Cisco ACS 5.2 VMware 'Management' process hangs

Hello

We recently purchased Cisco ACS 5.2 for VMware, which must be installed on VMware ESXi 4.1. However, after commissioning the virtual machine with the requirements set out in the Cisco installation guide, ACS is unable to start properly.

We don't get any visible error messages, but when checking the ACS processes, I see that the 'management' process is stuck in the "initializing" state.

Any ideas how to solve this problem?

Thank you

Gilbert

ESX 4.1 is not supported with ACS 5.1

http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.2/device_support/sdt52.html#wp75825

Virtual Machine requirements

The minimum configuration for the virtual machine must be similar to the hardware configuration of the server series CSACS-1120.

Table 6-1 lists the minimum system requirements to install ACS 5.2 on a VMware virtual machine.

Table 6-1. Minimum system requirements

Requirement type    Minimum requirements
CPU                 Intel Core2; 2.13 GHz
Memory              4 GB of RAM
Hard drives         500 GB of disk storage
NIC                 1 GB network interface
Hypervisor          VMware ESX 3.5 or 4.0

Installation of ACS 5.2 on VMware

http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.2/installation/guide/csacs_vmware.html#wp1057864

Kind regards

Jousset


Similar Questions

  • Using Cisco ACS 5.2 (TACACS+) with non-Cisco devices

    Hi all

    I was hoping that someone could help me with what might be a silly question. I'm trying to implement a solution whereby an operator can control all their (non-Cisco) network nodes via TACACS+. The nodes involved are:

    Juniper M10i running Junos 9.2, M120

    Juniper M320 running Junos 8.5

    Extreme BD8810 and BD8806 running XOS 12.4.1.17

    Extreme Alpine 3804 running Extremeware 7.8.3.5

    My question is: can I use Cisco ACS 5.2 (or 4.2) to authenticate these non-Cisco devices using TACACS+? Has anyone else done this, or do I have to use RADIUS? If someone has done this, are there interoperability problems between Cisco ACS and Junos or Extreme XOS? Thank you

    / John

    John,

    We have a very large deployment of Juniper (T-series, MX-series, etc.). We use Cisco ACS and TACACS+ to manage these devices. The configuration of the ACS is fairly simple. You'll want to create users to connect and match them to the classes on your JUNOS routers. Here is an example:

    set system login user engineering uid 2000
    set system login user engineering class engineering-class
    set system login user NOC uid 2001
    set system login user NOC class NOC-class

    set system login class engineering-class idle-timeout 15
    set system login class engineering-class permissions all
    set system login class NOC-class idle-timeout 15
    set system login class NOC-class permissions view
    set system login class NOC-class permissions view-configuration

    We use two classes, engineering and NOC. One is defined as read/write and the second as read-only. This is then in turn mapped in ACS (in our case version 4.2) by user or group (preferred). First, you change the interface configuration and add a TACACS+ junos-exec service, and do not enter the Protocol field. Then, you change the attributes of the user group. I've attached screenshots for both on this subject.

    Hope this helps.

    Derek

  • Cisco ACS 5.1 and RSA Authentication Manager 6.1

    Hi all

    We recently got a Cisco Secure ACS 1120, and I upgraded the unit from 5.0 to 5.1 with all your support.

    Now, I need to integrate Cisco ACS 5.1 with RSA Authentication Manager 6.1. I have successfully downloaded the config file from the RSA ACE Server and exported it to the ACS 1120.

    I also added ACS as a Net OS Agent in the RSA server; during the process, I got a few warnings. The ACE Server is not able to resolve the IP address to the name (is it necessary?).

    I have not created any secret key file for communication between ACS and RSA, and the encryption I used is FOR.

    Now, when I log into ACS and search for devices in the identity store sequences, I am not able to see the RSA Token Server.

    Let me know what went wrong and where I can fix it, and also please tell me what the communication between RSA and ACS is.

    Hoping that you guys help me as usual when I'm in a hurry...

    Sree

    Were you able to successfully create the RSA identity server? After selecting the sdconf.rec and pressing Submit, what happened? Was the RSA instance created OK?

    If you go to

    Users and identity stores > external identity stores > RSA SecurID Token servers, what do you see in the list?

  • Integration of Cisco ACS and Cisco NAC Manager - downloadable ACLs

    Hello

    I have set up Cisco NAC in my environment. It all works well. The users get authenticated via Cisco NAC Manager. The Cisco NAC Manager talks to Cisco ACS for the user database part. This all works well. I would like to activate downloadable ACLs. I tried to use the CISCO-AV-PAIR method and creating a downloadable ACL entry in the shared components, but nothing works. Either I'm doing it wrong, or this configuration of mine does not support downloadable ACLs? Please kindly advise.

    Kind regards

    RAM

    + 6 012-2918870

    Hello

    It is not possible.

    You cannot push the ACL in the NAC manager.

    If you do RADIUS authentication from the NAC Manager, what you can do is create roles on the NAC Manager, and on the roles you define traffic policies.

    Using the Radius attributes you can then map users to roles.

    Please, take a look at this:

    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_auth.html#wp1158789.

    HTH,

    Tiago

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • How can I get a trial version of Cisco ACS 5.4

    Hi guys:

    I would like to get a trial version of ACS 5.4 for educational purposes (certification lab). I know that it is possible to download the ISO file from www.cisco.com, but when I try to download the file with my Cisco CCO account, I get a message telling me "an additional fee required". Do you know how I can get this software?

    PS: I was able to download a trial license for this software (*.lic file), but I want to install ACS on a VMware server and play with it. I need the ISO file.

    Thank you very much for your help

    Kind regards.

    Martin

    CCNA-CCNP-CCGD

    Certified Engineer

    Cisco offers limited trial copies of some of its products. They are linked from here:

    http://www.Cisco.com/go/nmsevals

    In general, if it is not there, it is not available as a trial version. It is usually not Cisco policy to provide all software as trials for teaching and lab use.

    If you are working with a Cisco or partner account manager, you will get an exception on a case-by-case basis.

  • Limiting connections via Cisco ACS 5.0

    Hi all

    A few days ago I deployed Cisco ACS 5.0 with Active Directory integration for my wireless infrastructure. My wireless users connect through a web authentication process. The authentication goes through AD and works very well. But I want to configure my ACS 5.0 so that a user cannot connect several devices simultaneously.

    Hello Sabine,

    The 'max sessions' feature was introduced in ACS 5.3.

    Maximum user sessions

    For optimal performance, you can limit the number of concurrent users accessing the network resources. ACS 5.3 imposes limits on the number of simultaneous service sessions per user.

    The limits are defined in several different ways. You can set limits at the user level or at the group level. Depending on the user's maximum session configuration, the session count is applied to the user.

    IMPORTANT: for maximum sessions to work for user access, the administrator must configure RADIUS accounting.

    You can go through the link listed below for more information:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/access_policies.html#wp1176806

    The code that you're using now, ACS 5.0, is not recommended for a production environment. You need to upgrade the ACS to get the max sessions functionality.

    Jatin kone
    - Do rate helpful posts -

  • Cisco ACS 5.3 patch 8 /opt volume

    Hello

    We currently have 12 ACS units, with one of them being a dedicated log collector. We have 802.1X authentication configured for network ports and Wi-Fi. We are authenticating desktops, laptops, smart phones, etc. on our network.

    The problem we have is the /opt volume exceeding the 30% volume size recommended by Cisco TAC after a few months. We have recently added more resources to our network (fusion). We now reach the 30% size in about 1 month.

    In the past, we called Cisco TAC when we had performance problems with the Log Collector. At that time it was also authenticating 802.1X clients. We have since added a new appliance as a dedicated Log Collector. They would check the /opt volume and find that it was at about 70% of its size. They would launch the root console patch, delete the DB and then re-create it. We did this about 2 times before starting to monitor the size of the /opt volume.

    This last time, we reached 30% of the volume size more rapidly than we had previously. I got Cisco TAC to delete and recreate the /opt volume.

    Cisco TAC recommended that we reduce the amount of logs that are sent to the log collector. We are currently investigating this option.

    The questions I have are:

    At what percentage of the /opt volume size should we be concerned, before it starts impacting the performance of the Log Collector?

    Is there anything else we can do to reduce the amount of logs that are sent to the Log Collector?

    We have data purge set to 30 days. We are running full and incremental database backups. We also send local logs to a Syslog server.

    We are testing changes to send only AAA Audit logs and System Statistics to the Log Collector.

    Thank you

    In a distributed configuration, it's recommended to set up a secondary server dedicated as a log collector. However, you have a large deployment, so I'm sure the authentication rate would be too high, causing the view database size to keep increasing.

    In order to avoid running out of disk space, we need to manage it. This means identifying the files that are created and written by processes on the system, allocating them a space budget such that, if the files remain within their budget, all the services can be supported without interruption, and then defining and implementing the necessary facilities to keep these files within their budget.

    There are two mechanisms to reduce this size and prevent it from exceeding the maximum limit.

    1. Purge: with this mechanism the data will be purged based on the configured data retention period or on reaching the upper limit of the database. In Patch 6 a new option for on-demand purging is provided as well.

    2. Compress: this mechanism frees up unused space in the database without deleting any records. Previously, the compress option could only be performed manually. In ACS 5.3 Patch 6 there are improvements so it will run automatically every day at a preset time, when specific criteria are met.

    At what percentage of the /opt volume size should we be concerned, before it starts impacting the performance of the Log Collector?

    The TAC recommendations are right. You will be able to use all the ACS functions if /opt is less than 30%.

    Is there anything else we can do to reduce the amount of logs that are sent to the Log Collector?

    It seems that you use most of the features/mechanisms to keep /opt low. However, you may be interested to read more about the data purge and data compression improvements: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html

    - Please use System Administration > Configuration > Log Configuration > Logging Categories > Global to configure only the required logs to be sent to the ACS View log collector.

    - Provide a fresh screenshot of the Monitoring Configuration > System Operations > Data Management > Removal and Backup page.

    - With the command listed below you can check the actual and physical database size:

    acs-config

    Username: acsadmin

    Password: *.

    acsview show-dbsize

    There are some known defects on the same subject. However, the version you use improves database management process.

    CSCto47203: ACS 5 runs out of disk space

    CSCua51804: View backup fails even when there is disk space

    Jatin kone

    - Do rate helpful posts -

  • How can I use Cisco ACS to log shell commands

    Hi guys, pleeeease, how can I configure Cisco ACS to do command authorization on my Cisco 3660 router? I get the accounting and authentication logs, but no log that shows the shell commands issued by users, and that is the most important log that I need. I have read materials and downloaded articles from the Cisco site... but it still does not give me the logs.

    I have these lines on my router:

    ...

    aaa authorization config-commands

    aaa authorization exec default group tacacs+

    aaa authorization commands 15 default if-authenticated

    aaa authorization network default group tacacs+

    ...

    It's funny: when I turn on AAA authorization debugging on the router, it shows me every command being sent by the user in the debug log. But nothing shows under TACACS+ Administration on the Cisco Secure ACS. What is responsible for this?

    *****************************************************

    I installed the 90-day trial version of Cisco ACS and made all the necessary settings, and I have to say I like what I see already. I'm making moves to recommend the product for purchase. Thank you guys, I learned about the features of this ACS software through this forum, keep up the good work. I recommend the software for those who need reports suited to managing security audit logs.

    If I understand what you're asking correctly, the answer is not in authorization; it is in accounting. I set this up on my routers to send to ACS the commands that privilege level 15 users enter on the router.

    aaa accounting commands 15 default start-stop group tacacs+
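
The gap discussed in this thread, command authorization present but no command accounting, can be checked for in a saved running-config. This is an added example, not code from the original posts: the sample config is constructed from the question's router lines written in IOS syntax, the function and constant names are assumptions, and it only tracks one method list per privilege level.

```python
import re

# Constructed sample: the router lines quoted in the question, in IOS syntax.
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization config-commands
aaa authorization exec default group tacacs+
aaa authorization commands 15 default if-authenticated
aaa authorization network default group tacacs+
"""

# Finding texts (hypothetical names, used only by this example).
NO_ACCOUNTING = "no command accounting: commands are not logged on the AAA server"
ACCOUNTING_NOT_SENT = "command accounting has no server group: records stay off the AAA server"
LOCAL_AUTHZ = "command authorization has no server group: decided locally on the router"

AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) \S+ (.+)$")
ACCT_RE = re.compile(r"^aaa accounting commands (\d+) \S+ (.+)$")


def audit_command_logging(config_text):
    """Map each privilege level that has command AAA lines to a list of findings."""
    authz, acct = {}, {}
    for raw in config_text.splitlines():
        line = " ".join(raw.lower().split())  # normalise case and spacing
        for regex, table in ((AUTHZ_RE, authz), (ACCT_RE, acct)):
            match = regex.match(line)
            if match:
                # Simplification: a later line for the same level replaces
                # the earlier one, whatever its method-list name.
                table[int(match.group(1))] = match.group(2).split()

    findings = {}
    for level in sorted(set(authz) | set(acct)):
        issues = []
        if level not in acct:
            issues.append(NO_ACCOUNTING)
        elif "group" not in acct[level]:
            # e.g. "none": accounting is configured but goes to no server.
            issues.append(ACCOUNTING_NOT_SENT)
        if level in authz and "group" not in authz[level]:
            issues.append(LOCAL_AUTHZ)
        findings[level] = issues
    return findings


if __name__ == "__main__":
    for level, issues in audit_command_logging(SAMPLE_CONFIG).items():
        print(f"privilege {level}: {issues or 'ok'}")
```
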

  • Cisco ACS 5.4 dual certificate option

    Hello Experts

    I wonder if anyone knows if I can have two certificates on my Cisco ACS 5.4 server. The documentation says I can, as long as they have different 'from' and 'to' dates with the same CN name. However, this is a production server and I wanted to be sure before I make changes. I currently have one certificate installed and everything works well, but I need to add a second for migration purposes.

    Hovsep Armeni
    LAN, UK

    A certificate can be linked to these two services (HTTP and EAP), however, each service can only be associated with a single certificate. Thus, for example, you cannot have two certificates that are related to the EAP process.

    Thank you for rating helpful posts!

  • How to restore the password on Cisco ACS 5.4

    Hello!

    I'm trying to restore the password of Cisco ACS 5.4 installed on VMware. Where can I get the password recovery DVD? There is no such software in the list on the site.

    TAC may provide it to you. You will need to open a case and request it.

    HTH

  • Cisco ACS 4.2 1113 Recovery DVD

    Good day!

    We have a CSACSE-1113-k9 Cisco ACS 4.2 1113 appliance, and we need to reimage it (restore the device to its original state). Can anyone help me with the correct software.cisco.com link to the recovery DVD image?

    I'm trying to find it, but I can't see the recovery DVD:

    Hello

    As far as I know, you don't have the possibility to download ACS recovery DVDs from cisco.com. You can contact Cisco TAC and they can publish the software for you.

    Rate if useful...

    Kind regards

    Kush

  • Cisco ACS 5.6

    Hello

    I wonder if anyone can help me? Our server team recently installed Cisco ACS (version 5.6) on a VM server. I can log in to the web GUI OK using the ACSAdmin account. The server team informed me that they set the same password for the CLI admin account as they did for the GUI ACSAdmin account, but I get "access denied" when I try to SSH to the server (with the username admin).

    I looked at various posts and documentation, but it seems to me that the CLI SSH account can be managed via the Web UI?

    Does anyone know a way to hack the SSH account, or should I just ask for the server to be rebuilt? I can see some password recovery tips, but these seem to apply to a physical server, not a VM.

    Thank you very much

    Hello

    Boot from the ACS 5.6 ISO and reset the console password

    Thank you

    John

  • Cisco ACS 5.5

    Hello

    I just installed Cisco ACS 5.5.0.46.  We managed to get Juniper devices to authenticate using RADIUS.

    The problem is that the authentication logs are empty.

    I intend to patch the ACS of Update Rollup 4 for tonight, hoping that it can fix the problem.

    Can someone advise?

    Regards

    Vijay

    Good to hear your issue was resolved. Also, thank you for taking the time to come back and post the solution to the problem! (+5 from me). Now, if your issue is resolved, please mark the thread as "answered" :)

  • [Cisco ACS] Memory usage limit

    Hello

    We have 2 CSACS 1121 with Cisco ACS 5.2.0.26.10

    The main server handles 20000+ authentications per day.

    Its memory usage is growing every day.

    It's now 83%

    Is there a limit?

    What happens when memory use reaches this limit?

    What can we do to purge the memory usage? (reboot, restarting the service...)

    Thanks for your help

    Patrick

    Check the secondary log collector. This will help to balance the load between the two nodes and you will see the memory usage decrease.

    Thank you

  • Does Cisco ACS 1113 v4.2 device work with Windows 2008

    Hello

    I have a wireless infrastructure currently in production. All my Cisco LWAPs are managed by a Cisco WLC. Authentication is done via RADIUS through my Cisco ACS 1113 appliance running version 4.2. The Cisco ACS 1113 appliance communicates with my Windows 2003 Active Directory. Everything is good now.

    Next month, we plan to upgrade Active Directory from Windows 2003 to Windows 2008. Will all be fine and good, or will there be issues? Please kindly advise.

    I saw another post in this community that states https://supportforums.cisco.com/thread/1003597?tstart=0. I am now confused. Help, please.

    Kind regards

    RAM

    + 60122918870

    ACS 4.2 does not work with Windows 2008 R2. I had a TAC case open about this, and basically, they told me that I had to switch to ACS 5.2. I've been doing demonstrations there and it authenticates with Windows 2008 R2 very well.
