Administrative Tasks
This chapter describes administrative tasks to perform with WCS. These tasks include the following:
•Running Background Tasks (such as database cleanup, location server synchronization, network audit, server backup)
•Turning Password Rules On or Off
•Performing Data Management Tasks
Running Background Tasks
Choose Administration > Background Tasks to view the scheduled tasks. The Background Tasks window appears (see Figure 15-1).
Figure 15-1 Background Tasks Window
You can view the administrative and operating status, task interval, and time of day in which the task occurs. To execute a particular task, click the check box of the desired task and choose Execute Now from the Select a command drop-down menu. The task executes based on what you have configured for the specific task.
Performing a Task
Follow these steps to perform a task (such as scheduling an automatic backup of the WCS database).
Note All tasks related to collecting data, and any other background tasks, are handled in a similar manner.
Step 1 Choose Administration > Background Tasks to display the Background Tasks page (see Figure 15-1).
Step 2 On this window, perform one of the following:
•Execute the task now.
Click the check box of the task you want to execute. From the Select a command drop-down menu, choose Execute Now and click GO.
•Enable the task.
Click the check box of the task you want to enable. From the Select a command drop-down menu, choose Enable Collection and click GO. The task converts from grayed out to active after enabling is complete.
•Disable the task.
Click the check box of the task you want to disable. From the Select a command drop-down menu, choose Disable Collection and click GO. The task is grayed out after the disabling is complete.
•View details of a task.
Click a URL in the Data Set column to view a specific task. The details on that task appear (see Figure 15-2).
Note For this example, performing a WCS server backup was selected as the task. The screens and fields to enter on the detailed screens vary based on what task you choose.
Figure 15-2 Detailed Background Task Window
Step 3 Check the Admin Status check box to enable it.
Step 4 In the Max Backups to Keep field, enter the maximum number of backup files to be saved on the server.
Range: 7 to 50
Default: 7
Note To prevent the WCS platform from running out of disk space, the server automatically deletes old backup files when the number of files exceeds the value entered for this field.
Step 5 In the Interval (Days) field, enter the number of days between each backup. For example, 1 = a daily backup, 2 = a backup every other day, 7 = a weekly backup, and so on.
Range: 1 to 360
Default: 7
Step 6 In the Time of Day field, enter the backup start time. It must be in this format: hh:mm AM/PM (for example: 03:00 AM).
Note Backing up a large database affects the performance of the WCS server. Therefore, Cisco recommends that you schedule backups to run when the WCS server is idle (such as in the middle of the night).
Step 7 Click Submit to save your settings. The backup file is saved as a .zip file in the ftp-install-dir/ftp-server/root/WCSBackup directory using this format: dd-mmm-yy_hh-mm-ss.zip (for example, 11-Nov-05_10-30-00.zip).
Importing Tasks Into ACS
To import tasks into a Cisco Secure ACS server, you must add WCS to an ACS server (or non-Cisco ACS server).
Adding WCS to an ACS Server
Follow these steps to add WCS to an ACS server.
Note The instructions and illustrations in this section pertain to ACS version 4.1 and may vary slightly for other versions or other vendor types. Refer to the CiscoSecure ACS documentation or the documentation for the vendor you are using.
Step 1 Click Add Entry on the Network Configuration window of the ACS server (see Figure 15-3).
Figure 15-3 ACS Server Network Configuration Window
Step 2 In the AAA Client Hostname field, enter the WCS hostname.
Step 3 Enter the WCS IP address into the AAA Client IP Address field.
Step 4 In the Key field, enter the shared secret that you wish to configure on both the WCS and ACS servers.
Step 5 Choose TACACS+ in the Authenticate Using drop-down menu.
Step 6 Click Submit + Apply.
Adding WCS as a TACACS+ Server
Follow these steps to add WCS to a TACACS+ server.
Step 1 Go to the TACACS+ (Cisco IOS) Interface Configuration window (see Figure 15-4).
Figure 15-4 TACACS+ Cisco IOS Interface Configuration Window
Step 2 In the New Services portion of the window, add Wireless-WCS in the Service column heading.
Step 3 Enter HTTP in the Protocol column heading.
Note HTTP must be in uppercase.
Step 4 Click the check box in front of these entries to enable the new service and protocol.
Step 5 Click Submit.
Adding WCS UserGroups into ACS for TACACS+
Follow these steps to add WCS UserGroups into an ACS Server for use with TACACS+ servers.
Step 1 Log into WCS.
Step 2 Navigate to Administration > AAA > Groups. The All Groups window appears (see Figure 15-5).
Figure 15-5 All Groups Window
Step 3 Click the Task List URL (in the Export column, the right-most column) of the User Group that you wish to add to ACS. The Export Task List window appears (see Figure 15-6).
Figure 15-6 Export Task List Window
Step 4 Highlight the text inside of the TACACS+ Custom Attributes, go to your browser's menu, and choose Edit > Copy.
Step 5 Log in to ACS.
Step 6 Go to Group Setup. The Group Setup window appears (see Figure 15-7).
Figure 15-7 Group Setup Window on ACS Server
Step 7 Choose which group to use and click Edit Settings. Wireless-WCS HTTP appears in the TACACS+ setting.
Step 8 Use your browser's Edit > Paste sequence to place the TACACS+ custom attributes from WCS into this field.
Step 9 Click the checkboxes to enable these attributes.
Step 10 Click Submit + Restart.
You can now associate ACS users with this ACS group.
Note To enable TACACS+ in WCS, refer to the "Configuring TACACS+ Servers" section.
Adding WCS to ACS server for use with RADIUS
Follow these steps to add WCS to an ACS server for use with RADIUS servers. If you have a non-Cisco ACS server, refer to the "Adding WCS to a non-Cisco ACS server for use with RADIUS" section.
Step 1 Go to Network Configuration on the ACS server (see Figure 15-8).
Figure 15-8 Network Configuration Window on ACS Server
Step 2 Click Add Entry.
Step 3 In the AAA Client Hostname field, enter the WCS hostname.
Step 4 In the AAA Client IP Address field, enter the WCS IP address.
Step 5 In the Key field, enter the shared secret that you wish to configure on both the WCS and ACS servers.
Step 6 Choose RADIUS (Cisco IOS/PIX 6.0) from the Authenticate Using drop-down menu.
Step 7 Click Submit + Apply.
You can now associate ACS users with this ACS group.
Note To enable RADIUS in WCS, refer to the "Configuring RADIUS Servers" section.
Adding WCS UserGroups into ACS for RADIUS
Follow these steps to add WCS UserGroups into an ACS Server for use with RADIUS servers.
Step 1 Log into WCS.
Step 2 Navigate to Administration > AAA > Groups. The All Groups window appears (see Figure 15-9).
Figure 15-9 All Groups Window
Step 3 Click the Task List URL (in the Export column, the right-most column) of the User Group that you wish to add to ACS. The Export Task List window appears (see Figure 15-10).
Figure 15-10 Export Task List Window
Step 4 Highlight the text inside of the RADIUS Custom Attributes, go to your browser's menu, and choose Edit > Copy.
Step 5 Log in to ACS.
Step 6 Go to Group Setup. The Group Setup window appears (see Figure 15-11).
Figure 15-11 Group Setup Window on ACS Server
Step 7 Choose which group to use and click Edit Settings. Find [009\001]cisco-av-pair under Cisco IOS/PIX 6.x RADIUS Attributes.
Step 8 Use your browser's Edit > Paste sequence to place the RADIUS custom attributes from WCS into this field.
Step 9 Click the checkboxes to enable these attributes.
Step 10 Click Submit + Restart.
You can now associate ACS users with this ACS group.
Note To enable RADIUS in WCS, refer to the "Configuring RADIUS Servers" section.
Adding WCS to a non-Cisco ACS server for use with RADIUS
WCS requires authorization information sent by a RADIUS server using the Vendor-Specific Attributes (IETF RADIUS attribute number 26). The VSA contains the WCS RADIUS task list information (refer to Figure 15-12).
Figure 15-12 Extracting Task List
The content of the VSA is as follows:
•Type = 26 (IETF VSA number)
•Vendor Id = 9 (Cisco vendor ID)
•Vendor Type = 1 (Custom attributes)
•Vendor Data = The WCS task information (for example Wireless-WCS: task0 = Users and Group)
Each line from the WCS RADIUS task list should be sent in its own RADIUS VSA.
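The VSA layout listed above, as an added example that is not part of the Cisco documentation: it encodes each task line as its own RFC 2865 Vendor-Specific attribute and decodes a buffer back for verification. The function names and the second sample task line are assumptions made for illustration.

```python
import struct

VENDOR_SPECIFIC = 26      # Type: IETF Vendor-Specific attribute
CISCO_VENDOR_ID = 9       # Vendor Id
CUSTOM_ATTRIBUTE = 1      # Vendor Type
MAX_DATA = 255 - 8        # one-byte attribute length minus 8 header bytes


def encode_vsa(task_line):
    """Encode one WCS task line as a single RFC 2865 Vendor-Specific attribute."""
    data = task_line.strip().encode("ascii")
    if not data:
        raise ValueError("empty task line")
    if len(data) > MAX_DATA:
        raise ValueError("task line does not fit in one VSA")
    vendor_len = 2 + len(data)        # vendor type + vendor length + data
    attr_len = 2 + 4 + vendor_len     # type + length + vendor id + sub-attribute
    header = struct.pack("!BBIBB", VENDOR_SPECIFIC, attr_len,
                         CISCO_VENDOR_ID, CUSTOM_ATTRIBUTE, vendor_len)
    return header + data


def encode_task_list(task_list):
    """Return one VSA per non-blank line of the exported task list."""
    return [encode_vsa(line) for line in task_list.splitlines() if line.strip()]


def decode_task_lines(attributes):
    """Walk a RADIUS attribute buffer and return the Cisco type-1 VSA payloads."""
    lines, pos = [], 0
    while pos < len(attributes):
        if len(attributes) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attributes[pos], attributes[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attributes):
            raise ValueError("attribute length out of bounds")
        body = attributes[pos + 2:pos + attr_len]
        if attr_type == VENDOR_SPECIFIC and len(body) >= 6:
            vendor_id, vendor_type, vendor_len = struct.unpack("!IBB", body[:6])
            if vendor_id == CISCO_VENDOR_ID and vendor_type == CUSTOM_ATTRIBUTE:
                if vendor_len != len(body) - 4:
                    raise ValueError("vendor length does not match attribute length")
                lines.append(body[6:].decode("ascii"))
        pos += attr_len
    return lines


# Constructed sample: the first line is the page's example, the second is made up.
SAMPLE_TASK_LIST = """\
Wireless-WCS: task0 = Users and Group
Wireless-WCS: task1 = Example Task
"""

if __name__ == "__main__":
    vsas = encode_task_list(SAMPLE_TASK_LIST)
    for vsa in vsas:
        print(vsa.hex())
    # Prepend an unrelated attribute (User-Name, type 1) to show it is skipped.
    print(decode_task_lines(b"\x01\x05bob" + b"".join(vsas)))
```

Comparing the decoded lines against the exported task list is a quick way to confirm that a non-Cisco RADIUS server returns exactly the authorization the WCS group grants.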
Setting AAA Mode
Follow these steps to choose a AAA mode.
Step 1 Choose Administration > AAA.
Step 2 Choose AAA Mode from the left sidebar menu. The AAA Mode Setting window appears (see Figure 15-13).
Figure 15-13 AAA Mode Settings Window
Step 3 Choose which AAA mode you want to use. Only one can be selected at a time.
Any changes to local user accounts are effective only when you are configured for local mode (the default). If you use remote authentication, changes to the credentials are made on a remote server. The two remote authentication types are RADIUS and TACACS+. RADIUS requires separate credentials for different locations (East and West Coast). TACACS+ is an effective and secure management framework with a built-in failover mechanism.
Step 4 Click the Fallback to Local check box if you want the administrator to use the local database when the external AAA server is down.
Note This option is unavailable if Local was selected as a AAA mode type.
Step 5 Click OK.
Turning Password Rules On or Off
You have the ability to customize the various password rules to meet your criteria. Follow these steps to customize the password rules.
Step 1 Choose Administration > AAA.
Step 2 From the left sidebar menu, choose Local Password Policy. The password rules are displayed individually, and each has a check box in front of it.
Step 3 Click the check boxes to enable the rules you want. The rules are as follows:
Note All rules are on by default.
•Password minimum length is 8 characters (the length is configurable).
•Password cannot contain username or the reverse of the username.
•Password cannot be cisco or ocsic (Cisco reversed).
•Root password cannot be public.
•No character can be repeated more than three times consecutively in the password.
•Password must contain characters from three of the character classes: uppercase, lowercase, digits, and special characters.
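The rules listed above, written as a checker that can pre-audit candidate passwords with any subset of rules enabled. This is an added example, not WCS code: the rule names, the `check_password` function, and the case-insensitive comparison for the username, cisco, and public rules are assumptions, since the page does not state how WCS treats case.

```python
import re
import string

# Rule identifiers are hypothetical names for the six rules on the page.
ALL_RULES = ("min_length", "contains_username", "cisco_word",
             "root_public", "repeated_char", "char_classes")


def _char_classes(password):
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(not c.isalnum() for c in password),   # special characters
    ])


def check_password(password, username, is_root=False, min_length=8,
                   enabled=ALL_RULES):
    """Return the enabled rules that the password violates (empty = compliant)."""
    pw = password.lower()        # assumption: comparisons ignore case
    user = username.lower()
    violated = {
        "min_length": len(password) < min_length,
        "contains_username": bool(user) and (user in pw or user[::-1] in pw),
        "cisco_word": pw in ("cisco", "ocsic"),
        "root_public": is_root and pw == "public",
        # "more than three times consecutively" means a run of four or more
        "repeated_char": re.search(r"(.)\1{3,}", password) is not None,
        "char_classes": _char_classes(password) < 3,
    }
    return [rule for rule in ALL_RULES if rule in enabled and violated[rule]]


if __name__ == "__main__":
    # Constructed sample inputs: (password, username, is_root)
    samples = [
        ("Str0ng!Passw", "admin", False),
        ("cisco", "admin", False),
        ("Xnimda#2024", "admin", False),
        ("Aaaaa1!xyz", "bob", False),
        ("public", "root", True),
    ]
    for password, username, is_root in samples:
        print(password, check_password(password, username, is_root))
```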
Configuring TACACS+ Servers
This section describes how to add and delete TACACS+ servers. TACACS+ servers provide an effective and secure management framework with built-in failover mechanisms. If you want to make configuration changes, you must be authenticated.
Note In order to activate TACACS+ servers, you must enable them as described in the "Importing Tasks Into ACS" section.
Step 1 Choose Administration > AAA.
Step 2 From the left sidebar menu, choose TACACS+. The TACACS+ window appears (see Figure 15-14).
Figure 15-14 TACACS+ Window
Step 3 The TACACS+ window shows the TACACS+ server's IP address, port, retransmit rate, and authentication type (Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP)). The TACACS+ servers are tried based on how they were configured.
Note If you need to change the order of how TACACS+ servers are tried, delete any irrelevant TACACS+ servers and re-add the desired ones in the preferred order.
Step 4 Use the drop-down menu in the upper right-hand corner to add or delete TACACS+ servers. You can click on an IP address if you want to make changes to the information.
Step 5 The current server address and port are displayed. Use the drop-down menu to choose either ASCII or hex shared secret format.
Step 6 Enter the TACACS+ shared secret used by your specified server.
Step 7 Re-enter the shared secret in the Confirm Shared Secret field.
Step 8 Specify the time in seconds after which the TACACS+ authentication request times out and a retransmission is attempted by the controller.
Step 9 Specify the number of retries that will be attempted.
Step 10 In the Authentication Type drop-down menu, choose a protocol: PAP or CHAP.
Step 11 Click Submit.
Configuring RADIUS Servers
This section describes how to add and delete RADIUS servers. You must enable RADIUS servers and have a template set up for them in order to make configuration changes.
Note In order to activate RADIUS servers, you must enable them as described in the "Importing Tasks Into ACS" section.
Step 1 Choose Administration > AAA.
Step 2 From the left sidebar menu, choose RADIUS. The RADIUS window appears (see Figure 15-15).
Figure 15-15 RADIUS Window
Step 3 The RADIUS window shows the server address, authentication port, retransmit timeout value, and authentication type for each RADIUS server that is configured. The RADIUS servers are tried based on how they were configured.
Note If you need to change the order of how RADIUS servers are tried, delete any irrelevant RADIUS servers, and re-add the desired ones in the preferred order.
Step 4 Use the drop-down menu in the upper right-hand corner to add or delete RADIUS servers. You can click on an IP address if you want to make changes to the information. When you click on a particular IP address, the window shown in Figure 15-16 appears.
Figure 15-16 RADIUS Server Detailed Window
Step 5 The current authentication port is displayed. Use the drop-down menu to choose either ASCII or hex shared secret format.
Step 6 Enter the RADIUS shared secret used by your specified server.
Step 7 Re-enter the shared secret in the Confirm Shared Secret field.
Step 8 Specify the time in seconds after which the RADIUS authentication request times out and a retransmission is attempted by the controller.
Step 9 Specify the number of retries that will be attempted.
Step 10 In the Authentication Type drop-down menu, choose a protocol: PAP or CHAP.
Step 11 Click Submit.
Establishing Logging Options
Use Administration > Logging to access the Administer Logging Options page. This logging function is related only to WCS logging and not syslog information. The logging for controller syslog information can be done on the Controller > Management > Syslog window.
Follow the steps below to enable email logging. The settings you establish are stored and are used by the email server.
Step 1 Choose Administration > Logging. The Logging Options menu appears (see Figure 15-17).
Figure 15-17 Logging Options Window
Step 2 Choose a message level option of Trace, Information, or Error in the General portion of the window.
Step 3 Click the check boxes within the Log Modules portion of the window to enable various administration modules (such as performance, status, object, configuration, monitor, fault analysis, SNMP mediation, general, location servers, XML mediation, asynchronous, and portal).
Note Some functions should be used only for short periods of time during debugging so that the performance is not degraded. For example, trace mode and SNMP mediation should be enabled only during debugging because a lot of log information is generated.
Performing Data Management Tasks
Within the Settings window, you can determine what data to generate for reports and emails. Choose Administration > Settings in the left sidebar menu. Three choices appear.
•Refer to the "Data Management" section to establish trends for hourly, daily, and weekly data periods.
•Refer to the "Report" section to designate where the scheduled reports will reside and for how long.
•Refer to the "Mail Server" section to set the primary and secondary SMTP server host and port.
•Refer to the "Login Disclaimer" section to enter disclaimer information.
•Refer to the "Alarms" section to specify how to handle old alarms and how to display assigned and acknowledged alarms in the Alarm Summary window.
Data Management
Follow the steps below to manage data aggregation on an hourly, daily, and weekly basis.
Step 1 Choose Administration > Settings.
Step 2 From the left sidebar menu, choose Data Management. The Data Management window appears (see Figure 15-18).
Figure 15-18 Data Management Window
Step 3 Specify the number of days to keep the hourly data. The valid range is 1 to 31.
Step 4 Specify the number of days to keep the daily data. The valid range is 7 to 31.
Step 5 Specify the number of weeks to keep the weekly data. The valid range is 2 to 10.
Step 6 Specify the number of days to retain the audit data before purging. The limit is 90 days, and the minimum cleanup interval is 7 days.
Note For the best interactive graph data views, change the default settings to the maximum possible: 90 days for daily aggregated data and 54 weeks for weekly aggregated data. You must also take the appropriate measures to increase RAM and CPU capacity to compensate for these adjustments.
Step 7 Click Save.
Report
Follow the steps below to indicate where the scheduled reports will reside and for how many days.
Step 1 Choose Administration > Settings.
Step 2 From the left sidebar menu, choose Report. The Report window appears (see Figure 15-19).
Figure 15-19 Report Window
Step 3 Enter the location on the WCS server where you want the scheduled reports to reside.
Step 4 Specify the number of days the file will stay in the repository.
Step 5 Click Save.
Mail Server
You can configure global email parameters to use when sending emails from WCS reports, alarm notifications, and so on. This mail server page allows you to configure email parameters at a single place to avoid re-entering the information each time you need it. The Mail Server window allows you to set the primary and secondary SMTP server host and port, the sender's email address, and the recipient's email address(es). Follow these steps to configure global email parameters.
Note You must configure the global SMTP server before setting global email parameters.
Step 1 Choose Administration > Settings.
Step 2 From the left sidebar menu, choose Mail Server. The window in Figure 15-20 appears.
Figure 15-20 Mail Server Configuration Window
The Mail Server window allows you to set the primary and secondary SMTP server host and port, the sender's email address, and the recipient's email address. From this window, you can configure email parameters without having to visit multiple places.
You must designate the primary mail server, and the secondary one is used only if the primary fails. SMTP authorization is also supported for both primary and secondary mail servers. Follow the steps below to configure the mail server.
Step 1 Enter the host name of the primary SMTP server.
Step 2 The SMTP port is set to 25 by default, but you can change it if your mail server is using a non-default port.
Step 3 Enter the designated username if SMTP authorization is turned on for this mail server.
Step 4 Provide a password for logging on to the SMTP server and enter it for the Password and Confirm Password parameter.
Step 5 Provide the same information for the secondary SMTP server (only if a secondary mail server is available). The secondary server is used only if the primary fails.
Step 6 The From field in the Sender and Receivers portion of the window is populated with WCS@<WCS server IP address>. You can change it to a different sender.
Step 7 Enter the recipient's email address(es) in the To field. The email address you provide serves as the default values for other functional areas, such as alarms or reports. Multiple email addresses can be added and should be separated by a comma.
Note If you make global changes to the recipient email address(es) in Step 7, they are disregarded if email notifications were set in the "Alarm Emails" section on page 13-59.
You are required to set the primary SMTP mail server and the From address fields.
Step 8 Click the Test button to send a test email using the parameters you configured. The results of the test operation are shown on the same screen. The test feature checks the connectivity to both primary and secondary mail servers by sending an email with a "WCS test email" subject line.
Step 9 If the test results were satisfactory, click Save.
Login Disclaimer
The Login Disclaimer page allows you to enter disclaimer text at the top of the Login page for all users.
To enter Login Disclaimer text, follow these steps:
Step 1 Choose Administration > Settings.
Step 2 From the left sidebar menu, choose Login Disclaimer.
Step 3 Type your Login Disclaimer text in the available text box.
Step 4 Click Save.
Alarms
This Alarms page allows you to manage the following:
•The handling of old alarms.
•The display of assigned and acknowledged alarms in the Alarm Summary window.
To access this window, follow these steps:
Step 1 Choose Administration > Settings.
Step 2 From the left sidebar menu, choose Alarms.
Step 3 In the Cleanup of Old Alarms section, check the check box to enable the deletion of old alarms.
Step 4 Enter the number of days after which old alarms are deleted.
Step 5 In the Alarm Summary Window section, check the check box to hide acknowledged and assigned alarms on the Alarm Summary window. This preference applies only to the Alarm Summary window. A quick search, or the alarms listed for any entity, shows alarms regardless of the acknowledged or assigned state specified here. The default is to hide acknowledged alarms.
Setting User Preferences
This page contains user-specific settings you may want to adjust.
Step 1 Choose Administration > User Preferences. The User Preferences Window appears (see Figure 15-21).
Figure 15-21 User Preferences Window
Step 2 Use the Items Per List Page drop-down menu to configure the number of entries shown on a given list window (such as alarms, events, AP list, etc.).
Step 3 If you want the maps and alarms page to automatically refresh when a new alarm is raised by WCS, click the check box in the Alarms portion of the window.
Step 4 Use the drop-down menu to indicate how often you want the alarm count refreshed in the Alarm summary window on the left panel.
Step 5 Click Save.