).
Base License Configuration
ACS Instance | The name of the ACS instance, either primary or secondary.
Licensed to | The name of the company that this product is licensed to.
PAK | The name of the Product Activation Key (PAK) received from Cisco.
Base License | Specifies the base license type (permanent, evaluation).
Expiration | Specifies the expiration date for evaluation licenses. For permanent licenses, the expiration field indicates permanent.
Version | The current version of the ACS software.
Step 2
You can select one or more radio buttons next to the instance whose license you want to upgrade. Click Upgrade. See Upgrading the Base Server License for valid field options.
Related Topic
• Upgrading the Base Server License
Upgrading the Base Server License
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
You can upgrade the base server license.
Step 1
Select System Administration > Configuration > Licensing > Base Server License.
The Base Server License page appears with a description of the ACS deployment configuration and a list of the available deployment licenses. See Types of Licenses for a list of deployment licenses.
Step 2
Select a license, then click Upgrade.
The Base Server License Edit page appears.
Step 3
Complete the fields as described in Table 16-27:
Table 16-27 Base Server License Edit Page
Option | Description
ACS Instance License Configuration
Version | Displays the current version of the ACS software.
ACS Instance | Displays the name of the ACS instance, either primary or secondary.
Base License | Specifies that the base license is permanent.
Use this link to obtain a valid License File | Directs you to Cisco.com to purchase a valid license file from a Cisco representative.
License Location
License File | Enter the name of the license file you wish to use for the upgrade. Click Browse to navigate to the directory that contains the license file.
Step 4
Click Submit.
Related Topics
• Licensing Overview
• Types of Licenses
• Installing a License File
• Adding Deployment License Files
• Deleting Deployment License Files
Viewing License Feature Options
You can add or delete available existing deployment licenses. The configuration pane at the top of the page shows the deployment information.
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
Select System Administration > Configuration > Licensing > Feature Options.
The Feature Options Page appears as described in Table 16-28:
Table 16-28 Feature Options Page
Option | Description
ACS Deployment Configuration
Primary ACS Instance | The name of the primary instance created when you log in to the ACS 5.0 web interface.
Number of Instances | The current number of ACS instances (primary or secondary) in the ACS database.
Current Number of Managed Devices | The current number of managed devices in the ACS database.
Maximum Number of Managed Devices | The maximum number of devices that your license supports.
• Base License—Supports 500 devices.
• Evaluation License—Supports 50 devices.
• Large Deployment—Supports an unlimited number of managed devices.
Use this link to obtain a valid License File | Directs you to Cisco.com to purchase a valid license file from a Cisco representative.
Installed Deployment License Options
Feature |
• Advanced Monitoring and Report—Enables Advanced Monitoring and Reports functionality. This requires an existing ACS base license.
• Large Deployment—Supports an unlimited number of managed devices.
• CTS—Enables Cisco TrustSec (CTS) management functionality. This requires an existing ACS base license.
Licensed to | The name of the company that this product is licensed to.
Expiration | The expiration date for the following features:
• Advanced Monitoring and Reports
• Large Deployment
• CTS
Add | Click Add to access the Viewing License Feature Options and add a license file.
Delete | Select the radio button next to the license feature you wish to delete and click Delete.
Adding Deployment License Files
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
To add a new base deployment license file:
Step 1
Select System Administration > Configuration > Licensing > Feature Options.
The Feature Options page appears with a description of the ACS deployment configuration and a list of the available deployment licenses and their configurations. See Add-on Licenses in Types of Licenses for a list of deployment licenses. See Viewing License Feature Options for field descriptions.
Step 2
Click Add.
The Feature Options Create page appears.
Step 3
Complete the fields as described in Table 16-29 to add a license:
Table 16-29 Feature Options Create Page
Option | Description
ACS Deployment Configuration
Primary ACS Instance | The name of the primary instance created when you log in to the ACS 5.0 web interface.
Number of Instances | The current number of ACS instances (primary or secondary) in the ACS database.
Current Number of Managed Devices | The current number of managed devices in the ACS database.
Maximum Number of Managed Devices | The maximum number of devices that your license supports.
• Base License—Supports 500 devices.
• Evaluation License—Supports 50 devices.
• Large Deployment—Supports an unlimited number of managed devices.
Use this link to obtain a valid License File | Directs you to Cisco.com to purchase a valid license file from a Cisco representative.
License Location
License File |
• Click Browse to browse to the location of the purchased license file you wish to install.
• Click Submit to download the license file.
Step 4
Click Browse to browse to the location of the license file.
Step 5
Click Submit to download the license file.
The Feature Options page appears with the additional license.
Related Topics
• Licensing Overview
• Types of Licenses
• Installing a License File
• Viewing the Base License
• Deleting Deployment License Files
Deleting Deployment License Files
Note
Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.
To delete deployment license files:
Step 1
Select System Administration > Configuration > Licensing > Feature Options.
The Feature Options page appears with a description of the ACS deployment configuration and a list of the available deployment licenses and their configurations. See Add-on Licenses in Types of Licenses for a list of deployment licenses. See Table 16-28 for field descriptions.
Step 2
Select the radio button next to the deployment you wish to delete.
Step 3
Click Delete to delete the license file.
Related Topics
• Licensing Overview
• Types of Licenses
• Installing a License File
• Viewing the Base License
• Adding Deployment License Files