ACS 4.2 users import

Hi,
I want to import users to ACS 4.2 with a static IP address assigned to every user.
I have found the format of the file to add users, but I did not find how I can add the static IP to this file.
ADD:Dchira:CSDB:backup:PROFILE:4

Hi,
You can use RDBMS Synchronization to do the same. The attribute 150 "SET_STATIC_IP" can be used for this.
Please check http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4-2/user/guide/ACS4_2UG/A_RDBMS.html 
Do rate if Helpful
Regards,
Kush

Similar Messages

  • 802.1x auth via ACS through unknown user policy - multiple directories?

    A customer has an LDAP directory as well as a Novell NDS directory.
    MAC clients authenticate to IPlanet LDAP.
    Windows users authenticate to Novell NDS.
    Is there any way to use multiple SSIDs and the unknown user policy to authenticate users against their appropriate directories?
    Thanks,
    Tim

    Actually, you can. You can manually add users to the ACS database and specify which external database to use. Take a look at the URL below. It covers adding users to the ACS database using the CSUtil.exe program on the ACS server. The import file that is read allows you to specify which external database type to query for the user's authentication.
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/ae.htm#wp365101
    Steve

  • Issue with Cisco ACS 4.2. Users unable to log in to AAA client, but after restarting group policy able to log in

    Issue with Cisco ACS 4.2. Users unable to log in to AAA client, but after restarting group policy able to log in.

  • ACS support Kerberos User Database?

    Hi,
    I've a customer currently having kerberos user database. I proposed to him to implement ACS to enable 802.1x on wireless client. Can ACS support or integrate with Kerberos User Database? If yes, any user guide which list out the steps on doing so?
    I searched through Cisco website but failed to find any info related to the integration of ACS with Kerberos User Database.
    Thank.
    Delon

    For network users who are authenticated by a Windows user database, Cisco Secure ACS supports user-changeable passwords upon password expiration. You can enable this feature in the MS-CHAP Settings and Windows EAP Settings tables on the Windows User Database Configuration page in the External User Databases section.

  • Knowledge Center User Import Utility Password Issue

    Hello,
    I have imported some users using a text file but the users are having trouble logging into their accounts in the Knowledge Center.
    "Login Invalid. Please verify your Username and Password."
    I have already checked the user properties, and it's okay.
    The Text file looks like this:
    USERNAME
    PASSWORD
    FIRSTNAME
    LASTNAME
    MINIT
    EMAIL
    NTINTEGRATED
    USERGROUP
    upkuser
    user01
    Name
    Lastname
    L
    group01
    If I change the password in the user properties, the users can access Knowledge Center.
    Do I need to change the password for every imported user?
    Many thanks.

    Hello Sumeet,
    You are right in saying 'The issue happens when importing from a text file.  The User Import Utility makes all passwords lower case.'
    Oracle accepted this as a bug and provided me with patch Oracle Knowledge Base with ID 18328709, and the issue is resolved.
    Thanks and Regards,
    Jayraj

  • Knowledge Center User Import Utility

    Hello,
    I have imported some users using an Excel spreadsheet but the users are having trouble logging into their accounts in the Knowledge Center.
    "Login Invalid. Please verify your Username and Password."
    I have already checked the user properties, and it's okay.
    The excel spreadsheet looks like this:
    USERNAME
    PASSWORD
    FIRSTNAME
    LASTNAME
    MINIT
    EMAIL
    NTINTEGRATED
    USERGROUP
    upkuser
    user01
    Name
    Lastname
    L
    group01
    If I change the password in the user properties, the users can access Knowledge Center.
    Do I need to change the password for every imported user?
    Many thanks.

    Hello Sumeet,
    You are right in saying 'The issue happens when importing from a text file.  The User Import Utility makes all passwords lower case.'
    Oracle accepted this as a bug and provided me with patch Oracle Knowledge Base with ID 18328709, and the issue is resolved.
    Thanks and Regards,
    Jayraj

  • ACS for Windows, users never used!

    How can I create a report of inactive users?
    Thanks.
    Andrea.

