ACS 5.4 Management-if

Hi all,
ACS 5.4 is the first ACS 5.* version that supports multiple Ethernet interfaces for AAA authentication. Cisco explained that only one interface can be used as the management interface, and that this interface is always eth0.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html#wp225769
I have tested this with a VMware machine and two interfaces. In my environment it is possible to connect via SSH and authenticate via TACACS and RADIUS on both interfaces. The management web GUI is only available on interface eth1, which is not what Cisco explained.
I have searched many Cisco documents to find out how to configure the primary web GUI interface, but I always found the explanation that this will be eth0.
Has anyone an idea how to switch this?
Thanks for help.

If it works in the same way ISE does, you can't change where the GUI maps to... it's always Eth0.

Similar Messages

  • WLC 4404-100/ACS 3.2/Windows 2003 ADS/ WLAPP AP1231

    Equipments:
    1. WLC4404-100
    2. AP 1231 WLAPP
    3. ACS 3.2
    4. Windows 2003 ADS
    We want to create dynamic VLANs; based on the user's web login authentication it will place them in the correct VLAN.
    We have one single broadcast SSID "SCHOOL" which faculty, students and guests will use to gain wireless access. I want to use ACS as the management interface for management.
    Please provide any helpful links?
    THanks!
    ~GM

    Hi David,
    Check this link for AAA override feature which will let you configure dynamic vlans based on user's web login authentication.
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/control/c44/ccfig40/c40sol.htm#wp1124844
    Check this link to configure WEB LOGIN AUTHENTICATION
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml
    Check this link to configure basic WLANs
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/control/c44/ccfig40/c40wlan.htm
    To have a look at the complete configuration guide for 4400 controller have a look at this link
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/control/c44/ccfig40/index.htm
    HTH
    Ankur
    *Pls rate helpful posts

  • Cannot upgrade ACS 5.1.0.44 to 5.1.0.44.X

    I have a licensed ACS version 5.1.0.44 (VM image) installed and working. I am trying to upgrade to the latest version but I keep getting the following error:
    ciscoacs/admin# patch install 5-1-0-44-6.tar.gpg upgrade
    Do you want to save the current configuration ? (yes/no) [yes] ? yes
    Generating configuration...
    Saved the running configuration to startup successfully
    % Manifest file not found in the bundle
    I tried using earlier patches to no avail. On a quick Google search, I can only find a reference to upgrading an ACS Express 5.0 to 5.1 where the Manifest error appears.
    Here is my show version:
    Cisco Application Deployment Engine OS Release: 1.2
    ADE-OS Build Version: 1.2.0.146
    ADE-OS System Architecture: i386
    Copyright (c) 2005-2009 by Cisco Systems, Inc.
    All rights reserved.
    Hostname: ciscoacs
    Version information of installed applications
    Cisco ACS VERSION INFORMATION
    Version : 5.1.0.44
    Internal Build ID : B.2347.EVAL
    Strange how it shows eval, even though I loaded the VM image from an official disk and I have applied my license.
    ciscoacs/admin# show inventory
    NAME: "Cisco-VM chassis", DESCR: "Cisco-VM chassis"
    PID: Cisco-VM-SPID     , VID: V01 , SN: Cisco-VM-SN
    Total RAM Memory: 516164 kB
    CPU Core Count: 1
    CPU 0: Model Info: Intel(R) Core(TM) i5-2500S CPU @ 2.70GHz
    Hard Disk Count(*): 1
    Disk 0: Device Name: /dev/sda
    Disk 0: Capacity: 107.30 GB
    Disk 0: Geometry: 255 heads 63 sectors/track 13054 cylinders
    NIC Count: 1
    NIC 0: Device Name: eth0
    NIC 0: HW Address: 00:0C:29:74:CC:49
    NIC 0: Driver Descr: eth0: registered as PCnet/PCI II 79C970A
    (*) Hard Disk Count may be Logical.

    Sigh. Using FTP instead of TFTP solves the issue. Weird, because I am using a Linux based TFTP server that has a patch to get past the 64 MB limitation. Meaning, it can serve up files larger than 64 MB with no issue at all to my other Cisco devices.
    Oh well....
    ciscoacs/admin# acs patch install 5-1-0-44-6.tar.gpg repository upgradeftp
    Installing ACS patch requires a restart of ACS services. Continue?  (yes/no) yes
    Stopping ACS.
    Stopping Management and View...........................................
    Stopping Runtime...............................
    Stopping Database...
    Cleanup.....
    Stopping log forwarding .....
    Installing patch version '5.1.0.44.6'
    Installing ADE-OS 1.2 patch.  Please wait...
    About to install files
    Removing old war
    Removing old war
    Removing old war
    Removing old war
    /opt/CSCOacs/patches/5-1-0-44-6
    Patch '5-1-0-44-6' version '5.1.0.44.6' successfully installed
    Starting ACS ....

  • ACS handing out duplicate addresses

    folks
    we have an ACS server which manages a number of DSL terminations.
    Three of the VPNs are having trouble logging on, and when looking at the ACS box for the problem VPNs it seems to be handing out duplicate IPs, and those handed out are only from the higher end of a 24-bit mask, i.e. 172.17.10.250 - 254.
    Has anyone seen this before?
    Thanks to anyone taking the time to reply.

    Hi,
    We must configure accounting for the users who are fetching IP addresses from the ACS server; otherwise ACS would never know when that user logged in or logged out, and accordingly when that IP address should be freed or assigned to the user.
    HTH
    Parminder

  • Devices Behind Firewall ACS 4.0 Local

    All,
    I just read a post labeled "ACS 4.0 Behind Firewall" and it talked about opening ports 2004 to 5000 to access the ACS server that is behind the firewall. My question is: does this same port range apply if you are trying to access and authenticate to a device that is behind a firewall? When I try to access one of my devices that is behind the firewall I can't authenticate through the ACS box, so I end up using the local username and password. Can anyone tell me what ports I have to open on the firewall to allow the authentication to go back to the ACS server? Thanks

    Hi,
    The TACACS+ authentication service between network devices and the AAA server runs on TCP 49. The 2004-5000 port range is only applicable if you need to access the ACS server (for management purposes) from outside/the internet. In your case, if you need to access your devices behind the firewall from an external network, what you need is to map your internal network devices to public IPs and open the desired service port, e.g. SSH (TCP 22), in your firewall outside interface ACL to allow incoming access.
    For your internal devices, you need to have an appropriate AAA configuration that points to ACS (e.g. TACACS+). In your ACS, set these devices up as AAA clients and configure the appropriate IP, secret key and TACACS+.
    Before you test SSH access from the internet/external network, test your SSH access locally. It must be successful for AAA to authenticate your SSH connection request.
    http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_user_guide_chapter09186a008052e996.html
    Hope this helps.
    Rgds,
    AK
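    The reply above narrows the firewall question down to TCP 49. The following is an added example, not code from the forum post or from Cisco: it decodes the fixed 12-byte TACACS+ packet header (layout per RFC 8907) that travels on that port between a network device and the AAA server, and reports defender-relevant oddities such as a body sent without the shared-secret obfuscation. The packet bytes in it are constructed for illustration.

```python
"""Parse the TACACS+ packet header that travels on TCP 49 between a network
device and the AAA server, and flag packets whose body is not protected by
the shared secret.

Added example for this thread; not code from the forum post or from Cisco.
The header layout follows RFC 8907; the packet bytes below are constructed."""
import struct

TACACS_PORT = 49                      # the only service port needed between device and ACS
HEADER = struct.Struct(">BBBBII")     # version, type, seq_no, flags, session_id, length

PACKET_TYPES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}
FLAG_UNENCRYPTED = 0x01               # body sent without shared-secret obfuscation
FLAG_SINGLE_CONNECT = 0x04            # several sessions multiplexed on one TCP connection


def parse_header(data: bytes) -> dict:
    """Decode the fixed 12-byte header; raise ValueError on malformed input."""
    if len(data) < HEADER.size:
        raise ValueError("short TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(data)
    major, minor = version >> 4, version & 0x0F
    if major != 0xC or minor not in (0, 1):
        raise ValueError(f"unsupported TACACS+ version byte 0x{version:02x}")
    if ptype not in PACKET_TYPES:
        raise ValueError(f"unknown TACACS+ packet type {ptype}")
    return {
        "minor_version": minor,
        "type": PACKET_TYPES[ptype],
        "seq_no": seq_no,
        "cleartext_body": bool(flags & FLAG_UNENCRYPTED),
        "single_connect": bool(flags & FLAG_SINGLE_CONNECT),
        "session_id": session_id,
        "body_length": length,
        "truncated": len(data) - HEADER.size < length,
    }


def audit_packet(data: bytes) -> list:
    """Defender-side findings for one captured packet (empty list = nothing odd)."""
    h = parse_header(data)
    findings = []
    if h["cleartext_body"]:
        findings.append("body is cleartext: shared secret not applied on this side")
    if h["seq_no"] == 0:
        findings.append("seq_no 0 is invalid: the first packet of a session is 1")
    if h["truncated"]:
        findings.append("body shorter than declared length")
    return findings


# Constructed samples: a normal authentication START, and an accounting packet
# whose sender skipped the shared-secret obfuscation.
SAMPLE_AUTHEN = HEADER.pack(0xC0, 1, 1, 0x00, 0x1A2B3C4D, 32) + b"\x00" * 32
SAMPLE_CLEARTEXT_ACCT = HEADER.pack(0xC0, 3, 1, FLAG_UNENCRYPTED, 0x00000005, 16) + b"\x00" * 16

if __name__ == "__main__":
    for pkt in (SAMPLE_AUTHEN, SAMPLE_CLEARTEXT_ACCT):
        print(parse_header(pkt), audit_packet(pkt) or "ok")
```

    On the firewall between the devices and ACS only TCP 49 towards the server needs to be permitted; the management range discussed in the thread is separate. A packet with the unencrypted flag set should never appear in production, since it means one side is not applying the shared secret the reply tells you to configure.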

  • Adding devices behind firewall

    I have just installed an AirPort Extreme and want to add my thermostat so I can access it remotely. Do I need to add the MAC address and/or IP address of the thermostat? How do I do this and where?


  • AAA configuration on switches 2960

    Hi
    I have introduced the following AAA configuration in the 2950 series switches and it works very well,
    but when I do the same in 2960 switches, the local password does not work and it is obligatory to add the switch to the ACS to have management of the switch.
    Is some additional AAA configuration needed in 2960 switches?
    Thanks.
    tacacs-server host y.y.y.y
    tacacs-server key xxxxx
    aaa new-model
    aaa authentication login acceso-consola group tacacs+ line
    aaa authentication login acceso-telnet group tacacs+ line
    aaa authentication enable default group tacacs+ enable
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    line con 0
    exec-timeout 0 0
    login authentication acceso-consola
    line vty 0 4
    login authentication acceso-telnet

    Maria
    Perhaps some clarification of your environment might help us. In particular it would help to understand how you produce the "without ACS" environment.
    Clearly the switch is still configured for ACS. And clearly there is connectivity from the switch to the ACS. And the ACS is responding to the authentication request from the switch. I am not sure what the errno 254 represents or what on the ACS server causes it. Perhaps you can help us understand that?
    I had a situation at one point that may have been similar to your situation. Our devices were sending requests to ACS. But ACS was not able to communicate with the external DB because one of the services on ACS was not running. ACS responded with an error indicating unable to process. But the IOS devices were not interpreting that as an error that should send them to the backup authentication method.
    If you are stopping something on the ACS server then I would suggest that a better test would be to break IP connectivity between the switch and the ACS so that the switch receives no response to its request, or to change the configured IP address for the server in the switch and point to some device not running ACS so that the switch receives a port unreachable response to its request. Those would give you a better test of "without ACS".
    HTH
    Rick

  • How device select tacacs-server

    Hi Guys,
    We have an existing TACACS configuration on our devices pointing to 2 ACS servers. The ACS servers are managed by another vendor, and they are located at their site. Now we're planning to manage the ACS servers ourselves. We installed a new ACS server at our location; we have thousands of devices. If we migrate to the new server, can we just add the 2 ACS servers on the device? Will the new ACS servers be able to communicate with the device? How does a device select which is the primary or secondary ACS server? Please advise.
    Old config
    aaa new-model
    aaa authentication login vtymethod group tacacs+ local
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization commands 0 default group tacacs+ local if-authenticated
    aaa authorization commands 15 default group tacacs+ local if-authenticated
    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    ip tacacs source-interface Loopback0
    tacacs-server host 10.x.x.x
    tacacs-server host 10.x.x.x
    New config
    aaa new-model
    aaa authentication login vtymethod group tacacs+ local
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization commands 0 default group tacacs+ local if-authenticated
    aaa authorization commands 15 default group tacacs+ local if-authenticated
    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    ip tacacs source-interface Loopback0
    tacacs-server host 10.x.x.x
    tacacs-server host 10.x.x.x
    tacacs-server host 100.x.x.x <-- new
    tacacs-server host 100.x.x.x <-- new

    Hi,
    In your configuration above, the TACACS+ servers will be used in order.
    You can group TACACS+ servers together and choose to use only the servers in that group:
    aaa group server tacacs+ Test
    server 10.10.10.10
    aaa authentication login vtymethod group Test local
    Under the vty lines config:
    login authentication vtymethod
    In the above example, only the server in the group Test, which is 10.10.10.10, will be used for authentication.
    HTH,
    Amjad
    Rating useful replies is more useful than saying "Thank you"
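    Two threads above turn on how IOS walks an AAA method list: Maria's 2960 case, where Rick notes that an error answer from ACS does not send the switch to the local method, and the server-selection question, where Amjad explains that global tacacs-server hosts are tried in configured order and a named server group restricts the candidates. The following is an added example, not code from the forum posts or from Cisco: a small parser for the AAA lines posted in these threads that lists which servers each method list will try and flags method lists with no server-independent fallback. The config text inside it is constructed from the thread snippets with placeholder addresses (IOS indents group members; the sample reflects that).

```python
"""Check Cisco IOS AAA method lists for a local fallback and show the order
in which TACACS+ servers will be tried.

Added example for this thread; not code from the forum posts or from Cisco.
The sample config is constructed from the thread snippets with placeholder
addresses. The checks encode general IOS AAA behaviour: methods in a list
are tried in order, and the next method is consulted only when the server
is unreachable, not when it answers with a reject or an error."""
import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 10.1.1.1
tacacs-server host 10.1.1.2
tacacs-server host 100.1.1.1
aaa group server tacacs+ Test
 server 10.10.10.10
aaa authentication login acceso-consola group tacacs+ line
aaa authentication login vtymethod group Test local
aaa authentication login no-fallback group tacacs+
aaa authentication enable default group tacacs+ enable
"""

# Methods that do not depend on an external server
FALLBACK_METHODS = {"local", "local-case", "line", "enable", "none"}


@dataclass
class AaaReport:
    servers: list = field(default_factory=list)        # global tacacs-server hosts, configured order
    groups: dict = field(default_factory=dict)         # server-group name -> member servers
    method_lists: dict = field(default_factory=dict)   # (service, list name) -> [methods]


def _parse_methods(tokens):
    """'group tacacs+ local' -> ['group tacacs+', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_aaa(config: str) -> AaaReport:
    report = AaaReport()
    current_group = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):          # an unindented line ends any server-group block
            current_group = None
        line = raw.strip()
        tokens = line.split()
        m = re.match(r"aaa group server tacacs\+ (\S+)$", line)
        if m:
            current_group = m.group(1)
            report.groups[current_group] = []
        elif current_group and tokens[0] == "server":
            report.groups[current_group].append(tokens[1])
        elif line.startswith("tacacs-server host "):
            report.servers.append(tokens[2])
        else:
            m = re.match(r"aaa authentication (login|enable) (\S+) (.+)$", line)
            if m:
                service, name, rest = m.groups()
                report.method_lists[(service, name)] = _parse_methods(rest.split())
    return report


def servers_for(report: AaaReport, method: str) -> list:
    """Servers a 'group X' method tries, in order ('group tacacs+' = all global hosts)."""
    name = method.split()[1]
    return list(report.servers) if name == "tacacs+" else list(report.groups.get(name, []))


def lint(report: AaaReport) -> list:
    """Findings a defender wants before rolling the config out to thousands of devices."""
    findings = []
    for (service, name), methods in report.method_lists.items():
        server_methods = [m for m in methods if m.startswith("group ")]
        if server_methods and not any(m in FALLBACK_METHODS for m in methods):
            findings.append(f"{service} list '{name}': no fallback method, an unreachable "
                            f"server locks administrators out")
        for m in server_methods:
            if not servers_for(report, m):
                findings.append(f"{service} list '{name}': '{m}' resolves to no servers")
    return findings


if __name__ == "__main__":
    rep = parse_aaa(SAMPLE_CONFIG)
    for (service, name), methods in rep.method_lists.items():
        print(service, name, methods, [servers_for(rep, m) for m in methods if m.startswith("group ")])
    print("\n".join(lint(rep)) or "no findings")
```

    Run against the old and new configs from the migration thread, the server list printed for "group tacacs+" is exactly the order the device will try them, so appending the new ACS hosts leaves the old ones first; moving the new servers into a named group and referencing that group is how to make them the only candidates. The fallback check only tells you that a dead server will not lock you out; as Rick's reply explains, a server that answers with an error is a different case and has to be tested separately.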

  • RME 4.1.1 - PSIRT and EoS/EoL reports authorization failure

    Hello group,
    I have RME 4.1.1 installed and I am attempting to generate either a PSIRT or an End Of Sale/End Of Life report. I start the report from RME->Reports->Report Generator and input all the appropriate information (CCO user/pass, email, etc) and then click "Finish". I get the popup that says to get Report Jobs for the status of the report, and as fast as I can navigate to Report Jobs I see that the job failed.
    So I check invreports.log and this line stands out in particular:
    [ Fri Oct 01  13:45:38 CDT 2010 ],ERROR,[main],com.cisco.nm.rmeng.inventory.reports.job.JobExecutor,runReport,773,Authorization failure for ajschroedercom.cisco.nm.rmeng.util.NotAuthorizedUserException: ajschroeder
    I do have my Ciscoworks server integrated with ACS, so I reregistered my apps with ACS, and restarted ACS and Daemon Manager with no luck, I even applied the patch described in the following doc: https://supportforums.cisco.com/docs/DOC-9080
    I am confident that I am missing something, but I have no idea what. I have attached my invreports.log
    As always, any help would greatly be appreciated,
    AJ Schroeder

    This is CSCsm77700 which is fixed in RME 4.2.  I highly recommend you download the upgrade to LMS 3.2 from http://www.cisco.com/go/nmsevals .  However, a patch is available for RME 4.1.1 if you contact TAC.
    http://wwwin.cisco.com/ios/cets/pdi/cbms/cdets/legend.shtml

  • More issues with 5.2.0.26.3 - wrong version number reported?

    Fresh build, patched to 5.2.0.26.2 no problem.
    Then, patch the box to 5.2.0.26.3:
    exc2-acs-1402/admin# acs patch install 5-2-0-26-3.tar.gpg repository networktools-patch
    Installing ACS patch requires a restart of ACS services. Continue?  (yes/no) yes
    Stopping ACS.
    Stopping Management and View.......................
    Stopping Runtime......
    Stopping Database....
    Cleanup.....
    Stopping log forwarding .....
    Installing patch version '5.2.0.26.3'
    About to install files
    Removing old war
    Removing old war
    Removing old war
    /opt/CSCOacs/patches/5-2-0-26-3
    Patch '5-2-0-26-3' version '5.2.0.26.3' successfully installed
    Starting ACS ....
    To verify that ACS processes are running, use the
    'show application status acs' command.
    exc2-acs-1402/admin# show application status acs
    ACS role: PRIMARY
    Process 'database'                  running
    Process 'management'                running
    Process 'runtime'                   running
    Process 'view-database'             running
    Process 'view-jobmanager'           running
    Process 'view-alertmanager'         running
    Process 'view-collector'            running
    Process 'view-logprocessor'         running
    Reload, have a look at show version:
    exc2-acs-1402/admin# show version
    Cisco Application Deployment Engine OS Release: 1.2
    ADE-OS Build Version: 1.2.0.182
    ADE-OS System Architecture: i386
    Copyright (c) 2005-2009 by Cisco Systems, Inc.
    All rights reserved.
    Hostname: exc2-acs-1402
    Version information of installed applications
    Cisco ACS VERSION INFORMATION
    Version : 5.2.0.26.2
    Internal Build ID : B.3075
    Patches :
    5-2-0-26-3
    5-2-0-26-2
    Have a look at the version number - patch successful but version shows 5.2.0.26.2?
    Thanks
    Rob

    It shows that patch 3 is installed, but as you point out, the version is reported as 5.2.0.26.2
    What does the GUI show?
    It may be a cosmetic bug; you should open a TAC case so we can confirm.

  • Monitoring VPN Sessions

    Hi,
    I have configured Remote Access IPsec VPNs on my Cisco 5510 Security Plus firewall; now I need to monitor all remote access VPN session records and the activities of VPN users as needed.
    Kindly suggest the best solution.
    Regards,
    Arshad Ahmed

    Arshad,
    Just to add my two cents to Collin's post (5 stars).
    ASA/PIX: Pass-through Traffic Accounting for VPN Clients Using ACS Configuration Example
    Managing Accounting in NPS
    HTH.
    Portu.
    Please rate any helpful posts and mark this question as answered if you do not have any further questions.

  • NAC/AAA solution basic requirements?

    Experts,
    Network with almost 50-60 Cisco devices (routers/switches/firewalls). All the gear is currently using local user authentication. Wondering what is the minimum required software to manage the gear through ACS (TACACS), considering we have the server (primary/backup) hardware. Need to control network admins' access to the gear through ACS, basic password management, accounting, etc. Nothing to do with the regular user community.
    What would be the approximate $ cost for this?
    Thanks in advance.
    MS

    Hi Gautam,
    The network in your design will still be operational if the MPLS link or router goes down. In other words, when traffic stops being directed to the CAS module in your 2811, end users will still be able to reach your network via the ISDN link.
    Hope this helps.
    Paul

  • PPP over L2TP with RADIUS Failed

    Hi, I'm getting a CodeRej when I try to do a dynamic PPP over L2TP using a RADIUS server on a Debian OS.
    Regards

    Ok, ok, I admit it was my fault not to use that common and sometimes strangely new feature, probably older than me, called "SEARCH".
    I checked another discussion regarding the same subject and it turned out, by their knowledge, that ACS 5.x manages
    TACACS+ only for Device Administration
    RADIUS for Network Access
    Any other way doesn't work... any other opinion? (I just can't help the fact that Cisco doesn't let you use TACACS+ for PPP authentication... does anybody know why?)

  • We are unable to manage our ACS

    Accidentally the power to the ACS server was switched off and then on again. But after the power on though the device came up successfully; we are not able to manage it.
    We are unable to manage our ACS. We have a configuration back-up.
    1) by HTTPS. The cert can not be added manually on the browser in any way. Looks like an application error. Tried several different browsers.
    ACS details:
    CSACSE-1113-K9    Cisco secure ACS 4.x solution engine 1113 Appliance    CSACSE-1113-K9v01
    when i try https:abc001:2002/
    I get the following pop-up error message:
    Secure connection failed.
    an error occurred during connection to abc001:2002. certificate type not approved for application.(Error code:sec_error_inadequate_cert_type)
    .the page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    .please contact the web site owners to inform this problem. Alternatively, use the command found in the help menu to report this broken site.
    2) by SSH. xxxxx is the administrator account.
    We can login but there are no commands available
    abc001>help
    command                             Description
    ?                                List commands
    exit                             Log off
    help                             List commands
    csdbsync -syncnow                RDBMS synchronization
    abc001>?
    command                             Description
    ?                                List commands
    exit                             Log off
    help                             List commands
    csdbsync -syncnow                RDBMS synchronization
    3) Tried with a serial cable, but we only get some rubbish on the screen. We tried different serial cables. These cables work on other appliances (WLC controller and Cisco switches) but not on the ACS.

    Hi,
    The issue which you are facing comes when the certificate installed on the ACS is either not correct or has become corrupt. You would not be able to install a fresh certificate on the ACS Appliance through the console or SSH.
    You can open a TAC case and send a backup of the ACS database, they might be able to correct the database. Otherwise the only other option is to reimage the ACS Appliance.
    To access an ACS Appliance from the console, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/solution_engine/instalap.html#wp1065399
    To administer the ACS Appliance, take a backup etc., you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/solution_engine/admap.html
    Regards,
    Kush

  • Mac based security managed centrally (Acs or whatever)

    I have a project. My customer
    wants to use MAC address based security on their whole network. They want only specific MAC-addressed PCs/notebooks to be able to connect to their network. But they don't want configuration on a per-switch basis. They want centralized management.
    We first looked at ACS, but we realized that ACS supports only wireless access points for this kind of purpose. I also found that there is an ACS feature called NAR (Network Access Restriction). Can I use this feature?
    They don't want additional integration (Active Directory or etc.) and don't want to install any software on their PCs/notebooks. Because of this I can't use an EAP solution.
    They have approx. 300 PCs and they will enter the whole MAC address list into ACS, and only these PCs will be able to connect to the network. Is it possible?
    Best Regards

    I wouldn't recommend this as a strong security solution, but it could be done - in theory.
    Customers' devices need to be configured to initiate a PAP authentication using pre-configured credentials (à la NAC auth bypass).
    ACS will have this username+password configured plus a network access restriction that lists the allowed set of MAC addresses.
    While this may work for 300 users, NARs are not that easily scalable.
