ACS is serving

Hello world

ACS is set to purge the data every day or at the end of the month, according to the parameters. But can someone please explain what "purge data" means exactly? What information is actually deleted?

Thank you

Hi Haider,

The Monitoring & Report Viewer database manages large volumes of data. When the size of the database becomes too large, it slows down all the processes. You don't need all the data all the time. Therefore, to effectively manage data and make good use of the disk space, you must back up your data regularly and purge unwanted data that uses up necessary disk space. Purging data deletes it from the database.

Tags: Cisco Security

Similar Questions

  • ACS secondary server does not authenticate users through 3850 WLC

    HI - I have a question that my secondary ACS server does not authenticate users when the primary is taken offline.  My configuration is:

    3850 WLC by using the code version 03.07.00E

    ACS Version 5.6 (primary/secondary)

    The two ACS servers added to WLC (ACS-NLBP-01 (primary) / HEN-ACS-01 (secondary)), defined in the Group server (ACS_AUTH) and also the method list (ACS_AUTH).  List of the ACS_AUTH method is then applied to the SSID.

    A 'test of ACS_AUTH aaa server group' command for the two outcomes of ACS server as a result of access.  Communication IP/Radius is operational between WLC and two ACS servers.

    configuration of 3850 also attached for reference.

    Any help would be appreciated.

    Thank you

    Scott

    Please add the commands listed below and test again when you can.

    # radius-server deadtime $min$
    # radius-server retransmit 1
    # radius-server dead-criteria time 5 tries 1

    Configuring settings for all RADIUS servers

    HTH

    ~ Jousset

  • 3005 integrated VPN with ACS and server RSA auth

    Hi guys, I have a VPN 3005, using the version 4.7.2.B version, and I have the following problem.

    When a remote user using the Cisco VPN client tries to connect to the VPN 3005, it must try twice to authenticate.

    On the first attempt, the user is authenticated, but the connection is immediately terminated by the peer.

    After the second attempt, the user is authenticated ok.

    Pablo,

    When you use RADIUS authentication on the concentrator, the ACS server will automatically send all the attributes of the user to the concentrator for the user who is connecting. There is no need to configure authorization on the RADIUS server.

    According to the logs, it looks like the IP pool is the problem.

    [GroupP] user group [tuser] obtained IP addr (192.168.32.128) before launching the Cfg Mode (active XAuth)

    Subnet mask of the user [tuser] sending [GroupP] (255.255.255.224) group to the remote client

    User group [GroupP] [tuser] attempt to assign network or broadcast IP address, remove (192.168.32.128) of the

    After that, I see the client negotiate again and the client is connected.

    Thus, the IP address is removed from the pool. Please make sure that you set up a pool that does not have a broadcast IP address.

    Thank you

    Gilbert

    Write it down, if this post can help.
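The pool problem described in the reply above, as an added example that is not part of the original post: it lists the pool addresses that are a network or broadcast address under the mask sent to clients, and the ranges that remain usable. The address 192.168.32.128 and the mask 255.255.255.224 come from the log lines; the pool end addresses and the function names are constructed for illustration.

```python
import ipaddress


def _bounds(first, last):
    """Parse and validate the pool boundaries, returned as integers."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if end < start:
        raise ValueError("pool end precedes pool start")
    return start, end


def unusable_pool_addresses(first, last, mask):
    """Addresses in [first, last] that are the network or broadcast address
    of their subnet under `mask` (the mask pushed to the remote client)."""
    start, end = _bounds(first, last)
    # ipaddress accepts dotted netmask notation and rejects invalid masks.
    prefix = ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
    if prefix >= 31:
        return []  # /31 and /32 have no separate network/broadcast address
    size = 1 << (32 - prefix)
    bad = []
    base = start - (start % size)  # network address of the first subnet touched
    while base <= end:
        for candidate, kind in ((base, "network"), (base + size - 1, "broadcast")):
            if start <= candidate <= end:
                bad.append((str(ipaddress.IPv4Address(candidate)), kind))
        base += size
    return bad


def usable_ranges(first, last, mask):
    """Split the pool into contiguous ranges that avoid the addresses above."""
    start, end = _bounds(first, last)
    bad = {int(ipaddress.IPv4Address(a))
           for a, _ in unusable_pool_addresses(first, last, mask)}
    ranges, run_start = [], None
    for addr in range(start, end + 1):
        if addr in bad:
            if run_start is not None:
                ranges.append((run_start, addr - 1))
                run_start = None
        elif run_start is None:
            run_start = addr
    if run_start is not None:
        ranges.append((run_start, end))
    return [(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b)))
            for a, b in ranges]


if __name__ == "__main__":
    # Constructed pool: starts at the address from the logs, /27 mask from the logs.
    pool = ("192.168.32.128", "192.168.32.159", "255.255.255.224")
    for addr, kind in unusable_pool_addresses(*pool):
        print(f"{addr} is a {kind} address and will be dropped from the pool")
    for lo, hi in usable_ranges(*pool):
        print(f"usable range: {lo} - {hi}")
```
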

  • Prime and ACS View Server Integration

    Can someone point me in the right direction for a good doc on integrating Prime (1.3) with an ACS View (5.1) server?

    Guy: I was doing a little research on this topic and I just wanted to add that there is not much config that we have to do on the ACS.

    All you need is this command on the ACS CLI: "acs config-web-interface view enable".

    On Prime, we already have the IP and port information of the ACS View server. In addition, integrate Prime with ACS using an account with super admin privileges. The default acsadmin has super admin rights, so we can use it on the Prime side, or you can create a specific account on ACS and assign it super admin rights under System Administration > Administrators > Accounts > New Account.

    Once this done, please try to shoot balls of NCS and let me know how it goes.

    Jatin kone
    -Does the rate of useful messages-

  • ACS any Version with Windows Server 2008 R2 64-bit domain controller

    Hi all

    Is there any version of ACS is currently working with Windows Server 2008 R2 domain controllers?

    Our server controls has recently upgraded domain controllers to 2008r2 and off 2003 servers. This did not our ACS 4.1.4 really happy.

    I read now several messages about problems with the ACS and Server 2008r2 and hope to find a solution (not to mention that switching to LDAP, yukk).

    Thank you

    Pato

    ACS currently cannot be installed on a server running Windows 2008 R2.

    As an alternative, you can install ACS on a member server. ACS uses the local machine's net API for authentication, so authentication against a 2008 R2 domain will work. The Remote Agent can also be installed on a 2008 R2 server if you use devices.

    If you install ACS on a member server instead, here is how to configure the services to authenticate properly with the domain:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/installation/guide/Windows/postin.html#wp1041304

    -Jesse

  • AAA / adding additional ACS server

    Hello guys,

    You need to install AAA proposed plan as attaché. We used the current configuration for a very long time for our facilities and data centre devices. Now we want to add a more updated ACS apart from the existing two and need to point out all the data center on the new ACS server devices.

    Is it possible to set up groups of many materials and separate ACS server for defined groups? If possible please let me know the commands, and if not, please let me know the two ways.

    Hope you could understand my needs and the current configuration. PFA...

    Thanks in advance!

    Best regards

    Anurag.K

    Hi Anurag,

    You can add the new ACS/TACACS+ server and have this server at the top of the sequence.

    tacacs-server host 10.16.2.10
    tacacs-server host 10.16.2.8
    tacacs-server host 10.16.2.9
    tacacs-server key xxxxx

    If you really want to create a separate group for the new ACS/TACACS+ server, then you must have the configuration shown below.

    aaa group server tacacs+ GROUP1
     server 10.16.2.8
     server 10.16.2.9
    aaa group server tacacs+ GROUP2
     server 10.16.2.10
    aaa authentication login default group GROUP1 group GROUP2 line

    Let me know if you have any doubts.

    ~ BR
    Jatin kone

    * Does the rate of useful messages *.

  • where is the secret field shared for the ACS 5.3 server itself?

    Hello

    We currently have a distributed PR and DR ACS 5.3 installation, implemented with TACACS+ and one RADIUS device.

    The RADIUS device is AppResponse Xpert Admin, from Opnet. We are trying to integrate AppResponse Xpert Admin with ACS.

    The GUI for AppResponse Xpert Admin request the ip address of the radius server - IE our ACS, RADIUS port - is to say 1812 and 'secret' - I assume that means the secret shared real AEC itself (not the shared secret used by network devices).

    On our ACS 4.2 systems, we have a field for a secret shared on the ACS itself Server (to allow replication?).

    Using the search function for "Shared Secret" in the PDF "User Guide for Cisco Secure Access Control System 5.3", I have only found references to defining one for network devices and not a field for the ACS itself.

    A shared secret of the ACS server is still topical for the 5.x ACS system?

    Hi Stuart,

    To answer your question:

    There is no shared secret for the ACS itself.

    If the ACS needs to communicate with another device, you must define an AAA client and define a shared secret.

    ACS 4 used this shared secret to protect/secure replication; in ACS 5, replication is secured by encryption and not by shared secrets (hash).

    Rate if useful

  • Accounting ACS logs to Syslog server

    Dear Experts,

    We use Cisco Secure ACS 4.2 in our organization, where TACACS+ accounting has been turned on for AAA clients. Currently, ACS logs the accurate CLI accounting information.

    Is it possible to push these accounting logs to a syslog server? For example, here's a scenario.

    A user connected to the Cisco device at 10:00, configured the device with 5 commands and logged out at 10:05. These must be alerted/logged from the ACS to the syslog server.

    Kindly advice...

    Best regards

    Shiji

    Shiji,

    Yes you can.

    Go to System -> Logging Configuration, and on that page you can configure which logs must be sent to the syslog server.

    HTH

    Amjad

    Rating of useful answers is more useful to say "thank you".

  • ACS 3.2 - users 'ghosts' of a group

    It is a bit of a strange. We run ACS 3.2 (1) on a Windows 2000-based computer. We have about 30 groups for different users. The only group (Group 1) always tells us that we have 30 users that are actually part of the group. The group says 90 users but when you list users there is only 60. I moved all users to a new group and now it says there are 30 users in the group, but when you a list of people, it gives you nothing. I have backed up the database, did a new install of 3.2 (2) on another machine and perform a restore to this area and I always get the same result. I'm trying to find out if the Group has not correctly or if there are 30 users 'ghosts' somewhere! I recently inherited the ACS boxes so I don't know when this problem started.

    There seems to be all known bugs related to this. Has anyone else seen this before?

    Thank you!

    We have definitely corrected the issue and the matter is now closed. What we did was that I sent him a copy of the ACS server backup so he could look at it. He then sent me back a backup file, saying they had found the problem and to restore the backup file to the ACS. The email the TAC guy sent me looked like this:

    "We cannot create a dump.txt on the device; we can basically do it on ACS installed on Windows Server with the csutil -d option.

    This dump.txt is a readable format of the database, unlike the .dmp.

    I loaded the .dmp sent by you on the ACS (Windows Server) at my end, created a dump.txt, corrected it by running the perl script, and then loaded it back on to the ACS server with the -l option of csutil. Then I took a backup of the ACS and sent it. I have checked the .dmp on the device at my end as well to confirm the correction.

    It is basically an indexing problem, caused when the admin deletes users and the link pointers are not deleted in the registry, which is the origin of the problem.

    As discussed, regular backups and running dbcompact should help prevent this problem.

    I have attached the perl script; you can use it if necessary in the future.

    Hope this helps, feel free to contact me if you have further questions. At this point I will go ahead and close the service request, as discussed."

    If you want I can send you the email of the script that the guy sent me. But obviously as it said and what I thought, it's a matter of pointer in the database.

  • Permission of AAA with ACS Shell-games

    Hi all

    I use a router cisco 871 running that version 12.4 (11) T advanced IP Services.

    I have difficulty getting permission to AAA to work properly with ACS.

    I am able to configure ACS fine users and assign them shell and private level 7.

    I then install a set of Shell Auth and enter the issuance of orders and configure.

    When I log in as a user, I get an exec with a level of 7 priv no problem, but I never seem to be able to

    to access global configuration mode by typing in conf (or set up) terminal or t.

    If I type con? It is the only command connect, configure is never an option...

    The only way I can get this to work is by entering the command:

    privilege exec level 7 configure terminal

    I thought the whole purpose of the ACS Shell Set to provide this information to the router?

    It's frustrating

    The ACS server is set up with the Shell Set named Level_7 order authorization

    It is attributed to the relevant groups and I have the 'Unmatched orders' option selected in the 'license '.

    The "unmatched Args allowed" is also selected.

    See an extract of my IOS config below:

    aaa new-model
    !
    !
    aaa group server tacacs+ ACS
     server 10.90.0.11
    !
    aaa authentication login default group ACS local
    aaa authorization exec default group ACS
    aaa authorization commands 7 default group ACS local
    !
    tacacs-server host 10.90.0.11 key cisco
    !
    !
    privilege exec level 7 configure terminal
    privilege exec level 7 configure
    privilege exec level 7 show running-config
    privilege exec level 7 show
    !

    Hope you can help me with this one...

    PS I tried with orders of privilege on the router and remove the router and just keep getting the same results!

    Hello

    So now,

    You're actually using two different options and trying to couple them together. What I would say is that you either use the shell command authorization feature or play with privilege levels, not both mixed together.

    The above scenario might work if you move the commands to level 6 and give the user privilege level 7. I can't be sure. Try it and share the results.

    What I suggest is that you move the commands back to their normal level.

    Provided below are the steps to set up shell command authorization:

    -------------------------------------------

    Follow these steps on the router:

    -------------------------------------------

    ! - <username> is the desired username
    ! - <password> is the password
    ! - We create a local username and password
    ! - in case we are not able to get authenticated via
    ! - our TACACS+ server. To provide a back door.
    username <username> privilege 15 password <password>

    ! - To apply the aaa model on the router
    aaa new-model

    ! - The following command specifies our ACS
    ! - server location, where <ip-address> is the
    ! - IP address of the ACS server, and
    ! - <key> is the key, which must be the same on the ACS and the router.
    tacacs-server host <ip-address> key <key>

    ! - To get users authenticated through ACS when they try to log in.
    ! - If our router is unable to reach the ACS, we will use
    ! - the local username and password that we created above. This
    ! - prevents us from being locked out.
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local

    ! - The following commands are for accounting of the user's activity
    ! - when the user is logged in to the device.
    aaa accounting exec default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+

    --------------------

    ACS configuration

    --------------------

    [1] Go to 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'.

    Provide any name for the set.

    Provide a sufficient description (if necessary).

    (a) For a full administrative access set:

    In Unmatched Commands, select 'Permit'.

    (b) For a limited access set:

    In Unmatched Commands, select 'Deny'.

    Then, in the box above the 'Add Command' button, type in the main command, and in the box below 'Permit Unmatched Args', provide the sub-commands allowed.

    For example: if we want the user to have access only to the following commands:

    login
    logout
    exit
    enable
    disable
    show

    Then, the configuration should be:

    -----------------------------------------------
    Permit unmatched Args
    -----------------------------------------------
    login permit
    logout permit
    exit permit
    enable permit
    disable permit
    configure permit terminal
    interface permit ethernet
    permit 0
    show permit running-config
    ------------------------------------------------

    In the example above, the user will be allowed to run only the above commands. If the user tries to run 'interface ethernet 1', the user will get "Command authorization failed".

    [2] Press 'Submit'.

    [3] Go to the group to which we want to apply this command authorization set. Select 'Edit Settings'.


  • Cisco ACS and Pix Firewall

    I have configured the aaa authentication in the pix firewall to use the ACS RADIUS Server for verification of the user. If the ACS server becomes unavailable, then I cannot connect to the pix firewall.

    In the router, I have the configuration option

    aaa authentication login default group tacacs+ local

    that tells the router to first look for a radius server and, if it is not available, to connect through the local database.

    Is there an option in the Cisco pix firewall to connect using local information if ACS is not available?

    Thanks in advance

    Hello

    PIX back up method to entered the unit in the event of server failure aaa works on 6.3.4 code and above. In the codes plus late 6.3.4 If the RADIUS server fails it is impossible to get in unless password recovery. "However if we have not configured for console aaa authentication than user name: pix and password: cisco" works by default.

    Kind regards

    Mahmoud Singh

  • ACS 4.0 with local enable password

    Hello

    I had the following in ACS 3.3 scenario:

    The ACS 3.3 radius server communicates with my Active Directory, so to connect to a router, user and pass go to AD, and then the enable password is stored locally on ACS 3.3. This has been working great.

    Now the same scenario results in an error in ACS 4.0: User unknown CS.

    the only way to get it to authenticate without the AD, the two connection on the router (user and pass), then activate it either locally on ACS4.0

    Please no work around?

    When we use the Windows password for enable authentication it works, but when we choose 'use separate password', enable authentication fails. If this is the case, we are hitting a bug.

    http://www.Cisco.com/cgi-bin/support/Bugtool/onebug.pl?BugID=CSCsd86017&Submit=Search

    CSCsd86017

    ACS 4.0 separate TACACS+ enable password authentication fails

    First Version found in 4.0 (1.27)

    Symptom:

    TACACS+ enable password fails if explicitly set to "use separate password" if you use an external authentication source (for example Windows). The user is able to connect fine, but when they issue the enable command, the user fails authentication and the failed attempts record states:

    "user cs unknown".

    The same configuration works very well if the enable password is set to the Windows password or "use CiscoSecure PAP password" (although it is worth noting that the latter is automatically deleted and effectively becomes the Windows password).

    This is a regression bug; these features worked correctly in 3.3.3 and previous codes.

    Kind regards

    ~ JG

  • Secondary ACS does not authenticate

    I install an ACS secondary, database replication works correctly.

    But when I try to use the ACS secondary server to authenticate the user, I can't authenticate successfully.

    In reports and activities (ACS secondary), it does not appear anything.

    In the primary ACS, in failed attempts, I see an "Unknown NAS" with the IP address of the secondary ACS. It seems the secondary only tries to use the primary to authenticate...

    Where am I wrong?

    Thank you

    Daniele

    Hi Daniele,

    It is because of the proxy setting on the secondary ACS. On the secondary ACS, go to Network Configuration --> Proxy Distribution Table --> and bring your secondary ACS under the 'Forward To' box.

    That should fix it.

    Kind regards

    ~ JG

    Note the useful messages

  • ACS: checking the replication topology

    I currently have two production ACS up and running with everything that I need. I need to enable multiple devices in a partner network to use all the AAA features already configured for my "local" network devices.

    The problem: a direct link between the two ACS areas, or any other direct flow between the two networks, is prohibited. The solution is an intermediary network which can host shared resources and is accessible from both sides.

    So if I'm not mistaken I should be able to replicate from my local network ACS to an intermediate ACS and from there to my ACS in the partner network. So before I put another ACS device in the intermediate network I would like a second opinion on my planned replication topology.

    I added a simple drawing of the planned replication topology.

    All tips are welcome, thanks for reading.

    Roble

    Hi Roble,

    Sorry for the delay.

    (3) correction

    ACS A---> partner B (on request)

    B ACS---> partner C (automatically triggered cascade) AAA - server has

    C ACS---> AAA-server B associate no (manual)

    AAA server: This is the name of the ACS in the AAA servers partners column.

    Kind regards

    ~ JG

  • Issue of ACS UCP

    I have ACS, IIS & UCP installed on the same Windows 2003 server. UCP has been installed recently. IIS configuration was made before the installation of the UCP.

    After installation I tried accessing UCP through the URL http://localhost/secure/login.htm

    I get the login prompt. When I enter the user name and password, I get "cannot display page" Web page. Please let me know the resolution for the same thing.

    1. Done

    2. Done

    3. Done

    4. Done

    5. Done

    6. Done

    7. Done

    8. Done

    9. Restart Windows 2003 Server

    10. From the ACS server itself, launch https://server/secure/login.htm

    11. The Cisco Secure ACS UCP application appears:

    12. Enter an ACS username and password:

    It is said:

    The page is not found

    The page you are looking for has been removed, had its name changed, or is temporarily unavailable.

    Error HTTP 404 - file or directory not found.

    Internet Information Services (IIS)

    More ideas? Thank you.
