Cisco CSACSE-1111-K9 - Secure Access Control Server Solution Engine, Installation Manual

Page 1: ...West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 Installation Guide for Cisco Secure ACS Solution Engine 4 1 Version 4 1 License and Warranty April 2007 Text Part Number OL 9969 03 ...

Page 2: ... measures Turn the television or radio antenna until the interference stops Move the equipment to one side or the other of the television or radio Move the equipment farther away from the television or radio Plug the equipment into an outlet that is on a different circuit from the television or radio That is make certain the equipment and the television or radio are on circuits controlled by diffe...

Page 3: ...Field Notices xviii Obtaining Technical Assistance xviii Cisco Technical Support Documentation Website xviii Submitting a Service Request xix Definitions of Service Request Severity xx Obtaining Additional Publications and Information xx Cisco 90 Day Limited Hardware Warranty Terms xxiii C H A P T E R 1 Cisco Secure ACS Solution Engine Overview 1 1 System Description 1 1 ACS SE Hardware Descriptio...

Page 4: ... E R 3 Installing and Configuring Cisco Secure ACS Solution Engine 4 1 3 1 Installation Quick Reference 3 1 Installing the Cisco 1113 in a Rack 3 2 Attaching the Chassis Rail Mount 3 3 Attaching the Server Rail 3 6 Sliding Chassis On the Rack 3 8 Connecting to the AC Power Source 3 9 Connecting Cables 3 10 Initial Configuration 3 10 Establishing a Serial Console Connection 3 10 Configuring ACS SE ...

Page 5: ...dministrator Password 4 15 Resetting the Solution Engine CLI Administrator Name 4 16 Setting the GUI Administrator Logon and Password 4 17 Resetting the Solution Engine Database Password 4 18 Reconfiguring the Solution Engine IP Address 4 18 Setting the System Time and Date Manually 4 20 Setting the System Time and Date with NTP 4 20 Setting the System Timeout 4 21 Setting the Solution Engine Syst...

Page 6: ... B 1 Services That Are Not Run B 2 A P P E N D I X C Command Reference C 1 CLI Conventions C 1 Command Privileges C 1 Checking Command Syntax C 2 System Help C 2 Command Description Conventions C 3 Commands C 3 add guiadmin C 3 backup C 3 download C 4 exit C 4 exportgroups C 5 exportlogs C 5 exportusers C 6 help C 6 ntpsync C 7 lock guiadmin C 7 ping C 7 reboot C 9 restart C 9 restore C 10 rollbac...

Page 7: ...Contents vii Book Title 78 xxxxx xx set timeout C 14 show C 14 shutdown C 14 start C 15 stop C 15 support C 16 tracert C 16 unlock guiadmin C 18 upgrade C 18 ...

Page 8: ...Contents viii Book Title 78 xxxxx xx ...

Page 9: ...uipment and are familiar with Cisco IOS software Warning Only trained and qualified personnel should install replace or service this equipment Organization This guide contains Preface Chapter 1 Cisco Secure ACS Solution Engine Overview Chapter 2 Preparing for Installation Chapter 3 Installing and Configuring Cisco Secure ACS Solution Engine 4 1 Chapter 4 Administering Cisco Secure ACS Solution Eng...

Page 10: ...AVE THESE INSTRUCTIONS Note This documentation is to be used in conjunction with the specific product installation guide that shipped with the product Please refer to the Installation Guide Configuration Guide or other enclosed additional documentation for further details Waarschuwing BELANGRIJKE VEILIGHEIDSINSTRUCTIES Dit waarschuwingssymbool betekent gevaar U verkeert in een situatie die lichame...

Page 11: ...iter les accidents Pour prendre connaissance des traductions d avertissements figurant dans cette publication consultez les consignes de sécurité traduites qui accompagnent cet appareil Remarque CONSERVEZ CES INFORMATIONS Remarque Cette documentation doit être utilisée avec le guide spécifique d installation du produit qui accompagne ce dernier Veuillez vous reporter au Guide d installation au Gui...

Page 12: ...ne specifica spedita con il prodotto Per maggiori informazioni consultare la Guida all installazione la Guida alla configurazione o altra documentazione acclusa Advarsel VIKTIGE SIKKERHETSINSTRUKSJONER Dette varselssymbolet betyr fare Du befinner deg i en situasjon som kan forårsake personskade Før du utfører arbeid med utstyret bør du være oppmerksom på farene som er forbundet med elektriske kret...

Page 13: ...s de manipular cualquier equipo considere los riesgos de la corriente eléctrica y familiarícese con los procedimientos estándar de prevención de accidentes Vea las traducciones de las advertencias que acompañan a este dispositivo Nota GUARDE ESTAS INSTRUCCIONES Nota Esta documentación está pensada para ser utilizada con la guía de instalación del producto que lo acompaña Si necesita más detalles c...

Page 14: ...4 1 OL 9969 03 Documentation Updates Table 1 Updates to Installation Guide for Cisco Secure ACS Solution Engine 4 1 Date Description 12 15 2009 Updated Solution Engine Specifications for the Cisco 1113 Updated the table ACS SE Technical Specifications for the Cisco 1113 ...

Page 15: ...or Cisco Secure ACS Release 4 1 On Cisco com http www cisco com en US products sw secursw ps2086 products_installation_and_configuration_guides_list html Installation Guide for Cisco Secure ACS for Windows Release 4 1 On Cisco com http www cisco com en US products sw secursw ps2086 prod_installation_guides_list html Installation Guide for Cisco Secure ACS Solution Engine Release 4 1 On Cisco com h...

