ACS issue 5.2
Hey all,.
I think it's a fairly straightforward issue of ACS. We are looking to set up a new installation of ACS5.2, and it was a question of whether or not we can use administrative accounts internal ACS (System---> accounts Administration) for you to connect to our network infrastructure devices.
I've been looking through the documentation, but I have not found a way to do this, and I'm not sure if this is done for security, IE, separate account / group depending on what you are trying to administer or if Miss me just something obvious...
Thank you-
Jon
Not the system administration account is used for authentication of the user interface of acs.
Sent by Cisco Support technique Android app
Tags: Cisco Security
Similar Questions
-
ACS issues update 4.2 to 4.2.1
I have been instructed to upgrade our four ACS servers of
4.2.1.15 to the latest version. ACS servers are
the applianced basis. I went through the software download page
from cisco.com and we found this file:
cumulative (ACS SE 4.2.1.15.11 app/Acs_4.2.1.15.11.zip
patch).
Can anyone confirm if it is the download of the file more later/better
the latest version 4.2 of material according to Cisco Secure ACS?
For those who have upgraded to the latest version, you can
Comment on your experience with the process of upgrading or
ACS performance after upgrade? Any questions/warnings on the
process or performance after upgrade?
Thanks in advance for any useful information that you can
predict this?
Adil
I don't see installation step by step of the fix documented somewhere because the same by applying the upgrade and simple too. Here are the steps you need to perform.
1. download the zip file patch for any PC which we will call the server upgrade or the distribution server.
2 unzip the patch
3. run autorun.bat (you will see a window ACS appliance update and it remains in the background.
You will also see an another IE window lauch which you gives a place to put the host name or IP address of the device)
4. Enter the name of host or IP address of the device and click on install.
5. This will bring to the opening window of session for the ACS unit.
6 log in to the TAS
7. click on System Configuration
8. click on upgrade the device status
9. click on download
10 enter the upgrade server IP address, then click on connect
11. you will see the patch you are trying to install. Click Download now
12. click on download it again.
13. click on apply the update
14. click on the upgrade again.
15. click on Yes
16. click on Yes.
17 click done.
18. on the upgrade server, click 'stop the Distribution Server '.
In order to stop csagent, go to system configuration > configuration of the device (I think)
P.S. Please open a TAC case if you are not comfortable in the application of the hotfix.
~ BR
Jatin kone* Does the rate of useful messages *.
-
Updated VM of ACS 5.4 a space issue warnings
Updated to 5.4 last night and ran into several caveats regarding the storage space. Here are the specific message:
Warning: [acsDiskSizeCheckUtil.sh] Patch of 1079 M size exceeds the quota allowed 1000 M. it will not prohibit hotfix installation process as long as there's enough disk space. Please note that this indicates that you should consider moving ACS to a superior machine of disk space
I note also that records 5.5 upgrade to do you have 500GB or more available for the upgrade.
The virtual machine was thin supplied with 512 GB drive and shows only 84 GB actually used, so a few questions.
- Is the underlying operating system used by ACS smart enough for me to simply increase the underlying capacity of the virtual disk and do recognizes this new capacity?
- Are there of the CLI commands in ACS that will allow me to see/manage the underlying disk capacity?
- The documentation says to increase the ability to be either "redefining" the virtual machine or install a completely new instance and restore the backup of the original. What exactly does Cisco means "re-Imaging"? They refer to storage vMotion, where can I change the disk during a migration?
Thank you for all time.
My comments:
Is the underlying OS used by ACS smart enough for me to simply expand the capacity of the underlying virtual disk and have it recognize this new larger capacity
-Unfortunately, the answer is 'No' I tried to increase the capacity of a disc in ISE and ACS with root privileges and both times have been a complete failure. Now maybe it was because of my low Linux skills but... in any case, the answer is really 'no' If you want that more disk space you must re-create the VM of the CSA and then restore/re-build your config
Are there any CLI commands in ACS that will let me view/manage the underlying disk capacity?
-Have you tried to display the records
The documentation says to increase the capacity be either "re-imaging" the vm or installing a totally new instance and restoring the backup from the original. What exactly does Cisco mean by "re-imaging" ? Are they referring to storage vMotion where I can change the disk during a migration?
-Related to the #1 issue. Basically, you blow the current VM and build a new one. Then you restore your configs.
Thank you for evaluating useful messages!
-
Issue of operability of the ACS as RADIUS with ASA 5.0?
