ACS Setup using CSACS-1121-K9

I have the following query in reference to the ACS configuration:

1 - the advantages or disadvantages of ACS - 5.4 VM vs use

2. can we have instance ACS - 5.4 VM configured as main and ACS unit as secondary

Hey,

1 - a virtual machine performance is slower than on a real device from 1120 because of the overload of the virtual machine. A virtual machine performance increases when you increase the CPU resources.

http://www.Cisco.com/c/en/us/TD/docs/net_mgmt/cisco_secure_access_contro...

VM are built into your existing infrastructure of the vm.

No additional hardware.

Revival of the virtual machine is easy.

2 - Yes

Rate if useful :)

Knowledge sharing makes you immortal.

Kind regards

Ed

Tags: Cisco Security

Similar Questions

  • Grouping of cards NETWORK CSACS-1121

    Hello

    Is it possible to configure a NIC team on the 1121 device?

    Kind regards

    Average of Thibault.

    Hi Thibault,

    the second NETWORK adapter on the GBA unit is actually not supported, you will need to connect ACS only using the interface GigabitEthernet0:

    On the installation guide:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_hw_ins.html#wp1119105

    You can also see that the only interface "in use" is indeed GigabitEthernet0.

    I hope this helps.

    Kind regards

    Federico

    --

    If this answers your question please mark the question as "answered" and write it down, so other users can easily find it.

  • reinstallation of the server Cisco ACS CSACS-1121

    How can I reinstall the ACS server? This is the new installation, after installation is complete it may not work properly

    ACS / admin # acs reset-config

    Stub library could not be opened

    libCARSAcsCtrlCli.so: cannot open shared object file: no such file or directory *.

    ACS / admin # display the version of the acs application

    % Error finding application version information: acs

    ACS / admin # display application

             

    blank screen

    How can I reinstall it?

    Hello

    If you have the ACS 1121 device, you'll need the DVD to reinstall the recovery software is available from the Cisco page:

    Download software > Products > Security > identity management > Cisco Secure Access Control System > Cisco Secure Access Control System 5.3

    It is the name of the file:

    ACS_v5.3.0.40.ISO

    Here are the instructions for resettlement or reimage:

    http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_system/5.3/installation/guide/csacs_ins.html#wp1101132

    The 'acs reset-config' command removes only the configuration of the ACS GUI, but it does not reinstall the software.

    Rate if this can help!

  • ACS Auth: Use of group data for the authentication of the user-> security problem?

    I'm only using a VPN-installation (router, ACS, Cisco VPN Client) and I noticed that the name of the Group and the Group decrypted password can also be used in the second step of the authentication (the extent of authentication or authentication of users), which is a big security concern. What is wrong with my setup?

    For the test I have set up a VPN configuration as described in cisco documents. Here, it also works. The identification information of the Working Group in the authentication of the user, too, which is quite logical, because the group credentials are also a user in the database of GBA. Of course, this user can be authenticated in the user authentication process.

    Who is wrong? How other admins to solve this problem? Am I wrong in my approach?

    Thank you!

    Yes, permission will have password for "cisco", at least for isakmp and pki. The group will send its name and password Cisco to receive the av pairs (ASA has a function to create a "good word of different past" but he's not here on IOS, AFAIR)

    It is a restriction known - you should not use the same server for authentication and authorization, with IOS and ASA.

    Did you give this property (either / or):

    - local isakmp authorization

    - authentication certificate (Group)

    - sharing features for authentication and authorization between servers.

    I don't think we can do much wise configuration to prohibit this behavior.

    Edit: spelling correction.

  • Error messages HP 8600 Officejet Premium network folder Setup using Mac OS x 10.6.8 - HELP!

    I'll implement the Officejet HP8600 premium and I'll have hard set Setup of network for the folder. I'm following the steps, but to continue to get the message, it is an invalid part when you enter the IP address MacBook Pro. If I remove the IP address and then enter the name, I get a connection failure message. Is someone can you please help me understand this?

