ACS Replication Windows and Appliance

We have a situation where two existing 3.2.1 ACS servers are replicated. The boxes is to be replaced by ACS appliances running 3.3.2. The problem is however that we cannot replicate between different versions.
We are planning on upgrading the master server to 3.3.2, then removing the replicated host, installing the ACS applicance in its place and starting the replication again.
Anyone done this? Will it work, WIN -> ACSAppliance?
Also, is there a way the backup file on the WIN ACS can be restored to a ACSAppliance? Might be a cleaner solution to restore the backups of both boxes into the ACS appliance, that way we do not potentialy damage the live environment?
Any ideas greatly appreciated.

You can have database replication running between different versions, but the versions can only vary in minor versions, not major versions. For instance, you can replicate between a 3.2.2 and a 3.2.3 version, but you could not replicate between 3.2.x and 3.3.x.

Similar Messages

  • ACS for Windows vs ACS Appliance?

    First, the only thing I saw on the Appliance was that it was a 'hardened OS'. So I'm assuming like many of their other appliances that this is Windows 2003 locked down? Regardless if it is or not, are there any issues with the appliance being in a mixed environment with ACS for Windows and replication between the two?
    Thanks,
    Raun

    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawo.html
    When you use ACS for Windows, you install it on a member server, which can "relay" the auth requests to the domain controllers.
    ACS SE's are not a member in the domain, therefore you need to install the remote agent on a member/DC, so that it would act as a "relay agent" for the auth requests.
    You'll also need to manually create a workstation account in AD to allow auth requests from the ACS SE's.
    The default name used is "CISCO", but it can be defined differently.
    For this part, see
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp311476

  • Can Appliance 1113/1120 running ACS 4.1 replicate to ACS for Windows 4.2.1.15.2

    Anyone tested/tried to replication from ACS 4.1 (running on Appliance) to ACS for Windows 4.2(1)?

    Hi ,
    For replication to work between the two acs they should be on same version and patch level.
    Thanks
    Waris Hussain.

  • Replication issues with ACS for Windows 3.3.3 build 11

    I have built two ACS for Windows servers on Windows 2003 SP1. The AD environment is Windows 2003 SP1 as well. I have configured the two ACS servers on each box. However, when I go to replicate from box A to box B, the following error appears:
    Inbound database replication from ACS 'acsradius.asu.edu' denied - shared secret mismatch
    I have double checked the shared secret keys on both servers in the Network Configuration AAA servers section. Any idea what the issue is?
    Thanks.

    Do not run replication to a server installed on Windows 2003. Due to changes in the way Win2003 handles registry changes, each change can take up to 100 times longer and replication can fail and the server hang.

  • ACS 5.5 and Windows 2012 AD support

    Hi All,
    previously I had two AD domains based on 2008 and had machines in one domain and users in another domain
    and the condition statement "Was machine authenticated=True" worked fine when doing EAP-TLS machine then user
    authentication.
    I have now upgraded the machine's domain to 2012 and  machine authentication works fine and user authentication
    also works, but when you put the two together, and enable "Was machine authenticated=True" the ACS errors
    out when doing user authentication with the message "ACS unable to find previous successful machine authentication"
    even though machine authentication was successful. I have tried with with ACS being a member of both 2008 and 2012 domains at each stage.
    The clients are all windows 8.1
    Has anyone encountered this scenario before ?
    TIA

    I would like to share a good troubleshooting guide for ACS 5.X and later, Please have a look:
    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html

  • ACS replication and IP pools server

    Hi, I have 2 ACS 3.3.2 with replication active and IP pools server function active.
    I know that the IP pools definitions are not replicated but the group associations with pools are.
    What's the best way to manage the IP pools on the 2 ACSs ?
    60% of the pool on the first and 40% on the second ?
    Or is there a way to infor the second ACS of the single IP assigned by the first ACS to avoid overlapping, in case of failure of the first ACS ?
    Thank you in advance
    greatings
    Renato

