ACS 5.3 Config
While applying the ACS 5.3 config on Cisco switches, due to a partial config the username and password are not working.
Kindly guide how to recover the password; even after a reboot we are not able to get access to the device, and the ACS login is also not working.
I assume you have a username/password set up on the router; if so, make the ACS inaccessible, then by default you use the username on the router. If no username is set up on the router then you will have to use the console connection.
Similar Messages
-
ACS 3.3 Config Command Authorization
Hi,
I want to allow a user only to add/remove routes on a router. The shell command authorization works fine. But when the user is in config mode, he can start any command!
The debug says:
1w2d: AAA/AUTHOR: config command authorization not enabled
How can I enable this and how/where can I configure it on the ACS?
Thanks in advance
On ACS just allow the user to enter the "route" command like any other shell command they're allowed to do.
On the router/NAS, you have to tell it specifically that you want authorization for config commands with the following:
aaa authorization config-commands
Note that the format of this command changes slightly on different IOS versions, but if you do "aaa authorization ?" you'll be able to figure it out. -
ACS : external database config. (AD)
Hello,
I installed the last version of Cisco ACS 4.0 and I have a problem with the "Windows database configuration". I want to authenticate users on an active directory, but when I want to configure it I have an error message:
"An error has occured while processing the Authen DLL
Default Group Page because of an internal error ..."
I tried to find why I have this error but until now I have nothing that can help me to solve this issue.
Who can help me?
Thanks in advance for any help.
Rui
The dll should be logging an error message into the CSAdmin service log
CSAdmin/Logs/admn.log
Sounds like something is broken - this will need TAC + escalated support I suspect.
Darran -
Hi,
I'm trying to migrate VPNs from ACS to ISE but I cannot quite get used to the ISE.
Below is a picture of my authentication rule I'd like to replicate on ISE, but so far I have had no joy. Any pointers would be greatly received.
If the network source IP is trusted, Rule 1 is hit and the ISS is just use AD
If the network source IP is untrusted, Rule 2 is hit and the ISS is just use OTP then AD
I'm not 100% on the authorisation aspect either.
I think I want something along the lines of AD:Group/x/x/x/x and TunnelGroup xxx = Permit/Apply ACL, else Deny
I can pass authentication from the ASA to ISE; one thing I have noticed in the AAA report is that in the AV pairs the tunnel group name is not listed.
Many thanks in advance
S
Hi
FYI
Cisco Secure ACS and Cisco ISE exist on different hardware platforms and have different operating systems, databases, and information models. Therefore, you cannot perform a standard upgrade from Cisco Secure ACS to Cisco ISE. Instead, the Cisco Secure ACS to Cisco ISE Migration Tool reads data from Cisco Secure ACS and creates corresponding data in Cisco ISE.
For migrating the policies and all other information, please visit the following link, particularly chapters 3, 4 and 5:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/migration_guide/ise_migration_guide/ise_mig_preface.html -
ACS primary/ secondary config
we have 4 ACS in the system:
+) In HQ, we have 2 ACS: 1 primary and 1 secondary ACS
+) In Branch office, we have 2 secondary ACS
Suppose the primary fails; could one of the secondary ACSs automatically become primary so all the other ACSs can continue to replicate from that one?
If not, when the primary fails, do we have to go to each secondary and deregister, and after that choose one of the 3 ACSs as primary and register to that one?
Thanks
Duyen.
Hey Duyen,
So you only care about replication, right?
Unfortunately, if the primary fails in replication there is no way for any secondary to take the role of primary and replicate to others (this is in ACS 4.x only; I don't know about 5.x).
So what you need to do is just what you mentioned: go to each ACS server, configure one of the secondaries as primary and configure the others to replicate from this new primary one.
Regards,
Amjad -
Hi,
I have a client who has a mostly Nortel network and who requires a RADIUS and TACACS+ authentication system that works with Nortel and Cisco equipment to authenticate administrative logins.
Does anyone know if an ACS appliance or the Windows version 4.2 will be able to provide RADIUS/TACACS+ to both Cisco and Nortel equipment without any major configuration work?
Thanks very much for your help.
Darrel
On the ACS server, we have Radius [Nortel] attributes.
You have to configure the Nortel switches as AAA clients on the ACS server. The configuration should be:
On ACS server > Network Config > under AAA client :
- AAA client name = Switch
- AAA client IP address = IP address of switch
- Shared secret key = secret key on switch
- Authentication Protocol = Radius[Nortel]
Then you need to enable the Nortel attributes:
ACS ---> Interface configuration ---> Nortel. Enable the attributes you need.
Now in the group you need to check these attributes.
Regards.
~JG
Do rate helpful posts -
Command Authorization on PIX 6.3 and ACS v3.3
Hi,
I am researching how to enable command authorization on a PIX firewall, software v6.3, through an ACS v3.3.
I only have a production unit, so I am very cautious about doing test configuration on the firewall. I might get locked up and kicked in the butt. =)
Inputs on the step-by-step configuration of ACS and pix would be greatly appreciated.
Thanks in advance!
Jonathan
Hi
On the ACS side, the config you choose very much depends on the scale of your deployment.
If you have one or two users, you can define per-user command authorisation within ACS.
If you have many users, you should do this at group level.
Moving on, if you have many devices you can look at creating pixshell command sets and grouping the devices into Network Device Groups (NDGs). Within each group you then map from NDGs to command sets.
This gives the functionality of an RBAC (Role Based Access Control) server, where a member of a group has a certain role with associated rights based on which NDG is being configured.
You may also want to use NARs to prevent certain admins from even being able to log on to the device.
So the first job is to scope your deployment and figure out what level of config (and hence complexity) is required in ACS.
Then get a copy of extraxi aaa-reports! to audit your ACS logs :)
Darran -
TACACS+ command authorization and ACS "Quirk"(?)
Hi All,
I've created a limited access command set for a few of my engineers. They can shut/no shut ports, change VLANs on access ports etc., but they can't access critical ports like uplinks. That's working fine. I'd like to take it a step further and ensure that they can't accidentally assign a server VLAN to a user access port. Using ACS 4.2.
For the example, i'll use Vlan 101, which is one of my server networks.
My Command set says:
Command: switchport
Arguments: permit access, permit vlan, deny 101
Permit Unmatched Args is UNCHECKED.
When I debug the aaa authorization, i see this:
146425: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): user=<my Testuser>
146426: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV service=shell
146427: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd=switchport
146428: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=access
146429: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=vlan
146430: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=101
146431: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=<cr>
146432: Mar 8 09:39:19.362: AAA/AUTHOR (3413047404): Post authorization status = PASS_ADD
I know I have the correct command set applied, because it blocks me appropriately for other commands.
146451: Mar 8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): user=<my Testuser>
146452: Mar 8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV service=shell
146453: Mar 8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd=interface
146454: Mar 8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=GigabitEthernet
146455: Mar 8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=1/1
146456: Mar 8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=<cr>
146457: Mar 8 09:39:22.730: AAA/AUTHOR (838742026): Post authorization status = FAIL
Any thoughts why it's not working as expected?
Don't mean to be ignorant about this, but is there a way to export the config from ACS? Router config section is below… I've used this successfully with 4.2 several times…
ip tacacs source-interface gi 0/0
tacacs-server directed-request
tacacs-server key
tacacs-server host x.x.x.x
aaa new-model
aaa authentic login default group tacacs+ local
aaa authentic login no-tacacs none
aaa authentic enable default group tacacs+ enable
aaa author config-commands
aaa author exec default if-authenticated
aaa author commands 1 default if-authenticated
aaa author commands 15 default group tacacs+ local
aaa author console
aaa account exec default start-stop group tacacs+
aaa account commands 0 default start-stop group tacacs+
aaa account commands 1 default start-stop group tacacs+
aaa account commands 15 default start-stop group tacacs+
aaa account connection default start-stop group tacacs+
aaa account system default start-stop group tacacs+
aaa session-id common -
Network environment:
- Windows 2003 with enterprise CA
- Cisco ACS appliance 4.1.1.23
- Cisco 1240 AG series APs
Wireless clients:
- Windows XP SP2
Brief steps taken:
- Installed Enterprise CA
- Created a copy of the web server certificate with the option "Mark keys as exportable" enabled. Certificate published.
- Created global group in AD that contains test user and a single laptop that is a member of domain - for auto enrolment.
- Generated certificate request from ACS (1024 key length).
- Submitted server request from ftp server - Submit a certificate request using base 64…
- Submitted CA certificate request from ftp server - Retrieve CA certificate or revocation list /base 64 encoded.
- CA & server certificates installed in to ACS appliance (Domain certificate authority approved within ACS)
Brief config of the ACS appliance
Global config
- PEAP - Selected "Allow EAP-MSCHAPv2".
- LEAP - Allow LEAP (For Aironet only)
- Selected "Allow MS-CHAP Version 1 & 2 authentication"
- Added AAA client (AP) with shared secret, with authentication using "Radius (Cisco Aironet)"
- Under External user DB / DB config / Windows database, "Enable PEAP machine authentication" selected.
1240 series AP config
- Under Server Manager, ACS IP with shared secret entered as a Radius server.
- Selected EAP authentication.
- Under SSID Manager selected open Authentication with EAP & selected network EAP.
- Under Encryption Manager selected WEP Encryption & mandatory.
- Selected key 1 and entered 128 bit key
Client (windows XP SP2 domain member) config
- Connected to Enterprise CA web site, base64 encoding/download CA certificate
and installed it in local computer store.
- Under Network authentication selected open with WEP, EAP type "Protected EAP (PEAP)"
- Authenticate as a computer selected
- Selected my CA under "Trusted Certification Authorities"
- Authentication method (EAP-MSCHAP V2)
Errors:
Automatic certificate enrollment to local system failed to contact the AD. The specified domain does not exist or cannot be contacted.
Or
Computer doesn't have correct certificate
Used 43486, 64067, 71929
Any suggestions very much appreciated.
ACS Agent is installed on two DCs as well and they are detected by ACS.
Thanks -
Parser Error Message: Unrecognized configuration section 'system.webServer'
At the time of run it shows this error:
Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: Unrecognized configuration section 'system.webServer'
Source Error:
Line 34: </httpModules>
Line 35: </system.web>
Line 36: <system.webServer>
Line 37: <validation validateIntegratedModeConfiguration="false"/>
Line 38: <modules>
Source File: c:\inetpub\wwwroot\ACS-Driver\web.config Line: 36
Version Information: Microsoft .NET Framework Version:1.1.4322.2379; ASP.NET Version:1.1.4322.2379
My server:
OS: Windows Server 2003
IIS 6.0 -
Wireless SSID with Certificate
Dear All,
I have a wireless network with a Cisco 5508 WLC for the corporate network, a Cisco WLC for the guest network, ACS 4.2, and 200 access points.
Corporate SSID authentication- WPA1 & 2 with Dot1X(Via ACS)
Guest SSID authentication- Webauth with ACS
I need to configure an SSID for scanners.
Is there any way to configure the scanners' wireless authentication via ACS with a trusted certificate?
Thanks in advance
Sreelal
Hi,
Thanks for your reply.
The customer has one certificate server (CA). We need to generate the certificate from that CA.
Our scanner expert will load the generated certificate into the scanner.
My scanner supports EAP-FAST, EAP-TLS, LEAP, PEAP, TTLS.
So can I go with LEAP for scanners?
Do you have any document or steps for completing this task?
SSID config on WLC?
ACS 4.2 Config?
On PC side what config we need to do (If we are connecting a PC to the same SSID)?
Once again, thank you!! -
TACACS+ and authorization "conf-t" commands (IOS)
Hi
Is it possible to do authorization for IOS commands ("conf t" mode) on the TACACS+ service without having to keep strings such as "privilege configure level 3 interface" in the Cisco running config?
Authorization for exec mode commands works well, but I need the same for the commands of conf-t mode.
For example, in tac_plus.conf I need something like this (fictional syntax):
service = configure {
    cmd = interface { permit FastEthernet .* }
    cmd = switchport { deny access .* }
}
This already works well:
service = exec {
    priv-lvl = 3
    cmd = ping { permit .* }
    cmd = write { deny memory }
}
Thank you for any ideas.
Hi Oleg,
Here, as you said, commands like ping, show or any other commands in privilege level are authorized with the TACACS+ server, but if you want to authorize in global configuration mode then you need to give an extra command:
"acs#aaa authorization config-commands"
Now after giving it you can give any global configuration command like
"acs(config)#interface FastEthernet "
and either permit or deny it; this command gets authorized with the TACACS+ server.
-thanks,
Rajiv -
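The "quirk" in the ACS 4.2 thread above (permit access / permit vlan / deny 101 still passing "switchport access vlan 101") and the tac_plus question in this thread both come down to how a command-authorization server matches arguments. The following Python is an added example, not code from the page, from Cisco or from the tac_plus project: it parses IOS "debug aaa authorization" lines (a constructed sample modelled on the ones posted, with made-up session ids and user name) into per-session records and replays them against a command set using tac_plus's rule, first regex hit on the joined argument string decides, unmatched means deny. That ACS 4.x shell command authorization sets apply the same first-match model is an assumption made here, chosen because it reproduces the PASS that was logged.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of IOS "debug aaa authorization" output, modelled on the
# lines quoted in the ACS 4.2 thread above (session ids, timestamps and the
# user name are made up).
DEBUG_LINES = """\
Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): user=testuser
Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV service=shell
Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd=switchport
Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=access
Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=vlan
Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=101
Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=<cr>
Mar 8 09:39:19.362: AAA/AUTHOR (3413047404): Post authorization status = PASS_ADD
Mar 8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): user=testuser
Mar 8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV service=shell
Mar 8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd=interface
Mar 8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=GigabitEthernet
Mar 8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=1/1
Mar 8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=<cr>
Mar 8 09:39:22.730: AAA/AUTHOR (838742026): Post authorization status = FAIL
"""

# The tac_plus-style stanza from Oleg's thread, braces closed and the "wrire"
# typo corrected (constructed for this example, not a real running config).
TAC_PLUS_SNIPPET = """\
service = exec {
    priv-lvl = 3
    cmd = ping { permit .* }
    cmd = write { deny memory }
}
"""

AV_RE = re.compile(r"\((\d+)\): (?:send AV )?([\w-]+)=(.*)$")
STATUS_RE = re.compile(r"\((\d+)\): Post authorization status = (\S+)")
CMD_BLOCK_RE = re.compile(r"cmd\s*=\s*(\S+)\s*\{([^}]*)\}")
RULE_RE = re.compile(r"^\s*(permit|deny)\s+(.+?)\s*$", re.M)

Rule = Tuple[str, str]  # ("permit" | "deny", regex tested against the joined arguments)


def parse_author_debug(text: str) -> List[dict]:
    """Fold the per-session AV pairs of a TAC+ authorization debug into one
    record per session: user, service, cmd, argument list and server verdict."""
    sessions: Dict[str, dict] = {}
    for line in text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            sessions.setdefault(m.group(1), {"args": []})["status"] = m.group(2)
            continue
        m = AV_RE.search(line)
        if not m:
            continue
        sid, key, val = m.groups()
        rec = sessions.setdefault(sid, {"args": []})
        if key == "cmd-arg":
            if val != "<cr>":  # <cr> only terminates the argument list
                rec["args"].append(val)
        elif key in ("user", "service", "cmd"):
            rec[key] = val
    return [dict(rec, session=sid) for sid, rec in sessions.items()]


class CommandSet:
    """First-match command authorization as tac_plus does it (and, as an
    assumption, as an ACS 4.x shell command authorization set does): the
    argument words are joined with spaces, each rule's regex is searched
    unanchored against that string in order, and the first hit decides.
    Unmatched arguments and unknown commands are denied unless told otherwise."""

    def __init__(self, cmds: Dict[str, List[Rule]],
                 permit_unmatched_args: bool = False,
                 permit_unmatched_cmds: bool = False) -> None:
        self.cmds = cmds
        self.permit_unmatched_args = permit_unmatched_args   # ACS "Permit Unmatched Args"
        self.permit_unmatched_cmds = permit_unmatched_cmds

    def evaluate(self, cmd: str, args: List[str]) -> str:
        if cmd not in self.cmds:
            return "PASS" if self.permit_unmatched_cmds else "FAIL"
        arg_line = " ".join(args)
        for action, pattern in self.cmds[cmd]:
            if re.search(pattern, arg_line):
                return "PASS" if action == "permit" else "FAIL"
        return "PASS" if self.permit_unmatched_args else "FAIL"


def parse_tacplus_cmds(text: str) -> CommandSet:
    """Build a CommandSet from the 'cmd = NAME { permit/deny REGEX }' blocks of
    a tac_plus.conf service stanza (one rule per line inside the braces)."""
    return CommandSet({name: RULE_RE.findall(body)
                       for name, body in CMD_BLOCK_RE.findall(text)})


# The set as posted: "permit access" matches "access vlan 101" before the deny
# line is ever reached, so the server answers PASS.
POSTED_SET = CommandSet({"switchport": [("permit", "access"), ("permit", "vlan"), ("deny", "101")]})
# Deny tested first and tied to the exact token pair, so "vlan 1010" still passes.
FIXED_SET = CommandSet({"switchport": [("deny", r"\bvlan 101\b"), ("permit", "access"), ("permit", "vlan")]})


def replay(debug_text: str, cmdset: CommandSet) -> List[Tuple[str, str, str, str]]:
    """Re-evaluate every command seen in the debug against a command set and
    return (cmd, argument line, verdict logged by IOS, verdict from the model)."""
    return [(r.get("cmd", ""), " ".join(r["args"]), r.get("status", "?"),
             cmdset.evaluate(r.get("cmd", ""), r["args"]))
            for r in parse_author_debug(debug_text)]


if __name__ == "__main__":
    for row in replay(DEBUG_LINES, POSTED_SET) + replay(DEBUG_LINES, FIXED_SET):
        print(row)
```

Replaying a debug capture against the intended set this way shows a rule-ordering mistake as a mismatch between the logged verdict and the modelled one before the set is rolled out; the permit_unmatched_args flag stands in for the ACS "Permit Unmatched Args" check box, and the same evaluator accepts the cmd blocks of a tac_plus.conf service stanza.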
Command Authorization Set Show Run Permissions Only
Hi All,
I am trying to set up aaa authorization using Cisco ACS 4.2 so that my Helpdesk Users have the ability to do show commands only.
I have followed the instructions from http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
and this doesn't work as intended.
I have followed the document to a tee, but when I log in with my test2 user account it gives me user mode access only (> prompt) instead of Priv Exec (# prompt) with only show command privileges! I guess this is because I am specifying level 1 access, but that's what the doc says to do...
My config is as follows:
Cisco 2811 Router
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common
ACS 4.2 Config
Shell Command Authorization Set: Name = ReadOnlyAccess - Unmatched commands set to Deny, with the show command configured in the box below, and I have checked the Permit Unmatched Args check box next to it
User: Test2 in UserGroup: ReadOnlyGroup with Enable options - Max Priv for any AAA Client: Level 1, TACACS+ - Shell (exec) box checked and Priv level checked and set to 1
Shell Command Authorisation Set - Assign a Shell Command Authorization Set for any network Device radio button selected specifying ReadOnlyAccess as the Command authorisation set to apply.
Thanks in advance
David
All,
I have resolved this issue by giving my Test2 user account priv 15 access and then specifying the commands that can be permitted within the command authorisation set applied to all devices, which is the way I thought it should be done in the first place. -
ACS 5.3 and WLC 2504 config with restricted network access
Hello,
I submit to you the following issue that I'm actually facing:
I must configure a secured wireless network with access restriction based on SSID. The equipment is: Cisco WLC 2504 (software 7.3), Cisco Secure ACS appliance 1121 (software 5.4).
The users that will connect to the network are grouped by identity groups, each identity group having its own SSID. Clearly each group of users must access only one SSID.
I followed the procedure below to configure it:
- creating user identity groups;
- creating users and assigning them to the groups;
- creating authorization profiles for each SSID under policy elements / authorization and permissions / network access / authorization profiles and putting the Airespace-Wlan-Id (the SSID number) in the RADIUS tab;
- assigning the authorization profiles to the identity groups under access policies.
After all this config the users can access the network using their userid/password as configured. But the problem is every user can access every SSID; it seems the restriction is not very well configured.
I found some documentation on this kind of config, but the version of ACS used seems older than the one I use, so the menus are very different.
Please can someone provide the right steps to follow to achieve this kind of config.
Thanks in advance
Yes.. you only have to add the end filter like what I posted... As far as the calling station id in the WLC security tab, it doesn't matter because that is not used when using 802.1x. I would also try not to enable everything that you have, just to start from the basics and make sure it works first. The WAP Authentication Method might or might not work for you. Uncheck that for now and when you have a successful authentication, look at the monitor log and see what RADIUS attributes are being sent, because those attributes are what you can use to build your policies.
Thanks,
Scott
Help others out by using the rating system and marking answered questions as "Answered" -
ACS will not save the config changes to reports
I have configured a very old ACS appliance, 4.1. At this time this is what we have to use. The authentication is working fine; the reports for accounting (TACACS+ accounting) are only saving the login and logout of the users and not any config changes that are being made.
I'm hoping that someone may have an idea of what accounting command I am using, or if this older version has some changes that need to be done, as the config/aaa lines I use today work on newer versions. I was under the impression that this line "aaa accounting exec default start-stop group tacacs+" would send every command to the TACACS+ server?
aaa new-model
aaa authentication login default group tacacs+
aaa authorization config-commands
aaa authorization exec default group tacacs+ none
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 2 default group tacacs+ none
aaa authorization commands 7 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Any ideas would be appreciated. Thanks for reading.
Yvon
Hi martijn,
Are there some custom fields in this list or some duplicate columns? Please have a check.
For more information about the possible reasons and solutions, see
http://social.technet.microsoft.com/Forums/en-US/sharepointcustomizationprevious/thread/ae946f73-3126-41ad-833b-25e4cc2b7723#e22af3fe-8203-45c4-8d19-e18041a048e2
http://social.technet.microsoft.com/Forums/en-US/sharepointgenerallegacy/thread/59895a6b-7f61-431f-a762-e3fd9d81fe34
http://social.technet.microsoft.com/Forums/en/sharepointcustomizationprevious/thread/eba4cd7e-498a-465f-adea-decae44d7a8c
Regards,
Kelly Chen