Page 16: ...sco com techsupport You can access the Cisco website at this URL http www cisco com You can access international Cisco websites at this URL http www cisco com public countries_languages shtml Product Documentation DVD The Product Documentation DVD is created and released regularly DVDs are available singly or by subscription Registered Cisco com users can order a Product Documentation DVD product ...

Page 17: ...y incidents that involve Cisco products Register to receive security information from Cisco A current list of security advisories security notices and security responses for Cisco products is available at this URL http www cisco com go psirt To see security advisories security notices and security responses as they are updated in real time you can subscribe to the Product Security Incident Respons...

Page 18: ... Cisco Field Notices You can receive Cisco Product Alerts and Cisco Field Notices by using the Product Alert Tool on Cisco com This tool enables you to create a profile and choose those products for which you want to receive information To access the Product Alert Tool you must be a registered Cisco com user To register as a Cisco com user go to this URL http tools cisco com RPF register register ...

Page 19: ...search to look in technical documentation not the entire Cisco com website On the Cisco com home page click the Advanced Search link under the Search box and then click the Technical Support Documentation radio button To provide feedback about the Cisco com website or a particular technical document click Contacts Feedback at the top of any Cisco com web page Submitting a Service Request Using the...

Page 20: ...of Cisco e mail newsletters and other communications Create a profile and then select the subscriptions that you would like to receive To visit the Cisco Online Subscription Center go to this URL http www cisco com offer subscribe The Cisco Product Quick Reference Guide is a handy compact reference tool that includes brief product overviews key features sample part numbers and abbreviated technica...

Page 21: ...ss networking What s New in Cisco Documentation is an online publication that provides information about the latest documentation releases for Cisco products Updated monthly this online publication is organized by product category to direct you quickly to the documentation for your products You can view the latest release of What s New in Cisco Documentation at this URL http www cisco com univercd...

Page 22: ...Contents xxii Installation Guide for Cisco Secure ACS Solution Engine 4 1 OL 9969 03 ...

Page 23: ...part number 78 5235 03B0 is highlighted b Select the language in which you would like to read the document c Click Go The Cisco Limited Warranty and Software License page from the Information Packet appears d Read the document online or click the PDF icon to download and print the document in Adobe Portable Document Format PDF Note You must have Adobe Acrobat Reader to view and print PDF files You...

Page 24: ... Authorization RMA request Actual delivery times can vary depending on the customer location Cisco reserves the right to refund the purchase price as its exclusive warranty remedy To Receive a Return Materials Authorization RMA Number Contact the company from whom you purchased the product If you purchased the product directly from Cisco contact your Cisco Sales and Service Representative Complete...

Page 25: ...e over IP solutions content networking and switched and wireless local area networks LANs and WLANs In addition you can use the same AAA framework via TACACS to manage administrative roles and groups and to control how network administrators change access and configure the network internally ACS SE provides almost the same set of features and functions as in the Cisco Secure ACS for Windows Server...

Page 26: ...ountable 1U box The sections below describe the Cisco 1113 device which runs on a Quanta S27 system Serial Port The integrated serial port on the back panel of the appliance uses a 9 pin D subminiature connector Serial Port Connector If you reconfigure your hardware you may need information regarding the pin number and signal for the serial port connector Figure 1 4 illustrates the pin numbers for...

Page 27: ... 667 unbuffered memory DVD Combo drive 345 W power supply Technical specifications are detailed in Appendix A Technical Specifications for the Cisco 1113 This section contains Front Panel Features for the Cisco 1113 page 1 3 Back Panel Features for the Cisco 1113 page 1 5 Serial Port page 1 2 Ethernet Connectors page 1 7 Network Cable Requirements page 1 7 Front Panel Features for the Cisco 1113 T...

Page 28: ...8 1 2 3 4 5 6 CISCO 1190 BUILDING BROADBAND SERVICE MANAGER 7 No Switch or LED Indicator Description 1 DVD ROM drive activity LED On Activity Off No Activity 2 Power On Off button and LED Pushing the power button turns the unit on or off The LED in the center of the power On Off button has three states Blinking Green Power is connected but not on Green Power On Off Power Off 3 Unused button This b...

Page 29: ...button on the back panel To turn off the Unit Identification LED when the LED is on push the Unit Identification Button 6 Unit Identification LED The Unit Identification LED has the following states Off System power is off the system ID button has not been pushed and there is no fault assertion condition the system cover is on the device and there is no fault condition Flashing Blue When the syste...

Page 30: ...gnments and interface signals for the serial port connector Pin numbering proceeds bottom to top and right to left as illustrated 149999 1 2 2 1 Gb 1 9 8 7 2 3 4 5 6 No Description 1 AC power receptacle 2 Mouse connector not supported Do not use 3 USB connectors not supported Do not use 4 Serial connector see Figure 1 3 5 Video connector not supported Do not use 6 RJ 45 Fast Ethernet connector wit...

Page 31: ... and 1000BASE TX Ethernet standards Each NIC is configured to automatically detect the speed and duplex mode of the network Network Cable Requirements Pin Signal I O Definition 1 DCD I Data carrier detect 2 SIN I Serial input 3 SOUT O Serial output 4 DTR O Data terminal ready 5 GND N A Signal ground 6 DSR I Data set ready 7 RTS O Request to send 8 CTS I Clear to send 9 RI I Ring indicator Shell N ...

Page 32: ... of the UTP cable into the Ethernet connector until the plug snaps securely into place Connect the other end of the cable to an RJ 45 port on a hub or other device depending on your network configuration Observe the following cabling restrictions for 10BASE T 100BASE TX and 1000BASE TX networks For 10BASE T networks use Category 3 or greater wiring and connectors For 100BASE TX and 1000BASE TX net...

