Replacement of Cisco ACS Solutions 4.2 engine

Similar Questions

• Cisco Secure ACS Solution Engine ping

  1. I installed Cisco Secure ACS Solution Engine with V3.3 and I can access via the http port 2002 but I can't it ping from anywhere in the network, but the server can ping every thing, is this normal.

  2. If I can't ping haw I can define the service keeplaive to load balance 2 ACS engine using CSS

  By the way, I forgot that ACS 3.3 device has a CSA integrated. This agent is enabled by default. He explains why you can't ping it.

  For enable/disable it, go to "System Setup Configuration - device. Toggle the checkbox enabled the CSA according to needs.

  http://www.Cisco.com/en/us/partner/products/sw/secursw/ps5338/products_user_guide_chapter09186a008023361d.html#wp859228

  Rgds,

  AK

• CS ACS Solution engine with external AD database

  I have a client who has set up a CS ACS Solution engine (device). They currently have VPN tunnels that terminate on the SAA and the ACS provide authentication via an external database to the AD. I did the installation or configuration of the device and I'm new to ACS. There is a group in an ad that was created to allow access to the VPN, and it works. I created a second group in AD and a test user. The user account will not correctly authenticate when establishing a VPN session. I checked the agent ACS logs on the controller of the AD is to show that the user performs the authentication correctly, and it seems that the agent is not transmitting this information to the ACS. Alternatively, the ACS is ignorant. The GBA, the generated error is "external DB account Restriction." I can't find anything specific to this topic. I checked that the announcement represent works and can log on to a workstation. I checked the properties of account for the test account. I think it's related to the membership of the group. I have a group in ACS named exactly the same as the ad group and of the test account is a member of this group. I don't know where to start any help would be appreciated.

  You must map this group

  User to external databases > database group mapping > Datbase of Windows... section

  A group of ACS, naming the group exactly the same as the Windows AD Group ACS establishes no relationship between them.

  I guess that your all other combinations in the group mapping are mapped to one ' "group, OR to a group that is disabled.

  Please ensure that the mapping of good group on ACS for the new group you created on AD.

  If you move in the right direction, problem seems to reside in group mapping

  Kind regards

  Prem

• Is it possible to authenticate 2 or more domains Active Directory via acs solution engine v4.2?

  Hello

  Is it possible to authenticate ACS solution engine v4.2 against 2 or more Active Directory domains by using the generic LDAP configuration?  One scenario would be to geographic distribution where 1 area would be for the USA and the other would be an another say country Canada (e.g. US.corp and CA.corp).

  Thank you

  James

  Hi James,

  It is possible to configure multiple servers authentication LDAP, one for each area. I can tell you that it is much more efficient configuration and administration viewpoint experience and end-user to use AD as an external database Microsoft if your installation is actually all in the same namespace for example amer.CompanyName.com and canada.companyname.com.

  To configuration LDAP multiple databases, go to the external user databases > generic LDAP > create a BITTER called, then do the same for CANADA.

  Cordially, Jeremy

• Cisco ACS and the domain controller

  Hello

  We are currently using the Cisco ACS 3.2.3.11 solution engine and using a Windows domain as a remote agent controller.

  We now have the ACS to 4.1

  1. do I need to upgrade the remote agent on the domain controller as well?

  2. any computer on the network can be used as a Distribution Server?

  3. after an initial backup and upgrade then to 3.3.3.3 I make another backup before the upgrade to 4.1?

  You can use any PC in the network as a Distribution Server.

• Cisco ACS 4.1 for external advertising for authentication

  Hello

  We have just configured Cisco ACS 4.1 solution engine and using a Windows 2003 domain controller as a remote agent.we use as Protocol Ganymede.

  Users that are created in ACS himself are able to connect to various network devices. but users in domain (active directory) can not connect. We get the access denied message. same time we get external DB is not operational message in ACS.

  Active directory server where agent that runs in CSWINAgentlog, we get the following error 'NDLIB'... FOUND 0 TRUSTED DOMAIN.

  Could you please help us to isolate the problem.

  Thank you & best regards

  Make sure that the worm of acs and remote agent software is the same. And also execution of remote agent account must have special domain administrator rights, like the act as part of operating system and log in as a service.

  Kind regards

  ~ JG

• Cisco ACS 4.2 1113 Recovery DVD

  Nice day!