    With aaa-reports! you can import the ACS database (package.cab or dump.txt) and then run an inactive user report against this and the accounting records imported.
    If ACS has the password ageing feature enabled we can see the last authenticated date/time stored in each ACS user account.
    Obviously the second method is the most accurate as it doesn't require any accounting data.
    Darran

  • Cisco ACS v4.1 - User Export incl. Authentication Method

    Hi,
    I wish to export a list of all our users, to include their group and more importantly, their password authentication method. We have a combination of users that authenticate using both ACS internal database and also external RSA Secure ID database. Basically I need to identify all users who are NOT authenticating against Secure ID.
    I ran CSUtil.exe -u   , however this only gives me the user & group, doesn't list the authentication method per user.
    Thanks,
    Brian

    Brian,
    Unfortunately, CSUtil.exe will only list the users & group they are a member of. So the simple answer is no.
    If the goal is to set everyone to use token authentication, you could export a list of all users with CSUtil.exe, then use the client import option to update the database used for authentication of all users. Here is the URL for documentation on this and other CSUtil.exe options.
    =====================
    Via Csutil
    Created a file in text format
    ONLINE
    UPDATE::EXT_SDI
    ADD::EXT_SDI:PROFILE:
    DELETE:
    csutil -i
    =====================
    If you feel adventurous, you could explore the contents of the dump.txt by running csutil -d
    This file does contain the information you are looking for. However, there is no documentation or support available for reading or decrypting it.
    Regards,
    Jatin
    Do rate helpful posts-

  • ACS 5.2 - User accounts File Update is not working as expected

    Hello, I have serious problem with importing Fixed IPs to User accounts in ACS 5.2.
    Because this attribute can't be migrated directly I try it via "File Operations --> Update". I have created file according to Update template but entered IP addresses are not imported - every other attribute can be changed without problem.
    If I will try "File Operations --> Add" it is working well, but I can't use this option.
    IPv4 address attribute in "System Administration --> Configuration --> Dictionaries --> Identity --> Internal Users" is added properly and appropriate field is present in Users accounts.
    Do you have any idea what can be wrong?

    Hi Michal,
    yes I filed this as a bug very recently. It happens after a migration from ACS 4.
    CSCtk05027 : users custom fields after migration - import/update doesn't work
    Try to modify one of your user entry. Just add an ip address manually there for example. Then do the file update. It will work for that user and it will update the ip address.
    The workaround is to export all your ACS 5 users, then delete them from the database, then do a file import "add" instead of update. A bit of a silly workaround but the bug should be fixed in future patches (no information on that yet).
    Regards,
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • OIA 11gR1 + OIM 9.1.0.2 (BP12) Websphere class not found error user import

    Hi All,
    I am integrating OIA (11gr1) with OIM 9.1.0.2 (BP12) patch and have followed the steps mentioned in the Sys Integration. However when importing users from OIM, the following error is thrown - OIM is on Websphere, OIA is on Tomcat - Thanks for your inputs!!
    org.quartz.SchedulerException: Job threw an unhandled exception. [See nested exception: java.lang.NoClassDefFoundError: com/ibm/websphere/security/auth/callback/WSCallbackHandlerImpl]
         at org.quartz.core.JobRunShell.run(JobRunShell.java:213)
         at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:534)
    Caused by: java.lang.NoClassDefFoundError: com/ibm/websphere/security/auth/callback/WSCallbackHandlerImpl
         at Thor.API.Security.LoginHandler.websphereLoginHandler.login(Unknown Source)
         at Thor.API.Security.ClientLoginUtility.login(Unknown Source)
         at Thor.API.tcUtilityFactory.<init>(Unknown Source)
         at com.vaau.rbacx.iam.oracle.OIMIAMSolution.getUtilityFactory(OIMIAMSolution.java:2542)
         at com.vaau.rbacx.iam.oracle.OIMIAMSolution.readResources(OIMIAMSolution.java:402)
         at com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl.importResources(RbacxIAMServiceImpl.java:469)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
         at java.lang.reflect.Method.invoke(Unknown Source)
         at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)

    (Because no1 else has given you a reply I will try and help ;-) )
    It's obvious that you are missing a jar file, check if you have any of the following missing (This is for the 11g product though this could resolve your issue)
    xlAPI.jar
    xlAuthentication.jar
    xlCache.jar
    xlCrypto.jar
    xlDataObjectBeans.jar
    xlDataObjects.jar
    xlLogger.jar
    xlScheduler.jar
    xlUtils.xls
    xLVO.jar -----> All from WebSphere directory into the WEB-INF/lib
    Check the documentation also and see if you were meant to transfer the right .jar files over
    Regards,
    Daniel
    Edited by: Daniel Redfern on Feb 7, 2011 2:28 PM

  • How to stop ACS integrated AD users to login in AAA clients (network device)

    I have ACS 4.2 Appliance which is integrated with Active Directory.
    AD users are able to log in to network devices. Is there any way that I can stop AD users and other local users from logging in to AAA clients (network devices)?

