Accounting on ACS 5.1

Dear support members

I have configured the following devices to send accounting information to ACS 5.1 (running on VMware):

Cisco routers & switches

Protocol = TACACS+

Accounting information is sent to the ACS.

&

Wireless controller

Protocol = RADIUS

Accounting information is sent to the ACS.

The two devices above are sending accounting information to ACS, but I can't find a way to access this information on ACS.

How can I view this accounting information? Is it available under Logs (logs of the client), and if so, can these logs be stored locally and accessed by web browser?

Any help will be much appreciated.

Thank you

Ahad

ACS > Monitoring and Reports > Reports > Catalog > AAA Protocol

There you have RADIUS and TACACS+ accounting...

Tags: Cisco Security

Similar Questions

  • Maximum "user accounts" on ACS 5.1

    Is there a maximum number of IDs 'user account' to manage the local database to an ACS 5.1?

    Thank you...

    There is no hard-coded maximum.

    The product has been tested with over 100 K users in the internal database

  • Accounting on ACS 3.3, doesn't seem to work.

    Hi guys,

    I have the following 6 lines configured on our gear: switches, routers & Cisco ASA.

    However, our ACS ver 3.3 does not appear to capture the commands used by the CLI users.

    aaa authentication login default group tacacs+ local
    aaa authentication login VTYLogin group tacacs+ local
    aaa authentication login CONLogin group tacacs+ local
    aaa authentication enable default
    aaa authorization exec default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+

    I have these 13 lines of configuration on our ASA 8.2:

    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host x.x.x.19
     timeout 30
     key cxxxxxxxr
    aaa-server RADIUS (inside) host x.x.x.20
     key cxxxxxxxr
    aaa-server SDI protocol sdi
    aaa-server SDI (inside) host x.x.x.64
    aaa authentication ssh console RADIUS LOCAL
    aaa authentication http console RADIUS
    aaa authentication telnet console RADIUS LOCAL
    aaa authentication secure-http-client

    These 15 lines of configuration I used previously at another organization that I worked at:

    aaa authentication login default line
    aaa authentication login VTYLogin group tacacs+ line
    aaa authentication login CONLogin group tacacs+ line
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 0 default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 4 default group tacacs+
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+

    Your contribution is very much appreciated and evaluated.

    Try looking at the TACACS+ Administration report rather than the accounting report.

  • Accounting on ACS 5 report event

    Hi all

    I remember that in ACS 4.2 we could see all the commands a user typed in the console of a Cisco router, for example, after the user connected to a router (with AAA commands and ACS), by looking at the log entry. When the user typed "show run", you could see it in the accounting log. But in ACS 5.1, where and how do we configure and see them?

    Thank you

    Kamal,

    First, you must configure the device to send AAA accounting info to the ACS box.

    In ACS 5.x, you can find the accounting info in the following place:

    Monitoring & reports > ... > Reports > Catalog > AAA Protocol

  • Adding accounts on ACS using SNMP

    Hi people,

    I use ACS 4.2 and I was just wondering if it is possible to add user accounts by using snmpset? If so, has anyone found any documentation on what needs to be done? I have SNMP running on it and have checked the ACS using snmpget.

    Thank you, S.

    Hi Shane,

    It is unfortunately not possible. You cannot add users via SNMP.
    However, you can add multiple users at once using RDBMS synchronization.

    HTH

    Amjad

    Sent by Cisco Support technique iPad App

  • Read-only account on ACS 5

    Can I create a read-only account on the ACS 5 server? I have the ACSAdmin account.

    Thank you

    Yes

    Go to:

    System Administration > Administrators > Accounts > Create

    Create a new admin with the role of "ReadOnlyAdmin".

    Now log in as the new admin.

  • Accounting distribution ACS server

    Hello

    I wanted to install a patch for ACS solution engine. I would like to know how we can configure the distribution server. I refer to the foll.document:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SCBasic.html#wp288292

    I have an XP machine. I extracted the patch in one of the Windows folders. Now when I try to install the patch from the web interface of ACS, I get an error "failed to contact server".

    I would be grateful if someone could help me to solve this problem.

    Thank you.

    Rgds,

    Sachin

    Sachin,

    Find enclosed the doc that explains the whole process.

    Kind regards

    ~ JG

    Note the useful messages

  • Is there a problem with accounting and 4.1 of the ACS

    Good day to all,

    I just installed a new server with ACS 4.1.

    Once this new ACS 4.1 installation is approved, I will retire my old ACS 3.1 server.

    At this point, the only problem I have with ACS 4.1 is with the accounting.

    For example:

    I used a test router with all the necessary config pointing to my old ACS 3.1. Everything works fine (authentication and accounting). If I enter a command on the test router, it is logged on ACS 3.1.

    Now, if I change the test router to point to the new ACS 4.1, ACS 4.1 will authenticate the test router correctly, but won't log any command that I enter on the test router. I did a capture between the test router and ACS 4.1, and the test router does send the accounting records to ACS 4.1.

    There are many configuration differences between ACS 3.1 and 4.1, but as far as I can see the config on the two ACS servers is as similar as possible.

    Is there anyone out there who has got ACS 4.1 to process accounting properly?

    Any idea will help.

    Thank you

    Frank

    Here is my config:

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login NO-AUTH none
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 start-stop group tacacs+
    aaa authorization commands 15 start-stop group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    !
    radius-server host 192.168.100.16 key *

    (the above command is the only command I change to point to ACS 3.1 or ACS 4.1)

    RADIUS-server application made

    Please use the following link. It has the 4.1 cumulative patch that contains the hotfix for the bug.

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES

    Don't forget to download the readme text also.

    Rate me if it helps.

  • ACS 5.2 - accounts User File Update does not work as expected

    Hello, I have a serious problem with the import of the fixed IP addresses to user accounts in ACS 5.2.

    Because this attribute cannot be migrated directly I try via "file operations--> update". I created the file update model, but entered IP addresses aren't imported - all other attributes can be changed without problem.

    If I try to "Add file operations-->" it works well, but I can't use this option.

    IPv4 address attribute in 'System Administration--> Configuration--> dictionaries--> identity--> internal users' is added correctly and appropriate field is not in user accounts.

    Do you have any idea what can be wrong?

    Hi Michal,

    Yes, I submitted this as a bug recently. It sometimes happens after a migration from ACS 4.

    CSCtk05027 : custom fields for users after migration - import/update does not work

    Try to change one of your user entries. Just add an IP manually to it, for example. Then do the update. It will work for this user, and it will update the IP address.

    The solution is to export all users from your ACS 5, then remove them from the database, and then do a file import with 'Add' instead of 'Update'. A bit of a silly workaround, but the bug should be fixed in future patches (no information on that yet).

    Kind regards

    Nicolas

    ===

    Remember to rate the responses that you find useful

  • ACS 5.4 ASA 8.2.5 disable AAA for the particular user

    Hello!

    I want to disable TACACS+ logging for a particular user. This user is used only for automated (Python script) polling of the ASA VPN tunnel group (limited command set - permission on ACS) to verify the number of users authenticated via VPN. The problem is that this user generates a bunch of authentication, authorization and accounting logs on ACS. Is there a way to disable TACACS+ logs on ACS for this particular user? Maybe it is possible to modify the AAA on the ASA to not log this particular user?

    Thanks in advance.

    Hi Pawel,

    You can create a collection filter for that specific user. When you configure collection filters, the Monitoring & Report Viewer does not record these events in the database.

    Navigate to: Monitoring Configuration > System Configuration > Collection Filters > add a filter

    The following are the attributes that can be used. You must use User.

    - Access service

    - User

    - Mac-add

    - NAS-IP

    Example: We get several hits from the ASA by 'user' and we want ACS to ignore it. Create a filter by using the user. ACS must now ignore any attempt from the IP Address of the NAS.

    Jatin kone
    - Do rate useful posts -

  • Cisco ACS 5.2 with NX - OS (Nexus) devices user - questions

    Hey, I have a really strange problem with Cisco ACS 5.2 and Nexus NX - OS devices.

    I create an account on ACS, let's call him User1 and give privilege 15. With User1, I am able to access on all our IOS, IOS - XE, ASA and PIX devices with privilege 15.

    When I use the User1 account on our NEXUS devices, I do NOT receive privilege 15 access. As you probably know, the NEXUS devices have roles: predefined or custom roles. So I assumed User1 would get the role of "network-admin" (privilege 15 read/write) when logging in, but instead I got the role of 'vdc-operator' (privilege 1 read-only).

    Then I tried to tweak User1 and give it network-admin under the profile Shell > Custom Attributes. I logged in to the NEXUS and of course I was able to get network-admin access. However, my access to ALL other devices (IOS, ASA, PIX, etc.) does NOT work! I am not even able to log in with my login and my password on these devices.

    Has anyone ever experienced this problem? Help, please!

    Thank you

    neocec

    This is a common problem when you mix authorization policies for RBAC and IOS devices. The AV pair that you created must be set to 'optional' instead of 'mandatory'; please make this change and you will be able to access all your devices.

    Thank you

    Tarik
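
Why the 'optional' setting matters, as an added example that is not part of the original thread: a TACACS+ authorization argument written attr=value is mandatory and attr*value is optional, and a client that receives a mandatory attribute it does not understand must treat the authorization as failed. The attribute name shell:roles and the per-device attribute sets below are assumptions for illustration.

```python
# Added illustration: how a TACACS+ client reacts to mandatory vs optional
# AV pairs in an authorization reply. Device attribute sets are simplified
# assumptions, not taken from any device's documentation.
import re

# Attributes each (hypothetical, simplified) client type understands.
KNOWN_ATTRS = {
    "ios": {"priv-lvl"},
    "nxos": {"priv-lvl", "shell:roles"},
}


def parse_av(arg):
    """Split an argument into (attr, mandatory, value).

    '=' marks a mandatory pair, '*' an optional one; the first
    separator found in the string decides.
    """
    m = re.match(r"([^=*]+)([=*])(.*)", arg, re.S)
    if not m:
        raise ValueError(f"not an AV pair: {arg!r}")
    attr, sep, value = m.groups()
    return attr, sep == "=", value


def authorize(client, reply_args):
    """Return (accepted, applied_attrs) for an authorization PASS reply."""
    applied = {}
    for arg in reply_args:
        attr, mandatory, value = parse_av(arg)
        if attr in KNOWN_ATTRS[client]:
            applied[attr] = value.strip('"')
        elif mandatory:
            # Unknown mandatory attribute: the whole authorization fails,
            # which is why the IOS/ASA logins stopped working.
            return False, {}
        # Unknown optional attribute: ignored, login proceeds.
    return True, applied


# Constructed shell profiles: same role, different requirement setting.
MANDATORY_PROFILE = ["priv-lvl=15", 'shell:roles="network-admin"']
OPTIONAL_PROFILE = ["priv-lvl=15", 'shell:roles*"network-admin"']

if __name__ == "__main__":
    for name, profile in (("mandatory", MANDATORY_PROFILE),
                          ("optional", OPTIONAL_PROFILE)):
        for client in ("ios", "nxos"):
            print(name, client, authorize(client, profile))
```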

  • Local use and authentication AD with ACS 5.6

    I have an ACS 5.6 unit configured to use AD authentication for my default network access and rules. It works very well.

    I tried to take some devices, put them in a group and give only locally defined ACS users access to these devices.

    Problem: after creating the local accounts on ACS, creating a local identity group, and trying to authenticate with a device, I always get "object not found in the identity store".

    Is there a way to have hybrid authentication like that? How do we do it?

    Hi Colin,

    One thing that comes to mind is the "identity store sequence". Ensure that you have "internal users" listed in there, otherwise the request would never be checked against the internal users.

    I also want to double check the source of identity under default device admin or any service that you created. Ensure that internal users.

    Take a look at the document below for more details on the identity store sequence.

    https://supportforums.Cisco.com/document/103901/ACS-5x-identity-store-se...

    Kind regards

    Kanwal

    Note: Please check if they are useful.

  • NAC ACS SSO

    Hi all

    I know that there is AD SSO in the NAC. I would like to have SSO with ACS that is integrated with AD. is there any document to show how to configure SSO with ACS Express or ACS?

    Thank you

    Alex

    Alex,

    In short, no - or at least, I have to say that I don't know of any way to do it. To do SSO with ACS, you would be looking at logging in to Windows with RADIUS or TACACS+. This means that the Windows GINA (the Ctrl-Alt-Delete piece of code) should be able to talk RADIUS or TACACS+ with the ACS server.

    Only standards bodies supported on GRP are AD SSO (where connect you to your Windows machine and SSO happens) or RADIUS SSO (kind VPN wireless / installation). The second type is where you can make the accounting on ACS. With AD authentication, I don't know any way so he could be taken into account in the ACS.

    One thing you could do theoretical is to send an accounting package to your express ACS of the CPC or the machine itself, but these are wacky solutions and require a lot of work/trials etc.

    So in short, no :-)

    [EDIT] An option that I had completely forgotten and that could work for your customer is to configure the accounting server on the CCA. In this way, you can connect to AD and still send accounting packets to an accounting server. More information here:

    http://www.Cisco.com/en/us/partner/docs/security/NAC/appliance/configuration_guide/45/cam/m_auth.html#wp1159082

    [END_EDIT]

    HTH,

    Faisal

  • ACS 3.3, changed the domain password and ACS broke

    I did not set up the TACACS. I want to disable the AD administrator account, but it seems ACS requires it.

    I changed the admin PW and TACACS stopped. The ACS Windows services all start using the administrator account. If I change them to use a different domain administrator account, they start, but disabling administrator again breaks TACACS.

    Ideas?

    Thank you

    I'm not sure I get your point.

    Once again, your ACS Windows services are run under the Windows AD administrator account. ACS will use this account to connect to AD for authentication of the user. If you disable the Windows AD admin account or change its password, ACS cannot access AD to authenticate the user. This is probably the reason that TACACS authentication failed after you changed the Windows AD admin account. In the ACS external user DB configuration, you should see the Windows AD.

  • ACS command line login...

    Hello

    I have a superadmin account on ACS.

    With this account, I am able to log in to the GUI but can't log in in CLI mode.

    What could be the problem?

    Hello Tony,

    ACS GUI administrator and CLI administrator accounts are different. You cannot log in with GUI accounts in the CLI.

    You must use CLI accounts created to access the ACS command line. You must have created one during the initial installation of ACS 5.x.

    If this was helpful please rate.
