extraxi news, hints 'n' tips

RBAC Style Device Management using CIsco Secure ACS and TACACS+

2009-06-17T11:31:00.006+01:00

A few years back when we all worked on ACS at Cisco a good friend wrote a really clear guide to using ACS (with TACACS+) to implement an RBAC style system for managing administrative authentication and authorization of IOS devices.

The Cisco web site isnt always very easy to find stuff and Im sure one day it'll get deleted, so here is link to a local copy:

Missing user names in the ACS package.cab

2009-06-17T11:05:00.007+01:00

aaa-reports! can import the ACS cab file to get an up-to-date list of usernames, group assignments and even much of the policy. However, its possible that dynamic users (eg externally authenticated via Windows, RSA, LDAP etc) may not be included in the cab file.

This is because ACS now has an extra setting to disable dynamic users. If enabled the external users will not be included in the package.cab file. The setting is in the Configure Caching Unknown Users section on the External Authenticators ACS Admin page.

Also worth a mention, on the User Setup page there is the Remove Dynamic Users button, that will do exactly that!

TIP: If you wish to purge stale records - export the cab into aaa-reports! and run the inactivity reports to see which user records can go. Only then should you remove the dynamic users.

SHAMELESS PLUG: csvsync v3.0 can initiate the creation of the package.cab and download it ready for automated import into aaa-reports! enterprise v1.1

aaa-reports! v2.3

2009-05-26T14:34:00.002+01:00

In final testing now... this release addresses some issues with Windows Server 2008 and Cisco Secure ACS v4.2

As usual free of charge to customers with support & maintenance contracts.

Why we do CSV

2009-02-25T08:47:00.011Z

We still get the occasionall comment about why aaa-reports! uses CSVs to import data from ACS - as opposed to syslog and ODBC (both of which will be supported in future) and this week a good reminder surfaced.

While looking at some release notes for ACS v4.2 we stumbled across CSCsg62239. This bug blandly says "Binary text appears [randomly] in syslog output". Nice one.

In our experience CSV logging tends (with a few minor issues) to just work. ODBC logging slows the ACS to a crawl and syslog packets could go into a black hole and you'd never know.

If you have a legal or audit requirement to retain logs for any period of time - you need to use CSV based logs and collect/archive them regularly. This is where our csvsync client can help :)

csvsync runtime errors - missing dll

2009-02-05T11:32:00.003Z

A customer recently got a missing DLL error when running csvsync - MSVCO60D.dll to be exact. This is part of the C/C++ runtime and should normally be present already.

Anyhow, there is a Microsoft KB article on how to download the latest Visual C++ 6.0 run-time at this URL:

http://support.microsoft.com/kb/259403

What the Government should be spending on in the credit crunch

2009-01-29T17:36:00.003Z

A bit off the usual topic, but...

I was at my local gym this week (part of a larger council run leisure centre) and commented on how hot the poolside and changing rooms felt - not what you need after a 5km run!! It struck me how incredibly high their energy usage must be - 3 pools, sports hall, gym, various studios etc etc with what looks like quite a thin uninsulated roof.

It struck me that instead of pumping millions into banks, the car industry, more roads, 3rd runway at Heathrow etc.. that perhaps the government should embark on a project to retrofit all public owned buildings with solar thermal and electric (where possible). This would cost many millions of pounds but provide much needed jobs by creating a whole new industry and above all would SAVE MONEY and CO2 for years to come.

My local gym has a massive flat roof structure that would be ideal for mounting the panels and tubes etc. Right now the staff are being told to switch off lights to save money... given the lighting is all low energy anyway its hard to see them saving much.

Come on Mr Brown - spend money.. lots of money, but on the right stuff.

Calculated Fields in the Query Builder

2009-01-29T17:22:00.005Z

This week I had to help a customer with the aaa-reports! query builder - amazingly flexible but equally a little hard to master! So I thought I'd post here by way of a primer.