    I'm upgrading from HP8500 predecessor to the successor. Unfortunately I had problems with the network folder using the 8500 after I've had it for 2 years and HP suggested to upgrade to the newer model.

    HP Officejet Pro 8600 Plus e - AiO Printer N911g model CM750A

    Operating system: MAC OS x 10.6.8

    Hello

    Please try following the steps below and let me know if this is useful:

    1. Create a new folder on the desktop.
    2. Right click (or CTRL + left click on the Mac keyboard) the folder and select information.
    3. Under sharing & permissions, verify that your user name is listed with writing & privileges.
    4. Click the Apple icon, and then click System Preferences.
    5. Click sharing,
    6. Check and select the file sharing service.
    7. Under shared folders, click the plus sign and select the folder.
    8. Under users, select your user name as read & write. If your username is not listed, click the plus sign and Add.
    9. Click the Options button.
    10. Check the option to share files and folders using SMB (Windows) .
    11. Check your username as on.
    12. Open Safari and click on the bookmark icon.
    13. In the left pane, click Hello and double-click the name of the printer.
    14. Under the configuration section, click Fax to Email/Network (for Fax) folder or configuration of a network (for scanning) folder. confirm an alert.
    15. Follow the steps by providing the user name and password for your Mac OS user.
    16. Fill the Network path as \\IP Address\Sharename (the name of the folder).
      Note: You can find the IP address of the Mac by clicking the Airport icon and then open network preferences.
      The IP address is listed under Ethernet (wired) or Airport (wireless), depending on your Mac connection.
    17. After completing the wizard by your needs click on Save and test.

    Please let me know of any changes,

    Shlomi

  • Setup using LV Runtime Engine 2010 build error

    I had an executable and installer work which was built in LV2009.  Since then, I changed my source code and registered as LV version 2010.  I have rebuilt the executable, but when I tried to run it on the target computer, I got an error message saying that it had LV Runtime Engine 2010.  So I tried to rebuild the installer using LV Runtime Engine 2010 as an extra Installer.  However, this version was missed and I got a long error msg that I don't understand (see attached).

    Thanks in advance.

    See this knowledge base article . There are a few possible solutions listed.  Let us know if these don't work.

    Error code - 12 creating an installer of LabVIEW or LabVIEW SDK installation.

    http://digital.NI.com/public.nsf/allkb/afc375154efbd6ae8625760b005fb723

  • Windows didn't start because the following file is missing or corrupt: __\WINDOWS\SYSTEM32\CONFIG\SYSTEM___YOU CAN ATTEMPT to REPAIR THIS FILE BY STARTING WINDOWS SETUP using THE ORIGINAL SETUP CD - ROM__SELECT 'r' in the first screen to start repair

    This problem is on my laptop and I can not further only the screen with the above opinion.  I don't have the original disc, since I received the laptop of my mother when she could no longer remember how to use it. I need a repair of xp, or all that it can be called and information how to fix this problem is driving nuts me to have a laptop that is faulty... Please help me.

    This problem happens almost daily.

    You can search the forums for discussions with similar problems (or the same problem) and peruse the threads where the result is a happy ending and examine everything first using these methods.  This will reduce the time to resolution and frustration.

    Something like this example:

    http://social.answers.Microsoft.com/forums/en-us/XPRepair/thread/83d5c57f-9836-4f3a-bec8-04c7d81861d3/

    The question was preceded by a loss of power, aborted reboot or abnormal termination? (this includes pulling and buttons power)

    These can cause corruption in the file system that must be fixed before you do anything else.

    If none of these events occurred (or even if they have not taken place), you must verify the integrity of your file system before anything else (especially "try" things).

    Use the XP Recovery Console to check the file system on your HARD drive and fix the problems and then try to start your system - this may be all you need to do.  Or, you are welcome to just start trying things that might work.

    Boot into the Recovery Console Windows using an XP bootable installation CD.

    If you have no XP bootable media (or aren't sure you have) create a bootable XP Recovery CD of Console and do not forget.

