WCS 5.2 and ACS 4.2

Is it possible to get WCS admin users authenticated on ACS? I was not able to make it work, and I found an FAQ page, http://www.cisco.com/en/US/products/ps6305/products_qanda_item09186a00807a60f0.shtml#apr6, that says it is not supported. Is this correct? I was not able to get the WCS to authenticate to the ACS. I don't get passed or failed attempts. The ACS is currently authenticating other users / devices, and the ACS and WCS can both communicate with each other.

You can integrate the WCS and ACS for local users of WCS.

Add WCS to an ACS server:

http://www.Cisco.com/en/us/docs/wireless/WCS/5.2/configuration/guide/5_2admin.html#wpmkr1064286

Configuration of the server credentials ACS View:

http://www.Cisco.com/en/us/docs/wireless/WCS/5.2/configuration/guide/5_2mon.html#wpmkr1171779

Configuration of RADIUS servers:

http://www.Cisco.com/en/us/docs/wireless/WCS/5.2/configuration/guide/5_2admin.html#wpmkr1054014

TACACS+ server configuration:

http://www.Cisco.com/en/us/docs/wireless/WCS/5.2/configuration/guide/5_2admin.html#wpmkr1053935

Import tasks in ACS:

http://www.Cisco.com/en/us/docs/wireless/WCS/5.2/configuration/guide/5_2admin.html#wpmkr1064285

Tags: Cisco Wireless

Similar Questions

  • Installation of ISE and ACS

    Hi all

    I have a problem to install ISE and ACS on VM server. Linux Redhat Enterprise is detected by the system when the iso file is selected.

    But some dependencies of the package are noticed as openssl kernel-devel or cisco...

    The installation will stop from print virtual daemon.

    Any help!

    OK, I recommend:

    1. check that all the VM guests are configured to meet the required specifications (RAM, CPU, disk space, etc.)

    2. re-download the ISO file and try the installation again

    3. download and try OVA

    Let us know how it goes :)

    Thank you for evaluating useful messages!

  • WLC, WCS and WCS Navigator

    I would like to know what the difference is between Wireless LAN Controller and Wireless Control System.

    I need WLC if I want to deploy WCS.

    Can I use WCS without wireless LAN controllers?

    What is the difference between WCS and WCS Navigator?

    And just to add WCS navigator is used to group multiple instances of WCS. This would serve in a very large deployment (in thousands of controllers).

    -Mike

    http://CS-Mars.blogspot.com

  • WCS and co-located IAS

    I want to install a unified wireless configuration, 6500 WiSM card-based. I'll also install an MS IAS server and an additional PDC just to authenticate wireless clients ONLY. I am also trying to install the WCS server on the same server. What would be the possible issues with this scenario?

    The thing is, it will work, but it will not be supported if you have any questions and you call TAC. In addition, depending on the number of users the IAS server will be authenticating, or if you use IAS for other RADIUS features, keep an eye on how the box performs. WCS with several WLCs, maps and other stuff could really slow down the box. If you're willing to try, I suggest putting IAS on the first and who, in the image then the box stall WCS and installation and configuration of the who. If you are good with performance and you have no problems, then you should be good to go with this configuration.

  • Integration of CSM 3.3 and ACS 5.1

    Been looking around the site of Cisco to check if Cisco Secure ACS 5.1 will fit with CSM 3.3

    The best I could find this: http://www.cisco.com/en/US/products/ps6498/products_configuration_example09186a00808eada8.shtml#tabcom

    Claiming that the CSM 3.2 works with ACS 4.2

    I assume that, because of the huge difference between 4.2 and 5.x that will not integrate?

    Thanks in advance,

    Bruce

    Bruce,

    Unfortunately, ACS 5.0 is not officially supported for integration with CSM 3.3. As shown in http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.3.1/release/notes/csmrn331.html ACS 4.1 and 4.2 are.

    PK

  • Problem with 2950 and ACS

    Hi all

    I have configured the 2950 as below and properly configured ACS, and I can connect to the 2950 using this configuration. The problem comes after I go to enable and try any command: I get the following error: command authorization failed.

    What have I missed in the config that will allow me to execute commands?

    aaa new-model

    aaa authentication login default group tacacs+ local

    aaa authorization exec default group tacacs+ local if-authenticated

    aaa authorization commands 15 default group tacacs+ if-authenticated

    aaa authorization network default group tacacs+ local if-authenticated

    aaa accounting exec default start-stop group tacacs+

    aaa accounting commands 15 default start-stop group tacacs+

    aaa accounting network default start-stop group tacacs+

    tacacs-server host ***.***

    radius-server key 7 *

    Thanks in advance.

    Bruno

    Hi friend

    AAA of the switch seems ok, maybe you need to take a look at your ACS.

    Check the following information, where you have to apply it in your ACS config:

    http://www.Cisco.com/en/us/products/sw/secursw/ps5338/products_configuration_guide_chapter09186a00801fd6fc.html#wp676529

    If it helps, please note or ask another question.