Page 33: ...sibly damage the system and components You should observe the following safety guidelines when working with any equipment that connects to electrical power or telephone wiring They can help you avoid injuring yourself or damaging the ACS SE Note The English warnings in this document are followed by a statement number To see the translations of a warning into other languages look up its statement n...

Page 34: ...TIONAL Statement 1005 Warning There is the danger of explosion if the battery is replaced incorrectly Replace the battery only with the same or equivalent type recommended by the manufacturer Dispose of used batteries according to the manufacturer s instructions Statement 1015 Warning This unit is intended for installation in restricted access areas A restricted access area can be accessed only th...

Page 35: ...rician if you are uncertain that suitable grounding is available Statement 1024 Warning This unit might have more than one power supply connection All connections must be removed to de energize the unit Statement 1028 Warning Blank faceplates and cover panels serve three important functions they prevent exposure to hazardous voltages and currents inside the chassis they contain electromagnetic int...

Page 36: ...orking on equipment powered by electricity If any of the following conditions occurs contact the Cisco Technical Assistance Center The power cable or plug is damaged An object has fallen into the product The product has been exposed to water The product has been dropped or damaged The product does not operate correctly when you follow the operating instructions Use the correct external power sourc...

Page 37: ...ischarge ESD When unpacking a static sensitive component from its shipping carton do not remove the component from the antistatic packing material until you are ready to install the component in your computer Just before unwrapping the antistatic packaging ensure that you discharge static electricity from your body When transporting a sensitive component first place it in an antistatic container o...

Page 38: ...equipment failure Ensure that the chassis cover is secure The chassis allows cooling air to flow effectively within it An open chassis allows air leaks which could interrupt and redirect the flow of cooling air from internal components Electrical equipment generates heat Ambient air temperature might not be adequate to cool equipment to acceptable operating temperatures without adequate circulatio...

Page 39: ...ity AC Power Ensure that the plug socket combination is accessible at all times because it serves as the main disconnecting device For the ACS SE power requirements see Appendix A Technical Specifications for the Cisco 1113 Warning This product requires short circuit overcurrent protection to be provided as part of the building installation Install only in accordance with national and local wiring...

Page 40: ...the following precautions for rack stability and safety Also refer to the rack installation documentation accompanying the rack for specific warning and caution statements and procedures Note Component refers to any server storage system or appliance and to various peripherals or supporting hardware Do not move large racks by yourself Due to the height and weight of the rack a minimum of two peopl...

Page 41: ...03 Chapter 2 Preparing for Installation Required Tools and Equipment Required Tools and Equipment You need the following tools and equipment to install the ACS SE Number 2 Phillips head screwdriver Tape measure and level Antistatic mat or antistatic foam ESD grounding strap ...

Page 42: ...2 10 Installation Guide for Cisco Secure ACS Solution Engine 4 1 OL 9969 03 Chapter 2 Preparing for Installation Required Tools and Equipment ...

Page 43: ... to the CSACSE 1113 K9 platform only Installation Quick Reference Table 3 1 provides a high level overview of the installation and initial configuration process Following installation and initial configuration see the User Guide for Cisco Secure ACS for information on how to use a browser and the web interface to fully configure your ACS SE to provide the AAA services that you want from this insta...

Page 44: ... I CSA C22 1 Other countries If local and national electrical codes are not available see IEC 364 Part 1 through Part 7 Do not work alone under potentially hazardous conditions Do not perform any action that creates a potential hazard to people or makes the equipment unsafe Do not attempt to install the ACS SE in a rack that has not been securely anchored in place Damage to the system and personal...

Page 45: ...ack Rail Components To install the Cisco 1113 in a rack 1 Attach the chassis rail mount to the chassis see Attaching the Chassis Rail Mount page 3 3 2 Attach the server rail to the rack assembly see Attaching the Server Rail page 3 6 3 Slide the chassis on to the rack assembly see Sliding Chassis On the Rack page 3 8 Attaching the Chassis Rail Mount You must first remove the chassis rail mount sec...

Page 46: ...gure 3 2 Removing the Chassis Rail Mount Step 2 See Figure 3 3 Slide the white tab 1 in the direction of its arrow and slide out the chassis rail mount part Set it aside for attaching to the chassis in the next step Figure 3 3 Sliding the Chassis Rail Mount Release Tab Step 3 Align the holes in the chassis rail mount to the pegs on the chassis 1 and 2 in Figure 3 4 1 2 3 154629 1 154625 ...

Page 47: ...olution Engine 4 1 Installing the Cisco 1113 in a Rack Figure 3 4 Positioning Chassis Rail Mount on Chassis Step 4 See Figure 3 5 Align the holes 1 and then slide the rail until it locks into place 2 Figure 3 5 Attaching Chassis Rail Mount to Chassis Figure 3 6 shows the chassis rail mount locked into place 1 2 154618 154621 1 1 2 ...

Page 48: ...ure 3 6 Chassis Rail Mount in Locked Position Attaching the Server Rail Now that you have mounted the chassis rail mount retract the server rail that you previously extended and then attach it to the rack If you have already retracted the server rail go to step 2 Procedure Step 1 To retract the arm of the server rail push the tab shown in Figure 3 7 Then slide the arm back in 2 154620 1 ...

Page 49: ...S Solution Engine 4 1 Installing the Cisco 1113 in a Rack Figure 3 7 Retracting the Server Rail Step 2 Attach the server rail to the rack as shown in the figure that corresponds to your rack For a square peg rack see Figure 3 8 For a circular peg rack see Figure 3 9 Figure 3 8 Attaching Rail to a Square Peg Rack 1 154617 154622 ...

