HTTP on ACS server
Hello
I installed a Cisco ACS server. I am able to use the "remote desktop" to http to the server, however, what can I do if I wanted http in the application of GBA directly?
Rgds
Hello
http://: 2002
HTH
PJD
Tags: Cisco Security
Similar Questions
-
ACS server replication request
Hi all
I have two primary & secondary ACS server. New secondary to be deployed in the network server. My primary ACS server got 1000 clients AAA configured with 15000 user id configured in several group profile. My question here is when I have the database replication between primary and secondary, if any database is replicated from my primary server to the secondary as all customers AAA and configuation etc., otherwise it will be the end user interface, profile of the group, replication has restrictions of database.
Totally: AAA & ID customers user will be on the backup of a database or it will reside on different location
kindly clarify me here, thanks.
Hello
The entire database will be written more when a restore of the database.
The ACS database replication allows you to copy various components of the internal database of GBA in other ACSS. This method can help you plan a failover AAA architecture and reduce the complexity of your tasks of configuration and maintenance.
The components that can be replicated are:
User and group database
Database group only
Network device Configuration tables
WBS
Configuration of the interface
Interface security settings
Password validation settings
EAP-FAST master keys and policies
Network access profiles
Configuration of logging (enable/disable settings)
The following link will give you the details of database replication.
I hope this helps.
Kind regards
Anisha
P.S.: Please mark this thread as solved if you feel that your query is resolved. Note the useful messages.
-
PIX 525 configured for authentication Ganymede + for telnet, ssh etc. access Pix... If Cisco ACS server is not available I can use the Local user database as I do in the world of router. I saw no reference to this
failback AAA was introduced in the 6.3 (4) BONE of PIX. This isn't something I've tried, but this excerpt from a discussion earlier can help you
See you soon
-
Why my internet has stopped working
My computer says that it is connected to the internet but the HTTP 500 Internal server Err error rises. How I get working again? I have another computer in the House and that works very well.http://support.Microsoft.com/kb/321448
In some cases, you must remove the cookie as well. -
SSH after ACS server "locked up" and had to be reconfigured is no longer works.
Hello
I have a VPN tunnel between an ASA5520, and a Cisco 891.
I had the 891 configured with the following text:
AAA server Ganymede group + VTY
Ganymede IP source-interface Loopback0
!
AAA server Ganymede group + GANYMEDE-ACS
Server 10.8.x.x
Server 10.16.y.x
!
AAA authentication login CONSOLE none
Connection authentication AAA VTY Ganymede + local group
VTY AAA authorization exec group Ganymede + local
AAA authorization commands VTY 0 group Ganymede +.
AAA authorization commands 15 VTY Ganymede group.
orders accounting AAA 15 VTY arrhythmic group Ganymede +.
orders accounting AAA 15 CONSOLE arrhythmic group Ganymede +.!
Ganymede IP source-interface Loopback0
!
RADIUS-server host 10.8.x.x touches yadayadayadayada 7
RADIUS-server host 10.16.y.x touches yadayadayadayada 7
RADIUS-server application made!
line vty 0 4
access-class 1
authorization of VTY 15 orders
exec authorization VTY
accounting orders 15 VTY
VTY login authentication
entry ssh transport
line vty 5 15
access-class 1
authorization of VTY 15 orders
exec authorization VTY
accounting orders 15 VTY
VTY login authentication
entry ssh transportI can't access device remotely. I'm sure it has to do with the ACS server, but don't know where to look.
Any help would be greatly appreciated.
Hello
When you say you cannot remote access device you are not able to ssh to the device or there is no rechablity itself?
Is ssh is the problem while you get a login prompt? Error message? Also have you checked ACS has no newspapers for all messages?
Concerning
Najaf
-
PuTTY and password change issue ACS server
When a new user is created with the checkbox 'Must change the password at the next logon' checked, ACS does not allow the user to change the password. The password prompt displays a message access denied. Could someone point me in the right direction to solve this problem?
I created a new account on cisco ACS server and check the box "user must change password at the next logon". I then used ssh to test the newly created using PuTTY user account. When I ssh to the cisco devices [switch or router] password prompt appears and ask me to type the new password. Once I did this I get a message access denied.