    Kind regards

    Rafael Lanna

  • Upgrade CSM and ACS

    1. Cisco ACS / Solution Engine (according to me, the dedicated device, unknown version)

    2. Cisco Security Manager 3.1

    Are updates possible, or buy the latest version of the product is the only way out?

    What do we need for the upgrade?

    Are there specific codes or new need to buy new products?

    In case of purchase of new products, which are the configurations?

    Your response will be appreciated.

    The ACS unit has been released with at least three different major versions - 3.x, 4.x and 5.x. If you have ACS 4.2 on an 1120 device, you can proceed to the latest (5.3) on the same hardware. Anything else will require a new device (or use a VM solution).

    Please see the ordering guide and the migration guide for this information.

    For the CSM, to upgrade you would need to go to 3.3 first, then to the current version of CSM (4.2). The necessary licenses are described in this product bulletin.

    It would probably be easier and cleaner to just build a new installation in both cases. Both products' architecture and DB schema have changed significantly. The upgrade SKU will probably save on licensing fees, even though the two products have undergone changes in how they are licensed.

    Note that CSM will come out with a new version 4.3 later this spring.

  • Features of WCS and order info

    Hello!

    as described in:

    http://www.Cisco.com/en/us/prod/collateral/wireless/ps5755/ps6301/ps6305/product_data_sheet0900aecd802570d0.html

    Cisco WCS Plus

    • Support of Cisco WCS deployment on a single server

    • Supports mobility services enablement, availability and the ability to track the location of a single Wi-Fi device or tag on request

    and

    Cisco WCS Location

    • Support of Cisco WCS deployment on a single server

    • Includes location services to support the tracking of a single Wi-Fi device on request, or extended location functionality by adding a Cisco wireless location appliance.

    • Cisco WCS Location must be installed to support the deployment of a Cisco wireless location appliance.

    Does this mean that it permits tracking of clients through the WCS interface without deploying the location appliance?

    What are the differences between PLUS & LOC licenses? (There is no difference between WCS-STANDARD-K9 + WCS-APLOC-50 (or AIR-WCS-WL-1.0-K9) and WCS-STANDARD-K9 + WCS-PLUS-50, apart from HA on the PLUS license, is there?)

    You can track a single client by drilling down to the client without the location appliance.

    Adding the location appliance allows you to track several clients/tags/rogues on the maps that you configured.

    Base was without location.

    Plus (renamed from Location) is Base + location.

    These are old part numbers and should not be used:

    AIR-WCS-WL-1.0-K9 (Windows Location)

  • Prime and ACS View Server Integration

    Can someone point me in the right direction for a good doc on implementing Prime (1.3) with an ACS View (5.1) server?

    Guy: I was doing a little research on this topic and I just wanted to add that there is not much config that we have to do on the ACS.

    All you need is to run this command on the ACS CLI: "acs config-web-interface view enable".

    On Prime, we already have the IP and port information of the ACS View server. In addition, integrate Prime with ACS using an account with super admin privileges. The default acsadmin has super admin rights, so we can use it on the Prime side, or you can create a specific account on ACS and assign it the super admin role under System Administration > Administrators > Accounts > new account.

    Once this is done, please try to shoot balls of NCS and let me know how it goes.

    Jatin kone
    -Do rate helpful posts-

  • ASA5520 and ACS 4.0 - AnyConnect WebVPN (Clientless SSL Tunnel) does not downloadable ACLs (DACL)

    I'm having a lot of problems called "Clientless SSL-Tunnel" AnyConnect VPN sessions - i.e. those that are enacted by visit https:// via a browser, and let the Java/ActiveX plugin will automatically run Fat Client AnyConnect VPN for you - downloadable ACL honor.

    Our installation is integrated via RADIUS Cisco ACS 4.0.

    Dynamic group-> connection profile strategy seems to work for either (direct according to AnyConnect VPN Client heavy or indirectly via a browser-> /Java Client ActiveX), however, our only downloadable ACL take affect if the user instantiates the SSL VPN via AnyConnect VPN Client Fat; first of all, users who access the site through the "Browser-> https://" route seem to have no ACLs applied to all?

    I understand that I can change the custom "Cisco VPN/3000/etc" RADIUS parameters, such as 'WebVPN-filters' and 'WebVPN-Access-List', to apply an ACL configured locally on the ASA firewall, but what do I have to configure to make the "WebVPN/Clientless-SSL-Tunnel" sessions honor the DACL that our ACS sends?

    It is a known problem with some ASA software versions; see Cisco bug CSCtv19046 - DACL is not applied to acre during connection via the Web portal. You probably need to update your ASA to 8.4 (4.1) or a later version.

  • 3.3 of the ACS, changed the password of domain and ACS beat

    I did not set up the TACACS+. I want to disable the AD administrator account, but it seems ACS requires it.

    I changed the admin PW and TACACS+ stopped. The ACS Windows services all start using the administrator account. If I change them to use a different domain administrator account, they start, but disabling administrator again breaks TACACS+.

    Ideas?

    Thank you

    I'm not sure your point.

