Installation Guide for the Cisco 1120 Secure Access Control Server 4.2
Administering the Cisco 1120 Secure Access Control Server

Table Of Contents

Administering the Cisco 1120 Secure Access Control Server

Basic Command Line Administration Tasks

Logging In to the CSACS 1120 from a Serial Console

Shutting Down the CSACS 1120 from a Serial Console

Logging Off the CSACS 1120 from a Serial Console

Rebooting the CSACS 1120 from a Serial Console

Determining the Status of CSACS 1120 System and Services from a Serial Console

Tracing Routes

Stopping ACS Services from a Serial Console

Starting ACS Services from a Serial Console

Restarting ACS Services from a Serial Console

Getting Command Help from the Serial Console

Working with System Data

Obtaining Support Logs from the Serial Console

Exporting Logs

Exporting a List of Groups

Exporting a List of Users

Backing Up ACS Data from the Serial Console

Restoring ACS Data from the Serial Console

Enabling RDBMS Synchronization

Enabling Remote Invocation for CSDBSync Functionality

Reconfiguring CSACS 1120 System Parameters

Resetting the CSACS 1120 Administrator Password

Resetting the CSACS 1120 CLI Administrator Name

Resetting the GUI Administrator Login and Password

Resetting the CSACS 1120 Database Password

Reconfiguring the CSACS 1120 IP Address

Setting the System Time and Date Manually

Setting the System Time and Date with NTP

Setting the System Timeout

Setting the CSACS 1120 System Domain

Setting the CSACS 1120 System Hostname

Patch Rollback

Removing Installed Patches

Understanding the CSAgent Patch

Recovery Management

Recovering from Loss of Administrator Credentials

Re-imaging the CSACS 1120 Hard Drive


Administering the Cisco 1120 Secure Access Control Server


This section describes the major CSACS 1120 system administration tasks that you can perform using the CLI over a serial console connection. For all other configuration and administration tasks, that is, those performed from the ACS web interface, see the User Guide for Cisco Secure Access Control Server 4.2.

The serial console service starts automatically when the CSACS 1120 boots and prompts the user to log in. A successful login launches a command line application (shell) that operates the CLI.

This section contains:

Basic Command Line Administration Tasks

Working with System Data

Reconfiguring CSACS 1120 System Parameters

Patch Rollback

Recovery Management

Basic Command Line Administration Tasks

This section details basic administrative tasks you can perform from a serial console connected to the CSACS 1120. This section contains:

Logging In to the CSACS 1120 from a Serial Console

Shutting Down the CSACS 1120 from a Serial Console

Logging Off the CSACS 1120 from a Serial Console

Rebooting the CSACS 1120 from a Serial Console

Determining the Status of CSACS 1120 System and Services from a Serial Console

Tracing Routes

Stopping ACS Services from a Serial Console

Starting ACS Services from a Serial Console

Restarting ACS Services from a Serial Console

Getting Command Help from the Serial Console

Logging In to the CSACS 1120 from a Serial Console

To log in to the CSACS 1120 from a serial console:


Step 1 Establish a serial console connection to the CSACS 1120. For details, see Configuring CSACS 1120.

Step 2 At the login: prompt, enter the administrator name, and press Enter.

Step 3 At the password: prompt, enter the password, and press Enter.

Result: The system prompt appears:

name


Note Only one set of login credentials (administrator name and password) has the serial connection privilege.



Shutting Down the CSACS 1120 from a Serial Console

You can use the serial console to shut down the CSACS 1120.


Caution Powering off the CSACS 1120 by using only the power switch may cause the loss or corruption of data.

To use the serial console to shut down the CSACS 1120:


Step 1 Log in to the CSACS 1120. For more information, see Logging In to the CSACS 1120 from a Serial Console.

Step 2 At the system prompt, enter shutdown, and press Enter.

Step 3 At the Are you sure you want to shut down? (Y/N): prompt, enter Y for yes, and press Enter.

Result: The console displays:

It is now safe to turn off the computer

Step 4 Press the power switch and hold it down for 4 seconds to turn off the CSACS 1120.

For the location of the power switch see Figure 1-2.

Result: The CSACS 1120 powers OFF.


Logging Off the CSACS 1120 from a Serial Console

To log off the CSACS 1120 from a serial console:

At the system prompt, enter exit, and press Enter.

Result: The serial console connection closes, and the login prompt appears.


Rebooting the CSACS 1120 from a Serial Console

To reboot the CSACS 1120 from the serial console:


Step 1 Log in to the CSACS 1120. For more information, see Logging In to the CSACS 1120 from a Serial Console.

Step 2 At the system prompt, enter reboot, and press Enter.

Step 3 At the Are you sure you want to reboot? (Y/N): prompt, enter Y for yes, and press Enter.

Result: The CSACS 1120 reboots. When the reboot is finished, the login prompt appears.


Determining the Status of CSACS 1120 System and Services from a Serial Console

You can use the serial console connection to obtain system and service status information.


Note You typically perform status determination in the CSACS 1120 web interface. For more information, see "Determining the Status of Cisco Secure ACS Services" in the User Guide for Cisco Secure Access Control Server 4.2.


To determine the status of the CSACS 1120 and its services:


Step 1 Log in to the CSACS 1120. For more information, see Logging In to the CSACS 1120 from a Serial Console.

Step 2 At the system prompt, enter show, and press Enter.

Result: The console displays:

  Name
  Version
Appliance Management Software Version
Appliance Base Image Version
CSA build XXXX: (Patch: x_x_x_xxx)
Session Timeout (in minutes)
Last Reboot Time
Current Date & Time
Time Zone
NTP Server(s)
CPU Load (percentage)
Free Disk (amount of hard drive space available)
Free Physical Memory
Appliance IP Configuration
DHCP Enabled (Yes/No)
IP Address
Subnet Mask 
Default Gateway
DNS Servers 
ACS Services (running/stopped)
CSAdmin
CSAgent
CSAuth
CSDbSync
CSLog 
CSMon
CSRadius 
CSTacacs
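The status fields listed above are what an operator reads from the console by hand. As an added example (not part of this guide or of the ACS product), the following Python script turns a captured `show` transcript into a checklist: every ACS service must be running, the appliance should not be on DHCP, and an NTP server should be configured so that log timestamps are trustworthy. The guide lists the field names but not their exact layout, so the "label: value" format and the sample values below are constructed assumptions; adjust the parser to the output your appliance actually prints.

```python
"""Audit a captured `show` transcript from the CSACS 1120 serial console.

Added example, not from the original guide. The key/value layout is an
assumption: the guide names the fields `show` prints but not their exact
formatting. Field names come from the guide; the values are invented.
"""
import re

# Service names the guide lists under "ACS Services (running/stopped)".
ACS_SERVICES = ("CSAdmin", "CSAgent", "CSAuth", "CSDbSync",
                "CSLog", "CSMon", "CSRadius", "CSTacacs")

# Constructed sample transcript (assumed layout, invented values).
SAMPLE_SHOW = """\
Name: acs-lab-01
Version: 4.2(0.124)
Appliance Management Software Version: 4.2.0.124
Appliance Base Image Version: 4.2.0.124
Session Timeout (in minutes): 30
Last Reboot Time: 01/15/2009 08:12:44
Current Date & Time: 01/20/2009 14:03:10
Time Zone: UTC
NTP Server(s):
CPU Load (percentage): 12
Free Disk (amount of hard drive space available): 21 GB
Free Physical Memory: 512 MB
Appliance IP Configuration
DHCP Enabled (Yes/No): Yes
IP Address: 192.0.2.10
Subnet Mask: 255.255.255.0
Default Gateway: 192.0.2.1
DNS Servers: 192.0.2.53
ACS Services (running/stopped)
CSAdmin running
CSAgent stopped
CSAuth running
CSDbSync running
CSLog running
CSMon running
CSRadius running
CSTacacs stopped
"""


def parse_show(text):
    """Return (fields, services) from a `show` transcript.

    fields:   dict of label -> value for lines of the form "label: value"
              (the first colon separates label from value, so timestamps
              containing colons survive intact).
    services: dict of ACS service name -> "running" or "stopped".
    """
    fields = {}
    services = {}
    svc_re = re.compile(r"^(%s)\s+(running|stopped)\s*$" % "|".join(ACS_SERVICES))
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = svc_re.match(line)
        if m:
            services[m.group(1)] = m.group(2)
            continue
        if ":" in line:
            label, _, value = line.partition(":")
            fields[label.strip()] = value.strip()
    return fields, services


def audit_show(text):
    """Return a list of findings an operator should act on (empty = healthy)."""
    fields, services = parse_show(text)
    findings = []
    for name in ACS_SERVICES:
        state = services.get(name)
        if state is None:
            findings.append("service %s missing from show output" % name)
        elif state != "running":
            msg = "service %s is %s" % (name, state)
            if name == "CSAgent":
                # The guide notes CSAgent is not restarted on reboot.
                msg += " (CSAgent is not started at reboot; use start CSAgent)"
            findings.append(msg)
    # Recommendation (assumption, not from the guide): AAA clients are
    # configured with a fixed server address, so DHCP on the server is a risk.
    if fields.get("DHCP Enabled (Yes/No)", "").lower() == "yes":
        findings.append("DHCP enabled: AAA clients expect a fixed server address")
    if not fields.get("NTP Server(s)"):
        findings.append("no NTP server configured: log timestamps will drift")
    return findings


if __name__ == "__main__":
    for finding in audit_show(SAMPLE_SHOW):
        print("FINDING:", finding)
```

Run the script over a transcript saved from your terminal emulator; an empty result means every listed service is running and the time and addressing checks passed.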

Tracing Routes

If you are unfamiliar with the tracert command or want information on the command's optional arguments, see the Command Reference entry tracert.

To trace the network route that the CSACS 1120 takes to a given destination:

At the system prompt, enter tracert, followed by zero (0) or more optional arguments, and the IP address of the target destination, and press Enter.

Result: The console displays the route tracing information followed by the message:

Trace complete

Stopping ACS Services from a Serial Console


Note You typically stop ACS services in the web interface.


You can stop any of the ACS services from the serial console. The CSACS 1120 services include:

CSAdmin

CSAgent

CSAuth

CSDbSync

CSLog

CSMon

CSRadius

CSTacacs


Tip To list the services and their status, you can use the show command. For more information, see Determining the Status of CSACS 1120 System and Services from a Serial Console.



Note When you stop the CSAgent service, it remains stopped until you explicitly start it again; unlike the other services, CSAgent does not start automatically when the system reboots.


To stop an ACS service:


Step 1 Log in to the CSACS 1120. For more information, see Logging In to the CSACS 1120 from a Serial Console.

Step 2 At the system prompt, enter stop followed by a single space and the name of the ACS service that you want to stop, and press Enter.


Tip You can list more than one service to stop; enter a single space between each.


Result: The console displays:

Stopping service: [service name]. . . .
[service name] is not running

Starting ACS Services from a Serial Console


Note You typically start ACS services in the web interface.


You can start any of the ACS services from the serial console. The ACS services include:

CSAdmin

CSAgent

CSAuth

CSDbSync

CSLog

CSMon

CSRadius

CSTacacs


Tip To list the services and their status, you can use the show command. For more information, see Determining the Status of CSACS 1120 System and Services from a Serial Console.


To start an ACS service:


Step 1 Log in to the CSACS 1120. For more information, see Logging In to the CSACS 1120 from a Serial Console.

Step 2 At the system prompt, enter start followed by a single space and the name of the ACS service that you want to start, and press Enter.


Tip You can list more than one service to start; enter a single space between each.


Result: The console displays:

Starting service: [service name]. . . .
[service name] is starting
[service name] is running

Restarting ACS Services from a Serial Console


Note You typically restart ACS services in the web interface.


You can restart any ACS service from the serial console. ACS services include:

CSAdmin

CSAgent

CSAuth

CSDbSync

CSLog

CSMon

CSRadius

CSTacacs


Tip To list the services and their status, you can use the show command. For more information, see Determining the Status of CSACS 1120 System and Services from a Serial Console.


To restart an ACS service:


Step 1 Log in to the CSACS 1120. For more information, see Logging In to the CSACS 1120 from a Serial Console.

Step 2 At the system prompt, enter restart followed by a single space and the name of the ACS service that you want to restart, and press Enter.


Tip You can list more than one service to restart; enter a single space between each.


Result: The console displays:

[service name] is stopping. . .
[service name] is not running
[service name] is starting
[service name] is running
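The stop, start, restart and reboot procedures above are all the same exchange: send a command, answer a confirmation prompt if the console asks for one, and read the status messages the console prints back. As an added example (not from this guide or from Cisco), the following Python script drives that exchange and decides success from the messages quoted above. The transport is any object with read() and write() methods; a pyserial Serial instance opened on the console port with a read timeout fits that shape, but that is an assumption about your setup, and the FakeConsole included here replays the guide's own messages so the script runs offline.

```python
"""Script the CSACS 1120 serial CLI: send a command, answer Y/N, read back.

Added example, not part of the original guide. `console` is any object with
read(n)/write(bytes); an empty read means the console went quiet (pyserial
behaves this way once its read timeout expires, which is an assumption).
"""
import re

# Status lines the guide quotes for stop/start/restart.
STATE_RE = re.compile(r"^(CS\w+) is (not running|running|starting|stopping)", re.M)


def read_until_idle(console, chunk=256):
    """Collect console output until a read returns nothing."""
    buf = b""
    while True:
        data = console.read(chunk)
        if not data:
            return buf.decode(errors="replace")
        buf += data


def run_command(console, command, confirm=None):
    """Send `command`; if the console asks "(Y/N)", answer with `confirm`.

    Returns the full transcript so the caller can inspect it.
    """
    console.write(command.encode() + b"\r")
    out = read_until_idle(console)
    if confirm is not None and "(Y/N)" in out:
        console.write(confirm.encode() + b"\r")
        out += read_until_idle(console)
    return out


def service_states(transcript):
    """Map service name -> last reported state from the transcript."""
    states = {}
    for m in STATE_RE.finditer(transcript):
        states[m.group(1)] = m.group(2)
    return states


def restart_service(console, name):
    """Run `restart <name>` and fail unless the service reports running."""
    transcript = run_command(console, "restart " + name)
    state = service_states(transcript).get(name)
    if state != "running":
        raise RuntimeError("%s did not come back: %r" % (name, state))
    return state


class FakeConsole:
    """Replays scripted responses; stands in for a serial console object."""

    def __init__(self, script):
        self.script = dict(script)   # command bytes -> response bytes
        self.pending = b""
        self.sent = []

    def write(self, data):
        self.sent.append(data)
        self.pending += self.script.get(data.strip(), b"Unknown command\r\n")

    def read(self, n=1):
        chunk, self.pending = self.pending[:n], self.pending[n:]
        return chunk


# Responses taken from the messages the guide quotes (constructed replay).
SCRIPT = {
    b"restart CSAuth": (b"CSAuth is stopping. . .\r\nCSAuth is not running\r\n"
                        b"CSAuth is starting\r\nCSAuth is running\r\n"),
    b"reboot": b"Are you sure you want to reboot? (Y/N): ",
    b"Y": b"\r\nlogin: ",
}

if __name__ == "__main__":
    print("CSAuth:", restart_service(FakeConsole(SCRIPT), "CSAuth"))
    print(run_command(FakeConsole(SCRIPT), "reboot", confirm="Y"))
```

The confirmation answer is explicit rather than automatic so that a script cannot reboot or shut down the appliance unless its author passed confirm="Y" for that command.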

Getting Command Help from the Serial Console

To obtain a list and description of commands on the CSACS 1120 from the serial console:


Step 1 Log in to the CSACS 1120. For more information, see Logging In to the CSACS 1120 from a Serial Console.

Step 2 At the system prompt, enter help, and press Enter.


Tip Press Enter again to scroll through the list of commands, as necessary.


Result: The console displays the list of commands and their descriptions, as shown in Table 4-1.

Table 4-1 CSACS 1120 Commands 

Command
Description

?

List commands

unlock guiadmin

Unlock GUI administrator

remove guiadmin

Remove GUI administrator

add guiadmin

Adds a GUI administrator account that allows access to the SE using the ACS web GUI.

backup

Back up appliance

download

Download ACS Install Package

exit

Log off

exportgroups

Export group information to an FTP server

exportlogs

Export appliance diagnostic logs to FTP server

exportusers

Export user information to an FTP server

help

List commands

ntpsync

Perform Network Time Protocol synchronization with predefined NTP servers

ping

Verify connections to remote computers

reboot

Soft reboot appliance

restart

Restart ACS services

restore

Restore appliance

rollback

Rollback patched package

set

Set commands

set admin

Set administrator's name

set domain

Set DNS domain

set hostname

Set appliance's hostname

set ip

Set IP configuration

set password

Set administrator's password

set dbpassword

Set database encryption password

set time

Set timezone, enable NTP synch, or set date and time

set timeout

Set the timeout for serial console with no activity

show

Show appliance status

shutdown

Shut down appliance

start

Start ACS services

stop

Stop ACS services

support

Collect logs, registry, and other useful information

tracert

Determine the route taken to a destination

upgrade

Upgrade appliance (stage II)


For more information on commands, see Appendix C, "Command Reference"


Working with System Data

This section explains basic data-manipulation tasks performed from a serial console connected to the CSACS 1120:

Obtaining Support Logs from the Serial Console

Exporting Logs

Exporting a List of Groups

Exporting a List of Users

Backing Up ACS Data from the Serial Console

Restoring ACS Data from the Serial Console

Enabling RDBMS Synchronization

Enabling Remote Invocation for CSDBSync Functionality

Obtaining Support Logs from the Serial Console

This section details the procedure for running the support tool. The support tool first collects logs, system Registry information, and other ancillary data, and then compresses the collected information into a single file with the extension .cab. This file is then sent to support personnel for analysis.


Caution Performing this procedure stops and restarts all services, and will interrupt use of ACS.


Note You typically perform this procedure in the ACS web interface.


This procedure uses the support command. For more information on this command, see support. The arguments for the support command include:

Argument
Description

-d n

Collect the previous n days logs

-u

Collect user database information

server

Hostname for the FTP server to which the file is to be sent

filepath

Directory under the FTP server's root into which package.cab is to be sent

username

Account used to authenticate the FTP session


To generate a .cab file of log and system registry information:


Step 1 Log in to the CSACS 1120. For more information, see Logging In to the CSACS 1120 from a Serial Console.

Step 2 At the system prompt, enter support and the necessary arguments, and press Enter.

Step 3 To collect user database information, at the Collect User Data? <Y or N>: prompt, enter Y and press Enter.

Step 4 At the Collect Previous days logs? <N or Number of days><1>: prompt, enter the number of days for which you want to collect information (from 1 to 9999), and press Enter.

Step 5 At the Enter FTP Server Hostname or IP Address: prompt, enter the FTP server hostname or IP address, and press Enter.

Step 6 At the Enter FTP Server Directory: prompt, enter the pathname to the location on your FTP server to which you want to send the file, and press Enter.

Step 7 At the Enter FTP Server Username: prompt, enter the FTP server username, and press Enter.


Caution Performing this next step begins the procedure that stops and restarts all services, and will interrupt use of the ACS.

Step 8 At the Enter FTP Server Password: prompt, enter the FTP server password, and press Enter.

Result: The console displays a series of messages detailing the writing and dumping of the files, and the stopping and starting of services. When the file transfer finishes, the console displays:

Transferring `Package.cab' completed
Press any key to finish.

This message indicates that ACS has packaged and transferred the .cab file as specified, and has restarted its services.

Result: The system returns to the system prompt.


Exporting Logs

This section details the procedure for exporting ACS log files to an FTP server for further examination and processing. Using the exportlogs command, you can enter the names of the logs to export, or select log names from a list.

Before You Begin

You must have the FTP server address and pathname, as well as the proper credentials for writing to the FTP server (username and password).


Caution Performing this procedure stops and restarts all services, and will interrupt use of the ACS.

To export log files to an FTP server:


Step 1 Log in to the CSACS 1120. For more information, see Logging In to the CSACS 1120 from a Serial Console.

Step 2 At the system prompt, enter exportlogs logname, and press Enter.

Where logname is the name of the log you want to export.


Tip You can enter more than one log name and separate each with a space. If you enter no log name, and press Enter, the system displays the names of the log files available for export.



Caution Performing this procedure stops and restarts all services, and will interrupt use of the ACS.

Step 3 At the Enter FTP Server Hostname or IP Address: prompt, enter the IP address or hostname of the FTP server, and press Enter.

Step 4 At the Enter FTP Server Directory: prompt, enter the FTP server directory pathname, and press Enter.

Step 5 At the Enter FTP Server Username: prompt, enter the FTP server username, and press Enter.

Step 6 At the Enter FTP Server Password: prompt, enter the FTP server password, and press Enter.

Result: ACS exports the specified files to the specified location.


Exporting a List of Groups

This section details the procedure for exporting a list of ACS user groups to an FTP server for further examination and processing.

Before You Begin

You must have the FTP server address and pathname, as well as the proper credentials for writing to the FTP server (username and password).


Caution Performing this procedure stops and restarts the CSAuth service, and will interrupt use of the ACS.

To export a user group list to an FTP server:


Step 1 Log in to the CSACS 1120. For more information, see Logging In to the CSACS 1120 from a Serial Console.

Step 2 At the system prompt, enter exportgroups, and press Enter.


Tip You can enter the following parameters after the command or in response to subsequent prompts: [server] [username] [filepath]


Result: The console displays:

Command will restart CSAuth. Are you sure you want to continue? <Y/N>:

Caution Performing this procedure stops and restarts the CSAuth service, and will interrupt use of the ACS.

Step 3 To proceed, enter Y, and press Enter.

Step 4 At the Enter FTP Server Hostname or IP Address: prompt, enter the FTP server IP address or hostname and press Enter.

Step 5 At the Enter FTP Server Directory: prompt, enter the FTP server directory pathname, and press Enter.

Step 6 At the Enter FTP Server Username: prompt, enter the FTP server username, and press Enter.

Step 7 At the Enter FTP Server Password: prompt, enter the FTP server password, and press Enter.

Result: ACS exports the group list file to the specified location. When this is completed the console displays:

Transferring `groups.txt' completed

The system prompt returns.


Exporting a List of Users

This section details the procedure for exporting a list of ACS users to an FTP server for further examination and processing.

Before You Begin

You must have the FTP server address and pathname, as well as the proper credentials for writing to the FTP server (username and password).


Caution Performing this procedure stops and restarts the CSAuth service, and will interrupt use of the ACS.

To export a list of users to an FTP server:


Step 1 Log in to the CSACS 1120. For more information, see Logging In to the CSACS 1120 from a Serial Console.

Step 2 At the system prompt, enter exportusers, and press Enter.


Tip You can enter the following parameters after the command or in response to subsequent prompts: [server] [username] [filepath]


Result: The console displays:

Command will restart CSAuth. Are you sure you want to continue? <Y/N>:

Caution Performing this procedure stops and restarts the CSAuth service, and will interrupt use of the ACS.

Step 3 To proceed, enter Y, and press Enter.

Step 4 At the Enter FTP Server Hostname or IP Address: prompt, enter the FTP server IP address or hostname, and press Enter.

Step 5 At the Enter FTP Server Directory: prompt, enter the FTP server directory pathname, and press Enter.

Step 6 At the Enter FTP Server Username: prompt, enter the FTP server username, and press Enter.

Step 7 At the Enter FTP Server Password: prompt, enter the FTP server password, and press Enter.

Result: ACS exports the user list file to the specified location. When this is completed the console displays:

Transferring `users.txt' completed

The system prompt reappears.


Backing Up ACS Data from the Serial Console

This section details how to use the serial console to back up ACS data to an FTP server.


Note You typically perform this procedure in the web interface.


During backup, AAA services are interrupted, and ACS data is packaged and sent in a file to an FTP server. You can choose to encrypt this file package; because FTP carries both the file and the FTP credentials in cleartext, encrypting the backup is the only protection the package has in transit and while it rests on the FTP server. For information on how to restore the backup data to the system, see Restoring ACS Data from the Serial Console.

Before You Begin

You must have the FTP server address and pathname, as well as the proper credentials for writing to the FTP server (username and password).


Caution This procedure interrupts the use of ACS for AAA services.

To export ACS data to an FTP server:


Step 1 Log in to the CSACS 1120. For more information, see Logging In to the CSACS 1120 from a Serial Console.

Step 2 At the system prompt, enter backup and press Enter.


Tip You can enter the following parameters after the command or in response to subsequent prompts: [server] [username] [filepath]


Step 3 At the Enter FTP Server Hostname or IP Address: prompt, enter the FTP server IP address or hostname, and press Enter.

Step 4 At the Enter FTP Server Directory: prompt, enter the FTP server directory pathname, and press Enter.

Step 5 At the Enter FTP Server Username: prompt, enter the FTP server username, and press Enter.

Step 6 At the Enter FTP Server Password: prompt, enter the FTP server password, and press Enter.

Step 7 At the File: prompt, enter the name that you want to give the backup file, and press Enter.

Step 8 At the Encrypt Backup file? <Y or N>: prompt, enter Y to encrypt the backup file or N not to encrypt it, and press Enter.


Caution This procedure interrupts the use of ACS for AAA services.

Step 9 If you entered Y to encrypt the backup file, at the Encryption Password: prompt, enter a password and then press Enter.

Result: The console displays:

Backing up now . . .
All running services will be stopped and restarted automatically.
Are you sure you want to proceed? <Y or N>

Step 10 To proceed, enter Y and press Enter.

Result: ACS exports the backup file to the specified location and displays messages regarding the progress of the back up.

When the backup process is completed, the console displays:

Transferring xxx completed.

The system prompt reappears.


Restoring ACS Data from the Serial Console

This section details how to use the serial console to restore ACS data from an FTP server after you perform a back up. For more information on backing up ACS data, see Backing Up ACS Data from the Serial Console.


Note You typically perform this procedure in the web interface.


Before You Begin

You must have the FTP server address and pathname, as well as the proper credentials for reading from the FTP server (username and password). You also need the name of the backup file and, if the backup was encrypted, the encryption password that was set when the backup was created.


Caution This procedure interrupts the use of the ACS for AAA services.


Caution This procedure overwrites current system data and replaces it with the backup data.

To restore ACS data from an FTP server:


Step 1 Log in to the CSACS 1120. For more information, see Logging In to the CSACS 1120 from a Serial Console.

Step 2 At the system prompt, enter restore, and press Enter.


Tip You can enter the following parameters after the command or in response to subsequent prompts: [server] [username] [filepath]


Step 3 At the Enter FTP Server Hostname or IP Address: prompt, enter the FTP server IP address or hostname, and press Enter.

Step 4 At the Enter FTP Server Directory: prompt, enter the FTP server directory pathname, and press Enter.

Step 5 At the Enter FTP Server Username: prompt, enter the FTP server username, and press Enter.

Step 6 At the Enter FTP Server Password: prompt, enter the FTP server password, and press Enter.

Step 7 At the File: prompt, enter the name of the backup file, and press Enter.

Step 8 At the Select Components to Restore: User and Group Database: <Y or N> prompt, enter Y to restore the user and group database, and press Enter.

Step 9 At the CiscoSecure ACS System Configuration: <Y or N> prompt, enter Y to restore the system configuration data, and press Enter.

Step 10 At the Decrypt Backup file? <Y or N>: prompt, enter Y, if you previously encrypted the backup file, and press Enter.

Step 11 If you entered Y to decrypt the backup file, at the Encryption Password: prompt, enter the encryption password that was set when the backup was created (not the FTP password), and press Enter.


Note The console displays the following warning message:
Reloading a system backup will overwrite ALL current configuration information. All services will be stopped and started automatically


Step 12 At the Are you sure you want to proceed? <Y or N>: prompt, enter Y and press Enter.

Result: ACS receives the backup file from the specified location and displays messages regarding the restoration. You may see warnings about components not included in the backup file. For example, if ACS has no shared profile components configured, you see a message about Device Command Sets (DCS) not on the backup, which is normal.

When this is completed, the console displays:

Done

Note You cannot restore ACS 4.1 data from the serial console. You can perform this procedure only through the web interface.



Enabling RDBMS Synchronization

RDBMS Synchronization supports the manipulation and updating of ACS internal database objects: you can create, read, update, and delete every data item that RDBMS Synchronization can access. This section details the procedure for invoking RDBMS Synchronization on the CSACS 1120.

For more information about RDBMS Synchronization, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/user.html


Note You must upload and use the accountActions.csv file to perform RDBMS Synchronization on the CSACS 1120.


Before You Begin

You must have the FTP server address and pathname, as well as write permissions to the FTP server directory.

To configure RDBMS Synchronization on the SE:


Step 1 Connect to the CSACS 1120 from an SSH client, and verify connectivity between the SSH client and the SSH server.

Step 2 Log in to the GUI administrator account and enter the administrator name and password.

Step 3 In the navigation bar, click System Configuration.

Step 4 Click RDBMS Synchronization.

The RDBMS Synchronization setup page appears.

Step 5 In the FTP Setup For Account Actions Download Table, enter:

a. The name of the accountActions file that you want to use to update ACS.

b. The IP address or hostname of the FTP server from where CSACS 1120 must download the accountActions file.

c. The directory path on the FTP server where the accountActions file resides.

d. The username for ACS to access the FTP server.

e. The password for the FTP server.

Step 6 Upload the CSV file.

CSACS 1120 will automatically create the DSN.


Note The uploaded CSV file must be in a valid format and the values given in the CSV file for RDBMS Synchronization must be valid.


Step 7 Log in to the CLI administrator account and enter the administrator username and password.

Step 8 At the system prompt, enter csdbsync -syncnow and press Enter.

Step 9 The console displays:

CSDbSync v4.2(0.113), Copyright 1997-2007, Cisco Systems Inc 
Logging mode: FULL 
Transaction processing invoked manually 
 
Sync complete: 10 transaction(s) 0 parse error(s) 0 process error(s) 
SL:Disconnect Start 
DBConnectionPool: 2 Connecion(s) to delete 
Going to sleep for 0.5 sec 
Going to sleep for 0.5 sec 
Going to sleep for 0.5 sec 
Going to sleep for 0.5 sec 
DBConnectionPool: Destructor Complete 
SL:Disconnect Complete

CSACS 1120 reads the uploaded accountActions CSV file, interprets the action code in each record, and performs the RDBMS Synchronization operations that the records specify.


Enabling Remote Invocation for CSDBSync Functionality

CSDBSync supports the configuring of ACS on the CSACS 1120, via remote systems. The CSDBSync service reads each record from the accountActions file and updates the ACS internal database according to the action code specified in the record. Synchronization events fail if CSDBSync cannot access the accountActions file. In a distributed environment, a single ACS, known as the senior synchronization partner, accesses the accountActions table and sends synchronization commands to its synchronization partners.

For more information about CSDBSync, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/user.html

Reconfiguring CSACS 1120 System Parameters

This section details basic reconfiguration tasks performed from a serial console connected to the CSACS 1120. This section contains:

Resetting the CSACS 1120 Administrator Password

Resetting the CSACS 1120 CLI Administrator Name

Resetting the GUI Administrator Login and Password

Resetting the CSACS 1120 Database Password

Reconfiguring the CSACS 1120 IP Address

Setting the System Time and Date Manually

Setting the System Time and Date with NTP

Setting the System Timeout

Setting the CSACS 1120 System Domain

Setting the CSACS 1120 System Hostname

Resetting the CSACS 1120 Administrator Password

There is always a single set of ACS CLI administrator credentials, consisting of the administrator name and password. Unlike other ACS administrative accounts, this unique administrative account is granted all privileges, cannot be deleted, and is not listed in the Administrators table of the Administrative Control page in the ACS web interface. This account is called the CLI administrator account and allows access to ACS only through a serial console.

You can reset the ACS CLI administrator name, the administrator password, or both. This procedure details how to reset the password after you log in with the existing credentials. To reset the CLI administrator name see Resetting the CSACS 1120 CLI Administrator Name.

If you do not have the existing ACS CLI administrator login credentials, you must have the recovery CD-ROM to reset these credentials. For information on resetting the administrator login and password without first logging in, see Recovering from Loss of Administrator Credentials.

To reset the ACS administrator login credentials:


Step 1 Log in to the CSACS 1120. For more information, see Logging In to the CSACS 1120 from a Serial Console.

Step 2 At the system prompt, enter set password, and press Enter.

Step 3 At the Enter old password: prompt, enter the old password, and press Enter.

Step 4 At the Enter new account name: prompt, enter the new account name, and press Enter.

Step 5 At the Enter new password: prompt, enter the new password, and press Enter.


Note The new password must not be identical to any of the last ten passwords used. It must not contain the administrator account name, must contain a minimum of six characters, and must include a mix of at least three of the four character types: numerals, special characters, uppercase letters, and lowercase letters. Each of the following examples is acceptable: 1PaSsWoRd, *password44, Pass*word.


Step 6 At the Reenter new password: prompt, reenter the new password, and press Enter.

Result: The console displays:

Password is set successfully.  
Administrator account name is set to ____
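The appliance enforces the password rules in the Note above at the set password prompt, where a rejected password costs another round trip over the console. As an added example (not from this guide or from Cisco), the following Python function applies the same rules before you type the password in, using the guide's own three examples as the acceptable cases. The password history list and the case-insensitive test for the account name are assumptions about how the appliance compares; the guide states the rules but not those details.

```python
"""Pre-check a CLI administrator password against the `set password` rules.

Added example, not from the original guide. Assumptions: the history is a
caller-supplied list of previous passwords (most recent first), and the
"contains the account name" test is case-insensitive.
"""
import string

MIN_LENGTH = 6          # "minimum of six characters"
HISTORY_DEPTH = 10      # "not identical to the last ten passwords"
REQUIRED_CLASSES = 3    # "at least three character types"


def character_classes(password):
    """Return the set of character classes present in `password`."""
    classes = set()
    for ch in password:
        if ch.isdigit():
            classes.add("numeral")
        elif ch.isupper():
            classes.add("uppercase")
        elif ch.islower():
            classes.add("lowercase")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def check_password(candidate, account_name, history=()):
    """Return a list of rule violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if account_name and account_name.lower() in candidate.lower():
        problems.append("contains the administrator account name")
    if len(character_classes(candidate)) < REQUIRED_CLASSES:
        problems.append("fewer than %d character classes" % REQUIRED_CLASSES)
    if candidate in list(history)[:HISTORY_DEPTH]:
        problems.append("matches one of the last %d passwords" % HISTORY_DEPTH)
    return problems


if __name__ == "__main__":
    # The guide's three acceptable examples, plus constructed failing ones.
    for pw in ("1PaSsWoRd", "*password44", "Pass*word", "password", "Admin*42"):
        print("%-12s %s" % (pw, check_password(pw, "admin") or "OK"))
```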

Resetting the CSACS 1120 CLI Administrator Name

There is always a single set of ACS CLI administrator credentials that consists of the administrator name and password. Unlike other ACS administrative accounts, this unique administrative account is granted all privileges, cannot be deleted, and is not listed in the Administrators table of the Administrative Control page in the ACS web interface.

You can reset the ACS CLI administrator name, the administrator password, or both. This procedure details how to reset the administrator name after you log in with the existing credentials. To reset the password, see Resetting the CSACS 1120 Administrator Password.


Note The CLI administrator login does not provide access to the CSACS 1120 using the web GUI. You must set up an initial web GUI password using the add guiadmin command. For information on setting up an initial web GUI account, see Resetting the GUI Administrator Login and Password.


If you do not have the existing CLI administrator login credentials, you must use the recovery CD-ROM to reset these credentials. For information on resetting the administrator login and password without first logging on, see Recovering from Loss of Administrator Credentials.

To reset the ACS CLI administrator name:


Step 1 Log in to the CSACS 1120 . For more information, see Logging In to the CSACS 1120 from a Serial Console.

Step 2 At the system prompt, enter set admin, and press Enter.

Step 3 At the Set administrator's name: prompt, enter the new administrator name, and press Enter.

Step 4 At the Set administrator name again: prompt, enter the administrator name again, and press Enter.

Result: The console displays:

Administrator name is set successfully.

Resetting the GUI Administrator Login and Password

The GUI administrator account is separate from the CLI administrator account. This procedure details how to create the initial GUI administrator account from the serial console after you log in with the existing CLI administrator credentials. To reset the CLI administrator password, see Resetting the CSACS 1120 Administrator Password.

After initial installation of the CSACS 1120, the only password that exists is the CLI administrator password. This password allows access only through a serial console login and CLI commands.

To enable an initial administrator account that can access ACS through the web GUI, you must set up a GUI administration account using the add guiadmin command.

To set up an initial web GUI account:


Step 1 Log in as the CLI administrator.

Step 2 At the command prompt, enter:

add guiadmin <admin> <password>

where admin is the name of the GUI administrator account and password is the password for the GUI administrator.

Step 3 At the Enter new GUI administrator name: prompt, enter the new GUI administrator name and press Enter.

Step 4 At the Enter new password: prompt, enter the new password and press Enter.


Note The password must be between 4 and 32 characters long. This minimum is far weaker than the CLI administrator password policy; because this account administers ACS remotely over the web interface, choose a GUI administrator password that also satisfies the CLI policy (at least six characters, a mix of at least three character types).


Step 5 At the Enter new password again: prompt, enter the new password again, and press Enter.

Result: The console displays:

GUI Administrator added successfully.

Now, you can use the GUI administrator account to remotely access the ACS GUI running on the CSACS 1120.


Resetting the CSACS 1120 Database Password

You should change the ACS database password from time to time, to ensure database security. This procedure details how to reset the password after you have logged on with the existing credentials.

To reset the ACS database password:


Step 1 Log in to the CSACS 1120. For more information, see Logging In to the CSACS 1120 from a Serial Console.

Step 2 At the system prompt, enter set dbpassword, and press Enter.

Step 3 At the Please enter the OLD ACS Database Encryption Password: prompt, enter the old database password, and press Enter.

Step 4 At the Please enter the NEW ACS Database Encryption Password: prompt, enter the new password, and press Enter.


Note The new password must not contain the administrator account name, must contain a minimum of six characters, and it must include a mix of at least three character types: numerals, special characters, uppercase letters, and lowercase letters. Each of the following examples is acceptable: 1PaSsWoRd, *password44, Pass*word.


Step 5 At the Reenter new password: prompt, enter the new password again, and press Enter.

Result: The console displays:

Password is set successfully.
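The notes for the CLI administrator password and for the database encryption password state the same policy: at least six characters, at least three of the four character classes, no occurrence of the administrator account name, and (for the administrator password) no reuse of the last ten passwords. The appliance enforces this itself at the prompt; the checker below is an added example, not appliance code, for validating a candidate password before you type it at the console, so that a rejected attempt does not cost you a session. The password history list and the case-insensitive account-name match are assumptions; the appliance does not expose its own history and the document does not say whether the name check is case-sensitive.

```python
# Added example: pre-check a candidate password against the policy quoted in
# this section. Not part of the ACS software; the appliance applies its own
# checks when you run set password, set dbpassword or the recovery procedure.

MIN_LENGTH = 6          # "must contain a minimum of six characters"
REQUIRED_CLASSES = 3    # "a mix of at least three character types"
HISTORY_DEPTH = 10      # "not identical to the last ten passwords"


def character_classes(password):
    """Return the set of character classes used: upper, lower, digit, special."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def check_password(password, account_name, history=()):
    """Return a list of policy violations; an empty list means the password is acceptable.

    history is an assumed list of previously used passwords, oldest first.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Assumption: the account-name test is applied case-insensitively, which is
    # the conservative reading of "must not contain the administrator account name".
    if account_name and account_name.lower() in password.lower():
        problems.append("contains the administrator account name")
    classes = character_classes(password)
    if len(classes) < REQUIRED_CLASSES:
        problems.append(
            f"uses only {len(classes)} of the 4 character classes (need {REQUIRED_CLASSES})")
    if password in list(history)[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # The three examples the document lists as acceptable, plus two rejects.
    for candidate in ("1PaSsWoRd", "*password44", "Pass*word", "password", "Acsadmin1!"):
        result = check_password(candidate, "acsadmin")
        print(f"{candidate!r}: {'ok' if not result else '; '.join(result)}")
```

The three sample passwords quoted in the notes all pass; a lowercase-only password fails the character-class rule, and one that embeds the account name fails the name rule even though it is otherwise strong.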

Reconfiguring the CSACS 1120 IP Address

Typically, you configure the IP address only once, during initial configuration. See Configuring CSACS 1120.


Caution Reconfiguring the IP address may cause other network devices to fail to recognize the CSACS 1120.


Caution Reconfiguring the IP address causes services to restart. AAA services to users will be interrupted.


Note To set or change the IP address of your CSACS 1120, the CSACS 1120 must be connected to a working Ethernet connection.


To reconfigure the IP address:


Step 1 Log in to the CSACS 1120. For more information, see Logging In to the CSACS 1120 from a Serial Console.

Step 2 At the system prompt, enter set ip, and press Enter.

Step 3 At the Use Static IP Address [Yes]: prompt, enter Y for yes or N for No, and press Enter.

Step 4 If you entered No, the system displays a confirmation of DHCP and the message IP Address is reconfigured appears on the console. Continue the procedure with Step 5.

If you entered Yes, to specify the CSACS 1120 IP address:

a. At the IP Address [xx.xx.xx.xx]: prompt, enter the IP address, and press Enter.

b. At the Subnet Mask [xx.xx.xx.xx]: prompt, enter the subnet mask, and press Enter.

c. At the Default Gateway [xx.xx.xx.xx]: prompt, enter the default gateway, and press Enter.

d. At the DNS Servers [xx.xx.xx.xx]: prompt, enter the address of any DNS servers you intend to use (separate each by a single space), and press Enter.

Result: The console displays the new configuration information and the following message:

IP Address is reconfigured.

Step 5 Review the information displayed, and at the Confirm the changes? [Y]: prompt, enter Y, and press Enter.

Result: The CSACS 1120 restarts. The console displays:

New ip address is set.

Step 6 At the Test network connectivity [Yes]: prompt, enter Y, and press Enter.


Tip This step executes a ping command to ensure the connectivity of the CSACS 1120.


Step 7 At the Enter hostname or IP address: prompt, enter the IP address or hostname of a device connected to the CSACS 1120, and press Enter.

Result: If successful, the system displays the ping statistics. Once again the system displays the Test network connectivity [Yes]: prompt.

Step 8 If network connectivity is successful in the previous two steps, at the Test network connectivity [Yes]: prompt, enter N, and press Enter.


Tip The system will continue to provide you with the opportunity to test network connectivity until you answer N. This procedure gives you an opportunity, if required, to correct network connections or retype the IP address.


Result: The CSACS 1120 restarts services, and displays the system prompt.
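Both cautions above come down to one risk: if the address, mask or gateway you type at the set ip prompts are inconsistent, the appliance restarts its services with a configuration that other devices cannot reach, and you are left with only the serial console. The script below is an added example, not part of the ACS software, that checks the four values from Step 4 for consistency before you enter them. The sample values are constructed for the example.

```python
# Added example: sanity-check the values for the set ip prompts before typing
# them at the console. Not ACS code; the appliance performs no such check.
import ipaddress


def check_static_ip(ip, mask, gateway, dns_servers):
    """Validate the IP address, subnet mask, default gateway and DNS server list.

    dns_servers is the space-separated string the DNS Servers prompt accepts.
    Returns a list of problems; an empty list means the values are consistent.
    """
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    except ValueError as exc:
        return [f"invalid address or subnet mask: {exc}"]
    network = iface.network

    # The network and broadcast addresses of the subnet are not usable host addresses.
    if network.prefixlen < 31 and iface.ip in (network.network_address,
                                               network.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {network}")

    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        problems.append(f"invalid default gateway: {exc}")
    else:
        # A gateway outside the subnet is the classic way to lose remote access.
        if gw not in network:
            problems.append(
                f"default gateway {gw} is not in {network}; the appliance would be unreachable from other subnets")
        elif gw == iface.ip:
            problems.append("default gateway is the appliance's own address")

    servers = dns_servers.split()
    if not servers:
        problems.append("no DNS server given")
    for server in servers:
        try:
            ipaddress.IPv4Address(server)
        except ValueError:
            problems.append(f"invalid DNS server address: {server}")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the second set has a gateway on the wrong subnet.
    for values in (("10.1.1.5", "255.255.255.0", "10.1.1.1", "10.1.1.10 10.1.2.10"),
                   ("10.1.1.5", "255.255.255.0", "10.1.2.1", "10.1.1.10")):
        result = check_static_ip(*values)
        print(values, "->", "ok" if not result else "; ".join(result))
```

Run it with the values you intend to type, and only proceed to Step 5 when it reports no problems; Step 6 (the ping test) confirms the result, but only after the services have already restarted.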


Setting the System Time and Date Manually

You can set and maintain the system date and time by using one of two methods:

Set the time and date manually.

Assign a network time protocol (NTP) server with which the system synchronizes its date and time.

To set the CSACS 1120 system time and date by using an NTP, see Setting the System Time and Date with NTP.

To set the CSACS 1120 system time and date manually:


Step 1 Log in to the CSACS 1120. For more information, see Logging In to the CSACS 1120 from a Serial Console.

Step 2 At the system prompt, enter set time, and press Enter.

Result: The console displays:

Current Date/Time Setting:
Time Zone: (GMT -xx:xx) XXX Time
Date and Time: mm/dd/yyyy hh/mm/ss
NTP Servers: ("Ntp Synchronization Disabled" - or -a list of NTP servers)
Change Date & Time Setting? [N]

Step 3 At the Change Date & Time Setting? [N]: prompt, to set the time zone, time, or date enter Y, and press Enter.

Result: The console displays a list of indexed time zones and the following message:

[xx] (GMT -xx:xx) XXX Time.
Enter desired time zone index (0 for more choices) [x]:

Step 4 At the Enter desired time zone index (0 for more choices) [x]: prompt, enter the desired time zone index number from the time zone setting list, and press Enter.


Tip You can also enter 0 (zero) and press Enter to see more time zone index numbers.


Result: The console displays the new time zone.

Step 5 At the Synchronize with NTP Server? prompt, enter N, and press Enter.

Step 6 At the Enter date [mm/dd/yyyy]: prompt, enter the date, and press Enter.

Step 7 At the Enter time [hh:mm:ss]: prompt, enter the current time, and press Enter.

Result: The system time is reset.


Setting the System Time and Date with NTP

You can set and maintain the system date and time by using one of two methods:

Set the time and date manually.

Assign an NTP server with which the system synchronizes its date and time. (You can configure backup NTP servers if you desire.)

To set the CSACS 1120 system time and date manually, see Setting the System Time and Date Manually.

To set the CSACS 1120 system time and date with NTP:


Step 1 Log in to the CSACS 1120. For more information, see Logging In to the CSACS 1120 from a Serial Console.

Step 2 At the system prompt, enter set time, and press Enter.

Result: The console displays:

Current Date Time Setting:
Time Zone: (GMT -xx:xx) XXX Time 
Date and Time: mm/dd/yyyy hh/mm/ss 
NTP Servers: ("Ntp Synchronization Disabled" - or - List of NTP servers)
Change Date & Time Setting? [N]

Step 3 At the Change Date & Time Setting? [N]: prompt, to set the time zone, time, or date enter Y, and press Enter.

Result: The console displays the indexed time zones:

[xx] (GMT -xx:xx) XXX Time.
Enter desired time zone index (0 for more choices) [x]:

Step 4 At the Enter desired time zone index (0 for more choices) [x]: prompt, enter the desired time zone index number from the time zone setting list, and press Enter.


Tip You can also enter 0 (zero) and press Enter to see more time zone index numbers; or simply press Enter to accept the existing time zone.


Result: The console displays the time zone setting.

Step 5 At the Synchronize with NTP Server? prompt, enter Y, and press Enter.

Step 6 At the Enter NTP Server IP Address(es): prompt, enter the IP address of the NTP server that you want to use, and press Enter.


Tip If you want to configure multiple NTP servers, at the Enter NTP Server IP Address prompt, enter multiple IP addresses, each separated by a space.


Result: The console displays:

Successfully synchronized with NTP server
Current Date/Time Setting:
	Time Zone: XXX
Date & Time:
NTP servers:
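The appliance reports only "Successfully synchronized with NTP server"; it does not show the server's stratum or the offset it corrected, and because SNTP here is unauthenticated, any host that can answer on UDP/123 first can set the appliance clock, which in turn timestamps every AAA log entry. The client below is an added example, not ACS code, for checking each server you intend to enter at Step 6 before you point the appliance at it. It builds an SNTP request, parses the reply as RFC 4330 describes, and rejects replies whose originate timestamp does not echo the request (the minimal spoofing check). The offline reply in the test is constructed; the query function needs network access and is not exercised by the test.

```python
# Added example: query an NTP server and report stratum and clock offset.
# Not part of the ACS software; the appliance's own client is not exposed.
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def _to_ntp(unix_time):
    """Convert a Unix timestamp to a 64-bit NTP timestamp (seconds, fraction)."""
    seconds = int(unix_time) + NTP_EPOCH_OFFSET
    fraction = int((unix_time - int(unix_time)) * (1 << 32))
    return seconds, fraction


def _from_ntp(seconds, fraction):
    """Convert an NTP timestamp back to Unix time as a float."""
    return seconds - NTP_EPOCH_OFFSET + fraction / (1 << 32)


def build_request(t1):
    """48-byte SNTP client request: LI=0, VN=4, mode=3, transmit timestamp t1."""
    packet = bytearray(48)
    packet[0] = 0x23  # 00 (LI) 100 (VN=4) 011 (mode=3, client)
    struct.pack_into("!II", packet, 40, *_to_ntp(t1))
    return bytes(packet)


def parse_response(data, t1, t4):
    """Parse a server reply; t1/t4 are the client's send and receive times (Unix)."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    leap, mode, stratum = data[0] >> 6, data[0] & 0x07, data[1]
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if stratum == 0 or leap == 3:
        raise ValueError("kiss-o'-death or unsynchronized server")
    orig_s, orig_f, recv_s, recv_f, xmit_s, xmit_f = struct.unpack_from("!6I", data, 24)
    # The server must echo our transmit timestamp; a reply that does not is not
    # an answer to this request (stale, or injected by a third party).
    if (orig_s, orig_f) != _to_ntp(t1):
        raise ValueError("originate timestamp does not match our request")
    t2 = _from_ntp(recv_s, recv_f)   # server receive time
    t3 = _from_ntp(xmit_s, xmit_f)   # server transmit time
    offset = ((t2 - t1) + (t3 - t4)) / 2     # RFC 4330 clock offset
    delay = (t4 - t1) - (t3 - t2)            # round-trip delay
    return {"stratum": stratum, "offset": offset, "delay": delay}


def query(server, timeout=2.0):
    """Send one SNTP query over UDP/123 and return the parsed reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (server, 123))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    return parse_response(data, t1, t4)


def constructed_reply(t1, t2, t3, stratum=2):
    """Constructed server reply for offline use: echoes t1, stamps t2 and t3."""
    packet = bytearray(48)
    packet[0] = 0x24  # 00 (LI) 100 (VN=4) 100 (mode=4, server)
    packet[1] = stratum
    struct.pack_into("!II", packet, 24, *_to_ntp(t1))   # originate
    struct.pack_into("!II", packet, 32, *_to_ntp(t2))   # receive
    struct.pack_into("!II", packet, 40, *_to_ntp(t3))   # transmit
    return bytes(packet)


if __name__ == "__main__":
    import sys
    # Usage: python ntpcheck.py <server> [<server> ...]  (the same list you type at Step 6)
    for server in sys.argv[1:]:
        try:
            r = query(server)
            print(f"{server}: stratum {r['stratum']}, offset {r['offset']:+.3f}s, delay {r['delay']:.3f}s")
        except (OSError, ValueError) as exc:
            print(f"{server}: FAILED ({exc})")
```

A server that answers with stratum 0, reports itself unsynchronized, or shows an offset of many seconds against a clock you trust should not go into the Step 6 list; with several servers entered, the appliance has at least one good source if another drifts.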

Setting the System Timeout

You can set a system timeout, which is the number of minutes that can pass with no activity on the serial console before the console login times out.

To set the CSACS 1120 system timeout:


Step 1 Log in to the CSACS 1120. For more information, see Logging In to the CSACS 1120 from a Serial Console.

Step 2 At the system prompt, enter set timeout, and press Enter.

Step 3 At the Enter timeout <minutes>: prompt, enter the timeout period in minutes followed by a single space, and press Enter.

Result: The system sets the new timeout period.


Setting the CSACS 1120 System Domain

You can set the system DNS domain from the serial console. To set the CSACS 1120 system domain:


Step 1 Log in to the CSACS 1120. For more information, see Logging In to the CSACS 1120 from a Serial Console.

Step 2 At the system prompt, enter set domain, and press Enter.

Step 3 At the Enter DNS domain: prompt, enter the domain name, and press Enter.

Result: The console displays:

You should reboot appliance for the change to take effect.

Setting the CSACS 1120 System Hostname


Caution Performing this procedure stops and restarts all services, and will interrupt use of the CSACS 1120.

You can set the system hostname. To set the CSACS 1120 system hostname:


Step 1 Log in to the CSACS 1120. For more information, see Logging In to the CSACS 1120 from a Serial Console.

Step 2 At the system prompt, enter set hostname, and press Enter.

Step 3 At the Enter appliance name: prompt, enter the hostname, and press Enter.


Tip You can use up to 15 letters and numbers; but no spaces.


Result: The console displays:

Stopping all ACS Services
Stopping service: CSAdmin.
Stopping service: CSAuth..
Stopping service: CSDbSync.
Stopping service: CSLog.
Stopping service: CSMon.
Stopping service: CSRadius..
Stopping service: CSTacacs.
Starting all ACS Services
Starting service: CSAdmin....
Starting service: CSAuth..
Starting service: CSDbSync.
Starting service: CSLog..
Starting service: CSMon.
Starting service: CSRadius.
Starting service: CSTacacs..
You should reboot appliance for the change to take effect.

The system restarts all services and then prompts you to reboot the appliance. The new hostname takes effect after the reboot.


Patch Rollback

This section contains:

Removing Installed Patches

Understanding the CSAgent Patch

Removing Installed Patches

Use this procedure to uninstall one or more patches and to roll back ACS to the version that existed before the patch installation.

To roll back an ACS system patch:


Step 1 Connect a console to the CSACS 1120 console port. For the location of the console port, see Figure 1-2.

Step 2 At the system prompt, enter rollback and the name of the patch application that you want rolled back, and press Enter.


Tip If you do not include the specific patch application name as a parameter following the rollback command, the system displays the list of patches that can be rolled back. Use this list to identify the patch application name, enter rollback followed by the patch application name, and then press Enter.


Step 3 At the Are you sure you want to rollback [patch name]? (Y/N): prompt, enter Y, and press Enter.

Result: The console displays:

Rolling patch back
Rollback process initiated successfully
Successfully rolled back `[patch name]' to 0.

Tip To obtain system information, including the current version, see Determining the Status of CSACS 1120 System and Services from a Serial Console.



Understanding the CSAgent Patch

In ACS, the CSAgent service is implemented as a pre-installed patch. You must stop CSAgent before you can install any patch or upgrade. Although CSAgent, as a patch, can be rolled back, the preferred method for disabling this service is simply to stop it. Once stopped, the CSAgent service does not restart when the system is restarted; you must explicitly restart the service for it to operate. For more information, see the User Guide for Cisco Secure Access Control Server 4.2.

Recovery Management

ACS functionality includes two procedures that the administrator can perform by using the CSACS 1120 Recovery CD-ROM:

Recovering from Loss of Administrator Credentials

Re-imaging the CSACS 1120 Hard Drive

Recovering from Loss of Administrator Credentials

If you cannot log in to the system because you have lost the account name or password for the administrator account, perform this procedure. In this procedure you use the CSACS 1120 Recovery CD-ROM to access the system from the serial console and reset the administrator login credentials.

The ACS administrator login credentials:

Consist of only one set of login credentials at one time.

Are set (that is, changed from the default) during initial configuration.

Can be reset at any time. For more information, see Resetting the CSACS 1120 Administrator Password.

This recovery procedure entails replacing the administrator login credentials with a new account name and password.

To reset the administrator login credentials:


Step 1 Connect a console to the CSACS 1120 console port. For the location of the console port, see Figure 1-3.

Step 2 Power on the console.

Step 3 Insert the Recovery CD-ROM into the CSACS 1120 CD-ROM drive.

Step 4 Power on the CSACS 1120. (Or if already running, reboot the CSACS 1120. For more information, see Rebooting the CSACS 1120 from a Serial Console.)

Result: The console displays:

ACS Appliance Recovery Options
[1] Reset administrator account
[2] Restore hard disk image from CD
[3] Exit and reboot
Enter menu item number: [ ]

Step 5 At the Enter menu item number: [ ] prompt, enter 1, and press Enter.

Step 6 At the Hit the Return key to log in: prompt, enter Y, and press Enter.

Result: The console displays:

Please remove this recovery CD from the drive, 
then hit RETURN to restart the system:

Step 7 Remove the recovery CD from the drive, and press Enter.

Result: The system reboots, and displays the system version information:

Status: The appliance is functioning properly. 
Default administrator account can be reset now.
Press enter to change default administrator account and password.

Step 8 Press Enter to change the default administrator account and password.

Result: The console displays:

Enter new account name:

Note Press only the Enter key at Step 8. If you press any other key, the password recovery process fails.


Step 9 At the Enter new account name: prompt, enter the name of the administrator, and press Enter.

Result: The console displays:

Enter new password:

Step 10 At the Enter new password: prompt, enter the new password, and press Enter.


Note The new password must be unique and should not be identical to the last ten passwords that have been used. It must contain a minimum of six characters, and it must include a mix of at least three character types: numerals, special characters, uppercase letters, and lowercase letters. Each of the following examples is acceptable: 1PaSsWoRd, *password44, Pass*word.


Result: The console displays:

Enter new password again:

Step 11 At the Enter new password again: prompt, enter the new password again, and press Enter.

Result: The console displays:

Password is set successfully.

Note The user name must not be administrator. If it is, the password recovery process fails.



Re-imaging the CSACS 1120 Hard Drive

Use the CSACS 1120 Recovery CD-ROM to re-image the appliance if necessary.


Caution Performing this procedure destroys all data stored on the CSACS 1120.

To re-image your CSACS 1120:


Step 1 Connect a console to the CSACS 1120 console port. For the location of the console port, see Figure 1-3.

Step 2 Put the Recovery CD in the CSACS 1120 CD-ROM drive. See Figure 1-2.

Step 3 Power on the CSACS 1120 (or, if the CSACS 1120 is already running, reboot it). For more information, see Rebooting the CSACS 1120 from a Serial Console.

Result: The console displays:

ACS Appliance Recovery Options
[1] Reset administrator account
[2] Restore hard disk image from CD
[3] Exit and reboot
Enter menu item number: [ ]

Step 4 At the Enter menu item number: [ ] prompt, enter 2, and press Enter.

Result: The console displays:

This operation will completely erase the hard drive. Press `Y' to confirm, any other key 
to cancel: __

Caution The next step erases the CSACS 1120 hard drive. You will permanently lose all system data that you have not backed up.

Step 5 Enter Y, and press Enter.

Result: The appliance processes the new image (this may take several minutes) while displaying odd characters and then displays the following message on the console:

The system has been reimaged successfully. Please remove this recovery CD from the drive, 
then hit RETURN to restart the system:

Note The reimaging process may take several minutes to complete.


Step 6 Remove the Recovery CD from the CSACS 1120, and press Enter to restart the appliance.

Result: The CSACS 1120 reboots, performs some configurations, and reboots again. The configurations that occur after the first reboot take a significant amount of time, during which there is no feedback. This is normal system behavior.


Note After re-imaging the CSACS 1120 hard drive, you must once again perform initial configuration of the CSACS 1120. For detailed instructions, see Configuring CSACS 1120.