ACS-TACACS 4.2 to 5.2 upgrade

Hello everyone, we currently run the ACS services on a stand-alone IBM 346 server running Windows 2008 32-bit, and I would like to go to 5.2. We have another identical spare IBM box and would like to know if it can be used. Has anyone had problems going from 4.2 to 5.2 with an intermediate upgrade?

Is 5.2 my best bet?

Thank you!

ACS 5.4 does not support automatic installation of the evaluation license. Therefore, if you need an evaluation version of ACS 5.4, you must get the evaluation license from Cisco.com and install ACS 5.4 manually.

If you don't have a valid SAS contract for the ACS products, you will not be able to download the ISO image from Cisco.com. In this case, you must contact your local partner or Cisco representative for the ISO image.

http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html

Jatin kone
-Do rate helpful posts-

Tags: Cisco Security

Similar Questions

  • ACS 3.3.3 to 4.1 upgrade questions

    We are running Cisco ACS for Windows version 3.3.3. We have recently been acquired by another company that has placed us on their Cisco service contract, but the ACS was not placed on the new service contract because the support that it had has expired. I said that if we have the serial number or license key of our ACS version 3.3, we could add it to the new service contract and be able to perform the upgrade to 4.1. I'm not aware of any place where the serial number or license information is saved. It seems to me that the information would be stored somewhere so that Cisco could validate that the installation is valid for any support that may be needed. From the people I talked to, it was a download rather than a CD when it was first installed, but no one recalls the name of the Cisco reseller we used at that time. I just need to know if there is a way to find the old serial/license key number, so I can provide it to the new Cisco representative. From what I've read, it seems that we would need to buy the 4.1 upgrade, but I am not certain about it. If anyone knows where we can get a license or serial number for Cisco ACS for Windows (not the appliance), or could confirm that a purchase is necessary for the upgrade, I'd appreciate it.

    There is no license or serial number for ACS for windows. In order to upgrade to 4.1 you must purchase a software upgrade contract.

    Without an upgrade contract you cannot move to 4.x.

    Kind regards

    ~ JG

    Rate helpful posts

  • How to turn off enable privilege for ACS TACACS+

    I have an MSFC with the following configuration.

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa accounting commands 15 default start-stop group tacacs+

    I have an ACS v3.0 under NT.

    I have set up an advanced TACACS+ option in the ACS which can set the enable privileges for users. However, the user can still connect to the MSFC and issue the 'enable' command.

    Is there a better way on the ACS to prevent a user from running the 'enable' command, so that they cannot go into enable mode even though they may have the enable secret password that is configured on the MSFC?

    Thank you

    David

    David

    You can use command authorization and deny the 'enable' command.

    So now, on the router, you will have:

    aaa authorization commands 0 default group tacacs+ local

    On the ACS, for that user, under command authorization, add the command enable with deny arguments. Make sure you also have unlisted arguments denied.

    Once command authorization has been enabled on the router, every user will be checked for authorization. So for other users, on the ACS box, make sure that you have unmatched Cisco IOS commands permitted and also unlisted arguments permitted.

    Make the change on the ACS first, and then add the router config.

    Thank you

    Nisha

  • ACS 4.2 to 5.3/4 upgrade

    All,

    We will be upgrading our ACS appliance from an 1113 running ACS 4.2 to a 3415 running ACS 5.3/4. From what I read, I will need to build a migration machine. How is this migration machine set up?

    Dave Draper

    Migration from ACS 4.x to 5.4

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.4/migration/guide/Migration_overview_oper.html#wp1017943

    The migration machine for ACS 4.x will be a Windows server, where you run the Migration utility.

    NOTE: The Migration utility does not support remote desktop connection. You must run the Migration utility on the migration machine or use VNC to connect to the migration machine.

    Jatin kone
    -Do rate helpful posts-

  • ACS TACACS+ via generic LDAP to AD

    Hello

    I have configured ACS to use generic LDAP access to Active Directory via RADIUS. It was very, very easy.

    How can I configure the same via TACACS+? Is it possible to use generic LDAP to AD via TACACS+?

    Thanks for the help

    BB

    In this case, try and set up a generic LDAP external user database, as you have no doubt already:

    http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacs4nt/acs41/user/usrdb.htm#wp491718

    and configure the Unknown User Policy option to check this database.

    As long as you do not use NAPs, TACACS+ should work.

    http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacs4nt/acs41/user/unknusr.htm

  • ACS user configuration - TACACS+ enable password

    When a user logs on for the first time, I need to go into the user configuration and change the TACACS+ enable password from "Use separate password" to "Use external database password" - how can I make this the default?

    Once this change has been made, everything works fine but I want this piece to be automatic.

    Thank you very much!

    It is certainly a change that would be useful - that is, a group setup option that allows global configuration of enable to use the same password as the external DB password. Unfortunately, at the moment this option is not available.

    Jeff

  • ACS 5.6 not able to add or change the device

    Hi all

    ACS 5.6, patch 5-6-0-22-2 installed: when I try to add or modify a device, the result is that the session is disconnected, displaying "user logged out successfully!".

    Does anyone have experience with this issue or any idea how to proceed? It looks and works as if the script of the Submit button has been swapped with the logout script.

    I started to encounter this problem after upgrading from 5.4 to 5.6 and all the above-mentioned patches.

    All already added devices work perfectly.

    Thanks in advance

    ACS TACACS+ global settings page GUI is disconnected

  • Cisco ACS wireless authentication

    Hello guys,

    I'm testing wireless authentication and authorization for my wireless users via ACS 4.2. I have a test version of 4.2 on Windows 2003 for the test. I also have a WLC 5508 and a 3602i in my lab. My AD/NPS and CA are Windows 2008 R2.

    The Windows 2003 server is part of the domain; and on the ACS, I go to External User Databases > Database Configuration > Windows Database > Configure

    From there, I chose my domain name and selected the EAP-TLS machine authentication option. I've also mapped the domain to the group I created in ACS.

    I also see the default RADIUS ports 1812 and 1813 on the ACS.

    On my WLC 5508, I created a WLAN and defined the RADIUS IP as the IP address of the ACS. However, when I tried to join the wireless network, it kept failing.

    I installed the user cert on the laptop for EAP-TLS. If I changed the RADIUS server on the WLAN and pointed it to my AD/NPS, my test laptop was able to join the wireless network through EAP-TLS.

    I'm a little confused about ACS TACACS+. Is TACACS+ only used for logging in to network devices to manage them, or can it be used for regular users for authentication and authorization?

    For example, a wireless user, who is part of the domain, needs to join the corporate wireless network in his office. Can I use TACACS+ for it, or must it be RADIUS via ACS 4.2?

    Thank you

    Yes, that's true, and it applies to wired as well.

    On the ACS, please add the WLC as an AAA client with RADIUS (Cisco Airespace).

    Configuration of the WLC and ACS for the RADIUS settings:

    http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml

    You can visit the link listed below to install the certificate on ACS 4.2:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/peap_tls.html

    ~ BR
    Jatin kone

    * Do rate helpful posts *

  • Integration of ASA with ACS

    Hi all

    I am trying to integrate an ASA (8.6) with ACS (5.7); here is the configuration of the ASA.

    sh run | in aaa
    aaa-server RADIUS protocol radius
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (management) host 10.243.14.24
    aaa authentication http console TACACS+ LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa accounting ssh console TACACS+
    aaa accounting command privilege 15 TACACS+
    aaa accounting telnet console TACACS+
    aaa authorization exec authentication-server
    aaa authorization command TACACS+ LOCAL

    The problem is that I can connect to the ASA, but I can't type any commands in the CLI; I get the error message "Command authorization failed".

    I have the same command sets and shell profiles created for switches, and it works perfectly.

    This is the behavior in the ACS logs:

    1. Once I am authenticated, I can see the logs in ACS with my username.
    2. But when I type any commands, my authorization is denied, and I see in the ACS authorization logs that the username is "enable_15".

    Can someone help me identify what the problem is?

    Thank you
    Reverchon

    This happens when we have command authorization enabled on the ASA and try to run any level 15 command on the ASA. To correct this problem you need to configure enable authentication for a user against ACS/TACACS.

    aaa authentication enable console TACACS+ LOCAL

    After the above-listed command, the ASA will start checking the enable password against ACS/TACACS, and you use the TACACS+ enable password that we can set per user.

    ~ Jousset

  • ACS - ASA authorization and accounting

    Hello

    I have a few questions about the authorization and accounting on the ASA via an ACS server

    1. When I enable the command 'aaa authorization command' to authorize SSH users' commands, I get locked out on the console, so I have to configure console, telnet and enable to be authenticated via TACACS+ too. Is it possible to authorize SSH via TACACS+ while keeping the console and telnet authenticated locally, or even with no authentication?
    2. I enabled the command 'aaa accounting command TAC' on the ASA, but I noticed that ACS records only configuration-mode commands at level 15, not any show commands or privilege 1 commands. Is it possible to fix this?
    3. Does RADIUS support shell authorization?

    Thank you for your support

    1.] Unfortunately, it is currently not possible to exclude serial/console or SSH users from command authorization while having it apply to other access methods in the case of the ASA. Once you run this command, it is applicable to all methods such as ssh, telnet, http, enable and console. This can be easily achieved on IOS (routers and switches) by creating a method list.

    2.] When you configure the aaa accounting command command, every command other than show commands entered by an administrator is recorded and sent to the accounting server or servers. This is default behavior on the ASA. IOS does send show commands to ACS/TACACS.

    http://www.Cisco.com/en/us/docs/security/ASA/asa81/command/ref/A1.html

    Kind regards

    Jousset

    Do rate helpful posts-

  • authentication between the ACS and AD

    Hello

    I would like to know what kind of authentication mechanism ACS 5.1 uses to talk to Active Directory. Does it simply use MSCHAP, MSCHAPv2 or PAP? By default, it uses PAP to talk between Cisco IOS and the ACS 5.1.

    If you look at the default admin tab and click on allowed protocols ---> it mentions PAP.

    Should I use a secure means of transport between the ACS and AD? If so, can anyone tell me the authentication mechanism?

    Thank you

    Any administrative session like telnet, ssh and console always uses PAP as the authentication method.

    PAP communication can be captured and read in clear text. However, since we have TACACS+ in use, it always encrypts the whole packet with the shared secret defined on the IOS device and ACS/TACACS, so if you capture traffic between the radius and the device you won't be able to decipher it without the key.

    In case you have RADIUS, then use SSH (PuTTY), as it can help you with secure communication.

    ACS and AD support PAP, CHAP, MSCHAPv1 and MSCHAPv2.

    However, device administration does not work with any authentication method other than PAP.

    HTH

    Regds,

    Jousset

    Rate helpful posts ~
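
To make concrete what the shared secret in the answer above covers, here is an added example (not part of the original thread) that implements the TACACS+ body obfuscation from RFC 8907 section 4.5: the 12-byte header travels in clear and only the body is XORed with an MD5-derived pad. The session id, key and body below are constructed sample values, not captured traffic.

```python
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body is sent in clear
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n also appends MD5_{n-1}."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def transform_body(header: bytes, body: bytes, key: bytes) -> bytes:
    """XOR the body with the pad; the same call obfuscates and de-obfuscates."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(header)
    if length != len(body):
        raise ValueError("header length field does not match body size")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body  # sender opted out of obfuscation: body is plain text
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    return bytes(b ^ p for b, p in zip(body, pad))


def build_sample():
    """Constructed sample packet (hypothetical values for illustration)."""
    key = b"constructed-shared-secret"
    body = b"constructed authen body: user=alice pass=not-a-real-password"
    header = HEADER.pack(0xC0, 0x01, 1, 0x00, 0x1234ABCD, len(body))
    return header, body, key


if __name__ == "__main__":
    header, body, key = build_sample()
    wire = header + transform_body(header, body, key)
    print("header (clear):   ", wire[:12].hex())
    print("body (obfuscated):", wire[12:].hex())
    print("recovered:        ", transform_body(header, wire[12:], key))
```

Because the pad depends only on header fields and the key, the strength of the shared secret is what protects the body; RFC 8907 itself describes this as obfuscation and recommends running TACACS+ over a secured network path.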

  • ASA 8.2(3): can't 'enable' with TACACS+ ACS 4.2 user at privilege level 10

    I can't enable on the ASA with a user that has a non-15 privilege level set in ACS 4.2 (TACACS+).

    When I enable on an IOS device, it allows it and "show privilege" shows level 10 as expected. ACS must be configured properly, as it works very well with IOS. The user is not defined with explicit settings. The group is set to 'max enable level' 15 and 'shell exec priv level' 15. The enable password is set to the ACS internal PAP password. Works fine in IOS.

    When I enable on the ASA, it fails to enable, and the ACS log says "TACACS+ enable privilege too low". I suspect that the ASA is trying to enable to level 15 explicitly. If I try the command "enable 10" on the ASA, it says:

    Enabling to privilege levels is not allowed when configured for AAA authentication. Use 'enable' only.

    My config (relevant commands only):

    aaa authentication telnet console mmsacs01 LOCAL
    aaa authentication enable console mmsacs01 LOCAL
    aaa authorization command mmsacs01 LOCAL
    aaa authorization exec authentication-server

    Thank you!

    Set the Enable Options on the group, in

    Max Privilege for any AAA Client

    to

    Level 15

    This will allow enable and also limit your shell options to 10 and the command set that you created.

  • AAA / adding additional ACS server

    Hello guys,

    Need to set up AAA as per the proposed plan attached. We have used the current configuration for a very long time for our facilities and data centre devices. Now we want to add one more, updated ACS apart from the existing two, and need to point all the data center devices to the new ACS server.

    Is it possible to set up multiple device groups and a separate ACS server for defined groups? If possible, please let me know the commands, and if not, please let me know the other ways.

    Hope you can understand my requirement and the current configuration. PFA...

    Thanks in advance!

    Best regards

    Anurag.K

    Hi Anurag,

    You can add the new ACS/TACACS server and have this server at the top of the sequence.

    radius-server host 10.16.2.10
    radius-server host 10.16.2.8
    radius-server host 10.16.2.9
    tacacs-server key xxxxx

    If you really want to create a separate group for the new ACS/TACACS server, then you must have the configuration shown below.

    aaa group server tacacs+ GROUP1
     server 10.16.2.8
     server 10.16.2.9
    aaa group server tacacs+ GROUP2
     server 10.16.2.10
    aaa authentication login default group GROUP1 group GROUP2 line

    Let me know if you have any doubts.

    ~ BR
    Jatin kone

    * Do rate helpful posts *

  • ACS upgrade issues 4.2 to 4.2.1

    I have been instructed to upgrade our four ACS servers from 4.2.1.15 to the latest version. The ACS servers are appliance based. I went through the software download page on cisco.com and found this file: cumulative (ACS SE 4.2.1.15.11 app/Acs_4.2.1.15.11.zip patch).

    Can anyone confirm whether this is the latest/best file to download for the latest 4.2 version of the appliance-based Cisco Secure ACS?

    For those who have upgraded to the latest version, can you comment on your experience with the upgrade process or ACS performance after the upgrade? Any issues/warnings about the process or performance after the upgrade?

    Thanks in advance for any useful information that you can provide on this.

    Adil

    I don't see step-by-step installation of the patch documented anywhere, because it is the same as applying the upgrade, and simple too. Here are the steps you need to perform.

    1. Download the patch zip file to any PC, which we will call the upgrade server or the distribution server.
    2. Unzip the patch.
    3. Run autorun.bat (you will see an ACS appliance upgrade window, and it stays in the background. You will also see another IE window launch, which gives you a place to put the host name or IP address of the appliance).
    4. Enter the host name or IP address of the appliance and click on Install.
    5. This will bring you to the login window for the ACS appliance.
    6. Log in to the ACS.
    7. Click on System Configuration.
    8. Click on Appliance Upgrade Status.
    9. Click on Download.
    10. Enter the upgrade server IP address, then click on Connect.
    11. You will see the patch you are trying to install. Click Download Now.
    12. Click on Download again.
    13. Click on apply the update.
    14. Click on upgrade again.
    15. Click on Yes.
    16. Click on Yes.
    17. Click Done.
    18. On the upgrade server, click 'Stop Distribution Server'.

    In order to stop csagent, go to System Configuration > Appliance Configuration (I think).

    P.S. Please open a TAC case if you are not comfortable applying the patch.

    ~ BR
    Jatin kone

    * Do rate helpful posts *

  • ACS 5.2 and AD

    Hello

    We have an ACS 4.1 engine and want to upgrade to 5.x.

    Does the new version 5.2 of ACS allow a user to belong to several AD groups?

    Best regards

    Yes, ACS 5.x allows this.

    But be aware that this is not an 'upgrade'. ACS 5 is a new device and migration is not fully automatic; you really have to plan the whole thing.