Page 50: ...ocess with the other rail and rack assembly Note Leaving some play between the bracket and the rail until you install the rail into the rack will make affixing the rail to the rack easier After the rail is attached to the rack you can tighten the screws Sliding Chassis On the Rack Step 1 See Figure 3 10 On the chassis rail mount slide and hold the purple tab in the direction of the arrow This allo...

Page 51: ...s on the building s installation for short circuit overcurrent protection Ensure that you use a fuse or circuit breaker no larger than 120 VAC 15A U S CAN 240 VAC 10A INTERNATIONAL Statement 1005 Connecting to the AC Power Source Warning This equipment must be grounded Never defeat the ground conductor or operate the equipment in the absence of a suitably installed ground conductor Contact the app...

Page 52: ... 3 10 Configuring ACS SE page 3 11 Verifying the Initial Configuration page 3 15 Note You perform the fourth and final part of the configuration which includes providing AAA services by establishing administrative and user accounts and configuring network connections from the web interface See User Guide for Cisco Secure ACS for more information Establishing a Serial Console Connection Before you ...

Page 53: ...for the first time and whenever you re image the system Before you begin to configure the solution engine you should have the following information Network hostname of the solution engine DNS domain name Administrator name and password Database password Whether you will enable DHCP enabling DHCP is not recommended IP netmask and gateway addresses you will assign to the ACS SE Whether you will be u...

Page 54: ...sole Initialize Appliance Machine will be rebooted after initialization Entering Ctrl C before setting appliance name will shutdown the appliance Step 5 At the ACS Appliance name deliverance1 prompt type the name that you intend to use for your ACS SE and then press Enter Tip The name can contain up to 15 letters and numbers but no spaces Result The system displays the following message on the con...

Page 55: ... database password and press Enter Note The new password must contain a minimum of 6 characters and it must include a mix of at least three character types uppercase letters lowercase letters digits and special characters Each of the following examples is acceptable 1PaSsWoRd password44 Pass word Step 11 At the Enter new password again prompt type the new database password and then press Enter Res...

Page 56: ...k value and then press Enter c At the Default Gateway xx xx xx xx prompt type the default gateway value and then press Enter d At the DNS Servers xx xx xx xx prompt type the address of any DNS servers that you intend to use separate each by a single space and then press Enter Note If you do not intend to use a DNS server enter the IP address of the ACS SE at the DNS Servers xx xx xx xx prompt If y...

Page 57: ...t the Enter desired time zone index 0 for more choices prompt type the index number of the time zone that you want and then press Enter Result The system displays the new time zone Step 19 At the Synchronize with NTP server N prompt do one of the following To set the time manually type N and then press Enter To use an NTP server for setting time type Y and when prompted enter the IP address of the...

Page 58: ...trator account when prompted for one by the setup script a GUI administrator account exists However before the designated GUI administrator user can use this account you must unlock it by entering the unlock guiadmin command You can also set up an additional GUI administrator account that can access the SE To set up an initial web GUI account Step 1 Log in as the CLI administrator Step 2 If a GUI ...

Page 59: ...SE is installed and initially configured The next step is to log in using the GUI administrator account and use a browser and the web interface to fully configure your ACS SE to provide the AAA services that you want from this installation The HTML address is in the following format http ip address 2002 where ip address is the address that you assign during configuration For information on setting...

Page 60: ...3 18 Installation Guide for Cisco Secure ACS Solution Engine 4 1 OL 9969 03 Chapter 3 Installing and Configuring Cisco Secure ACS Solution Engine 4 1 Initial Configuration ...

Page 61: ...page 4 1 Working with System Data page 4 8 Reconfiguring Solution Engine System Parameters page 4 15 Patch Rollback page 4 23 Recovery Management page 4 24 Basic Command Line Administration Tasks This section details basic administrative tasks performed from a serial console connected to the ACS SE This section contains Logging In to the Solution Engine From a Serial Console page 4 2 Shutting Down...

Page 62: ...ssword has the serial connection privilege Shutting Down the Solution Engine From a Serial Console You use the serial console to shut down the ACS SE Caution Powering off the ACS SE by using only the power switch may cause the loss or corruption of data To use the serial console to shut down the ACS SE Step 1 Log in to the ACS SE For more information see Logging In to the Solution Engine From a Se...

Page 63: ...t to reboot Y N Step 3 Enter Y for yes Result The ACS SE reboots When the reboot is finished the login prompt reappears Determining the Status of Solution Engine System and Services From a Serial Console You can use the serial console connection to obtain system and service status information Note You typically perform status determination in the ACS SE web interface For more information see Deter...

Page 64: ...ng Routes If you are unfamiliar with the trace route command or want information on the command s optional arguments see the Command Reference entry tracert page C 16 To trace the network route that the ACS SE takes to a given destination Step 1 At the system prompt type tracert followed by zero 0 or more optional arguments and then the IP address of the target destination Step 2 Press Enter Resul...

Page 65: ...art when the system is rebooted To stop a service on the ACS SE Step 1 Log in to the ACS SE For more information see Logging In to the Solution Engine From a Serial Console page 4 2 Step 2 Type stop followed by a single space and the name of the ACS service that you want to stop Tip You can list more than one service to stop type a single space between each Step 3 Press Enter Result The system imm...

Page 66: ...ingle space and the name of the ACS service that you want to start Tip You can list more than one service to start type a single space between each Step 3 Press Enter Result The system immediately displays the message service name is starting Followed by the message service name is running Restarting Solution Engine Services From a Serial Console Note You typically restart solution engine services...

Page 67: ...me is running Getting Command Help From the Serial Console To obtain a list and description of commands on the ACS SE from the serial console Step 1 Log in to the ACS SE For more information see Logging In to the Solution Engine From a Serial Console page 4 2 Step 2 At the system prompt type help and then press Enter Tip Press Enter again to scroll through the list of commands as necessary Result ...

