ACS 5.1 enabling accounting

Hello

I'm working with ACS version 5.1. My customer's requirement is to be able to check everything that an authenticated user did on the AAA clients.

For that I have to enable accounting. But my problem is that I don't see any option in ACS 5.1 to view the accounting logs.

Please help me in this.

Regards

Ritesh

Select: Monitoring and Reports > Launch Monitoring & Report Viewer

then

... > Reports > Catalog > AAA Protocol

You can then see the options to run TACACS+ Accounting or RADIUS Accounting reports.

Tags: Cisco Security

Similar Questions

  • ACS - ASA authorization and accounting

    Hello

    I have a few questions about authorization and accounting on the ASA via an ACS server.

    1. When I enable the 'aaa authorization command' command for SSH users, I get locked out on the console, so I then have to configure the console, telnet and enable to be authenticated via TACACS+ too. Is it possible to authorize SSH via TACACS+ while keeping the console and telnet authenticated locally, or even with no authentication at all?
    2. I enabled the 'aaa accounting command' command on the ASA, but I noticed that ACS records only configuration-mode commands (privilege 15), not show commands or privilege 1 commands. Is it possible to fix this?
    3. Does RADIUS support shell authorization?

    Thank you for your support

    1.] Unfortunately, it is currently not possible to exclude serial/console or SSH users from command authorization while having it apply to other access methods in the case of the ASA. Once you run this command, it applies to all methods such as SSH, telnet, HTTP, enable and console. This can easily be achieved on IOS (routers and switches) by creating a method list.

    2.] When configuring the aaa accounting command command, every command other than show commands entered by an administrator is recorded and sent to the accounting server(s). This is the default behavior on the ASA. IOS does send/check show commands on ACS/TACACS+.

    http://www.Cisco.com/en/us/docs/security/ASA/asa81/command/ref/A1.html

    Kind regards

    Jousset

    -Rate useful posts-

  • ACS 3.1 user account disabled when failed attempts exceeded:

    I have looked through the ACS 3.1 documentation and can't seem to find the default number of failed password attempts. What I want to know is whether there is a time limit between failed password attempts after which the counter is reset. Does ACS keep an indefinite count, so that after the set number of failed attempts the account locks whether there were 2 minutes or 2 weeks between the failed attempts, or is there some time after which the failed attempts are discarded?

    Thanks in advance.

    There is no timer associated with it. If the user enters an incorrect password 5 times in a row (by default) over any period of time, the account is disabled.

    ACS maintains a counter of the current number of login failures for each account in its database, and it resets it to 0 on a successful login. Theoretically, you can log in 4 times incorrectly, wait a year, and as long as your database is still intact, log in again with an invalid password and the account will be disabled.
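The lockout behaviour described in this thread, modelled as an added example (not ACS code): a per-account failure counter with no time window, reset only by a successful login and tripped after 5 consecutive failures. The class name, the threshold default and the timestamps are assumptions. The optional `reset_window` goes beyond the thread to show what a time-windowed counter would do with the same sequence of attempts.

```python
"""Failure-count lockout as the answer above describes it (added example)."""
from typing import Dict, List, Optional, Set, Tuple


class LockoutPolicy:
    def __init__(self, max_failures: int = 5, reset_window: Optional[float] = None):
        self.max_failures = max_failures      # assumed default, per the thread
        self.reset_window = reset_window      # seconds; None = failures never decay
        self.failures: Dict[str, int] = {}
        self.last_failure: Dict[str, float] = {}
        self.disabled: Set[str] = set()

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one login attempt and return 'ok', 'fail' or 'disabled'."""
        if user in self.disabled:
            return "disabled"
        if password_ok:
            self.failures[user] = 0            # success resets the counter
            return "ok"
        last = self.last_failure.get(user)
        if (self.reset_window is not None and last is not None
                and now - last > self.reset_window):
            self.failures[user] = 0            # windowed variant only
        self.failures[user] = self.failures.get(user, 0) + 1
        self.last_failure[user] = now
        if self.failures[user] >= self.max_failures:
            self.disabled.add(user)
            return "disabled"
        return "fail"


ONE_YEAR = 365 * 24 * 3600  # seconds

Event = Tuple[str, bool, float]  # (user, password_ok, timestamp)


def run(policy: LockoutPolicy, events: List[Event]) -> List[str]:
    """Replay a sequence of attempts through a policy and collect the outcomes."""
    return [policy.attempt(u, ok, t) for u, ok, t in events]


# Constructed scenario from the answer: four bad passwords, a year's pause,
# then one more bad password.
SCENARIO: List[Event] = [("alice", False, 0), ("alice", False, 1), ("alice", False, 2),
                         ("alice", False, 3), ("alice", False, 3 + ONE_YEAR)]


def no_window_result() -> List[str]:
    """ACS-style counter: the fifth failure disables the account, a year later."""
    return run(LockoutPolicy(), SCENARIO)


def windowed_result() -> List[str]:
    """A 10-minute window forgets the stale failures; the fifth attempt counts as one."""
    return run(LockoutPolicy(reset_window=600), SCENARIO)


def success_resets_result() -> List[str]:
    """Four failures, one success, four more failures: never disabled."""
    events = SCENARIO[:4] + [("alice", True, 4)] + [("alice", False, 5 + i) for i in range(4)]
    return run(LockoutPolicy(), events)


if __name__ == "__main__":
    print("no window :", no_window_result())
    print("10-min win:", windowed_result())
    print("reset     :", success_resets_result())
```

The contrast is the point for anyone tuning alerts on ACS failed-attempt reports: with no window, a single bad password that arrives months after four earlier ones still disables the account, so the lockout events you see need not cluster in time.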

  • ACS 5 limited user account

    Hi, I have Cisco ACS 5.2 and I want to create a technician user account with only some commands.

    How can I achieve this?

    Thank you

    Hello

    It is possible of course.

    This document (part of it) shows command authorization on ACS 5.x

    http://www.Cisco.com/en/us/products/ps9911/products_configuration_exampl...

    HTH

    Amjad
    Sent from Cisco Technical Support iPad App

  • Accounting ACS logs to Syslog server

    Dear Experts,

    We use Cisco Secure ACS 4.2 in our organization, where TACACS+ accounting has been turned on for the AAA clients. Currently, ACS logs the CLI accounting information correctly.

    Is it possible to forward these accounting logs to a syslog server? For example, here's a scenario.

    A user connected to the Cisco device at 10:00, configured the device with 5 commands and logged off at 10:05. These must be alerted/logged from ACS to the syslog server.

    Kindly advise...

    Best regards

    Shiji

    Shiji,

    Yes you can.

    Go to System -> Logging Configuration; on that page you can configure which logs must be sent to the syslog server.

    HTH

    Amjad

    Rating useful answers is more useful than saying "thank you".
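What the consumer of those forwarded logs would do with them, as an added example (not ACS code and not ACS's real log format): correlate command-accounting records into per-session summaries matching the scenario in the question (login at 10:00, five commands, logoff at 10:05) and flag sessions that never sent a stop record. The CSV layout, the field names and the records themselves are constructed.

```python
"""Per-session correlation of command accounting records (added example)."""
import csv
from datetime import datetime
from io import StringIO
from typing import Dict, List, Optional

# Constructed records: timestamp,user,device,session,event,command
SAMPLE_RECORDS = """\
2013-03-01 10:00:00,shiji,10.1.1.1,42,start,
2013-03-01 10:00:40,shiji,10.1.1.1,42,cmd,configure terminal
2013-03-01 10:01:10,shiji,10.1.1.1,42,cmd,interface GigabitEthernet0/1
2013-03-01 10:01:30,shiji,10.1.1.1,42,cmd,description uplink
2013-03-01 10:02:05,shiji,10.1.1.1,42,cmd,no shutdown
2013-03-01 10:03:50,shiji,10.1.1.1,42,cmd,end
2013-03-01 10:05:00,shiji,10.1.1.1,42,stop,
2013-03-01 10:02:00,bob,10.1.1.2,43,start,
2013-03-01 10:03:00,bob,10.1.1.2,43,cmd,show running-config
"""

FIELDS = ["timestamp", "user", "device", "session", "event", "command"]
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_records(text: str) -> List[Dict[str, str]]:
    """Parse the constructed CSV layout into one dict per record."""
    return list(csv.DictReader(StringIO(text), fieldnames=FIELDS))


def summarize_sessions(records: List[Dict[str, str]]) -> Dict[str, dict]:
    """Group records by session id: who, where, start, stop and commands run."""
    sessions: Dict[str, dict] = {}
    for r in records:
        s = sessions.setdefault(r["session"], {
            "user": r["user"], "device": r["device"],
            "start": None, "stop": None, "commands": []})
        if r["event"] == "start":
            s["start"] = r["timestamp"]
        elif r["event"] == "stop":
            s["stop"] = r["timestamp"]
        elif r["event"] == "cmd":
            s["commands"].append(r["command"])
    return sessions


def session_duration_seconds(s: dict) -> Optional[int]:
    """Seconds between start and stop, or None while the session is still open."""
    if s["start"] is None or s["stop"] is None:
        return None
    delta = datetime.strptime(s["stop"], TIME_FMT) - datetime.strptime(s["start"], TIME_FMT)
    return int(delta.total_seconds())


def open_sessions(sessions: Dict[str, dict]) -> List[str]:
    """Session ids that have a start but no stop record (still logged in, or lost stop)."""
    return sorted(k for k, s in sessions.items() if s["stop"] is None)


def format_syslog_line(session_id: str, s: dict) -> str:
    """One summary line per session, in a shape a syslog/SIEM rule could match
    (constructed format, not ACS's)."""
    return (f"ACS-ACCT session={session_id} user={s['user']} device={s['device']} "
            f"start={s['start']} stop={s['stop']} commands={len(s['commands'])}")


if __name__ == "__main__":
    summary = summarize_sessions(parse_records(SAMPLE_RECORDS))
    for sid, sess in sorted(summary.items()):
        print(format_syslog_line(sid, sess))
    print("open sessions:", open_sessions(summary))
```

Command accounting only helps if someone reads it; grouping by session is what turns "five records" into "this user changed an interface between 10:00 and 10:05", and a missing stop record is itself worth a look.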

  • ACS, WCS, PEAP, Machine Authentication

    We are building a new wireless network with a new ACS 5.2 unit and new wireless LAN controllers with WCS.  We want to create an encrypted/secure SSID that ONLY the machines managed by us can use to access the LAN.  We are looking for the best solution with a minimum of complexity.  After several internal discussions, we are looking to use PEAP authentication (testing with a self-signed certificate), and then create an access policy on the ACS to validate that the machine is a member of Active Directory.  Unfortunately I can't find a way to validate the machine's membership.  I don't know if I'm missing something or if this is even possible.  If anyone has any suggestions for making this happen, or a better way to handle this, I would appreciate the help.

    What you need is machine authentication. The machine will first authenticate with its credentials (AD account) and then the user authenticates too. This option is available in the Windows client.

    Then, you can also set the ACS to only allow a user to authenticate if the machine was authenticated before.

    You must enable machine authentication on the ACS server (Users and Identity Stores --> External Identity Stores --> Active Directory; check the box to enable machine authentication).

    Also, under Access Policies --> Access Services, on the Allowed Protocols tab, enable the option "Process Host Lookup".

    Create an access policy, enable PEAP-MSCHAPv2/Process Host Lookup, and set the conditions using the identity group and "Was Machine Authenticated", which looks like:

    (1) if Identity Group is the computer group, then allow access

    (2) if Identity Group is the user group and the machine was authenticated, then allow access

    (3) deny access by default

    More details in discussions like https://supportforums.cisco.com/thread/2014145

    I hope this helps.

    Nicolas

    ===

    Remember to rate the responses that you find useful

  • PuTTY and password change issue ACS server

    When a new user is created with the checkbox 'Must change the password at the next logon' checked, ACS does not allow the user to change the password.  The password prompt displays an access denied message. Could someone point me in the right direction to solve this problem?

    I created a new account on the Cisco ACS server and checked the box "user must change password at the next logon". I then used SSH to test the newly created user account using PuTTY. When I SSH to the Cisco devices [switch or router] the password prompt appears and asks me to type the new password. Once I do this I get an access denied message.

    It worked well with SecureCRT. But users do not have SecureCRT; they are supposed to use PuTTY. Users can connect to devices using PuTTY. The problem is when they try to change the password.

    ACS Version: ACS 4.0

    Thank you

    Nachi

    When a user connects to the system via SSH and uses an expired TACACS+ password, he is prompted to change the password. However, this password change does not work correctly.

    To resolve this problem, you must have SSH v2 with "keyboard-interactive" authentication for the SSH v2 client. Cisco bug ID CSCin91851 addresses this problem.

    Symptom:

    When using the router as an SSH server authenticating with a normal SDI/RADIUS backend, authentication works. However, neither the new PIN mode nor the next token mode dialogues complete successfully.

    Conditions:

    Problem only occurs in new PIN mode or next token dialogue mode.
    Specific to SSHv2

    Workaround:

    Use telnet for authentication, or define the vty lines to authenticate against a RADIUS
    (non-SDI) server instead.

    Further problem description:

    Not all SSH clients support the dialogue needed for the new PIN mode or next token mode to work.

  • AAA authentication of VPN3k management accounts

    I see that I can use CS-ACS to authenticate the administration accounts for my VPN3k (ver 4.x). A few questions if anyone knows.

    1. What is the behavior if no AAA server is available? Is console access the only option, or will it revert to the accounts configured locally on the concentrator?

    2. Is there any way other than restricting access to the CS-ACS to limit admin access? In other words, it seems that everyone configured in CS-ACS with an appropriate privilege level and shell permissions will be able to administer the VPN concentrators.

    The privilege level assigned to the user in ACS must match the VPN3000 user privilege level, so that the user gets the privileges assigned in the 3000's GUI.

    The configuration example is somewhat misleading on this; I've been after them to change it for a while. Basically, as soon as you add an AAA Admin Server in the 3000's config, the 3000 will use this external server. The usernames on the 3000 (admin, config, isp, mis, user) at this stage now mean nothing. The only thing that is checked is the privilege level assigned under each of these users, and it is compared with the privilege level assigned on the RADIUS server. So basically, you go under the 3000's "admin" user and set the privilege level to, say, 15, the "config" user gets, say, 11, and the "mis" user gets, say, 9. Then on the RADIUS server you configure your users with Exec (shell) permissions and a privilege level of, say, 15. When this user logs in to the 3000, it gets the rights that the "admin" user has, because the privilege level is the same. If on the RADIUS server you set the privilege level to 9, then he would get the rights available to the "mis" user. The username on the 3000 is meaningless; the only things being matched are the privilege levels, and from there the permissions are assigned accordingly.

    Hope that makes sense. The sample configuration shows a user "admin" being added to the ACS server, but it is misleading because it makes people think that the TACACS+ username must be equal to the 3000 username, and this is NOT the case. The TACACS+ username can be anything, and the user will get the permissions on the concentrator based on which 3000 user has the EXACT same privilege level set.

  • ACS report problem

    Hello...

    I have ACS 2.6(4) and the following problems are happening:

    Authentication and authorization of the NAS work normally, but accounting does not work properly. If I use exec accounting only, the users appear in the ACS 'Logged-in Users' report; OK. If I add command accounting for levels 0, 1 or 15, users appear in the 'Logged-in Users' report, but if I use any command (enable, show..., debug, etc.) the users disappear from the report and those commands are shown in TACACS+ Administration. I tried using ACS 3.1 and accounting works normally.

    Is this a BUG? If not, how do I solve this problem?

    My equipment configuration is:

    ======

    Cisco 2620 (C2600-I-M), IOS Version 12.1(5)T7

    ======

    logging rate-limit console 10 except errors
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication ppp default group tacacs+ local
    aaa authorization console
    aaa authorization exec default group tacacs+ none
    aaa authorization network default group tacacs+ none
    aaa accounting update newinfo
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default arrhythmic group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default power group tacacs+

    ====

    TKS.

    Yep, it's a bug.

    See http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdv61239

  • Upgraded VM of ACS 5.4: disk space warnings

    Upgraded to 5.4 last night and ran into several caveats regarding storage space.  Here is the specific message:

    Warning: [acsDiskSizeCheckUtil.sh] Patch of 1079 M size exceeds the quota allowed 1000 M. it will not prohibit hotfix installation process as long as there's enough disk space. Please note that this indicates that you should consider moving ACS to a superior machine of disk space

    I also note that the 5.5 upgrade notes say you need 500GB or more available for the upgrade.

    The virtual machine was thin provisioned with a 512 GB drive and shows only 84 GB actually used, so a few questions.

    1. Is the underlying operating system used by ACS smart enough for me to simply increase the capacity of the underlying virtual disk and have it recognize the new capacity?
    2. Are there any CLI commands in ACS that will allow me to see/manage the underlying disk capacity?
    3. The documentation says to increase the capacity by either "re-imaging" the virtual machine or installing a completely new instance and restoring the backup of the original.  What exactly does Cisco mean by "re-imaging"?  Are they referring to storage vMotion, where I can change the disk during a migration?

    Thank you for your time.

    My comments:

     Is the underlying OS used by ACS smart enough for me to simply expand the capacity of the underlying virtual disk and have it recognize this new larger capacity

    -Unfortunately, the answer is 'No'. I tried to increase the capacity of a disk in ISE and ACS with root privileges and both times it was a complete failure. Now maybe it was because of my low Linux skills but... in any case, the answer is really 'no'. If you want more disk space you must re-create the ACS VM and then restore/re-build your config.

     Are there any CLI commands in ACS that will let me view/manage the underlying disk capacity?

    -Have you tried to display the records?

     The documentation says to increase the capacity be either "re-imaging" the vm or installing a totally new instance and restoring the backup from the original. What exactly does Cisco mean by "re-imaging" ? Are they referring to storage vMotion where I can change the disk during a migration?

    -Related to the #1 issue. Basically, you blow the current VM and build a new one. Then you restore your configs.

    Thank you for rating useful posts!

  • Import of hosts into ACS 5.0

    Hi all!

    I would like to import some hosts into ACS. I know ACS provides a template as a CSV file, but I cannot download anything. Can you help me?

    Template:

    MACAddress:String (64): Required, description: String (1024), "enabled:Boolean(true,false):Required", HostIdentityGroup:String (256)

    Regards,

    Gyuri

    This is the process for importing hosts in ACS 5.0

    1) Go to

    Users and Identity Stores > Internal Identity Stores > Hosts, press "Import" and then "Download Template".

    2) Open the template file. The first line should be left unchanged. Underneath, the records must be added, with one record for each host.

    An example of the minimum values that must be set for a host is illustrated below:

    11-22-33-44-55-66,,true,   // identity group is left blank and the top-level node is assigned

    The format of each line is:

    Each record occupies a single line. Save the file.

    3) Once the records are created, press "Import". Select the file from step 2, then press "Start Import". The import of the host records should begin. Any errors will be displayed in the progress window.

    Note that ACS 5.0 only allows adding new records. ACS 5.1 can also modify existing records and export them.
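Building and sanity-checking a host-import file of the shape described in this thread, as an added example (not ACS code). The header constant copies the template fields quoted in the question; its exact spacing is an assumption, so set `TEMPLATE_HEADER` to the first line of the template you actually download. The accepted MAC notations, the validation rules and the sample hosts (including the group path) are mine.

```python
"""ACS 5.x host-import CSV: build rows from host data and validate a file
before pressing "Start Import" (added example)."""
import csv
import re
from io import StringIO
from typing import Dict, List

# Header line from the thread (spacing assumed). The "enabled" field is quoted
# because it contains commas. Leave it unchanged on import.
TEMPLATE_HEADER = ('MACAddress:String(64):Required,description:String(1024),'
                   '"enabled:Boolean(true,false):Required",HostIdentityGroup:String(256)')

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw: str) -> str:
    """Accept 11:22:33:44:55:66, 1122.3344.5566, 11-22-33-44-55-66 or bare hex
    and return the dash-separated form used in the thread's example row."""
    digits = re.sub(r"[.:\-\s]", "", raw).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_import_csv(hosts: List[Dict[str, object]]) -> str:
    """hosts: dicts with 'mac' (required) and optional 'description', 'enabled'
    (default True) and 'group' (blank = top-level node). Returns the file text."""
    out = StringIO()
    out.write(TEMPLATE_HEADER + "\n")
    writer = csv.writer(out, lineterminator="\n")
    for h in hosts:
        writer.writerow([
            normalize_mac(str(h["mac"])),
            str(h.get("description", "")),
            "true" if h.get("enabled", True) else "false",
            str(h.get("group", "")),
        ])
    return out.getvalue()


def validate_import_csv(text: str) -> List[str]:
    """Return a list of problems; an empty list means the file looks importable."""
    problems: List[str] = []
    lines = text.splitlines()
    if not lines or lines[0] != TEMPLATE_HEADER:
        problems.append("line 1: header differs from the downloaded template")
    seen = set()
    for n, row in enumerate(csv.reader(lines[1:]), start=2):
        if len(row) != 4:
            problems.append(f"line {n}: expected 4 fields, got {len(row)}")
            continue
        mac, desc, enabled, group = row
        try:
            mac = normalize_mac(mac)
        except ValueError:
            problems.append(f"line {n}: bad MACAddress {mac!r}")
        if mac in seen:
            problems.append(f"line {n}: duplicate MACAddress {mac}")
        seen.add(mac)
        if enabled not in ("true", "false"):
            problems.append(f"line {n}: enabled must be true or false, got {enabled!r}")
        if len(desc) > 1024:
            problems.append(f"line {n}: description longer than 1024 characters")
        if len(group) > 256:
            problems.append(f"line {n}: HostIdentityGroup longer than 256 characters")
    return problems


# Constructed sample input; the group path is an assumed value.
SAMPLE_HOSTS: List[Dict[str, object]] = [
    {"mac": "1122.3344.5566"},
    {"mac": "aa:bb:cc:dd:ee:ff", "description": "Printer, floor 2",
     "enabled": False, "group": "All Groups:Printers"},
]

if __name__ == "__main__":
    text = build_import_csv(SAMPLE_HOSTS)
    print(text)
    print("problems:", validate_import_csv(text))
```

Running the validator before the import catches the errors the progress window would otherwise report one at a time: a modified header line, a MAC in the wrong notation, a duplicate address, or an `enabled` value other than `true`/`false`.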

  • Prime and ACS View Server Integration

    Can someone point me in the right direction for a good doc on implementing Prime (1.3) with an ACS View (5.1) server?

    Hi: I was doing a little research on this topic and I just wanted to add that there is not much config that we have to do on the ACS.

    All you have to have is this command on the ACS CLI: "acs config-web-interface view enable".

    On Prime, we already have the ACS View server IP and port information. In addition, integrate Prime with ACS using a super admin privileged account. The default acsadmin has super admin rights, so we can use it on the Prime side, or you can create a specific account on ACS and assign super admin rights under System Administration > Administrators > Accounts > New Account.

    Once this is done, please try to fire up NCS and let me know how it goes.

    Jatin Kone
    -Rate useful posts-

  • ACS RADIUS 4.2 - wireless - certificates

    I set up our ACS 4.2 server for TACACS+ and also to provide RADIUS authentication for our WLAN, and eventually will use it for 802.1X authentication on the wired LAN.

    I'm not an expert on certificates. I called TAC for assistance installing the self-signed certificate on ACS. This allowed me to build and test my WLAN. Now that I'm close to going live with it, I would like to install a certificate that will expire in 1 year.

    How do most people do this? We have a Windows 2003 server that is the certification authority for other services. Should I do something with this? And how do I get these certificates deployed to most people's clients? By GPO?

    Clearly, I'm not very familiar with certificates and I apologize for this, but reading about them just becomes a source of confusion. If someone could point me in the right direction that would be a great help! Thank you!

    Edit: I should mention that I've been using PEAP with the self-signed certificate, and currently install the certificate manually on my test clients. As it is right now everything on my WiFi works fine: authentication, VLAN assignment, etc. I'm just confused about best practices for the certificate.

    ACS can provide a certificate valid for a year. Using a Microsoft CA you can configure it for 5... 6... 7 years, according to your need.

    It is easy to handle and manage via GPO.

    Two PEAP scenarios:

    Using PEAP without "validate server certificate" ---> easy to deploy, as the cert is required only on ACS.

    Using PEAP with "validate server certificate" ---> the CA cert is needed on every client.

    You can also get the cert from providers such as Entrust, Equifax, Verisign, GeoTrust etc. The advantage with these certificates is that we do not have to install the CA on each client, as it is installed by default on each operating system.

    Hope that helps!

    Kind regards

    ~ JG

    Rate useful posts

  • ACS 3.3, changed the domain password and ACS broke

    I did not set up TACACS+. I want to disable the AD administrator account, but ACS seems to require it.

    I changed the admin password and TACACS+ stopped. The ACS Windows services all start using the administrator account. If I change them to use a different domain administrator account, they start, but disabling administrator again breaks TACACS+.

    Ideas?

    Thank you

    I'm not sure I get your point.

    Once again, your ACS Windows services are run by the Windows AD administrator account. ACS will use this account to connect to AD for user authentication. If you disable the Windows AD admin account or change its password, ACS cannot access AD to authenticate the user. This is probably the reason that TACACS+ authentication failed after you changed the Windows AD admin account. In the ACS external user DB configuration, you should see the Windows AD entry.

  • Cisco ACS 4.2: The most important to back up files?

    Dear Sir

    Can you tell me what are the most important files to back up in the Cisco ACS directory?

    Currently, I am only backing up (with Symantec Backup Exec):

    C:\Program Files\CiscoSecure ACS v4.2\CSAuth\System backups

    * But I would like to know, if my server crashes, can I restore the entire configuration with the files listed in the directory above? (users, groups, device groups, AD mapping, users, groups, ...)

    * Does Cisco ACS change anything in the Windows registry?

    * Is it necessary to reinstall Cisco ACS if I need to put it on a new server in an emergency? I guess yes, because the installation creates services, etc.

    I ask this question because it takes time to install the patches...

    * Or can I save the whole Cisco ACS directory... and on a new server, install Cisco ACS and restore the backup?

    Thank you very much for giving me your experience about it.

    Kind regards

    You should back up the files that come from ACS backups, i.e.

    System Configuration > ACS Backup, the location that is specified in this section.

    And the default location is the one that you already save, for example "C:\Program Files\CiscoSecure ACS v4.2\CSAuth\System backups"

    In case you are required to host ACS on a new server, you would be required to re-install the complete ACS application and then simply take the last backup and restore it in the newly installed ACS. It will restore everything: users, groups, etc., and the external database mappings.

    When you install ACS on a new server, make sure that if you run the ACS services with a service account (this is required for Windows authentication, according to your requirement), you run the new services with this account too, which may require you to go through the following documentation.

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/Windows/postin.html#wp1041202

    Kind regards

    Prem

    Please rate if this helps!
