ACS 5.3 Config

While applying the ACS 5.3 config on Cisco switches, due to a partial config the username and password are not working.
Kindly guide how to recover the password; even after a reboot we are not able to get access to the device, and the ACS login is also not working.

I assume you have a username/password set up on the router; if so, make the ACS inaccessible, and then by default you use the username on the router. If no username is set up on the router, then you will have to use the console connection.

Similar Messages

  • ACS 3.3 Config Command Authorization

    Hi,
    I want to allow a user only to add/remove routes on a router. The shell command authorization works fine. But when the user is in config mode, he can start any command!
    The debug says:
    1w2d: AAA/AUTHOR: config command authorization not enabled
    How can I enable this and how/where can I configure it on the ACS?
    Thanks in advance

    On ACS just allow the user to enter the "route" command like you have any other shell command they're allowed to do.
    On the router/NAS, you have to tell it specifically that you want authorization for config commands with the following:
    aaa authorization config-commands
    Note that the format of this command changes slightly on different IOS versions, but if you do "aaa authorization ?" you'll be able to figure it out.

  • ACS : external database config. (AD)

    Hello,
    I installed the latest version of Cisco ACS 4.0 and I have a problem with the "Windows database configuration". I want to authenticate users on an Active Directory, but when I want to configure it I get an error message:
    "An error has occurred while processing the Authen DLL
    Default Group Page because of an internal error ..."
    I tried to find why I have this error but until now I have nothing that can help me to solve this issue.
    Who can help me?
    Thanks in advance for any help.
    Rui

    The dll should be logging an error message into the csadmin service log
    CSAdmin/Logs/admn.log
    Sounds like something is broken - this will need TAC + escalated support I suspect.
    Darran

  • ACS to ISE config issues

    Hi,
    I'm trying to migrate VPNs from ACS to ISE but I cannot quite get used to the ISE.
    Below is a picture of my authentication rule I'd like to replicate on ISE, but so far I have had no joy. Any pointers would be greatly received.
    If the network source IP is trusted, Rule 1 is hit and ISS is just use AD.
    If the network source IP is untrusted, Rule 2 is hit and ISS is just use OTP then AD.
    I'm not 100% on the authorisation aspect either.
    I think I want something along the lines of AD:Group/x/x/x/x and TunnelGroup xxx = Permit/Apply ACL else Deny.
    I can pass authentication from the ASA to ISE; one thing I have noticed in the AAA report is that in the AV pairs the tunnel group name is not listed.
    Many thanks in advance
    S

    Hi
    FYI
    Cisco Secure ACS and Cisco ISE exist on different hardware platforms and have different operating systems, databases, and information models. Therefore, you cannot perform a standard upgrade from Cisco Secure ACS to Cisco ISE. Instead, the Cisco Secure ACS to Cisco ISE Migration Tool reads data from Cisco Secure ACS and creates corresponding data in Cisco ISE.
    For migrating the policies, and all other information, please visit the following link, particularly chapters 3, 4 and 5:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/migration_guide/ise_migration_guide/ise_mig_preface.html

  • ACS primary/ secondary config

    We have 4 ACS in the system:
    +) In HQ, we have 2 ACS: 1 primary and 1 secondary ACS
    +) In the branch office, we have 2 secondary ACS
    Suppose the primary fails; could one of the secondary ACS automatically become primary so all other ACSs can continue to replicate from that one?
    If not, when the primary fails, do we have to go to each secondary and deregister, and after that choose one of the 3 ACS as primary and register to that one?
    Thanks
    Duyen.

    Hey Duyen,
    So you only care about replication, right?
    Unfortunately, if the primary fails in replication there is no way for any secondary to take the role of primary and replicate to others (this is in ACS 4.x only; I don't know about 5.x).
    So what you need to do is just what you mentioned: go to each ACS server, configure one of the secondaries as primary and configure the others to replicate from this new primary one.
    Regards,
    Amjad

  • Cisco ACS & Nortel Equipment

    Hi,
    I have a client who has a mostly Nortel network who requires a RADIUS and TACACS+ authentication system to work with Nortel and Cisco equipment to authenticate administrative logins.
    Does anyone know please if an ACS appliance or the Windows version 4.2 will be able to provide RADIUS/TACACS+ to both Cisco and Nortel equipment without any major configuration work?
    Thanks very much for your help.
    Darrel

    On the ACS server, we have Radius[Nortel] attributes.
    You have to configure the "Nortel switches" as an AAA client on the ACS server. The configuration should be:
    On ACS server > Network Config > under AAA client:
    - AAA client name = Switch
    - AAA client IP address = IP address of switch
    - Shared secret key = secret key on switch
    - Authentication Protocol = Radius[Nortel]
    Then you need to enable the Nortel attributes:
    ACS--->Interface configuration--->Nortel. Enable the attributes you need.
    Now in the group you need to check these attributes.
    Regards.
    ~JG
    Do rate helpful posts

  • Command Authorization on Pix 6.3 and ACS v3.3

    Hi,
    I am researching how to enable command authorization on a PIX firewall software v6.3 through an ACS v3.3.
    I only have a production unit so I am very cautious about doing test configuration on the firewall. I might get locked out and kicked in the butt. =)
    Inputs on the step-by-step configuration of ACS and pix would be greatly appreciated.
    Thanks in advance!
    Jonathan

    Hi
    On the ACS side, the config you choose very much depends on the scale of your deployment.
    If you have one or two users, you can define per-user command authorisation within ACS.
    If you have many users, you should do this at group level.
    Moving on, if you have many devices you can look at creating pixshell command sets and grouping the devices into Network Device Groups (NDGs). Within each group you then map from NDGs to command sets.
    This gives the functionality of an RBAC (Role Based Access Control) server, where a member of a group has a certain role with associated rights based on which NDG is being configured.
    You may also want to use NARs to prevent certain admins even being able to logon to the device.
    So the first job is to scope your deployment and figure out what level of config (and hence complexity) is required in ACS.
    Then get a copy of extraxi aaa-reports! to audit your ACS logs :)
    Darran

  • TACACS+ command authorization and ACS "Quirk"(?)

    Hi All,
    I've created a limited access command set for a few of my engineers. They can shut/no shut ports, change VLANs on access ports etc., but they can't access critical ports like uplinks. That's working fine. I'd like to take it a step further and ensure that they can't accidentally assign a server VLAN to a user access port. Using ACS 4.2.
    For the example, i'll use Vlan 101, which is one of my server networks.
    My Command set says:
    Command: switchport
    Arguments: permit access, permit vlan, deny 101
    Permit Unmatched Args is UNCHECKED.
    When I debug the aaa authorization, i see this:
    146425: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): user=<my Testuser>
    146426: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV service=shell
    146427: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd=switchport
    146428: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=access
    146429: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=vlan
    146430: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=101
    146431: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=<cr>
    146432: Mar  8 09:39:19.362: AAA/AUTHOR (3413047404): Post authorization status = PASS_ADD
    I know I have the correct command set applied, because it blocks me appropriately for other commands.
    146451: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): user=<my Testuser>
    146452: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV service=shell
    146453: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd=interface
    146454: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=GigabitEthernet
    146455: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=1/1
    146456: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=<cr>
    146457: Mar  8 09:39:22.730: AAA/AUTHOR (838742026): Post authorization status = FAIL
    Any thoughts why it's not working as expected?

    Don't mean to be ignorant about this, but is there a way to export the config from ACS? The router config section is below; I've used this successfully with 4.2 several times.
    ip tacacs source-interface gi 0/0
    tacacs-server directed-request
    tacacs-server key
    tacacs-server host x.x.x.x
    aaa new-model
    aaa authentic login default group tacacs+ local
    aaa authentic login no-tacacs none
    aaa authentic enable default group tacacs+ enable
    aaa author config-commands
    aaa author exec default if-authenticated
    aaa author commands 1 default if-authenticated
    aaa author commands 15 default group tacacs+ local
    aaa author console
    aaa account exec default start-stop group tacacs+
    aaa account commands 0 default start-stop group tacacs+
    aaa account commands 1 default start-stop group tacacs+
    aaa account commands 15 default start-stop group tacacs+
    aaa account connection default start-stop group tacacs+
    aaa account system default start-stop group tacacs+
    aaa session-id common

  • ACS appliance setup help

    Network environment:
    - Windows 2003 with enterprise CA
    - Cisco ACS appliance 4.1.1.23
    - Cisco 1240 AG series APs
    Wireless clients:
    - Windows XP SP2
    Brief steps taken:
    - Installed Enterprise CA
    - Created copy of web server certificate with option “Mark keys as exportable” enabled. Certificate published.
    - Created global group in AD that contains test user and a single laptop that is a member of domain - for auto enrolment.
    - Generated certificate request from ACS (1024 key length).
    - Submitted server request from ftp server - Submit a certificate request using base 64…
    - Submitted CA certificate request from ftp server - Retrieve CA certificate or revocation list /base 64 encoded.
    - CA & server certificates installed in to ACS appliance (Domain certificate authority approved within ACS)
    Brief config of ACS appliance
    Global config
    - PEAP -Selected “Allow EAP-MSCHAPv2”.
    - LEAP - Allow LEAP (For Aironet only)
    - Selected “Allow MS-CHAP Version 1 & 2 authentication”
    - Added AAA client (AP) with shared secret with authentication using “Radius (Cisco Aironet)
    - Under External user DB//DB config/windows database, “Enable PEAP machine authentication” selected.
    1240 series AP config
    - Under Server Manager, ACS IP with shared secret entered as a Radius server.
    - Selected EAP authentication.
    - Under SSID Manager selected open Authentication with EAP & selected network EAP.
    - Under Encryption Manager selected WEP Encryption & mandatory.
    - Selected key 1 and entered 128 bit key
    Client (windows XP SP2 domain member) config
    - Connected to Enterprise CA web site, base64 encoding/download CA certificate
    and installed it in local computer store.
    - Under Network authentication selected open with WEP, EAP type “Protected EAP (PEAP)”
    - Authenticate as a computer selected
    - Selected my CA under “Trusted Certification Authorities”
    - Authentication method: EAP-MSCHAP v2
    Errors:
    Automatic certificate enrollment to local system failed to contact the AD. The specified domain does not exist or cannot be contacted.
    Or
    Computer doesn't have correct certificate
    Used 43486, 64067, 71929
    Any suggestions very much appreciated.

    ACS Agent is installed on two DC's as well and they are detected by ACS.
    Thanks

  • Parser Error Message: Unrecognized configuration section 'system.webServer'

    At run time it shows this error:
    Configuration Error
    Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately. 
    Parser Error Message: Unrecognized configuration section 'system.webServer'
    Source Error: 
    Line 34:     </httpModules>
    Line 35:   </system.web>
    Line 36:   <system.webServer>
    Line 37:     <validation validateIntegratedModeConfiguration="false"/>
    Line 38:     <modules>
    Source File: c:\inetpub\wwwroot\ACS-Driver\web.config    Line: 36 
    Version Information: Microsoft .NET Framework Version:1.1.4322.2379; ASP.NET Version:1.1.4322.2379

    My server:
    OS: Windows Server 2003
    IIS 6.0

  • Wireless SSID with Certificate

    Dear All,
    I have a wireless network with a Cisco 5508 WLC for the corporate network, a Cisco WLC for the guest network, ACS 4.2, and 200 access points.
    Corporate SSID authentication - WPA1 & 2 with Dot1X (via ACS)
    Guest SSID authentication - Webauth with ACS
    I need to configure an SSID for scanners.
    Is there any way to configure the scanners wireless authentication via ACS with a trusted certificate?
    Thanks in advance
    Sreelal

    Hi,
    Thanks for your reply.
    The customer has one certificate server (CA). We need to generate the certificate from that CA.
    Our scanner expert will load the generated certificate into the scanner.
    My scanner supports EAP-FAST, EAP-TLS, LEAP, PEAP, TTLS.
    So can I go with LEAP for scanners?
    Do you have any document or steps for completing this task?
    SSID config on WLC?
    ACS 4.2 Config?
    On PC side what config we need to do (If we are connecting a PC to the same SSID)?
    Once again thanking you !!

  • TACACS+ and authorization "conf-t" commands (IOS)

    Hi
    Is it possible to do authorization for IOS commands ("conf-t mode") on the TACACS+ service without having to keep strings like "privilege configure level 3 interface" in the Cisco running config?
    Authorization for exec mode commands works well but I need the same for the commands of conf-t mode.
    For example, tac_plus.conf:
    I need something like this (fictional syntax):
        service = configure {
            cmd = interface { permit FastEthernet .* }
            cmd = switchport { deny access .* }
        }
    This already works well:
        service = exec {
            priv-lvl = 3
            cmd = ping { permit .* }
            cmd = write { deny memory }
        }
    Thank you for any ideas.

    Hi Oleg,
    Here, as you said, the commands like ping, show or any other commands at a privilege level are authorized with the TACACS+ server, but if you want to authorize in global configuration mode then you need to give an extra command:
    "acs#aaa authorization config-commands"
    Now, after giving it, you can give any global configuration command like
    "acs(config)#interface FastEthernet "
    and, whether you permit or deny it, this command gets authorized with the TACACS+ server.
    -thanks,
    Rajiv

  • Command Authorization Set Show Run Permissions Only

    Hi All,
    I am trying to set up aaa authorization using Cisco ACS 4.2 so that my Helpdesk Users have the ability to do show commands only.
    I have followed the instructions from http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    and this doesn't work as intended.
    I have followed the document to a tee but when I log in with my test2 user account it gives me user mode access only (> prompt) instead of Priv Exec (# prompt) but with only show command privileges!  I guess this is because I am specifying level 1 access but that's what the doc says to do.......
    My config is as follows:
    Cisco 2811 Router
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa session-id common
    ACS 4.2 Config
    Shell Command Authorization Set: Name = ReadOnlyAccess - Unmatched commands set to Deny, with the show command configured in the box below and I have checked the Permit Unmatched Args check box next to it
    User: Test2 in UserGroup: ReadOnlyGroup with Enable options - Max Priv for any AAA Client: Level 1, TACACS+ - Shell (exec) box checked and Priv level checked and set to 1
    Shell Command Authorisation Set - Assign a Shell Command Authorization Set for any network Device radio button selected specifying ReadOnlyAccess as the Command authorisation set to apply.
    Thanks in advance
    David

    All,
    I have resolved this issue by giving my Test2 user account priv 15 access and then specifying the commands that can be permitted within the command authorisation set applied to all devices, which is the way I thought it should be done in the first place.
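    The three TACACS+ threads above (the switchport "Quirk" with its debug output, the conf-t authorization question, and this show-only ReadOnlyAccess set) all come down to how a shell command-authorization set is evaluated. The following is an added example, not code from ACS, tac_plus or any poster: a small Python model that parses the "debug aaa authorization" lines from the Quirk thread and runs each request through a command set so a set can be checked offline before it is applied to production devices. Its matching semantics are an assumption (exact command lookup; argument rules evaluated top-down, first match wins, each regex searched against the joined argument string; "unmatched args/commands" applied only when nothing matched), not something the threads confirm, and the hardened set's patterns are constructed for illustration.

```python
"""Offline model of a TACACS+ shell command-authorization set (added example).

ASSUMED semantics (not taken from Cisco documentation or the threads):
  * the command word is looked up exactly;
  * argument rules are evaluated top-down, first match wins, and each rule's
    regex is searched (not full-matched) against the joined argument string;
  * "permit unmatched args" / "permit unmatched commands" apply when nothing matched.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Debug lines as posted in the "Quirk" thread (the two sessions shown there).
DEBUG_LINES = """\
146425: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): user=<my Testuser>
146426: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV service=shell
146427: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd=switchport
146428: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=access
146429: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=vlan
146430: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=101
146431: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=<cr>
146432: Mar  8 09:39:19.362: AAA/AUTHOR (3413047404): Post authorization status = PASS_ADD
146451: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): user=<my Testuser>
146452: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV service=shell
146453: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd=interface
146454: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=GigabitEthernet
146455: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=1/1
146456: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=<cr>
146457: Mar  8 09:39:22.730: AAA/AUTHOR (838742026): Post authorization status = FAIL
"""

_LINE_RE = re.compile(r"AAA/AUTHOR(?:/TAC\+)?:? \((\d+)\): (.*)$")


def parse_author_debug(text: str) -> list[dict]:
    """Group 'debug aaa authorization' lines by session id into one request each."""
    sessions: dict[str, dict] = {}
    for line in text.splitlines():
        m = _LINE_RE.search(line)
        if not m:
            continue
        sid, rest = m.groups()
        s = sessions.setdefault(sid, {"session": sid, "user": None, "service": None,
                                      "cmd": None, "args": [], "status": None})
        if rest.startswith("user="):
            s["user"] = rest[len("user="):]
        elif rest.startswith("send AV "):
            key, _, value = rest[len("send AV "):].partition("=")
            if key == "service":
                s["service"] = value
            elif key == "cmd":
                s["cmd"] = value
            elif key == "cmd-arg" and value != "<cr>":  # <cr> just terminates the argument list
                s["args"].append(value)
        elif rest.startswith("Post authorization status = "):
            s["status"] = rest.rpartition("= ")[2]
    return list(sessions.values())


@dataclass
class CommandRule:
    command: str
    arg_rules: list[tuple[str, str]] = field(default_factory=list)  # (permit|deny, regex), top-down
    permit_unmatched_args: bool = False


@dataclass
class CommandSet:
    name: str
    rules: dict[str, CommandRule]
    permit_unmatched_commands: bool = False


def authorize(cmdset: CommandSet, cmd: str, args: list[str]) -> tuple[str, str]:
    """Return (PERMIT|DENY, reason) for one shell command under the assumed semantics."""
    rule = cmdset.rules.get(cmd)
    if rule is None:
        verdict = "PERMIT" if cmdset.permit_unmatched_commands else "DENY"
        return verdict, f"command '{cmd}' not in set '{cmdset.name}' (unmatched command)"
    arg_string = " ".join(args)
    for action, pattern in rule.arg_rules:
        if re.search(pattern, arg_string):
            return action.upper(), f"'{arg_string}' matched '{action} {pattern}'"
    if rule.permit_unmatched_args:
        return "PERMIT", f"'{arg_string}' matched no rule; unmatched args permitted"
    return "DENY", f"'{arg_string}' matched no rule; unmatched args denied"


def replay(cmdset: CommandSet, debug_text: str) -> list[dict]:
    """Run every request in the debug output through the set, keeping the device's verdict beside it."""
    out = []
    for req in parse_author_debug(debug_text):
        verdict, reason = authorize(cmdset, req["cmd"], req["args"])
        out.append({"cmd": req["cmd"], "args": req["args"], "observed": req["status"],
                    "modelled": verdict, "reason": reason})
    return out


# The set exactly as posted in the Quirk thread: permit access, permit vlan, deny 101.
AS_POSTED = CommandSet("switchport-as-posted", {
    "switchport": CommandRule("switchport", [("permit", "access"), ("permit", "vlan"), ("deny", "101")]),
})

# Constructed alternative: deny first, and anchor the permits so 'vlan 101' cannot ride in on a looser permit.
HARDENED = CommandSet("switchport-hardened", {
    "switchport": CommandRule("switchport", [("deny", r"\b101\b"), ("permit", r"^access vlan \d+$"),
                                             ("permit", r"^mode access$")]),
})

# The show-only helpdesk set from the ReadOnlyAccess thread: unmatched commands denied,
# 'show' permitted with unmatched args.
READ_ONLY = CommandSet("ReadOnlyAccess", {"show": CommandRule("show", permit_unmatched_args=True)})


if __name__ == "__main__":
    for row in replay(AS_POSTED, DEBUG_LINES):
        print(f"{row['cmd']} {' '.join(row['args'])}: device={row['observed']} model={row['modelled']} ({row['reason']})")
    print(authorize(HARDENED, "switchport", ["access", "vlan", "101"]))
    print(authorize(HARDENED, "switchport", ["access", "vlan", "20"]))
    print(authorize(READ_ONLY, "show", ["running-config"]))
    print(authorize(READ_ONLY, "configure", ["terminal"]))
```

    Under the assumed first-match semantics the model reproduces both verdicts in the debug output: "switchport access vlan 101" is permitted because "permit access" is matched before "deny 101" is ever reached, and "interface GigabitEthernet 1/1" is denied because the command is not in the set. Whether the real ACS evaluates arguments this way is for the reader to confirm, but the replay pattern itself is the useful part: capture the AV pairs from the device, run the candidate set against them, and only then apply it.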

  • Acs 5.3 and wlc 2504 config with restricted network access

    Hello,
    I submit to you the following issue that I'm currently facing:
    I must configure a secured wireless network with access restriction based on SSID. The equipment is: Cisco WLC 2504 (software 7.3) and Cisco Secure ACS appliance 1121 (software 5.4).
    The users that will connect to the network are grouped by identity groups, each identity group having its own SSID. Clearly each group of users must access only one SSID.
    I followed the procedure below to configure it:
    -- creating user identity groups;
    -- creating users and assigning them to the groups;
    --- creating authorization profiles for each SSID under Policy Elements / Authorization and Permissions / Network Access / Authorization Profiles and putting the Airespace-Wlan-Id (the SSID number) in the RADIUS tab;
    --- assigning the authorization profiles to the identity groups under Access Policies.
    After all this config the users can access the network using their userid/password as configured. But the problem is that every user can access every SSID; it seems the restriction is not configured very well.
    I found some documentation on this kind of config, but the version of ACS used seems older than the one that I use, so the menus are very different.
    Please can someone provide the right steps to follow to achieve this kind of config.
    Thanks in advance

    Yes.. you only have to add the end filter like what I posted... as far as the calling station id in the WLC security tab, it doesn't matter because that is not used when using 802.1x. I would also try not to enable everything that you have, just to start from the basics and make sure it works first. The WAP Authentication Method might or might not work for you. Uncheck that for now and, when you have a successful authentication, look at the monitor log and see what RADIUS attributes are being sent, because those attributes are what you can use to build your policies.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • ACS will not save the config changes to reports

    I have configured a very old ACS appliance, 4.1. At this time this is what we have to use. The authentication is working fine, but for the accounting reports, TACACS+ accounting is only saving the login and logout of the users and not any config changes that are being made.
    I'm hoping that someone may have an idea about what accounting command I am using, or whether this older version has some changes that need to be done, as the config/AAA lines I use today work on the newer version. I was under the impression that this line "aaa accounting exec default start-stop group tacacs+" would send every command to the TACACS server?
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ none
    aaa authorization commands 0 default group tacacs+ none
    aaa authorization commands 1 default group tacacs+ none
    aaa authorization commands 2 default group tacacs+ none
    aaa authorization commands 7 default group tacacs+ none
    aaa authorization commands 15 default group tacacs+ none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    Any ideas would be appreciated. Thanks for reading.
    Yvon

    Hi martijn,
    Are there some custom fields in this list or some duplicate columns? Please have a check.
    For more information about the possible reasons and solutions, see
    http://social.technet.microsoft.com/Forums/en-US/sharepointcustomizationprevious/thread/ae946f73-3126-41ad-833b-25e4cc2b7723#e22af3fe-8203-45c4-8d19-e18041a048e2
    http://social.technet.microsoft.com/Forums/en-US/sharepointgenerallegacy/thread/59895a6b-7f61-431f-a762-e3fd9d81fe34
    http://social.technet.microsoft.com/Forums/en/sharepointcustomizationprevious/thread/eba4cd7e-498a-465f-adea-decae44d7a8c
    Regards,
    Kelly Chen
