Redundancy of the ACS

Is it possible to run a second ACS as a redundancy? I found nothing about this in the documentation.

You might want to take a look at the replication options

System Configuration --> CiscoSecure Database Replication

This will allow the redundant server to keep in step with the master server.

It is also worth considering using the second server not simply to provide redundancy but also to share the load.

Half of the devices pointing to Server A, failing back to Server B

The other half of the devices pointing to Server B, failing back to Server A

Tags: Cisco Security

Similar Questions

  • Ensure the redundancy of the ACS

    Hi,

    What happens if my only ACS breaks down? ACS is active on my access switches.

    What deployment scenario are we talking about here? For example, with 802.1X deployments there is a feature (called Inaccessible Authentication Bypass) that allows you to access a specific VLAN in the scenario where connectivity to the ACS server is compromised. Is that something that can help you?

  • Is there a problem with accounting and ACS 4.1

    Good day to all,

    I just installed a new server with ACS 4.1.

    Once this new ACS 4.1 installation is approved, I will retire my old ACS 3.1 server.

    At this point, the only problem I have with ACS 4.1 is with the accounting.

    For example:

    I used a test router with all the necessary config pointing to my old ACS 3.1. Everything works fine (authentication and accounting). If I enter a command on the test router, it is logged on ACS 3.1.

    Now, if I change the test router to point to the new ACS 4.1, ACS 4.1 will authenticate the test router correctly, but won't save any command that I enter on the test router. I did a capture between the test router and ACS 4.1, and the test router sends the accounting record to ACS 4.1.

    There are many configuration differences between ACS 3.1 and 4.1, but as far as I can see the config on the two ACS servers is as similar as possible.

    Is there anyone out there who got ACS 4.1 to process accounting properly?

    Any idea will help.

    Thank you

    Frank

    Here is my config:

    aaa new-model

    aaa authentication login default group tacacs+ local

    aaa authentication login NO-AUTH none

    aaa authorization exec default group tacacs+ local

    AAA authorization commands start-stop Group 1 tacacs+

    AAA authorization commands start-stop group 15 tacacs+

    aaa accounting exec default start-stop group tacacs+

    aaa accounting commands 1 default start-stop group tacacs+

    aaa accounting commands 15 default start-stop group tacacs+

    !

    192.168.100.16 host key radius-server *.

    (the above command is the only command I change to point to either ACS 3.1 or ACS 4.1)

    RADIUS-server application made

    Please use the following link. It has 4.1 cumulative patch that contains the hotfix for bug.

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES

    Don't forget to download the readme text also.

    Rate me if it helps.

  • The ACS upgrade to 3.2

    Greetings,

    When upgrading to ACS 3.2, will all my settings and security remain the same? If this isn't the case, I have a router connected to the server and I will get locked out. I heard there is a specific order for removing the lines to avoid locking myself out. Is this true?

    Thank you

    You will need to select the option "Yes, import the existing configuration" while upgrading the ACS software. Information on upgrading the Cisco ACS software while preserving the configuration is found in the documentation at

    http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacs4nt/ACS32/win32sig.htm#9934

  • Download the ACS software... ?

    I don't know about the 90-day trial; however, is there a way to download a full version for Windows from the Cisco site? I am able to download the software, so that isn't a problem. I don't see anywhere to download a full version and not only the 90-day trial.

    TKS-

    You must purchase the software to get the full version. It is only available on CD. When you buy the ACS software, it comes with a device (ACS1111). I do not see the necessity or the advantage of Cisco making the full version of ACS available for download on their website.

  • The ACS authentication

    We have ACS running without any problem. We have a special VLAN for a public kiosk that clients can use to surf the internet. The kiosk is wireless and is configured for automatic connection with a specific account. The access point uses the vlan 1 and vlan 40 terminal wireless. When the kiosk machine authenticates to ACS running on our domain controller (which resides on VLAN 10), does the kiosk machine communicate with the domain controller, or does the kiosk machine communicate with the access point, which in turn communicates with the ACS server? I would like to block VLAN 40 access to VLAN 10, but if the kiosk machine must communicate with the domain controller, I don't think I can. Any help is appreciated. Thank you.

    The unreliable kiosk machine only communicates with the AP. The AP will send the credentials to the ACS server, which in turn will try to authenticate them against the Windows domain controller.

  • The ACS trial version expired

    I know I should have remembered, but I did not...

    I have been using the ACS 90-day trial, which expired before I bought a copy.

    Do I lose everything, and how do I go about licensing the product now that I have bought it?

    Thank you

    Andrew

    Please mark it as resolved, so others can benefit from it.

    Kind regards

    ~ JG

  • AAA TACACS+ accounting - CLI issued by user does not appear in the ACS report.

    Can I know why the CLI issued by the user does not show on the ACS TACACS+ accounting report? The length of time is displayed, but I also want to log which commands were issued by the user.

    What is missing here?

    aaa authentication login VTY group P1_ACS local enable

    aaa authorization exec default group P1_ACS local if-authenticated

    aaa authorization exec CONSOLE none

    aaa accounting exec default start-stop group P1_ACS

    aaa accounting commands 5 default start-stop group P1_ACS

    AAA commands 15 arrhythmic default accounting P1_ACS group

    Command accounting logs are stored in the TACACS+ Administration logs.

    There is also a known issue on ver 4.1.1 and we must apply the ACS 4.1.1.23.5 patch to fix the problem.

    Patch for the unit is available on

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES

    The patch name: ACS SE 4.1.1.23.5 rollup

    Acs hotfix for windows is available on

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES

    The patch name: ACS 4.1.1.23.5 rollup

    CCIE Security

  • ICS error - "The dependency service or group failed to start"

    These days I have been facing this problem with ICS. Whenever I try to share my internet connection over Wi-Fi, it gives an error saying: "The dependency service or group failed to start". I have reset the connection, disabled and enabled it, and restarted the system as well, but nothing changes and the error appears every time. Can someone help with this? It would be much appreciated.

    Hi kaliszewski,.

    Welcome to the Microsoft Community and thanks for posting the question.

    According to the description, it looks like you are facing Internet Connection Sharing problems.

    Please follow the steps mentioned below that can help us to solve the cause of the problem.

    Method 1:

    Maybe not all services that Internet Connection Sharing (ICS) depends on are enabled. I suggest you start over and make sure that the dependency services below are started.

    1. Click Start, Run, type services.msc and click OK.

    2. To enable a service, find it in the right pane and double-click its entry.

    3. Make sure that the Startup Type is set to Automatic, and then click OK.

     

    All the following services must be configured this way to use ICS:

    Application Layer Gateway Service
    Network Connections
    Network Location Awareness (NLA)
    Plug-And-Play
    Remote Access Auto Connection Manager
    Remote Access Connection Manager
    Remote procedure call (RPC)
    Telephony

    After checking and setting automatic startup for each of these services, close the Services window and restart the computer before trying again to enable ICS.

    Method 2:

    Disable and then re-enable Internet Connection Sharing on the Internet connection of the Windows 7 computer. If it asks you to select a private network connection, select the one that connects to the hub. Check the LAN connections on each computer:

    1. Press Windows Key + R.
    2. Type ncpa.cpl in the box and press enter.
    3. Right click on the connection to the local network, and then click status.
    4. Click on Details. It should show these values:
    • IPv4 address: 192.168. *. *
    • IPv4 subnet mask: 255.255. *. *

    If the values are not good, Internet connection sharing is not configured correctly.

    You can also consult the following link for troubleshooting Internet connection sharing problems:

    http://Windows.Microsoft.com/en-us/Windows7/using-ICS-Internet-connection-sharing

    Hope the above helps with the problem.

    If you need further clarification or additional assistance, please let us know, we will contact you as soon as possible.

    Thank you.

  • To access the AIP-SSM-10 through the ACS

    Hi,

    Please, I would like to know if you can access the AIP-SSM-10 using a Cisco ACS account.

    Thank you

    IPS module does not support authentication to the ACS server.

    Please find the only authentication method for IPS in the following document:

    http://www.Cisco.com/en/us/docs/security/IPS/7.0/Configuration/Guide/IDM/idm_sensor_management.html

    Hope that answers your question.

  • the ACS 5.1 and cisco ACE module

    Hello

    I would like to configure TACACS+ AAA on the Cisco Catalyst 6500 Application Control Engine module. In the configuration guide for ACE it is advised that you need to configure additional parameters to be returned by the RADIUS server (shell:= ...) for authorization of the Cisco ACE virtual context. My question is: where exactly should I put these settings in ACS 5.1? Is there a document describing ACE + ACS 5.1 TACACS+ configuration?

    Thank you

    WM

    Here is the doc.

    Post edited by: jkatyal

  • Administrator rights to the ACS using Active Directory groups

    Good afternoon

    We need to be able to use administrative accounts for our ACS appliance that reside in an Active Directory group, if possible.  If this is not possible, what other safer options would we be able to use (RADIUS authentication or authentication RSA 2)?

    Thanks in advance

    You can only use the locally stored accounts within the ACS.

  • Two questions about the ACS 5.1: password aging and allowing multiple disabled accounts

    Hello

    I am testing password aging in ACS 5.1, and I discovered that you can have only one global setting for the password lifetime for all internal accounts. Is it possible to exclude some internal accounts from this global password aging policy? I would like to have a number of accounts whose passwords should not age at all...

    Second question: when I was testing password aging, I set the password lifetime to 4 days with a warning after 2 days. All accounts in my ACS test configuration are now disabled, because 4 days have passed since I changed it. Is there a possibility to enable multiple accounts at once, or do I have to activate 500 internal accounts manually, one by one?

    Thanks in advance

    WM

    I'm not aware of any way to mark internal users as having passwords that never expire. This is done for admins to ensure there is always an admin who can access the system.

    In order to change multiple/all records for internal users, the following approach can be taken:

    1. Go to the list of internal users and press "Export", then 'Start export' and 'Save file', to export the user records to a csv file
    2. Edit the file. In the column titled 'active', replace 'FALSE' with 'TRUE' for all records. Save the updated file
    3. On the page that lists internal users, press "File Options", select "Update", and then click Next to reach the "Import a file" section of the wizard. Select the file saved in step 2) and press Finish

    After the import is completed, all internal user records should now display "Enabled".
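A sketch of step 2 of the procedure above, added here as an example and not part of the original answer. It assumes the export is plain comma-separated text with a header row, that the status column is titled `active` as the answer states, and that the first column holds the account name; the sample export is constructed. Unlike a blanket search-and-replace, it accepts a list of accounts that were disabled on purpose and leaves them alone.

```python
import csv
import io

def enable_accounts(csv_text, column="active", keep_disabled=()):
    """Flip FALSE -> TRUE in `column`; return (updated_csv_text, changed_names)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames is None or column not in reader.fieldnames:
        raise ValueError(f"column {column!r} not found in export header")
    name_col = reader.fieldnames[0]  # assumption: first column is the account name
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    changed = []
    for row in reader:
        disabled = row[column].strip().upper() == "FALSE"
        # Accounts disabled for a reason (leavers, suspended users) stay disabled.
        if disabled and row[name_col] not in keep_disabled:
            row[column] = "TRUE"
            changed.append(row[name_col])
        writer.writerow(row)
    return out.getvalue(), changed

# Constructed sample export; real exports carry more columns, which pass through unchanged.
SAMPLE_EXPORT = """name,description,active,identity group
alice,Network admin,FALSE,All Groups:Admins
bob,"Contractor, left 2010",FALSE,All Groups:Contractors
carol,Helpdesk,TRUE,All Groups:Helpdesk
"""

if __name__ == "__main__":
    updated, changed = enable_accounts(SAMPLE_EXPORT, keep_disabled={"bob"})
    print(updated)
    print("re-enabled:", changed)
```

Keeping the returned list of changed names gives a record of exactly which accounts the import re-enabled.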

  • Issue of operability of the ACS as RADIUS with ASA 5.0?

    Hello

    I'm trying to get my VPN users authenticated with RADIUS (ACS 5.0), and the VPN user database is created in AD. Now when I try to connect through the Cisco VPN client, I am unable to do so. In fact, I get an error message (through debugging on the ASA for aaa and isakmp) that my RADIUS server is DOWN.

    Please let me know whether there is any compatibility issue with ACS 5.0, because everything was working fine on my ACS version 4.2.

    Regards

    Ritesh

    Ritesh,

    Yes, there is a defect in ACS 5.0 with VPN authentication.

    When you try to connect with the VPN client, you will not see any hits in the monitoring and reports views.
    The ASDM logs: you'll see the RADIUS server is not accessible.
    Debugs will show a RADIUS timeout.
    This will work with TACACS+.

    The access policy rule was not hit. Also, RADIUS could not be used, as this hits CSCsy17858

    http://cdetsweb-PRD.Cisco.com/apps/goto?identifier=CSCsy17858

    Used TACACS+ instead of RADIUS.

    If you want to use RADIUS, then you need to upgrade your version of ACS to 5.1

    You can download patch 9 (5-0-0-21 - 9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg) from the path below:

    Go to Cisco.com > support > download software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software 5.0.0.21 >

    Reference: upgrading ACS from version 5.0 to 5.1:
    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.html

    HTH

    Kind regards

    JK

    The rate of useful messages-

  • The ACS replication ports

    Hello all, I have two ACS 3.3 and I try to replicate but it does not work. The topology is something like this:

    ACS1<->PIX525<->RouterTelmex - Internet - RouterTelmex<->ASA5540<->ACS2

    I tested a lot of things, and I guess that the problem is in the ASA5540. So the question is: does anyone know which ports need to be opened on the ASA5540 to allow replication? I know port 2000 must be opened, but I think there must be some more ports.

    Thank you very much.

    Gabriel

    Hello Gabriel,

    As far as I know, you only need port 2000 open for ACS replication.

    BTW, do you have skinny inspection enabled on the ASA? ACS replication runs on port 2000, which also happens to be the same port as the Skinny protocol. Make sure that skinny inspection is disabled on the two firewalls and see if you can get the replication working.

    no fixup protocol skinny 2000

    I hope it helps.

    Kind regards

    Arul

    * Please note all useful messages *.
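A way to check both firewalls for the condition described in the answer above, added here as an example and not part of the original thread. It scans a saved configuration for Skinny inspection in either form: the PIX `fixup protocol skinny` line the answer refers to, or `inspect skinny` inside a `policy-map` class, which is how later ASA software expresses the same setting. Both sample configurations are constructed.

```python
import re

def find_skinny_inspection(config_text):
    """Return (line_no, scope, command_to_disable) for each active Skinny inspection."""
    findings = []
    policy_map = class_name = None
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if raw and not raw[0].isspace():
            # A top-level command ends any policy-map sub-mode.
            policy_map = class_name = None
            m = re.fullmatch(r"policy-map (\S+)", line)
            if m:
                policy_map = m.group(1)
            elif re.fullmatch(r"fixup protocol skinny( \S+)?", line):
                findings.append((lineno, "global", "no " + line))
        elif policy_map:
            m = re.fullmatch(r"class (\S+)", line)
            if m:
                class_name = m.group(1)
            elif class_name and re.fullmatch(r"inspect skinny( \S+)?", line):
                scope = f"{policy_map}/{class_name}"
                findings.append((lineno, scope, "no inspect skinny"))
    return findings

# Constructed ASA-style configuration (documentation addresses).
SAMPLE_ASA = """\
access-list outside_in extended permit tcp host 192.0.2.10 host 198.51.100.20 eq 2000
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect skinny
service-policy global_policy global
"""

# Constructed PIX-style configuration.
SAMPLE_PIX = """\
fixup protocol ftp 21
fixup protocol skinny 2000
no fixup protocol smtp 25
"""

if __name__ == "__main__":
    for name, cfg in (("ASA", SAMPLE_ASA), ("PIX", SAMPLE_PIX)):
        for lineno, scope, fix in find_skinny_inspection(cfg):
            print(f"{name}: line {lineno} ({scope}) -> {fix}")
```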
