Duplicate the user in the ACS 3.3 database

Similar Questions

• AAA GANYMEDE + accounting - CLI question by user not appear in the report of the ACS.

  Can I know why CLI cancelled by the user does not show on GANYMEDE ACS accounting report. The length of time is displayed, but I also wanted to connect what is the commands issued by the user.

  WHA is missing here?

  enable AAA authentication login VTY P1_ACS local group

  Group default AAA authorization exec local P1_ACS authenticated by FIS

  AAA authorization exec CONSOLE none

  AAA exec by default start-stop accounting P1_ACS group

  AAA commands 5 default start-stop accounting P1_ACS group

  AAA commands 15 arrhythmic default accounting P1_ACS group

  Accounting logs command is stroed in the newspapers of the administration of Ganymede.

  There is also a known issue on ver 4.1.1 and we must

  apply the ACS 4.1.1.23.5 patch to fix the problem.

  Patch for the unit is available on

  http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES

  The patch name: ACS SE 4.1.1.23.5 rollup

  Acs hotfix for windows is available on

  http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES

  The patch name: ACS 4.1.1.23.5 rollup

  CCIE Security

• local user name and password if the ACS server fails

  Hello

  I have every router and switch configuration for authentication of the connection via the ACS server.  I used these 12 lines below and it works very well.  Each engineer has their own account.

  AAA new-model
  AAA of default login authentication group Ganymede + activate
  the AAA authentication enable default group Ganymede + activate
  AAA authorization exec default authenticated if
  AAA authorization commands 15 default group Ganymede + authenticated if
  AAA accounting exec default start-stop Ganymede group.
  orders accounting AAA 15 by default start-stop Ganymede group.
  Default connection accounting AAA power Ganymede group.
  AAA - the id of the joint session

  RADIUS-server host x.x.x.x
  RADIUS-server application made
  radius-server key, regardless of

  ----------------------------------------------

  I would add to this a local username and password so that if the ACS server was offline engineers have yet to connect with a knowledge of username and default password

  username privilege 15 secret mypassword MYUSERNAME

  line vty 0 4
  local connection

  Q. How do I make ACS a first preference and connection server only local users username and password if the ACS server is down?

  Kind regards

  Kevin

  Now you have the password to enable as the fall back method:

  AAA of default login authentication group Ganymede + activate

  Change 'enable' for 'local' and the local (to the router) database of user names and passwords is used.

  The same works to activate authentication (the second line "authentication, aaa... ("in the config that you posted).

• Features of the ACS

  I have a few questions about ACS.

  A-I see what others did on the configuration of the router? If so, he will show me when it has been modified?

  B - use a WLAN can I have some kind of authentication on my ad? or by using a digital certificate?

  C if someone need Conect on my network at home, ACS can authenticate this remote user? How is that possible?

  I thank all those who can help.

  Hello

  A we can see what commands when entered on a device if we order accountants helped this topic

  B we cannot authentication user WLAN via ACS to AD. It can be done using digital certificates.

  C - ACS can VPN authentication and remote access to users. How depends on what device the user connects to.

• Two questions about the ACS 5.1: password aging and allowing multiple disabled accounts

  Hello

  I test in ACS 5.1 password aging, and I discovered that you can have only one global setting for the password for all the accounts internal life. Is it possible to exclude some internal accounts of this global password aging policy? I would like to have number of accounts, passwords should not be aged at all...

  Second question: when I was testing password aging, I set myself to life of password in 4 days with warning after 2 days. All accounts in my test of the ACS configuration are now disabled, because 4 days has passed when I changed it. Is there a possibility to allow multiple accouns at once, or do I have to activate 500 internal accounts manually, one by one?

  Thanks in advance

  WM

  I'm not aware of any way to score internal as users with passwords as enver expire. This is done for admins ensure there is always an admin who can access the system

  In order to change the multiple/all documents for internal users, the following approach can be taken:

  1. Go to the list of internal users and press "Export" then 'Start export' and 'Save file' export user records to a csv file
  2. Edit the file. In the title 'active' column replace 'FALSE' to 'TRUE' for all records. Save the updated file
  3. To the page that lists internal users, tap "File Options", select "Update", and then click next to access the section "Import a file" Wizard. Select the file saved in step 2) and tap on finish

  Afetr imort is completed, all records of internal user should now display "Enabled".

