ACS Server Rights

hi,
I am setting up a Cisco ACS server with different privilege levels. I want to limit the set of commands under configuration mode for each different privilege level. As of now, if I give conf t access, the user can access all the config-level commands, which I need to limit on a role basis. Could someone guide me on how I can achieve this?

Hi
For role based device admin control, you need to look at device command sets:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a4a.html#wp737624
Tasks involved:
1) Defining Network Device Groups
2) Defining set of command sets
3) For each group map NDGs to command sets
Think of a command set as a set of permissions given to a particular role (group) for a specific resource (NDG)
Darran
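As an added illustration of what the mapping above amounts to (example code written for this page, not from the original post or from Cisco ACS): a simplified model of shell command authorization in which each (identity group, NDG) pair selects a command set, rows are matched first-hit with a regex over the arguments, and anything not listed falls through to the set's permit-unmatched switch. Group names, NDG names and rules are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CommandRule:
    """One row of a command set: grant, command keyword, optional argument regex."""
    grant: str            # "permit" or "deny"
    command: str          # first token of the CLI line, e.g. "interface"
    args: str = ""        # regex matched against the rest of the line; "" = any arguments


@dataclass
class CommandSet:
    name: str
    rules: List[CommandRule] = field(default_factory=list)
    permit_unmatched: bool = False   # the set's "permit any command not in the table" switch

    def authorize(self, cmdline: str) -> bool:
        parts = cmdline.strip().split(None, 1)
        if not parts:
            return False
        cmd, args = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        for rule in self.rules:                      # first matching row decides
            if rule.command.lower() != cmd:
                continue
            if rule.args and not re.fullmatch(rule.args, args):
                continue
            return rule.grant == "permit"
        return self.permit_unmatched                 # not listed: fall back to the switch


# Constructed command sets: one per role for the same device group.
OPERATOR = CommandSet("Interface-Operator", [
    CommandRule("permit", "configure", "terminal"),
    CommandRule("permit", "interface", r"(GigabitEthernet|FastEthernet)\S+"),
    CommandRule("permit", "description"),
    CommandRule("permit", "shutdown"),
    CommandRule("permit", "no", "shutdown"),
    CommandRule("permit", "exit"),
    CommandRule("permit", "end"),
    CommandRule("permit", "show", r"(running-config|interfaces.*)"),
])
HELPDESK = CommandSet("Read-Only", [CommandRule("permit", "show", r"(?!running-config).*")])
ADMIN = CommandSet("Full-Admin", permit_unmatched=True)

# Constructed policy: (identity group, NDG) -> command set.
POLICY: Dict[Tuple[str, str], CommandSet] = {
    ("netops-operators", "Branch-Switches"): OPERATOR,
    ("helpdesk", "Branch-Switches"): HELPDESK,
    ("netadmins", "Branch-Switches"): ADMIN,
}


def authorize(group: str, ndg: str, cmdline: str) -> bool:
    """Decide one per-command authorization request; no mapping means deny (fail closed)."""
    cs = POLICY.get((group, ndg))
    return cs.authorize(cmdline) if cs else False


if __name__ == "__main__":
    for line in ["configure terminal", "interface GigabitEthernet1/0/5",
                 "username evil privilege 15", "show running-config"]:
        print(f"{line!r}: operator={authorize('netops-operators', 'Branch-Switches', line)} "
              f"helpdesk={authorize('helpdesk', 'Branch-Switches', line)}")
```

Note that the operator set permits `configure terminal` yet still rejects `username` and `aaa` lines, which is exactly the per-role restriction inside config mode the question asks for.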

Similar Messages

  • How to enable read-only access for the ACS server itself

    Hi,
    We would like to know whether it's possible to create read-only access to the ACS server. Currently the ACS server has a generic login with full admin rights.
    We need to create a login for a couple of users to log into ACS to check the "Report and Activity" tab. Access to all other tabs should be disabled.
    We are using ACS 4.0 version. Please let me know whether it's possible.
    Thanks
    Nachi

    Hi, alexchy8
    We can make use of 2 PowerShell commands to achieve this goal.
    Add-MailboxPermission and Add-MailboxFolderPermission.
    Execute the Add-MailboxPermission command to delegate the read permission at mailbox level.
    Execute the Add-MailboxFolderPermission command to delegate the required permissions on specific folders inside the mailbox.
    You can read the following article as reference:
    http://www.exchangedictionary.com/articles/assign-read-only-mailbox-permission-on-exchange-2010-2013-powershell
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety,
    or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    Best Regards.

  • WLC 5508 and ACS server

    Hi,
    Apologies if this has been answered before. I did a search, but was unable to find anything.
    What I would like to do is be able to have a WLC 5508 as the local RADIUS DB and authenticator, but then be able to have an ACS server in a central location as a backup and then replicate between them.
    In other words, set up groups for my remote sites in the central ACS server, which then replicates only the correct group to the remote sites. This allows less administrative overhead, as we just update the central one.
    Is this possible and how would I configure the WLC to do this ?
    Thanks

    Hi,
    If I understood your request, you want to replicate user information between an ACS and a WLC, right?
    That's impossible.
    ACS can only replicate with another ACS running the same version. No other way of synchronization exists.
    Regards,
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • Problem with ACS Server

    Good morning;
    I hope this is the right forum, so here it goes. I have an ACS server v4 that keeps hanging. If I try to restart the service (CSAuth), the service hangs and the only thing I can do is restart the server. Is there something I can do to fix this or troubleshoot it better?
    Thanks

    Good morning,
    I have the same problem with an ACS 3.3.3 that occasionally restarts CSAuth for a configured function to proceed, but the service keeps hanging.
    Have you found any solution?
    Thanks

  • How do I create a default account with an ACS Server

    Has anyone seen this? I have an ACS Solution Engine appliance with several devices using it for authentication and accounting. It all seems to work great.
    When I add a new device (router or switch), I noticed that it will let me log in via the ACS-based authentication even before I set up the AAA-client account for this device in the ACS appliance. I do have the TACACS key and all the appropriate information on the router or switch, but I don't have an entry for it in the ACS appliance yet. This has puzzled me. Where is this default account set up? I have another ACS server (Windows based), and it seems to have a completely different behavior when it encounters an unconfigured AAA client compared to the ACS appliance. Can anyone tell me how to configure the ACS server to do the same and where these configuration options exist?
    This really concerns me from a security perspective.

    Hmm, ACS should not (by default) accept traffic from any old device.
    Could it be you have a wild-card IP Addr in your ACS network config somewhere that accidentally includes the new device?
    Or possibly a DNS name (instead of an IP Addr) that resolves to the address of the new device?
    Try changing the shared secret in the device - you should find you get errors in the Failed Attempts Log.
    Also check the Passed Authentications report, as this includes the ACS network config device name in the Access-Device column.

  • CSM 4.0.1 is removing ACS Server password and then cannot add a new

    Hi,
    We just wanted to use CSM 4.0.1 to change the ACS server key on a FWSM 3.2(5), but in the transcript I see how it removes the key, and then the next statement is to add a 127.0.0.1 ACS server that I have never defined, and that fails because the connection is lost.
    Can CSM be used to change the ACS key and not lose the connection before changing it? The product allows such a change and does not stop, albeit it should now that this is unsuccessful.
    Here is the transcript!
    Line# 2. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): no snmp-server host fwsm-admin-context xxxx poll community comm1
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 3. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): aaa-server aaa-central (fwsm-admin-context) host xxxx
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 4. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010):  no key oldkey
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 5. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): exit
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 6. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): no logging host fwsm-admin-context xxxx
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 7. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): ssh timeout 30
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 8. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): ssh version 2
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 9. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): logging buffer-size 1048576
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 10. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): no logging debug-trace
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 11. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): logging trap informational
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 12. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): logging asdm debugging
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 13. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): logging buffered debugging
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 14. (ERROR) Sent (Thu Dec 16 16:22:13 CET 2010): aaa-server aaa-central host 127.0.0.1
    Received (Thu Dec 16 16:22:14 CET 2010): ERROR: Interface "(inside)" does not exist. Please specify a valid interface name for this server
    ! COMMENT: Device reported error here and stopped accepting further commands
    ! COMMENT: BULK END
    Line# 15. (ERROR) Sent (Thu Dec 16 16:22:14 CET 2010): https://xxxx/config?context=admin Received (Thu Dec 16 16:22:14 CET 2010): 24300 : Login failed
    Caused by: Authentication failed on device [193.47.16.28]. Check the credentials.
    Error: Server returned HTTP response code: 401 for URL: https://xxxx/config?context=admin
    I think there are multiple problems: first it removes the key but does not add one, and then it wants to add 127.0.0.1 to it and does not use an interface?

    I would say that it is the interface problem, but not that it had no interface; it had another interface.
    The whole interface story is somewhat stupefying for me.
    What I wanted to do is to use a single AAA Server definition for all my contexts on a FWSM, due to multiple imports in the beginning I ended up having 40 or so in the objects.
    Each interface that we have on a context has a different name and it looks like CSM has a problem with this. We have tried to use interface with wildcards, but you cannot specify something like *context* or *vlan*. For us *context* is inside and *vlan* is outside.
    This verification of the AAA server should be done before trying to deploy and then not having access. Luckily all our contexts had their own AAA connection set up, so I could make changes, because we have not used the local user for more than 3 years and had 3 weeks to search for it. We almost rebooted the FWSM this Sunday (using a maintenance window) but found the password last Thursday.

  • Upgrading an ACS Server from 5.0 to 5.1

    I want to upgrade my ACS server 5.0.0.21 to 5.1. I want to use Active Directory. It seems that in my current version AD is not supported!
    I try to do it by CLI.
    What CLI command do I use, and what patch?
    Thanks !

    In the monitoring and report I have this:
    AAA Protocol > TACACS+ Authentication
    Authentication Status :
    Pass or Fail
    Date :
    December 09, 2009
    Dec 9,09 11:52:20.200 AM
    13029 Requested privilege level too high
    admin.ad
    switch
    Device Type:All Device Types, Location:All Locations
    Default Device Admin
    AD1
    Thanks !

  • EAP-TLS or PEAP authentication failed during SSL handshake to the ACS serve

    We are running LWAPP (2006 WLCs and 1242 APs) and using ACS 4.0 for authentication. Our users are experiencing an issue where they are successfully authenticated the first time; however, as the number of them increases, they start to drop the connections and are prompted to re-authenticate. At this point, they are not able to authenticate again.
    We're using PEAP for the authentication and Win XP SP2 clients as the supplicants. The error message that we are seeing on the ACS for that controller is "EAP-TLS or PEAP authentication failed during SSL handshake to the ACS server"... Not sure if this error msg is relevant, since we have other WLCs that are working OK and still generating the same error msg on the ACS...
    Thanks..

    Here are some configs you can try:
    config advanced eap identity-request-timeout 120
    config advanced eap identity-request-retries 20
    config advanced eap request-timeout 120
    config advanced eap request-retries 20
    save config

  • AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

    Hi,
    I have an ASA running fine on the network which provides an L2L tunnel to a remote site and provides remote VPN for remote access users.
    Currently, there is a need for the users to authenticate against an ACS server that is located across the L2L VPN tunnel.
    The topology is just simple, with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP address.
    I can ping the IP address of the ACS server (which is located at the remote site, IP addr: 10.10.10.56) from the ASA:
    ping inside 10.10.10.56
    However when I configure the ASA for the AAA group with commands:
    aaa-server ACSAuth protocol radius
    aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
    Then when I do the show run, here is the result:
    aaa-server ACSAuth protocol radius
    aaa-server host 10.10.10.56
    key AcsSecret123
    What I think is that, with this running config, traffic is not directed to the L2L VPN tunnel
    (it seems to be directed to the default gateway due to the default route), which causes the AAA authentication to fail.
    Has anybody ever implemented such a thing, and is it possible? And if yes, what should the config be?
    Your help will be really appreciated!
    Thanks.
    Best Regards,
    Jo

    AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
    http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

  • Not able to install or generate acs server certificate

    Hi,
    I have one test set-up with one layer 3 switch and one autonomous AP 1131. I have configured one SSID without any authentication, and it was not able to connect successfully.
    But now I want to try to enable WPA2 Enterprise (actually, after checking with the test set-up, I am going to implement it in the live set-up, where I have to configure WPA2 Enterprise, so I would like to test WPA2 Enterprise, not WPA2 Personal).
    I have ACS server 3.0 trial version installed on Windows Server 2000, and
    on the AP 1131 I have configured the RADIUS server commands
    (aaa new-model and radius-server host ... ip address ... key ... shared secret ... password ...).
    I am confused about the certificate which is required to be installed on the ACS server, but I am not able to generate the certificate, nor am I able to get the certificate from anywhere in the ACS server options.
    How do I generate the ACS server certificate in trial version 3.0, and after generating it, how do I install it on the ACS server? And what about the client: will it be the same certificate which I need to install on the client PCs, and if yes, how do I add it on the client PCs, and if not, where will I get the client certificate?
    If I buy the ACS software, which will be installed on the Windows platform, I will get two certificates. What about the ACS trial version software? Will I be able to get a certificate?
    I am trying to refer to so many documents, but they could not help me.
    Your help will be appreciated.
    Looking for proper information.

    Hi,
    Thanks for your response...
    Obviously, this ACS 3.0 is end of support, but when I tried to install ACS 4.0 or later, I am not getting an error saying "basic platform should be installed first, that is ACS 3.0".
    That is the reason I have gone for this edition.
    Should I go for upgrading ACS 3.0 to 4.1 or a later version?
    If so, will it be possible on the trial version?
    Please give me your suggestion.

  • Change network address of acs server

    Put in a new backup ACS server, and the senior guy put in a temp host address. Now I
    need to change the temp host address to its permanent address, but I need a little clarification. Do you just change it in the Windows Server 2003 TCP/IP stack, or do you need to change it also inside the CSACS app? Can't find it in the manuals easily.

    Yes you'll need to change ACS config. Just locate the AAA Server entry for the server (in Network Config) and set the ip address to the new value.
    Or you can always just enter the server name instead in case the address changes again.
    Tip: in network config you can enter DNS names instead of IP addresses for devices & AAA servers.

  • ACS Server: External Authentication configuration error

    Hi ALL
    I have installed the ACS server and configured it properly, and it works fine.
    But whenever I restart the machine, the following error message appears on the external database configuration wizard:
    External Authentication Configuration Error
    ACS has encountered a problem while attempting to process your request. This could be due to one of the following:
    An incorrect installation or configuration of the third-party DLLs required to support this External Database
    A corrupt ACS configuration
    So after I found this error, I just restart all seven services and everything works fine.
    I always encounter the same error message after restarting the machine each time.
    Can anybody recommend a solution or help me to resolve the issue?
    Thanks

    Hi,
    Please try the following workaround.
    1. Go to Start > Programs > Administrative Tools > Services.
    2. Stop the following services in the following order.
    CSAuth
    CSDbSync
    CSLog
    CSMon
    CSRadius
    CSTacacs
    CSAdmin
    3. After stopping the above services, start them all again in the following order.
    CSAdmin
    CSAuth
    CSDbSync
    CSLog
    CSMon
    CSRadius
    CSTacacs
    Please let me know if this was able to help.
    If the above doesn't help, please reinstall the ACS as the dll files that are being used
    by the ACS have been corrupted, before uninstalling and reinstalling, do take a
    backup of ACS server database from System Configuration > ACS backup > Backup Now.
    Also make sure that the ACS is installed on the default drive.
    tnx
    somishra

  • Ip not excluded in dhcp server with acs server in the network

    Could someone explain to me what problem I could have if I have the following situation:
    A DHCP server, an ACS server, and various 3750 switches interconnected. But a host in the network has been statically assigned one of the addresses that the DHCP server can assign to the computers.
    Range of IPs to assign for the DHCP server: 172.23.8.1 – 172.23.8.100
    Static IP of the host on the network: 172.23.8.17
    The IP 172.23.8.17 is not excluded in the DHCP server.

    Hello,
    I am not totally clear on what you are asking: do you want to statically assign IP 172.23.8.17 to your server? Can you clarify?
    Regards,
    GNT

  • Adding secondary ACS server

    Presently I am using Cisco ACS version 4.1.1 build 23. Now I am planning to add a secondary server. After installing the new server, can anyone help me with what steps I need to configure?
    Do I need to configure all the devices on that server? Thanks in advance.

    Hi,
    You don't have to add each device on the secondary ACS once proper replication is configured between the two ACS servers.
    Make sure that replication is initiated and done by the primary ACS replicated to the secondary ACS server.
    For more details on replication refer to the following link:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SCAdv.html#wp756330
    HTH
    Regards,
    Ahmed

  • ACS Server certificate export

    Hello,
    We are in the process of renewing a certificate for our ACS server (v3.2). Is there a way to export the certificate currently in use?
    We don't want to lose it if we install a certificate that does not work. We are also exploring using a self-signed certificate, but we're not sure if that will meet our needs.
    Thanks!

    Thanks for the info...unfortunately, we tried doing the self-signed certificate, but clients couldn't connect to our wireless network (we use that to authenticate wireless users). We then tried to do a restore from a backup taken earlier this morning and it's still trying to restore - as if something is hung and won't shut down.
    This is ACS 3.2 running on a Windows 2003 server.