It worked well with secure CRT. But users do not have secure CRT, they are supposed to use PuTTY. Users can connect in devices using PuTTY. The problem is that when we try to change the password.
ACS Version: ACS 4.0
Thank you
Nachi
When a user connects in SSH to the system and uses an expired password GANYMEDE, he is prompted to change their password. However, this password change does not work correctly.
To resolve this problem, you must have the SSH v2 with "Keyboard interactive" authentication for SSH v2 game. Cisco bug ID CSCin91851 addresses this problem.
Symptom:
When you use the router as a ssh server is authenticating with a normal SDI/RADIUS, work of authentication backend. However, neither the new BUGS mode or mode next token dialogues completes successfully.
Conditions:
Problem only occurs in mode again PIN or next token dialogue mode.
Specific SSHv2Workaround solution:
Use telnet for authentication or to define vty lines to authenticate against RADIUS
(non - SDI) server instead.Other Description of the problem:
Not all ssh clients are supported the dialogue for the new PIN mode or next token to work.
-
Enable AAA fails on the second ACS server
I have 2 servers Windows 2003 4.2 ACS, who authenticate with AD. I have configured authentication GANYMEDE + both for my PIX 515 running version 7.24. GANYMEDE + authentication works fine on both. However, when I use the 'aaa authentication enable console LOCAL ProsperAdminAuth', the enable password only works with the first ACS server. When the first server is unavailable, it fails on the second ACS server and authentication failed on ACS "ACS invalid password" reports. It does not allow the LOCAL password. I checked all the password and there is no problem there. I know that for you, because GANYMEDE auth works. Someone at - he seen elsewhere issue or know what I might try?
Thank you
Vivek
Hello
Configuration of external database is not replicated between servers ACS so my guess here that is on your ACS secondary if you go to the external-> unknown user policy user databases, you will find that under configure enable password behavior you are on "internal data" instead of "The database which the user profile is required."
-Jesse
-
Design of ACS server question 4.2 - role - based is a limit?
Currently, I've implemented this ACS server.
An ACS group maps to a group of active live in AD. For example, the Group ACS router_access maps to AD group called $f (gbr) raccess. If the user tries to connect to a router and it has this group in its profile AD, that it will be accepted and if not rejected.
If for example, I want to revoke, allow access to some features I use NARS (for example accept connections from devices switch and router).
It works - but this apparently isn't the way I do things.
The best way is to have a group of ads by device group.
EG for access to the router, you must $g (t) of group routers in your AD profile
To get access to switch the Group $g (t) must spend in your AD profile
Now, we hit the problem - the EC will use the first group in your AD profile to apply for pass/fail.
Let as well as John has $g routers and switch (t) $g (t) group in its AD profile. When he tries to connect to a switch, the ACS attempts to use routers $g (t) because it's the first ACS AD Group in his profile. Subsequently, it fails, which means that ACS will not look through several AD strategies.
I hope this makes sense.
Anyway, I can't get it to work because it keeps failing!
Hi Will,
This is a limitation of how ACS 4.x performs operations. It defines everything based on your local user group on ACS as opposed to your ad groups - so the mapping of the group comes first and then everything else comes later.
If you use Radius (this does not apply to the GANYMEDE) you may be able to use the network access profile feature to substitute some access. If for example you can tell if the user is in the local group, but authentication comes from a certain type of device, you can transmit different attributes. However, in terms of blocking, it is always based on the local group you are a member. He can do some additional checking of LDAP group, but I don't know if that will solve your problem.
Is 5.x ACS to a new level - the entire platform is built as the network access profiles - so you can make rules as granular as you want - that is to say: If you are in a specific ad group (do not need to map - we can draw external groups) and it is a router then go down a permission set with a Pass. If it is a different ad group (or a different device type), then send a failure.
Thank you
Nate
-
AAA / adding additional ACS server
Hello guys,.
You need to install AAA proposed plan as attaché. We used the current configuration for a very long time for our facilities and data centre devices. Now we want to add a more updated ACS apart from the existing two and need to point out all the data center on the new ACS server devices.