    These types of configurations are a two-way street. ACS must be configured to actually perform the authentication/authorization, and the AAA clients must also be configured for authentication/authorization. I would look at the AAA client configurations, first.
    What kind of AAA clients are we talking about? Cisco switches, Cisco WLCs? Switching gear from other companies?
    For Cisco switches, lines like the following will tell them to use your ACS server for administrative user auth (RADIUS or TACACS+, respectively):
    aaa group server radius rad_admin
     server xxx.xxx.xxx.xxx
    aaa group server tacacs+ tac_admin
     server xxx.xxx.xxx.xxx
    If your AAA client is a WLC, then you need to uncheck the "Management" box where the RADIUS server is defined for authentication (Security -> AAA -> RADIUS -> Auth).

  • ISync palm conduit in 10.5 - won't work under user imported from 10.4?

    My Palm m500 was syncing fine with my PowerBook G4 running Mac OS 10.4
    I recently got a spiffy new MacBook Pro (Penryn) with 10.5, and although the Palm does communicate and sync via Palm Desktop, it no longer syncs via iSync with iCal & Address Book. I keep getting the following in the hotsync log:
    < snip >
    OK Install
    iSync Conduit starting 3/13/08 10:38:34 PM
    iSync Conduit: received NULL message, disconnecting...
    OK iSync Conduit
    </ snip >
    ==========
    Other info:
    I imported the user info for my main user from the old 10.4 installation using Migration Assistant.
    • Deleted old Palm HotSync & Desktop files from the username:Library:Application Support, as palm preference files from username:Library:Preferences
    • Copied the old user folder to an alternate location, and removed the Palm folder from username:Documents:
    • Re-installed Palm Desktop 4.2.1 under main user (authorized as an "administrator" temporarily)
    • Sync worked (no data on Palm Desktop, but everything backed up ok), HotSync even recovers and creates a new user based on the data on the device, and even backs up all the programs.
    • Enabled Palm Os Syncing from within iSync (works fine, so long as the account being used has read/write permissions to HD:Library:Application Support:Palm HotSync:Conduits)
    • "Enable iSync for this palm device" from the iSync conduit within HotSync Manager.
    During a sync, iSync kicks in and "connects", but can't get past AddressBook syncing, and never actually sends info to the Palm device. Presumably, this is where the "NULL message" is received and syncing stops. When I specify "Erase data on device then sync" in iSync (for first synchronization), it does indeed erase address book data on the device, but never sends anything to replace it, but also does not touch the calendar data on the palm device.
    Furthermore, I tried the same procedure when logged in as another administrator account (what is normally the main administrator account on this computer), and synced first without iSync, then enabling "iSync for this Palm device". Under this other account, the syncing works. I can add events to iCal, and contacts to address book, and they are transferred successfully and synced with the palm device. But it still does not work when logged in as the main user (even when administrator privileges are enabled, which I normally don't want), which actually has all my iCal and Address book data (which syncs successfully through .Mac with my computer at work).
    There should be plenty of free space on the device for all my calendar & contact data (3MB).
    Given that syncing DOES work for one administrator user (which was never before set-up for this), but not for the user that was imported from 10.4 and was syncing successfully before, I have a suspicion that there's either some leftover files that I missed, or a permissions conflict within the user's home folder that I am missing. Has anyone else been able to resolve this issue, or have any suggestions based on this information?
    Much appreciated.

