ACS 5.1 login snmp tracking

Hello sirs,
Could you please answer a little question.
Is it possible to track failed login attempts to ACS instances (both on CLI and web GUI) by SNMP?
Unfortunately I haven't found such an option in Monitoring and Reports > Alarms > Thresholds.

I've figured out how to monitor failed attempts via syslog. However, there is another problem. We have many servers in a distributed deployment. Syslog is set globally on all servers through our primary server (syslog writes to the syslog server and the log collector). The log collector is placed on the secondary server. The syslog server receives log messages about administrator logins to the primary server, but it hasn't received any messages from the other servers in the deployment. I changed the settings on the primary server and it seems that on the secondary servers this setting was changed automatically (according to the GUI). What can be the source of the problem? All related ports on the firewalls are open.
And there is another issue. Is it possible to monitor CLI login attempts through syslog?
I've found only these messages in the catalog:
10006 | INFO | Administrator Authentication and Authorization | AAC | Administrator authentication failed
33103 | INFO | Internal Operations Diagnostics | CLI | User login to ACS configuration mode failed
51000 | NOTICE | Administrative and Operational Audit | Administrator-Login | Administrator authentication failed
Sorry for my poor English.
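As an added example (not from the original post, and not Cisco's code), the following Python sketches the syslog-side check the question is after: it picks out the three catalogue codes quoted above from a batch of collected syslog lines, counts failures per administrator, source address or ACS host, and lists deployment members that sent nothing at all. The record layout, the sample lines and the attribute names (AdminName, RemoteAddress) are assumptions constructed for the example; a real ACS syslog record carries more fields.

```python
import re
from collections import Counter

# Message codes quoted from the ACS message catalogue in the post above.
FAILED_LOGIN_CODES = {
    10006: "Administrator authentication failed (AAC)",
    33103: "User login to ACS configuration mode failed (CLI)",
    51000: "Administrator authentication failed (Administrator-Login)",
}

# Assumed, simplified record layout (a real ACS syslog record carries more
# fields); what matters here is that the catalogue code is its own field:
#   <host> <category> <code> <severity> <class>: <text>, key=value, ...
LINE_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<category>\S+)\s+(?P<code>\d+)\s+(?P<severity>\w+)\s+"
    r"(?P<cls>[\w-]+):\s*(?P<text>[^,]*)(?P<attrs>(?:,\s*[\w.-]+=[^,]*)*)$"
)

# Constructed sample lines for one alert window: hosts, names and addresses are
# made up, and code 99999 is a placeholder for a message that is not a failure.
SAMPLE_LINES = [
    "acs-primary CSCOacs_Administrative_and_Operational_Audit 51000 NOTICE Administrator-Login: "
    "Administrator authentication failed, AdminName=acsadmin, RemoteAddress=10.0.0.5",
] * 3 + [
    "acs-primary CSCOacs_Internal_Operations_Diagnostics 33103 INFO CLI: "
    "User login to ACS configuration mode failed, AdminName=admin, RemoteAddress=10.0.0.9",
    "acs-secondary-1 CSCOacs_Administrator_Authentication_and_Authorization 10006 INFO AAC: "
    "Administrator authentication failed, AdminName=acsadmin, RemoteAddress=10.0.0.5",
    "acs-primary CSCOacs_Administrative_and_Operational_Audit 99999 NOTICE Administrator-Login: "
    "Administrator authentication succeeded, AdminName=acsadmin, RemoteAddress=10.0.0.7",
    "this line does not follow the layout and is skipped by the parser",
]

def parse_line(line):
    """Return the fields of one syslog line, or None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    attrs = {}
    for kv in m.group("attrs").split(","):
        if "=" in kv:
            key, value = kv.split("=", 1)
            attrs[key.strip()] = value.strip()
    return {
        "host": m.group("host"),
        "code": int(m.group("code")),
        "severity": m.group("severity"),
        "text": m.group("text").strip(),
        "attrs": attrs,
    }

def failed_logins(lines):
    """Select failed GUI and CLI admin logins by catalogue code. Two of the three
    codes are logged at INFO, so a filter on syslog severity alone would miss them."""
    records = (parse_line(line) for line in lines)
    return [r for r in records if r is not None and r["code"] in FAILED_LOGIN_CODES]

def count_failures(lines, field):
    """Count failed logins by a record field ("host") or by a key=value attribute
    such as "AdminName" or "RemoteAddress"."""
    counts = Counter()
    for rec in failed_logins(lines):
        counts[rec.get(field) or rec["attrs"].get(field, "unknown")] += 1
    return counts

def over_threshold(lines, field, limit):
    """Values of `field` whose failed-login count reached `limit` in the window."""
    return {k: n for k, n in count_failures(lines, field).items() if n >= limit}

def silent_hosts(lines, expected_hosts):
    """Deployment members that sent nothing at all in the window, which is how the
    secondary servers described in the post would show up at the syslog server."""
    seen = {r["host"] for r in map(parse_line, lines) if r is not None}
    return sorted(h for h in expected_hosts if h not in seen)
```

Feeding `silent_hosts` the full list of deployment members turns the "secondaries never reached the syslog server" problem in the post into an alert of its own, rather than something noticed by accident.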

Similar Messages

  • Using Cisco ACS for Solaris login authentication

    Hi all
    I am planning to authenticate ssh logins to Solaris 8/9 systems using PAM and radius (while radius is considered the primary solution, tacacs+ could be used, too). The radius/tacacs+ server is provided by a Cisco ACS.
    Can anybody out there confirm that the combination "Solaris & PAM & radius/tacacs+ & Cisco ACS" is correctly doing this authentication stuff? Is there anything to specially consider?
    Thanks, David

    Hard to comment with any certainty, but provided the client implementation of RADIUS is sound AND the authentication protocol is one that ACS supports, e.g. PAP, CHAP, MSCHAP, LEAP, EAP (PEAP/FAST/TLS/GTC/MSCHAP), then it should be fine.

  • ACS Command line login..

    Hi
    I have a superadmin account in ACS.
    With this account I am able to log in to the GUI but not to CLI mode.
    What could be the problem?

    Hello Tony,
    The ACS GUI Administrator accounts and CLI Administrator accounts are different. You cannot log in to the CLI with GUI accounts.
    You need to use CLI created accounts to access the ACS command line. You should have created one when first installing the ACS 5.x.
    If this was helpful please rate.

  • Customer login session tracking questions

    Hi,
    I work for a research support group at a university. We have a mixed platform environment. The nature of the services we provide requires that we bill for time spent on our compute devices.
    There are a couple of questions in this posting. The fundamental one though is -- for 10.4 and higher Macs running on Intel and non-Intel hardware what is the "best" solution to track login sessions for our customers? A session has to include the concepts of logging in and out from the console or remote (ssh) access to the machine(s).
    I am interested in Apple native and third party or open source solutions. I need to track/log that customer-X logged in to machine-M at dateTime-T and logged out at dateTime-T'. I also need to know if the machine was (re)booted or had some other action occur that would impact a customer login session.
    So the main question is, are there existing customer session tracking solutions?
    I have an existing home grown (non-Intel) solution that works well on non-Intel macs and other *nix boxes. It is a daemon that reads accumulated, rotated wtmp files and then "hangs" on the current wtmp file waiting for and processing session records as they arrive.
    This worked like a champ until we installed our first Intel Mac. I re-compiled the C code that uses the utmp.h include files and structs to get at the info but it silently fails. I received some advice on changing my makefile and am currently using:
    # Mac OS
    CC = gcc -Wall -g
    CFLAGS = -I/usr/include/mysql -isysroot \
        /Developer/SDKs/MacOSX10.4u.sdk -arch ppc -arch i386 \
        -framework CoreServices
    LDFLAGS = -L/usr/lib/mysql -lmysqlclient -lz \
        -Wl,-syslibroot,/Developer/SDKs/MacOSX10.4u.sdk \
        -arch ppc -arch i386
    PLATFORM = osx
    # recipe lines below must start with a tab character, not spaces
    wtmp_parser: wtmp_parser.c
    	${CC} ${CFLAGS} -o $@ $? ${LDFLAGS}
    	/bin/mv $@ $@.${PLATFORM}
    Again, this compiles without error but silently fails. I don't know anything about compiling on any Macs, much less these new ones. Ideas are greatly appreciated.
    Lastly, I have started reworking the whole setup and may move it all to perl. Here I can read the wtmp files easily using unpack() even on the Intel Macs. I can daemonize the thing but I'm stumbling a bit on one issue.
    I have noticed in the past that there can be a sort of race condition during the wtmp rotation on some machines where the active wtmp gets rotated but the old logging still writes one or two records to the rotated file before switching to the new one. I was starting to look into a programmatic solution for this when I looked at the rotated wtmp files on this one machine and I see file dates of:
    Dec 5 15:29 wtmp
    Oct 1 01:47 wtmp.0.gz
    Aug 29 16:05 wtmp.1.gz
    Aug 1 05:29 wtmp.2.gz
    Jul 31 18:26 wtmp.3.gz
    May 31 2007 wtmp.4.gz
    Okee... I know there is a /etc/monthly script that should be doing the rotation but it looks like it is not doing what I expect. It seems that it is not rotating all the existing files correctly. Ideas?

    I am done. Sorry for bothering

  • I have lost the ability to log into Find My iPhone using my daughter's iTunes login to track her while she's driving

    I have lost the ability to track my daughter's phone using her login for Find My iPhone since updat

    Does she have her own iCloud account? You can have more than one iCloud account installed on a device, and some users install a secondary iCloud account which is common to others in the family to allow "Find My iPhone" to be used from one account while keeping separate iCloud contacts, mail, etc.
    But with iOS 7, although you can still have multiple iCloud accounts installed, only the "primary" iCloud account supports "Find My iPhone". So if her iCloud account is the primary, you can no longer track her from your iCloud account. Is that what happened in your case?

  • Login modification Tracking

    Hi,
    In my environment one application user had Read access in a database, but all of a sudden the access was revoked. I don't know how it happened. Other than me no one has Admin access on the server. Is there any way to track when the change happened?

    -- Try this code....
    DECLARE @FileName VARCHAR(MAX);

    -- Locate the default trace file (Log.trc in the directory of the current trace file)
    SELECT @FileName = SUBSTRING(path, 0, LEN(path) - CHARINDEX('\', REVERSE(path)) + 1) + '\Log.trc'
    FROM sys.traces
    WHERE is_default = 1;

    SELECT
         o.name,
         o.OBJECT_ID,
         o.create_date,
         gt.NTUserName,
         gt.HostName,
         gt.SPID,
         gt.DatabaseName,
         gt.TextData
    FROM sys.fn_trace_gettable(@FileName, DEFAULT) AS gt
    JOIN tempdb.sys.objects AS o
         ON gt.ObjectID = o.OBJECT_ID
    WHERE gt.DatabaseID = 2
      AND gt.EventClass = 46 -- Object:Created event (see sys.trace_events)
      AND o.create_date >= DATEADD(ms, -100, gt.StartTime)
      AND o.create_date <= DATEADD(ms, 100, gt.StartTime);
    Raju Rasagounder Sr MSSQL DBA

  • Cisco Secure ACS 5.4/Monitoring and Report Viewer - SNMP Settings

    Hello Everyone.
    I hope this is the right forum for my question.
    We just purchased 8 1121 ACS 5.4 appliances. I have some familiarity with the older 1113 and 1120 appliances running ACS 4.2. So I have a lot to learn.
    Right now I'm trying to understand the Monitoring and Report Viewer System Configuration. I set the SNMP V2 read comm. string to the same string I configured from the CLI.
    etc-labacsb1-1/admin# show runn | inc snmp
    snmp-server contact "ACS1121;XXXXX"
    snmp-server location "B1 Lab"
    snmp-server community XXXXXX ro
    1) It was not the same string as configured on the CLI. Does setting this give me access to query more than system type or server type MIB objects?
    2) Can you provide an example? (for example to query a switch -  snmpwalk -v 1 -c XXXXXX hostname 1.3.6.1.4.1.9.9.43)
    3) What is the MIB object tree OID (1.3.6.1.4.1.9.???) for these ACS appliances?
    Thanks in advance.
    Ray Westphal
    EHI

    That's correct. Here is what we have in ACS 5.4 for SNMP.
    ACS 5.4 supports Simple Network Management Protocol (SNMP) to provide logging services. The SNMP agent provides read-only SNMPv1 and SNMPv2c support. The supported MIBs include:
    • SNMPv2-MIB
    • RFC1213-MIB (MIB II)
    • IF-MIB
    • IP-MIB
    • TCP-MIB
    • UDP-MIB
    • CISCO-CDP-MIB
    • ENTITY-MIB
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/device_support/sdt54.html#wp71020
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Accounting on ACS 3.3, doesn't seem to be working.

    Hi Guys,
    I have the following 6 lines configured on our Cisco gear: switches, routers & ASA.
    However our ACS 3.3 does not seem to be capturing the commands used by CLI users.
    aaa authentication login default group tacacs+ local
    aaa authentication login VTYLogin group tacacs+ local
    aaa authentication login CONLogin group tacacs+ local
    aaa authentication enable default enable
    aaa authorization exec default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    These 13 lines of configuration I have on our ASA 8.2
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host x.x.x.19
     timeout 30
     key cxxxxxxxr
    aaa-server RADIUS (inside) host x.x.x.20
     key cxxxxxxxr
    aaa-server SDI protocol sdi
    aaa-server SDI (inside) host x.x.x.64
    aaa authentication ssh console RADIUS LOCAL
    aaa authentication http console RADIUS
    aaa authentication telnet console RADIUS LOCAL
    aaa authentication secure-http-client
    These 15 lines of configuration, I have used before at other organisation that I have worked at.
    aaa authentication login default line
    aaa authentication login VTYLogin group tacacs+ line
    aaa authentication login CONLogin group tacacs+ line
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 0 default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 4 default group tacacs+
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    Your input is highly appreciated and rated.

    Hi Javier,
    Thank you very much for taking the time to reply to my post.
    I tried both lines below as well, and I still don't see any used commands being recorded on the ACS server.
    aaa authorization commands 15 default group tacacs+ if-authenticated 
    aaa accounting commands 15 default start-stop group tacacs+
    To be more precise, I copied all the lines below as well and the switch accepted them without any issue, and yet I don't see used commands being recorded in the ACS.
    aaa authentication login default line
    aaa authentication login VTYLogin group tacacs+ line
    aaa authentication login CONLogin group tacacs+ line
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 0 default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 4 default group tacacs+
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    Thanks
    Rizwan Rafeek.

  • Acs admin via external database?(MS AD)

    Is it possible, and if so, where would I go about doing it, to set ACS up so that it pulls from AD for ACS admins? For example, I create an AD group called ACSADMIN, and therefore everyone in that group has ACS admin rights.

    Hi Tuyen,
    The feature you're looking for has been introduced in ACS 5.4. You may go through the below listed link:
    Check Release notes of ACS 5.4 under System Administration Enhancements
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html#wp71092
    If you've ACS 5.4 running in your setup and you'd like to configure this feature, please refer the below listed link:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/admin_admin.html#wp1089044
    Summary of steps you need to perform:
    1. Define ACS as an AAA/TACACS+ client in ACS
    2. Log in to the ACS CLI through an SSH or console session and execute the command
       - aaa authentication tacacs+ server key
    3. Go to System Administration || Administrative Access Control || Identity || Select AD as the Identity source.
    4. Click on Authorization || create a new rule || select the username from AD that you want to log in with || select the role that you want to assign to the user. You may first create a user with the super-admin role.
    5. Save the changes, log out and log in again with the AD account.
    NOTE: If you're not comfortable with the above changes, you may open a TAC case.
    Hope it helps.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Customizing the Monitoring and Report Viewer - ACS 5.2

    Is there a way to modify the columns shown in the monitoring and reporting viewer so that I can see all of the relevant columns in one screen, similar to the ACS 4.x view?  I would like to view things at a glance, rather than having to click into each item.  Thank you for your help in advance.


  • ACS 4.2 (Trial) User Group Restrictions?

    I'm currently in the process of migrating from Microsoft IAS to Cisco ACS 4.2. I'm running an Eval of CSACS v4.2 for Windows in a Lab so I can work out the issues.
    So far I've been fairly successful getting user accounts authenticated with active directory credentials using the "Windows Database" as my external user database. The only problem I've run into is that I can't seem to figure out how to restrict access to Active Directory group membership.
    For instance, in the lab I have a Cisco 3750 switch that is using ACS to control login access. But given my current ACS configuration everyone in the windows domain can login to the switch. How can I restrict that down to just the Network Operations group in Active Directory?

    Yogesh:
    To move existing users from one group to another you can:
    - go manually to each user and change its group membership. OR:
    - Use RDBMS synchronization where you can fill a CSV file with the actions that you want (change group membership in your case) and import that to the ACS.
    For RDBMS sync you can read the user guide:
    http://tiny.cc/n13b1w
    This config example may also be useful about how to import the csv file:
    http://tiny.cc/533b1w
    I suggest that you read the guide and come back to ask here if you have any concern.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Different Source Address for a SNMP trap paquet

    We use a common platform to manage the Cisco routers of several customers. We manage the devices with a loopback address as the source of SNMP packets.
    We use something like this ...
    Router(config)#snmp-server host 172.25.1.1 ORATRAP
    Router(config)#snmp-server trap-source loopback0
    Router(config)#end
    Now, there are some customers that request us to receive the SNMP traps with an IP source from their own IP space (192.168.2.x/24). I cannot imagine how this can be achieved... Any idea? Thanks. Eduard.

    Thanks for your help. This is an important matter to us. We are also working on the idea of an SNMP trap collector close to our own NMC... but this may also cost money. So, we are going to try another approach first.
    Somewhat like this below....
    snmp-server enable traps
    snmp-server informs
    snmp-server source-interface traps
    snmp-server source-interface informs
    snmp-server host traps version 1 community string publicCust
    snmp-server host informs version 2 community string publicBT
    For the gets, every NMC sends to the declared IP, so we think it will use the same IP in the answer.
    I will let you know. Eduard.

  • ACS Unknown User Discovery

    All,
    Can ACS send an event/snmp trap when it discovers unknown users?
    How will ACS administrators get notified when ACS discovers unknown users?
    Stephanie

    Hi Stephanie,
    Unfortunately there is no way to do this; ACS uses SNMP only for logging.
    ACS does not have this kind of alert. I would suggest contacting your account manager and opening a new feature request.
    Regards,

  • How we can do SWAP VIP with multiple ACS configuration?

    Hi,
    We are using Azure ACS in our application, and we have used a customized ACS page as the login form. Whenever we deploy it to staging, the settings available in the customized ACS page work fine, but when we swap it to production the web config and login page settings do not change. How can we change them, or is there another way to implement ACS?
    Thanks & Regards
    Sachin Jain

    After implementing the approach defined in
    http://www.cloudidentity.com/blog/2011/05/31/EDIT-AND-APPLY-NEW-WIF-S-CONFIG-SETTINGS-IN-YOUR-WINDOWS-AZURE-WEBROLE-WITHOUT-REDEPLOYING/, I was unable to modify the web config. Maybe I missed some part or Azure is not allowing it. So I modified it a little bit and it worked with the following steps:
    Step1) Here I am assuming that you have created a staging environment in the Azure portal and also configured it in Azure ACS. I have used the Azure ACS customized login page and ASP.NET MVC forms authentication. First we will modify our code to read the settings from the service configuration file, and we will add the staging GUID URL and the actual production URL into the web config, under the Audience URI section. Finally it will be uploaded to the Azure portal into the staging environment. In the Azure management portal, we will change the login URL setting from the configuration tab and save it. Finally we will swap both environments. While browsing the application during the VIP swap you might get a cryptographic exception, which you also need to handle.
    Step2) Whenever you download the customized login page from the ACS portal you will find a script tag as shown below:
    <script src="https://xxxxxxx.accesscontrol.windows.net:443/v2/metadata/IdentityProviders.js?protocol=wsfederation&amp;realm=http%3a%2f%2f127.0.0.1%3a81%2f&amp;reply_to=http%3a%2f%2f127.0.0.1%3a81%2f&amp;context=&amp;request_id=&amp;version=1.0&amp;callback=ShowSigninPage" type="text/javascript"></script>
    Step3) Now replace the above code with the following code snippet and here we are trying to pick the login url from service configuration file:
    <script src="@ViewBag.LoginURL" type="text/javascript"></script>
    Step4) Now go to your controller and try to read the login url settings from service configuration file as shown below:
    // the setting name must match the <Setting name="..."> in the service definition exactly
    ViewBag.LoginURL = RoleEnvironment.GetConfigurationSettingValue("LoginUrl");
    Step5) Now open the service definition file and add setting for LoginUrl under configurationSettings tag as shown below:
    <ConfigurationSettings>
    <Setting name="LoginUrl" />
    </ConfigurationSettings>
    Step6) Open the Service configuration file and add the value for login url as shown below:
    <ConfigurationSettings>
    <Setting name="LoginUrl" value="https://xxxxxx.accesscontrol.windows.net:443/v2/metadata/IdentityProviders.js?protocol=wsfederation&amp;realm=http%3a%2f%2fStaginGUID.cloudapp.net%3a81%2f&amp;reply_to=http%3a%2f%2fStaginGUID.cloudapp.net%3a81%2f&amp;context=&amp;request_id=&amp;version=1.0&amp;callback=ShowSigninPage" />
    </ConfigurationSettings>
    Step7) You can get the Login URL value from the Azure ACS Integration tab, which provides the above URL. While copying the URL replace & with "&amp;", otherwise you will get a build error.
    Step8) Now add the staging Guid Url and actual production url in web config file under <AudienceURI> section as shown below:
    <audienceUris>
    <add value="http://Production.cloudapp.net/" />
    <add value="http://StagingGUID.cloudapp.net/" />
    </audienceUris>
    Step9) Publish the application to staging environment and test it. After testing go to configuration tab in azure portal and change the login url with the production URL. (Do not modify the URL or do not change & with &amp;)
    <script src="https://xxxxxxx.accesscontrol.windows.net:443/v2/metadata/IdentityProviders.js?protocol=wsfederation&amp;realm=http%3a%2f%2fProduction.cloudapp.net%2f&amp;reply_to=http%3a%2f%2fProduction.cloudapp.net%2f&amp;context=&amp;request_id=&amp;version=1.0&amp;callback=ShowSigninPage" type="text/javascript"></script>
    Step10) Save the changes and swap the environment. Now if you get a cryptographic exception then you should handle it.
    • Either change the machine key and explicitly define it in the web config.
    • Catch the exception and log the user out of the application (not out of Windows Live ID), so that the user is forced onto the new version of the application, by using the following code in the Global.asax file:
    // Needs using System.Security.Cryptography; and the WIF namespace
    // (Microsoft.IdentityModel.Web for WIF 1.0, System.IdentityModel.Services for .NET 4.5)
    protected void Application_Error(object sender, EventArgs e)
    {
        var error = Server.GetLastError();
        var cryptoEx = error as CryptographicException;
        if (cryptoEx != null)
        {
            // Sign out of the application only, so the user re-authenticates against the new version
            FederatedAuthentication.WSFederationAuthenticationModule.SignOut();
            Server.ClearError();
        }
    }

  • ACS - Invalid Administration Connection

    I'm having a problem logging on to my ACS gui, I get the message above. No changes have been made to my system or the ACS since it was working last week. It's not that I am coming from an invalid IP address, as we have not set this to filter by IP. Nor is it that we use a proxy server.
    I have tried other browsers but that also doesn't work.
    Any ideas?

    For this issue on 5.1, I suggest you try the following commands from the CLI to see if they help:
    acs-config (then log in with the ACS administrator username and password)
    access-setting accept-all     /// opens up all IPs for web access
    If this still doesn't work you can also try the following command:
    reset-management-interface-certificate
    BTW, before you saw this problem did you make any changes to the access settings (System Administration > ... > Administrators > Settings > Access) or to the server certificate assigned for management access?
