Welcome to the extraxi blog...

If you found this page accidentally and don't know what extraxi is about... we specialise in reporting solutions for the Cisco Secure ACS and Funk SBR access control servers (aka AAA servers).

The servers are predominantly used to secure network services such as dial, wireless lan, vpn, firewall and network device management.

Typically these servers just chuck out MBs of raw CSV log data about network activity. What we do is to help collect this data then import and turn it into useable information.

Tuesday, 8 September 2009

Csvsync v3.0.3 Released

For csvsync users who are:
  1. Running on Server 2008, and
  2. Using SSL/HTTPS with their ACS server
v3.0.3 will fix an issue introduced by a feature (read bug) in the latest winhttp.dll (v6). During the csv file download ACS will reject further requests from csvsync. Csvsync will error:
File Sync Error (2)

On the ACS side, CSAdmin will log the following error in its Admin.log:
ADMN 08/28/2009 13:32:27 E 1261 1896 0x0 Possible attack on session 33542 from 192.168.254.30


Posted by at No comments:
Labels: , , ,

Wednesday, 17 June 2009

RBAC Style Device Management using CIsco Secure ACS and TACACS+

A few years back when we all worked on ACS at Cisco a good friend wrote a really clear guide to using ACS (with TACACS+) to implement an RBAC style system for managing administrative authentication and authorization of IOS devices.

The Cisco web site isnt always very easy to find stuff and Im sure one day it'll get deleted, so here is link to a local copy:
Posted by at No comments:
Labels: , ,

Missing user names in the ACS package.cab

aaa-reports! can import the ACS cab file to get an up-to-date list of usernames, group assignments and even much of the policy. However, its possible that dynamic users (eg externally authenticated via Windows, RSA, LDAP etc) may not be included in the cab file.

This is because ACS now has an extra setting to disable dynamic users. If enabled the external users will not be included in the package.cab file. The setting is in the Configure Caching Unknown Users section on the External Authenticators ACS Admin page.
Also worth a mention, on the User Setup page there is the Remove Dynamic Users button, that will do exactly that!
TIP: If you wish to purge stale records - export the cab into aaa-reports! and run the inactivity reports to see which user records can go. Only then should you remove the dynamic users.
SHAMELESS PLUG: csvsync v3.0 can initiate the creation of the package.cab and download it ready for automated import into aaa-reports! enterprise v1.1
Posted by at No comments:
Labels: , , , ,

Tuesday, 26 May 2009

aaa-reports! v2.3

In final testing now... this release addresses some issues with Windows Server 2008 and Cisco Secure ACS v4.2

As usual free of charge to customers with support & maintenance contracts.
Posted by at No comments:
Labels:

Wednesday, 25 February 2009

Why we do CSV

We still get the occasionall comment about why aaa-reports! uses CSVs to import data from ACS - as opposed to syslog and ODBC (both of which will be supported in future) and this week a good reminder surfaced. 

While looking at some release notes for ACS v4.2 we stumbled across CSCsg62239. This bug blandly says "Binary text appears [randomly] in syslog output". Nice one.
In our experience CSV logging tends (with a few minor issues) to just work. ODBC logging slows the ACS to a crawl and syslog packets could go into a black hole and you'd never know.
If you have a legal or audit requirement to retain logs for any period of time - you need to use CSV based logs and collect/archive them regularly. This is where our csvsync client can help :)
Posted by at No comments:
Labels: , ,

Thursday, 5 February 2009

csvsync runtime errors - missing dll

A customer recently got a missing DLL error when running csvsync - MSVCO60D.dll to be exact. This is part of the C/C++ runtime and should normally be present already.

Anyhow, there is a Microsoft KB article on how to download the latest Visual C++ 6.0 run-time at this URL:

http://support.microsoft.com/kb/259403
Posted by at No comments:
Labels: , ,

Thursday, 29 January 2009

What the Government should be spending on in the credit crunch

A bit off the usual topic, but...

I was at my local gym this week (part of a larger council run leisure centre) and commented on how hot the poolside and changing rooms felt - not what you need after a 5km run!! It struck me how incredibly high their energy usage must be - 3 pools, sports hall, gym, various studios etc etc with what looks like quite a thin uninsulated roof.

It struck me that instead of pumping millions into banks, the car industry, more roads, 3rd runway at Heathrow etc.. that perhaps the government should embark on a project to retrofit all public owned buildings with solar thermal and electric (where possible). This would cost many millions of pounds but provide much needed jobs by creating a whole new industry and above all would SAVE MONEY and CO2 for years to come.

My local gym has a massive flat roof structure that would be ideal for mounting the panels and tubes etc. Right now the staff are being told to switch off lights to save money... given the lighting is all low energy anyway its hard to see them saving much.

Come on Mr Brown - spend money.. lots of money, but on the right stuff.


Posted by at No comments:
Labels:

Calculated Fields in the Query Builder

This week I had to help a customer with the aaa-reports! query builder - amazingly flexible but equally a little hard to master! So I thought I'd post here by way of a primer.

This particular customer had imported their ACS user database and wanted to list inactive users. Although there is a canned report to do this, they wanted to export the data in XLS - which meant doing it in the query builder. Because  they are using ACS password ageing, the last authentication date is actually stored inside the ACS database, and is imported into aaa-reports!

So in this case we can use the Last Authenticated field as it holds... guess what? The last authenication date. We have to create a "Calculated Field" that is essentially the result of our test condition - say users who havent authenticated for 30 days. We can then set a criteria to test the calculated column.

So to get a .XLS of inactive users (via password ageing):
  1. Goto to the Query page and set the Query Type radio button to Filter/Sort
  2. Select ACS DB User Details from the Data Sets drop down
  3. On the Attributes tab select the user attributes you want to display
  4. On the Sorting tab pick the Last Authenticated attribute then click Add Ascending
  5. Click run
You'll now get users displayed with the oldest "last authenticated" date at the top. 

Ok, the above simple query will display all users and not just those that have been inactive for some period. To show only inactive users (say for 30 days or more) we need to modify the query slightly:
  1. Back on the Attributes tab, select the Calculated Fields radio button
  2. In the Name field enter IsInactive and in the Expression enter [Last Authenticated] < (Date() - 30)
  3. Click on Set to save the calculated column.
  4. Click Run again - you'll see a new IsInactive column with values 0 (false) and -1 (true)
  5. Finally on the Criteria tab select the new calculated col in the Attribute drop down, select <> from the Operator dropdown and enter 0  (zero) into the Value. Click Add
  6. Click Run again and now you will only see users whose last authentication date was more than 30 days ago.
This query can now be saved (for inclusion into a batch of reports) and exported to XLS, CSV etc.

This post shows how the use of a calculated field can help modify the ready made datasets in aaa-reports!
Posted by at No comments:
Labels: , ,
Subscribe to: Posts (Atom)