Cisco ACS 5.7 User Guide
Managing Alarms
Creating, Editing, and Duplicating Alarm Thresholds

Table 121  Passed Authentications (continued)

MAC Address: Click Select to choose or enter a valid MAC address on which to configure your threshold. This filter is available only for RADIUS authentications.
NAD Port: Click Select to choose a port for the network device on which to configure your threshold. This filter is available only for RADIUS authentications.
AuthZ Profile: Click Select to choose an authorization profile on which to configure your threshold. This filter is available only for RADIUS authentications.
AuthN Method: Click Select to choose an authentication method on which to configure your threshold. This filter is available only for RADIUS authentications.
EAP AuthN: Click Select to choose an EAP authentication value on which to configure your threshold. This filter is available only for RADIUS authentications.
EAP Tunnel: Click Select to choose an EAP tunnel value on which to configure your threshold. This filter is available only for RADIUS authentications.
Protocol: Use the drop-down list box to configure the protocol that you want to use for your threshold. Valid options are RADIUS and TACACS+.

Related Topics
Creating, Editing, and Duplicating Alarm Thresholds, page 10
Configuring General Threshold Information, page 16
Configuring Threshold Notifications, page 35

Failed Authentications

When ACS evaluates this threshold, it examines the RADIUS or TACACS+ failed authentications that occurred during the time interval that you specified, up to the previous 24 hours. These authentication records are grouped by a common attribute, such as ACS Instance, User, Identity Group, and so on, and the number of records in each group is computed. If the count for any of these groups exceeds the specified threshold, an alarm is triggered.

For example, suppose you configure a threshold with the following criteria: failed authentications greater than 10 in the past 2 hours for Device IP. When ACS evaluates this threshold, if failed authentications have occurred for four device IP addresses in the past two hours as follows:

Device IP    Failed Authentication Count
a.b.c.d      13
e.f.g.h      8
i.j.k.l      1
m.n.o.p      1

an alarm is triggered, because at least one Device IP has more than 10 failed authentications in the past 2 hours.
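The grouping-and-counting rule described above, written out as runnable Python so the evaluation order (time window, filters, group, count, compare) is explicit. This is an added example and not code from Cisco or the ACS product; the record layout, the attribute names used as dictionary keys, the sample records (constructed to reproduce the guide's four device IPs) and the function names are all assumptions made for illustration. It implements the absolute-count form of the threshold only; the percent form is not defined precisely enough on this page to reproduce.

```python
from collections import Counter
from datetime import datetime, timedelta

# Reference time for the constructed sample below (not real ACS data).
NOW = datetime(2024, 1, 15, 12, 0, 0)


def _rec(minutes_ago, device_ip, user, protocol, acs_instance="acs-1",
         failure_reason="Wrong password"):
    """Build one constructed failed-authentication record carrying the
    attributes the threshold can group on or filter by."""
    return {
        "timestamp": NOW - timedelta(minutes=minutes_ago),
        "Device IP": device_ip,
        "User": user,
        "Protocol": protocol,
        "ACS Instance": acs_instance,
        "Failure Reason": failure_reason,
    }


# Constructed sample reproducing the guide's example: four device IPs with
# 13, 8, 1 and 1 failures in the past two hours, plus one failure that is
# older than two hours and therefore must not be counted.
FAILED_AUTHS = (
    [_rec(5 * i, "a.b.c.d", f"user{i}", "RADIUS") for i in range(8)]       # 8 RADIUS
    + [_rec(30 + 10 * i, "a.b.c.d", "admin", "TACACS+") for i in range(5)]  # 5 TACACS+
    + [_rec(10 * i, "e.f.g.h", "bob", "RADIUS") for i in range(8)]          # 8 failures
    + [_rec(15, "i.j.k.l", "carol", "RADIUS")]                               # 1 failure
    + [_rec(25, "m.n.o.p", "dave", "TACACS+")]                               # 1 failure
    + [_rec(3 * 60, "a.b.c.d", "stale", "RADIUS")]                           # outside window
)


def matches_filters(record, filters):
    """A record is counted only if it matches ALL configured filters."""
    return all(record.get(attr) == value for attr, value in filters.items())


def evaluate_failed_auth_threshold(records, *, count, minutes, group_by,
                                   filters=None, now=NOW):
    """Evaluate: greater than <count> occurrences in the past <minutes> for a <group_by>.

    Returns {group_value: failures} for every group whose count exceeds <count>;
    an empty dict means the alarm does not fire.
    """
    if not 0 <= count <= 99:
        raise ValueError("count must be in the range 0 to 99")
    if not 5 <= minutes <= 1440:
        raise ValueError("time must be 5 to 1440 minutes (1 to 24 hours)")
    filters = filters or {}
    window_start = now - timedelta(minutes=minutes)
    per_group = Counter(
        r[group_by]
        for r in records
        if window_start <= r["timestamp"] <= now and matches_filters(r, filters)
    )
    return {group: n for group, n in per_group.items() if n > count}


if __name__ == "__main__":
    # The guide's example: greater than 10 in the past 2 hours for Device IP.
    print(evaluate_failed_auth_threshold(
        FAILED_AUTHS, count=10, minutes=120, group_by="Device IP"))
    # The same threshold with a Protocol = RADIUS filter: a.b.c.d drops to 8,
    # so no group exceeds 10 and the alarm does not fire.
    print(evaluate_failed_auth_threshold(
        FAILED_AUTHS, count=10, minutes=120, group_by="Device IP",
        filters={"Protocol": "RADIUS"}))
```

Two points worth noticing when tuning such a threshold: a filter changes which records are counted before grouping, so a protocol or identity-store filter can silently pull a noisy device back under the limit; and the comparison is strictly greater than, so a device with exactly the configured count never fires.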
Note: You can specify one or more filters to limit the failed authentications that are considered for threshold evaluation. Each filter is associated with a particular attribute in the authentication records, and only those records whose value for that attribute matches the value that you specify are counted. If you specify multiple filters, only the records that match all the filter conditions are counted.

Modify the fields in the Criteria tab as described in Table 122 on page 20 to create a threshold with the failed authentication criteria.

Table 122  Failed Authentications

Failed Authentications: Enter data according to the following:

  greater than <count> <occurrences|%> in the past <time> <Minutes|Hours> for a <object>

where:
  <count> can be the absolute number of occurrences or a percent. Valid values must be in the range 0 to 99.
  <occurrences|%> can be occurrences or %.
  <time> can be 5 to 1440 minutes, or 1 to 24 hours.
  <Minutes|Hours> can be Minutes or Hours.
  <object> can be one of:
    ACS Instance
    User
    Identity Group
    Device IP
    Identity Store
    Access Service
    NAD Port
    AuthZ Profile
    AuthN Method
    EAP AuthN
    EAP Tunnel

In a distributed deployment with two ACS instances, the count is calculated as an absolute number or as a percentage separately for each instance. ACS triggers an alarm only when the individual count of any one ACS instance exceeds the specified threshold.

Filter
  Failure Reason: Click Select to enter a valid failure reason name on which to configure your threshold.
  ACS Instance: Click Select to choose a valid ACS instance on which to configure your threshold.
  User: Click Select to choose or enter a valid username on which to configure your threshold.
  Identity Group: Click Select to choose a valid identity group name on which to configure your threshold.
  Device Name: Click Select to choose a valid device name on which to configure your threshold.
  Device IP: Click Select to choose or enter a valid device IP address on which to configure your threshold.
Table 122  Failed Authentications (continued)

Filter (continued)
  Device Group: Click Select to choose a valid device group name on which to configure your threshold.
  Identity Store: Click Select to choose a valid identity store name on which to configure your threshold.
  Access Service: Click Select to choose a valid access service name on which to configure your threshold.
  MAC Address: Click Select to choose or enter a valid MAC address on which to configure your threshold. This filter is available only for RADIUS authentications.
  NAD Port: Click Select to choose a port for the network device on which to configure your threshold. This filter is available only for RADIUS authentications.
  AuthZ Profile: Click Select to choose an authorization profile on which to configure your threshold. This filter is available only for RADIUS authentications.
  AuthN Method: Click Select to choose an authentication method on which to configure your threshold. This filter is available only for RADIUS authentications.
  EAP AuthN: Click Select to choose an EAP authentication value on which to configure your threshold. This filter is available only for RADIUS authentications.
  EAP Tunnel: Click Select to choose an EAP tunnel value on which to configure your threshold. This filter is available only for RADIUS authentications.
  Protocol: Use the drop-down list box to configure the protocol that you want to use for your threshold. Valid options are RADIUS and TACACS+.

Related Topics
Creating, Editing, and Duplicating Alarm Thresholds, page 10
Configuring General Threshold Information, page 16
Configuring Threshold Notifications, page 35

Authentication Inactivity

When ACS evaluates this threshold, it examines the RADIUS or TACACS+ authentications that occurred during the time interval that you specified, up to the previous 31 days. If no authentications occurred during the specified time interval, an alarm is triggered. You can specify filters to generate an alarm if no authentications are seen for a particular ACS instance or device IP address during the specified time interval.

If the time interval that you specified in the authentication inactivity threshold is shorter than the time taken to complete a concurrently running aggregation job, this alarm is suppressed. The aggregation job begins at 00:05 hours every day. From 23:50 hours until the aggregation job completes, authentication inactivity alarms are suppressed. For example, if your aggregation job completes at 01:00 hours today, the authentication inactivity alarms are suppressed from 23:50 hours until 01:00 hours.

Note: If you install ACS between 00:05 hours and 05:00 hours, or if you have shut down your appliance for maintenance at 00:05 hours, the authentication inactivity alarms are suppressed until 05:00 hours.
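The Authentication Inactivity evaluation and its nightly suppression window, written out as an added Python example (not Cisco's code). The record layout, the attribute names used as filter keys, the sample records and the function names are constructed assumptions; the 23:50 start and the 00:05 aggregation start come from the text above, and whether the aggregation job is still running is passed in as a flag because this page does not say how ACS tracks it. The installation and maintenance case from the Note is not modelled.

```python
from datetime import datetime, time, timedelta

# Reference time for the constructed sample (not real ACS data).
NOW = datetime(2024, 1, 15, 12, 0, 0)

# Constructed authentication records. Inactivity only asks whether any
# authentication (passed or failed) was seen at all in the window.
AUTHS = [
    {"timestamp": NOW - timedelta(hours=2), "ACS Instance": "acs-1",
     "Device IP": "10.0.0.1", "Protocol": "RADIUS"},
    {"timestamp": NOW - timedelta(hours=30), "ACS Instance": "acs-2",
     "Device IP": "10.0.0.2", "Protocol": "TACACS+"},
]

# Suppression window from the guide: 23:50 until the daily aggregation job,
# which starts at 00:05, has completed.
SUPPRESSION_START = time(23, 50)
AGGREGATION_START = time(0, 5)


def inactive_for(unit, n):
    """Convert the 'Inactive for' setting (Hours 1-744 or Days 1-31) to a timedelta."""
    limits = {"Hours": 744, "Days": 31}
    if unit not in limits or not 1 <= n <= limits[unit]:
        raise ValueError(f"{unit} must be in the range 1 to {limits.get(unit)}")
    return timedelta(hours=n) if unit == "Hours" else timedelta(days=n)


def matches_filters(record, filters):
    """A record is considered only if it matches ALL configured filters."""
    return all(record.get(attr) == value for attr, value in filters.items())


def inactivity_suppressed(now, aggregation_running):
    """True inside the window from 23:50 until the 00:05 aggregation job completes."""
    t = now.time()
    if t >= SUPPRESSION_START or t < AGGREGATION_START:
        return True             # between 23:50 and the job's start at 00:05
    return aggregation_running  # job started at 00:05 and has not finished yet


def evaluate_inactivity_threshold(records, *, inactive, filters=None, now=NOW,
                                  aggregation_running=False):
    """Return 'no alarm', 'alarm' or 'suppressed' for an Authentication
    Inactivity threshold over the window [now - inactive, now]."""
    filters = filters or {}
    window_start = now - inactive
    seen = any(window_start <= r["timestamp"] <= now and matches_filters(r, filters)
               for r in records)
    if seen:
        return "no alarm"
    if inactivity_suppressed(now, aggregation_running):
        return "suppressed"
    return "alarm"


if __name__ == "__main__":
    day = inactive_for("Hours", 24)
    print(evaluate_inactivity_threshold(AUTHS, inactive=day))                # no alarm
    print(evaluate_inactivity_threshold(AUTHS, inactive=day,
                                        filters={"ACS Instance": "acs-2"}))   # alarm
    print(evaluate_inactivity_threshold(AUTHS, inactive=day,
                                        filters={"ACS Instance": "acs-2"},
                                        now=NOW.replace(hour=23, minute=55)))  # suppressed
```

The practical consequence of the suppression window is a nightly blind spot: an instance that stops authenticating shortly before midnight is not reported until the aggregation job has finished, so an inactivity threshold is a complement to, not a replacement for, process-status and system-health alarms.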
Choose this category to define threshold criteria based on authentications that are inactive. Modify the fields in the Criteria tab as described in Table 123 on page 22.

Table 123  Authentication Inactivity

ACS Instance: Click Select to choose a valid ACS instance on which to configure your threshold.
Device: Click Select to choose a valid device on which to configure your threshold.
Protocol: Use the drop-down list box to configure the protocol that you want to use for your threshold. Valid options are RADIUS and TACACS+.
Inactive for: Use the drop-down list box to select one of these valid options:
  Hours: Specify the number of hours in the range from 1 to 744.
  Days: Specify the number of days from 1 to 31.

Related Topics
Creating, Editing, and Duplicating Alarm Thresholds, page 10
Configuring General Threshold Information, page 16
Configuring Threshold Notifications, page 35

TACACS Command Accounting

When ACS evaluates this threshold, it examines the TACACS+ accounting records that it received during the interval between the previous and current alarm evaluation cycle. If one or more TACACS+ accounting records match, it calculates the time that has elapsed since the previous alarm evaluation cycle. When it reaches two, three, or five minutes, depending on the number of active thresholds, ACS examines the TACACS+ accounting records received during the interval between the previous and current alarm evaluation cycle. If one or more TACACS+ accounting records match a specified command and privilege level, an alarm is triggered.

You can specify one or more filters to limit the accounting records that are considered for threshold evaluation. Each filter is associated with a particular attribute in the records, and only those records that match the filter condition are counted. If you specify multiple filter values, only the records that match all the filter conditions are counted.

Choose this category to define threshold criteria based on TACACS commands. Modify the fields in the Criteria tab as described in Table 124 on page 23.
Table 124  TACACS Command Accounting

Command: Enter a TACACS command on which you want to configure your threshold.
Privilege: Use the drop-down list box to select the privilege level on which you want to configure your threshold. Valid options are Any, or a number from 0 to 15.
Filter
  User: Click Select to choose or enter a valid username on which to configure your threshold.
  Device Name: Click Select to choose a valid device name on which to configure your threshold.
  Device IP: Click Select to choose or enter a valid device IP address on which to configure your threshold.
  Device Group: Click Select to choose a valid device group name on which to configure your threshold.

Related Topics
Creating, Editing, and Duplicating Alarm Thresholds, page 10
Configuring General Threshold Information, page 16
Configuring Threshold Notifications, page 35

TACACS Command Authorization

When ACS evaluates this threshold, it examines the TACACS+ accounting records that it received during the interval between the previous and current alarm evaluation cycle. If one or more TACACS+ accounting records match, it calculates the time that has elapsed since the previous alarm evaluation cycle. When it reaches two, three, or five minutes, depending on the number of active thresholds, ACS examines the TACACS+ authorization records received during the interval between the previous and current alarm evaluation cycle. If one or more TACACS+ authorization records match a specified command, privilege level, and passed or failed result, an alarm is triggered.

You can specify one or more filters to limit the authorization records that are considered for threshold evaluation. Each filter is associated with a particular attribute in the records, and only those records that match the filter condition are counted. If you specify multiple filter values, only the records that match all the filter conditions are counted.

Choose this category to define threshold criteria based on a TACACS command authorization profile. Modify the fields in the Criteria tab as described in Table 125 on page 24.
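The TACACS Command Accounting and TACACS Command Authorization checks share one matching rule (command, privilege level, optional filters, records received since the previous evaluation cycle), with the authorization variant adding a Passed or Failed result. The following added Python example implements that shared rule for both categories; it is not Cisco's code. The record layout, the key names, the constructed records, the five-minute cycle length and exact string matching on the command are assumptions (the page does not state how ACS compares command text).

```python
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 15, 12, 0, 0)
PREVIOUS_CYCLE = NOW - timedelta(minutes=5)   # assumed length of the last evaluation cycle

# Constructed TACACS+ records (not real ACS data). Accounting records carry the
# command and privilege level; authorization records additionally carry the result.
TACACS_RECORDS = [
    {"kind": "accounting", "timestamp": NOW - timedelta(minutes=3),
     "Command": "configure terminal", "Privilege": 15, "User": "alice",
     "Device Name": "core-sw1", "Device IP": "10.1.1.1", "Device Group": "Core"},
    {"kind": "accounting", "timestamp": NOW - timedelta(minutes=2),
     "Command": "show running-config", "Privilege": 15, "User": "bob",
     "Device Name": "edge-rtr1", "Device IP": "10.2.2.2", "Device Group": "Edge"},
    {"kind": "authorization", "timestamp": NOW - timedelta(minutes=1),
     "Command": "configure terminal", "Privilege": 1, "Authorization Result": "Failed",
     "User": "mallory", "Identity Group": "Contractors",
     "Device Name": "core-sw1", "Device IP": "10.1.1.1", "Device Group": "Core"},
    {"kind": "authorization", "timestamp": NOW - timedelta(minutes=20),  # before the previous cycle
     "Command": "configure terminal", "Privilege": 1, "Authorization Result": "Failed",
     "User": "mallory", "Identity Group": "Contractors",
     "Device Name": "core-sw1", "Device IP": "10.1.1.1", "Device Group": "Core"},
]


def matches_filters(record, filters):
    """A record is counted only if it matches ALL configured filters."""
    return all(record.get(attr) == value for attr, value in filters.items())


def evaluate_tacacs_command_threshold(records, *, kind, command, privilege="Any",
                                      result=None, filters=None,
                                      since=PREVIOUS_CYCLE, until=NOW):
    """Return the records received in (since, until] that match the threshold.

    kind is 'accounting' (TACACS Command Accounting) or 'authorization'
    (TACACS Command Authorization, where result must be 'Passed' or 'Failed').
    A non-empty list means the alarm is triggered.
    """
    if kind not in ("accounting", "authorization"):
        raise ValueError("kind must be 'accounting' or 'authorization'")
    if kind == "authorization" and result not in ("Passed", "Failed"):
        raise ValueError("authorization thresholds need result 'Passed' or 'Failed'")
    if kind == "accounting" and result is not None:
        raise ValueError("accounting thresholds have no authorization result")
    if privilege != "Any" and not (isinstance(privilege, int) and 0 <= privilege <= 15):
        raise ValueError("privilege must be 'Any' or a number from 0 to 15")
    filters = filters or {}
    hits = []
    for r in records:
        if r["kind"] != kind or not since < r["timestamp"] <= until:
            continue                                   # wrong category or outside the cycle
        if r["Command"] != command:
            continue                                   # exact command match (assumption)
        if privilege != "Any" and r["Privilege"] != privilege:
            continue
        if kind == "authorization" and r["Authorization Result"] != result:
            continue
        if matches_filters(r, filters):
            hits.append(r)
    return hits


if __name__ == "__main__":
    # Accounting: anyone who ran "configure terminal" at any privilege level.
    for hit in evaluate_tacacs_command_threshold(
            TACACS_RECORDS, kind="accounting", command="configure terminal"):
        print("accounting alarm:", hit["User"], hit["Device Name"])
    # Authorization: failed attempts to enter configuration mode on Core devices.
    for hit in evaluate_tacacs_command_threshold(
            TACACS_RECORDS, kind="authorization", command="configure terminal",
            result="Failed", filters={"Device Group": "Core"}):
        print("authorization alarm:", hit["User"], hit["Identity Group"])
```

Because only records from the current cycle are considered, a matching event that arrived before the previous evaluation (the 20-minute-old record above) is never re-reported; an alarm therefore reflects the interval since the last cycle, not a cumulative count.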
Table 125  TACACS Command Authorization

Command: Enter a TACACS command on which you want to configure your threshold.
Privilege: Use the drop-down list box to select the privilege level on which you want to configure your threshold. Valid options are Any, or a number from 0 to 15.
Authorization Result: Use the drop-down list box to select the authorization result on which you want to configure your threshold. Valid options are Passed and Failed.
Filter
  User: Click Select to choose or enter a valid username on which to configure your threshold.
  Identity Group: Click Select to choose a valid identity group name on which to configure your threshold.
  Device Name: Click Select to choose a valid device name on which to configure your threshold.
  Device IP: Click Select to choose or enter a valid device IP address on which to configure your threshold.
  Device Group: Click Select to choose a valid device group name on which to configure your threshold.

Related Topics
Creating, Editing, and Duplicating Alarm Thresholds, page 10
Configuring General Threshold Information, page 16
Configuring Threshold Notifications, page 35

ACS Configuration Changes

When ACS evaluates this threshold, it examines the accounting records that it received during the interval between the previous and current alarm evaluation cycle. If one or more accounting records match, it calculates the time that has elapsed since the previous alarm evaluation cycle. When it reaches two, three, or five minutes, depending on the number of active thresholds, ACS examines the ACS configuration changes made during the interval between the previous and current alarm evaluation cycle. If one or more changes were made, an alarm is triggered.

You can specify one or more filters to limit which configuration changes are considered for threshold evaluation. Each filter is associated with a particular attribute in the records, and only those records that match the filter condition are counted. If you specify multiple filter values, only the records that match all the filter conditions are counted.

Choose this category to define threshold criteria based on configuration changes made in the ACS instance. Modify the fields in the Criteria tab as described in Table 126 on page 25.
Table 126  ACS Configuration Changes

Administrator: Click Select to choose a valid administrator username on which you want to configure your threshold.
Object Name: Enter the name of the object on which you want to configure your threshold.
Object Type: Click Select to choose a valid object type on which you want to configure your threshold.
Change: Use the drop-down list box to select the administrative change on which you want to configure your threshold. Valid options are:
  Any
  Create: includes "duplicate" and "edit" administrative actions.
  Update
  Delete
Filter
  ACS Instance: Click Select to choose a valid ACS instance on which to configure your threshold.

Related Topics
Creating, Editing, and Duplicating Alarm Thresholds, page 10
Configuring General Threshold Information, page 16
Configuring Threshold Notifications, page 35

ACS System Diagnostics

When ACS evaluates this threshold, it examines the accounting records that it received during the interval between the previous and current alarm evaluation cycle. If one or more accounting records match, it calculates the time that has elapsed since the previous alarm evaluation cycle. When it reaches two, three, or five minutes, depending on the number of active thresholds, ACS examines the system diagnostic records generated by the monitored ACS during the interval. If one or more diagnostics were generated at or above the specified severity level, an alarm is triggered.

You can specify one or more filters to limit which system diagnostic records are considered for threshold evaluation. Each filter is associated with a particular attribute in the records, and only those records that match the filter condition are counted. If you specify multiple filter values, only the records that match all the filter conditions are counted.

Choose this category to define threshold criteria based on system diagnostics in the ACS instance. Modify the fields in the Criteria tab as described in Table 127 on page 26.
Table 127  ACS System Diagnostics

Severity at and above: Use the drop-down list box to choose the severity level on which you want to configure your threshold. This setting captures the indicated severity level and those that are higher within the threshold. Valid options are:
  Fatal
  Error
  Warning
  Info
  Debug
Message Text: Enter the message text on which you want to configure your threshold. The maximum character limit is 1024.
Filter
  ACS Instance: Click Select to choose a valid ACS instance on which to configure your threshold.

Related Topics
Creating, Editing, and Duplicating Alarm Thresholds, page 10
Configuring General Threshold Information, page 16
Configuring Threshold Notifications, page 35

ACS Process Status

When ACS evaluates this threshold, it examines the accounting records that it received during the interval between the previous and current alarm evaluation cycle. If one or more accounting records match, it calculates the time that has elapsed since the previous alarm evaluation cycle. When it reaches two, three, or five minutes, depending on the number of active thresholds, ACS determines whether any ACS process has failed during that time. If ACS detects one or more failures, an alarm is triggered. You can limit the check to particular processes, to a particular ACS instance, or both.

Choose this category to define threshold criteria based on ACS process status. Modify the fields in the Criteria tab as described in Table 128 on page 26.

Table 128  ACS Process Status

Monitor Processes
  ACS Database: Check the check box to add the ACS database to your threshold configuration.
  ACS Management: Check the check box to add the ACS management process to your threshold configuration.
  ACS Runtime: Check the check box to add the ACS runtime to your threshold configuration.
  Monitoring and Reporting Database: Check the check box to have this process monitored. If this process goes down, an alarm is generated.
Table 128  ACS Process Status (continued)

Monitor Processes (continued)
  Monitoring and Reporting Collector: Check the check box to have this process monitored. If this process goes down, an alarm is generated.
  Monitoring and Reporting Alarm Manager: Check the check box to have this process monitored. If this process goes down, an alarm is generated.
  Monitoring and Reporting Job Manager: Check the check box to have this process monitored. If this process goes down, an alarm is generated.
  Monitoring and Reporting Log Processor: Check the check box to have this process monitored. If this process goes down, an alarm is generated.
Filter
  ACS Instance: Click Select to choose a valid ACS instance on which to configure your threshold.

Related Topics
Creating, Editing, and Duplicating Alarm Thresholds, page 10
Configuring General Threshold Information, page 16
Configuring Threshold Notifications, page 35

ACS System Health

When ACS evaluates this threshold, it examines whether any system health parameters have exceeded the specified threshold in the specified time interval, up to the previous 60 minutes. These health parameters include the percentage of CPU utilization, the percentage of memory consumption, and so on. If any of the parameters exceed the specified threshold, an alarm is triggered. By default, the threshold applies to all ACS instances in your deployment. If you want, you can limit the check to a single ACS instance.

Choose this category to define threshold criteria based on the system health of ACS. Modify the fields in the Criteria tab as described in Table 129 on page 27.

Table 129  ACS System Health

Average over the past: Use the drop-down list box to select the number of minutes over which the parameters are averaged for your threshold configuration. Valid values are 15, 30, 45, and 60.
CPU: Enter the percentage of CPU usage you want to set for your threshold configuration. The valid range is from 1 to 100.
Memory: Enter the percentage of memory usage (greater than or equal to the specified value) for your threshold configuration. The valid range is from 1 to 100.
Table 129  ACS System Health (continued)

Disk I/O: Enter the percentage of disk usage you want to set (greater than or equal to the specified value) for your threshold configuration. The valid range is from 1 to 100.
Disk Space Used /opt: Enter the percentage of /opt disk space usage you want to set (greater than or equal to the specified value) for your threshold configuration. The valid range is from 1 to 100.
Disk Space Used /local disk: Enter the percentage of local disk space usage you want to set (greater than or equal to the specified value) for your threshold configuration. The valid range is from 1 to 100.
Disk Space Used /: Enter the percentage of / disk space usage you want to set (greater than or equal to the specified value) for your threshold configuration. The valid range is from 1 to 100.
Disk Space Used /tmp: Enter the percentage of temporary disk space usage you want to set (greater than or equal to the specified value) for your threshold configuration. The valid range is from 1 to 100.
Filter
  ACS Instance: Click Select to choose a valid ACS instance on which to configure your threshold.

Related Topics
Creating, Editing, and Duplicating Alarm Thresholds, page 10
Configuring General Threshold Information, page 16
Configuring Threshold Notifications, page 35

ACS AAA Health

When ACS evaluates this threshold, it examines whether any ACS health parameters have exceeded the specified threshold in the specified time interval, up to the previous 60 minutes. ACS monitors the following parameters:
  RADIUS Throughput
  TACACS Throughput
  RADIUS Latency
  TACACS Latency

If any of the parameters exceed the specified threshold, an alarm is triggered. By default, the threshold applies to all monitored ACS instances in your deployment. If you want, you can limit the check to a single ACS instance. Modify the fields in the Criteria tab as described in Table 130 on page 29.
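Both the ACS System Health and the ACS AAA Health thresholds apply the same rule: average each parameter per ACS instance over the selected window (15, 30, 45 or 60 minutes) and alarm when the average reaches the configured value, for all instances by default or for one chosen instance. The added Python example below implements that rule using the System Health percentages from Table 129; it is not Cisco's code. The per-minute sample layout, the constructed values, the strict window boundary and the function names are assumptions, and the AAA Health parameters (throughput and latency) are omitted because their units and ranges are in Table 130, which is not on this page.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

NOW = datetime(2024, 1, 15, 12, 0, 0)
WINDOWS = (15, 30, 45, 60)   # "Average over the past" choices, in minutes

# Constructed health samples, one per ACS instance per minute for the past hour
# (not real ACS data): (timestamp, ACS Instance, parameter, percentage).
# acs-1 has a CPU spike of 95% during the last 12 minutes and a nearly full /opt.
SAMPLES = []
for m in range(60):
    ts = NOW - timedelta(minutes=m)
    SAMPLES.append((ts, "acs-1", "CPU", 95 if m < 12 else 40))
    SAMPLES.append((ts, "acs-1", "Memory", 70))
    SAMPLES.append((ts, "acs-1", "Disk Space Used /opt", 91))
    SAMPLES.append((ts, "acs-2", "CPU", 20))
    SAMPLES.append((ts, "acs-2", "Memory", 50))
    SAMPLES.append((ts, "acs-2", "Disk Space Used /opt", 30))


def average_over_past(samples, minutes, now=NOW):
    """Average each parameter per ACS instance over the past <minutes>."""
    if minutes not in WINDOWS:
        raise ValueError(f"Average over the past must be one of {WINDOWS} minutes")
    start = now - timedelta(minutes=minutes)
    buckets = defaultdict(list)
    for ts, instance, param, value in samples:
        if start < ts <= now:          # window boundary is an assumption
            buckets[(instance, param)].append(value)
    return {key: mean(values) for key, values in buckets.items()}


def evaluate_system_health(samples, *, minutes, thresholds, acs_instance=None, now=NOW):
    """Return {(instance, parameter): average} for every parameter whose average
    over the window is greater than or equal to its configured percentage.

    thresholds maps parameter name -> percentage in the range 1 to 100.
    acs_instance=None applies the threshold to all instances (the default).
    """
    for param, pct in thresholds.items():
        if not 1 <= pct <= 100:
            raise ValueError(f"{param} threshold must be in the range 1 to 100")
    averages = average_over_past(samples, minutes, now)
    return {
        (instance, param): avg
        for (instance, param), avg in averages.items()
        if param in thresholds
        and (acs_instance is None or instance == acs_instance)
        and avg >= thresholds[param]
    }


if __name__ == "__main__":
    limits = {"CPU": 80, "Disk Space Used /opt": 90}
    # A 15-minute average catches the CPU spike (84%); a 60-minute average (51%) hides it.
    print(evaluate_system_health(SAMPLES, minutes=15, thresholds=limits))
    print(evaluate_system_health(SAMPLES, minutes=60, thresholds=limits))
    # Restricting the check to acs-2 yields nothing.
    print(evaluate_system_health(SAMPLES, minutes=15, thresholds=limits, acs_instance="acs-2"))
```

The window length is the tuning knob that matters: a short window reacts to bursts such as an authentication storm, a long window smooths them away, so the same 80% CPU setting can fire or stay silent on identical data depending on the averaging period chosen.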