User Guide for Cisco Secure Access Control System 5.3 (OL-24201-01)
Chapter 12 Managing Alarms
Creating, Editing, and Duplicating Alarm Thresholds

Related Topics
Configuring General Threshold Information, page 12-13
Configuring Threshold Criteria, page 12-14
Configuring Threshold Notifications, page 12-32

Configuring General Threshold Information

To configure general threshold information, fill out the fields in the General tab of the Thresholds page. Table 12-9 describes the fields.

Related Topics
Configuring Threshold Criteria, page 12-14
Configuring Threshold Notifications, page 12-32

Table 12-9 General Tab (Option: Description)
Name: Name of the threshold.
Description: (Optional) The description of the threshold.
Enabled: Check this check box to allow this threshold to be executed.
Schedule: Use the drop-down list box to select a schedule during which the threshold should be run. A list of available schedules appears in the list.
Configuring Threshold Criteria

ACS 5.3 provides the following threshold categories to define different threshold criteria:
Passed Authentications, page 12-14
Failed Authentications, page 12-16
Authentication Inactivity, page 12-18
TACACS Command Accounting, page 12-19
TACACS Command Authorization, page 12-20
ACS Configuration Changes, page 12-21
ACS System Diagnostics, page 12-22
ACS Process Status, page 12-23
ACS System Health, page 12-24
ACS AAA Health, page 12-25
RADIUS Sessions, page 12-26
Unknown NAD, page 12-27
External DB Unavailable, page 12-28
RBACL Drops, page 12-29
NAD-Reported AAA Downtime, page 12-31

Passed Authentications

When ACS evaluates this threshold, it examines the RADIUS or TACACS+ passed authentications that occurred during the time interval that you have specified, up to the previous 24 hours. These authentication records are grouped by a common attribute, such as ACS Instance, User, Identity Group, and so on, and the number of records within each group is computed. If the count computed for any of these groups exceeds the specified threshold, an alarm is triggered.

For example, suppose you configure a threshold with the following criteria: passed authentications greater than 1000 in the past 20 minutes for an ACS instance. When ACS evaluates this threshold and three ACS instances have processed passed authentications as follows:

ACS Instance      Passed Authentication Count
New York ACS      1543
Chicago ACS        879
Los Angeles       2096

an alarm is triggered, because at least one ACS instance has more than 1000 passed authentications in the past 20 minutes.
Note: You can specify one or more filters to limit the passed authentications that are considered for threshold evaluation. Each filter is associated with a particular attribute in the authentication records, and only those records whose attribute value matches the value that you specify are counted. If you specify multiple filters, only the records that match all the filter conditions are counted.

Modify the fields in the Criteria tab as described in Table 12-10 to create a threshold with the passed authentication criteria.

Table 12-10 Passed Authentications (Option: Description)
Passed Authentications: Enter data according to the following pattern:
  greater than <count> <occurrences | %> in the past <time> <Minutes | Hours> for a <object>
  where:
  - <count> is the absolute number of occurrences or a percentage. Valid values are 0 to 99 for "greater than" and 1 to 100 for "lesser than".
  - <occurrences | %> is either occurrences or %.
  - <time> is 1 to 1440 minutes or 1 to 24 hours.
  - <Minutes | Hours> is Minutes or Hours.
  - <object> is one of: ACS Instance, User, Identity Group, Device IP, Identity Store, Access Service, NAD Port, AuthZ Profile, AuthN Method, EAP AuthN, EAP Tunnel.
  In a distributed deployment with two ACS instances, the count is calculated as an absolute number or as a percentage for each instance separately. ACS triggers an alarm only when the individual count of any one ACS instance exceeds the specified threshold.
Filter:
  - ACS Instance: Click Select to choose a valid ACS instance on which to configure your threshold.
  - User: Click Select to choose or enter a valid username on which to configure your threshold.
  - Identity Group: Click Select to choose a valid identity group name on which to configure your threshold.
  - Device Name: Click Select to choose a valid device name on which to configure your threshold.
  - Device IP: Click Select to choose or enter a valid device IP address on which to configure your threshold.
  - Device Group: Click Select to choose a valid device group name on which to configure your threshold.
  - Identity Store: Click Select to choose a valid identity store name on which to configure your threshold.
  - Access Service: Click Select to choose a valid access service name on which to configure your threshold.
  - MAC Address: Click Select to choose or enter a valid MAC address on which to configure your threshold. This filter is available only for RADIUS authentications.
  - NAD Port: Click Select to choose a port for the network device on which to configure your threshold. This filter is available only for RADIUS authentications.
  - AuthZ Profile: Click Select to choose an authorization profile on which to configure your threshold. This filter is available only for RADIUS authentications.
  - AuthN Method: Click Select to choose an authentication method on which to configure your threshold. This filter is available only for RADIUS authentications.
  - EAP AuthN: Click Select to choose an EAP authentication value on which to configure your threshold. This filter is available only for RADIUS authentications.
  - EAP Tunnel: Click Select to choose an EAP tunnel value on which to configure your threshold. This filter is available only for RADIUS authentications.
  - Protocol: Use the drop-down list box to select the protocol that you want to use for your threshold. Valid options are RADIUS and TACACS+.

Related Topics
Creating, Editing, and Duplicating Alarm Thresholds, page 12-11
Configuring General Threshold Information, page 12-13
Configuring Threshold Notifications, page 12-32

Failed Authentications

When ACS evaluates this threshold, it examines the RADIUS or TACACS+ failed authentications that occurred during the time interval that you have specified, up to the previous 24 hours. These authentication records are grouped by a common attribute, such as ACS Instance, User, Identity Group, and so on, and the number of records within each group is computed. If the count computed for any of these groups exceeds the specified threshold, an alarm is triggered.

For example, suppose you configure a threshold with the following criteria: failed authentications greater than 10 in the past 2 hours for Device IP. When ACS evaluates this threshold, if failed authentications have occurred for four IP addresses in the past two hours as follows:

Device IP     Failed Authentication Count
a.b.c.d       13
e.f.g.h        8
i.j.k.l        1
m.n.o.p        1

an alarm is triggered, because at least one Device IP has more than 10 failed authentications in the past 2 hours.

Note: You can specify one or more filters to limit the failed authentications that are considered for threshold evaluation. Each filter is associated with a particular attribute in the authentication records, and only those records whose attribute value matches the value that you specify are counted. If you specify multiple filters, only the records that match all the filter conditions are counted.

Modify the fields in the Criteria tab as described in Table 12-11 to create a threshold with the failed authentication criteria.

Table 12-11 Failed Authentications (Option: Description)
Failed Authentications: Enter data according to the following pattern:
  greater than <count> <occurrences | %> in the past <time> <Minutes | Hours> for a <object>
  where:
  - <count> is the absolute number of occurrences or a percentage. Valid values must be in the range 0 to 99.
  - <occurrences | %> is either occurrences or %.
  - <time> is 1 to 1440 minutes or 1 to 24 hours.
  - <Minutes | Hours> is Minutes or Hours.
  - <object> is one of: ACS Instance, User, Identity Group, Device IP, Identity Store, Access Service, NAD Port, AuthZ Profile, AuthN Method, EAP AuthN, EAP Tunnel.
  In a distributed deployment with two ACS instances, the count is calculated as an absolute number or as a percentage for each instance separately. ACS triggers an alarm only when the individual count of any one ACS instance exceeds the specified threshold.
Filter:
  - Failure Reason: Click Select to enter a valid failure reason name on which to configure your threshold.
  - ACS Instance: Click Select to choose a valid ACS instance on which to configure your threshold.
  - User: Click Select to choose or enter a valid username on which to configure your threshold.
  - Identity Group: Click Select to choose a valid identity group name on which to configure your threshold.
  - Device Name: Click Select to choose a valid device name on which to configure your threshold.
  - Device IP: Click Select to choose or enter a valid device IP address on which to configure your threshold.
  - Device Group: Click Select to choose a valid device group name on which to configure your threshold.
  - Identity Store: Click Select to choose a valid identity store name on which to configure your threshold.
  - Access Service: Click Select to choose a valid access service name on which to configure your threshold.
  - MAC Address: Click Select to choose or enter a valid MAC address on which to configure your threshold. This filter is available only for RADIUS authentications.
  - NAD Port: Click Select to choose a port for the network device on which to configure your threshold. This filter is available only for RADIUS authentications.
  - AuthZ Profile: Click Select to choose an authorization profile on which to configure your threshold. This filter is available only for RADIUS authentications.
  - AuthN Method: Click Select to choose an authentication method on which to configure your threshold. This filter is available only for RADIUS authentications.
  - EAP AuthN: Click Select to choose an EAP authentication value on which to configure your threshold. This filter is available only for RADIUS authentications.
  - EAP Tunnel: Click Select to choose an EAP tunnel value on which to configure your threshold. This filter is available only for RADIUS authentications.
  - Protocol: Use the drop-down list box to select the protocol that you want to use for your threshold. Valid options are RADIUS and TACACS+.

Related Topics
Creating, Editing, and Duplicating Alarm Thresholds, page 12-11
Configuring General Threshold Information, page 12-13
Configuring Threshold Notifications, page 12-32

Authentication Inactivity

When ACS evaluates this threshold, it examines the RADIUS or TACACS+ authentications that occurred during the time interval that you have specified, up to the previous 31 days. If no authentications have occurred during the specified time interval, an alarm is triggered. You can specify filters to generate an alarm if no authentications are seen for a particular ACS instance or device IP address during the specified time interval.

If the time interval that you have specified in the authentication inactivity threshold is shorter than the time taken to complete an aggregation job that is running concurrently, this alarm is suppressed. The aggregation job begins at 00:05 hours every day. From 23:50 hours until the time the aggregation job completes, authentication inactivity alarms are suppressed. For example, if your aggregation job completes at 01:00 hours today, authentication inactivity alarms are suppressed from 23:50 hours until 01:00 hours.

Note: If you install ACS between 00:05 hours and 05:00 hours, or if you have shut down your appliance for maintenance at 00:05 hours, authentication inactivity alarms are suppressed until 05:00 hours.

Choose this category to define threshold criteria based on authentications that are inactive. Modify the fields in the Criteria tab as described in Table 12-12.

Table 12-12 Authentication Inactivity (Option: Description)
ACS Instance: Click Select to choose a valid ACS instance on which to configure your threshold.
Device: Click Select to choose a valid device on which to configure your threshold.
Protocol: Use the drop-down list box to select the protocol that you want to use for your threshold. Valid options are RADIUS and TACACS+.
Inactive for: Use the drop-down list box to select one of these options:
  - Hours: specify the number of hours, in the range 1 to 744.
  - Days: specify the number of days, in the range 1 to 31.

Related Topics
Creating, Editing, and Duplicating Alarm Thresholds, page 12-11
Configuring General Threshold Information, page 12-13
Configuring Threshold Notifications, page 12-32

TACACS Command Accounting

ACS runs an alarm evaluation cycle every two, three, or five minutes, depending on the number of active thresholds. When it evaluates this threshold, it examines the TACACS+ accounting records that it received during the interval between the previous and current evaluation cycle. If one or more of those records match the specified command and privilege level, an alarm is triggered.

You can specify one or more filters to limit the accounting records that are considered for threshold evaluation. Each filter is associated with a particular attribute in the records, and only those records that match the filter condition are counted. If you specify multiple filter values, only the records that match all the filter conditions are counted.

Choose this category to define threshold criteria based on TACACS commands. Modify the fields in the Criteria tab as described in Table 12-13.

Table 12-13 TACACS Command Accounting (Option: Description)
Command: Enter a TACACS command on which you want to configure your threshold.
Privilege: Use the drop-down list box to select the privilege level on which you want to configure your threshold. Valid options are Any or a number from 0 to 15.
Filter:
  - User: Click Select to choose or enter a valid username on which to configure your threshold.
  - Device Name: Click Select to choose a valid device name on which to configure your threshold.
  - Device IP: Click Select to choose or enter a valid device IP address on which to configure your threshold.
  - Device Group: Click Select to choose a valid device group name on which to configure your threshold.

Related Topics
Creating, Editing, and Duplicating Alarm Thresholds, page 12-11
Configuring General Threshold Information, page 12-13
Configuring Threshold Notifications, page 12-32

TACACS Command Authorization

ACS runs an alarm evaluation cycle every two, three, or five minutes, depending on the number of active thresholds. When it evaluates this threshold, it examines the TACACS+ authorization records that it received during the interval between the previous and current evaluation cycle. If one or more of those records match the specified command, privilege level, and passed or failed result, an alarm is triggered.

You can specify one or more filters to limit the authorization records that are considered for threshold evaluation. Each filter is associated with a particular attribute in the records, and only those records that match the filter condition are counted. If you specify multiple filter values, only the records that match all the filter conditions are counted.

Choose this category to define threshold criteria based on TACACS command authorization results. Modify the fields in the Criteria tab as described in Table 12-14.

Table 12-14 TACACS Command Authorization (Option: Description)
Command: Enter a TACACS command on which you want to configure your threshold.
Privilege: Use the drop-down list box to select the privilege level on which you want to configure your threshold. Valid options are Any or a number from 0 to 15.
Authorization Result: Use the drop-down list box to select the authorization result on which you want to configure your threshold. Valid options are Passed and Failed.
Filter:
  - User: Click Select to choose or enter a valid username on which to configure your threshold.
  - Identity Group: Click Select to choose a valid identity group name on which to configure your threshold.
  - Device Name: Click Select to choose a valid device name on which to configure your threshold.
  - Device IP: Click Select to choose or enter a valid device IP address on which to configure your threshold.
  - Device Group: Click Select to choose a valid device group name on which to configure your threshold.

Related Topics
Creating, Editing, and Duplicating Alarm Thresholds, page 12-11
Configuring General Threshold Information, page 12-13
Configuring Threshold Notifications, page 12-32

ACS Configuration Changes

ACS runs an alarm evaluation cycle every two, three, or five minutes, depending on the number of active thresholds. When it evaluates this threshold, it examines the configuration changes made to the ACS instance during the interval between the previous and current evaluation cycle. If one or more changes were made that match the criteria and filters, an alarm is triggered.

You can specify one or more filters to limit which configuration changes are considered for threshold evaluation. Each filter is associated with a particular attribute in the records, and only those records that match the filter condition are counted. If you specify multiple filter values, only the records that match all the filter conditions are counted.

Choose this category to define threshold criteria based on configuration changes made in the ACS instance. Modify the fields in the Criteria tab as described in Table 12-15.

Table 12-15 ACS Configuration Changes (Option: Description)
Administrator: Click Select to choose a valid administrator username on which you want to configure your threshold.
Object Name: Enter the name of the object on which you want to configure your threshold.
Object Type: Click Select to choose a valid object type on which you want to configure your threshold.
Change: Use the drop-down list box to select the administrative change on which you want to configure your threshold. Valid options are:
  - Any
  - Create (includes the "duplicate" and "edit" administrative actions)
  - Update
  - Delete
Filter:
  - ACS Instance: Click Select to choose a valid ACS instance on which to configure your threshold.

Related Topics
Creating, Editing, and Duplicating Alarm Thresholds, page 12-11
Configuring General Threshold Information, page 12-13
Configuring Threshold Notifications, page 12-32

ACS System Diagnostics

ACS runs an alarm evaluation cycle every two, three, or five minutes, depending on the number of active thresholds. When it evaluates this threshold, it examines the system diagnostic records generated by the monitored ACS during the interval between the previous and current evaluation cycle. If one or more diagnostics were generated at or above the specified severity level, an alarm is triggered.

You can specify one or more filters to limit which system diagnostic records are considered for threshold evaluation. Each filter is associated with a particular attribute in the records, and only those records that match the filter condition are counted. If you specify multiple filter values, only the records that match all the filter conditions are counted.

Choose this category to define threshold criteria based on system diagnostics in the ACS instance. Modify the fields in the Criteria tab as described in Table 12-16.
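To make the Passed Authentications and Failed Authentications evaluation rules (Tables 12-10 and 12-11) concrete, the following Python is an added example written for this page; it is not code from ACS or from Cisco. It reproduces the two worked examples in those sections from constructed records, shows a record outside the time window being ignored, and adds a percent threshold combined with a Protocol filter. The record layout, the attribute names used as dictionary keys, the placeholder IP addresses and user names, and the percent denominator (the share of all passed and failed authentications in the same group and window) are assumptions; the guide does not specify them.

```python
"""Threshold evaluator modelled on the ACS 5.3 Passed/Failed Authentications criteria.
Added illustration, not ACS code: record shape, attribute names and the percent
denominator are assumptions made for this example."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class AuthRecord:
    """One RADIUS or TACACS+ authentication record (constructed shape)."""
    timestamp: datetime
    passed: bool
    attrs: Dict[str, str]       # e.g. {"ACS Instance": "Chicago ACS", "Protocol": "RADIUS"}


@dataclass
class CountThreshold:
    """'<category> greater than <count> <occurrences|%> in the past <window> for a <object>'."""
    category: str               # "Passed Authentications" or "Failed Authentications"
    count: int                  # the <count> after "greater than"
    unit: str                   # "occurrences" or "%"
    window: timedelta           # 1 minute .. 24 hours (Tables 12-10 and 12-11)
    group_by: str               # the <object>: "ACS Instance", "Device IP", "User", ...
    filters: Dict[str, str] = field(default_factory=dict)   # all filters must match (AND)

    def __post_init__(self) -> None:
        if self.unit not in ("occurrences", "%"):
            raise ValueError("unit must be 'occurrences' or '%'")
        if not timedelta(minutes=1) <= self.window <= timedelta(hours=24):
            raise ValueError("window must be between 1 minute and 24 hours")
        if self.unit == "%" and not 0 <= self.count <= 99:
            raise ValueError("a percent threshold must be 0..99 for 'greater than'")


def evaluate(threshold: CountThreshold, records: List[AuthRecord], now: datetime) -> Dict[str, float]:
    """Return {group value: measured count or percent} for every group over the threshold.
    Records inside the window that match all filters are grouped by <object> and counted;
    the alarm condition holds if any single group exceeds <count>. For "%" the count is a
    share of all authentications (passed and failed) in that group; that is an assumption."""
    want_passed = threshold.category == "Passed Authentications"
    start = now - threshold.window
    matched, totals = Counter(), Counter()
    for rec in records:
        if not start <= rec.timestamp <= now:
            continue                                    # outside "in the past <window>"
        if any(rec.attrs.get(k) != v for k, v in threshold.filters.items()):
            continue                                    # fails one of the AND-ed filters
        key = rec.attrs.get(threshold.group_by)
        if key is None:
            continue                                    # record lacks the grouping attribute
        totals[key] += 1
        if rec.passed == want_passed:
            matched[key] += 1
    breaches: Dict[str, float] = {}
    for key, n in matched.items():
        value = n if threshold.unit == "occurrences" else round(100.0 * n / totals[key], 1)
        if value > threshold.count:
            breaches[key] = value
    return breaches


def synth(now: datetime, group_by: str, spec: Dict[str, int], passed: bool,
          minutes_ago: int = 5, extra: Optional[Dict[str, str]] = None) -> List[AuthRecord]:
    """Constructed sample data: `spec` maps a group value to how many records to emit."""
    ts, base = now - timedelta(minutes=minutes_ago), dict(extra or {})
    return [AuthRecord(ts, passed, {**base, group_by: g}) for g, n in spec.items() for _ in range(n)]


NOW = datetime(2011, 9, 1, 12, 0, 0)    # fixed "current time" so the results are reproducible


def example_passed_per_instance() -> Dict[str, float]:
    """The guide's first example: > 1000 passed in the past 20 minutes per ACS instance."""
    th = CountThreshold("Passed Authentications", 1000, "occurrences", timedelta(minutes=20), "ACS Instance")
    recs = synth(NOW, "ACS Instance", {"New York ACS": 1543, "Chicago ACS": 879, "Los Angeles": 2096}, True)
    return evaluate(th, recs, NOW)      # {'New York ACS': 1543, 'Los Angeles': 2096}


def example_failed_per_device_ip() -> Dict[str, float]:
    """The guide's second example: > 10 failed in the past 2 hours per Device IP (placeholder IPs).
    Five extra failures from 10.0.0.2 are three hours old and must fall outside the window."""
    th = CountThreshold("Failed Authentications", 10, "occurrences", timedelta(hours=2), "Device IP")
    recs = synth(NOW, "Device IP", {"10.0.0.1": 13, "10.0.0.2": 8, "10.0.0.3": 1, "10.0.0.4": 1}, False)
    recs += synth(NOW, "Device IP", {"10.0.0.2": 5}, False, minutes_ago=180)
    return evaluate(th, recs, NOW)      # {'10.0.0.1': 13}


def example_failed_percent_with_filter() -> Dict[str, float]:
    """Percent unit plus a Protocol filter: > 50 % failed per User, TACACS+ only.
    alice: 3 failed of 4 TACACS+ (75 %); bob: 1 of 5 (20 %); carol's failures are RADIUS and filtered out."""
    th = CountThreshold("Failed Authentications", 50, "%", timedelta(hours=1), "User",
                        filters={"Protocol": "TACACS+"})
    tac, rad = {"Protocol": "TACACS+"}, {"Protocol": "RADIUS"}
    recs = (synth(NOW, "User", {"alice": 3, "bob": 1}, False, extra=tac)
            + synth(NOW, "User", {"alice": 1, "bob": 4}, True, extra=tac)
            + synth(NOW, "User", {"carol": 9}, False, extra=rad))
    return evaluate(th, recs, NOW)      # {'alice': 75.0}
```

Each `example_*` function returns the dictionary of groups that breached the threshold, which is empty when no alarm would fire. Note that the per-group evaluation is what the "distributed deployment" remark in Tables 12-10 and 12-11 describes: Chicago's 879 passed authentications never combine with New York's, so only instances that individually exceed 1000 appear in the result.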
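The Authentication Inactivity rule (Table 12-12) and its suppression window (aggregation job starting at 00:05, alarms held back from 23:50 until the job completes, or until 05:00 when the job never reports completion) are easy to get wrong in a detection pipeline because the window spans midnight and depends on an external job. The following Python is an added example for this page, not ACS code, that implements the rule over constructed records. The record shape, the device and instance names, and the treatment of a day with no known job completion time are assumptions.

```python
"""Authentication Inactivity threshold plus the aggregation-job suppression window from
the ACS 5.3 guide. Added illustration, not ACS code: the record shape and the handling of
a job whose completion time is unknown are assumptions described in the comments."""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class AuthRecord:
    """One RADIUS or TACACS+ authentication record (constructed shape)."""
    timestamp: datetime
    attrs: Dict[str, str]       # "ACS Instance", "Device", "Protocol" (the Table 12-12 filters)


@dataclass
class InactivityThreshold:
    inactive_for: timedelta                                 # 1..744 hours or 1..31 days
    filters: Dict[str, str] = field(default_factory=dict)   # ACS Instance / Device / Protocol

    def __post_init__(self) -> None:
        if not timedelta(hours=1) <= self.inactive_for <= timedelta(days=31):
            raise ValueError("Inactive for must be between 1 hour and 31 days")


SUPPRESS_FROM = time(23, 50)        # alarms are held back from here ...
JOB_START = time(0, 5)              # ... past the daily aggregation job start ...
FALLBACK_END = time(5, 0)           # ... until 05:00 if the job never reports completion


def suppressed(now: datetime, job_finished_at: Optional[datetime]) -> bool:
    """True while inactivity alarms must be suppressed.
    From 23:50 until today's aggregation job (started 00:05) completes. If no completion
    time is known for today (the install / shutdown case in the guide's note), the
    suppression lasts until 05:00; treating a stale completion time the same way is an assumption."""
    if now.time() >= SUPPRESS_FROM or now.time() < JOB_START:
        return True
    if job_finished_at is None or job_finished_at.date() != now.date():
        return now.time() < FALLBACK_END
    return now < job_finished_at


def evaluate(th: InactivityThreshold, records: List[AuthRecord], now: datetime,
             job_finished_at: Optional[datetime] = None) -> Tuple[bool, str]:
    """Return (alarm, reason). The alarm fires only when no record inside the window
    matches every filter and the evaluation is not inside the suppression window."""
    if suppressed(now, job_finished_at):
        return False, "suppressed: aggregation job window"
    start = now - th.inactive_for
    for rec in records:
        if start <= rec.timestamp <= now and all(rec.attrs.get(k) == v for k, v in th.filters.items()):
            return False, f"activity seen at {rec.timestamp.isoformat()}"
    return True, f"no matching authentications in the past {th.inactive_for}"


NOW = datetime(2011, 9, 1, 12, 0)
JOB_DONE = datetime(2011, 9, 1, 1, 0)       # today's aggregation job completed at 01:00
SAMPLE = [                                  # constructed records
    AuthRecord(NOW - timedelta(hours=30), {"ACS Instance": "Chicago ACS", "Device": "edge-rtr-1", "Protocol": "TACACS+"}),
    AuthRecord(NOW - timedelta(hours=1), {"ACS Instance": "Chicago ACS", "Device": "core-sw-2", "Protocol": "RADIUS"}),
]


def example_quiet_device() -> Tuple[bool, str]:
    """edge-rtr-1 last authenticated 30 h ago, so a 1-day threshold on that device fires;
    core-sw-2's recent login does not count because the Device filter excludes it."""
    return evaluate(InactivityThreshold(timedelta(days=1), {"Device": "edge-rtr-1"}), SAMPLE, NOW, JOB_DONE)


def example_instance_still_active() -> Tuple[bool, str]:
    """Filtered by ACS Instance instead: core-sw-2's login 1 h ago is activity, so no alarm."""
    return evaluate(InactivityThreshold(timedelta(days=1), {"ACS Instance": "Chicago ACS"}), SAMPLE, NOW, JOB_DONE)


def example_suppressed_at_night() -> Tuple[bool, str]:
    """The quiet device evaluated at 00:30 while the aggregation job is still running."""
    return evaluate(InactivityThreshold(timedelta(days=1), {"Device": "edge-rtr-1"}),
                    SAMPLE, datetime(2011, 9, 1, 0, 30), None)


def suppression_timeline() -> Dict[str, bool]:
    """Probe the suppression rule across one day on which the job completes at 01:00."""
    def probe(h: int, m: int, fin: Optional[datetime]) -> bool:
        return suppressed(datetime(2011, 9, 1, h, m), fin)
    return {"23:55 job not started": probe(23, 55, None),
            "00:30 job running": probe(0, 30, None),
            "00:59 job running": probe(0, 59, JOB_DONE),
            "01:00 job done": probe(1, 0, JOB_DONE),
            "04:59 job never finished": probe(4, 59, None),
            "05:00 job never finished": probe(5, 0, None),
            "12:00 job done": probe(12, 0, JOB_DONE)}
```

The point of `suppression_timeline` is the operational caveat from the guide: an inactivity alarm that is silent between 23:50 and the end of the aggregation job is not evidence that the device authenticated, so a monitoring team that relies on this threshold for a critical NAD should check the first evaluation after the job completes rather than assume the overnight silence was clean.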