ACS maximum user ID..

Similar Messages

• Cisco ACS 5.4 + Anyconnect 3.1 NAM with 802.1x, problem with changing ACS Radius user password

  Dear all,
  Presently, we are testing 802.1x using Cisco ACS 5.4 and Cisco Anyconnect v3.1 as 802.1x supplicant. We have created predefined NAM profiles (with Cisco Profile Editor) and applied as default in on our test machine. We are using PEAP (MsCHAPv2) and ACS local user credentials for authenticating process. We have noticed that, when we try to authenticate the network with predefined profile (network profile has Administrator Network privileges) and Windows user on test machine has no Admin privileges we are not able to change ACS user password (checked "Change password on next login" in the ACS user profile). In the Monitoring and Report View we get Failure Reason "24203 User need to change password"  but no popup window apears in Anyconnect. When we change Windows local user privileges to Admin or create Anyconnect network profile localy (privileges User Network) then, we are able to finish the process.
  Have you ever been facing the problem described above. Is it Anyconnect bug? How can we fix it?
  Best regards,
  Piotr

  If this happens with all machines then if a microsoft guy can look the app logs/privileges. It seems the app is requesting privilege that it is not authorized to and that's why the propmt window fails to appear. If we know what that privilege is we can probably fix it. If that privilege is not even required for smooth work Cisco need probably to fix this behavior.
  I am sorry if I am not able to help but I am not using the anyconnect for production.
  Regards,
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• PRVF-4354 : Proper hard limit for resource "maximum user processes"

  Dear All,
  I am trying to install oracle 11g release 2 on solaris 10 operating system with x86 64 bit architecture for testing purpose.... I have completed all prerequisites for the installation but i am facing the following error..
  if anybody can guide me how to resolve this issue..
  Hard Limit: maximum user processes -
  This is a prerequisite condition to test
  whether the hard limit
  for "maximum user processes" is set to at least 16384.
  Expected Value  : 16384
  Actual Value  : 16341
   List of errors:
  PRVF-4354 : Proper hard limit for resource "maximum user processes" not found on node "db1"
  [Expected = "16384" ; Found = "16341"]  -
  Cause:  Hard limit for the resource does not meet the requirement on the specified node.  -
  Action:  Modify the resource limits to meet the requirement.

  Hi all,
  in my open source project I am doing the Solaris kernel modification with the following commands:
  # RAM_MB=`prtconf |grep Memory|awk '{print $3 }'`
  # echo $RAM_MB
  3072
  # SHMMAX=`expr $RAM_MB  \* 1024 \* 1024 \* 70 / 100`
  # echo $SHMMAX
  2254857830
  # projadd -U oracle user.oracle
  # projmod -s -K "project.max-sem-ids=(priv,100,deny)" user.oracle
  # projmod -s -K "process.max-sem-nsems=(priv,256,deny)" user.oracle
  # projmod -s -K "project.max-shm-memory=(priv,$SHMMAX,deny)" user.oracle
  # projmod -s -K "project.max-shm-ids=(priv,100,deny)" user.oracle
  # projmod -s -K "process.max-file-descriptor=(priv,65536,deny)" user.oracle
  # echo "set max_nprocs = 30000"  >> /etc/system
  # echo "set maxuprc = 16384"     >> /etc/system
  # init 6furthermore you can check the current max allowed user processes with a command like:
  # kstat |grep v_maxup
          v_maxup                         16384
          v_maxupttl                      29995Cheers,
  David
  OCP 9i
  http://www.oratoolkit.ch/otn.php

• How to compute maximum user per AP

  Hi Guys,
  Im setting up my WLAN, im confused because i dont know how do i compute the maximum user per client per AP. Im using AP 1020 series. For example if i have 20 clients if 802.11b,c,a how's the bandwith is being affected when the number of user is increasing.
  Thanks,
  Jong

  Hi Jong,
  Here is a cisco doc that relates to this question;
  Q. How many clients can associate to the AP?
  A. The AP has the physical capacity to handle 2048 MAC addresses. However, because the AP is a shared medium and acts as a wireless hub, the performance of each user decreases as the number of users increases on an individual AP. Ideally, not more than 24 clients should associate with the AP because the throughput of the AP is reduced with each client that associates to the AP.
  From this Q&A doc;
  http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a008009483e.shtml
  Have a look at this great thread that has some "Real World" answers from
  Scott,Matthew,Mark and Emily (one of my all time favourite questions);
  http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=WLAN%20Radio%20Standards&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddb85ec/0#selected_message
  Hope this helps!
  Rob