    Experimentation reveals that:
    • replacing the old addressbook data with blank allows syncing to work without problems.
    • having multiple groups causes the same error: BUT only on the first sync (set to “Erase data on device then sync”, but also if set to “merge”). Adding groups after a successful initial sync did not interfere with further syncs.
    • deleting groups from existing AddressBook data does allow a successful first sync.
    • but adding them back in again breaks the sync.
    Having no groups would seem to allow a successful sync.
    see http://discussions.apple.com/thread.jspa?messageID=6805570&#6805570
    I don’t want to have to limit myself to this. I do use groups rather a lot and it would be frustrating to have to give up using them just so I can sync my Palm in Leopard.
    The following does NOT solve the problem:
    1. Move old Address Book data to a backup location (after exporting AddressBook library)
    2. do a first sync
    3. re-import full Address Book data from archive
    4. continue with regular syncs.
    • only sync one Group still leads to the same error.
    • iSync 2 doesn’t run under Leopard (error message along the lines of “You can’t use this software with this version of Mac OS”).
    • I also tried to use the previous iSync palm conduit (v3.0.2 instead of v3.1.0), but got the same errors.
    For now, I removed all the groups and synced my contacts to my Palm, but I then turned off syncing for contacts within iSync, so I could recover all my Address Book Groups. Fortunately, I need to update Calendar information more often than contact info, and I won’t be able to change contact info on the Palm device. When I do want to do a periodic update to my Palm device, I will have to:
    1. Backup my address book
    2. Delete all groups (but not the contacts within them, which stay in the library itself)
    3. Turn contact syncing on in iSync
    4. Sync the Palm device
    5. Turn contact syncing OFF in iSync
    6. Recover my Address Book Library & groups from backup
    Not as simple as I would expect from Apple software ... I hope this issue gets fixed in iSync 3 (Leopard).

  • RSA SecurID and Cisco ACS integration for user(s) with enable mode

    I thought I had this problem figured out but I guess not.
    I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
    router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
    I use tacacs+ authentication for logging into the Cisco router
    such as telnet and ssh. In the ACS I use "external user databases"
    for authentication which proxy the request from the ACS over
    to the RSA SecurID Server. I installed RSA Agents with
    sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
    to be "RSA_SecurID" group. In the "External user databases" and
    "database configurations" I assign SecurID to this "RSA_SecurID"
    group.
    Everything is working fine. In the "User Setup" I can see dynamic
    user test1, test2,...testn listed in there as "dynamic users". In
    other words, I can telnet into the router with my two-factor
    SecurID.
    The problem is that if test1 wants to go into "enable" mode with
    SecurID login, I have to go into "test1" user setting and select
    "TACACS+Enable Password" and choose "Use external database password".
    After that, test1 can go into enable mode with his/her SecurID
    credential.
    Well, this works fine if I have a few users. The problem is that
    I have about 100 users that I need to do this. The solution is
    clearly not scalable. Is there a setting from group level that
    I can do this?
    Any ACS "experts" want to help me out here? Thanks.

    That is not what I want. I want user "test1" to be able to do this:
    C
    Username: test1
    Enter PASSCODE:
    C2960>en
    Enter PASSCODE:
    C2960#
    In other words, test1 user has to type in his/her RSA token password to get
    into exec mode. After that, he/she has to use the RSA token password to
    get into enable mode. Each user can get into "enable" mode with his/her
    RSA token mode.
    The way you described, it seemed like anyone in this group can go directly
    into enable mode without password. This is not what I have in mind.
    Any other ideas? Thanks.

  • "Role not defined for individual users" on user import

    Hello,
    I am trying to import a certain user from one portal to another and I get this warning message:
    "Role <pcd_role_path> not defined for individual users."
    This role is assigned to this user at the 1st portal and exists at the 2nd portal at the same location.
    What does it mean and what do I need to do in this case?

    Hi Roy,
    Just check one thing ....
    Please check whether the user has permissions to those roles.
    Please go to the PCD location where the roles are defined.
    Right click on the role and check permissions.
    See if the user you are using is mentioned there. If not, add your user with read/write end user permission.
    I hope this will help you.
    Regards,
    Sujay

  • ACS 5 Limited user account

    Hi, I have Cisco ACS 5.2 and want to create a user account for a technician, with only certain commands.
    How can I achieve this?
    Thanks

    Hi,
    You cannot do per-command authorization.
    But you can assign some of the pre-defined roles to the admin.
    Check this:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/admin_admin.html#wp1068641
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"
