ACS 4.2

Hello,
My company bought a product
CSACS-1120-K9    
And also
CSACS-4.2-WIN-K9
Why do I need a DVD when I have an ACS Engine?
Can anybody help me understand? As far as I know, ACSE is an appliance with a preinstalled ACS
AND
CSACS-4.2-WIN-K9  
is a DVD which is installed on a server according to the prerequisites on the Cisco website.
Thanks

Thomas,
The 1120 Secure Access Control System (CSACS 1120) comes preloaded with version 5.x, and on the other side you have the ACS Windows CD for version 4.2.0.124, so they have different ACS versions. There is no point running two different versions in the same network because that would not allow you to do replication or synchronization. Also, both have different architecture and functionality.
I think you would require a Recovery DVD of ACS version 4.2 so that you can downgrade the 1120 to 4.2 and use one as primary and the other as secondary or backup ACS.
The only option we have is to downgrade because ACS Windows 4.2 cannot be upgraded to 5.x. You always have an option to migrate because 5.x only supports Linux OS.
Regds,
JK
Do rate helpful posts-

Similar Messages

  • ACS 5.3 Default Backup Password

    When doing a backup on any of the ACS 5.x appliances by default the backup is encrypted with PGP. What password is used for that? Is it configurable?

    It is not configurable and that information wasn't made public. However, when you restore, it should be able to decrypt it just fine.
    You can try opening a TAC case, but when I was in TAC I wasn't able to find that key either.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • How to migrate multiple ACS database into one ACS database ?

    Hey All,
    We just purchased several companies, and as the IT/network department we need to consolidate all the ACS servers from the HQ and the purchased company into one ACS. I read the Cisco docs, which mention that I can export the migration file from the old ACS and upload it into the new ACS server.
    But my concern is that we have multiple ACS servers. Will the multiple ACS migration files overwrite each other during the upload into the new server?
    thanks

    Raghavender -
    I am not an expert on MySQL migration, but you would look to migrate the database to a local Oracle Database and then move that to your Database Cloud Service.  However, keep in mind that at this time you can only access the Database Cloud Service from outside the Cloud via RESTful Web Services, so you might have to modify the application that accesses the database.  Hope this helps.
    - Rick Greenwald

  • ACS any Version with Domain Controller on Windows Server 2008 R2 64bit

    Hi All
    Is there currently any ACS version working with Windows Server 2008 R2 domain controllers?
    Our server stuff has recently upgraded the Domain Controllers to 2008r2 and turned off the 2003 servers. This didn't make our ACS 4.1.4 really happy.
    I've now read several posts regarding issues with ACS and Server 2008r2 and hope to find a solution (besides switching to LDAP, yukk).
    Thanks
    pato

    Hi Pato,
    Just check out the link below; hope that helps.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html
    As per the link, it says the support for Windows Server 2008 is applicable for ACS 4.2 Patch 4 onwards.
    Hope to Help !!
    Remember to rate the helpful post
    Ganesh.H

  • Issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

    issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login


  • Can I obtain access token from ADFS 3.0 based on OAuth ACS-token that I already have?

    Hello!
    I have the following setup: iOS device, ACS/WAAD is IDP and ADFS 3.0 as RP, securing access to WIF web service.
    I want iOS application users to be able to access ADFS-protected web-service.
    I have created some users in WAAD, configured trust between ACS IDP and ADFS RP.
    ADFS is registered in WAAD with AppID = ADFSAppID
    I am doing the following request in order to obtain authorization token for iOS app user from ACS:
    const string issuerName = "[email protected]";
    const string issuerPassword = "Password!23";
    var authContext = new AuthenticationContext("https://login.windows.net/ADFSAppID");
    var uc = new UserCredential(issuerName, issuerPassword);
    var result = authContext.AcquireToken("http://adfs.appdomain.com/adfs/services/trust",
    "ADFSAppID",
    uc);
    _authHeader = result.CreateAuthorizationHeader();
    So, I have a token from ACS in JWT format.
    Now I need to present this token to ADFS in order to obtain a new token that I can use to access the web-service. I am trying the following POST-query:
    https://adfs.appdomain.com/adfs/oauth2/token?grant_type=authorization_code&code={0}&client_id=ADFSAppID&redirect_uri=http://web_service_url
    However, when I try accessing web service with that token, I am getting 403:unauthorized and redirected back to ADFS.
    I have already tried lots of code solutions, such as
    http://leastprivilege.com/2010/10/28/wif-adfs-2-and-wcfpart-6-chaining-multiple-token-services/
    http://www.cloudidentity.com/blog/2013/07/30/securing-a-web-api-with-windows-server-2012-r2-adfs-and-katana/
    http://blog.scottlogic.com/2015/03/09/OAUTH2-Authentication-with-ADFS-3.0.html
    But somehow the problem remains: I cannot get such authentication token from ADFS that it is accepted by my webservice as a valid token.
    Can anybody provide any links or code samples of token exchange between ACS and ADFS?

    Yes, it is. I was able to authenticate normally, if I am using ADFS as IdP for WIF RP.
    But when Azure is IdP for ADFS-protected WIF WS, I am unable to get tokens that would be accepted by WIF WS

  • ACS SHAREPOINT AZURE ACTIVE DIRECTORY

    Hi, 
    I am trying to get this scenario working, I have a Sharepoint front end and a service webapi backend, I have my web API protected using AAD as IDP. And because Sharepoint only supports SAML 1.1 I had to use ACS to be the federation provider as ACS gives SAML1.1.
    Now my question is how can I get a JWT token to access my backend from Sharepoint which has access to the SAML1.1 token which it got when user initially authenticated himself. 
    Any help will be really appreciated as I have been stuck on this for 4 days or so.
    Thanks,
    Bala

    Looks like it is working fine. Steps: 1) The user is redirected to ACS when logging into SharePoint configured with ACS as the provider. 2) Chooses AAD as the IDP. 3) Logs into AAD, gets redirected back to ACS and gets the SAML 1.1 token. 4) Now when I redirect my browser from inside SharePoint to AAD requesting an Authorization code for the user, I get it from AAD.
    The reason I think it works is that my browser has the fedAuth cookies which AAD had issued in the first place. Can someone confirm that this is actually the case? For now I think it is working this way for me.
    Bala

  • Help adding new WLC to existing ACS

    Hi All,
    I need help with this.
    This network has a working WLC that authenticates wireless users against an ACS by MAC address. It works fine.
    I need to add a new WLC.
    I added the WLC, the APs connect to the WLC fine, but the users get limited connectivity and we've found out that is because the new WLC is getting authentication errors against the ACS.
    The configuration of the new WLC is exactly the same as the current working WLC and both controllers show as AAA clients on the ACS.
    I want to know if somebody can point me in the right direction to solve this.
    There's connectivity fine between all devices (as far as PING goes), and there's no Firewall or filters in between.
    The difference I see on both WLCs is that on the working one (WLC1), under Security - AP Policies, we see the AP Authorization List with the MAC addresses/cert type/hash.  We don't get this information on the non-working WLC (attached document shows both)
    Also in the attached document, I'm sending the errors I get on the WLC2 controller.
    Any help is greatly appreciated.
    Federico.

    Federico,
    I didn't get you when you say that you see only One WLC under groupsetup/Mac address. Could you please elaborate this?
    Also, if you don't see any NAR configured under the shared profile components, then check inside the group/user setup; there must be either an IP-based or CLI/DNIS-based NAR configured for the WLCs, and looking at the failed attempts it seems that the action is denied.
    HTH
    Regds,
    JK
    Do rate helpful posts-

  • Problem when try to use ACSE+ Windows AD to authenticate two kind of WLAN c

    I met a problem when trying to use ACSE + Windows AD to authenticate two kinds of WLAN clients:
    1. Background:
    We have two WLANs: staff and student. Both of them will use PEAP-MSCHAPv2. ACSE will be the RADIUS server, and it will use Windows AD's user database. In AD, they created two groups: staff and student. The testing account for staff is staff1, the testing account for student is student1.
    2. Problem:
    If student1 tries to associate to the staff WLAN, since both the staff and student WLANs use the same authentication method, the auth request will be sent to the AD user database. Since student1 is a valid user account in AD, it will pass the authentication and then join the staff WLAN. How can we prevent this from happening?
    3. Potential solution and its limitation:
    1) Use group mapping in ACSE(Dynamic VLAN Assignment with WLCs based on ACS to Active Directory Group Mapping), but ACS can only support group mapping for those groups that have no more than 500 users. But the student group will definitely exceed 500 users, how to solve it?
    2) Use methods like “Restrict WLAN Access based on SSID with WLC and Cisco Secure ACS”: Configure DNIS with ssid name in NAR of ACSE, but since DNIS/NAR is only configurable in ACSE, don't know if AD support it or not, is there any options in AD like DNIS/NAR in ACSE?
    Thanks for any suggestions!

    I think the documentation for ACS states:
    ACS can only support group mapping for users who belong to 500 or fewer Windows groups
    I read that as: if a user belongs to >500 Windows groups, ACS can't map it. The group can have over 500 users; it's just that those users can't belong to more than 500 groups.

  • ACS 5.3 - Backups fail to TFTP, work to DISK

    Hi All,
    I'm configuring ACS for the first time and the config is complete and working, except backups of the view database. I've created a TFTP repository and if I perform a manual backup or wait for a scheduled one to occur, it fails. I do get a .tar.gpg file on the TFTP server (but cannot restore from it as it's not listed in "Restore" as a backup).
    It works fine if I create and use a local disk repository. I get a .tar.gpg but also a catalog.xml and repolock.cfg file (which I don't in TFTP). Looking at the logs on the TFTP server I can see it tries repeatedly to read the catalog.xml file but fails:
    Read request for file <DB/catalog.xml>. Mode netascii [15/07 16:05:52.167]
    File <DB\catalog.xml> : error 2 in system call CreateFile The system cannot find the file specified. [15/07 16:05:52.167]
    That seems correct, the file doesn't exist. However it never seems to try and create it.
    (I've created 4 or 5 TFTP repositories testing this, all behave the same)
    Any ideas?
    Paul

    Paul,
    TFTP will not work because the protocol doesn't support directory listing. What the ACS is trying to do is determine if a backup is currently running by looking into the repolock.cfg file. It also tries to see the contents of the catalog.xml file so that when an incremental backup is triggered it will add a line of the first full backup followed by all the incremental backups. Your best bet is to use FTP for the backup, and this will fix the issue you are facing.
    Thanks,
    Tarik Admani

  • Acs 5.3 and wlc 2504 config with restricted network access

    Hello,
    I submit to you the following issue that I'm currently facing:
    I must configure a secured wireless network with access restriction based on SSID. The equipment is: Cisco WLC 2504 (soft 7.3) and Cisco Secure ACS appliance 1121 (soft 5.4).
    The users that will connect to the network are grouped by identity groups, each identity group having its own SSID. Clearly, each group of users must access only one SSID.
    I followed the procedure below to configure it:
    -- creating user identity groups;
    -- creating users and assigning them to the groups;
    -- creating authorization profiles for each SSID under policy element/ authorization and permission/network access/authorization profiles and putting the Airespace-Wlan-Id (the SSID number) in the RADIUS tab.
    -- assigning the authorization profiles to the identity groups under access policies.
    After all this config, the users can access the network using their configured userid/password. But the problem is that every user can access every SSID; it seems like the restriction is not very well configured.
    I found some documentation on this kind of config, but the version of ACS used seems older than the one that I use, so the menus are very different.
    Please can someone provide the right steps to follow to achieve this kind of config.
    Thanks in advance

    Yes, you only have to add the end filter like what I posted. As far as the calling station ID in the WLC security tab, it doesn't matter because that is not used when using 802.1x. I would also try not to enable everything that you have, just to start from the basics and make sure it works first. The WAP Authentication Method might or might not work for you. Uncheck that for now, and when you have a successful authentication, look at the monitor log and see what RADIUS attributes are being sent, because those attributes are what you can use to build your policies.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • ACS 5.3 confusion

    Hi all,
    I have some dial up users that will connect to my portal and will access my internal resources. We want to give them initial password but want to force them through a prompt to change their password on first login. Can this be done in acs 5.x ?
    Kindly guide me

    Jonn,
    What are you using as far as dial-up? Do you know what protocol is being used for the authentication protocol? Are they using PPP?
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ACS 5.3 connected to AD

    So we have this problem that just started, and I can replicate the issue as well: if a user makes a mistake typing their password, after 1 attempt ACS sends 3 to AD, locking out the user.
    In a PuTTY or SecureCRT session, after 1 failed password attempt, I am unable to retry with that same session. Any thoughts or suggestions?
    The issue seems to be that after 1 bad password attempt, from the client side I am unable to get another try.
    Jeff

    Hi Jeff,
    We have a bug filed for this issue and it is fixed in 5.3 patch 3
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?caller=pluginredirector&method=fetchBugDetails&bugId=CSCtz03211
    Regards,
    ~JG
    Do rate helpful posts

  • ACS 5.3 - Error when changing Device group or Location

    I am trying to move a device from the Default location to a sub group and get the following message when I try (either with IE or Firefox)
    This System Failure occurred: Index : 0, Size: 0. Your changes have not been saved. Click OK to return to the list page.
    It also gives me the same error if I try to change the Device type from default to a sub group. I'm sure I could do this previously. The ACS build is (VMware install):
    Cisco Application Deployment Engine OS Release: 1.2
    ADE-OS Build Version: 1.2.0.228
    ADE-OS System Architecture: i386
    Copyright (c) 2005-2009 by Cisco Systems, Inc.
    All rights reserved.
    Hostname: ACS1
    Version information of installed applications
    Cisco ACS VERSION INFORMATION
    Version : 5.3.0.40
    Internal Build ID : B.839
    I suspect it's a read/write issue with the database or a database corruption. Can anyone enlighten me on how to fix it, please?
    I have stopped and started the application acs via the console and show application status acs has the following to say about itself.
    ACS1/admin# show application status acs
    ACS role: PRIMARY
    Process 'database'                  running
    Process 'management'                running
    Process 'runtime'                   running
    Process 'view-database'             running
    Process 'view-jobmanager'           running
    Process 'view-alertmanager'         running
    Process 'view-collector'            running
    Process 'view-logprocessor'         running
    Mel

    Does this happen to a small number of network devices or the whole set?
    If the former, then I found the following CDETS
    CSCtw59271    Random Network Device corruption after upgrade from ACS 5.2 to 5.3
    Which includes the following workaround
    Symptom 1: Delete and re-add the AAA client
    Symptom 2: Modify the TACACS+ shared secret of the Network Device, re-enter the same key and save the Network device.
    >>>> Use case where TACACS+ was used
    There are some important fixes related to upgrade issues in patch 5 and later for ACS 5.3. While these do not relate to NDs I do recommend installing this patch

  • Acs 5.3 - wireless conversion from 4.0

    Hi All
    As previous posters may have noticed, I have been given the task of moving the ACS from 4.0 to 5.3, which turns out to be considerably different.
    Sadly I have nothing to test with at the moment, so I am trying to work it out as best I can before the abbreviated period of cutover begins.
    I have a Service Desk group setting in 4.0
    Under groups I have the group settings, and down at the bottom I have the following -
    (ticked )  Wireless-WCS HTTP
    (ticked ) Custom Attributes
    Then in the box -
    virtual-domain0=CRUK
    role0=LobbyAmbassador
    task0=Configure Guest Users
    task1=Lobby Ambassador User Preferences
    Fine, but that doesn't translate directly into any 5.3 settings.
    I assume that I would do the following:
    In policy elements, create a shell profile (Service Desk) with the following settings -
    Privilege level 0
    Custom attributes
    Manually entered -   
    attribute              requirement              Value
    virtual-domain      mandatory               virtual-domain0=CRUK
    role                    mandatory               role0=LobbyAmbassador
    task0                 mandatory               task0=Configure Guest Users
    task1                 mandatory               task1=Lobby Ambassador User Preferences
    submit that and then go to  -
    Access Policies/default device admin/Authorisation
    Create a new Rule
    Add  the correct AD group in compound condition AD-AD1   attribute ExternalGroups  value static
    in NDG:Device Type -  reference the WLC (previously created as device type with ip address)
    Then in Results reference the above shell profile - Service Desk.
    Sorry about the longevity, but if this looks OK or rubbish can someone let me know, as I won't have much time to get it working with the real wireless
    Thanks in advance
    Steve

    Steve,
    The process is correct. However, I am pointing out the following mistakes
    It should not be
    virtual-domain      mandatory               virtual-domain0=CRUK
    rather it should be
    virtual-domain0      mandatory               CRUK
    In 4.x, virtual-domain0=CRUK means virtual-domain0 is the attribute and CRUK is the value. Pls follow the same for all the AV pairs listed above.
    -Mani
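
The attribute/value split described in the reply above, as an added example that is not part of the original posts or any Cisco tool: a short Python sketch that turns the ACS 4.x custom-attribute box from this thread into 5.x-style rows and flags the mistakes in the first proposal. The function names and the (attribute, requirement, value) tuple layout are assumptions made for illustration.

```python
# ACS 4.x custom-attribute box, copied from the question in this thread.
ACS4_BOX = """\
virtual-domain0=CRUK
role0=LobbyAmbassador
task0=Configure Guest Users
task1=Lobby Ambassador User Preferences
"""

# Rows as first proposed for the 5.3 shell profile:
# (attribute, requirement, value), copied from the question.
PROPOSED_ROWS = [
    ("virtual-domain", "mandatory", "virtual-domain0=CRUK"),
    ("role", "mandatory", "role0=LobbyAmbassador"),
    ("task0", "mandatory", "task0=Configure Guest Users"),
    ("task1", "mandatory", "task1=Lobby Ambassador User Preferences"),
]


def convert_acs4_box(text, requirement="mandatory"):
    """Split each 4.x 'name=value' line into a 5.x-style row.

    Everything left of the first '=' is the attribute (index included),
    everything right of it is the value (spaces preserved).
    """
    rows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        name, sep, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not name or not value:
            raise ValueError(f"line {lineno}: expected attribute=value, got {raw!r}")
        rows.append((name, requirement, value))
    return rows


def lint_rows(rows, acs4_text):
    """Compare hand-entered rows against the 4.x box and list the problems."""
    expected = {name: value for name, _req, value in convert_acs4_box(acs4_text)}
    problems = []
    for attr, _req, value in rows:
        prefix, sep, _rest = value.partition("=")
        if sep and prefix.strip() in expected:
            problems.append(f"{attr}: value still carries the 4.x 'name=' prefix")
        if attr not in expected:
            problems.append(f"{attr}: attribute name matches no 4.x pair (index dropped?)")
        elif not sep and expected[attr] != value:
            problems.append(f"{attr}: value differs from the 4.x box")
    return problems


if __name__ == "__main__":
    for row in convert_acs4_box(ACS4_BOX):
        print("%-18s %-10s %s" % row)
    for problem in lint_rows(PROPOSED_ROWS, ACS4_BOX):
        print("WARN", problem)
```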

  • ACS 5.3 Authorization problem with using Identity Groups in Access Policy Rule

    Hello guys, I have found a problem which I can't solve regarding authorization using Identity Groups in an Access Policy rule.
    ACS version: 5.3.0.40.6 (internal build B.839)
    I have a very simple RADIUS Authorization rule which authorizes the user on behalf of the right Identity Group.
    Requested Identity Group exist
    Testing user is created in Internal Users and has assigned requested Identity Group
    Radius Access Policy: 
    Authentication against Identity Store Sequence, where authorization server is external RSA SecurID device and additional attributes retrieval is configured from Internal Users.
    Authorization is very simple – One Rule with only one Condition which is: Identity Group - in - Requested_Testing_Rule. Then Default rule is set to Deny.
    When I try to log in with my testing user, authentication against RSA SecurID is OK, but authorization is denied by the Default rule. It looks like my Rule with the Identity Group is totally omitted.
    I am managing several other ACS servers (version 5.3 but with older patches) where similar rules are working without problem.
    What I have tested:
    Remove testing user and create his account again.
    Rename Identity Group
    Use another Identity Group
    Remove Access Policy rule and create it again
    Use Compound Condition: System:Identity Group
    Use Compound Condition: System:UserID instead of Identity Group in Rule (it is working without problem)
    Do you have any idea where the problem could be?

    OK guys, it started working yesterday without any configuration change. Maybe it was some database inconsistency which was solved by ACS itself.
