ACS 5.4 experiences?

I'm planning to upgrade from ACS 5.3 to 5.4 in a couple of weeks in order to take advantage of the IPv6 support. Is there anyone running 5.4 that can provide any info on 5.4 experiences/issues/caveats, etc?  Thanks!

There are a couple of points that should be taken into consideration before upgrading:
(taken from release notes)
If you have either ACS 5.2 or ACS 5.3 installed on your machine, you can upgrade to ACS 5.4 using one of the following two methods:
•Upgrading an ACS Server using the Application Upgrade Bundle
•Reimaging and Upgrading an ACS Server
You can only perform an application upgrade bundle, on either a Cisco appliance or a virtual machine, if the disk size is greater than or equal to 500 GB. If you have a smaller disk size, you need to reimage to ACS 5.4 followed by a restore of the backup taken in ACS 5.2 or ACS 5.3 version to trigger the upgrade.
When you upgrade from ACS 5.3 to 5.4, it is mandatory to install ACS 5.3.0.40.8 prior to the upgrade or the upgrade may fail. If you use the version prior to ACS 5.3.0.40.6, then you might hit an error and the upgrade will not proceed. Note that ACS 5.4 does not include all fixes that are included in 5.3.0.40.8. Therefore, if any of these fixes in 5.3.0.40.8 are required in your deployment, then you should install patch 5.4.0.46.1 after you upgrade to ACS 5.4.
Will be interested to hear feedback on the TACACS+ IPv6 support

Similar Messages

  • TACACS enable password is not working after completing ACS & MS AD integration

    Enable password for (Router, Switches) is working fine if identity source is "Internal Users", unfortunately after completed the integration between ACS to MS AD, and change the Identity source to "AD1" I got the following result
    1. able to access network device (cisco switch) using MS AD username and password via SSH/Telnet.
    2. Enable password is not working (using the same user password configured in MS AD).
    3. When I revert back and change the ACS identity source from "AD1" to "Internal Users" enable password is working fine.
    Switch Tacacs Configuration
    aaa new-model
    aaa authentication login default none
    aaa authentication login ACS group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec ACS group tacacs+ local 
    aaa authorization commands 15 ACS group tacacs+ local 
    aaa accounting exec ACS start-stop group tacacs+
    aaa accounting commands 15 ACS start-stop group tacacs+
    aaa authorization console
    aaa session-id common
    tacacs-server host 10.X.Y.11
    tacacs-server timeout 20
    tacacs-server directed-request
    tacacs-server key gacakey
    line vty 0 4
     session-timeout 5 
     access-class 5 in
     exec-timeout 5 0
     login authentication ACS
     authorization commands 15 ACS
     authorization exec ACS
     accounting commands 15 ACS
     accounting exec ACS
     logging synchronous
    This is my first ACS - AD integration experience, hoping to fix this issue with your support, thanks in advance.
    Regards,

    Hi Edward,
    I created a new shell profile named "root", as the default one, "Permit Access", can't be accessed or modified. Below are the steps I've taken.
    1. Create a new shell profile named "root" with max privilege of 15. And then used it in "Default Device Admin/Authorization/Rule-1" shell profile - see attached file for more details.
    2. Telnet the Switch and then Issue "debug aaa authentication" using both "Root Shell" and "Permit Access" applied in Rule-1 profile.
    Note:
    I also attached here the captured screen and debug result for the "shell profiles"

  • ACS 5.x with either AD or RSA Authentication depending on user

    I am trying to implement RSA two-factor authentication for our company for access to secure resources.
    Our current setup before we had RSA, due to PCI restrictions, was based on AD group membership but was still extremely restrictive on even our admin users to ensure that no secure resources could be accessed without two-factor authentication.
    I do not want to have to enable RSA tokens for our entire company - but I would like to be able to allow admins the ability to connect from the outside with two-factor authentication and have access to secure resources in an emergency.
    We have less than ten people that require elevated access privileges so my hope is to enable RSA only for those ten users, and leave the rest of the accounts authenticating normally against AD.
    I cannot figure out how to configure this.  With ACS 4.x such a policy would be simple - just create the user on ACS and point to the Identity Store that I want to authenticate against.  Not as easy with 5.x
    I tried creating a rules-based selection for Identity policy, making RSA the first one, configuring it to drop if no user is found, and configuring the RSA to treat user rejects as user not found.  This broke VPN completely.
    From what I can tell it seems like ACS really wants me to choose an Identity store based on the NDG - but in this case it will always be our same ASA VPN device.
    Anyone know how to accomplish this?
    I am running 5.4 with the latest patches.

    Hope you're well!
    I am facing some access issue after completed the ACS (5.1) and AD (Windows 2003) integration, details underneath.
    Enable password for (Router, Switches) is working fine if identity source is "Internal Users", unfortunately after completed the integration between ACS to MS AD, and change the Identity source to "AD1" I got the following result
    1. able to access network device (cisco switch) using MS AD username and password via SSH/Telnet.
    2. Enable password is not working (using the same user password configured in MS AD).
    3. When I revert back and change the ACS identity source from "AD1" to "Internal Users" enable password is working fine.
    Switch Tacacs Configuration
    aaa new-model
    aaa authentication login default none
    aaa authentication login ACS group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec ACS group tacacs+ local 
    aaa authorization commands 15 ACS group tacacs+ local 
    aaa accounting exec ACS start-stop group tacacs+
    aaa accounting commands 15 ACS start-stop group tacacs+
    aaa authorization console
    aaa session-id common
    tacacs-server host 10.X.Y.11
    tacacs-server timeout 20
    tacacs-server directed-request
    tacacs-server key gacakey
    line vty 0 4
     session-timeout 5 
     access-class 5 in
     exec-timeout 5 0
     login authentication ACS
     authorization commands 15 ACS
     authorization exec ACS
     accounting commands 15 ACS
     accounting exec ACS
     logging synchronous
    This is my first ACS - AD integration experience, hoping to fix this issue with your support, thanks in advance.
    Regards,

  • ACS v4.x to v5.2 experiences

    aloha!
    i am putting the request out there to get some feedback on people's experiences when upgrading from ACS v4.x to v5.2. anything you ran into that blindsided you, etc.... features not working as expected, etc.
    thanks!
    ben

    Ben,
    Here is a link for the features that were in 4.2 but no longer available in 5.2 -
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/release/notes/acs_52_rn.html#wp122068
    Also here is a link for the new features in ACS 5.2 -
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/release/notes/acs_52_rn.html#wp71092
    Hope this provides a good start.
    Thanks,
    Tarik

  • WLC 7.4 with ACS 4.1

    Hi All
    Has anyone any experience of using a Cisco 5508 controller (code version 7.4.100.0) with an ACS appliance running version 4.1 or 4.2?
    I've found that the ACS constantly reports a 'Bad request from NAS' (Invalid message authenticator in EAP request). message. This usually indicates a mismatched shared secret but this isn't the case.
    The controller works fine opposite a Microsoft NPS Radius Server.
    Regards
    Roger                  

    By default the NAS-ID on the WLAN is the hostname of the WLC.  If that is changed and the WLC was rebooted, then the NAS-ID that will be seen by the radius is that under the WLAN.  The Radius server Overwrite interface will change the NAS-ID to the dynamic interface and not the management interface.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • ASA 9.1 + ACS 5.4 SSL Web Portal Bookmarks according to AD Group.

    Hello.
    Have some issues, with ssl vpn on ASA 5515-X.
    I have ASA (9.1) connected to the  ACS (5.4) and configured anyconnect mobile client and clientless ssl web portal. ACS also have connection to Active Directory.
    So it's configured that AD users from group, for example, VPN_clients could connect via anyconnect client or without client via SSL web page. And it's working fine.
    My goal is that to make different SSL portal bookmarks (in terms of ASA different Group Polices) according to AD user group.
    For example: I have 3 groups in AD: VPN_admin, VPN_Finance, VPN_Logistic. I want that users from these group after authentication at SSL web portal would see only their own bookmarks available only for their group.
    As I understand, after the authentication process ACS must answer to ASA which AD groups the user belongs to and ASA must choose the right group policy for the user, but I have no experience how to make this?

    Hello Ivan,
    You are right, ACS can let the ASA know which group-policy should assign based on the RADIUS attribute 25.
    Steps on ACS:
    1- Defined AD groups:
    2- Define the authorization profile under the Policy Elements tab:
    3- Create the Authorization policy and access criteria:
    Then, on the ASA:
    1- Create a group-policy and name it "it".
    2- Through the ASDM, create and assign the bookmarks to this group-policy.
    3- Once a user authenticates, the ACS sends the attribute 25, which contains the string "ou=it".
    4- The ASA looks for the group-policy "it" and assigns it to the user's session.
    Let me know if you have any questions.
    HTH.
    Please rate any helpful posts.
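
    The attribute-25 hand-off from the reply above, as an added Python example that is not part of the original post and not Cisco code: it parses a constructed RADIUS Access-Accept, pulls the group-policy name out of the Class value, and checks it against the group-policies defined on the ASA. The packet bytes, the function names and the handling of an optional trailing semicolon are assumptions made for illustration.

```python
"""Added example: read RADIUS attribute 25 (Class) from an Access-Accept."""
import struct

ACCESS_ACCEPT = 2   # RADIUS code for Access-Accept (RFC 2865)
ATTR_CLASS = 25     # IETF Class attribute, the "attribute 25" in the reply


def build_access_accept(identifier, attributes):
    """Build a constructed Access-Accept; the authenticator is zero filler."""
    body = b"".join(
        bytes([atype, len(value) + 2]) + value for atype, value in attributes
    )
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    return header + bytes(16) + body


def parse_attributes(packet):
    """Return [(type, value)] after validating the RADIUS length fields."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def group_policy_from_class(attrs):
    """Extract the name from a Class value such as b'ou=it' (None if absent)."""
    for atype, value in attrs:
        if atype != ATTR_CLASS:
            continue
        text = value.decode("ascii", errors="replace").strip()
        key, sep, name = text.partition("=")
        if sep and key.strip().lower() == "ou":
            # Assumption: tolerate a trailing ';' after the name.
            return name.strip().rstrip(";").strip() or None
    return None


def check_group_policy(packet, configured):
    """Return (name, known): the name ACS sent and whether the ASA defines it.

    A name that is sent but not defined is what a typo in the ACS
    authorization profile looks like; how the ASA then treats the session
    is not modelled here.
    """
    name = group_policy_from_class(parse_attributes(packet))
    return name, name in configured


if __name__ == "__main__":
    asa_group_policies = {"it", "VPN_Finance"}          # constructed sample
    accept = build_access_accept(7, [(1, b"ivan"), (ATTR_CLASS, b"ou=it")])
    print(check_group_policy(accept, asa_group_policies))
```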

  • ACS 5.2 Sync with Windows 2008 AD but cannot see the Groups

    Hi Pals,
    Recently I've been working with the ACS 5.2 (Installed on VMWare). At the beginning I was using a Win Server 2003 Enterprise edition AD, and there was no problem with the AD and the CA Authority. Because some of my customers use Win Server 2008 I changed the AD platform to Win Server 2008 Enterprise edition (x64).
    I don't really have a great experience with Win Server Platforms and, for what I've seen, the Win Server 2003 Services deployment is easier than the Win Server 2008 is.
    So, when I used the Win server 2003 I could not only synchronize the ACS with the AD but also use some groups created on the AD to perform the Network Access Authentication. When I try to do the same with the Win Server 2008 AD the ACS and the Server get Synchronized but when I want to add the groups for the Authentication purposes there is no one, absolutely nothing... so I cannot do any test.
    Also I looked for information about the compatibility between the ACS 5.2 and the Win Server 2008 platforms and at the end the platforms are compatible.
    Any Idea??
    Thanks in Advance.
    Jose M Cortes H

    Hi Jose,
    This should generally work.
    From what I could read, you cannot list AD groups when trying to select them under an authentication/authorization rule.
    What about when trying to list them under the AD configuration?
    Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups > select...
    Unfortunately, without more details on a specific error message, it would be hard to tell where the root cause could lie.
    We could collect some initial logs from ACS 5.2, in order to start isolating the issue:
    1. Log in to the ACS command line and enable the following debugs:
    admin# acs-config
    Escape character is CNTL/D.
    Username:
    Password:
    acsadmin(config-acs)# debug-adclient enable
    acsadmin(config-acs)# debug-log mgmt level debug
    acsadmin(config-acs)# debug-log runtime level debug
    2. Recreate the issue a couple of times by trying to list the AD groups in the authentication rule and even by trying to list them under
    Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups > select...
    3. Take note of the time stamp when you recreate the issue and then collect the ACS support bundle from the Monitoring & Report Viewer, under
    Troubleshooting > ACS Support Bundle
    Please be sure of collecting the support bundle while checking the following options:
    Include full configuration database = Unchecked
    Include debug logs = All
    Include local logs = All
    Include core files = All
    Include monitoring and reporting logs (all categories checked) = Include files from the last 1 day
    Also, please communicate the time stamp when the issue is observed, so that we can track it faster in the logs.
    Regards,
    Fede
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Authentication eap-tls on ACS or local EAP WLC over Lwapp and 7921

    Hi All,
    I install WLC to provide Wlan architecture and the project was extended for VoWLAN. we have 7921 and E51 running over the wide WLAN architecture.
    Computer using Data over wireless are working over PEAP done by ACS and CA signed certificate + user secret on PC is link to the domain account and secret stay the login and password. Our problem is that user and password is link via ACS to Active Directory. The policy of password is to change frequently.
    For the Phone we are actually running authentication over Leap but I'm working to define the best security solution for us.
    I confront PEAP and Eap-TLS for now:
    1) PEAP check the authentication of ACS via certificate trust and authenticate via MS-Chapv2 and the secret password known by user. My problem here is the phone can only be static what is potentially not acceptable
    2) Eap-tls which is the best secured security due to the double side certificate authentication + (login / password) on the phone
    so I need to manage here Certificate Management ? I mean I can use either the MIC CA certificate on the phone or User CA defined one which I can put on ACS or Local EAP WLC and the put the ACS CA trust on the Phone.
    If I understood well I have to put User.cer and ACS_CA.cer on each phone and put the User_CA on the ACS ?
    I have already Certificate on the ACS signed by CA (like veri-signed) so I must create CSR for any phones to be able to use the same CA ?
    I'm thinking to use also the local Eap certificate of Controller to manage all of that to avoid every potential money to pay to the trust CA of ACS
    can you help me to know if I understood everything good ? I would be please to exchange experience on that
    thanks ;)
    bye

    I am currently using EAP-TLS authentication on my wireless users using ACS 3.2. I have had that problem before. This is what I did...
    Setup a Microsoft Certificate server as my CA. You can use same machine with your ACS and CA.
    Then, generate certificate signing request from ACS then request a server certificate from CA then copy and install a certificate to ACS. On the ACS, go to global authentication setup check the EAP-TLS certificate. If it failed to respond means that the server certificate is not properly setup.
    On the windows xp clients, connect your machine using wired LAN, then request a certificate from CA (the same CA that you have used for your ACS) using IE (ex. http://CAip/certsrv), but this time request a client certificate. The name you should put when requesting the cert must be your local windows user, use 1024, choose microsoft base cryptographic provider 1.0. then install the certificate on the client. Verify your client certificate was installed properly.
    At that point you should be able to connect your wireless client using EAP-TLS.

  • ACS 4.2 authentication using multiple external databases

    Hi there.
    We currently use ACS 4.2 for authentication of corporate users who are accessing the network in 2 different ways:
    1) VPN client (via ASA5510)
    2) Wireless (EAP-PEAP)
    For all users who currently access the network via either of the above 2 methods, the Password Authentication under User Account settings in ACS is set to query an RSA SecurID Token Server.
    We would like to try achieve the following in ACS:
    IF an access request comes from the ASA (VPN clients), THEN we would like the user's password authentication to be handled by the RSA SecurID Token Server as it currently is.
    IF an access request comes from the Wireless LAN controllers THEN we would like to use EAP-TLS authentication. (We are aware that we would obviously need to configure the WLC, clients, PKI infrastructure etc accordingly for eap-tls).
    Does anyone have any best practice guidance, configuration guides or previous experience in differentiating the request sources and how they are handled by ACS?
    Many thanks

    Hello Malcom,
    If you have ACS 4.2 you might want to implement Network Access Profiles:
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/NAPs.html#wp1128143
    or
    http://tools.cisco.com/squish/5F591
    This should be the best approach for you if using ACS 4.x.
    If this was helpful please rate.
    Regards.

  • ACS 5.4 and machine authentication

    Hi,
    I am installing ACS 5.4 for WiFI user and using EAP-TLS/ certificate based authentication.
    I have Authorization profile created as shown in attachement.
    Under authorization profile I have selected "Was Machine Authenticated=True" condition.
    Somehow clients are not able to connect. When I looked at logs on ACS it shows that the requests are not matching this rule but default rule.
    As soon as I disable this condition, user gets connected
    I have already selected "Enable Machine Authentication" under AD & "Process host Lookup" in allowed protocol.
    Any suggestions?
    Regards,
    Shivaji

    Shivaji,
    The purpose of the "wasmachineauthenticated" attribute is for user authentication, this is your typical "chicken or the egg" scenario since machine authentication needs to be performed without this attribute for successful authentication.
    When successful machine authentication occurs there is a MAR cache that ACS uses to track the mac address of the device. In your case you are forcing ACS to look for a "WasMachineAuthenticated" during the initial machine authentication which will not succeed.
    In my experience it is best to set this in environments where users can only authenticate through registered workstations (typically machines that are joined to AD), so when a user attempts to use their 802.1x credentials on a smart phone or non-registered asset, they get denied since the device does not have machine credentials to join the network.
    I hope this brings some clarification to Edward's recommendation.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Machine authentication with MAR and ACS - revisited

    I'm wondering if anyone else has overcome the issue I'm about to describe.
    The scenario:
    We are happily using ACS 4.1 to authenticate wireless PEAP clients to an external Windows AD database.
    We do have machine authentication via PEAP enabled, but at this time we are not using Machine Access Restrictions as part of the external database authentication configuration.
    The clients (we care about) are using the native XP ZWC supplicant and are configured to "authenticate as machine when available".
    The passed authentications log does successfully show the machines authenticating.
    The challenge:
    We only want to permit users on our PEAP protected WLAN if the machine they are using has an account in the domain (and they are a Windows XP box - the current standard corporate image).
    In a testing lab, we enable Machine Access Restrictions, with the access mapped to "No Access" if there is no machine auth, or if machine auth fails.  If a machine is shut down and boots fresh, or if the logged on user chooses to logoff while on that WLAN - we see the Windows box sends its machine authentication.  As I understand it - a windows XP box will only attempt to authenticate as a machine when a user logs off, or upon initial boot.
    In our environment (and I'm sure many others) - if a user comes into the office and docks their laptop and is attached to the wired LAN and boots or logs on - the machine may be authenticating - but it is authenticating directly to the AD as our wired LAN is not using 802.1x or ACS radius.
    So the user may be logged on and working on the network - and then chooses to undock which activates the wireless.
    The problem then - the machine does NOT attempt to authenticate as a machine and only processes the user credentials - which get passed onto ACS via the WLC - and when MAR is enabled with the No Access mapping for no machine auth - the user auth obviously fails.
    Has anyone seen / overcome this ?
    Our goal is to enforce that only standard XP imaged machines get on the wireless PEAP network (where the configuration is maintained by GPO).

    Here's the only thing I could find on extending the schema (I'm not a schema expert):
    http://msdn.microsoft.com/en-us/library/ms676900%28VS.85%29.aspx
    If all of your clients are Windows machines, it's easier to stick with PEAP for machine auth, user auth, or both.  However, your RADIUS (ACS) server should have a certificate that the clients trust.  You can configure the clients to ignore the RADIUS server cert, but then your clients will trust any network that looks/works like yours.  Get a cert/certs for your RADIUS server(s).
    You can have PEAP and EAP-TLS configured on your ACS server without causing problems for your PEAP clients (be aware that most of my experience is with 4.1/4.2.  Earlier versions may not work the same way).  Your comment about what you're testing is confusing me.  Let's say you have (only) PEAP configured for machine auth on both the client and the ACS server (no user auth is configured on the client, or in ACS).  Your client will offer its machine account AD credentials to the ACS server in order to authenticate to the network.  Those credentials will be validated against AD by your ACS server, and then the machine will get an IP address and connect to your network.  Once your machine is on the network, and a user tries to log on, then the user's AD credentials will be validated against AD (without any involvement of ACS).  You should not need PEAP and EAP-TLS together.  Both are used for the same purpose: 802.1X authentication for network access.  PEAP only uses AD to validate machine credentials (or user credentials), because you configured your ACS server to use AD as a user database for validating 802.1X credentials.  You could just as easily have used PEAP on the client side, but told ACS to use an LDAP connection to a Linux box with a user/machine database. Validating credentials for network access (802.1X) is not the same thing as authenticating to AD for server/printer/email/whatever access.  I wish I could explain this better...
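
    The MAR behaviour discussed in the two threads above (the "Was Machine Authenticated" condition applied to every request, and the docked-laptop case), as an added Python model that is not ACS code and not part of any post. The first-match rule order, the default Deny result, the 12-hour aging time and all names are assumptions chosen for illustration.

```python
"""Added model of Machine Access Restrictions (MAR): cache plus rule order."""
from dataclasses import dataclass

PERMIT, DENY = "Permit", "Deny"


def norm_mac(mac):
    """Normalise a Calling-Station-ID style MAC to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


@dataclass(frozen=True)
class Request:
    identity: str      # e.g. "host/pc01.example.test" or "jdoe" (constructed)
    mac: str           # MAC address of the supplicant
    is_machine: bool   # True for a machine authentication


class MarCache:
    """MAC addresses that passed machine authentication, with an aging time."""

    def __init__(self, aging_hours):
        self.aging_seconds = aging_hours * 3600
        self.seen = {}

    def record(self, mac, now):
        self.seen[norm_mac(mac)] = now

    def contains(self, mac, now):
        stamp = self.seen.get(norm_mac(mac))
        return stamp is not None and now - stamp <= self.aging_seconds


class PolicyServer:
    """First-match authorization rules over a MAR cache; default is Deny."""

    def __init__(self, rules, aging_hours=12):
        self.rules = rules
        self.cache = MarCache(aging_hours)

    def authorize(self, req, now):
        ctx = {
            "is_machine": req.is_machine,
            "was_machine_authenticated": self.cache.contains(req.mac, now),
        }
        matched, result = "Default", DENY
        for name, condition, outcome in self.rules:
            if condition(ctx):
                matched, result = name, outcome
                break
        # Only a *successful machine* authentication populates the cache.
        if req.is_machine and result == PERMIT:
            self.cache.record(req.mac, now)
        return matched, result


# The condition applied to every request: machine auth can never satisfy it.
BROKEN_RULES = [
    ("Rule-1", lambda c: c["was_machine_authenticated"], PERMIT),
]

# Machine auth is permitted on its own; only user auth consults the cache.
FIXED_RULES = [
    ("Machine", lambda c: c["is_machine"], PERMIT),
    ("User-on-known-machine",
     lambda c: not c["is_machine"] and c["was_machine_authenticated"], PERMIT),
]


def run(rules, events):
    """Replay (request, time_in_seconds) events against a fresh server."""
    server = PolicyServer(rules)
    return [server.authorize(req, now) for req, now in events]


if __name__ == "__main__":
    machine = Request("host/pc01.example.test", "00-11-22-AA-BB-CC", True)
    user = Request("jdoe", "00:11:22:aa:bb:cc", False)
    print("broken :", run(BROKEN_RULES, [(machine, 0), (user, 60)]))
    print("fixed  :", run(FIXED_RULES, [(machine, 0), (user, 60)]))
    print("undock :", run(FIXED_RULES, [(user, 60)]))  # no machine auth seen
```

    The "undock" replay is the wired-boot case: the machine never authenticated through the RADIUS server, so the cache has no entry for its MAC and the user request falls through to the default rule.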

  • Cisco ACS 5.4 problem

    Hello
    Did anyone experience problems with Service Selection Rules in Cisco ACS? When I click this tab (it only works for me in Google Chrome), configuration is normally opened. But when I want to edit one of two default rules (rules that match radius and tacacs) nothing happens. If I want to add new rule, popup window is normally opened but I am not able to add any conditions or results. There is just nothing to choose from. I have some attributes under "customize window". It looks like some GUI problems.
    I am using
    acs/admin# sh application version acs
    Cisco ACS VERSION INFORMATION
    Version : 5.4.0.46.0a
    Internal Build ID : B.221
    with trial license. I am running ACS on vmware player  (1 GB of RAM and 1 proc).
    Thanks in advance
    General
    Name:
       Status:
    Enabled Disabled Monitor Only 
    The Customize button in the lower right area of the policy rules screen controls which policy conditions and results are available here for use in policy rules.
    Conditions
    Results

    When dealing with Cisco ACS and Cisco ISE you have to be very careful with your web browsers. For example there's a major bug when using Cisco ISE 1.1.x and Chrome.
    Back to ACS, please refer to the release notes to see the validated web browsers.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html#wp222016
    I have used ACS and ISE a lot, and we had many problems when using Internet Explorer and Chrome. That's why I prefer Firefox, but even with firefox we had little problems once in a while.
    Please rate if this helps

  • Upgrade from ACS 5.4 patch 6 to ACS 5.5 patch 4 advice

    Hi,
    I have a pair of ACS 5.4 patch 6 running on VMWare as primary/secondary with Active Directory integration
    working without any issues.
    I would like to upgrade them to ACS 5.5 patch 4.  Here is my plan:
    1- De-register the Secondary ACS 5.4 patch 6
    2- shutdown the de-registered Secondary ACS 5.4 patch 6
    2- Take a backup of the Stand-alone Primary ACS 5.4 patch 6
    3- shutdown the Primary ACS 5.4 patch 6,
    4- build a brand new ACS 5.5 with the same name and IP address as the previous Primary ACS 5.4 patch 6
    5- patch the ACS 5.5 with patch 4,
    6- perform a restore of the old ACS 5.4 patch 6 backup on the Primary ACS 5.5 patch 4,
    7- Re-join the ACS 5.5 patch 4 with Active Directory,
    8- build a brand new ACS 5.5 to be with the same name and IP address as the previous Secondary ACS 5.4 patch 6
    9- patch the new Secondary ACS 5.5 to be with patch 4,
    10- join the new Secondary ACS 5.5 patch 4 with Active Directory,
    11- join the new ACS 5.5 patch 4 in step 4 as the Secondary ACS,
    12- validate
    Anyone see any issues with this?  I used the same steps when I upgrade from ACS 5.2 patch 3 to ACS 5.4 patch 6
    Thanks in advance

    Thank you for confirming this.  I've had horrible experiences with in-place upgrade many times so I just do not trust the in-place upgrade.
    I went back and look at my note and I think this will work, assume prod-acs1 is the Primary and prod-acs2 is the Secondary ACS:
    a- de-register the prod-acs2
    b- take a backup of prod-acs1
    c- rebuild the prod-acs2 with the same hostname and IP address of the old prod-acs2 for ACS 5.5 patch 4
    d- do a restore on prod-acs2 with the backup in step b,
    e- re-register prod-acs2 with Active Directory.  Now I have two instances of prod-acs1 and prod-acs2 with different databases but it still works because network devices on the don't know that.
    f- validate that prod-acs2 is working properly by shutting down prod-acs1
    h- Once prod-acs2 is working properly, rebuild prod-acs1,
    i- re-register prod-acs1 with Active Directory,
    j- join prod-acs1 as Secondary ACS to prod-acs2,
    k- validate that prod-acs1 is working properly by shutting down prod-acs2,
    l- now make prod-acs1 Primary and prod-acs2 Secondary,
    I just want to make sure that I can "restore" ACS backup from 5.4 patch 6 to ACS 5.5 patch 4 without any issues.
    comments?

  • Upgrade 4.2.0 Build(124) Patch17 to 4.2.1 - ACS folder locked

    I try to upgrade ACS 4.2.0 to 4.2.1. When installation program tries to uninstall current version of ACS it fails with message "The CiscoSecure ACS folder appears to be locked by another application"
    - ACS is installed on Win 2003R2 server.
    -There is no antivirus program installed on the server
    -All application windows (Explorer,...) are closed
    -I'm the only user working on this server
    -ACS log files are reduced to 3 days history.
    ACS is integrated with RSA SecurID. Could this be the cause? Should I uninstall RSA SecurID?
    Petr

    As per my experience, we generally see this error due to huge accumulation of logs  in ACS installation folder / Install directory.
    Please remove or relocate all the file from following location of ACS install directory and then try to upgrade again
    Once deleted, we can recover these logs again.
    \CSAuth\Logs
    \CSRadius\Logs
    \CSTacacs\Logs
    \CSLog\Logs
    \CSMon\Logs
    \CSAdmin\Logs
    \CSDbsync\Logs
    Also, did we have ACS set to full logging in past?
    Jatin Katyal
    - Do rate helpful posts -

  • ACS 4.2 to 4.2.1 Upgrade Questions

    I have been tasked to upgrade our four ACS servers from 4.2.1.15 to the latest version. The ACS servers are appliance based. I have browsed the download software page of cisco.com and have found this file: app/Acs_4.2.1.15.11.zip (ACS SE 4.2.1.15.11 cumulative patch).
    Can someone confirm if this is the latest/best file to download the latest 4.2 release of hardware based Cisco Secure ACS?
    For those who have upgraded to this latest release, can you comment on your experience regarding the upgrade process or ACS performance post-upgrade? Any issues/caveats about the process or performance post-upgrade?
    Thanks in advance for any helpful information you can provide for this?
    Adil

    Hi Adil
    ACS provides a migration utility to transfer data from migration-supported versions of ACS 4.x to any ACS 4.x machine. The ACS migration process requires, in some cases, administrative intervention to manually resolve data before you import it to ACS.
    The Migration utility completes the data migration process in two phases:
    •Analysis and Export
    •Import
    In the Analysis and Export phase, you identify the objects that you want to export into 4.x. The Migration utility analyses the objects, consolidates the data, and exports it.
    After the Analysis and Export phase is complete, the Migration utility generates a report that lists any data compatibility errors, which you can manually resolve to successfully import these objects into new ACS.
    The Analysis and Export phase is an iterative process that you can rerun many times to ensure that there are no errors in the data to be imported. After you complete the Analysis and Export phase, you can run the import phase to import data into ACS.
    For complete step by step configuration, please go through this link:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/common_scenarios.html