• Issue of operability of the ACS as RADIUS with ASA 5.0?

  Hello

  I'm trying my VPN to get authenticated user with RADIUS (ACS 5.0). and VPN users database is created in AD. Now when I am trying to connect through the Cisco VPN client, I am unable to do so. Infact, I get an error message (through debugging at the level of the SAA for aaa and isakmp) my RADIUS server is DOWN.

  Please let me know is there any compatibility issue with ACS 5.0 on it because everything was working fine on my version 4.2 of the ACS.

  Concerning

  Ritesh

  Ritesh,

  Yes, there is a lack of ACS 5.0 with vpn authentication.

  When you try to connect with the VPN client. you will not see any hits in the follow-up and the views.
  The ASDM logs: you'll see radius server is not accessible.
  Debugs you show RADIUS period.
  This will work with Ganymede.

  Access policy rule was does not. Also, could not use RADIUS as hit CSCsy17858

  http://cdetsweb-PRD.Cisco.com/apps/goto?identifier=CSCsy17858>; Used Ganymede + instead of RADIUS.

  If you want to use the RADIUS then you need to upgrade your version of acs to 5.1

  You can down load patch 9 (5-0-0-21 - 9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg) from the below path:

  Go to Cisco.com > support > download software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software 5.0.0.21 >

  Reference: update of the CSA since version 5.0 to 5.1:
  http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.html

  HTH

  Kind regards

  JK

  The rate of useful messages-

• Level of privilege of the ACS and sets of commands

  Hi all

  I was in charge of the implementation of 5.6 ACS in order to allow members of the groups of domain security MS Access of specific order to our equipment. I the area association and groups added, I have an access policy with a rule that works so my field trial account can connect to the switch and perform only the commands in my command set.

  The problem is that when I assign a Shell profile with privilege level 7 min/max to the rule and the user logs on with this level, they are unable to see the commands that I welcomed in the Set command. Is it possible to have the ACS to say IOS to automatically change the visible commands to a specific privilege level when the user connects, even if they are not at this level of privilege?

  Any help greatly appreciated,

  Chris Menuey

  Because you're using command authorization and restrict the user to some orders, why do we use privilege 7 and not 15?

  ~ Jousset

• Change IP of a device of the ACS

  What will break if I change the IP address of the device TO 4.2? I need a few of them to assume the IP addresses of our existing production boxes. Apart from the re-manual setting the IP SE through the console, reconfigure the AAA/replication server and the ACS Agent Config provider IPs, is there something that is "lost" permanentnly broken when you reset the IP address?

  Thank you!

  Yes, dynamic mapping is created when the user connects, but this will be a default mapping. All users will be mapped to the default group.

  Incase you have permission set up on the basis of the group, it will not run.

  If you have all the users that are not mapped to the default group, then no need to worry.

  Kind regards

  ~ JG

  Note the useful messages

• Failure of the ACS migration tool

  Hi, I am running the migration tool, the following request:

  Make sure that the database is running.

  ACS DB 4.x is unavailable, enter ACS 4.x database password (encrypted)

  :[******]

  With the password of database simple, used during the installation of the ACS, I get a fatal error at the end of the procedure like this: "Fatal Error! -Unable to connect to ACS 4.x DB! »

  Where can I find the password for the encrypted database ACS?

