Welcome to the extraxi blog...

If you found this page accidentally and don't know what extraxi is about... we specialise in reporting solutions for the Cisco Secure ACS and Funk SBR access control servers (aka AAA servers).

The servers are predominantly used to secure network services such as dial, wireless lan, vpn, firewall and network device management.

Typically these servers just chuck out MBs of raw CSV log data about network activity. What we do is to help collect this data then import and turn it into useable information.

Thursday, 18 October 2007

Scripting Automation and MS Office

Here's one that can trip you up.

If you create a specific Windows user account for running aaa-reports! automation (most people do) and you have retail MS Office installed on the same PC.... you'll need to login as this user and start an Office app (eg Word) at least ONCE. When you do this Office will spot its a new user and prompt you to confirm your name an initials.

Now, when aaa-reports! automation kicks in Office will not throw a spanner in the works by asking for user details.

Otherwise an unattended session is left waiting for user input and you'll think aaa-reports! is broken. Thank you Microsoft!

Wednesday, 17 October 2007

aaa-reports! v2.2.1

v2.2.1 will be posted onto the download page in the next week or so. This release has some significant new features and as usual is available free for customers with support contracts.

Enhancements include
  1. Multi-Database feature enhanced to allow database “cloning”. Cloning allows the creation of a new database by copying any existing database and provides a simple mechanism to quickly create pre-configured blank databases or copy existing populated databases for diagnostic work or as point-in-time snapshots.
  2. User List import (for inactive user reports). It is now possible to populate the User List from an ACS Dump/CAB File. Where users have access to the Dump/CAB file this can be imported instead of creating and importing a separate CSV file with User List data.
  3. New Data Purge facility with much improved filtering and selection options to make it easier to identify and purge specific log data.
  4. Improved processing of ACS logs to find and handle known problematic issues with log content.
  5. Support for very long filenames (previously 64 characters) to offer more flexibility when processing logs with CSVsync and/or CSVsplit and adding descriptive suffixes and AAA Server names to create meaningful filenames.
  6. Recognition of logs with underscores in place of spaces in their filenames. Some systems appear to automatically insert underscores into filenames when downloading logs from ACS, e.g. “Administration Audit 2007-10-10.csv” becomes “Administration_Audit_2007-10-10.csv”. Previously filenames with underscores were not recognised as valid log files.
  7. Improved detection and warning when importing logs that have a different date format to the MDY or DMY setting in Options. Specifying the wrong date format will result in log dates being misinterpreted and have adverse affects on the integrity of reports.
    Extended handling of common issues with log content that can otherwise prevent logs being parsed correctly.
  8. Improved regional support for the Log Import process running in Locales where the comma character “ , ‘” is not used as the Field Separator character. Users in most affected regions no longer have to change to a compatible locale prior to importing log files.

Tuesday, 16 October 2007

Support for ACS Express v5

We are curently working with Cisco to add support for ACS v5.0 to aaa-reports!

A version of aaa-reports! with ACS v5.0 support is planned to coincide with the full feature version of ACS shipping in late 2008.

Friday, 12 October 2007

What Can Extraxi Get From The ACS Database?

aaa-reports! support for importing (and reporting against) data from the Cisco ACS database has grown over time. In v1.x we could import users and group assignments from a CSV file.

In v2.0 we added the csutil "dump.txt" and also included account expiry, password aging, user defined fields (eg Real Name, Description etc) and a whole lot more.

In v2.1 we started to look at TACACS+ Device Admin (TDA) policy to pull in Shared Device Command Sets (DCS) for Shell and PIX, IP based Network Access Restrictions (Group & Shared), Network Device Group (NDG) memberships. Finally aaa-reports! is able to look into each ACS group to pull in the Shell & PIX service authorizations:
  • Service enabled (y/n)
  • Service attributes (returned after authentication)
  • Group level access restrictions
  • Shared access restrictions
  • Group level shell/pix command authorisations
  • Shared shell/pix command authorisations (via NDG->DCS mappings)

With all this data imported we can offer reports to both document the config (eg our group/user detail report that has layout similar to the ACS UI) and explore the config (eg who has access to what devices AND what commands can they execute. Also, the Query Builder can see the same data too - so you can create custom reports about the users in the ACS db too!

