Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
Working with Logging and Reports

Table of Contents

Working with Logging and Reports
Logging Formats
Special Logging Attributes
Update Packets In Accounting Logs
About Cisco Secure ACS Logs and Reports
Working with CSV Logs
Working with ODBC Logs
Remote Logging
Service Logs

Working with Logging and Reports


Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) produces a wide variety of logs and provides a way to view most of these logs in the Cisco Secure ACS HTML interface as HTML reports. This chapter contains the following topics about logging:

  • Logging Formats
  • Special Logging Attributes
  • Update Packets In Accounting Logs
  • About Cisco Secure ACS Logs and Reports
  • Working with CSV Logs
  • Working with ODBC Logs
  • Remote Logging
  • Service Logs

Logging Formats

Cisco Secure ACS logs a variety of user and system activities. Depending on the log, and how you have configured Cisco Secure ACS, logs can be recorded in one of two formats:

  • Comma-separated value (CSV) files—The CSV format records data in columns separated by commas. This format is easily imported into a variety of third-party applications, such as Microsoft Excel or Microsoft Access. After data from a CSV file is imported into such applications, you can prepare charts or perform queries, such as determining how many hours a user was logged in to the network during a given period. For information about how to use a CSV file in a third-party application such as Microsoft Excel, please see the documentation supplied by the third-party vendor. You can access the CSV files either on the Cisco Secure ACS server hard drive or by downloading the CSV file from the HTML interface. For more information about downloading the CSV file from the HTML interface, see the "Viewing a CSV Report" section.
  • ODBC-compliant database tables—ODBC logging enables you to configure Cisco Secure ACS to log directly in an ODBC-compliant relational database, where it is stored in tables, one table per log. After the data is exported to the relational database, you can use the data however you need. For more information about querying the data in your relational database, refer to the documentation supplied by the relational database vendor.

For information about the formats available for a specific log, see the "About Cisco Secure ACS Logs and Reports" section.

Special Logging Attributes

Among the many attributes that Cisco Secure ACS can record in its CSV or ODBC logs, a few are of special importance. The following list explains the special logging attributes provided by Cisco Secure ACS.

  • User-defined attributes—These logging attributes appear in the Attributes list for any log configuration page. Cisco Secure ACS lists them using their default names: Real Name, Description, User Field 3, User Field 4, and User Field 5. If you change the name of a user-defined attribute, the default name still appears in the Attributes list rather than the new name.

The content of these attributes is determined by the values entered in the corresponding fields in the user account. For more information about user-defined attributes, see the "User Data Configuration Options" section.

  • ExtDB Info—If the user is authenticated with an external user database, this attribute contains a value returned by the database. In the case of a Windows NT/2000 user database, this attribute contains the name of the domain that authenticated the user.

For more information about configuring the content of CSV logs, see the "Configuring a CSV Log" section. For more information about configuring the content of an ODBC log, see the "Configuring an ODBC Log" section.

  • Access Device—The name of the AAA client sending the logging data to Cisco Secure ACS.
  • Network Device Group—The network device group to which the access device (AAA client) belongs.
  • Filter Information—The result of network access restrictions (NARs) applied to the user, if any. The message in this field indicates whether all applicable NARs permitted the user access, all applicable NARs denied the user access, or more specific information about which NAR denied the user access. If no NARs apply to the user, this logging attribute notes that no NARs were applied.

The Filter Information attribute is available for Passed Authentication and Failed Attempts logs.

  • Device Command Set—The name of the device command set, if any, that was used to satisfy a command authorization request.

The Device Command Set attribute is available for Passed Authentication and Failed Attempts logs.

Update Packets In Accounting Logs

Whenever you configure Cisco Secure ACS to record accounting data for user sessions, Cisco Secure ACS records start and stop packets. If you want, you can configure Cisco Secure ACS to record update packets, too. In addition to providing interim accounting information during a user session, update packets drive password expiry messages via CiscoSecure Authentication Agent. In this use, the update packets are referred to as watchdog packets.


Note   To record update packets in Cisco Secure ACS accounting logs, you must configure your AAA clients to send the update packets. For more information about configuring your AAA client to send update packets, refer to the documentation for your AAA clients.

  • Logging Update Packets Locally—To log update packets on the local Cisco Secure ACS server, enable the Log Update/Watchdog Packets from this Access Server option for each AAA client in Network Configuration.

For more information on setting this option for a AAA client, see the "Adding and Configuring a AAA Client" section.

  • Logging Update Packets Remotely—To log update packets on a remote logging server, enable the Log Update/Watchdog Packets from this remote AAA Server option for the remote server's AAA Server table entry on the local Cisco Secure ACS server.

For more information on setting this option for a AAA server, see the "Adding and Configuring a AAA Server" section.

About Cisco Secure ACS Logs and Reports

The logs that Cisco Secure ACS provides can be divided into four groups:

  • Accounting logs
  • Dynamic Cisco Secure ACS administration reports
  • Cisco Secure ACS system logs
  • Service logs

This section contains information about the first three groups. For information about service logs, see the "Service Logs" section.

Accounting Logs

Accounting logs contain information about the use of remote access services by users. By default, these logs are available in CSV format. With the exception of the Passed Authentications log, you can also configure Cisco Secure ACS to export the data for these logs to an ODBC-compliant relational database that you configure to store the log data.

The accounting logs include:

  • TACACS+ Accounting Log
  • TACACS+ Administration Log
  • RADIUS Accounting Log
  • VoIP Accounting Log
  • Failed Attempts Log
  • Passed Authentications Log

TACACS+ Accounting Log

The TACACS+ Accounting log contains the following information:

  • User sessions stop and start times
  • AAA client messages with username
  • Caller line identification information
  • Session duration

Topics regarding this log include the following:

  • Enabling a TACACS+ Accounting Log—You can enable the TACACS+ Accounting log in either CSV or ODBC format.
  • Viewing a TACACS+ Accounting Report—For instructions on viewing the TACACS+ Accounting report in the HTML interface, see the "Viewing a CSV Report" section.
  • Configuring a TACACS+ Accounting Log—The steps for configuring a TACACS+ Accounting log vary depending upon which format you want to use. For more information about log formats, see the "Logging Formats" section.
    • CSV—The default location for CSV TACACS+ Accounting files is Program Files\CiscoSecure ACS vx.x\Logs\TACACS+Accounting.

For instructions on configuring the CSV TACACS+ Accounting log, see the "Configuring a CSV Log" section.

TACACS+ Administration Log

The TACACS+ Administration log lists configuration commands entered on a AAA client using TACACS+ (Cisco IOS). Particularly if you use Cisco Secure ACS to perform command authorization, we recommend that you use this log.


Note   To use the TACACS+ Administration log, your TACACS+ AAA clients must be configured to perform command accounting with Cisco Secure ACS.

Topics regarding this log include the following:

  • Enabling a TACACS+ Administration Log—You can enable the TACACS+ Administration log in either CSV or ODBC format.
  • Viewing a TACACS+ Administration Report—For instructions on viewing the TACACS+ Administration report in the HTML interface, see the "Viewing a CSV Report" section.
  • Configuring a TACACS+ Administration Log—The steps for configuring a TACACS+ Administration log vary depending upon which format you want to use. For more information about log formats, see the "Logging Formats" section.
    • CSV—The default location for CSV TACACS+ Administration files is Program Files\CiscoSecure ACS vx.x\Logs\TACACS+Administration.

For instructions on configuring the CSV TACACS+ Administration log, see the "Configuring a CSV Log" section.

RADIUS Accounting Log

The RADIUS Accounting log contains the following information:

  • User sessions stop and start times
  • AAA client messages with username
  • Caller line identification information
  • Session duration

You can configure Cisco Secure ACS to include accounting for Voice over IP (VoIP) in the RADIUS Accounting log, in a separate VoIP accounting log, or in both places.

Topics regarding this log include the following:

  • Enabling a RADIUS Accounting Log—You can enable the RADIUS Accounting log in either CSV or ODBC format.
  • Viewing a RADIUS Accounting Report—For instructions on viewing the RADIUS Accounting report in the HTML interface, see the "Viewing a CSV Report" section.
  • Configuring a RADIUS Accounting Log—The steps for configuring a RADIUS Accounting log vary depending upon which format you want to use. For more information about log formats, see the "Logging Formats" section.
    • CSV—The default location for CSV RADIUS Accounting files is Program Files\CiscoSecure ACS vx.x\Logs\RADIUSAccounting.

For instructions on configuring the CSV RADIUS Accounting log, see the "Configuring a CSV Log" section.

VoIP Accounting Log

The VoIP Accounting log contains the following information:

  • VoIP session stop and start times
  • AAA client messages with username
  • Caller line identification (CLID) information
  • VoIP session duration

You can configure Cisco Secure ACS to include accounting for VoIP in this separate VoIP accounting log, in the RADIUS Accounting log, or in both places.

Topics regarding this log include the following:

  • Enabling a VoIP Accounting Log—You can enable the VoIP Accounting log in either CSV or ODBC format.
  • Viewing a VoIP Accounting Report—For instructions on viewing the VoIP Accounting report in the HTML interface, see the "Viewing a CSV Report" section.
  • Configuring a VoIP Accounting Log—The steps for configuring a VoIP Accounting log vary depending upon which format you want to use. For more information about log formats, see the "Logging Formats" section.
    • CSV—The default location for CSV VoIP Accounting files is Program Files\CiscoSecure ACS vx.x\Logs\VoIP Accounting.

For instructions on configuring the CSV VoIP Accounting log, see the "Configuring a CSV Log" section.

Failed Attempts Log

The Failed Attempts log lists authentication and authorization failures with an indication of the cause.

Topics regarding this log include the following:

  • Enabling a Failed Attempts Log—You can enable the Failed Attempts log in either CSV or ODBC format.
  • Viewing a Failed Attempts Report—For instructions on viewing the Failed Attempts report in the HTML interface, see the "Viewing a CSV Report" section.
  • Configuring a Failed Attempts Log—The steps for configuring a Failed Attempts log vary depending upon which format you want to use. For more information about log formats, see the "Logging Formats" section.
    • CSV—The default location for CSV Failed Attempts files is Program Files\CiscoSecure ACS vx.x\Logs\Failed Attempts.

For instructions on configuring the CSV Failed Attempts log, see the "Configuring a CSV Log" section.

Passed Authentications Log

The Passed Authentications log lists successful authentication requests. This log is not dependent upon accounting packets from your AAA clients, so it is available even if your AAA clients do not support RADIUS accounting or if you have disabled accounting on your AAA clients.

Topics regarding this log include the following:

  • Enabling a Passed Authentications Log—For instructions on how to enable the Passed Authentications log, see the "Enabling or Disabling a CSV Log" section.
  • Viewing a Passed Authentications Report—For instructions on viewing the Passed Authentications report in the HTML interface, see the "Viewing a CSV Report" section.
  • Configuring a Passed Authentications Log—The Passed Authentications log is available as a CSV file, viewable in the HTML interface.

The default location for Passed Authentications files is Program Files\CiscoSecure ACS vx.x\Logs\Passed Authentications.

For instructions on configuring the CSV Passed Authentications log, see the "Configuring a CSV Log" section.

Dynamic Cisco Secure ACS Administration Reports

These reports show the status of user accounts at the moment they are accessed. They are available only in the Cisco Secure ACS HTML interface.

The Dynamic Cisco Secure ACS Administration reports include:

  • Logged-in Users Report
  • Disabled Accounts Report

Logged-In Users Report

The Logged-in Users report lists all users currently receiving services for a single AAA client or all AAA clients with access to Cisco Secure ACS.


Note   To use the logged-in user list feature, your AAA client must perform authentication and accounting using the same protocol—either TACACS+ or RADIUS.

Topics regarding this report include the following:

  • Enabling a Logged-in Users Report—The Logged-in Users report is always enabled. You cannot disable this report.
  • Viewing a Logged-in Users Report—For instructions on viewing the Logged-in User report in the HTML interface, see the "Viewing the Logged-in Users Report" section.
  • Configuring a Logged-in Users Report—The Logged-in Users report is only available in the HTML interface. There are no configuration options for the Logged-in Users report.
  • Deleting Logged-in Users—For instructions about deleting logged-in users from specific AAA clients or from all AAA clients, see the "Deleting Logged-in Users" section.

Viewing the Logged-in Users Report

To view the Logged-in Users report, follow these steps:


Step 1   In the navigation bar, click Reports and Activity.

Step 2   Click Logged-in Users.

Result: The Select a AAA Client page displays the name of each AAA client, its IP address, and the number of users logged in through the AAA client. At the bottom of the table, the All AAA Clients entry shows the total number of users logged in.


Tip You can sort the table by any column's entries, in either ascending or descending order. Click a column title once to sort the table by that column's entries in ascending order. Click the column a second time to sort the table by that column's entries in descending order.

Step 3   Do one of the following:

a. To see a list of all users logged in, click All AAA Clients.

b. To see a list of users logged in through a particular AAA client, click the name of the AAA client.

Result: Cisco Secure ACS displays a table of users logged in, including the following information:

  • Date and Time
  • User
  • Group
  • Assigned IP
  • Port
  • Source AAA Client

Tip You can sort the table by any column's entries, in either ascending or descending order. Click a column title once to sort the table by that column's entries in ascending order. Click the column a second time to sort the table by that column's entries in descending order.





Deleting Logged-in Users

From a Logged-in Users Report, you can instruct Cisco Secure ACS to delete users logged into a specific AAA client. When a user session terminates without a AAA client sending an accounting stop packet to the Cisco Secure ACS server, the Logged-in Users Report continues to show the user. Deleting logged-in users from a AAA client ends the accounting for those user sessions.


Note   Deleting logged-in users only ends the Cisco Secure ACS accounting record of users logged in to a particular AAA client. It does not terminate active user sessions, nor does it affect user records.

To delete logged-in users, follow these steps:


Step 1   In the navigation bar, click Reports and Activity.

Step 2   Click Logged-in Users.

Result: The Select a AAA Client page displays the name of each AAA client, its IP address, and the number of users logged in through the AAA client. At the bottom of the table, the All AAA Clients entry shows the total number of users logged in.

Step 3   Click the name of the AAA client whose users you want to delete from the Logged-in Users report.

Result: Cisco Secure ACS displays a table of all users logged in through the AAA client. The Purge Logged in Users button appears below the table.

Step 4   Click Purge Logged in Users.

Result: Cisco Secure ACS displays a message, indicating the number of users purged from the report and the IP address of the AAA client.
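Before purging, an administrator usually wants to know which Logged-in Users entries are really stale, that is, sessions with a Start but no Stop packet and no recent update (watchdog) packet. The following script is an added example, not Cisco code or output; it replays a RADIUS Accounting CSV to list such sessions. The column layout, the log lines, the 30-minute watchdog interval and the "now" timestamp are all constructed assumptions.

```python
"""Spot stale entries behind a Cisco Secure ACS Logged-in Users report.

Added example, not Cisco code. ACS adds a user to the Logged-in Users report on
an accounting Start packet and removes the user on the matching Stop; if the
AAA client never sends the Stop, the entry lingers until an administrator
purges it. This replays a RADIUS Accounting CSV and reports sessions with no
Stop whose last Start or Interim-Update (watchdog) packet is older than a
threshold. The column layout and every log line below are constructed sample
data, not an actual ACS export.
"""
import csv
import io
from datetime import datetime

# Constructed sample shaped like a RADIUS Accounting CSV written with the
# default month/day/year Date Format Control. Attribute names follow RFC 2866.
SAMPLE_LOG = """\
Date,Time,User-Name,Group-Name,Acct-Status-Type,Acct-Session-Id,NAS-IP-Address,NAS-Port
10/13/1999,08:00:05,alice,Engineering,Start,0000001A,10.0.0.1,Async1
10/13/1999,08:02:00,dave,Sales,Interim-Update,0000000D,10.0.0.2,Async3
10/13/1999,08:05:02,bob,Engineering,Start,0000001B,10.0.0.1,Async2
10/13/1999,08:30:05,alice,Engineering,Interim-Update,0000001A,10.0.0.1,Async1
10/13/1999,08:35:02,bob,Engineering,Interim-Update,0000001B,10.0.0.1,Async2
10/13/1999,09:00:05,alice,Engineering,Interim-Update,0000001A,10.0.0.1,Async1
10/13/1999,09:05:02,bob,Engineering,Stop,0000001B,10.0.0.1,Async2
10/13/1999,09:10:00,carol,Sales,Start,0000002C,10.0.0.2,Async1
"""
SAMPLE_NOW = datetime(1999, 10, 13, 9, 35, 0)   # constructed "current time"
WATCHDOG_INTERVAL_S = 1800                       # assumed update interval on the AAA clients


def replay_sessions(text):
    """Fold accounting records into per-session state keyed by (NAS IP, session id)."""
    sessions = {}
    for row in csv.DictReader(io.StringIO(text)):
        seen = datetime.strptime(f"{row['Date']} {row['Time']}", "%m/%d/%Y %H:%M:%S")
        key = (row["NAS-IP-Address"], row["Acct-Session-Id"])
        state = sessions.setdefault(key, {
            "user": row["User-Name"], "nas": row["NAS-IP-Address"],
            "port": row["NAS-Port"], "start": None, "last_seen": seen, "stopped": False,
        })
        status = row["Acct-Status-Type"]
        if status == "Start":
            state["start"] = seen
        elif status == "Stop":
            state["stopped"] = True
        # An Interim-Update (watchdog) only proves the session was alive at `seen`.
        # A session whose Start predates this file keeps start=None but is still tracked.
        state["last_seen"] = max(state["last_seen"], seen)
    return sessions


def stale_sessions(text, now=SAMPLE_NOW, max_silence_s=WATCHDOG_INTERVAL_S):
    """Return (user, NAS IP, port, seconds silent) for open sessions that went quiet.

    A session is open when no Stop was logged for it; it is stale when the AAA
    client has sent neither a Start nor a watchdog packet for it within
    max_silence_s. Those are the entries a purge will remove from the report.
    """
    stale = []
    for s in replay_sessions(text).values():
        silent = int((now - s["last_seen"]).total_seconds())
        if not s["stopped"] and silent > max_silence_s:
            stale.append((s["user"], s["nas"], s["port"], silent))
    return sorted(stale)


if __name__ == "__main__":
    for user, nas, port, silent in stale_sessions(SAMPLE_LOG):
        print(f"{user:8} {nas:12} {port:8} silent for {silent // 60} min")
```

Sessions like dave's, which appear only as updates because their Start landed in an earlier CSV file, are still tracked, so rotating the log does not hide them.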





Disabled Accounts Report

The Disabled Accounts report lists all user accounts that are currently disabled and the reason they were disabled.

Topics regarding this report include the following:

  • Enabling a Disabled Accounts Report—The Disabled Accounts report is always enabled. You cannot disable this report.
  • Viewing a Disabled Accounts Report—For instructions on viewing the Disabled Accounts report in the HTML interface, see the "Viewing the Disabled Accounts Report" section.
  • Configuring a Disabled Accounts Report—The Disabled Accounts report is only available in the HTML interface. There are no configuration options for the Disabled Accounts report.

Viewing the Disabled Accounts Report

To view the Disabled Accounts report, follow these steps:


Step 1   In the navigation bar, click Reports and Activity.

Step 2   Click Disabled Accounts.

Result: The Select a user account to edit page displays disabled user accounts, the account status, and the group to which the user account is assigned.

Step 3   To edit a user account listed, in the User column, click the username.

Result: Cisco Secure ACS opens the user account for editing.

For more information about editing a user account, see the "Basic User Setup Options" section.





Cisco Secure ACS System Logs

The system logs are logs about the Cisco Secure ACS system and therefore record system-related events. These logs are primarily useful for troubleshooting or audits. They are only available in CSV format. The system logs include the following:

  • ACS Backup and Restore Log
  • RDBMS Synchronization Log
  • Database Replication Log
  • Administration Audit Log
  • ACS Service Monitoring Log

ACS Backup and Restore Log

The ACS Backup and Restore log lists Cisco Secure ACS backup and restore activity.

Topics regarding this log include the following:

  • Enabling the ACS Backup and Restore Log—The ACS Backup and Restore log is always enabled. You cannot disable this log.
  • Viewing an ACS Backup and Restore Report—For instructions on viewing the ACS Backup and Restore report in the HTML interface, see the "Viewing a CSV Report" section.
  • Configuring the ACS Backup and Restore Log—The ACS Backup and Restore log is available as a CSV file, viewable in the HTML interface. There are no configuration options for the ACS Backup and Restore log.

The default location for ACS Backup and Restore files is Program Files\CiscoSecure ACS vx.x\Logs\Backup and Restore.

RDBMS Synchronization Log

The RDBMS Synchronization log lists RDBMS Synchronization activity.

Topics regarding this log include the following:

  • Enabling the RDBMS Synchronization Log—The RDBMS Synchronization log is always enabled. You cannot disable this log.
  • Viewing an RDBMS Synchronization Report—For instructions on viewing the RDBMS Synchronization report in the HTML interface, see the "Viewing a CSV Report" section.
  • Configuring the RDBMS Synchronization Log—The RDBMS Synchronization log is available as a CSV file, viewable in the HTML interface. There are no configuration options for the RDBMS Synchronization log.

The default location for RDBMS Synchronization files is Program Files\CiscoSecure ACS vx.x\Logs\DbSync.

Database Replication Log

The Database Replication log lists database replication activity.

Topics regarding this log include the following:

  • Enabling the Database Replication Log—The Database Replication log is always enabled. You cannot disable this log.
  • Viewing a Database Replication Report—For instructions on viewing the Database Replication report in the HTML interface, see the "Viewing a CSV Report" section.
  • Configuring the Database Replication Log—The Database Replication log is available as a CSV file, viewable in the HTML interface. There are no configuration options for the Database Replication log.

The default location for Database Replication files is Program Files\CiscoSecure ACS vx.x\Logs\DBReplicate.

Administration Audit Log

The Administration Audit log lists actions taken by each system administrator, such as adding users, editing groups, configuring a AAA client, or viewing reports.

Topics regarding this log include the following:

  • Enabling the Administration Audit Log—The Administration Audit log is always enabled. You cannot disable this log.
  • Viewing an Administration Audit Report—For instructions on viewing the Administration Audit report in the HTML interface, see the "Viewing a CSV Report" section.
  • Configuring the Administration Audit Log—The Administration Audit log is available as a CSV file, viewable in the HTML interface.

The default location for Administration Audit files is Program Files\CiscoSecure ACS vx.x\Logs\AdminAudit.

For instructions on configuring the Administration Audit log, see the "Configuring the Administration Audit Log" section.

Configuring the Administration Audit Log

To configure the Administrative Audit log, follow these steps:


Step 1   In the navigation bar, click Administration Control.

Step 2   Click Audit Policy.

Result: The Audit Policy Setup page appears.

Step 3   To generate a new Administrative Audit CSV file at a regular interval, select one of the following options:

  • Every day—Cisco Secure ACS generates a new Administrative Audit CSV file at the start of each day.
  • Every week—Cisco Secure ACS generates a new Administrative Audit CSV file at the start of each week.
  • Every month—Cisco Secure ACS generates a new Administrative Audit CSV file at the start of each month.

Step 4   To generate a new Administrative Audit CSV file when the current file reaches a specific size, select the When size is greater than x KB option and type the file size threshold in kilobytes in the x box.

Step 5   To manage which Administrative Audit CSV files Cisco Secure ACS keeps, follow these steps:

a. Select the Manage Directory check box.

b. To limit the number of Administrative Audit CSV files Cisco Secure ACS retains, select the Keep only the last x files option and type the number of files you want Cisco Secure ACS to retain in the x box.

c. To limit how old Administrative Audit CSV files retained by Cisco Secure ACS can be, select the Delete files older than x days option and type the number of days for which Cisco Secure ACS should retain a Administrative Audit CSV file before deleting it.

Step 6   Click Submit.

Result: Cisco Secure ACS saves and implements the Administrative Audit log settings you specified.





ACS Service Monitoring Log

The ACS Service Monitoring log lists when ACS services start and stop.

Topics regarding this log include the following:

  • Enabling the ACS Service Monitoring Log—The ACS Service Monitoring log is always enabled. You cannot disable this log.
  • Viewing an ACS Service Monitoring Report—For instructions on viewing the ACS Service Monitoring report in the HTML interface, see the "Viewing a CSV Report" section.
  • Configuring the ACS Service Monitoring Log—For information about configuring the ACS Service Monitoring log, see the "Cisco Secure ACS Active Service Management" section.

The default location for ACS Service Monitoring files is Program Files\CiscoSecure ACS vx.x\Logs\ServiceMonitoring.

Working with CSV Logs

This section contains the following topics:

  • CSV Log File Names
  • Enabling or Disabling a CSV Log
  • Viewing a CSV Report
  • Configuring a CSV Log

CSV Log File Names

When you access a report in Reports and Activity, Cisco Secure ACS lists the CSV files in chronological order, with the current CSV file at the top of the list. The current file is named log.csv, where log is the name of the log.

Older files are named in the following format:

logyyyy-mm-dd.csv

where

log is the name of the log.

yyyy is the year the CSV file was started.

mm is the month the CSV file was started, in numeric characters.

dd is the day of the month on which the CSV file was started.

For example, a Database Replication log file that was generated on October 13, 1999, would be named Database Replication 1999-10-13.csv.

If you have selected the day-month-year format under Interface Configuration: Date Format Control, this log file would be named Database Replication 1999-13-10.csv.

Enabling or Disabling a CSV Log

This procedure describes how to enable or disable a CSV log. For instructions about configuring the content of a CSV log, see the "Configuring a CSV Log" section.

The logs to which this procedure applies are:

  • TACACS+ Accounting Log
  • TACACS+ Administration Log
  • RADIUS Accounting Log
  • VoIP Accounting Log
  • Failed Attempts Log
  • Passed Authentications log

To enable or disable a CSV log, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click Logging.

Step 3   Click the name of the CSV log you want to enable.

Result: The CSV log Comma-Separated Values File Configuration page appears, where log is the name of the CSV log you selected.

Step 4   To enable the log, under Enable Logging, select the Log to CSV log report check box, where log is the name of the CSV log you selected in Step 3.

Step 5   To disable the log, under Enable Logging, clear the Log to CSV log report check box, where log is the name of the CSV log you selected in Step 3.

Step 6   Click Submit.

Result: If you enabled the log, Cisco Secure ACS begins logging information for the log selected. If you disabled the log, Cisco Secure ACS stops logging information for the log selected.





Viewing a CSV Report

The reports to which this procedure applies are:

  • TACACS+ Accounting
  • TACACS+ Administration
  • RADIUS Accounting
  • VoIP Accounting
  • Failed Attempts
  • Passed Authentications
  • ACS Backup and Restore
  • RDBMS Synchronization
  • Database Replication
  • Administration Audit
  • ACS Service Monitoring

When you select Logged-in Users or Disabled Accounts, a list of logged-in users or disabled accounts appears in the display area, which is the frame on the right side of the web browser. For all other types of reports, a list of applicable reports appears. Files are listed in chronological order, with the most recent file at the top of the list. The reports are named and listed by the date on which they were created; for example, 1999-10-05.csv was created on October 5, 1999.


Note   If you select Day/Month/Year format, a file created on 5 October 1999 is named 1999-05-10. For instructions, see the "Date Format Control" section.

Files in CSV format can be imported into spreadsheets using most popular spreadsheet application software. Refer to your spreadsheet software manufacturer's documentation for instructions.

You can download the CSV file for any CSV report you view in Cisco Secure ACS. The procedure below includes steps for doing so.

To view a CSV report, follow these steps:


Step 1   In the navigation bar, click Reports and Activity.

Step 2   Click the name of the CSV report you want to view.

Result: On the right side of the browser, Cisco Secure ACS lists the current CSV report file name and the file names of any old CSV report files.


Tip You can configure how Cisco Secure ACS handles old CSV report files. For more information, see the "Configuring a CSV Log" section.

Step 3   Click the CSV report file name whose contents you want to view.

Result: If the CSV report file contains information, the information appears in the display area.


Tip You can sort the table by any column's entries, in either ascending or descending order. Click a column title once to sort the table by that column's entries in ascending order. Click the column a second time to sort the table by that column's entries in descending order.


Tip To check for newer information in the current CSV report, click Refresh.

Step 4   If you want to download the CSV log file for the report you are viewing, follow these steps:

a. Click Download.

Result: Your browser displays a dialog box for accepting and saving the CSV file.

b. Choose a location to save the CSV file and save the file.





Configuring a CSV Log

This procedure describes how to configure the content of a CSV log. For instructions about enabling or disabling a CSV log, see the "Enabling or Disabling a CSV Log" section.

The logs to which this procedure applies are:

  • TACACS+ Accounting
  • TACACS+ Administration
  • RADIUS Accounting
  • VoIP Accounting
  • Failed Attempts
  • Passed Authentications

Note   The ACS Backup and Restore, RDBMS Synchronization, and Database Replication CSV logs cannot be configured.

You can configure several aspects of a CSV log:

  • Log content—You can select which data attributes are included in the log.
  • Log generation frequency—You can determine whether a new log is started after a specific length of time or when the current CSV file reaches a particular size.
  • CSV file location—You can specify where on the local hard drive Cisco Secure ACS writes the CSV file.
  • CSV file retention—You can limit how many old CSV files Cisco Secure ACS retains, or how old a CSV file can be before Cisco Secure ACS deletes it.

To configure a CSV log, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click Logging.

Step 3   Click the name of the CSV log you want to configure.

Result: The CSV log Comma-Separated Values File Configuration page appears, where log is the name of the CSV log you selected.

The Select Columns To Log table contains two lists, Attributes and Logged Attributes. The attributes in the Logged Attributes list appear on the log selected.

Step 4   To add an attribute to the log, select the attribute in the Attributes list, and then click —> (right arrow button).

Result: The attribute moves to the Logged Attributes list.


Tip Use the vertical scroll bar to find attributes not visible in the list box.

Step 5   To remove an attribute from the log, select the attribute in the Logged Attributes list, then click <— (left arrow button).

Result: The attribute moves to the Attributes list.


Tip Use the vertical scroll bar to find attributes not visible in the list.

Step 6   To set the attributes in the Logged Attributes list back to the default selections, at the bottom of the browser window, click Reset Columns.

Step 7   To generate a new CSV file at a regular interval, select one of the following options:

  • Every day—Cisco Secure ACS generates a new CSV file at the start of each day.
  • Every week—Cisco Secure ACS generates a new CSV file at the start of each week.
  • Every month—Cisco Secure ACS generates a new CSV file at the start of each month.

Step 8   To generate a new CSV file when the current file reaches a specific size, select the When size is greater than x KB option and type the file size threshold, in kilobytes, in the x box.

Step 9   To manage which CSV files Cisco Secure ACS keeps, follow these steps:

a. Select the Manage Directory check box.

b. To limit the number of CSV files Cisco Secure ACS retains, select the Keep only the last x files option and type the number of files you want Cisco Secure ACS to retain in the x box.

c. To limit how old CSV files retained by Cisco Secure ACS can be, select the Delete files older than x days option and type the number of days for which Cisco Secure ACS should retain a CSV file before deleting it.

Step 10   Click Submit.

Result: Cisco Secure ACS implements the CSV log configuration that you specified.





Working with ODBC Logs

This section contains procedures for the following topics:

  • Preparing to Use ODBC Logging
  • Configuring a System Data Source Name for ODBC Logging
  • Configuring an ODBC Log

Preparing to Use ODBC Logging

If you plan to use ODBC logging, there are several steps you must complete before you configure an ODBC log.

To prepare to use ODBC logging, follow these steps:


Step 1   Set up the relational database to which you want to export logging data. For more information, refer to your relational database documentation.

Step 2   Set up a system data source name (DSN) on the Cisco Secure ACS server. For instructions, see the "Configuring a System Data Source Name for ODBC Logging" section.

Step 3   Enable ODBC logging in the Cisco Secure ACS HTML interface:

a. In the navigation bar, click Interface Configuration.

b. Click Advanced Options.

c. Select the ODBC Logging check box.

d. Click Submit.

Result: Cisco Secure ACS enables the ODBC logging feature. On the Logging page, in the System Configuration section, Cisco Secure ACS displays links for configuring ODBC logs.

Result: You can now configure individual ODBC logs. For instructions, see the "Configuring an ODBC Log" section.





Configuring a System Data Source Name for ODBC Logging

On the Cisco Secure ACS server, you must create a system DSN for Cisco Secure ACS to communicate with the relational database that is to store your logging data.

To create a system DSN for use with ODBC logging, follow these steps:


Step 1   In Windows Control Panel, double-click ODBC Data Sources.

Step 2   In the ODBC Data Source Administrator page, click the System DSN tab.

Step 3   Click Add.

Step 4   Select the driver you need to use with your new DSN, and then click Finish.

Result: A dialog box displays fields requiring information specific to the ODBC driver you selected.

Step 5   Type a descriptive name for the DSN in the Data Source Name box.

Step 6   Complete the other fields required by the ODBC driver you selected. These fields may include information such as the IP address of the server on which the ODBC-compliant relational database runs.

Step 7   Click OK.

Step 8   Close the ODBC window and Windows Control Panel.

Result: The System DSN to be used by Cisco Secure ACS for communication with the relational database is created on your Cisco Secure ACS server. The name you assigned to the DSN appears in the Data Source list on each ODBC log configuration page.





Configuring an ODBC Log

The logs to which this procedure applies are:

  • TACACS+ Accounting
  • TACACS+ Administration
  • RADIUS Accounting
  • VoIP Accounting
  • Failed Attempts

Note   Before you can configure an ODBC log, you must prepare for ODBC logging. For more information, see the "Preparing to Use ODBC Logging" section.

To configure an ODBC log, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click Logging.

Step 3   Click the name of the ODBC log you want to enable.

Result: The ODBC log Configuration page appears, where log is the name of the ODBC log you selected.

The Select Columns To Log table contains two lists: Attributes and Logged Attributes. When you first access the ODBC configuration page for a log, the Logged Attributes list contains the default set of attributes. Cisco Secure ACS includes in the log only those attributes that are in the Logged Attributes list.

Step 4   Specify the attributes that you want Cisco Secure ACS to send to the relational database:

a. To add an attribute to the log, select the attribute in the Attributes list, and then click —> (right arrow button).

Result: The attribute moves to the Logged Attributes list.


Tip Use the vertical scroll bar to find attributes not visible in the list box.

b. To remove an attribute from the log, select the attribute in the Logged Attributes list, and then click <— (left arrow button).

Result: The attribute moves to the Attributes list.


Tip Use the vertical scroll bar to find attributes not visible in the list box.

c. To set the attributes in the Logged Attributes list back to the default selections, click Reset Columns.

Step 5   In the ODBC Connection Settings table, follow these steps:

a. From the Data Source list, select the system DSN you created to allow Cisco Secure ACS to send ODBC logging data to your relational database.

b. In the Username box, type the username of a user account in your relational database.


Note    The user must have sufficient privileges in the relational database to write the ODBC logging data to the appropriate table.

c. In the Password box, type the password for the relational database user account you specified in step b.

d. In the Table Name box, type the name of the table to which you want ODBC logging data appended.

Step 6   Click Submit.

Result: Cisco Secure ACS saves the log configuration.

Step 7   Click the name of the ODBC log you are configuring.

Result: Cisco Secure ACS displays the ODBC log configuration page again.

Step 8   Click Show Create Table.

Result: The right side of the browser displays an SQL create table statement for Microsoft SQL Server. The table name is the name specified in the Table Name box. The column names are the attributes specified in the Logged Attributes list.


Note   The generated SQL is valid for Microsoft SQL Server only. If you are using another relational database, refer to your relational database documentation for information about writing a command to create a table.

Step 9   Using the information provided in the generated SQL, create a table in your relational database for this ODBC log.


Note    In order for ODBC logging to work, the table name and the column names must match exactly the names in the generated SQL.

Step 10   Continuing in Cisco Secure ACS, access the configuration page for the ODBC log you are configuring:

a. In the navigation bar, click System Configuration.

b. Click Logging.

c. Click the name of the ODBC log you are configuring.

Result: The ODBC log Configuration page appears, where log is the name of the ODBC log you selected.

Step 11   Select the Log to ODBC log report check box, where log is the name of the ODBC log you selected.

Step 12   Click Submit.

Result: Cisco Secure ACS begins sending logging data to the relational database table specified, using the system DSN you configured.





Remote Logging

This section discusses remote logging capabilities of Cisco Secure ACS. It contains the following topics:

  • About Remote Logging
  • Remote Logging Options
  • Configuring a Central Logging Server
  • Enabling and Configuring Remote Logging
  • Disabling Remote Logging

About Remote Logging

The Remote Logging feature enables you to centralize accounting logs generated by multiple Cisco Secure ACS servers. You can configure each Cisco Secure ACS to point to a single Cisco Secure ACS that is to be used as the logging server. The logging Cisco Secure ACS server can still perform its AAA duties, but it also is the repository for accounting logs it receives. For more information about Cisco Secure ACS accounting logs, see the "Accounting Logs" section.

The Remote Logging feature sends accounting data received from AAA clients by the local Cisco Secure ACS server directly to the CSLOG service on the remote logging server, where the accounting data is written to the logs. The logging server generates the accounting logs in the formats it is configured to use—CSV and ODBC—regardless of the local logging configuration on the servers sending the data to the logging server.


Note   The Remote Logging feature does not affect the forwarding of accounting data for proxied authentication requests. Cisco Secure ACS applies Remote Logging settings to accounting data for sessions authenticated by proxy only when that accounting data is logged locally. For more information about proxied authentication requests and accounting data for sessions authenticated by proxy, see the "Proxy Distribution Table Configuration" section.

Remote Logging Options

Cisco Secure ACS provides the remote logging options listed below. These options appear on the Remote Logging page, available from the Logging page in the System Configuration section.

  • Do not Log Remotely—Cisco Secure ACS writes accounting data of locally authenticated sessions only to the local logs that are enabled.
  • Log To All Selected Hosts—Cisco Secure ACS sends accounting data for locally authenticated sessions to all the AAA servers in the Log To list.
  • Log to Subsequent Selected Hosts on Failure—Cisco Secure ACS sends accounting data for locally authenticated sessions to the first Cisco Secure ACS server in the Log To list that is operational. This behavior enables you to configure one or more backup central logging servers so that no accounting data is lost if the first central logging server fails or is otherwise unavailable to the local Cisco Secure ACS server.
  • Log Servers—This list represents the AAA servers configured in the AAA Servers table in Network Configuration to which the Cisco Secure ACS server does not send accounting data for locally authenticated sessions.
  • Log To—This list represents the AAA servers configured in the AAA Servers table in Network Configuration to which the Cisco Secure ACS server does send accounting data for locally authenticated sessions.

Configuring a Central Logging Server

A central logging server is a Cisco Secure ACS server that is to receive accounting data from Cisco Secure ACS servers configured to do remote logging. Configuring a central logging server consists entirely of making sure that all Cisco Secure ACS servers that are to send their accounting data are defined in the central logging server's AAA Servers table.

For each Cisco Secure ACS server whose watchdog and update packets the central logging server is to log, be sure that the Log Update/Watchdog Packets from this remote AAA Server check box is selected in that server's entry in the central logging server's AAA Servers table.

For more information about the AAA Servers table, see the "AAA Server Configuration" section.

Enabling and Configuring Remote Logging


Note   Before configuring the Remote Logging feature on a Cisco Secure ACS server, make sure that you have configured your central logging server. For more information, see the "Configuring a Central Logging Server" section.

To enable and configure remote logging, follow these steps:


Step 1   To enable the Remote Logging feature in the HTML interface, follow these steps:

a. Click Interface Configuration.

b. Click Advanced Options.

c. Select the Remote Logging check box.

d. Click Submit.

Result: Cisco Secure ACS displays the Remote Logging link on the Logging page in the System Configuration section.

Step 2   Click System Configuration.

Step 3   Click Logging.

Step 4   Click Remote Logging.

Step 5   Select the applicable remote logging option:

a. To disable remote logging, select the Do not Log Remotely option.

b. To send this Cisco Secure ACS server's accounting information to more than one Cisco Secure ACS server, select the Log to All Selected Hosts option.

c. To send this Cisco Secure ACS server's accounting information to a single Cisco Secure ACS server, select the Log to Subsequent Selected Hosts on Failure option.


Note    Use the Log to Subsequent Selected Hosts on Failure option when you want to configure Cisco Secure ACS to send accounting data to a second remote Cisco Secure ACS server if the first server fails.

Step 6   For each remote Cisco Secure ACS server you want to have in the Log To list, follow these steps:

a. In the Log Servers list, select the name of a Cisco Secure ACS server to which you want to send accounting data for locally authenticated sessions.


Note    The Cisco Secure ACS servers available in the Log Servers list are determined by the AAA Servers table in Network Configuration. For more information about the AAA Servers table, see the "AAA Server Configuration" section.

b. Click —> (right arrow button) to move the selected Cisco Secure ACS server to the Log To list.

Step 7   To assign an order to the servers in the Log To list, click Up and Down to move selected Cisco Secure ACS servers until you have created the order you need.


Note    If the Log to Subsequent Selected Hosts on Failure option is selected, Cisco Secure ACS logs to the first accessible Cisco Secure ACS server in the Log To list.

Step 8   Click Submit.

Result: Cisco Secure ACS saves and implements the remote logging configuration you specified.





Disabling Remote Logging

You can prevent a Cisco Secure ACS server from sending its accounting information to a central logging Cisco Secure ACS server by disabling the Remote Logging feature.

To disable remote logging, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click Logging.

Step 3   Click Remote Logging.

Step 4   Select the Do not Log Remotely option.

Step 5   Click Submit.

Result: This Cisco Secure ACS server no longer sends its accounting information for locally authenticated sessions to remote logging servers.





Service Logs

The service logs may be considered diagnostic logs and are used for troubleshooting or debugging purposes only. These logs are not intended for general use by Cisco Secure ACS administrators; instead, they are mainly sources of information for Cisco support personnel. Service logs contain a record of all Cisco Secure ACS service actions and activities. Cisco Secure ACS generates these logs whenever you log in to Windows NT/2000 and the services are started, whether or not the administrative interface is started, and whether or not you are using the service. For example, RADIUS service logs are created even if you are not using the RADIUS protocol in your network.

For more information about Cisco Secure ACS services, see "Cisco Secure ACS Internal Architecture."

Services Logged

Cisco Secure ACS generates logs for the following services:

  • CSAdmin
  • CSAuth
  • CSDBSync
  • CSLog
  • CSMon
  • CSRadius
  • CSTacacs

These files are located in the \Logs subdirectory of the applicable service's directory. For example, the following is the default directory for the CiscoSecure authentication service:

c:\Program Files\CiscoSecure ACS v2.6\CSAuth\Logs

The most recent debug log is named as follows:

SERVICE.log

where SERVICE is the name of the applicable service.

Older debug logs are named with the year, month, and date they were created. For example, a file created on July 13, 1999, would be named as follows:

SERVICE 1999-07-13.log

where SERVICE is the name of the applicable service.

If you selected the Day/Month/Year format, the file would be named as follows:

SERVICE 13-07-1999.log

Configuring Service Logs

You can configure how Cisco Secure ACS generates and manages the service log file. The options for configuring the service log file are listed below.

  • Level of detail—You can set the service log file to contain one of three levels of detail:
    • None—No log file is generated.
    • Low—Only start and stop actions are logged.
    • Full—All service actions are logged.
  • Generate new file—You can control how often a new service log file is created:
    • Every Day—Cisco Secure ACS generates a new log file at 12:01 A.M. local time every day.
    • Every Week—Cisco Secure ACS generates a new log file at 12:01 A.M. local time every Sunday.
    • Every Month—Cisco Secure ACS generates a new log file at 12:01 A.M. on the first day of every month.
    • When Size is Greater than x KB—Cisco Secure ACS generates a new log file after the current service log file reaches the size specified, in kilobytes, by x.
  • Manage Directory—You can control how long service log files are kept:
    • Keep only the last x files—Cisco Secure ACS retains, at most, the number of files specified by x.
    • Delete files older than x days—Cisco Secure ACS retains only those service logs that are not older than the number of days specified by x.
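The following Python script is an added example, not part of the Cisco guide or the Cisco Secure ACS product. It parses the service log file names described under "Services Logged" (SERVICE.log, SERVICE YYYY-MM-DD.log, and the Day/Month/Year form SERVICE DD-MM-YYYY.log) and applies the two Manage Directory rules to a directory listing, so an administrator can check what a given retention setting would discard before committing to it; the same two rules govern CSV logs in Step 9 of the CSV procedure. The directory listing is constructed sample data, and the script assumes that "Keep only the last x files" counts rotated files only, not the current SERVICE.log.

```python
import re
from datetime import date, timedelta

# File name patterns from the guide. The current file is "SERVICE.log";
# rotated files carry their creation date, either "SERVICE 1999-07-13.log"
# (default) or "SERVICE 13-07-1999.log" (Day/Month/Year format). A directory
# may hold both forms if the date format setting was changed at some point.
CURRENT_RE = re.compile(r"^(?P<svc>[A-Za-z]+)\.log$")
YMD_RE = re.compile(r"^(?P<svc>[A-Za-z]+) (?P<y>\d{4})-(?P<m>\d{2})-(?P<d>\d{2})\.log$")
DMY_RE = re.compile(r"^(?P<svc>[A-Za-z]+) (?P<d>\d{2})-(?P<m>\d{2})-(?P<y>\d{4})\.log$")


def parse_service_log(name):
    """Return (service, created_date) for a rotated log, (service, None) for
    the current log, or None if the name is not an ACS service log at all."""
    m = CURRENT_RE.match(name)
    if m:
        return m["svc"], None
    for rx in (YMD_RE, DMY_RE):
        m = rx.match(name)
        if m:
            return m["svc"], date(int(m["y"]), int(m["m"]), int(m["d"]))
    return None


def files_to_delete(names, today, keep_last=None, max_age_days=None):
    """Apply the Manage Directory rules to a directory listing and return the
    rotated files they would delete, sorted by name.
    keep_last    -> "Keep only the last x files" (assumed: rotated files only)
    max_age_days -> "Delete files older than x days"
    The current SERVICE.log and unrelated files are never candidates."""
    rotated = []
    for n in names:
        parsed = parse_service_log(n)
        if parsed and parsed[1] is not None:
            rotated.append((parsed[1], n))
    rotated.sort()  # oldest first
    doomed = set()
    if max_age_days is not None:
        doomed.update(n for d, n in rotated if (today - d).days > max_age_days)
    if keep_last is not None and len(rotated) > keep_last:
        doomed.update(n for _, n in rotated[: len(rotated) - keep_last])
    return sorted(doomed)


# Constructed sample listing of a CSAuth\Logs directory (not real data).
SAMPLE_LISTING = [
    "CSAuth.log",
    "CSAuth 1999-07-13.log",
    "CSAuth 1999-07-12.log",
    "CSAuth 10-07-1999.log",  # written while Day/Month/Year was selected
    "CSAuth 1999-06-30.log",
    "readme.txt",
]
REFERENCE_DAY = date(1999, 7, 14)  # constructed "today" for the sample

if __name__ == "__main__":
    print("older than 7 days:", files_to_delete(SAMPLE_LISTING, REFERENCE_DAY, max_age_days=7))
    print("keep last 2:", files_to_delete(SAMPLE_LISTING, REFERENCE_DAY, keep_last=2))
```

Run against a real listing (for example the output of a directory listing of CSAuth\Logs) to see how many days of diagnostic history a chosen x actually preserves.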

To configure how Cisco Secure ACS generates and manages the service log file, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click Service Control.

Result: The status of the services appears in the CiscoSecure ACS on hostname table, where hostname is the name of the Cisco Secure ACS server.

Step 3   To disable the service log file, under Level of detail, select the None option.

Result: After you click Restart, Cisco Secure ACS does not generate new service log files.

Step 4   To configure how often Cisco Secure ACS creates a service log file, select one of the options under Generate New File.


Note    Settings under Generate New File have no effect if you selected None under Level of detail.

Step 5   To manage which service log files Cisco Secure ACS keeps, follow these steps:

a. Select the Manage Directory check box.

b. To limit the number of service log files Cisco Secure ACS retains, select the Keep only the last x files option and in the x box type the number of files you want Cisco Secure ACS to retain.

c. To limit how old service log files retained by Cisco Secure ACS can be, select the Delete files older than x days option and in the x box type the number of days for which Cisco Secure ACS should retain a service log file before deleting it.

Step 6   Click Restart.

Result: Cisco Secure ACS restarts its services and implements the service log settings you specified.