Is it possible to set up groups of many materials and separate ACS server for defined groups? If possible please let me know the commands, and if not, please let me know the two ways.
Hope you could understand my needs and the current configuration. PFA...
Thanks in advance!
Best regards
Anurag.K
Hi Anurag,
You can add the new ACS/Ganymede server and have this server in the upper part of the sequence.
10.16.2.10 RADIUS server host
10.16.2.8 RADIUS server host
10.16.2.9 RADIUS server host
GANYMEDE server key xxxxx
If you really want to create a separate group for the new ACS/Ganymede server then you must have under configuration shown.
AAA server Ganymede group + Group1
Server 10.16.2.8
Server 10.16.2.9
AAA server Ganymede group + group2
Server 10.16.2.10
AAA authentication login default group GROUP1 GROUP2 line
I want to knoiw if you have doubts.
~ BR
Jatin kone* Does the rate of useful messages *.
-
local user name and password if the ACS server fails
Hello
I have every router and switch configuration for authentication of the connection via the ACS server. I used these 12 lines below and it works very well. Each engineer has their own account.
AAA new-model
AAA of default login authentication group Ganymede + activate
the AAA authentication enable default group Ganymede + activate
AAA authorization exec default authenticated if
AAA authorization commands 15 default group Ganymede + authenticated if
AAA accounting exec default start-stop Ganymede group.
orders accounting AAA 15 by default start-stop Ganymede group.
Default connection accounting AAA power Ganymede group.
AAA - the id of the joint sessionRADIUS-server host x.x.x.x
RADIUS-server application made
radius-server key, regardless of----------------------------------------------
I would add to this a local username and password so that if the ACS server was offline engineers have yet to connect with a knowledge of username and default password
username privilege 15 secret mypassword MYUSERNAME
line vty 0 4
local connectionQ. How do I make ACS a first preference and connection server only local users username and password if the ACS server is down?
Kind regards
Kevin
Now you have the password to enable as the fall back method:
AAA of default login authentication group Ganymede + activate
Change 'enable' for 'local' and the local (to the router) database of user names and passwords is used.
The same works to activate authentication (the second line "authentication, aaa... ("in the config that you posted).
-
Configuring the ACS server on windows server
Hello
I started to prepare my CCNA security and tried to configure AAA using ACS 4.2 on windows server 2003.
I have configured the router to use the AAA authentication with the laboratory of cbtnuggets from ACS server.
I checked the accessibility of the ACS server to client router and vice versa and also configuration.
The problem is I'm not able to authenticate using ACS server, the router uses local authentication and I have no why the router communicates not eith ACS server.
Help PLZ.
Configuration of my router from AAA.
===============================================
AAA new-model
!
!
AAA authentication login default group Ganymede + local
exact AAA authentication login group Ganymede + local
AAA authorization exec default localRADIUS-server host 192.168.1.25 single-connection key ciscoacs--> (192.168.1.25 ACS, the key configured on the ACS server server is also ciscoacs)
line vty 0 4
exact connection authentication================================================
I created a user on ACS server and I believe that when I'm trying to telnet to the router I should use the user name and password configured on the ACS server.
When I try to use, authentication fails, and also if the router accepts locallly configured user details then I think there was no communication between the router and the other GANYMEDE ACS server + will be used for authentication and if no communication between the router and acs server then only it should be the responsibility of local user
Please help me.
reports and activity--> passed authentication
reports and activity--> failed attempts
Rating of useful answers is more useful to say "thank you".
-
Whence the ACS server get the DNS Info for the IP pools?
I'm changing the DNS servers that my VPN users are assigned from the pools of IP on the ACS server. Where IP pools Gets the DNS server information. I changed the IP addresses of the DNS on windows server and rebooted. But VPN clients are always assigned the old DNS servers.
ACS ip pools do not grow the DNS server information
It is either transmitted from the setup of group for the VPN concentrator or
It is to be send to the setup of the user/group ACS > attributes Radius (VPN 3000) > [026/3076/005] primary DNS.
I hope this helps.
