MARS 5.2.7 integration with ACS 4.1

Hello
I cannot find any documentation I can follow to integrate MARS with ACS. I mean I want to use ACS to authenticate users in MARS.
Do any of you know if MARS 5.2.7 has this feature? If yes, can you please give some info on where to find the docs?
Thank you very much.
Best regards Antonello.

Hi,
LMS 4.0 no longer integrates with ACS the way that LMS 3.x did. You can still use ACS for authentication in LMS 4.0, but for authorization, each user must have a local account in LMS, and the roles will be assigned using LMS 4.0's new RBAC. Users are defined under Admin > System > User Management > Local User Setup, and roles are defined under Admin > System > User Management > Role Management Setup.
By default, if a user does not have an account in LMS, they will receive the Help Desk role.
Please check the below link:
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/admin/security.html#wp1100379
Thanks-
Afroz
[Do rate the useful post]

Similar Messages

  • Cisco Prime NCS integration with ACS 5.1

    Hello,
    We have an issue with authorization on the NCS system. NCS is successfully integrated with ACS, but there is a problem with one user. All users have equivalent rights under root. There is a shell profile with all possible tasks (exported from the NCS server) configured on ACS. All users except this one (the unlucky one :)) are authorized successfully. In the ACS logs, the authentication and authorization status for this user is passed, and all attributes (policy, profile, AV-pairs etc.) are the same as for other users. This 'unlucky' user gets the following message:
    There is surely no browser or network issue. I tried from different PCs with the same result. There is no local info related to this username on the NCS server. When I change one character in the username on his ACS account, everything works well. What could be a possible reason for this behaviour? Thanks!
    Our ACS v
    Version 5.1.0.44.X
    And NCS
    Version : 1.1.2.X

    this question should be moved to the Security > AAA forums as this sounds more like an ACS issue than NCS.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • LMS PRIME 4.2 integrating with ACS 4.2

    Hello,
    I would like to integrate the new LMS Prime 4.2 with ACS 4.2!
    Is there a document or user guide for this version of LMS?
    Thanks in advance.
    Marwan

    In LMS 4.2 there is nothing known as Integration (like in LMS 3.x), since it added the RBAC feature.
    Now ACS can just be used as a PAM to have CiscoWorks authenticated via TACACS+ or RADIUS. After the auth is done, you should have an authorization set in LMS locally for the user, else it will be given the default HELP DESK access.
    For more details check :
    Authentication Using Login Modules - Overview
    -Thanks

  • Cisco Works LMS 3.1 Integration with ACS v5.2

    Hello Experts,
    our customer has a working integration with the Cisco Works LMS 3.1 and an ACS v3.3 as it is described in this document:
    http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.html
    Now we are changing the old ACS servers to the new ACS v5.2 platform. Is it possible to integrate LMS with the new ACS server? We want to use granular user access restrictions for SuperAdmins, Hotline Users and so on...
    Thanks,
    Florian

    Hi Florian,
    Actually, ACS 5.2 is not supported in CS 3.2.
    Here is a list of the supported ACS servers under LMS 3.1:
    http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_common_services_software/3.2/user/guide/admin.html#wp865998

  • All the devices not showing after CSM integration with ACS

    Hi all
    I integrated ACS with CSM and added all the security devices into ACS as client devices. But after integration with ACS, only a few devices are shown in CSM when I log in as super admin. For all other users (system admin, network operator etc.), no devices are shown in CSM. Please give me a solution to solve this.

    Did you have devices already in CSM when you integrated it into ACS? Did you make sure that the hostname of the devices is exactly the same in ACS and CSM?

  • Juniper SSG TACACS+ Integration with ACS 5

    Hi,
    I'm working on TACACS+ integration on a Juniper SSG firewall with ACS 5, but login fails on the SSG. After checking the log on ACS, it passed the authentication. Do I need to import any dictionary file on the ACS 5 first?
    Please advise,
    Cheers,
    Ryan

    I was able to configure the SSG to authenticate using RADIUS. In order to work with RADIUS, I had to create a RADIUS dictionary using the NetScreen dictionary found at Juniper. Attach the dictionary.
    I'm not sure how to import it, but I created the dictionary manually.

  • LMS 3.2 integration with ACS 5.1

    Hi
    Is it possible to integrate LMS 3.2 with ACS 5.1? I know it works with ACS 4.X, but I can't get it to work with ACS 5.1.
    Here is a link to how to do it with ACS 4.X:
    http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.html
    Regards
    Reidar

    Thanks Reidar.... hmm very strange. I really wish an expert would respond to this thread as it will help a lot of people who might be planning to deploy these versions and they can help put this matter to rest once and for all. Not sure why LMS 3.2 will not support ACS 5.1 and it might help to know when it will (updates etc). Kindly let me know if you get any further information. My deployment is so large that setting a local username and password on all the devices is not an option unfortunately .......

  • LMS 3.1 Slow after integrating with ACS

    Dear All, has anyone faced an issue of slowness after integrating LMS 3.1 with ACS 4.2? I don't know how I can resolve this issue. Is there any patch to resolve it?
    Any kind of help will be very helpful.

    I'm using LMS 3.2 into ACS 4.0 and it actually seemed a bit faster after ACS integration. Nothing I measured but subjectively it seems faster. Both my servers are on Windows and the ACS is across the WAN from my CiscoWorks.
    How do your devices fare with their ACS? You can debug tacacs at the router/switch level as one tool. I'm sure one of the cisco guys on here will point you to one of the many logs that LMS generates, possibly with debugging activated, to dig deeper there also.

  • Cisco Security Manager integration with ACS

    Has anybody got this working yet?
    I have tried but as yet have been unsuccessful in registering CSM with the ACS server.
    I am following the instructions; however, nothing seems to work. All I get is failed to register.
    Any help would be appreciated
    Regards
    Jason

    Check out this link...
    http://www.cisco.com/en/US/products/ps6498/prod_troubleshooting_guide_chapter09186a00806e23e3.html

  • Ciscoworks 3.2 login issue with ACS

    Hi All,
    I am facing an issue with logging in to the CiscoWorks portal from the LMS server, which is integrated with the ACS tool.
    Now I am unable to log in to the portal with the username and password, which are already configured in the ACS server.
    I ended up reinstalling the CiscoWorks software and restoring the backup, but the problem still persists. Please let me know how to fix it.
    If I reinstall it again, how would I restore the backup, since backup restoration again gives the login issue?
    If I'm using only the dcrcli exported device list after the reinstallation, all the devices get stuck in DFM question status, hence I restored the proper backup. Now I am stuck. Please help.

    You need to sort out your DNS and get the lookup and reverse lookup working.
    Say your device is a box with
    Fa 0/0  10.10.1.1
    Lo 0    172.32.1.1
    If you get your DNS to resolve the address of port Fa 0/0 (10.10.1.1) to the DNS name "adevice.yournetwork.com",
    and next you get your DNS to resolve the name "adevice.yournetwork.com" to 172.32.1.1, which happens to be the Lo0 interface of the device,
    then you can get LMS to use the address you want, as it is configured in DNS.
    Cheers,
    Michel
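
The reverse-then-forward lookup chain from the reply above, as an added example that is not part of the original post. The zone tables are constructed from the post's sample addresses (the PTR entry for 172.32.1.1 is an assumption), and the function names are hypothetical; the system resolver helpers are only used when no tables are passed in.

```python
import socket


def system_ptr(ip):
    """Reverse lookup through the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_a(name):
    """Forward lookup through the system resolver; None when the name fails."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def management_address(interface_ip, ptr=system_ptr, a=system_a):
    """Follow PTR, then A, for one interface address.

    Returns (name, address, status); status is 'no-ptr', 'no-a',
    'same' (A points back at the interface) or 'redirected'
    (A points at another address, e.g. the loopback).
    """
    name = ptr(interface_ip)
    if name is None:
        return (None, None, "no-ptr")
    address = a(name)
    if address is None:
        return (name, None, "no-a")
    return (name, address, "same" if address == interface_ip else "redirected")


# Constructed zone data using the addresses from the post.
PTR = {
    "10.10.1.1": "adevice.yournetwork.com",
    "172.32.1.1": "adevice.yournetwork.com",  # assumed; not stated in the post
}
A = {"adevice.yournetwork.com": "172.32.1.1"}


def audit(interface_ips, ptr=PTR.get, a=A.get):
    """Map each interface address to the result of the PTR -> A chain."""
    return {ip: management_address(ip, ptr, a) for ip in interface_ips}


if __name__ == "__main__":
    for ip, result in audit(["10.10.1.1", "172.32.1.1", "10.10.2.1"]).items():
        print(ip, result)
```

An address that comes back as `no-ptr` is one the reverse zone does not cover, which is the gap the reply asks to close first.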

  • ACS 5.3 Integration With RSA

    Hi People,
    I have Integrated the ACS 5.3 with AD.
    Now my next goal is to Integrate ACS with RSA in such a way that all my Cisco devices should use the username and password from the AD.
    The enable privilege level should come from the RSA Token OTP.
    Is it possible to do such a thing with ACS 5.3?
    If so, how could I do it?
    Thanks,
    Manoj

    I think you can try to make a rule in the identity policy based on the Service attribute in the TACACS+ dictionary
    (this is not tested and based on my recollection so would need your verification)
    1) Create a custom condition for the service attribute in the TACACS+ dictionary
       Policy Elements > Session Conditions > Custom
       Create: Dictionary: TACACS+; Attribute: Service
    2) Utilize it in a rule in the Device Admin identity policy
       Access Policies > Access Services > Default Device Admin > Identity
       Select a rule based
       Customize based on the condition in 1
       Create a rule for when Service is "Enable". Select identity source as RSA in this case

  • ACS Express integration with Active Directory

    Hello,
    I have ACS Express version 5.0.1 installed on Cisco ADE; I'm trying to get it integrated with an Active Directory without success.
    I did packet captures on the ASA that is in between and I can see communication going thru just fine. I ran a diagnostic on the ACS express and got this:
    DIAGNOSTIC USING THE IP ADDRESS OF THE DOMAIN CONTROLLER:
    Output of AD Domain Diagnostics:
    IP Diagnostics
    Local host name: he-zfm-acs-01
    Local IP Address: 172.31.67.10
    Not found in DNS!Make sure it is in Reverse Lookup Zone.
    FQDN host name:he-zfm-acs-01.clarocr.americamovil.ca1
    Domain Diagnostics:
    Domain: 172.24.2.93
    Subnet site:
    WARNING! Unable to locate computer's subnet site in Active Directory.
    Ask your Active Directory administrator to add this computer's subnet
    to the appropriate site.
    DNS query for: _ldap._tcp.172.24.2.93
    Found no SRV records!
    Computer Account Diagnostics
    Not joined to any domain
    AD Agent Process Status: Not joined to any domain
    DIAGNOSTIC USING THE AD REALM:
    Output of AD Domain Diagnostics:
    IP Diagnostics
    Local host name: he-zfm-acs-01
    Local IP Address: 172.31.67.10
    FQDN host name:he-zfm-acs-02.clarocr.americamovil.ca1
    Domain Diagnostics:
    Domain: CLAROCR.AMERICAMOVIL.CA1
    Subnet site: TELECOM
    DNS query for: _ldap._tcp.CLAROCR.AMERICAMOVIL.CA1
    Found SRV records:
    rom-pro-dc-03.clarocr.americamovil.ca1:389
    Testing Active Directory connectivity:
    Domain Controller: rom-pro-dc-03.clarocr.americamovil.ca1
    ldap: 389/tcp - good
    ldap: 389/udp - good
    smb: 445/tcp - good
    kdc: 88/tcp - good
    kpasswd: 464/tcp - good
    ntp: 123/udp - good
    Domain Controller: rom-pro-dc-03.clarocr.americamovil.ca1:389
    Domain controller type: Windows 2003
    Domain Name: CLAROCR.AMERICAMOVIL.CA1
    isGlobalCatalogReady: TRUE
    domainFunctionality:
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Forest Name: AMERICAMOVIL.CA1
    DNS query for: _gc._tcp.AMERICAMOVIL.CA1
    Testing Active Directory connectivity:
    Global Catalog: rom-des-dc-01.desa1sv.americamovil.ca1
    gc: 3268/tcp - timeout
    No TCP LDAP response, giving up on rom-des-dc-01.desa1sv.americamovil.ca1
    Global Catalog: rom-amv-dc-02.americamovil.ca1
    gc: 3268/tcp - good
    Global Catalog: rom-tlc-dc-01.telecom.americamovil.ca1
    gc: 3268/tcp - good
    Global Catalog: rom-pro-dc-03.clarocr.americamovil.ca1
    gc: 3268/tcp - good
    Global Catalog: rom-tlc-dc-02.telecom.americamovil.ca1
    gc: 3268/tcp - good
    Global Catalog: rom-amv-dc-01.americamovil.ca1
    gc: 3268/tcp - good
    Domain Controller: rom-amv-dc-02.americamovil.ca1:3268
    Domain controller type: Windows 2003
    Domain Name: AMERICAMOVIL.CA1
    isGlobalCatalogReady: TRUE
    domainFunctionality:
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Domain Controller: rom-tlc-dc-01.telecom.americamovil.ca1:3268
    Domain controller type: Windows 2003
    Domain Name: TELECOM.AMERICAMOVIL.CA1
    isGlobalCatalogReady: TRUE
    domainFunctionality:
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Domain Controller: rom-pro-dc-03.clarocr.americamovil.ca1:3268
    Domain controller type: Windows 2003
    Domain Name: CLAROCR.AMERICAMOVIL.CA1
    isGlobalCatalogReady: TRUE
    domainFunctionality:
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Domain Controller: rom-tlc-dc-02.telecom.americamovil.ca1:3268
    Domain controller type: Windows 2003
    Domain Name: TELECOM.AMERICAMOVIL.CA1
    isGlobalCatalogReady: TRUE
    domainFunctionality:
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Domain Controller: rom-amv-dc-01.americamovil.ca1:3268
    Domain controller type: Windows 2003
    Domain Name: AMERICAMOVIL.CA1
    isGlobalCatalogReady: TRUE
    domainFunctionality:
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Forest Name: AMERICAMOVIL.CA1
    Computer Account Diagnostics
    Not joined to any domain
    AD Agent Process Status: Not joined to any domain

    Dennis,
    Time in sync on the ACS and AD servers?
    Faisal
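
A triage pass over diagnostics text in the format quoted above, added here as an example and not part of the original thread or of any Cisco tool. The sample report is constructed with placeholder names, and the finding codes and function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the format of the diagnostics above; names are placeholders.
SAMPLE = """\
IP Diagnostics
Local host name: acs-01
Local IP Address: 192.0.2.10
Not found in DNS!Make sure it is in Reverse Lookup Zone.
FQDN host name:acs-02.corp.example.test
Domain Diagnostics:
Domain: 192.0.2.93
DNS query for: _ldap._tcp.192.0.2.93
Found no SRV records!
Global Catalog: gc-01.example.test
gc: 3268/tcp - timeout
Global Catalog: gc-02.example.test
gc: 3268/tcp - good
Computer Account Diagnostics
Not joined to any domain
"""

# Connectivity lines look like "ldap: 389/tcp - good".
PORT_LINE = re.compile(r"^(\w+): (\d+/(?:tcp|udp)) - (\w+)$")

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def triage(report):
    """Return (code, detail) findings for one diagnostics report, in order."""
    findings, fields, target = [], {}, None
    for raw in report.splitlines():
        line = raw.strip()
        port = PORT_LINE.match(line)
        if port and port.group(3) != "good":
            findings.append(("port-" + port.group(3), f"{target} {port.group(2)}"))
        elif line.startswith("Not found in DNS"):
            findings.append(("no-reverse-dns", fields.get("Local IP Address", "?")))
        elif line.startswith("Found no SRV records"):
            findings.append(("no-srv", fields.get("DNS query for", "?")))
        elif line == "Not joined to any domain":
            findings.append(("not-joined", fields.get("Local host name", "?")))
        elif ":" in line and not port:
            key, value = (part.strip() for part in line.split(":", 1))
            fields[key] = value
            if key in ("Domain Controller", "Global Catalog"):
                target = value  # server the following port lines refer to
            elif key == "Domain" and is_ip(value):
                findings.append(("domain-is-ip", value))  # SRV lookups need a DNS name
            elif key == "FQDN host name" and "Local host name" in fields:
                if value.split(".")[0].lower() != fields["Local host name"].lower():
                    findings.append(("hostname-mismatch", value))
    return findings
```

Calling `triage(SAMPLE)` lists the missing reverse record, the host name that differs from the FQDN's first label, the IP address given where a domain name is expected, the failed SRV query, the Global Catalog timeout and the unjoined state.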

  • Cisco Works Integration with MARS

    Can Cisco Works be integrated with MARS? I mean, Cisco Works is acting as a syslog server for some switches. Can MARS pull the records from Cisco Works and use them for its correlation?

    As Michael pointed out, configuring two syslog destinations on your switch is possible, and allows the switch to send to both CiscoWorks and CS-MARS simultaneously. This affords the safety that should one system be down, the other system will continue to receive syslog events from the switches. Should you not wish to configure two logging destinations on your switch, you could configure your switches to send their syslogs to CS-MARS and configure CS-MARS to relay the received syslog messages to CiscoWorks. This option is outlined in the CS-MARS user guide:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/cfgOver.html#wpmkr181270
    Scott

  • Can a single ACS appliance be integrated with a diff OU in the AD (maybe with a diff IP address range).

    Hello Everyone,
    Can a single ACS appliance be integrated with a diff OU in the AD (maybe with a diff IP address range). If yes, how?
    Thanks,
    Rishi

    Rishi,
    Are you looking to leverage a certain group in AD to be assigned to a specific subnet? If yes, then this can be done through dynamic VLAN assignment.
    Thanks,
    Tarik Admani

  • Authenticating using Cisco ACS 4.2 integrated with Active Directory 2003

    How do I check that users are authenticated using Cisco ACS 4.2 integrated with Active Directory 2003? Can anyone help me with this? Thanks.

    You can't actually see the user's membership from ACS. All you can do is create a group mapping under the external database >> group mapping section. This would give you an option to map an external (AD) group to an internal group. The group membership needs to be modified under Active Directory.
    Once a user is successfully authenticated and learned as a dynamic user in the ACS user setup database, they would be mapped to an ACS internal group based on the group mapping we did.
    Let me know if you have any doubts.
    Regards,
    Jatin
