Issue of ACS UCP

I have ACS, IIS & UCP installed on the same Windows 2003 server. UCP has been installed recently. IIS configuration was made before the installation of the UCP.

After installation I tried accessing UCP through the URL http://localhost/secure/login.htm

I get the login prompt. When I enter the user name and password, I get "cannot display page" Web page. Please let me know the resolution for the same thing.

1. make

2. make

3. making

4. make

5 fact

6 do

7. do

8 do

9. Restart the Windows 2003 server.

10. From the ACS server itself, launch https://server/secure/login.htm

11. The Cisco Secure ACS UCP application appears:

12. Enter an ACS username and password:

It says:

The page is not found

The page you are looking for has been removed, had its name changed, or is temporarily unavailable.

Error HTTP 404 - file or directory not found.

Internet Information Services (IIS)

More ideas? Thank you.

Tags: Cisco Security

Similar Questions

  • CiscoSecure ACS UCP request help needed

    I upgraded CiscoSecure ACS from 4.1 to 4.2. The CiscoSecure ACS UCP application that is running was configured for the ACS 4.1 install, so do I need to change the UCP application, or will it work perfectly?

    I checked the database replication logs; they say "cannot replicate to 'wirelesspwd' - server not responding".

    Thank you

    ALMAS Sangaré

    Both should run on the same version so if you upgraded ACS version then you need to upgrade the UCP version too.

    UCP 4.2 installation guide

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/user_passwords/UCP.html

    Kind regards

    Jousset

    The rate of useful messages-

  • Issue of ACS upgrade

    I'm about to upgrade two ACS servers and I have a few questions. Both servers are running 4.0.27 and I'll go to the latest revision. I have all the files and the necessary "patches" based on what I read in the release notes. My questions are:

    1. as long as I have move away a GBA work, is it one problem to another for the upgrade down?

    2. Do all the current server certificates that are installed stay, or will they be reused after the upgrade?

    3. The current certificate is issued by an IAS server and will expire soon. What is the procedure for me to apply the new certificate?

    Thanx, Seth

    Go ahead and take a look at this:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/Sau.html#wp373226

  • Issue of ACS Windows Agent

    Hello

    We have just upgraded our ACS 3.3 to the latest version without problems. I created the Remote Agent on ACS, but when I install the agent on the Windows 2003 server I get "could not initialize variables". Anyone? Thank you.

    John

    John,

    - Log on to the computer as a local administrator, preferably 'administrator', then try to uninstall the Remote Agent and install it again. Log on locally to the box and install the RA.

    - If the above does not work, you may need to manually uninstall the Remote Agent. After uninstalling, you can try to reinstall the latest version of the Remote Agent.

    somishra

  • THE ISSUE WITH ACS REMOTE AGENT LOG

    Hello guys,

    I installed a Cisco ACS SE with version 3.3. I am trying to configure ACS to send logs to the remote agent, but it does not work. I installed the ACS remote agent and enabled the logging service during the installation. The ACS appliance can communicate with the remote agent, but ACS cannot write logs on the remote agent. If I look at the logs on ACS they are OK, but when I look at the logs on the Remote Agent Windows machine there is nothing there. Could someone help me?

    Thank you

    Hello

    Please try configuring remote logging as shown in the link:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/3.3/user/guide/r.html#wp952633

    Kind regards

    Anisha

    P.S.: ACS 3.3 is end of life and out of support. Please install the latest version.

  • Issue of ACS RDBMS

    Hello guys,

    Actually, I was happy to find the RDBMS feature for entering my hundreds of AAA clients in the database, but now I'm stuck with a problem.

    I want to combine some devices in a single AAA client entry, which means that there will be multiple IP addresses inside it.

    According to the RDBMS feature, I can only add 1 IP per CSV line. Is there any workaround to push more into the AAA entry without adding them manually?

    If I try using several CSV lines with the same name but different IPs, I just get an error.

    Thanks for your help!

    You cannot use several IPs in an AAA client entry, but you have the following options:

    1. You can set up a network device group (NDG) and put AAA clients of the same type in the group.

    Or

    2. You can use the wildcard character asterisk "*" or a range of IP addresses to include several IP addresses in one AAA client, such as 10.1.1.* or 10.1.1.1 - 10.1.1.100.

  • Issue of operability of the ACS as RADIUS with ASA 5.0?

    Hello

    I'm trying to get my VPN users authenticated with RADIUS (ACS 5.0), and the VPN user database is created in AD. Now when I try to connect through the Cisco VPN client, I am unable to do so. In fact, I get an error message (through debugging on the ASA for aaa and isakmp) that my RADIUS server is DOWN.

    Please let me know whether there is any compatibility issue with ACS 5.0, because everything was working fine on my ACS version 4.2.

    Regards

    Ritesh

    Ritesh,

    Yes, there is a defect in ACS 5.0 with VPN authentication.

    When you try to connect with the VPN client. you will not see any hits in the follow-up and the views.
    The ASDM logs: you'll see radius server is not accessible.
    Debugs you show RADIUS period.
    This will work with TACACS+.

    Access policy rule was does not. Also, could not use RADIUS as hit CSCsy17858

    http://cdetsweb-PRD.Cisco.com/apps/goto?identifier=CSCsy17858 Used TACACS+ instead of RADIUS.

    If you want to use the RADIUS then you need to upgrade your version of acs to 5.1

    You can download patch 9 (5-0-0-21-9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg) from the path below:

    Go to Cisco.com > support > download software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software 5.0.0.21 >

    Reference: upgrading ACS from version 5.0 to 5.1:
    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.html

    HTH

    Kind regards

    JK

    The rate of useful messages-

  • ACS issue 5.2

    Hey all,

    I think it's a fairly straightforward ACS question.  We are looking to set up a new installation of ACS 5.2, and the question is whether or not we can use ACS internal administrative accounts (System---> accounts Administration) to log in to our network infrastructure devices.

    I've been looking through the documentation, but I have not found a way to do this, and I'm not sure if this is done for security, i.e. separate accounts/groups depending on what you are trying to administer, or if I'm just missing something obvious...

    Thank you-

    Jon

    No, the system administration account is used for authentication to the ACS user interface.


  • Join the ACS 5.4 AD strange question

    Hello

    We have two ACS boxes with the same software version (5.4.0.46.0a). We were able to join only one ACS to the domain, and the other ACS gives the attached error.

    When we checked with "main-acs-01/admin# acs troubleshooting adcheck", it gave the same error for both; however, one ACS successfully joined the domain and the other failed.

    principal-acs-01 / admin # acs troubleshooting adcheck<>

    This command is only for advanced troubleshooting and could suffer a lot of network traffic

    Do you want to continue?  (yes/no) Yes

    OSCHK: Check that it is operating system: pass

    PATCH: Patch Linux check: pass

    PERL: Check that perl is present and is a good version: pass

    SAMBA: Inspection of the installation of Samba: pass

    SPACECHK: Check if there is enough space in/var/usr/tmp: pass

    HOSTNAME: Check the hostname parameter: pass

    NSHOSTS: Check the hosts line in /etc/nsswitch.conf: pass

    DNSPROBE: Probe Server DNS 172.24.1.1: pass

    DNSPROBE: Probe Server DNS 172.24.1.2: pass

    DNSCHECK: Analyze the health of DNS servers database: pass

    WHATSSH: Is it a SSH DirectControl works perfectly with: pass

    SSH: SSHD version and configuration: Note

    : You are running OpenSSH_5.3p1, CiscoSSL 0.9.8r.1.3.

    DOMNAME: Check that the domain name is reasonable: pass

    ADDC: Search for domain controllers in the DNS: pass

    ADDNS: Search DNS DC xxxx.                      : Pass

    ADPORT: Scan of Port DC xxxx.                       : Pass

    ADDNS: Search DNS DC xxxx.                     : Pass

    ADPORT: Scan of Port DC xxxx.                      : Pass

    ADDNS: Search DNS DC xxxx.                      : Failed

    : Could not resolve the IP address of xxxx.hmc.org.qa.

    ADDNS: Search DNS DC xxxx.                      : Pass

    ADPORT: Scan of Port DC xxxx.                       : Pass

    ADDNS: Search DNS DC xxxx.                   : Pass

    ADPORT: Scan of Port DC xxxx.                    : Pass

    ADDNS: Search DNS DC xxxx.                     : Pass

    ADPORT: Scan of Port DC xxxx.                      : Warning

    : One or several ports did not respond correctly. Either:

    : (a) the domain controller is offline

    : (b) a firewall prevents access to a port

    : The following is a list of ports has failed:

    : ldap 389/udp - timeout

    : smb 445/tcp - denied

    : ldap 389/tcp - denied

    ADDNS: Search DNS DC xxxx.                        : Pass

    ADPORT: Scan of Port DC xxxx.                         : Pass

    ADDNS: Search DNS DC xxxx.                        : Pass

    ADPORT: Scan of Port DC xxxx.                         : Pass

    ADDNS: Search DNS DC xxxx.                           : Pass

    ADPORT: Scan of Port DC xxxx.                            : Pass

    ADDNS: Search DNS DC xxxx.                    : Pass

    ADPORT: Scan of Port DC xxxx.                     : Pass

    ADDNS: Search DNS DC xxxx.                      : Pass

    GCPORT: Port scan of GC xxxx.                       : Pass

    ADDNS: Search DNS DC xxxx.                     : Pass

    GCPORT: Port scan of GC xxxx.                      : Pass

    ADDNS: Search DNS DC xxxx.                      : Failed

    : Could not resolve the IP address of airportdc1. .

    ADDNS: Search DNS DC xxxx.                      : Pass

    GCPORT: Port scan of GC xxxx.                       : Pass

    ADDNS: Search DNS DC xxxx.                   : Pass

    GCPORT: Port scan of GC xxxx.                    : Pass

    ADDNS: Search DNS DC xxxx.                     : Pass

    GCPORT: Port scan of GC xxxx. : WARNING

    : One or several ports did not respond correctly. Either:

    : (a) the GC is offline now

    : (b) a firewall prevents access to a port

    : The following is a list of ports has failed:

    : gc 3268/tcp - denied

    ADDNS: Search DNS DC xxxx.                        : Pass

    GCPORT: Port scan of GC xxxx.                         : Pass

    ADDNS: Search DNS DC xxxx.                        : Pass

    GCPORT: Port scan of GC xxxx.                         : Pass

    ADDNS: Search DNS DC xxxx.                           : Pass

    GCPORT: Scan of Port GC xxxx : pass

    ADDNS: Search DNS DC xxxx.                    : Pass

    GCPORT: Port scan of GC xxxx.                     : Pass

    ADGC: Check Global catalog servers: pass

    DCUP: Search for operational controllers : pass

    SITEUP: Check DCs for in our site: pass

    DNSSYM: Check the symmetry of DNS server: pass

    ADSITE: Verify that the subnet of this machine is in a site known as AD: pass

    GSITE: See if we think it is the correct site: pass

    TIME: Synchronization of clocks Check: pass

    2 serious issues have been encountered during the audit. These must be fixed before proceeding

    2 warnings were encountered during the audit. We recommend that you check these before proceeding

    principal-acs-01 / admin #.

    Has anyone faced this problem before? I would be grateful if someone could tell me how to solve it.

    It is a known issue with ACS 5.3. However, we had this problem in ACS 5.3 patch 7 and ACS 5.4.

    Since you're on ACS 5.4, it should not trigger.

    CSCtx53223    After update 5.3 ACS fail to join the domain AD - lack of license Centrify

    Symptom:

    After the upgrade from 5.2 to 5.3, ACS is unable to join the domain. AD connection worked for several days, until the services have been restarted. After this, ACS is unable to join AD with the following in ACSADAgent.log error message:

    Jan 20 02:36:32 CBR1BACS01 Bordes [6814]: DEBUGGING cli.adjoin Join to area is permitted only with a licensed copy of DirectControl. Obtain a license or learn more about Centrify following http://www.centrify.com/express

    Jan 20 02:36:32 CBR1BACS01 Bordes [6814]: DEBUGGING cli.adjoin without a permit, you can connect to a domain via Auto Zone by specifying Bordes w Test.Test

    Conditions:

    Move from 5.2 to 5.3. Restart the services thereafter.

    Workaround solution:

    Back up the ACS DB and reimage the box to 5.3.

    How did you upgrade to ACS 5.4?

    1.] Upgraded from 5.3 to 5.4 using the upgrade package.

    2.] Reimaged with the ACS 5.4 ISO and restored the ACS 5.3 database.

    I suggest you open a TAC case on this. [Most likely you must reimage the server and restore the database if you went with option 1.]

    ~ BR
    Jatin kone

    * Does the rate of useful messages *.
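A small parser for adcheck output of the kind pasted in the thread above, added here as an example that is not part of the original posts: it lists the checks that did not pass, the hosts whose DNS lookup failed, and the ports to verify on the domain controller and firewalls. The sample text, host names and function names are constructed for the example, and the English check descriptions are assumed.

```python
import re

# Constructed sample in the layout of the adcheck output quoted in the thread;
# host names and results are made up, English descriptions are assumed.
SAMPLE = """\
ADDNS: DNS lookup for DC dc1.example.test : Pass
ADPORT: Port scan of DC dc1.example.test : Pass
ADDNS: DNS lookup for DC dc2.example.test : Failed
: Could not resolve the IP address of dc2.example.test
ADDNS: DNS lookup for DC dc3.example.test : Pass
ADPORT: Port scan of DC dc3.example.test : Warning
: The following is a list of ports that failed:
: ldap 389/udp - timeout
: smb 445/tcp - denied
: ldap 389/tcp - denied
GCPORT: Port scan of GC dc3.example.test : Warning
: The following is a list of ports that failed:
: gc 3268/tcp - denied
TIME: Check clock synchronization : Pass
"""

OK_STATUSES = {"pass", "note"}
CHECK_RE = re.compile(r"^([A-Z]+)\s*:\s*(.*\S)\s*:\s*(\w+)\s*$")
PORT_RE = re.compile(r"(\d+)/(tcp|udp)\s*-\s*(\w+)")
HOST_RE = re.compile(r"\b(?:DC|GC)\s+(\S+)")


def parse_adcheck(text):
    """Split the output into checks; lines starting with ':' are details."""
    checks = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):
            if checks:
                checks[-1]["details"].append(line.lstrip(": "))
            continue
        m = CHECK_RE.match(line)
        if m:  # blank lines and prompts match nothing and are skipped
            tag, desc, status = m.groups()
            checks.append({"tag": tag, "desc": desc,
                           "status": status.lower(), "details": []})
    return checks


def findings(checks):
    """Return every check that did not pass, with its host and failed ports."""
    out = []
    for c in checks:
        if c["status"] in OK_STATUSES:
            continue
        host = HOST_RE.search(c["desc"])
        ports = [(int(port), proto, result)
                 for detail in c["details"]
                 for port, proto, result in PORT_RE.findall(detail)]
        out.append({"tag": c["tag"], "status": c["status"],
                    "host": host.group(1) if host else None, "ports": ports})
    return out


def unresolved_hosts(found):
    """Hosts whose DNS lookup failed: check the DNS records for these."""
    return sorted(f["host"] for f in found
                  if f["tag"] == "ADDNS" and f["host"])


def blocked_ports(found):
    """(host, port, proto, result) tuples to check on the DC and firewalls."""
    return sorted((f["host"], port, proto, result)
                  for f in found for port, proto, result in f["ports"])


if __name__ == "__main__":
    found = findings(parse_adcheck(SAMPLE))
    print(unresolved_hosts(found), blocked_ports(found))
```
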

  • ACS 5.1 user password expire does not work

    Hi, I set up the password policy under administration: the password length, the required elements such as numbers, letters and so on.

    On the second tab is the password expiry for users, and I configured it to expire after 90 days.

    I even tried creating a new user and changing the password for an existing user via the Apache Tomcat WAR.

    I checked the ACS unit's clock and NTP against our internal NTP servers.

    Whether I create a new user, change the password from the admin user interface, or change the password for the user via the Apache Tomcat WAR, the user gets disabled within a few minutes to half an hour.

    Lastly, with Cisco AnyConnect, is it possible to warn the user that the password is expiring and, if yes, can the change be done through AnyConnect, or is a manual task by the user on the Apache Tomcat portal with the ACS WAR application absolutely necessary?

    Finally, can't I disable the logon on the ASA 5510 (8.3) to prevent users from connecting through the AnyConnect application download (on the ASA portal)? This is to stop people connecting from Internet cafes and other public facilities that do not have the AnyConnect application installed from a USB device or local disk.

    I think you hit a known issue with ACS 5.1:

    CSCtf06311: all internal users automatically disabled after you be connected to a single user

    This is fixed in a hotfix for ACS 5.1.  Hotfix Rollup 5.1.0.44.3 which can be downloaded from CCO

    If you decide to download a version of patch, it may be useful to take the latest cumulative hotfix for ACS 5.1: 5.1.0.44.6

  • Problem with shell command authorization

    I came across this issue with ACS 3.1 and ACS 3.2.

    A shell command authorization set is created under Shared Profile Components with the following settings:

    Unmatched Commands: Deny

    Permit Unmatched Args: UNCHECKED

    The permitted command is 'show' with the args "permit ver", "permit interface" and "permit run".

    This authorization set is then applied to the group, under the option "Assign a Shell Command Authorization Set for any network device".

    For this group, the option 'Max Privilege for any AAA Client' is set to level 15.

    This configuration is then tested against two IOS switches, with aaa commands as follows:

    aaa new-model

    aaa authentication login default group tacacs+ local

    aaa authentication enable default group tacacs+ enable

    aaa authorization exec default group tacacs+ local

    aaa authorization commands 15 default group tacacs+ local

    The problem I have is that when a user who is part of this group logs in, they can issue commands such as show ver, show run and show int, just as I would expect. Any command that does not begin with show is denied. However, some other show commands that do not appear in the arguments work, while others don't. For example, "show arp" and "show vlan" worked, while "show accounting" and "show buffers" did not. What am I missing?

    The commands that work without being explicitly permitted are at a privilege level lower than 15. For example, "show arp" is a priv-1 command, so it is executable without command authorization, as you do not have command authorization configured for priv-1.

    Router>sh priv
    Current privilege level is 1
    Router>
    Router>
    Router>show arp
    Protocol  Address    Age (min)  Hardware Addr   Type  Interface
    Internet  10.1.5.2   24         0000.abcd.abcd  ARPA  Ethernet0/0
    Internet  10.1.5.3   -          0003.abcd.abcd  ARPA  Ethernet0/0
    Router>
    Router>

  • Updated VM of ACS 5.4 a space issue warnings

    Updated to 5.4 last night and ran into several warnings regarding storage space.  Here is the specific message:

    Warning: [acsDiskSizeCheckUtil.sh] Patch of 1079 M size exceeds the quota allowed 1000 M. it will not prohibit hotfix installation process as long as there's enough disk space. Please note that this indicates that you should consider moving ACS to a superior machine of disk space

    I also note that the 5.5 upgrade documentation requires you to have 500 GB or more available for the upgrade.

    The virtual machine was thin provisioned with a 512 GB drive and shows only 84 GB actually used, so a few questions.

    1. Is the underlying operating system used by ACS smart enough for me to simply increase the capacity of the underlying virtual disk and have it recognize this new capacity?
    2. Are there any CLI commands in ACS that will allow me to see/manage the underlying disk capacity?
    3. The documentation says to increase the capacity by either "re-imaging" the virtual machine or installing a completely new instance and restoring the backup of the original.  What exactly does Cisco mean by "re-imaging"?  Are they referring to storage vMotion, where I can change the disk during a migration?

    Thank you for all time.

    My comments:

     Is the underlying OS used by ACS smart enough for me to simply expand the capacity of the underlying virtual disk and have it recognize this new larger capacity

    - Unfortunately, the answer is 'No'. I tried to increase the capacity of a disk in ISE and ACS with root privileges, and both times it was a complete failure. Now maybe it was because of my weak Linux skills, but in any case the answer is really 'no'. If you want more disk space you must re-create the ACS VM and then restore/rebuild your config.

     Are there any CLI commands in ACS that will let me view/manage the underlying disk capacity?

    -Have you tried to display the records

     The documentation says to increase the capacity be either "re-imaging" the vm or installing a totally new instance and restoring the backup from the original. What exactly does Cisco mean by "re-imaging" ? Are they referring to storage vMotion where I can change the disk during a migration?

    - Related to issue #1. Basically, you blow away the current VM and build a new one. Then you restore your configs.

    Thank you for evaluating useful messages!

  • ACS 5.1 issues

    Experts of the Association,

    Need quick answers to questions related to ACS 5.1 for a customer. I haven't used ACS 5.1 yet, so excuse the easy questions.

    (1) Is it possible to generate a report of users who have been inactive for 30 days? The customer is looking for these users to see if they really need access to any device.

    (2) Are there any known issues affecting users' privilege levels? In the customer's current implementation, users always log in at priv 1 even if they are assigned priv level 5. I understand that with ACS 4.x we can enable the exec process and assign priv under the user/group policy. What configuration might the customer possibly be missing in this case?

    (3) Is there any SNMP or other notification available in ACS 5.1 by which the admin can be notified at the time a particular set of users connects?

    Thank you

    Hello

    Please find answers inline:

    (1) Is it possible to generate a report of users who have been inactive for 30 days?  The customer is looking for these users to see if they really need access to any device.

    [ANS] You can generate user reports using several elements, including reports for the last 30 days:

    (2) Are there any known issues affecting users' privilege levels? In the customer's current implementation, users always log in at priv 1 even if they are assigned priv level 5. I understand that with ACS 4.x we can enable the exec process and assign priv under the user/group policy. What configuration might the customer possibly be missing in this case?

    [ANS] You can do exactly the same in ACS 5.x: just create authorization profiles to apply to users who authenticate successfully.

    (3) Is there any SNMP or other notification available in ACS 5.1 by which the admin can be notified at the time a particular set of users connects?

    [ANS] You can create "Alarms" which will send a notification by e-mail or to a syslog server:

    Monitoring and reports > ... > Alarms > Thresholds > Add

    HTH,
    Tiago

    --

    If this helps you or answers to your question if it you please mark it as 'responded' or write it down, if other users can easily find it.

  • ACS server installation issues

    I have a remote site customer that is in the process of replacing their ACS servers,and have several questions:

    1) What version should we be installing?

    2) Where can we get a clean binary installer (or do we have to start with 3.x or 4.0 & upgrade-if upgrade, can we use latest patch installer, or do we have   to apply successive patches?)

    3) Cross-version replication? Current servers have Release 4.1(1) Build 23 Patch 5-do these need to be upgraded to current version, or can we install latest & replicate from current?

    4) Is it possible to use different DNS name (ex rtpacs.corpnet2.com) for website than server's 'real' name (ex. us2sawn00232.us1auth.xxxx.com)?

    5) How to use GSK-signed cert? Have tried previously & failed-anything special here?

    Thanks for any help you can give.

    RO

    Hi Richard,

    For your replication queries: ACS should be the same version; only then can you replicate between the ACS partners. So your first and third queries are answered.

    For your fourth query, you can use the DNS server to host your web server name: when a user accesses your web site, the traffic will land on your DNS server, which will redirect it to the origin server, so the DNS server should be the authoritative server for your web site.

    For a clean binary installer, I would say check out this link: http://openacs.org/forums/message-view?message_id=1245671 I hope this helps.

    If useful, please rate valuable posts.

    Regards

    Ganesh.H

  • ACS remote 4.1 change password issued.

    I need assistance getting remote password changes working. The user gets challenged to change his password and confirm the new password, but then fails to connect to the switch. I checked ACS and it says that his account is expired. I use ssh as the transport input on the vty lines; I don't know if this is the problem?

    Help, please!

    SSH password aging, unique password change etc are supported by bug CSCin91851.

    The fix is included in the version 12.4 (10.01) T.

    http://www.Cisco.com/cgi-bin/support/Bugtool/onebug.pl?BugID=CSCin91851&Submit=Search

    Kind regards

    ~ JG

    Note the useful messages
