Accounting distribution ACS server
Hello
I wanted to install a patch for ACS solution engine. I would like to know how we can configure the distribution server. I refer to the following document:
I have an XP machine. I extracted the patch into one of the Windows folders. Now when I try to install the patch through the web interface of ACS, I get an error "failed to contact server".
I would be grateful if someone could help me to solve this problem.
Thank you.
Rgds,
Sachin
Sachin,
Find enclosed the doc that explains the whole process.
Kind regards
~ JG
-
SSH no longer works after ACS server "locked up" and had to be reconfigured.
Hello
I have a VPN tunnel between an ASA5520, and a Cisco 891.
I had the 891 configured with the following text:
AAA server Ganymede group + VTY
Ganymede IP source-interface Loopback0
!
AAA server Ganymede group + GANYMEDE-ACS
Server 10.8.x.x
Server 10.16.y.x
!
AAA authentication login CONSOLE none
Connection authentication AAA VTY Ganymede + local group
VTY AAA authorization exec group Ganymede + local
AAA authorization commands VTY 0 group Ganymede +.
AAA authorization commands 15 VTY Ganymede group.
orders accounting AAA 15 VTY arrhythmic group Ganymede +.
orders accounting AAA 15 CONSOLE arrhythmic group Ganymede +.
!
Ganymede IP source-interface Loopback0
!
RADIUS-server host 10.8.x.x touches yadayadayadayada 7
RADIUS-server host 10.16.y.x touches yadayadayadayada 7
RADIUS-server application made
!
line vty 0 4
access-class 1
authorization of VTY 15 orders
exec authorization VTY
accounting orders 15 VTY
VTY login authentication
entry ssh transport
line vty 5 15
access-class 1
authorization of VTY 15 orders
exec authorization VTY
accounting orders 15 VTY
VTY login authentication
entry ssh transport
I can't access the device remotely. I'm sure it has to do with the ACS server, but don't know where to look.
Any help would be greatly appreciated.
Hello
When you say you cannot remotely access the device, are you not able to ssh to the device, or is there no reachability itself?
If ssh is the problem, do you get a login prompt? Any error message? Also, have you checked the ACS logs for any messages?
Regards
Najaf
-
PuTTY and password change issue ACS server
When a new user is created with the checkbox 'Must change the password at the next logon' checked, ACS does not allow the user to change the password. The password prompt displays a message access denied. Could someone point me in the right direction to solve this problem?
I created a new account on the cisco ACS server and checked the box "user must change password at the next logon". I then used ssh with PuTTY to test the newly created user account. When I ssh to the cisco devices [switch or router], the password prompt appears and asks me to type the new password. Once I did this I got an access denied message.
It worked well with secure CRT. But users do not have secure CRT, they are supposed to use PuTTY. Users can connect to devices using PuTTY. The problem is only when we try to change the password.
ACS Version: ACS 4.0
Thank you
Nachi
When a user connects over SSH to the system and uses an expired GANYMEDE password, they are prompted to change their password. However, this password change does not work correctly.
To resolve this problem, you must have SSH v2 with "Keyboard interactive" authentication set for SSH v2. Cisco bug ID CSCin91851 addresses this problem.
Symptom:
When the router is used as an ssh server authenticating against an SDI/RADIUS backend, normal authentication works. However, neither the new PIN mode nor the next token mode dialogue completes successfully.
Conditions:
The problem only occurs in new PIN mode or next token dialogue mode.
Specific to SSHv2.
Workaround:
Use telnet for authentication, or define the vty lines to authenticate against a RADIUS (non-SDI) server instead.
Further description of the problem:
Not all ssh clients support the dialogue needed for the new PIN mode or next token mode to work.
-
local user name and password if the ACS server fails
Hello
I have every router and switch configuration for authentication of the connection via the ACS server. I used these 12 lines below and it works very well. Each engineer has their own account.
AAA new-model
AAA of default login authentication group Ganymede + activate
the AAA authentication enable default group Ganymede + activate
AAA authorization exec default authenticated if
AAA authorization commands 15 default group Ganymede + authenticated if
AAA accounting exec default start-stop Ganymede group.
orders accounting AAA 15 by default start-stop Ganymede group.
Default connection accounting AAA power Ganymede group.
AAA - the id of the joint session
RADIUS-server host x.x.x.x
RADIUS-server application made
radius-server key, regardless of
----------------------------------------------
I would add to this a local username and password so that if the ACS server was offline engineers can still connect with a known default username and password
username privilege 15 secret mypassword MYUSERNAME
line vty 0 4
local connection
Q. How do I make ACS the first preference and only use the local username and password if the ACS server is down?
Kind regards
Kevin
Right now you have the enable password as the fallback method:
AAA of default login authentication group Ganymede + activate
Change 'enable' to 'local' and the local (to the router) database of user names and passwords is used.
The same works for enable authentication (the second line, "AAA authentication ...", in the config that you posted).
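The fallback behaviour this thread asks about, as an added example that is not part of the original posts or of any Cisco code: a simplified Python model of how an AAA method list with a server group followed by the local database is walked. The function names and the `engineer1` / `acs-pass` account are constructed for illustration; `MYUSERNAME` / `mypassword` are the placeholder values from the question.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # a method answered and accepted the credentials
    FAIL = "fail"    # a method answered and rejected the credentials
    ERROR = "error"  # the method could not answer (no server reachable)


def group_method(servers):
    """Server group: ask the first reachable server, ERROR if none is up."""
    def check(user, password):
        for server in servers:
            if not server["up"]:
                continue  # timed out, try the next server in the group
            users = server["users"]
            ok = user in users and users[user] == password
            return Result.PASS if ok else Result.FAIL
        return Result.ERROR
    return check


def local_method(local_users):
    """Local username database configured on the device itself."""
    def check(user, password):
        ok = user in local_users and local_users[user] == password
        return Result.PASS if ok else Result.FAIL
    return check


def authenticate(method_list, user, password):
    """Walk the list in order; only ERROR moves on to the next method."""
    for name, method in method_list:
        result = method(user, password)
        if result is not Result.ERROR:
            return name, result  # PASS and FAIL are both final
    return None, Result.FAIL  # every method errored out


def build_method_list(primary_up, secondary_up):
    """Constructed sample data: two ACS servers, then the local database."""
    acs_users = {"engineer1": "acs-pass"}  # constructed ACS account
    servers = [
        {"up": primary_up, "users": acs_users},
        {"up": secondary_up, "users": acs_users},
    ]
    local_users = {"MYUSERNAME": "mypassword"}  # placeholder from the post
    return [("group", group_method(servers)), ("local", local_method(local_users))]


if __name__ == "__main__":
    for up in (True, False):
        ml = build_method_list(primary_up=up, secondary_up=up)
        for user, pw in (("engineer1", "acs-pass"), ("MYUSERNAME", "mypassword")):
            print(f"ACS up={up} {user}: {authenticate(ml, user, pw)}")
```

While any ACS server answers, a rejection is final and the local account is never consulted; the local username only works once every server in the group is unreachable.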
-
The host 'pop3' could not be found. Please check that you have entered the server name correctly.
I get this message when I try to send an email in Windows:
Account: 'windows mail', server: 'pop3', Protocol: POP3, Port: 110, secure (SSL): no, Socket error: 11001, error number: 0x800CCC0D
Where should I go on my PC to fix this?
In this case, use the settings given here:
Use port 587 instead of port 25 for the SMTP server.
To give you a little history, Windows Mail does not support the HTTP messaging, which for a long time was the only authorized method of access for free Hotmail/MSN accounts. In addition, given that the development of Windows Mail was frozen in July 2006, it has no knowledge that Microsoft enabled POP access for free Hotmail/Live/MSN accounts in February 2009. Therefore, the Windows Mail Account Setup Wizard is hardcoded to reject Hotmail and MSN addresses. To work around this limitation, when you enter your Hotmail/MSN email address, initially use a fake domain, such as * address email is removed from the privacy *. After the account setup is complete, you can go back into the settings and correct your email address.
Gary van, Microsoft MVP (Mail)
------------------------------------------------------
"janhowe" wrote in the new message: * e-mail address is removed from the privacy... *
I use MSN hotmail
-
I have reception problems of the email on the account Windows Live - Server error: 0x800CCC90
I am in England and I've seen problems of email - I can send emails but not receive. Error msg is
Can't send or receive messages for the account.
Server error: 0x800CCC90
Server response:-ERR timeout
Server: 'mail.btinternet.com '.
Windows Live Mail error ID: 0x800420CD
Protocol: POP3
Port: 110
Secure (SSL): No
How can this be solved?
Former title: I have reception problems of e-mail on the Windows Live account
Windows Live Mail error ID: 0x800420CD
This generally means that there is a dubious message on the server that Windows Live Mail will not or cannot download. Connect to the Web e-mail account and start by clearing out the junk mail folders and deleted.
Then, create a new folder and move the contents of the Inbox to the new folder. Try to send/receive again in Windows Live Mail - it works now, or you see an error message? No new e-mail message should appear in the status bar.
You can then return half of the messages to the new folder in the Inbox and then send/receive again in Windows Live Mail. Repeat until the error occurs, if you can identify any rogue message that won't download.
-
Hello
I installed a Cisco ACS server. I am able to use the "remote desktop" to http to the server, however, what can I do if I wanted http in the application of GBA directly?
Rgds
Hello
http://: 2002
HTH
PJD
-
Enable AAA fails on the second ACS server
I have 2 ACS 4.2 servers on Windows 2003, which authenticate with AD. I have configured GANYMEDE + authentication on both for my PIX 515 running version 7.24. GANYMEDE + authentication works fine on both. However, when I use the 'aaa authentication enable console LOCAL ProsperAdminAuth', the enable password only works with the first ACS server. When the first server is unavailable, it fails on the second ACS server and the failed authentication on ACS reports "ACS invalid password". It does not allow the LOCAL password. I checked all the passwords and there is no problem there. I know that for sure, because GANYMEDE auth works. Has anyone seen this issue elsewhere or know what I might try?
Thank you
Vivek
Hello
External database configuration is not replicated between ACS servers, so my guess here is that on your secondary ACS, if you go to external user databases -> unknown user policy, you will find that under "configure enable password behavior" you are on "internal data" instead of "The database which the user profile is required."
-Jesse
-
Design of ACS server question 4.2 - role - based is a limit?
Currently, I've implemented this ACS server.
An ACS group maps to a group of active live in AD. For example, the Group ACS router_access maps to AD group called $f (gbr) raccess. If the user tries to connect to a router and it has this group in its profile AD, that it will be accepted and if not rejected.
If for example, I want to revoke, allow access to some features I use NARS (for example accept connections from devices switch and router).
It works - but this apparently isn't the way I do things.
The best way is to have a group of ads by device group.
EG for access to the router, you must $g (t) of group routers in your AD profile
To get access to switch the Group $g (t) must spend in your AD profile
Now, we hit the problem - the EC will use the first group in your AD profile to apply for pass/fail.
Let as well as John has $g routers and switch (t) $g (t) group in its AD profile. When he tries to connect to a switch, the ACS attempts to use routers $g (t) because it's the first ACS AD Group in his profile. Subsequently, it fails, which means that ACS will not look through several AD strategies.
I hope this makes sense.
Anyway, I can't get it to work because it keeps failing!
Hi Will,
This is a limitation of how ACS 4.x performs operations. It defines everything based on your local user group on ACS as opposed to your ad groups - so the mapping of the group comes first and then everything else comes later.
If you use Radius (this does not apply to the GANYMEDE) you may be able to use the network access profile feature to substitute some access. If for example you can tell if the user is in the local group, but authentication comes from a certain type of device, you can transmit different attributes. However, in terms of blocking, it is always based on the local group you are a member. He can do some additional checking of LDAP group, but I don't know if that will solve your problem.
ACS 5.x takes this to a new level - the entire platform is built like the network access profiles - so you can make rules as granular as you want - that is to say: if you are in a specific AD group (no need to map - we can pull external groups) and it is a router, then send down a permission set with a Pass. If it is a different AD group (or a different device type), then send a failure.
Thank you
Nate
-
AAA / adding additional ACS server
Hello guys,
You need to install AAA proposed plan as attaché. We used the current configuration for a very long time for our facilities and data centre devices. Now we want to add a more updated ACS apart from the existing two and need to point out all the data center on the new ACS server devices.
Is it possible to set up groups of many materials and separate ACS server for defined groups? If possible please let me know the commands, and if not, please let me know the two ways.
Hope you could understand my needs and the current configuration. PFA...
Thanks in advance!
Best regards
Anurag.K
Hi Anurag,
You can add the new ACS/Ganymede server and have this server in the upper part of the sequence.
10.16.2.10 RADIUS server host
10.16.2.8 RADIUS server host
10.16.2.9 RADIUS server host
GANYMEDE server key xxxxx
If you really want to create a separate group for the new ACS/Ganymede server then you must have under configuration shown.
AAA server Ganymede group + Group1
Server 10.16.2.8
Server 10.16.2.9
AAA server Ganymede group + group2
Server 10.16.2.10
AAA authentication login default group GROUP1 GROUP2 line
I want to know if you have doubts.
~ BR
Jatin kone
* Do rate useful messages *
-
ACS server replication request
Hi all
I have two primary & secondary ACS server. New secondary to be deployed in the network server. My primary ACS server got 1000 clients AAA configured with 15000 user id configured in several group profile. My question here is when I have the database replication between primary and secondary, if any database is replicated from my primary server to the secondary as all customers AAA and configuation etc., otherwise it will be the end user interface, profile of the group, replication has restrictions of database.
Totally: AAA & ID customers user will be on the backup of a database or it will reside on different location
kindly clarify me here, thanks.
Hello
The entire database will be overwritten when the database is restored.
ACS database replication allows you to copy various components of the internal ACS database to other ACSs. This method can help you plan a failover AAA architecture and reduce the complexity of your configuration and maintenance tasks.
The components that can be replicated are:
User and group database
Database group only
Network device Configuration tables
WBS
Configuration of the interface
Interface security settings
Password validation settings
EAP-FAST master keys and policies
Network access profiles
Configuration of logging (enable/disable settings)
The following link will give you the details of database replication.
I hope this helps.
Kind regards
Anisha
P.S.: Please mark this thread as solved if you feel that your query is resolved. Note the useful messages.
-
Configuring the ACS server on windows server
Hello
I started to prepare my CCNA security and tried to configure AAA using ACS 4.2 on windows server 2003.
I have configured the router to use the AAA authentication with the laboratory of cbtnuggets from ACS server.
I checked the accessibility of the ACS server to client router and vice versa and also configuration.
The problem is I'm not able to authenticate using the ACS server; the router uses local authentication and I have no idea why the router does not communicate with the ACS server.
Help PLZ.
Configuration of my router from AAA.
===============================================
AAA new-model
!
!
AAA authentication login default group Ganymede + local
exact AAA authentication login group Ganymede + local
AAA authorization exec default local
RADIUS-server host 192.168.1.25 single-connection key ciscoacs --> (192.168.1.25 is the ACS server; the key configured on the ACS server is also ciscoacs)
line vty 0 4
exact connection authentication
================================================
I created a user on ACS server and I believe that when I'm trying to telnet to the router I should use the user name and password configured on the ACS server.
When I try to use it, authentication fails. Also, if the router accepts locally configured user details, then I think there is no communication between the router and the ACS server; GANYMEDE + should be used for authentication, and only if there is no communication between the router and the ACS server should it fall to the local user.
Please help me.
reports and activity--> passed authentication
reports and activity--> failed attempts
Rating of useful answers is more useful to say "thank you".
-
PIX 525 configured for authentication Ganymede + for telnet, ssh etc. access Pix... If Cisco ACS server is not available I can use the Local user database as I do in the world of router. I saw no reference to this
AAA fallback was introduced in version 6.3(4) of the PIX OS. This isn't something I've tried, but this excerpt from an earlier discussion may help you.
See you soon
-
Whence the ACS server get the DNS Info for the IP pools?
I'm changing the DNS servers that my VPN users are assigned from the IP pools on the ACS server. Where do the IP pools get the DNS server information? I changed the IP addresses of the DNS on the windows server and rebooted. But VPN clients are still assigned the old DNS servers.
ACS IP pools do not push the DNS server information.
It is either pushed from the group setup on the VPN concentrator, or
it is sent from the ACS user/group setup > Radius (VPN 3000) attributes > [026/3076/005] primary DNS.
I hope this helps.
Regards
Rohit
-
Windows domain account to view reports / manage the ACS server.
All,
We have a Cisco ACS 5.2 deployment (device). It has existing integration with Active Directory. We use it with RADIUS to authenticate our users wireless and GANYMEDE to manage our network equipment.
The RADIUS reports are useful for other teams (other than my own) in order to resolve account lockouts and passwords (everyone forgets to change the password on their phone).
I would like to give this team and others access to the RADIUS authentications report.
I want them to be able to use their domain account to do this. <------- this is mandatory, based on our security ------->
We tried using an account local and which works very well.
My system tells me that domain accounts cannot access the administrative parts of ACS.
Is this true?
We have the support to allow us to upgrade to the latest version of the ACS.
In ACS 5.4, it is possible to authenticate and authorize administrators against external stores, including AD accounts.