Hello
I'm trying my VPN to get authenticated user with RADIUS (ACS 5.0). and VPN users database is created in AD. Now when I am trying to connect through the Cisco VPN client, I am unable to do so. Infact, I get an error message (through debugging at the level of the SAA for aaa and isakmp) my RADIUS server is DOWN.
Please let me know is there any compatibility issue with ACS 5.0 on it because everything was working fine on my version 4.2 of the ACS.
Concerning
Ritesh
Ritesh,
Yes, there is a lack of ACS 5.0 with vpn authentication.
When you try to connect with the VPN client. you will not see any hits in the follow-up and the views.
The ASDM logs: you'll see radius server is not accessible.
Debugs you show RADIUS period.
This will work with Ganymede.Access policy rule was does not. Also, could not use RADIUS as hit CSCsy17858
http://cdetsweb-PRD.Cisco.com/apps/goto?identifier=CSCsy17858>; Used Ganymede + instead of RADIUS.
If you want to use the RADIUS then you need to upgrade your version of acs to 5.1
You can down load patch 9 (5-0-0-21 - 9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg) from the below path:
Go to Cisco.com > support > download software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software 5.0.0.21 >
Reference: update of the CSA since version 5.0 to 5.1:
http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.htmlHTH
Kind regards
JK
The rate of useful messages-
-
I'm about to upgrade the ACS servers two and I have a few questions. Both servers are running 4.0.27 and I'll take the last revision. I have all the files and the necessary appropriate "patches" in light of all that I read in the release notes. My questions are:
1. as long as I have move away a GBA work, is it one problem to another for the upgrade down?
2. is it all current server certificates that are installed stay or will they be reused after the upgrade?
3. the current certificate is issued by an IAS server and will expire soon. What is the procedure for me to apply the new certificate?
Thanx, Seth
Go ahead and take a look at this:
-
Experts of the Association,
Need quick answers to issues related to GBA 5.1 for a customer. I haven't used the ACS5.1 still so watch out for the easy questions
(1) is it possible to generate the report for users who are inactive for 30 days? Customer looking for these users to see if they really need access to any checking device.
(2) are there any known issues affecting the level of priviligaes users. In the current implementation of that client users are always connected in 1 even private if they are affecting the 5 private level. I understand with ACS 4.x, we can activate the exec process and assign priv under user/group policy. What are the configurations that the client might be missing in this case possiby?
(3) are there any SNMP or other available in 5.1 ACS notice where admin can be notified at the time where a set of particulat user connects.
Thank you
Hello
Please find answers inline:
(1) is it possible to generate the report for users who are inactive for 30 days? Customer looking for these users to see if they really need access to any checking device.
[YEARS] You can generate reports of user using several elements, including reports for the last 30 days:
(2) are there any known issues affecting the level of priviligaes users. In the current implementation of that client users are always connected in 1 even private if they are affecting the 5 private level. I understand with ACS 4.x, we can activate the exec process and assign priv under user/group policy. What are the configurations that the client might be missing in this case possiby?
[YEARS] You can do exactly the same implementation GBA 5.x. just create permission authenticate profiles to apply to users with success.
(3) are there any SNMP or other available in 5.1 ACS notice where admin can be notified at the time where a set of particulat user connects.
[YEARS] You can create "Alarms" which will send an e-mail notification or a syslog server:
Monitoring and reports > ... > Alarms > Thresholds > Add HTH,
Tiago--
If this helps you or answers to your question if it you please mark it as 'responded' or write it down, if other users can easily find it.
-
ACS server installation issues
I have a client of the remote site that is replacing their ACS servers and several questions:
(1) what version we should be installed?
(2) where we can get a clean binary installer (or do you start with 3.x or 4.0 & upgrade-if upgrade, use us the latest hotfix installer, or do we apply successive patches?)
(3) replication between versions? Current servers have version 4.1 (1) build 23 Patch 5-do these need to be upgraded to the current version, or can move us later & replicate current?
(4) is it possible to use different DNS (ex rtpacs.corpnet2.com) name for the site of 'real' server name (e.g. us2sawn00232.us1auth.xxxx.com)?
(5) how to use GSK signed cert? Have previously tried & failed - something special here?
Thanks for any help you can give.
RO
I have a remote site customer that is in the process of replacing their ACS servers,and have several questions:
1) What version should we be installing?
2) Where can we get a clean binary installer (or do we have to start with 3.x or 4.0 & upgrade-if upgrade, can we use latest patch installer, or do we have to apply successive patches?)
3) Cross-version replication? Current servers have Release 4.1(1) Build 23 Patch 5-do these need to be upgraded to current version, or can we install latest & replicate from current?
