Welcome to the extraxi blog...
The servers are predominantly used to secure network services such as dial, wireless LAN, VPN, firewall and network device management.
Typically these servers just chuck out MBs of raw CSV log data about network activity. We help collect this data, then import it and turn it into usable information.
Thursday, 29 November 2007
Negative values in canned reports
After some delving it turned out to be the customer's PIX sending garbage values in the TACACS+ "elapsed time" attribute.
The customer is now following this up with Cisco.
Monday, 5 November 2007
Extraxi Licensing FAQ
- Number of AAA servers you wish to report against
- Number of installed copies you wish to purchase
- Maintenance & support requirements
It's a common mistake to assume that if you have 2 AAA servers you need 2 copies of, say, aaa-reports! as well - you don't. A single copy of aaa-reports! can import logs from tens of servers.
You only need multiple copies if you want to install on multiple PCs - for example, if you wanted a copy in two locations.
Tuesday, 16 October 2007
Support for ACS Express v5
A version of aaa-reports! with ACS v5.0 support is planned to coincide with the full feature version of ACS shipping in late 2008.
Friday, 12 October 2007
What Can Extraxi Get From The ACS Database?
In v2.0 we added the csutil "dump.txt" and also included account expiry, password aging, user defined fields (e.g. Real Name, Description etc.) and a whole lot more.
In v2.1 we started to look at TACACS+ Device Admin (TDA) policy to pull in Shared Device Command Sets (DCS) for Shell and PIX, IP based Network Access Restrictions (Group & Shared), Network Device Group (NDG) memberships. Finally aaa-reports! is able to look into each ACS group to pull in the Shell & PIX service authorizations:
- Service enabled (y/n)
- Service attributes (returned after authentication)
- Group level access restrictions
- Shared access restrictions
- Group level shell/pix command authorisations
- Shared shell/pix command authorisations (via NDG->DCS mappings)
With all this data imported we can offer reports that both document the config (e.g. our group/user detail report, which has a layout similar to the ACS UI) and explore the config (e.g. who has access to what devices AND what commands they can execute). The Query Builder can see the same data too - so you can create custom reports about the users in the ACS db!
Cool huh?
Of course, the next question is how to get the data OUT of ACS and then IN to aaa-reports!
If you have ACS v4.x on either software or appliances it's easy. You just create a support "package.cab" using either the command line cssupport.exe (s/w version) or the Support admin page (appliance version). Make sure you tick the check boxes to include the user & group db + config.
If you have ACS v3.x then unfortunately the appliance is not supported. On the s/w version we have a script you can download to suck the data out - available on our download page.
Once you have a .cab file (from either of the methods above) you just click on Import ACS Database on the aaa-reports Import page.
Thursday, 11 October 2007
Minimum Server Spec for aaa-reports!
Here is Microsoft's guide to the hardware requirements for Server 2003. The R2 datacenter reqs probably make the most sense.
BTW the same goes for csvsync and csvsplit too.
aaa-reports! on the ACS server?
The answer is you can... but we don't recommend it. The reasons are:
- aaa-reports! will greedily try to use all available CPU while importing and running reports, so depending on the amount of data this could represent quite heavy usage for minutes at a time. This could in turn affect the performance of your ACS server.
- The ACS services keep the active CSVs (i.e. the files they are currently writing to) locked. So the aaa-reports! move-on-import feature will not work and you might get incomplete rows imported.
Best practice is to roll out a dedicated server (or VM) with plenty of hard drive space and make it the "reporting server" and the log repository.
Tuesday, 2 October 2007
extraxi Software On Linux
To our knowledge aaa-reports! has not been tried.
csvsplit should work no problem as it's a command line program.
csvsync v1.0 was known to work, but v2.0 changed winsock libraries which revealed a bug in (the then current version of) Wine.
At present we have no plans to officially test or support this. However, if you have tried it please let us know!
Wednesday, 5 September 2007
aaa-reports! and VMware
Yes it does!
Saturday, 1 September 2007
A Collection of Useful Docs
aaa-reports! automation tutorial - all about the automation module and how to use it.
aaa-reports! deployment guide - the dos and don'ts of installing aaa-reports!
aaa-reports! tacacs+ device admin white paper - reporting for device admin
aaa-reports! sales justification - what extraxi s/w can do and why you should buy it!
aaa-reports! datasheet - spec sheet