Cisco ACS 5.7 User Guide
Cisco Systems, Inc. www.cisco.com

    Configuring System Operations
You can configure and deploy ACS instances so that one ACS instance becomes the primary instance and the other ACS instances are registered to the primary as secondary instances. An ACS instance is one installation of the ACS software running on the network.
An ACS deployment may consist of a single instance, or of multiple instances deployed in a distributed manner, where all instances in the system are managed centrally. All instances in a system have an identical configuration.
Use the Distributed System Management page (System Administration > Operations > Distributed System Management) to manage all the instances in a deployment. You can manage instances only from the primary instance. You can open the Deployment Operations page from any instance in the deployment, but it controls operations only on the local server.
Note: You can register any primary instance or any secondary instance to another primary instance; however, the primary instance you wish to register cannot have any secondary instances registered to it.
The primary instance, created as part of the installation process, centralizes the configuration of the registered secondary instances. Configuration changes made on the primary instance are automatically replicated to the secondary instances. You can force a full replication to a secondary instance if configuration changes do not replicate to it.
This chapter contains:
Understanding Distributed Deployment, page 2
Scheduled Backups, page 5
Synchronizing Primary and Secondary Instances After Backup and Restore, page 9
Editing Instances, page 9
Activating a Secondary Instance, page 14
Registering a Secondary Instance to a Primary Instance, page 15
Deregistering Secondary Instances from the Distributed System Management Page, page 17
Deregistering a Secondary Instance from the Deployment Operations Page, page 18
Promoting a Secondary Instance from the Distributed System Management Page, page 19
Replicating a Secondary Instance from a Primary Instance, page 20
Changing the IP address of a Primary Instance from the Primary Server, page 21
Failover, page 22
Creating, Duplicating, Editing, and Deleting Software Repositories, page 23
Managing Software Repositories from the Web Interface and CLI, page 25
Configuring RSA Public Key for Authentication against SFTP Repositories, page 25
Exporting Policies from ACS Web Interface, page 27
Trust Communication in a Distributed Deployment, page 29

Understanding Distributed Deployment
You can configure multiple ACS servers in a deployment. Within any deployment, you designate one server as the primary server; all the other servers are secondary servers.
In general, you make configuration changes on the primary server only, and the changes are propagated to all secondary servers, which then see the configuration data as read-only. A small number of configuration changes can be performed on a secondary server, including configuration of the server certificate, and these changes remain local to that server.
There is no communication between the secondary servers. Communication happens only between the primary server and the secondary servers, so a secondary server does not know the status of the other secondaries in its deployment.
ACS allows you to deploy an ACS instance behind a firewall. Table 1 on page 2 lists the ports that must be open on the firewall for you to reach ACS through its various management interfaces and for the instances to communicate with each other. Ports that ACS opens as listening ports on 127.0.0.1 only are not listed in the table; they are not reachable from outside the ACS instance.
The Distributed System Management page can be used to monitor the status of the servers in a deployment and perform operations on the servers.
Table 1 Ports to Open in Firewalls

Process                             Port
ACS Web Interface/Web Service       TCP 443
Database replication                TCP 2638
RADIUS server                       UDP 1812 and 1645 (RADIUS authentication and authorization)
                                    UDP 1813 and 1646 (RADIUS accounting)
                                    UDP 3799 (RADIUS CoA and PoD; listened on for proxy purposes)
                                    If your RADIUS server uses port 1812, ensure that your PIX firewall
                                    software is version 6.0 or later, then run the following command to
                                    use port 1812:
                                    aaa-server radius-authport 1812
Replication over the Message Bus    TCP 61616
RMI                                 TCP 2020 (RMI registry service)
                                    TCP 2030 (incoming calls)
SNMP (requests)                     UDP 161
SNMP (notifications)                UDP 162
SSH                                 TCP 22
TACACS+ server                      TCP 49, or the port configured as the TACACS+ port to listen on (1024 to 65535)
ACS View Collector                  UDP 20514
ACS View NetFlow syslog processing  UDP 9993
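A pre-flight check for the firewall rules in Table 1, as an added example (not Cisco code and not part of the ACS product): a small Python script that attempts a TCP connection to each port the primary and secondary instances use to talk to each other. The port list is copied from Table 1; the assumption that these six TCP ports are the complete set needed between instances is ours. The UDP services in the table (RADIUS, SNMP, the ACS View collector) cannot be probed with a connect and are not covered. Run it from a secondary against the primary's address, and from the primary against each secondary, before registering.

```python
"""Probe the TCP ports an ACS primary and its secondaries need between them.

Added example, not Cisco's code. Port numbers come from Table 1 of the ACS 5.7
user guide; treating them as the complete inter-instance set is our assumption.
"""
import socket
import sys
from typing import Dict, Iterable, List, Tuple

# TCP ports from Table 1 that the primary and secondary instances exchange.
REPLICATION_TCP_PORTS: Dict[int, str] = {
    443: "ACS web interface / web service",
    2638: "Sybase database replication (full replication)",
    61616: "Message bus replication (incremental changes)",
    2020: "RMI registry",
    2030: "RMI incoming calls",
    22: "SSH",
}


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True when a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable, DNS failure
        return False


def check_ports(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, bool]:
    """Probe every port in `ports` on `host`; map port -> reachable."""
    return {port: tcp_reachable(host, port, timeout) for port in ports}


def missing_ports(results: Dict[int, bool]) -> List[int]:
    """Ports that must be opened on the firewall before registration will work."""
    return sorted(port for port, ok in results.items() if not ok)


def demo_with_local_listener() -> Tuple[bool, bool]:
    """Offline self-check: probe a port we listen on, then the same port once closed.

    Returns (reachable_while_listening, reachable_after_close); expected (True, False).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = check_ports(target, REPLICATION_TCP_PORTS)
    for port, ok in sorted(results.items()):
        state = "open" if ok else "BLOCKED"
        print(f"{port:>6}  {state:8} {REPLICATION_TCP_PORTS[port]}")
    sys.exit(0 if not missing_ports(results) else 1)
```

A non-zero exit status lists the ports still filtered; a port that is reachable from the primary but not from the secondary (or the reverse) is the usual cause of a secondary that registers but never leaves PENDING.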
    						
ACS 5.7 supports one primary and twenty-one secondary ACS instances in a large ACS deployment. You can dedicate one secondary instance as a hot standby that can be promoted to primary when the actual primary instance goes down. A medium ACS deployment consists of one primary and thirteen secondary ACS instances; here too you can dedicate one secondary instance as a hot standby for promotion to primary. All ACS 5.7 deployments support 100,000 AAA clients, 10,000 network device groups, 300,000 users, and 150,000 hosts. The ACS 5.7 log collector server can handle 2 million records per day and, under stress, 750 messages per second sent from the various ACS nodes in the deployment. For more information on ACS server deployments, see the Installation and Upgrade Guide for Cisco Secure Access Control System 5.7.
Note: ACS 5.7 does not support a large deployment with more than twenty-two ACS instances.
    Related Topics
    Activating Secondary Servers, page 3
    Removing Secondary Servers, page 3
    Promoting a Secondary Server, page 4
    Understanding Local Mode, page 4
    Understanding Full Replication, page 4
    Specifying a Hardware Replacement, page 5
    Activating Secondary Servers
    To add a server to a deployment:
    1.From the secondary server, issue a request to register on the primary server by selecting the Deployment Operations 
    option.
    2.Activate the secondary instance on the primary server. 
You must activate the secondary instance on the primary instance before the secondary instance receives configuration information; this manual step provides admission control over which instances receive the deployment's configuration.
There is also an option to activate newly added secondary instances automatically instead of requiring a manual activation request. With automatic activation, any instance that registers with valid administrator credentials joins the deployment and receives the full configuration without further review, so the administrator credentials become the only gate.
    Related Topics
    Removing Secondary Servers, page 3
    Promoting a Secondary Server, page 4
    Understanding Local Mode, page 4
    Understanding Full Replication, page 4
    Specifying a Hardware Replacement, page 5
    Removing Secondary Servers
    To permanently remove a secondary server from a deployment, you must first deregister the secondary server and then 
    delete it from the primary. You can make the request to deregister a server from either the secondary server to be 
    deregistered or from the primary server. 
    						
    Related Topics
    Activating Secondary Servers, page 3
    Understanding Distributed Deployment, page 2
    Promoting a Secondary Server
Only one server can function as the primary server at a time. However, you can promote a secondary server so that it assumes the primary role for all servers in the deployment. The promotion operation is performed either on the secondary server that is to assume the primary role or on the primary server.
    Note: When the primary server is down, do not simultaneously promote two secondary servers.
    Related Topics
    Activating Secondary Servers, page 3
    Removing Secondary Servers, page 3
    Understanding Local Mode, page 4
    Understanding Full Replication, page 4
    Understanding Local Mode
You can use Local Mode in two situations:
If the primary server is unreachable from a secondary server (for example, because of a network disconnection) and a configuration change must be made on that secondary server, you can put the secondary server into Local Mode.
If you want to make some configuration changes on a trial basis that apply to only one server and do not affect all the servers in your deployment, you can put one of your secondary servers into Local Mode.
In Local Mode, you make changes to a single ACS instance through its local web interface, and the changes take effect on that instance only. The Configuration Audit Report available in the Monitoring and Report Viewer has an option to report only those configuration changes that were made in Local Mode. Generate this report to record the changes you made to the secondary server in Local Mode. For more information on reports and how to generate them from ACS, see Managing Reports, page 1.
When the connection to the primary server is restored, you can reconnect the secondary instance that is in Local Mode to the primary server. From the secondary instance in Local Mode, you specify the Admin username and password to reconnect to the primary instance. All configuration changes made while the secondary server was in Local Mode are lost on reconnection; record them first (for example, with the Configuration Audit Report) and reapply them on the primary if you want to keep them.
    Related Topics
    Activating Secondary Servers, page 3
    Understanding Full Replication, page 4
    Understanding Full Replication
Under normal circumstances, each configuration change is propagated to all secondary instances. Unlike ACS 4.x, where a full replication was performed on every change, ACS 5.7 propagates only the specific changes. As configuration changes are made, the administrator can monitor the replication status and the last replication ID on the Distributed System Management page to confirm that each secondary server is up to date.
    						
If configuration changes are not being replicated as expected, the administrator can request a full replication to the affected server. When you request a full replication, the full set of configuration data is transferred to the secondary server so that its configuration data is resynchronized.
Note: Incremental replication over the Message Bus uses TCP port 61616. Full replication uses the Sybase database port, TCP 2638. Both must be open between the primary and each secondary (see Table 1).
Warning: ACS management services start even when a warning message reports that the connection failed; the services do not get stuck in the initialization stage.
    Related Topics
    Activating Secondary Servers, page 3
    Promoting a Secondary Server, page 4
    Understanding Local Mode, page 4
    Specifying a Hardware Replacement
You can perform a hardware replacement to allow new or existing ACS instance hardware to re-register to a primary server and take over an existing configuration already present in the primary server. This is useful when an ACS instance fails and needs physical replacement.
To perform the hardware replacement:
1. From the web interface of the primary instance, mark the server to be replaced as deregistered.
2. From the secondary server, register to the primary server.
In addition to the standard administrator credentials for connecting to the primary server (username and password), you must specify the replacement keyword that identifies the configuration in the primary server. The keyword is the hostname of the instance that is being replaced. A hostname is not a secret, so the administrator credentials are what authorize taking over the deregistered instance's configuration; protect them accordingly.
3. Activate the secondary server on the primary, either automatically or by issuing a manual request.
    Related Topics
    Viewing and Editing a Primary Instance, page 9
    Viewing and Editing a Secondary Instance, page 13
    Activating a Secondary Instance, page 14
    Registering a Secondary Instance to a Primary Instance, page 15
    Deregistering Secondary Instances from the Distributed System Management Page, page 17
    Promoting a Secondary Instance from the Distributed System Management Page, page 19
    Using the Deployment Operations Page to Create a Local Mode Instance, page 22
    Scheduled Backups
You can schedule backups to run at periodic intervals from the web interface of the primary instance. The Scheduled Backups feature backs up the ACS configuration data. You can back up data from an earlier version of ACS and restore it to a later version. Refer to the Installation and Setup Guide for Cisco Secure Access Control System 5.7 for more information on upgrading ACS to later versions.
    ACS Backup Encryption
ACS backups are encrypted with a dynamic encryption password: you are prompted for an encryption password when you run a backup, and for the matching decryption password when you restore a backup that contains ACS data. Only the ACS configuration data is encrypted with that password-derived key. The CARS data and the ACS View data are encrypted with a static key that is built into the product rather than chosen by you.
When you run a full backup, ACS uses the static key to encrypt the CARS and ACS View data into a .gpg file; the ACS configuration backup is stored inside this .gpg file as a separate .gpg file encrypted with the dynamic encryption password. When you restore the full backup, ACS prompts for the decryption password to decrypt the ACS configuration data and decrypts the CARS and ACS View data with the static key. Because the static key is not under your control, the password protects only the ACS configuration portion; treat the whole backup file as sensitive and store it in a repository with appropriate access controls.
The encryption password must have:
A minimum of 8 characters
Not more than 32 characters
At least one upper case letter
At least one lower case letter
Special characters are allowed except ` $ ( )
ACS displays the password policy if the entered password does not meet these requirements.
    Note: ACS 5.7 does not support scheduled backups through the CLI. 
    Related Topic
    Creating, Duplicating, and Editing Scheduled Backups, page 6
    Creating, Duplicating, and Editing Scheduled Backups
    You can create a scheduled backup only for the primary instance. To create, duplicate, or edit a scheduled backup:
    1.Choose System Administration > Operations > Scheduled Backups.
The Scheduled Backups page appears. Table 2 on page 7 describes the fields on the Scheduled Backups page.
2. Click Submit to schedule the backup.
    Related Topic
    Backing Up Primary and Secondary Instances, page 7
    Backing Up Primary and Secondary Instances
ACS allows you to encrypt the backup with a password. Backup file encryption is available only for the ACS configuration backup; the password-based encryption does not apply when you back up only the ADE-OS configuration data from secondary ACS instances.
ACS also lets you back up the primary and secondary instances at any time, apart from the regular scheduled backups. For a primary instance, you can back up the following:
ACS configuration data only
ACS configuration data and ADE-OS configuration data
For secondary instances, ACS backs up only the ADE-OS configuration data, and in this case ACS does not prompt for an encryption password.
Table 2 Scheduled Backups Page

Option                       Description

Backup Data (the filename created by the backup is the prefix you enter with a time stamp and file type appended)
Filename Prefix              Enter a filename prefix to which ACS appends the backup time stamp. For example, if you enter
                             ACSBackup as the filename prefix and the backup runs on June 05, 2009 at 20:37 hours, ACS
                             creates the backup file ACSBackup-090506-2037.tar.gpg.
                             Note: In the ACS web interface, you cannot use UTF-8 characters in a backup filename or a
                             repository name.
Encryption Password          Enter a password to encrypt the ACS backup files.
Confirm Encryption Password  Re-enter the encryption password.
Repository                   Click Select to open the Software Update and Backup Repositories dialog box, from which you
                             can select the repository in which to store the backup file.

Schedule Options
Time of Day                  Choose the time of day at which you want ACS to back up the ACS configuration data. Backups
                             can be scheduled on a daily, weekly, or monthly basis:
                             Daily: ACS backs up the ACS configuration data at the specified time every day.
                             Weekly: specify the day of the week on which ACS backs up the ACS configuration data every week.
                             Monthly: specify the day of the month on which ACS backs up the ACS configuration data every month.
    						
To run an immediate backup from the Distributed System Management page:
1. Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears.
2. From the Primary Instance table or the Secondary Instances table, select the instance that you want to back up.
You can select only one primary instance, but several secondary instances, for a backup.
3. Click Backup.
The Distributed System Management - Backup page appears with the fields described in Table 3 on page 8.
4. Click Submit to run the backup immediately.
To run an immediate backup from the Deployment Operations page:
1. Choose System Administration > Operations > Local Operations > Deployment Operations.
The Deployment Operations page appears.
2. Click Backup.
The Deployment Operations - Backup page appears with the fields described in Table 3 on page 8.
3. Fill in the fields described in Table 3 on page 8 and click Submit to run the backup immediately.
    Related Topic
    Scheduled Backups, page 5
Table 3 Distributed System Management - Backup Page

Option                               Description

Backup Data (the filename created by the backup is the prefix you enter with a time stamp and file type appended)
Filename Prefix                      Enter a filename prefix to which ACS appends the backup time stamp. For example, if
                                     you enter ACSBackup as the filename prefix and the backup runs on June 05, 2009 at
                                     20:37 hours, ACS creates the backup file ACSBackup-090506-2037.tar.gpg.
                                     Note: In the ACS web interface, you cannot use UTF-8 characters in a backup filename
                                     or a repository name.
Encryption Password                  Enter the encryption password with which to encrypt the ACS backup files.
Confirm Encryption Password          Re-enter the encryption password; it must match the encryption password exactly.
Repository                           Click Select to open the Software Update and Backup Repositories dialog box, from
                                     which you can select the repository in which to store the backup file.

Backup Options (only applicable for primary instances)
ACS Configuration Backup             Select this option to back up only the ACS configuration data.
ACS Configuration and ADE-OS Backup  Select this option to back up both the ACS configuration data and the ADE-OS
                                     configuration data.
    						
    Synchronizing Primary and Secondary Instances After Backup and Restore
When you restore a system backup on a primary instance, the secondary instances are not updated to the newly restored database on the primary instance.
To bring a secondary instance up to date, you re-register it to the restored primary as a hardware replacement:
1. Deregister the secondary instance from the primary instance: from the web interface of the secondary instance, choose System Administration > Operations > Local Operations > Deployment Operations, then click Deregister from Primary.
2. On the same Deployment Operations page, specify the primary hostname or IP address and the administrator credentials.
3. Select Hardware Replacement and specify the hostname of the secondary instance.
4. Click Register to Primary.
Repeat these steps for every secondary instance in the deployment.
    Editing Instances
When you choose System Administration > Operations > Distributed System Management, you can edit either the primary or a secondary instance, and you can back up primary and secondary instances. The Distributed System Management page allows you to do the following:
    Viewing and Editing a Primary Instance, page 9
    Viewing and Editing a Secondary Instance, page 13
    Backing Up Primary and Secondary Instances, page 7
    Synchronizing Primary and Secondary Instances After Backup and Restore, page 9
    Viewing and Editing a Primary Instance
    To edit a primary instance:
    1.Choose System Administration > Operations > Distributed System Management.
    The Distributed System Management page appears with two tables:
    Primary Instance table—Shows the primary instance.
    The primary instance is created as part of the installation process.
    Secondary Instances table—Shows a listing and the status of the secondary instances. See Viewing and Editing a 
    Secondary Instance, page 13 for more information. 
    The Distributed System Management Page displays the information described in Table 4 on page 10: 
    						
Table 4 Distributed System Management Page

Option              Description

Primary Instance
Name                Hostname of the primary instance.
IP Address          IP address of the primary instance.
Online Status       Indicates whether the primary instance is online or offline. A check mark indicates that the primary
                    instance is online; x indicates that it is offline.
Replication ID      The transaction ID that identifies the last configuration change on the primary instance. This value
                    increases by 1 for every configuration change. Valid values are 1 to infinity.
Role                Role of the primary instance. If the primary ACS instance is set as a log collector server, the role is
                    displayed as Primary: Log Collector.
Last Update         Time stamp of the last database configuration change, in the form hh:mm dd:mm:yyyy.
Version             Current version of the ACS software running on the primary ACS instance: either the version string or,
                    if a software upgrade has been initiated, Upgrade in progress.
Description         Description of the primary instance.
Edit                Select the primary instance and click this button to edit it.
Backup              Select the primary instance and click this button to back it up. See Backing Up Primary and Secondary
                    Instances, page 7 for more information.

Secondary Instances
Name                Hostname of the secondary instance.
IP Address          IP address of the secondary instance.
Online Status       Indicates whether the secondary instance is online or offline. A check mark indicates that the
                    secondary instance is online; x indicates that it is offline.
Replication ID      The transaction ID of the last configuration change received by the secondary instance from the
                    primary instance. This value increases by 1 for every configuration change. Valid values are 1 to
                    infinity. This number must match the Replication ID of the primary instance for the primary and
                    secondary ACS servers to be in sync.
Role                Role of the secondary instance. If the secondary ACS instance is set as a log collector server, the role
                    is displayed as Secondary: Log Collector.
Replication Status  Replication status values are:
                    UPDATED: Replication is complete on the secondary instance. Both the Management and Runtime
                    services are current with the configuration changes from the primary instance.
                    PENDING: A full replication has been requested, or configuration changes made on the primary have
                    not yet been propagated to the secondary.
                    REPLICATING: Replication from the primary to the secondary is in progress.
                    LOCAL MODE: The secondary instance does not receive replication updates from the deployment and
                    maintains its own local configuration.
                    DEREGISTERED: The secondary instance is deregistered from the primary instance and is not part of
                    the deployment.
                    INACTIVE: The secondary instance is inactive. Select the instance and click Activate to activate it.
                    **: Communication between the primary instance and the secondary instance is currently
                    unavailable. Log in to that ACS instance directly to view its information.
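The sync rule that Table 4 states (a secondary is current only when it is online, its Replication Status is UPDATED, and its Replication ID equals the primary's), written as a check you could run over the page's columns, as an added example that is not part of the ACS documentation or product. Each row of the Distributed System Management page is modelled as a small dataclass and every secondary that needs attention gets one finding with the remedy the chapter gives for that state. The sample deployment is constructed; the treatment of a secondary whose ID is ahead of the primary is our assumption and is labelled as such in the code.

```python
"""Flag secondaries that are out of sync with the primary, per Table 4's rules.

Added example, not Cisco's code. Models the Replication ID / Replication Status
columns of the Distributed System Management page; the sample deployment is constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Instance:
    name: str
    online: bool
    replication_id: int
    status: str  # UPDATED, PENDING, REPLICATING, LOCAL MODE, DEREGISTERED, INACTIVE, "**", or "" for the primary


def sync_findings(primary: Instance, secondaries: List[Instance]) -> List[str]:
    """Return one finding per secondary that needs attention; an empty list means all are in sync."""
    findings: List[str] = []
    for s in secondaries:
        if not s.online or s.status == "**":
            findings.append(f"{s.name}: primary cannot reach it; log in to the instance directly")
        elif s.status == "LOCAL MODE":
            findings.append(f"{s.name}: in Local Mode, not receiving replication; "
                            "its local changes are discarded when it reconnects")
        elif s.status == "DEREGISTERED":
            findings.append(f"{s.name}: deregistered, not part of the deployment")
        elif s.status == "INACTIVE":
            findings.append(f"{s.name}: registered but not activated; select it and click Activate")
        elif s.status in ("PENDING", "REPLICATING"):
            findings.append(f"{s.name}: replication in progress ({s.status}), "
                            f"ID {s.replication_id} vs primary {primary.replication_id}")
        elif s.status == "UPDATED" and s.replication_id < primary.replication_id:
            # Reports UPDATED yet carries an older transaction ID: the silent case.
            findings.append(f"{s.name}: UPDATED but ID {s.replication_id} is behind primary "
                            f"{primary.replication_id}; request a full replication")
        elif s.status == "UPDATED" and s.replication_id > primary.replication_id:
            # Assumption (not stated on the page): a secondary ahead of the primary usually
            # means the primary was restored from an older backup; the chapter's remedy for
            # that situation is to re-register the secondary as a hardware replacement.
            findings.append(f"{s.name}: ID {s.replication_id} is ahead of primary "
                            f"{primary.replication_id}; re-register it as a hardware replacement")
        elif s.status != "UPDATED":
            findings.append(f"{s.name}: unrecognised replication status {s.status!r}")
    return findings


def in_sync(primary: Instance, secondaries: List[Instance]) -> bool:
    return not sync_findings(primary, secondaries)


# Constructed sample deployment: one primary and four secondaries in different states.
PRIMARY = Instance("acs-primary", True, 1042, "")
SECONDARIES = [
    Instance("acs-sec-1", True, 1042, "UPDATED"),     # in sync
    Instance("acs-sec-2", True, 1039, "UPDATED"),     # status looks fine, ID is stale
    Instance("acs-sec-3", True, 1042, "LOCAL MODE"),  # drifting by design
    Instance("acs-sec-4", False, 1042, "**"),         # unreachable from the primary
]

if __name__ == "__main__":
    for line in sync_findings(PRIMARY, SECONDARIES) or ["all secondaries in sync"]:
        print(line)
```

The second sample secondary is the one worth watching for in practice: its status reads UPDATED, so only the ID comparison the table calls for exposes that it is serving a configuration three changes old.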
    						