4) Is it possible to use different DNS name (ex rtpacs.corpnet2.com) for website than server's 'real' name (ex. us2sawn00232.us1auth.xxxx.com)?
5) How to use GSK-signed cert? Have tried previously & failed-anything special here?
Thanks for any help you can give.
RO
Hi Richard,
For your queries for replication ACS should be the same version, only then you can replicate between the ACS patner, if you have the same version, so your first and third query got the answer.
For your fourth query, you can use the DNS server to host your web servers as when the user access the traffic of your web site will land in your DNS server where it will redirect to the origin server so that the DNS server should be authority server for your Web site.
For a binary installation clear I would say check out this link http://openacs.org/forums/message-view?message_id=1245671 I hope this helps.
So useful note valauable post.
Concerning
Ganesh.H
-
ACS remote 4.1 change password issued.
I need assistance with obtaining changes remote working password. The user gets challenged to change his password and confirm the new password, but it fails to connect to the switch. I check the ACS and he says that his account is expired. I use ssh entry transport on the vty lines I don't know if this is the problem?
Help, please!
SSH password aging, unique password change etc are supported by bug CSCin91851.
The fix is included in the version 12.4 (10.01) T.
http://www.Cisco.com/cgi-bin/support/Bugtool/onebug.pl?BugID=CSCin91851&SUBM
He = search
Kind regards
~ JG
Note the useful messages
-
ACS 4.1 evaluation issues
I have problems with the ACS 4.1 on a Windows 2003 SP1 / SP2 server.
I can't add additional administrators to connect to the ACS. Error code in Internet Explorer: "error on page". I tried other machines, the problem remains the same...
Also, after a few seconds (30), the session hangs and I have to reconnect back... Error: "cannot display page". Is this a known problem and what can I do about it?
Thank you
Remco
First of all, make sure that you have JAVA Sun JRE 1.4.2_04 installed on the system with the browser. It is documented at:
-
ACS 5.6.0.22 GANYMEDE authentication issue
According to this scenario: Active Directory server does not or is not available.
ACS is configured with both AD and Local users. When the ad is online, I can use a Local account for the RADIUS authentication or AD account. When the ad is unavailable I get error: 24444 Active Directory operation failed because of an error that is not specified in ACS, trying to use the Local account. (Of course I expect is not able to use an AD account)
Is this as expected? or is there an error in the configuration at hand?
Hi Richard,
Announcement is offline, in the case you should still be able to use your account if you select the option to 'Continue to next identity store in the sequence', on the 'advanced options' on the 'sequence to store identity' that you created:
Section "users and identity stores > identity store sequences > Edit:
Advanced optionsIf the current identity store access does notBreak sequence* Continue to next in the sequence identity storeNote: Please mark as answer as appropriate
-
Hello
Just, we have improved our 3.3. ACS to the latest version without problem. I created the Remote Agent on GBA, but we I install the Agent on the Windows 2003 Server I get "could not initialize variables. Anyone? Thank you.
John
John,
-Log on to the computer as long as Local Administrator, preferably 'administrator' and then try to uninstall the Remote Agent & try and install back. Log on locally to the box and install the AR.
-If above does not work, you may need to manually uninstall the Remote Agent. After uninstalling, you can try to reinstall the latest version of the remote agent.
somishra
-
ACS 4.2 Remote agent compatibility issues.
I did a little reading on the compatibility of remote ACS 4.2 with Windows 2008 R2 agent, and it seems that the only way out is to upgrade the ACS to 5.2. We have Cisco ACS 4.2 SE and I would like someone to confirm that I have installed what happens if the remote agent on a Windows 2003 server of Member rather than the 2008 R2 domain controller. Such a scenario will work?
Comments are appreciated.
Concerning
Yes, here's what a bug documented with this CSCtg37183 information:
Excerpt from the previous link:
ACS 4.x does not support the Server 2008 R2 to AD. Symptom:
ACS 4.x does not support authentication to a back-end Server 2008 R2 Active Directory.
Conditions:
ACS 4.x
Windows Server 2008 R2 installed on the domain controller
ACS or remote agent installed on a member server in the environment (even if the Server 2003/2008)Workaround solution:
Install the ACS or the Remote Agent on a domain controller 2003/2008
Cisco does not support this scenario because sometimes work well other doesn't work at all, so nobody wants an unstable network right, unfortunately workaround doesn't help much. Although there is an ACS 5.2 trial version that you can test, let me know if I can get you the links.
-
ACS 5.1 - Ganymede + issue witch 'network access' access services
Hello world
can someone explain why Ganymede + cannot be used with the network access services?