    This is not the same as recovery disks that may have come to a store to purchase the system.

    You can make a bootable Recovery Console CD by downloading an ISO file and burn it to a CD.

    The ISO bootable image file you need to download is called:

    xp_rec_con.ISO

    Download the ISO from here:

    http://www.mediafire.com/?ueyyzfymmig

    Use a new CD and this simple and free program to burn your ISO file and create your bootable CD:

    http://www.ImgBurn.com/

    Here are some instructions for ImgBurn:

    http://Forum.ImgBurn.com/index.php?showtopic=61

    It would be a good idea to test your bootable CD on a computer running.

    You may need to adjust the computer BIOS settings to use the CD-ROM drive as the first device to boot instead of the hard drive.  These adjustments are made before Windows tries to load.  If you miss it, you will need to restart the system again.

    When you start on the CD, follow the instructions:

    Press any key to boot from CD...

    Installing Windows... going to pronounce.

    Press 'R' to enter the Recovery Console.

    Select the installation that you want to access (usually 1: C:\WINDOWS)

    You may be asked to enter the password (usually empty).

    You should be in the folder C:\WINDOWS.  It's the same as the

    C:\Windows folder that you see in Solution Explorer.

    The Recovery Console allows base as file commands: copy, rename, replace, delete, chkdsk, fixboot, fixmbr, cd, etc.

    For a list of the commands in the Recovery Console, type help at the command prompt.

    Start by checking the integrity of your file system by using the chkdsk command.

    In the command prompt window, run the chkdsk command on the drive where Windows is installed to try to fix any problems on the afflicted player.

    Running chkdsk is fine, even if he finds no problem.  It won't hurt anything to run it.

    Assuming your boot drive is C, run the following command:

    CHKDSK C: /r

    Let chkdsk finish to correct the problems, he could find.  It may take a long time for chkdsk complete or they seem to be "stuck".  Be patient.  If the HARD drive led blinks always, chkdsk is something.  Keep an eye on the amount of the percentage to be sure that it is still making progress.  It may even seem to go back sometime.

    You must run chkdsk/r again until it finds no error to correct.

    Remove the CD, and then type "exit" to exit the RC and restart the computer.

    You have not to set the BIOS to boot the disk HARD since the CD won't be.

    Do not guess what the problem might be - understand and resolve it. I need YOUR voice and the points for helpful answers and propose responses. I'm saving for a pony!

  • BB 8330 Email Setup used blackBerry smartphones

    I recently bought a used 8330. I'm trying to set up my email and it keeps telling me there is another account for this PIN...

    What to do now?

    Thank you in advance,

    K

    So you can call your provider and explain the situation, maybe they have exceptions, and they ask rim to release the pin number, be nice in the call.

  • using AD with ACS 5.3

    Hello guys,

    I joined my ACS unit to my AD domain and I want authentication via active directory.

    I already have a group of ads that I see, but I can just know where to specify that all applications must arrive at the AD. at least when I test, it does not work. for internal users, it works perfectly. I have to do this in the directory attributes box?

    I also want to set up strategies to access for some users. I do this on the ad or the GBA?

    Thanks in advance.

    Review the below listed link and see if this will meet your queries. In case you still have questions, please let us know.

    http://www.security-solutions.co.za/Cisco-csacs-1121-K9-5.2-configuration-example.html#_Toc299956260

    Kind regards

    Jousset

    The rate of useful messages-

  • Authorization of EAP - TLS machine uses ACS 5.2

    Hi all

    I've been struggling with this during a few days now and I think there must be something I'm not quite understand.

    We strive to deploy new wireless infrastructure using windows, APs from Motorola (with switches RFS) wireless clients and using a Cisco ACS as Radius Server 5.2.

    Trying to get EAP - TLS to work, I can get customers to connect if no actual authorization is used, but when I try to validate if the name of the computer in the client certificate belongs to a particular group, the authorization fails.  I don't see how to get the ACS to use the RADIUS "Username" it receives via the certificate allowing the machine.  The value of the Radius user name attribute is the name of the machine.  I would like the ACS to check to determine if this computer name belongs to a group, especially in the Windows AD.

