Cisco ACS 3.1 and Logging of Nortel Passport CLI commands
Good afternoon
We are trying to log CLI commands from a Nortel Passport 8600 on Cisco ACS version 3.1. The version of the code that runs on the Passport does not support TACACS+.
The Passports authenticate OK but don't log any command information. I "think" the problem may be that the Nortel RADIUS VSA for the cli-commands attribute, 195, is not collected by ACS.
Does anyone know how I would go about getting this added to the existing list of RADIUS (Nortel) VSAs?
Thank you very much
Kind regards
Flett.
Foisy,
You must add the Nortel attributes 193-195 to enable logging of the commands.
Unfortunately you can't download on 3.x code; you will need to upgrade ACS to the 4.x code.
Kind regards
~ JG
-
Cisco ACS 5.1 and RSA Authentication Manager 6.1
Hi all
We recently got a Cisco Secure ACS 1120 and I upgraded the unit from 5.0 to 5.1 with all your support.
Now, I need to integrate Cisco ACS 5.1 with RSA Authentication Manager 6.1. I have successfully downloaded the config file from the RSA ACE Server and exported it to the ACS 1120.
I also added ACS as a NetOS Agent in the RSA server; during the process, I got a few warnings. The ACE Server is not able to resolve the IP address to the name (is it necessary?).
I have not created any file of secret key for communication between FAC and RSA and I used encryption is FOR.
Now, when I log into ACS and search in the identity store sequences, I am not able to get the RSA Token Server.
Let me know what went wrong and where I can fix it, and also please tell me what the communication between the RSA and ACS is.
Hoping that you guys help me as usual when I'm in a hurry...
Sree
Were you able to successfully create the RSA identity server? After selecting the sdconf.rec and pressing submit, what happened? Was the RSA instance created OK?
If you go to
Users and identity stores > external identity stores > RSA SecurID Token servers, what do you see in the list?
-
Version of Cisco ACS 1121 5.3 - logging
Hello
I am new to Cisco ACS 5.X. What I've read, the Cisco ACS can act as a logging server. Does this mean, all messages from syslog to all other network and ACS devices can be stored by ACS? I'm a little confused on that part.
Finally, I understand that Cisco ACS has many or perhaps 2 instances? When do we use these instances? What is an instance?
Kind regards
RAM
In the deployment, you must specify one ACS as the log collector server. All other servers send their logs to the log collector.
http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_sys...
In a distributed deployment, each ACS server is an instance. You have a main instance and multiple secondary instances.
http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_sys...
-
Cisco ACS 5.4 and VPN 3000
Hello
I'm trying to use Cisco ACS 5.4 for RADIUS authentication of VPN users on a VPN 3000 concentrator.
I added the VPN 3000 on ACS and added ACS on the VPN group as an authentication server with a shared secret. When I do a test on the authentication server using the local account that I created on ACS, it reports that no response was received from the server, even though I can see the RADIUS auth in green.
Any help would be much appreciated.
Regards
AR
Hey,
What does the report on ACS show?
"RADIUS auth in green"
If so, a pcap between the two would help.
Regards
Ed
-
Cisco ACS 5.2 and IOS XR
We are deploying devices with IOS XR and I was wondering if anyone has experience deploying them with TACACS+ authentication on the Cisco ACS 5.x platform. If so, can you give some examples of how you have mapped the predefined user groups?
Thank you
Here's an example of how to do that on a CRS; make sure you assign the correct tasks under the shell profile.
Thank you
Tarik
-
Cisco ACS 5.1 and ASA SSL VPN change or notify the expired password
Hello
Now, my ACS and ASA are connected via RADIUS (MSCHAPv2). I've set up password lifetime on ACS and password management on ASA. But Cisco ASA did prompt change or whatever it is to notify when the user tries to log on with Clientless SSL VPN. Could you advise me on what to change to get a change prompt or a notification for the expired password?
PS.
I check change password on the first login of th on ACS this confirmation of the ASA to change password dialog box. But I want change or warn when the expired password
Thank you
By default the password is marked as disabled after expiry.
I think that there is an improvement for this in the 5.2.0.26.2 patch and above, which includes the following:
CSCtk32168: Add an option to change the password when the password expires (T+ and RADIUS)
After you install this patch, you get an option in the user authentication settings for what happens when the expiration period is exceeded:
- Disable the user account
- Expire the password
If the password is expired, the user will be asked to change the password at the next authentication.
Note this latest patch for 5.2 is 5.2.0.26.4. All patches are cumulative
-
Authentication PEAP with Cisco ACS 5.3 and Lotus Notes DB
Hello
I want to authenticate clients wireless against the name of user/passwords stored in a lotus notes database.
Network: PEAP SSID-> Accesspoint-> controller-> ACS 5.3 WLAN 4404-> Notes DB
Is this possible?
I can connect and query the LDAP attributes and groups, but when I try to authenticate a user, I always get an error "object not found in the identity store".
Bind test succeeds (> 100 groups and > 100 subjects.)
EAP-MSCHAPv2 is not supported with LDAP by ACS.
You can use EAP-GTC.
You should use a supplicant that supports PEAP (EAP-GTC),
such as ADU, Intel PROSet, CSSC, Cisco AnyConnect, ... you can google for a list of supplicants.
Open the new thread for cause of Apple
-
Cisco ACS 4.0 and HTTPS
New to ACS, is there a way to require (or even simply permit) https to access the administration web site?
Thank you
Tim
Hello
Yes there is:
Administration Control, then Access Policy. Check the box 'Use HTTPS Transport for Admin Access'.
You need a good server cert first. The cert management pages are under System Configuration.
Mounira
-
How can I use Cisco ACS to save Shell commands
Hi guys, pleeeease how can I configure Cisco ACS to do command authorization on my Cisco 3660 router? I get the accounting and authentication logs, but no log that shows the commands issued by users in the shell, and it's the most important log that I need. I read materials and downloaded articles from the Cisco site... but the thing still does not give me the logs.
I have these lines on my router:
...
aaa authorization config-commands
aaa authorization exec default group tacacs+
aaa authorization commands 15 default if-authenticated
aaa authorization network default group tacacs+
...
It's funny, when I turn on AAA authorization debugging on the router, it shows me every command being sent by the user in the debug log. But nothing shows under TACACS+ Administration on the Cisco Secure ACS. What is responsible for this?
*****************************************************
I installed the trial version of the Cisco ACS 90 days and made all necessary settings and I have to say I like what I see already. I'm opening moves to recommend the product to purchase. Thank you guys, I got about the features of this ACS software through this forum, keep up the good work. I recommend the software for those who need to have adapted to the management reports Security Audit logs.
If I understand what you're asking correctly, the answer is not in authorization, it is in accounting. I set this up on my routers to send to ACS the commands that privilege level 15 users enter on the router.
aaa accounting commands 15 default start-stop group tacacs+
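A way to check a saved running-config for the gap this thread describes, command authorization present but no command accounting for the same privilege level. This is an added example, not code from the thread or from Cisco; the sample config is constructed and the function names are hypothetical.

```python
import re

# Constructed sample running-config mirroring the thread: command
# authorization is configured, command accounting is not.
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization config-commands
aaa authorization exec default group tacacs+
aaa authorization commands 15 default if-authenticated
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
"""

# aaa {authorization|accounting} commands <level> <list-name> <methods...>
CMD_LINE = re.compile(
    r"^aaa\s+(authorization|accounting)\s+commands\s+(\d+)\s+(\S+)\s+(.*)$",
    re.IGNORECASE,
)

def command_aaa_levels(config):
    """Return the per-level method strings for command authorization and accounting."""
    found = {"authorization": {}, "accounting": {}}
    for raw in config.splitlines():
        m = CMD_LINE.match(raw.strip())
        if m:
            kind, level, _list_name, methods = m.groups()
            found[kind.lower()][int(level)] = methods.strip()
    return found

def audit_command_logging(config, levels=(15,)):
    """List findings for privilege levels whose commands never reach the AAA server."""
    found = command_aaa_levels(config)
    findings = []
    for level in levels:
        acct = found["accounting"].get(level)
        if acct is None:
            findings.append(f"level {level}: no 'aaa accounting commands' line, "
                            "commands are not sent to the accounting log")
        elif "group" not in acct.split():
            findings.append(f"level {level}: accounting has no server group: {acct}")
    return findings

if __name__ == "__main__":
    for finding in audit_command_logging(SAMPLE_CONFIG):
        print(finding)
    fixed = SAMPLE_CONFIG + "aaa accounting commands 15 default start-stop group tacacs+\n"
    print(audit_command_logging(fixed) or "command accounting present")
```

Pass every privilege level you care about in `levels`; IOS accounts commands per level, so a line for level 15 does not cover level 1 commands.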
-
Cisco ACS 5.2 with NX - OS (Nexus) devices user - questions
Hey, I have a really strange problem with Cisco ACS 5.2 and Nexus NX - OS devices.
I create an account on ACS, let's call him User1 and give privilege 15. With User1, I am able to access on all our IOS, IOS - XE, ASA and PIX devices with privilege 15.
When I use the User1 account on our NEXUS devices, I do NOT receive privilege 15 access. As you probably know, the NEXUS devices have roles: predefined or custom roles. So I assumed User1 would get the role of "network-admin" (priv 15 read/write) when connecting, but instead I got the role of 'vdc-operator' (priv 1 read-only).
Then I tried to tweak User1 and give it network-admin under Shell Profile > Custom Attributes. I logged in to the NEXUS and of course I was able to get network-admin access. However, my access to ALL other devices (IOS, ASA, PIX, etc.) does NOT work! I am not even able to connect with my login and my password to these devices.
Has anyone ever experience this problem? Help, please!
Thank you
neocec
This is a common problem when you mix RBAC and IOS device authorization policies. The AV pair that you created must be set to 'optional' instead of 'mandatory'; please make this change and you will be able to access all your devices.
Thank you
Tarik
-
RADIUS does not work on Cisco ACS SE v4.1(1)
Hello
I have a CiscoSecure ACS version 4.1 (1) build 23.
I can't configure the Cisco ACS for granular control of router access. I have a Netopia router that is configured to use RADIUS to authenticate remotely for a telnet connection. The router sends the access request to the Cisco ACS SE RADIUS, and a sniff on the ACS side shows the request arriving at the ACS, but I see no response from the ACS. RADIUS authentication works with a Windows 2003 server.
I configured an AAA client and a user on the ACS and use the default group. I use IETF RADIUS. What attributes should I configure? In Windows, I use Service-Type Framed and Framed-Protocol PPP. This does not work with the Cisco ACS SE. Nothing shows up in the logs. It shouldn't be so difficult, but for some reason I can't make it work.
Thanks for any help.
Jutta Kullmann
Jutta,
Good to know it works very well. Please mark this thread as solved so others can benefit from it.
Kind regards
~ JG
-
Cisco cisco ACS patch location site
Hello
I want to install cisco Acs 4.1 and I'm looking for the location on the Web site for patches can you please give the path?
Thank you
For ACS for windows:
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES
For ACS SE:
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES
Kind regards
Prem
-
Cisco ACS 5.3 several AD domains
Hello everyone
I have a quick question about Cisco ACS 5.3 and multi domain authentication. How exactly is it treated?
Can I join more than one domain with the ACS server? Or do I still need to configure a two-way trust relationship between the AD forests (even with ACS 5.3)?
Thank you
Markus
Hello
You can join ACS to only a single domain. Here's a thread that will help you identify the trust you will need to get this working.
https://supportforums.Cisco.com/thread/2162234
Thank you
Tarik Admani
-
Problem with Cisco ACS and different areas
Hello
We are currently facing a problem with the Cisco ACS that we put in place, and I'll try to describe it:
We have ACS connected to AD directory domains, where we have 2 domains and the appropriate group mappings.
Then we have our Cisco switches with the following configuration,
aaa new-model
aaa authentication fail-message ^CCCC
Failled to authenticate!
Please IT networks Contact Group for more information.
^C
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
But the problem is that we can authenticate with the users in one domain, but not the other. Basically, the issue is that when we check the passed authentications, both authentications are passing and displaying 'Authentic OK', but on the switch side, there is a failure.
There may be something wrong with the ACS?
Thank you
Jorge
Try increasing the timeout on IOS device using radius-server timeout 10.
Do we not have remote logging enabled on the ACS server?
-Philou
-
Cisco ACS and the domain controller
Hello
We are currently using the Cisco ACS 3.2.3.11 solution engine and using a Windows domain as a remote agent controller.
We now have the ACS to 4.1
1. do I need to upgrade the remote agent on the domain controller as well?
2. any computer on the network can be used as a Distribution Server?
3. after an initial backup and upgrade then to 3.3.3.3 I make another backup before the upgrade to 4.1?
You can use any PC in the network as a Distribution Server.