This particular customer had imported their ACS user database and wanted to list inactive users. Although there is a canned report to do this, they wanted to export the data in XLS - which meant doing it in the query builder. Because they are using ACS password ageing, the last authentication date is actually stored inside the ACS database, and is imported into aaa-reports!

So in this case we can use the Last Authenticated field as it holds... guess what? The last authenication date. We have to create a "Calculated Field" that is essentially the result of our test condition - say users who havent authenticated for 30 days. We can then set a criteria to test the calculated column.

So to get a .XLS of inactive users (via password ageing):

Goto to the Query page and set the Query Type radio button to Filter/Sort
Select ACS DB User Details from the Data Sets drop down
On the Attributes tab select the user attributes you want to display
On the Sorting tab pick the Last Authenticated attribute then click Add Ascending
Click run

You'll now get users displayed with the oldest "last authenticated" date at the top.

Ok, the above simple query will display all users and not just those that have been inactive for some period. To show only inactive users (say for 30 days or more) we need to modify the query slightly:

Back on the Attributes tab, select the Calculated Fields radio button
In the Name field enter IsInactive and in the Expression enter [Last Authenticated] < (Date() - 30)
Click on Set to save the calculated column.
Click Run again - you'll see a new IsInactive column with values 0 (false) and -1 (true)
Finally on the Criteria tab select the new calculated col in the Attribute drop down, select <> from the Operator dropdown and enter 0 (zero) into the Value. Click Add
Click Run again and now you will only see users whose last authentication date was more than 30 days ago.

This query can now be saved (for inclusion into a batch of reports) and exported to XLS, CSV etc.

This post shows how the use of a calculated field can help modify the ready made datasets in aaa-reports!

Web Reports Beta 2

2008-12-09T14:53:00.003Z

After a significant amout of testing we can now confirm additional OS support:

Windows Server 2003, 32/64 bit, IIS6 or IIS7
Windows Server 2008, 32/64 bit, IIS7

Some manual configuration is required depending on OS/IIS version. With IIS6 our install script should take care of everything - provided there is a Default Web Site. With IIS7 there are some non-default installation features that are required - asp.net and IIS6 management compatibility and these are documented in the user guide.

Web Report Beta

2008-10-24T20:53:00.004+01:00

As described in the previous post... the BETA of aaa-reports! enterprise web reporting is now on the download site.

This can be installed on the same server as aaa-report! enterprise itself and requires that IIS is installed with the "Default Web Site" on port 80.

If your IIS doesnt have the Default Web or isnt running on port 80 you'll have to manually add and configure a virtual web folder using the IIS Management Console.

Web Reporting!

2008-10-01T11:56:00.007+01:00

The aaa-reports! enterprise product will soon feature web based reporting. The initial release will feature a simple to use query builder that enables a table based report on each of the primary ACS log types (eg Failed Attempts, TACACS+ Adminstration, RADIUS accounting etc)

Once you're happy with the query and the number of matching records founds, the results are displayed in a tabular report with PDF,CSV,XLS export, paging and sorting controls.

Security is handled by Windows authentication on the web server - users will require an account on the aaa-reports! server but can be put into a dedicated group that only allows web access.

CSVSync V3.0

2008-07-17T15:38:00.003+01:00

Released a week or two ago, this new version of csvsync can automate the process of exporting the ACS database via the Support function.

We posted about this a while back here and now its officially released.

If you have an active support & maintenance contract you get an automatic 40% discount on list price, and if you purchase aaa-reports! enterprise you'll get it bundled.

Cisco Secure ACS View 4.0

2008-05-19T14:54:00.011+01:00

Well they've been talking about it for long enough... and finally Cisco Secure ACS View 4.0 arrived. Although we have not actually been able to see it in the flesh on first look it seems OK. However Cisco have made some questionable architecture choices.. #1 being that they based log collection on syslog and #2 its appliance only.

