ACS 5.2 appliance cli access

Hi~
Could you please tell me how I can set up user access to the CLI (shell) on the ACS appliance by means of the web GUI? The point is that I have ACSAdmin as well as other administrator-role users, but can't get access to the appliance through SSH (Permission denied (publickey,password,keyboard-interactive).). I need to troubleshoot RADIUS requests from my APC Network Management Cards by means of some sort of tcpdump, because I don't get any logs in ACS from the APC cards.

then either you need to enable more detailed logging on the ACS appliance
How can I do this?
or the RADIUS requests from the APC cards aren't reaching the ACS appliance
This is what I'm trying to find out.
Are there any firewalls, etc between the two devices that might be blocking RADIUS packets?
No man, there is clear IP connectivity between them, but the problem is that I can't troubleshoot RADIUS requests/replies on this part of the transmission, neither from the APC side nor from ACS. I checked all possible log records in the "Monitoring and Reports" tab, but didn't find any request from the APC devices.
Also, any configuration examples for RADIUS authentication of APC (APC9630) devices by ACS 5.2 would be appreciated. I have followed this howto to configure the VSA and apply the policy, but it still doesn't work. I just want to verify whether the RADIUS requests reach ACS or not.
Thank you.

Similar Messages

  • EAP-TLS + CA MICROSOFT + ACS 3.2 APPLIANCE = Problem

    I have a wireless LAN platform composed of Cisco 1100 access points with ACS 3.1 and a Microsoft CA. The security scheme is EAP-TLS (certificates). This architecture was completely functional. The problem took place when replacing the ACS 3.1 with the ACS 3.2 appliance, for which new certificates were issued by the CA of the infrastructure. The problem appears when a wireless client tries to connect to the wireless network: it fails to connect and stays in a "trying to authenticate" state in the network adapters, and in addition the ACS logs show the following message: "NAS duplicated authentication attempt".
    If somebody knows the reason for this problem, please contact me by mail ([email protected]).

    A hint I could give you is that in such a scenario you need a trusted boundary between the ACS appliance and the MS AD/PDC. This will be realized through a PC/host that is a registered member or user of the AD/PDC. This relay computer then communicates with the MS CA. The software that Cisco provides is the Cisco Secure ACS Agent. Hope this helps, as we found the same problem in LEAP authentication, since the ACS appliance could not be joined to an AD/PDC domain. This has to be realized through this small piece of software installed on a PC/host etc. which is an active AD/PDC member.

  • What does acs 4.1 appliance join a domain????

    Hi all!
    This is my first time working with ACS 4.1, and I have a problem: how does an ACS 4.1 appliance join a domain?
    My lab with ACS 4.1 on Windows Server 2003 is OK, but when working with the ACS 4.1 appliance, I don't know how to join this appliance to the domain, so I can't use the Windows database.
    I want to set up the Windows database but have not been successful.
    Please help me !!!!!!!
    thanks very much

    Hi,
    Use ACS appliance remote agent:
    ACS SE remote agent installation guide:
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csapp41/rase41/index.htm
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/3.3/installation/guide/remote_agent/ra.html
    ACS SE RA:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/LgsRpts.html#wp638135

  • Unable to register a secondary ACS 5.2 appliance

    Hello,
    I have installed 2 ACS 5.2 appliances, and the two appear as Primary. When I try to register one of them with the other one using "System Administrator -> Local Operation -> Deployment Operations" I get the following message:
    This System Failure occurred:  Unable to authenticate with node.. Your changes have not been saved.Click OK to return to the list page.
    I have tried with both "ACSAdmin" and "admin" users with their respective passwords.
    Am I doing anything wrong?
    Is there any LOG I can check to troubleshoot this?
    Thanks a lot!!!
    Regards,
    Julio

    I finally found the problem. I was using the admin user (super user privileges). I created another user with all permissions and it worked.
    Thanks a lot.

  • ACS v4.0 - Appliance vs. Server

    With the appliance coming into line with the server version of the ACS, what are the advantages of one over the other? I know the advantage to the engine is security hardened device. This doesn't matter to me. I want to know the advantages you have found and or the bugs you've found in one or the other.

