ACS-1120 version 5.2

Hi,
I have 4 X ACS-1120. Each 2 are operating as a Primary and Backup. I want to add a license in order for the ACS to support more than the 500 networks which are included in the base license.
As I understand, this is the license required: L-CSACS-5-LRG-LIC=
Is this license applicable to the ACS-1120 appliance with ver 5.2? – I understand that it is.
For my scenario, do I need to purchase a total of 2 X L-CSACS-5-LRG-LIC= (one for each environment, one license will serve 2 X ACS in Primary and Backup) or do I need to purchase 4 licenses, one for each ACS? – I understand that one license will serve a deployment of two ACS in a primary and active scenario.
Appreciate your help,

Please post in the correct forum:
https://supportforums.cisco.com/community/netpro/security/aaa

Similar Messages

  • Does ACS 1120 5.0 version support RSA?

    Hi all,
    We are using Cisco ACS 1120 with 5.0 base licenced for TACACS. Does ACS 5.0 support an RSA server as an external database for authenticating the users, as we do in the previous versions 4.2 and 4.0?
    If so, kindly let me know how we can do it, or do we have any document?
    Regards
    Sreekanth

    This is supported in ACS 5.1. ACS 5.1 can be downloaded from CCO and can upgrade ACS 5.0 to ACS 5.1
    The RSA SecurID Agent is built in to ACS 5.1. Through the ACS GUI you can perform all the required configuration items to activate and configure the agent. This includes setting the:
    agent record (sdconf.rec)
    load balancing data (sdopts.rec)
    node secret (securid)
    agent status file (sdstatus.12)
    For more details, see http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1134728

  • Windows ACS 4.2.0 backup database on acs 1120 appliance 4.2.1.15

    Hi All,
    I am running Windows-based ACS 3.3 in my LAN environment, which is going to be replaced with an ACS 1120 appliance running ACS 4.2.1.15. The ACS 3.3 database has been built up to 4.2.0.124, step by step, by the upgrade process:
    1) acs 3.3.3.14 ---> 4.1.1.24
    2) acs 4.1.1.24 ---> 4.2.0.124
    Now my database is a 4.2.0.124 dmp file. I cannot upgrade my database to 4.2.1.15 because the 4.2.1.15 patch is not applicable and executable on the 90-day evaluation package of 4.2.0.124 on the Windows platform.
    Can I import my Windows-based 4.2.0.124 database directly to my ACS appliance running 4.2.1.15.3? Or else does it require any step to be done to modify the Windows-based database to match the appliance Windows version?
    I could see on the appliance under restore settings the following option (restore from 4.2.0 backup file to acs 4.2.1). Kindly suggest on this.

    Hi Anisha\Devashree,
    Awesome! Thanks for your great support on this. I will try to restore the database directly to my appliance running 4.2.1.15.3 and let you know if I find any difficulties.
    My database is about 15MB. If I find any difficulties during restoring, I will downgrade my appliance to the base version of 4.2.0.124, then I will restore my 4.2.0.124 database by enabling the restore option from 4.2.0.124 to 4.2.1, and I will apply the patch. Thank you.
    Devashree: There should not be any problem, right, by enabling the restore option from 4.2.0.124 to 4.2.1 during system restore, if your appliance is running ACS version 4.2.0.124 as the operating one?

  • Acs 1120 license

    Hi team,
    We have an ACS 1120 which is not in production. (1) What I need to know is how I can retrieve its license.
    It's not under support. I don't have the license anywhere else to search but the box itself.
    (2) The second challenge is that I don't know the IP address configured on the box. Is there any management interface with some default IP that allows me to log in?
    (3) If I reset the appliance to factory defaults, will I lose my license?
    Thanks, help is appreciated.

    Question: 1
    We have an ACS 1120 which is not in production, what I need to know is how I can retrieve its license. It’s not under support. I don’t have the license anywhere else to search the box itself?
    Please check the Following Link for ACS 1120 End of life and license information.
    Link-1: http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps9911/end_of_life__C51-633515.html
    Link-2:
    http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps9911/eol_c51-693439.pdf
    Question: 2
    Second challenge is that I don’t know the ip address configured on the box. Is there any management interface with some default ip that allows me to login?
    You can access and reset the ACS through the CLI and Serial Console and can perform the following tasks:
    Logging In to the CSACS 1120 from a Serial Console
    Determining the Status of CSACS 1120 System and Services from a Serial Console
    Tracing Routes
    Stopping ACS Services from a Serial Console
    Starting ACS Services from a Serial Console
    Restarting ACS Services from a Serial Console
    Backing Up ACS Data from the Serial Console
    Restoring ACS Data from the Serial Console
    Reconfiguring CSACS 1120 System Parameters
    Resetting the CSACS 1120 Administrator Password
    Resetting the CSACS 1120 CLI Administrator Name
    Resetting the GUI Administrator Login and Password
    Reconfiguring the CSACS 1120 IP Address
    For Complete Configuration guide, Please check the following link
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/csacs_1120/CSACS1120_42.pdf
    Question: 3
    If I reset the appliance to factory defaults, will I lose my license?
    By resetting your appliance, license information will not be lost. After checking the above links, you will be more clear about ACS licensing.

