ACS Appliance 1112 version 4.1 Web Interface

Hi, I have an ACS 1112 appliance that is currently running on 4.1 and was brought up to patch level 4.1.1.23.3. We were attempting to install patch 4.1.1.23.4 through the Web Console when we lost connectivity and never got it back. After logging in through the serial console, it indicated that an 'upgrade was in progress'. I was able to successfully re-run the install for 4.1.1.23.4 through the serial interface, along with 4.1.1.23.5, however, even after several reboots, I still cannot gain access to the Web Console. I also confirmed that CSAdmin is up and running. Is there anything I can do to remedy this issue without rebuilding the entire device? Thank you.

Make sure that you have the Remote Agent matching your ACS Version 4.1.1.23.5.
I've seen issues where ACS was trying to contact RA and GUI became unresponsive.
Also, by default the ACS allows any TCP ports to be used for Administration HTTP Access, but this could be limited once you gain access.
My point here is that if the web access was working before, it might not be the case, but you could be blocked by a firewall/pix/asa...
Try from a different PC, and a different browser...

Similar Messages

  • ACS Appliance 1112 - Authentication Without Enable Secret

    Hello Everybody
    I have an ACS appliance 1112 to authenticate users by TACACS+ with Active Directory.
    The users could access the privileged mode on network devices just with the AD user, without typing an enable secret, but after a restart of the appliance the users are now asked to type an enable secret to access the privileged mode.
    Is it necessary to change something on the network devices, or maybe a configuration on ACS?
    Thanks

    Please go to the group that belongs to the user in question and make sure we have shell exec checked with priv 15
    Bring users/groups in at level 15
    1. Go to user or group setup in ACS
    2. Drop down to "TACACS+ Settings"
    3. Place a check in "Shell (Exec)"
    4. Place a check in "Privilege level" and enter "15" in the adjacent field
    Also check the passed authentication logs and make sure that users are mapped to the right ACS group.
    Regards,
    ~JG
    Do rate helpful posts

  • No access to serial console in ACS appliance 111

    We have 2 Cisco ACS appliances running version ...
    Cisco Secure ACS 3.2.2.5
    Appliance Management Software 3.2.2.5
    Appliance Base Image 3.2.2.1
    The fact is that after initial setup, we have never used the console, mainly because in a production environment we manage them through the Web Admin application. Now we have decided to upgrade both appliances to the latest version (3.3.3) and when we tried to connect to the serial console (115200,N,8,1, no flow control) we don't get any response from either ACS. It's quite strange but we have found no way to make them work. We have tried several things, which I describe here in case you can give us any hint:
    1. We have rebooted the appliance and we can see through the console all the start-up process but when it finally finishes the start-up, we see no login prompt.
    2. We have also shut down the appliance properly and powered it off and on again. Same results. The appliances boot normally but still we don't have console access.
    3. We have tried booting the appliance with the recovery CD-ROM and the console works fine. I can reset the Admin password, but when it restarts from its own system (I mean without the recovery CD-ROM), I can see all the starting messages but when it finishes the start-up process ... no console access.
    4. Finally I have connected a monitor and a keyboard to the appliance (I know Cisco does not recommend it but when in trouble....) and I see the full start-up process and it includes the base Windows 2000 server operating system startup. When Windows finishes loading, we get a lock screen in which the appliance informs you that it has started correctly and that we could access it for management through the serial console port or through the web console. 10 seconds later I see a pop-up window stating that one or more services have not started correctly and that we should check the Event Viewer, something we wished we could do but as you know, this is a secured system and I don't know if there is a back door method to verify Windows services in this appliance.
    Any help would be appreciated, as the problem is identical in both the appliances and upgrading them without access to the admin console is difficult and risky.
    Kind regards.

    Hi
    I had a similar problem, being locked out of the console after the initial configuration wizard.
    I think there is a bug within the console session in that if you input a hostname of more than 15 characters, it locks up the ACS service when the server reboots. If you keep your hostname to less than 15 characters, the server reboots and you get console access. If you then access the GUI, you will see that 15 characters is the maximum, and you cannot enter any more than this. This is not the case with the console, where you can enter more than 15 without getting an error message.
    I rescued the server by doing F8 and rebooting the server with last known good configuration. From there, you can reset the hostname to something valid. You can check to see which CS services are running through the console session, and start any services that may not be running.
    deliverance1> start CSAgent
    Starting service: CSAgent..
    CSAgent is starting
    CSAgent is running
    Regards
    Ian

  • ACS appliance -- AD -- RSA Securid Server

    I have Cisco ACS appliance running version 3.3.2.2 and Windows Active Directory on Win2000 Advanced Server and RSA v5.2. I already installed successfully the remote agent in Active directory.
    Authentication using EAP-FAST from my wireless client going to ACS to AD is successful.
    But when authenticating going to RSA failed. I can't find logs that my ACS is communicating successfully with RSA.
    Here's more info:
    In Active Directory, remote agent for ACS installed successfully. Agent for RSA is also installed successfully.
    In ACS appliance, remote agent was already pointed to AD.
    No RSA SecurID Token Server found in my External User Database Configuration list. I think this is the problem.
    How can I manage to configure RSA SecurID Token Server in my ACS appliance?

    Hello,
    The configuration guideline for the ACS is described in "Configuring CiscoSecure ACS for Windows NT with ACE Server Authentication" at
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080094650.shtml
    I had this up and running with a customer. There was no AD involved though, so it is not entirely your case and there might be other obstacles on the way.
    ACS with ACE however works, though there were some nasty problems to be solved on the way to success.
    One thing to point out straight away, also mentioned in the document above:
    Challenge Handshake Authentication Protocol (CHAP) cannot be used with the ACE tokens alone because of the requirement CHAP RFC (1994) that states:
    CHAP requires that the secret be available in plaintext form. Irreversibly encrypted password databases commonly available cannot be used.
    This precludes use of the ACE tokens for straight CHAP unless there is a separate CHAP password. For instance:
    username: xxxx
    password: xxxx
    Password Authentication Protocol (PAP) is a better choice here.
    This means the user has to enter "username*token" - the customer finally wrote a Java applet to construct the proper combination out of different clearly named input fields to simplify the input for inexperienced users.
    Hope this helps! Please rate all posts.
    Regards, Martin
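
The CHAP restriction quoted in Martin's reply above, as an added Python example that is not part of the original post: a CHAP authenticator must hold the secret itself to recompute the RFC 1994 digest, while PAP hands the server the password so it can be checked against an irreversible hash (or forwarded to a token server). The secret, salt, challenge and the PBKDF2 storage scheme are constructed for illustration.

```python
import hashlib
import hmac


def chap_response(ident, secret, challenge):
    """RFC 1994: MD5 over the identifier octet, the secret, then the challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(ident, challenge, response, stored_value):
    """Authenticator side: recompute the digest from whatever the server has stored."""
    expected = chap_response(ident, stored_value, challenge)
    return hmac.compare_digest(expected, response)


def store_irreversibly(password, salt):
    """Constructed stand-in for an 'irreversibly encrypted password database'."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 1000)


def pap_verify(sent_password, salt, stored_hash):
    """PAP delivers the password itself, so hashing and comparing works."""
    return hmac.compare_digest(store_irreversibly(sent_password, salt), stored_hash)


def demo():
    secret = b"constructed-secret"          # constructed sample values
    salt = b"constructed-salt"
    ident, challenge = 7, bytes(range(16))
    stored_hash = store_irreversibly(secret, salt)

    response = chap_response(ident, secret, challenge)   # what the peer sends
    return {
        # Server keeps the plaintext secret: CHAP verifies.
        "chap_plaintext_store": chap_verify(ident, challenge, response, secret),
        # Server keeps only a one-way hash: it cannot rebuild the digest.
        "chap_hash_only_store": chap_verify(ident, challenge, response, stored_hash),
        # Same one-way store works with PAP because the password arrives intact.
        "pap_hash_only_store": pap_verify(secret, salt, stored_hash),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```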

  • ACS web interface hangs on Network Device Group

    We are facing problem of ACS web interface stop responding whenever a Network Device Group is edited/added/deleted. This happens regardless of whether the web interface is opened remotely or on the ACS server.
    The session needs to be killed and then have to wait several minutes before attempting to edit NDG (although new session to ACS can be opened up almost immediately).
    I have checked there are no proxy settings in the browser, no firewall in between, etc.
    ACS is installed on Windows 2003 Server Enterprise Edition with SP1.
    ACS installation on another server of same hardware specs and java version works fine. The difference is that the OS on the working ACS is Win 2K3 Ent Ed. without SP1. However, according to Cisco, WIN 2K3 Ent Ed with SP1 is a supported platform.
    My ACS version is 4.0(1) build 27.
    Any ideas?

    I assume you have a java runtime installed?
    alas in the "old days" you could troubleshoot this type of thing by looking in the windows registry. This is all internal to the ACS SQLAnywhere DB now :(
    Darran

  • [ACS]Problem web interface after reboot

    Hello,
    After power outage, when my ACS reboots the web interface doesn't start.
    When I connect to CLI with SSH, I enter the command :
    sh acs-config-web-interface
    This is the result :
    ACS management must be running
    Please issue 'acs start' CLI if stopped,
    or wait for the ACS processes to come up
    So I enter the command :
    acs start
    And it's OK.
    What is the reason why the ACS doesn't start properly?
    Thank you in advance for your response.
    Regards.
    Thomas.

    Hi Thomas,
    Which version of ACS are you running?
    Regards
    Najaf

  • Loss the "Deleted Items" folder on Exchange 2007 WEB interface and any Outlook with any version.

    Hi, 
    My client has lost the "Deleted Items" folder in his Outlook, and when I tried to use the web interface to check, I also couldn't find the "Deleted Items" folder.
    Then we tried Outlook 2003, 2007 and 2013 and also couldn't find it.
    Could you let me know of any solution to this problem for my client?
    Thanks 

    I believe the Deleted Items folder was just hidden from view, as I don't think a user can delete their Deleted Items folder. Here's a KB for the fix: Contacts or other default folder hidden, but shortcut works with Open in New Window Article ID: 924226 (http://support.microsoft.com/?scid=kb%3Ben-us%3B924226&x=12&y=12). In short, you need to change the PR_ATTR_HIDDEN value for the hidden folder, which in your case is the Deleted Items folder.

  • Unable to Access CSACS 5.3 Web Interface...

    Hi Everyone,
    I wanted to note an issue I ran into today with our MS Windows 7 workstations and 2008 servers being unable to access the web management interface on our instance of ACS 5.3 and its solution, which is outlined below:
    ###      The Problem      ###
    When I tried accessing the web management interface on our ACS 5.3 appliance, the browser was unable to connect. NMS applications showed that the device was up and I was able to access it via SSH. I then tried connecting to 443 via telnet on my workstation and was successful in establishing a connection. I proceeded to issue the "show application status acs" command, which showed all associated processes running. I had a co-worker attempt to access it and he ran into the same issue. I then proceeded to restart the ACS application by stopping and starting the associated processes. After the processes were back up, attempts to connect to the web management interface still failed. I then proceeded to reboot the appliance. Again, after the appliance and processes were back up, attempts to connect continued to fail. As a last ditch effort I used a portable version of Firefox to connect and was then successfully able to connect.
    ###       The Source        ###
    After additional troubleshooting, it was discovered that the MS Internet Explorer patch associated with MS Security Advisory 2661254 just so happened to be the culprit.  This restricts the use of certificates with RSA keys less than 1024 bits in length.  The default management certificate just so happens to be 512 bits in length.
    ###          The Fix           ###
    Using FireFox, I navigated to System Administration > Configuration > Local Server Certificates > Local Certificates.  I then proceeded to add a certificate in the following steps:
    Select Generate Self Signed Certificate & click next
    Populate the Certificate Subject field with the appropriate DN information of the ACS server.
    Change the key length to 1024 or above.
    Check "Management Interface: Used to authenticate the web server (GUI)".
    Check "Replace Certificate".
    Click Finish.
    The ACS server should then generate the new certificate, replace the existing management certificate, and restart the ACS processes. After everything is back up, you shouldn't have any issues in accessing the web interface.
    Cheers,
    Dan

    Hello Dan,
    Thank you for trying to share the information you have.
    Note please if you want to share information you can post a document, not a discussion.
    You can convert this discussion into a document from the right pane menu.
    Greetings,
    Amjad
    Rating useful replies is more useful than saying "Thank you"
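
The key-length rule from Dan's post above (RSA keys under 1024 bits refused after MS Security Advisory 2661254), as an added Python example that is not part of the original thread: it reads the RSA modulus size out of a DER-encoded certificate using only the standard library. The certificates it checks are constructed, unsigned skeletons, and the function names are illustrative.

```python
RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption
MIN_RSA_BITS = 1024                             # floor named in the post above

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                           # long form: low 7 bits count length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):
    """List the (tag, value_start, value_end) elements inside a constructed value."""
    out = []
    while start < end:
        tag, s, e = read_tlv(buf, start)
        out.append((tag, s, e))
        start = e
    return out

def rsa_key_bits(cert):
    """Modulus size in bits, or None when the certificate key is not RSA."""
    _, s, e = read_tlv(cert, 0)                             # Certificate
    _, s, e = children(cert, s, e)[0]                       # tbsCertificate
    fields = children(cert, s, e)
    first = 1 if fields[0][0] == 0xA0 else 0                # optional [0] version
    _, s, e = fields[first + 5]                             # subjectPublicKeyInfo
    (_, a_s, a_e), (_, k_s, _) = children(cert, s, e)       # algorithm, BIT STRING
    _, o_s, o_e = children(cert, a_s, a_e)[0]               # algorithm OID
    if cert[o_s:o_e] != RSA_OID:
        return None
    _, s, e = read_tlv(cert, k_s + 1)                       # skip unused-bits octet
    _, m_s, m_e = children(cert, s, e)[0]                   # modulus INTEGER
    return int.from_bytes(cert[m_s:m_e], "big").bit_length()

def audit(cert):
    """Return (bits, verdict) against the 1024-bit floor."""
    bits = rsa_key_bits(cert)
    if bits is None:
        return (None, "not-rsa")
    return (bits, "ok" if bits >= MIN_RSA_BITS else "rejected")

# --- constructed sample data: unsigned certificate skeletons, not real keys ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        head = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + content

def der_int(v):
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def constructed_cert(bits):
    modulus = (1 << (bits - 1)) | 1                         # right size only
    null = der(0x05, b"")
    key = der(0x30, der_int(modulus) + der_int(65537))
    spki = der(0x30, der(0x30, der(0x06, RSA_OID) + null) + der(0x03, b"\x00" + key))
    sig = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + null)
    empty = der(0x30, b"")                                  # issuer/validity/subject stubs
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + sig + empty * 3 + spki)
    return der(0x30, tbs + sig + der(0x03, b"\x00"))

if __name__ == "__main__":
    for size in (512, 1024, 2048):
        print(size, audit(constructed_cert(size)))
```

To check a real appliance certificate, export it and pass the DER bytes to `audit`; a PEM export can be converted first with the standard library's `ssl.PEM_cert_to_DER_cert`.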

  • Apply patch to acs Appliance

    I was wondering if someone can help me to upgrade my ACS Appliance with patch 4.1.1.23.4-SW. It was simple to apply this one in a normal server 2000. The ACS appliance I think is different because that we can access by normal terminal, keyboard and mouse.
    Somewhere I read that a tomcat server is necessary?
    Please help
    adi

    Hi,
    ACS v4.1.1.23 patch 5 is available so go for this new patch.
    You should have a pc which can access ACS through web interface. Keep the patch file on the PC.
    Follow the steps below on the PC:
    [1] Extract zipped file
    [2] Look for "autorun.exe" file and double click on it
    [3] It will start a tomcat server on your desktop and you'll see a web page asking for ACS SE ip address :
    Provide in the ACS SE ip address and press "Install"
    [4] It will prompt for ACS admin username and password as shown below :
    Provide in the username and password and login.
    [5] Then it bring up ACS GUI, then go to
    System Configuration > Appliance Upgrade Status > Download,
    Then we'll get a screen where it will ask for ip address of Install Server :
    Provide in ip address of system from where we are applying this patch, in our case our desktop ip address, then click connect.
    [6] It will show us following screen :
    Click on "Download Now"
    Then it'll show us this screen :
    Press "Refresh" Till we see following screen :
    [7] Now press "Apply Upgrade". Then it'll ask for confirmation :
    Press "Upgrade", then we'll get information regarding the patch.
    Click "Yes".
    It'll take few minutes to apply that patch on appliance.
    Then it'll show us a confirmation message :
    Press "Done", then system will reboot.
    To confirm that patch has been applied successfully, goto
    System Configuration > Appliance Upgrade Status
    After everything is fine stop the tomcat server by clicking on "stop distribution server" or if you want to apply this patch on some more appliance click on "Install Next"
    Hope this helps.
    ~Rohit

  • ACS Appliance Upgrade

    I obtained the 3.3 release from Cisco. I'm currently running v3.2. When I go to System Configuration -> Appliance Upgrade Status -> Download -> Connect -> Download Now, it returns "No Distribution in Appliance". I can see the 3.3.3.11 in the software install table. but it returns the error above when trying to transfer the file. I'm running Apache / Windows XP SP2. Anyone seen this before?

    Hi,
    Without a distribution server, normally you need to load the new image into the current ACS appliance itself before executing the upgrade process. The new image can be transferred via serial or the ACS web-based 'system upgrade' option.
    If I am not mistaken, the error you're getting was due to unavailability of the distribution server.
    If you are stuck with the image transfer, try to use CLI/console mode.
    The typical upgrade method has 3 steps:
    1. Load new image (download from Cisco or using CD) onto a distribution server.
    2. Load the upgrade image onto the Cisco Secure ACS Appliance from the distribution server. Do it either from within the HTML interface, or from the serial console. The Cisco Secure ACS Appliance will verify the transferred files to ensure that they have not been corrupted.
    3. Apply the Cisco Secure ACS Appliance system upgrade. You can do this either from within the HTML interface, or from the serial console.
    Refer to the following url for complete upgrade processes & options:
    http://www.cisco.com/en/US/partner/products/sw/secursw/ps5338/products_installation_guide_chapter09186a0080203004.html#wp1044616
    Rgds,
    AK

  • Trunked connections to ACS appliance

    We are replacing our Cisco ACS 4x server with a new ACS appliance. It is a Cisco UCS C220.
    We went with the hardened Linux option for the underlying OS.
    Our old server had multiple network adapters on different subnets so that it could authenticate devices on different VRFs (rings basically).
    I see the new appliance has only 2 network adapters in it. Is it possible to configure these as a 802.1q trunk in order to have the device service requests on 4-5 subnets? I haven't seen documentation on how to do this.

  • DCNM Web Interface. Not enough Access

    When I log into the DCNM Web interface, and click on 'Admin -> Data Sources' I get prompted with a window stating 'User does not have enough righ for the page'
    I've got DCNM authenticating via ACS v5.3 & I've created the shell profile for the AV-Pair. Also when I view the ACS logs I see the proper authorization profile getting assigned.
    Screen shots attached. Any thoughts?
    CCNP, CCIP, CCDP, CCNA: Security/Wireless
    Blog: http://ccie-or-null.net/       

    It took a lot of trial and error, but I eventually found that this works -- I'm using DCNM version 6.2(5):
    Attribute:  cisco-av-pair
    Requirement:  Mandatory
    Attribute Value:  Static
    Value:  shell:roles="network-admin"
    ...although if you want a non-admin or DCNM "User" role, you would use the following instead:
    Value: shell:roles="network-operator"
    Here's a useful link for more info:  http://www.cisco.com/en/US/products/ps9911/products_configuration_example09186a0080bf5512.shtml

  • Cisco ACS Appliance

    I'm trying to customize the Appliance, which is running ACS 3.3.2.1, via the web interface. When I click on Interface configuration, only "User Data Configuration" and "Advanced Options" selections are displayed. We are customizing this appliance as a Tacacs Server. The "TACACS+ (Cisco IOS)" selection is missing or hidden. How do I get this selection to appear under Interface Configuration?

    You need to have a device configured in the network section to use TACACS+ for authentication before this option appears.

  • ACS appliance 3.3 - user with multiple static IPs

    Hi,
    currently we are using ACS Unix. There it is possible to assign static IPs to a user based on the radius dictionary.
    e.g.
    NAS1- Ascent Max uses dictionary Ascend gets 10.1.1.1
    NAS2- VPN 3000 uses IETF gets 10.1.2.1
    Any ideas how this could be resolved on an ACS appliance?
    Regards, Celio

    Following installation and initial configuration, see the User Guide for Cisco Secure ACS Solution Engine Version 3.3 for information on how to use a browser and the HTML interface to fully configure your Cisco Secure ACS Solution Engine to provide the AAA services you want from this installation.
    http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_installation_guide_chapter09186a0080235f77.html

  • ACS appliance setup help

    Network environment:
    - Windows 2003 with enterprise CA
    - Cisco ACS appliance 4.1.1.23
    - Cisco 1240 AG series APs
    Wireless clients:
    - Windows XP SP2
    Brief steps taken:
    - Installed Enterprise CA
    - Created copy of web server certificate with option “Mark keys as exportable” enabled. Certificate published.
    - Created global group in AD that contains test user and a single laptop that is a member of domain - for auto enrolment.
    - Generated certificate request from ACS (1024 key length).
    - Submitted server request from ftp server - Submit a certificate request using base 64…
    - Submitted CA certificate request from ftp server - Retrieve CA certificate or revocation list /base 64 encoded.
    - CA & server certificates installed in to ACS appliance (Domain certificate authority approved within ACS)
    Brief config of ACS appliance
    Global config
    - PEAP - Selected “Allow EAP-MSCHAPv2”.
    - LEAP - Allow LEAP (For Aironet only)
    - Selected “Allow MS-CHAP Version 1 & 2 authentication”
    - Added AAA client (AP) with shared secret with authentication using “Radius (Cisco Aironet)”
    - Under External user DB/DB config/windows database, “Enable PEAP machine authentication” selected.
    1240 series AP config
    - Under Server Manager, ACS IP with shared secret entered as a Radius server.
    - Selected EAP authentication.
    - Under SSID Manager selected open Authentication with EAP & selected network EAP.
    - Under Encryption Manager selected WEP Encryption & mandatory.
    - Selected key 1 and entered 128 bit key
    Client (windows XP SP2 domain member) config
    - Connected to Enterprise CA web site, base64 encoding/download CA certificate
    and installed it in local computer store.
    - Under Network authentication selected open with WEP, EAP type “protected EAP (PEAP)”
    - Authenticate as a computer selected
    - Selected my CA under “Trusted Certification Authorities”
    - Authentication method (EAP-MSCHAP V2)
    Errors:
    Automatic certificate enrollment to local system failed to contact the AD. The specified domain does not exist or cannot be contacted.
    Or
    Computer doesn't have correct certificate
    Used 43486, 64067, 71929
    Any suggestions very much appreciated.

    ACS Agent is installed on two DC's as well and they are detected by ACS.
    Thanks
