ACS 4.2 questions

Dear Experts,

I have a few questions about the ACS.

(1) Is it possible to display the MOTD banner on this version, 4.2.1?

(2) Does it work with TACACS or TACACS+? The audit found that it runs with TACACS; how do I change it to TACACS+?

Thanks in advance.

Cisco Secure ACS 4.2 uses TACACS+. TACACS+ is a Cisco proprietary protocol. When you add any AAA client on ACS, you must select "Authenticate Using TACACS+ (Cisco IOS)" under Network Configuration.

~ BR
Jatin kone


Tags: Cisco Security

Similar Questions

  • Upgrade ACS 4.1 - Remote Agent question

    I've upgraded Cisco ACS 3.2 to 4.1. Having resolved certain issues, we finally got it installed. Now we are facing this problem with the remote agent. Is there a lot of configuration to do for this agent? Here is part of the instructions. I'm not sure exactly what they want me to do. Where is this Cisco computer? Where do we put the Cisco account? We certainly do not have a domain controller on our network called Cisco. Is it better to put this on a domain controller or on a member server?

    Thank you

    Dwane

    Step 1 Add CISCO workstation.

    To meet the requirements of Windows for authentication requests, ACS must specify the Windows workstation from which the user is trying to log on. Because ACS cannot determine this information from the authentication requests that AAA clients send, it uses a generic workstation name for all requests.

    Use CISCO as the workstation name.

    In the local domain, and in each trusted domain and child domain that uses ACS to authenticate users, ensure that:

    • A computer account named CISCO exists.

    • All users that Windows will authenticate are allowed to log on to the computer named CISCO.

    For more information, see the Microsoft documentation for your operating system.

    Go to External User Databases ---> Database Configuration ---> Windows ---> Configure ---> choose the RA remote agent in the drop-down list ---> Submit.

    ACS will now use this remote agent.

    Kind regards

    ~ JG


  • Cisco ACS 4.2: Question about the license...

    Dear Sir

    When I started this project, we started with the demo available from the Cisco Download Center.

    We have purchased a license and we are expecting the CD/DVD with the license.

    But... how can I convert the 'demo' to a licensed version?

    Should I reinstall Cisco ACS?

    How is the license supplied? Is it a registry key? A small file?

    Thanks in advance,

    Make a backup of the current configuration if you want to keep it.

    System configuration > backup ACS > backup now.

    Then, when you get the full version, just run the setup; it automatically detects the trial version and asks whether you want to keep the configuration or not. Check "keep the configuration" and move forward. You'll then have the trial upgraded to the full version.

    There are no registry keys involved.

    Kind regards

    Prem


  • PIX and ACS ACL downloadable Question

    Good day to all,

    I'm working on a project to test using a PIX 535 and a Cisco ACS (we use RADIUS), and I need to know in what order the PIX ACLs are applied.

    On the PIX, we have a set of rules (https, ssh); then the user gets authenticated and they get more rules (https, ssh, pop3, imap, im). It works well, but now we have a problem: can you use ACS ACL rules to remove the default rights within the rules on the PIX?

    Basically I'm curious to know in what order the PIX parses the ACLs (ACS ACL then PIX ACL, PIX ACL then ACS ACL, or none of the above).

    Any links to more information would be great.

    Thanks for any information,

    Brian

    I did some tests with ACLs applied by a RADIUS server on a PIX 525 running 6.3.3.

    In my particular case, the user is a remote VPN connection. I applied an ACL on the outside interface, and then on the RADIUS server I applied another ACL against the specific user.

    The ACL on the outside interface is applied first. The downloadable ACL cannot add services that are not permitted in the other ACL; however, it can deny and remove services.

    You use your ACLs in a different way than I do. I use a third-party RADIUS server and apply extended ACLs via the Filter-Id attribute.

    See you soon,

    -Joshua

  • ACS device groups Question

    Hello

    I have installed ACS with a device group that covers a large number of devices on my network, and I apply rights to it as necessary.

    But now I need to give a group of users access to a single device that is included in this group. I can't create a new device group to cover this single device, as the address overlaps. Is there a way to do this without having to split my existing group into at least 3 groups?

    Hello

    This can be achieved by using Network Access Restrictions (NAR) in ACS.

    With NAR, you can deny/permit access for a user/group based on device/NDG/NAF.

    The following link can give you more details about it:

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

    Note: If you do not see the NAR option, enable it under Interface Configuration.

    ~ Rohit

  • ACS HOW TO USE ADINFO

    Hello

    I need to see which domain controllers are communicating with the ACS. I tried:

    XXXACS02 / admin # acs troubleshooting adinfo - Server
    This command is only for advanced troubleshooting and could suffer a lot of network traffic

    Do you want to continue?  (yes/no) Yes
    Server1.domain.no

    server1.domain.no is a server located at another site, so I don't think it's the primary server that is talking with the ACS. Are there other commands that give this output?

    The location of the server wouldn't matter if we use the default ACS AD configuration. Unless something has changed, ACS uses DNS to resolve all the available domain controllers. You can use the following command to list all the domain controllers that ACS is querying:

     acs troubleshoot adinfo --test 

    Then you can use this command to see which one ACS is currently connected to:

     admin# acs troubleshoot adinfo -a

    This command will also give you the "Preferred Site" output. You can use this field in your AD environment to control which domain controllers ACS uses. For more information, see this link:

    http://blog.priveonlabs.com/sec_blog.php?title=ACS-V5-should-be-able-to-query-only-desired-domain-controllers-Active-Directory-DNS-workaround&more=1&c=1&TB=1&pb=1

    This link also contains a reference to a bug (CSCte92062) which provides some associated ACS configs that you can use to restrict which domain controllers ACS uses.

    I hope this helps!


  • How does ACS check redundancy?

    Hello

    In a router, if you configure the RADIUS server hosts TACACS-1 and TACACS-2, this is how you configure ACS redundancy.  My question is, how does the router check the pulse of each RADIUS server?  By ping or another keepalive mechanism?  What does this command really do behind the scenes?

    What is happening in our environment is that the TACACS-1 Windows service keeps stopping by itself.  We cannot authenticate, and the TACACS service does not switch to TACACS-2.

    Hi Ganesh.H,

    Thanks for the reply.  Looking at the command documentation, it states:

    "If the command is not configured, the timeout interval is 5 seconds."

    So it is configured by default regardless of whether I enter this command or not. However, this command does not work, as the TACACS service does not fail over.  Any other ideas?

    Kevin,

    This command is not configured by default in Cisco switches; the default setting is 5 seconds if you configure "tacacs-server timeout" only, without specifying the time in seconds.

    HTH

    Ganesh.H

  • ACS 4.2.0 two "self" entries

    Equipment: I am running 4.2.0.124 on an ACS SE 1113.

    Question: I get two 'self' entries under AAA Servers.  One is the actual IP of the ACS SE.  I want to get back to a single entry.  Any idea how to get rid of the loop?

    I already tried this from TAC.

      1. Execute the command "SET IP" in the CLI.
      2. Give "No" in the "Use static IP address" field. DHCP will then automatically take an IP address.
      3. Confirm the changes and wait for some time.
      4. Type the SHOW command to check the DHCP IP.
      5. Then execute the command "SET IP" in the CLI again.
      6. Here, set a static IP address by giving "YES" in the "Use static IP address" field.
      7. In the IP address field, give the actual IP address of the ACS.
      8. Then provide the actual subnet mask, default gateway and DNS server.
      9. Confirm the changes.
      10. This process will trigger the correct IP address to show in the GUI page.

    Thanks.

    No, it does not; however, make a backup of the current ACS config before installing the eval copy.

  • Configuration of the Cisco ACS Radius

    Hello

    I'm trying to set up RADIUS authentication on Cisco ACS but have a short question. When I set up my network device group in the AAA Client configuration as one of my device groups, my authentications fail with the failure code "CS invalid password", but when I change my device group to "Unassigned", everything starts working.

    On my AAA client, when authentication fails, I see:

    Server RADIUS audit package fails:

    Please note that the AAA client is a non-cisco device.

    Any suggestions?

    It seems that you run ACS 4.x. You are facing this problem because the key set at the NDG level (network device group XYZ in your case) overrides the key at the AAA client level.  Please make sure that you don't have different secret keys on the AAA client inside the NDG and on the NDG itself.

    Unassigned works because it has no key defined on the NDG.

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/NetCfg.html#wp342738

    "Each device that is assigned to the network device group will use the shared key you enter here. The key that was assigned to the device when it was added to the system is ignored. If the key you enter is null, the key of the AAA client is used."

    ~ BR
    Jatin kone


  • Question of VPN & ACS

    Hello

    It's maybe a stupid question, but I need to learn more about security issues, so here's my question: if remote end users can access their corporate network via secure VPN, then why do we need an ACS solution? Thank you for educating me.

    My examples are not too clear. You are right that you can provide access to the server to your VPN users through AAA filters on the VPN concentrator.

    In the environment where I work, we also use ACS to authenticate wireless users, AS5300 dial-up users, and access to our routers and switches.

    Here is a link that I hope explains it a bit more clearly:

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a5d.html

    HTH

    Steve

  • Create a user group in ACS 3.3 - simple question

    Hello

    I have a simple question:

    How can I create an additional user group in ACS 3.3?

    I don't see the option to delete or create user groups. Perhaps it is not possible?

    Thanks in advance

    All the groups you can have already exist in the group list (0 to 499). To "create" a new group, just rename one of the unused existing groups and use it.

    If you don't see the groups in your list, you must verify that you have access to see all these groups.

    To verify, go to Administration Control and select your admin user ID. In the second table below, marked 'Administrator', you will see the "Available groups" and "Editable groups" sections. Move the groups that you want to use from Available to Editable.

    Submit, and then you should be able to see these groups in the drop-down list in the Group Setup section.

  • Question about ACS 5.1 and expiration of user account

    Hi all

    Is there a setting on ACS 5.1 where you can configure user account expiry? I'm speaking of users configured locally on ACS.

    If not, can you do it with an external DB such as MS AD? How?

    We are looking for a hotspot guest management solution so that we can create temporary users without having to purchase any additional hardware/software.

    Thanks in advance,

    Raga

    Raga,

    Here's the answer to your first question:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/release/notes/acs_51_rn.html#wp122068

    As for being able to do that in AD, it is possible; you can consult the following documentation, which shows how to set AD attributes. I helped a client retrieving the lockoutTime attribute in their AD environment. I don't think that this attribute is present on a 2003 domain controller, because I was unable to replicate this attribute.

    Another approach would be to use userAccountControl:

    http://support.microsoft.com/kb/305144 - set a simple condition: if this value is 512, you can allow access. When you lock the account, it adds the disabled status to the account type, so if it was 512 (NORMAL_ACCOUNT) it becomes 514. The safest way is to see what value you have for the guest account by retrieving the attribute after you create the account, and create a condition which corresponds to this account.

    Let me know if it helps!

    Tarik
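As an added illustration (not part of Tarik's reply or of Cisco's documentation): userAccountControl is a bit mask, so a condition that compares it to exactly 512 stops matching as soon as any other flag is set, for example "password never expires" on a guest account. The Python below uses the flag values documented in KB 305144 and constructed sample values to decode the mask and contrast the equality rule with a bit test.

```python
# Added example: decode Active Directory userAccountControl values.
# Flag values are a subset of those documented in Microsoft KB 305144;
# the sample account values below are constructed for illustration.

UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
    "PASSWORD_EXPIRED": 0x800000,
}


def decode_uac(value):
    """Return the names of all known flags set in a userAccountControl value."""
    return sorted(name for name, bit in UAC_FLAGS.items() if value & bit)


def equals_512_rule(value):
    """The condition as described in the thread: allow only when the value is exactly 512."""
    return value == 512


def flag_rule(value):
    """Bit test: a normal user account that is neither disabled nor locked out.
    AD normally signals lockout through lockoutTime rather than this bit,
    so lockoutTime is still worth checking separately, as the thread notes."""
    blocked = UAC_FLAGS["ACCOUNTDISABLE"] | UAC_FLAGS["LOCKOUT"]
    return bool(value & UAC_FLAGS["NORMAL_ACCOUNT"]) and not (value & blocked)


# Constructed sample values for a guest account in different states.
SAMPLES = {
    "guest, enabled": 512,                       # NORMAL_ACCOUNT
    "guest, disabled": 514,                      # NORMAL_ACCOUNT | ACCOUNTDISABLE
    "guest, enabled, pwd never expires": 66048,  # 512 | DONT_EXPIRE_PASSWORD
    "guest, disabled, pwd never expires": 66050, # 514 | DONT_EXPIRE_PASSWORD
}


def compare_rules(samples=SAMPLES):
    """Map each sample label to (equals-512 result, bit-test result, decoded flags)."""
    return {label: (equals_512_rule(v), flag_rule(v), decode_uac(v))
            for label, v in samples.items()}


if __name__ == "__main__":
    for label, (eq, ok, names) in compare_rules().items():
        print(f"{label:36} ==512: {eq!s:5} bit test: {ok!s:5} {names}")
```

The third sample is the case that matters for a guest account: the equality rule rejects it although the account is enabled, while the bit test still admits it.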

  • Two questions about ACS 5.1: password aging and enabling multiple disabled accounts

    Hello

    I'm testing password aging in ACS 5.1, and I discovered that you can have only one global password lifetime setting for all internal accounts. Is it possible to exclude some internal accounts from this global password aging policy? I would like to have a number of accounts whose passwords should not be aged at all...

    Second question: when I was testing password aging, I set the password lifetime to 4 days with a warning after 2 days. All accounts in my ACS test configuration are now disabled, because 4 days had passed when I changed it. Is there a possibility to enable multiple accounts at once, or do I have to activate 500 internal accounts manually, one by one?

    Thanks in advance

    WM

    I'm not aware of any way to mark internal users as having passwords that never expire. This is done so that admins ensure there is always an admin who can access the system.

    In order to change multiple/all records for internal users, the following approach can be taken:

    1. Go to the list of internal users and press "Export", then "Start Export" and "Save File", to export the user records to a CSV file
    2. Edit the file. In the column titled "Enabled", replace "FALSE" with "TRUE" for all records. Save the updated file
    3. On the page that lists internal users, click "File Operations", select "Update", and then click Next to reach the "Import a file" section of the wizard. Select the file saved in step 2 and click Finish

    After the import is completed, all internal user records should now display "Enabled".
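The edit in step 2 as an added script (not from the reply above and not from Cisco): it flips FALSE to TRUE only in the column that holds the enabled state, so other boolean columns in the export keep their values, which a blanket find-and-replace would not guarantee. The header names in the constructed sample export are assumptions, not ACS's actual export layout.

```python
import csv
import io

# Added example: re-enable every internal user in an exported CSV by
# rewriting one column only. The header names below are assumptions for
# the constructed sample; check them against your own export first.
ENABLED_COLUMN = "Enabled"

# Constructed sample export: one already-enabled user, one lower-case
# "false", and a second boolean column that must not be touched.
SAMPLE_EXPORT = """name,description,Enabled,Password,Change Password
alice,hotspot guest,FALSE,Secret1!,FALSE
bob,hotspot guest,TRUE,Secret2!,FALSE
carol,hotspot guest,false,Secret3!,TRUE
"""


def enable_all_users(csv_text, column=ENABLED_COLUMN):
    """Return (updated_csv_text, number_of_records_changed).

    Only the named column is rewritten; FALSE is matched case-insensitively
    because hand-edited exports are not always consistent.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    if column not in (reader.fieldnames or []):
        raise ValueError(f"column {column!r} not found in export header")
    rows = list(reader)
    changed = 0
    for row in rows:
        if row[column].strip().upper() == "FALSE":
            row[column] = "TRUE"
            changed += 1
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue(), changed


def rows_of(csv_text):
    """Parse CSV text back into a list of dicts, for checking the result."""
    return list(csv.DictReader(io.StringIO(csv_text)))


if __name__ == "__main__":
    updated, n = enable_all_users(SAMPLE_EXPORT)
    print(f"{n} record(s) enabled")
    print(updated)
```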

  • ACS 5.1 Patch 4 question

    OK, maybe a stupid question... when I download the patch from the Cisco site, it indicates that it is a .GPG file; however, once the download completes it appears as a .TAR.TAR file... Am I supposed to rename it? Or am I meant to unzip it somehow? Every unpacking utility I try says that the file contains no archives or is incomplete or corrupted!

    If there is a document that details how to install patches, could someone please post the link.

    Hi Paul,

    It is a browser problem. You must rename the file with the .gpg extension (the original name of the patch file) for a successful patch installation later. In other words, the installation will fail if you leave the patch name with the .tar.tar extension.

    As for your question on how to install the patch, it's in the Readme of the patch; when downloading the patch file itself you would see a link to "Readme for ACS". Here is the link to the Readme for the 5.1.0.44.4 rollup update. Click this link to open the readme file before you click the "Proceed with Download" button to download the patch file.

    Here is the Readme for ACS 5.1 Patch 4.

    http://www.Cisco.com/Web/software/282766937/28141/ACS-5-1-0-44-4-Readme...

    Kind regards

    Cam.

  • ACS 5.2 selection policy/access service attribute question

    Hello

    I use ACS 5.2.0.26 and have configured the Service Selection policy to authenticate PEAP wireless clients based on the domain suffix used by the clients. If I use the RADIUS-IETF attribute User-Name to do this, am I right to say that this corresponds to the "roaming identity" as opposed to the user's actual login id?

    Within Access Services, I can use the System attribute UserName, which corresponds to the user's real login id. My questions are:

    Does the RADIUS-IETF User-Name attribute correspond to the "roaming identity"?

    I can use the System UserName attribute with Access Services, but not, it seems, with the Service Selection policy. Why is this?

    Thank you

    Andy

    Hello

    Does the RADIUS-IETF User-Name attribute correspond to the "roaming identity"?

    -> No. The roaming identity is specific to certain supplicants and doesn't always match the user name.

    If the roaming identity is cleared, %domain%\%username% is the default value.

    When 802.1x MS RADIUS is used as an authentication server, the server authenticates the device using the roaming identity username from the Intel PROSet/Wireless software and ignores the MS-CHAP-V2 authentication protocol user name. This feature is the 802.1x identity supplied to the authenticator. Microsoft IAS RADIUS accepts only a valid username (dotNet user) for EAP clients. When 802.1x MS RADIUS is used, enter a valid user name. For all other servers, this is optional. Therefore, it is recommended to use the desired domain (for example, [email protected]) instead of a true identity.

    I can use the System UserName attribute with Access Services, but not, it seems, with the Service Selection policy. Why is this?

    -> Because this attribute is not valid for the Service Selection policy. It was designed this way... we can't do anything about it.

    HTH,
    Tiago