Ok, so syslog is one of the widest used logging protocols (historically) but its hardly the robust transport one would wish for when logging security events. The implementation by ACS is also hampered by their choice of format... basically each syslog packet comprises a single line of log data of the form "attr=value, attr=value, ... " so there is a lot of bloat in carrying the attribute names. Its unlikely that complex ACS deployments will be able to log all the required attributes in a single syslog packet (1024 characters max in ACS 4.1). The View user guide does include the odd explanation that is ok to receive partial data because the rest will get picked up at a later date (presumably by importing the ACS cab file). Yikes - creating a cab requires you stop (or at least pause) the ACS services AND importing the same data twice could lead to duplicate rows.

So it uses syslog (unreliable, non-ack'd, un-encrypted) to send partial (1024 characters we guess) log entries using a bloated ascii format that buries attributes names in the data. That could add up to a whole load more WAN traffic if your ACSs are distributed.

extraxi aaa-reports! on the other hand uses the tried and tested bulk download over http(s) using our csvsync client to download logs. The benefit here being that ACS just does what it does best - log locally then csvsync/aaa-reports! download the logs in bulk (and with encryption) at a time of your choosing.

Being appliance only there is no trial version so you cant test it before buying. It really only works with 4.1(4) but needs 4.2(1) to work well - so if you currently still have some 3.x servers in production you're out of luck. extraxi aaa-reports! works with all versions from 2.x through to 4.x and can be installed on anything from Windows XP to Server 2003 Terminal Server running inside VMWare.

On the topic of database size, View is based on Sybase SQL Anywhere which has a fixed 4GB of storage. aaa-reports! enterprise (due for release end of May 2008) uses multiple SQL Server Express databases offering a total of 48GB.

More as it arrives...

Installing aaa-reports! with Terminal Services

2008-05-15T11:53:00.000+01:00

As with any other application, to install on Windows Terminal Server you should do one of two things:

Use "Add/Remove Programs" in Control Panel to launch the application installer rather than just double-click the setup.exe, or
From the command line type "change user /install" before running the setup.

Either of one of these will put the server into install mode and will ensure that installed components and registry changes are made for all users.

Failure to do one of the above will result in the application not functioning correctly for other users because DLLs will not be installed into the global Windows\System32 folder but instead into your own personnal folder under Documents and Settings.

We recommend using the Add/Remove Programs method as is by far the simplest and future proofed.

New Features For CSVSync

2008-05-01T14:17:00.003+01:00

Quite a few customers have expressed the desire to generate and collect the ACS Support Cab (package.cab) using csvsync. This gives the advantage of being able schedule the operation via a script on a remote PC - essential if your ACS is the Appliance kind.

In testing now is the next version of csvsync with exactly this feature. You can connect to the following versions of ACS to collect the cab file:

Appliance v4.0(1) onwards
Software v4.1(4) onwards

Prior to v4.1(4) the Support page was not available via ACS Admin Software version.

Beta expected the next couple of weeks.

ACS v4.1(4) Compatibility Issue Resolved

2008-04-22T16:01:00.001+01:00

A new build of aaa-reports! v2.2.1 has been posted today that resolves all known issues with importing ACS v4.1(4) cab and dump files.

Hoorah!

aaa-reports! enterprise edition - beta now available

2008-03-20T11:06:00.003Z

aaa-reports! enterprise edition beta 2 is now available for download. Please use our contact page to request a copy.

New feature highlights:

Scalable SQL Server Express databases for upto 48GB capacity.
Advanced parameter filter on canned reports (equal, like, null, ...) incl wildcards.
Enhanced Query Builder. Re-order & re-name columns + complex expressions.
All ACS log types now supported (incl. appliance, replication etc).
New look UI and usability enhancements.

Note the system requirements for this version are higher than for aaa-reports! v2.x and this is because it uses SQL Server as the main repository. Ideally you would be installing on a dual/quad core 2 system with at least 2GB RAM.

There are two installers which must be used in the correct order:

Environment setup. Installs .NET framework and SQL Server Express
Application setup

ACS v4.1(4) Compatibility Issue

2008-01-23T15:53:00.000Z

If you have recently upgraded to ACS v4.1(4) there is a compatibility issue when importing the ACS database into aaa-reports! due to file format changes inside the cab and dump files.

