Cisco Secure ACS Solution engine v3.2

The ACS Solution Engine appliance comes with two network adapters by default. Can I configure it so that one NIC is on VLAN 30 and the other NIC is on VLAN 50?

VLAN 30 will be the network that communicates or provides credentials for authentication from the ACS Remote Agent for Windows.

VLAN 50 will be for authentication of network devices: RADIUS or TACACS.

This is not possible, as a single network adapter serves both. (Look at the rear panel items.)

http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacsapp/csapp33/install/ovrvuap.htm#wp1046176

Kind regards

Mahmoud

Similar Questions

  • Cisco Secure ACS Solution Engine ping

    1. I installed Cisco Secure ACS Solution Engine V3.3 and I can access it via HTTP port 2002, but I can't ping it from anywhere in the network, although the server can ping everything. Is this normal?

    2. If I can't ping it, how can I define the service keepalive to load balance 2 ACS engines using CSS?

    By the way, I forgot that the ACS 3.3 appliance has an integrated CSA. This agent is enabled by default, which explains why you can't ping it.

    To enable/disable it, go to "System Setup Configuration - device" and toggle the CSA enabled checkbox as needed.

    http://www.Cisco.com/en/us/partner/products/sw/secursw/ps5338/products_user_guide_chapter09186a008023361d.html#wp859228

    Rgds,

    AK

  • Cisco Secure ACS vs IAS in Windows

    Hi all

    I need deploy an AAA for the following situations.

    (1) remote access via Cisco VPN Clients.

    (2) AAA for wireless windows PC in remote areas

    (3) AAA for Cisco switches and routers in remote areas

    (4) authentication with a windows domain

    Windows IAS would be virtually free, as we already have Windows 2003 domain controllers at each remote site. However, Cisco Secure ACS might also be an option. Does anyone have experience with these two?

    What are the positives/negatives of each, and the limits?

    Does anyone have any information, such as case studies, comparing the two?

    Your help is greatly appreciated.

    Kind regards

    Andy

    PS: There is a limitation in Windows 2003 Standard edition, which limits the number of RADIUS clients to 50. Although we have more than 50 potential clients in the company, no site has more than 50 altogether.

    MS IAS allows you to implement the solution using only the RADIUS protocol.

    ACS offers the option of using RADIUS as well as TACACS+.

    Looking at the 4 solutions you want to implement, only the 3rd will be a little easier with TACACS+, but even that is not something you cannot implement using RADIUS.

    On the limitation of RADIUS clients, ACS offers a large database that you can use for clients, so limiting to 50 clients. In addition, it has many features you will love to integrate into your network, such as making NAP/NAC implementation easier.

    So check whether you have the budget; if so, you can go with ACS. IAS, on the other hand, can work well for all the solutions (except for the RADIUS client limitation; I'm sure MS can provide a workaround).

    The following link can help you with sales information on ACS:

    http://wwwIn-nmbu.Cisco.com/thevault/files/1027/5/ACS4.1-Sales-guide%20April%204%202007.htm

  • Cisco Secure ACS 4.2 on VMware ESX 4.0.

    We must move from ESX 3.5 to ESX 4.0 a virtual machine running Cisco Secure ACS for Windows version 4.2.

    Is this solution compatible and supported by Cisco?

    Thank you.

    Andrea

    ACS for Windows 4.2 is not supported by Cisco when installed on VMware ESX 4.0, according to the following documentation:

    http://Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/device/guide/sdt42.html#wp37898

    Only ACS 5.1 is supported on ESX 4.0:

    http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_vmware.html

  • CS ACS Solution engine with external AD database

    I have a client who has set up a CS ACS Solution Engine (appliance). They currently have VPN tunnels that terminate on the ASA, and the ACS provides authentication via an external database to AD. I did the installation or configuration of the device and I'm new to ACS. There is a group in AD that was created to allow access to the VPN, and it works. I created a second group in AD and a test user. The user account will not authenticate correctly when establishing a VPN session. I checked the ACS agent logs on the AD controller, and they show that the user authenticates correctly, so it seems that the agent is not passing this information to the ACS. Alternatively, the ACS is ignoring it. On the ACS, the generated error is "External DB Account Restriction". I can't find anything specific on this topic. I checked that the AD account works and can log on to a workstation. I checked the account properties for the test account. I think it's related to group membership. I have a group in ACS named exactly the same as the AD group, and the test account is a member of this group. I don't know where to start; any help would be appreciated.

    You must map this group under:

    External User Databases > Database Group Mappings > Windows Database... section

    Naming an ACS group exactly the same as the Windows AD group establishes no relationship between them.

    I guess that all your other combinations in the group mapping are mapped to one ' " group, or to a group that is disabled.

    Please ensure the correct group mapping on ACS for the new group you created in AD.

    You are moving in the right direction; the problem seems to reside in group mapping.

    Kind regards

    Prem

  • With Cisco Secure ACS for Windows TACACS+, authentication fails with AD

    I'm setting up a Cisco Secure ACS 4.2 server to act as a RADIUS server for switches and routers. I use Windows 2003 server for the candidate countries
    and an Active Directory on a Windows 2003 server. The AD server is working fine; it is used for many other things.

    I've implemented ACS as defined in the installation guide, including all the steps in the "Member Server" section of the installation guide
    for when you use AD as an external database (e.g. setting up services to run with a domain administrator account, setting up a machine called "CISCO"
    on the domain, etc.).

    I've set the unknown user policy to use the Windows database if the internal database does not contain the user's details.

    If I add a user to the internal database, authentication goes through fine, with an entry in the "Passed Authentications" log.

    02-24-2010, 05:07:03, authentic failed, eXXXX, Network Administrators (NDG), X.X.X.X, (default), internal error, (get the internal error error message)

    I scoured Google etc. and just cannot come up with any reason why this should be the case.
    I followed all of the installation guides to the letter. I need to get this up and running as soon as possible,
    so am eager to know if someone can help me with this one!

    Thanks and greetings

    Sharan

    George,

    Internal error is fairly generic, but a common situation where we see this error is when ACS is installed on a 64-bit computer. ACS would not work with Active Directory when installed on 64-bit machines before ACS 4.2.1.

    -Jesse

  • Is it possible to authenticate 2 or more domains Active Directory via acs solution engine v4.2?

    Hello

    Is it possible to authenticate ACS Solution Engine v4.2 against 2 or more Active Directory domains by using the generic LDAP configuration? One scenario would be a geographic distribution where one domain would be for the USA and the other for another country, say Canada (e.g. US.corp and CA.corp).

    Thank you

    James

    Hi James,

    It is possible to configure multiple LDAP authentication servers, one for each domain. I can tell you from experience that it is much more efficient, from a configuration, administration and end-user viewpoint, to use AD as a Windows external database if your installation is actually all in the same namespace, for example amer.CompanyName.com and canada.companyname.com.

    To configure multiple LDAP databases, go to External User Databases > Generic LDAP > create one called AMER, then do the same for CANADA.

    Cordially, Jeremy

  • Cisco Secure ACS 5.3 SNMP agent does not

    Hello

    I have problems with the SNMP agent on Cisco Secure ACS 5.3 (patch level 5) stopping. Is there a quick way to restart the SNMP daemon via the command line?

    Robert,

    I understand where you are coming from; I encountered the following bug:

    CSCte39351

    The SNMP agent daemon process on the ACS appliance stops.

    Rebooting the box would bring it back up, and after about 3 days it would stop. I just want to see if it's the same bug that could be back in patch 5. The best thing to do at this stage is to schedule a quick downtime and restart the box to see if the SNMP process starts again. If it does, give it a week to see if the SNMP process goes down. If it does, reference this bug and open a new TAC case for a fix. If not, then you should be in the clear.

    Thank you

    Tarik Admani

  • Cisco Secure ACS 4.2 Windows authentication of different domain

    Hello

    I have a Cisco Secure ACS for Windows Server 4.2. The server belongs to a domain, and users of that domain belonging to a certain group are authenticated.

    Now, I have to change the configuration of the server and reassign it to another domain. There is no trust relationship between the two domains, and I would like to know if users can still be authenticated against the previous domain.

    Hello

    First of all, take a backup (as a precaution, in order to restore the config if something goes wrong), then continue with the following:

    - Remove the Windows domain configuration (group mapping etc.) from the server before changing the domain.

    - Change the domain membership, and then restart.

    - Follow the missions post-disiez for ACS (see this link): http://tiny.cc/zr6huw.

    - Configure the external database again on ACS (group mapping, unknown user policy, etc.).

    You should note that if the new domain controller is Windows Server 2008 R2, that is not supported by ACS 4.x.

    HTH

    Amjad

    Rating useful answers is more useful than saying "thank you".

  • Cisco Secure ACS appliance - impossible to edit... Reason: The host no longer exists.

    Hi team,

    I have 2 devices which I am not able to remove from a network device group.

    When I try to remove the device, the following error is thrown:

    Impossible to edit INMUM-VPE-T1-3rdFloor-3750-S...  Reason: The host no longer exists.

    Running on Version: Cisco Secure ACS4.2.0.124

    Has anyone come across this issue? Does someone know the solution?

    Regards

    Vineeth

    Hi Vineeth

    Yes, you can do through GUI.

    The GUI:

    1. ACS GUI > Network Configuration > click on 'Search', then click 'Search' again.

    2. A complete list of all network devices appears. At the top, you will see a "Download" option.

    Download the complete file.

    Let me know if it helps.

    Thank you

    Nelson Saha

  • Cisco Secure ACS 5.1 and strong authentication ACS administrators?

    Hello

    Is it possible to authenticate administrators using an RSA SecurID token?

    There is no indication on this in the "System Administration > Administrators > Settings > Authentication" panel.

    (I'm running Secure ACS 5.1.0.44)

    Thank you

    Christophe

    Hi Christophe,

    Unfortunately not.

    The only DB supported for Administrator accounts is the internal DB of ACS.

    I hope this helps.

    ARO
    Tiago

  • DISCONNECTED in Cisco Secure ACS AD

    We have ACS

    5-3-0-40-8

    Active Directory connectivity is showing as disconnected.

    We faced the same problem when it was on 5.x, so we moved to

    5-3-0-40-8

    After 2.5 months, we have now faced this problem again. Is there any permanent solution for this?

    Restarting the service got stuck, and we rebooted the server to fix it.

    Please help on this as soon as possible.

    Thanks & best regards,

    Sakthivel M

    You are running one of the most stable code and patch levels of ACS as far as ACS-AD is concerned. I don't think it should be a problem with the ACS. Something is not configured correctly, most likely a DNS or NTP problem.

    To dig deeper and find out what the causes might be, you will need to provide some information and logs when it happens again.

    1.] Is ACS currently running on an appliance or on VMware?

    2.] When you say that it is in the disconnected state, do you see authentications failing, or does it just show a disconnected status? In case of failure, what is the error in the ACS logging section? In addition, does the test connection give positive results?

    3.] What is the status of the adclient service on the CLI when you say it's disconnected? It can be verified with "show application status acs".

    4.] In addition, when you try to join again while it is disconnected, do you see an error? Can you share it?

    5.] More importantly, debug level logs would tell us the real story. Before you reproduce the problem, we must set the logs to debug level. (If it cannot be reproduced, then wait for the issue to reoccur.)

    Go to the ACS CLI:

    ACS / admin # acs - config

    Escape character is CNTL/D.

    Username: acsadmin

    Password: XXXXXXXX

    ACS/admin(config-ACS) #.

    Set the ACS logs to the desired debugging level.

    ACS/admin(config-ACS) # debug level to debug-log duration

    ACS/admin(config-ACS) # enable debug-adclient

    NOTE: once you have finished, put the logs back.

    Generate the support bundle and upload it here. Mention the timestamp when the issue was reproduced; it will help me track down the relevant logs.

    Jatin kone
    -Do rate helpful posts-

  • Cisco Secure ACS 3.3 (1)-> 4.0 upgrade problems (1)

    Hi all!

    I have problems upgrading my primary ACS from version 3.3 to 4.0.

    I always get the following error message when it does the upgrade:

    "The record of the CiscoSecure ACS seems to be blocked by another application: C:\Program Files\CiscoSecure ACS v3.3.

    Please close all applications... blabla..."

    The thing is, I upgraded my backup ACS first, and that upgrade worked like a charm.

    In both cases, for the primary and the backup, I took over remotely with DameWare, copied the ACS 4 folder onto the server's hard disk and ran the upgrade from that folder.

    As I said, the upgrade of the backup server worked without a hitch.

    This is what I tried:

    1. I checked that NO application uses the ACS 3.3 folder and that no Explorer window is open on this folder or its subfolders.

    I checked using a small program called Filemon.exe from Sysinternals. According to this program, nothing accessed said folder.

    I also double-checked by actually renaming the ACS 3.3 folder once I had stopped all the ACS services. I could not rename the folder while the services were started.

    2. I tried stopping the ACS services first and then running the setup; got the same error.

    3. I disabled the antivirus software; got the same error.

    Basically I am at my wits' end now...

    However, I have two options:

    1. Uninstall ACS 3.3, do a clean install of ACS 4.0 and import all the data from the backup ACS.

    Would that not upset the primary's association with the backup ACS configuration? So I think I would need to go over it afterwards and make changes, if necessary?

    2. Make a backup of ACS 3.3 with csutil -b, uninstall ACS 3.3, do a clean install of ACS 4.0 and import all the data with csutil -r.

    Would this work? I've seen conflicting information here in this forum; some say that it works, others say it doesn't.

    I'm a little confused about why it worked so well on the backup ACS but fails on the primary ACS.

    Any help would be greatly appreciated!

    Thank you!

    Ivar Thorolfsson

    Hello

    The folder lock message often appears if the logs located in the ACS directory are too big.

    Move the logs from the following directories:

    CSAdmin\Logs

    CSAuth\Logs

    CSDBSync\Logs

    CSLog\Logs

    CSMon\Logs

    CSRadius\Logs

    CSTacacs\Logs

    Logs

    Then try to upgrade.

    Kind regards

    Vivek

  • Cisco Secure ACS groups 5.1 Active Directory and RSA Authentication Manager 7.1 for profiles

    Hello

    I'm deploying an ACS connected to an RSA Authentication Manager (which is connected to an Active Directory domain).

    I created several groups within the Active Directory server, and I am trying to give users different access rights according to their groups.

    I tried to define an access policy "NetOp/NetAdm" and two authorization rules:

    Rule-1 AD - AD1:ExternalGroups contains all dir. INTRA/groups/NETOP 'Auth for net operators' 0

    Rule 2 AD - AD1:ExternalGroups contains all dir. INTRA/groups/NETADM 'Auth net admin' 0

    Default: refuse

    In the identity policy, I have configured the RSA identity source, so that users get authenticated by the RSA Authentication Manager.

    But I still get access denied: RSA authentication is successful, but the Active Directory group membership does not work, even with the unix attributes or primary group defined for the user.

    My question: is this a valid configuration scenario? Is there another way to define several profiles according to the user's group from an external source?

    Monitoring steps:

    Steps

    11001 Received RADIUS Access-Request
    11017 RADIUS created a new session
    Evaluating Service Selection Policy
    15004 Matched rule
    15012 Selected Access Service - NetOp/NetAdm
    Evaluating Identity Policy
    15004 Matched rule
    15013 Selected Identity Store - RSA server
    24500 Authenticating user against the RSA SecurID Server.
    24501 A session is established with the RSA SecurID Server.
    24506 Check operation code succeeded
    24505 User authentication has succeeded.
    24553 User record was cached
    24502 Session with RSA SecurID Server is closed
    22037 Authentication Passed
    22023 Proceed to attribute retrieval
    24628 User cache not enabled in the RADIUS token identity store configuration.
    22016 Identity sequence completed iterating the IDStores
    Evaluating Group Mapping Policy
    15006 Matched Default Rule
    Evaluating Exception Authorization Policy
    15042 No rule was matched
    Evaluating Authorization Policy
    15006 Matched Default Rule
    15016 Selected Authorization Profile - DenyAccess
    15039 Selected Authorization Profile is DenyAccess
    11003 Returned RADIUS Access-Reject

    Thank you

    Christophe

    I think what you need to do is create an identity sequence with RSA as the selection in the Authentication and Attribute Retrieval Search List, and AD in the Additional Attribute Retrieval Search List. Then select this sequence as the result of the identity policy for the service.
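
The thread above, modelled as an added example (not Cisco code and not part of the original posts): a toy evaluation of the two authorization rules, first with RSA alone as the identity source and then with an identity sequence that also retrieves attributes from AD. The user name, passcode, `IdentitySequence` and `evaluate` are constructed for illustration; the store names, rule names, group paths and profiles are the ones quoted in the question.

```python
"""Toy model of identity-sequence evaluation (added example, not Cisco code)."""
from dataclasses import dataclass, field

# Constructed sample data: user name and passcode are invented.
RSA_PASSCODES = {"netop1": "482913"}
# Group path written exactly as it appears in the question.
AD_GROUPS = {"netop1": {"dir. INTRA/groups/NETOP"}}

# Authorization rules from the question: (rule, required AD group, profile).
RULES = [
    ("Rule-1", "dir. INTRA/groups/NETOP", "Auth for net operators"),
    ("Rule-2", "dir. INTRA/groups/NETADM", "Auth net admin"),
]
DEFAULT_PROFILE = "DenyAccess"


@dataclass
class IdentitySequence:
    """Hypothetical stand-in for the identity policy result."""
    auth_store: str = "RSA"                                # authenticates the user
    attribute_stores: list = field(default_factory=list)   # extra attribute lookups


def evaluate(user, passcode, sequence):
    """Return (authorization profile, list of evaluation steps)."""
    # 1. Authentication: the token server only answers pass or fail.
    if sequence.auth_store != "RSA" or RSA_PASSCODES.get(user) != passcode:
        return DEFAULT_PROFILE, ["authentication failed"]
    steps = ["authentication passed (RSA)"]

    # 2. Attribute retrieval: AD1:ExternalGroups exists only if AD1 is
    #    listed as an additional attribute store in the sequence.
    attributes = {}
    if "AD1" in sequence.attribute_stores:
        attributes["AD1:ExternalGroups"] = AD_GROUPS.get(user, set())
        steps.append("AD1:ExternalGroups retrieved")
    else:
        steps.append("no AD attributes retrieved")

    # 3. Authorization: first rule whose group is present wins.
    groups = attributes.get("AD1:ExternalGroups", set())
    for name, group, profile in RULES:
        if group in groups:
            steps.append(f"matched {name}")
            return profile, steps
    steps.append("matched default rule")
    return DEFAULT_PROFILE, steps


if __name__ == "__main__":
    rsa_only = IdentitySequence()
    rsa_then_ad = IdentitySequence(attribute_stores=["AD1"])
    for label, seq in (("RSA only", rsa_only), ("RSA + AD1", rsa_then_ad)):
        profile, steps = evaluate("netop1", "482913", seq)
        print(f"{label}: {profile} <- {steps}")
```

With RSA alone the rules never see `AD1:ExternalGroups`, so evaluation ends at the default rule and DenyAccess, which matches the trace in the question.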

  • Cisco Secure ACS 4.1 - blocking attempts to authenticate to a specific host

    We use the RADIUS application of ACS 4.1 for both wireless 802.1x and for authentication on our old PIX 515E, as well as a few other features.

    We are trying to migrate users off the PIX and want a method of disabling their ability to connect through the PIX once we have migrated them to the new method of remote access.

    The authentication logs in ACS show the IP address of our PIX under "NAS-IP-Address" as the source of the authentication attempt.

    Is there a relatively simple/easy way to block attempts from this IP address (causing these attempts to fail) while allowing wireless systems and others to proceed as usual, on a per-user basis?

    Brian:

    If I have understood correctly, you need to allow users to connect to the Wi-Fi but prevent them from connecting via the PIX.

    What you can do is create a Network Access Restriction (NAR) under the group config (or under the user config if it is per user).

    See this image:

    If you don't see the network access restrictions config under the user and/or group config, you can enable it under Interface Configuration > Advanced Options.

    HTH

    Amjad

    Rating useful answers is more useful than saying "thank you".