I know that Ganymede is mainly intended command authorization, but as I remember with ACS 4.2 it is possible. For example for the purpose of PPP.
THX and regards
Przemek
GANYMEDE + applications cannot be managed by access with the Service Type «Peripheral Administration» services
If the type is NetworkAccess, it will fail. Please check the Service Type defined for the Access Service 'VPM-access '.
-
Cisco ACS authentication issues
Hi all
I have just set up my ACS for Windows Server. It runs version 4.1 software. I have problems for authentication. I have my setup in the GUI of the ACS use Ganymede to authenticate the AAA Clients. I have the key in the switch and the corresponding keys to ACS server. I have facility users. Here's my config AAA on the switch...
AAA new-model
AAA authentication login default group Ganymede + local
the AAA authentication enable default group Ganymede + activate
Here is the information of debugging on Ganymede
183757: 2 sep 10:14:22.131 edt: TAC +: send worm package AUTHENTIC/START = 192 id = 2789804961
183758: 2 sep 10:14:22.131 edt: TAC +: using Ganymede server-group "Ganymede +" list by default.
183759: 2 sep 10:14:22.131 edt: TAC +: opening TCP/IP 10.11.8.200/49 Timeout = 5
183760: 2 sep 10:14:22.135 edt: TAC +: handle opened TCP/IP 0x80E767B8 to 10.11.8.200/49
183761: 2 sep 10:14:22.135 edt: TAC +: 10.11.8.200 (2789804961) AUTHENTIC/START/CONNECTION/ASCII queued
183762: 2 sep 10:14:22.335 edt: TAC +: (2789804961) AUTHENTIC/START/CONNECTION/ASCII processed
183763: 2 sep 10:14:22.335 edt: TAC +: received bad AUTHENTIC package: length = 6 expected 128683
WC2950-12 #.
183764: 2 sep 10:14:22.335 edt: TAC +: invalid package AUTHENTIC/START/CONNECTION/ASCII (control keys).
183765: 2 sep 10:14:22.335 edt: TAC +: connection TCP/IP closing 0x80E767B8 to 10.11.8.200/49
183766: 2 sep 10:14:22.339 edt: TAC +: using Ganymede server-group "Ganymede +" list by default.
183767: 2 sep 10:14:22.339 edt: SSH1: password for wcromwell authentication failure
I have the same keys on the AAA server as I do on my switch...
Thank you
Please check the secret key of NDG and main aaa clients. NDG substitute main aaa clients.
Make sure you have the right key in NDG >
Kind regards
~ JG
Note the useful messages
-
ACS 5.3 AD integration issues
Hi all
We have two devices ACS 5.3 in mode synchro with some local users, groups, devices, etc. I need to join the ACS service to Active Directory. I have a few questions, you can help me please?
(1) we have a Parent domain and three child domians, I need customer of all areas of three children to be able to authenticate on ACS, should I become a member of the ACS in the parent domain, or is it possible to connect a GBA to three child domains?
(2) will join ACS announcement affect the current configuration (local), somehow local users will lose access to certain devices or devices will disappear? What is a safe procedure?
(3) another small question, I can access the WEB user interface, but can't SSH (putty) by using the same credentials, I'm doing something wrong?
Thank you!
1) join the parent domain and you can authenticate you of parent and child.
-The parent and the child have default two-way trust, which is what is needed.
(2) No, and that's for sure.
(3) SSH creds differ from those of the web GUI.
This is usually set when you install the ACS software.
If you have forgotten it, perform a recovery password by using the DVD.
Rate if useful :)
Knowledge sharing makes you immortal.
Kind regards
Ed
Maybe you are looking for
-
Extremely slow on my Satellite Z930 - 15 X
Hello Here is my problem (sorry for my English): I have a Toshiba Satellite Z930 15 X. For several weeks, it is very very slow. If eco or normal mode, it is still slower than the eco mode. * Even without running any program *. When I look at the Task
-
Satellite M40-184 MP3 without OS
Hello I have laptop Satellite M40-184 and I would like to ask you, how to play MP3 on this laptop without OS for long time as possible. I installed the program of express Media Player, but it is not possible to play MP3 with it. Or y at - it an upgra
-
Since the upgrade to iOS 9.0.1 or later I couldn't get iCloud to work properly. For example, I can use is no longer Apple pay. Whenever I have it try appears saying that I need to login to iCloud. I try and it fails (Yes, the password is right). In a
-
is there a free program that set errors and freezes by microsoft
Is there a free program from microsoft that fix mistakes and freeze?
-
Save disabled for no use of original reson.cannot product key activate why?
No hardware changes, except delete and reinstall the memory