    IP pools are purposely not replicated automatically, no way around it. This is to avoid the situation where users authenticating to two different ACS servers get allocated the same IP address.
    Basically there's nothing in ACS where the primary and backups talk to each other about what IP addresses they've allocated (this woul be huge task and require some new sort of communication mechanism between servers). If the same IP pool is configured on all 3 servers, they'll just blindly allocate the next available IP address to users, and you'll run into scenario's where two (or more) users get given the same address.
    The pool is therefore purposely not replicated, which means you have to go in manually and configure it, making sure you configure a UNIQUE pool across the 3 servers. This only has to be done once and is then there forever.

  • Issues with ACS replication

    We have 2 ACS appliances that are separated by a WAN.
    Both appliances are at the same software version and I have replication set up per Cisco's (as well as others') directions.
    When I run replication, I get the error "Cannot replicate to 'ciscoacs2' - server not responding".
    If I try replication in the other direction, I get the same error.
    I can ping both appliances and access the web interface from both subnets.
    There is a firewall between them, but I have port 2000 open and I do not see any other deny messages relating to the ACS replication in the firewall logging.
    I ran a sniffer on the receiving appliance's port and got the following:
    10.127.101.5 10.127.80.63 TCP evb-elm > cisco-sccp [SYN] Seq=0 Win=65535 Len=0 MSS=1380
    10.127.101.5 10.127.80.63 TCP evb-elm > cisco-sccp [ACK] Seq=1 Ack=1 Win=65535 Len=0
    10.127.80.63 10.127.101.5 TCP cisco-sccp > evb-elm [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
    10.127.101.5 10.127.80.63 TCP evb-elm > cisco-sccp [RST] Seq=25 Win=0 Len=0
    10.127.80.63 10.127.101.5 TCP [TCP Dup ACK 1515#1] cisco-sccp > evb-elm [ACK] Seq=1 Ack=1 Win=65535 Len=0
    Logging on the devices themselves is terrible, so I really have no idea what would be causing replication to fail.
    Thanks.
    Jason

    One update if it will help. I've been doing some research and I found that ACS replication doesn't like NAT and replication will fail if the IP address is changed through NAT.
    While NAT is running on the firewall that our ACS appliance is behind, there is a static mapping to basically keep the NAT address the same. So NAT is being applied, but NAT is just giving it the same address.
    I don't know if the NAT process is what's causing the problem? Based on the sniff I posted earlier, the source address of 101.5 is the IP of the ACS appliance.
    Taking the device out from behind the firewall could be an option, but it would be a last resort because we would then need to reconfigure all of our equipment to point to the new address, and we have a lot of equipment.
    Thanks.
    Jason

  • Looking for successful auth debug between cisco 1113 acs 4.2 and Active Directory