  After the migration log:

  07/10/2011-11:41:31 MigrationApplicationCLI.getUserInformation (MigrationApplicationCLI.java:953) ERROR - not read invoke ACS 4 password system. Error on line C:\Work\ACS5x\ccweb_views\dgash_acs5_0_lenovo\vob\nm_acs\acs\mgmt\migration\DbPassword\Password.c 1265, calle API

  07/10/2011-11:46:52 MigrationApplicationCLI.getUserInformation (MigrationApplicationCLI.java:953) ERROR - not read invoke ACS 4 password system. Error on line C:\Work\ACS5x\ccweb_views\dgash_acs5_0_lenovo\vob\nm_acs\acs\mgmt\migration\DbPassword\Password.c 1265, calle API

  07/10/2011-11:58:08 JavaUtils.isAttachmentSupported(JavaUtils.java:1308) WARN - cannot find the required classes (javax.activation.DataHandler and javax.mail.internet.MimeMultipart). Attachment support is disabled.

  07/10/2011-11:58:28 ACS4Connector.checkDBConnectivity (ACS4Connector.java:137) FATAL - Fatal Error! -Unable to connect to ACS 4.x DB!

  java.sql.SQLException: [Sybase] [ODBC driver] [Adaptive Server Anywhere] ID invalid user or password

  at ianywhere.ml.jdbcodbc.IDriver.makeODBCConnection (Native Method)

  at ianywhere.ml.jdbcodbc.IDriver.connect(IDriver.java:354)

  at java.sql.DriverManager.getConnection (unknown Source)

  at java.sql.DriverManager.getConnection (unknown Source)

  at com.cisco.nm.acs.mgmt.migration.ACS4Connector.getConnecter(ACS4Connector.java:66)

  at com.cisco.nm.acs.mgmt.migration.ACS4Connector.checkDBConnectivity(ACS4Connector.java:133)

  at com.cisco.nm.acs.mgmt.migration.MigrationApplicationCLI.runExport(MigrationApplicationCLI.java:605)

  at com.cisco.nm.acs.mgmt.migration.MigrationApplicationCLI.main(MigrationApplicationCLI.java:266)

  I use the migration on a VMware machine clone tool, from the console.

  Thanks in advance

  Creation date: November 8, 2011 14:47 created by: James, Edward C(EDWJAMES,338460) migrating the 4.x to 5.x database

• 4.2 of the ACS and Kaspersky antivirus

  Hi all

  I want to install Kaspersky Anti-virus on ACS version 4.2 with windows 2000.

  It is aplicable or not?

  Thanks in advance,

  Ayman Yehia

  Hi Ayman,

  As a general rule of thumb, there should be no limitation to install Kaspersky on Windows 2000 with ACS 4.2.

  In the past, we have seen problems with some anitviruses, such as Norton, for example, block the ACS services.

  Unfortunately, the AVs and releases are too different between them to build a specific compatibility matrix.

  As said, nothing should prevent ACS 4.2 to work when Kaspersky is installed, as long as Kaspersky does not block specific ports/services.

  Kind regards

  Fede

  --

  If this helps you or answers to your question if it you please mark it as 'responded' or write it down, if other users can easily find it.

• Access to the ACS SPECIFIC group router

  I want allows you to control access to all of our routers and switches Cisco GANYMEDE. I have a Cisco ACS device that can be used for centralized management accounts of the engineer. The ACS server, however, also used to store our business users VPN accounts.

  Can I restrict access to routers and switches only to users in the Group of engineers on the ACS server?

  Hello

  If you use ACS 4.x, limiting access through Restrictions on access network (NARS) could help you:

  http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml

  I would like to know if this helps, or alternatively if you use DCC 5 (in which case the scenario is a little different).

  Kind regards

  Fede

  --

  If this helps you or answers to your question if it you please mark it as 'responded' or write it down, if other users can easily find it.

• 3.3 of the ACS, changed the password of domain and ACS beat

  I do not set up the GANYMEDE. I want to disable the AD administrator account, but it seems to require ACS.

  I changed the admin PW and GANYMEDE stop. ACS windows services all begin to use the administrator account. If I change to use a different domain administrator account, they start, but disabling administrator again breaks GANYMEDE.

  Ideas?

  Thank you

  I'm not sure your point.

  Yet once, your windows services ACS are led by administrator Windows AD account. ACS will use this account to connect to AD for authentication of the user. If you disable the window AD admin account or change its password, ACS could not access AD to authenticate the user. This is probably the reason that GANYMEDE authentication failed after you changed windows AD admin account. In configuration of the ACS external DB user, you should see the windows of the AD.