• GXD:auto logout (maximum user idle time excedded)

  Hi Gurus
  I am connecting to an PI System and an R/3 System through AT & T dialler network. after logging into the systems, i am going through different scenarios and code in the respective systems. Till 15 to 20 minutes it working fine, afetr that i am getting the following error "GXD:auto logout (maximum user idle time excedded)" and "BDV:auto logout (maximum user idle time excedded)".
  i have checked the profile parameetr instance "rdisp/gui_auto_logout" , In R/3 system it is given as 1800 and in PI system i do not have the authorization.
  Please help me to resolve the issue.
  I am working on client netowrk, shld i raise the issue with the basis Guys or it will be handled locally by the network guys.
  Please help
  Tahnking You

  Hi Arjun,
  You can contact your BASIS/ADMIN team and ask them to increase the time interval for rdisp/gui_auto_logout so that your login will remain for long time.
  Also check the link below for ref....
  http://help.sap.com/saphelp_nw04/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm
  Thanks and Regards,
  Naveen

• ACS Appliance User DB to new non-appliance ACS server

  Is it possible to replicate an ACS appliance user DB and replicate it on a new non-appliance ACS server. We're adding additional ACS servers and don't want to re-create all the groups and mappings. Think of it as ghosting an appliance and restoring it on a new server. Thx

  Here is the link,
  http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080742f60.shtml
  Here is the troubleshooting check list, in case you face any issue,
  1) Make sure that you are not replicating over NAT. Replication over NAT does not work because the IP is used as part of the server authentication
  2) Next, check to make sure that you are not sending or receiving the distribution table. On the primary server, the distribution table should not be checked in the send list, and on the secondary, the distribution table should not be checked for receive.
  3) Then I would like you to check in the secondary server's partner list, to make sure that the primary is not listed. You should not enter the primary server into the partner list on the secondary server. However, the primary server should have all secondary servers listed in its partner list.
  4) Ensure that the secondary server has it's replication scheduling set to "manual".
  5) Please verify that your servers are all running exactly the same ACS version and build.
  6) Also let me know if we have any firewall in between two acs servers.
  Regards,
  ~JG

• Maximum User Accounts supported by Windows-2003 server

  I want to know the maximum limit of User Accounts supported by Window 2003 Server Logically. I think physically it depends upon Hardware and network infrastructure. So want to know logical limit. I heard about window 2000, that it supports near about 16000
  and NT server 4.0 supports 40000 User accounts. But there is no source on the web to know about win2k3's Maximum Users account limit...
  Thanks...

  This article documents the scalability limits of Active Directory, including W2k3:
  https://technet.microsoft.com/en-us/library/cc756101.aspx
  Per the article, the maximum number of security principals (total of all users, groups, computers, and all objects with SIDs ever created) in Windows Server 2003 AD is 2^30 or 1,073,741,823.
  Richard Mueller - MVP Directory Services

• Maximum users on ACS Solution Engine 3.3

  Hello,
  I need to know the maximum supported number of users in the local database of the CiscoSecure ACS Solution Engine 3.3 (the appliance) ?
  Is there a document about this ?
  Thank you !
  Patrice

  The client version of Mac OS X supports a maximum of 10 AFP clients. It's always been that way.
  If you want more than 10 AFP clients you need to move to Mac OS X Server (unlimited) which can support any number of concurrent users.

• ACS INTERNAL USER issue with 4.2.(1) build 15

  Hi all,
              I am facing an issue with my ACS server, nothing to difficult,but which bug me. I have an internal user, this user is able to access some cisco devices and can't access some. There is no Network access Restrict set for the username. The log shows when access is granted to a device, the server map the user to correct user group; however,when the user fails authentication the log shows default user group! which indicate that the user not always map to the correct user group.
  Thanks for the help,
  Jean Paul---

  The problem you're running in clearly indicates that either Network access restriction or Network access policies is configured for an user or group. Since you're positive that there is nothing configured on the NAR, lets narrow it down via logs.
  Duplicate the issue again with both the devices (working and non-working)
  With working devices, you would get the passed attempts >> copy and paste the log attempt as it is.
  With Non-working device, you would see failed attempt >> copy and paste the log attempt as it is.
  Regards,
  Jatin
  Do rate helpful posts-

