Chapter 12. Reports and Logging for Windows Server


ACS Reports

ACS has the capability to provide you, the network administrator, with a number of report logs and can give you information about Remote Authentication Dial-In User Service (RADIUS) interaction with authentication, authorization, and accounting (AAA) clients, TACACS+ interaction with AAA clients, and many other aspects of your AAA environment. You can see a list of these reports in the ACS interface by selecting the Reports and Activity page. Your display is seen in Figure 12-1.



Figure 12-1. Reports and Activity






The numerous types of reports that ACS is capable of maintaining are stored as either comma-separated value (CSV) files or perhaps as a dynamic report that is not stored at all. These CSV files make it easy to import into other programs that generate custom reports, such as Microsoft Excel or Microsoft Access. Although these are stored as CSV files on the ACS, you can view them in the HTML interface in the form of a web page with tables.

Some of the reports need to interact with accounting configurations on an AAA client while others use information gathered by ACS. Some reports keep track of failed authentication and authorization attempts, while others track the users that have been administratively disabled in ACS.

Each of the report logs in the following list can be viewed in the ACS HTML interface, downloaded and viewed in a text editor such as Notepad, or even imported into other programs that are used for custom reporting. If you have access to the file system of the ACS server, you can find them in the following directory locations:

TACACS+ Accounting Reports: Program Files\CiscoSecure ACS vx.x\Logs\TACACS+Accounting

TACACS+ Admin Accounting Reports: Program Files\CiscoSecure ACS vx.x\Logs\TACACS+Administration

RADIUS Accounting Reports: Program Files\CiscoSecure ACS vx.x\Logs\RADIUS Accounting

VOIP Accounting Reports: Program Files\CiscoSecure ACS vx.x\Logs\VoIP Accounting

Passed Authentications Reports: Program Files\CiscoSecure ACS vx.x\Logs\Passed Authentications

Failed Attempts Reports: Program Files\CiscoSecure ACS vx.x\Logs\Failed Attempts

ACS Backup And Restore: Program Files\CiscoSecure ACS vx.x\Logs\Backup and Restore

RDBMS Synchronization: Program Files\CiscoSecure ACS vx.x\Logs\DbSync

Database Replication: Program Files\CiscoSecure ACS vx.x\Logs\DBReplicate

Administration Audit: Program Files\CiscoSecure ACS vx.x\Logs\AdminAudit

User Password Changes: Program Files\CiscoSecure ACS vx.x\CSAuth\PasswordLogs

ACS Service Monitoring: Program Files\CiscoSecure ACS vx.x\Logs\ServiceMonitoring

If you don't want to view the report log files that ACS creates in CSV format, you might choose to use the Open Database Connectivity (ODBC)-compliant relational database form of reporting and logging. This allows ACS to send report log information directly to an ODBC-compliant relational database such as SQL or Crystal Reports. Once in SQL or Crystal Reports, you have the ability to create a much more customized report based on any criteria on which you want to gather information. When this method is used, ACS still creates the local CSV files, and you can still view reports in the ACS HTML interface.



Logging Attributes in ACS Reports

When using ACS, you can see special attributes in the ACS reports. These special attributes are designed to give the administrator more information that would not normally be seen in an accounting log on an AAA server. These attributes are special because they are derived from the ACS configuration that you create. These attributes include the following:

User-Defined Attributes

Access Device

Network Device Group

Device Command Set

Filter Information

ExtDB Info

These logging attributes are discussed in greater detail in the next few sections.



NOTE

All attributes for the user are based on the group of which that user is a member. This might be a specific group, or it could be a generic group based on the unknown user authentication policy. The Unknown User Policy is discussed in Chapter 11, "System Configuration."



User-Defined Attributes

User attributes appear in the attributes list for any log configuration page that includes information about the user. The default text box labels are Real Name, Description, User Field 3, 4, and 5 from the user configuration page. Remember that you can change these values to appear with information that is relevant to your users.

To configure user-defined attributes fields, follow these steps:

Step 1. Select Interface Configuration.

Step 2. Choose User Attributes.

Step 3. From the User Attributes configuration page, enter the attribute field labels as you want them to appear. This is seen in Figure 12-2. Note that this action dictates only how these attribute field labels appear in the user configuration page; you still need to enter the individual user attributes in each profile.



Figure 12-2. Configuring User-Defined Fields




When a user authenticates, these "user-defined" attributes are entered into the report to give you additional information. In Figure 12-3, you can see the attributes as they appear in User Setup, and in Figure 12-4, you can see how they appear in the Passed Authentications report.



Figure 12-3. User Attributes in User Setup






Figure 12-4. User-Defined Attributes in the Passed Authentications Report






Access Device

The Access Device attribute is an attribute that reflects the name of the AAA client configuration that is sending logging information to ACS. When AAA clients perform a transaction with ACS, the AAA client includes information for authentication to ACS. This is done using a shared secret key. All this information is located in Network Configuration and can be seen in Figure 12-5.



Figure 12-5. Network Configuration






This information is used by ACS to match an AAA client configuration from the list of AAA clients in the Network Configuration page. When a match is found, ACS uses this to log the AAA Client Configuration entry to its report log. This can be seen in Figure 12-6. Notice that the Key entry field has the same name in its entry as the entry found in Figure 12-5.



Figure 12-6. Access Device in the Passed Authentications Report






Network Device Group

The Network Device Group attribute indicates the name of the Network Device Group of which the AAA client is a member. When a user authenticates through different AAA clients, each AAA client is possibly going to be a member of a network device group, depending on your network configuration. In the previous section on the Access Device attribute, you can see that in Figure 12-5 the vms access device is not a member of a Network Device Group. In Figure 12-6, you see that the Network Device Group field in the Passed Authentications log is blank. Adding the vms access device to a Network Device Group causes the additional information to be logged to the ACS report. You can see the result in Figure 12-7.



Figure 12-7. Network Device Attribute in the Passed Authentications Report
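The CSV reports and the Access Device and Network Device Group attributes described above lend themselves to scripted review. The following is an added example, not code from the original chapter or from Cisco: it summarizes a Failed Attempts style CSV per user and per access device and lists access devices whose Network Device Group field is blank. The column headers, the failure-code text, and the sample rows are assumptions constructed for illustration; adjust the header names to the attributes your ACS log actually records.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of a Failed Attempts CSV report. The column
# names are assumptions; match them to the attributes selected in your log.
SAMPLE_CSV = """Date,Time,User-Name,Authen-Failure-Code,Access Device,Network Device Group
03/14/2004,09:01:12,jsmith,CS password invalid,vms,
03/14/2004,09:01:20,jsmith,CS password invalid,vms,
03/14/2004,09:01:31,jsmith,CS password invalid,vms,
03/14/2004,09:05:02,adoe,CS user unknown,core-rtr1,Routers
03/14/2004,09:07:45,bwong,CS password invalid,core-rtr1,Routers
"""


def summarize_failed_attempts(csv_file, threshold=3):
    """Return (users at or over threshold, failures per device, devices with blank NDG)."""
    per_user = Counter()
    per_device = Counter()
    ungrouped = set()
    for row in csv.DictReader(csv_file):
        # Missing columns or empty cells are treated as blank values.
        user = (row.get("User-Name") or "").strip()
        device = (row.get("Access Device") or "").strip()
        group = (row.get("Network Device Group") or "").strip()
        if user:
            per_user[user] += 1
        if device:
            per_device[device] += 1
            # A blank group means the AAA client is not in any Network Device Group.
            if not group:
                ungrouped.add(device)
    noisy = {u: n for u, n in per_user.items() if n >= threshold}
    return noisy, dict(per_device), sorted(ungrouped)


if __name__ == "__main__":
    noisy, per_device, ungrouped = summarize_failed_attempts(io.StringIO(SAMPLE_CSV))
    print("Users at or over threshold:", noisy)
    print("Failures per access device:", per_device)
    print("Access devices with no Network Device Group:", ungrouped)
```

To run it against a real report, pass a file object opened with `newline=""` on a copy of the CSV from the Failed Attempts log directory instead of the embedded sample.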






Device Command Set

The purpose of the Device Command Set attribute is to indicate the name of the command authorization set that was used to fulfill a command authorization request. If a command authorization is passed, you will not see the name of the command authorization set in a log file. If a command authorization attempt fails, you will see the name of the command authorization set that caused the failure, as well as information such as the reason for the failure.