Page 68: ...synchronization ping Verify connections to remote computers reboot Soft reboot appliance restart Restart ACS services restore Restore Appliance rollback Rollback patched package set admin Set administrator s name set dbpassword Set database password set domain Set DNS domain set hostname Set appliance s hostname set ip Set IP configuration set password Set administrator s password set time Set tim...

Page 69: ...to the Solution Engine From a Serial Console page 4 2 Step 2 Type support and the arguments necessary to your purpose Step 3 Press Enter Step 4 To collect user database information at the Collect User Data prompt type Y and then press Enter Step 5 At the Enter FTP Server directory prompt enter the pathname to the location on your FTP server to which you want to send the file and then press Enter S...

Page 70: ...og names from a list Before You Begin You must have the FTP server address and pathname as well as the proper credentials for writing to the FTP server username and password Caution Performing this procedure stops and restarts all services and will interrupt use of the ACS SE To export log files to an FTP server Step 1 Log in to the ACS SE For more information see Logging In to the Solution Engine...

Page 71: ...ngine From a Serial Console page 4 2 Step 2 Type exportgroups Tip You can enter the following parameters after the command or in response to subsequent prompts server username filepath Step 3 Press Enter Result The system displays the message Command with restart CSAuth Are you sure you want to continue Caution Performing this procedure stops and restarts the CSAuth service and will interrupt use ...

Page 72: ...fter the command or in response to subsequent prompts server username filepath Step 3 Press Enter Result The system displays the message Command with restart CSAuth Are you sure you want to continue Caution Performing this procedure stops and restarts the CSAuth service and will interrupt use of the ACS SE Step 4 To proceed type Y and press Enter Step 5 At the Enter FTP Server Hostname or IP Addre...

Page 73: ...filepath Step 3 Press Enter Step 4 At the Enter FTP Server Hostname or IP Address prompt enter the FTP server IP address or hostname and press Enter Step 5 At the Enter FTP Server Directory prompt enter the FTP server pathname and press Enter Step 6 At the Enter FTP Server Username prompt enter your FTP server username and press Enter Step 7 At the Enter FTP Server Password prompt enter your FTP s...

Page 74: ... interrupts the use of the ACS SE for AAA services Caution This procedure overwrites current system data and replaces it with the backup data To restore ACS SE data from an FTP server Step 1 Log in to the ACS SE For more information see Logging In to the Solution Engine From a Serial Console page 4 2 Step 2 Type restore Tip You can enter the following parameters after the command or in response to...

Page 75: ... see a message about DCS device command sets not on the backup which is normal When completed the system displays the message Done Reconfiguring Solution Engine System Parameters This section details basic reconfiguration tasks performed from a serial console connected the ACS SE This section contains Resetting the Solution Engine Administrator Password page 4 15 Resetting the Solution Engine CLI ...

Page 76: ...ompt Enter old password Step 3 Type the password and then press Enter Result The ACS SE displays the prompt Enter new account name Step 4 Type the new account name and then press Enter Result The ACS SE displays the prompt Enter new password Step 5 Type the new password and then press Enter Note The new password must not contain the administrator account name must contain a minimum of 6 characters...

Page 77: ...name Step 1 Log in to the ACS SE For more information see Logging In to the Solution Engine From a Serial Console page 4 2 Step 2 At the system prompt enter set admin Result The ACS SE displays the Set administrator s name prompt Step 3 Type the new administrator name and then press Enter Step 4 At the Set administrator name again prompt type the administrator name again and then press Enter Resul...

Page 78: ...sult The ACS SE displays the prompt Enter new password Step 4 Type the new password and then press Enter Note The new password must not contain the administrator account name must contain a minimum of 6 characters and it must include a mix of at least 3 character types numerals special characters uppercase letters and lowercase letters Each of the following examples is acceptable 1PaSsWoRd passwor...

Page 79: ...ss Enter d At the DNS Servers xx xx xx xx prompt type the address of any DNS servers you intend to use separate each by a single space and then press Enter Result The system displays the new configuration information and the message IP Address is reconfigured Step 5 Review the information presented and at the Confirm the changes Y prompt press Enter Result The ACS SE restarts The system displays t...

Page 80: ...NTP servers Change Date Time Setting N Step 3 To set the time zone time or date type Y and then press Enter Result The system displays a list of indexed time zones and the message xx GMT xx xx XXX Time Enter desired time zone index 0 for more choices x Step 4 Enter the desired time zone index number from the time zone setting list and then press Enter Tip You can also type 0 zero and press Enter t...

Page 81: ...dex number from the time zone setting list and then press Enter Tip You can also type 0 zero and press Enter to see more time zone index numbers or simply press Enter to accept the existing time zone Result The system displays the time zone setting Step 5 At the Synchronize with NTP Server prompt type Y and then press Enter Step 6 At the Enter NTP Server IP Address es prompt enter the IP address o...

Page 82: ...ce and the domain name Step 3 Press Enter Result The system displays the confirmation message You should reboot appliance for the change to take effect Setting the Solution Engine System Hostname Caution Performing this procedure stops and restarts all services and will interrupt use of the ACS SE You can set the system hostname To set the ACS SE system hostname Step 1 Log in to the ACS SE For mor...

Page 83: ...st to identify the patch application name type rollback followed by the patch application name and then press Enter Result The system displays the confirmation message Are you sure you want to rollback patch name Y N Step 3 Type Y to continue Result The system displays a series of messages that include Rolling patch back Rollback process initiated successfully Successfully rolled back patch name t...