• ACS External User Databases - Empty NT Group List

  I have a production ACS system that has multiple external NT domains for authenticating users.
  We are bringing up a new ADS domain that I need to authenticate against. We have created the trust. The domain shows up in the domain list. When I go to map a NT group to a ACS group, the NT group list is empty.
  The other domains show their NT groups.
  What is also noteworthy is that when I log into the ACS server desktop and try to the see the foreign domain groups via user manager, I get a "domain cannot be found". When the server admin logs in (he administers both domains), he get a list of the foreign groups in the user manager.
  What could be preventing ACS from see the groups in the external domain?
  Thanks for any assistance.
  Dan

  Hi,
  Try to set all ACS Services to "Log on As" using a domain admin account.
  Regards,
  Vivek

• ACS database users and passwords.

  Hi, i need to get all users and passwords from a acs 3.3 database unencrypted.
  How can i do it?
  Could you help me ?

  To get a list of the USers in the ACS database use the CSUTIL tool on Windows platform.
  go to bin directory under the ACS install folder and do
  CSUtil.exe -u
  this will generate a file "users.txt" in the same folder.
  But I dont think you can get the password in unencrypted form.

• Intergrating ACS with user database in windows DC

  Please,
  I just installed and configured ACS on window 2003 server on my network. The next task is to integrate the user database in my DC with the ACS. I need you to tell me in steps what else that need to be done.The documentaion is not specific.
  (I heard about 'remote agent' please what is this,and is it required?)

  I think you can map your DC groups to ACS group
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/qg.html#wp940538
  M.

• Maximum users, array members and applications

  Is there a limit for the following:
  Maximum concurrent users connected to an SSGD array?
  Maximum person objects in ENS?
  Maximum configured applications in ENS?
  Maximum applications linked to a profile?
  Maximum applications shown on the webtop?
  Maximum members of an SSGD Array (1 primary and x secondairies)?
  Thanks,
  Remold | Everett

  Is there a limit for the following:
  Maximum concurrent users connected to an SSGD array?no hard limit, max concurrent users is based on resources, RAM, CPU, networking.
  Maximum person objects in ENS?no hard limit again, with the use of Directory Servers, there is really no need to create person objects anymore. We have seen upto 3000 person objects in ENS before. No major problem seen.
  Maximum configured applications in ENS?no hard limit.
  Maximum applications linked to a profile?no hard limit, we've seen 100s of links in a profile before.
  Maximum applications shown on the webtop?no hard limit, but the more objects you have in webtop the more JVM Heap that will be consumed.
  Maximum members of an SSGD Array (1 primary and x
  secondairies)?rule of thumb is to try to keep it to 10 or less in an array. 1 primary (dedicated, no webtops or emulator sessions hosted off primary) and 9 secondary servers.
  You are alway better off using fewer larger capacity servers than many smaller capacity servers.
  >
  Thanks,
  Remold | Everett

• ACS Unknown User Discovery

  All,
  Can ACS send an event/snmp trap when it discovers unknown users?
  How will ACS administrators get notified when ACS discovers unknown users?
  Stephanie

  Hi Stephanie,
  Unfortunately there is no way to do this ACS use SNMP only for logging.
  ACS does not have this kind of alert. I will suggest to contact your account manager and open a new feature request.
  Regards,

• Disable caching ACS dynamic users

  Hi all!
  I have an ACS 3.3(2)b2 what use AD as an external DB. I experianced, that dynamic users created after successful authentication from the AD, and these users don't purge themself from the ACS internal DB. I did a test environment, and the same thing happened. I upgraded the ACS to 4.0, and the same thing happened.
  I find a mention in the ACS4.0 user guide, what says the following:
  "Users that are dynamically mapped will keep on being dynamically mapped even when their group
  mapping settings are modified to a group which is set to Disable caching of dynamically mapped users."
  So my question is, where can I disable caching of dynamically mapped users?
  Thanks a lot for the answers!
  By(e)
  Miki

  Miki,
  This is a feature that is added on ACS 4.2 see the release notes below:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html#wp90436
  Option of disabling caching of dynamic users-Administrators can determine whether they want to disable the creation of dynamic users while using an external database for authentication. Minimal performance disruption occurs when disabling caching of dynamic users.