
Cisco Acs 57 User Guide

    Managing Alarms
    Creating, Editing, and Duplicating Alarm Thresholds
    Related Topics
    Creating, Editing, and Duplicating Alarm Thresholds, page 10
    Configuring General Threshold Information, page 16
    Configuring Threshold Notifications, page 35
    RADIUS Sessions
    When ACS evaluates this threshold, it determines whether any authenticated RADIUS sessions have occurred in the past 
    15 minutes where an accounting start event has not been received for the session. These events are grouped by device 
    IP address, and if the count of occurrences for any device IP exceeds the specified threshold, an alarm is triggered. You 
    can set a filter to limit the evaluation to a single device IP.
    Choose this category to define threshold criteria based on RADIUS sessions. Modify the fields in the Criteria tab as 
    described in Table 131 on page 30.
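An offline reproduction of the RADIUS Sessions evaluation described above, as an added example that is not part of the Cisco guide or of ACS itself. The event fields (`device_ip`, `session_id`, `passed`, `type`), the pairing of a session with its accounting start by device IP plus session ID, and the sample events are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # this threshold always looks at the past 15 minutes


def missing_acct_start(auth_events, acct_events, now, num, device_ip=None):
    """Return {device_ip: count} for each device whose count of authenticated
    sessions without an accounting start in the past 15 minutes exceeds num."""
    # Sessions for which an accounting start was received
    # (assumed key: device IP plus session ID).
    started = {
        (e["device_ip"], e["session_id"])
        for e in acct_events
        if e["type"] == "start"
    }
    counts = Counter()
    for ev in auth_events:
        if not ev["passed"]:
            continue  # only authenticated sessions are considered
        if not (now - WINDOW <= ev["time"] <= now):
            continue  # outside the 15-minute window
        if device_ip is not None and ev["device_ip"] != device_ip:
            continue  # optional filter: limit evaluation to one device IP
        if (ev["device_ip"], ev["session_id"]) not in started:
            counts[ev["device_ip"]] += 1
    # The alarm condition is "exceeds", so a count equal to num is not reported.
    return {ip: n for ip, n in counts.items() if n > num}


# Constructed sample data (not real ACS output).
NOW = datetime(2024, 1, 1, 12, 0)


def _auth(ip, sid, minutes_ago, passed=True):
    return {"device_ip": ip, "session_id": sid, "passed": passed,
            "time": NOW - timedelta(minutes=minutes_ago)}


AUTH = (
    [_auth("192.0.2.10", f"a{i}", i) for i in range(1, 5)]    # 4 sessions, no accounting start
    + [_auth("192.0.2.20", f"b{i}", i) for i in range(1, 5)]  # 4 sessions, 3 with a start
    + [_auth("192.0.2.10", "old", 40)]                        # outside the window
    + [_auth("192.0.2.10", "rej", 2, passed=False)]           # failed authentication
)
ACCT = [{"device_ip": "192.0.2.20", "session_id": f"b{i}", "type": "start"}
        for i in range(1, 4)]

if __name__ == "__main__":
    print(missing_acct_start(AUTH, ACCT, NOW, num=3))
```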
    Table 130 ACS AAA Health
    Option: Description
    Average over the past: Use the drop-down list box to select the amount of time you want to configure for your configuration, where  is minutes and can be:
        - 15
        - 30
        - 45
        - 60
    RADIUS Throughput: Enter the number of RADIUS transactions per second you want to set (less than or equal to the specified value) for your threshold configuration. The valid range is from 1 to 999999.
    TACACS Throughput: Enter the number of TACACS+ transactions per second you want to set (less than or equal to the specified value) for your threshold configuration. The valid range is from 1 to 999999.
    RADIUS Latency: Enter the number in milliseconds you want to set for RADIUS latency (greater than or equal to the specified value) for your threshold configuration. The valid range is from 1 to 999999.
    TACACS Latency: Enter the number in milliseconds you want to set for TACACS+ latency (greater than or equal to the specified value) for your threshold configuration. The valid range is from 1 to 999999.
    Filter
    ACS Instance: Click Select to choose a valid ACS instance on which to configure your threshold.
    Unknown NAD
    When ACS evaluates this threshold, it examines the RADIUS or TACACS+ failed authentications that have occurred during 
    the specified time interval up to the previous 24 hours. From these failed authentications, ACS identifies those with the 
    failure reason Unknown NAD. 
    The unknown network access device (NAD) authentication records are grouped by a common attribute, such as ACS 
    instance, user, and so on, and a count of the records within each of those groups is computed. If the count of records 
    for any group exceeds the specified threshold, an alarm is triggered. This can happen if, for example, you configure a 
    threshold as follows:
    Unknown NAD count greater than 5 in the past 1 hour for a Device IP
    If in the past hour, failed authentications with an unknown NAD failure reason have occurred for two different device IP 
    addresses as shown in the following table, an alarm is triggered, because at least one device IP address has a count 
    greater than 5.
    You can specify one or more filters to limit the failed authentications that are considered for threshold evaluation. Each 
    filter is associated with a particular attribute in the records and only those records that match the filter condition are 
    counted. If you specify multiple filter values, only the records that match all the filter conditions are counted.
    Choose this category to define threshold criteria based on authentications that have failed because of an unknown NAD. 
    Modify the fields in the Criteria tab as described in Table 132 on page 31.
    Table 131 RADIUS Sessions
    Option: Description
    More than num authenticated sessions in the past 15 minutes, where accounting start event has not been received for a Device IP: num is a count of authenticated sessions in the past 15 minutes.
    Filter
    ACS Instance: Click Select to choose a valid ACS instance on which to configure your threshold.
    Device IP: Click Select to choose or enter a valid device IP address on which to configure your threshold.
    Device IP    Count of Unknown NAD Authentication Records
    a.b.c.d      6
    e.f.g.h      1
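The Unknown NAD evaluation, with its time window, filters and per-group count, can be replayed against exported authentication records. This is an added example, not Cisco code: the record layout, the `acs-1` instance name and the sample records are constructed, with `a.b.c.d` and `e.f.g.h` reused from the guide's table. The same count logic generalizes to the other thresholds the guide describes with the wording "count greater than num ... for a object".

```python
from collections import Counter
from datetime import datetime, timedelta


def evaluate_threshold(records, now, failure_reason, num, window, group_by,
                       filters=None):
    """Return {group_value: count} for each group whose count of failed
    authentications with `failure_reason` inside the window exceeds `num`."""
    # The guide allows 5 to 1440 minutes, or 1 to 24 hours.
    if not timedelta(minutes=5) <= window <= timedelta(hours=24):
        raise ValueError("time must be 5 to 1440 minutes (1 to 24 hours)")
    filters = filters or {}
    counts = Counter()
    for rec in records:
        if rec["failure_reason"] != failure_reason:
            continue
        if not (now - window <= rec["time"] <= now):
            continue
        # A record is counted only if it matches all filter conditions.
        if any(rec.get(attr) != want for attr, want in filters.items()):
            continue
        counts[rec[group_by]] += 1
    # "greater than num": a count equal to num does not raise an alarm.
    return {group: n for group, n in counts.items() if n > num}


# Constructed sample records (not real ACS output).
NOW = datetime(2024, 1, 1, 12, 0)


def _fail(device_ip, protocol, minutes_ago, reason="Unknown NAD"):
    return {"device_ip": device_ip, "protocol": protocol,
            "acs_instance": "acs-1", "failure_reason": reason,
            "time": NOW - timedelta(minutes=minutes_ago)}


RECORDS = (
    [_fail("a.b.c.d", "RADIUS", m) for m in (5, 15, 25, 35)]
    + [_fail("a.b.c.d", "TACACS+", m) for m in (10, 50)]
    + [_fail("e.f.g.h", "RADIUS", 20)]
    + [_fail("e.f.g.h", "RADIUS", m) for m in range(70, 115, 5)]  # older than 1 hour
    + [_fail("a.b.c.d", "RADIUS", 30, reason="External DB unavailable")]
)

if __name__ == "__main__":
    # "Unknown NAD count greater than 5 in the past 1 hour for a Device IP"
    print(evaluate_threshold(RECORDS, NOW, "Unknown NAD", 5,
                             timedelta(hours=1), "device_ip"))
    # Same threshold restricted by a Protocol filter: no group exceeds 5.
    print(evaluate_threshold(RECORDS, NOW, "Unknown NAD", 5,
                             timedelta(hours=1), "device_ip",
                             filters={"protocol": "RADIUS"}))
```

Widening the window or grouping by ACS instance changes which groups cross the threshold, which is worth checking before choosing `num` for a production alarm.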
    						
    Related Topics
    Creating, Editing, and Duplicating Alarm Thresholds, page 10
    Configuring General Threshold Information, page 16
    Configuring Threshold Notifications, page 35
    External DB Unavailable
    When ACS evaluates this threshold, it examines the RADIUS or TACACS+ failed authentications that have occurred during 
    the specified interval up to the previous 24 hours. 
    From these failed authentications, ACS identifies those with the failure reason, External DB unavailable. Authentication 
    records with this failure reason are grouped by a common attribute, such as ACS instance, user, and so on, and a count 
    of the records within each of those groups is computed. 
    If the count of records for any group exceeds the specified threshold, an alarm is triggered. This can happen if, for 
    example, you configure a threshold as follows:
    External DB Unavailable count greater than 5 in the past one hour for a Device IP
    If in the past hour, failed authentications with an External DB Unavailable failure reason have occurred for two different 
    device IP addresses as shown in the following table, an alarm is triggered, because at least one device IP address has 
    a count greater than 5.
    Table 132 Unknown NAD
    Option: Description
    Unknown NAD count greater than num in the past time Minutes|Hours for a object, where:
        - num values can be any five-digit number greater than or equal to zero (0).
        - time values can be 5 to 1440 minutes, or 1 to 24 hours.
        - Minutes|Hours value can be Minutes or Hours.
        - object values can be:
            - ACS Instance
            - Device IP
    Filter
    ACS Instance: Click Select to choose a valid ACS instance on which to configure your threshold.
    Device IP: Click Select to choose or enter a valid device IP address on which to configure your threshold.
    Protocol: Use the drop-down list box to configure the protocol that you want to use for your threshold. Valid options are:
        - RADIUS
        - TACACS+
    You can specify one or more filters to limit the failed authentications that are considered for threshold evaluation. Each 
    filter is associated with a particular attribute in the records and only those records that match the filter condition are 
    counted. If you specify multiple filter values, only the records that match all the filter conditions are counted.
    Choose this category to define threshold criteria based on an external database that ACS is unable to connect to. Modify 
    the fields in the Criteria tab as described in Table 133 on page 32.
    Related Topics
    Creating, Editing, and Duplicating Alarm Thresholds, page 10
    Configuring General Threshold Information, page 16
    Configuring Threshold Notifications, page 35
    Device IP    Count of External DB Unavailable Authentication Records
    a.b.c.d      6
    e.f.g.h      1
    Table 133 External DB Unavailable
    Option: Description
    External DB Unavailable percent|count greater than num in the past time Minutes|Hours for a object, where:
        - Percent|Count value can be Percent or Count.
        - num values can be any one of the following:
            - 0 to 99 for percent
            - 0 to 99999 for count
        - time values can be 5 to 1440 minutes, or 1 to 24 hours.
        - Minutes|Hours value can be Minutes or Hours.
        - object values can be:
            - ACS Instance
            - Identity Store
    Filter
    ACS Instance: Click Select to choose a valid ACS instance on which to configure your threshold.
    Identity Group: Click Select to choose a valid identity group name on which to configure your threshold.
    Identity Store: Click Select to choose a valid identity store name on which to configure your threshold.
    Access Service: Click Select to choose a valid access service name on which to configure your threshold.
    Protocol: Use the drop-down list box to configure the protocol that you want to use for your threshold. Valid options are:
        - RADIUS
        - TACACS+
    RBACL Drops
    When ACS evaluates this threshold, it examines Cisco Security Group Access RBACL drops that occurred during the 
    specified interval up to the previous 24 hours. The RBACL drop records are grouped by a particular common attribute, 
    such as NAD, SGT, and so on.
    A count of such records within each of those groups is computed. If the count for any group exceeds the specified 
    threshold, an alarm is triggered. For example, consider the following threshold configuration:
    RBACL Drops greater than 10 in the past 4 hours by a SGT.
    If, in the past four hours, RBACL drops have occurred for two different source group tags as shown in the following table, 
    an alarm is triggered, because at least one SGT has a count greater than 10.
    You can specify one or more filters to limit the RBACL drop records that are considered for threshold evaluation. Each 
    filter is associated with a particular attribute in the RBACL drop records and only those records that match the filter 
    condition are counted. If you specify multiple filter values, only the records that match all the filter conditions are counted.
    Modify the fields in the Criteria tab as described in Table 134 on page 33.
    SGT Count of RBACL Drops
    117
    314
    Table 134 RBACL Drops
    Option: Description
    RBACL drops greater than num in the past time Minutes|Hours by a object, where:
        - num values can be any five-digit number greater than or equal to zero (0).
        - time values can be 5 to 1440 minutes, or 1 to 24 hours.
        - Minutes|Hours value can be Minutes or Hours.
        - object values can be:
            - NAD
            - SGT
            - DGT
            - DST_IP
    Filter
    Device IP: Click Select to choose or enter a valid device IP address on which to configure your threshold.
    SGT: Click Select to choose or enter a valid source group tag on which to configure your threshold.
    DGT: Click Select to choose or enter a valid destination group tag on which to configure your threshold.
    Destination IP: Click Select to choose or enter a valid destination IP address on which to configure your threshold.
    Related Topics
    Creating, Editing, and Duplicating Alarm Thresholds, page 10
    Configuring General Threshold Information, page 16
    Configuring Threshold Notifications, page 35
    NAD-Reported AAA Downtime
    When ACS evaluates this threshold, it examines the NAD-reported AAA down events that occurred during the specified 
    interval up to the previous 24 hours. The AAA down records are grouped by a particular common attribute, such as device 
    IP address or device group, and a count of records within each of those groups is computed. 
    If the count for any group exceeds the specified threshold, an alarm is triggered. For example, consider the following 
    threshold configuration:
    AAA Down count greater than 10 in the past 4 hours by a Device IP
    If, in the past four hours, NAD-reported AAA down events have occurred for three different device IP addresses as shown 
    in the following table, an alarm is triggered, because at least one device IP address has a count greater than 10.
    You can specify one or more filters to limit the AAA down records that are considered for threshold evaluation. Each filter 
    is associated with a particular attribute in the AAA down records and only those records that match the filter condition 
    are counted. If you specify multiple filter values, only the records that match all the filter conditions are counted.
    Choose this category to define threshold criteria based on the AAA downtime that a network access device reports. 
    Modify the fields in the Criteria tab as described in Table 135 on page 34.
    Device IP    Count of NAD-Reported AAA Down Events
    a.b.c.d      15
    e.f.g.h      3
    i.j.k.l      9
    Table 135 NAD-Reported AAA Downtime
    Option: Description
    AAA down greater than num in the past time Minutes|Hours by a object, where:
        - num values can be any five-digit number greater than or equal to zero (0).
        - time values can be 5 to 1440 minutes, or 1 to 24 hours.
        - Minutes|Hours value can be Minutes or Hours.
        - object values can be:
            - Device IP
            - Device Group
    Related Topics
    Creating, Editing, and Duplicating Alarm Thresholds, page 10
    Configuring General Threshold Information, page 16
    Configuring Threshold Notifications, page 35
    Configuring Threshold Notifications 
    Use this page to configure alarm threshold notifications.
    1. Select Monitoring and Reports > Alarms > Thresholds, then do one of the following:
        - Click Create to create a new alarm threshold.
        - Click the name of an alarm threshold, or check the check box next to an existing alarm threshold and click Edit to edit a selected alarm threshold.
        - Click the name of an alarm threshold, or check the check box next to an existing alarm threshold and click Duplicate to duplicate a selected alarm threshold.
    2. Click the Notifications tab.
    The Thresholds: Notifications page appears as described in Table 136 on page 35:
    Table 135 NAD-Reported AAA Downtime (continued)
    Option: Description
    Filter
    ACS Instance: Click Select to choose a valid ACS instance on which to configure your threshold.
    Device IP: Click Select to choose or enter a valid device IP address on which to configure your threshold.
    Device Group: Click Select to choose a valid device group name on which to configure your threshold.
    Table 136 Thresholds: Notifications Page
    Option: Description
    Severity: Use the drop-down list box to select the severity level for your alarm threshold. Valid options are:
        - Critical
        - Warning
        - Info
    Send Duplicate Notifications: Check the check box to be notified of duplicate alarms. An alarm is considered a duplicate if a previously generated alarm for the same threshold occurred within the time window specified for the current alarm.
    Related Topics
    Viewing and Editing Alarms in Your Inbox, page 3
    Creating, Editing, and Duplicating Alarm Thresholds, page 10
    Deleting Alarm Thresholds, page 36
    Deleting Alarm Thresholds
    To delete an alarm threshold:
    1. Select Monitoring and Reports > Alarms > Thresholds.
    The Alarms Thresholds page appears.
    2. Check one or more check boxes next to the thresholds you want to delete, and click Delete.
    3. Click OK to confirm that you want to delete the selected alarm(s).
    The Alarms Thresholds page appears without the deleted threshold.
    Configuring System Alarm Settings
    System alarms are used to notify users of:
    Errors that are encountered by the Monitoring and Reporting services
    Information on data purging
    Table 136 Thresholds: Notifications Page (continued)
    Option: Description
    Email Notification
    Email Notification User List: Enter a comma-separated list of e-mail addresses or ACS administrator names or both. Do one of the following:
        - Enter the e-mail addresses.
        - Click Select to enter valid ACS administrator names. The associated administrator is notified by e-mail only if there is an e-mail identification specified in the administrator configuration. See Creating, Duplicating, Editing, and Deleting Administrator Accounts, page 7 for more information.
        When a threshold alarm occurs, an e-mail is sent to all the recipients in the Email Notification User List.
        Click Clear to clear this field.
    Email in HTML Format: Check this check box to send e-mail notifications in HTML format. Uncheck this check box to send e-mail notifications as plain text.
    Custom Text: Enter custom text messages that you want associated with your alarm threshold.
    Syslog Notification
    Send Syslog Message: Check this check box to send a syslog message for each system alarm that ACS generates.
        Note: For ACS to send syslog messages successfully, you must configure Alarm Syslog Targets, which are syslog message destinations. See Understanding Alarm Syslog Targets, page 37 for more information.
    Use this page to enable system alarms and to specify where alarm notifications are sent. When you enable system 
    alarms, they are sent to the Alarms Inbox. In addition, you can choose to send alarm notifications through e-mail to select 
    recipients and as syslog messages to the destinations specified as alarm syslog targets.
    From the Monitoring and Report Viewer, choose Monitoring Configuration > System Configuration > System Alarm 
    Settings. 
    This section contains the following topics:
    Creating and Editing Alarm Syslog Targets, page 38
    Deleting Alarm Syslog Targets, page 39
    Understanding Alarm Syslog Targets
    Alarm syslog targets are the destinations where alarm syslog messages are sent. The Monitoring and Report Viewer 
    sends alarm notification in the form of syslog messages. You must configure a machine that runs a syslog server to 
    receive these syslog messages. 
    To view a list of configured alarm syslog targets, choose Monitoring Configuration > System Configuration > Alarm 
    Syslog Targets.
    Table 137 System Alarm Settings Page
    Option: Description
    System Alarm Settings
    Notify System Alarms: Check this check box to enable system alarm notification.
    System Alarms Suppress Duplicates: Use the drop-down list box to designate the number of hours that you want to suppress duplicate system alarms from being sent to the Email Notification User List. Valid options are 1, 2, 4, 6, 8, 12, and 24.
    Email Notification
    Email Notification User List: Enter a comma-separated list of e-mail addresses or ACS administrator names or both. Do one of the following:
        - Enter the e-mail addresses.
        - Click Select to enter valid ACS administrator names. The associated administrator is notified by e-mail only if there is an e-mail identification specified in the administrator configuration. See Creating, Duplicating, Editing, and Deleting Administrator Accounts, page 7 for more information.
        When a system alarm occurs, an e-mail is sent to all the recipients in the Email Notification User List.
        Click Clear to clear this field.
    Email in HTML Format: Check this check box to send e-mail notifications in HTML format. Uncheck this check box to send e-mail notifications as plain text.
    Syslog Notification
    Send Syslog Message: Check this check box to send a syslog message for each system alarm that ACS generates. For ACS to send syslog messages successfully, you must configure Alarm Syslog Targets, which are syslog message destinations. See Understanding Alarm Syslog Targets, page 37 for more information.
    Note: You can configure a maximum of two syslog targets in the Monitoring and Report Viewer.
    Creating and Editing Alarm Syslog Targets
    To create or edit an alarm syslog target:
    1. Choose Monitoring Configuration > System Configuration > Alarm Syslog Targets.
    The Alarm Syslog Targets page appears.
    2. Do one of the following:
        - Click Create.
        - Check the check box next to the alarm syslog target that you want to edit, then click Edit.
    The Alarm Syslog Targets Create or Edit page appears.
    3. Modify the fields described in Table 138 on page 38.
    Table 138 Alarm Syslog Targets Create or Edit Page
    Option: Description
    Identification
    Name: Name of the alarm syslog target. The name can be 255 characters in length.
    Description: (Optional) A brief description of the alarm that you want to create. The description can be up to 255 characters in length.
    Configuration
    IP Address: IP address of the machine that receives the syslog message. This machine must have the syslog server running on it. We recommend that you use a Windows or a Linux machine to receive syslog messages.