Page 84: ...ult during initial configuration Administrator login credentials may be reset For more information see Resetting the Solution Engine Administrator Password page 4 15 This recovery procedure entails replacing the administrator login credentials with a new account name and password To reset the administrator login credentials Step 1 Connect a console to the ACS SE console port For the location of th...

Page 85: ...h of the following examples is acceptable 1PaSsWoRd password44 Pass word Step 12 At the Enter new password again prompt type the new ACS SE password and then press Enter Result The system displays the message Password is set successfully Re imaging the Solution Engine Hard Drive Use the ACS SE Recovery CD ROM to re image the ACS SE if necessary Caution Performing this procedure destroys all data s...

Page 86: ...displaying odd characters and then displays the message The system has been reimaged successfully Please remove this recovery CD from the drive then hit RETURN to restart the system Step 6 Remove the Recovery CD from the ACS SE Step 7 Press Enter to restart the ACS SE Result The ACS SE reboots performs some configurations and reboots again The configurations that occur after the first reboot take ...

Page 87: ...os page 5 2 Upgrade Paths page 5 2 Upgrade Procedure page 5 4 Migrating from ACS for Windows to ACS SE page 5 13 Migrating ACS SE on the ACS 1111 or ACS 1112 Platform to ACS SE 4 1 on the Cisco 1113 Platform page 5 15 Upgrade Scenarios Cisco Secure ACS Solution Engine 4 1 supports the following upgrade scenarios ACS 3 x to ACS 4 1 You can upgrade ACS 3 2 x or 3 3 x ACS 3 2 1 3 2 2 3 2 3 3 3 1 3 3 ...

Page 88: ...he ACS 1113 system software use the ACS SE 4 1 Recovery CD for 1113 Note If you are upgrading on an ACS 1111 or 1112 device and need to restore the ACS 1111 or 1112 system software obtain the required recovery CD from the Cisco Technical Assistance Center TAC For information on contacting the Cisco TAC see Obtaining Technical Assistance page xviii 2 ACS SE 3 3 3 to 4 1 The ACS SE 3 3 3 to 4 1 upgr...

Page 89: ...n Upgrade Path Results 3 2 x or 3 3 x to 4 1 Full Upgrade To perform a full upgrade with data restore 1 Use the ACS SE 3 3 3 Upgrade CD For instructions on upgrading to ACS 3 3 3 see Release Notes for Cisco Secure Access Control Server Solution Engine 3 3 at http www cisco com en US docs net_mgmt cisco_secure _access_control_server_for_solution_engine 3 3 release no tes RNsol331 html 2 Use the ACS...

Page 90: ...pliance Configuration and verify that the CSA Enabled check box is not checked If it is checked uncheck the CSA Enabled check box and click Submit Step 3 If you do not already have a GUI administrator account on the ACS SE create a new GUI administrator account from the web interface a Start the web interface b Click Administration Control The Administration Control page opens c Click Add Administ...

Page 91: ...appliance as shown in Figure 5 1 Figure 5 1 Appliance Prompt d Enter the hostname or the IP address of the distribution server and then click Install The web interface starts e Log in to the web interface f Choose System Configuration Appliance Upgrade Status The Appliance Upgrade page opens as shown in Figure 5 2 Figure 5 2 Appliance Upgrade Page g Click Download The Appliance Upgrade Form page o...

Page 92: ... h Enter the IP address of the distribution server and then click Connect The Appliance Upgrade Form page opens as shown in Figure 5 4 This page lists the current appliance management software version number Figure 5 4 Appliance Upgrade Form i Click Download Now The upgrade utility downloads the upgrade image The Appliance Upgrade page opens as shown in Figure 5 5 The Appliance Versions table prov...

Page 93: ... shown in Figure 5 1 c Enter the hostname or the IP address of the distribution server and then click Install The ACS web interface starts d Log in to the web interface e Choose System Configuration Appliance Upgrade Status The Appliance Upgrade page opens as shown in Figure 5 2 f Download and install the software upgrade The steps for downloading and installing the software upgrade package are th...

Page 94: ...rom ACS SE 3 3 3 to ACS SE 4 1 This section describes the procedure for performing a full upgrade from ACS SE 3 3 3 to ACS SE 4 1 Before You Begin Make a backup of your existing data and configuration The first backup is for ensuring that you have the 3 3 3 original data backed up Caution Back up and restore are supported and tested only when done on the same version For example backup on 4 1 and ...

Page 95: ...to log in to the ACS SE from the web interface Step 4 Insert the ACS SE 4 1 Upgrade CD into the CD ROM drive on the distribution server the server from which you are performing the upgrade Step 5 Download the ACS Management Upgrade package a Open the upgrade CD b Go to the Upgrade Appliance management ACS 4 1 folder c Double click the autorun bat icon The download utility starts You are prompted t...

Page 96: ...ad The Appliance Upgrade Form page opens as shown in Figure 5 8 On this page you enter the IP address of the distribution server Figure 5 8 Appliance Upgrade Form with Text Box for the Distribution Server h Enter the IP address of the distribution server and then click Connect The Appliance Upgrade Form page opens as shown in Figure 5 9 This page lists the current version number of the appliance m...

Page 97: ...pgrade page opens as shown in Figure 5 10 The Appliance Versions table provides information about the software version Figure 5 10 Appliance Upgrade Page j Click Apply Upgrade The upgrade utility applies the management software upgrade Note This process takes several minutes The system reboots several times Step 6 Download and apply the ACS Software Upgrade package a Go to the Upgrade package soft...

Page 98: ...ckage MS Hotfixes for ACS 4 0 to 4 1 folder on the upgrade CD verify folder b Double click the autorun bat icon The download utility starts You are prompted to enter the hostname of IP address of the appliance as shown in Figure 5 1 c Enter the hostname or the IP address of the distribution server and then click Install The ACS web interface starts d Log in to the web interface e Choose System Con...

