13-2
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 13 Managing Reports
Catalog—Monitoring & Reports > Reports > Catalog > <report_type>
For easy access, you can add reports to your Favorites page, from which you can customize and delete
reports. You can customize the reports that must be shared within your group and add them to the Shared
page. The Catalog pages provide a rich set of reports on log, diagnostic, and troubleshooting data
retrieved from the ACS servers in your deployment.
The reports that reside in these pages can be:
- System reports—Preconfigured with the ACS software; you can view the list of system reports in
  the Reports > Catalog pages.
- Customized reports—System reports that you have configured and saved (see Customizing Reports,
  page 13-20).
Note: Performance of reports in Internet Explorer (IE) 7.0 is slow because of a phishing filter, which is a new
feature in IE 7.0. To resolve this issue, you must get the latest security updates from Microsoft. For more
information on this, go to http://support.microsoft.com/kb/928089/.
In addition, ACS 5.3 introduces the Dynamic Change of Authorization (CoA) feature through a new
report, the RADIUS Active Sessions report, which allows you to dynamically control active RADIUS
sessions. With this feature, you can send a reauthenticate or disconnect request to a NAD to:
- Troubleshoot issues related to authentication—You can use the Disconnect:None option to follow
  up with an attempt to reauthenticate.
  You must not use the disconnect option to restrict access. To restrict access, use the shutdown option.
- Block a problematic host—You can use the Disconnect:Port Disable option to block an infected host
  that sends a lot of traffic over the network.
  The RADIUS protocol currently does not support a method for re-enabling a port that is shut down.
- Force endpoints to reacquire IP addresses—You can use the Disconnect:Port Bounce option for
  endpoints that do not have a supplicant or client to generate a DHCP request after VLAN change.
- Push an updated authorization policy to an endpoint—You can use the Re-Auth option to enforce an
  updated policy configuration, such as a change in the authorization policy on existing sessions based
  on the administrator’s discretion.
  For example, if posture validation is enabled, when an endpoint gains access initially, it is usually
  quarantined. After the endpoint’s identity and posture are known, it is possible to send the CoA
  Re-Auth command to the endpoint so that the endpoint acquires the actual authorization policy based
  on its posture.
Legacy NAS devices do not support the CoA feature. Cisco plans to support CoA in all its devices as
part of the NPF program.
Note: For the CoA commands to be understood correctly by the device, it is important that you configure the
options appropriately.
For the CoA feature to work properly, you must configure in ACS the shared secret of each and every
device for which you want to dynamically change the authorization. ACS uses the shared secret
configuration, both for requesting access from the device and for issuing CoA commands to it.
See Changing Authorization and Disconnecting Active RADIUS Sessions, page 13-18 for more
information.