Concerning
Rohit
-
HTTP 500 INTERNAL SERVER ERROR
Hello team,
I get this error HTTP 500 Internal Server Error whenever I try to access our predetermined (2).
I can access the other 3 very well.
Two of my other coworkes can access ALL predetermined very well. It just seems to be local to my machine.
I still am able to confduct exports and scripts for action for the hierarchy with no problems.
Anyone have any ideas?
Thank you very much!
Not the console config, Event Viewer Windows and then locate the application logs. Click Start and search for Event Viewer.
Thank you
Denzz
-
Tried everything: 1 address, but not able to connect via HTTPS to the server:
Hello
I am trying to connect to the third of the OSB business service web service.
objective WS is protected with SHA1 base 64 encoded password.
I am able to connect to the service target of SOAP UI. I am also able to Telnet to my server for dev to the URL of the WS.
But when connecting from OSB BS I'm tried them all: 1 address, but not able to connect via HTTPS to the server: error.
Can you please help me solve the problem.
I tried different policies, but still does not work.
Kind regards.
Problem solved. We need to use the proxy server.
-
ACS server installation issues
I have a client of the remote site that is replacing their ACS servers and several questions:
(1) what version we should be installed?
(2) where we can get a clean binary installer (or do you start with 3.x or 4.0 & upgrade-if upgrade, use us the latest hotfix installer, or do we apply successive patches?)
(3) replication between versions? Current servers have version 4.1 (1) build 23 Patch 5-do these need to be upgraded to the current version, or can move us later & replicate current?
(4) is it possible to use different DNS (ex rtpacs.corpnet2.com) name for the site of 'real' server name (e.g. us2sawn00232.us1auth.xxxx.com)?
(5) how to use GSK signed cert? Have previously tried & failed - something special here?
Thanks for any help you can give.
RO
I have a remote site customer that is in the process of replacing their ACS servers,and have several questions:
1) What version should we be installing?
2) Where can we get a clean binary installer (or do we have to start with 3.x or 4.0 & upgrade-if upgrade, can we use latest patch installer, or do we have to apply successive patches?)
3) Cross-version replication? Current servers have Release 4.1(1) Build 23 Patch 5-do these need to be upgraded to current version, or can we install latest & replicate from current?
4) Is it possible to use different DNS name (ex rtpacs.corpnet2.com) for website than server's 'real' name (ex. us2sawn00232.us1auth.xxxx.com)?
5) How to use GSK-signed cert? Have tried previously & failed-anything special here?
Thanks for any help you can give.
RO
Hi Richard,
For your queries for replication ACS should be the same version, only then you can replicate between the ACS patner, if you have the same version, so your first and third query got the answer.
For your fourth query, you can use the DNS server to host your web servers as when the user access the traffic of your web site will land in your DNS server where it will redirect to the origin server so that the DNS server should be authority server for your Web site.
For a binary installation clear I would say check out this link http://openacs.org/forums/message-view?message_id=1245671 I hope this helps.
So useful note valauable post.
Concerning
Ganesh.H
Maybe you are looking for
-
my file, display, Favorites, help and tools toolbar is missing, how do I get it back?
I upgraded to mozilla and now the toolbar file, view, Favorites, support and tools is missing. This has happened Each time Firefox opened Is a month ago
-
How can I remove Access Manager of programs that have been adopted by it, if I don't know the password. I tried to reset the administrator password, but still cannot access Manager to meet my administrator password? [Moved from comments]
-
How can I avoid duplicate emails in my Inbox O.E.?
duplicate emails How can I avoid duplicate emails in my Inbox O.E.. I also receive emails in BT Yahoo Mail but only one every time. Thank you. Brian
-
almost complete original image
Have a Windows Vista PC and Norton 360 antivirus and my original Image file is almost full. How to remove unnecessary data originally my problem. How can I determine what should be there and what is not? Any help is appreciated. Thank you.
-
Not able to download reports or generate graphs in ISV Portal
I have a problem in the ISV portal. I'm not annex reports power download or generate graphs. Whenever I take these pages, 'Select the Type of chart' and 'Select 1 to 5 products' trying to load indefenitely but found nothing. Same thing happens on ind