    Hello,
    Does anyone have a successful authentication debug using cisco 1113 acs 4.2 and Active Directory?  I'm not having success in setting this up and would like to see what a successful authentication debug looks.  Below is my current situation:
    Oct  6 13:52:23: TPLUS: Queuing AAA Authentication request 444 for processing
    Oct  6 13:52:23: TPLUS: processing authentication start request id 444
    Oct  6 13:52:23: TPLUS: Authentication start packet created for 444()
    Oct  6 13:52:23: TPLUS: Using server 110.34.5.143
    Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
    Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: socket event 2
    Oct  6 13:52:23: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
    Oct  6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 26 (0x1A)
    Oct  6 13:52:23: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
    Oct  6 13:52:23: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
    Oct  6 13:52:23: T+: user: 
    Oct  6 13:52:23: T+: port:  tty515
    Oct  6 13:52:23: T+: rem_addr:  10.10.10.10
    Oct  6 13:52:23: T+: data: 
    Oct  6 13:52:23: T+: End Packet
    Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: Would block while reading
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: read entire 28 bytes response
    Oct  6 13:52:23: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
    Oct  6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
    Oct  6 13:52:23: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
    Oct  6 13:52:23: T+: msg:  Username:
    Oct  6 13:52:23: T+: data: 
    Oct  6 13:52:23: T+: End Packet
    Oct  6 13:52:23: TPLUS(000001BC)/0/46130160: Processing the reply packet
    Oct  6 13:52:23: TPLUS: Received authen response status GET_USER (7)
    Oct  6 13:52:30: TPLUS: Queuing AAA Authentication request 444 for processing
    Oct  6 13:52:30: TPLUS: processing authentication continue request id 444
    Oct  6 13:52:30: TPLUS: Authentication continue packet generated for 444
    Oct  6 13:52:30: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
    Oct  6 13:52:30: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
    Oct  6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 15 (0xF)
    Oct  6 13:52:30: T+: AUTHEN/CONT msg_len:10 (0xA), data_len:0 (0x0) flags:0x0
    Oct  6 13:52:30: T+: User msg: <elided>
    Oct  6 13:52:30: T+: User data: 
    Oct  6 13:52:30: T+: End Packet
    Oct  6 13:52:30: TPLUS(000001BC)/0/WRITE: wrote entire 27 bytes request
    Oct  6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:30: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
    Oct  6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:30: TPLUS(000001BC)/0/READ: read entire 28 bytes response
    Oct  6 13:52:30: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
    Oct  6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
    Oct  6 13:52:30: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
    Oct  6 13:52:30: T+: msg:  Password:
    Oct  6 13:52:30: T+: data: 
    Oct  6 13:52:30: T+: End Packet
    Oct  6 13:52:30: TPLUS(000001BC)/0/46130160: Processing the reply packet
    Oct  6 13:52:30: TPLUS: Received authen response status GET_PASSWORD (8)
    Oct  6 13:52:37: TPLUS: Queuing AAA Authentication request 444 for processing
    Oct  6 13:52:37: TPLUS: processing authentication continue request id 444
    Oct  6 13:52:37: TPLUS: Authentication continue packet generated for 444
    Oct  6 13:52:37: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
    Oct  6 13:52:37: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
    Oct  6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
    Oct  6 13:52:37: T+: AUTHEN/CONT msg_len:11 (0xB), data_len:0 (0x0) flags:0x0
    Oct  6 13:52:37: T+: User msg: <elided>
    Oct  6 13:52:37: T+: User data: 
    Oct  6 13:52:37: T+: End Packet
    Oct  6 13:52:37: TPLUS(000001BC)/0/WRITE: wrote entire 28 bytes request
    Oct  6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:37: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 33bytes data)
    Oct  6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:37: TPLUS(000001BC)/0/READ: read entire 45 bytes response
    Oct  6 13:52:37: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
    Oct  6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 33 (0x21)
    Oct  6 13:52:37: T+: AUTHEN/REPLY status:7 flags:0x0 msg_len:27, data_len:0
    Oct  6 13:52:37: T+: msg:  Error during authentication
    Oct  6 13:52:37: T+: data: 
    Oct  6 13:52:37: T+: End Packet
    Oct  6 13:52:37: TPLUS(000001BC)/0/46130160: Processing the reply packet
    Oct  6 13:52:37: TPLUS: Received Authen status error
    Oct  6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: timed out
    Oct  6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: No sock_ctx found while handling request timeout
    Oct  6 13:52:37: TPLUS: Choosing next server 101.34.5.143
    Oct  6 13:52:37: TPLUS(000001BC)/1/NB_WAIT/46130160: Started 5 sec timeout
    Oct  6 13:52:37: TPLUS(000001BC)/46130160: releasing old socket 0
    Oct  6 13:52:37: TPLUS(000001BC)/1/46130160: Processing the reply packet
    Oct  6 13:52:49: TPLUS: Queuing AAA Authentication request 444 for processing
    Oct  6 13:52:49: TPLUS: processing authentication start request id 444
    Oct  6 13:52:49: TPLUS: Authentication start packet created for 444()
    Oct  6 13:52:49: TPLUS: Using server 172.24.5.143
    Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
    Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: socket event 2
    Oct  6 13:52:49: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
    Oct  6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 26 (0x1A)
    Oct  6 13:52:49: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
    Oct  6 13:52:49: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
    Oct  6 13:52:49: T+: user: 
    Oct  6 13:52:49: T+: port:  tty515
    Oct  6 13:52:49: T+: rem_addr:  10.10.10.10
    Oct  6 13:52:49: T+: data: 
    Oct  6 13:52:49: T+: End Packet
    Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: Would block while reading
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 43bytes data)
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: read entire 55 bytes response
    Oct  6 13:52:49: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
    Oct  6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 43 (0x2B)
    Oct  6 13:52:49: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
    Oct  6 13:52:49: T+: msg:   0x0A User Access Verification 0x0A  0x0A Username:
    Oct  6 13:52:49: T+: data: 
    Oct  6 13:52:49: T+: End Packet
    Oct  6 13:52:49: TPLUS(000001BC)/0/46130160: Processing the reply packet
    Oct  6 13:52:49: TPLUS: Received authen response status GET_USER (7)
    The 1113 acs failed reports shows:
    External DB is not operational
    thanks,
    james