  We have CSACSE-1113-k9 Cisco ACS 4.2 device 1113. And we need to reimage (restore the device to its original state). Can enyone help me with the correct link software.cisco.com image recovery DVDs?

  I'm trying to find it, but I can't see recovery dvd:

  Home downloads Products Clouds and systems management Security and identity management Cisco Secure Access control server products Cisco Secure Access Control Server Solution engine Cisco Secure Access Control Server Solution engine 4.2

  Hello

  As far as I know, you don't have the possibility to download cisco.com ACS recovery DVDs. You can contact Cisco TAC and they can publish the software for you.

  Note If useful...

  Kind regards

  Kush

• With the help of Cisco ACS 5.2 (GANYMEDE +) with other than Cisco devices

  Hi all

  I was hoping that someone could help me with what might be a silly question. I'm trying to implement a solution whereby an operator can control all their nodes (other than Cisco) network via GANYMEDE + involved nodes are

  Juniper M10i running Junos 9.2, M120

  M320 running Junos 8.5 Juniper

  Extremes of BD8810 and BD8806 running 12.4.1.17 XOS

  3804 Alpine extreme Extremeware 7.8.3.5 running

  My question is, can I use Cisco ACS 5.2 (or 4.2) to authenticate using GANYMEDE + to these other than Cisco devices. Has anyone else done this or I have to use RADIUS? If someone has done this are problems of interoperability with Cisco CS and Junos or XOS extreme. Thank you

  / John

  John,

  We have a very large deployment of Juniper (T-series, series MX, etc.). We use Cisco ACS and GANYMEDE to manage these devices. The configuration of the ACS is fairly simple. You'll want to create users to connect and match them to the classes on your JUNOS routers. Here is an example:

  set system login user uid of engineering 2000
  Set system login user engineering genius-class class
  set the connection user uid to NOC 2001 System
  Set system login user AC AC-class class

  define the system connection Engineering-class idle-timeout 15
  define a connection system class engineering-class permissions all
  define the system connection AC-class idle-timeout 15
  define the connection class AC system class view permissions
  Set connection AC-class permissions see the system configuration

  We use two classes of genius and NOC. One is defined as a read / write and the second read-only. This is in turn then mapped in ACS (in our case version 4.2) by user or group (preferred). First, you change the configuration of the interface and add a Ganymede junos-exec service and do not enter the Protocol field. Then, you change the attributes of the user group. I've attached screenshots for both on this subject.

  Hope this helps.

  Derek

• Cisco ACS server

  Hello

  I currently have a Cisco ACS 3.3 Server. I want to upgrade the server to the latest version and cluster with one another so that we can have a redundant infrastructure because if one fails it also includes...

  Can provide you a solution for this?

  Thank you

  Hello

  The latest version is 4.1 ACS. You can upgrade 3.3.3 build 11 directly to 4.1.

  Then, you can install an another ACS 4.1 on a different machine and replication configuration between these two. In this way, you will need to make changes to only one that ACS and the secondary will be automatically updated.

  Once these two are defined, you can set both of these servers as a server Radius/Ganymede on devices and there will be a redundancy.

  Kind regards

  Vivek

• Cisco ACS 5.8 CLI admin account lockout

  Hi all

  We recently deployed device Cisco ACS 3495 and running on a version 5.8.

  Everything seems well while our for the CLI admin account was locked out.

  Found a bug in Cisco for the same problem with version 5.5, but no solution yet...

  ACS 5.5 CLI Admin account locked and no Log Message
  CSCur37203
  Someone out there who might have encountered the same issue and can help advise?
  Thank you and best regards,
  NDA

  Hello

  Unfortunately, the only solution for this is the DVD of password recovery.

  Once fixed, you can increase the car locked out amounted to something greater than the default value of Cisco.

• restore the configuration of the cisco ACS 1121 ver 5.2 to SNS 3425 ver 5.6

  Dear all,

  We currently have Cisco ACS 1121 ver 5.2 in our production, then we will replace it with the new devices using SNS 3425 ver 5.6.

  Please good to want to help someone can tell you how to restore all the old configuration of devices (ACS 1121 ver 5.2) for the new Member States?

