ACS Solutions 4.2.1 15-2
I am having authorization issues with ACS Release 4.2(1) Build 15 Patch 2 for Windows. I have certain devices on which I can authenticate and pass authorization. However, on the 4900m routers (vrf enabled) and 3750 I can authenticate but fail authorization. I have a custom attribute: shell:Admin*Admin default-domain, enabled under the User Setting Tacacs+ setting. Are there other parameters in ACS 4.2.1 that need to be turned on?
Thanks
Hi,
ACS 4.2.1.15 does not support Windows 2008 R2.
ACS 5.2 supports the same.
It is a bug CSCtg12399 which is resolved on ACS 5.2.
The release notes of ACS 5.2 describe the same.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/release/notes/acs_52_rn.html
The following link gives details of the ACS 4.2 and Windows 2008 compatibility.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html#wp100949
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is answered. Do rate helpful posts.
Similar Messages
-
Maximum users on ACS Solution Engine 3.3
Hello,
I need to know the maximum supported number of users in the local database of the CiscoSecure ACS Solution Engine 3.3 (the appliance) ?
Is there a document about this ?
Thank you !
Patrice
The client version of Mac OS X supports a maximum of 10 AFP clients. It's always been that way.
If you want more than 10 AFP clients you need to move to Mac OS X Server (unlimited) which can support any number of concurrent users. -
Manage a Cisco Secure ACS Solution Engine?
Hello,
How can I manage/observe a 'Cisco Secure ACS Solution Engine'? I found nothing like SNMP etc.
Regards
Karsten
Hi,
You have no chance to control the ACS SE with SNMP. We have one router with access via ACS and use a script robot to control the access to the router. If the access fails, we send ourselves an email.
Bye Michael -
ACS Solution Engine TACACS+ and Radius
I have an ACS Solutions Engine that is performing TACACS authentication for remote access to Switches and now want to add 802.1X support for port based access control against the ACS server also. For some reason this is not working for me at all. Does anyone have a document that will guide me in this.
http://cisco.biz/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/guide_c07-627531.pdf
There is a lot of reading on the topic. Maybe you could specify what is not working as expected?
What EAP method are you using? How is your switchport configured? Is there an error message on ACS? -
Import user and group from dump.txt to ACS Solution Engine 3.3
I have exported the user and group using the CSUtil -d on my acs v2.6. But ACS Solution Engine 3.3 does not have the CSUtil command to import the user and group database. Can anyone advise me?
I'm trying to do the same thing with no luck so far.
Documentation seems to indicate you can do this using RDBMS Synchronization but we haven't got it to work yet.
I read the doco as saying you create a csv and place it on an FTP server and ACS will read from that file. When we've tried, it writes its own file with a different extension and says it can't find the one we place in that same directory. -
Adding Users on Cisco Secure ACS Solution Engine 3.3
We have a large block of userids we need to add to our ACS 3.3 Solution Engine into the CiscoSecure User Database. When using the web-based GUI, it looks like you can only add one user at a time. Is there any way to add users as a block with some type of command line, or is there a utility that will add users and also copy user options? It would be helpful if in the Add/Edit user panel, there was the ability to copy settings from a previously installed user definition.
I'm not sure that csutil would setup all the parameters I need, so I would have to choose CSDBSync. Tacacs is used and not Radius. I need the user to initially be configured disabled, specify his/her real name and description, assign the user to a group, assign a PAP password and confirmation, use group settings for callback, client ip address assignment, and max sessions, establish a date to automatically disable the account, provide no enable privileges, and set a Tacacs+ Outbound password.
-
Hi Folks,
I have a clarification related to ACS 3495. A customer needs a solution for the ACS feature; instead of investing in ISE base, I'm looking for an ACS appliance only.
Related to the previous introduction, I will submit the following part numbers, but I really want to know if the Part Numbers are right:
SNS-3495-K9 (Cisco SNS 3495 appliance)
CSACS-3495-K9 (ACS software with Base License)
CSACS-5-LRG-LIC (ACS Large Deployment License)
CON-SNT-SNS3495 (SMARTNET 8x5xNBD)
Is everything right, or do I need to add or think of anything extra?
Can anybody give me some insight about the optional Security Group Access License?
I really appreciate your kind help and support.
Best regards,
Claudio Cubillos
Your SKUs are correct.
-
Cisco 5.0 ACS Solution engine
Hi,
Just installed and finished initial setup of ACS version 5.0 Sol. engine. Next, I'm not able to access the solution engine over Internet Explorer. I'm not even able to telnet to port 2002.
Do i need to configure anything else for enabling gui in version 5.0?
Please assist.
Thanks!
Kamal
ACS 5.x doesn't work on port 2002 like ACS 4.2, it works on https-443, so in order to use ACS 5.x, you should use the URL
https://
To log in to the GUI, you must use the predefined username ACSAdmin and password default. When you access the GUI for the first time, you will be prompted to change the predefined password for the administrator. You can also define access privileges for other administrators who will access the GUI application.
Rgds, Jatin
Do rate helpful posts~ -
Cisco Secure ACS Solution engine v3.2
The ACS Solution Engine appliance hardware by default comes with two NICs. Can I configure it so one NIC is on VLAN 30 and the other NIC is on VLAN 50?
VLAN 30 - will be the network that communicates or forwards credentials to the ACS Remote Agent for Windows authentication.
VLAN 50 - will be for network device authentication. RADIUS or TACACS.
This is not possible as only one NIC works at a time. (Check for Back Panel features)
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csapp33/install/ovrvuap.htm#wp1046176
Regards,
Jasjeet -
Cisco ACS Solution Engine version 4.2 doesn't boot
Hi,
We have a CSACSE with version 4.2 that doesn't boot. The error is "Reboot and Select proper Boot device or Insert Boot Media in selected Boot device and press a key". Actually it happened first to our existing primary CSACSE, then after rebooting many times the error changed to " a disk read error occured press ctrl+alt+del to restart" and ever since it didn't boot successfully again. So we proceeded to RMA the device, then once the replacement arrived we tested it first and it booted successfully. Now when we installed it, the same error occurred again: " Reboot and Select Proper boot device". Then after we booted it many times, it booted successfully again without us doing anything to the hardware. So we successfully installed it. After two days the CSACSE management IP can be pinged but can't be accessed through the GUI, and the AAA access is not working on it, hence the AAA was diverted to its secondary ACS. Since we can't access it on either console or web browser we tried to reboot it, and unfortunately we got the same error again: " Reboot and Select proper boot device". It seems that the hard disks are not detected during the boot process. Hope you guys can help with our problem. Thanks!
You may try re-imaging the sensors with version 6.0.4. If the re-imaging fails you may try checking the flash device for the hdb and hda parameter, which is probably what is causing the re-image to fail.
-
ACS 5.2 Solution Engine Patches and Installs
Hi
I'm trying to upload the 5.2 patches to the ACS Solution Engine so I can install the updates.
Does anyone know how to do this or know the links that show how to do this?
The User Guide documentation isn't very helpful.
Thanks
Marco
Hi Marco,
Here is the link for downloading ACS5.2 patches :
http://www.cisco.com/cisco/software/release.html?mdfid=283107438&flowid=18604&softwareid=282766937&release=5.2.0.26&relind=AVAILABLE&rellifecycle=&reltype=latest
Download any patch and place it on the FTP/SFTP server in your environment
Login to the ACS CLI :
Create a repository:
acs/admin(config)# repository myrepository
acs/admin(config-Repository)# url sftp://starwars.test.com/repository/system1
acs/admin(config-Repository)# user luke password skywalker
acs/admin(config-Repository)# exit
After that, run this command:
acs patch install patch-name.tar.gpg repository repository-name
Installing an ACS patch requires a restart of ACS services.
Would you like to continue? yes/no
Once done, you can do a sh version and see ACS 5.2 with the new patch.
Also, when you download the patch there is a readme with similar instructions.
Here is the link for the ACS 5.2 patch 5 readme:
http://www.cisco.com/web/software/282766937/37718/Acs-5-2-0-26-5-Readme.txt
Thanks
Waris Hussain -
How do I create a default account with an ACS Server
Has anyone seen this. I have an ACS Solution engine appliance with Several devices using it for authentication and accounting. It all seems to work great.
When I add a new device (router or switch) I noticed that it will let me log in via the ACS-based authentication even before I set up the aaa-client account for this device in the ACS appliance. I do have the TACACS key and all the appropriate information on the router or switch, but I don't have an entry for it in the ACS appliance yet. This has puzzled me. Where is this default account set up? I have another ACS server (Windows based). It seems to have a completely different behavior when it encounters an unconfigured AAA client compared to the ACS appliance. Can anyone tell me how to configure the ACS server to do the same and where these configuration options exist?
This really concerns me from a security perspective.
Hmm, ACS should not (by default) accept traffic from any old device.
Could it be you have a wild-card IP Addr in your ACS network config somewhere that accidentally includes the new device?
Or possibly a DNS name (instead of an IP Addr) that resolves to the address of the new device?
Try changing the shared secret in the device - you should find you get errors in the Failed Attempts Log.
Also check the Passed Authentications report as this includes the ACS network config device name in the Access-Device column. -
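The wildcard check suggested in the reply above can be run offline against a copy of the AAA client list. This is an added example, not part of the original thread and not Cisco code; it assumes per-octet `*` wildcards and `lo-hi` ranges (the range form appears in this page's csagent output as `10.1.9.10-11`), and the entry names and addresses are constructed.

```python
import ipaddress

# Constructed sample: AAA client entries as they might be copied from the
# ACS Network Configuration page (names and addresses are made up).
SAMPLE_CLIENTS = {
    "core-sw1": ["10.1.9.10-11"],
    "branch-routers": ["10.20.*.*"],
    "lab-catchall": ["10.*.*.*"],
    "edge-by-name": ["edge1.example.net"],
}

def octet_matches(pattern, value):
    """Match one octet against '*', a 'lo-hi' range or a literal number."""
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = (int(x) for x in pattern.split("-", 1))
        return lo <= value <= hi
    return int(pattern) == value

def entry_matches(pattern, ip):
    """True if a dotted pattern such as '10.20.*.*' covers the address ip."""
    octets = ipaddress.IPv4Address(ip).packed  # raises on a malformed address
    parts = pattern.strip().split(".")
    if len(parts) != 4:
        return False  # hostname entry: resolve and review it by hand
    try:
        return all(octet_matches(p, o) for p, o in zip(parts, octets))
    except ValueError:
        return False  # four labels but not numeric, i.e. also a hostname

def pattern_size(pattern):
    """Number of addresses a dotted pattern covers (1 for a plain address)."""
    size = 1
    for part in pattern.split("."):
        if part == "*":
            size *= 256
        elif "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            size *= hi - lo + 1
    return size

def covering_entries(clients, ip):
    """Names of AAA client entries covering ip, broadest pattern first."""
    hits = [(pattern_size(p), name) for name, pats in clients.items()
            for p in pats if entry_matches(p, ip)]
    return [name for _, name in sorted(hits, reverse=True)]

if __name__ == "__main__":
    print(covering_entries(SAMPLE_CLIENTS, "10.20.5.1"))
```

Any entry returned for a device that was never explicitly added is the one to narrow; hostname entries are skipped here and need a separate DNS check.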
More than one Windows ACS Remote Agent
We recently added a second Windows Remote Agent to have Windows authentication service available for our two ACS.
Agent definition (CSAgent.ini) is correct but in Network Configuration - Remote Agent (on each ACS web console) we see that the second Remote Agent is "available" but "not in use" (while the first one is, of course).
If we stop the CSAgent Service on the first Remote Agent server, we do not see any activity on the second one (auth not working) and the service still remains "available" but "not in use".
Then, debugging with csagent.exe -z -p all we can see is something like:
Debug printing on..
Logging mode: LOW
ACSRemoteAgent server starting ==============================
Running as console application.
Will listen on port 2004
Configuration will be fetched from 10.1.1.101:2003
Agents: CSWinAgent
CSWinAgent File: ..\bin\CSWinAgent.exe
CSWinAgent Port: 2005
1 agents configured
Permitted CSAgent Clients: 10.1.9.10-11
Hit Return/Enter to stop...
Listener activated
Watchdog activated
CSWinAgent launched
Client connecting from 10.1.9.10:4346
RPC: Info request received
RPC: Info reply sent
Client disconnected, thread 944 terminating
Client connecting from 10.1.9.10:4347
RPC: Info request received
RPC: Info reply sent
Client disconnected, thread 2108 terminating
Client connecting from 10.1.9.10:4348
and, in the CSWinAgent log windows we see NO logs at all....
Where are we wrong???
You must use ACS Remote Agent for Windows, version 4.0, with ACS Solution Engine, version 4.0. Other releases of Cisco Secure ACS are not supported.
The following URL may help you:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.0/installation/guide/remote_agent/rawi.html#wp300510 -
ACS Fixup Patch not found and Installation Process
Hi Experts,
In my association there is some issue going on with the CSACS device; they have suggested that we upgrade the patch as below:
1) ACS 4.2.0.124.9-Fix (Patch:4.2.0.124.9)
2) ACS-4.2.0.124-9-CSUpdate Fix (Patch:4.2.0.124.9)
3) ACS 4.2.0.124.10-Fix ( Patch : 4.2.0.124.10)
4) ACS-4.2.0.124.10-CSUpdate Fix ( Patch:4.2.0.124.10)
I tried to download it from cisco.com but I am not able to find it anywhere on cisco.com.
Also, please let me know the procedure for applying the patch in ACS.
The expert was saying that you also need to upgrade some remote agent in the system where you configured it.
Please let me know the patch installation procedure and where I can download it from. Do I need to open a TAC case with Cisco for this?
I have attached my current version sc
Regards,
Vivek
Hello Vivek,
You can download the requested files from Cisco.com > Support > All Downloads > Products > Security > Identity Management > Cisco Secure Access Control Server Solution Engine > Cisco Secure Access Control Server Solution Engine 4.2 > Secure Access Control Server (ACS) Solution Engine-4.2.0.124
ACS 4.2.0.124 latest patch right now is Patch 17. Also, there is version 4.2.1.15 available for both the ACS SE and Remote Agent (For Windows Authentication). If you are going to patch your ACS SE it would be recommended to either upgrade to the latest patch (17) or to 4.2.1.15.
Patches are cumulative as well, so applying patch 10 will include Patch 9 fixes as well. You would be looking for:
1) applAcs_4.2.0.124.10.zip
2) applAcs_4.2.0.124.10-CSUpdate.zip
3) Acs-4.2.0.124.10-RA.zip
You need to apply applAcs_4.2.0.124.10-CSUpdate.zip first and then applAcs_4.2.0.124.10.zip on the ACS SE. On the Remote Agent you will install Acs-4.2.0.124.10-RA.zip.
Both the applAcs_4.2.0.124.10.zip and Acs-4.2.0.124.10-RA.zip have a link to the file release notes which include the patch installation instructions.
You can also review the following:
Appliance Upgrade and Patches Procedure
NOTE: A Cisco CCOiD is required to access software downloads. -
Default username and password for acs 3.2.3
Hi All
What is the default username and password to login to a newly built ACS Server V3.3.2 ?
Thanks in advance.
Darren
Darren,
You need to log in to ACS on the console of the Windows server (assuming it's not an ACS Solution Engine). If you do that, http://localhost:2002 it should take you straight in with no username/password prompt. Once in you can setup admin users and access from other boxes.