ACS - AD interaction

Hello!
Could someone explain to me what happens when we use user certificate authentication via ACS with AD as an external database?
For example, I have configured 802.1x with the EAP-TLS authentication type. I know enough (I hope :) about the EAP conversation between the user and ACS, but what happens between ACS and AD? Which information (username/identity, certificate, any hashes?) is exchanged?
Are there any differences when the user uses a smartcard or e-token instead of a simple certificate?
Thanks!

The document Cisco Secure ACS for Windows v3.2 With EAP-TLS Machine Authentication has more information on 802.1x and EAP-TLS authentication.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml

Similar Messages

  • ACS 5.3 SSH Access

    I have recently virtualised an ACS 5.3 on ESX 3.5 to trial it before upgrading our old 3.3.
    The problem is that when I came to sync the ACS with a time server I discovered I can't log in directly.
    I can log in to the web interface without any problems, but not when SSH'd in:
    login as: acsadmin
    Using keyboard-interactive authentication.
    Password:
    Access denied
    Using keyboard-interactive authentication.
    Password:
    Am I missing something...

    The username for SSH is admin (unless you specified a different name); the password can also be different, as it is based on what you entered in the installation script.
    The default superadmin account for the web GUI is acsadmin; however, the two accounts are not synced and neither are the databases. If you create an account for GUI access it doesn't get CLI access, and vice versa.
    Thanks,
    Sent from Cisco Technical Support iPad App

  • Interactive report - order column by other column values

    Hi Oracle experts,
    Could you please advise how to order column A by the values of column B in an Interactive Report?
    When clicking on the header of the "Countries" column in order to sort it asc/desc, I would like to order it by the values of the "Sort_order" column, which stores values from 1 to 100.
    The goal is to order "Countries" not alphabetically, but according to the values of the "Sort_order" column.
    Any ideas?
    Thanks in advance for your help.
    Best regards,
    Konrad

    962622 wrote:
    > Hi Oracle experts,
    Welcome to the forum: please read the FAQ and forum sticky threads (if you haven't done so already), and update your profile with a real handle instead of "962622".
    When you have a problem you'll get a faster, more effective response by providing as much relevant information as possible upfront. This should include:
    • Full APEX version
    • Full DB version/edition/host OS
    • Web server architecture (EPG, OHS or APEX listener/host OS)
    • Browser(s) and version(s) used
    • Theme
    • Template(s)
    • Region/item type(s) (making particular distinction as to whether a "report" is a standard report, an interactive report, or in fact an "updateable report" (i.e. a tabular form))
    With APEX we're also fortunate to have a great resource in apex.oracle.com where we can reproduce and share problems. Reproducing things there is the best way to troubleshoot most issues, especially those relating to layout and visual formatting. If you expect a detailed answer then it's appropriate for you to take on a significant part of the effort by getting as far as possible with an example of the problem on apex.oracle.com before asking for assistance with specific issues, which we can then see at first hand.
    > could you please advise how to order column A by values of column B in Interactive report?
    > When clicking on the header of the "Countries" column in order to sort it asc/desc I would like to order it by the values of the "Sort_order" column, which stores values from 1 to 100.
    > The goal is to order "Countries" not alphabetically, but according to the values of the "Sort_order" column.
    > Any ideas?
    I'm not an expert on Interactive Reports, so there may be a less brute-force method using the built-in features, but here's an approach that's worked in the past.
    Modify the query to generate the column as:
    '<!-- '|| to_char(sort_order, '009') || ' -->' || country
    i.e. prefix the country name with an HTML comment containing the required ordinal number. This won't be visible in the report, but will be considered when sorting in SQL.
    In the IR Column Attributes set the column's Display Text As property to Standard Report Column so APEX won't escape the HTML tags.
    This method has side effects: some IR filters won't work; aggregate calculations can't be applied to the column; and report exports contain the HTML rather than the expected value.
    Edited by: fac586 on 02-Oct-2012 13:28
    From APEX 4.2, IR columns have support for HTML Expressions, so Re: Report formatting/sorting issue using a hidden column and HTML Expression should be used, as it's purely declarative and provides better separation of concerns. (Still a problem on report exports though. Whilst the sort column can be suppressed using a condition, the hidden column can't be "unhidden" to replace it.)
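As an added example that is not part of the thread, the sort-key trick from the reply above run against a constructed SQLite table (Oracle's to_char(sort_order, '009') is swapped for SQLite's printf('%03d', ...), an assumption made for portability). It also escapes the visible country text before prepending the hidden comment, because switching the column to Standard Report Column turns APEX's own escaping off, and it shows why the fixed-width zero padding matters.

```python
"""Added example (not from the thread): the HTML-comment sort-key trick
applied to a constructed in-memory SQLite table.

Assumption: printf('%03d', sort_order) stands in for Oracle's
to_char(sort_order, '009'); both yield a fixed-width, zero-padded key.
The column is rendered unescaped in the report, so the visible part is
HTML-escaped before the comment is prepended."""
import html
import re
import sqlite3

# Constructed sample data: sort_order crosses the 9 -> 10 boundary on
# purpose, and one name carries markup to show why escaping is needed.
COUNTRIES = [
    ("Zambia", 1),
    ("Austria", 10),
    ("Brazil", 2),
    ("<b>Canada</b>", 3),
]

# Zero-padded key: string order equals numeric order.
SORT_KEY_QUERY = """
SELECT '<!-- ' || printf('%03d', sort_order) || ' -->' || country AS country_col
FROM countries
ORDER BY country_col
"""

# Same trick without padding: '10' sorts before '2' as text.
UNPADDED_QUERY = """
SELECT '<!-- ' || sort_order || ' -->' || country AS country_col
FROM countries
ORDER BY country_col
"""


def build_db(rows):
    """Create the in-memory table with the visible text already escaped."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE countries (country TEXT, sort_order INTEGER)")
    conn.executemany(
        "INSERT INTO countries VALUES (?, ?)",
        [(html.escape(name), order) for name, order in rows],
    )
    return conn


def render_column(query, rows=COUNTRIES):
    """Run the query and return the column values in report (sorted) order."""
    conn = build_db(rows)
    try:
        return [r[0] for r in conn.execute(query)]
    finally:
        conn.close()


def visible_text(value):
    """What the browser shows: the leading HTML comment is not displayed."""
    return re.sub(r"^<!-- \d+ -->", "", value)


if __name__ == "__main__":
    for v in render_column(SORT_KEY_QUERY):
        print(repr(v), "->", visible_text(v))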

  • Acs 5.1 first timer

    Good day to you all. This is actually my first time configuring the ACS device. I have gone through the documentation, user guide and some other material but still can't find my way around the box. I want to integrate the box into our network, but I'm still testing its operation in a lab. How do I configure this box to interact with the hosts? Are there any configuration examples or walk-through guides I can use?
    I have defined the host and users, but the host doesn't get authenticated by the ACS box. Is there anything I am supposed to do on the ACS box to identify this host?
    HOST CONFIGURATION.
    enable password cisco
    username xxxx password yyyy
    tacacs-server host x.x.x.x key cisco
    ! corrected from "aaa-new model": the IOS command is "aaa new-model"
    aaa new-model
    ! corrected: the TACACS+ server-group keyword is "tacacs+"
    aaa authentication login default group tacacs+ local enable
    ! corrected from "aaa authentication login group console none": defines a method list named "console"
    aaa authentication login console none
    line vty 0 4
     ! corrected from "login authentication group tacacs": a line applies a named method list
     login authentication default
     exit
    line con 0
     login authentication console
     exit
    ON THE ACS 5.1 BOX.
    I defined a user and the user's password.
    I defined the host using the MAC address of the host.
    Now when I try to telnet, I get authenticated using the local database.
    What am I actually supposed to do on the ACS box? Are there any videos or slides I can use?
    PLEASE HELP

    On the ACS box a few things need to be done.
    1) Define the host via IP under the Identity group and select the protocol you want to use.
    2) Define a policy, either under default device admin for TACACS+ or default network access for RADIUS.
    3) Add a local user to the ACS

  • ACS 5.1.0.44 GUI login failed!!

    Dear guys,
    I'm trying to set up Cisco ACS (5.1.0.44) in VMware Workstation for testing/study purposes. Installation went fine. I can log in through SSH, but GUI login fails with the same credentials. Please find the attached images.
    Any help will be highly appreciated!!
    login as: admin
    Using keyboard-interactive authentication.
    Password:
    Last login: Tue Oct 30 17:31:24 2012
    ACS-LAB/admin# show running-config
    Generating configuration...
    hostname ACS-LAB
    ip domain-name testlab
    interface GigabitEthernet 0
      ip address 10.10.10.50 255.255.255.0
    ip name-server 8.8.8.8
    ip default-gateway 10.10.10.254
    clock timezone UTC
    username admin password hash $1$HRi10i.R$LHqyKJWVqDxfrcmaWGPOM1 role admin
    service sshd
    password-policy
      lower-case-required
      upper-case-required
      digit-required
      no-username
      disable-cisco-passwords
      min-password-length 6
    logging localhost
    logging loglevel 6
    cdp timer 60
    cdp holdtime 180
    cdp run GigabitEthernet 0
    icmp echo on
    ACS-LAB/admin#
    Thanks.

    Hi there,
    The first time you access the ACS GUI you need to use the default credentials:
    Username: acsadmin
    Password: default
    After this the server will ask you to change the password. Please give it a try and let me know how it goes.

  • ACS v. 5.1.0.44."Runtime" Execution failed or not monitored after patching

    Hello,
    I've installed on my ACS appliance the following patches:
    5-1-0-44-1
    5-1-0-44-2
    5-1-0-44-3
    5-1-0-44-4
    The installation of the fourth one was interrupted - I don't know why - and since then, the Process 'runtime' shows the status Execution failed or Not monitored.
    The system logs are:
    Aug 13 15:16:12 ACS03 sshd[14948]: Accepted keyboard-interactive/pam for admin from 10.250.131.250 port 53196 ssh2
    Aug 13 15:16:12 ACS03 sshd(pam_unix)[14951]: session opened for user admin by (uid=0)
    Aug 13 15:16:12 ACS03 debugd[2774]: hangup signal caught, configuration read
    Aug 13 15:16:12 ACS03 debugd[2774]: successfully loaded debug config
    Aug 13 15:16:12 ACS03 debugd[2774]: [14956]: utils: cars_shellcfg.c[118] [admin]: Invoked carsGetConsoleConfig
    Aug 13 15:16:12 ACS03 debugd[2774]: [14956]: utils: cars_shellcfg.c[135] [admin]: No Config file, returning defaults
    Aug 13 15:16:22 ACS03 admin: info:[ACS start-stop-process] CLI is called: 'acs stop runtime'
    Aug 13 15:16:22 ACS03 admin: info:[ACS start-stop-process] Stopping runtime
    Aug 13 15:16:22 ACS03 monit[4589]: monit daemon at 4589 awakened
    Aug 13 15:16:22 ACS03 monit[4589]: Awakened by User defined signal 1
    Aug 13 15:16:49 ACS03 admin: info:[ACS start-stop-process] CLI is called: 'acs start runtime'
    Aug 13 15:16:49 ACS03 admin: info:[ACS start-stop-process] Starting runtime
    Aug 13 15:16:49 ACS03 monit[4589]: monit daemon at 4589 awakened
    Aug 13 15:16:49 ACS03 monit[4589]: Awakened by User defined signal 1
    Aug 13 15:16:49 ACS03 monit[4589]: 'runtime' start: /opt/CSCOacs/bin/exec_wrapper.sh
    Aug 13 15:16:49 ACS03 ACS runtime INFO: executing /opt/CSCOacs/runtime/bin/run.sh start
    Aug 13 15:16:49 ACS03 ACS runtime INFO: Checking core files. Total size 90 M
    Aug 13 15:16:49 ACS03 ACS runtime INFO: Core cleanup complete.
    Aug 13 15:16:49 ACS03 ACS runtime INFO: iAnywhere Solutions, Inc. One Sybase Drive, Dublin, CA 94568, USA
    Aug 13 15:16:49 ACS03 ACS runtime INFO: Copyright (c) 2001-2007, iAnywhere Solutions, Inc. Portions copyright (c)
    Aug 13 15:16:49 ACS03 ACS runtime INFO: 1988-2007, Sybase, Inc. All rights preserved. All unpublished rights reserved.
    Aug 13 15:16:49 ACS03 ACS runtime INFO:
    Aug 13 15:16:49 ACS03 ACS runtime INFO: LD_LIBRARY_PATH is set to: /opt/CSCOacs/runtime/lib:/opt/CSCOacs/db/dbsrv/lib32:/opt/CSCOacs/db/dbsrv/jre150/lib/i386/client:/opt/CSCOacs/db/dbsrv/jre150/lib/i386:/opt/CSCOacs/db/dbsrv/jre150/lib/i386/native_threads:/opt/CSCOacs/db/dbsrv/lib32:/opt/CSCOacs/runtime/lib:/opt/CSCOacs/db/dbsrv/lib32:/opt/CSCOacs/runtime/lib:/opt/CSCOacs/db/dbsrv/lib32:/opt/CSCOacs/runtime/lib:
    Aug 13 15:16:49 ACS03 ACS runtime INFO: starting rt_daemon in /opt/CSCOacs/runtime/bin
    Aug 13 15:16:49 ACS03 ACS runtime ERROR: /opt/CSCOacs/runtime/bin/run.sh: line 96: ./rt_daemon: Permission denied
    Aug 13 15:16:49 ACS03 ACS runtime INFO: Waiting for rt_daemon to come up..
    Aug 13 15:16:49 ACS03 ACS runtime INFO: Number of rt_daemon processes running is 0
    Aug 13 15:17:07 ACS03 last message repeated 9 times
    Aug 13 15:17:09 ACS03 ACS runtime INFO: .
    Aug 13 15:17:09 ACS03 ACS runtime INFO: rt_daemon failed to start
    Aug 13 15:17:09 ACS03 MSGCAT58007: rt_daemon failed to start
    I already tried removing the patches, installing the next patches, and renaming patch no. 4.
    Nothing changes.
    Could you please tell me if there is a solution before I re-install everything from the DVD?
    Thanks,
    Best regards,
    Patrick

    Hi,
    I had no error message except for patch 4, for which I get the message:
    Patch '5-1-0-44-4' is already installed.
    % Error: Failure to open / validate the patch
    That's why I changed the name to patch_5-1-0-44-4.tar.gpg.
    The install went well, but the problem is still there.
    Rgds,
    Patrick

  • LMS/ACS account keeps locking out

    Hi
    Our LMS environment is integrated with ACS 4.1 for RSA authentication purposes.
    We have an ACS account which is used by LMS to run administrative jobs on end devices. Periodically this account will appear with 'CS Account expired' or 'CS Password invalid'. This is a machine/system account, so it should never have an incorrect password.
    Are there any circumstances in which this account would lock out when connecting to end devices? This is not limited to the time of day or the types of devices or networks being accessed.
    Has anyone come across this type of issue before?
    Many Thanks

    It is a bit of a tricky one because the majority of jobs succeed and then the odd job may fail because of this credential issue, and it's not necessarily the same device, as it may pass the next time. Obviously logs on the devices won't give any further information either, as authentication did not pass.
    This almost makes me wonder whether it's a timeout issue from when the credentials are entered to authenticating with the ACS server. I'm just trying to understand how a machine account could get a password wrong when there is no human interaction involved.
    Are there any audit logs/tools available in LMS that may provide further info on a failed instance, or are the ACS logs the most info you can get other than putting a sniffer trace on? With a sniffer trace, chances are the device would work the next time around.

  • Automate actions in ACS 5

    Hello,
    I wanted to know how to automate actions in ACS 5. In many areas of the UI, we can either create new entries or import many entries from CSV files. I wanted to know if it is possible to automate these actions such that ACS, on a regular basis, automatically imports new and updated CSV files. This would allow keeping ACS synchronized with other databases or files generated by other tools.
    Is there a way to script on ACS to do that?
    Thanks a lot,
    David

    Hi David,
    Unfortunately, as far as I know this is not possible. I checked the programming guide, and it seems MAC addresses in end station filters are not an importable object:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/sdk/cli_imp_exp.html#wp1060859
    The only option I see here is to make a pseudo web client which would interact with ACS through HTTP, but this could take a while to develop.
    Regards,
    Bastien

  • Errors in ACS View Server in ACS 5.2

    Hello,
    I have deployed 7 appliances (5.2.0.26.4, CSACS-1121-K9), of which 6 are performing AAA authentications while the last one is the primary and is the master for configuration and the log collector.
    Since this morning, I can no longer access the view where I can see all RADIUS authentications for today. I get the following message:
    The server workspace storage for on demand transient reports is full, please try again later or contact administrator to increase on demand transient report storage capacity
    I could not find any indication of how to solve that issue.
    Moreover, if I generate another report, I get the message:
    18002: iPortal generate report failed.
    I could find some information which references Cisco bug CSCtb98071, as below:
    Launching a shared report in the ACS 5.1 Monitoring and Report Viewer displays an iportal error for a particular scenario.
    Symptom: You will see the following iportal error message when you launch a shared report:
    iPortal generate report failed.
    Conditions: This error occurs when you add a report to a group in the interactive viewer and save it as a shared report.
    Workaround: Avoid using the option Add Group from the interactive viewer for hyperlinked column entries when you save the report as shared
    However, I am not adding any report to any group, so I don't understand why this error appears and how to solve it.
    Thanks a lot for your help,
    With my best regards.

    David,
    Since your environment consists of 7 ACS instances, of which 6 are in a secondary configuration, please move log collection from the primary to one of the secondary instances.
    We have seen issues where this is recommended, not only in the configuration guide but also as seen in other TAC cases.
    Thanks,
    Tarik

  • ACS 5.2 appliance cli access

    Hi~
    Could you please tell me how I can give a user access to the CLI (shell) on the ACS appliance by means of the web GUI. The point is that I have ACSAdmin as well as other administrator-role users, but can't get access to the appliance through SSH (Permission denied (publickey,password,keyboard-interactive).). I need to troubleshoot RADIUS requests from my APC Network Management Cards by means of some sort of tcpdump, because I don't get any logs in ACS from the APC cards.

    > then either you need to enable more detailed logging on the ACS appliance
    How can I do this?
    > or the RADIUS requests from the APC cards aren't reaching the ACS appliance
    This is what I'm trying to find out.
    > Are there any firewalls, etc. between the two devices that might be blocking RADIUS packets?
    No man, there is clear IP connectivity between them, but the problem is that I can't troubleshoot RADIUS requests/replies on this part of the transmission, neither from the APC side nor from ACS. I checked all possible log records in the "Monitoring and Reports" tab, but didn't find any request from the APC devices.
    Also, if you have any configuration examples for APC (APC9630) devices' RADIUS authentication by ACS 5.2, the information would be appreciated. I have followed this howto to configure the VSA and apply the policy, but it still doesn't work. I just want to verify whether the RADIUS requests reach ACS or not.
    Thank you.

  • ACS 4.1 PEAP using public signed certificate (verisign)

    Hi,
    Could you give me some advice about the PEAP implementation with the ACS server? I understand that a self-signed certificate should work well, but I have these thoughts. The self-signed certificate is valid for 1 year and after this period a new self-signed certificate has to be created. What would be the impact on the wireless users at this point? What I understand is that the new certificate should also be imported to the clients so they can validate the server certificate. If that is correct (not sure though), this will bring a huge amount of work when the certificate expires with hundreds of wireless clients.
    Is it possible (and what are the requirements of the certificate itself) to install a publicly signed certificate like Verisign's on the ACS for the PEAP process? Will that ease the workload when the certificate has to be renewed? I assume that any Windows machine, for example, has Verisign's trusted root certificates in its store by default and no further interaction should be needed on the client side.
    kind regards
    Boris

    hi there ..
    First we need to understand why a cert is important. A cert is used to create a tunnel that allows the wireless client to send its logon in a secure fashion. So imagine a tunnel over wireless/wired between your client and the RADIUS server.
    The idea of trusting the cert is SPECIFIC to the wireless client. You can choose to TRUST the cert or NOT. Totally client independent. Why this is important: suppose for a moment that someone comes into your place of business and broadcasts your SSID from their AP. Your clients could attach to this AP. And suppose they run FreeRADIUS on a small box. From this RADIUS server this person sends a BOGUS cert. If your client isn't trusting the correct cert, or isn't trusting ANY, your client will accept the bogus cert, build a TLS tunnel, and send its logon.
    Can you get a signed cert? Yes, most folks do as it eases deployment. Or if you have a PKI you can push your own cert.
    Also, note you can have your client really analyze the cert and only trust specific certs and cert common names, for example ACS01-ABC.
    I hope this helps ..
    Please support the rating system if you find any of this helpful!

  • Multiple publishing pionts / text options for Interactive Server

    Flash Media Interactive Server.
    Hi, I'm curious if we can publish on multiple sites. I have 5 websites, all password protected for members, and I want all 5 members' areas to be able to view my live video as I publish it. So can I embed the Flash player on all 5 sites and have it pick up the same live feed?
    Also, I was wondering if Interactive Server supports or has a chat box, so students can type questions as I am explaining things live.
    And one last question: can I stream my video from different computers, or can I only use one (the one I register it on)? I want other teachers to be able to use their webcams from their homes and publish live videos as I do on my sites (at different times of course).
    Thanks for any help
    M

    The first important thing to understand is that FMS has nothing to do with your website. Any .swf on any HTML page can connect to any FMS application. The two are completely separate.
    As to your specific questions:
    > I have 5 websites all password protected for members, and I want all 5 members' areas to be able to view my live video as I publish it. So can I embed the Flash player on all 5 sites and have it pick up the same live feed?
    Yes, but keep in mind that password protecting the HTML content does not protect the FMS application. If you need to protect the video stream itself, you'll need to employ some sort of user authentication on the FMS side.
    > Also I was wondering if Interactive Server supports or has a chat box, so students can type questions as I am explaining things live.
    That type of functionality is supported, but it isn't automatically available. You'll need to develop an application to support text chat. There is a prefabricated chat component available at http://www.adobe.com/support/flashmediaserver/downloads_updaters.html (look for the Flash Communication Server authoring components), but it's really outdated... the communication components haven't been updated since 2003.
    > Can I stream my video from different computers or can I only use one (the one I register it on)? I want other teachers to be able to use their webcams from their homes and publish live videos as I do on my sites (at different times of course).
    You can publish from any computer to an FMS application.

  • ACS 5.3 Default Backup Password

    When doing a backup on any of the ACS 5.x appliances by default the backup is encrypted with PGP. What password is used for that? Is it configurable?

    It is not configurable and that information wasn't made public. However, when you restore it should be able to decrypt it just fine.
    You can try opening a TAC case, but when I was in TAC I wasn't able to find that key either.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • A problem with hyperlinks in my Interactive PDF on smartphones...

    I hope someone can help... I exported both an interactive and a for-print PDF from InDesign. When I view the PDFs on my PC the hyperlinks that I've made in the document work perfectly fine. When I view the PDFs on my smartphone, the hyperlinks don't work. I've gone through many forums to make sure all my settings were correct and have tried many different things to get them to work, but still no luck. Has anyone come across this issue? Is there any way to get these hyperlinks to work on a smartphone?

    Interactive PDFs on mobile devices are nothing short of a crapshoot.
    The readers are hit or miss and the better ones require payment.
    I wish I had better news for you but right now, that’s the way it is.
    Bob

  • Open document from interactive report

    Application Express version 4.0.2.00.07.
    In APEX I am trying to accomplish the following:
    1. Create a link to a PDF or Word document stored on the local network using the file browse button.
    2. Store the link to that file in my table, but not store the actual document in the Oracle table.
    3. Open the document from the link in an interactive report.
    My DBA does not want to store any more documents in Oracle because of performance issues we are experiencing with current applications that do this. Does anyone know where to find sample code that will accomplish this task, or that will load the linked document into the Oracle table but delete the document from the BLOB when the document is closed?

    You're probably looking to use the BFILE functionality - a pointer to a LOB on the filesystem.
    Try looking at some of the following sources for guidance
    http://docs.oracle.com/cd/B10501_01/appdev.920/a96591/adl12bfl.htm
    APEX BFILE
    http://monkeyonoracle.blogspot.com.au/2009/10/storing-images-outside-oracle-xe-with.html
    Scott
