Ensure the redundancy of the ACS
Hi,
What happens if my ACS only breaks down? ACS is active on my access switches.
What deployment scenario are we talking about here? For example, with 802.1X deployments there is a function (called Inaccessible Authentication Bypass) that allows you to access a specific VLAN in the scenario where connectivity to the ACS server is compromised. Is that something that can help you?
Similar Questions
-
Two questions about the ACS 5.1: password aging and allowing multiple disabled accounts
Hello
I am testing password aging in ACS 5.1, and I discovered that you can have only one global setting for the password lifetime for all the internal accounts. Is it possible to exclude some internal accounts from this global password aging policy? I would like to have a number of accounts whose passwords should not be aged at all...
Second question: when I was testing password aging, I set the password lifetime to 4 days with a warning after 2 days. All accounts in my test ACS configuration are now disabled, because 4 days have passed since I changed it. Is there a possibility to enable multiple accounts at once, or do I have to activate 500 internal accounts manually, one by one?
Thanks in advance
WM
I'm not aware of any way to mark internal users as having passwords that never expire. This is done for admins to ensure there is always an admin who can access the system.
In order to change multiple/all records for internal users, the following approach can be taken:
- Go to the list of internal users and press "Export", then "Start export" and "Save file" to export the user records to a csv file
- Edit the file. In the column titled 'active', replace 'FALSE' with 'TRUE' for all records. Save the updated file
- On the page that lists internal users, tap "File Options", select "Update", and then click next to access the "Import a file" section of the wizard. Select the file saved in step 2) and tap on finish
After the import is completed, all internal user records should now display "Enabled".
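A scripted form of the CSV edit in the steps above, as an added example that is not part of the original reply. Only the 'active' column and its TRUE/FALSE values come from the thread; the `name` and `description` columns, the sample rows and the `keep_disabled` parameter (accounts that were disabled on purpose and must stay disabled) are assumptions.

```python
import csv
import io

# Constructed sample export; only the 'active' column and its TRUE/FALSE
# values come from the thread, the other column names are assumptions.
SAMPLE_EXPORT = (
    "name,description,active\n"
    "alice,network ops,FALSE\n"
    "bob,left the company,FALSE\n"
    "carol,helpdesk,TRUE\n"
)


def reenable_accounts(csv_text, keep_disabled=(), name_col="name", active_col="active"):
    """Set active=TRUE on disabled rows, except accounts listed in keep_disabled.

    Returns (updated_csv_text, changed_names) so the change can be reviewed
    and logged before the file is imported back.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    if active_col not in (reader.fieldnames or []):
        raise ValueError(f"column {active_col!r} not found in export")
    skip = {n.lower() for n in keep_disabled}
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    changed = []
    for row in reader:
        disabled = row[active_col].strip().upper() == "FALSE"
        # Leave deliberately disabled accounts untouched.
        if disabled and row[name_col].lower() not in skip:
            row[active_col] = "TRUE"
            changed.append(row[name_col])
        writer.writerow(row)
    return out.getvalue(), changed


if __name__ == "__main__":
    updated, changed = reenable_accounts(SAMPLE_EXPORT, keep_disabled=["bob"])
    print(updated)
    print("re-enabled:", changed)
```

Keeping the returned list of changed names gives a record of exactly which accounts were switched back on by the import.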
-
ISE Migration tool: Unable to connect to the ACS
Hello
I am trying to start the Cisco migration tool to migrate data from ACS 5.2 to ISE 1.1.
When I run the migration.bat file, I get:
C:\migTool>migration.bat
log4j: WARN no such property [encoding] in com.cisco.acs.positron.migration.utils.Log4jTextAreaAppender.
INFO [main] MigrationApplicationDriver.main:56: applies from the main method.
Org.springframework.context.support.ClassPathXmlApplicat updating of INFORMATION [hand][email protected] / * /: start date [Thu Jul 11 16:46:09 CEST 2013]; root of context hierarchy
INFO [hand] loading XML bean definitions of resource path of class [conf/META-INF/beans.xml]
INFO [hand] instancing of the singletons in org.springframework.beans.factory.s[email protected] / * /: defining beans [exportAuthorizationProfileCache, exportConditionRightOperandCache, exportDevicesCache, exportEnumAttributeIdCache, exportEnumerationCache, exportGenericAttributesCache, exportIdentityAttr
ibuteCache, exportIdentityDictionaryCache, exportIdentitySourceCache, exportPredefinedDataCache, exportRADIUSDictionaryCache, exportServicesCache, exportManagerImpl, m
igrationApplicationManager, migrationPhaseStatefulComponent, stateManager, migrationProcedureModel, migrationApplicationGUI, defaultImportObjectHandlerFactory, import
AllowedProtocolCaching, importAuthZProfileCaching, importDateTimeCaching, importDevicesCaching, importEndPointCaching, importExternalIdentityStoresCache, importIdenti
tySourcesCaching, importPolicyElementsCache, importRadiusProxyCaching, importUsersCaching, importManagerImp, org.springframework.context.annotation.internalConfigura
tionAnnotationProcessor, org.springframework.context.annotation.internalAutowiredAnnotationProcessor, org.springframework.context.annotation.internalRequiredAnnot
ationProcessor, org.springframework.context.annotation.internalCommonAnnotationProcessor]; root of the hierarchy of the factory
[Main] INFO start parsing of the XML query...
[Main] INFO start the process XML analysis...
INFO [Thread-5] Start ACS5 IP connection
WARN [Thread-5] could not find the required classes (javax.activation.DataHandler and javax.mail.internet.MimeMultipart). Attachment support is disabled.
ERROR [Thread-5] error occurred during communication with ACS 5.x. (404) not found
ERROR [Thread-5] error occurred during communication with ACS 5.x. (404) not found
ERROR [Thread-5] failed to connect to the DCC 5 to start exporting. Make sure that:1 migration interface is enabled on the ACS 5 server.
2 ACS 5 services run.
3 ACS 5 IP and username and password are correct.
4 ACS 5 has a compatible license installed.
INFO [Thread-6] Start ACS5 IP connection
ERROR [Thread-6] error occurred during communication with ACS 5.x. (404) not found
ERROR [Thread-6] error occurred during communication with ACS 5.x. (404) not found
ERROR [Thread-6] failed to connect to the DCC 5 to start exporting. Make sure that:1 migration interface is enabled on the ACS 5 server.
2 ACS 5 services run.
3 ACS 5 IP and username and password are correct.
4 ACS 5 has a compatible license installed.
Then, I click on the export of ACS, and when I enter my ACS server name and the password, I get:
"
ERROR [Thread-9] failed to connect to the DCC 5 to start exporting. Please ensure that: INFO [Thread-9] Start ACS5 IP connection
ERROR [Thread-9] error occurred during communication with ACS 5.x. (404) not found
ERROR [Thread-9] error occurred during communication with ACS 5.x. (404) not found
ERROR [Thread-9] failed to connect to the DCC 5 to start exporting. Make sure that:1 migration interface is enabled on the server ACS5
2 ACS 5 services run
3 ACS 5 IP and username and password are correct
4 ACS 5 has a compatible license installed.
Can someone help me?
Best regards
David
Have you activated the migration web interface? Check that you have configured the Cisco Secure ACS 5.1/5.2 source machine with a unique IP address. The migration tool may fail during the migration if each interface has multiple IP address aliases.
Supporting document:
http://www.Cisco.com/en/us/docs/security/ISE/1.0.4/migration_guide/ise10_mig_install.html
~ BR
Jatin kone
* Do rate helpful posts *
-
lack the sign in seal (ensuring the validity) for the Yahoo email login page
The login-seal is an option that you generate for sign id and password for yahoo emails. It ensures the authenticity. It appears so, except on firefox. I'd appreciate your comments please.
Thanks in advance...
See also:
The problems of connection attached: https://help.yahoo.com/kb/yahoo-account/SLN2676.html
-
Original title: unable to print. Reference Dell 944 communication usb port is not available.
Message says 'check your firewall settings to ensure the printer communication is not blocked'. Printer has worked faithfully until the problems started with the XP Home operating system. To cut a long story short, RAM was upgraded to 2 GB, all unnecessary programs were identified, and a Microsoft technician was contacted to solve the problems. I was informed the problems were caused by 3rd party software conflicts. Kaspersky was apparently the culprit. Dell Inspiron 32 is now much faster but the printer will not work no matter what I do. I tried to reload with the drivers & utility CD, and uninstalled & reinstalled the drivers from the site, all to no avail. Can someone help?
DavidNicholsonXN,
How to download and install drivers in the correct order
also try to read...
The owners of all-in-one printer Dell 944 thread (W7)
Let the printer after Kaspersky
Rick
-
Is there a problem with accounting and 4.1 of the ACS
Good day to all,
I just installed a new server with ACS 4.1.
Once this new ACS 4.1 installation is approved, I will retire my old ACS 3.1 server.
At this point, the only problem I have with ACS 4.1 is with the accounting.
For example:
I used a test router with all the necessary config pointing to my old ACS 3.1. Everything works fine (authentication and accounting). If I enter a command on the test router, it is logged on ACS 3.1.
Now, if I change the test router to point to the new ACS 4.1, the ACS 4.1 will authenticate the test router correctly, but won't log any command that I enter on the test router. I took a capture between the test router and the ACS 4.1, and the test router does send the accounting records to ACS 4.1.
There are many configuration differences between ACS 3.1 and 4.1, but as far as I can see the config on the two ACS servers is as similar as possible.
Is there anyone out there who could get ACS 4.1 to process accounting properly?
Any idea will help.
Thank you
Frank
Here is my config:
AAA new-model
AAA authentication login default group Ganymede + local
connection of AAA No.-AUTH authentication no
AAA authorization exec default group Ganymede + local
AAA authorization commands start-stop Group 1 Ganymede +.
AAA authorization commands start-stop group 15 Ganymede +.
AAA accounting exec default start-stop Ganymede group.
orders accounting AAA 1 by default start-stop Ganymede group.
AAA accounting command 15 by default start-stop Ganymede group
!
192.168.100.16 host key radius-server *.
(the above command is the only command I change to point to either ACS 3.1 or ACS 4.1)
RADIUS-server application made
Please use the following link. It has the 4.1 cumulative patch that contains the hotfix for the bug.
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES
Don't forget to download the readme text also.
Rate me if it helps.
-
Greetings,
When upgrading to ACS 3.2, will all my settings and security remain the same? If this isn't the case, I have a router connected to the server and I will get locked out. I heard there is a specific order for removing the lines to avoid locking myself out. Is this true?
Thank you
You will need to select the option "Yes, import the existing configuration" while upgrading the ACS software. Information on upgrading the Cisco ACS software while preserving the configuration can be found in the documentation at
http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacs4nt/ACS32/win32sig.htm#9934
-
Download the ACS software... ?
I don't know about the 90-day trial; however, is there a way to download a full version for Windows from the Cisco site? I am able to download the software so that isn't a problem. I don't see anywhere to download a full version and not only the 90-day trial.
TKS-
You must purchase the full version of the software. It is only available on CD. When you buy the ACS software, it comes with a device (ACS1111). I do not see the necessity or the advantage of Cisco making the full version of ACS available for download on their website.
-
We have ACS running without any problem. We have a special VLAN for a public kiosk that clients can use to surf the internet. The kiosk is wireless and is configured for automatic connection with a specific account. The access point uses the vlan 1 and vlan 40 terminal wireless. When the kiosk machine authenticates to ACS running on our domain controller (which resides on VLAN 10), does the kiosk machine communicate with the domain controller, or does the kiosk machine communicate with the access point, which, in turn, communicates with the ACS server? I would like to block VLAN 40 access to VLAN 10, but if the kiosk machine must communicate with the domain controller, I don't think I can. Any help is appreciated. Thank you.
The untrusted kiosk machine only communicates with the AP. The AP will send the credentials to the ACS server, which, in turn, will try to authenticate them against the Windows domain controller.
-
I know I should have remembered, but I did not...
I have been using the ACS 90-day trial, which expired before I bought a copy.
Do I lose everything, and how do I go about product licensing now that I have bought it?
Thank you
Andrew
Please mark it as resolved, so others can benefit from it.
Kind regards
~ JG
-
AAA TACACS+ accounting - CLI commands issued by user do not appear in the ACS report.
Can I know why CLI commands issued by the user do not show in the ACS TACACS+ accounting report? The session duration is displayed, but I also want to log which commands are issued by the user.
What is missing here?
enable AAA authentication login VTY P1_ACS local group
Group default AAA authorization exec local P1_ACS authenticated by FIS
AAA authorization exec CONSOLE none
AAA exec by default start-stop accounting P1_ACS group
AAA commands 5 default start-stop accounting P1_ACS group
AAA commands 15 arrhythmic default accounting P1_ACS group
Command accounting logs are stored in the TACACS+ Administration logs.
There is also a known issue on ver 4.1.1 and we must
apply the ACS 4.1.1.23.5 patch to fix the problem.
Patch for the appliance is available at
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES
The patch name: ACS SE 4.1.1.23.5 rollup
ACS hotfix for Windows is available at
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES
The patch name: ACS 4.1.1.23.5 rollup
CCIE Security
-
To access the AIP-SSM-10 through the ACS
Hi,
Please, I would like to know if you can access the AIP-SSM-10 using a Cisco ACS account.
Thank you
IPS module does not support authentication to the ACS server.
Please find the only authentication method for IPS in the following document:
http://www.Cisco.com/en/us/docs/security/IPS/7.0/Configuration/Guide/IDM/idm_sensor_management.html
Hope that answers your question.
-
the ACS 5.1 and cisco ACE module
Hello
I would like to configure TACACS+ AAA on the Cisco Application Control Engine module for the Catalyst 6500. In the configuration guide for ACE it is advised that you need to configure additional parameters to be returned by the RADIUS server (shell:
= ...) ) for authorization of Cisco ACE virtual contexts. My question is: where exactly should I put these settings in ACS 5.1? Is there a document describing ACE + ACS 5.1 TACACS+ configuration? Thank you
WM
Here is the doc.
-
Administrator rights to the ACS using Active Directory groups
Good afternoon
We must be able to use administrative accounts for our ACS appliance that reside in an Active Directory group, if possible. If this is not possible, what other safer options would we be able to use (RADIUS authentication or authentication RSA 2)?
Thanks in advance
You can only use the locally stored accounts within the ACS.
-
Issue of operability of the ACS as RADIUS with ASA 5.0?
Hello
I'm trying to get my VPN users authenticated with RADIUS (ACS 5.0), and the VPN user database is created in AD. Now when I try to connect through the Cisco VPN client, I am unable to do so. In fact, I get an error message (through debugging on the ASA for aaa and isakmp) that my RADIUS server is DOWN.
Please let me know if there is any compatibility issue with ACS 5.0, because everything was working fine on my ACS version 4.2.
Regards
Ritesh
Ritesh,
Yes, there is a defect in ACS 5.0 with VPN authentication.
When you try to connect with the VPN client, you will not see any hits in the follow-up and the views.
In the ASDM logs you'll see that the RADIUS server is not accessible.
Debugs you show RADIUS period.
This will work with TACACS+. Access policy rule was does not. Also, could not use RADIUS as hit CSCsy17858
http://cdetsweb-PRD.Cisco.com/apps/goto?identifier=CSCsy17858
Used TACACS+ instead of RADIUS.
If you want to use RADIUS then you need to upgrade your version of ACS to 5.1.
You can download patch 9 (5-0-0-21-9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg) from the path below:
Go to Cisco.com > support > download software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software 5.0.0.21 >
Reference: upgrading ACS from version 5.0 to 5.1:
http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.html
HTH
Kind regards
JK
Do rate helpful posts-