Page 99: ... the User Guide for Cisco Secure ACS 4 1 The restore command which you enter from the serial console For more information see Restoring ACS Data From the Serial Console page 4 14 Step 12 Verify that Cisco Security Agent is enabled by using one of the following features At the console enter show If the CSAgent service is not running enter start csagent In the web interface choose System Configurati...

Page 100: ...TP server The directory must be accessible from the FTP root directory ACS SE must be able to contact the FTP server Any gateway devices must permit FTP communication between the appliance and the FTP server Step 5 In the web interface for ACS 4 1 use the ACS Restore feature to restore the database For more information about restoring databases see the User Guide for Cisco Secure ACS 4 1 The ACS S...

Page 101: ...Cisco 1113 to run on the Cisco 1113 platform Step 1 Upgrade the software on a previous SE hardware platform the Cisco 1111 or the Cisco 1112 to ACS version 4 1 by using the full upgrade method For information on this method see Upgrade Procedure page 5 4 Step 2 Back up the software on the previous SE hardware platform Step 3 On the new hardware platform the Cisco 1113 platform a Install the ACS SE...

Page 102: ...de for Cisco Secure ACS Solution Engine 4 1 OL 9969 03 Chapter 5 Upgrading and Migrating to Cisco Secure ACS Solution Engine 4 1 Migrating ACS SE on the ACS 1111 or ACS 1112 Platform to ACS SE 4 1 on the Cisco 1113 Platform ...

Page 103: ...ry kits Power supply output 445 W steady state Maximum power consumption 275 W AC input current maximum 6 5 A AC input power maximum 0 507 kVA Maximum input power 482 VA Mean time before failure MTBF 41 000 hours at 40 C Operating temperature range 0 C to 40 C Shipping temperature range 40 to 65 C Operating relative humidity 80 noncondensing at 40 C Nonoperating relative humidity 80 noncondensing ...

Page 104: ...Chipset Intel E7230 Mukilteo MCH DVD ROM QSI DVD ROM Combo 1 The latest Cisco ACS 1113 appliances contain a 160 GB or 250 GB hard disk drive the older Cisco ACS 1113 appliances contain a 80 GB hard disk drive These appliances support high availability HA deployments You can deploy any combination of 80 GB 160 GB or 250 GB appliances in your HA deployments Table A 1 ACS SE Technical Specifications ...

Page 105: ... ACS SE Service Name Description COM Event System Provides automatic distribution of events to subscribing COM components DHCP Client Manages network configuration by registering and updating IP addresses and DNS names DNS Client Resolves and caches Domain Name System DNS names Event Log Logs event messages issued by programs and Windows Event Log reports contain information that can be useful in ...

Page 106: ...gement information Windows Management Instrumentation Driver Extensions Provides systems management information to and from drivers Table B 1 Operating System Services Automatically Run by ACS SE continued Service Name Description Table B 2 Disabled Operating System Services in ACS SE Service Name Description Alerter Notifies selected users and computers of administrative alerts Application Manage...

Page 107: ...er Generates session keys and grants service tickets for mutual client server authentication Logical Disk Manager Administrative Service Performs administrative service for disk management requests Messenger Sends and receives messages transmitted by administrators or by the Alerter service Net Logon Supports pass through authentication of account logon events for computers in a domain NetMeeting ...

Page 108: ...rvice and NetBIOS name resolution Telephony API TAPI Provides Telephony API TAPI support for programs that control telephony devices and IP based voice connections on the local computer and through the LAN on servers that are also running the service Terminal Services Provides a multisession environment that allows client devices to access a virtual Windows 2000 Professional desktop session and Wi...

Page 109: ...ination c or Ctrl c means hold down the Ctrl key while you press the c key A string is defined as a nonquoted set of characters Do not confuse the ACS SE CLI with the IOS CLI Though they are similar they are not identical Command Privileges Access to CLI commands on the ACS SE is limited to those who physically connect via the console port and who possess the proper administrative credentials Note...

Page 110: ... options the system displays Incomplete command Valid command but provide invalid options or parameters the system displays Invalid input In addition some commands have command specific error messages that notify you that a command is valid but that it cannot run correctly System Help You can obtain help by using the following methods For a list of all commands and their syntax enter help and then...

Page 111: ...sitive add guiadmin To add a GUI account that a remote user can use to access the ACS web GUI use the add guiadmin command add guiadmin admin password Syntax Description admin User name for the GUI account password Password for the GUI account Usage Guidelines During initial installation you are prompted to set up a GUI administration account that remote users can use to access and configure the A...

Page 112: ...n the onyx FTP server Recommended Action backup onyx joeadmin backupdata download To download an upgrade image to the ACS SE use the download command Executing the download command establishes contact with the system specified retrieves the manifest file from that system and automatically downloads the upgrade image to the ACS SE The syntax is download hostAddress Syntax Description hostAddress Th...

Page 113: ...o which the group list will be sent Usage Guidelines If you do not enter the parameters the system prompts you for the information Example The following command employs the user account joeadmin to send a list of user groups to the groupdata folder on the diamond FTP server exportgroups diamond joeadmin groupdata exportlogs To list and send selected logs to an FTP server use the exportlog command ...

Page 114: ...ription server Hostname for the FTP server to which the file will be sent username User account name used to authenticate the FTP session filepath Location under the FTP root for the server into which the users list will be sent Usage Guidelines If you do not enter the parameters the system prompts you for the information Example The following command employs the user account joeadmin to send a li...

