ACS Appliance rejects users from Cisco 4400 WCS

Has anyone seen this error code in your ACS logs? If so, what does it mean? This problem is only occurring with the Wireless Controllers and LEAP users. Below is the message:
"Radius extension DLL rejected user"
Thanks.

Normally I think that means the external database failed the authentication. In the case I just had they were using the NT database and had duplicate accounts with different passwords (one on the domain, and a local NT user). Try different usernames, or try creating a new user just for testing. Make sure the passwords are correct, etc. Also, try using tactest or radtest instead of the Aironet to see if it works for that.
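
The reply above suggests taking the WLC/Aironet out of the picture and hitting ACS with radtest. The script below is an added example (not code from this thread) that does the same thing in pure Python: it builds an RFC 2865 PAP Access-Request, hides the password the way the RFC specifies, and refuses to trust the Access-Accept/Reject until the Response Authenticator checks out against the shared secret. Server name, secret, NAS-IP and credentials are placeholders; the offline helpers (`deobfuscate_password`, `build_response`) exist so the packet logic can be verified without a server.

```python
"""Minimal RADIUS PAP client (RFC 2865) for testing an ACS server directly.
Added example, not from the original thread; server, secret and credentials
are placeholders. Mirrors what radtest does so a reject can be pinned on
ACS / its external database rather than on the WLC or Aironet client."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_REPLY_MESSAGE = 1, 2, 4, 18

def _attr(atype, value):
    # Type (1 byte) + Length (1 byte, includes this 2-byte header) + Value
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def obfuscate_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password longer than 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out

def deobfuscate_password(secret, authenticator, blob):
    """Inverse of obfuscate_password (the server side); strips NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        block = blob[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def build_access_request(secret, username, password, nas_ip, identifier, authenticator=None):
    """Return (packet, request_authenticator). The authenticator must be fresh random
    bytes per request; it is all that keeps the password hiding from being replayed."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, obfuscate_password(secret, authenticator, password.encode()))
             + _attr(ATTR_NAS_IP, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def parse_attributes(body):
    attrs, pos = [], 0
    while pos + 2 <= len(body):
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed attribute")
        attrs.append((atype, body[pos + 2:pos + alen]))
        pos += alen
    return attrs

def check_response(secret, request_authenticator, response, identifier=None):
    """Verify Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)
    before believing an Accept or Reject. Returns (code, attribute list)."""
    if len(response) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        raise ValueError("length mismatch")
    if identifier is not None and ident != identifier:
        raise ValueError("identifier mismatch")
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or spoofed reply")
    return code, parse_attributes(response[20:])

def build_response(secret, request_authenticator, code, identifier, attrs=b""):
    """Build a reply exactly as a server would (used for offline testing)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs

def send_request(server, secret, username, password, nas_ip="192.0.2.10", port=1812, timeout=3.0):
    pkt, ra = build_access_request(secret, username, password, nas_ip, identifier=1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, port))
        data, _ = s.recvfrom(4096)  # a timeout usually means ACS has no AAA client for our source IP
    code, attrs = check_response(secret, ra, data, identifier=1)
    messages = [v.decode(errors="replace") for t, v in attrs if t == ATTR_REPLY_MESSAGE]
    return code, messages

if __name__ == "__main__":
    code, messages = send_request("acs.example.com", b"shared-secret", "testuser", "testpass")
    print({ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, code), messages)
```

Two practical notes: the sending host must itself be defined as an AAA client on ACS with the same shared secret, otherwise ACS drops the request silently and you see a timeout rather than a Reject; and a Reject whose Response Authenticator fails to verify points at a secret mismatch, not at the user database.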

Similar Messages

  • ACS Appliance - Local User Password Changing Options

    I am configuring a pair of 1113 appliances running ACS 4.2. The client wants to use only local user accounts stored in the ACS database for AAA on devices and for LMS and Ops Manager logins. There are configurable password aging settings for users and groups. The question that I have is how are the users notified that their passwords are expired and how can they change them? The customer uses only SSH for device management. Is the UCP utility still a requirement if an appliance is used as opposed to a standard Windows ACS installation? I also came across this bug:
    SCsj50218 Bug Details
    Password expiry feature should be support for users local to ACS
    Symptom:
    ACS currently does not support password expiry / password management feature for locally configured users.
    Conditions:
    users are configured locally on ACS as opposed to an external database such as active directory.
    Workaround:
    Use an external database / server where user profiles are set up.

    ACS supports Password Aging for Device-hosted Sessions: users must be in the CiscoSecure user database, the AAA client must be running TACACS+, and the connection must use Telnet. You can control the ability of users to change passwords during a device-hosted Telnet session.
    You can also control whether Cisco Secure ACS propagates passwords changed by this feature.
    UCP is used on both the appliance and Windows.
    Regards,
    ~JG
    Do rate helpful posts

  • Assigning IP addresses to VPN users from Cisco ISE

    Hi all,
    I would appreciate if anyone could share his experience in assigning ip addresses (not static ones, but from a pool) to VPN users. The Radius is Cisco ISE and I am trying to configure this in the Authorization Results Tab. VPN gateway is ASA 8.4.
    Thanks in advance,
    Lora

    Hi Lora,
    Try going through the following link, might be helpful.
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ipep_deploy.html#wp1252535

  • ACS appliance 4.1 - machine authentication from trusted domain failed

    We have an ACS appliance 4.1 with an agent running on an X domain controller to authenticate users from the X domain Active Directory.
    Users and computers are able to authenticate without any issue on the X domain.
    We have recently added a trusted Y domain to this X domain.
    Users from the Y domain are able to authenticate on our ACS without any issue, but machines are not able to authenticate.
    03/14/2011  10:44:32  Authen failed  host/FLADWS0072.Ydomain  Default Group  00-26-82-d6-9b-3f  (Default)  External DB user invalid or bad password
    Machines use the following settings to authenticate:
    EAP type: EAP (PEAP)
    Authentication method: EAP-MSCHAP v2
    On the Y domain Active Directory:
    Remote access permission is OK for the machine.
    On the ACS appliance:
    "Enable PEAP machine authentication" is selected, and machines from the X domain authenticate without any issue.
    Any idea where I should start to investigate?
    Thanks in advance for your help.


  • ACS appliance 3.3 - user with multiple static IPs

    Hi,
    Currently we are using ACS Unix. There it is possible to assign static IPs to a user based on the RADIUS dictionary.
    e.g.
    NAS1 - Ascend Max uses dictionary Ascend, gets 10.1.1.1
    NAS2 - VPN 3000 uses IETF, gets 10.1.2.1
    Any ideas how this could be resolved on an ACS appliance?
    Regards, Celio

    Following installation and initial configuration, see the User Guide for Cisco Secure ACS Solution Engine Version 3.3 for information on how to use a browser and the HTML interface to fully configure your Cisco Secure ACS Solution Engine to provide the AAA services you want from this installation.
    http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_installation_guide_chapter09186a0080235f77.html

  • Windows Update for Cisco ACS appliance

    Due to the recent security alert from Windows I wish to make sure my systems are updated, but the Cisco ACS appliance (Cisco 1113) runs a specialized version of Win2k with console access disabled. Is there any way to get the Windows critical security updates, and do I need to?

    If the patch is necessary on acs appliance then they will be releasing it soon.
    As of now we can't apply any windows patch on appliance.

  • ACS Appliance User DB to new non-appliance ACS server

    Is it possible to replicate an ACS appliance user DB onto a new non-appliance ACS server? We're adding additional ACS servers and don't want to re-create all the groups and mappings. Think of it as ghosting an appliance and restoring it on a new server. Thx

    Here is the link,
    http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080742f60.shtml
    Here is the troubleshooting check list, in case you face any issue,
    1) Make sure that you are not replicating over NAT. Replication over NAT does not work because the IP is used as part of the server authentication
    2) Next, check to make sure that you are not sending or receiving the distribution table. On the primary server, the distribution table should not be checked in the send list, and on the secondary, the distribution table should not be checked for receive.
    3) Then I would like you to check in the secondary server's partner list, to make sure that the primary is not listed. You should not enter the primary server into the partner list on the secondary server. However, the primary server should have all secondary servers listed in its partner list.
    4) Ensure that the secondary server has its replication scheduling set to "manual".
    5) Please verify that your servers are all running exactly the same ACS version and build.
    6) Also let me know if we have any firewall in between two acs servers.
    Regards,
    ~JG

  • Issue with Cisco ACS 4.2: users unable to login to AAA client, but after restarting group policy able to login

    Issue with Cisco ACS 4.2. Users are unable to login to the AAA client, but after restarting group policy they are able to login.

  • Supported devices/users on Cisco ACS 4.2

    Hi,
    Does anyone know how many devices/users Cisco ACS 4.2 supports?
    I need to know this information for a very large deployment.
    Regards,

    Hello,
    The following items are general answers to common system-performance questions. The performance of ACS in your network depends on your specific environment and AAA requirements.
    •Maximum users supported by the ACS internal database—There is no theoretical limit to the number of users the ACS internal database can support. We have successfully tested ACS with databases in excess of 100,000 users. The practical limit for a single ACS authenticating against all its databases, internal and external, is 300,000 to 500,000 users. This number increases significantly if the authentication load is spread across a number of replicated ACS instances.
    •Transactions per second—Authentication and authorization transactions per second depend on many factors, most of which are external to ACS. For example, high network latency in communication with an external user database lowers the number of transactions per second that ACS can achieve.
    •Maximum number of AAA clients supported— ACS has been tested to support AAA services for approximately 50,000 AAA client configurations. This limitation is primarily a limitation of the ACS memory.
    System Performance Specification.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp827669
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Migrating from Windows to the ACS appliance

    I'm in the process of migrating ACS from Windows to an appliance. I did a recovery and I chose to restore the DBs and the system config. However, I'm getting emails from the appliance with the name of the old Windows machine where ACS was running. I guess this is a result of restoring the system config. Does anyone know how to configure the emails to be sent with the current appliance name? And if it is not possible, how can I restore the appliance to factory defaults so I can do the recovery again only for the DBs? Many thanks,

    Well ... the easy way out is to re-image the ACS appliance and then replicate between the Windows server and the appliance. This will replicate all your settings from the Windows ACS to the appliance except the external database configuration, which you need to configure manually.
    Note: for replication, both the ACS for Windows and the appliance should be on the same version.

  • Problem Exporting Backups from Cisco Prime LMS 4.2 deployed as software appliance

    Hi,
    I'm trying to back up a Cisco Prime LMS 4.2 based on the soft appliance. I have the backup stored on destination disk://localdisk/backup/, but I can't export it via FTP to an external server. When I perform the transfer only the folder is stored in the destination path; the files aren't included. I think that I have to compress the files in the backup folder as a .tar file using the Linux shell, but I can't find the backup folder from this shell.
    Is my procedure correct? If not, what is the procedure and which commands export a backup to an external server via FTP?
    Thanks,

    Hi Dave,
    If your goal is to upgrade the IOS of the devices via LMS, then MANUALLY download the IOS image from cisco.com
    and use the FILE SYSTEM option to add the image to the Software Repository.
    Then try to upgrade the IOS and see how it works.
    Thanks
    Afroz

  • Cisco ACS Appliance and Passed Authentication Logs

    I'm seeing something on our ACS appliance logs that looks kind of odd (but it is working fine).
    When I look at the "Passed Authentication" logs, the users seem to show up about 3 times a minute (each). Maybe I am missing something, but this seems like some type of over-reporting.
    Any ideas why this would be happening? I'm probably missing something obvious, but since I'm new to this I can't find the problem.
    Thanks for any suggestions!

    What version of CSACS are you running? Has this just started happening, or was the problem just identified? It could be a performance issue if in fact everything was reauthenticating every 20 sec. Are all your devices showing up, or just wired or wireless? It could be a slight misconfiguration that could be hard to find. If you have the capability, you might want to capture the traffic going to your CSACS server to see if the authentications are actually happening, or, like you mentioned, just reporting issues. I hope this helps.

  • User from certificate with Cisco VPN client and ASA (and radius)

    Hello,
    We are trying to migrate a VPN client connection from GROUP to certificate. We want the client to use the user from the certificate and not ask for the user, only the password. Is it possible? Now, with a user certificate, you can connect as another user if you know the username and the password of the other user with your own certificate.
    Thanks!
    Santiago.

    mrbacklash wrote:
    Ok with that being said will the MBA 11.6 1.4ghz have the guts to make it run mostly internet based programs over the VPN connection?
    I think if you are running apps over the Internet the bottleneck will be the Internet and your VPN bandwidth. Your computer can certainly execute faster than Internet communications.
    Besides, Internet or remote applications run on the remote server. All your local computer does is local processing of the data if necessary.
    Message was edited by: BobTheFisherman

  • Import local net users to Cisco Prime 1.2

    Hi,
    We have a 4400 WLC that has about 400 local users configured under local net users, and we are deploying Cisco Prime 1.2 in our company. Does anyone know how to import these users to Cisco Prime? I was told that it could only be done manually, like re-entering all 400 entries into Cisco Prime! If this is the case it'll be tedious.
    Thanks for any help.

    Hello,
    Complete the following steps to migrate data from WCS:
    1. Place the WCS export ZIP file (for example, wcs.zip) in a repository or folder (for example, repositories).
    2. Log in as the admin user and stop the Cisco Prime Infrastructure server by entering the ncs stop command. Configure the FTP repository on the Cisco Prime Infrastructure appliance using the repository command as shown in the configuration snippet below:
    pi-appliance/admin# configure
    pi-appliance/admin(config)# repository pi-ftp-repo
    pi-appliance/admin(config-Repository)# url ftp://209.165.200.227/backup
    pi-appliance/admin(config-Repository)# user ftp-user password plain ftp-user
    Note: Make sure the archived file is available with the show repository command.
    3. Enter the ncs migrate command in order to restore the WCS database.
    pi-appliance/admin# ncs migrate wcs-data wcs.zip repository pi-ftp-repo
    4. By default, no WCS events are migrated. Enter the ncs start command in order to start the Cisco Prime Infrastructure server after the upgrade is completed. Log in to the Cisco Prime Infrastructure user interface with the root login and the root password.
    For more information you can refer to the Cisco Prime Infrastructure deployment guide:
    http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps12239/deployment_guide_c07-721232.html#wp9000654

  • ACS Appliance Hardware functionality

    Just received a new ACS Appliance and in testing out the functionality I've encountered a couple of curious issues...
    Shutdown -- Have tried doing shutdown from both HTTP and Serial connections. Command is accepted and the hard drive light flashes for a bit and then nothing. It does not power off, don't get a message on the serial console saying it is OK to power off. Waited 20 minutes then used the power button. Seems to conflict with the doco.
    Can we/How do we use the second Ethernet port? Don't see anything about how to configure it in the doco but when I plug a cable in I do get lights indicating it is active.
    I have been able to complete basic configuration and do have connectivity and authentication against Internal User, still fiddling with getting communication with our LDAP User database, So the unit does function.

    For the 2nd ethernet connection, the doco here (http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csapp33/install/ovrvuap.htm#wp1040777) gives the answer:
    Ethernet Connectors
    Your system has two integrated 10/100/1000-megabit-per-second (Mbps) Ethernet connectors. Cisco Secure ACS Solution Engine supports the operation of either Ethernet connector, but not both connectors. Each Ethernet connector provides all the functions of a network expansion card and supports the 10BASE-T, 100BASE-TX, and 1000BASE-TX Ethernet standards.
    Each NIC is configured to automatically detect the speed and duplex mode of the network.
    Note The Cisco Secure ACS Solution Engine supports the operation of only one Ethernet connector at a time. Concurrent operation of both Ethernet connectors is not supported.
    For the shutdown issue, not sure, haven't seen that before.
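
Two of the threads above (the trusted-domain machine-authentication failure and the "Passed Authentication" over-reporting question) come down to reading the ACS CSV logs carefully. The following Python script is an added example, not code from any of the posts: it parses constructed sample lines laid out like the excerpt in the machine-authentication thread (the column names are assumed from the visible fields; adjust the header lists to your export), separates machine (host/...) failures from user failures by Authen-Failure-Code, and reports the highest number of passes any one user produced inside a 60-second window, which is the quickest way to decide whether "3 times a minute" is real reauthentication worth a packet capture or just duplicated logging.

```python
"""Summarise ACS 4.x CSV authentication logs. Added example, not from the posts.
Column layout is assumed from the fields visible in the forum excerpt; the
sample lines are constructed, not real logs."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

FAILED_HEADER = ["Date", "Time", "Message-Type", "User-Name", "Group-Name",
                 "Caller-ID", "NAP-Name", "Authen-Failure-Code"]
PASSED_HEADER = ["Date", "Time", "Message-Type", "User-Name", "Group-Name",
                 "Caller-ID", "NAS-IP-Address"]

# Constructed sample data (placeholder hosts, MACs and addresses).
SAMPLE_FAILED = """\
03/14/2011,10:44:32,Authen failed,host/FLADWS0072.Ydomain,Default Group,00-26-82-d6-9b-3f,(Default),External DB user invalid or bad password
03/14/2011,10:44:40,Authen failed,host/FLADWS0072.Ydomain,Default Group,00-26-82-d6-9b-3f,(Default),External DB user invalid or bad password
03/14/2011,10:45:02,Authen failed,jsmith,Default Group,00-1a-2b-3c-4d-5e,(Default),Radius extension DLL rejected user
03/14/2011,10:45:10,Authen failed,host/PC0001.Xdomain,Default Group,00-aa-bb-cc-dd-ee,(Default),External DB user invalid or bad password
"""
SAMPLE_PASSED = """\
03/14/2011,10:50:00,Authen OK,alice,Wireless,00-11-22-33-44-55,10.1.1.5
03/14/2011,10:50:20,Authen OK,alice,Wireless,00-11-22-33-44-55,10.1.1.5
03/14/2011,10:50:41,Authen OK,alice,Wireless,00-11-22-33-44-55,10.1.1.5
03/14/2011,10:50:05,Authen OK,bob,Wired,00-66-77-88-99-aa,10.1.1.6
"""

def parse_log(text, header):
    """Parse a header-less ACS CSV export into dicts with a parsed 'ts' timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=header):
        ts = datetime.strptime(f"{row['Date']} {row['Time']}", "%m/%d/%Y %H:%M:%S")
        rows.append({**row, "ts": ts})
    return rows

def is_machine_account(user):
    # Windows machine authentication presents itself as host/<computer>.<domain>
    return user.lower().startswith("host/")

def failure_summary(rows):
    """Counter keyed by (account kind, Authen-Failure-Code), so a trusted-domain
    problem shows up as machine-only failures against the external DB."""
    counts = Counter()
    for r in rows:
        kind = "machine" if is_machine_account(r["User-Name"]) else "user"
        counts[(kind, r["Authen-Failure-Code"])] += 1
    return counts

def reauth_rate(rows, window_seconds=60):
    """Per user, the maximum number of passed authentications inside any
    sliding window of window_seconds (sorted two-pointer sweep)."""
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["User-Name"]].append(r["ts"])
    rates = {}
    for user, stamps in by_user.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        rates[user] = best
    return rates

def chatty_clients(rows, threshold=3, window_seconds=60):
    """Users that pass at least `threshold` times in one window: candidates for a
    short session timeout or re-keying loop rather than a logging artefact."""
    return sorted(u for u, n in reauth_rate(rows, window_seconds).items() if n >= threshold)

if __name__ == "__main__":
    for key, n in sorted(failure_summary(parse_log(SAMPLE_FAILED, FAILED_HEADER)).items()):
        print(f"{n:3d}  {key[0]:7s}  {key[1]}")
    print("re-authenticating every few seconds:", chatty_clients(parse_log(SAMPLE_PASSED, PASSED_HEADER)))
```

If the passed-log rate is real, the next step is the packet capture the reply above recommends; if a capture shows one Access-Request per session but several log rows, the duplication is in reporting (for example the same ACS logging to CSV and to a remote logger that is fed back in), not in the clients.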