    We started with PEAP-MSCHAPv2, but security wanted machine authorization so we thought that EAP - TLS was the only way to get it.  Now I'm not sure.

    I would like if someone can guide me in obtaining the ACS to validate if the computer belongs to a group in Active Directory using

    (1) EAP - TLS

    (2) PEAP-MSCHAPv2

    Thank you!

    Hello.

    Just check something here:

    You have in your policy, in terms of identity, AD1 (or certain Sequences of identity store with inside AD1) listed as Source of identity?

  • Machine based authentication using EAP - TLS, MS CA and 5.2 of the ACS

    I use ACS 4.2 for Windows for a couple of years now and I'm pretty comfortable with it.  5.2 model is much more different than what I expected.  We downloaded the trial in our laboratory for 90 days, and I try to get 802.1x wired works so we can be sure that we want to buy it.  I've looked everywhere and I have been unable to find some basic instructions on how to configure the following in a step by step process scenario:

    1. integrated AD

    2 EAP - TLS

    3 certificates

    4 Microsoft CA

    5. the applicant is XP SP 3

    6 non-Cisco 802.1x compatible switches (switches are not the question)

    I got GANYMEDE to work fairly easily, but I am confident the issues I have are user based :).  Does anyone know of a doc somewhere that goes on a scenario like this (in addition to the user manual and docs of migration ISBN)?  Also, we have the assurance of software on our box 4.2 - TAC support questions we have on the 5.2 box while we are it do demonstrations?

    Thanks in advance.

    Hello, Christopher.

    I'll try to give you some tips to achieve what you want.

    Additional info can be found in the user guide:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/acsuserguide.html

    1. in the identity store / Active directory, check "enable machine authentication.

    2 import a certificate for ACS

    Go to System Administration > Configuration > Local Server Certificates > Local certificates and click the Add button.

    Select how you want to import the certificate, and then verify the Protocol EAP

    3. Add your switches as aaa clients

    Access network resources > network hardware and the AAA Clients, click on create and add configure address IP + shared secret for the RADIUS.

    4-go to access policies > Access Services and click on create a new access service.

    Select the selected Type of Service and network access in the list.

    Verify the identity, group mapping and authorization

    5 - go to the access policies > rules of selection and select "Rule based selection result" if not already done, then click Customize at the bottom right of the screen, and then add the properties that allows you to match your device with which you want to do TLS.

    You can use the IP address of devices, or you can create a NDG (in network resources), assign devices to the NDG and match this NDG in your rule.

    If all your switches RADIUS will make eap - tls, you can change the rule

    Rule-1 Ray game Default network access

    While in the result, you choose your service of access created in step 3.

    6 - go to the access policies and click on the access service that you created in step 3. In the allowed Protocols tab, see EAP - TLS

    7. unfold your access service menu, and then click identity. Select your ad as being the source of the identity

    8. check that the 'Allowed access' rule is selected in the authorization to access your service

    These measures define your devices, and then create a rule to say that ACS must use an individual service for this access devices and set this access service to use AD as authentication.

    Again, what are the basic steps, he may miss some things to do depending on your configuration, but I hope this will help you.

    ACS 5 may be difficult at first, but once you get your hands on it, you will see that it is powerful.

  • ACS with two IP address?

    Hello

    We have the CSACS-1121-K9 Cisco ACS 5.4 running chassis, the chassis has four interfaces and I was wondering if I can configure two different ip addresses in different segments to authenticate network devices. This, because we have to manage two different networks.

    Thank you.

    I use SNS3495 ACS 5.5, and I already have,

    I had 3 interface (1 management MMIC, 1 ACS (gui and ssh), 1 officer of AAA services management)

    I think this would work on your case.

    but we could have only 1 Management (for GUI config and SSH) interface

    don't forget to add the static route between networks.

