Cisco ACS 5.7 User Guide
    Understanding My Workspace
    Using the Web Interface
    Related Topic
    ACS 5.x Policy Model, page 1
Table 22 Rule Table Page Options

#
    Ordered column of rules within the rule table. You can renumber the rules by reordering, adding, or deleting rules and then clicking Save Changes to complete the renumbering. New rules are added to the end of the ordered column, so you must reorder them if you want to move a new rule to a different position within the ordered list. You cannot reorder the default (catch-all) rule, which remains at the bottom of the rule table.
Check box
    Click one or more check boxes to select associated rules on which to perform actions.
Status
    (Display only.) Indicates the status of rules within the rule table. The status can be:
    Enabled: a green (or light colored) circle with a white check mark.
    Disabled: a red (or dark colored) circle with a white x.
    Monitor-only: a gray circle with a black i.
Name
    Unique name for each rule (except the default, catch-all rule). Click a name to edit the associated rule. When you add a new rule, it is given a name in the format Rule-num, where num is the next available consecutive integer. You can edit the name to make it more descriptive. Cisco recommends that you name rules with a concatenation of the rule name and the service and policy names.
Conditions
    Variable number of condition types are listed, possibly in subcolumns, dependent upon the policy type.
Results
    Variable number of result types are listed, possibly in subcolumns, dependent upon the policy type.
Hit Counts column
    View the hit counts for rules; hits indicate which policy rules are invoked.
Rules scroll bar
    Use the scroll bar at the right of the rules rows to scroll up and down the rules list.
Conditions and results scroll bar
    Use the scroll bar beneath the Conditions and Results columns to scroll left and right through the conditions and results information.
Default rule
    Click to configure the catch-all rule. This option is not available for exception policy rule tables.
Customize
    Click to open a secondary window where you can determine the set and order of conditions and results used by the rule table.
Hit Counts button
    Click to open a secondary window where you can:
    View when the hit counters were last reset or refreshed.
    View the collection period.
    Request a reset or refresh of the hit counts.
    See Displaying Hit Counts, page 9 for more information.
Move to...
    Use the ^ and v buttons to reorder selected rules within the rule table.
Save Changes
    Click to submit your configuration changes.
Discard Changes
    Click to discard your configuration changes prior to saving them.
    Importing and Exporting ACS Objects Through the Web Interface
    You can use the import functionality in ACS to add, update, or delete multiple ACS objects at the same time. ACS uses 
    a comma-separated values (CSV) file to perform these bulk operations. This .csv file is called an import file. ACS provides 
    a separate .csv template for add, update, and delete operations for each ACS object. 
    The first record in the .csv file is the header record from the template that contains column (field) names. You must 
    download these templates from the ACS web interface. The header record from the template must be included in the 
    first row of any .csv file that you import.
    Note: You cannot use the same template to import all the ACS objects. You must download the template that is designed 
    for each ACS object and use the corresponding template while importing the objects. However, you can use the export 
    file of a particular object, retain the header and update the data, and use it as the import file of the same object.
    You can use the export functionality to create a .csv file that contains all the records of a particular object type that are 
    available in the ACS internal store.
    You must have CLI administrator-level access to perform import and export operations. Additionally:
    To import ACS configuration data, you need CRUD permissions for the specific configuration object.
    To export data to a remote repository, you need read permission for the specific configuration object.
    This functionality is not available for all ACS objects. This section describes the supported ACS objects and how to create 
    the import files.
    This section contains:
    Supported ACS Objects, page 18
    Creating Import Files, page 20
    Supported ACS Objects
    While ACS 5.7 allows you to perform bulk operations (add, update, delete) on ACS objects using the import functionality, 
    you cannot import all ACS objects. The import functionality in ACS 5.7 supports the following ACS objects:
    Users
    Hosts
    Network Devices
    Identity Groups
    NDGs
    Downloadable ACLs
    Command Sets
    Table 23 on page 19 lists the ACS objects, their properties, and the property data types. The import template for each 
    of the objects contains the properties described in this table.
Note: The limitations given in Table 23 on page 19 are applicable only to internal database users, not to external database (AD, LDAP, or RSA) users.
Table 23 ACS Objects – Property Names and Data Types

Object Type: User
Username (Required in create, edit, and delete): String. Maximum length is 64 characters.
Description (Optional): String. Maximum length is 1024 characters.
Enabled (Required in create): Boolean.
Change Password (Required in create): Boolean.
Password (Required in create): String. Maximum length is 32 characters. Not available in Export.
Enable Password (Optional): String. Maximum length is 32 characters.
Password Type (Required in create): String. Maximum length is 256 characters.
User Identity Group (Optional): String. Maximum length is 256 characters.
List of attributes (Optional): String and other data types.

Object Type: Hosts
MAC address (Required in create, edit, delete): String. Maximum length is 64 characters.
Description (Optional): String. Maximum length is 1024 characters.
Enabled (Optional): Boolean.
Host Identity Group (Optional): String. Maximum length is 256 characters.
List of attributes (Optional): String.

Object Type: Network Device
Name (Required in create, edit, delete): String. Maximum length is 64 characters.
Description (Optional): String. Maximum length is 1024 characters.
Subnet (Required in create): Subnets. IPv4: /m, excluding a.b.c.d/32; wildcards (*, -). IPv6: /n; wildcards (:, ::). The exclude range is available only for IPv4 addresses.
Support RADIUS (Required in create): Boolean.
RADIUS secret (Optional): String. Maximum length is 32 characters.
coaPort (Optional): Integer.
SupportKeyWrap (Optional): Boolean.
KeywrapKEK (Optional): String. Maximum length is 32 characters.
KeywrapMACK (Optional): String. Maximum length is 40 characters.
KeywrapDisplayInHex (Optional): Boolean.
Support TACACS (Required in create): Boolean.
TACACS secret (Optional): String. Maximum length is 32 characters.
Single connect (Optional): Boolean.
Legacy TACACS (Optional): Boolean.
Support SGA (Required in create): Boolean.
SGA Identity (Optional): String. Maximum length is 32 characters.
SGA trusted (Optional): Boolean.
Password (Optional): String. Maximum length is 32 characters.
sgACLTTL (Optional): Integer.
peerAZNTTL (Optional): Integer.
envDataTTL (Optional): Integer.
Session timeout (Optional): Integer.
List of NDG names (Optional): String.
Location (Optional): String. Maximum length is 32 characters.
Device Type (Optional): String. Maximum length is 32 characters.

Object Type: Identity Group
Name (Required in create, edit, delete): String. Maximum length is 64 characters.
Description (Optional): String. Maximum length is 1024 characters.

Object Type: NDG
Name (Required in create, edit, delete): String. Maximum length is 64 characters.
Description (Optional): String. Maximum length is 1024 characters.

Object Type: Downloadable ACLs
Name (Required in create, edit, delete): String. Maximum length is 64 characters.
Description (Optional): String. Maximum length is 1024 characters.
Content (Required in create, edit, delete): String. The ACL content is split into permit/deny statements separated by a semicolon (;). Maximum length for each statement is 256 characters. There is no limit for ACL content.

Object Type: Command Set
Name (Required in create, edit, delete): String. Maximum length is 64 characters.
Description (Optional): String. Maximum length is 1024 characters.
Commands, in the form grant:command:arguments (Optional): String. A list; colons (:) separate the grant, command, and argument values that you supply.

Fields that are optional can be left empty, and ACS substitutes the default values for those fields. For example, when fields that are related to a hierarchy are left blank, ACS assigns the value of the root node in the hierarchy. For network devices, if Security Group Access is enabled, all the related configuration fields are set to default values.

Creating Import Files
This section describes how to create the .csv file for performing bulk operations on ACS objects. You can download the appropriate template for each of the objects from the ACS web interface. This section contains the following:
Downloading the Template from the Web Interface, page 21
Understanding the CSV Templates, page 21
Creating the Import File, page 22
    Downloading the Template from the Web Interface
    Before you can create the import file, you must download the import file templates from the ACS web interface.
    To download the import file templates for adding internal users:
    1.Log into the ACS 5.7 web interface.
    2.Choose Users and Identity Stores > Internal Identity Stores > Users.
    The Users page appears.
    3.Click File Operations.
    The File Operations wizard appears.
    4.Choose any one of the following:
    Add—Adds users to the existing list. This option does not modify the existing list. Instead, it performs an append 
    operation.
    Update—Updates the existing internal user list.
    Delete—Deletes the list of users in the import file from the internal identity store.
    5.Click Next.
    The Template page appears.
6.Click Download Add Template.
    7.Click Save to save the template to your local disk.
    The following list gives you the location from which you can get the appropriate template for each of the objects:
    User—Users and Identity Stores > Internal Identity Stores > Users
    Hosts—Users and Identity Stores > Internal Identity Stores > Hosts
    Network Device—Network Resources > Network Devices and AAA Clients
    Identity Group—Users and Identity Stores > Identity Groups
    NDG
    —Location—Network Resources > Network Device Groups > Location
    —Device Type—Network Resources > Network Device Groups > Device Type
    Downloadable ACLs—Policy Elements > Authorization and Permissions > Named Permission Objects > 
    Downloadable ACLs
    Command Set—Policy Elements > Authorization and Permissions > Device Administration > Command Sets
    Follow the procedure described in this section to download the appropriate template for your object.
    Understanding the CSV Templates
    You can open your CSV template in Microsoft Excel or any other spreadsheet application and save the template to your 
    local disk as a .csv file. The .csv template contains a header row that lists the properties of the corresponding ACS object. 
    For example, the internal user Add template contains the fields described in Table 24 on page 22:
    Each row of the .csv file corresponds to one internal user record. You must enter the values into the .csv file and save it 
    before you can import the users into ACS. See Creating the Import File, page 22 for more information on how to create 
    the import file.
    This example is based on the internal user Add template. For the other ACS object templates, the header row contains 
    the properties described in Table 23 on page 19 for that object.
    Creating the Import File
    After you download the import file template to your local disk, enter the records that you want to import into ACS in the 
    format specified in the template. After you enter all the records into the .csv file, you can proceed with the import 
    function. The import process involves the following:
    Adding Records to the ACS Internal Store, page 22
    Updating the Records in the ACS Internal Store, page 23
    Deleting Records from the ACS Internal Store, page 23
    Adding Records to the ACS Internal Store
    When you add records to the ACS internal store, you add the records to the existing list. This is an append operation, in 
    which the records in the .csv file are added to the list that exists in ACS.
    To add internal user records to the Add template:
    1.Download the internal user Add template. See Downloading the Template from the Web Interface, page 21 for more 
    information.
    2.Open the internal user Add template in Microsoft Excel or any other spreadsheet application. See Table 23 on 
    page 19 for a description of the fields in the header row of the template.
    3.Enter the internal user information. Each row of the .csv template corresponds to one user record.
    Figure 14 on page 23 shows a sample Add Users import file.
Table 24 Internal User Add Template

name:String(64):Required
    Username of the user.
description:String(1024)
    Description of the user.
enabled:Boolean (True,False):Required
    Boolean field that indicates whether the user must be enabled or disabled.
changePassword:Boolean (True,False):Required
    Boolean field that indicates whether the user must change password on first login.
password:String(32):Required
    Password of the user.
enablePassword:String(32)
    Enable password of the user.
UserIdentityGroup:String(256)
    Identity group to which the user belongs.
All the user attributes that you have specified appear here as additional header fields.
    Figure 14 Add Users – Import File
    4.Save the add users import file to your local disk.
    Updating the Records in the ACS Internal Store
    When you update the records in the ACS store, the import process overwrites the existing records in the internal store 
    with the records from the .csv file. This operation replaces the records that exist in ACS with the records from the .csv 
    files.
    The update operation is similar to the add operation except for one additional column that you can add to the Update 
    templates. The Update template can contain an Updated name column for internal users and other ACS objects, and an 
    Updated MAC address column for the internal hosts. The Updated Name replaces the name.
    Note: Instead of downloading the update template for each of the ACS objects, you can use the export file of that object, 
    retain the header row, and update the data to create your update .csv file.
    To add an updated name or MAC address to the ACS objects, you have to download and use the particular update 
    template. Also, for the NDGs, the export template contains only the NDG name, so in order to update any other property, 
    you must download and use the NDG update template.
    For example, Figure 15 on page 23 shows a sample import file that updates existing user records.
    Figure 15 Update Users–Import File
    Note: The second column, Updated name, is the additional column that you can add to the Update template.
    Deleting Records from the ACS Internal Store
    You can use this option to delete a subset of records from the ACS internal store. The records that are present in the .csv 
    file that you import are deleted from the ACS internal store. The Delete template contains only the key column to identify 
    the records that must be deleted.
    For example, to delete a set of internal users from the ACS internal identity store, download the internal user Delete 
    template and add the list of users that you want to delete to this import file. Figure 16 on page 24 shows a sample import 
    file that deletes internal user records.
    Note: To delete all users, you can export all users and then use the same export file as your import file to delete users. 
    Figure 16 Delete Users – Import File
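The Add, Update, and Delete import files described above share one convention: a header row copied from the template, followed by one record per row. The following added example (not Cisco's code and not part of this guide) builds an internal-user Add import file, checks each row against the field types and length limits encoded in the Table 24 header before you upload it, and filters an export file down to a Delete import file for a subset of users, which the guide permits because an export file keeps the header row. The header strings are taken from Table 24; the sample records, identity-group names, and the export-file header are constructed for the example, and the duplicate-key check is this example's own precaution rather than documented ACS behaviour. Keep in mind that an Add file you build yourself carries the password and enablePassword values in clear text (the export omits Password, as Table 23 notes), so handle it as credential material.

```python
"""Build and sanity-check ACS 5.7 .csv import files for internal users.
Added example, not Cisco code. Header strings follow Table 24; sample
records, group names and the export header are constructed."""
import csv
import io
import re

# Header row of the internal user Add template, copied from Table 24.
ADD_HEADER = [
    "name:String(64):Required",
    "description:String(1024)",
    "enabled:Boolean (True,False):Required",
    "changePassword:Boolean (True,False):Required",
    "password:String(32):Required",
    "enablePassword:String(32)",
    "UserIdentityGroup:String(256)",
]

# Constructed export header: per Table 23 the export carries no Password
# column, so an export file never contains a clear-text password.
EXPORT_HEADER = [h for h in ADD_HEADER if not h.startswith("password:")]

_TYPE_RE = re.compile(r"^(String|Boolean)(?:\((\d+)\))?")


def parse_header_field(field):
    """'name:String(64):Required' -> dict(name, kind, max_len, required)."""
    parts = field.split(":")
    m = _TYPE_RE.match(parts[1]) if len(parts) > 1 else None
    return {
        "name": parts[0],
        "kind": m.group(1) if m else "String",
        "max_len": int(m.group(2)) if m and m.group(2) else None,
        "required": parts[-1] == "Required",
    }


def validate_import_rows(header, rows):
    """Check rows against the header's types and limits before uploading.
    Returns a list of error strings (empty means clean). Line numbers count
    the header row as line 1, matching a spreadsheet view of the file."""
    specs = [parse_header_field(h) for h in header]
    errors, seen_keys = [], set()
    for lineno, row in enumerate(rows, start=2):
        if len(row) != len(specs):
            errors.append(f"line {lineno}: expected {len(specs)} fields, got {len(row)}")
            continue
        for spec, value in zip(specs, row):
            if value == "":
                if spec["required"]:
                    errors.append(f"line {lineno}: {spec['name']} is required")
                continue  # optional and blank: ACS substitutes the default
            if spec["kind"] == "Boolean" and value.lower() not in ("true", "false"):
                errors.append(f"line {lineno}: {spec['name']} must be True or False")
            if spec["max_len"] is not None and len(value) > spec["max_len"]:
                errors.append(f"line {lineno}: {spec['name']} longer than {spec['max_len']} characters")
        # First column is the key. A repeated key in one Add file is flagged
        # here as a likely conflict (this example's assumption, not documented).
        key = row[0]
        if key in seen_keys:
            errors.append(f"line {lineno}: duplicate key {key!r} in the same file")
        seen_keys.add(key)
    return errors


def build_csv(header, rows):
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()


def parse_csv(text):
    rows = list(csv.reader(io.StringIO(text)))
    return rows[0], rows[1:]


def delete_file_from_export(export_csv, keep_row):
    """Turn an export file into a Delete import file for a subset of records:
    the header row is kept exactly as exported and only rows for which
    keep_row(row) is true are retained."""
    header, rows = parse_csv(export_csv)
    return build_csv(header, [r for r in rows if keep_row(r)])


# Constructed sample records: two valid users, then a row with no username
# and a row that repeats a key, misspells a boolean and exceeds String(32).
SAMPLE_ADD_ROWS = [
    ["jdoe", "Network ops", "True", "True", "Init-Pass-1", "", "All Groups:NetOps"],
    ["svc-backup", "Backup service", "True", "False", "S3rv1ce-Pass", "En4ble-Pass", ""],
    ["", "missing username", "True", "False", "x", "", ""],
    ["jdoe", "duplicate, bad boolean, long password", "yes", "False", "x" * 33, "", ""],
]

SAMPLE_EXPORT = build_csv(EXPORT_HEADER, [
    ["jdoe", "Network ops", "True", "False", "", "All Groups:NetOps"],
    ["tmp-vendor1", "Vendor access", "True", "False", "", "All Groups:Contractors"],
    ["tmp-vendor2", "Vendor access", "False", "False", "", "All Groups:Contractors"],
])


def build_add_file():
    """Add import file for the two valid sample users (contains clear-text passwords)."""
    return build_csv(ADD_HEADER, SAMPLE_ADD_ROWS[:2])


def contractor_delete_file():
    """Delete import file for every exported user in the Contractors group."""
    group_col = EXPORT_HEADER.index("UserIdentityGroup:String(256)")
    return delete_file_from_export(
        SAMPLE_EXPORT, lambda r: r[group_col] == "All Groups:Contractors")


if __name__ == "__main__":
    print("\n".join(validate_import_rows(ADD_HEADER, SAMPLE_ADD_ROWS)))
    print(build_add_file())
    print(contractor_delete_file())
```

Run it before a bulk import: the validator reports the blank username on line 4 and the three defects on line 5, while the two clean rows produce a file whose header matches the downloaded Add template field for field. The same validator can be pointed at any other template header from Table 23, since it reads the type and limit out of each header field rather than hard-coding the user object.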
    Common Errors
    You might encounter these common errors:
    Concurrency Conflict Errors, page 24
    Deletion Errors, page 25
    System Failure Errors, page 25
    Accessibility, page 26
    Concurrency Conflict Errors
    Concurrency conflict errors occur when more than one user tries to update the same object. When you click Submit and 
    the web interface detects an error, a dialog box appears, with an error message and an OK button. Read the error 
    message, click OK, and resubmit your configuration, if needed. 
    Possible error messages, explanations, and recommended actions are:
    Error Message   The item you are trying to Submit has been modified elsewhere while you were making your changes.
    Explanation   You accessed an item to perform an edit and began to configure it; simultaneously, another user accessed 
    and successfully submitted a modification to it. Your submission attempt failed.
    Recommended Action   Click OK to close the error message and display the content area list page. The page contains 
    the latest version of all items. Resubmit your configuration, if needed.
    Error Message   The item you are trying to Submit has been deleted while you were making your changes.
    Explanation   If you attempt to submit an edited item that another user simultaneously accessed and deleted, your 
    submission attempt fails. This error message appears in a dialog box with an OK button.
    Recommended Action   Click OK to close the error message and display the content area list page. The page contains 
    the latest version of all items. The item that you tried to submit is not saved or visible.
    Error Message   The item you are trying to Duplicate from has been deleted.
    Error Message   The item you are trying to Edit has been deleted.
    Explanation   You attempted to duplicate or edit a selected item that another user deleted at the same time that you 
    attempted to access it.
    Recommended Action   Click OK to close the error message and display the content area list page. The page contains 
    the latest version of all items. The item that you tried to duplicate or edit is not saved or visible. 
    Error Message   The item you are trying to Submit is referencing items that do not exist anymore.
    Explanation   You attempted to edit or duplicate an item that is referencing an item that another user deleted while you 
    tried to submit your change.
    Recommended Action   Click OK to close the error message and display the previous page, the Create page or the Edit 
    page. Your attempted changes are not saved, nor do they appear in the page.
    Error Message   Either Import or Export is already in progress.
    Explanation   You attempted to import or export a .csv file while a previous import or export is still in progress. The 
    subsequent import or export will not succeed. The original import or export is not interrupted due to this error.
    Recommended Action   Click OK to close the error message and display the previous page. For a currently running 
    import process, consult the Import Progress secondary window and wait for the Save Log button to become enabled. 
    Save the log, then attempt to import or export your next .csv file.
    Deletion Errors
    Deletion errors occur when you attempt to delete an item (or items) that another item references. When you click Delete 
    and an error is detected, a dialog box appears, with an error message and an OK button. Read the error message, click 
    OK, and perform the recommended action. 
    Possible error messages, explanations, and recommended actions are:
    Error Message   The item you are trying to Delete is referenced by other Items. You must remove all references to this 
    item before it can be deleted.
    Error Message   Some of the items you are trying to Delete are referenced by other Items. You must remove all references 
    to the items before they can be deleted.
    Explanation   If you attempt to delete one or more items that another item references, the system prevents the deletion.
    Recommended Action   Click OK to close the error message and display the content area list page. Your deletion does 
    not occur and the items remain visible in the page. Remove all references to the item or items you want to delete, then 
    perform your deletion.
    System Failure Errors
    System failure errors occur when a system malfunction is detected. When a system failure error is detected, a dialog box 
    appears, with an error message and OK button. Read the error message, click OK, and perform the recommended action. 
    Possible error messages, explanations, and recommended actions are:
Error Message   The following System Failure occurred: description.
Where description describes the specific malfunction.
    Explanation   You have attempted to make a configuration change and the system detected a failure at the same time.
    Recommended Action   Click OK to close the error message and display the content area list page. Your changes are 
    not saved. Investigate and troubleshoot the detected malfunction, if possible.
    Error Message   An unknown System Failure occurred.
    Explanation   You tried to change the configuration and the system detected an unknown failure at the same time.
    Recommended Action   Click OK to close the error message and display the content area list page. Investigate possible 
    system failure causes, if possible. 
    Accessibility
    The ACS 5.7 web interface contains accessibility features for users with vision impairment and mobility limitations. 
    This section contains the following topics:
    Display and Readability Features, page 26
    Keyboard and Mouse Features, page 26
    Obtaining Additional Accessibility Information, page 26
    Display and Readability Features
    The ACS 5.7 web interface includes features that:
    Increase the visibility of items on the computer screen.
    Allow you to use screen reader software to interpret the web interface text and elements audibly.
    The display and readability features include:
    Useful text descriptions that convey information that appears as image maps and graphs.
    Meaningful and consistent labels for tables, buttons, fields, and other web interface elements.
    Label placement directly on, or physically near, the element to which they apply.
    Color used as an enhancement of information only, not as the only indicator. For example, required fields are 
    associated with a red asterisk.
    Confirmation messages for important settings and actions.
    User-controllable font, size, color, and contrast of the entire web interface.
    Keyboard and Mouse Features
    You can interact with the ACS 5.7 web interface by using the keyboard and the mouse to accomplish actions. The 
    keyboard and mouse features include:
    Keyboard accessible links to pages that display dynamic content.
    Standard keyboard equivalents are available for all mouse actions.
    Multiple simultaneous keystrokes are not required for any action.
    Pressing a key for an extended period of time is not required for any action.
    Backspace and deletion are available for correcting erroneous entries.
    Obtaining Additional Accessibility Information
    For more information, refer to the Cisco Accessibility Program:
    E-mail: [email protected]
    Web: http://www.cisco.com/go/accessibility 