    I would 2nd that... and I used to work in ACS dev.
    Appliances are great for simple things. ACS is primarily application software with a complicated set of interfaces that were not designed with appliancing in mind.
    When (if?) Cisco ever get around to re-architecting ACS then it may be different story.

  • Cisco WAP121 CLI access

    Hello everyone,
    does anyone know if the WAP 121 offers CLI access or is it GUI only?  I seem to remember HATING the 500 series switches that only gave GUI access.
    Thanks in advance.  All replies rated.                  

    You need to move the thread to small business forum.
    Sent from Cisco Technical Support iPad App

  • Change IP Address ACS 4.2 Appliance

    Hello,
    I have an ACS 4.2 Appliance integrated with AD and CA in Windows 2K3, both of them working OK, and Remote Agent, but we want to change the IP address of the ACS 4.2 Appliance. What is the procedure to do this? Do I have to install the certificate again? I know that the certificate depends on the hostname and IP address.
    Thank You
    Álvaro

    Hi Alvaro,
    Best to use the serial console of the ACS Appliance, type set ip, and follow the procedure to change the IP address:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/solution_engine/admap.html
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post

  • Is it possible? two ACS 4.2 Appliance with the same remote agent

    Hello,
    I have an ACS 4.2 Appliance integrated with Active Directory, CA and Remote Agent. I want to aggregate another ACS 4.2 Appliance with the same configuration, the same Active Directory and CA. My question is: can I configure the other ACS with the same Remote Agent as the first? In other words ...
    I attach the diagram.
    Thank you

    Hi,
    Maximum number of appliances supported—While a single Cisco Secure ACS Remote Agent can provide services to many Cisco Secure ACS Appliances, support is limited to five concurrent connections by the appliances served. For example, if you have three appliances that are primary Cisco Secure ACSes and three appliances that are secondary Cisco Secure ACSes used for failover purposes only, the remote agent can provide services to all six appliances and stay below the maximum of five concurrent connections.
    http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_installation_and_configuration_guide_chapter09186a0080193aa1.html
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post

  • ACS 4.2 appliance external database configuration with AD

    Dear All,
    How do I configure an external database in an ACS 4.2 appliance for Windows Active Directory? Active Directory is configured in Windows 2012. The ACS internal database is working fine without interruption. What configuration is required to configure the external database (Active Directory)? It would be highly appreciated if you share your experience with me.
    Thanks,
    AS

    Please check
    Supported Interoperable Devices and Software Tables for Cisco Secure ACS Release 4.2
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4-2/device/guide/sdt42.html

  • ACS 4.1 Appliance

    I can't ping my ACS, but I can access it through the web browser. This prevents me from setting up a connection between the appliance and my FTP server for backups. When I console to the device and attempt to do backups manually, I get an error message saying that it could not establish a connection with the FTP server. I can ping any device on my network from the appliance but not the other way. Any suggestions on how to do backups for the appliance?

    I can access my appliance both through the web browser and the CLI. The only thing I'm having a problem with is the connection between the appliance and my FTP server: it keeps giving me an error about not being able to resolve an IP or hostname. I've specified a DNS server on the device, and when I'm on the CLI I can ping devices using both their hostnames and IPs. When I do backups from the CLI they go to the CSUtils folder in Program Files, and I can't even access this folder on the appliance.

  • ACS/ASA authentication for vpn access vs. console management access

    I have an ACS 4.2 Server and an ASA 5540. I have setup AnyConnect SSL VPN on the ASA and want to authenticate users using AAA tacacs+ authentication with the ACS and an external Windows AD database. I have done this successfully. I also want to use the ACS for authenticating SSH management sessions into the ASA. I have setup a group in AD and on the ACS called VPNUSERS and NETADMINS. The problem is, I want the VPN users to ONLY be able to authenticate for VPN but not have access to logging into the ASA CLI or ASDM. The NETADMINS should be able to do both. The question I have is how do I setup the VPNUSER group in ACS to have access to connect to the ASA for VPN but not for the management console? It seems that if they can authenticate for vpn, they can also ssh the firewall which is what I want to prevent.

