Import bulk of ACS - SE of AAA Clients

Hi all, I know that there is a feature of AAA Client import bulk in ACS, using a csv and csutil.exe. Is there a way to do this in an ACS Solution engine? Some tell me that there is a way to do it via FTP, is it? Thanks in advance, Michael

Not as far as I know, but rather than define each AAA client individually, why not set them in groups using wildcards in IP addresses, for example 192.168.10.*?

Tags: Cisco Security

Similar Questions

  • Import bulk of switches in the TAS

    I have a new ca 1120 running 5.1.0.44

    I have over 1,000 Cisco switches to add to this (good thing I have an unlimited lic).

    The switches are mostly of the same type; is there a way to bulk import these switches into the ACS? Basically saying, hey, 192.1.1.1 - 253 is a switch of some.

    The 2nd part of this issue is im sure that I will have to connect to never pass to config to talk to GBA anyway around that?

    Thanks for the help

    What you need to do is:

    (1) Go to Network Resources > Network Devices and AAA Clients. Devices can be imported from here.

    (2) Press File Operations, then Add, then click Next and 'Download Add Template'.

    You will get a file similar to the following (this is what is displayed by default for ACS 5.1)

    name:String(64):Required,description:String(1024),subnets:Subnets(a.b.c.d/m;...):Required,"supportRADIUS:Boolean(true,false):Required",radiusSecret:String(32),"supportTACACS:Boolean(true,false):Required",tacacsSecret:String(32),"singleconnect:Boolean(true,false)","legacyTACACS:Boolean(true,false)",Location:String(256),Device Type:String(256)

    (3) This line should be kept as is as the first line of the import file; it also defines the structure of each data record that corresponds to a device definition. For devices that use TACACS+, the following can be used to define an entry:

    DEVICE1,,1.2.3.4/32,false,,true,Cisco,false,false,all locations: US, all Types: switch of the device

    Explanation:

    DEVICE1, /// name
    , /// description, empty
    1.2.3.4/32, /// subnet - it is in fact IP 1.2.3.4
    false, /// does not support RADIUS
    , /// empty, shared secret
    true, /// supports TACACS+
    Cisco, /// TACACS+ shared secret
    false, /// singleConnect
    false, /// legacyTACACS
    All locations: US, /// location NDG
    All Types: switch of the device /// device Type

    Add a line for each device that you want to add during the import process.

    (4) Now import the new definitions:

    Select File Operations, then Add, then Next; you can then set the file to import and press "Finish".
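A pre-import check for a file built from this template, as an added example that is not part of the original thread and not Cisco tooling. It goes beyond the steps above by also flagging very broad subnets and overlapping entries, the wildcard and IP-conflict problems raised in the ACS 4.1 thread on this page. The /16 threshold, the rule that an enabled protocol needs a secret, the sample rows and all function names are assumptions of the example.

```python
import csv
import io
import ipaddress
import re

# First line of the ACS 5.1 "Add" template, as quoted in the post above.
HEADER = ('name:String(64):Required,description:String(1024),subnets:Subnets(a.b.c.d/m;...):Required,'
          '"supportRADIUS:Boolean(true,false):Required",radiusSecret:String(32),'
          '"supportTACACS:Boolean(true,false):Required",tacacsSecret:String(32),'
          '"singleconnect:Boolean(true,false)","legacyTACACS:Boolean(true,false)",'
          'Location:String(256),Device Type:String(256)')
FIELD_RE = re.compile(r'^(?P<name>[^:]+):(?P<type>\w+)\((?P<arg>.*)\)(?P<req>:Required)?$')
MIN_PREFIX = 16  # assumption of this example: anything broader than /16 is flagged
SECRETS = (('supportRADIUS', 'radiusSecret'), ('supportTACACS', 'tacacsSecret'))  # assumed pairing

def parse_header(line):
    """Turn the template line into (name, type, argument, required) tuples."""
    cells = next(csv.reader([line]))
    return [(m['name'], m['type'], m['arg'], bool(m['req'])) for m in map(FIELD_RE.match, cells)]

def check_subnets(n, value, seen):
    """Validate one subnets cell; 'seen' collects (line, network) across rows."""
    found = []
    for part in value.split(';'):
        try:
            net = ipaddress.IPv4Network(part.strip(), strict=False)
        except ValueError:
            found.append(f'line {n}: {part!r} is not a.b.c.d/m')
            continue
        if net.prefixlen < MIN_PREFIX:
            found.append(f'line {n}: {net} is broader than /{MIN_PREFIX}')
        found += [f'line {n}: {net} overlaps {o} from line {m}' for m, o in seen if net.overlaps(o)]
        seen.append((n, net))
    return found

def check_file(text):
    """Return 'line N: problem' strings for an import file; [] means clean."""
    rows = list(csv.reader(io.StringIO(text)))
    if rows[:1] != [next(csv.reader([HEADER]))]:
        return ['line 1: first line must be the unmodified template header']
    spec, problems, seen = parse_header(HEADER), [], []
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(spec):
            problems.append(f'line {n}: expected {len(spec)} columns, got {len(row)}')
            continue
        rec = dict(zip((s[0] for s in spec), row))
        for (name, typ, arg, req), val in zip(spec, row):
            if req and not val:
                problems.append(f'line {n}: {name} is required')
            elif typ == 'String' and len(val) > int(arg):
                problems.append(f'line {n}: {name} exceeds {arg} characters')
            elif typ == 'Boolean' and val not in ('', 'true', 'false'):
                problems.append(f'line {n}: {name} must be true or false')
            elif typ == 'Subnets':
                problems += check_subnets(n, val, seen)
        for flag, secret in SECRETS:  # assumption: an enabled protocol needs its secret
            if rec[flag] == 'true' and not rec[secret]:
                problems.append(f'line {n}: {flag} is true but {secret} is empty')
    return problems

SAMPLE = '\n'.join([HEADER,  # rows below are constructed; EXAMPLE-SECRET is a placeholder
    'core-sw-01,,10.10.1.1/32,false,,true,EXAMPLE-SECRET,false,false,All Locations:US,All Device Types:Switch',
    'branch-sw,,10.10.0.0/16,false,,true,EXAMPLE-SECRET,false,false,All Locations:US,All Device Types:Switch',
    'catch-all,,0.0.0.0/0,true,,false,,false,false,,'])
```

Calling `check_file(SAMPLE)` returns five findings: the /16 that swallows the /32 host entry, and the 0.0.0.0/0 catch-all that is too broad, overlaps both other rows and enables RADIUS without a secret.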

  • Wildcard AAA Client ACS4.1

    Hi I am trying to solve the following problem:

    I use ACS for authority accounting & administrative support to network devices, and I would like to distinguish which users have access to devices. I have about 2500 network devices in my network, and instead of adding each one to the ACS DB, I created a generic AAA client with IP *.*.*.*.

    It has worked well so far, extremely simple installation, I know, but now I want to add FWs and other sensitive devices and restrict access using NAR. The idea was to create new AAA clients for each type of device and deny access to restricted groups with NAR. The problem is that when you define new groups, an IP address conflict is detected with the generic AAA client.

    Is there another way to solve this problem outside the importation of all network devices and create NDG? That's what I wanted to avoid.

    Any help is greatly appreciated.

    Thank you

    Niels

    Niels,

    First of all, I would not recommend this kind of setup. Anyone can plug in an AAA client and send many requests to ACS, causing a delay in the processing of legitimate requests. It's like opening the doors of the ACS to everyone.

    For your question, there is no way that you can add separate IP since wildcard covers the full range.

    Best way is to download your aaa devices. You can use the RDBMS synchronization to download everything at once.

    Another easy way is to add networks like 10.5.*.* / 30.34.*.* / 30.35.*.*

    Kind regards

    ~ JG

    Note the useful messages

  • AAA clients

    Hello

    I am running CiscoSecure ACS v3.0 for Windows 2000/NT version 3.0 (1) build 40 in my environment. I have a problem when adding the AAA clients in a group of network devices, because it gives an error saying that the device already exist.

    I did a manual search of the device and it can not be found. Is there any other way to remove this device by its ip address, which the system think already exist.

    Diop

    Hmm, are you entering device IPs, ranges or DNS names?

    Maybe an accidental overlap somewhere?

    You can use regedit to inspect the network configuration db. It lives under HKLM/SOFTWARE/Cisco/CiscoAAAv3.3/Hosts

    If you spot the duplicate, you can simply delete the subkey, and then restart all CS* services (including CSAdmin) from the control panel.

    Mounira

  • How to count the number of AAA clients

    Hello

    As we know, ACS5.2 is necessary with a basic license - 500 devices support network.

    Sometimes, there are a lot of AAA clients or network devices that are authenticate simultaneous. So my question is, how to count network devices allowed to auth on ACS5.2? This only includes network, including network devices, or the AAA clients or devices?

    Rgds,

    Laowu5017

    Hello

    ACS 5.x counts the number of AAA clients that are configured on the ACS.

    Please note that clients and network devices of AAA is the same and they conform, switches, routers, WLCs, or any other device configured under

    Network resources > ... > Network devices and the AAA Clients

    The AAA clients aren't the AAA supplicants.

    End-user PCs are the AAA supplicants, and for these there is no limit on the number.

    HTH,

    Tiago

    --

    If this helps you or answers to your question if it you please mark it as 'responded' or write it down, if other users can easily find it.

  • Internal DB ACS4.2 replication - do not replicate the AAA clients

    I'm trying to set up a new server ACS4.2. ACS is installed, a partner of replication configured, etc. Master and slave new run every two ACS4.2 (0) Build 124. (Master shows 'Patch 12', slave shows any patch info)

    Replication on the new ACS server settings are identical to those on my current secondary ACS server that receives data replicated correctly.

    Problem: I have reproduce manually master ACS server on the new ACS server. Logs on both servers show a successful replication. Users, groups of users, network device groups (NDG) all reproduce them correctly. However, there are zero features in each of the NDG.

    Master is set to send, new slave set to receive:

    User and group database

    Network device Configuration tables

    WBS

    Configuration of the interface

    Interface security settings

    Password validation settings

    I also tried to reproduce the network access profiles instead of peripheral Network Configuration tables. Still no customer AAA in the NDG.

    I need my replicated AAA clients.  Should I be reproducing different or additional components? Am I missing some settings elsewhere in ACS?

    Hello

    Please apply patch 12 on slave ACS as well.

    Try the replication and let me know the results.

    Also on the Configuration of the network see the name NDG? or just no customer AAA under each NDG.

    Kind regards

    Anisha

  • ISE has not found any AAA Client or network devices

    During authentication using 802.1X and MAB, I get an authentication failure with error 11007 (could not locate AAA Client or network device). The cause that ISE gives me is "Cannot find the network device or the AAA Client while accessing NAS by IP for authentication." I did almost everything by the book, but instead of a loopback interface I used a VLAN with a defined IP address.  Could that be the cause of the problem?

    Here is the config of the port that I have tested on:

    interface GigabitEthernet1/0/9
    switchport access vlan 9
    switchport mode access
    switchport voice vlan 8
    IP access-group ACL-LEAVE in
    SRR-queue bandwidth share 1 30 35 5
    queue-series 2
    priority queue
    authentication event fail following action method
    action of death event authentication server reset vlan 4
    action of death event authentication server allow voice
    the host-mode multi-auth authentication
    open authentication
    authentication order dot1x mab
    authentication priority dot1x mab
    Auto control of the port of authentication
    restrict the authentication violation
    MAB
    MLS qos trust device cisco-phone
    MLS qos trust cos
    dot1x EAP authenticator
    dot1x tx-time 10
    Auto qos voip cisco-phone
    spanning tree portfast
    service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
    end

    Whatever IP address you entered in ISE when adding this switch must match the IP address of the interface configured under your "ip radius source-interface" command. In your first post you said you use an SVI for this, but in your later message I see that your RADIUS packets come from "TenGigabitEthernet1/0/1 interface". Double-check that and make sure things.

    If you have a Loopback interface configured, it is strongly recommended that you use it as the source for these services (RADIUS, TACACS+, SNMP, Syslog, etc.).

    Thank you for evaluating useful messages!

  • ACS 4.1 forces Clients to use certificates for PEAP-MSv2

    I have a test WLAN I want to log on a user/pass field domain users, but also force them to use the public key of a self-signed cert from the AAA server.  Right now, I can get this working, if for example a windows client will connect to the WLAN if you set it to authenticate the server cert in the PEAP protocol options.  Unfortunately I can't prevent connection customers who have a valid user/pass but do not set or cannot set the cert to authenticate.  This would allow employees who have to say, an android or iPhone just to enter his user/pass combo and get an IP on the WIFI network.

    Can ACS be denied to all customers who themselves are not connected with the certificate of service installation?

    Authentication side certificate made by the PEAP Protocol Server is completely client-side.  It is a sad reality and a good reason to put in place things like on the desktop group policy to prevent users to bypass this security check.  The problem is in fact common to all technologies that rely on the trust of the certificate system. Who do you trust? What is the basis of your confidence? It is based on your list of root certification authorities trust that in an Active Directory environment can be controlled by policy.

    The main objective of the authentication server with the PEAP Protocol is to validate the client sends identifying information to someone he trusts. If the customer decides blindly trust everybody, there's not much you can do.  I don't know policies similar to those enforcement mechanisms available with active directory on iphone or other mobile devices.

    Because PEAP protects mainly the users to communicate their passwords to a man in the Middle, you could implement a security mechanism, incorporating the RSA tokens or another technology that ensures the password will be useless if intercepted.  Another option would be to provide a wireless connection more open then requiring these devices to establish a VPN connection.

  • Import bulk and keep records - always through iPhoto?

    Hello

    I am someone help import their photos in pictures for Mac. They have been using Picasa and have kept their photos in a series of folders.

    Obviously, they'd like to keep this intact folder structure. I am aware that there are no 'files' or 'events' in Photos for Mac, but function of the albums in the same way. I also know that you cannot import multiple files together and kept in separate albums on the way.

    So my question is this, are the opinion of people who like to keep intact records when they do a bulk import that they must first configure things in iPhoto, with each case being a separate event?

    I know that an import of iPhoto will keep every event as a separate album but I check if there is a cleaner way.

    The next question is, if I first import into iPhoto, can I use iPhoto on the latest OS - 10.11.2?  If not, how far to go, or what other techniques people use to run iPhoto?

    Any advice greatly appreciated.

    Best,

    CM

    See old Toad post here: link to this post

    have albums created for them with the same name as the event.  You will need to use this Applescript in the Photos for Mac usage tips section: Photos for Mac: File Import of Image files in the library as Albums

  • Refuse the AAA Clients to a specific group of users GBA v4.1

    With the help of 4.1 is there a method 'simple' simply deny a user group the ability to connect to specific clients of AAA? Customer has a group of phones they want to allow them to Telnet and check in all routers of the voice, but not other routers, they have sets of orders and that the installation but I wanted to see if a way to push this group simply to voice only routers?

    Thanks in advance,

    Dave

    You can configure using NAR GBA.

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml

    Kind regards

    ~ JG

    Note the useful messages

  • After importing bulk - query performance initially very badly but ok next day?

    Hello

    We noted two times so far, that after the creation of a new schema and data on the spatial tables queries import block are very slow.
    (We will not check the non-space tables however). After you import the data, indexes and statistics are created.
    All the data is quite low (less than features 250'000 spread over several tables). This slowdown was evident hours after creating indexes and statistics. But after returning back to the work of the performance of the queries next day was good - as originally planned. No one does something in the meantime. Database is 11 GR 2.

    I vaguely remember I read that statistical etc. could not be used immediately after the creation/update but I didn't know there are so many kick. Is there an explanation of the behavior? It isn't really a problem for us, but I would like to know why this happens,

    Thank you, Rob

    Rob,

    Note that since 10g there is an automated collection of statistics DBMS_STATS work that takes place during the night. It seems that this creates appropriate statistics that result in a plan of execution. Take a look in Enterprise Manager to see the details of this work.

    You mentioned that collect you statistics after execution of your loading mass - I guess the problem is that you are not with the same characteristics as night work. Can you put the command you run to collect the statistics after bulk loading?

    John

  • How to import bulk layers in a psd?

    I have a PSD with many layers/groups etc, and I need to bulk import a folder of jpeg images as a new group in the psd file. I would like a simple/fast way to do instead of placing the images one by one.

    In Photoshop CS5 or later only, you can drag files from the Finder from Mac or Windows Explorer directly on your image open.

    They will import one by one and you have to press enter or return to Photoshop to place the next photo.

    But they will be separate layers. They will not be in a group and NOT, by dragging a folder will not work.

    I just tried this by dragging10 jpg all at the same time and it works, hit just enter or return after each photo.

    But this only works in Photoshop CS5 or later version.

    On Mac, it works the same, but you need a computer to Intel chip (anything in the last 5 years) so no computer chip Power PC.

  • How to use QPXVBLK: PS: import bulk of price list?

    Hello

    I'm trying to create a script for import price lists. I read that this program simultaneous ' QPXVBLK: PS: bulk import price list ' is what I need. I was able to successfully create the script to populate the tables of the interface:

    QP_INTERFACE_LIST_HEADERS
    QP_INTERFACE_LIST_LINES
    QO_INTERFACE_PRICING_ATTRIBS

    but I get an error message.

    3436374, CTR, QP_INTERFACE_LIST_HEADERS, 24934 cannot run Insert, because no record with orig_sys_header_ref 24934 already exists for the list_source_code.

    I thought it has something to do with the columns ORIG_SYS_HEADER_REF, ORIG_SYS_LINE_REF, and ORIG_SYS_PRICING_ATTR_REF.

    Here are the values that I'm currently passing.

    QP_INTERFACE_LIST_HEADERS TABLE
    -ORIG_SYSTEM_HEADER_REF = LIST_HEADER_ID

    QP_INTERFACE_LIST_LINES TABLE
    -ORIG_SYS_LINE_REF = LIST_LINE_ID
    -ORIG_SYS_HEADER_REF = the folder LIST_HEADER_ID parent in the TABLE QP_INTERFACE_LIST_HEADERS

    QP_INTERFACE_PRICING_ATTRIBS TABLE
    -ORIG_PRICING_ATTR_REF = PRICING_ATTRIBUTE_ID
    -ORIG_SYS_LINE_REF = the folder LIST_LINE_ID parent in the TABLE QP_INTERFACE_LIST_LINES
    -ORIG_SYS_HEADER_REF = the folder LIST_HEADER_ID parent in the TABLE QP_INTERFACE_LIST_HEADERS

    If this is not correct, what values should be passed on this column?

    Thank you
    Allen

    Allen

    Seems that the reference you use already exists in the system. Or use a fixed value for test purposes and assign it to list_header_id.

    First of all serve the table for any info that does not import to avoid duplicates. Check the value for INTERFACE_ACTION_CODE you use (INSERT, UPDATE, DELETE), use an id header different.

  • Problem importing users in ACS 5.0.0.21

    Hello.  We are having some difficulties importing users via csv import into our new ACS 5.0.0.21.

    I downloaded the template for the page "Import" and wrote a script that populated the .csv with all the necessary data, but it seems to fail every time on the membership group.

    At first I thought it was because the groups were not in the system already so I added manually each group.  I retried the import, and it does not always work with the message:

    2010-08-12 05:56:47: a Record number: 1, the internal user : import failed
    2010-08-12 05:56:47: : referenced object not found
    IdentityGroup:.

    This is repeated for all users and changes of name of group based on the group, that we need to add.

    From what I see, there is extra line breaks or extra characters no matter where in the csv file then I don't understand what could possibly be the cause of import fails.

    Any idea would be appreciated.

    Thank you!

    You must have the full path of the identity groups. Since it is hierarchical, it includes the names of all parent nodes, separated by ":". For example, if you created "Test Group" under "all groups",

    the line in the import file then appears in the form:

    Dave, TRUE, FALSE, 1234, all groups: Group Test

  • Importing bulk data into Oracle - with restrictions

    Hello

    I am trying to insert data from a stream (inside the ETL tool) of bulk in Oracle via a stored procedure, but under many restrictions. Hope you can help.

    Oracle 10 g database is.

    There is up to 1 000 000 records of about 100 bytes each, through delivery, to about 200 000 000 per day.

    Target table:

    CREATE TABLE TBL_STG
    (
    "KEY" NUMBER(13,0),
    "ATT_1" NUMBER(1,0),
    "TIMESTAMP" NUMBER(14,0),
    "ATT_2" NUMBER(14,0),
    "ATT_3" NUMBER(14,0),
    "ATT_4" NUMBER(2,0),
    "ATT_5" NUMBER(1,0)
    )

    I can easily convert the stream of input documents in a collection (list separated by commas, for example) with the ETL tool that I use. I then call the stored procedure with the collection of records (delimiter: comma) as one of the parameters.

    The problem is that I am using the ETL tool in slightly modified middle (emulation of continuous treatment) which greatly limits my possibilities to load data into Oracle.

    Basically, I can't use utilities (for example, SQL * Loader), except when writing to disk first! Neither the tool provided support for the api.

    I'm now calling a stored procedure with a collection set however it gives the problem types are NOT taken in charge the following data:

    Nested table, VARRAY/ANYTYPE: gives an error of type 108 unknown column
    index - by table (old style): unknown col.tp. 152
    Clob/NCLOB: unkn.col.tp 112
    BLOB: 113

    All I have left is the stored procedure:

    LONG RAW, RAW, LONG.

    These data types are not recommended, but at least still supported by 10g.

    So where did that my question, in these circumstances, could you provide me with assistance towards passing the RAW collection /... and interpreting it as a digital table in Oracle. Your help is greatly appreciated.

    Thank you

    (deleted - double post)

    Edited by: nthomas on January 6, 2009 14:43