We've posted a fixed build (15th Jan) onto the download site for the .cab file issue and are working on the dump file import now.

If you experience the error "database contains no groups or users" when importing the database you need this patch. The patched aaa-reports! version is "FE 2.2342" (click help/about to check)

Merry Christmas!

2007-12-25T16:41:00.000Z

To any and all who celebrate this time of year....

... and especially our customers

Have a great one!!

aaa-reports! enterprise... sneak preview

2007-12-20T09:32:00.000Z

Well we're almost there for the first beta of aaa-reports! enterprise. The screenshots below show off our refreshed UI (ok.. about time!)

This is a major step forward for aaa-reports! with an all new back end based on SQL Server Express giving us a total of 32GB of storage. Of course we're keeping the multi-DB feature so you actually get n*32GB !!

For our biggest customers there is also the option to swap out Express with full blown SQL Server.

Switching to SQL Server enables a whole wealth of server-sided filtering that wasnt possible before. As a result all of the canned reports can now be filtered on one or more attributes, eg Network Device Group, Group etc allowing you to make them as general or specific as you wish. The reports also appear much faster as the datasets are created in SQL Server.

Oh and the query builder has undergone a major overhaul to allow column ordering to be saved, column renaming and even free form SQL statement entry for very advanced users.

Negative values in canned reports

2007-11-29T11:53:00.000Z

This week we had some reports of very large negative values in our canned reports - in particular the device utilisation reports.

After some delving it turned out to be the customers PIX sending garbage values in the TACACS+ "elapsed time" attribute.

The customer is now following this up with Cisco.

aaa-reports! "Software as a service"

2007-11-24T20:36:00.000Z

For those of you out there that don't want the hassle or expense of managing yet another Windows server but still want to benefit from extraxi's reporting expertise...

We are developing a virtually hosted subscription based offering with our partner 1&1 Internet Ltd. For a fraction of the TCO of a real Windows server we will offer a choice of shared virtual server or dedicated server - both running industry standard Windows Server 2003. 1&1 are one of Europe's largest ISPs and offer state of the art hosting facilities with unparalleled uptime.

The solution comprises extraxi csvsync for collecting logs from all your ACS servers, a secure FTP client for pushing logs onto the hosted server. You then have FULL terminal service access to the server with a pre-installed copy of aaa-reports! with automation.

Report PDFs are published to an IIS web folder where your authenticated users can download directly over secure https.

For more information please contact us

Online Quote & Ordering Page

2007-11-05T14:16:00.001Z

You can get quotes and submit orders online at

http://www.extraxi.com/order1.asp

Extraxi Licensing FAQ

2007-11-05T14:07:00.000Z

When you want to order copies of any extraxi product there are several factors that decide the cost:

Number of AAA servers you wish to report against
Number of installed copies you wish to purchase
Maintenance & support requirements

Its a common mistake to assume if you have 2 AAA servers you need 2 copies of say aaa-reports! as well - you don't. A single copy of aaa-reports! can import logs from 10's of servers.

You only need multiple copies if you want to install on multiple PCs - for example if you wanted a copy in two locations.

aaa-reports! v2.2.1 released

2007-11-03T15:04:00.000Z

aaa-reports! v2.2.1 is now available in our downloads area via the trial request page.

For details about features see the previous post.

Scripting Automation and MS Office

2007-10-18T11:59:00.000+01:00

Here's one that can trip you up.

If you create a specific Windows user account for running aaa-reports! automation (most people do) and you have retail MS Office installed on the same PC.... you'll need to login as this user and start an Office app (eg Word) at least ONCE. When you do this Office will spot its a new user and prompt you to confirm your name an initials.

Now, when aaa-reports! automation kicks in Office will not throw a spanner in the works by asking for user details.

Otherwise an unattended session is left waiting for user input and you'll think aaa-reports! is broken. Thank you Microsoft!