    Hi James,
    We get External DB is not operational. Could you confirm if under External Databases > Unknown User           Policy, and verify you have the AD/ Windows database at the top?
    this error means the external server might not correctly configured on ACS external database section.
    Another point is to make sure we have remote agent installed on supported windows server.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp289013
    Also provide the Auth logs from the server running remote agent, e.g.:-
    AUTH 10/25/2007 15:21:31 I 0376 1276 External DB [NTAuthenDLL.dll]:
    Attempting Windows authentication for user v-michal
    AUTH 10/25/2007 15:21:31 E 0376 1276 External DB [NTAuthenDLL.dll]: Windows
    authentication FAILED (error 1783L)
    thanks,
    Vinay

  • ACS replication issue on VMware ESX 3.5

    I have just installed ACS 4.2 on two VMware hosts. I've configured database replication but it won't work. The error message is "shared secret mismatch". This error message occurs if a NAT device is in the path (which it isn't in this case) or if the tcp header is otherwise changed during transmission. I'm wondering if VMware is adding something to the TCP header. Has anyone come across this problem before or has anyone successfully implemented ACS replication when both hosts are on VMware?
    Thanks.

    Hi,
    I see that you are getting "shared secret mismatch error" under database replication logs. Just wanted to inform you that this is not because of nat'ed device. This happens when we have different keys for AAA servers on primary and secondary ACS.
    The primary server must be configured as an AAA server and must have a key.
    The secondary server must have the primary server configured as an AAA
    server and its key for the primary server must match the primary servers own
    key. The shared secret key should be same on the both the ACS's.
    I am sending you one link for Setting Up Replication for Cisco Secure ACS, I
    am sure this example with screen shots gives you better understanding.
    Please visit the below suggested ULR:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration
    _example09186a00800e518a.shtml
    If that doesn't resolve the issue, please let me know if you see any server with this ip address 127.0.0.1.
    HTH
    JK
    -Plz rate helpful posts-

  • ACS 4.0 and RSA Token Server problem

    Hi,
    We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users on an RSA Token server.
    Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. Now this works fine for users with a static password defined on the ACS internal database. However, for obvious security reasons, we?d like the authentication passed to our internal RSA server.
    I have installed the RSA Agent on the same server as the ACS along (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA Token server for password.
    When we try to authenticate, the ACS fails the attempt with reason ?External DB password invalid?. The same user can successfully authenticate when using the RSA test authentication tool which is installed on the ACS server as part of the RSA Agent software.
    After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works), however it looks like ACS doesn?t even send traffic to the RSA server when authenticating.
    Any help or advice appreciated.
    Thanks