  • ACS-1120 Large Deployment License

    Hi,
    I have 4 X ACS-1120. Each 2 are operating as a Primary and Backup. I want to add a license in order for the ACS to support more than the 500 networks which are included in the base license.
    As I understand, this is the license required: L-CSACS-5-LRG-LIC=
    Is this license applicable to the ACS-1120 appliance with ver 5.2? – I understand that it is.
    For my scenario, do I need to purchase a total of 2 X L-CSACS-5-LRG-LIC= (one for each environment, one license will serve 2 X ACS in Primary and Backup) or do I need to purchase 4 licenses, one for each ACS? – I understand that one license will serve a deployment of two ACS in a primary and active scenario.
    Appreciate your help,

    The large license is required for ACS 5.2 with more than 500 devices.
    You need one license for each primary, so in your case two licenses are required.

  • Cisco acs 1120 upgrade to 4.2.1.15 help

    Hi All,
    I have a Cisco 1120 appliance downgraded from ACS 5.0 to ACS 4.2.0.124, and I need to upgrade to ACS 4.2.1.15. Does the Cisco 1120 ACS appliance support 4.2.1.15? How can I upgrade to 4.2.1.15 from 4.2.0.124?
    Does it require any distribution server for the upgrade process? Please suggest on this. Thank you.

    Yes, you can upgrade it to 4.2.1.15 and you can download the version from the below listed link;
    http://tools.cisco.com/squish/d4e4A
    Here are the files you need to download:
    ACSse-Upgrade-Pkg-acs-v4.2.1.15-K9.zip
    ACSse-Upgrade-Pkg-appl-mng-v4.2.1.15-K9.zip
    NOTE: Please apply the management upgrade first and then software upgrade. ..
    Distribution server is a machine from where you can upload the patch onto the Cisco Secure ACS Appliance so If you will download the version on your laptop and upload it from there then that would be distribution server (Nothing special)
    Upgrade an appliance to 4.2.1.15
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2.1/Installation_Guide/solution_engine/upgap.html#wp1148376
    Hope this helps.
    Rgds,  Jatin
    Do rate helpful posts~

  • ACS any Version with Domain Controller on Windows Server 2008 R2 64bit

    Hi All
    Is there currently any ACS version working with Windows Server 2008 R2 domain controllers?
    Our server stuff has recently upgraded the Domain Controllers to 2008r2 and turned off the 2003 servers. This didn't make our ACS 4.1.4 really happy.
    I've now read several posts regarding issues with ACS and Server 2008r2 and hope to find a solution (besides switching to LDAP, yukk).
    Thanks
    pato

    Hi Pato,
    Just check out the below link hope that help.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html
    As per the link it says The support for Windows Server 2008 is applicable for ACS 4.2 Patch 4 onwards.
    Hope to Help !!
    Remember to rate the helpful post
    Ganesh.H

  • Problem in installing ACS trial version

    Hi,
    I am having a problem installing the ACS 4.1 trial version. On invoking the program after installation completes, I get the web page "CiscoSecure ACS Trial 127.0.0.1:2002" opened.
    I would appreciate your advice on why I am getting this web page and how to fix it.
    Thanks
    Any

    You need to add the site 127.0.0.1 (or localhost) to the trusted sites list in IE then when you open the link you will get the ACS welcome page. (Make sure you install the Java runtime as well).

  • How many concurrent connections that an ACS server version 4.2 latest patch can handle?

    I have about 50 routers and layer-3 switches that authenticate via tacacs+.  The AAA server used to be on a Linux machine running open-source tacacs+ built by me.  I have a perl script that will log into all 50 devices at the same time to collect statistics.  This script is multi-threaded.  Everything is working fine so far.
    I recently out-sourced the AAA function to a 3rd party company, not by my choice.  The 3rd party uses Cisco ACS version 4.2 with the latest patch running on Windows 2003 Enterprise Server with 16GB RAM and quad processors with quad-cores, IBM x3650-M2 hardware. The connectivity between the 3rd party and my company is through a DS-3 connection.  Maximum bandwidth over this DS-3 connection is less than 10Mbps at most.
    I noticed that for the past 3 months I have had multiple failures with this perl script due to authentication failure with the ACS server.  If I just run the script against a few routers/switches, there are no issues; however, whenever I start the script to log into 50 devices all at the same time, it will fail.  If I change the configuration on all routers/switches to point back to the old open-source tacacs+ server, the issue goes away.  The minute I switch back to the new ACS server, the issue comes back.  If I modify the script to hit one device at a time, it works fine.  I think it is that the ACS server cannot handle a lot of AAA requests at the same time.
    Does anyone know how many concurrent connections that an ACS 4.2, with latest patches on Windows 2003 Enterprise Server with lot of memory and CPU power, can handle?  I can't seem to find this anywhere on Cisco website.
    Thanks in advance.