Cool huh?

Of course, the next question is how to get the data OUT of ACS and then IN to aaa-reports!

If you have ACS v4.x on either software or appliances its easy. You just create a support "package.cab" using either the command line cssupport.exe (s/w version) or the Support admin page (appliance version). Make sure you tick the check boxes to include the user & group db + config.

If you have ACS v3.x then unfortunately the appliance is not supported. On the s/w version we have a script you can download to suck the data out - available on our download page.

Once you have a .cab file (from either of the methods above) you just click on Import ACS Database on the aaa-reports Import page.

Thursday, 11 October 2007

Minimum Server Spec for aaa-reports!

Virtually any new server PC/blade will be powerful enough to run aaa-reports! Afterall because of Moore's Law server specs have gone up considerably since our v1.0 release.

Here is Microsoft's guide to the hardware requirements for Server 2003. The R2 datacenter reqs probably make the most sense.

BTW the same goes for csvsync and csvsplit too.

aaa-reports! on the ACS server?

A lot of poeple will ask if its ok to install aaa-reports! on the same server as ACS is installed on.

The answer is you can... but we dont recommend it. The reasons being:
  • aaa-reports! will greedily try to use all available CPU while importing and running reports, so depending on the amount of data this could represent quite heavy usage for minutes at a time. This could in turn affect the performance of your ACS server.
  • The ACS services have active csv's (ie the files it is currently writing to) locked. So the aaa-reports! move-on-import feature will not work and you might get incomplete rows imported.

Best practice is to roll out a dedicated server (or VM) with plenty of hard drive space and make it the "reporting server" and the log repository.

Date Format Woes (updated)

One thing to check BEFORE importing any CSV files into aaa-reports! is that you configure the date format options to match your ACS server.

That is either DMY or MDY

If these do not match aaa-reports! will still import your logs, but it will get the day and month mixed up. For example, data from July 10th will appear to be from November 7th. Worse still, is that any rows dated after the 12th day of the month will look invalid (ie the month will look greater than 12) and be dropped.

Also, if you change the date format in ACS, it will not roll the active logs. Great - you end up with both formats in a single log. This is enough to confuse any database batch import (or even ODBC insert) process.

We'll look at actually rejecting logs completely if it looks like the date format is wrong - probably in v2.2.1 - in fact several additional checks are being added:
  • The date of the first row MUST be later than the date stamp in the csv filename
  • The day/month should not appear to reverse from one row to another

Tuesday, 2 October 2007

extraxi Software On Linux

We know some organisations try to run Windows apps on Linux using emulators such as Wine.

To our knowledge aaa-reports! has not been tried.
csvsplit should work no problem as its a command line program.
csvsync v1.0 was known to work, but v2.0 changed winsock libraries which revealed a bug in (the then current version of) Wine.

At present we have no plans to officially test or support this. However, if you tried it please let us know!

Monday, 1 October 2007

System Locale Issues

If you're in the USA... you can skip this item ;)

For everyone else, particularly those in Europe its important to note that some locales do not use the comma as the seperator inside a CSV file. OK, this is a bit wacky as the C in CSV stands for Comma, but there you go!

CSVs produced by Cisco Secure ACS are hard coded to use comma's. aaa-reports! uses ODBC to import logs and this uses the system locale to know how they are delimetered.. hence the problem.

If your locale setting says the delimeter is a semi-colon ODBC will complain when it sees comma's. The workaround is to set your locale to USA or other county that uses the comma.

We are actively looking for a better solution and hope to fix this issue in aaa-reports! v2.2.1