• Why the ACS is blocking my connection to the Console?

  I have aaa to my SWs one routers, but wen my server goes down that I can't have access to the console port.

  My config is attached and debug aaa authorization.

  These are debugs it for each access: Telnet user, consoling Ganymede user Ganymede and testing of Pentecost the local user.

  Telnet access

  Oct 15 01:03:09: AAA: analyze name = tty2 BID type =-1 ATS = - 1

  Oct 15 01:03:09: AAA: name = tty2 flags = 0 x 11 type = 5 shelf = 0 = 0 = 0 = channel 2 = 0 port adapter slot

  Oct 15 01:03:09: AAA/MEMORY: create_user (0x2778E84) user = ruser 'NULL' = 'NULL' ds0 = 0 port = 'tty2' rem_addr'10.10.10.23 = 'authen_type = ASCII service = CONNECTION priv = 1 initial_task_id = ' 0', vrf = (id = 0)

  Oct 15 01:03:10: CDP-4-NATIVE_VLAN_MISMATCH %: incompatibility of VLAN native on GigabitEthernet0/37 (102), was discovered with tst1-s2 GigabitEthernet0/1 (1).

  Oct 15 01:03:11: AAA/MEMORY: free_user (0x28E1BFC) user = ruser 'ACS-USER' = 'NULL' port = 'tty2' rem_addr = '10.10.10.23' authen_type = ENABLE priv = 15 = ASCII service

  Oct 15 01:03:13: AAA/MEMORY: free_user (0x2778E84) user = ruser 'ACS-USER' = 'NULL' port = 'tty2' rem_addr = '10.10.10.23' authen_type = ASCII = priv = 1 CONNECTION service

  Access to consoles (work of Pentecost the ACS user)

  Oct 15 01:08:57: AAA: analyze name = tty0 BID type =-1 ATS = - 1

  Oct 15 01:08:57: AAA: name = tty0 flags = 0 x 11 type = 4 shelf = 0 = 0 = 0 = 0 = 0 channel port adapter slot

  Oct 15 01:08:57: AAA/MEMORY: create_user (0x28AA8E4) user = ruser 'NULL' = 'NULL' ds0 = 0 port = "tty0" rem_addr = "async" authen_type = service ASCII = CONNECTION priv = 1 initial_task_id = '0', vrf = (id = 0)

  Oct 15 01:09:11: AAA/MEMORY: free_user (0x27C0DC4) = user tweak "ACS-USER" = "NULL" port = "tty0" rem_addr = "async" authen_type = ASCII service = ENABLE priv = 15

  Oct 15 01:09:18: AAA/MEMORY: free_user (0x28AA8E4) = user tweak "ACS-USER" = "NULL" port = "tty0" rem_addr = "async" authen_type = ASCII = priv = 1 CONNECTION service

  Access console (not working whit the local user)

  Oct 15 01:05:24: AAA: analyze name = tty0 BID type =-1 ATS = - 1

  Oct 15 01:05:24: AAA: name = tty0 flags = 0 x 11 type = 4 shelf = 0 = 0 = 0 = 0 = 0 channel port adapter slot

  Oct 15 01:05:24: AAA/MEMORY: create_user (0x27C1310) user = ruser 'NULL' = 'NULL' ds0 = 0 port = "tty0" rem_addr = "async" authen_type = service ASCII = CONNECTION priv = 1 initial_task_id = '0', vrf = (id = 0)

  Oct 15 01:05:36: AAA/MEMORY: free_user_quiet (0x27C1310) = user tweak "LOCAL_USER" = "NULL" port = "tty0" rem_addr = "async" authen_type = 1 = 1 = 1 private service

  Oct 15 01:05:36: AAA: analyze name = tty0 BID type =-1 ATS = - 1

  Oct 15 01:05:36: AAA: name = tty0 flags = 0 x 11 type = 4 shelf = 0 = 0 = 0 = 0 = 0 channel port adapter slot

