ACS Query

Hi,
I have a Cisco ACS-1113. I want to connect it to an existing network.
My query: the ACS has two LAN interfaces. What's the use of the second interface, as the Cisco documents state "ACS SE supports the operation of either Ethernet connector, but not both connectors"?
Thanks
Nilesh

Nilesh,
ACS does not have routing capabilities. You need to make the ACS a part of a VLAN or any network. You need a router or layer 3 switch to do routing.
ACS can be in any network; please ensure that all network devices can reach the ACS and that TACACS 49 / RADIUS ports are open.
ACS--->Switch_vlan1 --->router---->switch_vlan2
VLAN2 devices should be able to communicate with VLAN1 and vice versa.
Please check out these white papers:
http://cisco.com/en/US/products/sw/secursw/ps2086/prod_white_papers_list.html
Regards,
~JG
Do rate helpful posts

Similar Messages

  • Cisco ACS Querying

    Is there a way to query the database of Cisco ACS 3.3 by real name or description field?

    No, not directly to ACS. But you can import the db into aaa-reports! where it can be :)
    Once the db is imported we have several canned reports for stuff like account status, inactive users, password aging etc. Also a load of TACACS+ device admin reports but also our visual query builder allows you to build up SQL queries using a point & click UI.
    http://www.extraxi.com/aaa-reports.htm

  • Unsucessful ACS to RADIUS token server exchange

    Hello team:
    We are having a hard time trying to make our ACS 4.2 talk to an external FreeRadius token server.
    When our ACS sends the Access-Request message, our FreeRadius token server answers with an Access-Accept message with zero attributes in the message. This answer, according to the ACS documentation, should be perfectly accepted by ACS when it works as a RADIUS client. However, our ACS considers this answer an error, and so the transaction fails.
    In order to compare with another platform working as our RADIUS server, we replaced our FreeRadius token server with another CS ACS. With this scenario, everything works! So we sniffed the ACS-to-ACS transaction and found that two RADIUS attributes are sent with the Access-Accept message:
    (1) Framed-IP = 255.255.255.255
    (2) Class = 0x434143533a302f356662622f37663030303030312f31383133
    We went back to our FreeRadius as the external RADIUS server of our ACS, and managed to make it generate and return exactly the previous kind of message to the ACS working as RADIUS client; however, when our ACS receives the RADIUS Access-Accept with these attributes, it still rejects the answer and fails.
    So we are missing something.
    Did anyone manage to make ACS query an external RADIUS server with success? We would appreciate any hints!!
    thank you very much in advance
    Rogelio Alvez
    Argentina

    Thanks for the interest Tarik!
    Here you have the debug from both sides ACS 4.2 and Freeradius in the same authentication event:
    ACS Debug from a terminal monitor
    2w1d: AAA/AUTHEN/CONT (4096347873): continue_login (user='(undef)')
    2w1d: AAA/AUTHEN (4096347873): status = GETUSER
    2w1d: AAA/AUTHEN (4096347873): Method=radius (radius)
    2w1d: AAA/AUTHEN (4096347873): status = GETPASS
    2w1d: AAA/AUTHEN/CONT (4096347873): continue_login (user='camara/829113')
    2w1d: AAA/AUTHEN (4096347873): status = GETPASS
    2w1d: AAA/AUTHEN (4096347873): Method=radius (radius)
    2w1d: RADIUS: ustruct sharecount=1
    2w1d: RADIUS: Initial Transmit tty7 id 175 192.168.0.3:1645, Access-Request, len 86
    2w1d:         Attribute 4 6 C0A800CB
    2w1d:         Attribute 5 6 00000007
    2w1d:         Attribute 61 6 00000005
    2w1d:         Attribute 1 15 63616D61
    2w1d:         Attribute 31 15 3139322E
    2w1d:         Attribute 2 18 893A4B64
    2w1d: RADIUS: Received from id 175 192.168.0.3:1645, Access-Reject, len 32
    2w1d:         Attribute 18 12 52656A65
    2w1d: RADIUS: saved authorization data for user 80E8A88C at 0
    2w1d: AAA/AUTHEN (4096347873): status = FAIL
    2w1d: AAA/AUTHEN/ABORT: (4096347873) because Invalid password.
    2w1d: AAA/MEMORY: free_user (0x80E8A88C) user='camara/829113' ruser='' port='tty7' rem_addr='192.168.0.202' authen_type=ASCII service=LOGIN priv=1
    2w1d: AAA: parse name=tty7 idb type=-1 tty=-1
    2w1d: AAA: name=tty7 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=7 channel=0
    2w1d: AAA/MEMORY: create_user (0x80E8B920) user='' ruser='' port='tty7' rem_addr='192.168.0.202' authen_type=ASCII service=LOGIN priv=1
    2w1d: AAA/AUTHEN/START (2072451976): port='tty7' list='pepe' action=LOGIN service=LOGIN
    2w1d: AAA/AUTHEN/START (2072451976): found list pepe
    2w1d: AAA/AUTHEN/START (2072451976): Method=radius (radius)
    2w1d: AAA/AUTHEN (2072451976): status = GETUSER
    Freeradius Debug
    rad_recv: Access-Request packet from host 192.168.0.3 port 3912, id=23, length=94
        User-Name = "camara/829113"
        NAS-IP-Address = 192.168.0.3
        NAS-Port = 6372
        NAS-Identifier = "CiscoSecure ACS v4.2(0.124)"
        User-Password = "\277\241\340t\312/\2303^;\216\233\3618\2179"
    # Executing section authorize from file /etc/freeradius/sites-enabled/vuserver
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [auth_log]     expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.3/auth-detail-20120714
    [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.3/auth-detail-20120714
    [auth_log]     expand: %t -> Sat Jul 14 18:42:32 2012
    ++[auth_log] returns ok
    [IPASS] Looking up realm "camara" for User-Name = "camara/829113"
    [IPASS] Found realm "DEFAULT"
    [IPASS] Adding Stripped-User-Name = "829113"
    [IPASS] Adding Realm = "DEFAULT"
    [IPASS] Authentication realm is LOCAL.
    ++[IPASS] returns ok
    [suffix] Request already proxied.  Ignoring.
    ++[suffix] returns ok
    ++[files] returns noop
    ++[control] returns noop
    rlm_perl: Response: 201: Succeeded
    rlm_perl: Added pair User-Name = camara/829113
    rlm_perl: Added pair User-Password = \277\241\340t\312/\2303^;\216\233\3618\2179
    rlm_perl: Added pair NAS-Identifier = CiscoSecure ACS v4.2(0.124)
    rlm_perl: Added pair Realm = DEFAULT
    rlm_perl: Added pair Stripped-User-Name = 829113
    rlm_perl: Added pair NAS-Port = 6372
    rlm_perl: Added pair NAS-IP-Address = 192.168.0.3
    rlm_perl: Added pair Class = 0x434143533a302f3265662f37663030303030312f31383133
    rlm_perl: Added pair Framed-IP-Address = 255.255.255.255
    rlm_perl: Added pair Auth-Type = Perl
    ++[perl] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    Found Auth-Type = Perl
    # Executing group from file /etc/freeradius/sites-enabled/vuserver
    +- entering group Perl {...}
    rlm_perl: Added pair User-Name = camara/829113
    rlm_perl: Added pair NAS-Identifier = CiscoSecure ACS v4.2(0.124)
    rlm_perl: Added pair User-Password = \277\241\340t\312/\2303^;\216\233\3618\2179
    rlm_perl: Added pair Realm = DEFAULT
    rlm_perl: Added pair NAS-IP-Address = 192.168.0.3
    rlm_perl: Added pair NAS-Port = 6372
    rlm_perl: Added pair Stripped-User-Name = 829113
    rlm_perl: Added pair Framed-IP-Address = 255.255.255.255
    rlm_perl: Added pair Class = 0x434143533a302f3265662f37663030303030312f31383133
    rlm_perl: Added pair Auth-Type = Perl
    ++[perl] returns ok
      WARNING: Empty post-auth section.  Using default return values.
    # Executing section post-auth from file /etc/freeradius/sites-enabled/vuserver
    Sending Access-Accept of id 23 to 192.168.0.3 port 3912
        Framed-IP-Address = 255.255.255.255
        Class = 0x434143533a302f3265662f37663030303030312f31383133
    Finished request 3.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 3 ID 23 with timestamp +575
    Ready to process requests.
    Inside the file archive.zip you'll find:
    cap_freeradius.cap (communication sniffed between the ACS and the Freeradius)
    captura2acsOK.pcapng (communication sniffed between the ACS 1 and the ACS 2, where everything is OK)
    If you need more information or output please let me know.
    Rogelio
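
Added example (not part of the original posts): a small decoder for the `Attribute <type> <length> <hex>` lines in the terminal-monitor debug above and for the hex Class value in the FreeRADIUS log. Attribute names follow RFC 2865; as the lengths in the log show, that debug prints only the first four value bytes, so longer values decode as prefixes. Function names are illustrative.

```python
import ipaddress
import re

# RFC 2865 attribute types seen in the debug output: number -> (name, value kind).
ATTRS = {
    1: ("User-Name", "text"),
    2: ("User-Password", "hidden"),
    4: ("NAS-IP-Address", "ipv4"),
    5: ("NAS-Port", "int"),
    18: ("Reply-Message", "text"),
    25: ("Class", "text"),
    31: ("Calling-Station-Id", "text"),
    61: ("NAS-Port-Type", "int"),
}
NAS_PORT_TYPE = {0: "Async", 1: "Sync", 5: "Virtual"}  # subset of RFC 2865 values

# Matches "Attribute <type> <length> <hex bytes>" anywhere in a debug line.
LINE_RE = re.compile(r"Attribute\s+(\d+)\s+(\d+)\s+((?:[0-9A-Fa-f]{2})+)\s*$")


def decode_debug_line(line):
    """Decode one 'Attribute T L HEX' debug line; return None for other lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    atype, length = int(m.group(1)), int(m.group(2))
    raw = bytes.fromhex(m.group(3))
    name, kind = ATTRS.get(atype, ("Attr-%d" % atype, "hex"))
    # The length field counts the 2-byte type/length header plus the value.
    truncated = len(raw) < length - 2
    if kind == "ipv4" and len(raw) == 4:
        value = str(ipaddress.IPv4Address(raw))
    elif kind == "int" and len(raw) == 4:
        number = int.from_bytes(raw, "big")
        label = NAS_PORT_TYPE.get(number) if atype == 61 else None
        value = "%d (%s)" % (number, label) if label else str(number)
    elif kind == "text":
        value = raw.decode("ascii", errors="replace")
    elif kind == "hidden":
        value = "<hidden>"  # User-Password is obfuscated with the shared secret
    else:
        value = raw.hex()
    return {"type": atype, "name": name, "value": value, "truncated": truncated}


def decode_class(hex_value):
    """Return a Class attribute given as 0x... hex as text when it is printable ASCII."""
    digits = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(digits)
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return raw.hex()
    return text if text.isprintable() else raw.hex()


# Lines copied from the debug output in the post above.
SAMPLE = """\
2w1d: RADIUS: Initial Transmit tty7 id 175 192.168.0.3:1645, Access-Request, len 86
2w1d:         Attribute 4 6 C0A800CB
2w1d:         Attribute 5 6 00000007
2w1d:         Attribute 61 6 00000005
2w1d:         Attribute 1 15 63616D61
2w1d:         Attribute 31 15 3139322E
2w1d:         Attribute 2 18 893A4B64
2w1d: RADIUS: Received from id 175 192.168.0.3:1645, Access-Reject, len 32
2w1d:         Attribute 18 12 52656A65
"""

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        attr = decode_debug_line(line)
        if attr is None:
            print(line.split(": ", 1)[-1])
        else:
            suffix = "..." if attr["truncated"] else ""
            print("    %-20s %s%s" % (attr["name"], attr["value"], suffix))
    print(decode_class("0x434143533a302f3265662f37663030303030312f31383133"))
```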

  • ACS Configuration Web Services: query problem

    I don't know if this is the correct place to ask, I couldn't find a specific ACS category.
    I am trying to do a query, according to chapter 4 in the ACS 5.3 Secure Access Control System 5.3
    My URL is:
    https://myurl/Rest/Identity/IdentityGroup/op/query
    doing a PUT request
    have a header of Content-Type: application/xml
    and my payload is:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <ns2:query xmlns:ns2="query.rest.mgmt.acs.nm.cisco.com">
        <criteria xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:SimpleFilter">
            <simpleFilter>
                <propertyName>identityGroup</propertyName>
                <operation>EQUALS</operation>
                <value>AllGroups:Migrated_Group:NetworkEngineer</value>
            </simpleFilter>
        </criteria>
        <numberofItemsInPage>100</numberofItemsInPage>
        <startPageNumber>1</startPageNumber>
    </ns2:query>
    I get back:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?><ns2:restResult xmlns:ns2="common.rest.mgmt.acs.nm.cisco.com"><errorCode>61000</errorCode><httpCode>400</httpCode><moreErrInfo>XML Parsing Error:  Unable to create an instance of com.cisco.nm.acs.mgmt.rest.query.AbstractFilter. </moreErrInfo><operationType>NOT_AVAILABLE</operationType><resourceType>NOT_AVAILABLE</resourceType><status>BAD_REQUEST</status></ns2:restResult>
    and a 400 Bad Request.
    Can you tell me what I am doing wrong?
    All I want to do is get a list of users who belong to that group?
    Jerry

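    I learned that a simple filter does not need the ... bracketing, so this would work:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <ns2:query xmlns:ns2="query.rest.mgmt.acs.nm.cisco.com">
        <criteria xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:SimpleFilter">
                <propertyName>identityGroup</propertyName>
                <operation>EQUALS</operation>
                <value>AllGroups:Migrated_Group:NetworkEngineer</value>
        </criteria>
        <numberofItemsInPage>100</numberofItemsInPage>
        <startPageNumber>1</startPageNumber>
    </ns2:query>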

  • ACS server replication Query

    Hi All,
    I have two ACS servers, primary and secondary. A new secondary server is to be deployed into the network. My primary ACS server has 1000 AAA clients configured, with 15000 user IDs configured in multiple group profiles. My question is: when I do database replication between primary and secondary, will the entire database be replicated from my primary server to the secondary server (all AAA clients, end users, group profiles, interface configuration, etc.), or does replication have restrictions on the database?
    In total: will AAA clients and user IDs be in one database backup, or will they reside in different locations?
    Kindly clarify this for me. Thank you.

    Hi,
    The entire database will get overwritten in case of a database restore.
    You use ACS Database Replication to copy various components of the ACS internal database to other ACSs. This method can help you plan a failover AAA architecture, and reduce the complexity of your configuration and maintenance tasks.
    The components that can be replicated are:
    User and group database
    Group database only
    Network Configuration Device tables
    Distribution table
    Interface configuration
    Interface security settings
    Password validation settings
    EAP-FAST master keys and policies
    Network Access Profiles
    Logging Configuration (Enable/Disable Settings)
    The following link will give you details of the database replication.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAdv.html#wp756304
    Hope this helps.
    Regards,
    Anisha
    P.S.: Please mark this thread as resolved if you feel your query is resolved. Do rate helpful posts.

  • Query on CW ACS & NCM sync with IBM Netcool

    Hi Expert,
    Do Cisco Works ACS and NCM support re-synchronisation of events when they integrate with IBM Netcool?
    Thanks in advance
    Rgds,
    Kumar

    Lance,
    What is the URL set to for the SFTP repository? Is it the IP address or the hostname? Here is a thread that may help:
    https://supportforums.cisco.com/thread/2139851
    thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ACS Upgrade query

    Hi
    I have upgraded the ACS solution engine from 4.2.0 to 4.2.1 successfully. I have upgraded the ACS software and the appliance management software. Should I upgrade the base image also? I didn't find the base image in the Cisco download section for ACS.
    Thanks in advance
    Anvar

    Hi Anvar,
    You don't need to upgrade the base image, as the most current, I guess, is 4.2.0.
    Thanks
    Waris Hussain.

  • Upgrade ACS V3.2 - V4.0 Tacacs/Radius Key Query

    Hi All
    I am in the process of upgrading my ACS server from V3.2 to V4.0
    I have a Production Server which will be replaced by the New Production Server and A Test Server for upgrading the ACS Database.
    I have successfully upgraded from V3.2 to V3.3 then to V4.0 on my test server.
    My original plan was to upgrade the database with my Test Server and Restore it to my New Production Server.
    Just copy the new V4.0 database to the New Production Server and change the IP address to the old server's address.
    However, looking through the database, there are sections which are hardcoded with the test server's hostname.
    This has forced me to rethink my original plan and to use the original server's hostname.
    This also got me thinking what else is hardcoded in the database.
    My question is - When I installed V3.2 on my test server
    Under the Tacacs+ or Radius Key section - do I need to put the same key as the original V3.2 database or will this key change when I come to restore the original database on the test server ?
    I am just concerned that my radius/tacacs clients will not authenticate with the new server when it is put in to production with the new V4.0 database.
    Thanks in advance

    Hi,
    The "hard-coded" things will change automatically once the database is restored on the new server.
    The only thing which you would need to take care of is the change in IP address, such that the clients send the request to the right ACS.
    Regards,
    Vivek

  • Need Help With ACS LDAP setup to Query AD

    I have 2 Win 2003 ADs, one of them is configured and working under Windows Database (using remote agent) configuration. I am trying to setup the second AD with Generic LDAP setup. I want to know what exactly I should use in the fields UserObjectType and Class, and GroupObjectType and Class for Windows 2003 AD. All Cisco documents give example of Netscape LDAP syntax. I was told by our server admin. what to put under Admin DN, CN=myid,OU=mygroup,OU=myorg,DC=mydomain,DC=com
    I have both user & group directory subtree fields filled with DC=mydomain,DC=com.
    I am using the ip address for Primary LDAP server, and port is 389, LDAP version 3 is checked.
    Is any of these DC, OU, etc. case sensitive?
    With all entries that I have tried, when I go to map a group, I am getting error "LDAP server NOT reachable. Please check the configuration". My ACS can ping the domain controller's IP address fine.
    Please help. Thank you in advance,
    Murali

    Murali,
    These references may help...
    http://download.microsoft.com/download/3/d/3/3d32b0cd-581c-4574-8a27-67e89c206a54/uldap.doc
    http://www.microsoft.com/technet/archive/winntas/plan/dda/ddach02.mspx?mfr=true
    http://technet.microsoft.com/en-us/library/aa996205.aspx
    Regards,
    Richard

  • ACS authorization query

    Hi,
    I would like to know what are the configurations required in Cisco ACS for authorization.
    I have done the following configurations in the switch.
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    radius-server host 10.240.252.247
    radius-server key greenland.123
    Thanks.
    Rgds.,
    Sack

    Hi Narayan,
    Sorry, I pasted the wrong configurations in the forum. The actual configurations in the device are as follows:
    aaa authorization config-commands
    aaa authorization exec default group radius local
    radius-server host 10.240.252.247
    radius-server key xxx
    I would like to know what configurations are required in the ACS server with respect to authorization, as we are using RADIUS. Do we need to add anything else apart from adding the client in ACS?
    Thanks.
    Rgds.,
    Sachin

  • Can I obtain access token from ADFS 3.0 based on OAuth ACS-token that I already have?

    Hello!
    I have the following setup: iOS device, ACS/WAAD is IDP and ADFS 3.0 as RP, securing access to WIF web service.
    I want iOS application users to be able to access ADFS-protected web-service.
    I have created some users in WAAD, configured trust between ACS IDP and ADFS RP.
    ADFS is registered in WAAD with AppID = ADFSAppID
    I am doing the following request in order to obtain authorization token for iOS app user from ACS:
    const string issuerName = "[email protected]";
    const string issuerPassword = "Password!23";
    var authContext = new AuthenticationContext("https://login.windows.net/ADFSAppID");
    var uc = new UserCredential(issuerName, issuerPassword);
    var result = authContext.AcquireToken("http://adfs.appdomain.com/adfs/services/trust",
    "ADFSAppID",
    uc);
    _authHeader = result.CreateAuthorizationHeader();
    So, I have a token from ACS in JWT format.
    Now I need to present this token to ADFS in order to obtain a new token that I can use to access the web-service. I am trying the following POST-query:
    https://adfs.appdomain.com/adfs/oauth2/token?grant_type=authorization_code&code={0}&client_id=ADFSAppID&redirect_uri=http://web_service_url
    However, when I try accessing web service with that token, I am getting 403:unauthorized and redirected back to ADFS.
    I have already tried lots of code solutions, such as
    http://leastprivilege.com/2010/10/28/wif-adfs-2-and-wcfpart-6-chaining-multiple-token-services/
    http://www.cloudidentity.com/blog/2013/07/30/securing-a-web-api-with-windows-server-2012-r2-adfs-and-katana/
    http://blog.scottlogic.com/2015/03/09/OAUTH2-Authentication-with-ADFS-3.0.html
    But somehow the problem remains: I cannot get such authentication token from ADFS that it is accepted by my webservice as a valid token.
    Can anybody provide any links or code samples of token exchange between ACS and ADFS?

    Yes, it is. I was able to authenticate normally, if I am using ADFS as IdP for WIF RP.
    But when Azure is IdP for ADFS-protected WIF WS, I am unable to get tokens that would be accepted by WIF WS

  • ACS 5.3 Dot1x for Wired/Wireless

    Hi Community,
    I have a query regarding ACS 5.3 installation. I have wired and wireless clients in my setup, with Nexus 5k and 45k switches and WLC-5508. Also, we are using Microsoft AD to authenticate clients for network access.
    My questions are:
    1. Can we configure dot1x in this scenario to use password only (no certificates needed at all)? Or do we need certificates in order to configure it perfectly (like AD and ACS sync issues etc.)?
    2. If yes, can someone point to any good docs that can help?
    Regards,
    Hammad

    Hi Jatin,
    Thanks for the tips earlier. However, I installed ACS 5.4 and then configured the server from scratch.
    I am getting MAB as well as Dot1X authentication. But two different users are getting two different results for Dot1X. Wondering why this is happening. Is it an ACS/switch config issue, or is it related to AD?
    I am finding one user is getting perfectly authenticated while the Other is showing "Authorization failed" yet still able to access the NW.
    #$cation sessions interface tenGigabitEthernet 1/1/12
               Interface: TenGigabitEthernet1/1/12
             MAC Address: 28d2.4421.109c
               IP Address: 10.160.193.100
               User-Name: ABC\shuser
                   Status: Authz Success
                   Domain: DATA
         Security Policy: Should Secure
         Security Status: Unsecure
           Oper host mode: multi-auth
         Oper control dir: both
           Authorized By: Authentication Server
            Vlan Policy: N/A
                 ACS ACL: xACSACLx-IP-SSH-PERMIT-ALL-5270ce52
         Session timeout: N/A
             Idle timeout: N/A
       Common Session ID: 0AA000010000010548A006AC
         Acct Session ID: 0x000007A4
                   Handle: 0xA1000106
    Runnable methods list:
           Method   State
           dot1x   Authc Success
    CS01#
    CS01#
    CS01#$cation sessions interface tenGigabitEthernet 1/1/12
               Interface: TenGigabitEthernet1/1/12
             MAC Address: 28d2.4421.109c
               IP Address: 10.160.193.100
               User-Name: host/TESTPC01.sportshub.com.sg
                   Status: Authz Failed
                   Domain: DATA
         Security Policy: Should Secure
         Security Status: Unsecure
           Oper host mode: multi-auth
         Oper control dir: both
           Authorized By: Authentication Server
             Vlan Policy: N/A
         Session timeout: N/A
             Idle timeout: N/A
       Common Session ID: 0AA000010000010648A11C04
         Acct Session ID: 0x000007AD
                   Handle: 0x61000107
    Runnable methods list:
           Method   State
           dot1x   Authc Success
    ================================
    SWITCH PORT CONFIG:
    int ten1/1/9
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    authentication host-mode multi-auth
    authentication violation restrict
    dot1x timeout tx-period 10
    dot1x timeout quiet-period 20
    authentication timer reauthenticate server
    dot1x max-reauth-req 3
    Regards,
    Hammad

  • ACS 5.3 - command sets not working

    We installed ACS 5.3 on VMware - CentOS, and a Cisco router is configured to authenticate to this TACACS+ server.
    I am able to log in to the router using the specified TACACS username/password and am also able to see the hits in the policy, as below.
    But the command sets are not working as defined. Please help me find the problem.
    # | Name | Identity Group | NDG:Location | NDG:Device Type | Time And Date | Command Sets | Shell Profile | Hit Count
    1 | RO ACCESS | in All Groups:READ ONLY ACCESS | in All Locations | in All Device Types | -ANY- | READ ONLY POLICY | RO SHELL | 10
    2 | RESTRICTED ACCESS | in All Groups:RESTRICTED ACCESS | in All Locations | in All Device Types | -ANY- | RESTRICTED USER POLICY | Permit Access | 1
    3 | SUPER ADMIN ACCESS | in All Groups:FULL ACCESS | in All Locations | in All Device Types | -ANY- | PERMIT ALL POLICY | Permit Access | 0

    Logs for such a RO-read only user login
    AAA Protocol > TACACS+ Authentication Details
    Date: August 27, 2012
    Generated on August 28, 2012 7:13:37 AM UTC
    Authentication Details
    Status: Passed
    Failure Reason:
    Logged At: Aug 27, 2012 12:18 PM
    ACS Time: Aug 27, 2012 12:18 PM
    ACS Instance: acsserver
    Authentication Method: PAP_ASCII
    Authentication Type: ASCII
    Privilege Level: 15
    User
    Username: muthu
    Remote Address: 172.20.1.25
    Network Device
    Network Device: Default Network Device
    Network Device IP Address: 192.168.251.26
    Network Device Groups: Device Type:All Device Types, Location:All Locations
    Access Policy
    Access Service: TAFE POLICY1
    Identity Store: Internal Users
    Selected Shell Profile: RO SHELL
    Active Directory Domain:
    Identity Group: All Groups:READ ONLY ACCESS
    Access Service Selection Matched Rule: Rule-2
    Identity Policy Matched Rule: Default
    Selected Identity Stores: Internal Users, Internal Users
    Query Identity Stores:
    Selected Query Identity Stores:
    Group Mapping Policy Matched Rule: Default
    Authorization Policy Matched Rule: RO ACCESS
    Authorization Exception Policy Matched Rule:
    Other
    ACS Session ID: acsserver/132692348/212
    Service: Login
    AV Pairs:
    Response Time: 4
    Other Attributes:
    ACSVersion=acs-5.3.0.40-B.839
    ConfigVersionId=97
    Protocol=Tacacs
    Type=Authentication
    Action=Login
    Port=tty194
    Action=Login
    Port=tty194
    UserIdentityGroup=IdentityGroup:All Groups:READ ONLY ACCESS
    Authentication Result
    Type=Authentication
    Authen-Reply-Status=Pass
    Steps
    Get TACACS+ default network device setting.
    Received TACACS+ Authentication START Request
    Evaluating Service Selection Policy
    Matched rule
    Selected Access Service - TAFE POLICY1
    Returned TACACS+ Authentication Reply
    Get TACACS+ default network device setting.
    Received TACACS+ Authentication CONTINUE Request
    Using previously selected Access Service
    Evaluating Identity Policy
    Matched Default Rule
    Selected Identity Store - Internal Users
    Looking up User in Internal Users IDStore - muthu
    Found User in Internal Users IDStore
    TACACS+ will use the password prompt from global TACACS+ configuration.
    Returned TACACS+ Authentication Reply
    Get TACACS+ default network device setting.
    Received TACACS+ Authentication CONTINUE Request
    Using previously selected Access Service
    Evaluating Identity Policy
    Matched Default Rule
    Selected Identity Store - Internal Users
    Looking up User in Internal Users IDStore - muthu
    Found User in Internal Users IDStore
    Authentication Passed
    Evaluating Group Mapping Policy
    Matched Default Rule
    Evaluating Exception Authorization Policy
    No rule was matched
    Evaluating Authorization Policy
    Matched rule
    Returned TACACS+ Authentication Reply

  • ACS 5.3 Incremental BackUp Issue

    We have ACS 5.3 and it turns back to "Off" by itself and doesn't perform incremental backup. I turned it "On" several times, but it keeps on turning "Off"
    Version: 5.3.0.40.8 in VM environment.

    Hi Kumar2000,
    I tried to answer anas query here, you may want to go through the same.
    https://supportforums.cisco.com/discussion/12142716/acs-inceremental-backup-turns
    Regards,
    Jatin Katyal
    *Do rate helpful posts*

  • Private key file from acs 3.3

    Hi All,
    I have my SSL server certificate on my old ACS 3.3, along with the private key file. How can I export this private key file with a .pem extension from the Windows 2000 server? This private key file is not identified under the certificate MMC console, because my ACS application is installed on a separate hard disk partition under the D drive.
    File path: d:\Certificates\bh02cacsw02.pem
    How can I export this .pem from that particular folder? Thank you

    Hi,
    I see that you have mentioned the path d:\Certificates\bh02cacsw02.pem.
    The private key will have an extension of .pvk.
    Are you aware of the location where the private key is stored? If yes, you can directly copy the private key and export it.
    I am a bit confused by your requirement. Do you want to export the cert with the private key?
    You can check the cert in the ACScertStore folder in MMC.
    MMC > Click on File > Add/Remove Snap-in > Add > Certificates > Add > Computer Account > Local Computer > Finish > Close > OK.
    Hope this helps.
    Regards,
    Anisha
    P.S.: Please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
