ACS 4.2 questions

Hello AAA experts,
My customer has to change the IP address of one of the ACS servers that is in production. In my opinion, a change in IP address would cause the AAA client information in the ACS GUI to update and point to the new IP address automatically.
It would be great if you could validate my opinion and point me to any other issues that may arise after changing the IP address.
Second, I do not see any download image available on CCO for ACS 4.2. There were only the Clean Access utility and cumulative patches. Any idea where I can get the complete ACS 4.2 software image?
Thanks

Hi,
I did not quite understand the following part:
"In my opinion, a change in IP address would cause the AAA client information in the ACS GUI to update and point to the new IP address automatically."
If you change the IP address of the ACS server, then all the AAA clients have to change their AAA server configuration and point to the new IP address of the ACS server.
For the images: which images are you looking for? Kindly open a TAC case so that the images can be published to you.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Similar Messages

  • ACS Server Install Questions

    I have a remote site customer that is in the process of replacing their ACS servers, and have several questions:
    1) What version should we be installing?
    2) Where can we get a clean binary installer (or do we have to start with 3.x or 4.0 and upgrade? If upgrading, can we use the latest patch installer, or do we have to apply successive patches?)
    3) Cross-version replication? Current servers have Release 4.1(1) Build 23 Patch 5. Do these need to be upgraded to the current version, or can we install the latest and replicate from the current one?
    4) Is it possible to use a different DNS name (ex. rtpacs.corpnet2.com) for the website than the server's 'real' name (ex. us2sawn00232.us1auth.xxxx.com)?
    5) How to use a GSK-signed cert? Have tried previously and failed. Anything special here?
    Thanks for any help you can give.
    RO

    Hi Richard,
    For your query on replication, the ACS servers should be of the same version; only then can you replicate between ACS partners. If you have the same version, then your first and third queries are answered.
    For your fourth query, you can use a DNS server to host your web servers: whenever a user accesses your website, the traffic will land on your DNS server, which will redirect it to the original server. For that, the DNS server should be the authoritative server for your website.
    For a clean binary installation I would suggest checking out this link http://openacs.org/forums/message-view?message_id=1245671 hope this helps.
    If helpful, do rate the valuable post.
    Regards
    Ganesh.H

  • ACS SE upgrade questions

    We currently have an ACS SE 1112 version 3.3.4.12. Windows Active Directory is being used to authenticate users.
    We have a new ACS (1113 running 4.1.1.23.5) that will be replacing this one.
    Regarding the new install, do I need to install a new remote agent to use with Active Directory? Also, can I use the same IP address for the new ACS SE that is being used for the one that will be replaced? We didn't want to change our switch and router configs if it isn't necessary. Is it possible just to set up everything on the new ACS SE and then unplug the old one and plug in the new one?
    I am new to ACS and was not around when it was originally set up so sorry if these are dumb questions!
    Please advise. Thanks so much.

    It should work as long as you don't miss anything, and yes, you are supposed to install an agent that matches the version you are running. You might want to go ahead and put the latest updates on the ACS before you put it into operation. The process is kind of different from other updates. You might want to read my other ACS posts. I recently killed one of my ACS boxes because I did not install the CSUpdate cumulative patch before installing the latest patch of the same rev level (i.e. read directions carefully). Make sure you do an FTP backup before updating the software. If anything goes wrong you could have to reimage the box. There were lots of bug fixes in the updates since 4.1.1.
    Randy

  • ACS 5.1 questions

    Acs Experts,
    Need quick answers to a few questions related to ACS 5.1 for a customer. I have not used ACS 5.1 yet, so watch out for the easy questions.
    1) Is it possible to generate a report for the users who have been inactive for, say, the last 30 days? The customer is looking to audit these users to see if they really need access to any device.
    2) Are there any known issues while assigning privilege levels to users? In this customer's current implementation, users are always logged into priv 1 though they are assigning privilege level 5. I understand that with ACS 4.x we can enable the exec process and assign the priv under the user/group policy. What configuration might the customer be missing in this case?
    3) Is there any SNMP or other notification available in ACS 5.1 where the admin can be notified at the time a particular set of users logs in?
    Thanks

    Hi,
    Please find answers inline:
    1) Is it possible to generate a report for the users who have been inactive for, say, the last 30 days? The customer is looking to audit these users to see if they really need access to any device.
    [ANS] You can generate user reports using several items, including reports for the last 30 days:
    2) Are there any known issues while assigning privilege levels to users? In this customer's current implementation, users are always logged into priv 1 though they are assigning privilege level 5. I understand that with ACS 4.x we can enable the exec process and assign the priv under the user/group policy. What configuration might the customer be missing in this case?
    [ANS] You can do exactly the same implementation in ACS 5.x. Simply create Authorization profiles to apply to the users that successfully authenticate.
    3) Is there any SNMP or other notification available in ACS 5.1 where the admin can be notified at the time a particular set of users logs in?
    [ANS] You can create "Alarms" that will send notification via e-mail and/or to a syslog server:
    Monitoring and Reports > ... > Alarms > Thresholds > Add
    HTH,
    Tiago
    If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.

  • ACS 4.1 questions

    I executed csutil -d to get a copy of dump.txt for some scripting. It asked me for a password, so I hit <enter> because I do not want it password protected. At this point, I cannot copy the file to another computer, but I can copy it to the same server. Any ideas of how to get this done?
    Can I do a dump that is not password protected?
    Thanks
    DWane

    My apologies to all. I have one more question for you about the ACS 4.1 Appliance. I need to gain access to the passed authentication logs and be able to copy them to a test server that we have set up. Can this be done? How does one gain access to the 4113 SE Appliance?
    Thank you,
    DWane

  • ACS external database question

    Hi,
    Our customer needs a security solution that enables the users to log in to the wireless network with their usernames and the passwords which are stored in Active Directory, not using the wireless pre-shared key.
    If we are using an ACS server and integrate it with Active Directory, will this enable the users to log in with their usernames and passwords or not?
    Also, our customer uses D-Link access points. Must these access points be replaced with Cisco access points, or can they be used with the ACS?
    Please, I need your help.
    regards

    Yes, that is possible with EAP.
    User---->Dlink AP---->ACS ---->AD
    This link explains about PEAP authentication,
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SCAuth.html#wp380605
    Regards,
    ~JG

  • ACS 4.2 Question

    Can you import RADIUS dictionaries into ACS 4.2? Currently we are running 4.2.0 in production. I need to add Airespace attributes to the system. Can this be done, or am I forced to upgrade to 4.2.1 code, where I know the Airespace dictionaries I need are?
    Michael 

    Hi Adhitya,
    Here are the commands:
    Enter the number of times the server searches the list of TACACS+ servers before stopping.
    tacacs-server retransmit retries
    Set the interval the server waits for a TACACS+ server host to reply.
    tacacs-server timeout seconds
    Set the number of login attempts that can be made on the line.
    tacacs-server attempts count
    For more info:
    http://docstore.mik.ua/univercd/cc/td/doc/product/lan/c2900xl/29_35sa6/eescg/mascupf.htm#xtocid173290
    Default timeout value is 5 sec
    In order to calculate the total delay before you are prompted for a username/password, you would be required to run debugs on the device.
    debug aaa authentication
    debug aaa authorization
    debug tacacs
    term mon
    Also provide the output of the below listed command
    sh run | in tacacs
    HTH
    Regards,
    JK

  • ACS 4.2 Question about the Logs

    We use ACS quite a bit in the form of mapping back to AD for the user database, which can be somewhat cryptic in the ACS logs when trying to figure out who a username really is. There is a column for 'Real Name'; has anyone figured out how to incorporate AD's user field of Real Name so it shows up in the ACS log?

    ACS doesn't pull any data back from AD such as real name etc.
    It does (or used to) populate the "External DB Info" field with the name of the authenticating domain.
    If you need that level of audit, it probably wouldn't be too hard to script an export of the user information from AD, format it appropriately for RDBMS Sync and push it into ACS.
    RDBMS Sync action code 1 can set the User Define Fields, eg
    Action,UN,VN,V1,V2,AI
    1,fred,USER_DEFINED_FIELD_0,Fred Jones,TYPE_STRING,APP_CSAUTH
    Full info on RDBMS Sync at http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/A_RDBMS.html
    Assuming auditing your ACS logs is important to you... take a look at http://www.extraxi.com. We have tools for log harvesting and reporting!
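    The export-and-format step suggested above, as an added example that is not part of the original post: a small Python script that takes a constructed list of (sAMAccountName, displayName) pairs, as an AD export might yield, and renders them as RDBMS Sync rows in the column order and with the constants shown in the post (action code 1, USER_DEFINED_FIELD_0, TYPE_STRING, APP_CSAUTH). The constant name ACTION_SET_VALUE is this example's own label for action code 1, and the validate step is an extra sanity check before the file is pushed to ACS; neither comes from the page or from Cisco's documentation.

```python
import csv
import io

# RDBMS Sync column order and constants exactly as shown in the post
RDBMS_HEADER = ["Action", "UN", "VN", "V1", "V2", "AI"]
ACTION_SET_VALUE = 1                           # label assumed here for action code 1
USER_DEFINED_FIELD_0 = "USER_DEFINED_FIELD_0"  # the user-defined field used for "Real Name"
VALUE_TYPE_STRING = "TYPE_STRING"
APP_CSAUTH = "APP_CSAUTH"

# Constructed sample of what an AD export might yield: (sAMAccountName, displayName)
SAMPLE_AD_USERS = [
    ("fred", "Fred Jones"),
    ("alice", "Alice Smith"),
    ("svc_backup", ""),   # no display name: skipped rather than written as an empty value
]


def rdbms_sync_rows(users):
    """Turn (username, real name) pairs into RDBMS Sync action rows for USER_DEFINED_FIELD_0."""
    rows = []
    for username, real_name in users:
        if not username or not real_name.strip():
            continue
        rows.append([ACTION_SET_VALUE, username, USER_DEFINED_FIELD_0,
                     real_name.strip(), VALUE_TYPE_STRING, APP_CSAUTH])
    return rows


def rdbms_sync_csv(users):
    """Render the header plus one action row per user as CSV text."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(RDBMS_HEADER)
    writer.writerows(rdbms_sync_rows(users))
    return buf.getvalue()


def validate_sync_csv(text):
    """Reject files whose header, field count or action code is not what we expect to push."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header != RDBMS_HEADER:
        return False
    for row in reader:
        if len(row) != len(RDBMS_HEADER) or row[0] != str(ACTION_SET_VALUE):
            return False
    return True


if __name__ == "__main__":
    text = rdbms_sync_csv(SAMPLE_AD_USERS)
    print(text, end="")
    print("valid:", validate_sync_csv(text))
```

    In a real deployment the user list would come from an LDAP query rather than the constructed list, and the resulting file is what RDBMS Sync reads; the validator keeps a malformed export from being pushed into ACS.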

  • How to use user-roles in Ironport WSA (7.6) using ACS 4.1?

    Hello,
    I want to give a client access to a S370 WSA quarantine and I am using an ACS 4.1 for external authentication; that would be used for administrators and for the client access (non-administration access).
    I have created a user-role in the WSA that has access to the quarantine I want, but I need the user to be in the ACS. I created the user in ACS, but my question is, what should I configure or change in the ACS in order for the WSA to recognize the user with the specific role I created and not as an administrator role?
    Thanks for your help!
    Sergio

    Hi,
    This can be done by configuring the Radius Class attribute on the ACS and mapping it with the user roles on the WSA.
    "To map RADIUS users to different Web Security appliance user role types, you assign a role type, such
    as Administrator and Operator, to a RADIUS CLASS attribute. Mapping different role types lets you
    specify the authorization level for each RADIUS user."
    Please go to Page 26-12 of the WSA user guide http://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa7-5/user_guide/WSA_7-5-0_UserGuide.pdf for more information under the section "Using External Authentication".
    Regards,
    Kush

  • Certificate on acs

    Hello Folks
    WiFi users are authenticated via single sign-on on MS AD using ACS (802.1X).
    The question is: is it mandatory to generate a certificate on the ACS and then export it to the controller in order for authentication to work?

    Hi Ibrahim,
    How are you?
    First, what 802.1X EAP are you using? What ACS rev are you on?
    I will assume PEAP.
    1) An ACS cert is required. You have 2 options for a certificate.
         a. You can do a self-generated certificate, which is created on and by the ACS server. This cert lasts 12 months from the time you create it. Here is further reading on the ACS self cert.
         Personally, I'm not a fan of the self-signed ACS certificate. Because if you validate the cert on the client you will need to push this cert to each client. I will explain that later.
    Self-signed Certificate Setup (only if you do not use an external CA)
    Note: When you test in the lab with self-signed certificates,  it results in a longer authentication time the first time a client  authenticates with the Microsoft supplicant. All subsequent  authentications are fine.
    Complete these steps:
    On the Cisco Secure ACS server, click System Configuration.
    Click ACS Certificate Setup.
    Click Generate Self-signed Certificate.
    Type something into the Certificate subject field preceded by cn=, for example, cn=ACS33.
    Type the full path and name of the certificate that you want to create, for example, c:\acscert \acs33.cer.
    Type the full path and name of the private key file that you want to create, for example, c:\acscert \acs33.pvk.
    Enter and confirm the private key password.
    Choose 1024 from the key length drop-down menu.
    Note: While Cisco Secure ACS can generate key sizes greater  than 1024, the use of a key larger than 1024 does not work with PEAP.  Authentication might appear to pass in ACS, but the client hangs while  authentication is attempted.
    Check Install generated certificate.
    Click Submit.
         b. You can get a CA-signed certificate. If you are using 4.x ACS you can generate what is called a CSR, a Certificate Signing Request. You then send the CSR to a CA and they generate a cert for you.
    Here is a link to read up on the CA certifciate.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml#t14
    How and where to install the certs and how it works...
    1) The cert is installed on the ACS server, and on the client IF a) you are validating the cert on the client and b) you are using an ACS self-signed cert.
    So the ACS server has a cert installed on it. This cert is used to build a secure tunnel between the ACS server and the wireless client so that when the wireless client passes its credentials they cannot be seen, as they are passed in the tunnel created by the certificate (think HTTPS).
    When a wireless client connects, the WLC / WLAN is configured with 802.1X. So the WLC passes all the authentication traffic directly to the ACS. So the WLC DOESN'T NEED TO KNOW ABOUT THE CERT. This chatter is just between the ACS and the wireless client, and the WLC acts as the middle man.
    So the wireless client connects. The ACS server sends the cert (the one you added) to the wireless client. The wireless client has 2 configurable options: 1) Validate the certificate 2) Not validate the certificate. If you validate the certificate then that cert needs to be on the client, because the client is going to look at the cert presented by the ACS server and see if it has it in its root store, thus validating it. Or you can not validate it. If you don't validate it, it's a BIG security boo boo.
    Make sense?

  • ACE ACS TACACS+ Key Mismatch issue

    Goodday,
    I have an issue when trying to set up ACE Modules for TACACS+ and AAA authentication whereby the Failed Authentication reports state the reason as "Key Mismath".
    We have confirmed that the key we are using is the same on the ACE and on the ACS.
    The question I have is as follows:
    Should the key we enter on the ACE remain as we have typed it, so if we enter mysharedkey as the key should this show as such in the running config or should it show as encrypted? Currently it shows in the running as we have entered it but just adds the 7 before the key and places the key in inverted commas.
    So config entered something like this:
    tacacs-server host 10.10.10.10 key mysharedkey
    aaa group server tacacs+ acs_pri
    server 10.10.10.10
    aaa authentication login default group acs_pri local none
    BTW, we are running version 2.1.4(a).
    Thanks for any assistance with this.
    Paul

    Hi Kevin,
    Thanks for the reply. I can confirm we have the "ssh key rsa 1024 force". I even tried removing and re-issuing the command.
    On the point of the show run revealing something encrypted instead of the actual TACACS key, this is not what we see; we see the actual key we entered.
    This is my concern.
    We managed to get this working by checking on the production ACE modules and production ACS, using the "encrypted" key we see in that "show run" and locating the key in the production ACS config (which was not under the ACE NDG, but under the ACS server's own config, which also looks like something encrypted) and using this in the NDG config as the key for our ACE NDG on the test ACS.
    The problem arises that every six months or so, as a security requirement, the keys change, and how will we then know what to apply on the ACE if it does not apply the encryption of the key we enter itself?
    See my problem...
    Thanks again for the assistance and any further guidance would be appreciated.
    Paul.

  • VPN filter per remote access user (via ACS)?

    Hello everyone,
    I'm deploying IPSec Remote Access VPN for my company. I have Cisco ASA 5540 (8.0.4) and Cisco Secure ACS. I have successfully configured the system with authentication by ACS.
    The question is, I want to apply filter policy for per user. I know that there's a method called vpn-filter. If I use local authentication, I can apply ACL to user attribute.
    eg.
    access-list 103 extended permit tcp 10.1.49.2 255.255.255.0 host 10.1.1.10 eq 3389
    username testvpn attributes
    vpn-filter value 103
    But users are configured on ACS, so how can I apply a vpn-filter policy to the user? I don't really want to apply vpn-filter to the group-policy.
    Please help me to find a method. Thank you very much.
    Regards,
    Hiep Nguyen.

    Hi,
    I think this is what you are looking for
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a9eddc.shtml
    You will need to set up the IETF attribute like this
    filter-id=acl_name
    There is a good example right there (better than mine) let me know how it goes.
    Mike
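    Both the WSA answer above (a RADIUS Class attribute mapped to a user role) and this ASA answer (an IETF Filter-Id carrying the vpn-filter ACL name) come down to the same thing: the per-user authorization lives in attributes of the RADIUS Access-Accept that ACS returns, and the NAS applies them only after checking the reply against the shared secret. The following Python is an added example, not code from the original post or from Cisco: it builds an Access-Accept the way an RFC 2865 server does (Response Authenticator = MD5 over the header, the request authenticator, the attributes and the secret), then parses and verifies it the way a NAS should before trusting the attributes. The shared secret, request authenticator, ACL name and the ROLE_MAP table standing in for the WSA's CLASS-to-role mapping are all constructed for the example.

```python
import hashlib
import hmac
import struct

# Codes and attribute numbers from RFC 2865
CODE_ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11   # ASA reads this as the vpn-filter ACL name (filter-id=acl_name)
ATTR_CLASS = 25       # WSA maps this value to a user role such as Operator

# Hypothetical role table standing in for the WSA's CLASS-to-role mapping
ROLE_MAP = {
    b"Administrator": "admin",
    b"Operator": "operator",
    b"Read-Only Operator": "readonly",
}


def encode_attr(attr_type, value):
    """Encode one attribute as Type (1 byte), Length (1 byte, incl. header), Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_accept(identifier, request_authenticator, secret, attrs):
    """Build an Access-Accept as the RADIUS server (here standing in for ACS) sends it.

    The Response Authenticator ties the reply to the original request and to the
    shared secret, so a NAS can reject replies from anyone who lacks the secret.
    """
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def parse_packet(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def verify_response(packet, request_authenticator, secret):
    """Recompute the Response Authenticator and compare in constant time."""
    _, _, authenticator, _ = parse_packet(packet)
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def authorization_from_accept(packet, request_authenticator, secret):
    """Return the per-user authorization a NAS derives from a verified Access-Accept."""
    if not verify_response(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or altered packet")
    code, _, _, attrs = parse_packet(packet)
    if code != CODE_ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    result = {"vpn_filter": None, "role": None}
    for attr_type, value in attrs:
        if attr_type == ATTR_FILTER_ID:
            result["vpn_filter"] = value.decode("ascii")   # ACL name the ASA applies per user
        elif attr_type == ATTR_CLASS:
            result["role"] = ROLE_MAP.get(value, "unmapped")  # WSA role for this user
    return result


if __name__ == "__main__":
    # Constructed values: the NAS would have sent this identifier and authenticator in its Access-Request
    secret = b"example-shared-secret"
    req_auth = bytes(range(16))
    reply = build_access_accept(7, req_auth, secret,
                                [(ATTR_FILTER_ID, b"vpn_acl_testvpn"), (ATTR_CLASS, b"Operator")])
    print(authorization_from_accept(reply, req_auth, secret))
```

    A reply built with a different secret, or with any attribute byte altered, fails verify_response and the NAS never applies its Filter-Id or Class; a Class value that is not in the role table is reported as unmapped rather than silently falling through to a privileged default.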

  • NAC Inband Layer 2 VG

    Hello Dears,
    My company ordered NAC and ACS 1120. My question is: can I configure 802.1X security through the ACS server and NAC in Layer 2 In-band Virtual Gateway for campus switches?
    Is it a good design to have double security for switch ports, first 802.1X and second NAC in Layer 2 In-band VG?
    Thanks.

    Hello Dears,
    Any suggestions please, experts?

  • Common Services and device removal

    Hello group,
    Just joined our new CiscoWorks server to our ACS server per the documentation, and everything went fine except for the device import from LMS to ACS. Anyway, I have gone through and added a bunch of our devices to ACS manually, and now they show up in CS, RME, etc. However, there is now a disproportionate number of devices that are not in ACS versus devices in ACS.
    My question is simply, can I remove those devices that are listed as "Not configured in ACS"? I tried to use the dcrcli command from the LMS server, but I get an error resembling a permission denied. Is a purge of devices possible?
    Many thanks in advance,
    AJ Schroeder

    Here is the error that I get when trying to remove devices from the dcrcli command (this is with the local admin account):
    Exception in thread "main" com.cisco.nm.dcr.DCRException: Authorization Failed
            at com.cisco.nm.dcr.LocalDCR.getMatchingDevices(Unknown Source)
            at com.cisco.nm.dcr.DCRProxy.getMatchingDevices_DIRECT(Unknown Source)
            at com.cisco.nm.dcr.DCRProxy.getMatchingDevices(Unknown Source)
            at com.cisco.nm.dcr.DCRcli.performDel(Unknown Source)
            at com.cisco.nm.dcr.DCRcli.start(Unknown Source)
            at com.cisco.nm.dcr.DCRcli.main(Unknown Source)
    I also tried with the system identity account and got rejected as well:
    Error in Delete Device: User is not authorized to perform the task on device.
    Hope this helps,
    AJ Schroeder

  • Force WLAN client to renew ip on WLC with dynamic interfaces

    Hi there
    we would like to have a "two tier" authentication for the corporate WLAN clients:
    Requirements
    1. Machine Authentication
    The client gets machine authenticated based on the machine account in the Active Directory with PEAP. At this stage, the client will get an IP from VLAN A. VLAN A has limited access to the corporate infrastructure (DNS, AD, some volumes / shares, and so on). The filtering is done with an IP access list on the Layer 3 VLAN interface on the core switches.
    2. User Authentication
    The user logs in on the client and gets user authenticated based on their user account in the Active Directory with PEAP; only users with a valid Machine Access Restriction (MAR) are allowed to log in. Now the client is moved to another VLAN B. VLAN B has full access to the corporate infrastructure; there is no IP access list here.
    Infrastructure
    We have the following:
    2 x WLC 5508 with 7.3.101.0
    2 x ACS 5.3.0.40.6
    Problem
    Now we have the problem that the Windows client sometimes takes up to 3 minutes to connect to the WLAN after the user logs in. In the debug, I can see that this happens because the client is stuck in DHCP renewal:
    1. After the machine has been authenticated it has an IP assigned from VLAN A. This works pretty well if the client gets rebooted.
    2. If the user logs in for the first time after the reboot, the user gets connected within 10 seconds, which is pretty good. The client now has an IP in VLAN B.
    3. Now the user logs out of Windows, and I can see in the debug that the client is put into VLAN A (machine authentication) again, but the client still tries to DHCPREQUEST the IP address from VLAN B (user authentication). Because this request is sent out on the wrong dynamic interface on the WLC, the DHCPREQUEST is not acknowledged and the client gets stuck in this situation.
    4. If the user or another user logs in again shortly after the logout, the client still tries to DHCPREQUEST the IP of VLAN B, and now the "3 times DHCP failure on WLC" comes into play, because the WLC thinks that the DHCP server is not reachable -> but it only does not answer a wrong DHCPREQUEST.
    Question
    On ISE there is a way to force the client to renew the DHCP address (via CoA, but this has its limitations too --> need to install an ActiveX or Java applet). I think there is no way to force the client to renew its IP with ACS, but my question is, is there a workaround, and are there any others that maybe already solved this problem?
    Alternative
    If there is no way to bring this to work with two different VLANs, I could try to realize this with only one VLAN. After the machine authentication I could apply a WLC ACL to restrict access to the corporate infrastructure. If the user authentication happens, I could "remove" this ACL to grant full access for this user / client. But I am still interested in the other solution ;-)
    Thanks in advance for any advice and best regards
    Dominic

    Your second option is what you should do. A client that already has an IP address, especially on wireless, will not know it has been put in a different VLAN when you change the VLAN, and that's why it breaks. If there was a way to change the VLAN and send something to the WLC to disassociate the client, that might work.
