ACS 4.1.1.24 to 5.2.0.26.3 Network Device Migration issue

Hello all.
I'm getting an error when I run the migration.bat script to migrate data from ACS 4.1 to 5.2 and analyse the Network Devices in the 4.1 database.
hqssec01
AnalyzeAndExport
Network Device
hqsvg22417k
error
invalid_sharedsecret
Cannot migrate Network Device that has Shared secret key with a name that contains any of the following characters: "'{}
hqssec01
AnalyzeAndExport
Network Device
hqsvg22418k
error
invalid_sharedsecret
Cannot migrate Network Device that has Shared secret key with a name that contains any of the following characters: "'{}
hqssec01
AnalyzeAndExport
Network Device
milswi1a1
error
invalid_sharedsecret
Cannot migrate Network Device that has Shared secret key with a name that contains any of the following characters: "'{}
hqssec01
AnalyzeAndExport
Network Device
DS2000_Storm_Standby
error
invalid_sharedsecret
Cannot migrate Network Device that has Shared secret key with a name that contains any of the following characters: "'{}
We use a common shared secret key for 253 devices to use for TACACS authentication. Unfortunately ACS 4.1 allows you to use the " character in this key but 5.2 doesn't. Is there a way of changing the key in the 4.1 database for all 253 devices without having to manually change all devices individually?
I can change the AAA client's key with various tools no problem, but the issue is the key stored on the ACS database.
Any help would be great!

Just to update.
RDBMS synchronization using csv files is only available on 4.2, so I updated from 4.1 to 4.2.
Using the accountActions.csv file, I made a copy accountActions2.csv and used the action id 225 to dump the NAS database to a file DumpNAS.txt.
I then imported the relevant fields from DumpNAS.txt into a new file accountActions3.csv and used action ID 224 to update the NAS database.
The issue I had was that I could not locate the correct string to use for the Value 3 field "Vendor ID".
In the end I used the 'File Operations' function in ACS 5.2 and used the network device template to load the devices into ACS 5.2 with the new shared secret. The only thing missing was Network Device Groups, which had to be created manually, and then each device had to be manually moved into the relevant NDG.
This may prove useful for anyone having a similar problem.
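An added example (not from this thread or from any Cisco tool) that triages the migration report layout quoted above: it groups the one-field-per-line output into records, lists the devices the analyser blocked with invalid_sharedsecret, and refuses a replacement secret that would fail the same check before writing an import CSV. The sample report is constructed from the four records in the post; the CSV column names and the "UNKNOWN-IP" placeholder are assumptions, not the real ACS 5.2 File Operations template.

```python
"""Triage an ACS 4.x -> 5.x migration report for shared-secret failures.

Added example, not part of the original thread or any Cisco tool. It assumes
the report is the flat layout quoted in the post (seven lines per record) and
that ACS 5.2 rejects the characters " ' { } in a shared secret, as the error
message itself states.
"""
import csv
import io
from dataclasses import dataclass

# Characters ACS 5.2 refuses in a network-device shared secret, taken from
# the migration tool's own error text.
FORBIDDEN_SECRET_CHARS = frozenset('"\'{}')

# One record in the flattened report is these seven consecutive lines.
RECORD_FIELDS = ("source", "phase", "object_type", "device", "level", "code", "message")


@dataclass
class ReportRecord:
    source: str
    phase: str
    object_type: str
    device: str
    level: str
    code: str
    message: str


def parse_migration_report(text):
    """Group the flat report lines into records, skipping blank lines.

    Raises ValueError when the line count is not a multiple of seven, which
    usually means the export was truncated or a field contained a newline.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    width = len(RECORD_FIELDS)
    if len(lines) % width:
        raise ValueError(f"report has {len(lines)} lines, not a multiple of {width}")
    return [ReportRecord(*lines[i:i + width]) for i in range(0, len(lines), width)]


def secret_problems(secret):
    """Return the set of forbidden characters present in a candidate secret."""
    return set(secret) & FORBIDDEN_SECRET_CHARS


def devices_with_invalid_secret(records):
    """Names of network devices the analyser refused, in report order, de-duplicated."""
    seen = []
    for rec in records:
        if (rec.object_type == "Network Device"
                and rec.code == "invalid_sharedsecret"
                and rec.device not in seen):
            seen.append(rec.device)
    return seen


def build_import_csv(devices, new_secret, ip_by_device):
    """Emit a CSV of (Name, IP, TACACS+ secret) rows for the rejected devices.

    The header is an assumed illustration; the real ACS 5.2 File Operations
    template ships its own header, which must be used instead. Nothing is
    emitted if the replacement secret would fail the same character check.
    """
    bad = secret_problems(new_secret)
    if bad:
        raise ValueError(f"replacement secret contains forbidden characters: {sorted(bad)}")
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Name", "IP", "TACACS Shared Secret"])  # assumed header
    for name in devices:
        # "UNKNOWN-IP" is a labelled placeholder for devices missing from the map.
        writer.writerow([name, ip_by_device.get(name, "UNKNOWN-IP"), new_secret])
    return buf.getvalue()


# Constructed sample: the four records quoted in the post, re-typed as input.
_MSG = ('Cannot migrate Network Device that has Shared secret key with a name '
        'that contains any of the following characters: "\'{}')
_DEVICES = ("hqsvg22417k", "hqsvg22418k", "milswi1a1", "DS2000_Storm_Standby")
SAMPLE_REPORT = "\n".join(
    line
    for dev in _DEVICES
    for line in ("hqssec01", "AnalyzeAndExport", "Network Device", dev,
                 "error", "invalid_sharedsecret", _MSG)
)

if __name__ == "__main__":
    recs = parse_migration_report(SAMPLE_REPORT)
    names = devices_with_invalid_secret(recs)
    print(f"{len(names)} device(s) blocked by invalid_sharedsecret: {names}")
    print(build_import_csv(names, "replacement-secret-without-quotes", {}))
```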

Similar Messages

  • How to stop ACS integrated AD users from logging in to AAA clients (network devices)

    I have ACS 4.2 Appliance which is integrated with Active directory.
    AD users are able to login in network devices. Is there any way that I can stop AD users and other local users from logging in to AAA clients (network devices)?

    These types of configurations are a two-way street. ACS must be configured to actually perform the authentication/authorization, and the AAA clients must also be configured for authentication/authorization. I would look at the AAA client configurations, first.
    What kind of AAA clients are we talking about? Cisco switches, Cisco WLCs? Switching gear from other companies?
    For Cisco switches, lines like the following will tell them to use your ACS server for administrative user auth (RADIUS or TACACS+, respectively):
    aaa group server radius rad_admin
    server xxx.xxx.xxx.xxx
    aaa group server tacacs+ tac_admin
    server xxx.xxx.xxx.xxx
    If your AAA client is a WLC, then you need to uncheck the "Management" box where the RADIUS server is defined for authentication (Security -> AAA -> RADIUS -> Auth).

  • AAA authentication for networking devices using ACS 4.1 SE

    Hi!!!
    I want to perform AAA authentication for networking devices using ACS 4.1 SE.
    I do have Cisco 4500, 6500,2960, 3750, 3560, ASA, CSMARS, routers (2821) etc in my network. I want to have radius based authentication for the same.
    I want telnet, SSH and console attempts to be verified by the radius server, and if ACS goes down then it will be via the local enable password.
    For all users i need to have different privilege levels based upon which access will be granted.
    Could you please send me the config that is required on the active devices as well as ACS!

    Pradeep,
    Are you planning MAC authentication for some users while using EAP for others?
    For MAC authentication, just use the following in your AP.
    aaa authentication login mac_methods group radius
    In your AP, select the radius server for mac authentication. You must have already defined your ACS as a radius server.
    In your SSID configuration, under client authentication settings,
    check "open authentication" and also select "MAC Authentication" from the drop-down list.
    If you want both MAC or EAP, then select "MAC Authentication or EAP" from the dropdown.
    Define the mac address as the username and password in ACS. Make sure the format of the mac is without any spaces.
    You will not need to change anything in XP.
    NOTE: XP normally does not require user authentication if machine has already authenticated but it might behave differently. If it does, I can let you know the registry settings to force the behaviour change.
    HTH

  • ACS disconnects network devices randomly

    I've got a strange situation where our ACS seems to be disconnecting network devices periodically. Some of the logs make me think there's an issue with our AD setup, others point to runtime issues within the ACS. Typically it's just a quick drop and the other ACS picks up the load, but it seems to be happening more often.
    Anyone have any idea where I should start on this one?
    Nov 15 14:06:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[239] [daemon]: cdp_parse_version(): version = Linux 2.6.18-194.26.1.el5PAE #1 SMP Fri Oct 29 14:28:58 EDT 2010 CCM:8.6.1.20000-1
    Nov 15 14:06:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[849] [daemon]: parse_cdp_packet(): get CDP_PLATFORM_TYPE
    Nov 15 14:06:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[263] [daemon]: cdp_parse_platform(): platform = VMware
    Nov 15 14:06:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[919] [daemon]: parse_cdp_packet(): ready to add cdpCache record
    Nov 15 14:06:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[927] [daemon]: parse_cdp_packet(): done adding cdpCache record
    Nov 15 14:06:25 acs01 debugd[2572]: [2959]: cdp:infra: ether-write.c[87] [daemon]: WriteEther(): wrote len: 201
    Nov 15 14:06:25 acs01 debugd[2572]: [2959]: cdp:infra: ether-write.c[112] [daemon]: cdpd write succeed...  Writing with retransmissiontime 60... : [2959]: cdp:infra: main.c[128] [daemon]:
    Nov 15 14:06:30 acs01 adclient[5099]: WARN  <fd:53 rt_daemon(16882)> Failed to send message: Timeout during operation
    Nov 15 14:06:33 acs01 adclient[5099]: WARN  <fd:54 rt_daemon(16882)> Failed to send message: Timeout during operation
    Nov 15 14:06:43 acs01 adclient[5099]: WARN  <fd:43 CAPIGetObjectByName> daemon.ipcserver Unable to send reply message to client -- disconnecting client.
    Nov 15 14:06:54 acs01 adclient[5099]: WARN  <fd:43 rt_daemon(16882)> Failed to send message: Timeout during operation
    Nov 15 14:06:54 acs01 adclient[5099]: WARN  <fd:55 rt_daemon(16882)> Failed to send message: Timeout during operation
    Nov 15 14:06:54 acs01 adclient[5099]: WARN  <fd:56 rt_daemon(16882)> Failed to send message: Timeout during operation
    Nov 15 14:06:54 acs01 adclient[5099]: WARN  <fd:41 CAPIGetObjectByName> daemon.ipcserver Unable to send reply message to client -- disconnecting client.
    Nov 15 14:06:54 acs01 adclient[5099]: WARN  <fd:35 CAPILdapPagedSearch> daemon.ipcserver Unable to send reply message to client -- disconnecting client.
    Nov 15 14:06:57 acs01 adclient[5099]: WARN  <fd:35 rt_daemon(16882)> Failed to send message: Timeout during operation
    Nov 15 14:06:57 acs01 adclient[5099]: WARN  <fd:41 rt_daemon(16882)> Failed to send message: Timeout during operation
    Nov 15 14:06:58 acs01 adclient[5099]: WARN  <fd:51 CAPILdapPagedSearch> daemon.ipcserver Unable to send reply message to client -- disconnecting client.
    Nov 15 14:06:58 acs01 adclient[5099]: WARN  <fd:31 CAPIGetObjectByName> daemon.ipcserver Unable to send reply message to client -- disconnecting client.
    Nov 15 14:06:58 acs01 adclient[5099]: WARN  <fd:22 CAPIGetObjectByName> daemon.ipcserver Unable to send reply message to client -- disconnecting client.
    Nov 15 14:07:02 acs01 adclient[5099]: WARN  <fd:33 CAPIGetObjectByName> daemon.ipcserver Unable to send reply message to client -- disconnecting client.
    Nov 15 14:07:03 acs01 adclient[5099]: WARN  <fd:31 rt_daemon(16882)> Failed to send message: Timeout during operation
    Nov 15 14:07:03 acs01 adclient[5099]: WARN  <fd:33 rt_daemon(16882)> Failed to send message: Timeout during operation
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[762] [daemon]: cdp version: 2
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[763] [daemon]: cdp time-to-live: 180
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[798] [daemon]: aifEntry->cdpInterfaceIfIndex=<2>
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[813] [daemon]: parse_cdp_packet(): cdp info code 256
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[814] [daemon]: parse_cdp_packet(): cdp info length 7424
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[815] [daemon]: parse_cdp_packet(): cdp info bytes left 163
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[828] [daemon]: parse_cdp_packet(): get CDP_DEVICE_ID_TYPE
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[54] [daemon]: device name= svtcucm.westfieldgrp.corp
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[832] [daemon]: parse_cdp_packet(): get CDP_ADDRESS_TYPE
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[156] [daemon]: cdp_parse_address(): num_addrs = 1
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[161] [daemon]: cdp_parse_address(): parsing 0 address
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[83] [daemon]: cdp_parse_ip_info(): PT = 1
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[84] [daemon]: cdp_parse_ip_info(): PT length = 1
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[94] [daemon]: cdp_parse_ip_info(): address length = 4
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[99] [daemon]: cdp_parse_ip_info(): got IP address
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[109] [daemon]: cdp_parse_ip_info(): got IP address: 10.10.10.119
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[165] [daemon]: cdp_parse_address(): finished parsing 0 address
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[837] [daemon]: parse_cdp_packet(): get CDP_PORT_ID_TYPE
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[194] [daemon]: cdp_parse_port_id(): port_name = eth0
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[841] [daemon]: parse_cdp_packet(): get CDP_CAPABILITIES_TYPE
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[215] [daemon]: cdp_parse_capabilities(): capability = 0x10
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[861] [daemon]: parse_cdp_packet(): get DUPLEX_TYPE
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[341] [daemon]: cdp_parse_duplex(): is full duplex
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[845] [daemon]: parse_cdp_packet(): get CDP_VERSION_TYPE
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[239] [daemon]: cdp_parse_version(): version = Linux 2.6.18-194.26.1.el5PAE #1 SMP Fri Oct 29 14:28:58 EDT 2010 CCM:8.6.1.20000-1
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[849] [daemon]: parse_cdp_packet(): get CDP_PLATFORM_TYPE
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[263] [daemon]: cdp_parse_platform(): platform = VMware
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[919] [daemon]: parse_cdp_packet(): ready to add cdpCache record
    Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[927] [daemon]: parse_cdp_packet(): done adding cdpCache record
    Nov 15 14:07:06 acs01 adclient[5099]: WARN  <fd:40 rt_daemon(16882)> Failed to send message: Timeout during operation
    Nov 15 14:07:18 acs01 adclient[5099]: WARN  <fd:31 rt_daemon(16882)> Failure while reading message: Incorrect data type
    Nov 15 14:07:18 acs01 adclient[5099]: WARN  <fd:54 CAPILdapPagedSearch> daemon.ipcserver Unable to send reply message to client -- disconnecting client.
    Nov 15 14:07:18 acs01 adclient[5099]: WARN  <fd:29 CAPIGetObjectByName> daemon.ipcserver Unable to send reply message to client -- disconnecting client.
    Nov 15 14:07:18 acs01 adclient[5099]: WARN  <fd:47 CAPIGetObjectByName> daemon.ipcserver Unable to send reply message to client -- disconnecting client.
    Nov 15 14:07:25 acs01 debugd[2572]: [2959]: cdp:infra: ether-write.c[87] [daemon]: WriteEther(): wrote len: 201
    Nov 15 14:07:25 acs01 debugd[2572]: [2959]: cdp:infra: ether-write.c[112] [daemon]: cdpd write succeed...

    We are using both EAP-TLS (primarily for the wireless controllers) <-- This is where we saw the ACS timing out more often. I increased the wireless controller timeout from 2 sec to 5 sec yesterday; see if that helps. Not sure if users are actually getting dropped off or not. What I'm seeing is the controller deactivating and reactivating the ACS radius servers because it wasn't getting a response.
    We've often been seeing radius calls taking up to 3-4 seconds, which we're being told is expected after opening a case.
    We are using PEAP for our wired (primarily switch based radius calls) <-- these rarely get knocked off, but it happens enough to warrant a look, where the switch will identify a radius (acs) as dead in the middle of the day. The dot1x params on these switches are set to 5 seconds, so I'm assuming this is happening when the ACS is getting busy. But this really shouldn't be happening with the load we are running, that's why I'm trying to investigate if there is another issue somewhere.

  • ACS web interface hangs on Network Device Group

    We are facing a problem of the ACS web interface stopping responding whenever a Network Device Group is edited/added/deleted. This happens regardless of whether the web interface is opened remotely or on the ACS server.
    The session needs to be killed and then have to wait several minutes before attempting to edit NDG (although new session to ACS can be opened up almost immediately).
    I have checked there are no proxy settings in the browser, no firewall in between, etc.
    ACS is installed on Windows 2003 Server Enterprise Edition with SP1.
    ACS installation on another server of same hardware specs and java version works fine. The difference is that the OS on the working ACS is Win 2K3 Ent Ed. without SP1. However, according to Cisco, WIN 2K3 Ent Ed with SP1 is a supported platform.
    My ACS version is 4.0(1) build 27.
    Any ideas?

    I assume you have a java runtime installed?
    alas in the "old days" you could troubleshoot this type of thing by looking in the windows registry. This is all internal to the ACS SQLAnywhere DB now :(
    Darran

  • Can't auth to Nortels networks devices using RADIUS with ACS 5.1

    Hi,
    I've got a problem with the ACS 5.1 RADIUS Authentication for Nortel network devices (Baystack 470, ERS 5530 5510, Passport 8606).
    After configuring RADIUS on these device (primary serv, secondary serv, secret key, port...) and adding them to my ACS Servers.
    I can't manage to login using RADIUS and i get the following message.
    "Permission denied, please try again" or "No response from RADIUS server"(?) (depending on the device type)
    But in my ACS View, I can see : "Authentication succeeded."
    I've also checked the RADIUS frames, the "Access-Request" and "Access-Accept" are correctly transmitted.
    I've got no problems with RADIUS Auth using other brand devices
    Are there any known issues with Nortel devices using Cisco ACS 5.1 with RADIUS authentication?
    Regards.

    Are you sure that setting up a compound condition will help ?
    To me, the RADIUS Nortel VSAs are used for Authorization, and my problem is about Authentication (usually for a simple authentication, we stay within the IETF RADIUS standards, no?)
    Also, will setting this condition change the Access-Accept packets sent by the ACS to the device?
    Here is my steps in the ACS View
    11001 Received RADIUS Access-Request
    11017 RADIUS created a new session
    Evaluating Service Selection Policy
    15004 Matched rule
    15012 Selected Access Service - Default Network Access
    Evaluating Identity Policy
    15006 Matched Default Rule
    15013 Selected Identity Store - Internal Users
    24210 Looking up User in Internal Users IDStore - radius
    24212 Found User in Internal Users IDStore
    22037 Authentication Passed
    Evaluating Group Mapping Policy
    Evaluating Exception Authorization Policy
    15042 No rule was matched
    Evaluating Authorization Policy
    15006 Matched Default Rule
    15016 Selected Authorization Profile - Permit Access
    11002 Returned RADIUS Access-Accept
    So I think the ACS does its job

  • How do I restrict access to 4 devices using ACS

    Currently in our ACS we have Group A configured to have access to all network devices, with full privilege level 15 access to all devices.
    We are now trying to implement 4 new users, however we only want them to have access to 4 devices/routers (4 IP addresses) and only have basic level 1 functions in the router.
    Is this done under Network Access Filter or Network Access Group?
    Do I need to create a new group or can I somehow implement that into

    I'm using ACS v4.2 on Windows Server, TACACS.
    Under NAF I have configured the IPs of the servers I want them to access under Selected Items.
    Under NAR I have permitted calling point with the NAF and * *
    Under the Group Settings:
    Network Access Restrictions (NAR)
      Shared Network Access Restrictions
    Only Allow network access when all selected NARs result in permit, with the NAR I just configured in the selected NAR list.

  • TACACS auth and RADIUS accounting with ACS

    I am having RADIUS accounting issues with an ASA 5520 that uses TACACS for authentication. Both are hosted on the same ACS server. I can send RADIUS info to my Microsoft IAS box but get Syslog ID 113022 errors when trying to send to the ACS RADIUS. A packet capture shows the RADIUS accounting request getting to the ACS box (Windows Server 2003 R2) but syslog shows failedauth. Any ideas?

    Thank you for the response. I did verify the syslog explanation you gave below and the AAA server is online as TACACS message are getting to it. My configuration for the ASA for RADIUS is as follows
    Server Group - RADIUS
    Protocol - RADIUS
    Accounting Mode - Simultaneous
    Reactivation Mode - Timed
    Max Failed attempts - 3
    Two servers in the Server Group
    ACS - Not working
    Microsoft IAS - Working
    I have tried removing the IAS server and changing the accounting mode to single and still getting auth failures.
    ACS is configured as follows
    Network Configuration
    AAA Clients - ASA authenticate using TACACS+
    AAA Servers - None listed. When I tried to add the ACS machine the error said the server already existed (In another Network Device Group)

  • Authenticating against RADIUS *AND* TACACS

    G'day...
    Toys:
    Cisco Secure ACS 3.2
    Cisco 1242 Access Points
    I want to authenticate spectralink phones via LEAP (Radius Aironet) and IT staff logging onto the CLI via TACACS+, all off the same ACS Server.
    The only way I have gotten this to work is to setup TWO Network Device Groups, and add the access point in TWICE (with different unique hostnames). One authenticating RADIUS, and the other profile authenticating TACACS.
    Is this the right way to go about it? Why can't I pick two authentication methods under the one AAA Client profile?
    Cheers,
    Andrew.

    Hi,
    The AAA client hostname configured in Cisco Secure ACS is not required to match the hostname configured on a network device, you can assign any name. What is important is the IP Address to allow the device and ACS to communicate via each AAA protocol.
    If your device needs to use both TACACS+ and RADIUS to authenticate 2 different users, then your method is right. This is because a device with the same name cannot use both AAA methods to authenticate users - different operation. You have to use 2 different names, but running on the same IP on both TACACS+ and RADIUS.
    I am using the same approach to authenticate remote access clients and network admin in my Access Server.
    Rgds,
    AK

  • ACS any Version with Domain Controller on Windows Server 2008 R2 64bit

    Hi All
    Is there currently any ACS version working with Windows Server 2008 R2 domain controllers?
    Our server staff has recently upgraded the Domain Controllers to 2008 R2 and turned off the 2003 servers. This didn't make our ACS 4.1.4 really happy.
    I've now read several posts regarding issues with ACS and Server 2008 R2 and hope to find a solution (besides switching to LDAP, yuck).
    Thanks
    pato

    Hi Pato,
    Just check out the below link hope that help.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html
    As per the link, support for Windows Server 2008 is applicable from ACS 4.2 Patch 4 onwards.
    Hope to Help !!
    Remember to rate the helpful post
    Ganesh.H

  • ACS 5.3 - Error when changing Device group or Location

    I am trying to move a device from the Default location to a sub group and get the following message when I try (either with IE or Firefox)
    This System Failure occurred: Index : 0, Size: 0. Your changes have not been saved. Click OK to return to the list page.
    it also gives me the same error if I try and change the Device type from default to a sub group. I'm sure I could do this previously. The ACS build is (VMWARE install):
    Cisco Application Deployment Engine OS Release: 1.2
    ADE-OS Build Version: 1.2.0.228
    ADE-OS System Architecture: i386
    Copyright (c) 2005-2009 by Cisco Systems, Inc.
    All rights reserved.
    Hostname: ACS1
    Version information of installed applications
    Cisco ACS VERSION INFORMATION
    Version : 5.3.0.40
    Internal Build ID : B.839
    I'm suspecting it's a read/write issue with the database or a database corruption. Can anyone enlighten me on how to fix it please?
    I have stopped and started the application acs via the console and show application status acs has the following to say about itself.
    ACS1/admin# show application status acs
    ACS role: PRIMARY
    Process 'database'                  running
    Process 'management'                running
    Process 'runtime'                   running
    Process 'view-database'             running
    Process 'view-jobmanager'           running
    Process 'view-alertmanager'         running
    Process 'view-collector'            running
    Process 'view-logprocessor'         running
    Mel

    Does this happen to a small number of network devices or the whole set?
    If the former, then I found the following CDETS:
    CSCtw59271    Random Network Device corruption after upgrade from ACS 5.2 to 5.3
    Which includes the following workaround:
    Symptom 1: Delete and re-add the AAA client
    Symptom 2: Modify the TACACS+ shared secret of the Network Device, re-enter the same key and save the Network device.
    >>>> Use case where TACACS+ was used
    There are some important fixes related to upgrade issues in patch 5 and later for ACS 5.3. While these do not relate to NDs, I do recommend installing this patch.

  • ACS 5.3.0.40 with Bluecoat Packetshaper via Radius Auth using PAP/CHAP

    Hi,
    We have a strange issue; it may be a known issue. We have ACS 5.3.0.40 with a Bluecoat Packetshaper (Packeteer) as the RADIUS client and tried with PAP as well as CHAP with the suggested VSA. But once we try to authenticate with the GUI on the PS end we get authentication failed, i.e. it says invalid password, but on the ACS end we get it as an Auth success log. We are not able to login to the PS as well. Does anyone have any idea what the issue is? Is there anything to be done with the patch upgrade, or is it an issue with the Packetshaper?
    Below are the logs on the ACS server.
    Logged At: September 4,2012 4:10:26.250 PM
    RADIUS Status: Authentication succeeded
    NAS Failure:
    Username: knpdtf
    MAC/IP Address:
    Network Device: Test-PS : 10.187.115.83:
    Access Service: Radius Network
    Identity Store: Internal Users
    Authorization Profiles: Permit Access
    CTS Security Group:
    Authentication Method: PAP_ASCII
    By
    Karthik

    Hi,
    Do you have any special characters in the password? I would see if you can create an internal user in ACS and use a basic password (like cisco123) and see if the authentication will succeed. I have seen with some GUI-based products that some special characters can cause some headaches.
    thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ACS 5.3 WLC Certificates RADIUS Active Directory

    Hi,
    I have a wireless controller and an ACS 5.3. I would like to create a wireless network where a corporate laptop would use the certificates installed to connect to the wireless, and then authenticate with AD and laptop certificates to the ACS. So if a user from work brings a home laptop, this won't be able to connect as they don't have a certificate installed on the laptop.
    I have set up ACS to connect to AD.
    I have added the local certificate with my company's CA:
    acs.blah.com
    acs.blah.com
    SubCA3-1
    09:50 28.09.2012
    09:50 28.09.2018
    EAP, Management Interface
    I create a very simple rule and then try to connect through the laptop. I select the certificate on the client and click connect. The connection works fine and I am on the network.
    Authentication Summary
    Logged At: October 2,2012 3:06:37.996 PM
    RADIUS Status: Authentication succeeded
    NAS Failure:
    Username: blah\Eddy
    MAC/IP Address: 18-3d-a2-26-7f-b9
    Network Device: L39-WC-5508-01 : 10.49.2.150 :
    Access Service: WirelessAD
    Identity Store: AD1
    Authorization Profiles: Wireless AD
    CTS Security Group:
    Authentication Method: PEAP(EAP-MSCHAPv2)
    I then just tried a laptop I brought from home; I used my AD username and password and this also connected. This laptop doesn't have a certificate. How can I make it so that only work laptops with certificates are allowed to connect to the wireless?
    Any help would be great; happy to send screenshots of my setup.
    Cheers
    Eddy

    Hi Guys,
    Well, I configured the ACS following Scott's information, and I then tried to connect with the laptop and I got this:
    Logged At: October 12,2012 2:50:17.866 PM
    RADIUS Status: Authentication failed : 15039 Selected Authorization Profile is DenyAccess
    NAS Failure:
    Username: blah\eddy
    MAC/IP Address: 00-21-6a-07-31-88
    Network Device: -WC-5508-01 : 10.10.2.10 :
    Access Service: WirelessAD
    Identity Store: AD1
    Authorization Profiles: DenyAccess
    CTS Security Group:
    Authentication Method: PEAP(EAP-MSCHAPv2)
    I copied the two rules used in the setup by Scott and I still get this. I have copied and pasted the logs below; any ideas on how to get this to work? I don't have MARS; is MARS required for this PEAP setup?
    24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - AD1
    24430  Authenticating user against Active Directory
    24416  User's Groups retrieval from Active Directory succeeded
    24101  Some of the retrieved attributes contain multiple values. These values are discarded. The default values, if configured, will be used for these attributes.
    24420  User's Attributes retrieval from Active Directory succeeded
    24402  User authentication against Active Directory succeeded
    22037  Authentication Passed
    Evaluating Group Mapping Policy
    11824  EAP-MSCHAP authentication attempt passed
    12305  Prepared EAP-Request with another PEAP challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12304  Extracted EAP-Response containing PEAP challenge-response
    11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response
    11814  Inner EAP-MSCHAP authentication succeeded
    11519  Prepared EAP-Success for inner EAP method
    12314  PEAP inner method finished successfully
    12305  Prepared EAP-Request with another PEAP challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12304  Extracted EAP-Response containing PEAP challenge-response
    12306  PEAP authentication succeeded
    11503  Prepared EAP-Success
    24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory
    Any ideas, guys?
    Thanks for the help.

  • ACS 5.3 - command sets not working

    We installed ACS 5.3 on VMware (CentOS), and a Cisco router is configured to authenticate to this TACACS+ server.
    I am able to login to the router using the specified TACACS username/password and am able to see the hits as well, as shown below in the policy,
    but the command sets are not working as defined. Please help me find the problem.
    Status/# | Name | Conditions: Identity Group | NDG:Location | NDG:Device Type | Time And Date | Results: Command Sets | Shell Profile | Hit Count
    1 | RO ACCESS | in All Groups:READ ONLY ACCESS | in All Locations | in All Device Types | -ANY- | READ ONLY POLICY | RO SHELL | 10
    2 | RESTRICTED ACCESS | in All Groups:RESTRICTED ACCESS | in All Locations | in All Device Types | -ANY- | RESTRICTED USER POLICY | Permit Access | 1
    3 | SUPER ADMIN ACCESS | in All Groups:FULL ACCESS | in All Locations | in All Device Types | -ANY- | PERMIT ALL POLICY | Permit Access | 0

    Logs for such an RO (read-only) user login:
    AAA Protocol > TACACS+ Authentication Details
    Date: August 27, 2012
    Generated on August 28, 2012 7:13:37 AM UTC
    Authentication Details
    Status: Passed
    Failure Reason:
    Logged At: Aug 27, 2012 12:18 PM
    ACS Time: Aug 27, 2012 12:18 PM
    ACS Instance: acsserver
    Authentication Method: PAP_ASCII
    Authentication Type: ASCII
    Privilege Level: 15
    User
    Username: muthu
    Remote Address: 172.20.1.25
    Network Device
    Network Device: Default Network Device
    Network Device IP Address: 192.168.251.26
    Network Device Groups: Device Type:All Device Types, Location:All Locations
    Access Policy
    Access Service: TAFE POLICY1
    Identity Store: Internal Users
    Selected Shell Profile: RO SHELL
    Active Directory Domain:
    Identity Group: All Groups:READ ONLY ACCESS
    Access Service Selection Matched Rule: Rule-2
    Identity Policy Matched Rule: Default
    Selected Identity Stores: Internal Users, Internal Users
    Query Identity Stores:
    Selected Query Identity Stores:
    Group Mapping Policy Matched Rule: Default
    Authorization Policy Matched Rule: RO ACCESS
    Authorization Exception Policy Matched Rule: Other
    ACS Session ID: acsserver/132692348/212
    Service: Login
    AV Pairs:
    Response Time: 4
    Other Attributes:
    ACSVersion=acs-5.3.0.40-B.839
    ConfigVersionId=97
    Protocol=Tacacs
    Type=Authentication
    Action=Login
    Port=tty194
    Action=Login
    Port=tty194
    UserIdentityGroup=IdentityGroup:All Groups:READ ONLY ACCESS
    Authentication Result
    Type=Authentication
    Authen-Reply-Status=Pass
    Steps
    Get TACACS+ default network device setting.
    Received TACACS+ Authentication START Request
    Evaluating Service Selection Policy
    Matched rule
    Selected Access Service - TAFE POLICY1
    Returned TACACS+ Authentication Reply
    Get TACACS+ default network device setting.
    Received TACACS+ Authentication CONTINUE Request
    Using previously selected Access Service
    Evaluating Identity Policy
    Matched Default Rule
    Selected Identity Store - Internal Users
    Looking up User in Internal Users IDStore - muthu
    Found User in Internal Users IDStore
    TACACS+ will use the password prompt from global TACACS+ configuration.
    Returned TACACS+ Authentication Reply
    Get TACACS+ default network device setting.
    Received TACACS+ Authentication CONTINUE Request
    Using previously selected Access Service
    Evaluating Identity Policy
    Matched Default Rule
    Selected Identity Store - Internal Users
    Looking up User in Internal Users IDStore - muthu
    Found User in Internal Users IDStore
    Authentication Passed
    Evaluating Group Mapping Policy
    Matched Default Rule
    Evaluating Exception Authorization Policy
    No rule was matched
    Evaluating Authorization Policy
    Matched rule
    Returned TACACS+ Authentication Reply
    Additional Details
    Diagnostics ACS Configuration Changes

  • ACS 5.3 user-based/custom enable passwords

    Hello,
    I've installed Cisco ACS 5.3. After I created several internal users (defined password and enable password), Identity Groups, Access Policies, Network Devices and AAA Clients (e.g. Cisco 1841) for RADIUS, I configured my router like this:
    aaa authentication login VTY group radius local-case
    aaa authentication enable default group radius enable
    Now I'm able to login successfully using my internal user. But if I try to use enable to enter the enable level, I receive the message "% Error in authentication." when I use the defined enable password.
    In the ACS logging I can see that "$enab15$" is missing.
    If I set up a user named "$enab15", I can login to enable level, but what do I have to do to use the custom enable passwords?
    Kind regards
    Kai
    === Correct answer ===
    Hello,
    please see the attachment.
    Steps 1.2 - 1.5 are required for both (RADIUS and TACACS). Then you have to switch to 2.1 - 2.7 for RADIUS or 3.1 - 3.7 for TACACS authentication.
    The document shows you all the steps you have to take. The box on the right side shows you, in the headline, "Required for". This should help you find out why this is configured and where you will need it in future steps; or "Provided by" should tell you where you have configured it.
    But I'm sure you will make it.
    I've tested it with the following hardware:
    Cisco Router:
    600 ,800 ,1800 ,1900 ,2600 ,2800 ,2900, 3900, 4000, 7200 ,7300 Series
    Cisco Switches:
    2900, 2950, 2960, 3550, 3560, 3750, 4500, 6500, Nexus 5500 Series
    Cisco Unified Communication:
    Call Manager Express, UC560
    Hewlett-Packard Switches:
    1700, 1800, 2500, 2600, 3500, 5400, 8100 (out of sale) Series
    Yes, working in a datacenter is fine for testing

    Hi Kai,
    can you share the configurations for TACACS? 
    Thanks
