ACS appliance setup help

Network environment:
- Windows 2003 with enterprise CA
- Cisco ACS appliance 4.1.1.23
- Cisco 1240 AG series APs
Wireless clients:
- Windows XP SP2
Brief steps taken:
- Installed Enterprise CA
- Created copy of web server certificate with option “Mark keys as exportable” enabled. Certificate published.
- Created global group in AD that contains test user and a single laptop that is a member of domain - for auto enrolment.
- Generated certificate request from ACS (1024 key length).
- Submitted server request from ftp server - Submit a certificate request using base 64…
- Submitted CA certificate request from ftp server - Retrieve CA certificate or revocation list /base 64 encoded.
- CA & server certificates installed in to ACS appliance (Domain certificate authority approved within ACS)
Brief config of ACS appliance
Global config
- PEAP -Selected “Allow EAP-MSCHAPv2”.
- LEAP - Allow LEAP (For Aironet only)
- Selected “Allow MS-CHAP Version 1 & 2 authentication”
- Added AAA client (AP) with shared secret, authenticating using “RADIUS (Cisco Aironet)”
- Under External user DB//DB config/windows database, “Enable PEAP machine authentication” selected.
1240 series AP config
- Under Server Manager, ACS IP with shared secret entered as a Radius server.
- Selected EAP authentication.
- Under SSID Manager selected open Authentication with EAP & selected network EAP.
- Under Encryption Manager selected WEP Encryption & mandatory.
- Selected key 1 and entered 128 bit key
Client (windows XP SP2 domain member) config
- Connected to Enterprise CA web site, base64 encoding/download CA certificate
and installed it in local computer store.
- Under Network authentication selected open with WEP, EAP type “Protected EAP (PEAP)”
- Authenticate as a computer selected
- Selected my CA under “Trusted Certification Authorities”
- Authentication method (EAP-MSCHAP V2)
Errors:
Automatic certificate enrollment to local system failed to contact the AD. The specified domain does not exist or cannot be contacted.
Or
Computer doesn't have correct certificate
Used 43486, 64067, 71929
Any suggestions very much appreciated.

ACS Agent is installed on two DCs as well and they are detected by ACS.
Thanks

Similar Messages

  • No access to serial console in ACS appliance 111

    We have 2 Cisco ACS appliances running version ...
    Cisco Secure ACS 3.2.2.5
    Appliance Management Software 3.2.2.5
    Appliance Base Image 3.2.2.1
    The fact is that after initial setup, we have never used the console, mainly because in a production environment we manage them through the Web Admin application. Now we have decided to upgrade both appliances to the latest version (3.3.3) and when we tried to connect to the serial console (115200,N,8,1, no flow control) we don't get any response from either ACS. It's quite strange but we have found no way to make them work. We have tried several things, which I list below in case you can give us any hint:
    1. We have rebooted the appliance and we can see through the console all the start-up process but when it finally finishes the start-up, we see no login prompt.
    2. We have also shutdown the appliance properly and power it off and on again. Same results. The appliances boot normal but still we don't have console access.
    3. We have tried booting the appliance with the recovery CD-ROM and the console works fine. I can reset the Admin password, but when it restarts from its own system (I mean without the recovery CD-ROM), I can see all the starting messages but when it finishes the start-up process ... no console access.
    4. Finally I have connected a monitor and a keyboard to the appliance (I know Cisco does not recommend it, but when in trouble....) and I see the full start-up process and it includes the base Windows 2000 server operating system startup. When Windows finishes loading, we get a lock screen in which the appliance informs you that it has started correctly and that we could access it for management through the serial console port or through the web console. 10 seconds later I see a pop-up window stating that one or more services have not started correctly and that we should check the Event viewer, something we wished we could do but, as you know, this is a secured system and I don't know if there is a back door method to verify Windows services in this appliance.
    Any help would be appreciated, as the problem is identical in both the appliances and upgrading them without access to the admin console is difficult and risky.
    Kind regards.

    Hi
    I had a similar problem being locked out of the console after the initial configuration wizard.
    I think there is a bug within the console session in that if you input a hostname of more than 15 characters, it locks up the ACS service when the server reboots. If you keep your hostname to less than 15 characters, the server reboots and you get console access. If you then access the GUI, you will see that 15 characters is the maximum, and you cannot enter any more than this. This is not the case with the console, where you can enter more than 15 without getting an error message.
    I rescued the server by pressing F8 and rebooting the server with the last known good configuration. From there, you can reset the hostname to something valid. You can check to see which CS services are running through the console session, and start any services that may not be running:
    deliverance1> start CSAgent
    Starting service: CSAgent..
    CSAgent is starting
    CSAgent is running
    Regards
    Ian

  • ACS Appliance - Where is the bulk import?

    On the Windows version there is the command line utility which allows for the bulk import of users and clients. With over 250 TACACS+ clients to install on an ACS appliance I do not want to have to add them in manually, one by one, but don't seem to be able to find the way to import them. Can anyone help?

    On the appliance the only way is to use RDBMS Sync.
    The ACS quick help and online docs all have quite good documentation about how to create the account actions transaction table so I won't describe it here.
    You can actually set more device params via RDBMS sync than you could with csutil.
    I doubt it's been updated for the new device parameters you can manually set up in ACS v4.1 though.

  • ACS Appliance 1112 - Authentication Without Enable Secret

    Hello Everybody
    I have a ACS appliance 1112 to authenticate users by TACACS+ with Active Directory.
    The users could access the privileged mode on network devices just with the AD user without typing an enable secret, but after a restart of the appliance the users are now asked to type an enable secret to access the privileged mode.
    Is it necessary to change something on the network devices, or maybe a configuration on ACS?
    Thanks

    Please go to the group that the user in question belongs to and make sure we have shell exec checked with priv 15
    Bring users/groups in at level 15
    1. Go to user or group setup in ACS
    2. Drop down to "TACACS+ Settings"
    3. Place a check in "Shell (Exec)"
    4. Place a check in "Privilege level" and enter "15" in the adjacent field
    Also check the passed authentication logs and make sure that users are mapped to the right group in ACS.
    Regards,
    ~JG
    Do rate helpful posts

  • Apply patch to acs Appliance

    I was wondering if someone can help me to upgrade my ACS Appliance with patch 4.1.1.23.4-SW. It was simple to apply this one on a normal Server 2000. The ACS appliance, I think, is different in that we can access it by normal terminal, keyboard and mouse.
    Somewhere I read that a tomcat server is necessary?
    Please help
    adi

    Hi,
    ACS v4.1.1.23 patch 5 is available so go for this new patch.
    You should have a PC which can access ACS through the web interface. Keep the patch file on the PC.
    Follow the steps below on the PC:
    [1] Extract the zipped file
    [2] Look for the "autorun.exe" file and double click on it
    [3] It will start a tomcat server on your desktop and you'll see a web page asking for the ACS SE IP address:
    Provide the ACS SE IP address and press "Install"
    [4] It will prompt for the ACS admin username and password as shown below:
    Provide the username and password and log in.
    [5] Then it brings up the ACS GUI; go to
    System Configuration > Appliance Upgrade Status > Download,
    Then we'll get a screen where it will ask for the IP address of the Install Server:
    Provide the IP address of the system from where we are applying this patch, in our case our desktop IP address, then click connect.
    [6] It will show us the following screen:
    Click on "Download Now"
    Then it'll show us this screen:
    Press "Refresh" until we see the following screen:
    [7] Now press "Apply Upgrade". Then it'll ask for confirmation:
    Press "Upgrade", then we'll get information regarding the patch.
    Click "Yes".
    It'll take a few minutes to apply that patch on the appliance.
    Then it'll show us a confirmation message:
    Press "Done", then the system will reboot.
    To confirm that the patch has been applied successfully, go to
    System Configuration > Appliance Upgrade Status
    After everything is fine stop the tomcat server by clicking on "stop distribution server" or, if you want to apply this patch on some more appliances, click on "Install Next"
    Hope this helps.
    ~Rohit

  • RDBMS Synchronization problem in ACS Appliance 3.3

    Hi,
    I was adding multiple AAA Clients on the ACS Appliance using the RDBMS Synchronization option. I followed the complete steps but failed to synchronize the accountActions.csv file on ACS. My ftp server is working fine and returned the logs saying "accountActions.csv file read received file successfully size 0 bytes 0.00 kbps", and the RDBMS synchronization logs on ACS reported "No import CSV file on ftp server - nothing to process". I have attached related screen shots. Any help on this issue will be highly appreciated.
    Thanks in advance
    Best Regards,
    Ahmed

    The format of the accountActions.csv file is incorrect, as a result of which the RDBMS Synchronization is not executed correctly.
    I have attached a sample accountActions.csv file for you.
    (i) The AAA Client C7609-X with the IP address 10.10.10.10 has been added with the shared secret key mikey and is registered with TACACS+
    (ii) The NDG michasisX has been added.
    (iii) The device C7609-X has been added to the NDG michasisX
    Place the file in the FTP and try performing an RDBMS synchronization. Restart the ACS services.
    Then you can add the devices as per the sample file attached.
    Also check if the file name is exactly the same in the RDBMS Synchronization page in the ACS
    Hope this helps,
    Soumya

  • Trunked connections to ACS appliance

    We are replacing our Cisco ACS 4x server with a new ACS appliance. It is a Cisco UCS C220.
    We went with the hardened Linux option for the underlying OS.
    Our old server had multiple network adapters on different subnets so that it could authenticate devices on different VRFs (rings basically).
    I see the new appliance has only 2 network adapters in it. Is it possible to configure these as an 802.1Q trunk in order to have the device service requests on 4-5 subnets? I haven't seen documentation on how to do this.

  • Cisco ACS Appliance and Passed Authentication Logs

    I'm seeing something on our ACS appliance logs that looks kind of odd (but it is working fine).
    When I look at the "Passed Authentication" logs, the users seem to show up about 3 times a minute (each). Maybe I am missing something, but this seems like some type of over-reporting.
    Any ideas why this would be happening? I'm probably missing something obvious, but since I'm new to this I can't find the problem.
    Thanks for any suggestions!

    What version of CSACS are you running? Has this just started happening, or was the problem just identified? It could be a performance issue if in fact everything was reauthenticating every 20 sec. Are all your devices showing up, or just wired or wireless? It could be a slight misconfiguration that could be hard to find. If you have the capability, you might want to capture the traffic going to your CSACS server to see if the authentications are actually happening, or like you mentioned...just reporting issues. I hope this helps.

  • ACS Appliance 1113 with v4.2

    I have an ACS appliance 1113 with v4.2 software. How do I tie this into Active Directory? Do I have to run some software on the DC server?
    Thanks,

    You need to install the remote agent on a member server. The software will facilitate communication between ACS and AD.
    Here is the link,
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.1/installation/guide/remote_agent/rawi.html
    Regards,
    ~JG
    Do rate helpful posts

  • ACS appliance and remote agent testing

    Having problems with integrating ACS appliance with Active Directory. Have installed the remote agent on a member server and from the ACS appliance can enumerate the Active Directory groups correctly so there is at least some communication happening.
    Looking at the remote agent logs, whenever a request for the AD groups comes through you see corresponding log entries. When a user tries to authenticate, though, there are no logs coming through to the remote agent. So maybe it is not being sent to the remote agent?
    In the failed authentications log on the ACS the error is unknown user, it does show the correct username + domain as the person trying to authenticate.
    The Windows server is setup for unknown user policy.
    ACS version is 4.1.1.23, Remote Agent is latest version available.
    Any ideas or things to check?

    Hi,
    As per your last line, it seems that the ACS and RA versions are not the same. Please note that the ACS appliance and RA software versions have to be the same, else it won't work.
    Regards,
    ~JG

  • ACS Appliance "ADClient"

    Hello,
    We have been continuously getting the below messages on the ACS appliance.
    monit[4578]: 'adclient' process is not running
    monit[4578]: 'adclient' trying to restart
    monit[4578]: 'adclient' start: /opt/CSCOacs/bin/exec_wrapper.sh
    ACS adclient INFO: Run, Initializing DB query...
    ACS adclient ERROR: log4j:WARN No appenders could be found for logger (org.hibernate.cfg.Environment).
    ACS adclient ERROR: log4j:WARN Please initialize the log4j system properly.
    Also we have been facing issues where intermittently clients are not able to authenticate. We are using WPA2/802.1x. The ACS appliance is running on 5.1.
    Any help appreciated.
    Thank you.

    Hello,
    I am experiencing the same problem with a secondary ACS running in a virtual appliance. The ACS version is 5.2.0.26.6. Rebooting the VM didn't solve the problem. I'm still able to collect some logs and here is what I found:
    Oct  6 18:50:47 ACSSLAVE2 monit[5031]: 'adclient' process is not running
    Oct  6 18:50:47 ACSSLAVE2 monit[5031]: 'adclient' trying to restart
    Oct  6 18:50:47 ACSSLAVE2 monit[5031]: 'adclient' start: /opt/CSCOacs/bin/exec_wrapper.sh
    Oct  6 18:50:47 ACSSLAVE2 ACS adclient INFO: Run, Initializing DB query...
    Oct  6 18:50:47 ACSSLAVE2 ACS adclient ERROR: log4j:WARN No appenders could be found for logger (org.hibernate.cfg.Environment).
    Oct  6 18:50:47 ACSSLAVE2 ACS adclient ERROR: log4j:WARN Please initialize the log4j system properly.
    Oct  6 18:50:48 ACSSLAVE2 monit[5031]: 'adclient' failed to start
    Did you manage to solve your problem and get the "adclient" process started?
    Thanks,
    Vincent
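    Added example, not code from the thread: a small Python detector that runs over the monit and adclient lines Vincent posted and reports, per host and process, how many restarts monit attempted, whether the start failed, and which application errors appeared in between. The syslog-prefixed line layout, the process name "sampled" and its constructed "process is running with pid" line are assumptions made for the example.

```python
import re
from collections import defaultdict

# Matches the syslog-prefixed monit lines quoted in the thread:
#   "<Mon dd hh:mm:ss> <host> monit[<pid>]: '<proc>' <event>"
MONIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"monit\[\d+\]: '(?P<proc>[^']+)' (?P<event>.+)$"
)
# Matches the application errors the wrapper script emits between monit messages:
#   "<ts> <host> ACS <proc> ERROR: <message>"
APP_ERR_RE = re.compile(
    r"^\S+\s+\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) ACS (?P<proc>\S+) ERROR: (?P<msg>.+)$"
)

# Sample input: Vincent's lines, plus a constructed restart of a hypothetical
# process "sampled" that comes back, so the report shows both outcomes.
SAMPLE_LOG = """\
Oct  6 18:50:47 ACSSLAVE2 monit[5031]: 'adclient' process is not running
Oct  6 18:50:47 ACSSLAVE2 monit[5031]: 'adclient' trying to restart
Oct  6 18:50:47 ACSSLAVE2 monit[5031]: 'adclient' start: /opt/CSCOacs/bin/exec_wrapper.sh
Oct  6 18:50:47 ACSSLAVE2 ACS adclient INFO: Run, Initializing DB query...
Oct  6 18:50:47 ACSSLAVE2 ACS adclient ERROR: log4j:WARN No appenders could be found for logger (org.hibernate.cfg.Environment).
Oct  6 18:50:47 ACSSLAVE2 ACS adclient ERROR: log4j:WARN Please initialize the log4j system properly.
Oct  6 18:50:48 ACSSLAVE2 monit[5031]: 'adclient' failed to start
Oct  6 18:51:02 ACSSLAVE2 monit[5031]: 'sampled' process is not running
Oct  6 18:51:02 ACSSLAVE2 monit[5031]: 'sampled' trying to restart
Oct  6 18:51:30 ACSSLAVE2 monit[5031]: 'sampled' process is running with pid 6012
"""

def summarise(log_text):
    """Aggregate monit events and app errors into {(host, proc): record}."""
    procs = defaultdict(lambda: {"restart_attempts": 0, "failed_starts": 0,
                                 "app_errors": [], "last_event": None})
    for line in log_text.splitlines():
        m = MONIT_RE.match(line)
        if m:
            rec = procs[(m["host"], m["proc"])]
            if m["event"] == "trying to restart":
                rec["restart_attempts"] += 1
            elif m["event"] == "failed to start":
                rec["failed_starts"] += 1
            rec["last_event"] = m["event"]
            continue
        a = APP_ERR_RE.match(line)
        if a:  # keep the cause next to the verdict for the on-call engineer
            procs[(a["host"], a["proc"])]["app_errors"].append(a["msg"])
    return dict(procs)

def verdict(rec):
    if rec["failed_starts"]:
        return "FAILED"       # monit tried and reported the start failed
    ev = rec["last_event"] or ""
    if ev in ("process is not running", "trying to restart") or ev.startswith("start:"):
        return "RESTARTING"   # restart in flight, no outcome logged yet
    return "OK"

def report(log_text):
    return {f"{h}/{p}": verdict(r) for (h, p), r in summarise(log_text).items()}

if __name__ == "__main__":
    for key, status in report(SAMPLE_LOG).items():
        print(f"{key}: {status}")
```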

  • ACS Appliance - Advance filtering

    Hi all
    Quick question about my NAC setup on the ACS appliance.
    I have created a number of Network Access Profiles from the templates that ACS provides. All is working fine but my question is in regards to the Advanced Filtering under the NAP.
    When I created a template to support L2-802.1x users it placed the following attributes into my advanced filter:
    [026/009/001]cisco-av-pair not-exist aaa:service
    [006]Service-Type != 10
    And when I created a template to support mac-auth-bypass it placed these following attributes into my advanced filter:
    [026/009/001]cisco-av-pair not-exist aaa:service
    [006]Service-Type = 10
    What does the following line do?
    [026/009/001]cisco-av-pair not:exist aaa:service
    And what do these 2 lines do exactly?
    [006]Service-Type != 10
    [006]Service-Type = 10
    Thanks
    Dale

    "cisco-av-pair not:exist aaa:service"
    means to match, the incoming request must NOT include a cisco-av-pair VSA attribute that contains the value "aaa:service=........"
    remembering that the cisco-av-pair is like a container for TACACS+ style attributes of the form "protocol:attr=value", e.g. "ip:addr=1.2.3.4"
    RADIUS Service-Type 10 is "Framed Routing" which has been reused for some purpose by the NAC people. Not sure what it denotes but your filters are looking this attribute != (not equal to) and equal to this value.
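    As an added illustration of the answer above (not code from the thread), this Python evaluator applies the two advanced filters Dale quoted to constructed Access-Requests and shows which profile each request lands in. The request model, the profile names and the rule that a comparison against an absent attribute never matches are assumptions; both spellings seen on the page ("not-exist" and "not:exist") are accepted.

```python
import re
from typing import Dict, List

# Parses ACS NAP "Advanced Filtering" lines such as
#   [026/009/001]cisco-av-pair not-exist aaa:service
#   [006]Service-Type != 10
FILTER_RE = re.compile(
    r"^\[(?P<attr_id>[\d/]+)\](?P<attr>\S+)\s+"
    r"(?P<op>not-exist|not:exist|exist|!=|=)\s*(?P<value>.*)$"
)

# Constructed model of an Access-Request: attribute name -> value.
# cisco-av-pair can repeat, so it is a list of "protocol:attr=value" strings.
Request = Dict[str, object]

def parse_filter(line: str):
    m = FILTER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised filter line: {line!r}")
    return m["attr"], m["op"].replace(":", "-"), m["value"].strip()

def rule_matches(req: Request, attr: str, op: str, value: str) -> bool:
    if attr == "cisco-av-pair":
        # the VSA "contains aaa:service" when any pair's protocol:attr part equals it
        pairs = req.get("cisco-av-pair") or []
        hit = any(p.split("=", 1)[0] == value for p in pairs)
        return (not hit) if op == "not-exist" else hit
    present = attr in req
    if op == "exist":
        return present
    if op == "not-exist":
        return not present
    if not present:
        return False  # assumption: comparing against an absent attribute never matches
    if op == "=":
        return int(req[attr]) == int(value)
    if op == "!=":
        return int(req[attr]) != int(value)
    raise ValueError(op)

def profile_matches(req: Request, filter_lines: List[str]) -> bool:
    # every line of the advanced filter must match for the request to hit the profile
    return all(rule_matches(req, *parse_filter(line)) for line in filter_lines)

# The two filters quoted in the question, keyed by the template names mentioned
PROFILES = {
    "L2-802.1x": ["[026/009/001]cisco-av-pair not-exist aaa:service",
                  "[006]Service-Type != 10"],
    "MAC-Auth-Bypass": ["[026/009/001]cisco-av-pair not-exist aaa:service",
                        "[006]Service-Type = 10"],
}

def classify(req: Request) -> List[str]:
    """Names of the profiles whose advanced filters all match this request."""
    return [name for name, lines in PROFILES.items() if profile_matches(req, lines)]

# Constructed samples (RFC 2865 Service-Type: 2 = Framed, 10 = Call-Check;
# NAS-Port-Type: 15 = Ethernet, 19 = Wireless-802.11)
DOT1X_REQUEST: Request = {"User-Name": "jdoe", "Service-Type": 2, "NAS-Port-Type": 19}
MAB_REQUEST: Request = {"User-Name": "001122334455", "Service-Type": 10, "NAS-Port-Type": 15}
SHELL_REQUEST: Request = {"User-Name": "admin", "Service-Type": 2,
                          "cisco-av-pair": ["aaa:service=shell"]}

if __name__ == "__main__":
    for name, req in [("802.1x", DOT1X_REQUEST), ("MAB", MAB_REQUEST), ("shell", SHELL_REQUEST)]:
        print(f"{name:>6}: {classify(req) or ['no profile']}")
```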

  • Installing Cert on ACS Appliance

    I am trying to install a Cert on an ACS Appliance V3.2. I have created the cert using a MS CA on our network but when I try and install it says that the Private Key file cannot be blank. Any help would be appreciated.
    -clyde

    I had the same problem. Cisco's only help was to tell me that ACS Ver 3.2.3 only supported key sizes of 1024 bits minimum (our root CA had a key size of 512).
    I resolved this by uninstalling the ACS then installing the root CA certificate on the server, next I made an enrollment request to the CA for the ACS's own certificate which was subsequently downloaded and installed.
    After re-installing the ACS server, I just selected "use certificate from storage" rather than "use certificate from file"

  • For those having EAP auth issue using the ACS appliance

    Thought I'd pass along my config and resolution to an issue I was having concerning EAP-TLS auth on an ACS appliance.
    We have two ACS Solution Engines (3.2.2) running and doing a database synch and using Generic LDAP as the external database. We did the certificate walk through for the ACS and then turned on EAP-TLS auth. We are trying to use EAP-TLS auth for wireless access through our AP1200s and Windows XP laptops, but we kept getting errors.
    After digging for days I found out that when you request a certificate it pulls the CN name. Our CN name in Active Directory did not match our login name. I changed my CN name to match my login name and I was then able to grab a certificate and authenticate using EAP-TLS for our wireless.
    I am in the process of upgrading our ACSes to ver 3.3.2 so that I can run the Remote Agent for Windows on a Windows 2003 server and then use the Windows database as the external database and not Generic LDAP.
    I hope this helps someone!
    Jeff

    The document discusses the Extensible Authentication Protocol Transport Layer Security (EAP-TLS) authentication protocol deployment in wireless networks.
    http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/acstl_wp.htm