    Hi,
    The token servers only support PAP. Please make sure that the request are going to the RSA in PAP.
    Following link talks about the same.
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/o.htm#wp824733
    Regards,
    ~JG

  • ACs For Windows 4.1.(1) build 23

    Hi.
    We´ve got two Windows 2003 Server R2 machines, with installed Cisco ACS For Windows 4.1.(1) Build 23 used for RADIUS users authentication and now days we´re trying to deploy now a TACACS+ configuration to the network device manage now from those ACSs, TACACS+ Accounting tab works fine, but the Accounting administration records or logs are updated but when I click on the TACACS+ Administration Tab the showed log files are empty, I knew about a bug in the 4.1 versión, the question is?
    Can I fix the issue if I upgrade or install only the 4.1.1.23-5 patch?
    It´ll be enough?
    Many thanks.

    Hi.
    We´ve got two Windows 2003 Server R2 machines, with installed Cisco ACS For Windows 4.1.(1) Build 23 used for RADIUS users authentication and now days we´re trying to deploy now a TACACS+ configuration to the network device manage now from those ACSs, TACACS+ Accounting tab works fine, but the Accounting administration records or logs are updated but when I click on the TACACS+ Administration Tab the showed log files are empty, I knew about a bug in the 4.1 versión, the question is?
    Can I fix the issue if I upgrade or install only the 4.1.1.23-5 patch?
    It´ll be enough?
    Many thanks.

  • ACS External Windows Authentication: Pre-Windows 2000 name only works

    Hello. I have attempted to map ACS to Windows AD 2003 as an External Database. That works, but only if I authenticate using the Pre-Windows 2000 name (sometimes called the "down-level" name).
    If I use the Windows 2003 login name, I get a 529 error in the event viewer, stating the username/password is incorrect. This error appears on the Windows 2003 SP1 server running ACS.
    Curiously, if I authenticate using the down-level name, the successful event shows the same authentication package (MICROSOFT_AUTHENTICATION_PACKAGE_V1_0) and "Workstation" and "Login Process" name (CISCO).
    I cannot determine if this is an ACS or Windows problem. Any one have a clue?

    Win2003 logon name: [email protected]
    A Pre-Windows2000 name: [email protected]
    Interestingly, the down-level name will authenticate, but the "up-level" name will not.
    Here are excerpts from AUTH.log:
    Failed up-level name:
    AUTH 01/19/2006 07:52:04 I 4817 3604 Attempting authentication for Unknown User '[email protected]'
    AUTH 01/19/2006 07:52:04 I 0365 3604 External DB [NTAuthenDLL.dll]: Starting authentication for user [[email protected]]
    AUTH 01/19/2006 07:52:04 I 0365 3604 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user bob.smith
    AUTH 01/19/2006 07:52:04 E 0365 3604 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
    AUTH 01/19/2006 07:52:04 I 0365 3604 External DB [NTAuthenDLL.dll]: Reattempting authentication at domain COMPANY
    AUTH 01/19/2006 07:52:04 I 0365 3604 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user bob.smith
    AUTH 01/19/2006 07:52:04 E 0365 3604 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
    AUTH 01/19/2006 07:52:04 I 2124 3604 Unknown User '[email protected]' was not authenticated
    Passed down-level name:
    AUTH 01/19/2006 07:52:23 I 0365 3604 External DB [NTAuthenDLL.dll]: Starting authentication for user [[email protected]]
    AUTH 01/19/2006 07:52:23 I 0365 3604 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user bsmith
    AUTH 01/19/2006 07:52:23 I 0365 3604 External DB [NTAuthenDLL.dll]: Windows authentication SUCCESSFUL (by WINDC02)
    AUTH 01/19/2006 07:52:23 I 0365 3604 External DB [NTAuthenDLL.dll]: Obtaining RAS information for user bsmith from WINDC02

  • ACS database users and passwords.

