Duplicate user in the ACS 3.3 database
I use ACS to authenticate a MAC address; it's on a device. I created a user with the username and password set to the MAC address, and now it is listed twice! Can I delete a single entry but not the other? What can I do to clear it out of the database?
Hello
Please use the dbcompact command via the serial console to fix this.
Here is the link to the procedure for running dbcompact:
http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacsapp/CSAPP33/install/admap.htm#wp1058379
That should fix it.
Kind regards
Jagdeep
Tags: Cisco Security
Similar Questions
-
AAA TACACS+ accounting: CLI commands issued by the user do not appear in the ACS report
Can I know why CLI commands issued by the user do not show up in the TACACS+ ACS accounting report? The session duration is displayed, but I also want to log the commands issued by the user.
What is missing here?
aaa authentication login VTY group P1_ACS local enable
aaa authorization exec default group P1_ACS local if-authenticated
aaa authorization exec CONSOLE none
aaa accounting exec default start-stop group P1_ACS
aaa accounting commands 5 default start-stop group P1_ACS
aaa accounting commands 15 default stop-only group P1_ACS
Command accounting logs are stored in the TACACS+ Administration reports.
There is also a known issue on version 4.1.1, and the ACS 4.1.1.23.5 patch must be applied to fix the problem.
The patch for the appliance is available at
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES
Patch name: ACS SE 4.1.1.23.5 rollup
The ACS hotfix for Windows is available at
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES
Patch name: ACS 4.1.1.23.5 rollup
CCIE Security
-
Local username and password if the ACS server fails
Hello
I have every router and switch configured for login authentication via the ACS server. I used the 12 lines below and it works very well. Each engineer has their own account.
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa session-id common
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key <key>
----------------------------------------------
I would like to add a local username and password to this, so that if the ACS server is offline the engineers can still connect with a known default username and password:
username MYUSERNAME privilege 15 secret mypassword
line vty 0 4
login local
Q. How do I make ACS the first preference and only use the local username and password if the ACS server is down?
Kind regards
Kevin
Right now you have the enable password as the fallback method:
aaa authentication login default group tacacs+ enable
Change 'enable' to 'local' and the local (to the router) database of usernames and passwords is used.
The same works for enable authentication (the second line, "aaa authentication enable ...", in the config you posted).
-
I have a few questions about ACS.
A - Can I see what others did in the router configuration? If so, will it show me when it was modified?
B - Using a WLAN, can I have some kind of authentication against my AD? Or by using a digital certificate?
C - If someone needs to connect to my network from home, can ACS authenticate this remote user? How is that possible?
I thank all those who can help.
Hello
A - We can see what commands were entered on a device if command accounting is enabled.
B - We cannot authenticate WLAN users via ACS against AD. It can be done using digital certificates.
C - ACS can do VPN authentication for remote-access users. How depends on which device the user connects to.
-
Two questions about ACS 5.1: password aging and enabling multiple disabled accounts
Hello
I am testing password aging in ACS 5.1, and I discovered that you can have only one global password lifetime setting for all internal accounts. Is it possible to exclude some internal accounts from this global password aging policy? I would like to have a number of accounts whose passwords should not be aged at all...
Second question: when I was testing password aging, I set the password lifetime to 4 days with a warning after 2 days. All accounts in my test ACS configuration are now disabled, because 4 days have passed since I changed it. Is there a possibility to enable multiple accounts at once, or do I have to enable 500 internal accounts manually, one by one?
Thanks in advance
WM
I'm not aware of any way to mark internal users as having passwords that never expire. This is done for admins to ensure there is always an admin who can access the system.
In order to change multiple/all internal user records, the following approach can be taken:
- Go to the list of internal users and press "Export", then "Start Export" and "Save File" to export the user records to a CSV file
- Edit the file. In the 'Enabled' column, replace 'FALSE' with 'TRUE' for all records. Save the updated file
- On the page that lists internal users, press "File Operations", select "Update", and then click Next to reach the "Import a file" section of the wizard. Select the file saved in step 2) and press Finish
After the import is completed, all internal user records should now display "Enabled".
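Step 2 of that procedure done in code, so 500 records are not hand-edited: an added example (my own Python, not from the thread or from ACS) that flips every FALSE enable flag in an exported CSV to TRUE, leaves the other columns untouched so the import wizard still accepts the file, and refuses to run if the flag column is missing. The column name "Enabled" and the sample rows are assumptions; check the header of your own export.

```python
import csv
import io

# Assumed header name for the enable flag (hypothetical: check the first row
# of your own export, which may differ between ACS 5.x releases).
ENABLED_COLUMN = "Enabled"


def reenable_users(csv_text, enabled_column=ENABLED_COLUMN):
    """Flip every FALSE enable flag to TRUE.

    Returns (updated_csv_text, records_changed). Records already TRUE are left
    alone and all other columns are copied through unchanged, so the file keeps
    the layout the ACS import wizard expects. A missing flag column raises
    instead of silently producing an import that changes nothing.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames is None or enabled_column not in reader.fieldnames:
        raise ValueError(
            f"column {enabled_column!r} not in header {reader.fieldnames}")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames,
                            lineterminator="\n")
    writer.writeheader()
    changed = 0
    for row in reader:
        if (row[enabled_column] or "").strip().upper() == "FALSE":
            row[enabled_column] = "TRUE"
            changed += 1
        writer.writerow(row)
    return out.getvalue(), changed


# Constructed sample in the shape of an internal-user export; the columns
# other than the enable flag are illustrative only.
SAMPLE_EXPORT = """Name,Identity Group,Enabled,Description
alice,All Groups:NetOps,FALSE,expired by the 4-day aging test
bob,All Groups:NetOps,FALSE,
svc-monitor,All Groups,TRUE,already enabled
"""

if __name__ == "__main__":
    updated, count = reenable_users(SAMPLE_EXPORT)
    print(f"{count} record(s) re-enabled")
    print(updated, end="")
```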
-
Interoperability issue of ACS as RADIUS with ASA (ACS 5.0)?
Hello
I'm trying to get my VPN users authenticated with RADIUS (ACS 5.0), and the VPN user database is created in AD. Now when I try to connect through the Cisco VPN client, I am unable to do so. In fact, I get an error message (through debug aaa and debug isakmp on the ASA) that my RADIUS server is DOWN.
Please let me know if there is any compatibility issue with ACS 5.0 on this, because everything was working fine on my ACS version 4.2.
Regards
Ritesh
Ritesh,
Yes, there is a bug in ACS 5.0 with VPN authentication.
When you try to connect with the VPN client, you will not see any hits in Monitoring and Reports.
In the ASDM logs you'll see that the RADIUS server is not reachable.
Debugs show the RADIUS request timing out.
This works with TACACS+. The access policy rules did not work, and you could not use RADIUS, as you hit CSCsy17858
http://cdetsweb-PRD.Cisco.com/apps/goto?identifier=CSCsy17858 ; use TACACS+ instead of RADIUS.
If you want to use RADIUS, then you need to upgrade your ACS version to 5.1.
You can download patch 9 (5-0-0-21-9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg) from the path below:
Go to Cisco.com > Support > Download Software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software 5.0.0.21 >
Reference: upgrading ACS from version 5.0 to 5.1:
http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.html
HTH
Kind regards
JK
Rate useful posts.
-
ACS privilege level and command sets
Hi all
I was tasked with implementing ACS 5.6 in order to allow members of MS domain security groups access to specific commands on our equipment. I have the domain joined and the groups added, and I have an access policy with a rule that works, so my domain test account can connect to the switch and perform only the commands in my command set.
The problem is that when I assign a shell profile with privilege level 7 min/max to the rule and the user logs on with this level, they are unable to see the commands that I allowed in the command set. Is it possible to have ACS tell IOS to automatically make the commands visible at a specific privilege level when the user connects, even if they are not at that privilege level?
Any help greatly appreciated,
Chris Menuey
Since you're using command authorization and restricting the user to certain commands, why use privilege 7 and not 15?
~ Jousset
-
Changing the IP of an ACS appliance
What will break if I change the IP address of the ACS SE 4.2 appliance? I need a few of them to take over the IP addresses of our existing production boxes. Apart from manually resetting the SE's IP through the console, reconfiguring the AAA/replication servers and the ACS Agent configuration IPs, is there anything that is "lost" or permanently broken when you reset the IP address?
Thank you!
Yes, a dynamic mapping is created when the user logs in, but this will be a default mapping. All users will be mapped to the default group.
In case you have permissions set up based on the group, it will not work.
If you don't have any users who are mapped to something other than the default group, then there is no need to worry.
Kind regards
~ JG
Rate helpful posts
-
ACS migration tool failure
Hi, I am running the migration tool, which prompts:
Make sure that the database is running.
ACS DB 4.x is unavailable, enter ACS 4.x database password (encrypted)
:[******]
With the plain database password used during the ACS installation, I get a fatal error at the end of the procedure like this: "Fatal Error! -Unable to connect to ACS 4.x DB!"
Where can I find the encrypted ACS database password?
The migration log follows:
07/10/2011-11:41:31 MigrationApplicationCLI.getUserInformation (MigrationApplicationCLI.java:953) ERROR - not read invoke ACS 4 password system. Error on line C:\Work\ACS5x\ccweb_views\dgash_acs5_0_lenovo\vob\nm_acs\acs\mgmt\migration\DbPassword\Password.c 1265, calle API
07/10/2011-11:46:52 MigrationApplicationCLI.getUserInformation (MigrationApplicationCLI.java:953) ERROR - not read invoke ACS 4 password system. Error on line C:\Work\ACS5x\ccweb_views\dgash_acs5_0_lenovo\vob\nm_acs\acs\mgmt\migration\DbPassword\Password.c 1265, calle API
07/10/2011-11:58:08 JavaUtils.isAttachmentSupported(JavaUtils.java:1308) WARN - cannot find the required classes (javax.activation.DataHandler and javax.mail.internet.MimeMultipart). Attachment support is disabled.
07/10/2011-11:58:28 ACS4Connector.checkDBConnectivity (ACS4Connector.java:137) FATAL - Fatal Error! -Unable to connect to ACS 4.x DB!
java.sql.SQLException: [Sybase] [ODBC driver] [Adaptive Server Anywhere] ID invalid user or password
at ianywhere.ml.jdbcodbc.IDriver.makeODBCConnection (Native Method)
at ianywhere.ml.jdbcodbc.IDriver.connect(IDriver.java:354)
at java.sql.DriverManager.getConnection (unknown Source)
at java.sql.DriverManager.getConnection (unknown Source)
at com.cisco.nm.acs.mgmt.migration.ACS4Connector.getConnecter(ACS4Connector.java:66)
at com.cisco.nm.acs.mgmt.migration.ACS4Connector.checkDBConnectivity(ACS4Connector.java:133)
at com.cisco.nm.acs.mgmt.migration.MigrationApplicationCLI.runExport(MigrationApplicationCLI.java:605)
at com.cisco.nm.acs.mgmt.migration.MigrationApplicationCLI.main(MigrationApplicationCLI.java:266)
I am running the migration tool on a VMware clone of the machine, from the console.
Thanks in advance
Created: November 8, 2011 14:47, created by: James, Edward C (EDWJAMES, 338460): Migrating the 4.x database to 5.x
-
ACS 4.2 and Kaspersky antivirus
Hi all
I want to install Kaspersky Anti-Virus on ACS version 4.2 with Windows 2000.
Is it applicable or not?
Thanks in advance,
Ayman Yehia
Hi Ayman,
As a general rule of thumb, there should be no limitation on installing Kaspersky on Windows 2000 with ACS 4.2.
In the past, we have seen problems with some antiviruses, such as Norton, for example, blocking the ACS services.
Unfortunately, the AVs and their releases are too different from each other to build a specific compatibility matrix.
As said, nothing should prevent ACS 4.2 from working when Kaspersky is installed, as long as Kaspersky does not block specific ports/services.
Kind regards
Fede
--
If this helps you or answers your question, please mark it as answered or rate it, so other users can easily find it.
-
Restricting router access to a SPECIFIC ACS group
I want to use TACACS+ to control access to all of our Cisco routers and switches. I have a Cisco ACS appliance that can be used for centralized management of the engineers' accounts. The ACS server, however, is also used to store our business users' VPN accounts.
Can I restrict access to the routers and switches to only users in the Engineers group on the ACS server?
Hello
If you use ACS 4.x, limiting access through Network Access Restrictions (NARs) could help you:
http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml
Let me know if this helps, or alternatively if you use ACS 5 (in which case the scenario is a little different).
Kind regards
Fede
--
If this helps you or answers your question, please mark it as answered or rate it, so other users can easily find it.
-
ACS 3.3: changed the domain password and ACS broke
I did not set up the TACACS+. I want to disable the AD administrator account, but ACS seems to require it.
I changed the admin password and TACACS+ stopped. The ACS Windows services all start using the administrator account. If I change them to use a different domain administrator account, they start, but disabling administrator again breaks TACACS+.
Ideas?
Thank you
I'm not sure what your point is.
Once again, your ACS Windows services are run by the Windows AD administrator account. ACS uses this account to connect to AD for user authentication. If you disable the Windows AD admin account or change its password, ACS cannot access AD to authenticate the user. This is probably the reason TACACS+ authentication failed after you changed the Windows AD admin account. In the ACS External User Database configuration, you should see the Windows AD.
-
Why is ACS blocking my connection to the console?
I have AAA on my switches and routers, but when my server goes down I can't access the console port.
My config is attached, along with the debug aaa authorization output.
These are the debugs for each access: Telnet with a TACACS+ user, console with a TACACS+ user, and console testing with the local user.
Telnet access
Oct 15 01:03:09: AAA: analyze name = tty2 BID type =-1 ATS = - 1
Oct 15 01:03:09: AAA: name = tty2 flags = 0 x 11 type = 5 shelf = 0 = 0 = 0 = channel 2 = 0 port adapter slot
Oct 15 01:03:09: AAA/MEMORY: create_user (0x2778E84) user = ruser 'NULL' = 'NULL' ds0 = 0 port = 'tty2' rem_addr'10.10.10.23 = 'authen_type = ASCII service = CONNECTION priv = 1 initial_task_id = ' 0', vrf = (id = 0)
Oct 15 01:03:10: CDP-4-NATIVE_VLAN_MISMATCH %: incompatibility of VLAN native on GigabitEthernet0/37 (102), was discovered with tst1-s2 GigabitEthernet0/1 (1).
Oct 15 01:03:11: AAA/MEMORY: free_user (0x28E1BFC) user = ruser 'ACS-USER' = 'NULL' port = 'tty2' rem_addr = '10.10.10.23' authen_type = ENABLE priv = 15 = ASCII service
Oct 15 01:03:13: AAA/MEMORY: free_user (0x2778E84) user = ruser 'ACS-USER' = 'NULL' port = 'tty2' rem_addr = '10.10.10.23' authen_type = ASCII = priv = 1 CONNECTION service
Console access (works with the ACS user)
Oct 15 01:08:57: AAA: analyze name = tty0 BID type =-1 ATS = - 1
Oct 15 01:08:57: AAA: name = tty0 flags = 0 x 11 type = 4 shelf = 0 = 0 = 0 = 0 = 0 channel port adapter slot
Oct 15 01:08:57: AAA/MEMORY: create_user (0x28AA8E4) user = ruser 'NULL' = 'NULL' ds0 = 0 port = "tty0" rem_addr = "async" authen_type = service ASCII = CONNECTION priv = 1 initial_task_id = '0', vrf = (id = 0)
Oct 15 01:09:11: AAA/MEMORY: free_user (0x27C0DC4) = user tweak "ACS-USER" = "NULL" port = "tty0" rem_addr = "async" authen_type = ASCII service = ENABLE priv = 15
Oct 15 01:09:18: AAA/MEMORY: free_user (0x28AA8E4) = user tweak "ACS-USER" = "NULL" port = "tty0" rem_addr = "async" authen_type = ASCII = priv = 1 CONNECTION service
Console access (not working with the local user)
Oct 15 01:05:24: AAA: analyze name = tty0 BID type =-1 ATS = - 1
Oct 15 01:05:24: AAA: name = tty0 flags = 0 x 11 type = 4 shelf = 0 = 0 = 0 = 0 = 0 channel port adapter slot
Oct 15 01:05:24: AAA/MEMORY: create_user (0x27C1310) user = ruser 'NULL' = 'NULL' ds0 = 0 port = "tty0" rem_addr = "async" authen_type = service ASCII = CONNECTION priv = 1 initial_task_id = '0', vrf = (id = 0)
Oct 15 01:05:36: AAA/MEMORY: free_user_quiet (0x27C1310) = user tweak "LOCAL_USER" = "NULL" port = "tty0" rem_addr = "async" authen_type = 1 = 1 = 1 private service
Oct 15 01:05:36: AAA: analyze name = tty0 BID type =-1 ATS = - 1
Oct 15 01:05:36: AAA: name = tty0 flags = 0 x 11 type = 4 shelf = 0 = 0 = 0 = 0 = 0 channel port adapter slot
Oct 15 01:05:36: AAA/MEMORY: create_user (0x28D201C) user = ruser 'NULL' = 'NULL' ds0 = 0 port = "tty0" rem_addr = "async" authen_type = service ASCII = CONNECTION priv = 1 initial_task_id = '0', vrf = (id = 0)
Oct 15 01:06:09: AAA/MEMORY: free_user_quiet (0x28D201C) = user tweak "NULL" = "NULL" port = "tty0" rem_addr = "async" authen_type = 1 = 1 = 1 private service
Oct 15 01:06:09: AAA: analyze name = tty0 BID type =-1 ATS = - 1
Oct 15 01:06:09: AAA: name = tty0 flags = 0 x 11 type = 4 shelf = 0 = 0 = 0 = 0 = 0 channel port adapter slot
Oct 15 01:06:09: AAA/MEMORY: create_user (0 x 2773004) = user tweak 'NULL' = 'NULL' ds0 = 0 port = "tty0" rem_addr = "async" authen_type = service ASCII = CONNECTION priv = 1 initial_task_id = '0', vrf = (id = 0)
Oct 15 01:06:41: AAA/MEMORY: free_user (0 x 2773004) = user tweak "NULL" = "NULL" port = "tty0" rem_addr = "async" authen_type = ASCII = priv = 1 CONNECTION service
Thanks for your help.
Change your commands
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+
TO
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
Kind regards
Prem
Please rate if it helps!
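The lock-out condition in this thread and in the earlier "Local username and password if the ACS server fails" thread is easy to catch in a config review: a login or enable method list that ends at a server group, or that falls back to the enable password only. An added example (my own Python, not from the thread, ACS or IOS) that scans 'aaa authentication' lines for it; the BEFORE and AFTER configs are constructed from the two lines Prem quoted.

```python
from dataclasses import dataclass

# Methods IOS can satisfy with no AAA server reachable.
LOCAL_FALLBACKS = {"local", "local-case", "enable", "line"}


@dataclass
class Finding:
    line: str
    severity: str
    message: str


def parse_methods(tokens):
    """Turn ['group', 'tacacs+', 'local'] into ['group tacacs+', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def audit_aaa(config_text):
    """Flag login/enable lists with no server-less method after the last group."""
    findings = []
    for raw in config_text.splitlines():
        tokens = raw.strip().split()
        if len(tokens) < 4 or tokens[:2] != ["aaa", "authentication"]:
            continue
        kind, name = tokens[2], tokens[3]
        if kind not in ("login", "enable"):
            continue
        methods = parse_methods(tokens[4:])
        groups = [i for i, m in enumerate(methods) if m.startswith("group ")]
        if not groups:
            continue  # purely local list, nothing to fall back from
        tail = methods[groups[-1] + 1:]
        fallback = [m for m in tail if m in LOCAL_FALLBACKS]
        if not fallback:
            findings.append(Finding(raw.strip(), "high",
                f"{kind} list '{name}' ends at {methods[groups[-1]]}: every "
                "login fails while the server is unreachable"))
        elif kind == "login" and not any(m.startswith("local") for m in fallback):
            findings.append(Finding(raw.strip(), "medium",
                f"login list '{name}' falls back to '{fallback[0]}' only: the "
                "console user gets a password prompt, local usernames are never tried"))
    return findings


# Constructed from the two 'aaa authentication' lines quoted in the thread.
BEFORE = """\
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+
"""
AFTER = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, [(f.severity, f.line) for f in audit_aaa(cfg)])
```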
-
Configuring the ACS server on Windows Server
Hello
I have started preparing for my CCNA Security and tried to configure AAA using ACS 4.2 on Windows Server 2003.
I configured the router to use AAA authentication from the ACS server, following the CBT Nuggets lab.
I checked reachability from the ACS server to the client router and vice versa, and also the configuration.
The problem is that I'm not able to authenticate using the ACS server; the router uses local authentication and I have no idea why the router does not communicate with the ACS server.
Help PLZ.
My router's AAA configuration:
===============================================
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login exact group tacacs+ local
aaa authorization exec default local
tacacs-server host 192.168.1.25 single-connection key ciscoacs --> (192.168.1.25 is the ACS server; the key configured on the ACS server is also ciscoacs)
line vty 0 4
login authentication exact
===============================================
I created a user on the ACS server and I believe that when I try to telnet to the router I should use the username and password configured on the ACS server.
When I try to use them, authentication fails. Also, since the router accepts the locally configured user details, I think there is no communication between the router and the ACS server; otherwise TACACS+ would be used for authentication, and only if there is no communication between the router and the ACS server should it fall back to the local user.
Please help me.
Reports and Activity --> Passed Authentications
Reports and Activity --> Failed Attempts
Rating useful answers is more useful than saying "thank you".
-
802.1X with ACS and Windows AD
Hello
I'm trying to configure 802.1X with ACS 5.2 but I am getting it wrong, as it's very different from ACS 4.2.
I joined ACS to the domain and think that I installed the external identity store; however, when I try to authenticate a PC using PEAP (EAP-MSCHAPv2), I get failure reason 22056, subject not found in the applicable identity store.
Marco
Hi Marco,
I guess you missed a mapping configuration in the access policy section.
Create an Access Service named AS-802.1x, select User Selected Service Type, and select Network Access. Select the Identity and Authorization policy structure. Select PEAP as the allowed protocol. Click Finish.
You will see the new service; click on Identity.
Select the identity source you have created, then save.
Click Authorization.
Select Permit Access as the default authorization rule and save.
Create a Service Selection rule named 802.1x.
Select Protocol RADIUS as a condition, and as a compound condition select RADIUS-IETF:Service-Type match, then select the service that you created before.
Then you can try again.
Regards
Alex