Page 115: ...or the GUI account password Password for the GUI account Usage Guidelines During initial installation the setup script prompts the installer to set up a GUI administration account that remote users can use to access and configure the ACS solution engine A GUI administrator account can also be added by using the add guiadmin command GUI administrator accounts are not usable until they have been unl...

Page 116: ...tics and continue type Ctl Break To stop type Ctl C a Resolve addresses to hostnames n count Number of echo requests to send l size Send buffer size f Set Don t Fragment flag in packet i TTL Time To Live v TOS Type Of Service r count Record route for count hops s count Timestamp for count hops j host list Loose source route along host list k host list Strict source route along host list w timeout ...

Page 117: ...ata Reply from 10 19 253 228 bytes 32 time 130ms TTL 120 Reply from 10 19 253 228 bytes 32 time 140ms TTL 120 Reply from 10 19 253 228 bytes 32 time 140ms TTL 120 Reply from 10 19 253 228 bytes 32 time 140ms TTL 120 Reply from 10 19 253 228 bytes 32 time 130ms TTL 120 Reply from 10 19 253 228 bytes 32 time 130ms TTL 120 Ping statistics for 10 19 253 228 Packets Sent 6 Received 6 Lost 0 0 loss Appr...

Page 118: ...e To restore ACS data from an FTP server use the restore command restore server username filepath filename Syntax Description Usage Guidelines If you do not enter the parameters the system prompts you for the information Also you will be prompted to enter a decrypt password and you will be prompted to restore the user or group database and the ACS system configuration Example The following command...

Page 119: ...d directories restoring a specified list of Registry entries and starting all ACS services once again Example The following command executes the program remvptch4 and returns the system to the state that existed before the patch program was applied rollback remvptch4 set admin To set the name of the ACS SE administrator use the set admin command set admin administratorname Syntax Description admin...

Page 120: ...xample The following command initiates the database password setting procedure set dbpassword set domain To set the DNS domain of the ACS SE use the set domain command set domain domain name Syntax Description domain name Name of DNS domain Example This command sets the domain name to xyz com set domain xyz com set hostname To set the hostname of the ACS SE use the set hostname command set hostnam...

Page 121: ...et password Syntax Description This command has no arguments or keywords Usage Guidelines Use the set password command to begin resetting the administrator s password Subsequent prompts take you through the process For more information see Resetting the Solution Engine Administrator Password page 4 15 Example The following command initiates the password setting procedure set password set time To s...

Page 122: ...he set timeout command set timeout minutes Syntax Description This command has a single argument the number of minutes before timing out If you enter the command with no argument the system prompts you for a value in minutes Example The following command establishes a serial console timeout after10 minutes set timeout 10 show To show the version of the ACS SE system load status ACS service status ...

Page 123: ...tarts the CSAuth and CSAgent services restart csauth csagent stop To stop one or more of the ACS services use the stop command stop service name s Note Services subject to this command are halted until restarted which may interfere with AAA services Note When you stop the CSAgent service not only does the ACS SE stop CSAgent but it also changes the startup type to manual This action has the effect...

Page 124: ...ch means that AAA services are interrupted Example The following command packages logs from the past 3 days together with user database information and sends it to the FTP server on the machine host as diagdir diag cab where the user will be prompted for the password to the sammy account on the FTP server support d3 u ftp host diagdir diag cab sammy tracert To display the network route to a specif...

Page 125: ...jce wbb gw1 cisco com 10 18 255 1 4 60 ms 70 ms 60 ms sjce rbb gw1 cisco com 171 69 7 233 5 71 ms 70 ms 60 ms sjce sbb1 gw1 cisco com 171 69 14 34 6 80 ms 51 ms 70 ms sjck as gw2 cisco com 171 69 14 246 7 60 ms 90 ms 80 ms sj frame 1 cisco com 171 70 192 54 8 150 ms 180 ms 161 ms 10 19 253 225 9 141 ms 160 ms 170 ms 10 19 253 228 Trace complete Argument Description d Do not resolve addresses to ho...

Page 126: ...ounts by using the add guiadmin command These accounts are not usable until they are unlocked by using the unlock guidamin command And if a GUI administrator account has been locked using the lock guiadmin command you can use the unlock guiadmin command to unlock the account Example The following command unlocks a GUI administrator account joeadmin with the password joltinjoe unlock guiadmin joead...

Page 127: ...allation 3 10 command reference C 1 CLI conventions C 1 command privileges C 1 syntax checking C 2 system help C 2 configuration initial 3 10 initial procedure 3 11 verifying 3 15 context diagram 1 2 conventions command line interface C 1 creating a safe environment 2 7 CSagent 4 23 D dbpassword set database password command C 11 description ACS Appliance 1 1 download command C 4 E electrostatic d...

Page 128: ...for 2 8 safety 2 1 site preparation 2 6 tools and equipment required 2 9 IP address reconfiguring 4 18 L LAN options precautions for 2 8 logging off 4 3 logging on 4 2 login credentials characteristics 4 24 logs obtaining support 4 9 M migrating from Windows 5 13 modems precautions for 2 8 N NIC connecting cables 3 10 ntpsync command C 7 P password recovering from loss of 4 24 resetting 4 16 4 17 ...

Page 129: ...4 1 system domain setting 4 22 T technical specifications A 1 telecommunications precautions for 2 8 temperature operating A 1 time and date setting 4 20 time and date setting with NTP 4 20 timeout setting manually 4 21 turning on the WLSE 3 10 U upgrade command C 18 upgrading the ACS Appliance 5 1 W warnings AC power disconnection 2 2 battery handling 2 2 circuit breaker 2 2 comply with electrica...

Page 130: ...Index IN 4 Installation Guide for Cisco Secure ACS Solution Engine 4 1 OL 9969 03 ...