  Oct 15 01:05:36: AAA/MEMORY: create_user (0x28D201C) user = ruser 'NULL' = 'NULL' ds0 = 0 port = "tty0" rem_addr = "async" authen_type = service ASCII = CONNECTION priv = 1 initial_task_id = '0', vrf = (id = 0)

  Oct 15 01:06:09: AAA/MEMORY: free_user_quiet (0x28D201C) = user tweak "NULL" = "NULL" port = "tty0" rem_addr = "async" authen_type = 1 = 1 = 1 private service

  Oct 15 01:06:09: AAA: analyze name = tty0 BID type =-1 ATS = - 1

  Oct 15 01:06:09: AAA: name = tty0 flags = 0 x 11 type = 4 shelf = 0 = 0 = 0 = 0 = 0 channel port adapter slot

  Oct 15 01:06:09: AAA/MEMORY: create_user (0 x 2773004) = user tweak 'NULL' = 'NULL' ds0 = 0 port = "tty0" rem_addr = "async" authen_type = service ASCII = CONNECTION priv = 1 initial_task_id = '0', vrf = (id = 0)

  Oct 15 01:06:41: AAA/MEMORY: free_user (0 x 2773004) = user tweak "NULL" = "NULL" port = "tty0" rem_addr = "async" authen_type = ASCII = priv = 1 CONNECTION service

  Thanks for your help.

  Change your orders

  AAA of default login authentication group Ganymede + activate

  the AAA authentication enable default group Ganymede +.

  TO

  AAA authentication login default group Ganymede + local

  the AAA authentication enable default group Ganymede + activate

  Kind regards

  Prem

  Please if it helps!

• Configuring the ACS server on windows server

  Hello

  I started to prepare my CCNA security and tried to configure AAA using ACS 4.2 on windows server 2003.

  I have configured the router to use the AAA authentication with the laboratory of cbtnuggets from ACS server.

  I checked the accessibility of the ACS server to client router and vice versa and also configuration.

  The problem is I'm not able to authenticate using ACS server, the router uses local authentication and I have no why the router communicates not eith ACS server.

  Help PLZ.

  Configuration of my router from AAA.

  ===============================================

  AAA new-model
  !
  !
  AAA authentication login default group Ganymede + local
  exact AAA authentication login group Ganymede + local
  AAA authorization exec default local

  RADIUS-server host 192.168.1.25 single-connection key ciscoacs--> (192.168.1.25 ACS, the key configured on the ACS server server is also ciscoacs)

  line vty 0 4
  exact connection authentication

  ================================================

  I created a user on ACS server and I believe that when I'm trying to telnet to the router I should use the user name and password configured on the ACS server.

  When I try to use, authentication fails, and also if the router accepts locallly configured user details then I think there was no communication between the router and the other GANYMEDE ACS server + will be used for authentication and if no communication between the router and acs server then only it should be the responsibility of local user

  Please help me.

  reports and activity--> passed authentication

  reports and activity--> failed attempts

  Rating of useful answers is more useful to say "thank you".

• 802. 1 x with the ACS and Windows AD

  Hello

  Im trying to configure 802. 1 x with ACS 5.2 but I am wrong as his very differnet ACS 4.2.

  I installed the ACS for the field and think that I installed the external Idnetity store, however when I try to authenticate a pc using probable authentication "PEAP (EAP-MSCHAPv2), I get a reason for failure 22056 object was not found in the store there is identity.

  Marco

  Hi Marco,.

  I guess you missed a mapping configuration in the Section of access policy.

  Create an Access Service name AS-802. 1 x select user select the Service Type, and select network access. Select the identity of political Structure and authorization. Select PEAP as the authorized Protocol. Click on finish

  You will see the new service click on identity.

  Select the source of the identity you have created, then save.

  Click permission

  Select an access permission by default authorization rule and save.

  Create a Service access rule name 802. 1 x

  Select the Protocol Radius as a Condition and as a compound Condition select RADIUS - IETF:Service - Type match box, then select the service that you created before.

  then you can try again.

  concerning

  Alex