    No, I'm not saying ACS cannot cope.
    Concurrency and latency are very different things. ACS CSTacacs can handle many 100s of simple authentications/authorisations per second with users in the internal database. If 1000s of devices all send traffic in the same instant it would take some seconds to work through the backlog of traffic.
    Also, worth considering that a limited number of tasks within ACS (or threads) can actually handle a much greater number of "logins" because they are generally multi-message allowing ACS to keep lots of plates spinning.
    If users are in an external database the latency (per authentication) can increase depending on where the users are (e.g. Windows AD) and, if bad enough, can have a serious effect on the overall authentication rate. At which point customers normally turn to load balancing.
    If your device timeouts are 20 seconds (totally reasonable) I suggest the issue is more likely to be something else... a bug, perhaps specific to v4.2?

  • ACS VM version migration to ISE

    Hi,
    If a customer bought ACS on VMWare (2 x LCSACS-51-VM) in the past and are interested in migrating to ISE. They would like to consider moving 1 x LCSACS-51-VM to a similar VM based image and the other to an appliance based system. Both act as a redundant pair.
    The ordering guide seems unclear on how to handle this scenario. The customer has an SAS support contract.

    Have you already gone through this guide?
    http://www.cisco.com/en/US/docs/security/ise/1.1/migration_guide/ise_mig_undst_tool.html#wp1027036
    Should you've any specific questions regarding migration from ACS 5.x to ISE 1.x, let us know.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Cat 2940 ACS problem Version 12.1(22)EA6

    I have 2 2940 Version 12.1(22)EA6 that, after I put in the tacs+ commands, will not let me back into the switch from anywhere. When I try to log in it tells me that the password is wrong, when I know it is correct.

    Hi
    Can you paste the relevant TACACS+ config commands taken from your switch here ?
    Also are you seeing any kinda logs in your syslog server or in ur switch related to the access attempts ?
    regds

  • Cisco ACS 1121 version 5.3 - Logging

    Hi There
    I'm new to Cisco ACS 5.X. From what I have read, the Cisco ACS can act as a Logging Server. Does this mean, all the syslog messages from all the other ACS and network devices can be stored by ACS? I'm a bit confused on this part.
    Lastly, I understand that Cisco ACS has many or maybe 2 instances? When do we use these instance? What is this instance?
    Regards,
    Ram

    In the distributed deployment, you should specify one ACS server as the Logcollector. All other servers send logs to the Logcollector.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/logging.html
    In distributed deployment, each acs server is one instance. So you have one primary instance and multiple secondary instances.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/introd.html#wp1058054
    Sent from Cisco Technical Support iPad App

  • Cisco ACS register to primary with different acs versions

    Hello, I've updated a backup unit of two acs to  version 5.4.0.46.0a first I changed it to standalone, and now I try to register to the main ACS which is running version 5.1.0.44.2
      And I get this error
    This System Failure occurred:  com.cisco.nm.acs.im.certificate.Certificate; local class incompatible: stream classdesc serialVersionUID = 8507982043664257993, local class serialVersionUID = 1927357986028617243. Your changes have not been saved.Click OK to return to the list page.
    What can I do to solve it?
    Kind regards

    The primary and secondary should be running on the same code.
    Jatin Katyal
    - Do rate helpful posts -

  • ACS appliance1120 ACS 4.2.1.15 syslog message to syslog server

    Hi All,
    I am using an ACS 1120 appliance running ACS version 4.2.1.15. I am pointing all syslog messages to my external syslog server (passed authentication, failed authentication, database replication, administration audit, TACACS accounting), but I receive only passed authentication log messages on my external log server; no other log message except passed authentication is pushed to my external log server. But I can see failed attempts, database replication and administration audit log messages locally on my ACS appliance as CSV files.
    Syslog server configuration is configured under all logging (passed, failed, administration, TACACS accounting), but I am surprised to see only the passed authentication log is sent out from the ACS appliance. Is there any patch to be installed for log message scripting? Please advise.

    Refer the link : https://supportforums.cisco.com/discussion/11513026/migrating-acs-420-421
    you can directly upgrade from 4.2.0.124 to 5.6 : http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/user/guide/acsuserguide/migrate.html#98379

  • Account disablement on specific date feature on ACS 5.2

    Hi All,
    I have an ACS 1120 appliance running ACS version 5.2.0.26.5, authenticating VPN users connecting from the internet using the RADIUS protocol. We have a requirement that a VPN user account should be disabled by a specific date, meaning the user ID should be revoked when their contract for connecting to our data center expires.
    I know this feature is available on ACS version 4.2, but I could not find this feature on ACS 5.2.0 when a user account is created. Has any new specific patch enabled this feature after ACS version 5.2.0.26.5? Please let me know.
    Without this feature set, I cannot ensure IDs are revoked automatically when the specific date comes for the end user.

    Account expiration is available in acs 5.3
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/users_id_stores_ps9911_TSD_Products_User_Guide_Chapter.html#wp1287418
    Check table 8-3
