Windows Server 2008 UAC Issues

When aaa-reports! is installed on a Windows Server 2008 system, you may get a message displayed when attempting to launch aaa-reports:

"An unidentified program is attempting to access your computer"

This is caused by User Access Control kicking in - even though you may be logged in as an administrator by default applications you run will not. You can either elevate to admin level on a use-by-use basis or right-click+properties to see aaa-reports! to always "run as administrator".

However, because the RunAAARe.exe is merely a bootstrap, you will need to locate the RunAccess.exe application as well and elevate this also.

Alternatively, you can find instructions at Microsoft Technet to either disable UAC completely, or just disable UAC prompting for members of the local admin group.

Missing user names in the ACS package.cab

aaa-reports! can import the ACS cab file to get an up-to-date list of usernames, group assignments and even much of the policy. However, its possible that dynamic users (eg externally authenticated via Windows, RSA, LDAP etc) may not be included in the cab file.

This is because ACS now has an extra setting to disable dynamic users. If enabled the external users will not be included in the package.cab file. The setting is in the Configure Caching Unknown Users section on the External Authenticators ACS Admin page.

Also worth a mention, on the User Setup page there is the Remove Dynamic Users button, that will do exactly that!

TIP: If you wish to purge stale records - export the cab into aaa-reports! and run the inactivity reports to see which user records can go. Only then should you remove the dynamic users.

SHAMELESS PLUG: csvsync v3.0 can initiate the creation of the package.cab and download it ready for automated import into aaa-reports! enterprise v1.1

aaa-reports! v2.3

In final testing now... this release addresses some issues with Windows Server 2008 and Cisco Secure ACS v4.2

As usual free of charge to customers with support & maintenance contracts.

Calculated Fields in the Query Builder

This week I had to help a customer with the aaa-reports! query builder - amazingly flexible but equally a little hard to master! So I thought I'd post here by way of a primer.

This particular customer had imported their ACS user database and wanted to list inactive users. Although there is a canned report to do this, they wanted to export the data in XLS - which meant doing it in the query builder. Because  they are using ACS password ageing, the last authentication date is actually stored inside the ACS database, and is imported into aaa-reports!

So in this case we can use the Last Authenticated field as it holds... guess what? The last authenication date. We have to create a "Calculated Field" that is essentially the result of our test condition - say users who havent authenticated for 30 days. We can then set a criteria to test the calculated column.

So to get a .XLS of inactive users (via password ageing):

1. Goto to the Query page and set the Query Type radio button to Filter/Sort
   
2. Select ACS DB User Details from the Data Sets drop down
3. On the Attributes tab select the user attributes you want to display
   
4. On the Sorting tab pick the Last Authenticated attribute then click Add Ascending
   
5. Click run

You'll now get users displayed with the oldest "last authenticated" date at the top. 

Ok, the above simple query will display all users and not just those that have been inactive for some period. To show only inactive users (say for 30 days or more) we need to modify the query slightly:

1. Back on the Attributes tab, select the Calculated Fields radio button
2. In the Name field enter IsInactive and in the Expression enter [Last Authenticated] < (Date() - 30)
3. Click on Set to save the calculated column.
4. Click Run again - you'll see a new IsInactive column with values 0 (false) and -1 (true)
   
5. Finally on the Criteria tab select the new calculated col in the Attribute drop down, select <> from the Operator dropdown and enter 0  (zero) into the Value. Click Add
6. Click Run again and now you will only see users whose last authentication date was more than 30 days ago.

This query can now be saved (for inclusion into a batch of reports) and exported to XLS, CSV etc.

This post shows how the use of a calculated field can help modify the ready made datasets in aaa-reports!

ACS v4.1(4) Compatibility Issue

If you have recently upgraded to ACS v4.1(4) there is a compatibility issue when importing the ACS database into aaa-reports! due to file format changes inside the cab and dump files.

We've posted a fixed build (15th Jan) onto the download site for the .cab file issue and are working on the dump file import now.

If you experience the error "database contains no groups or users" when importing the database you need this patch. The patched aaa-reports! version is "FE 2.2342" (click help/about to check)

aaa-reports! enterprise... sneak preview

Well we're almost there for the first beta of aaa-reports! enterprise. The screenshots below show off our refreshed UI (ok.. about time!)



This is a major step forward for aaa-reports! with an all new back end based on SQL Server Express giving us a total of 32GB of storage. Of course we're keeping the multi-DB feature so you actually get n*32GB !!

For our biggest customers there is also the option to swap out Express with full blown SQL Server.



Switching to SQL Server enables a whole wealth of server-sided filtering that wasnt possible before. As a result all of the canned reports can now be filtered on one or more attributes, eg Network Device Group, Group etc allowing you to make them as general or specific as you wish. The reports also appear much faster as the datasets are created in SQL Server.

Oh and the query builder has undergone a major overhaul to allow column ordering to be saved, column renaming and even free form SQL statement entry for very advanced users.