  • [Cisco ACS] Memory usage limit

    Hello

    We have 2 CSACS 1121 with Cisco ACS 5.2.0.26.10

    The main server manages authentication 20000 + per day.

    Its memory usage is growing every day.

    It's now 83%

    Is there a limit?

    What happens when memory use reaches this limit?

    What can we do to purge the memory usage? (reboot, restarting the service...)

    Thanks for your help

    Patrick

    Check the secondary collector newspaper. This will help to balance the load between the two nodes and you will see the memory usage decreases.

    Thank you

  • ACS 5.2 design issues

    Is it possible to have my managed network ACS Appliance (CSACS-1121-K9) 5.2 as primary and an ACS Server 5.2 VMWare (CSACS - 5.2 - VM - K9) as secondary? I have problems with basic license?

    Otherwise if I plan to run servers ACS 5.2 VMWare are my primary and secondary. Should I buy 1 or 2 VMWare Software (s) (CSACS - 5.2 - VM - K9)?

    We currently have a device of 4.2 ACS on a platform of 1113, is there any option for ACS 5.2 upgrade device or ACS 5.2 VMWare Server? The ordering Guide indicates that he's upgraded options like, CSACS-1121-UP-K9 & CSACS-5.2 - VM-UP-K9 to upgrade from previous versions. But the Migration Document, said that the ACS4.x device must be restored to a windows ACS4.x server before migration and backup. This does not seem like an easy migration. Is there another solution?

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.2/migration/guide/Migration_support.html#wp1016086

    Is the new ISE product better for AAA / GANYMEDE + or I should have a separate ACS for AAA?

    Thanks in advance.

    Jenny,

    Here's the answer to your questions:

    Is it possible to have my managed network ACS Appliance (CSACS-1121-K9) 5.2 as primary and an ACS Server 5.2 VMWare (CSACS - 5.2 - VM - K9) as secondary?

    Yes

    I have problems with basic license?

    NO.

    Otherwise if I plan to run servers ACS 5.2 VMWare are my primary and secondary. Should I buy 1 or 2 VMWare Software (s) (CSACS - 5.2 - VM - K9)?

    This is just sku which included another license that you purchase. You don't buy the software from us, license only. You can download more likely the software from cisco website.

    We currently have a device of 4.2 ACS on a platform of 1113, is there any option for ACS 5.2 upgrade device or ACS 5.2 VMWare Server?

    You answered your question on this one, there are an involved migration process that converts your old base of 4.2 to 5.2, take into account the fact that migration migrates only the hard parts such as: groups of network devices, internal users, ldap database configurations, network devices, sets of shell commands, to name a few. You will need to reconfigure the authorization policies since acs 5.2 takes on a different model of acs 4.x.

    But the Migration Document, said that the ACS4.x device must be restored to a windows ACS4.x server before migration and backup. This does not seem like an easy migration. Is there another solution?

    This isn't a bad solution, all you have to do is to deploy another server windows just to run acs for windows on, and then you use vnc to walk through the migration process. You will need to open a folder of tac for a person to publish the installation files and patches to put you on the same version.

    Is the new ISE product better for AAA / GANYMEDE + or I should have a separate ACS for AAA?

    ISE is a new product that migrates only 5.x databases. Right now ISE 1.0 not Ganymede support.

  • Cisco Secure ACS Solution Engine ping

    1. I installed Cisco Secure ACS Solution Engine with V3.3 and I can access via the http port 2002 but I can't ping it from anywhere in the network, but the server can ping everything. Is this normal?

    2. If I can't ping, how can I define the keepalive service to load balance 2 ACS engines using CSS?

    By the way, I forgot that ACS 3.3 device has a CSA integrated. This agent is enabled by default. He explains why you can't ping it.

    For enable/disable it, go to "System Setup Configuration - device. Toggle the checkbox enabled the CSA according to needs.

    http://www.Cisco.com/en/us/partner/products/sw/secursw/ps5338/products_user_guide_chapter09186a008023361d.html#wp859228

    Rgds,

    AK