    Hi, i need to get all users and passwords from a acs 3.3 database unencrypted.
    How can i do it?
    Could you help me ?

    To get a list of the USers in the ACS database use the CSUTIL tool on Windows platform.
    go to bin directory under the ACS install folder and do
    CSUtil.exe -u
    this will generate a file "users.txt" in the same folder.
    But I dont think you can get the password in unencrypted form.

  • ACS Group mapping and restrictions

    hi,
    I would appreciate to receive some configuration steps on ACS to fulfill the following requirement and hope you can help me.
    ACS Groups
    Netadmin - need telnet/ssh/vpn/wireless
    wireless - only wireless authentication
    vpn - only vpn authenticaiton
    I need to map the above ACS groups to one/or many AD groups and restric access as stated above.
    Also please note that one user can be belongs to all three groups in ACS/AD.
    thanks in advance.

    In ACS user can only belong to one group. But in AD we can have one user a part of multiple group.
    In this scenario, it is very important to understand how ACS group mapping works.
    Lets say that you have three different groups on AD for NetworkAdmin, RouterAdmin, Wireless. Go to external user database ==Database Group Mappings==Windows NT/2000==select the domain to which you are authenticating==Add mapping.
    Select the AD group NetworkAdmin and map it to ciscosecure group 1
    select the AD group RouterAdmin and map it to ciscosecure group 2
    select the AD group Wireless and map it to ciscosecure group 3
    Group mappings work in the order in which they are defined, first configured mapping is looked upon first then second, third and so on. If a user is in AD group NetworkAdmin and that is mapped to ACS group 1 and it is first configured mapping it will be looked for FIRST (If a user exists in NetworkAdmin group it will always be mapped to ciscosecure group 1 and NO further Mappings for this user is checked and user is authenticated or rejected)
    Scenario: if you have a user called cisco, in NetworkAdmin group, cisco1 in RouterAdmin group, and cisco2 in Wireless. They will always be dynamically mapped to ACS group 1, 2 and 3 respectively as per above mappings.
    You can check the mappings on the passed authentications for users as to what group are they getting mapped to.
    SCENARIO:
    Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not wireless or RouterAdmin devices you would need to apply NARs to group 1 because NetworkAdmin users are connecting to that group. Which you will permit Access on group basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.
    NOTE:
    If you are applying NARs for Wireless or VPN devices.. you would need to configure both IP based AND CLI/DNIS based together because NARs were originally designed for cisco IOS for
    routers and switches.
    IMPORTANT: If a user successfully authenticates to AD database once, its username is cached on the ACS database (NOT password) the only way to remove the previously cached
    username is to go to usersetup find that user and delete it manually.
    ACS will not support the following configuration:
    *An active directory user that is a member of 3 AD groups (group A, B and C) *Those 3 groups are mapped within ACS as follows Group1->A,Group2->B and Group3->C.
    *The user is in all 3 groups however he will always be authenticated by group 1 because that is the first group he appears in, even if there is a NAR configured assigning specific AAA clients to the group.
    However there if your mappings are in below order...
    NT Groups ACS groups
    A,B,C =============> Group 1
    A =============> Group 2
    B =============> Group 3
    C =============> Group 4.
    You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group1.
    This rule WILL apply for the use ONLY if he is present in ALL three groups (A,B and C).
    You can create a rule for users in group A (Group 2)
    You can create a rule for users in group B (Group 3)
    You can create a rule for users in group C (Group 4)
    Regards,
    ~JG
    Do rate helpful posts

