Cisco ACS SE TACACS+ accounting fails

Hello

I'm running Cisco ACS SE 4.1.23.5. My problem is that the ACS does not log the remote switches. I have configured the following accounting commands:

aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default arrhythmic group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default power group tacacs+

When I enable aaa accounting debugging, I get the following logs on the switch:

001091: 12 sep 12:06:06.464 TSB: AAA/ACCT: user johndoe, acct type 3 (2684940942): Method=tacacs+ (tacacs+)
001092: 12 sep 12:06:06.665 TSB: TAC+: (2684940942): received acct response status = SUCCESS
001093: 12 sep 12:06:11.128 TSB: AAA/ACCT/CMD: user johndoe, tty2, priv 15, 'show running-config'
001094: 12 sep 12:06:11.128 TSB: AAA/ACCT/CMD: Found list "default"
001095: 12 sep 12:06:11.346 TSB: AAA/ACCT: user johndoe, acct type 3 (1583033889): Method=tacacs+ (tacacs+)
001096: 12 sep 12:06:12.000 TSB: TAC+: (1583033889): received acct response status = SUCCESS
001097: 12 sep 12:08:16.303 TSB: AAA/ACCT/CMD: user johndoe, tty2, priv 15, 'configure terminal'
001098: 12 sep 12:08:16.303 TSB: AAA/ACCT/CMD: Found list "default"
001099: 12 sep 12:08:16.303 TSB: AAA/ACCT: user johndoe, acct type 3 (1098049616): Method=tacacs+ (tacacs+)
001100: 12 sep 12:08:16.504 TSB: TAC+: (1098049616): received acct response status = SUCCESS
001101: 12 sep 12:08:29.884 TSB: AAA/ACCT/CMD: user johndoe, tty2, priv 15,

It seems that the switch does get a response, but the ACS does not record it. I have updated the ACS to the latest patch (4.1.23.5), which is supposed to resolve this known bug.

Is there something that I am missing?

Thank you.

ESD

And what do you get in the TACACS+ Administration logs?

Kind regards

Prem
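The debug output above can be checked mechanically before blaming the server. The following Python is an added example, not code from the poster or from Cisco: it parses constructed sample lines in the same `debug aaa accounting` format (line layout assumed from IOS output, timestamps dropped) and pairs each command accounting request with the TAC+ response, so a command the server never acknowledged stands out.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the format of IOS `debug aaa accounting` output
# (timestamps dropped). Assumption: the id in a TAC+ response line equals
# the id in the AAA/ACCT request line that preceded it.
SAMPLE_DEBUG = """\
AAA/ACCT/CMD: user johndoe, tty2, priv 15, 'show running-config'
AAA/ACCT/CMD: Found list "default"
AAA/ACCT: user johndoe, acct type 3 (1583033889): Method=tacacs+ (tacacs+)
TAC+: (1583033889): received acct response status = SUCCESS
AAA/ACCT/CMD: user johndoe, tty2, priv 15, 'configure terminal'
AAA/ACCT/CMD: Found list "default"
AAA/ACCT: user johndoe, acct type 3 (1098049616): Method=tacacs+ (tacacs+)
TAC+: (1098049616): received acct response status = SUCCESS
AAA/ACCT/CMD: user johndoe, tty2, priv 15, 'write memory'
AAA/ACCT/CMD: Found list "default"
AAA/ACCT: user johndoe, acct type 3 (2684940942): Method=tacacs+ (tacacs+)
"""

CMD_RE = re.compile(r"AAA/ACCT/CMD: user (\S+), (\S+), priv (\d+), '(.*)'")
REQ_RE = re.compile(r"AAA/ACCT: user \S+, acct type (\d+) \((\d+)\): Method=(\S+)")
RESP_RE = re.compile(r"TAC\+: \((\d+)\): received acct response status = (\S+)")

Record = Dict[str, Optional[str]]


def correlate_command_accounting(debug_text: str) -> List[Record]:
    """Pair every command accounting request with the server's response.

    One record per command: user, tty, privilege level, command text,
    request id, accounting method and response status (None if the
    server never answered, i.e. the record cannot be on the ACS).
    """
    records: List[Record] = []
    by_id: Dict[str, Record] = {}
    pending: Optional[Record] = None        # CMD line awaiting its request id
    for line in debug_text.splitlines():
        if m := CMD_RE.search(line):
            pending = {"user": m[1], "tty": m[2], "priv": m[3], "command": m[4],
                       "req_id": None, "method": None, "status": None}
            records.append(pending)
        elif (m := REQ_RE.search(line)) and pending is not None:
            # request lines for exec records have no preceding CMD line; skipped
            pending["req_id"], pending["method"] = m[2], m[3]
            by_id[m[2]] = pending
            pending = None
        elif m := RESP_RE.search(line):
            if rec := by_id.get(m[1]):
                rec["status"] = m[2]
    return records


def unacknowledged(records: List[Record]) -> List[str]:
    """Commands the switch sent but never got an acct response for."""
    return [r["command"] for r in records if r["status"] != "SUCCESS"]
```

If every command shows SUCCESS, as in the poster's output, the NAS side is complete and the gap is in how ACS stores or displays the records.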

Tags: Cisco Security

Similar Questions

  • Using Cisco ACS 5.2 (TACACS+) with non-Cisco devices

    Hi all

    I was hoping that someone could help me with what might be a silly question. I'm trying to implement a solution whereby an operator can manage all their (non-Cisco) network nodes via TACACS+. The nodes involved are:

    Juniper M10i running Junos 9.2, M120

    Juniper M320 running Junos 8.5

    Extreme BD8810 and BD8806 running XOS 12.4.1.17

    Extreme Alpine 3804 running Extremeware 7.8.3.5

    My question is, can I use Cisco ACS 5.2 (or 4.2) to authenticate to these non-Cisco devices using TACACS+? Has anyone else done this, or do I have to use RADIUS? If someone has done this, are there interoperability problems between Cisco ACS and Junos or Extreme XOS? Thank you

    / John

    John,

    We have a very large deployment of Juniper (T-series, MX series, etc.). We use Cisco ACS and TACACS+ to manage these devices. The ACS configuration is fairly simple. You'll want to create login users and match them to the classes on your JUNOS routers. Here is an example:

    set system login user engineering uid 2000
    set system login user engineering class engineering-class
    set system login user noc uid 2001
    set system login user noc class noc-class

    set system login class engineering-class idle-timeout 15
    set system login class engineering-class permissions all
    set system login class noc-class idle-timeout 15
    set system login class noc-class permissions view
    set system login class noc-class permissions view-configuration

    We use two classes, engineering and NOC. One is defined as read/write and the second as read-only. This is in turn mapped in ACS (in our case version 4.2) by user or group (preferred). First, you change the interface configuration and add a TACACS+ junos-exec service, leaving the Protocol field empty. Then you change the attributes of the user group. I've attached screenshots for both.

    Hope this helps.

    Derek

  • Cisco ACS 5.8 CLI admin account lockout

    Hi all

    We recently deployed a Cisco ACS 3495 appliance running version 5.8.

    Everything seemed fine until our CLI admin account was locked out.

    I found a Cisco bug for the same problem with version 5.5, but no solution yet...

    ACS 5.5 CLI Admin account locked and no Log Message
    Someone out there who might have encountered the same issue and can help advise?
    Thank you and best regards,
    NDA

    Hello

    Unfortunately, the only solution for this is the password recovery DVD.

    Once fixed, you can increase the account lockout count to something greater than the Cisco default value.

  • Cisco ACS server

    Hello

    I currently have a Cisco ACS 3.3 server. I want to upgrade the server to the latest version and cluster it with another one so that we can have a redundant infrastructure, because if one fails...

    Can you provide a solution for this?

    Thank you

    Hello

    The latest version is ACS 4.1. You can upgrade from 3.3.3 build 11 directly to 4.1.

    Then you can install another ACS 4.1 on a different machine and configure replication between the two. This way you need to make changes on only one ACS and the secondary will be updated automatically.

    Once these two are set up, you can configure both servers as RADIUS/TACACS+ servers on your devices and you will have redundancy.

    Kind regards

    Vivek

  • How can I use Cisco ACS to log shell commands

    Hi guys, pleeeease how can I configure Cisco ACS to do command authorization on my Cisco 3660 router? I get the accounting and authentication logs, but no log that shows the shell commands issued by users, and that's the most important log I need. I have read materials and downloaded articles from the Cisco site... but it still does not give me the logs.

    I have these lines on my router:

    ...

    aaa authorization config-commands
    aaa authorization exec default group tacacs+
    aaa authorization commands 15 default if-authenticated
    aaa authorization network default group tacacs+

    ...

    It's funny: when I turn on AAA authorization debugging on the router, it shows me every command sent by the user in the debug log. But nothing shows under TACACS+ Administration on the Cisco Secure ACS. What is responsible for this?

    *****************************************************

    I installed the 90-day trial version of Cisco ACS and made all the necessary settings, and I have to say I like what I see already. I'm making moves to recommend the product for purchase. Thank you guys, I learned about the features of this ACS software through this forum, keep up the good work. I recommend the software to those who need security audit logs adapted to management reports.

    If I understand what you're asking correctly, the answer is not in authorization, it is in accounting. I set this up on my routers to send ACS the commands that privilege level 15 users enter on the router:

    aaa accounting commands 15 default start-stop group tacacs+

  • Problem with Cisco ACS and different domains

    Hello

    We are currently experiencing a problem with the Cisco ACS that we put in place, and I'll try to describe it:

    We have ACS linked to an AD directory with 2 domains and the appropriate group mappings.

    Then we have our Cisco switches with the following configuration:

    aaa new-model
    aaa authentication fail-message ^CCCC
    Failed to authenticate!
    Please contact the IT Networks Group for more information.
    ^C
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization network default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    !
    aaa session-id common

    But the problem is that with the users in one domain we can authenticate, but not with the other. Basically, when we check the passed authentications, both authentications pass and display 'Authen OK', but on the switch side there is a failure.

    Could there be something wrong with the ACS?

    Thank you

    Jorge

    Try increasing the timeout on the IOS device using radius-server timeout 10.

    Don't you have remote logging enabled on the ACS server?

    -Philou

  • Cisco ACS 4.1 with external AD for authentication

    Hello

    We have just configured a Cisco ACS 4.1 Solution Engine using a Windows 2003 domain controller as a remote agent. We use TACACS+ as the protocol.

    Users that are created in ACS itself are able to connect to the various network devices, but users in the domain (Active Directory) cannot connect. We get an access denied message. At the same time we get an "external DB is not operational" message in ACS.

    On the Active Directory server where the agent runs, in the CSWINAgent log we get the following error: 'NDLIB'... FOUND 0 TRUSTED DOMAIN.

    Could you please help us isolate the problem.

    Thanks & best regards

    Make sure that the ACS version and the remote agent software version are the same. Also, the account running the remote agent must have special domain administrator rights, like "act as part of the operating system" and "log on as a service".

    Kind regards

    ~ JG

  • Installation of Cisco ACS 5.4

    I am setting up Cisco ACS 5.4 for my org. The way I have it set up, ACS passes authentication to a RADIUS server. The problem is that it does so for both the user password and the enable password on each account. Is there a way to configure ACS to check its internal identity store locally for the enable password but keep passing the user part on to RADIUS?

    Hi Jessica,

    I went through your query and it seems you would like the login authentication to be checked against another external RADIUS server (RADIUS proxy) and the enable password to be verified against a password configured locally on ACS.

    I don't think this can be done with the RADIUS protocol; with TACACS+, however, we can use the service attribute, which you can set in the identity selection so that if the service matches login it points to the AD database, and if it matches enable it points to the internal database, based on rules. I've attached a screenshot of this for your reference. The identity source could be any configured database.

    ~ BR
    Jatin kone

    * Please rate helpful posts *

  • How can I get a trial version of Cisco ACS 5.4

    Hi guys:

    I would like to get a trial version of ACS 5.4 for educational purposes (certification lab). I know it is possible to download the ISO file from www.cisco.com, but when I try to download the file with my Cisco CCO account I get a message saying "an additional fee is required". Do you know how I can get this software?

    PS: I was able to download a trial license (*.lic file) for this software, but I want to install the ACS on a VMware server and play with it. I need the ISO file.

    Thank you very much for your help

    Kind regards.

    Martin

    CCNA-CCNP-CCGD

    Certified Engineer

    Cisco offers a limited number of trial copies of some of its products. Those are linked from here:

    http://www.Cisco.com/go/nmsevals

    In general, if it is not there, it is not available as a trial version. It is usually not Cisco policy to provide trial software for teaching and lab use.

    If you are working with a Cisco or partner account manager, you may get an exception on a case-by-case basis.

  • Cisco ACS 5.4 and VPN 3000

    Hello

    I'm trying to use Cisco ACS 5.4 for RADIUS authentication of VPN users on a VPN 3000 concentrator.

    I added the VPN 3000 on ACS and added ACS as an authentication server on the VPN group with a shared secret. When I test the authentication server using the local account I created on ACS, it says no response was received from the server, yet I can see the RADIUS AAuth in green.

    Any help would be much appreciated.

    Regards

    AR

    Hey,

    What does the report on ACS say?

    "RAIDUS AAuth in green"

    If so, a pcap between the two would help.

    Regards

    Ed

  • Cisco ACS 5.2 with NX-OS (Nexus) devices - user questions

    Hey, I have a really strange problem with Cisco ACS 5.2 and Nexus NX-OS devices.

    I create an account on ACS, let's call it User1, and give it privilege 15. With User1 I am able to access all our IOS, IOS-XE, ASA and PIX devices with privilege 15.

    When I use the User1 account on our Nexus devices, I do NOT get privilege 15 access. As you probably know, Nexus devices have roles: predefined or custom. So I assumed User1 would get the "network-admin" role (priv 15 read/write) when connecting, but instead I got the 'vdc-operator' role (priv 1 read-only).

    Then I tried to tweak User1 and give it network-admin under Shell Profile > Custom Attributes. I logged in to the Nexus and of course I was able to get network-admin access. However, my access to ALL other devices (IOS, ASA, PIX, etc.) does NOT work! I am not even able to log in with my username and password on those devices.

    Has anyone experienced this problem? Help, please!

    Thank you

    neocec

    This is a common problem when you mix RBAC and IOS device authorization policies: the AV pair that you created must be set to 'optional' instead of 'mandatory'. Please make this change and you will be able to access all your devices.

    Thank you

    Tarik

  • Cisco ACS 5.6

    Hello

    I wonder if anyone can help me? Our server team recently installed Cisco ACS (version 5.6) on a VM server. I can log in to the web GUI OK using the ACSAdmin account. The server team informed me that they set the same password for the CLI admin account as for the GUI ACSAdmin account, but I get "access denied" when I try to SSH to the server (with the username admin).

    I looked at various posts and documentation, but it seems to me that the CLI SSH account cannot be managed via the web UI?

    Does anyone know a way to hack the SSH account, or should I just ask for the server to be rebuilt? I can see some password recovery tips, but these seem to apply to a physical server, not a VM.

    Thank you very much

    Hello

    Boot from the ACS 5.6 ISO and reset the console password.

    Thank you

    John

  • Cisco ACS - determine who was on a particular device

    Hello

    How can I determine who was on a particular device at a specific date and time?

    Hi Steve,

    You can use 'Query and Run' within the TACACS+ or RADIUS Accounting section on ACS 5. EXEC accounting provides information about user EXEC terminal sessions (user shells) on the network access server, including the user name, date, start and stop times, and the IP address of the access server.

    If you want to see what changes were made by a specific user, that can be verified if command accounting is enabled on the network access device. Command accounting provides information about the EXEC shell commands for a specified privilege level that are run on a network access server. Each command accounting record includes a list of the commands executed for that privilege level, the date and time each command was executed, and the user who executed it. Don't forget that command accounting is only supported by TACACS+.

    Kind regards

    Jatin kone

    * Please rate helpful posts *

  • Cisco ACS 3.1 and logging of Nortel Passport CLI commands

    Good afternoon

    We are trying to log CLI commands from a Nortel Passport 8600 to Cisco ACS version 3.1. The version of code running on the Passport does not support TACACS+.

    The Passports authenticate OK but don't log any command information. I "think" the problem may be that the Nortel RADIUS VSA for cli-commands, attribute 195, is not collected by ACS.

    Does anyone know how I would go about getting this added to the existing list of (Nortel) RADIUS VSAs?

    Thank you very much

    Kind regards

    Flett.

    Foisy,

    You must add the Nortel attributes 193-195 to enable command logging.

    Unfortunately you can't load them on 3.x code; you will need to upgrade ACS to the 4.x code.

    Kind regards

    ~ JG

    Please rate helpful posts

  • Cisco ACS 4.2: The most important files to back up?

    Dear Sir

    Can you tell me which are the most important files to back up in the Cisco ACS directory?

    Currently, I am only backing up (with Symantec Backup Exec):

    C:\Program Files\CiscoSecure ACS v4.2\CSAuth\System backups

    * But I would like to know: if my server crashes, can I restore the entire configuration with the files in the directory above? (Users, groups, device groups, AD mappings, users, groups, ...)

    * Does Cisco ACS make changes in the Windows registry?

    * Is it necessary to reinstall Cisco ACS if I need to put it on a new server in an emergency? I guess yes, because the installation creates services, etc.

    I ask because it takes time to install the patches...

    * Or can I back up the whole Cisco ACS directory... and on a new server, install Cisco ACS and restore the backup?

    Thank you very much for sharing your experience on this.

    Kind regards

    You should back up the files that come from ACS backups, i.e.

    System Configuration > ACS Backup, the location that is specified in this section.

    The default location is the one you already save, for example "C:\Program Files\CiscoSecure ACS v4.2\CSAuth\System backups".

    In case you are required to host ACS on a new server, you would need to reinstall the complete ACS application and then simply take the last backup and restore it into the newly installed ACS. It will restore everything: users, groups, external database mappings, etc.

    When you install ACS on a new server, make sure that if you run the ACS services with a service account (this is required for Windows authentication, depending on your requirements), you run the new services with this account too, which may require you to go through the following documentation.

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/Windows/postin.html#wp1041202

    Kind regards

    Prem

    Please rate if this helps!