    Once again, your ACS Windows services are run by the Windows AD administrator account. ACS will use this account to connect to AD for user authentication. If you disable the Windows AD admin account or change its password, ACS cannot access AD to authenticate the user. This is probably the reason that TACACS+ authentication failed after you changed the Windows AD admin account. In the ACS external user DB configuration, you should see the Windows AD.

  • What is the difference between Cisco NAC and ACS?

    I am currently part of a new construction project and my Cisco account manager and sales engineer recommend Cisco NAC for our new MDF. I'm confused because I don't clearly know the difference between a Cisco ACS and the NAC. What is the difference?

    Thank you

    Chris

    Chris,

    The two are completely different, maybe the sales rep could present you with more information and application. Each offers a variety of services tailored to the specific needs. I think that we need to read more in depth on the proceeds of the NAC. NAC seems an excellent solution for authentication authorization but other regulatory compliance.

    When you see ask your representative to sales for more information/demo.

    ACS is more widely use as a central point to access control to network devices routers, an example is for acs accounting management and the authority to order on all devices on the network using acs as RADIUS server. Considering that the NAC is over a central point of safety inspection on earlier systems of access to your network by via LAN or outside, an example of these respected regulatory defined could be inspections could be virus definition checks before getting lan access thus preventing access to the LAN if the system does not have regulatory compliance defined in NAC access is denied. Another example could be the unknown local host connections etc... So, it seems that NAC is a much broader product that provides endpoint security internal, not only the authentication authorization as acs... ACS has been there for a long time, NAC is rather new product.

    NAC

    http://www.Cisco.com/en/us/NetSol/ns466/networking_solutions_package.html

    http://www.Cisco.com/en/us/solutions/collateral/ns340/ns394/ns171/ns466/ns617/net_qanda0900aecd800fdd6f_ns466_Networking_Solutions_Q_and_A.html

    ACS

    http://www.Cisco.com/en/us/products/sw/secursw/ps5338/index.html

    Rgds

    Jorge

  • SSL VPN from Cisco ASA and ACS 5.1 change password

    Dear Sir,

    I'm trying to set up ASA to change the local password on ACS 5.1. When a user accesses with SSL VPN and the password on ACS 5.1 has expired, ASA will show a dialog box or pop-up to change the password. But it doesn't work. I'm trying to set this up with the password management feature on ASA. When I enable password management it doesn't work and the password can't be changed. Could you advise me about this problem?

    Thank you

    Aphichat

    Hi Aphichat,

    Go to the link below for the password change prompt via AEC in ASA:

    https://supportforums.Cisco.com/docs/doc-1328;JSESSIONID=A51E68318579261787BD60DDA0707819. Node0

    Hope to help!

    Ganesh.H

    Don't forget to note the useful message

  • Question about the attributes Active Directory and ACS 5.2

    To authenticate on our wireless, our ACS server checks to ensure that a node is a member of a specific group of computers.  When we disable the computer account, the ACS server continues to pass the authentication despite the account being disabled. This isn't the only thing that is checked; we also check for a valid certificate issued by our CA.  Regardless, if the computer account is disabled I would like the ACS server to fail the authentication.  Is it possible to map an attribute of the computer account to a RADIUS attribute?  Or simply configure the ACS server to check a flag on the AD attribute?

    Specifically, here's what we see in the steps section for a machine whose account has been disabled:

    24475 account user or host is disabled; setting the IdentityAccessRestricted flag to true.

    I want it to see this 'true' flag and fail authentication, but it does not work.  Any suggestions?

    The IdentityAccessRestricted attribute that is referenced in the steps is an additional attribute that can be used in authorization conditions.

    It is set to true if the account is disabled, outside the period of access, etc.

    This gives flexibility when AD attributes are retrieved for use in authorization conditions and will allow the request to be rejected if the flag is set.

    To do this, add a new condition in the authorization policy:

    If (AD1->IdentityAccessRestricted) == TRUE, select the authorization profile that denies access

  • PIX and ACS ACL downloadable Question

    Good day to all,

    I'm just working on a project to test using a PIX 535 and a cisco ACS (we use RADIUS) and I need to know what order the pix acl is applied.

    On the pix, we have a set of rules (https, ssh), then the user get authenticated and they get more rules (https, ssh, pop3, imap, im). It works well, but now we have a problem, can you use rules ACSACL to remove the default rights within the rules on the pix?

    Basically I'm curious to know in what order the PIX parses ACLs (ACSACL and then PIX ACL, PIX ACL then ACSACL, or none of the above).

    Any links to more information would be great.

    Thanks for any information,

    Brian

    I did some tests with ACLs applied by a RADIUS server on a PIX 525 running 6.3.3.

    In my particular case, the user is a remote VPN connection. I applied an ACL on the external interface, and then on the shelf, I applied the specific user against another ACL.

    The ACL on the external interface is applied first. The downloadable ACLs cannot add services that are not listed in the other ACL; however, they can deny and remove services.

    You use your ACLs in a different way than I do. I use a third-party RADIUS server and apply the extended ACL via the Filter-Id attribute.

    See you soon,

    -Joshua