  • ACS authenticating Windows DB

    Hi everybody,
    I've a server running ACS for windows 3.3 used for 802.1x authentication. I only have 1 local ACS account (test) and I use an external DB to authenticate other users.
    I asked Windows Domain administrator to create 3 groups:
    - VLAN1 with 2 users
    - VLAN2 with 2 users
    - VLAN3 with 2 users
    I configure "unknown user policy" to check windows db if the user is not locale, and I configured the domain and mapped the ACS groups in the following way:
    - ACS group VLAN1 is mapped to Windows leaf VLAN1 of domain ESMLAB
    - ACS group VLAN2 is mapped to Windows leaf VLAN2 of domain ESMLAB
    - ACS group VLAN3 is mapped to Windows leaf VLAN3 of domain ESMLAB
    /Default DB is mapped to <no-access>.
    The strange thing is that ACS first choice is to use /Default so user don't access the network! I tried to map /Default to VLAN1 and users access the network and was associated to correct VLAN. In this way I check that the ACS correctly connect to DB to authenticate the user.
    Which could be the cause that ACS first seems to use /default instead of the correct mapping? What I forget? Is the windows DB configured correctly?
    Thanks
    Regards
    Roberto

    Mappings are checked from a top-down perspective, so if you have the \DEFAULT domain appearing below the ESMLAB domain then this should be OK. What's probably happening is that ACS is unable to get any of the users windows group mapping properties and therefore doesn't know that they're in the VLANx Windows group. Because of this ACS always maps them through to the catch-all \DEFAULT group and they get no access accordingly.
    As for why ACS can't get the users group mappings from Windows is usually a permissions problem, specifically in what user the CS services are running under on the ACS device, most often even a domain administrator doesn't have the right permissions. You don't mention if ACS is running on a DC or just on a member server. Running it on a DC usually resolves most permissions problems, particularly on an AD.
    You can try the following to set the permissions correctly:
    Instructions for changing privileges:
    1) on the AD, go to Administrative Tools -> Domain Security Policy ->
    Security Settings -> Local
    Policies -> User Rights Assignment and
    a) double click on "Act as part of the operating system"
    b) check the "Define these policy settings" checkbox
    c) Click add and enter : "domain\adminstrator"
    d) Click Ok
    e) double click on "Log on as a service"
    f) check the "Define these policy settings" checkbox
    g) Click add and enter : "domain\administrator"
    h) Click Ok.
    (Note: do the same for "Log on Locally")
    2) Right click on "Security Settings" header and choose "Reload"
    3) log into the ACS Machine with user = domain\administrator (please note that
    the user must be
    administrator and not another Domain Admin user).
    4) Change the ACS Services to run under domain\administrator and restart them
    all.
    If that doesn't work, enable Full Logging under System Config - Service Control page, and restart the ACS services. Then try an authentication request, and check the latest auth.log file under the Program Files\CiscSecure ACS v3.3\CSAuth\Logs, there'll probably be some errors about not getting RAS permissions. You may need to send this to the TAC for further analysis.

Maybe you are looking for

  • Some component eat my F8 key

    Hello, I've got the problem with some component in my app. In menu bar I've got accelerators for F5, F6, F7, F8. what is funny F5 and F7 works, but F6 and F8 are eaten by some component. I've seen similar problems on Forum (with i.e. Ctrl-C issue) On

  • Is there a way to force enable wmode=direct for all Flash content on all webpages ?

    I need a way to force enable wmode=direct for all Flash content that's running regardless of the webpage the Flash content is runing on. If there isn't a way to do so now, please enable this as fast as you can in the next version of Flash. I've read

  • Dynamic Pagination Scheme

    Greetings, I'm custom building a slidetable in pl/sql with a selectable number of images per page. Always 4 per row. I've gotten to the point where I have several hundred images, and I want to be able to jump to a specific page of images. This might

  • IPhone blocked after call reject

    Hi, I have a little problem with my iPhone. When I reject a call in sleep mode (pressing twice the sleep button), the iPhone screen doesn't respond correctly, I have to lock and unlock again to respond the call.

  • Persistence error  in EP7.0 to create a new user in portal

    Hi all, I have installed CRM5.0 and EP7.0 with same Database. i am able to logon to portal through new user created through backend system by SU01 with role sap_j2ee_admin but i am creating a new user in portal the error is showing : "An error occurr