    Try using Network Access Restrictions (NAR), where you can restrict administrative access on a per-device or NDG basis.
    By default, user accounts from an external database such as AD in ACS will get authenticated through telnet on a network device or AAA client, which can be restricted by enabling NAR in ACS.
    In your case it should be VPNUSERS group in ACS.
    HTH
    Ahmed

  • ACS v5 best practice w/ access policies.

    Hello, I am in the process of deploying an ACS v5 appliance with 2 network devices talking through it to MS Active Directory via LDAP. It works great but I have a design question.
    Our current access policy has one AD group match, one AD attribute match, and network device type is valid. If those 3 items match then permit access. Pretty simple. But my question is specific to the network device type. Is it best practice to have one large access policy with different network device types OR have one access policy per device type?
    For example, let's say I have a 3000 series Concentrator and a 5500 series ASA, and logging into the network via these devices I have the same IT support person and I am pulling the AD attribute msdialin=TRUE.
    One Access Policy
    1: IT Support memberOf=VPN User Allow Dial in=True Network Device=VPN 3000
    2: IT Support memberOf=VPN User Allow Dial in=True Network Device=ASA 5500
    Or have two Access Policies, one dedicated to each device type?
    Access Services
    >VPN 3000
    >Authorization
    1: IT Support memberOf=VPN User Allow Dial in=True
    Access Services
    >ASA 5500
    >Authorization
    1: IT Support memberOf=VPN User Allow Dial in=True
    Just not sure which way to go. Any help is greatly appreciated.
    e-

  • UCCX 8 CLI access to scripts and prompts

    Anyone know of a way to control (download, delete or view) scripts and prompts via CLI?

    Hi,
    I am not aware of any such CLI command on the UCCX 8 platform, but you can get read only access to the prompts using HTTP, with this URL: http://ipAddress:9080/Prompts/folder/file.wav
    You cannot just browse the prompts, you need to reference them by the file name. Otherwise you'll get a HTTP 404 error.
    G.

  • Passed Authentication Logs on ACS 4113 SE appliance

    I need to get a copy of all Passed Authentication logs from our appliance. Is there a way that I can ftp all those files to another device? Or is there another way that I can retrieve those files?
    Thanks
    Dwane

    Dwane,
    Yes, you can send logs to another system on the network using remote agent.
    Remote Logging for ACS SE with ACS Remote Agents
    The Remote Logging feature enables ACS to send data to one or more ACS Remote Agents. The remote agent runs on a computer on your network. It writes the data that ACS sends to it into CSV files. You can configure many ACS Solution Engines to point to a single remote agent, thus making the computer that runs the remote agent a central logging server.
    For more information about installing and configuring an ACS Remote Agent, see Installation and Configuration Guide for Cisco Secure ACS Remote Agents Release 4.1
    Regards,
    ~JG
    Do rate helpful posts

  • ACS 4.2 Appliance integration with LDAP

    Hi,
    I would like to ask some question from the expert here.
    1. I'm building 802.1x infra for my customer.
    2. We are using ACS SE version 4.2
    3. We have successfully integrated the ACS with AD using Remote Agent.
    4. Users will authenticate using PEAP MS-CHAP v2.
    5. However, my customer doesn't want to use Remote Agent (RA) because they want the ACS to talk to the external database directly.
    6. Their argument is, if they bought another RADIUS appliance for this project, the appliance should have the same function in order to authenticate the user.
    7. What are needed to complete this requirement?
    I saw in this table http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp857274 that LDAP does not support PEAP MS-CHAP v2.
    Can any expert give opinion on this issue?

    Despite various efforts a few years back, LDAP vendors could not be persuaded to implement an MSCHAP interface - which is technically possible.
    That said ACS also has its Windows External Authenticator that will do MSCHAP just fine to a Windows AD Server (via a different interface).
    The old LEAP protocol was MSCHAP inside EAP. EAP-FAST can do MSCHAP too.
    The key is to not use the LDAP authenticator in ACS. If you really must use it, you'll have to make sure you use EAP-GTC inside your PEAP/FAST tunnel.
