Cisco ACS 5.7 User Guide
Managing System Operations and Configuration in the Monitoring and Report Viewer

2. Check the check box of the collection filter or filters that you want to delete, then click Delete. The following message appears: Are you sure you want to delete the selected item(s)?
3. Click Yes. The Collection Filters page appears without the deleted collection filter.

Configuring System Alarm Settings
See Configuring System Alarm Settings, page 36 for a description of how to configure system alarm settings.

Configuring Alarm Syslog Targets
See Understanding Alarm Syslog Targets, page 37 for a description of how to configure the syslog targets.

Configuring Remote Database Settings
Use this page to configure a remote database to which you can export the Monitoring and Report Viewer data. ACS exports data to this remote database at specified intervals. You can schedule the export job to run once every 1, 2, 4, 6, 8, 12, or 24 hours, or every 20 or 40 minutes. You can create custom reporting applications that interact with this remote database.
ACS supports the following databases:
- Oracle SQL Developer 12c
- Microsoft SQL Server 2012 R2
Note: ACS does not support a remote database with a cluster setup.

To configure a remote database:
1. From the Monitoring and Report Viewer, choose Monitoring Configuration > System Configuration > Remote Database Settings. The Remote Database Settings page appears as described in Table 12 on page 19.

Table 12 Remote Database Settings Page

Publish to Remote Database
    Check the check box for ACS to export data to the remote database periodically. By default, ACS exports data to the remote database every 4 hours.
Server
    Enter the IP address of the remote database.
Port
    Enter the port number of the remote database. The default port for a Microsoft database is 1433 and the default port for an Oracle database is 1521. To change the port number for an Oracle database, see Changing the Port Numbers for Oracle Database, page 20.
Username
    Enter the username for remote database access.
Password
    Enter the password for remote database access.
Export Every Minutes
    Choose a time interval from the drop-down list box for ACS to use to export data. Valid options are 20 and 40 minutes. The default interval is 20 minutes.
    Note: If you choose a time interval of 40 minutes, ACS starts the remote database export operation immediately for the first time and then repeats the operation every 40 minutes.
Export Every Hours
    Choose a time interval from the drop-down list box for ACS to use to export data. Valid options are 1, 2, 4, 6, 8, 12, and 24 hours. The default interval is 4 hours.
Database Type
    The type of remote database that you want to configure:
    - Click the Microsoft Database radio button to configure a Microsoft database, and enter the name of the remote database.
    - Click the Oracle SID radio button to configure an Oracle database, and enter the Oracle service name for the Oracle database.
Download Remote Database schema files
    Click this link to download the remote database schema files. The following two schema files are downloaded: acsview_microsoft_schema.sql and acsview_oracle_schema.sql.

2. Click Submit to configure the remote database.
Note: Special characters are not supported in remote database names.
Note: You can view the status of your export job in the Scheduler. See Viewing Scheduled Jobs, page 11 for more information.
Note: If two log collector servers have been configured to export data to a remote database, only one log collector server can export data to the remote database at a time. If a second log collector is pointed to the same remote database, it can cause issues such as overwriting of existing entries in the tables.

Changing the Port Numbers for Oracle Database
To change the port number for an Oracle database, complete the following steps:
1. Log in to the Oracle database.
2. Open the command prompt.
3. Run the command cd C:\oraclexe\app\oracle\product\10.2.0\server\BIN.
4. Run the command LSNRCTL status to find the status of the listener service.
5. Run the command LSNRCTL Stop to stop the listener service.
6. Go to the C:\oraclexe\app\oracle\product\10.2.0\server\NETWORK\ADMIN folder and edit the Oracle database port numbers in the listener.ora and tnsnames.ora files. You must update the same port number in the ACS web interface.
7. Run the command LSNRCTL Start to start the listener service.
8. Log in to the ACS web interface.
9. From the Monitoring and Report Viewer, choose Monitoring Configuration > System Configuration > Remote Database Settings to change the Oracle database port number.
10. Enter the new Oracle database port number. ACS displays the following message: This will require view database restart. Are you sure you want to do this?
11. Click OK.
For more information, see Configuring Remote Database Settings, page 19.
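Step 6 of the port-change procedure edits the same PORT parameter in two files, and steps 9 and 10 then require the identical value in ACS; a mismatch between any of the three is the usual reason the export job stops connecting. The following Python script is an added example, not part of the Cisco guide or of ACS: it rewrites the port in constructed sample listener.ora and tnsnames.ora contents (the host name db-host.example is a placeholder), refuses a result in which the two files disagree, and checks that the port later entered in ACS matches what the client file advertises. In practice you would read the two files from the NETWORK\ADMIN folder named in step 6 and write the results back while the listener is stopped.

```python
import re

# Constructed sample contents of the two Oracle Net files named in step 6;
# the host name is a placeholder, not taken from a real installation.
LISTENER_ORA = """LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC_FOR_XE))
      (ADDRESS = (PROTOCOL = TCP)(HOST = db-host.example)(PORT = 1521))
    )
  )
"""

TNSNAMES_ORA = """XE =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db-host.example)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = XE)
    )
  )
"""

# Matches a "(PORT = nnnn)" parameter; Oracle Net keywords are case-insensitive.
PORT_RE = re.compile(r"\(\s*PORT\s*=\s*(\d+)\s*\)", re.IGNORECASE)


def declared_ports(ora_text):
    """Return the set of PORT values declared in an Oracle Net file."""
    return {int(p) for p in PORT_RE.findall(ora_text)}


def rewrite_port(ora_text, old_port, new_port):
    """Replace every (PORT = old_port) with new_port, leaving any other
    port untouched. Returns (new_text, number_of_entries_changed)."""
    if not 1 <= new_port <= 65535:
        raise ValueError(f"invalid TCP port {new_port}")
    changed = 0

    def substitute(match):
        nonlocal changed
        if int(match.group(1)) != old_port:
            return match.group(0)
        changed += 1
        return f"(PORT = {new_port})"

    return PORT_RE.sub(substitute, ora_text), changed


def change_oracle_port(listener_ora, tnsnames_ora, old_port, new_port):
    """Apply the same change to both files (step 6) and refuse a result in
    which listener.ora and tnsnames.ora disagree about the port."""
    new_listener, n_listener = rewrite_port(listener_ora, old_port, new_port)
    new_tnsnames, n_tnsnames = rewrite_port(tnsnames_ora, old_port, new_port)
    if n_listener == 0 or n_tnsnames == 0:
        raise ValueError(
            f"port {old_port} not found in both files "
            f"(listener.ora: {n_listener}, tnsnames.ora: {n_tnsnames})")
    if declared_ports(new_listener) != declared_ports(new_tnsnames):
        raise ValueError("listener.ora and tnsnames.ora declare different ports")
    return new_listener, new_tnsnames


def acs_port_matches(acs_port, tnsnames_ora):
    """Check that the port entered in ACS (steps 9 and 10) is one the
    client file now advertises; otherwise the export cannot connect."""
    return acs_port in declared_ports(tnsnames_ora)


if __name__ == "__main__":
    new_listener, new_tnsnames = change_oracle_port(LISTENER_ORA, TNSNAMES_ORA, 1521, 1522)
    print(new_listener)
    print("ACS port 1522 matches:", acs_port_matches(1522, new_tnsnames))
```

The consistency check matters because an edit that reaches only one of the two files leaves the listener and the client resolving different ports, which surfaces later as a failed export rather than as an error at edit time.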
Cisco Systems, Inc. www.cisco.com

Managing System Administrators
System administrators are responsible for deploying, configuring, maintaining, and monitoring the ACS servers in your network. They can perform various operations in ACS through the ACS administrative interface. When you define an administrator in ACS, you assign a password and a role or set of roles that determine the access privileges the administrator has for various operations.
When you create an administrator account, you initially assign a password, which the administrator can subsequently change through the ACS web interface. Irrespective of the roles that are assigned, administrators can change their own passwords. ACS provides the following configurable options to manage administrator passwords:
- Password Complexity—Required length and character types for passwords.
- Password History—Prevents repeated use of the same passwords.
- Password Lifetime—Forces the administrators to change passwords after a specified time period.
- Account Inactivity—Disables the administrator account if it has not been in use for a specified time period.
- Password Failures—Disables the administrator account after a specified number of consecutive failed login attempts.
In addition, ACS provides configurable options that determine the IP addresses from which administrators can access the ACS administrative web interface and the session duration after which idle sessions are logged out from the system.
You can use the Monitoring and Report Viewer to monitor administrator access to the system. The Administrator Access report is used to monitor the administrators who are currently accessing or attempting to access the system. You can view the Administrator Entitlement report to see the access privileges that the administrators have, the configuration changes that are made by administrators, and the administrator access details. In addition, you can use the Configuration Change and Operational Audit reports to view details of specific operations that each administrator performs.
The System Administrator section of the ACS web interface allows you to:
- Create, edit, duplicate, or delete administrator accounts
- Change the password of other administrators
- View predefined roles
- Associate roles to administrators
- Configure authentication settings that include password complexity, account lifetime, and account inactivity
- Configure administrator session settings
- Configure administrator access settings
The first time you log in to ACS 5.7, you are prompted for the predefined administrator username (ACSAdmin) and required to change the predefined password (default). After you change the password, you can start configuring the system. The predefined administrator has super administrator permissions—Create, Read, Update, Delete, and eXecute (CRUDX)—to all ACS resources.
When you register a secondary instance to a primary instance, you can use any account created on the primary instance. The credentials that you create on the primary instance apply to the secondary instance.
Note: After installation, the first time you log in to ACS, you must do so through the ACS web interface and install the licenses. You cannot log in to ACS through the CLI immediately after installation.
This section contains the following topics:
- Understanding Administrator Roles and Accounts, page 2
- Configuring System Administrators and Accounts, page 3
- Understanding Roles, page 3
- Creating, Duplicating, Editing, and Deleting Administrator Accounts, page 7
- Viewing Predefined Roles, page 10
- Configuring Authentication Settings for Administrators, page 11
- Configuring Session Idle Timeout, page 13
- Configuring Administrator Access Settings, page 14
- Working with Administrative Access Control, page 15
- Resetting the Administrator Password, page 25
- Changing the Administrator Password, page 25

Understanding Administrator Roles and Accounts
The first time you log in to ACS 5.7, you are prompted for the predefined administrator username (ACSAdmin) and are required to change the predefined password (default). The acsadmin account in Cisco Secure ACS, Release 5.7, is similar to any other admin account with the Super Admin role. The default acsadmin account can now be disabled or deleted, provided you have another recovery admin account with the Super Admin role. The account disablement criteria, such as password lifetime, account disablement, and exceeding failed authentication attempts, also apply to the default acsadmin account. After you change the password, you can start configuring the system.
The predefined administrator has super administrator permissions—Create, Read, Update, Delete, and eXecute (CRUDX)—to all ACS resources. If you do not need granular access control, the Super Admin role is most convenient, and this is the role assigned to the predefined ACSAdmin account. To create further granularity in your access control, follow these steps:
1. Define administrators. See Configuring System Administrators and Accounts, page 3.
2. Associate roles to administrators. See Understanding Roles, page 3.
When these steps are completed, the defined administrators can log in and start working in the system.

Understanding Authentication
An authentication request is the first operation for every management session. If authentication fails, the management session is terminated. If authentication passes, the management session continues until the administrator logs out or the session times out.
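The five password options listed above (complexity, history, lifetime, account inactivity, password failures) interact: a lockout for failed logins and a lockout for inactivity both disable the account, while an expired password still lets a correct login through but forces a change. The following Python model is an added example, not Cisco code and not the ACS implementation; the numeric limits in AdminPasswordPolicy are assumptions chosen for illustration, and ACS exposes its own values under the authentication settings described later in this section.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class AdminPasswordPolicy:
    # All limits below are example values, not ACS defaults.
    min_length: int = 8          # Password Complexity
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    history_size: int = 5        # Password History: last N passwords may not be reused
    lifetime_days: int = 90      # Password Lifetime
    inactivity_days: int = 30    # Account Inactivity
    max_failures: int = 5        # Password Failures (consecutive)


@dataclass
class AdminAccount:
    username: str
    password_hash: str
    password_set_at: datetime
    last_login_at: datetime
    history: list = field(default_factory=list)   # hashes of previous passwords, newest first
    failed_attempts: int = 0
    disabled: bool = False
    disabled_reason: str = ""


def hash_password(password):
    # Unsalted SHA-256 keeps the example short; a real store would use a salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def complexity_errors(policy, password):
    """Password Complexity: return every rule the candidate password violates."""
    errors = []
    if len(password) < policy.min_length:
        errors.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in password):
        errors.append("no uppercase letter")
    if policy.require_lower and not any(c.islower() for c in password):
        errors.append("no lowercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        errors.append("no digit")
    return errors


def change_password(policy, account, new_password, now):
    """Apply Password Complexity and Password History; returns the list of
    reasons the change was refused (empty list means it was applied)."""
    errors = complexity_errors(policy, new_password)
    new_hash = hash_password(new_password)
    recent = [account.password_hash] + account.history[: policy.history_size - 1]
    if new_hash in recent:
        errors.append(f"reuses one of the last {policy.history_size} passwords")
    if errors:
        return errors
    account.history.insert(0, account.password_hash)
    account.history = account.history[: policy.history_size]
    account.password_hash = new_hash
    account.password_set_at = now
    return []


def refresh_status(policy, account, now):
    """Account Inactivity: disable an account unused for longer than the limit."""
    if not account.disabled and now - account.last_login_at > timedelta(days=policy.inactivity_days):
        account.disabled, account.disabled_reason = True, "inactivity"


def attempt_login(policy, account, password, now):
    """Returns 'ok', 'password-expired', 'bad-password' or 'disabled'.
    Password Failures: max_failures consecutive bad passwords disable the account."""
    refresh_status(policy, account, now)
    if account.disabled:
        return "disabled"
    if hash_password(password) != account.password_hash:
        account.failed_attempts += 1
        if account.failed_attempts >= policy.max_failures:
            account.disabled, account.disabled_reason = True, "failed-logins"
            return "disabled"
        return "bad-password"
    account.failed_attempts = 0          # a good login resets the consecutive counter
    account.last_login_at = now
    if now - account.password_set_at > timedelta(days=policy.lifetime_days):
        return "password-expired"        # Password Lifetime: must change before continuing
    return "ok"
```

Note the ordering inside attempt_login: the inactivity check runs before the password is compared, so a disabled account never reveals whether the supplied password was right, and the lifetime check runs after a successful comparison, so an expired password is a forced change rather than a lockout.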
ACS 5.7 authenticates every login operation by using user credentials (username and password). Then, by using the administrator and role definitions, ACS fetches the appropriate permissions and answers subsequent authorization requests. The ACS user interface displays only the functions and options for which you have the necessary administrator privileges.
Note: Allow a few seconds before logging back in so that changes in the system have time to propagate.

Related Topics
- Understanding Administrator Roles and Accounts, page 2
- Configuring System Administrators and Accounts, page 3

Configuring System Administrators and Accounts
This section contains the following topics:
- Understanding Roles, page 3
- Administrator Accounts and Role Association, page 7
- Creating, Duplicating, Editing, and Deleting Administrator Accounts, page 7
- Viewing Role Properties, page 11

Understanding Roles
Roles consist of typical administrator tasks, each with an associated set of permissions. Each administrator can have more than one predefined role, and a role can apply to multiple administrators. As a result, you can configure multiple tasks for a single administrator and multiple administrators for a single task. You use the Administrator Accounts page to assign roles. In general, a precise definition of roles is the recommended starting point. Refer to Creating, Duplicating, Editing, and Deleting Administrator Accounts, page 7 for more information.

Assigning Roles
You can assign roles to the internal administrator account. ACS 5.7 provides two methods to assign roles to internal administrators:
- Static Role assignment—Roles are assigned manually to the internal administrator account.
- Dynamic Role assignment—Roles are assigned based on the rules in the AAC authorization policy.

Assigning Static Roles
ACS 5.7 allows you to assign administrator roles statically to an internal administrator account. This is applicable only to internal administrator accounts. If you choose the static option, you must select the administrator roles for each internal administrator account manually. When an administrator attempts to log in, and that administrator is configured in an administrator internal identity store with a static role assignment, only the identity policy is executed for authentication; the authorization policy is skipped. After successful execution of the identity policy, the administrator is assigned the roles selected for the administrator account.

Assigning Dynamic Roles
ACS 5.7 allows you to assign administrator roles dynamically to an internal administrator account. If the administrator account is configured in an external or internal identity store and has a dynamic role assignment, ACS evaluates the authorization policy; the result is either a list of administrator roles, which ACS applies dynamically, or Deny Access. If the Super Admin assigns a dynamic role to an administrator and does not configure the authorization policy, then authorization of that administrator account uses the default value "deny access", and as a result the administrator is denied. If you assign a static role to an administrator, the authorization policy has no effect on the authorization of that administrator. Based on the selected role, ACS manages the administrator's access restrictions and authentications. If Deny Access is the result of the evaluation, ACS denies access to the administrator and logs the reason for the failure in the customer logs.
Note: The ACS web interface displays only the functions for which you have privileges. For example, if your role is Network Device Admin, the System Administration drawer does not appear because you do not have permissions for the functions in that drawer.

Permissions
A permission is an access right that applies to a specific administrative task. Permissions consist of:
- A Resource – The list of ACS components that an administrator can access, such as network resources or policy elements.
- Privileges – The privileges are Create, Read, Update, Delete, and eXecute (CRUDX). Some privileges cannot apply to a given resource. For example, the user resource cannot be executed.
A resource given to an administrator without any privileges means that the administrator has no access to that resource. In addition, the permissions are discrete. If the privileges create, update, and delete apply to a resource, the read privilege is not available.
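The two assignment modes above produce different decision paths: a static assignment returns the stored roles as soon as the identity policy succeeds and never consults the authorization policy, while a dynamic assignment depends entirely on the authorization rules and falls back to Deny Access when no policy exists or no rule matches. The following Python model is an added example, not Cisco code and not the ACS policy engine; the identity stores, rule conditions and the customer_log list are assumptions made to illustrate the flow described in this section.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

DENY = "Deny Access"   # the ACS result value when no roles are granted


@dataclass
class AdminIdentity:
    username: str
    store: str                     # "internal" or "external" identity store
    assignment: str                # "static" or "dynamic" role assignment
    static_roles: List[str] = field(default_factory=list)
    attributes: dict = field(default_factory=dict)   # e.g. group membership used by rules


@dataclass
class AuthzRule:
    name: str
    matches: Callable[[AdminIdentity], bool]
    result: object                 # a list of role names, or DENY


@dataclass
class AuthzPolicy:
    rules: List[AuthzRule]
    default_result: object = DENY  # applied when no rule matches


customer_log: List[str] = []       # stand-in for the ACS customer log


def resolve_roles(identity, policy: Optional[AuthzPolicy], identity_policy_passed: bool):
    """Return the roles granted to the session, or None when access is denied.
    Every denial is written to customer_log with its reason."""
    if not identity_policy_passed:
        customer_log.append(f"{identity.username}: identity policy failed, session terminated")
        return None
    if identity.assignment == "static":
        if identity.store != "internal":
            raise ValueError("static role assignment applies only to internal accounts")
        # Static assignment: the authorization policy is skipped entirely.
        return list(identity.static_roles)
    # Dynamic assignment: the authorization policy decides.
    if policy is None:
        customer_log.append(f"{identity.username}: no authorization policy configured, default {DENY}")
        return None
    for rule in policy.rules:
        if rule.matches(identity):
            if rule.result == DENY:
                customer_log.append(f"{identity.username}: rule '{rule.name}' returned {DENY}")
                return None
            return list(rule.result)
    if policy.default_result == DENY:
        customer_log.append(f"{identity.username}: no rule matched, default {DENY}")
        return None
    return list(policy.default_result)
```

A useful consequence of modelling it this way is that the static path cannot be tightened by adding rules to the authorization policy: to restrict a statically assigned administrator you must change the stored roles, which is why the section says the policy has no impact on such accounts.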
If no permission is defined for an object, the administrator cannot access that object, not even for reading.
Note: You cannot make permission changes.

Predefined Roles
ACS 5.7 introduces two new predefined administrator roles, Provisioning Admin and Operations Admin. You can create new administrator accounts using these two roles. You cannot use these two administrator roles together or along with any other administrator role when creating administrator accounts. Table 13 on page 4 shows the predefined roles included in ACS.

Table 13 Predefined Role Descriptions

ChangeAdminPassword
    This role is intended for ACS administrators who manage other administrator accounts. This role entitles the administrator to change the password of other administrators.
ChangeUserPassword
    This role is intended for ACS administrators who manage internal user accounts. This role entitles the administrator to change the password of internal users.
NetworkDeviceAdmin
    This role is intended for ACS administrators who need to manage only the ACS network device repository, such as adding, updating, or deleting devices. This role has the following permissions:
    - Read and write permissions on network devices
    - Read and write permissions on NDGs and all object types in the Network Resources drawer
OperationsAdmin
    This role is a combination of a few of the existing administrator roles along with some extra resources and privileges. To view the resources and privileges of OperationsAdmin:
    1. Choose System Administration > Administrators > Roles from the ACS web interface.
    2. Click the radio button near OperationsAdmin.
    3. Click View. ACS displays the resources and privileges associated with OperationsAdmin.
    OperationsAdmin can be authenticated against external databases, like other administrators in ACS.
    Note: You cannot combine the OperationsAdmin role with any other administrator role when creating administrator accounts.
    Note: You can assign roles, resources, and privileges to OperationsAdmin as for other administrators. However, you cannot assign OperationsAdmin as a recovery administrator account.
PolicyAdmin
    This role is intended for the ACS policy administrator responsible for creating and managing ACS access services and access policy rules, and the policy elements referenced by the policy rules. This role has the following permissions:
    - Read and write permissions on all the elements used in policies, such as authorization profiles, NDGs, IDGs, conditions, and so on
    - Read and write permissions on services policy
ProvisioningAdmin
    This role is a combination of a few of the existing administrator roles along with some extra resources and privileges. To view the resources and privileges of ProvisioningAdmin:
    1. Choose System Administration > Administrators > Roles from the ACS web interface.
    2. Click the radio button near ProvisioningAdmin.
    3. Click View. ACS displays the resources and privileges associated with ProvisioningAdmin.
    ProvisioningAdmin can be authenticated against external databases, like other administrators in ACS.
    Note: You cannot combine the ProvisioningAdmin role with any other administrator role when creating administrator accounts.
    Note: You can assign roles, resources, and privileges to ProvisioningAdmin as for other administrators. However, you cannot assign ProvisioningAdmin as a recovery administrator account.
ReadOnlyAdmin
    This role is intended for ACS administrators who need read-only access to all parts of the ACS user interface. This role has read-only access to all resources.
ReportAdmin
    This role is intended for administrators who need access to the ACS Monitoring and Report Viewer only, to generate and view reports or monitoring data. This role has read-only access on logs.
SecurityAdmin
    This role is required in order to create, update, or delete ACS administrator accounts, to assign administrative roles, and to change the ACS password policy. This role has the following permissions:
    - Read and write permissions on internal protocol users and administrator password policies
    - Read and write permissions on administrator account settings
    - Read and write permissions on administrator access settings
SuperAdmin
    The Super Admin role has complete access to every ACS administrative function. If you do not need granular access control, this role is most convenient, and this is the role assigned to the predefined ACSAdmin account. This role has Create, Read, Update, Delete, and eXecute (CRUDX) permissions on all resources.
SystemAdmin
    This role is intended for administrators responsible for ACS system configuration and operations. This role has the following permissions:
    - Read and write permissions on all system administration activities except for account definition
    - Read and write permissions on ACS instances
UserAdmin
    This role is intended for administrators who are responsible for adding, updating, or deleting entries in the internal ACS identity stores, which include internal users and internal hosts. This role has the following permissions:
    - Read and write permissions on users and hosts
    - Read permission on IDGs

Note: At first login, only the Super Admin is assigned to a specific administrator.

Related Topics
- Administrator Accounts and Role Association, page 7
- Creating, Duplicating, Editing, and Deleting Administrator Accounts, page 7

Changing Role Associations
By design, all roles in ACS are predefined and cannot be changed. ACS allows you to change only role associations. Owing to the potential ramifications on the system's entire authorization status, only the ACS Super Admin and SecurityAdmin roles have the privilege to change role associations. Changes in role associations take effect only after the affected administrators log out and log in again. At the new login, ACS reads and applies the role association changes.
Note: You must be careful in assigning the ACS Super Admin and SecurityAdmin roles because of the global ramifications of role association changes.
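Three rules from the Permissions, Predefined Roles and Changing Role Associations passages are easy to get wrong when reasoning about an administrator's effective rights: an administrator with several roles holds the union of their permissions, a resource absent from every role grants nothing (not even Read), OperationsAdmin and ProvisioningAdmin cannot be combined with any other role, and a changed association is not seen by a session that is already logged in. The following Python model is an added example, not Cisco code and not the ACS role engine. The resource names are this example's own, the role table is a simplified subset of Table 13 in which "read and write" is assumed to mean Read plus Create, Update and Delete, and the contents of OperationsAdmin and ProvisioningAdmin are placeholders (the guide says to view their actual privileges in the ACS web interface). Role definitions are never modified, matching the note that permission changes are not possible.

```python
from dataclasses import dataclass

PRIVILEGES = frozenset("CRUDX")
READ = frozenset("R")
WRITE = frozenset("CUD")   # assumption: "write" in Table 13 means Create, Update, Delete
ALL_RESOURCES = ("network-devices", "ndgs", "users", "hosts", "idgs",
                 "policies", "admin-accounts", "logs")   # example resource names

# Simplified subset of Table 13; OperationsAdmin/ProvisioningAdmin contents are placeholders.
ROLE_PERMISSIONS = {
    "SuperAdmin": {r: PRIVILEGES for r in ALL_RESOURCES},
    "ReadOnlyAdmin": {r: READ for r in ALL_RESOURCES},
    "NetworkDeviceAdmin": {"network-devices": READ | WRITE, "ndgs": READ | WRITE},
    "UserAdmin": {"users": READ | WRITE, "hosts": READ | WRITE, "idgs": READ},
    "ReportAdmin": {"logs": READ},
    "SecurityAdmin": {"admin-accounts": READ | WRITE},
    "OperationsAdmin": {"logs": READ, "network-devices": READ},
    "ProvisioningAdmin": {"users": READ | WRITE, "network-devices": READ | WRITE},
}
STANDALONE_ROLES = {"OperationsAdmin", "ProvisioningAdmin"}


def validate_role_set(roles):
    """Reject unknown roles and the forbidden combinations from the Predefined Roles note."""
    roles = set(roles)
    unknown = roles - ROLE_PERMISSIONS.keys()
    if unknown:
        raise ValueError(f"unknown roles: {sorted(unknown)}")
    if roles & STANDALONE_ROLES and len(roles) > 1:
        raise ValueError("OperationsAdmin and ProvisioningAdmin cannot be combined with other roles")
    return roles


def effective_permissions(roles):
    """Union of the privileges of every assigned role, keyed by resource."""
    perms = {}
    for role in validate_role_set(roles):
        for resource, privs in ROLE_PERMISSIONS[role].items():
            perms[resource] = perms.get(resource, frozenset()) | privs
    return perms


def is_allowed(perms, resource, privilege):
    """Permissions are discrete: a resource with no entry grants nothing, not even Read."""
    return privilege in perms.get(resource, frozenset())


@dataclass
class AdminRecord:
    username: str
    roles: set


@dataclass
class Session:
    username: str
    perms: dict   # computed once at login; later association changes do not affect it


def login(record):
    return Session(record.username, effective_permissions(record.roles))


def change_role_association(actor, record, new_roles):
    """Only a role with Update on administrator accounts (SuperAdmin, SecurityAdmin here)
    may change associations; the change reaches the target only at the next login."""
    if not is_allowed(actor.perms, "admin-accounts", "U"):
        raise PermissionError(f"{actor.username} may not change role associations")
    record.roles = validate_role_set(new_roles)
```

Because Session copies the permission map at login, the model reproduces the behaviour described under Changing Role Associations: after an association is changed, the old session keeps its old rights until the administrator logs out and in again, which is also why a role removal is not an immediate revocation.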