ACS 5.2 issue

Hey all,

I think this is a fairly straightforward ACS question.  We are looking to set up a new installation of ACS 5.2, and the question came up of whether or not we can use the internal ACS administrative accounts (System---> accounts Administration) to log in to our network infrastructure devices.

I've been looking through the documentation, but I have not found a way to do this, and I'm not sure if this is done for security, i.e., separate accounts/groups depending on what you are trying to administer, or if I'm just missing something obvious...

Thank you-

Jon

No, the system administration account is used for authentication to the ACS user interface.

Sent from Cisco Technical Support Android App

Tags: Cisco Security

Similar Questions

  • ACS 4.2 to 4.2.1 upgrade issues

    I have been instructed to upgrade our four ACS servers from 4.2.1.15 to the latest version.  The ACS servers are appliance based.  I went through the software download page on cisco.com and found this file: cumulative (ACS SE 4.2.1.15.11 app/Acs_4.2.1.15.11.zip patch).

    Can anyone confirm whether this is the latest/best file to download for the latest 4.2 version of the Cisco Secure ACS appliance?

    For those who have upgraded to the latest version, can you comment on your experience with the upgrade process or ACS performance after the upgrade?  Any issues/warnings about the process or performance after the upgrade?

    Thanks in advance for any useful information that you can provide.

    Adil

    I don't see step-by-step installation of the patch documented anywhere, because it is the same as applying an upgrade, and simple too. Here are the steps you need to perform.

    1. Download the patch zip file to any PC, which we will call the upgrade server or the distribution server.
    2. Unzip the patch.
    3. Run autorun.bat (you will see an ACS appliance upgrade window, and it stays in the background. You will also see another IE window launch, which gives you a place to put the host name or IP address of the appliance).
    4. Enter the host name or IP address of the appliance and click Install.
    5. This will bring you to the login window of the ACS appliance.
    6. Log in to the ACS.
    7. Click System Configuration.
    8. Click Appliance Upgrade Status.
    9. Click Download.
    10. Enter the upgrade server IP address, then click Connect.
    11. You will see the patch you are trying to install.  Click Download Now.
    12. Click Download again.
    13. Click Apply Upgrade.
    14. Click Upgrade again.
    15. Click Yes.
    16. Click Yes.
    17. Click Done.
    18. On the upgrade server, click 'Stop Distribution Server'.

    In order to stop csagent, go to System Configuration > Appliance Configuration (I think).

    P.S. Please open a TAC case if you are not comfortable applying the patch.

    ~ BR
    Jatin kone

    * Do rate helpful posts *

  • ACS 5.4 VM upgrade: disk space warnings

    Upgraded to 5.4 last night and ran into several warnings regarding storage space.  Here is the specific message:

    Warning: [acsDiskSizeCheckUtil.sh] Patch of 1079 M size exceeds the quota allowed 1000 M. it will not prohibit hotfix installation process as long as there's enough disk space. Please note that this indicates that you should consider moving ACS to a superior machine of disk space

    I also note that the 5.5 upgrade documents say you need 500 GB or more available for the upgrade.

    The virtual machine was thin provisioned with a 512 GB drive and shows only 84 GB actually used, so a few questions.

    1. Is the underlying OS used by ACS smart enough for me to simply expand the capacity of the underlying virtual disk and have it recognize this new larger capacity?
    2. Are there any CLI commands in ACS that will let me view/manage the underlying disk capacity?
    3. The documentation says to increase the capacity by either "re-imaging" the VM or installing a totally new instance and restoring the backup from the original.  What exactly does Cisco mean by "re-imaging"?  Are they referring to storage vMotion, where I can change the disk during a migration?

    Thank you for your time.

    My comments:

     Is the underlying OS used by ACS smart enough for me to simply expand the capacity of the underlying virtual disk and have it recognize this new larger capacity

    -Unfortunately, the answer is 'no'. I tried to increase the capacity of a disk in ISE and ACS with root privileges, and both times it was a complete failure. Now maybe it was because of my low Linux skills but... in any case, the answer is really 'no'. If you want more disk space, you must re-create the ACS VM and then restore/re-build your config.

     Are there any CLI commands in ACS that will let me view/manage the underlying disk capacity?

    -Have you tried to display the records

     The documentation says to increase the capacity be either "re-imaging" the vm or installing a totally new instance and restoring the backup from the original. What exactly does Cisco mean by "re-imaging" ? Are they referring to storage vMotion where I can change the disk during a migration?

    -Related to question #1. Basically, you blow away the current VM and build a new one. Then you restore your configs.

    Thank you for rating helpful posts!

  • ACS 5.0 as RADIUS with ASA: interoperability issue?

    Hello

    I'm trying to get my VPN users authenticated with RADIUS (ACS 5.0), and the VPN user database is created in AD. Now when I try to connect through the Cisco VPN client, I am unable to do so. In fact, I get an error message (through debugging on the ASA for aaa and isakmp) that my RADIUS server is DOWN.

    Please let me know whether there is any compatibility issue with ACS 5.0, because everything was working fine on my ACS version 4.2.

    Regards

    Ritesh

    Ritesh,

    Yes, there is a defect in ACS 5.0 with VPN authentication.

    When you try to connect with the VPN client, you will not see any hits in the follow-up and the views.
    In the ASDM logs you'll see that the RADIUS server is not accessible.
    Debugs you show RADIUS period.
    This will work with TACACS.

    Access policy rule was does not. Also, could not use RADIUS as hit CSCsy17858

    http://cdetsweb-PRD.Cisco.com/apps/goto?identifier=CSCsy17858 Used TACACS+ instead of RADIUS.

    If you want to use RADIUS, then you need to upgrade your version of ACS to 5.1.

    You can download patch 9 (5-0-0-21 - 9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg) from the path below:

    Go to Cisco.com > support > download software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software 5.0.0.21 >

    Reference: upgrading ACS from version 5.0 to 5.1:
    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.html

    HTH

    Kind regards

    JK

    Do rate helpful posts-

  • ACS upgrade issue

    I'm about to upgrade two ACS servers and I have a few questions. Both servers are running 4.0.27 and I'll go to the latest revision. I have all the files and the necessary appropriate "patches" in light of all that I read in the release notes. My questions are:

    1. as long as I have move away a ACS work, is it one problem to another for the upgrade down?

    2. Will all the current server certificates that are installed stay, or will they be reused after the upgrade?

    3. The current certificate is issued by an IAS server and will expire soon. What is the procedure for me to apply the new certificate?

    Thanx, Seth

    Go ahead and take a look at this:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/Sau.html#wp373226

  • ACS 5.1 issues

    Experts,

    Need quick answers to questions related to ACS 5.1 for a customer. I haven't used ACS 5.1 yet, so bear with the easy questions.

    (1) Is it possible to generate a report of users who have been inactive for 30 days? The customer is looking for these users to see if they really need access to any checking device.

    (2) Are there any known issues with assigning privilege levels to users? In the customer's current implementation, users always log in at priv 1 even if they are assigned priv level 5. I understand that with ACS 4.x we can enable exec and assign priv under the user/group policy. What configuration might the customer possibly be missing in this case?

    (3) Is there any SNMP or other notification available in ACS 5.1 whereby the admin can be notified when a particular set of users logs in?

    Thank you

    Hello

    Please find answers inline:

    (1) Is it possible to generate a report of users who have been inactive for 30 days?  The customer is looking for these users to see if they really need access to any checking device.

    [ANS] You can generate user reports using several criteria, including reports for the last 30 days:

    (2) Are there any known issues with assigning privilege levels to users? In the customer's current implementation, users always log in at priv 1 even if they are assigned priv level 5. I understand that with ACS 4.x we can enable exec and assign priv under the user/group policy. What configuration might the customer possibly be missing in this case?

    [ANS] You can do exactly the same implementation in ACS 5.x. Just create authorization profiles to apply to users who authenticate successfully.

    (3) Is there any SNMP or other notification available in ACS 5.1 whereby the admin can be notified when a particular set of users logs in?

    [ANS] You can create "Alarms" which will send an e-mail notification or notify a syslog server:

    Monitoring and reports > ... > Alarms > Thresholds > Add

    HTH,
    Tiago

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • ACS server installation issues

    I have a remote site customer that is in the process of replacing their ACS servers, and have several questions:

    1) What version should we be installing?

    2) Where can we get a clean binary installer (or do we have to start with 3.x or 4.0 & upgrade; if upgrade, can we use the latest patch installer, or do we have to apply successive patches?)

    3) Cross-version replication? Current servers have Release 4.1(1) Build 23 Patch 5; do these need to be upgraded to the current version, or can we install the latest & replicate from current?

    4) Is it possible to use a different DNS name (ex. rtpacs.corpnet2.com) for the website than the server's 'real' name (ex. us2sawn00232.us1auth.xxxx.com)?

    5) How to use a GSK-signed cert? Have tried previously & failed; anything special here?

    Thanks for any help you can give.

    RO

    Hi Richard,

    For your replication queries: the ACS servers should be the same version; only then can you replicate between the ACS partners. So that answers your first and third queries.

    For your fourth query, you can use the DNS server to host your web servers: when users access your web site, the traffic will land on your DNS server, which will redirect it to the origin server, so the DNS server should be the authoritative server for your web site.

    For a clean binary installer I would say check out this link http://openacs.org/forums/message-view?message_id=1245671 I hope this helps.

    If useful, rate valuable posts.

    Regards

    Ganesh.H

  • ACS 4.1 remote password change issue

    I need assistance with getting remote password changes working. The user gets challenged to change his password and confirm the new password, but then fails to connect to the switch. I check the ACS and it says that his account is expired. I use transport input ssh on the vty lines; I don't know if this is the problem?

    Help, please!

    SSH password aging, unique password change etc are supported by bug CSCin91851.

    The fix is included in version 12.4(10.01)T.

    http://www.Cisco.com/cgi-bin/support/Bugtool/onebug.pl?BugID=CSCin91851&Submit=search

    Kind regards

    ~ JG

    Do rate helpful posts

  • ACS 4.1 evaluation issues

    I have problems with the ACS 4.1 on a Windows 2003 SP1 / SP2 server.

    I can't add additional administrators to connect to the ACS. Error code in Internet Explorer: "error on page". I tried other machines, the problem remains the same...

    Also, after a few seconds (30), the session hangs and I have to reconnect back... Error: "cannot display page". Is this a known problem and what can I do about it?

    Thank you

    Remco

    First of all, make sure that you have Sun Java JRE 1.4.2_04 installed on the system with the browser. It is documented at:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/installation/guide/Windows/install.html

  • ACS 5.6.0.22 TACACS authentication issue

    Consider this scenario: the Active Directory server is down or is not available.

    ACS is configured with both AD and Local users.  When AD is online, I can use a Local account or an AD account for RADIUS authentication.  When AD is unavailable, I get the error "24444 Active Directory operation failed because of an error that is not specified in ACS" when trying to use the Local account. (Of course I expect not to be able to use an AD account.)

    Is this as expected? Or is there an error in the configuration at hand?

    Hi Richard,

    When AD is offline, you should still be able to use your account if you select the option 'Continue to next identity store in the sequence' under 'Advanced Options' of the identity store sequence that you created:

    Section "Users and Identity Stores > Identity Store Sequences > Edit":

    Advanced Options

    If access to the current identity store fails:

    Break sequence
    * Continue to next identity store in the sequence

    Note: Please mark as answer as appropriate

  • ACS Windows Agent issue

    Hello

    We have just upgraded our ACS 3.3 to the latest version without problem. I created the Remote Agent on ACS, but when I install the Agent on the Windows 2003 Server I get "could not initialize variables". Anyone? Thank you.

    John

    John,

    -Log on to the computer as Local Administrator, preferably 'administrator', and then try to uninstall the Remote Agent & install it back. Log on locally to the box and install the RA.

    -If the above does not work, you may need to manually uninstall the Remote Agent. After uninstalling, you can try to reinstall the latest version of the Remote Agent.

    somishra

  • ACS 4.2 Remote agent compatibility issues.

    I did a little reading on the compatibility of the ACS 4.2 remote agent with Windows 2008 R2, and it seems that the only way out is to upgrade the ACS to 5.2. We have Cisco ACS 4.2 SE, and I would like someone to confirm what happens if I install the remote agent on a Windows 2003 member server rather than on the 2008 R2 domain controller. Will such a scenario work?

    Comments are appreciated.

    Regards

    Yes, there is a bug documented with this information, CSCtg37183:

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtg37183

    Excerpt from the previous link:

    ACS 4.x does not support Server 2008 R2 for AD.

    Symptom:

    ACS 4.x does not support authentication to a back-end Server 2008 R2 Active Directory.

    Conditions:

    ACS 4.x
    Windows Server 2008 R2 installed on the domain controller
    ACS or remote agent installed on a member server in the environment (even if the Server 2003/2008)

    Workaround:

    Install the ACS or the Remote Agent on a 2003/2008 domain controller

    Cisco does not support this scenario because sometimes it works well and other times it doesn't work at all, and nobody wants an unstable network, right? Unfortunately the workaround doesn't help much. Although there is an ACS 5.2 trial version that you can test, let me know if I can get you the links.

  • ACS 5.1 - TACACS+ issue with 'network access' access services

    Hello all

    Can someone explain why TACACS+ cannot be used with the network access services?

    I know that TACACS is mainly intended for command authorization, but as I remember, with ACS 4.2 it is possible. For example, for the purpose of PPP.

    THX and regards

    Przemek

    TACACS+ requests can only be handled by access services with the Service Type 'Device Administration'.

    If the type is NetworkAccess, it will fail. Please check the Service Type defined for the Access Service 'VPM-access'.

  • Cisco ACS authentication issues

    Hi all

    I have just set up my ACS for Windows Server. It runs version 4.1 software. I have problems with authentication. I have it set up in the ACS GUI to use TACACS to authenticate the AAA clients. I have the key on the switch and the matching key on the ACS server. I have users set up. Here's my AAA config on the switch...

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable

    Here is the debugging information for TACACS

    183757: Sep 2 10:14:22.131 edt: TAC+: send AUTHEN/START packet ver=192 id=2789804961
    183758: Sep 2 10:14:22.131 edt: TAC+: Using default tacacs server-group "tacacs+" list.
    183759: Sep 2 10:14:22.131 edt: TAC+: Opening TCP/IP to 10.11.8.200/49 timeout=5
    183760: Sep 2 10:14:22.135 edt: TAC+: Opened TCP/IP handle 0x80E767B8 to 10.11.8.200/49
    183761: Sep 2 10:14:22.135 edt: TAC+: 10.11.8.200 (2789804961) AUTHEN/START/LOGIN/ASCII queued
    183762: Sep 2 10:14:22.335 edt: TAC+: (2789804961) AUTHEN/START/LOGIN/ASCII processed
    183763: Sep 2 10:14:22.335 edt: TAC+: received bad AUTHEN packet: length = 6, expected 128683
    WC2950-12#
    183764: Sep 2 10:14:22.335 edt: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
    183765: Sep 2 10:14:22.335 edt: TAC+: Closing TCP/IP 0x80E767B8 connection to 10.11.8.200/49
    183766: Sep 2 10:14:22.339 edt: TAC+: Using default tacacs server-group "tacacs+" list.
    183767: Sep 2 10:14:22.339 edt: SSH1: password authentication failed for wcromwell

    I have the same keys on the AAA server as I do on my switch...

    Thank you

    Please check the secret key of the NDG and of the main AAA clients. The NDG overrides the main AAA clients.

    Make sure you have the right key in NDG >

    Kind regards

    ~ JG

    Do rate helpful posts
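
The length mismatch in the debug output above (length 6, expected 128683) is what a TACACS+ client computes when it decodes a reply with a different shared secret than the server used. The following is an added example, not code from the thread or from Cisco: it implements the RFC 8907 body obfuscation and the client-side length check for a 6-byte authentication reply. Both keys are constructed placeholders; only the session id and version are taken from the debug lines.

```python
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01          # packet type: authentication
STATUS_GETPASS = 0x05           # server asks the client for a password
REPLY_FLAG_NOECHO = 0x01
REPLY_FIXED_LEN = 6             # status, flags, server_msg_len, data_len

# Constructed sample values; only the session id and version come from the
# debug output in the thread (id = 2789804961, version 192 = 0xC0).
SESSION_ID = 2789804961
VERSION = 0xC0
SERVER_KEY = b"constructed-ndg-key"
DEVICE_KEY = b"constructed-switch-key"


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 pad: MD5 chain over session_id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation and de-obfuscation are the same XOR with the pad."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_getpass_reply(key, session_id=SESSION_ID, version=VERSION, seq_no=2):
    """Server side: a 6-byte authentication REPLY with no message or data."""
    body = struct.pack("!BBHH", STATUS_GETPASS, REPLY_FLAG_NOECHO, 0, 0)
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + xor_body(body, session_id, key, version, seq_no)


def check_reply(packet, key):
    """Device side: decode with the local key and sanity-check the lengths."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:12])
    body = xor_body(packet[12:12 + length], session_id, key, version, seq_no)
    _status, _rflags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    expected = REPLY_FIXED_LEN + msg_len + data_len
    return {"length": length, "expected": expected,
            "keys_plausibly_match": expected == length}


if __name__ == "__main__":
    reply = build_getpass_reply(SERVER_KEY)
    print("same key :", check_reply(reply, SERVER_KEY))
    print("wrong key:", check_reply(reply, DEVICE_KEY))
```

With the wrong key the two decoded length fields are effectively random, so the "expected" value lands anywhere up to 131076 while the header still says 6, which is the pattern in the debug line.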

  • ACS 5.3 AD integration issues

    Hi all

    We have two ACS 5.3 appliances in sync mode with some local users, groups, devices, etc. I need to join the ACS service to Active Directory. I have a few questions; can you help me please?

    (1) We have a parent domain and three child domains. I need clients of all three child domains to be able to authenticate on ACS; should I make ACS a member of the parent domain, or is it possible to join one ACS to three child domains?

    (2) Will joining ACS to AD affect the current (local) configuration? Will local users somehow lose access to certain devices, or will devices disappear? What is a safe procedure?

    (3) Another small question: I can access the web user interface, but can't SSH (PuTTY) using the same credentials. Am I doing something wrong?

    Thank you!

    1) Join the parent domain and you can authenticate against parent and child.

    -The parent and the child have a default two-way trust, which is what is needed.

    (2) No, and that's for sure.

    (3) SSH creds differ from those of the web GUI.

    This is usually set when you install the ACS software.

    If you have forgotten it, perform a password recovery by using the DVD.

    Rate if useful :)

    Knowledge sharing makes you immortal.

    Kind regards

    Ed