  Best regards

  Yudibagam

  Hello! You must upgrade the current device to a min of v5.4 for restoration work and be supported.

  http://www.Cisco.com/c/en/us/TD/docs/net_mgmt/cisco_secure_access_control_system/5-6/release/notes/acs_56_rn.html

  However, if you're going to go through the upgrade problems then I would say that you upgrade all the way to 5.6 just to be sure :)

  I hope this helps!

  Thank you for evaluating useful messages!

• Cisco ACS 5.5

  Hello

  I just installed Cisco ACS 5.5.0.46.  We managed to get Juniper devices to authenticate using RADIUS.

  The problem is that the authentication logs are empty.

  I intend to patch the ACS of Update Rollup 4 for tonight, hoping that it can fix the problem.

  Can someone advise?

  Concerning

  Vijay

  Good to hear your issue was resolved. Also, thank you for taking the time to come back and post the solution to the problem! (+ 5 from me). Now, if your issue is resolved, please check the thread as "answered" :)

• Cisco ACS 4.1 - user profile changes

  There is no option in Cisco ACS 4.1 Solution where we can specify the option that "user must change password on the next logon" as it used to be in Cisco ACS 3.X ".

  Is it possible same functionality can be enabled on Cisco ACS 4.1

  Concerning

  Sohail Sarwar

  Hello

  That option does not exist in ACS 4.x.

  HTH,

  Tiago

  --

  If this helps you or answers to your question if it you please mark it as 'responded' or write it down, if other users can easily find it.

• Cisco ACS, multiple CA, assignment of VLAN relevant to the domain

  Hi all

  I searched for a solution to a specific customer requirement.

  I want authenticate users with certificates from different RootCA wireless and assign them to one VLAN based on their field?  Ideally, using the same SSID and a Cisco ACS server.

  Is this possible?  Has anyone seen that it works?

  I realize that the ACS can have trust company for the relevant RootCA (dunno what version is needed for this?).  And that assignment VLAN is also possible to a unique SSID based on RADIUS attributes.  But I am not sure that these parts would fit together?

  Would appreciate some advice!

  Thanks in advance

  Rob

  Hello

  Yes, this is possible. I suggest that you implement one by one to make sure that everything works, but no problem to do so. All recent versions of ACS allow this.

  You can do mapping group from ad groups (a group for each area, so if you want to) and assign the vlan based on the mapping of this group.

  GBA can trust several certification authorities and authenticate users with certificates of all these cases. It's just a matter of import these number certificate in the trust list.

  And you can assign the vlan and use only one ssid as well.

  I can't guide you on the procedure that it depends on which version you have and if you have IOS ap or WLC, but it is basically each function separated as in the config Guide and just used all together.

  Nicolas

  ===

  Remember responses of the rate that you find useful

• Cisco ACS AD authentication

  Hello!

  IM currently deploying Cisco ACS 5.4 on our netwrok and I'm looking for in some additional measures to ensure authentication and authorization to the devices.

  I would like to ask if anyone has any advice on the following as I may have been embarrassed to do this way myself.

  OK the users that now are authenticated with an external identity store (Active Directory). I would like to know if theres a way also to authenticate these users or allow them to ACS so that when the IT Department adds a user who should not be in a group, but the group is authenticated to a set of devices, this user will be nto be able to access devices.

  A simpler explanation is as follows.

  E.t.c groups are ficitonal

  I have group in AD called "Engineers" that contains 2 users, user A and user B.

  Engineers have a shell on ACS profile that gives permissions/privileges superuser on the devices.

  However, Active Directory is managed by the it Department that could be social designed to add a C user in this group.

  What I need to know is a way to allow the user has and user B to access devices while maintaining the profile of the shell with the Group of ads "engineers."

  I am aware of the conditions is devoted to profiles/authorization rules. Is that mean I have to create both local users and assign their passwords as well?

  Im a bit confused as you can see it...

  Any help will be greatly appreciated!

  Thank you!

  Because user C would be added to the same group that already contains users A and B and the authorization rule is configured to grant access from root of users A and B belonging group engineering, then user C will also be granted this access.

  ACS has no way to know what the users are members of the engineering group, nor can it detect that the user C has been successfully added.

  If you want to use the credentials of the AD and at the same time maintain a canonical list of users for ACS check, you will need to create local GBA users, as you suggested above.